Blast from the Past: Nirsoft's CurrPorts
We are revisiting great applications in this series that we reviewed in the past. In this episode of Blast from the Past: Nirsoft's CurrPorts application.
We reviewed the freeware CurrPorts back in 2010 for the first time here on Ghacks Technology News. The free application displays all open ports of a system running Windows when you execute it. It displays a list of applications with Internet or network connectivity, as well as system services and tools with open ports or connections.
CurrPorts is a free program for Microsoft Windows devices by one of our favorite developers Nirsoft. It is compatible with all Windows operating system versions including the latest ones (and it goes back to Windows NT and 2000). The program is portable and you may run it from any location.
In a nutshell: CurrPorts displays open ports on systems running Windows. You may use it to detect applications with network connectivity and check which ports are open on the system; great to harden the system by closing ports or verifying applications with network connectivity.
The Windows system tool netstat and Windows PowerShell offer similar options but both need to be run from the command line. Check out LiveTCPUDPWatch as an alternative, or the port-focused programs PortExpert or PortScan.
CurrPorts
CurrPorts displays a list of all open TCP and UDP ports on the system when it is run. Each entry displays detailed information that includes the process name, ports, addresses, protocols, process path on the local system, and more. Each data column, e.g. process name, local port, or remote address, supports sorting.
Tip: Download the IP to Country database file from the Nirsoft website and place it in the same directory as the CurrPorts executable file to add IP to country look-ups to the application. You may download the ASN database file to display the ASN and company name of remote IP addresses.
The application refreshes the list of ports automatically in 2 second intervals by default. You can change the interval or disable auto-refresh under Options > Auto Refresh. Disabling is a good option if you need to analyze a certain state.
CurrPorts offers lots of options; you can use filters to display only a subset of ports, disable IPv6, UDP, or TCP, or enable audio feedback whenever new ports are detected. Advanced filters like include:remote:tcp:80 or exclude:both:tcpudp:6881 may be used to include or exclude certain listings. The first filter displays only entries that use remote TCP port 80, the second excludes BitTorrent traffic provided that the default port 6881 is used.
CurrPorts supports more than just reporting. You can close processes right from the application's interface or by using the command line. The commands /close * * * 80 and /close * * 192.168.1.10 80 for example close all connections that use the local port 80 or all connections with the remote port 80 and the remote address specified in the command.
That's only a temporary change though and if you want to prevent an application or system process from opening ports, you need to find other ways to prevent that from happening, e.g. by creating new firewall rules, changing the state of Services on the system, or changing a program's configuration.
Check out our tutorial on blocking and closing ports on Windows as a start.
CurrPorts supports the generation of HTML reports. You can create new reports from the interface or by using the parameter /shtml.
Closing Words
I like CurrPorts a lot; it is one of those tiny Nirsoft applications for Windows that offers tremendous value. I use it to check open ports on Windows systems to make sure that only ports that are needed are open on the system.
It takes a bit of research to find out why a port is open; while that is easy enough to tell for applications that you can identify by looking at the process name, e.g. firefox.exe or chrome.exe, it may not be as easy when it comes to Services or Windows processes; you may need to research the port numbers if you cannot identify the service or system tool directly.
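The same check can be scripted in PowerShell, with the services hosted in each owning process resolved so that listeners belonging to Services are easier to identify. This is an added example, not part of the original article or of CurrPorts; the `$AllowedPorts` values are constructed placeholders for your own baseline of expected ports.

```powershell
# Added example: inventory listening TCP/UDP endpoints with owner and hosted services.
# $AllowedPorts is a constructed baseline; replace it with the ports you expect to be open.
$AllowedPorts = @(135, 445, 3389)

# Map each PID to the Windows services it hosts (useful for shared service host processes).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId |
    ForEach-Object { $servicesByPid[[int]$_.Name] = ($_.Group.Name -join ', ') }

# TCP listeners and bound UDP endpoints (the UDP table only ever lists local endpoints).
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{ n = 'Protocol'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{ n = 'Protocol'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

$report = (@($tcp) + @($udp)) | ForEach-Object {
    # The process may have exited between the two queries; tolerate a missing PID.
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol     = $_.Protocol
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $proc.ProcessName
        Path         = $proc.Path      # can be empty when run without elevation
        Services     = $servicesByPid[[int]$_.OwningProcess]
        # Loopback-only listeners are not reachable from the network.
        Exposed      = $_.LocalAddress -notin @('127.0.0.1', '::1')
        Expected     = $AllowedPorts -contains $_.LocalPort
    }
}

# Unexpected, network-reachable listeners sort to the top for review.
$report |
    Sort-Object -Property Expected, @{ e = 'Exposed'; Descending = $true }, Protocol, LocalPort |
    Format-Table -AutoSize Protocol, LocalAddress, LocalPort, PID, Process, Services, Exposed, Expected
```

Rows with `Expected` set to False and `Exposed` set to True are the ones to research first; saving `$report` with `Export-Csv` on a known-good system gives a baseline to compare against later runs.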
Now You: Do you use CurrPorts or have you used it?
@11r20 said on August 3, 2019 at 12:35 am
Good article with command tips ((cool))
I occasionally use currports as well but mostly keep my eye on NetLimiter without using the Goolag data base,
The NL’s dark grey screen with the orange,red,yellow colors are EZ on the eyes
I was also the same.
I used “CurrPorts” before, but from newly purchased Windows 10 machine, I use “GlassWire (free)” and “NetLimiter 4 64 bit (free)” as monitoring tools while PC is running.
About the difference between CurrPorts and with them:
・ CurrPorts boasts the same or better capabilities than the functions of “NetLimiter 4 64 bit paid version”, but CurrPorts is a “text user interface” (TUI), and GlassWire and NetLimiter are sophisticated “GUIs”. For the general user, the latter would feel easy to use, such as visibility.
・ CurrPorts is extremely simple with reasonable specifications, even though it covers everything that is needed. Resources amount is also small.
・ CurrPorts is the best tool for “monitoring” and “control”, however, the rating of “favorite” will vary depending on user preferences and values.
I completely forgot CurrPorts but decided to use it again.
Thanks to this “article” and “Comments”.
By the way, Nirsoft’s applications currently use the following.
AppAudioConfig (64-bit)
BrowserAddonsView (64-bit)
Clipboardic
DNSQuerySniffer (64-bit)
FavoritesView
GUIPropView (64-bit)
IPNetInfo
NTFSLinksView (64-bit)
QuickSetDNS
RegScanner (64-bit)
SearchMyFiles (64-bit)
ShadowCopyView (64-bit)
SiteShoter
SpecialFoldersView (64-bit)
TaskSchedulerView (64-bit)
TcpLogView (64-bit)
TimeZonesView
Volumouse (64-bit)
WebCookiesSniffer (64-bit)
WhoisThisDomain
Wireless Network Watcher
WirelessNetView version
These are all great things that are common to Nirsoft’s applications, “extremely simple with reasonable specifications, even though it covers everything that is needed. Resources amount is also small”.
“Nirsoft’s applications” recommended to consider the highest priority prior to other 3rd party apps.
Martin, not sure what you’re referring to by ” the IP to Country database file”, but you can download IPNetInfo from Nirsoft and put all of its files in the same folder as Currports. This activates a context menu item (IPNetInfo Ctrl-I) you see when you right click on one or more connection listed in Currports. If you right click on the selection and then choose that option, IPNetInfo opens and does a WHOIS on the remote IP address(es) you selected. IPNetInfo only displays the WHOIS info for one IP address at a time, but you can just select any IP address from its list to see that info.
Also note that you can “Ctrl-A” and “Ctrl-T”, then enter (to close a dialog window) to select all connections and close all the remote ones. Currports won’t close any local connections because doing so might cause system instability.
Good article with command tips ((cool))
I occasionally use currports as well but mostly keep my eye on NetLimiter without using the Goolag data base,
The NL’s dark grey screen with the orange,red,yellow colors are EZ on the eyes
If any wild lookin port numbers or DNS Resolvers=IP’s repeatedly show up, I write em down n’ block em in the firewall
I much prefer a freebie called Crowd Inspect by Crowdstrike.com. Not only does it provide a similar set of data to currports, but also links to the VirusTotal database so that live results can be checked there as well.
You reviewed it in 2014 and 2017 Martin: https://www.ghacks.net/2017/02/23/crowdinspect-second-opinion-malware-scanner-with-virustotal-integration/
Thanks for the great article, Martin.
I’ve been using CurrPorts since v1.01 and it runs full time on my systems along with the right-click evoked IPNetInfo.
I’ve emailed Nir a couple of times over the years requesting a tabbed interface for differing filter sets. But toggling filters on and off is OK, too. Edit Filters can accept text pastes, no restart needed, and I have a Notepad file with several filter sets. But I mostly filter just the browser.
Note that the latest version 2.60 now supports GeoLite2 data with the caveat “the loading process of the GeoLite2 City database is quite slow.” In that case, the previous GeoLite database still works, too. But, as I recall, the latest data is March of this year and won’t be updated anymore.
• Hold down Ctrl and Shift and tap C, L, and R for a dark mode with pretty text!
netstat -a (dos command)
gives me a wakeup call when something is not right.
Installed this last week as I’m sure my unpatched machine is leaking data somewhere. Was also a good reminder to uninstall itunes, skype etc.
Check out “Everything” search tool for indexing all local or removed drives. Fast at 5 million files.
Great idea to do a V2 of tried and tested classics after a few years!
Old bits of software that still work great.
My vote would go for Cathy, I have yet to find (but I’m sure someone will correct me) anything better for locating files in offline external drives. The time I’ve saved not having to swap in and out external drives. Also works just as well for thumb drives.
Quoting NirSoft, copy/pasted at one time without keeping the exact source :
———-
“COMPARE CurrPorts, LiveTcpUdpWatch, NetworkTrafficView
Every tool behave differently and uses different technique to extract the network information.
CurrPorts displays the current table of active TCP connections and TCP/UDP listening ports, but this technique has some disadvantages, for example, if UDP packets are sent from your computer to remote network address, you won’t see it with CurrPorts, because with UDP there is not really a connection and the UDP table contains only listening UDP ports. The advantage of CurrPorts is the ability to use it without elevation (Run As Administrator).
LiveTcpUdpWatch uses event tracing API to get live information from Windows Kernel about every TCP/UDP packet sent/received on your system. As opposed to CurrPorts, it captures all UDP activity with process information, but without the need of using a network sniffer.
NetworkTrafficView uses network sniffing technique – It analyzes every packet sent/received by your network card and displays extensive summary according to the display mode you choose. The disadvantages of this tool: You have to choose a network card and capture method for activating the network sniffer.”
———-
I use all three, not to mention other apps from the excellent Nirsoft. Because I use so many of them I chose to have them all within one package named NirLauncher at https://launcher.nirsoft.net/downloads/index.html
“Blast from the Past” not only sounds nice, would be a great movie/novel title if it isn’t already (I haven’t read/seen everything, lol!) but is so true when it comes to products which challenge time and remain references.