Other: RPCSS and mdm.exe
Saved from http://www.cexx.org/rpcss.htm, Thu, 21 Nov 2002
Other: RPCSS.EXE, mdm.exe

First off, check out "What is RPCSS.EXE?" (Guest) for the most comprehensive description of RPCSS I've seen. According to this information, RPC is no more than a glorified port mapper.

There is also this page explaining MDM in detail and how to remove it.

RjN sheds some light on the RPCSS process:

The RPCSS program ... is the Microsoft Remote Procedure Call Service.

It facilitates the development and debugging of distributed applications, apps that are resident on machines other than the local one. While I'm unaware of any current exploits the software is designed to make it easier for "nonresident," i.e. non-local applications to run on your machine, and vice versa.


The RPCSS program is installed by certain Microsoft products such as MS Visual Studio and Visual C++, Visual Basic, Interdev, and J++. I actually had this on my own system for some time--since its appearance seemed to coincide with my installation of the Microsoft "Evil Movie Player" (necessary for playing all those .ASF files college people on networks insist on passing around), I assumed it was some kind of multimedia handler a la MPREXE and MMTASK.

Behavior

RPCSS opens ports on your machine (usually 135 as well as some "random" ports in the low 1000s) and proceeds to try and access the Internet, setting off programs such as Zone Alarm and firewalls with its suspicious activity. While the RPCSS program is probably supposed to serve some kind of legitimate purpose, it has nonetheless been cited for numerous stability problems as well as security concerns. (Not to mention the unverified, but fairly wide-spread, other allegations...)

The Microsoft Machine Debug Manager (mdm.exe), to my knowledge, does not connect to the Internet itself. However, it is still a rather ill-behaved program that leaves scads of temporary files on the hard drive that it never deletes, and fails to unload properly (on shared computers, when a user logs on a new instance of mdm.exe may start, but it won't necessarily exit when the user logs off. Depending on how many users have used the PC since the last reboot, dozens of copies of this program could be simultaneously running, eating up CPU and memory!).

Solutions
While privacy implications of these programs have yet to be established, the RPCSS program is known to cause crashes and fatal errors on some PCs using Dial-Up Networking, as described here. The program doesn't seem to do anything useful for most people, and several users have reported deleting it without any ill effects. (Note: RPCSS appears to be critical to Windows NT operation--see warning below.) The Debug Manager may be useful to power users and software developers, but for the majority of users it is probably just wasting memory. My recommendation for Windows 95 users is to rename these files (rpcss.exe -> rpcss.ex_, mdm.exe -> mdm.ex_) if you are concerned about them, or if they cause problems on your system. The RPCSS file is normally located in C:\Windows\System and the MDM.EXE file may be located either there or C:\Windows -- but for best results, use Windows' Find to locate all copies. Renaming the files allows you to restore them later if you ever need to.

Note: Microsoft suggests that users can safely remove mdm.exe without ill effects. See http://support.microsoft.com/support/kb/articles/q221/4/38.asp for more information.

Warning: Do not tamper with RPCSS.EXE on Windows NT: I have received a report that removing RPCSS on a Windows NT system severely crippled it (to almost non-functional status); apparently many of the NT Services require it. See description below:

Woodrow writes:

"NT 4.0 Sp6

rpcss.exe size 53kb

Results of rename: Found many associated NT services required rpcss.exe to be present to load at start up. NT OS crippled without rpcss.exe to (almost) not functional status.

Work around to 'recover' NT OS: My system would not allow 'vga mode' on start up, possibly due to lack of rpcss.exe. Opened task manager (Cntl-Alt-Del) to 'selectively' end all non essential tasks to get extremely slow functioning on OS. Used 'file find' to rename rpcss.ex_ back to rpcss.exe.

I can't tell you what the results are on win95/98, but the results of renaming rpcss.exe on NT are *NOT* fun!"
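
The rename-and-restore advice above, with the Windows NT warning applied, as an added Python example that is not part of the original page. The function names, the `is_windows_nt` flag and the sample directory tree are assumptions made for illustration; it finds every copy of the two files, renames `.exe` to `.ex_` without overwriting an earlier backup, and leaves rpcss.exe alone on NT.

```python
import os
import tempfile

TARGETS = {"rpcss.exe", "mdm.exe"}  # the two files the page names

def disable_copies(root, is_windows_nt, dry_run=True):
    """Rename each copy under root from .exe to .ex_; return (old, new) pairs.

    is_windows_nt is a caller-supplied flag (an assumption of this example).
    """
    renamed = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower not in TARGETS:
                continue
            if is_windows_nt and lower == "rpcss.exe":
                continue  # the page reports NT services need it at start up
            old = os.path.join(folder, name)
            new = old[:-1] + "_"  # rpcss.exe -> rpcss.ex_
            if os.path.exists(new):  # never overwrite an earlier backup
                continue
            if not dry_run:
                os.rename(old, new)
            renamed.append((old, new))
    return renamed

def restore_copies(renamed):
    """Undo disable_copies using the list it returned; return restored paths."""
    restored = []
    for old, new in renamed:
        if os.path.exists(new) and not os.path.exists(old):
            os.rename(new, old)
            restored.append(old)
    return restored

def build_sample_tree():
    """Constructed stand-in for C:\\Windows holding placeholder files only."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System"))
    for rel in ("Windows/System/RPCSS.EXE", "Windows/System/mdm.exe",
                "Windows/MDM.EXE", "Windows/notepad.exe"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder")
    return root

if __name__ == "__main__":
    for old, new in disable_copies(build_sample_tree(), False, dry_run=True):
        print(old, "->", new)
```

Run it with `dry_run=True` first to review the planned renames, and keep the returned list so `restore_copies` can put the files back.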

Microsoft tech support suggests an alternate solution to RPCSS issues which does not involve removing the RPCSS.exe file:

SYMPTOMS

When you start Windows 95, Windows 98 or applications (including Visual Basic 6.0, Visual C++ 6.0, and so forth), the Internet Connection dialog box appears.

CAUSE

If you have enabled remote connections in Windows 95 or Windows 98, your system might try to initiate an Internet connection at Windows 95 or Windows 98 startup or at the start of some applications. This behavior is often referred to as AutoDial or AutoConnect.

Resolution:

To turn off remote connections in Windows 95 or Windows 98, set the registry key EnableRemoteConnect to "N". You can do this by running DCOMCNFG, clicking the Default Security tab, and clearing the Enable remote connection check box. If DCOMCNFG fails to run, try the steps below, which describe creating REG files that modify the EnableRemoteConnect setting directly.

Your normal Internet activities should not be affected by changing this setting to disable remote connections. This setting is the default for most systems. However, enabling remote connections is necessary for some features of DCOM.

For additional information on this setting, please see the following article in the Microsoft Knowledge Base:
Q177394 Troubleshoot Run-Time Error '429' in DCOM Applications
Q175312 Modem Attempts to Dial When Windows Starts

Thanks M@X/B@R@K@ for alerting me to the RPCSS program and its Internet connection activities.

Links
Privacy Power! DCOM and SOAP
Microsoft Knowledge Base: Mdm.exe leaving temporary files in \Windows directory
Parasites - Info re: Machine Debug Manager
"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)
 
