Microsoft KB Archive/126645

{|
 * width="100%"|

PRB: Access Denied When Opening a Named Pipe from a Service

 * }

Q126645

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
 * the operating system: Microsoft Windows NT, versions 3.5, 3.51

-

SYMPTOMS
If a service running in the Local System account attempts to open a named pipe on a computer running Windows NT version 3.5, the operation may fail with an Access Denied error (error 5). This can happen even if the pipe was created with a NULL DACL.

CAUSE
In Windows NT version 3.1, a process running in the Local System account could connect to a resource using a Null Session. For security reasons, use of the Null Session is restricted by default on Windows NT version 3.5.

RESOLUTION
You can allow access to a named pipe using the Null Session by adding the pipe name to the following registry entry on the machine that creates the named pipe:

  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ Parameters\NullSessionPipes The pipe name added to this entry is the name after the last backslash in the string used to open the pipe. For example, if you use the following string to open the pipe:

  \\hardknox\pipe\mypipe you would add mypipe to the NullSessionPipes entry on the computer named hardknox.

You must either reboot or restart (stop and then start) the Server service for changes in this entry to take effect. Also, the named pipe will still need to have a NULL DACL.

In Windows NT 3.51, by customer request, it is no longer necessary to reboot. Once a named pipe is added to the key listed above, null-session connections to that pipe will immediately be accessible.

This new functionality allows programs to permit null session access to named pipes that do not have names known prior to booting the system.

MORE INFORMATION
Usually, when a session is established between a computer supplying a resource (server) and a computer that wants to use the resource (client), the client is identified and credentials are verified. When a Null Session is used, there is no validation of the client; everyone is allowed access.

If you allow a pipe to be used by a Null Session, you should either:


 * Verify that the data supplied by the pipe is truly public.

-or-
 * Use an alternative method for verifying clients.