Skip to main content
The Epm tool connects to the RPC Endpoint Mapper on a remote system and lists the dynamic endpoints registered with it. This is useful for discovering which RPC services are running and on which ports or named pipes they are listening.
Endpoint mapper queries are typically unauthenticated. This is distinct from anonymous authentication — no security context is established.

Subcommands

CommandDescription
lsepList dynamic RPC endpoints registered with the endpoint mapper
For help on any subcommand, run Epm <subcommand> -h.

lsep

Queries the RPC Endpoint Mapper and lists the registered dynamic endpoints. You can filter results by interface ID, version, object GUID, or major version number. 
Epm lsep [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-InterfaceId (-I)
Guid
Filter for a specific interface ID (GUID).
-MajorVersion (-M)
UInt16
Filter by major version number.
-ExactVersion
RpcVersion
Filter for an exact interface version.
-CompatVersion
RpcVersion
Filter for a compatible interface version.
-UpToVersion
RpcVersion
Filter for interfaces up to a maximum version.
-ObjectId
Guid
Filter for a specific object ID.
-PageSize
integer
Number of results to fetch at a time.
-OutputFields
string[]
Fields to display. Available: ObjectGuid, annotation, Tower.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-UserName (-u)
UserPrincipalName
User name to authenticate with (not including the domain).
-Password (-p)
string
Password to authenticate with.
-NtlmHash
hexadecimal hash
NTLM hash for pass-the-hash authentication.
-Kdc (-K)
host:port
KDC endpoint for Kerberos.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-EncryptRpc
boolean
Encrypt RPC messages.
-HostAddress (-ha)
string[]
Override network address(es) of the server.
-Socks5
host:port
SOCKS5 proxy endpoint.

Examples

# List all registered endpoints
Epm lsep LUMON-DC1

# List endpoints for a specific interface
Epm lsep LUMON-DC1 -InterfaceId 12345678-1234-abcd-ef01-0123456789ab

# Filter by major version and output as JSON
Epm lsep LUMON-DC1 -MajorVersion 1 -OutputStyle Json

# Authenticate with credentials
Epm lsep LUMON-DC1 -UserName milchick -Password Br3@kr00m! -EncryptRpc
  • Scm — manage services on remote Windows systems
  • Wmi — interact with WMI over RPC

Build docs developers (and LLMs) love

Get started for freeTalk to us