Solved

RPC Server is unavailable in Windows NT 4

Posted on 2006-10-22
19
2,366 Views
Last Modified: 2013-12-28
I am running Windows NT 4 server with SP 6a on Dell PowerEdge 2500. Very often I get the error message "RPC server unavailable".

When this happens, can't open IE, several services from control panel can' run or open, all network shares are unavailable to other computers on the LAN. Getting the same error when I try these.

Any solution help?

Appreciate.
0
Comment
Question by:hosalin
  • 7
  • 5
  • 4
  • +1
19 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 17784462
Check your event logs.  What are the errors?  Reapply Service Pack 6a
0
 

Author Comment

by:hosalin
ID: 17784474
When the error occurs, Dr. Watson error window appears with "Services.exe" exception error.
There are no logs recorded in the Event viewer, can't locate Dr. Watson error log.

I did reapply SP6a. I changed memory  (2 GB RAM) also.

I greatly appreciate your prompt help.

Thanks
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17784528
A scheduled reboot more often than the error occurs to keep all memory pools etc. from being eaten up so quickly :-) .... Have been working recently with a ~2,500 server NT4 network migrating to 2003 and this plus other such errors are more or less part of life on NT4.  How often is the occuring, daily, weekly?
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 17784531
Is there anything in the event log that gives you more information about the error?
Look in both the system and application logs.
There should be an event for the Dr Watson is there anything just before it?
0
 

Author Comment

by:hosalin
ID: 17784561
I don't see any event in the Event viewer before/after Dr. Watson error. After Dr. Watson, even the Event viewer can't be opened. The server has to be rebooted when the server functions normally till the error occurs (some times daily).

I can reboot the server and clear both System and application logs in the event viewer and look for the entry in the logs when Dr. Watson error occurs.

Is there switch to turn on/off Dr. Watson log? in NT.

Thanks
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 17785462
http://support.microsoft.com/?kbid=188296&sd=RMVP
details how to turn off Dr Watson.
However in looking into this I stumbled across an exploit for a DOS attack which after being tested against SP1 - SP6a NT4 was vulnerable.

Don't know if it's what you are getting, but it kills services.exe, causing a Dr Watson.
"> The impact is pretty severe. Services.exe handles named pipes for
> the system. Once this crashes, everything named-pipe-based goes with it.
> This means logons, logouts, remote system access (registry, server
> functions, etc), local server management, IIS, file sharing, etc...all go
> down the tube. However, the box will, for the most part, appear to
> function normally on the local side, until you do something involving a
> named pipe service. The only fix is to reboot."

Event viewer uses named pipes to connect to the machine.

0
 

Author Comment

by:hosalin
ID: 17785697
Very close analysis and this is exactly what happens when Dr. Watson error occurs.

Can you  be kind to suggest what I need to do to fix this problem?

I will visit the above link.

I appreciate the much needed help.

Thanks
0
 
LVL 15

Accepted Solution

by:
qz8dsw earned 500 total points
ID: 17786753
Asides from upgrading the box to Win2k heres my best bet with the info we have.

I'm still doubtful it's using this exploit or if the hole still exists, It's been a LONG time since I tested NT4 fully patched for known exploits.
The solutions to this were waiting on a fix from Microsoft dating back to Quarter 4 of 1999. I don't know if it ever got fixed in either NT or win9x.
But for NT4 for anything to kill services.exe will produce the same results. Getting to the root cause of services.exe dieing will get you a fix.

1) a repair install on NT. Take it down completely, disconnect it from the network and install over the top from an original NT install CD, then apply SP6a from a CD or whatever before connecting it to the network.
Make sure you have any third party up to date drivers needed to talk to SCSI controllers or raid arrays/other essential devices on floppy or CD before you begin and overwrite any files it says are newer.
(I.E your 3rd party drivers would override any from NT4 the original install CD)

2) If this is a frontward facing server to the internet, block port 139 on your firewall for incoming internet traffic for that server unless it's really needed to be open.

I still doubt this exploit is being used, but If, BIG IF this exploit still exists then the suggested way to stop it from being used is not viable for a server. It was a stop gap for VERY short term.
Is there anything that happens in the event logs JUST before it happens.
Turn on all logging, successful and unsucessful if you suspect someone would be willing to try this.

Terry
0
Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

 

Author Comment

by:hosalin
ID: 17807779
Terry,

You helped me in a big way to narrow RPC problem to blocking the 139 on the firewall. Since that blocking, RPC is running in full mode, meaning all the services supported by it are running fime. You deserve more than 1000 points.

I have another problem with NT 4 server.

I am trying to find working LINK SHELL EXTENSION software utility for NT 4 server. Can you suggest one?


Thanks
Hosali
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 17809178
WOW, OK.
Blocking port 139 was one of the work arounds for the exploit but that supposedly didn't stop internal attacks.

Heres the link to the exploit details from WAYYYYY back in 1999.
http://www.wiretrip.net/rfp/txt/rfp9906.txt

And here for more information from Microsoft about malformed packets causing services.exe to die (And hence named pipes).
http://www.microsoft.com/technet/security/bulletin/fq99-055.mspx

Try here for a post SP6a hotfix from Microsoft.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246045&sd=tech

(I just found the microsoft links today, Sorry)

For Link Shell Extension this is one I've tried before.
It supports back to NT4

http://schinagl.priv.at/nt/hardlinkshellext/hardlinkshellext.html
But Junctions can only be made under Win2k and above.
Hard links are fine though.
Or as that page says "They can be created with the POSIX command ln included in the Windows Resource Kit or the fsutil command utility included in Windows XP. "

Glad the server is stable now.

Terry
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 17809252
Oh, Hosalin,

Could you please accept the answer that helped you pin down the problem, that way other people can see what the accepted answer was easily.
(The microsoft links especially the post SP6a link above might fix it totally, but port 139 should only be open for internal network at a maximium)

Thanks,
Terry.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17809369
Wow, surely no-one has a server pointing at the internet with NetBIOS / RPC ports open these days?!
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 17809417
Actually dragon, I've found 3-4 other posts all sounding VERY similar in this forum.
RPC dieing, one mentioned services.exe

Perhaps people have found a new way to hack port 139 under NT via netbios.
If the SRP don't fix it, it would seem going to Win2k or disabling port 139 would be the only way to minimise the impact of this.

Terry
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17810011
Erm, while I hate to thow away 2000 points, is that the answer you intended to select?  If hosalin doesn't respond other experts please suggest who you think should have got points and I will post Community Support Q.

Steve
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 17810196
Ummm, OK,
Well it seems since I was the only one to give up the option of port 139 being the hastle you get the points steve.
Considering there are post SP6a fixes that might fix this and the
"Terry,

You helped me in a big way to narrow RPC problem to blocking the 139 on the firewall. Since that blocking, RPC is running in full mode, meaning all the services supported by it are running fime. You deserve more than 1000 points."

 perhaps a review of this question and accepted answer might be in order.

Terry
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17810217
Fine by me, didn't expect to get points for my comments. Do you want to post a review Q in C/S, Agreed points to you for then mods get here anyway...
0
 

Author Comment

by:hosalin
ID: 17830000

Teryy's comment helped the most.

Thanks
Hosali
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

A few months ago I had an issue with LaserJet 1020 printer which was installed to XP and Windows 7.  It was installed to XP and working, but when I tried to connect from a Windows 7 PC, it would attempt connection and then fail.  Sometimes the Spool…
This is an article about Leadership and accepting and adapting to new challenges. It focuses mostly on upgrading to Windows 10.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now