Port Reporter is another cool tool from Redmond. It runs as a service in Windows XP/2003 (and also in Windows 2000 but with less functionality) and records information about which TCP and UDP ports are active on your system. Port Reporter also tells you the Windows processes that are using these ports and the security context under which each process is running. You can use Port Reporter to monitor port usage for security reasons and for troubleshooting network connectivity problems.
To get started with Port Reporter, you first need to download it from the Microsoft Download Center. After extracting the files in the zipped download package, run pr-setup.exe to install portreporter.exe as a Windows service, making sure you've closed all administrative consoles first. Once the tool is installed, it shows up in the Services console as a service named Port Reporter with a Manual startup type and in an initial Stopped state.
Figure 1. Initial state of the Port Reporter service after installation
Right-click on the service and select Start to start it. Once the service is running, three log files are created in the directory %SystemRoot%\System32\LogFiles\PortReporter:
Figure 2. Log files created by Port Reporter
The PR-INITIAL log (the actual filename includes a suffix that identifies the date and time that the file was created) summarizes the ports, processes, and modules running on your machine when Port Reporter is started. This log can be quite long but very informative. On a test machine running Windows XP SP2, the first part of the log looks like this:
Port Reporter Version 1.01 Log File
Service initialization log
System Date: Wed Jul 06 13:44:04 2005
Local computer name: TEST
Operating System: Windows XP

TCP/UDP Port to Process Mappings at service start-up
15 mappings found

PID:Process        Port       Local IP        State       Remote IP:Port
4:System           TCP 445    0.0.0.0         LISTENING   0.0.0.0
4:System           TCP 139    172.16.16.150   LISTENING   0.0.0.0
4:System           UDP 445    0.0.0.0         *:*
4:System           UDP 137    172.16.16.150   *:*
4:System           UDP 138    172.16.16.150   *:*
392:alg.exe        TCP 1025   127.0.0.1       LISTENING   0.0.0.0
932:lsass.exe      UDP 500    0.0.0.0         *:*
932:lsass.exe      UDP 4500   0.0.0.0         *:*
1196:svchost.exe   TCP 135    0.0.0.0         LISTENING   0.0.0.0
1308:svchost.exe   UDP 123    127.0.0.1       *:*
1308:svchost.exe   UDP 123    172.16.16.150   *:*
1460:svchost.exe   UDP 1029   0.0.0.0         *:*
1460:svchost.exe   UDP 1049   0.0.0.0         *:*
1500:svchost.exe   UDP 1900   127.0.0.1       *:*
1500:svchost.exe   UDP 1900   172.16.16.150   *:*
After this comes detailed information for each process identified above, which in this particular case is almost 50 pages of text.
The PR-PORTS log summarizes any changes to TCP/UDP port activity since the service started, and initially looks like this:
Port Reporter Version 1.01 Log File - Port usage log
Check PR-PIDS-05-07-6-13-44-4.log for corresponding process data
Log format: date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
Obviously not much has happened since the Port Reporter service was started (no new ports have been opened yet), so let's look at the third and last log this tool creates, namely PR-PIDS.
The PR-PIDS log summarizes the ports, processes, and modules associated with each port entry in the PR-PORTS log, so this file too doesn't have anything in it yet except headers:
Port Reporter Version 1.01 Log File
Process detail log
System Date: Wed Jul 06 13:44:04 2005
Local computer name: TEST
Operating System: Windows XP
Let's now get some port activity going on our test system. After enabling Remote Desktop on the system, I used Remote Desktop Connection (mstsc.exe) from another XP machine to establish a terminal services session with the test machine. Opening the PR-PORTS file should show some new port activity now, and it does:
Port Reporter Version 1.01 Log File - Port usage log
Check PR-PIDS-05-07-6-13-44-4.log for corresponding process data
Log format: date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
05/7/6,13:52:1,TCP,3389,0.0.0.0,,0.0.0.0,1096,svchost.exe, <NT AUTHORITY\SYSTEM>
05/7/6,13:52:2,TCP,3389,172.16.16.150,1486,172.16.16.100,1096,svchost.exe, <NT AUTHORITY\SYSTEM>
05/7/6,13:52:4,UDP,1088,0.0.0.0,*,*,1540,rdpclip.exe,<TEST\Administrator>
As expected, a connection was established on TCP port 3389, which is the standard port that Remote Desktop sessions use. In addition, the RDP Clip Monitor on the test system (rdpclip.exe) opens an ephemeral UDP port to support copying and pasting between the remote desktop and the local console on the remote client machine.
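The PR-PORTS records above are plain CSV in the order the log's "Log format" header gives, but with a few quirks worth handling before you feed them to anything else: the date is YY/M/D and the time H:M:S without zero padding, the remote port is empty for a new TCP listener and "*" for an unconnected UDP socket, and the user context carries a leading space and angle brackets. The parser below is an added example, not part of the original article or of Port Reporter; the three records are constructed from the page's sample, and the allow-list of expected listeners is an assumption you would replace with your own baseline.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the PR-PORTS format shown on this page:
# three header lines, then one CSV record per port event.
SAMPLE_LOG = r"""Port Reporter Version 1.01 Log File - Port usage log
Check PR-PIDS-05-07-6-13-44-4.log for corresponding process data
Log format: date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
05/7/6,13:52:1,TCP,3389,0.0.0.0,,0.0.0.0,1096,svchost.exe, <NT AUTHORITY\SYSTEM>
05/7/6,13:52:2,TCP,3389,172.16.16.150,1486,172.16.16.100,1096,svchost.exe, <NT AUTHORITY\SYSTEM>
05/7/6,13:52:4,UDP,1088,0.0.0.0,*,*,1540,rdpclip.exe,<TEST\Administrator>
"""

FIELDS = ["date", "time", "proto", "lport", "lip", "rport", "rip", "pid", "module", "user"]

def parse_pr_ports(text):
    """Return one dict per data record; the header lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS) or row[2] not in ("TCP", "UDP"):
            continue  # header or blank line, not a port record
        rec = dict(zip(FIELDS, row))
        # Port Reporter writes YY/M/D and H:M:S without zero padding; strptime accepts that.
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%y/%m/%d %H:%M:%S")
        rec["pid"] = int(rec["pid"])
        rec["lport"] = int(rec["lport"])
        rec["user"] = rec["user"].strip().strip("<>")  # ' <NT AUTHORITY\SYSTEM>' -> 'NT AUTHORITY\SYSTEM'
        # An empty remote port on TCP is a new listener; '*' is an unconnected UDP socket.
        rec["listening"] = rec["proto"] == "TCP" and rec["rport"] == ""
        records.append(rec)
    return records

def summarize_by_pid(records):
    """Group records by PID: module, user context, listening ports and remote peers."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["pid"], {"module": r["module"], "user": r["user"],
                                           "listening": set(), "peers": set()})
        if r["listening"]:
            s["listening"].add((r["proto"], r["lport"]))
        elif r["rip"] not in ("*", "0.0.0.0"):
            s["peers"].add((r["rip"], r["rport"]))
    return summary

def unexpected_listeners(records, allowed):
    """New TCP listeners whose (port, module) pair is not in the assumed allow-list."""
    return [(r["lport"], r["module"], r["user"]) for r in records
            if r["listening"] and (r["lport"], r["module"]) not in allowed]
```

Running `unexpected_listeners(parse_pr_ports(SAMPLE_LOG), {(3389, "svchost.exe")})` returns an empty list for this sample; dropping the allow-list entry makes the 3389 listener show up with its SYSTEM context, which is the kind of change you would want to notice when reviewing the log.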
Now let's look at what the PR-PIDS log now says concerning these three records of port activity. (Most of the module information has been deleted.) The PR-PORTS log has three records; the PR-PIDS log similarly has three sections. Let's look at the first portion of this log, which shows the establishment of the Remote Desktop session on TCP port 3389:
Port Reporter Version 1.01 Log File
Process detail log
System Date: Wed Jul 06 13:44:04 2005
Local computer name: TEST
Operating System: Windows XP

======================================================
Log number: 1
Log entry below recorded at: 05/7/6,13:52:1
======================================================

Process ID: 1096 (svchost.exe)
User context: NT AUTHORITY\SYSTEM

Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

PID    Port       Local IP        State         Remote IP:Port
1096   TCP 3389   0.0.0.0         LISTENING     0.0.0.0
1096   TCP 3389   172.16.16.150   ESTABLISHED   172.16.16.100:1486

Port Statistics
TCP mappings: 2
UDP mappings: 0
TCP ports in a LISTENING state: 1 = 50.00%
TCP ports in a ESTABLISHED state: 1 = 50.00%

Loaded modules:
C:\WINDOWS\system32\svchost.exe (0x01000000)
C:\WINDOWS\system32\ntdll.dll (0x7C900000)
C:\WINDOWS\system32\kernel32.dll (0x7C800000)
C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
C:\WINDOWS\system32\RPCRT4.dll (0x77E70000)
C:\WINDOWS\system32\ShimEng.dll (0x5CB70000)
C:\WINDOWS\AppPatch\AcGenral.DLL (0x6F880000)
C:\WINDOWS\system32\USER32.dll (0x77D40000)
C:\WINDOWS\system32\GDI32.dll (0x77F10000)
C:\WINDOWS\system32\WINMM.dll (0x76B40000)
C:\WINDOWS\system32\ole32.dll (0x774E0000)
C:\WINDOWS\system32\msvcrt.dll (0x77C10000)
C:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
C:\WINDOWS\system32\MSACM32.dll (0x77BE0000)
C:\WINDOWS\system32\VERSION.dll (0x77C00000)
C:\WINDOWS\system32\SHELL32.dll (0x7C9C0000)
C:\WINDOWS\system32\SHLWAPI.dll (0x77F60000)
C:\WINDOWS\system32\USERENV.dll (0x769C0000)
C:\WINDOWS\system32\UxTheme.dll (0x5AD70000)
C:\WINDOWS\system32\comctl32.dll (0x5D090000)
C:\WINDOWS\system32\NTMARTA.DLL (0x77690000)
C:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
C:\WINDOWS\system32\SAMLIB.dll (0x71BF0000)
c:\windows\system32\rpcss.dll (0x76A80000)
c:\windows\system32\Secur32.dll (0x77FE0000)
c:\windows\system32\WS2_32.dll (0x71AB0000)
c:\windows\system32\WS2HELP.dll (0x71AA0000)
C:\WINDOWS\system32\xpsp2res.dll (0x20000000)
C:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000)
C:\WINDOWS\system32\COMRes.dll (0x77050000)
c:\windows\system32\termsrv.dll (0x760F0000)
c:\windows\system32\ICAAPI.dll (0x74F70000)
c:\windows\system32\SETUPAPI.dll (0x77920000)
C:\WINDOWS\system32\WINTRUST.dll (0x76C30000)
C:\WINDOWS\system32\CRYPT32.dll (0x77A80000)
C:\WINDOWS\system32\MSASN1.dll (0x77B20000)
C:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
c:\windows\system32\AUTHZ.dll (0x776C0000)
c:\windows\system32\mstlsapi.dll (0x75110000)
c:\windows\system32\ACTIVEDS.dll (0x77CC0000)
c:\windows\system32\adsldpc.dll (0x76E10000)
C:\WINDOWS\system32\NETAPI32.dll (0x5B860000)
c:\windows\system32\ATL.DLL (0x76B20000)
C:\WINDOWS\system32\REGAPI.dll (0x76BC0000)
C:\WINDOWS\system32\rsaenh.dll (0x0FFD0000)
C:\WINDOWS\system32\Apphelp.dll (0x77B40000)
C:\WINDOWS\system32\msv1_0.dll (0x77C70000)
C:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
C:\WINDOWS\system32\rdpwsx.dll (0x72460000)
C:\WINDOWS\system32\WINSPOOL.DRV (0x73000000)
We can see from the above that a Remote Desktop session has been established on TCP port 3389 between the remote client 172.16.16.100 and the target 172.16.16.150, and we can also see all the processes and modules involved in this activity.
Once you start playing around with Port Reporter, you'll probably realize that interpreting the logs it creates can be challenging. So to make life easier for you, Microsoft has created a tool called Port Reporter Parser that you can download and use to simplify such analysis. Finally, if you want to focus on the activity of only a single port (or a group of ports used by a certain process), you can use an older tool called PortQry, and there's a GUI called PortQryUI you can download for this as well.
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
Copyright © 2009 O'Reilly Media, Inc.