Windows Remote Procedure Call (RPC) relies on a specific sequence of ports for communication between clients and servers. Here's how the core ports function:
- Port 135 (RPC Endpoint Mapper): Acts as the initial contact point. When a client needs to connect to an RPC service, it first queries Port 135 to discover the dynamic port where the actual service is running.
- Port 137 (NetBIOS Name Service): Used for NetBIOS name resolution in older Windows networks. This UDP port helps resolve computer names to IP addresses.
- Port 139 (NetBIOS Session Service): Provides session services for NetBIOS over TCP/IP (NBT), primarily used in older Windows versions for file and printer sharing.
After the initial handshake via Port 135, Windows allocates a random high port (typically between 49152-65535 in modern Windows versions) for the actual RPC communication. This can be observed using the following PowerShell command:
# View current RPC endpoints
Get-NetTCPConnection -State Established | Where-Object {$_.LocalPort -eq 135}
Port 145 emerged as part of Microsoft's efforts to optimize NBT/TCP communications. Here's what changed:
- Reduced dependency on NetBIOS for name resolution
- Improved direct hosting of SMB over TCP/IP
- Enhanced performance for RPC communications in modern Windows networks
Here's how the sequence works in practice when a client connects to a remote service:
1. Client queries Port 135 (Endpoint Mapper)
2. Server responds with assigned dynamic port
3. Client establishes connection to dynamic port
4. If NetBIOS is involved, Port 137/139 may be used initially
5. Port 145 may be utilized for optimized NBT/TCP traffic
Understanding this port sequence is crucial for security configurations. Here's a sample Windows Firewall rule to secure RPC:
# Allow RPC through firewall
New-NetFirewallRule -DisplayName "Allow RPC"
-Direction Inbound
-Protocol TCP
-LocalPort 135,139,145,49152-65535
-Action Allow
In Windows 10/11 and Server 2016+, the default behavior has shifted:
- NetBIOS over TCP/IP is disabled by default
- Direct SMB over TCP/IP (Port 445) is preferred
- Port 145 provides fallback compatibility
Windows Remote Procedure Call (RPC) relies on several critical ports that form the backbone of inter-process communication:
- Port 135 (Endpoint Mapper): Acts as the initial contact point for RPC services. When a client needs to connect to an RPC service, it first queries this port to discover the dynamic port where the actual service is running.
# Example: Querying RPC endpoints using rpcdump.py
rpcdump.py 192.168.1.100 -p 135After initial contact on port 135, Windows uses ephemeral ports (typically 49152-65535) for actual RPC communication. The sequence works like this:
- Client connects to port 135 requesting a specific service UUID
- Endpoint mapper returns the dynamic port assignment
- Client establishes new connection to the dynamic port
// C++ example of RPC binding sequence
RpcBindingFromStringBinding(L"ncacn_ip_tcp:192.168.1.100[135]", &hBinding);
RpcEpResolveBinding(hBinding, iface_handle);The introduction of port 145 addresses several limitations in the traditional NBT/TCP stack:
- Eliminates NetBIOS dependency for direct hosted RPC communication
- Supports TCP without requiring NetBIOS framing
- Enables more efficient firewall configurations
The connection sequence with port 145 becomes:
1. Client → Port 145 (direct RPC over TCP)
2. If unavailable, falls back to traditional port 135 → dynamic port sequenceWhen implementing RPC clients/servers in modern Windows environments:
- Prioritize port 145 connections when possible
- Include fallback logic for legacy systems
- Consider security implications of each port configuration
# PowerShell test for port 145 availability
Test-NetConnection -ComputerName server01 -Port 145Common scenarios and diagnostic commands:
# View current RPC endpoints
netstat -ano | findstr "135\|137\|139\|145"
# Check RPC service status
sc query rpcss
# Test direct RPC connectivity
rpcinfo -p server01