File Types (37)
Internet Explorer (80)
About this site
Links to us
Determine which ports a specific process on Windows is using
This article has not been rated yet. After reading, feel free to leave comments and rate it.
Question: I suspect that a newly installed application may be listening on some ports and act as a backdoor. How can I determine which ports a specific process on Windows is using?
Answer: Windows does have the means to show you this. The following steps assume that your application is running on your computer and that you have Windows XP. Older Windows versions do not have all those tools e.g. the commandline task list tool and NETSTAT has not all the same parameters, but the steps are basically the same e.g. for Windows 2000.
The example inspects Yahoo Messenger (YPager.exe).
- Find out the process ID (PID) associated with your running application. You can use the task manager for that or from the command line:
[c:\] tasklist | findstr YPager*
This will show you the PID in the second column. (Try tasklist /fi "IMAGENAME eq YPager.exe" as an alternative; it will include the column headers.
- Now use the PID (in our example, it was 7200) and the NETSTAT tool.
[c:\] netstat -ano | findstr 7200
TCP 0.0.0.0:4161 0.0.0.0:0 LISTENING 7200
TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING 7200
TCP 192.168.0.9:4161 18.104.22.168:5050 ESTABLISHED 7200
UDP 127.0.0.1:4172 *:* 7200
- This means Yahoo Messenger is listening on ports 4161 and 5101 for all addresses of this machine. It has an established connection with 22.214.171.124. To find out who is behind this 126.96.36.199, use NSLOOKUP:
I guess that is ok. You could also have tried netstat -a which shows you all connections, and with the IP numbers already resolved to names. Don't try this on a PC where Peer-to-Peer software (P2P) like edonkey, Kazaa or WinMX is running. You'll have to wait *very* long if your P2P system works as designed. :-)
If you need to do this kind of analysis a lot, you may want to check out a handy tool like TCPView - Freeware from Systernals. http://www.sysinternals.com/ntw2k/source/tcpview.shtml