Event ID 8 — Remote Procedure Call (RPC) Service Endpoint Functionality

Updated: December 3, 2008

Applies To: Windows Server 2008 R2

Administrators can configure the Remote Procedure Call (RPC) service (RpcSs) to listen on a subset of the computer's network interfaces using RPC Firewall Filters. The administrator can use RPC Firewall Filters to block some interfaces from being accessed over a given network interface while allowing other interfaces to be accessed over the same network interface. RPC Firewall Filters make it possible for an administrator to configure network interface access on a per-interface level of detail.

RPC Firewall Filters comprise a set of rules and conditions that the administrator specifies. The Ep_add Layer filter supports port addition to processes that host a given interface. By creating an Ep_add Layer filter, an administrator can force an interface to receive calls over the port that the administrator specifies when the administrator creates the filter. If the port that is specified in the RPC Firewall Filter is already in use, the system registers a port conflict error.

Event Details

Product: Windows Operating System
ID: 8
Source: Microsoft-Windows-RPC-Events
Version: 6.1
Symbolic Name: RPC_EVENTLOG_FW_EP_ADD_ERR
Message: Application (%1) (PID: %2) has failed to add endpoint %3:%4 for interface with unique identifier %5 with error %6. User Action: Verify that the machine has sufficient memory and that no other process is listening on the endpoint.

Diagnose

This error might be caused by one of the following conditions:

  • There is an endpoint conflict.
  • The system is low on resources.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

There is an endpoint conflict

To check current TCP/IP network connections and listening ports for conflicts:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type netstat -a, and then press ENTER.
  3. Review the list of network connections and listening ports for conflicts. If more than one application is using or listening on the same port, see "Change the RPC filter endpoint port."

    If there does not seem to be an endpoint conflict, try the operation again. The problem may be due to a transient port issue.

The system is low on resources

To check the system for a low-resource condition:

  1. Right-click the taskbar, and then click Task Manager.
  2. Click the Performance tab, and look for the amount of physical memory used under Memory and Physical Memory Usage History. If the amount of memory used is high, see "Correct the low-resource condition."

Resolve

Change the RPC filter endpoint port

An RPC firewall filter that you created added a static endpoint port to an interface. The port that is specified in the ep_add layer of the RPC firewall filter is in conflict with a port that is already in use.

To resolve this conflict, you must change the port that is specified in the RPC firewall filter by removing the filter that has the port in conflict and then reinstalling a filter that has an open port.

From the event message, identify the port in conflict and make a note of it. The event message specifies the port in the format address:port. You will use the port number to help identify the filter with the port that is in conflict.

Identify the filter with the port that is in conflict. Make note of the FilterKey. Delete that filter by specifying the unique FilterKey. Identify an open port, and then reinstall the filter, specifying the open port.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Identify the filter and obtain the unique FilterKey

To identify the filter and obtain the unique FilterKey:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type netsh rpc filter show filter, and then carefully review the results. You are looking for an ep_add layer filter. The ep_add layer filter contains the line layerKey: ep_add.
  3. Look for the ep_add filter that contains the following lines: filterCondition[1] fieldKey: protocol. The conditionValue must be equal to 1. For example, the conditionValue line might look like the following:

    conditionValue: Type: FWP_UINT8 Value: 1.

  4. In addition, the conditionValue of the ep_value key must be equal to the port number that is specified in the event message. For example, the conditionValue line might look like the following:

    conditionValue: Type: FWP_BYTE_BLOB_TYPE Value: 2345.

  5. Note the unique FilterKey for this filter. You will use this FilterKey to specify the filter to delete. For example, the FilterKey might look like the following:

    filterKey: 11111111-1111-1111-1111-111111111119.
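The lookup in steps 2 through 5 can be scripted. The following PowerShell is an added example, not part of the original article: the function name Find-EpAddFilterKey is hypothetical, and the sample text is constructed from the field lines quoted above (the second filter, its key, port 5000 and the if_uuid condition are made up for illustration).

```powershell
# $sample is constructed for illustration; real netsh output has more fields per filter.
$sample = @'
filterKey: 11111111-1111-1111-1111-111111111119
layerKey: ep_add
filterCondition[0]
    fieldKey: if_uuid
    conditionValue: Type: FWP_BYTE_ARRAY16_TYPE Value: <interface-uuid>
filterCondition[1]
    fieldKey: protocol
    conditionValue: Type: FWP_UINT8 Value: 1
filterCondition[2]
    fieldKey: ep_value
    conditionValue: Type: FWP_BYTE_BLOB_TYPE Value: 2345
filterKey: 22222222-2222-2222-2222-222222222222
layerKey: ep_add
filterCondition[0]
    fieldKey: protocol
    conditionValue: Type: FWP_UINT8 Value: 1
filterCondition[1]
    fieldKey: ep_value
    conditionValue: Type: FWP_BYTE_BLOB_TYPE Value: 5000
'@ -split "`r?`n"
function Find-EpAddFilterKey {
    param([string[]]$Lines, [int]$Port)   # $Port: port from the event's address:port
    $filters = @(); $cur = $null; $field = $null
    foreach ($line in $Lines) {
        if ($line -match '\bfilterKey:\s*(\S+)') {
            # Each filterKey line opens a new filter record.
            $cur = @{ FilterKey = $Matches[1].TrimEnd('.'); Layer = $null; Cond = @{} }
            $filters += $cur; $field = $null
        } elseif ($null -eq $cur) {
            continue   # banner text before the first filter
        } elseif ($line -match '\blayerKey:\s*(\S+)') {
            $cur.Layer = $Matches[1]
        } elseif ($line -match '\bfieldKey:\s*(\S+)') {
            $field = $Matches[1]   # the next conditionValue belongs to this field
        } elseif ($field -and $line -match '\bconditionValue:.*\bValue:\s*(\S+)') {
            $cur.Cond[$field] = $Matches[1].TrimEnd('.'); $field = $null
        }
    }
    # Criteria from the steps above: layerKey ep_add, protocol = 1, ep_value = port.
    $filters | Where-Object {
        $_.Layer -eq 'ep_add' -and $_.Cond['protocol'] -eq '1' -and
        $_.Cond['ep_value'] -eq "$Port"
    } | ForEach-Object { $_.FilterKey }
}
Find-EpAddFilterKey -Lines $sample -Port 2345
```

On a live system, pass the command output instead of the sample: Find-EpAddFilterKey -Lines (netsh rpc filter show filter) -Port <port>, run from an elevated prompt.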

Delete an existing RPC filter

To delete an existing RPC filter:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type netsh rpc filter delete filter filterkey=, and then specify the unique filter ID after the equal sign (=).

To identify an open port, use the netstat -ban command to identify the ports in use, and then specify a port that is not in the list of ports in use.

Reinstall the filter, specifying an open port

For information about using the netsh command for RPC and about adding an Ep_add Layer filter, see Netsh commands for RPC (http://go.microsoft.com/fwlink/?LinkId=105638).

This error indicates that an RPC firewall filter, which is adding a static endpoint port to an interface (ep_add layer filter), is in conflict with a port that is already in use. Change the RPC firewall filter to not conflict with a port that is already in use.

To change the RPC filter, first determine the filter that is in conflict:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type netsh rpc filter show filter, and then press ENTER.
  3. Locate the ep_add layer filter that is in conflict:
    • The layerKey will be equal to ep_add.
    • The conditionValue for the protocol field key should be 1.
    • The conditionValue for the ep_value key will be equal to the port in conflict from the error message text.
  4. Make note of the filterKey; it will be used to remove the filter.

When you identify the filter, delete it.

To delete the filter:

  • At the command prompt, type netsh rpc filter delete filter <filterKey>, and then press ENTER, where <filterKey> is the filterKey from the filter that you identified previously.

After you delete the filter, reinstall it by executing the netsh commands that you used to install the filter. Ensure that a new port number is passed in the ep_value field, and ensure the port is not in use.

To check the list of used ports on the system:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type netstat -ban, and then press ENTER.
  3. Make note of the ports that are in use. Ensure that an open port is used when you recreate the RPC filter.

Correct the low-resource condition

To resolve this problem:

  • Check the system for a low-resource condition.
  • You can resolve a low-resource condition by increasing the page file size. A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory. Virtual memory comprises the paging file and physical memory or random access memory (RAM). Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data. Increasing the page file size usually does not require a restart of the computer.
  • You may be able to resolve a low-resource condition by ending unnecessary processes to free memory resources. Be careful when you end a process. If you end a process that is associated with an open program, the program will close and you will lose unsaved data. If you end a process that is associated with a system service, part of the system might not function properly.

If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (http://go.microsoft.com/fwlink/?LinkId=52267).

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Check the system for a low-resource condition

To check the system for a low-resource condition:

  1. Right-click the taskbar, and then click Task Manager.
  2. Click the Performance tab, and look for the amount of physical memory used under Memory and Physical Memory Usage History. If the amount of memory used is high, consider increasing the size of the page file.

Increase the size of the page file

To increase the size of the page file:

  1. Click Start, click Control Panel, and then double-click System.
  2. Under Tasks, click Advanced System Settings. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Click the Advanced tab. Under Performance, click Settings.
  4. In the Performance Options dialog box, click the Advanced tab.
  5. Under Virtual Memory, click Change.
  6. Clear the Automatically manage paging file size for all drives check box.
  7. Under Drive [Volume Label], click the drive that contains the paging file that you want to change.
  8. Click Custom size, type a new size in megabytes in the Initial size (MB) or Maximum size (MB) box, click Set, and then click OK.

End a process to free memory

To free memory by ending a process:

  1. Right-click the taskbar, and then click Task Manager.
  2. Click the Processes tab, and then click Show processes from all users (at the bottom). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Be careful when you end processes. If you end a process that is associated with an open program, the program will close and you will lose unsaved data. If you end a process that is associated with a system service, part of the system might not function properly.

    Try to identify processes that are leaking memory by looking for a process with unusually high memory consumption. Select a process to end, and then click End Process. For more information about how to identify a process that is leaking memory, see Using Performance Monitor to Identify a Pool Leak (http://go.microsoft.com/fwlink/?LinkId=105512).

For more information about RAM, virtual memory, and page file, see RAM, Virtual Memory, Pagefile and all that stuff (http://go.microsoft.com/fwlink/?LinkId=105511).

Report the error to the application developer

An error condition may have resulted from a problem in the application's code. The data item used to return data to the client is not large enough to hold the return data. Report the entire event message and related text to the application developer so that the developer can debug and fix the application.

Verify

You can verify that the Remote Procedure Call (RPC) service (RpcSs) is running by opening the Services administrative tool and ensuring that the status of the service is Started.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To open the Services administrative tool and verify that the Remote Procedure Call (RPC) service is running:

  1. Click Start, and then click Run.
  2. Type services.msc, and then click OK. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. To locate the Remote Procedure Call (RPC) service in the list of services, scroll down to Remote Procedure Call (RPC).
  4. Verify that the status of the service is Started.

Using RPC Firewall Filters, an administrator can control the network interfaces that the RpcSs is allowed to listen on. The administrator can use RPC Firewall Filters to block some interfaces from being accessed over a given network interface while allowing other interfaces to be accessed over the same network interface. RPC Firewall Filters make it possible for the administrator to configure network interface access on a per-interface level of detail.

You can verify that the RPC filters running on the system are the filters that you expect.

To verify the RPC filters:

  1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Type netsh rpc filter show filter, and then press ENTER.
  3. Confirm that any RPC filters in the list are the filters that you expect.

Related Management Information

Remote Procedure Call (RPC) Service Endpoint Functionality

Application Server
