1

I just experienced an issue that I have never seen before when displaying services in Win8.1 (with Powershell Core 6+). Running Get-Service in an Admin shell, result in the following error:

$ Get-Service

...
Get-Service : Service 'NetTcpPortSharing (NetTcpPortSharing)' cannot be queried due to the following error:
At line:1 char:1
+ Get-Service
+ ~~~~~~~~~~~
+ CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : CouldNotGetServiceInfo,Microsoft.PowerShell.Commands.GetServiceCommand

Stopped  NetTcpPortSharing  NetTcpPortSharing
...

Looking at the details of this Service I see:

enter image description here

Using net helpmsg 15101 I then got this:
The resource loader failed to load MUI file because the file fail to pass validation.

I have no idea what this means, of even if it's relevant as it was shown in the Description field.

So none of this info makes sense, and I have no idea what created this service, nor what it is doing or was using it. However I know that a few days ago I didn't have this problem, but I don't know if I had the service. I have been playing a lot with various Remoting features, but from this machine to another W10.

What is NetTcpPortSharing used for and can I safely delete it?
(Where does it typically come from?)

Possibly Related References:

UPDATE (according to magicandre1981)

# $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing'
# Get-ItemProperty -Path $key

DisplayName        : NetTcpPortSharing
ErrorControl       : 1
ImagePath          : C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Start              : 4
Type               : 32
Description        : @%systemroot%\Microsoft.NET\Framework64\v4.0.30319\ServiceModelInstallRC.dll,-8200
ObjectName         : NT AUTHORITY\LocalService
ServiceSidType     : 3
RequiredPrivileges : {SeCreateGlobalPrivilege}
FailureActions     : {132, 3, 0, 0...}
PSPath             : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing
PSParentPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
PSChildName        : NetTcpPortSharing
PSDrive            : HKLM
PSProvider         : Microsoft.PowerShell.Core\Registry

The config file for this is located here:

# find //c/Windows/Microsoft.NET/Framework*/ -iname "SMSvcHost.exe.config"
//c/Windows/Microsoft.NET/Framework/v4.0.30319/SMSvcHost.exe.config
//c/Windows/Microsoft.NET/Framework64/v4.0.30319/SMSvcHost.exe.config
not2qubit
  • 14,531
  • 8
  • 95
  • 135
  • 1
    This is actually a [Super User](https://superuser.com/) question. I guess the service is owned exclusively by the system account. What happens when you query the concerned service [under the system account](https://stackoverflow.com/a/51612478/1701026)? – iRon Oct 31 '20 at 08:22
  • @iron I'm getting an error using `PsExec64` as suggested (and commented) in your link. Is there a more Powershell native way to run as "System"? – not2qubit Oct 31 '20 at 12:34
  • I managed to run as SYSTEM using *[AdvancedRun](https://www.nirsoft.net/utils/advanced_run.html)* from Nirsoft and I still get the same permission denied error. Used: `AdvancedRun.exe /EXEFilename "C:\path\to\pwsh.exe" /RunAs 4 /Run` – not2qubit Oct 31 '20 at 15:47
  • this is [WCF related service](https://learn.microsoft.com/en-US/dotnet/framework/wcf/feature-details/configuring-the-net-tcp-port-sharing-service) – magicandre1981 Nov 01 '20 at 15:25
  • Perhaps this new issue is related to a windows patch? I'm looking at all [these methods](https://www.romhack.io/dl-2020/RH2020-slides-Cocomazzi.pdf) for EOP hacks. – not2qubit Nov 02 '20 at 15:39

1 Answers1

1

This service belongs to Windows Communication Foundation (WCF) and is part of .net framework.

On my Windows 8.1 Pro x64 (German), the registry setting under the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing

is

# Description:
%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8200 
# DisplayName:
%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-820
# Imagepath:
%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe

So check which settings you have for for Description. I have no idea why it is .net 3.x and 4.0 for you.

not2qubit
  • 14,531
  • 8
  • 95
  • 135
magicandre1981
  • 27,895
  • 5
  • 86
  • 127
  • Can you please edit your post using my regisitry method. Provides more clear details. And I keep my machines updated, so I have no idea how anyone is still using .NET v3.x. ;) – not2qubit Nov 01 '20 at 23:57
  • I have no idea why I see the 3.0. Change the values to mine and look what happens. If you never used WCF you don't need the service. In my case it is the host OS, I run my dev stuff in VMs – magicandre1981 Nov 02 '20 at 14:26
  • I can only assume you're using .NET v3.x for some dev stuff, or from default Win8 install. I removed all my .NET v3 *malware* a long time ago and never went back. So I don't have anything below `.NET v4.x`. Either way, I would still like to know what this service is "used for" and "used by" as I'm certain I did not have it a few months ago. So something must have installed it... – not2qubit Nov 02 '20 at 15:11
  • Maybe you know where that `MUI` *file* is located and what kind of *validation* we're talking about? – not2qubit Nov 02 '20 at 15:13
  • BTW. What is your output of `ls -Dir -Recurse -Depth 1 C:\Windows\Microsoft.NET`. – not2qubit Nov 02 '20 at 15:21
  • the MUIs are in an extra folder, here in my case: **"C:\Windows\Microsoft.NET\Framework\v4.0.30319\de-DE\ServiceModelInstallRC.dll.mui"** so under **de-DE** you should have it under **en-US** if you use American English – magicandre1981 Nov 02 '20 at 19:19
  • as already said, this service is part of .net framework and is used if you use WCF – magicandre1981 Nov 02 '20 at 19:21
  • Thanks for all your effort, but I am ultimately looking for an explanation of the permission error and how to fix it. However, I decided to accept your answer anyway, since nobody else seem to know anything about this. – not2qubit Nov 04 '20 at 18:43
  • if you don't provide enough information I can't help. you said you removed somethin, but how? simply delete in explorer? Trustedinstaller has full access to this service+MUI files and users/admins can run-execute. – magicandre1981 Nov 05 '20 at 14:41