University of Wisconsin Help Desk Knowledgebase

• Service Outages
• NetID Self Help
• Getting Connected
• Desktop Computing
• Business Systems
• Department Support
• KB Search Tips
• Browse by Topic
• RSS Feeds
• Contact Us
• Feedback
• Work at Help Desk

• About Help Online
• Create a New Call

• Click to Chat

Windows - Remote Procedure Call Service Terminated

This document explains how to troubleshoot problems with the Remote Procedure Call in Windows.

• Changing the Remote Procedure Call (RPC) Settings
• Verifying what Windows version and service packs are on your system
• Applying the Remote Procedure Call (RPC) Patch
• W32.Blaster.Worm Removal Tool
• Things to Consider

SYMPTOM

This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/system.

Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

CAUSE

Note: If an attacker is able to successfully exploit this vulnerability they could gain complete control over a remote computer. This would give the attacker the ability to take any action on the system that they want. For example, an attacker could change web pages, reformat the hard disk, and / or add new users to the local administrators group.

SOLUTION

• Change the settings for the Remote Procedure Call (RPC) Service in order to connect to the internet without the computer shutting down

Note: This does not work in every case.

To change these settings you will need to perform the following:

1. Right-click the My Computer icon on the Windows desktop or in the Start menu.
2. Select Manage. The Computer Management window will open.
3. In the left pane, double-click on Services and Applications.
4. Select Services and a list of services should appear.
5. In the right pane, locate the Remote Procedure Call (RPC) service, it will have a Status of "Started".

   Note: This will be the first in a listing of two Remote Procedure Call (RPS) services.

6. Right-click on the first Remote Procedure Call (RPC) service listed.
7. Select Properties.
8. Select the Recovery tab.
9. Using the drop-down lists, change First failure, Second failure, and Subsequent failures from Restart the Computer to Take No Action.
10. Click on Apply and then OK.

CAUTION: Make sure that you change these settings back after completing the final step to remove the worm.

• Verify which service packs have been applied as well as which version of Windows you are running. To do this:
  1. Right-click My Computer on the desktop.
  2. Select Properties. Operating system information will be listed in the window that comes up. This will include what version of the operating system is running as well as what service packs have been applied to it.
  3. The following service packs need to be applied right away:

     Note: The service pack version will depend on what operating system you have on your computer.

     • If you are running Windows XP version 2002, Service Pack 1 will need to be installed. If this has not been applied to your system you can obtain it by doing one of the following:

       1. If you are on campus, are connecting through our modem pool, or are accessing the campus network through WiscVPN, this can be downloaded from the Electronic Shelf at http://shelf.doit.wisc.edu/PC/WinXP-Fix/xpsp1.
       2. If you connect through DSL, cable modem and / or another internet service provider this can be downloaded from https://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1. Be sure to select the Express Installation.

     • If you are running Windows 2000, you must have at the minimum, Service Pack 2 applied. Please note that Microsoft no longer supports this version and newer service packs such as service pack 3 and 4 are recommended and preferred. If this has not been applied to your system you can obtain it by doing one of the following:

       1. If you are on campus or are connecting through our modem pool service packs 3 and 4 can be downloaded from the Electronic Shelf at http://shelf/PC/W2k-Fix
       2. If you connect through DSL, cable modem and/or another internet service provider this can be downloaded from Windows 2000 Service Packs.

• After performing the above and verifying the required service pack is in place the Patch can be applied.

  Information and download links for your version of windows can be found at Microsoft Security Bulletin MS03-039.mspx.

• Removal of W32.Blaster.Worm

  After all of the steps listed above have been completed you will need to obtain and run the W32.Blaster.Worm Removal Tool that Symantec has made available. Be sure to read through removal instructions before running the removal tool.

• You will want to verify that all viruses have been removed from the system. Update your virus definitions and run a full system scan. If you do not have a virus scanner installed, Symantec has made an online scanner available. This can be accessed by going to Symantec Security Check and clicking on the Start button located below Virus Detection.
• Be sure to change the settings back for the Remote Procedure Call (RPC) Service. This will need to be changed back from Take No Action to Restart the Computer.