Retina KB001021


Introduced in Retina Network Security Scanner 5.15.0, the Retina Local Scan Service (RLSS) provides the ability to perform local tasks on the target being scanned. Such tasks include the ability to control and execute console commands. RLSS is a temporary service that is deployed, performs an action, and then removed. The use of RLSS adds greater flexibility to the type and depth of information that Retina can gather.



Deployment of RLSS is controlled by the Perform Local Scanning advanced scan job option. This option is enabled by default. If this option is unchecked, RLSS will not be deployed and all dependent options will be ignored. There are currently several features that rely on RLSS which controlled by scan job options:

Enumerate Ports via Local Scan Service This option instructs RLSS to run the netstat command on the target and return the results to the engine. Ports obtained from the output are marked in the scan result port detail as LOCAL. Ports obtained from standard network based port scanning will be marked as REMOTE. If an entry only contains the LOCAL attribute, that is an indication that the port is open but likely firewalled and not visible during the network port scan.

Enable Remote Registry Service When enabled, RLSS will attempt to start the Remote Registry service if it isn’t already running. This will ensure that Retina has registry access during the course of the scan. Once the scan of the target has completed, the Remote Registry service will be restored to its original state.

Enable WMI Service When enabled, RLSS will attempt to start the Windows Management Instrumentation (WMI) service if it isn’t already running. This will ensure that audits and enumerations requiring WMI will have access during the course of the scan. Once the scan of the target has completed, the Windows Management Instrumentation service will be restored to its original state.

Enumerate Processes via Local Scan Service If selected, data associated with running processes such as executable name, process ID, and command line are made available.

Vulnerability Audits The following vulnerabilty audit check types require RLSS: AP_REMOTE_PORT_TCP CHECK_FILE_DATA CHECK_INET_PROXY WINDOWS_EXECUTE_REGEX The following vulnerability audit check types will optionally run via RLSS, decreasing scan times compared to remote auditing: The following check types will CHECK_FILE_SECURITY CHECK_PATH_EXISTS

Target Requirements

Windows Platform RLSS is compatible with the following operating systems:

  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows XP (32-bit and 64-bit)
  • Windows Server 2003 (32-bit and 64-bit)
  • Windows Vista SP1 (32-bit and 64-bit)
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit)
  • Windows 8 (32-bit and 64-bit)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows 2012 (64-bit)
  • Windows 2012 R2(64-bit)

Firewall Settings RLSS requires that TCP/445 (Microsoft-DS SMB file sharing) or TCP/139 (NetBIOS Session Service) be open on the scan target. These are standard file sharing ports, and are open by default on most versions of Windows. Once connected, Retina will communicate with RLSS over this port. All sessions are originated from the Retina scanner, so there are no inbound port requirements on the Retina host machine.

Remote UAC Settings (Windows Vista and later) Starting with Windows Vista, Microsoft introduced User Account Control (UAC). UAC is enabled by default and can be disabled only from the registry. In order to deploy the Beyondtrust Local Scan Agent using credentials other than the BUILTIN administrator or domain administrator accounts, remote UAC MUST be disabled. Please note, this involves modifying the registry and the usual precaution about backing it up prior to proceeding any further applies. Purpose: In order to authenticate without UAC remotely, the below registry key must be set to allow this.

For further information visit:

Create the following registry key and value:
a) From the “Run” dialog box (Press WINDOWS_KEY + ‘r’), type “regedit.exe” which starts the Registry Editor.
b) Locate the following registry key: HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
c) In this registry key, create the following DWORD value and set it to ‘1’: LocalAccountTokenFilterPolicy
d) A system reboot is required after making the change and doesn’t take effect immediately.

Write access to the ADMIN$ share of the target When RLSS is deployed, it must first copy the service executable retinalss.exe and associated library retinalss.dll to the %systemroot% folder of the target. If the ADMIN$ share is not available or the SYSTEM account does not have modify, read/execute privileges, deployment will fail and RLSS will not be available. Agent deployment can also fail if antivirus software is active and has restricted the rights to the %systemroot% folder.

Permissions to remotely create and control a service Once RLSS is copied, Retina will use Service Control Manager (SCM) API calls to create a service entry, set the service permissions, and start the service. The service name is BeyondTrust Retina Local Scan Agent and will appear in the targets Services Management Console. The service runs in the security context of the credentials used to scan the target and is configured with the AutoStart attribute. In the event that the service cannot be started, Retina will restore the target to its original state.

Registry Permissions RLSS stores the original state of the target within the Windows registry. To eliminate potential permission issues, the state settings are stored within the standard services registry hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\retinalss During the course of a scan, Retina will send keep-a-live probes to RLSS. In the event that Retina stops sending keep-a-live probes, the service will query the stored values, reconfigure the target to its original state, terminate and remove itself. If for some reason RLSS terminates unexpectedly or the target is rebooted, RLSS will automatically launch at system startup. At that time it will reconfigure the target to its original state, terminate and remove itself.


local scan service, retina, scanning