This protocol first appeared in Windows NT4 and is used to access the registry across a network.
- DCE/RPC: This protocol is implemented ontop of the DCE/RPC transport. This protocol is often access from the \PIPE\winreg named pipe on IPC$ but can also be reached through a dynamically assigned TCP port. Accessing this service using TCP as transport requires the support of the EPM Endpoint Mapper service.
XXX - Add example traffic here (as plain text or Wireshark screenshot).
The WINREG dissector is partially functional and incomplete awaiting the protocol and its idl file to be fully analyzed.
There are no preference setting specific to the WINREG protocol.
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
A complete list of WINREG display filter fields can be found in the display filter reference
Show only the WINREG based traffic:
You cannot directly filter WINREG protocols while capturing.
The WINREG protocol implements the following functions:
- http://websvn.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_4_0/source/librpc/idl/winreg.idl IDL definition for the WINREG interface.
Imported from https://wiki.wireshark.org/WINREG on 2020-08-11 23:27:29 UTC