Microsoft Windows Remote Registry Service (WINREG)

This is a DCE/RPC-based protocol used by CIFS hosts to access the registry across a network. This dissector is described by an IDL file and is automatically generated by the Pidl compiler.


This protocol first appeared in Windows NT4 and is used to access the registry across a network.

Protocol dependencies

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).


The WINREG dissector is partially functional and incomplete, pending full analysis of the protocol and its IDL file.

Preference Settings

There are no preference settings specific to the WINREG protocol.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of WINREG display filter fields can be found in the display filter reference.

Show only the WINREG-based traffic:


Capture Filter

You cannot directly filter WINREG protocols while capturing.

Protocol Functions

The WINREG protocol implements the following functions:

External links


Imported from on 2020-08-11 23:27:29 UTC