2.5.2. Identifying processes behind sockets

Starting with Windows XP, the netstat command can be used with the -o option to identify which process opened a given socket [12]. Starting with Windows XP SP2 and Windows Server 2003 SP1, the -b option can be used instead of the -o option.

In October 2005, Microsoft documented the availability of a Windows 2000 update [13], adding support for the -o netstat option.

On systems where the -o netstat option is not available, the following tools can be used:

These tools will give the PID (Process Identifier) of processes using sockets.

However, knowing the PID is not always enough to identify precisely which system component opened a given socket, particularly in the following cases:

On a default Windows system, some sockets will be reported as owned by the System process (PID 8 on Windows 2000, PID 4 on Windows XP and Windows Server 2003): these sockets are opened by drivers communicating directly with the TCP/IP driver in kernel-mode.

It is not possible to statically identify which driver opened a given port. Thus, it is sometimes hard to figure out why a port is opened when it has been opened by a driver. For example, on some Windows systems, port 1025 (the first dynamic port) seems to be opened by an unknown driver at system startup.
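The following is an added example, not code from the original paper, illustrating the two points above: mapping the PID column of `netstat -ano` output to process names, and flagging sockets owned by the System process (PID 4 or 8), for which the PID alone cannot reveal the responsible driver. The `netstat` output and the PID-to-image-name table are constructed sample data (the table stands in for what `tasklist` would report); the parser assumes the column layout shown in the sample.

```python
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed PID -> image name table, as `tasklist` would report it (hypothetical values).
SAMPLE_PROCESSES = {4: "System", 876: "svchost.exe", 1104: "lsass.exe"}

# PID of the System process: 8 on Windows 2000, 4 on Windows XP / Server 2003.
SYSTEM_PIDS = {4, 8}


@dataclass
class Socket:
    proto: str
    local: str
    pid: int
    state: str  # empty for UDP, which has no State column


def parse_netstat(text):
    """Parse `netstat -ano` style output into Socket records.

    TCP rows carry a State column, UDP rows do not, so the PID is always
    taken from the last token rather than from a fixed column index.
    """
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, blank lines and the column header
        proto, local = parts[0], parts[1]
        pid = int(parts[-1])
        state = parts[3] if proto == "TCP" else ""
        sockets.append(Socket(proto, local, pid, state))
    return sockets


def attribute(sockets, processes):
    """Map each (proto, local address) to an owner label.

    Sockets owned by the System process are labelled explicitly, because a
    PID lookup cannot tell which kernel-mode driver opened them.
    """
    owners = {}
    for s in sockets:
        if s.pid in SYSTEM_PIDS:
            owner = "System (kernel-mode driver; not identifiable from PID)"
        else:
            owner = processes.get(s.pid, f"unknown PID {s.pid}")
        owners[(s.proto, s.local)] = owner
    return owners


if __name__ == "__main__":
    for (proto, local), owner in attribute(parse_netstat(SAMPLE_NETSTAT),
                                           SAMPLE_PROCESSES).items():
        print(f"{proto:<4} {local:<20} {owner}")
```

Run against real output (`netstat -ano > sockets.txt`, `tasklist /fo csv` for the PID table), the System-owned entries are the ones that need a different approach than PID lookup, as the text explains for port 1025.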

The following well-known ports are opened by the following drivers:

For more information, a list of TCP and UDP ports used by Microsoft Server Products is available [15].