Starting with Windows XP, the netstat command can be used with the -o option to identify which process opened a given socket [12]. Starting with Windows XP SP2 and Windows Server 2003 SP1, the -b option can be used instead of the -o option.
In October 2005, Microsoft documented the availability of a Windows 2000 update [13], adding support for the -o netstat option.
On systems where the -o netstat option is not available, the following tools can be used:
These tools will give the PID (Process Identifier) of processes using sockets.
However, knowing the PID is not always enough to identify precisely which system component opened a given socket, particularly in the following cases:
On a default Windows system, some sockets will be reported as owned by the System process (PID 8 on Windows 2000, PID 4 on Windows XP and Windows Server 2003): these sockets are opened by drivers communicating directly with the TCP/IP driver in kernel mode.
It is not possible to statically identify which driver opened a given port. Thus, when a port has been opened by a driver, it is sometimes hard to figure out why it is open. For example, on some Windows systems, port 1025 (the first dynamic port) seems to be opened by an unknown driver at system startup.
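As an added example (not part of the original text), the following Python script parses `netstat -ano` output and separates the open ports owned by the System process, for which the PID alone does not identify the responsible driver. The sample output is constructed, and the column layout is assumed to be the usual one printed by `netstat -ano`.

```python
from collections import defaultdict

# System process PIDs as given in the text: 8 on Windows 2000, 4 on XP / Server 2003.
SYSTEM_PIDS = {4, 8}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1040      192.168.1.20:80        ESTABLISHED     2116
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1180
"""

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        # TCP rows have a State column, UDP rows do not: the PID is always last.
        proto, local, pid = fields[0], fields[1], int(fields[-1])
        state = fields[3] if proto == "TCP" and len(fields) == 5 else None
        addr, _, port = local.rpartition(":")  # keeps bracketed IPv6 addresses intact
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "state": state, "pid": pid})
    return sockets

def open_ports_by_pid(sockets):
    """Map PID -> sorted (proto, port) list for listening TCP and bound UDP sockets."""
    result = defaultdict(set)
    for s in sockets:
        if s["proto"] == "UDP" or s["state"] == "LISTENING":
            result[s["pid"]].add((s["proto"], s["port"]))
    return {pid: sorted(ports) for pid, ports in result.items()}

def kernel_owned(sockets):
    """Ports attributed to the System process, i.e. opened by a kernel-mode driver."""
    by_pid = open_ports_by_pid(sockets)
    return sorted({p for pid in SYSTEM_PIDS for p in by_pid.get(pid, [])})

if __name__ == "__main__":
    for proto, port in kernel_owned(parse_netstat(SAMPLE)):
        print(f"{proto}/{port}: owned by System, driver not identifiable from the PID")
```

On a live system, the text passed to `parse_netstat` would be the captured output of `netstat -ano` instead of `SAMPLE`.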
The following well-known ports are opened by the following drivers:
For more information, a list of TCP and UDP ports used by Microsoft Server Products is available [15].