Share via


Event ID 2 — RPC Filter Functionality

Applies To: Windows Server 2008

Administrators can configure Remote Procedure Call (RPC) Services (RpcSs) to listen on a subset of the computer's network interfaces using RPC Firewall Filters.

RPC Firewall Filters comprise a set of rules and conditions that an administrator specifies. The administrator must add the RPC filter rules and the RPC filter conditions before creating the RPC Firewall Filter.

Event Details

Product: Windows Operating System
ID: 2
Source: PEventLogFw
Version: 6.0
Symbolic Name: RPC_EVENTLOG_FILTER_GET_ERR
Message: An attempt to retrieve firewall filter with key %1 has failed with error %2. RPC is not able to enforce this filter. User Action: Verify that the machine has sufficient memory.

Resolve

Reinstall the RPC Filter

The RPC Filtering engine could not load an RPC filter rule. The rule may have been deleted, the rule may be corrupted, or the system may be experiencing a low-resource condition.

Check the system for a low-resource condition. If no low-resource condition exists, delete and then reinstall the RPC filter.

The registry keys for this filter may have been changed. If you know the change that was made to the registry, revert the change or delete and then reinstall the RPC Filter.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Check the system for a low-resource condition

To check the system for a low-resource condition:

  1. Right-click the taskbar, and then click Task Manager.
  2. Click the Performance tab, and look for the amount of physical memory used under Memory and Physical Memory Usage History. If the amount of memory used is high, consider increasing the size of the page file. You can also end a process to free up memory resources.

To increase the size of the page file:

  1. Click Start, click Control Panel, and then double-click System.
  2. Under Tasks, click Advanced System Settings. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Click the Advanced tab. Under Performance, click Settings.
  4. In the Performance Options dialog box, click the Advanced tab.
  5. Under Virtual Memory, click Change.
  6. Clear the Automatically manage paging file size for all drives check box.
  7. Under Drive [Volume Label], click the drive that contains the paging file that you want to change.
  8. Click Custom size, type a new size in megabytes in the Initial size (MB) or Maximum size (MB) box, click Set, and then click OK.

To end a process to free memory:

  1. Right-click the taskbar, and then click Task Manager.

  2. Click the Processes tab, and then click Show processes from all users (at the bottom). If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Be careful when you end processes. If you end a process that is associated with an open program, the program will close and you will lose unsaved data. If you end a process that is associated with a system service, part of the system might not function properly.

    Try to identify processes that are leaking memory by looking for a process with unusually high memory consumption. Select a process to end, and then click End Process. For more information about how to identify a process that is leaking memory, see Using Performance Monitor to Identify a Pool Leak (https://go.microsoft.com/fwlink/?LinkId=105512).

Delete and then reinstall an RPC Filter

Before you add an RPC filter, uninstall (delete) the existing filter.

To delete an existing RPC filter:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type netsh rpc filter delete filter filterkey=, and then specify the unique filter ID after the equal sign (=).

To add an RPC filter:

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. RPC filter rules (and associated conditions, if any) must be added before you can create an RPC filter. At the command prompt, type netsh rpc filter add rule, and then specify the parameters for the rule.
  3. To add a condition to a RPC filter rule, at the command prompt, type netsh rpc filter add condition, and then specify the parameters for the condition.
  4. When you have successfully created the rule or rules, use the following command to add the RPC filter. At the command prompt, type netsh rpc filter add filter, and then specify the parameters for the filter.
  5. To confirm that your filter was added, at the command prompt, type netsh rpc filter show filter. If your filter was added successfully, it appears in the list of RPC filters.

To see Help for this command, type netsh rpc filter /?, and then press ENTER.

For more information about using the netsh command for RPC, see Netsh commands for RPC (https://go.microsoft.com/fwlink/?LinkId=105638).

Verify

Verify that the Base Filtering Engine service is running by opening the Services administrative tool and ensuring that the status of the service is Started. In addition, verify that your RPC filters are installed by executing the RPC Filter Show Filter command.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To open Services and verify that the service is started:

  1. Click Start, and then click Run.
  2. Type services.msc, and then click OK. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. To locate the Base Filtering Engine in the list of services, scroll down to Base Filtering Engine.
  4. Verify that the status of the service is Started.

To verify that the RPC filters are installed:

  1. Open an elevated command prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. At the command prompt, type netsh rpc filter show filter, and then press ENTER. Verify that the list of filters shows the filters that you expect.

    To see Help for this command, type netsh rpc filter /?, and then press ENTER.

RPC Filter Functionality

Application Server