RpcView – Tool to explore RPC functionality

RpcView is a free tool that can be used to monitor and decompile all registered RPC interfaces on the Windows operating system. The information provided by this tool includes the following:

  • the PID of the process hosting this endpoint;
  • the protocol used, the main ones being ncacn_ip_tcp, ncacn_np and ncalrpc;
  • the endpoint name, depending on the underlying protocol:
    • port value for ncacn_ip_tcp or ncadg_ip_udp
    • pipe name prefixed by \pipe\ for ncacn_np
    • (A)LPC port name for ncalrpc
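
The per-protocol endpoint naming rules listed above can be checked mechanically. The following Python code is an added example, not part of RpcView or the original page; it assumes endpoints are written in the textual form `protseq:address[endpoint]`, and all sample values are constructed.

```python
import re

# Expected endpoint shape per protocol sequence, following the list above.
ENDPOINT_RULES = {
    "ncacn_ip_tcp": ("port", re.compile(r"^\d{1,5}$")),
    "ncadg_ip_udp": ("port", re.compile(r"^\d{1,5}$")),
    "ncacn_np": ("pipe", re.compile(r"^\\pipe\\.+$", re.IGNORECASE)),
    "ncalrpc": ("alpc_port", re.compile(r"^[^\\\[\]]+$")),
}

# Assumed textual form: [object-uuid@]protseq:address[endpoint,options]
BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?"
    r"(?P<protseq>\w+):"
    r"(?P<addr>[^\[\]]*)"
    r"(?:\[(?P<endpoint>[^,\]]*)(?:,(?P<options>[^\]]*))?\])?$"
)


def parse_binding(binding):
    """Split a binding string and check its endpoint against its protocol."""
    m = BINDING_RE.match(binding.strip())
    if m is None:
        raise ValueError(f"not a binding string: {binding!r}")
    protseq = m["protseq"].lower()
    endpoint = m["endpoint"] or ""
    kind, pattern = ENDPOINT_RULES.get(protseq, ("unknown", None))
    # None means "no rule for this protocol", not "invalid".
    valid = None if pattern is None else bool(pattern.match(endpoint))
    if valid and kind == "port":
        valid = 1 <= int(endpoint) <= 65535
    return {"protseq": protseq, "address": m["addr"], "endpoint": endpoint,
            "kind": kind, "valid": valid}


def mismatched(bindings):
    """Return the bindings whose endpoint does not fit their protocol."""
    return [b for b in bindings if parse_binding(b)["valid"] is False]


# Constructed sample values, for illustration only.
SAMPLES = [
    r"ncacn_ip_tcp:10.0.0.5[49664]",
    r"ncacn_np:fileserver[\pipe\example_svc]",
    r"ncalrpc:[LRPC-example-port]",
    r"ncacn_np:fileserver[example_svc]",   # missing \pipe\ prefix
    r"ncadg_ip_udp:10.0.0.5[70000]",       # port out of range
]

if __name__ == "__main__":
    for b in mismatched(SAMPLES):
        print("endpoint does not match protocol:", b)
```
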

RpcView interface to explore RPC processes

RPC calls are usually registered by name, and the tool helps by listing them so that the legitimate ones can be identified. On the other hand, there are anonymous RPC processes, and for those a security researcher will need to dig deeper and use this tool to investigate the DLL behind them.

At the moment there are versions for both 64-bit and 32-bit operating systems, and you can download RpcView from http://rpcview.org/

