
When I execute Netstat, I see over 20 unidentifiable ports connected or listening.

In Windows XP, the Task Manager shows the processes, but some are generic (SVCHOST.EXE). Execute Netstat and often as many as 20 ports are connected or listening. None of these processes are related to applications that I've intentionally launched. So how do I determine what is making contact to what? I can figure out some -- like one is for my antivirus auto-update. But which one is a virus? Which one is allowing access to my hard drive? Or listening for a DDoS command? From a security perspective, this makes me really nervous.
It makes me nervous, too, and there is no quick way to resolve the issue. Here's some help. First, in Windows XP there is a new switch for the netstat command, which will give you the PID, or Process ID, for the listening ports. At a command prompt enter:
netstat -a -o

This will display any listening ports and active connections, as well as the PID. Then open Task Manager and find the process that is using that PID. If Task Manager is not showing the PIDs, you can add that column by opening the "Add Columns" selection from the View menu and checking the PID box. (Also, by default you'll see the processes that you started versus those the system did.) More information can be found in How to determine which program uses or blocks specific TCP ports in Windows.

Once you have the process name, you may have to do a little research to find out what some of them are. Some you may know, others you can easily find by searching their location. If, for example, the executable is located in the program files folder for some software, it probably is part of that (but I'd check either on Microsoft's Web site or your original installation disk to make sure). If the process resides in your system root, you may have to do further research.

You also mention SVCHOST.EXE, which is a process that hosts multiple processes. (This makes more efficient use of resources.) It is instructive to learn what processes those are, not only from a security perspective, but also for troubleshooting needs. The Microsoft Windows Scripting Guide provides information on how SVCHOST is used and sample scripts that can be used to enumerate the processes running within. You can also find information on which processes are run in SVCHOST by checking the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. This location is checked by the system at boot to determine what to load in which SVCHOST process.

The simplest solution, however, is to issue the following command at the command prompt:
tasklist /svc

This will list the processes running on the system, the PID, and for each instance of SVCHOST, enumerate the services running within it.

Finally, for use on all systems, you might want to invest in a good port analysis tool. A good, free-to-download tool is Vision1.
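The manual lookup described above (PID from netstat, then image name and hosted services from tasklist /svc) can be done in one pass over saved output. The following is an added example, not part of the original answer; the sample text is constructed, laid out as netstat with -n and -o and tasklist /svc print it, and updater.exe is a hypothetical process name.

```python
import re

# Constructed sample output, not captured from a real host.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     2216
  UDP    0.0.0.0:1900           *:*                                    1024
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  932 RpcSs
svchost.exe                 1024 Dnscache, SSDPSRV,
                                 LmHosts
updater.exe                 2216 N/A
"""
ROW = re.compile(r"^(\S.*?)\s+(\d+) (.*)$")  # image name, PID, services

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid); UDP rows have no State column."""
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            yield f[0], f[1], f[2], (f[3] if len(f) == 5 else ""), int(f[-1])

def split_services(text):
    names = (s.strip() for s in text.split(","))
    return [s for s in names if s and s != "N/A"]

def parse_tasklist(text):
    """Return {pid: (image, [services])}, folding wrapped service lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), split_services(m.group(3)))
        elif line.startswith(" ") and last is not None:
            procs[last][1].extend(split_services(line))  # continuation row
    return procs

def join(netstat_text, tasklist_text):
    """One row per socket: (proto, local, state, pid, image, services)."""
    procs = parse_tasklist(tasklist_text)
    return [(proto, local, state, pid) + procs.get(pid, ("<unknown>", []))
            for proto, local, _, state, pid in parse_netstat(netstat_text)]

if __name__ == "__main__":
    for r in join(NETSTAT, TASKLIST):
        print("%-4s %-20s %-12s %5d %-12s %s" % (r[:5] + (", ".join(r[5]),)))
```

A socket whose PID does not appear in the tasklist output is reported as `<unknown>`, which is the row to research first.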
