Reading Windows® Internals, Sixth Edition, Part 1 in full

EXPERIMENT: Listing the Named-Pipe Namespace and Watching Named-Pipe Activity

It’s not possible to use the Windows API to open the root of the named-pipe FSD and perform a directory listing, but you can do this by using native API services. The PipeList tool from Sysinternals shows you the names of the named pipes defined on a computer as well as the number of instances that have been created for a name and the maximum number of instances as defined by a server’s call to CreateNamedPipe. Here’s an example of PipeList output:

    C:\>pipelist

    PipeList v1.01
    by Mark Russinovich
    http://www.sysinternals.com

    Pipe Name                               Instances   Max Instances
    ---------                               ---------   -------------
    InitShutdown                            3           -1
    lsass                                   6           -1
    protected_storage                       3           -1
    ntsvcs                                  3           -1
    scerpc                                  3           -1
    net\NtControlPipe1                      1           1
    plugplay                                3           -1
    net\NtControlPipe2                      1           1
    Winsock2\CatalogChangeListener-394-0    1           1
    epmapper                                3           -1
    Winsock2\CatalogChangeListener-25c-0    1           1
    LSM_API_service                         3           -1
    net\NtControlPipe3                      1           1
    eventlog                                3           -1
    net\NtControlPipe4                      1           1
    Winsock2\CatalogChangeListener-3f8-0    1           1
    net\NtControlPipe5                      1           1
    net\NtControlPipe6                      1           1
    net\NtControlPipe0                      1           1
    atsvc                                   3           -1
    Winsock2\CatalogChangeListener-438-0    1           1
    Winsock2\CatalogChangeListener-2c8-0    1           1
    net\NtControlPipe7                      1           1
    net\NtControlPipe8                      1           1
    net\NtControlPipe9                      1           1
    net\NtControlPipe10                     1           1
    net\NtControlPipe11                     1           1
    net\NtControlPipe12                     1           1
    142CDF96-10CC-483c-A516-3E9057526912    1           1
    net\NtControlPipe13                     1           1
    net\NtControlPipe14                     1           1
    TSVNCache-000000000001b017              20          -1
    TSVNCacheCommand-000000000001b017       2           -1
    Winsock2\CatalogChangeListener-2b0-0    1           1
    Winsock2\CatalogChangeListener-468-0    1           1
    TermSrv_API_service                     3           -1
    Ctx_WinStation_API_service              3           -1
    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER  2           -1
    net\NtControlPipe15                     1           1
    keysvc                                  3           -1

It’s clear from this output that several system components use named pipes as their communications mechanism. For example, the InitShutdown pipe is created by WinInit to accept remote shutdown commands, and the Atsvc pipe is created by the Task Scheduler service to enable applications to communicate with it to schedule tasks. You can determine what process has each of these pipes open by using the object search facility in Process Explorer.

Note

A Max Instances value of –1 means that there is no upper limit on the number of instances.
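
PipeList output like the listing above can be parsed and compared between runs to baseline which pipe names a machine normally exposes. The following is an added example, not part of the book or of PipeList; the function names, the suffix-collapsing heuristic, and the `example_new_pipe` name are assumptions made for illustration.

```python
import re

# Constructed snapshots in PipeList's three-column layout. Names in BASELINE
# come from the output above; "example_new_pipe" is a made-up placeholder.
BASELINE = r"""
Pipe Name                                Instances  Max Instances
---------                                ---------  -------------
InitShutdown                                 3          -1
lsass                                        6          -1
net\NtControlPipe1                           1           1
Winsock2\CatalogChangeListener-394-0         1           1
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER       2          -1
"""
LATER = BASELINE + r"""
net\NtControlPipe16                          1           1
Winsock2\CatalogChangeListener-5a0-0         1           1
example_new_pipe                             1          -1
"""

# Name may contain spaces and backslashes; the last two fields are integers.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<inst>\d+)\s+(?P<max>-?\d+)$")
# Heuristic (assumption): trailing "-hex" groups or digits are per-instance IDs.
SUFFIX = re.compile(r"(-[0-9a-f]+)+$|\d+$", re.IGNORECASE)

def parse_pipelist(text):
    """Return {name: (instances, max_instances)}; max is None when PipeList shows -1."""
    pipes = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # banner, header, separator and blank lines do not match
            limit = int(m["max"])
            pipes[m["name"]] = (int(m["inst"]), None if limit == -1 else limit)
    return pipes

def family(name):
    """Collapse per-instance suffixes so NtControlPipe1..N compare as one entry."""
    return SUFFIX.sub("*", name)

def new_families(baseline_text, current_text):
    """Pipe-name families present in the current snapshot but not in the baseline."""
    known = {family(n) for n in parse_pipelist(baseline_text)}
    return sorted({family(n) for n in parse_pipelist(current_text)} - known)

if __name__ == "__main__":
    for name, (inst, limit) in parse_pipelist(BASELINE).items():
        print(f"{name!r}: {inst} instance(s), max {limit or 'unlimited'}")
    print("new since baseline:", new_families(BASELINE, LATER))
```

A name reported as new can then be traced to its owning process with the Process Explorer object search mentioned above.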

NetBIOS

Until the 1990s, the Network Basic Input/Output System (NetBIOS) programming API had been the most widely used network programming API on PCs. NetBIOS allows for both reliable connection-oriented and unreliable connectionless communication. Windows supports NetBIOS for its legacy applications. Microsoft discourages application developers from using NetBIOS because other APIs, such as named pipes and Winsock, are much more flexible and portable. NetBIOS is supported by the TCP/IP protocol on Windows.

NetBIOS Names
