Layered Service Provider
Layered Service Provider (LSP) is a deprecated feature of the
Details
Unlike the well-known
Base service providers implement the actual details of a transport protocol: setting up connections, transferring data, and exercising flow control and error control. Layered service providers implement only higher-level custom communication functions and rely on an existing underlying base provider for the actual data exchange with a remote endpoint.
Winsock 2 LSPs are implemented as Windows
LSPs work by intercepting Winsock 2 commands before they are processed by ws2_32.dll; they can therefore modify the commands, drop a command, or just log the data, which makes them a useful tool for malware, network filters, network interceptors, and stream-based sniffers. Sniffing network traffic through an LSP can sometimes be troublesome since anti-virus vendors typically flag such activity as malicious — a network packet analyzer is therefore a better alternative for capturing network traffic.
A feature of LSP and Winsock proxy sniffing is that they allow traffic to be captured from a single application and also enable traffic going to localhost (127.0.0.1) to be sniffed on Windows.[1]
There are two kinds of LSP: IFS and non-IFS. Currently most LSPs on the market are non-IFS. The difference between the two LSPs is that non-IFS LSPs modify the
Deprecation and LSP bypass
LSPs have been deprecated since Windows Server 2012.[2] Systems that include LSPs will not pass the Windows logo checks.[3] Windows 8 style "metro" apps that use networking will automatically bypass all LSPs. The Windows Filtering Platform provides similar functionality and is compatible with both Windows 8 style "metro" apps and conventional desktop applications.
Corruption issues
A major issue with LSPs is that any bugs in the LSP can cause applications to break. For example, an LSP that returns the wrong number of bytes sent through an interface can cause applications to go into an infinite loop while waiting for the network stack to indicate that data has been sent.
Another common major issue with LSPs was that if an LSP was removed or unregistered improperly, or if the LSP was buggy, the Winsock catalog in the registry would become corrupted; the entire TCP/IP stack would then break and the computer could no longer access the network.
LSP technology is often exploited by
Such potential loss of all network connectivity is prevented in Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and all later Windows operating systems, in which Winsock has the ability to self-heal after a user uninstalls such an LSP.[4]
Installed LSPs can be viewed using the XP/Vista
References
- Unraveling the Mysteries of Writing a Winsock 2 Layered Service Provider - Microsoft Systems Journal
- Categorizing LSPs and Applications