# Deep inside the COM: Reading Windows ROT Without Asking Permission. Detective story

DEV Community·Pastukhov Aleksey·23 days ago

This is Part 4 of the "Inside the Running Object Table" series. Parts 1-3 covered the public COM API and rpcss internals. This one is about going further, and getting it wrong several times before getting it right.

## The goal

`GetRunningObjectTable()` returns 15 entries on my machine. We wanted to read the same table without calling that function at all: directly from rpcss memory, without ole32 or ALPC, with raw `ReadProcessMemory`.

The motivation: the public API filters. AppContainer entries disappear. Security policy silently drops others. We wanted the unfiltered view.

Simple idea. The path turned out to be anything but simple.

## Phase 1. Ghidra and the structure hunt

We opened rpcss.dll in Ghidra, loaded the PDB from Microsoft's symbol server, and searched for ROT in the Symbol Table:

```
CScmRotEntry::GetAllowAnyClient
CScmRotEntry::GetProcessID
CScmRotEntry::IsValid
CScmRotMgotEntryBase::CScmRotMgotEntryBase
```

Not `CROTEntry`. `CScmRotEntry`. SCM: Service Control Manager.…
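The filtered baseline the goal section compares against is the documented API. The script below is an added example, not code from the post or its author: it enumerates the Running Object Table through `GetRunningObjectTable`, `IRunningObjectTable::EnumRunning` and `IMoniker::GetDisplayName`, so you can record what the public view shows on a given machine (the post's "15 entries") before any comparison with a lower-level view. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the class name `RotBaseline` and the output format are this example's own choices.

```powershell
# Added example (not from the original post): list the ROT through the public
# COM API. This is the filtered view the post describes; AppContainer entries
# and policy-dropped entries will not appear here.
$source = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

public static class RotBaseline
{
    [DllImport("ole32.dll")]
    static extern int GetRunningObjectTable(int reserved, out IRunningObjectTable prot);

    [DllImport("ole32.dll")]
    static extern int CreateBindCtx(int reserved, out IBindCtx ppbc);

    // Returns the display name of every moniker the public API exposes to this caller.
    public static List<string> GetDisplayNames()
    {
        List<string> names = new List<string>();
        IRunningObjectTable rot;
        IBindCtx ctx;
        Marshal.ThrowExceptionForHR(GetRunningObjectTable(0, out rot));
        Marshal.ThrowExceptionForHR(CreateBindCtx(0, out ctx));

        IEnumMoniker enumerator;
        rot.EnumRunning(out enumerator);
        enumerator.Reset();

        IMoniker[] batch = new IMoniker[1];
        try
        {
            // Next returns S_OK (0) while an item was fetched and S_FALSE (1) at the end.
            // pceltFetched may be NULL when celt is 1, hence IntPtr.Zero.
            while (enumerator.Next(1, batch, IntPtr.Zero) == 0)
            {
                string name;
                batch[0].GetDisplayName(ctx, null, out name);
                names.Add(name);
                Marshal.ReleaseComObject(batch[0]);
            }
        }
        finally
        {
            Marshal.ReleaseComObject(enumerator);
            Marshal.ReleaseComObject(ctx);
            Marshal.ReleaseComObject(rot);
        }
        return names;
    }
}
'@

# Add-Type compiles the C# once per session; re-running in the same session
# reports that the type already exists, which is harmless.
Add-Type -TypeDefinition $source

$entries = [RotBaseline]::GetDisplayNames()
"Public API view: $($entries.Count) entries"
$entries | Sort-Object | ForEach-Object { "  $_" }
```

The count printed here is the number to keep for comparison: if a later, unfiltered view of the same table shows more entries, the difference is exactly the set the public API withholds from this caller (AppContainer entries and anything dropped by security policy). Display names are the only per-entry data the public API hands back, so this baseline cannot show the owning process ID or the `AllowAnyClient` flag that the rpcss symbols above refer to.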
