Microsoft INITSHUTDOWN interface

This is a DCE/RPC based protocol used by CIFS hosts to remotely shutdown or restart other CIFS hosts. This dissector is described by an IDL file and is automatically generated by the Pidl compiler.


This protocol first appeared with the release of Active Directory (Windows 2000).

Protocol dependencies

  • DCE/RPC: This protocol is implemented ontop of the DCE/RPC transport. This protocol is often access from the \PIPE\InitShutdown named pipe on IPC$ but in some cases, it can also be reached through a dynamically assigned TCP port.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).


The INITSHUTDOWN dissector is fully functional.

Preference Settings

There are no preference settings specific to the INITSHUTDOWN protocol.

Example capture file

Someone should donate a capture for this protocol

Display Filter

A complete list of INITSHUTDOWN display filter fields can be found in the display filter reference

Show only the INITSHUTDOWN based traffic:


Capture Filter

You cannot directly filter INITSHUTDOWN protocols while capturing.

Protocol Functions

The INITSHUTDOWN interface supports the following operations:

External links


Imported from on 2020-08-11 23:15:06 UTC