The NetBT (NetBIOS over TCP/IP) service of Windows NT operating systems handles SMB
(Server Message Block) server and client operations.
The driver file for the NetBT service is netbt.sys, and the corresponding registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT.
Microsoft's KB 120642 and KB 314053 describe some of the optional parameters under this key
for Windows NT, Windows 2000, and Windows XP.
The ports used by the NetBT service on Windows NT 4.0 are:
NameservicePort 137/UDP
DatagramPort 138/UDP
SessionPort 139/TCP
Starting with Windows 2000, Microsoft introduced port 445 for SMB directly over TCP. Ports 137, 138, and 139 are retained and still work, but by default the system always uses port 445 for SMB sessions; port 139 is used as the SessionPort only when port 445 fails to work.
Port 445 is always open by default. To disable it, follow the method in Microsoft KB 301673. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
add a value:
Value Name: SmbDeviceEnabled
Type: REG_DWORD
Value Data: 0
Then restart the system.
Similarly, to disable port 139, refer to Microsoft's KB 299977:
1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Click the local area connection that you want to statically configure, and then click Properties on the File menu.
3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
4. Click Disable NetBIOS over TCP/IP.
5. Click OK, click OK, and click OK again.
The modification takes effect immediately without restarting the system.
Can port 445 be changed to another value? Analysis of netbt.sys shows that when the service is initialized, the function NbtReadRegistry calls ReadParameters and ReadSmbDeviceInfo to obtain the
NetBT service configuration information from the registry:
;------------------------------------------------------------------------
push    [ebp+Handle]
push    offset _NbtConfig
call    _ReadParameters@8       ; ReadParameters(x,x)
push    [ebp+KeyHandle]
call    _ReadSmbDeviceInfo@4    ; ReadSmbDeviceInfo(x)
;------------------------------------------------------------------------
The registry values read by ReadParameters are mostly described in the three KB articles mentioned above. However, the values read by ReadSmbDeviceInfo do not appear to be documented anywhere. The following is the ReadSmbDeviceInfo function of netbt.sys, version 5.0.2195.6783:
;------------------------------------------------------------------------
; __stdcall ReadSmbDeviceInfo(KeyHandle)
KeyHandle = dword ptr 8
push    ebp
mov     ebp, esp
lea     eax, [ebp+KeyHandle]
push    esi
push    eax                     ; KeyHandle
push    offset aParametersSmb   ; "Parameters\Smb"
push    [ebp+KeyHandle]         ; int
call    _NbtOpenRegistry@12     ; NbtOpenRegistry(x,x,x)
mov     esi, eax
test    esi, esi
jl      short SetDefaultPort    ; if the key does not exist, set the default values
push    1
push    1BDh                    ; 445 by default
push    offset aSessionport     ; "SessionPort"
push    [ebp+KeyHandle]
call    _NbtReadSingleParameter@16 ; NbtReadSingleParameter(x,x,x,x)
push    1
push    1BDh                    ; 445 by default
push    offset aDatagramport    ; "DatagramPort"
mov     word_2BA88, ax          ; store the 16-bit SessionPort result
push    [ebp+KeyHandle]
call    _NbtReadSingleParameter@16 ; NbtReadSingleParameter(x,x,x,x)
push    [ebp+KeyHandle]         ; Handle
mov     word_2BA8A, ax          ; store the 16-bit DatagramPort result
call    ds:__imp__ZwClose@4     ; __declspec(dllimport) ZwClose(x)
jmp     short Return
SetDefaultPort:
mov     SessionPort, 1BDh       ; set SessionPort to 445
mov     DatagramPort, 1BDh      ; set DatagramPort to 445
Return:
mov     eax, esi
pop     esi
pop     ebp
retn    4
;------------------------------------------------------------------------
As the listing shows, ReadSmbDeviceInfo first tries to open
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Smb
and then reads SessionPort and DatagramPort in turn, setting the corresponding ports from those values. If the key cannot be opened, execution jumps to SetDefaultPort and both ports are set to the default value 445. If reading a value fails, the third parameter of NbtReadSingleParameter supplies the default return value, which is also 445.
SessionPort and DatagramPort correspond to TCP and UDP ports respectively. However, I have never seen UDP SMB sessions, so SessionPort is more important.
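The fallback behaviour described above can be checked offline against a registry export. The following Python sketch is an added example, not code from the original article or from Microsoft: it parses .reg export text and reports the SMB ports the driver would end up with, flagging a relocated SessionPort. The function names and the sample export are constructed; the 16-bit truncation is inferred from the `mov word_..., ax` stores in the listing, and treating a missing SmbDeviceEnabled as enabled is an assumption based on port 445 being open by default.

```python
import re

DEFAULT_PORT = 0x1BD  # 445, the default pushed before each NbtReadSingleParameter call
PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

def parse_reg_export(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: int}} (DWORDs only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def effective_smb_ports(keys):
    """Mirror the fallbacks in ReadSmbDeviceInfo: missing key or value -> 445."""
    smb = keys.get((PARAMS + r"\Smb").lower())
    if smb is None:
        # Parameters\Smb cannot be opened: the SetDefaultPort branch.
        session = datagram = DEFAULT_PORT
    else:
        # Results are stored from AX, so only the low 16 bits survive (inferred).
        session = smb.get("sessionport", DEFAULT_PORT) & 0xFFFF
        datagram = smb.get("datagramport", DEFAULT_PORT) & 0xFFFF
    # Assumption: SmbDeviceEnabled absent means the SMB device is enabled.
    enabled = keys.get(PARAMS.lower(), {}).get("smbdeviceenabled", 1) != 0
    return {"enabled": enabled, "session": session, "datagram": datagram,
            "relocated": enabled and session != DEFAULT_PORT}

# Constructed sample export: SessionPort set to 0x2710 (10000), DatagramPort absent.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SmbDeviceEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Smb]
"SessionPort"=dword:00002710
'''

if __name__ == "__main__":
    print(effective_smb_ports(parse_reg_export(SAMPLE)))
```

A host whose export yields `relocated: True` is serving SMB on a port that firewall rules and scanners keyed to 445 will not cover.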
Then, NbtCreateAddressObjects opens the port based on the information and creates a service:
;------------------------------------------------------------------------
mov     eax, [ebp+var_8]
mov     cx, SessionPort         ; tcp port value
mov     esi, offset aSmbserver  ; "*SMBSERVER"
mov     [eax+1F2h], cx
mov     eax, [ebp+var_8]
mov     cx, DatagramPort        ; udp port value
mov     [eax+1F6h], cx
mov     eax, [ebp+var_8]
mov     [eax+1F4h], di
mov     eax, [ebp+var_8]
lea     edi, [eax+1F8h]
movsd
movsd