Querying services from a remote Windows 7 PC extremely slow

When I query installed services from a remote Windows 7 PC it's very slow. With a remote Windows XP PC it's always fast.

For example, from my Windows 7 PC the command

sc \\pc1 query type= service

takes 21s with Windows 7 remote PC. With a Windows XP remote PC it's instantly. I can reproduce this behavior with any of our PCs. And it happens with other tools too (e.g. Hyena) Has someone an idea what makes the request so slow or how to make it as instantly as with Windows XP?


Classic firewall issue.

Microsoft RPC high ports default to tcp/49152 - tcp/65535 on Windows 7/2008. Unless you have specified a custom RPC port range.

The particular RPC endpoint in question is the Service Control Manager Remote Protocol (SCMR). If you run a packet capture at the time you run the sc command, you will see the port(s) in use. First it will connect to tcp/135 to get the RPC endpoint for the SCMR, then attempt to connect to the port advertised by SCMR.

If you want to configure a smaller port range, the following articles may help:

How to configure RPC dynamic port allocation to work with firewalls
https://support.microsoft.com/kb/154596

Key: HKLM\Software\Microsoft\Rpc\Internet\
Value: Ports
Value type: REG_MULTI_SZ

The default dynamic port range for TCP/IP has changed in Windows Vista/7/2008
https://support.microsoft.com/kb/929851


The service controller uses a dynamic RPC port, which is identified after talking to the RPC Endpoint Mapper on port 135, as mentioned by Greg Askew. Windows Firewall can be configured to allow the RPC dynamic ports through without any registry editing or RPC reconfiguration:

Open Windows Firewall with Advanced Security. Create a new inbound rule with the Custom type. Apply it to All programs. On the Protocol and Ports page, choose TCP as the protocol and RPC Dynamic Ports as the local port. Apply the rule to any source address or local interface, and Allow the connection (or Allow the connection if it is secure if you're using IPsec). No reboot required.

sc is now blazing fast from remote machines.