By taking advantage of hardcoded named pipes allowed for NULL sessions and using the property of MSRPC that, by default, all available RPC interfaces in a process can be reached using any opened endpoint, it is possible to anonymously enumerate Windows services and read the Application and System eventlogs of a remote Windows NT 4.0 or Windows 2000 system.
2bb873f5988aeb3ade45cf990ed9c3c66d76a67a398e497b3f4c007ab913879a