November 25th, 2004 12:44 AM
When running the tasklist | findstr "PID" for the one listenning on port 1025 it gave me the following.
winlogon.exe 460 0 1,516 K
lsass.exe 516 0 4,192 K
November 25th, 2004 08:25 AM
The winlogon.exe you can forget. The match was due to "1,516 K".
Which OS have you running (XP home/pro SP1 or SP2, 2000, ...)? They apparently
handle RPC-things differently (svchost/lsass listening).
A reminder: Port 1025 is the first dynamically assigned port on a windows
machine. Usually, this port is used by the RPC "environment". RPC opens, if
needed, further ports (>1025).
The RPC port mapper (on 135) enables the communication with RPC services.,
ie. a client asks the RPC port mapper about the endpoints of the server
(e.g. for the task scheduler this usually is 1025).
I would not be overly concerned about it, if you have a patched system and/or
a decent configured firewall. But maybe I missed something, and someone else
could clarify further.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)