Microsoft KB Archive/837243

= Availability and description of the Port Reporter tool =

Article ID: 837243

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

SUMMARY
''This article discusses the Port Reporter tool. The Port Reporter tool runs as a service on computers that are running Windows Server 2003, Windows XP, and Windows 2000. The tool logs TCP and UDP port activity. This article contains information about how to obtain and install the tool. When you install the tool, the Setup program creates the appropriate registry entries and installs the Port Reporter service.

This article also contains information about how to use start parameters to configure the Port Reporter service and information about the Port Reporter log files that are generated by the Port Reporter service.''



IN THIS TASK

 * INTRODUCTION
 * Overview
 * Obtain the Port Reporter tool
 * Install the Port Reporter service
 * Install the Port Reporter service to the default location
 * Install the Port Reporter service to a different location than the default location
 * Configure and start the Port Reporter service
 * Remove the Port Reporter service
 * Interpret Port Reporter log files
 * The PR-INITIAL log file
 * The PR-PORTS log file
 * The PR-PIDS log file
 * REFERENCES



INTRODUCTION
This article contains information about how to obtain, install, and configure the Port Reporter tool. You can use the Port Reporter tool to log TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.


Overview
The Port Reporter tool logs TCP and UDP port activity. The tool is a small program that runs as a service on a computer that is running Windows Server 2003, Windows XP, or Windows 2000.

On Windows Server 2003 and on Windows XP-based computers, the service can log the following information:
 * The ports that are used
 * The processes that use the port
 * Whether a process is a service
 * The modules that a process loaded
 * The user accounts that run a process

On Windows 2000-based computers, the service logs the ports that are used and when the ports are used.

You can use the information that is logged by the Port Reporter tool to help you track port usage and troubleshoot certain issues. The information that is logged by the Port Reporter tool may also be helpful for security purposes.


Obtain the Port Reporter tool
The Port Reporter tool is available from this link on the Microsoft Download Center:

http://www.microsoft.com/downloads/details.aspx?familyid=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&displaylang=en

Important: The Port Reporter Parser tool is a log parser for Port Reporter log files. This tool is now available for download. Port Reporter Parser has many features that can help you analyze Port Reporter log files. You can download the Port Reporter Parser tool from the following Microsoft web site:

http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe


Install the Port Reporter service
When you run the Setup program (Pr-Setup.exe) to install Port Reporter, the Setup program performs the following operations:
 * Adds the following registry subkey to the Windows registry:

The Port Reporter service requires this registry key to log entries to the application event log on the computer.
 * Installs the Port Reporter service.

The Setup program creates a service object for the Port Reporter tool and then adds the object to the Service Control Manager database.


Install the Port Reporter service to the default location
By default, the Port Reporter service is installed to the following folder on the hard disk:



To install the Port Reporter service to the default location:
 * 1) Log on to the computer as a member of the local administrators group.
 * 2) Quit all programs that are running on the computer, including the Services tool and Event Viewer in Administrative Tools.
 * 3) Double-click Pr-Setup.exe to run the Setup program.
 * 4) When you are prompted to install the Port Reporter tool to the Program Files folder, press Y.

After you press Y, the Setup program creates a subfolder named PortReporter in the Program Files folder. Portreporter.exe is copied to the subfolder and is registered as a service in Service Control Manager.


Install the Port Reporter service to a different location than the default location
To install the Port Reporter service to a different location than the default location:
 * 1) Log on to the computer as a member of the local administrators group.
 * 2) Quit all programs that are running on the computer, including the Services tool and Event Viewer in Administrative Tools.
 * 3) Copy the Pr-setup.exe file and the Portreporter.exe file to the folder where you want to install the Port Reporter tool.

Note: You have to run the Setup program from a fixed, local drive. You cannot run the Setup program from a network drive or from a CD-ROM drive.
 * 4) At the command prompt, type the following line, and then press ENTER, where  is the drive and path of the folder that contains the Pr-setup.exe file and the Portreporter.exe file:

pr-setup.exe -d ' '

For example, to install the tool to the D:\Tools\Port Reporter folder, type:

pr-setup.exe -d 'd:\tools\port reporter\'

You receive output that is similar to the following in the Command Prompt window:

<pre class="fixed_text">C:\temp>pr-setup.exe -d 'PathOfFolder'
Installing Port Reporter service: PathOfFolder
Creating service...completed successfully
Creating registry key and values...completed successfully
Setup has successfully installed the Port Reporter service
The service is currently stopped and set to manual startup type
Please use the services applet in the control panel to configure and start the Port Reporter service
press any key to exit setup
</pre>
 * 5) Press any key to exit the Setup program.


Configure and start the Port Reporter service
To verify that the Port Reporter service installed successfully and to start the service, follow these steps:
 * 1) Click Start, right-click My Computer, and then click Manage.
 * 2) Expand Services and Applications, and then expand Services.
 * 3) In the right pane, verify that the Port Reporter service is listed.
 * 4) To start the service, double-click the service name, and then click to select the Start button. Click OK.

The Port Reporter service will create a log entry in the application log that indicates that it is started.

By default, the startup type for the Port Reporter service is set to use the Manual setting. If you want the service to start automatically when Windows starts, set the startup type to use the Automatic setting.

By default, the Port Reporter service uses the Local System account to log on to the computer. By using the Local System account, the Port Reporter service can gather details about processes that the administrator account or other user accounts do not have access to. Because of this, Microsoft recommends that you do not modify this setting.

Note: Because this service runs in the context of the Local System account, Microsoft recommends that you secure the folder where Port Reporter is installed. Whether you install Port Reporter in its default location (%SystemDrive%\Program Files\PortReporter) or in a custom location, you must take these steps:
 * Install Port Reporter only on an NTFS file system partition.
 * Adjust the access control list (ACL) on the installation folder so that only the local Administrators group has access to the folder. To do this, follow these steps:
 * 1) Start Windows Explorer, and then find the installation folder. By default, it is %SystemDrive%\Program Files\PortReporter.
 * 2) Right-click the folder, and then click Properties.
 * 3) In the folder property dialog box, click the Security tab, and then inspect the group and user names that have access to the folder. Only the local Administrators group and the System account should have access to this folder.
 * 4) Select any other groups and users that are listed, and then click Remove. When the list contains only the local Administrators group and the System account, click Apply, and then click OK.

Location of log files
By default, the Port Reporter tool tries to create the log files in the following folder:

%systemroot%\System32\LogFiles\PortReporter

If this folder does not already exist, the folder is created for you. You can configure the location of the log files by using the start parameter that is specified on the General tab of the Port Reporter service dialog box. To specify the log file folder, use the -ld command-line option followed by the name of the folder that you want to use. Make sure that you enclose the name of the folder in single quotes ('). For example, if you specify the following start parameter, the Port Reporter service creates log files in the C:\Program Files\Port Reporter folder when the Port Reporter service starts:

-ld 'c:\program files\port reporter'

Size of log files
By default, the Port Reporter service continues to write to the log files until the log files reach 5 megabytes (MB). After the log files reach 5 MB, a new log file is created. To configure the size of log files, use the -ls command-line option. You can specify a size between 1000 kilobytes (KB) and 102400 KB. For example, if you specify the following start parameter, the Port Reporter service creates a new log file every time the log files reach 7000 KB:

-ls 7000

After you configure the Port Reporter service with the start parameters that you want, start the service. When the Port Reporter service starts, the following two events are logged to the application event log:

Type: Information

Source: PortReporter

Category: None

Event ID: 100

Description:

The Port Reporter service was started.

Type: Information

Source: PortReporter

Category: None

Event ID: 100

Description:

The Port Reporter service successfully created log files in the following directory:


Remove the Port Reporter service
To remove the Port Reporter service, type the following line at the command prompt, and then press ENTER:

pr-setup.exe -u

You receive output that is similar to the following in the Command Prompt window:

<pre class="fixed_text">Uninstalling Port Reporter service...
Deleting service... Stopping service...completed successfully
Removing service...completed successfully
Deleting service...completed successfully
Deleting registry key and values...completed successfully
Setup successfully uninstalled the Port Reporter Service
The installation directory has been left intact
press any key to exit setup
</pre>

When you remove the Port Reporter service, the Setup program performs the following operations:
 * Unregisters the Port Reporter service from the Service Control Manager database.
 * Deletes the registry entries that were created when you installed the Port Reporter service.

When you remove the Port Reporter service, the Setup program does not remove the folder that contains the Pr-setup.exe file and the PortReporter.exe file, nor does the Setup program remove any log files that were created by the service.


Interpret Port Reporter log files
The Port Reporter service creates the log files under the following circumstances:
 * Every time the Port Reporter service starts.
 * At midnight each day.
 * When the log file reaches 5 MB or when the log file reaches the custom size that you specified in the start parameter.

When the Port Reporter service starts, the following log files are created:
 * PR-INITIAL-*.log
 * PR-PORTS-*.log
 * PR-PIDS-*.log

The name of each log file uses the date and the time (in 24-hour format) when the file was created. The format of the date and time stamp is year-month-day-hour-minute-second. For example, the following three files were created January 24, 2004, at 8:49:30 A.M.:
 * PR-INITIAL-04-01-24-8-49-30.log
 * PR-PORTS-04-01-24-8-49-30.log
 * PR-PIDS-04-01-24-8-49-30.log


The PR-INITIAL log file
The PR-INITIAL log file contains data that the Port Reporter service collects about the ports, processes, and modules that run on the computer when the Port Reporter service is started. The user context that each process is running under is also logged. The following is an example of the contents of a PR-INITIAL log file on a Windows XP-based computer that was created when the Port Reporter service started:

<pre class="fixed_text">Port Reporter Version 1.0 Log File

Service initialization log

System Date: <Date and Time>

Local computer name:
<ComputerName>

TCP/UDP Port to Process Mappings at service start-up

36 mappings found

PID:Process         Port        Local IP        State        Remote IP:Port
0:System Idle       TCP 4857    169.254.66.8    TIME WAIT    169.254.44.123:80
4:System            TCP 445     0.0.0.0         LISTENING    0.0.0.0:6246
4:System            TCP 1026    0.0.0.0         LISTENING    0.0.0.0:28726
4:System            TCP 139     169.254.66.8    LISTENING    0.0.0.0:34925
4:System            UDP 445     0.0.0.0                      *:*
4:System            UDP 137     169.254.66.8                 *:*
4:System            UDP 138     169.254.66.8                 *:*
664:iexplore.exe    TCP 4867    0.0.0.0         LISTENING    0.0.0.0:4225
664:iexplore.exe    TCP 4870    0.0.0.0         LISTENING    0.0.0.0:45070
664:iexplore.exe    TCP 4871    0.0.0.0         LISTENING    0.0.0.0:18494
664:iexplore.exe    TCP 4872    0.0.0.0         LISTENING    0.0.0.0:6182
664:iexplore.exe    TCP 4867    169.254.66.8    ESTABLISHED  169.254.44.123:80
664:iexplore.exe    TCP 4870    169.254.66.8    ESTABLISHED  207.68.177.62:80
664:iexplore.exe    TCP 4871    169.254.66.8    ESTABLISHED  207.46.248.110:80
664:iexplore.exe    TCP 4872    169.254.66.8    ESTABLISHED  207.46.248.110:80
664:iexplore.exe    UDP 4817    127.0.0.1                    *:*
748:lsass.exe       UDP 500     0.0.0.0                      *:*
952:svchost.exe     TCP 135     0.0.0.0         LISTENING    0.0.0.0:2096
1092:svchost.exe    TCP 1025    0.0.0.0         LISTENING    0.0.0.0:2064
1092:svchost.exe    TCP 3002    127.0.0.1       LISTENING    0.0.0.0:49193
1092:svchost.exe    TCP 3003    127.0.0.1       LISTENING    0.0.0.0:39078
1092:svchost.exe    UDP 123     169.254.66.8                 *:*
1092:svchost.exe    UDP 123     127.0.0.1                    *:*
1192:svchost.exe    UDP 3009    0.0.0.0                      *:*
1192:svchost.exe    UDP 3015    0.0.0.0                      *:*
1192:svchost.exe    UDP 3016    0.0.0.0                      *:*
1228:svchost.exe    TCP 5000    0.0.0.0         LISTENING    0.0.0.0:45223
1228:svchost.exe    UDP 1900    169.254.66.8                 *:*
1228:svchost.exe    UDP 1900    127.0.0.1                    *:*
1536:alg.exe        TCP 3001    127.0.0.1       LISTENING    0.0.0.0:2064
1568:InoRpc.exe     TCP 42510   0.0.0.0         LISTENING    0.0.0.0:14373
1568:InoRpc.exe     UDP 43508   169.254.66.8                 *:*
3764:msmsgs.exe     TCP 16521   169.254.66.8    LISTENING    0.0.0.0:45294
3764:msmsgs.exe     UDP 4803    0.0.0.0                      *:*
3764:msmsgs.exe     UDP 9160    169.254.66.8                 *:*
3764:msmsgs.exe     UDP 9586    169.254.66.8                 *:*

==========================================

Process ID: 4 (System)

System Process

PID    Port        Local IP        State        Remote IP:Port
4      TCP 445     0.0.0.0         LISTENING    0.0.0.0:6246
4      TCP 1026    0.0.0.0         LISTENING    0.0.0.0:28726
4      TCP 139     169.254.66.8    LISTENING    0.0.0.0:34925
4      UDP 445     0.0.0.0                      *:*
4      UDP 137     169.254.66.8                 *:*
4      UDP 138     169.254.66.8                 *:*

Port Statistics

TCP mappings: 3
UDP mappings: 3

TCP ports in a LISTENING state:    3 = 100.00%

Could not access module information for this process

==========================================

Process ID: 748 (lsass.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: PolicyAgent Display Name: IPSEC Services Service Type: shares a process with other services

Service Name: ProtectedStorage Display Name: Protected Storage

Service Name: SamSs Display Name: Security Accounts Manager Service Type: shares a process with other services

PID    Port        Local IP        State        Remote IP:Port
748    UDP 500     0.0.0.0                      *:*

Port Statistics

TCP mappings: 0
UDP mappings: 1

Loaded modules: D:\WINDOWS\system32\lsass.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\LSASRV.dll (0x74520000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) D:\WINDOWS\system32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) D:\WINDOWS\system32\SAMSRV.dll (0x74440000) D:\WINDOWS\system32\cryptdll.dll (0x76790000) D:\WINDOWS\system32\DNSAPI.dll (0x76F20000) D:\WINDOWS\system32\WS2_32.dll (0x71AB0000) D:\WINDOWS\system32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) D:\WINDOWS\system32\NETAPI32.dll (0x71C20000) D:\WINDOWS\system32\SAMLIB.dll (0x71BF0000) D:\WINDOWS\system32\MPR.dll (0x71B20000) D:\WINDOWS\system32\NTDSAPI.dll (0x767A0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\system32\msprivs.dll (0x743B0000) D:\WINDOWS\system32\kerberos.dll (0x71CF0000) D:\WINDOWS\system32\msv1_0.dll (0x76D10000) D:\WINDOWS\system32\netlogon.dll (0x744B0000) D:\WINDOWS\system32\w32time.dll (0x767C0000) D:\WINDOWS\system32\MSVCP60.dll (0x55900000) D:\WINDOWS\system32\iphlpapi.dll (0x76D60000) D:\WINDOWS\system32\USERENV.dll (0x75A70000) D:\WINDOWS\system32\schannel.dll (0x767F0000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\wdigest.dll (0x74380000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) D:\WINDOWS\system32\setupapi.dll (0x76670000) D:\WINDOWS\system32\scecli.dll (0x74410000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\OLE32.DLL (0x771B0000) D:\WINDOWS\system32\shell32.dll (0x773D0000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000) D:\WINDOWS\system32\comctl32.dll (0x77340000) D:\WINDOWS\system32\ipsecsvc.dll (0x743E0000) D:\WINDOWS\system32\oakley.DLL (0x745D0000) D:\WINDOWS\system32\WINIPSEC.DLL 
(0x74370000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\system32\pstorsvc.dll (0x743A0000) D:\WINDOWS\system32\psbase.dll (0x743C0000) D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)

==========================================

Process ID: 952 (svchost.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: RpcSs Display Name: Remote Procedure Call (RPC) Service Type: shares a process with other services

PID    Port        Local IP        State        Remote IP:Port
952    TCP 135     0.0.0.0         LISTENING    0.0.0.0:2096

Port Statistics

TCP mappings: 1
UDP mappings: 0

TCP ports in a LISTENING state:    1 = 100.00%

Loaded modules: D:\WINDOWS\system32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) d:\windows\system32\rpcss.dll (0x75850000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) d:\windows\system32\WS2_32.dll (0x71AB0000) d:\windows\system32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) d:\windows\system32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\userenv.dll (0x75A70000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\system32\DNSAPI.dll (0x76F20000) D:\WINDOWS\system32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000)

==========================================

Process ID: 1092 (svchost.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: AudioSrv Display Name: Windows Audio Service Type: shares a process with other services

Service Name: BITS Display Name: Background Intelligent Transfer Service Service Type: shares a process with other services

Service Name: CryptSvc Display Name: Cryptographic Services Service Type: shares a process with other services

Service Name: Dhcp Display Name: DHCP Client Service Type: shares a process with other services

Service Name: dmserver Display Name: Logical Disk Manager Service Type: shares a process with other services

Service Name: ERSvc Display Name: Error Reporting Service Service Type: shares a process with other services

Service Name: EventSystem Display Name: COM+ Event System Service Type: shares a process with other services

Service Name: helpsvc Display Name: Help and Support Service Type: shares a process with other services

Service Name: lanmanserver Display Name: Server Service Type: shares a process with other services

Service Name: lanmanworkstation Display Name: Workstation Service Type: shares a process with other services

Service Name: Messenger Display Name: Messenger Service Type: shares a process with other services

Service Name: Netman Display Name: Network Connections

Service Name: Nla Display Name: Network Location Awareness (NLA) Service Type: shares a process with other services

Service Name: RasMan Display Name: Remote Access Connection Manager Service Type: shares a process with other services

Service Name: Schedule Display Name: Task Scheduler

Service Name: seclogon Display Name: Secondary Logon

Service Name: SENS Display Name: System Event Notification Service Type: shares a process with other services

Service Name: SharedAccess Display Name: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Service Type: shares a process with other services

Service Name: ShellHWDetection Display Name: Shell Hardware Detection Service Type: shares a process with other services

Service Name: srservice Display Name: System Restore Service Service Type: shares a process with other services

Service Name: TapiSrv Display Name: Telephony Service Type: shares a process with other services

Service Name: TermService Display Name: Terminal Services Service Type: shares a process with other services

Service Name: Themes Display Name: Themes Service Type: shares a process with other services

Service Name: TrkWks Display Name: Distributed Link Tracking Client Service Type: shares a process with other services

Service Name: W32Time Display Name: Windows Time Service Type: shares a process with other services

Service Name: winmgmt Display Name: Windows Management Instrumentation Service Type: shares a process with other services

Service Name: wuauserv Display Name: Automatic Updates Service Type: shares a process with other services

Service Name: WZCSVC Display Name: Wireless Zero Configuration Service Type: shares a process with other services

PID    Port        Local IP        State        Remote IP:Port
1092   TCP 1025    0.0.0.0         LISTENING    0.0.0.0:2064
1092   TCP 3002    127.0.0.1       LISTENING    0.0.0.0:49193
1092   TCP 3003    127.0.0.1       LISTENING    0.0.0.0:39078
1092   UDP 123     169.254.66.8                 *:*
1092   UDP 123     127.0.0.1                    *:*

Port Statistics

TCP mappings: 3
UDP mappings: 2

TCP ports in a LISTENING state:    3 = 100.00%

Loaded modules: D:\WINDOWS\System32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) D:\WINDOWS\system32\USER32.dll (0x77D40000) d:\windows\system32\shsvcs.dll (0x76BD0000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\system32\shell32.dll (0x773D0000) D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000) D:\WINDOWS\system32\comctl32.dll (0x77340000) D:\WINDOWS\System32\WINSTA.dll (0x76360000) d:\windows\system32\dhcpcsvc.dll (0x76D80000) d:\windows\system32\DNSAPI.dll (0x76F20000) d:\windows\system32\WS2_32.dll (0x71AB0000) d:\windows\system32\WS2HELP.dll (0x71AA0000) d:\windows\system32\iphlpapi.dll (0x76D60000) d:\windows\system32\Secur32.dll (0x76F90000) D:\WINDOWS\System32\UxTheme.dll (0x5AD70000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) d:\windows\system32\wzcsvc.dll (0x70B50000) d:\windows\system32\rtutils.dll (0x76E80000) d:\windows\system32\WMI.dll (0x76D30000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) d:\windows\system32\WTSAPI32.dll (0x76F50000) d:\windows\system32\ESENT.dll (0x69710000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) d:\windows\system32\NETAPI32.dll (0x71C20000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\System32\rastls.dll (0x555A0000) D:\WINDOWS\System32\ATL.DLL (0x76B20000) D:\WINDOWS\System32\CRYPTUI.dll (0x754D0000) D:\WINDOWS\System32\WINTRUST.dll (0x76C30000) D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000) D:\WINDOWS\system32\WININET.dll (0x76200000) D:\WINDOWS\System32\MPRAPI.dll (0x76D40000) D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000) D:\WINDOWS\System32\adsldpc.dll (0x76E10000) 
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000) D:\WINDOWS\System32\SETUPAPI.dll (0x76670000) D:\WINDOWS\System32\RASAPI32.dll (0x76EE0000) D:\WINDOWS\System32\rasman.dll (0x76E90000) D:\WINDOWS\System32\TAPI32.dll (0x76EB0000) D:\WINDOWS\System32\WINMM.dll (0x76B40000) D:\WINDOWS\System32\SCHANNEL.dll (0x767F0000) D:\WINDOWS\system32\USERENV.dll (0x75A70000) D:\WINDOWS\System32\WinSCard.dll (0x723D0000) D:\WINDOWS\System32\raschap.dll (0x70AF0000) D:\WINDOWS\system32\msv1_0.dll (0x76D10000) D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\System32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) d:\windows\system32\schedsvc.dll (0x751D0000) d:\windows\system32\NTDSAPI.dll (0x767A0000) D:\WINDOWS\System32\MSIDLE.DLL (0x74F50000) D:\WINDOWS\System32\NTMARTA.DLL (0x76CE0000) d:\windows\system32\audiosrv.dll (0x708B0000) d:\windows\system32\wkssvc.dll (0x75170000) d:\windows\system32\cryptsvc.dll (0x74FA0000) d:\windows\system32\certcli.dll (0x75350000) d:\windows\pchealth\helpctr\binaries\pchsvc.dll (0x74F40000) d:\windows\system32\es.dll (0x76B70000) d:\windows\system32\ersvc.dll (0x74F80000) d:\windows\system32\dmserver.dll (0x74F90000) d:\windows\system32\srvsvc.dll (0x75090000) d:\windows\system32\msgsvc.dll (0x74F60000) d:\windows\system32\netman.dll (0x76DE0000) d:\windows\system32\seclogon.dll (0x73D20000) d:\windows\system32\sens.dll (0x722D0000) d:\windows\system32\srsvc.dll (0x751A0000) d:\windows\system32\POWRPROF.dll (0x74AD0000) d:\windows\system32\tapisrv.dll (0x733E0000) d:\windows\system32\PSAPI.DLL (0x76BF0000) d:\windows\system32\trkwks.dll (0x75070000) d:\windows\system32\w32time.dll (0x767C0000) d:\windows\system32\MSVCP60.dll (0x55900000) d:\windows\system32\wbem\wmisvc.dll (0x597A0000) d:\windows\system32\wbem\wbemcomn.dll (0x75290000) D:\WINDOWS\System32\VSSAPI.DLL (0x753E0000) d:\windows\system32\wuauserv.dll (0x74EC0000) D:\WINDOWS\System32\wuaueng.dll (0x01B20000) D:\WINDOWS\System32\ADVPACK.dll (0x75260000) 
D:\WINDOWS\System32\sfc.dll (0x76BB0000) D:\WINDOWS\System32\sfc_os.dll (0x76C60000) d:\windows\system32\rasmans.dll (0x72480000) d:\windows\system32\WINIPSEC.DLL (0x74370000) d:\windows\system32\netcfgx.dll (0x755F0000) d:\windows\system32\CLUSAPI.dll (0x55560000) d:\windows\system32\browser.dll (0x74FE0000) D:\WINDOWS\System32\winspool.drv (0x73000000) D:\WINDOWS\System32\rastapi.dll (0x72060000) D:\WINDOWS\System32\SXS.DLL (0x75E90000) D:\WINDOWS\system32\comsvcs.dll (0x75730000) D:\WINDOWS\system32\MTXCLU.DLL (0x750F0000) D:\WINDOWS\system32\WSOCK32.dll (0x71AD0000) D:\WINDOWS\system32\colbact.DLL (0x75130000) D:\WINDOWS\System32\RESUTILS.DLL (0x750B0000) D:\WINDOWS\System32\mtxoci.dll (0x750D0000) D:\WINDOWS\System32\unimdm.tsp (0x57CC0000) D:\WINDOWS\System32\uniplat.dll (0x72000000) D:\WINDOWS\System32\kmddsp.tsp (0x57D40000) D:\WINDOWS\System32\ndptsp.tsp (0x57D20000) D:\WINDOWS\System32\ipconf.tsp (0x57D50000) D:\WINDOWS\System32\h323.tsp (0x57D70000) D:\WINDOWS\System32\hidphone.tsp (0x57D60000) D:\WINDOWS\System32\HID.DLL (0x688F0000) D:\WINDOWS\System32\rasppp.dll (0x72240000) D:\WINDOWS\System32\ntlsapi.dll (0x724B0000) d:\windows\system32\ipnathlp.dll (0x66460000) d:\windows\system32\netshell.dll (0x75CF0000) d:\windows\system32\credui.dll (0x76C00000) d:\windows\system32\HNetCfg.dll (0x68880000) D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\System32\Wbem\wbemcore.dll (0x75450000) D:\WINDOWS\System32\Wbem\esscli.dll (0x75310000) D:\WINDOWS\System32\Wbem\FastProx.dll (0x75690000) D:\WINDOWS\System32\wbem\wmiutils.dll (0x75020000) D:\WINDOWS\System32\wbem\repdrvfs.dll (0x75200000) D:\WINDOWS\System32\wbem\wmiprvsd.dll (0x597F0000) D:\WINDOWS\System32\NCObjAPI.DLL (0x5F770000) D:\WINDOWS\System32\wbem\wbemess.dll (0x75390000) D:\WINDOWS\System32\winhttp.dll (0x76080000) d:\windows\system32\termsrv.dll (0x752D0000) d:\windows\system32\ICAAPI.dll (0x74F70000) d:\windows\system32\AUTHZ.dll (0x76CC0000) d:\windows\system32\mstlsapi.dll 
(0x75110000) D:\WINDOWS\System32\REGAPI.dll (0x76BC0000) D:\WINDOWS\System32\wbem\ncprov.dll (0x5F740000) D:\WINDOWS\System32\catsrvut.dll (0x6FB10000) D:\WINDOWS\System32\MfcSubs.dll (0x61990000) D:\WINDOWS\system32\MPR.dll (0x71B20000) D:\WINDOWS\System32\msi.dll (0x76400000) D:\WINDOWS\System32\Cabinet.dll (0x75150000) D:\WINDOWS\system32\urlmon.dll (0x1A400000) D:\WINDOWS\System32\catsrv.dll (0x6FBD0000) D:\WINDOWS\System32\upnp.dll (0x555F0000) D:\WINDOWS\System32\SSDPAPI.dll (0x74F00000) D:\WINDOWS\System32\RASDLG.dll (0x75550000) d:\windows\system32\qmgr.dll (0x5DDD0000) d:\windows\system32\SHFOLDER.dll (0x76780000) D:\WINDOWS\System32\qmgrprxy.dll (0x5DDC0000) D:\WINDOWS\System32\sensapi.dll (0x722B0000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000) D:\WINDOWS\System32\actxprxy.dll (0x71D40000) D:\WINDOWS\System32\wbem\wbemcons.dll (0x73D30000)

</pre>

Because Windows 2000 systems do not support port-to-process mapping, the PR-INITIAL log file will contain the following line:

Port to process mappings are not available on this system.


The PR-PORTS log file
The PR-PORTS log file contains summary data about TCP and UDP port activity on the computer. The data is listed by using a comma-separated value (csv) format as follows:

date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

On Windows 2000-based computers that do not support port-to-process mapping, the Port Reporter service lists the data by using the following format:

date,time,protocol,local port,local IP address,remote port,remote IP address

The following is an example of the contents of a PR-PORTS log file:

<pre class="fixed_text">Port Reporter Version 1.0 Log File - Port usage log

Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data

Log format: date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,0.0.0.0,4225,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,169.254.66.8,80,216.74.132.12,664,iexplore.exe,<MYDOMAIN\user>
4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,21:51:2,TCP,2684,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:15,UDP,2687,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:43,UDP,2688,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,TCP,2691,169.254.66.8,80,169.254.133.55,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:37,TCP,2693,0.0.0.0,2160,0.0.0.0,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:05:2,UDP,2697,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,22:06:2,TCP,2698,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:06:46,UDP,2700,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2701,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2702,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
</pre>

You may see entries in the PR-PORTS log file that look similar to the following:

04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,

In this case, the user context is missing. These entries mean that the Port Reporter service cannot determine the user account that the process is associated with. This expected output is generated for the System process and for the System Idle process.

When you review the contents of the PR-PORTS log file for ports or for processes, note the date and time stamp of entries that you want to investigate further.

You can find additional details about an entry in the PR-PORTS log file when you locate its corresponding entry in the PR-PIDS log file. To do so, follow these steps:
 * 1) Start Notepad, and then open the PR-PIDS log file.
 * 2) On the Edit menu, click Find.
 * 3) In the Find what box, type the date and time stamp of the entry in the PR-PORTS log file that you want to find more information about, and then click Find Next.
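
The "Log format" line and the missing-user-context case described above can be handled in a small parser. The following Python code is an added example, not part of the original article or of the Port Reporter tool; the function names are hypothetical, the dates are assumed to be yy/m/d, and the record lines are taken from the article's sample (which includes a nine-field svchost.exe line with no user field at all).

```python
from collections import defaultdict
from datetime import datetime

FIELDS = ("date", "time", "protocol", "local_port", "local_ip",
          "remote_port", "remote_ip", "pid", "module", "user")
# Processes for which the article says an empty user context is expected.
NO_CONTEXT_EXPECTED = {"System", "System Idle"}

# The format header plus record lines taken from the article's PR-PORTS sample.
SAMPLE = r"""Log format: date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
"""

def parse_line(line):
    """Return one record as a dict, or None for headers and malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) == 9:              # record written without the user field
        parts.append("")
    if len(parts) != 10 or parts[2] not in ("TCP", "UDP"):
        return None                  # header, blank line or unknown layout
    rec = dict(zip(FIELDS, parts))
    try:
        # Assumption: dates are yy/m/d and times h:m:s, neither zero-padded.
        yy, mon, day = (int(x) for x in rec["date"].split("/"))
        hh, mm, ss = (int(x) for x in rec["time"].split(":"))
        rec["timestamp"] = datetime(2000 + yy, mon, day, hh, mm, ss)
        rec["pid"] = int(rec["pid"])
    except ValueError:
        return None
    rec["user"] = rec["user"].strip("<>")
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def triage(records):
    """Split records lacking a user context into (expected, review) lists."""
    expected, review = [], []
    for r in records:
        if not r["user"]:
            (expected if r["module"] in NO_CONTEXT_EXPECTED else review).append(r)
    return expected, review

def remote_peers(records):
    """Map (pid, module) -> set of 'ip:port' for TCP records with a real peer."""
    peers = defaultdict(set)
    for r in records:
        if r["protocol"] == "TCP" and r["remote_ip"] not in ("0.0.0.0", "*"):
            peers[(r["pid"], r["module"])].add(f'{r["remote_ip"]}:{r["remote_port"]}')
    return dict(peers)

if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    print("review:", [(r["pid"], r["module"]) for r in triage(recs)[1]])
    print(remote_peers(recs))
```

Records that land in the review list are the ones to look up by date and time stamp in the PR-PIDS log file.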


The PR-PIDS log file
The PR-PIDS log file contains detailed information about ports, processes, related modules, and the user account the process uses to run. The following is an example of the contents of a PR-PIDS log file:

<pre class="fixed_text">Port Reporter Version 1.0 Log File

Process detail log

System Date: Sat Jan 24 08:49:31 2004

Local computer name:

<ComputerName>

==========================================

Log entry below recorded at: <Date and Time>

==========================================

Process ID: 664 (iexplore.exe)

User context: MYDOMAIN\user

Process doesn't appear to be a service

PID    Port        Local IP        State        Remote IP:Port
664    TCP 4867    0.0.0.0         LISTENING    0.0.0.0:4225
664    TCP 4873    0.0.0.0         LISTENING    0.0.0.0:45070
664    TCP 4867    169.254.66.8    ESTABLISHED  169.254.44.12:80
664    TCP 4873    169.254.66.8    SYN SENT     169.254.44.12:80
664    UDP 4817    127.0.0.1                    *:*

Port Statistics

TCP mappings: 4
UDP mappings: 1

TCP ports in a LISTENING state:    2 = 50.00%
TCP ports in a SYN SENT state:     1 = 25.00%
TCP ports in a ESTABLISHED state:  1 = 25.00%

Loaded modules: D:\Program Files\Internet Explorer\iexplore.exe (0x00400000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\System32\SHDOCVW.dll (0x71700000) D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000) D:\WINDOWS\system32\SHELL32.dll (0x773D0000) D:\WINDOWS\system32\comctl32.dll (0x77340000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\System32\uxtheme.dll (0x5AD70000) D:\WINDOWS\System32\BROWSEUI.dll (0x75F80000) D:\WINDOWS\System32\browselc.dll (0x72430000) D:\WINDOWS\system32\appHelp.dll (0x75F40000) D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\System32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) D:\WINDOWS\system32\WININET.dll (0x76200000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) D:\WINDOWS\System32\Secur32.dll (0x76F90000) D:\WINDOWS\System32\cscui.dll (0x76620000) D:\WINDOWS\System32\CSCDLL.dll (0x76600000) D:\WINDOWS\System32\SETUPAPI.dll (0x76670000) D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (0x10000000) D:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll (0x5F200000) D:\WINDOWS\System32\SXS.DLL (0x75E90000) D:\WINDOWS\system32\urlmon.dll (0x1A400000) D:\WINDOWS\System32\shdoclc.dll (0x00DE0000) D:\WINDOWS\System32\mlang.dll (0x74770000) D:\WINDOWS\System32\wsock32.dll (0x71AD0000) D:\WINDOWS\System32\WS2_32.dll (0x71AB0000) D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\System32\RASAPI32.DLL (0x76EE0000) D:\WINDOWS\System32\rasman.dll (0x76E90000) 
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000) D:\WINDOWS\System32\TAPI32.dll (0x76EB0000) D:\WINDOWS\System32\rtutils.dll (0x76E80000) D:\WINDOWS\System32\WINMM.dll (0x76B40000) D:\WINDOWS\System32\sensapi.dll (0x722B0000) D:\WINDOWS\system32\USERENV.dll (0x75A70000) D:\WINDOWS\System32\msi.dll (0x01370000) D:\WINDOWS\System32\DNSAPI.dll (0x76F20000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\System32\mshtml.dll (0x63580000) D:\WINDOWS\System32\IMM32.DLL (0x76390000) D:\Program Files\Microsoft Office\Office10\msohev.dll (0x32520000) D:\WINDOWS\System32\jscript.dll (0x6B700000) D:\WINDOWS\System32\dxtrans.dll (0x6BDD0000) D:\WINDOWS\System32\ATL.DLL (0x76B20000) D:\WINDOWS\System32\ddrawex.dll (0x65000000) D:\WINDOWS\System32\DDRAW.dll (0x51000000) D:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000) D:\WINDOWS\System32\dxtmsft.dll (0x6BE10000) D:\WINDOWS\System32\MSLS31.DLL (0x746C0000) D:\WINDOWS\System32\WINSPOOL.DRV (0x73000000) D:\WINDOWS\System32\wdmaud.drv (0x72D20000) D:\WINDOWS\System32\msacm32.drv (0x72D10000) D:\WINDOWS\System32\MSACM32.dll (0x77BE0000) D:\WINDOWS\System32\midimap.dll (0x77BD0000) D:\WINDOWS\System32\msxml3.dll (0x72E00000) D:\WINDOWS\System32\vbscript.dll (0x73300000) D:\WINDOWS\System32\IMGUTIL.DLL (0x66880000) D:\WINDOWS\System32\pngfilt.dll (0x5E310000) D:\WINDOWS\System32\wmp.dll (0x07680000) D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000) D:\WINDOWS\System32\wmploc.dll (0x08110000) D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (0x6D440000) D:\WINDOWS\System32\OLEPRO32.DLL (0x5EDD0000) D:\Program Files\Java\j2re1.4.2\bin\jpiexp32.dll (0x6D310000) D:\Program Files\Java\j2re1.4.2\bin\jpishare.dll (0x6D380000) D:\PROGRA~1\Java\J2RE14~1.2\bin\client\jvm.dll (0x04F20000) D:\PROGRA~1\Java\J2RE14~1.2\bin\hpi.dll (0x02FE0000) D:\PROGRA~1\Java\J2RE14~1.2\bin\verify.dll (0x05070000) D:\PROGRA~1\Java\J2RE14~1.2\bin\java.dll (0x05080000) 
D:\PROGRA~1\Java\J2RE14~1.2\bin\zip.dll (0x050A0000) D:\Program Files\Java\j2re1.4.2\bin\awt.dll (0x083E0000) D:\Program Files\Java\j2re1.4.2\bin\fontmanager.dll (0x075F0000) D:\WINDOWS\System32\D3DIM700.DLL (0x5C000000) D:\Program Files\Java\j2re1.4.2\bin\jpicom32.dll (0x6D2F0000) D:\Program Files\Java\j2re1.4.2\bin\net.dll (0x07660000) D:\WINDOWS\System32\wintrust.dll (0x76C30000) D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000) D:\WINDOWS\System32\schannel.dll (0x767F0000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) D:\WINDOWS\System32\dssenh.dll (0x0FFA0000) D:\WINDOWS\System32\wmvcore.dll (0x09270000) D:\WINDOWS\System32\WMASF.DLL (0x09470000) D:\WINDOWS\System32\actxprxy.dll (0x71D40000) D:\WINDOWS\System32\dispex.dll (0x6CC60000) D:\WINDOWS\System32\mshtmled.dll (0x74CB0000) D:\WINDOWS\System32\wmnetmgr.dll (0x09D90000) D:\WINDOWS\system32\msv1_0.dll (0x76D10000) D:\WINDOWS\system32\wdigest.dll (0x74380000) D:\WINDOWS\System32\winhttp.dll (0x76080000) D:\WINDOWS\System32\MPRAPI.dll (0x76D40000) D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000) D:\WINDOWS\System32\adsldpc.dll (0x76E10000) D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000) D:\WINDOWS\System32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\netman.dll (0x76DE0000) D:\WINDOWS\System32\WZCSvc.DLL (0x70B50000) D:\WINDOWS\System32\WMI.dll (0x76D30000) D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000) D:\WINDOWS\System32\WTSAPI32.dll (0x76F50000) D:\WINDOWS\System32\WINSTA.dll (0x76360000) D:\WINDOWS\System32\ESENT.dll (0x69710000) D:\WINDOWS\System32\hnetcfg.dll (0x68880000) D:\WINDOWS\System32\netshell.dll (0x75CF0000) D:\WINDOWS\System32\credui.dll (0x76C00000) D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000) D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000) D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000) D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000) D:\WINDOWS\System32\quartz.dll (0x35500000) D:\WINDOWS\System32\msdmo.dll (0x0ADF0000) D:\WINDOWS\System32\wmadmod.dll (0x0AE00000) 
D:\WINDOWS\System32\devenum.dll (0x35680000) D:\WINDOWS\System32\DSOUND.DLL (0x51080000) D:\WINDOWS\System32\KsUser.dll (0x5EF80000)

==========================================

Log entry below recorded at: <Date and Time>

==========================================

Process ID: 3764 (msmsgs.exe)

User context: MYDOMAIN\user

Process doesn't appear to be a service

PID    Port        Local IP        State        Remote IP:Port
3764   TCP 16521   169.254.66.8    LISTENING    0.0.0.0:45294
3764   UDP 4803    0.0.0.0                      *:*
3764   UDP 9586    169.254.66.8                 *:*
3764   UDP 55441   169.254.66.8                 *:*

Port Statistics

TCP mappings: 1
UDP mappings: 3

TCP ports in a LISTENING state:    1 = 100.00%

Loaded modules: D:\Program Files\Messenger\msmsgs.exe (0x00400000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.DLL (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\GDI32.DLL (0x77C70000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\OLE32.DLL (0x771B0000) D:\WINDOWS\system32\OLEAUT32.DLL (0x77120000) D:\WINDOWS\system32\MSVCRT.DLL (0x77C10000) D:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.DLL (0x71950000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\system32\SHELL32.DLL (0x773D0000) D:\WINDOWS\System32\uxtheme.dll (0x5AD70000) D:\Program Files\Messenger\MSGSLANG.DLL (0x69200000) D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\System32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) D:\WINDOWS\System32\SXS.DLL (0x75E90000) D:\WINDOWS\System32\wtsapi32.dll (0x76F50000) D:\WINDOWS\System32\WINSTA.dll (0x76360000) D:\WINDOWS\System32\es.dll (0x76B70000) D:\WINDOWS\System32\WS2_32.dll (0x71AB0000) D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000) D:\Program Files\Messenger\rtcimsp.dll (0x00F30000) D:\WINDOWS\System32\WSOCK32.dll (0x71AD0000) D:\WINDOWS\System32\rtcdll.dll (0x5D370000) D:\WINDOWS\System32\ATL.DLL (0x76B20000) D:\WINDOWS\System32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\WININET.dll (0x76200000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) D:\WINDOWS\System32\WINMM.dll (0x76B40000) D:\WINDOWS\System32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\DNSAPI.dll (0x76F20000) D:\WINDOWS\System32\termmgr.dll (0x5B6F0000) D:\WINDOWS\System32\rtutils.dll (0x76E80000) D:\WINDOWS\System32\quartz.dll (0x35500000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\System32\dxmrtp.dll (0x6BE70000) D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000) D:\WINDOWS\System32\DSOUND.dll (0x51080000) D:\WINDOWS\System32\PSAPI.DLL (0x76BF0000) 
D:\WINDOWS\System32\devenum.dll (0x35680000) D:\WINDOWS\System32\setupapi.dll (0x76670000) D:\WINDOWS\System32\wdmaud.drv (0x72D20000) D:\WINDOWS\System32\msacm32.drv (0x72D10000) D:\WINDOWS\System32\MSACM32.dll (0x77BE0000) D:\WINDOWS\System32\midimap.dll (0x77BD0000) D:\WINDOWS\System32\msdmo.dll (0x01450000) D:\WINDOWS\System32\dpnhupnp.dll (0x018A0000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) D:\WINDOWS\System32\rasapi32.dll (0x76EE0000) D:\WINDOWS\System32\rasman.dll (0x76E90000) D:\WINDOWS\System32\NETAPI32.dll (0x71C20000) D:\WINDOWS\System32\TAPI32.dll (0x76EB0000) D:\WINDOWS\System32\hnetcfg.dll (0x68880000) D:\WINDOWS\System32\netshell.dll (0x75CF0000) D:\WINDOWS\System32\credui.dll (0x76C00000) D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000) D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000) D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000) D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000) D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000) D:\WINDOWS\System32\netcfgx.dll (0x755F0000) D:\WINDOWS\System32\CLUSAPI.dll (0x55560000) D:\WINDOWS\System32\sensapi.dll (0x722B0000)

==========================================

Log entry below recorded at: <Date and Time>

==========================================

Process ID: 2424 (Virtual PC.exe)

User context: MYDOMAIN\user

Process doesn't appear to be a service

PID    Port        Local IP        State        Remote IP:Port
2424   TCP 1262    0.0.0.0         LISTENING    0.0.0.0:2192
2424   TCP 1731    0.0.0.0         LISTENING    0.0.0.0:53467
2424   TCP 2226    0.0.0.0         LISTENING    0.0.0.0:45214
2424   TCP 2229    0.0.0.0         LISTENING    0.0.0.0:2176
2424   TCP 4724    0.0.0.0         LISTENING    0.0.0.0:26634
2424   TCP 4725    0.0.0.0         LISTENING    0.0.0.0:2172
2424   TCP 4726    0.0.0.0         LISTENING    0.0.0.0:39049
2424   TCP 4727    0.0.0.0         LISTENING    0.0.0.0:37118
2424   TCP 4728    0.0.0.0         LISTENING    0.0.0.0:16491
2424   TCP 4729    0.0.0.0         LISTENING    0.0.0.0:20734
2424   TCP 4925    0.0.0.0         LISTENING    0.0.0.0:2064
2424   TCP 4930    0.0.0.0         LISTENING    0.0.0.0:8249
2424   TCP 4931    0.0.0.0         LISTENING    0.0.0.0:61639
2424   TCP 4932    0.0.0.0         LISTENING    0.0.0.0:22535
2424   TCP 2189    127.0.0.1       LISTENING    0.0.0.0:45095
2424   TCP 1262    169.254.66.8    ESTABLISHED  169.254.5.214:1745
2424   TCP 1731    169.254.66.8    ESTABLISHED  169.254.4.228:1745
2424   TCP 2226    169.254.66.8    ESTABLISHED  157.56.120.30:1745
2424   TCP 2229    169.254.66.8    ESTABLISHED  157.56.121.78:1745
2424   TCP 4724    169.254.66.8    ESTABLISHED  169.254.4.38:1745
2424   TCP 4725    169.254.66.8    ESTABLISHED  169.254.5.105:1745
2424   TCP 4726    169.254.66.8    ESTABLISHED  169.254.5.103:1745
2424   TCP 4727    169.254.66.8    ESTABLISHED  169.254.4.240:1745
2424   TCP 4728    169.254.66.8    ESTABLISHED  169.254.7.23:1745
2424   TCP 4729    169.254.66.8    ESTABLISHED  169.254.4.241:1745
2424   TCP 4925    169.254.66.8    ESTABLISHED  169.254.121.89:1745
2424   TCP 4930    169.254.66.8    ESTABLISHED  169.254.113.92:1745
2424   TCP 4931    169.254.66.8    ESTABLISHED  169.254.113.87:1745
2424   TCP 4932    169.254.66.8    ESTABLISHED  169.254.121.93:1745
2424   UDP 2686    0.0.0.0                      *:*
2424   UDP 2687    0.0.0.0                      *:*

Port Statistics

TCP mappings: 29
UDP mappings: 2

TCP ports in a LISTENING state:    15 = 51.72%
TCP ports in a ESTABLISHED state:  14 = 48.28%

Loaded modules: C:\Program Files\Microsoft Virtual PC\Virtual PC.exe (0x00400000)

C:\WINDOWS\System32\ntdll.dll (0x77F50000) C:\WINDOWS\system32\kernel32.dll (0x77E60000) C:\WINDOWS\System32\DDRAW.dll (0x51000000) C:\WINDOWS\system32\msvcrt.dll (0x77C10000) C:\WINDOWS\system32\USER32.dll (0x77D40000) C:\WINDOWS\system32\GDI32.dll (0x77C70000) C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) C:\WINDOWS\system32\RPCRT4.dll (0x78000000) C:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000) C:\WINDOWS\System32\DINPUT.dll (0x72280000) C:\WINDOWS\System32\WINMM.dll (0x76B40000) C:\WINDOWS\System32\iphlpapi.dll (0x76D60000) C:\WINDOWS\System32\WS2_32.dll (0x71AB0000) C:\WINDOWS\System32\WS2HELP.dll (0x71AA0000) C:\WINDOWS\System32\PSAPI.DLL (0x76BF0000) C:\WINDOWS\system32\comdlg32.dll (0x763B0000) C:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll (0x71950000) C:\WINDOWS\system32\SHELL32.dll (0x773D0000) C:\WINDOWS\System32\WINSPOOL.DRV (0x73000000) C:\WINDOWS\system32\ole32.dll (0x771B0000) C:\WINDOWS\system32\OLEAUT32.dll (0x77120000) C:\WINDOWS\system32\VERSION.dll (0x77C00000) C:\WINDOWS\System32\OLEACC.dll (0x74C80000) C:\WINDOWS\System32\MSVCP60.dll (0x55900000) C:\WINDOWS\System32\uxtheme.dll (0x5AD70000) C:\WINDOWS\System32\MSCTF.dll (0x74720000) C:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) C:\WINDOWS\System32\COMRes.dll (0x77050000) C:\WINDOWS\System32\msxml4.dll (0x69B10000) C:\WINDOWS\System32\LINKINFO.dll (0x76980000) C:\WINDOWS\System32\ntshrui.dll (0x76990000) C:\WINDOWS\System32\ATL.DLL (0x76B20000) C:\WINDOWS\System32\NETAPI32.dll (0x71C20000) C:\WINDOWS\system32\USERENV.dll (0x75A70000) C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000) C:\WINDOWS\System32\mswsock.dll (0x71A50000) C:\WINDOWS\System32\DNSAPI.dll (0x76F20000) C:\WINDOWS\System32\winrnr.dll (0x76FB0000) C:\WINDOWS\system32\WLDAP32.dll (0x76F60000) C:\WINDOWS\System32\wshtcpip.dll (0x71A90000) C:\WINDOWS\System32\rasadhlp.dll (0x76FC0000) 
C:\WINDOWS\System32\wdmaud.drv (0x72D20000) C:\WINDOWS\System32\msacm32.drv (0x72D10000) C:\WINDOWS\System32\MSACM32.dll (0x77BE0000) C:\WINDOWS\System32\midimap.dll (0x77BD0000) C:\WINDOWS\System32\HID.DLL (0x688F0000) C:\WINDOWS\System32\SETUPAPI.DLL (0x76670000) C:\Documents and Settings\user\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll (0x10000000) C:\WINDOWS\System32\mslbui.dll (0x605D0000) C:\WINDOWS\System32\Secur32.dll (0x76F90000) C:\WINDOWS\System32\security.dll (0x71F80000) C:\WINDOWS\system32\msv1_0.dll (0x76D10000) C:\WINDOWS\system32\appHelp.dll (0x75F40000) C:\WINDOWS\System32\cscui.dll (0x76620000) C:\WINDOWS\System32\CSCDLL.dll (0x76600000) C:\WINDOWS\system32\MPR.dll (0x71B20000) C:\WINDOWS\System32\ntlanman.dll (0x71C10000) C:\WINDOWS\System32\NETUI0.dll (0x71CD0000) C:\WINDOWS\System32\NETUI1.dll (0x71C90000) C:\WINDOWS\System32\NETRAP.dll (0x71C80000) C:\WINDOWS\System32\SAMLIB.dll (0x71BF0000) C:\WINDOWS\System32\drprov.dll (0x75F60000) C:\WINDOWS\System32\davclnt.dll (0x75F70000)

The Port Reporter service watches ports for changes and reports those changes in the log files. The changes may include an increase or a decrease in the number of connections on a port, or a change in the connection states of existing connections. The Port Reporter service reports when new connections to a TCP port are made or when existing connections close. The Port Reporter service also reports if the state of any one of the TCP connections on a port changes. TCP port states include the following:
 * CLOSE_WAIT
 * CLOSED
 * ESTABLISHED
 * FIN_WAIT_1
 * LAST_ACK
 * LISTEN
 * SYN_RECEIVED
 * SYN_SEND
 * TIMED_WAIT

An example of a change in state occurs when a connection that uses the ESTABLISHED state is changed to use the CLOSE_WAIT state.

Sometimes, the Port Reporter service may report that the System Idle process (PID 0) uses some TCP ports. This scenario may occur when a program that is installed on the computer connects to a TCP port and then disconnects from the port very quickly. The TCP connection between the program and the port may be left in a “Timed Wait” state although the program is no longer running. In this case, the Port Reporter service may detect that the port is being used, but cannot identify the program that used the port because the program is no longer running. The port can be in a “Timed Wait” state for up to several minutes although the process that was using the port is no longer running.

The Port Reporter service also creates a log entry when a program that is installed on the computer starts using a new UDP port. For example, if a program binds to UDP port 69, the Port Reporter service logs this action to the PR-PORTS and PR-PIDS log files. The Port Reporter service does not log UDP datagrams that are sent to UDP ports. The Port Reporter service only logs that the UDP port is bound and is accepting datagrams.

Microsoft recommends that you check the system event log and the application event log for events that are logged by the Port Reporter service. The Port Reporter service logs events when the service starts, when the service creates log files, when the service stops, or when the service encounters an error. The source of the events is logged as PortReporter. The event IDs are between 100 and 112.

Because Windows 2000 systems do not support port-to-process mapping, the PR-PIDS log file will contain the following line:

Port to process mappings are not available on this system.


<div class="moreinformation_section">

MORE INFORMATION
To view a WebCast about Port Reporter, click the following Microsoft Knowledge Base article number:

840832 Support WebCast: Port Reporter

<div class="references_section">