
See what process is using a TCP port in Windows Server 2008

Windows administrators sometimes have to track down unexpected network traffic or an errant process and match the two up. Here are commands that aid in connectivity forensics at the port and process level.

You may find yourself frequently reaching for network tools to determine traffic patterns from one server to another; Windows Server 2008 (and earlier versions of Windows Server) can give you that information locally for the server's own connections. By combining the netstat and tasklist commands, you can determine which process is using a given port on the Windows Server.

The following command will show what network traffic is in use at the port level:

Netstat -a -n -o
The -a parameter includes listening ports as well as established connections, -n keeps addresses numeric (no reverse DNS lookups to slow the output down), and -o adds the process identifier (PID) that owns each socket. The command produces output similar to Figure A.

Figure A

With the PIDs listed in the netstat output, you can look up the owning process in Windows Task Manager (taskmgr.exe) or with the tasklist command, filtering on the PID from the previous step, for example tasklist /FI "PID eq 1812". In the example, ports 5800 and 5900 are held by PID 1812, so that query shows the process using those ports. Figure B shows this query. (Adding -b to netstat prints the executable name directly, but it requires an elevated prompt and is noticeably slower; the PID is also what lets you tell apart several processes that share the same image name.)

Figure B
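The two-step procedure above (netstat -a -n -o, then tasklist on each PID) can be scripted so that every port is listed beside the process that owns it. The following PowerShell script is an added example and is not code from the original article; it shells out to netstat.exe and tasklist.exe rather than using Get-NetTCPConnection, which does not exist on Windows Server 2008. The script name Find-PortOwner.ps1 and the -Port parameter are my own choices.

```powershell
# Find-PortOwner.ps1 (added example, not from the original article)
# Joins "netstat -a -n -o" with "tasklist /FI "PID eq N"" so each local
# port is shown next to the owning process name and PID.
param(
    [int[]]$Port = @()    # optional: restrict output to these local ports
)

# Parse netstat: Proto, Local Address, Foreign Address, [State], PID.
# UDP rows have no State column, so the PID is always the last field.
$connections = netstat -a -n -o |
    Where-Object { $_ -match '^\s*(TCP|UDP)\s' } |
    ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        $local = $f[1]
        # Local address is "ip:port" or "[ipv6]:port"; the port follows the last colon.
        $lport = [int]$local.Substring($local.LastIndexOf(':') + 1)
        $state = ''
        if ($f[0] -eq 'TCP') { $state = $f[3] }
        New-Object PSObject -Property @{
            Proto   = $f[0]
            Local   = $local
            Port    = $lport
            Foreign = $f[2]
            State   = $state
            PID     = [int]$f[-1]
        }
    }

if ($Port.Count -gt 0) {
    $connections = $connections | Where-Object { $Port -contains $_.Port }
}

# Resolve each PID once with tasklist. CSV output without headers gives
# "image","pid","session","session#","mem"; tasklist prints an INFO line
# (not CSV) when no process matches, which the filter below skips.
$names = @{}
foreach ($p in ($connections | Select-Object -ExpandProperty PID -Unique)) {
    $csv = tasklist /FI "PID eq $p" /FO CSV /NH 2>$null | Where-Object { $_ -match '^"' }
    $row = $csv | ConvertFrom-Csv -Header 'Image', 'PID', 'Session', 'SessionNum', 'Mem'
    if ($row) { $names[$p] = $row.Image } else { $names[$p] = '<exited>' }
}

$connections |
    Select-Object Proto, Local, Port, Foreign, State, PID,
        @{ Name = 'Process'; Expression = { $names[$_.PID] } } |
    Sort-Object Port, Proto |
    Format-Table -AutoSize
```

Run it as .\Find-PortOwner.ps1 to see every port, or .\Find-PortOwner.ps1 -Port 5800,5900 to check only the ports in question; the PID column is what you would hand to taskkill /PID if the owner turns out to be something that should not be there, and it stays unambiguous even when several processes share an image name.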

This identifies VNC as the process using the ports. A quick web search on the port numbers might suggest the same answer, but only the PID lookup tells you what is actually bound to the port on this server, which is what matters when you are trying to identify a malicious process that may be running on the Windows Server.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

20 comments
arjamit

Hi, I used this to stop some process that was holding my port. This is very useful and did work for me, but I had one issue with this. I have started multiple processes with the same name (I am running multiple servers and Java processes). I had many javaw processes; although I knew the name of the process, I still can't kill this. Windows 2003, cmd prompt, SP1. Thanks, Amit

sawaddell

Just use netstat -nab and it gives you the same info without having to use two different commands.

sqvare

netstat -a -n -b will list the PID and process.

Pat Mckeon

netstat -b will show all the info in one place... or am I missing something?

sevillanoeac

netstat -no -vb in Win Server 2003 will give you the process name right away, without the need for the tasklist tool, which does not come with the standard installation; you need to install the Windows Administrative Tools in order to get tasklist.

michael.leach

Does anyone know how to retrieve this information through Visual Basic or vbscript?

adekunlejob

Very interesting. Please, how does one stop a listening port that has been identified by the tasklist command?

bigQ123

You can also use TcpView from the Sysinternals guys at Microsoft TechNet to see the same information. It's a Windows-based application instead of command line. It keeps a live view on the connections, showing new ones in green highlight, closed connections in red highlight, and much more too. You really should download the Sysinternals Suite, as there are so many useful utilities in there.

AndrewFisher

If you just want to know the executable using the port you might find it easier just to use "netstat -b". Use "netstat /h" for more information on what netstat can do.

martin.weaver

If you add -b (so netstat -a -b -n -o) it also lists the executable used.

b4real

You don't get the PIDs; for more obscure processes or duplicate processes with the same names, it becomes more difficult to determine which one to kill.

gherardini

Or just go get the Tcpview.exe utility from the Sysinternals website, and it tells it to you in a GUI with the application already named.

ScottCopus

How do you stop a listening port? Just kill the process that has it open. But you can actually close just the port by using a third-party utility called Sysinternals TCPView. Just Google it.

techrepublic

Another amazing GUI tool that can be used is CPorts (http://www.nirsoft.net/utils/cports.html). It works even on Vista/W2008 x86/x64, is very small in size, and has a bunch of filters to list the processes. It's free and doesn't even have to be installed: just run the standalone program and it's done.

ascott

Use "portqry -local"; it works on any Windows OS. Search for portqry on Google; it's my favourite utility.

b4real

Definitely mucho handy.

sawaddell

Actually, you do get the PIDs.