What is msrpc needed for on a Windows 7 workstation

I just ran an nmap scan against our network, and many Windows 7 machines have several high ports listening with Microsoft Windows RPC. Example:

Port   Serv  Process name
49152, msrpc [wininit.exe]
49153, msrpc [svchost.exe, Eventlog]
49154, msrpc [svchost.exe, Schedule]
49155, msrpc [lsass.exe]
49157, msrpc [services.exe]
49159, msrpc [svchost.exe, PolicyAgent]

For security reasons, I would like to close any listening service that is not needed, or at least block the ports in question using the Windows FW.

I realize that the processes above are system processes that I cannot close, but perhaps there is some configuration that can be done to prevent them from listening?

Lastly, not sure if relevant, but we do not use any domains or Active Directory - only a workgroup against a Samba server.

So, my questions are:

  1. What are the listening services needed for in general?
  2. In my scenario, can I disable them somehow (=make them not listen)?
  3. If #2 is not doable, can I safely block them with the FW?

Thanks.


  • Port 49152 provides the ability to shut the computer down remotely via the shutdown.exe tool. It can be disabled by writing registry DWord HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRemoteShutdownRPCInterface=1
  • Port 49153 allows remote viewing of the Event Log. I don't know how to disable it yet.
  • Port 49154 allows remote viewing and administration of Scheduled Tasks. It can be disabled by writing registry DWord HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\DisableRpcOverTcp=1
  • Port 49155: I'm not sure what it does or how to disable it.
  • Port 49157 allows remote viewing and administration of Local Services. It can be disabled by writing registry DWord HKLM\System\CurrentControlSet\Control\DisableRPCOverTCP=1
  • Port 49159: I have not seen this one on end user computers.

You can disable all the RPC ports by following these steps:

  1. Make sure you have disabled all the disableable RPCs listed above.
  2. Delete HKLM\Software\Microsoft\Rpc\Internet
  3. Write HKLM\Software\Microsoft\Rpc\Internet\UseInternetPorts="N"

Unfortunately, completely disabling the RPC ports breaks the Print Spooler in Windows 8 and later. To re-enable, just repeat step 2 above.


A variety of Windows services listen on dynamic RPC ports, as you found out. These usually correspond to services in the Services list. However, some of them are services you really don't want to turn off. When that happens, you need to use the built-in Windows firewall to prevent access. They're still listening, but nothing can get at them, which allows them to pass network audits.

The MS Dynamic RPC range did change as of Vista, to 49152-65535. You can even adjust the range if you need to:

netsh int ipv4 set dynamic tcp start=49152 number=50  # yields a range of 49152-49202
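
A read-only audit for the situation both answers discuss, as an added example that is not part of either answer: it reports the three registry values named in the first answer and lists TCP listeners in the 49152-65535 dynamic range with their owning processes. The function names are made up for this example, and it assumes English-language netstat output.

```powershell
# Added example, not from the answers. Read-only; assumes English netstat output.

# Registry values named in the first answer. A DWORD of 1 turns that interface's
# TCP listener off; a missing value means the default (listening).
$settings = @(
    @{ Service = 'Remote shutdown (wininit.exe)'
       Path    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableRemoteShutdownRPCInterface' },
    @{ Service = 'Scheduled Tasks (Schedule)'
       Path    = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule'
       Name    = 'DisableRpcOverTcp' },
    @{ Service = 'Local Services (services.exe)'
       Path    = 'HKLM:\System\CurrentControlSet\Control'
       Name    = 'DisableRPCOverTCP' }
)

function Get-RpcTcpSetting {
    foreach ($s in $settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $data = if ($item) { $item.($s.Name) } else { '(not set)' }
        New-Object PSObject -Property @{ Service = $s.Service; Value = $s.Name; Data = $data }
    }
}

function Get-DynamicRangeListener {
    # netstat columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[3] -ne 'LISTENING') { return }
        $sep      = $f[1].LastIndexOf(':')
        $address  = $f[1].Substring(0, $sep)
        $port     = [int]$f[1].Substring($sep + 1)
        $ownerPid = [int]$f[4]
        # 49152-65535 is the dynamic range since Vista; loopback is not reachable remotely
        if ($port -lt 49152 -or $address -eq '127.0.0.1') { return }
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Port = $port; Address = $address; OwnerPid = $ownerPid; Process = $proc.ProcessName
        }
    }
}

Get-RpcTcpSetting        | Format-Table Service, Value, Data -AutoSize
Get-DynamicRangeListener | Sort-Object Port | Format-Table Port, Address, OwnerPid, Process -AutoSize
```

Running it before and after a registry or firewall change shows which listeners actually went away; a listener that remains but is blocked by the firewall still appears here, since netstat reports the socket, not its reachability.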