Thursday, July 9, 2009

Check which process is using which port in Windows

Ports are used all the time. Some are standardized (25 for SMTP), and others are dynamic. I ran into an issue setting up a TFTP server yesterday where it said it couldn't start because another process was already using the port, even though I couldn't think of any programs I had running that would have had it in use. I had to investigate, and since it is simple, I thought I'd share the process. Also, matching ports to processes can help catch or track down spyware/malware, which typically uses some type of Internet connection.

1. Open a command prompt. You can do this by going to Start->Run, typing "cmd", and pressing OK.
2. Run the command "netstat -a -n -o". This will list all active ports, along with the process ID (PID) of the process that is using each one. Find the port you want to check, then note the PID listed for that port.
3. Now run the command tasklist /FI "pid eq yourPID", keeping the quotes around "pid eq yourPID". This filters (/FI) the tasklist results to show only the process whose PID equals yourPID. Substitute the numerical PID from step 2 for the yourPID text in the command.
4. If you'd like to stop the process that you found, use the command "tskill yourPID" to terminate it, again substituting your process ID value for the yourPID text.
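
Steps 2 and 3 can be combined when you have saved command output to review. The following is an added example, not part of the original post: it parses "netstat -a -n -o" output, handles UDP rows (which have no State column, as with TFTP) and IPv6 addresses, and joins the PIDs against "tasklist /FO CSV /NH" output. Both samples and the image names in them are constructed.

```python
import csv
import io

# Constructed sample of `netstat -a -n -o` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    192.168.1.10:49210     203.0.113.5:443        ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       868
  UDP    0.0.0.0:69             *:*                                    2044
  UDP    [::]:69                *:*                                    2044
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image names are made up).
TASKLIST_SAMPLE = '''
"svchost.exe","868","Services","0","5,120 K"
"tftpd.exe","2044","Console","1","3,884 K"
"browser.exe","3120","Console","1","88,412 K"
'''

def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("TCP", "UDP"):
            continue  # skip banner, column header and blank lines
        # UDP rows have no State column, so the PID is always the last field.
        state = cols[3] if cols[0] == "TCP" and len(cols) == 5 else ""
        # rsplit copes with IPv6 local addresses such as [::]:135
        port = int(cols[1].rsplit(":", 1)[1])
        yield cols[0], port, state, int(cols[-1])

def parse_tasklist(csv_text):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(csv_text))
    return {int(row[1]): row[0] for row in rows if row}

def owners_of_port(netstat_text, tasklist_csv, port):
    """Return sorted, de-duplicated (proto, pid, image) tuples for a local port."""
    names = parse_tasklist(tasklist_csv)
    hits = {(proto, pid, names.get(pid, "<unknown>"))
            for proto, p, _state, pid in parse_netstat(netstat_text) if p == port}
    return sorted(hits)

if __name__ == "__main__":
    for proto, pid, image in owners_of_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 69):
        print(f"{proto} port 69 -> PID {pid} ({image})")
```

A PID that shows up as "<unknown>" means the process was not in the tasklist snapshot, for example because it exited between the two commands.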

You can also use Task Manager to track down the process once you have the PID if you would like. However, the PID column on the Processes tab is not displayed by default, so you will have to add it (go to the Processes tab, then to View->Select Columns...). You can then check and end the process with the more familiar GUI.

Tasklist is a very helpful tool. One additional use for tasklist is for tracking down programs that are using svchost.exe. If you're interested in that, check out my previous post.
