Article ID: 126645 - Last Review: November 21, 2006 - Revision: 3.1

PRB: Access Denied When Opening a Named Pipe from a Service

View products that this article applies to.
This article was previously published under Q126645
Expand all | Collapse all

SYMPTOMS

If a service running in the Local System account attempts to open a named pipe on a computer running Windows NT version 3.5 or later, the operation may fail with an Access Denied error (error 5). This can happen even if the pipe was created with a NULL DACL.
Back to the top

CAUSE

In Windows NT version 3.1, a process running in the Local System account could connect to a resource using a Null Session. For security reasons, use of the Null Session is restricted by default on Windows NT version 3.5 or later.
Back to the top

RESOLUTION

You can allow access to a named pipe using the Null Session by adding the pipe name to the following registry entry on the machine that creates the named pipe: 
   \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ 
      Parameters\NullSessionPipes
The pipe name added to this entry is the name after the last backslash in the string used to open the pipe. For example, if you use the following string to open the pipe: 
   \\hardknox\pipe\mypipe
you would add mypipe to the NullSessionPipes entry on the computer named hardknox.

You must either reboot or restart (stop and then start) the Server service for changes in this entry to take effect. Also, the named pipe will still need to have a NULL DACL.

In Windows NT 3.51 and later, by customer request, it is no longer necessary to reboot. Once a named pipe is added to the key listed above, null-session connections to that pipe will immediately be accessible.

This new functionality allows programs to permit null session access to named pipes that do not have names known prior to booting the system.
Back to the top

MORE INFORMATION

Usually, when a session is established between a computer supplying a resource (server) and a computer that wants to use the resource (client), the client is identified and credentials are verified. When a Null Session is used, there is no validation of the client; everyone is allowed access.

If you allow a pipe to be used by a Null Session, you should either:

  • Verify that the data supplied by the pipe is truly public.

    -or-
  • Use an alternative method for verifying clients.
Back to the top

REFERENCES

The "Windows NT Registry Entries" Help file in the Windows NT version 3.5 Resource Kit.
Back to the top
APPLIES TO
  • Microsoft Win32 Application Programming Interface, when used with:
    • Microsoft Windows NT 4.0
    • Microsoft Windows NT 3.51 Service Pack 5
    • Microsoft Windows NT 4.0
    • Microsoft Windows 2000 Standard Edition
    • the operating system: Microsoft Windows XP
Back to the top
Keywords: 
kbapi kbservice kbkernbase kbsecurity kbprb kbacl KB126645
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations