Q

When I execute Netstat, I see over 20 unidentifiable ports connected or listening.

In Windows XP, the Task Manager shows the processes, but some are generic (SVCHOST.EXE). Execute Netstat and often as many as 20 ports are connected or listening. None of these processes are related to applications that I've intentionally launched. So how do I determine what is making contact to what? I can figure out some -- like one is for my antivirus auto-update. But which one is a virus? Which one is allowing access to my hard drive? Or listening for a DDoS command? From a security perspective, this makes me really nervous.
It makes me nervous, too, and there is no quick way to resolve the issue. Here's some help. First, in Windows XP there is a new switch for the netstat command, which will give you the PID, or Process ID, for the listening ports. At a command prompt enter:
netstat -a -o

This will display any listening ports and active connections, as well as the PID. Then open Task Manager and find the process that is using that PID. If Task Manager is not showing the PIDs, you can add that column by opening the "Select Columns" selection from the View menu and checking the PID box. (Also, by default you'll see the processes that you started, not those the system started.) More information can be found in the Microsoft article How to determine which program uses or blocks specific TCP ports in Windows.

Once you have the process name, you may have to do a little research to find out what some of them are. Some you may know, others you can easily find by searching their location. If, for example, the executable is located in the program files folder for some software, it probably is part of that (but I'd check either on Microsoft's Web site or your original installation disk to make sure). If the process resides in your system root, you may have to do further research.

You also mention SVCHOST.EXE, which is a process that hosts multiple processes. (This makes more efficient use of resources.) It is instructive to learn what processes those are, not only from a security perspective, but also for troubleshooting needs. The Microsoft Windows Scripting Guide provides information on how SVCHOST is used and sample scripts that can be used to enumerate the processes running within. You can also find information on which processes are run in SVCHOST by checking the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. This location is checked by the system at boot to determine what to load in which SVCHOST process.

The simplest solution, however, is to issue the following command at the command prompt:
tasklist /svc

This will list the processes running on the system, the PID, and for each instance of SVCHOST, enumerate the services running within it.
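To tie the two commands together, here is an added example (not part of the original answer) that parses the text `netstat -a -o` and `tasklist /svc` print on Windows XP and joins them on the PID, so each listening port or connection is shown with the process behind it and, for SVCHOST, the services it hosts. The two sample outputs are constructed to match the XP format, not captured from a real machine; on a live system you would paste in the real command output. The example also handles the two things that trip people up when doing this by hand: long SVCHOST service lists wrap onto indented continuation lines in tasklist, and a PID netstat reports can be missing from tasklist when the process exits between the two commands.

```python
"""Join `netstat -a -o` (socket -> PID) with `tasklist /svc` (PID -> image, hosted
services) so every listening port is shown with its owning process.  Sample data is
constructed to match the Windows XP output format, not captured from a real host."""
import re
from dataclasses import dataclass, field

# Constructed `netstat -a -o` output. Note that UDP rows have no State column.
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       844
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3271      203.0.113.7:80         ESTABLISHED     1840
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2300
  UDP    0.0.0.0:123            *:*                                    1012
  UDP    127.0.0.1:1900         *:*                                    1284
"""

# Constructed `tasklist /svc` output. Long service lists wrap onto indented lines.
TASKLIST_SAMPLE = """Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  844 RpcSs
svchost.exe                 1012 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, lanmanserver,
                                 W32Time, winmgmt
svchost.exe                 1284 SSDPSRV, WebClient
iexplore.exe                1840 N/A
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str            # empty string for UDP, which has no state
    pid: int
    image: str = "<unknown>"
    services: list = field(default_factory=list)


def parse_netstat(text):
    """Parse the rows that follow the 'Proto' header of `netstat -a -o`."""
    sockets, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "Proto":
            in_table = True
        elif in_table and parts and parts[0] in ("TCP", "UDP"):
            # TCP rows: Proto Local Foreign State PID; UDP rows have no State field
            state, pid = (parts[3], parts[4]) if parts[0] == "TCP" else ("", parts[3])
            addr, port = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 literals intact
            sockets.append(Socket(parts[0], addr, int(port), parts[2], state, int(pid)))
    return sockets


_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split_services(s):
    return [n for n in (x.strip() for x in s.split(",")) if n and n != "N/A"]


def parse_tasklist(text):
    """Parse `tasklist /svc` into {pid: {"image": ..., "services": [...]}}.
    Indented lines are wrapped continuations of the previous row's service list."""
    procs, last_pid, past_header = {}, None, False
    for line in text.splitlines():
        if line.startswith("====="):           # separator under the column headers
            past_header = True
        elif past_header and line.strip():
            if line[0].isspace() and last_pid is not None:
                procs[last_pid]["services"].extend(_split_services(line))
            else:
                m = _ROW.match(line)
                if m:
                    last_pid = int(m.group("pid"))
                    procs[last_pid] = {"image": m.group("image").rstrip(),
                                       "services": _split_services(m.group("svcs"))}
    return procs


def correlate(netstat_text, tasklist_text):
    """Attach the image name and hosted services to each socket, keyed on PID."""
    procs = parse_tasklist(tasklist_text)
    sockets = parse_netstat(netstat_text)
    for s in sockets:
        if s.pid in procs:
            s.image = procs[s.pid]["image"]
            s.services = list(procs[s.pid]["services"])
    return sockets


def listeners(sockets):
    """Sockets that accept inbound traffic: LISTENING TCP plus every bound UDP port."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def unresolved(sockets):
    """PIDs netstat reported but tasklist did not: the process exited between the two
    commands (rerun them back to back) or tasklist was run with insufficient rights."""
    return [s for s in sockets if s.image == "<unknown>"]


if __name__ == "__main__":
    for s in listeners(correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(s.proto, s.local_port, s.pid, s.image, ", ".join(s.services) or "-")
```

In the constructed data, TCP 135 resolves to the SVCHOST instance hosting RpcSs, the UDP 123 socket resolves to the SVCHOST instance whose eleven services span three tasklist lines, and TCP 5555 (PID 2300) shows up in `unresolved()` because no tasklist row carries that PID, which is the cue to run both commands again immediately one after the other.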

Finally, for use on all systems, you might want to invest in a good port analysis tool. A good, free-to-download tool is Vision.

This was first published in February 2003
