Windows DevCenter    
 Published on Windows DevCenter (http://www.windowsdevcenter.com/)


Watching Ports with Port Reporter

by Mitch Tulloch, author of Windows Server Hacks
07/19/2005

Port Reporter is another cool tool from Redmond. It runs as a service in Windows XP/2003 (and also in Windows 2000 but with less functionality) and records information about which TCP and UDP ports are active on your system. Port Reporter also tells you the Windows processes that are using these ports and the security context under which each process is running. You can use Port Reporter to monitor port usage for security reasons and for troubleshooting network connectivity problems.

To get started with Port Reporter, you first need to download it from the Microsoft Download Center. After extracting the files in the zipped download package, run pr-setup.exe to install portreporter.exe as a Windows service, making sure you've closed all administrative consoles first. Once the tool is installed, it shows up in the Services console as a service named Port Reporter with a Manual startup type and in an initial Stopped state.

Figure 1. Initial state of the Port Reporter service after installation

Right-click on the service and select Start to start it. Once the service is running, three log files are created in the directory %SystemRoot%\System32\LogFiles\PortReporter:

Figure 2. Log files created by Port Reporter

The PR-INITIAL log (the actual filename includes a suffix that identifies the date and time that the file was created) summarizes the ports, processes, and modules running on your machine when Port Reporter is started. This log can be quite long, but it is very informative. On a test machine running Windows XP SP2, the first part of the log looks like this:


Port Reporter Version 1.01 Log File

Service initialization log

System Date: Wed Jul 06 13:44:04 2005


Local computer name:

 TEST

Operating System: Windows XP

TCP/UDP Port to Process Mappings at service start-up

15 mappings found

PID:Process    Port        Local IP        State       Remote IP:Port
4:System       TCP 445     0.0.0.0         LISTENING    0.0.0.0
4:System       TCP 139     172.16.16.150   LISTENING    0.0.0.0
4:System       UDP 445     0.0.0.0           *:*
4:System       UDP 137     172.16.16.150     *:*
4:System       UDP 138     172.16.16.150     *:*
392:alg.exe    TCP 1025    127.0.0.1       LISTENING    0.0.0.0
932:lsass.exe  UDP 500     0.0.0.0           *:*
932:lsass.exe  UDP 4500    0.0.0.0           *:*
1196:svchost.exe   TCP 135    0.0.0.0      LISTENING    0.0.0.0
1308:svchost.exe   UDP 123    127.0.0.1      *:*
1308:svchost.exe   UDP 123    172.16.16.150  *:*
1460:svchost.exe   UDP 1029   0.0.0.0        *:*
1460:svchost.exe   UDP 1049   0.0.0.0        *:*
1500:svchost.exe   UDP 1900   127.0.0.1      *:*
1500:svchost.exe   UDP 1900   172.16.16.150  *:*

After this comes detailed information for each process identified above, which in this particular case is almost 50 pages of text.

The PR-PORTS log summarizes any changes to TCP/UDP port activity since the service started, and initially looks like this:


Port Reporter Version 1.01 Log File - Port usage log

Check PR-PIDS-05-07-6-13-44-4.log for corresponding process data

Log format:
date,time,protocol,local port,local IP address,remote port,remote 
IP address,PID,module,user context

Obviously not much has happened since the Port Reporter service was started (no new ports have been opened yet), so let's look at the third and last log this tool creates, namely PR-PIDS.

The PR-PIDS log summarizes the ports, processes, and modules associated with each port entry in the PR-PORTS log, so this file too doesn't have anything in it yet except headers:

Port Reporter Version 1.01 Log File

Process detail log

System Date: Wed Jul 06 13:44:04 2005


Local computer name:

 TEST

Operating System: Windows XP

Let's now get some port activity going on our test system. After enabling Remote Desktop on the system, I used Remote Desktop Connection (mstsc.exe) from another XP machine to establish a terminal services session with the test machine. Opening the PR-PORTS file should show some new port activity now, and it does:


Port Reporter Version 1.01 Log File - Port usage log

Check PR-PIDS-05-07-6-13-44-4.log for corresponding process data

Log format:
date,time,protocol,local port,local IP address,remote port,remote 
IP address,PID,module,user context

05/7/6,13:52:1,TCP,3389,0.0.0.0,,0.0.0.0,1096,svchost.exe,
   <NT AUTHORITY\SYSTEM>
05/7/6,13:52:2,TCP,3389,172.16.16.150,1486,172.16.16.100,1096,svchost.exe,
   <NT AUTHORITY\SYSTEM>
05/7/6,13:52:4,UDP,1088,0.0.0.0,*,*,1540,rdpclip.exe,<TEST\Administrator>

As expected, a connection was established on TCP port 3389, which is the standard port that Remote Desktop sessions use. In addition, the RDP Clip Monitor on the test system (rdpclip.exe) opens an ephemeral UDP port to support copying and pasting between the remote desktop and the local console on the remote client machine.
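
The PR-PORTS records shown above lend themselves to scripted review. The following Python sketch is an added example, not part of the original article or of Port Reporter: it parses the ten comma-separated fields, joins the wrapped continuation lines as they are printed here, and lists ports that were not open in the PR-INITIAL start-up mappings. The names parse_pr_ports, new_ports, PortEvent and BASELINE are made up for this illustration.

```python
import re
from collections import namedtuple
from datetime import datetime

# Ports already open at service start, from the PR-INITIAL listing above.
BASELINE = {"TCP": {135, 139, 445, 1025},
            "UDP": {123, 137, 138, 445, 500, 1029, 1049, 1900, 4500}}

# PR-PORTS records as printed above, wrapped continuation lines included.
SAMPLE = r"""Log format:
date,time,protocol,local port,local IP address,remote port,remote
IP address,PID,module,user context

05/7/6,13:52:1,TCP,3389,0.0.0.0,,0.0.0.0,1096,svchost.exe,
   <NT AUTHORITY\SYSTEM>
05/7/6,13:52:2,TCP,3389,172.16.16.150,1486,172.16.16.100,1096,svchost.exe,
   <NT AUTHORITY\SYSTEM>
05/7/6,13:52:4,UDP,1088,0.0.0.0,*,*,1540,rdpclip.exe,<TEST\Administrator>
"""

# remote is "ip:port" for a connection, "" for a listener or UDP bind.
PortEvent = namedtuple(
    "PortEvent", "when proto local_port remote pid module user")

def parse_pr_ports(text):
    """Yield one PortEvent per record; banner and header lines are skipped."""
    logical = []
    for line in text.splitlines():
        if line[:1].isspace() and logical:   # wrapped tail of previous record
            logical[-1] += line.strip()
        elif line.strip():
            logical.append(line.strip())
    for fields in (l.split(",", 9) for l in logical):
        if len(fields) != 10 or not re.fullmatch(r"\d+/\d+/\d+", fields[0]):
            continue
        date, time, proto, lport, _lip, rport, rip, pid, module, user = fields
        # Dates are yy/m/d and times h:m:s, both without zero padding.
        when = datetime.strptime(f"{date} {time}", "%y/%m/%d %H:%M:%S")
        remote = f"{rip}:{rport}" if rport.isdigit() else ""
        yield PortEvent(when, proto, int(lport), remote, int(pid), module,
                        user.strip("<>"))

def new_ports(events, baseline=BASELINE):
    """Return (proto, port, module, user) for ports not open at start-up."""
    return sorted({(e.proto, e.local_port, e.module, e.user) for e in events
                   if e.local_port not in baseline.get(e.proto, set())})
```

The PID in each event is the key for looking up the matching section in the PR-PIDS log.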

Now let's look at what the PR-PIDS log says about these three records of port activity. (Most of the module information has been deleted.) The PR-PORTS log has three records, and the PR-PIDS log similarly has three sections. Let's look at the first portion of this log, which shows the establishment of the Remote Desktop session on TCP port 3389:


Port Reporter Version 1.01 Log File

Process detail log

System Date: Wed Jul 06 13:44:04 2005


Local computer name:

 TEST

Operating System: Windows XP


======================================================

Log number: 1

Log entry below recorded at: 05/7/6,13:52:1

======================================================

Process ID: 1096 (svchost.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

PID	Port           Local IP        State         Remote IP:Port
1096    TCP 3389   0.0.0.0         LISTENING     0.0.0.0
1096    TCP 3389   172.16.16.150   ESTABLISHED   172.16.16.100:1486

Port Statistics

TCP mappings: 2
UDP mappings: 0

TCP ports in a LISTENING state: 	1 = 50.00%
TCP ports in a ESTABLISHED state: 	1 = 50.00%

Loaded modules:
C:\WINDOWS\system32\svchost.exe (0x01000000)

C:\WINDOWS\system32\ntdll.dll (0x7C900000)
C:\WINDOWS\system32\kernel32.dll (0x7C800000)
C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
C:\WINDOWS\system32\RPCRT4.dll (0x77E70000)
C:\WINDOWS\system32\ShimEng.dll (0x5CB70000)
C:\WINDOWS\AppPatch\AcGenral.DLL (0x6F880000)
C:\WINDOWS\system32\USER32.dll (0x77D40000)
C:\WINDOWS\system32\GDI32.dll (0x77F10000)
C:\WINDOWS\system32\WINMM.dll (0x76B40000)
C:\WINDOWS\system32\ole32.dll (0x774E0000)
C:\WINDOWS\system32\msvcrt.dll (0x77C10000)
C:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
C:\WINDOWS\system32\MSACM32.dll (0x77BE0000)
C:\WINDOWS\system32\VERSION.dll (0x77C00000)
C:\WINDOWS\system32\SHELL32.dll (0x7C9C0000)
C:\WINDOWS\system32\SHLWAPI.dll (0x77F60000)
C:\WINDOWS\system32\USERENV.dll (0x769C0000)
C:\WINDOWS\system32\UxTheme.dll (0x5AD70000)
C:\WINDOWS\system32\comctl32.dll (0x5D090000)
C:\WINDOWS\system32\NTMARTA.DLL (0x77690000)
C:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
C:\WINDOWS\system32\SAMLIB.dll (0x71BF0000)
c:\windows\system32\rpcss.dll (0x76A80000)
c:\windows\system32\Secur32.dll (0x77FE0000)
c:\windows\system32\WS2_32.dll (0x71AB0000)
c:\windows\system32\WS2HELP.dll (0x71AA0000)
C:\WINDOWS\system32\xpsp2res.dll (0x20000000)
C:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000)
C:\WINDOWS\system32\COMRes.dll (0x77050000)
c:\windows\system32\termsrv.dll (0x760F0000)
c:\windows\system32\ICAAPI.dll (0x74F70000)
c:\windows\system32\SETUPAPI.dll (0x77920000)
C:\WINDOWS\system32\WINTRUST.dll (0x76C30000)
C:\WINDOWS\system32\CRYPT32.dll (0x77A80000)
C:\WINDOWS\system32\MSASN1.dll (0x77B20000)
C:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
c:\windows\system32\AUTHZ.dll (0x776C0000)
c:\windows\system32\mstlsapi.dll (0x75110000)
c:\windows\system32\ACTIVEDS.dll (0x77CC0000)
c:\windows\system32\adsldpc.dll (0x76E10000)
C:\WINDOWS\system32\NETAPI32.dll (0x5B860000)
c:\windows\system32\ATL.DLL (0x76B20000)
C:\WINDOWS\system32\REGAPI.dll (0x76BC0000)
C:\WINDOWS\system32\rsaenh.dll (0x0FFD0000)
C:\WINDOWS\system32\Apphelp.dll (0x77B40000)
C:\WINDOWS\system32\msv1_0.dll (0x77C70000)
C:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
C:\WINDOWS\system32\rdpwsx.dll (0x72460000)
C:\WINDOWS\system32\WINSPOOL.DRV (0x73000000)

We can see from the above that a Remote Desktop session has been established on TCP port 3389 between the remote client 172.16.16.100 and the target 172.16.16.150, and we can also see all the processes and modules involved in this activity.

Additional Resources

Once you start playing around with Port Reporter, you'll probably realize that interpreting the logs it creates can be challenging. So to make life easier for you, Microsoft has created a tool called Port Reporter Parser that you can download and use to simplify such analysis.

Finally, if you want to focus on the activity of only a single port (or a group of ports used by a certain process), you can use an older tool called PortQry, and there's a GUI called PortQryUI you can download for this as well.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.



Copyright © 2009 O'Reilly Media, Inc.