
Determine which ports a specific process on Windows is using


Question:

I suspect that a newly installed application may be listening on some ports and acting as a backdoor. How can I determine which ports a specific process on Windows is using?

Answer:

Windows does have the means to show you this. The following steps assume that the application is running on your computer and that you are using Windows XP. Older Windows versions do not have all of these tools (e.g. the command-line tasklist tool is missing, and NETSTAT does not support all the same parameters), but the steps are basically the same, e.g. for Windows 2000.

The example inspects Yahoo Messenger (YPager.exe).


  1. Find out the process ID (PID) of your running application. You can use the Task Manager for that, or the command line:
    [c:\] tasklist | findstr YPager*

    This will show you the PID in the second column. (Try tasklist /fi "IMAGENAME eq YPager.exe" as an alternative; it will include the column headers.)

  2. Now use the PID (in our example, it was 7200) with the NETSTAT tool:
    [c:\] netstat -ano | findstr 7200
      TCP    0.0.0.0:4161           0.0.0.0:0              LISTENING     7200
      TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING     7200
      TCP    192.168.0.9:4161       216.155.193.165:5050   ESTABLISHED   7200
      UDP    127.0.0.1:4172         *:*                                  7200
    
  3. This means Yahoo Messenger is listening on ports 4161 and 5101 on all addresses of this machine. It also has an established connection with 216.155.193.165. To find out who is behind 216.155.193.165, use NSLOOKUP:
    nslookup 216.155.193.165
    Name:    cs38.msg.dcn.yahoo.com
    Address:  216.155.193.165
    I guess that is ok. You could also have tried netstat -a, which shows you all connections with the IP addresses already resolved to names. Don't try this on a PC where Peer-to-Peer (P2P) software like eDonkey, Kazaa or WinMX is running: you'll have to wait *very* long if your P2P system works as designed. :-)
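The steps above can be scripted. The following Python example is added here and is not part of the original article: it parses the `netstat -ano` output format shown in step 2, keeps only the rows whose PID column matches (unlike `findstr 7200`, it will not mistake a port 7200 on some other process for a match), and flags listening sockets bound to all interfaces. The sample output is the article's own Yahoo Messenger rows plus one constructed row for a PID 924 so the filter is exercised.

```python
import subprocess
import sys

# Sample `netstat -ano` output: the article's Yahoo Messenger rows (PID 7200) plus one
# constructed row for another PID (924) so that the PID filter is actually exercised.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:4161           0.0.0.0:0              LISTENING       7200
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING       7200
  TCP    192.168.0.9:4161       216.155.193.165:5050   ESTABLISHED     7200
  UDP    127.0.0.1:4172         *:*                                    7200
"""

ALL_INTERFACES = {"0.0.0.0", "[::]"}  # bound on every interface, i.e. reachable from the network

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); also handles '*:*' and IPv6 '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    """Yield one dict per connection row of `netstat -ano` output, skipping headers."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last token.
        state = parts[3] if parts[0] == "TCP" else ""
        yield {"proto": parts[0], "local": parts[1], "foreign": parts[2],
               "state": state, "pid": int(parts[-1])}

def ports_for_pid(text, pid):
    """Return (listening, established) for one PID: listening entries are
    (proto, host, port, exposed_to_network); established entries are (local, remote)."""
    listening, established = [], []
    for row in parse_netstat(text):
        if row["pid"] != pid:
            continue
        host, port = split_endpoint(row["local"])
        if row["proto"] == "UDP" or row["state"] == "LISTENING":
            listening.append((row["proto"], host, port, host in ALL_INTERFACES))
        elif row["state"] == "ESTABLISHED":
            established.append((row["local"], row["foreign"]))
    return listening, established

if __name__ == "__main__":
    # On a Windows machine: python netstat_pid.py 7200  (runs the real netstat -ano)
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    print(ports_for_pid(out, int(sys.argv[1])))
```

Run against the sample, PID 7200 yields the two TCP listeners and the UDP socket as listening (the two on 0.0.0.0 flagged as exposed) and the one established session to 216.155.193.165:5050.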


If you need to do this kind of analysis a lot, you may want to check out a handy tool like TCPView, freeware from Sysinternals: http://www.sysinternals.com/ntw2k/source/tcpview.shtml

