processes for FreeBSD, Solaris, and Linux. If UNIX hosts can correlate
ports to processes, shouldn't Windows Server be able to as well?
Beginning with Windows 2000, it can. Our host details for this are:
    HOSTS:  redmond
    PROMPT: redmond C:\>
    OS:     Windows Server 2008

With Windows 2000 (Win2k), Microsoft added the '-o' flag to 'netstat.exe',
allowing netstat to display the PID associated with the connection:
    redmond C:\> netstat -nao

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       780
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1220
      <snip...>

Since we have the PIDs of the processes, we can use 'tasklist.exe' to
determine the process name (executable) relative to a particular PID:
    redmond C:\> tasklist /FI "PID eq 780"

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    sshd.exe                       780 Services                   0      5,628 K

Yes, I'm strange: I sometimes install and run 'sshd' on Windows hosts.
Moving along. In Windows 2003 (Win2k3) and Windows 2008 (Win2k8),
Microsoft added the '-b' flag to 'netstat.exe'. This flag will identify
the specific executable, and optionally, a particular executable
component, associated with the network port in question. This saves us
from having to run 'tasklist.exe' separately to get the same info:
    redmond C:\> netstat -naob

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       780
     [sshd.exe]
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      RpcSs
     [svchost.exe]
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
     Can not obtain ownership information
      TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1220
      Dnscache
     [svchost.exe]
      <snip...>
      TCP    [::]:49157             [::]:0                 LISTENING       608
     [services.exe]
      UDP    0.0.0.0:123            *:*                                    1132
      W32Time
     [svchost.exe]
      UDP    0.0.0.0:500            *:*                                    1032
      IKEEXT
     [svchost.exe]
      UDP    0.0.0.0:4500           *:*                                    1032
      IKEEXT
     [svchost.exe]
      UDP    0.0.0.0:5355           *:*                                    1220
      Dnscache
     [svchost.exe]
      <snip...>

When using '-b', 'netstat.exe' will display the executable and optional
component, each on a separate line, immediately following the related
connection. Occasionally, as seen above, we may get the following error:

    Can not obtain ownership information

seen in this case relative to the process listening on port 445:

    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4

Stepping back to 'tasklist.exe', we can filter on PID 4 to identify it:

    redmond C:\> tasklist /FI "PID eq 4"

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System                           4 Services                   0      2,224 K
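As an added example that is not part of the original post, here is a small Python parser for 'netstat -naob' output in the layout shown above; the sample listing and the PID-to-image map are constructed from the post's values, not captured from a host. It attaches the executable and component lines to the connection they follow, flags the "Can not obtain ownership information" case, and falls back to a tasklist-style PID lookup for those entries, as done above for PID 4.

```python
# Added example (not from the original post): parse 'netstat -naob' output,
# attaching the executable/component lines that follow each connection.
import re
# Constructed sample of 'netstat -naob' output, modelled on the post's listing.
NETSTAT_NAOB = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       780
 [sshd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  UDP    0.0.0.0:123            *:*                                    1132
  W32Time
 [svchost.exe]
"""
# Constructed stand-in for 'tasklist' output: PID -> image name.
TASKLIST = {4: "System", 780: "sshd.exe", 884: "svchost.exe", 1132: "svchost.exe"}
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")
OWNER_ERR = "Can not obtain ownership information"

def parse_netstat_b(text, tasklist=None):
    """One dict per connection line. Component (e.g. RpcSs) and [image] lines
    are attached to the preceding connection; an ownership error leaves image
    None, which is filled from the tasklist map (PID -> image) if given."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            records.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state, "pid": int(pid), "component": None,
                            "image": None, "owner_error": False})
            continue
        if not records:
            continue  # header line before the first connection
        cur = records[-1]
        if line.strip() == OWNER_ERR:
            cur["owner_error"] = True  # e.g. PID 4 (System) on port 445
        elif IMAGE_RE.match(line):
            cur["image"] = IMAGE_RE.match(line).group(1)
        elif line.strip() and cur["image"] is None and not cur["owner_error"]:
            cur["component"] = line.strip()  # service component in svchost.exe
    if tasklist:  # fall back to 'tasklist /FI "PID eq N"' for unresolved images
        for r in records:
            if r["image"] is None:
                r["image"] = tasklist.get(r["pid"])
    return records
```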
see also:
Network Ports and Processes