Windows Name Resolution

The process by which a Windows system gets its name propagated out on the network
so everybody else knows its name has a long and convoluted history.

However, we can make things a little bit simpler, basically starting with Windows
Vista.

There's even a little variance in there. A Windows system will do name resolution
in a very specific order.

First of all, if it's a member of a domain, it will immediately go to its domain
controller, which is also going to be its DNS server, and everything's done through
good old-fashioned DNS.

Now if you're not on a domain, like at your home for example, you would traditionally
use NetBIOS, so you'd be using ports 137, 138, 139 to handle your name resolution.

However, starting around Vista, a new type of protocol came online.

This protocol is known as LLMNR. It runs on UDP port 5355 normally, and it basically
is a vastly improved name resolving service, much better than NetBIOS.

So what's interesting now is that on today's systems, if you're not in a domain, it
really depends on your version of Windows.

For example, if you're running Windows 10 Professional, you run both NetBIOS and
LLMNR simultaneously, and whatever it can grab, it does the name resolution that way.

In Windows Home, NetBIOS is completely gone.

It just uses good ol' LLMNR, so the whole NetBIOS world disappears.

Now what makes all of this interesting is that we do run into problems with
computer names in Windows networks. When these problems kick in, the fix can be wild.

It could be anything from a firewall, to you've turned off network discovery, to
you have a router between you and another computer, so there's all kinds of issues.

But what we need is a tool that tells us the state of things right now. Simply
clicking on your network and looking at what computers are showing up and not showing
up is a terrible way to understand what's going on in your Windows network, because
Windows lies to itself sometimes.

Luckily for us, we do have a great tool. This tool is called NBTstat.

It's been around for a while, since Windows networking started pretty much, and it is
a wonderful, powerful tool.

The only downside is that it's getting a little long in the tooth.

NBTstat doesn't play well with LLMNR, and while I am going to show you this tool, and
while it still has a place in your toolbox, it does have a couple of problems. So
let's go and take a minute and look at NBTstat.

Now before we dive into this I want to make sure you understand what I have here.

So this is a Windows desktop system; the desktop's underneath my table here.

And I've also drug in, and you can just barely see it, but I've got this little
laptop here too.

So I've got these two systems running modern versions of Windows.

They're plugged into the same switch underneath my table and I've got a little home
router that's really doing nothing more than acting as a DHCP server.

So with that setup in mind let's go ahead and go over to my desktop and let me show
you how that works.

Now here I've got a command prompt open, because NBTstat is a command prompt
command.

But what I first want to do is have you look over here on the right.

This is my little network.

This is the computer I'm on right now, called STUDIO. STUDENT-PC is the little laptop
right next to me, and we're plugged into this little home router.

We have no internet connection.

We don't need it for this one particular example.

Oh, and by the way, I'm running on the workgroup called WORKGROUP.

So to run NBTstat, just type nbtstat.

Now if you type it by itself, it's going to give us a help screen.

Now I need to warn you right now NBTstat is long in the tooth.

There's a lot of commands in here that simply don't work anymore.

So I'm not going to be covering them here we don't even really need them anymore.

However there are a number of really great tools and a lot of switches we are going
to use so let's go ahead and dive into the ones that I know work well.

Now you've got to keep in mind that every Windows system has what it calls its
registered names.

These are the names that it has sent out to the world and said, "This is who I am,"
and nobody came back and said, "Oh, that's my name too," or anything.

So the names are registered.

So you want to make sure that your system knows who he is.
And the best way to do that is through NBTstat using the -n switch.

So when I type nbtstat -n like this, you'll see a lot of stuff comes out.

Now what's interesting here is basically this is telling everybody what his workgroup
is, what his name is, and some of his functionality.

So for example on this first line you'll see the double zero. That means I
am a member of a workgroup called WORKGROUP. The computer name is called STUDIO, but
you'll see it's listed twice.

One of these is to say he's a workstation, he can read other people's shared folders,
and the other value means he's a server, which means he can actually share folders
up on the network.

These last three values are used by the browser managers.

When you have a Windows network, some one system has to have the main list, and you
can actually tell who the browser manager is because it has this listing right here.
You see here it says MSBROWSE.

That means in my little two-computer network, this guy right here is the browser
manager.

Now that tells me all about him.

But how does he know about other computers on the network?

Well, he has a cache built into him, so to see that cache, type nbtstat -c,
and right now you'll see there's no names in the cache.

That's OK, because we don't keep these caches very long, and after a very short
amount of time, one minute, two minutes, I don't remember exactly what it is,
the caches are dumped and we'll have to do a rebroadcast to get computer names. So
I've got to do something on this network to get my computer to talk to that STUDENT-PC.

So I'm just going to do something like net view.

All right.

Now he sees it.

And let's go ahead and ping him while we're at it.

I'm going to ping, what is this, STUDENT-PC.

So we get a little ping. I'm just trying to get some traffic moving in here, and now I
can rerun nbtstat -c.

And you'll see I have a listing for the other computer so that just gives you an
idea of the two tools we can use.

These are the two biggest tools you can use with NBTstat: running the -n and
making sure the names that you think this computer actually has are showing up in
the listing, and also making sure that some type of transaction goes on with another
machine to make sure it works.
So in this case everything worked beautifully.

Where these become more useful is when they make an error; then we know to start
looking.

Do I have a firewall in here?

Do I have a discovery protocol not turned on?

Did I forget to turn on IPv4 and I'm just using IPv6?

There's a lot of things that can happen.

And remember NBTstat's job is to simply let you know there's a problem.

You're going to have to dig for yourself to find it.

Now we could do a few more interesting things that can be very handy. For example, I
can take the NBTstat command now.

In this case what I'm going to do is I'm going to go talk to that other machine.

So here I'm going to say go to another computer with the -a switch,

and now what you're looking at is the actual registered information, not for my
computer but for this guy over here.

So this should look fairly similar.

Notice that we don't have that MSBROWSE at the bottom.

That's because this little laptop is not the browser manager.

The other guy is but it does show that this system is on the workgroup.

We see its name twice once with double zeros to let us know that it's a
workstation.

And once with a 20 to let it know it's a server.

So for example if we were trying to get to a shared folder on this guy and it
wasn't showing up with that 20 we would know that there's a problem on this system
where he thinks he's not sharing stuff.

So there could be a problem like for example the server service is a service so you
actually have to make sure it's turned on or off.

All right.

So that can be pretty handy.

Now I want to start showing you some of the problems that we run into with NBTstat
that can drive people batty.

One of them is a statistical function called -r, and basically this is just
statistics in terms of what it's been doing lately.
Now if you take a look here, you'll see the word STUDENT-PC in here a lot because,
well, I've been talking to him for a while, but you're also going to see a lot of
gobbledygook, literally ASCII gibberish, in here. NetBIOS was originally designed to
have a maximum of 15-character names, all uppercase, no spaces, no special characters.

It had a lot of rules.

So today's Windows systems, especially ones using LLMNR and such, they don't really
worry about that anymore.

It's not a problem.

However, they'll still try to update that same table, and poor NBTstat's never been
updated and he can't read them, so this is just an example of a great tool that's
getting a little bit old.

Also, if you take a look on this nbtstat -r, you'll see all these resolved by
broadcast, which is what we should see.

But then you see resolved by name server, in this case at 0.

Now you say, well OK, name server, maybe they mean DNS.

They don't.

They're actually talking about an ancient naming service called WINS, which I'm not
even going to get into anymore.

So we should only see things resolved and registered by broadcast and never ever
ever by server.

Ok.

Now there is one more thing we can actually do,

probably the only fix tool that we have built into NBTstat. Basically we can
do either, number one, take all your registered information and just rebroadcast it,
let everybody know who you are again because we've got a problem.

The other thing you can do is clear that cache, and you do that through the NBTstat
commands.

These are uppercase Rs.

So we can do nbtstat -R, and that is going to clear your remote cache
table, and then we can do an nbtstat -RR, and then all of your
registered information has been rebroadcast and reestablished out to the world.

So I guess I will have to back up a little bit and say NBTstat can be used in some
cases using the minus capital R or the minus capital RR to at least make a quick
chance that maybe there's a little problem that needs a little bit of fixing.

Also keep in mind that NBTstat really is a NetBIOS tool.

It doesn't really work that well with LLMNR, but you'll be surprised how often you
can find yourself turning to it to make those quick little fixes when you can't
find another computer out on your network.

NetBIOS is an old protocol that manages connections based on the names of the
computers within a LAN.

Link-Local Multicast Name Resolution (LLMNR) is a protocol that allows hosts to
perform name resolution for hosts on the same local link.

nbtstat is a diagnostic command that can be useful, but has some issues with LLMNR.
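
Added example (not part of the original transcript): a small Python parser that applies the reading of the nbtstat -n / -a name table described above, where <00> marks the workstation and workgroup names, <20> marks the server role, and the MSBROWSE row marks the browser manager. The sample tables are constructed to match the layout nbtstat prints; the function names are hypothetical.

```python
import re

# Constructed samples in the layout nbtstat prints; not captured from the lecture's machines.
HEADER = "       Name               Type         Status\n    " + "-" * 45 + "\n"
SAMPLE_STUDIO = HEADER + """\
    STUDIO         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    STUDIO         <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""
# Laptop table with the <20> row missing: the "he thinks he's not sharing" fault case.
SAMPLE_LAPTOP = HEADER + """\
    STUDENT-PC     <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered
"""

# One table row: name, two-hex-digit suffix, UNIQUE/GROUP, status.
ROW = re.compile(
    r"^[ \t]*(\S+)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\S+)", re.M
)

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples for every name-table row."""
    return [(n, s.upper(), t, st) for n, s, t, st in ROW.findall(text)]

def summarize(text):
    """Map the suffixes to the roles explained in the talk."""
    rows = parse_name_table(text)
    pick = lambda suffix, kind: sorted(
        {n for n, s, t, _ in rows if (s, t) == (suffix, kind)}
    )
    return {
        "computer": pick("00", "UNIQUE"),      # workstation name
        "workgroup": pick("00", "GROUP"),      # workgroup membership
        "server": bool(pick("20", "UNIQUE")),  # can share folders
        "browser_manager": any("__MSBROWSE__" in n for n, *_ in rows),
        "not_registered": [(n, s) for n, s, _, st in rows if st != "Registered"],
    }

if __name__ == "__main__":
    for label, sample in (("STUDIO", SAMPLE_STUDIO), ("STUDENT-PC", SAMPLE_LAPTOP)):
        print(label, summarize(sample))
```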
