A port basically allows communication to or from the device. Characteristics are a port number, an IP address and a protocol type. This article will give you the tools at hand to identify and evaluate the open ports on your Windows system to make a decision in the end whether they can or should be closed or left open.

Software programs and tools that we will use:

• CurrPorts: Available for 32-bit and 64-bit editions of Windows. It is a port monitor that displays all open ports on a computer system. We will use it to identify the ports and the programs that are using them.
• Windows Task Manager: Also used to identify the programs and link some ports to programs.
• Search Engine: Searching for port information is necessary for some ports that cannot be identified that easily.

It would be an impossible task to go through all of the ports that are open, we will therefor use a few examples to enable everyone to understand the process and go on from there.

Fire up CurrPorts and take a look at the populated main area.

The program displays the process name and ID, local port, protocol and local port name among others.

The easiest ports to identify are those with a process name that corresponds to a running program like RSSOwl.exe with the process ID 3216 in the above example that is listing on the local ports 50847 and 52016. Those ports are usually closed when the program closes.

The more important ports are the ones that cannot be linked to a program right away like the System ports shown in the above screenshot.

There are a few ways to identify the services and programs linked to those ports. There are other indicators that we can use to discover the services and applications besides the process name.

The most important ones are the port number, the local port name and the process ID.

With the process ID we can take a look in the Windows Task Manager to try and link it to a process running on the system. To do that you need to start the task manager (press Ctrl Shift Esc). Click on View, Select Columns and enable the PID (Process Identifier) to be shown. That’s the process ID that is also shown in CurrPorts.

Now we can link process IDs in Currports to running processes in the Windows Task Manager.

Let us take a look at some examples:

ICSLAP, TCP Port 2869

Here we have a port that we cannot identify immediately. The local port name is icslap, the port 2869, it uses the TCP protocol, has the process ID 4 and the process name system.

It is usually a good idea to search for the local port name first if it cannot be identified right away. Fire up Google and search for icslap port 2869 or something similar.

Often there are several suggestions or possiblities. For Icslap they are Internet Connection Sharing, Windows Firewall or Local Network Sharing. It took some research to find out that in this case it was used by the Windows Media Player Network Sharing Service.

A good option to find out if this is indeed the case is to stop the service if it is running and refresh the port listing to see if the port is not appearing anymore. In this case it was closed after stopping the Windows Media Player Network Sharing Service.

epmap, TCP port 135

Research shows that it is linked to the dcom server process launcher. Research also shows that it is not a good idea to disable the service. It is however possible to block the port in the firewall instead to close it down.

llmnr, UDP port 5355

If you look in Currports your notice that the local port name llmnr uses the UDP port 5355. PC Library has information on the service. It is referring to the Link Local Multicast Name Resolution protocol which is related to the DNS service. Windows users who do not need the DNS service can disable it in the Services Manager. This closes the ports from being open on the computer system.

Conclusion:

It is not always easy to identify ports and the services or applications they are linked to. Research on search engines usually provides enough information to find out which service is responsible with ways to disable it if it not needed.

A good first approach before starting to hunt down ports would be to take a close look at all started services in the Services Manager and stop and disable those that are necessary for the system. A good starting point to evaluate those is the services configuration page at BlackViper.

The network connection data that is displayed by Connection Monitor is basic but useful for a quick overview of all network connections. The program itself lacks information that are displayed in Curr Ports, most notable the process ID and process that are using that network connection. It is therefor more difficulty to identify the running processes with Connection Monitor.

Curr Ports (and Open Ports as well) is therefor the better alternative for users who would like to identify the processes that use the open network connections. Connection Monitor is a free download at the developer’s website. No compatibility information are displayed on the website or in the application. It worked fine on a Windows XP SP3 test system.

What this means is that Fport will basically display all open ports and the applications that use them for their connection. This makes it very easy to find unauthorized connections by simply verifying the applications one by one.

Fport has to be launched from the command line or a batch script. It will display all open ports and their applications if it is executed without switches. The following switches are available:

/p (sort by port)
/a (sort by application)
/i (sort by pid)
/ap (sort by application path)

The output will look like this:

C:\>fport
FPort v2.0 – TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
392 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
508 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe

392 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
224 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
212 services -> 1026 UDP C:\WINNT\system32\services.exe

The easiest way to work with fport is to save the output into a text document for further processing. This can be done with the command fport > output.txt which will create a text document with the name output.txt in the root directory of fport.

A similar application with a graphical user interface is Cports.

The freeware requires no installation and does not change the system, just run it using the windows run command. Every user that is logged on can use the application, that´s right even guests can use it. Another great tool that uses a gui is Currports. Just follow the link if you like it.

Update: The developer website is no longer available. We have uploaded the latest version of Open Ports Scanner to our own servers. Be advised though that it has not been updated for a long time, and that you may experience issues with the program because of this. We suggest you download CurrPorts instead.

The program lists all open ports on startup. This did not work correctly under a 64-bit Windows test system. Only the protocol and local port were displayed on the system, and not process names, IDs or ports. It is therefor clear that the program is either incompatible with 64-bt editions of Windows, or with newer versions of Microsoft’s operating system.

Connections and processes can be terminated and exported for further analysis. The settings allow you to configure the program to automatically refresh the connection list and ports. If you do not configure that, you are left with manually refreshing the listings.

You can download Open Ports Scanner 1.2 with a click on the following link: Open Ports Scanner (9)