5

When I query installed services from a remote Windows 7 PC it's very slow. With a remote Windows XP PC it's always fast.

For example, from my Windows 7 PC the command

sc \\pc1 query type= service

takes 21s with Windows 7 remote PC. With a Windows XP remote PC it's instantly. I can reproduce this behavior with any of our PCs. And it happens with other tools too (e.g. Hyena) Has someone an idea what makes the request so slow or how to make it as instantly as with Windows XP?

Michael
  • 345
  • 6
  • 19
  • Is Windows firewall activated on Windows 7 PCs ? – krisFR Apr 25 '15 at 13:03
  • It is caused by RPC/TCP being blocked by the server firewall or because RPC/TCP is not supported by the server. See the following article on microsoft.com: https://docs.microsoft.com/en-us/windows/win32/services/services-and-rpc-tcp – The_Fox Jul 28 '21 at 14:37

3 Answers3

8

Classic firewall issue.

Microsoft RPC high ports default to tcp/49152 - tcp/65535 on Windows 7/2008. Unless you have specified a custom RPC port range.

The particular RPC endpoint in question is the Service Control Manager Remote Protocol (SCMR). If you run a packet capture at the time you run the sc command, you will see the port(s) in use. First it will connect to tcp/135 to get the RPC endpoint for the SCMR, then attempt to connect to the port advertised by SCMR.

If you want to configure a smaller port range, the following articles may help:

How to configure RPC dynamic port allocation to work with firewalls
https://support.microsoft.com/kb/154596

Key: HKLM\Software\Microsoft\Rpc\Internet\
Value: Ports
Value type: REG_MULTI_SZ

The default dynamic port range for TCP/IP has changed in Windows Vista/7/2008
https://support.microsoft.com/kb/929851

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • Awesome! This led me to my solution of allowing the RPC dynamic ports through the firewall, so have an upvote +50 :) – Ben N Apr 30 '15 at 17:33
  • 1
    Thanks to this, I found the windows firewall even has pre-defined rules to handle this. Add a new incoming rule and choose "Predefined". In the dropdown select "Remote Service Management" (I checked all three options on the next page). After allowing those connections, sc query etc are super fast! – Isak Savo May 23 '16 at 09:50
7

The service controller uses a dynamic RPC port, which is identified after talking to the RPC Endpoint Mapper on port 135, as mentioned by Greg Askew. Windows Firewall can be configured to allow the RPC dynamic ports through without any registry editing or RPC reconfiguration:

Open Windows Firewall with Advanced Security. Create a new inbound rule with the Custom type. Apply it to All programs. On the Protocol and Ports page, choose TCP as the protocol and RPC Dynamic Ports as the local port. Apply the rule to any source address or local interface, and Allow the connection (or Allow the connection if it is secure if you're using IPsec). No reboot required.

sc is now blazing fast from remote machines.

Ben N
  • 181
  • 2
  • 13
  • Just tested the mentioned solution and it solves the issue. Works on Windows Server 2016. – Mötz Mar 21 '18 at 13:37
0

have you tries other tools? i.e. wmic /node:NAME service or powershell -command get-service -computername NAME

Have you tried locally to isolate whether it's a problem in the local machine or over the network?

Shachaf.

Shachaf Goldstein
  • 41
  • 2
  • As the question states, using `sc` on the local machine works quickly. WMI is blocked by my firewall, and PowerShell doesn't seem to have a non-WMI way of creating services (which I need), only starting and stopping them. – Ben N Apr 28 '15 at 20:04