Layered Service Provider

Layered Service Provider (LSP) is a deprecated feature of the Microsoft Windows Winsock 2 Service Provider Interface (SPI). A Layered Service Provider is a DLL that uses Winsock APIs to attempt to insert itself into the TCP/IP protocol stack. Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic. It allows processing of all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet (such as a web browser, the email client, etc.). For example, it could be used by malware to redirect web browsers to rogue websites, or to block access to sites like Windows Update. Alternatively, a computer security program could scan network traffic for viruses or other threats. The Winsock Service Provider Interface (SPI) API provides a mechanism for layering providers on top of each other. Winsock LSPs are available for a range of useful purposes, including parental controls and Web content filtering. The parental controls web filter in Windows Vista is an LSP. The layering order of all providers is kept in the Winsock Catalog.


Details

Unlike the well-known Winsock 2 API, which is covered by numerous books, documentation, and samples, the Winsock 2 SPI is relatively unexplored. The Winsock 2 SPI is implemented by network transport service providers and namespace resolution service providers. The Winsock 2 SPI can be used to extend an existing transport service provider by implementing a Layered Service Provider. For example, quality of service (QoS) on Windows 98 and Windows 2000 is implemented as an LSP over the TCP/IP protocol stack. Another use for LSPs would be to develop specialized URL filtering software to prevent Web browsers from accessing certain sites, regardless of the browser installed on a desktop.

The Winsock 2 SPI allows software developers to create two different types of service providers: transport and namespace. Transport providers (commonly referred to as protocol stacks) are services that supply functions that set up connections, transfer data, exercise flow control, error control, and so on. Namespace providers are services that associate the addressing attributes of a network protocol with one or more human-friendly names and enable protocol-independent name resolution.

The SPI also allows you to develop two types of transport service providers: base and layered service providers. Base service providers implement the actual details of a transport protocol: setting up connections, transferring data, and exercising flow control and error control. Layered service providers implement only higher-level custom communication functions and rely on an existing underlying base provider for the actual data exchange with a remote endpoint.

Winsock 2 LSPs are implemented as Windows DLLs with a single exported entry function, WSPStartup. All other transport SPI functions are made accessible to ws2_32.dll or an upper chain layered provider via the LSP's dispatch table. LSPs and base providers are strung together to form a protocol chain. The LSP DLL has to be registered using a special LSP registrant, which tells Winsock 2 the loading order of the LSPs (there can be more than one LSP installed) and which protocols to intercept. LSPs work by intercepting Winsock 2 commands before they are processed by ws2_32.dll; they can therefore modify the commands, drop a command, or just log the data, which makes them a useful tool for malware, network filters, network interceptors, and stream-based sniffers.

Sniffing network traffic through an LSP can sometimes be troublesome, since anti-virus vendors typically flag such activity as malicious; a network packet analyzer is therefore a better alternative for capturing network traffic. A feature of LSP and Winsock proxy sniffing is that they allow traffic to be captured from a single application and also enable traffic going to localhost (127.0.0.1) to be sniffed on Windows.

There are two kinds of LSP: IFS and non-IFS. Currently most LSPs on the market are non-IFS. The difference between the two is that non-IFS LSPs modify the socket handle to a non-valid Windows IFS handle, and therefore the LSP must implement all Winsock 2 methods. IFS LSPs, on the other hand, preserve the socket handle, which allows the LSP to implement only the functions it wants to intercept. IFS LSPs have much less performance impact than non-IFS LSPs, but they are limited by the fact that they cannot inspect or modify data on the receive path.


Deprecation and LSP bypass

LSPs have been deprecated since Windows Server 2012. Systems that include LSPs will not pass the Windows logo checks. Windows 8 style "metro" apps that use networking will automatically bypass all LSPs. The Windows Filtering Platform provides similar functionality and is compatible with both Windows 8 style "metro" apps and conventional desktop applications.


Corruption issues

A major issue with LSPs is that any bugs in the LSP can cause applications to break. For example, an LSP that returns the wrong number of bytes sent through an interface can cause applications to go into an infinite loop while waiting for the network stack to indicate that data has been sent. Another common issue with LSPs was that if they were removed or unregistered improperly, or if the LSP was buggy, the Winsock catalog in the registry would be corrupted, the entire TCP/IP stack would break, and the computer could no longer access the network.

LSP technology is often exploited by spyware and adware programs in order to intercept communication across the Internet. For example, malware may insert itself as an LSP in the network stack and forward all of the user's traffic to an unauthorized external site, where it can be data-mined to find the user's interests to bombard him/her with targeted advertisements, as well as spam e-mail. If a malware LSP is not removed correctly, older versions of Windows may be left without a working network connection. Such potential loss of all network connectivity is prevented in Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and all later Windows operating systems, in which Winsock has the ability to self-heal after a user uninstalls such an LSP (see "How to determine and recover from Winsock2 corruption"). Installed LSPs can be viewed using the XP/Vista Windows Defender's Software Explorer or using third-party utilities.
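The protocol chains described under Details, and the catalog breakage described above, can both be checked from a snapshot of the Winsock catalog. The following is an added example, not part of the original article: it assumes the `ChainLen`/`ChainEntries` semantics of `WSAPROTOCOL_INFO` (0 = layered provider, 1 = base provider, more = protocol chain listed top layer first) and runs on a constructed catalog whose entry IDs and DLL paths are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    entry_id: int       # dwCatalogEntryId
    dll: str            # provider DLL path
    chain_len: int      # ProtocolChain.ChainLen
    chain: tuple = ()   # ProtocolChain.ChainEntries (meaningful when chain_len > 1)

def kind(e):
    # ChainLen 0 = layered provider, 1 = base provider, >1 = protocol chain
    return {0: "layered", 1: "base"}.get(e.chain_len, "chain")

def resolve(e, by_id):
    """DLLs a call traverses, top layer first; None marks a missing entry."""
    return [by_id[i].dll if i in by_id else None for i in e.chain[:e.chain_len]]

def audit(catalog):
    by_id = {e.entry_id: e for e in catalog}
    report = {"chains": {}, "dangling": [], "layered_dlls": set()}
    for e in catalog:
        if kind(e) == "layered":
            report["layered_dlls"].add(e.dll)      # DLLs to verify (signer, origin)
        elif kind(e) == "chain":
            path = resolve(e, by_id)
            report["chains"][e.entry_id] = path
            if None in path:                        # chain points at a removed entry
                report["dangling"].append(e.entry_id)
    return report

# Constructed sample catalog (IDs and paths are illustrative, not from a real host).
SYS = r"%SystemRoot%\system32\mswsock.dll"
LSP = r"C:\Program Files\ExampleFilter\filter_lsp.dll"
SAMPLE = [
    Entry(1001, SYS, 1),                 # base TCP provider
    Entry(1002, SYS, 1),                 # base UDP provider
    Entry(1015, LSP, 0),                 # the LSP's own layered entry
    Entry(1016, LSP, 2, (1015, 1001)),   # LSP layered over TCP
    Entry(1020, LSP, 2, (1019, 1002)),   # references 1019, which no longer exists
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for entry_id, path in result["chains"].items():
        print(entry_id, " -> ".join(p or "<MISSING>" for p in path))
    print("dangling:", result["dangling"])
    print("layered DLLs:", sorted(result["layered_dlls"]))
```

On a live host the catalog can be listed with `netsh winsock show catalog`; a chain that references a missing entry is the kind of inconsistency left behind by an improperly removed LSP.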




External links


New PowerPoint Trojan installs itself as LSP

The "Dark Side of Winsock": PDF of a DefCon presentation dealing with the creation and exploitation of Winsock Layered Service Providers

The "Dark Side of Winsock": Video of same presentation