Article ID: 837243
Article Last Modified on 10/30/2006
APPLIES TO
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
SUMMARY
This article discusses the Port Reporter tool. The Port Reporter tool runs as a service on computers that are running Windows Server 2003, Windows XP, and Windows 2000. The tool logs TCP and UDP port activity. This article contains information about how to obtain and install the tool. When you install the tool, the Setup program creates the appropriate registry entries and installs the Port Reporter service.
This article also contains information about how to use start parameters to configure the Port Reporter service and information about the Port Reporter log files that are generated by the Port Reporter service.
IN THIS TASK
- INTRODUCTION
- Overview
- Obtain the Port Reporter tool
- Install the Port Reporter service
- Configure and start the Port Reporter service
- Remove the Port Reporter service
- Interpret Port Reporter log files
- REFERENCES
INTRODUCTION
This article contains information about how to obtain, install, and configure the Port Reporter tool. The Port Reporter tool is a tool that you can use to log TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.
back to the top
Overview
The Port Reporter tool logs TCP and UDP port activity. The tool is a small program that runs as a service on a computer that is running Windows Server 2003, Windows XP, or Windows 2000.
On Windows Server 2003 and on Windows XP-based computers, the service can log the following information:
- The ports that are used
- The processes that use the port
- Whether a process is a service
- The modules that a process loaded
- The user accounts that run a process
On Windows 2000-based computers, the service logs the ports that are used and when the ports are used.
You can use the information that is logged by the Port Reporter tool to help you track port usage and troubleshoot certain issues. The information that is logged by the Port Reporter tool may also be helpful for security purposes.
back to the top
Obtain the Port Reporter tool
The Port Reporter tool is available from this link on the Microsoft Download Center:
Important The Port Reporter Parser tool is a log parser for Port Reporter log files. This tool is now available for download. Port Reporter Parser has many features that can help you analyze Port Reporter log files. You can download the Port Reporter Parser tool from the following Microsoft web site:
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe
back to the top
Install the Port Reporter service
When you run the Setup program (Pr-Setup.exe) to install Port Reporter, the Setup program performs the following operations:
- Adds the following registry subkey to the Windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PortReporter
- Installs the Port Reporter service.
The Setup program creates a service object for the Port Reporter tool and then adds the object to the Service Control Manager database.
Install the Port Reporter service to the default location
By default, the Port Reporter service is installed to the following folder on the hard disk:
drive
:\Program Files\PortReporter
To install the Port Reporter service to the default location:
- Log on to the computer as a member of the local administrators group.
- Quit all programs that are running on the computer, including the Services tool and Event Viewer in Administrative Tools.
- Double-click Pr-Setup.exe to run the Setup program.
- When you are prompted to install the Port Reporter tool to the Program Files folder, press Y.
After you press Y, the Setup program creates a subfolder named PortReporter in the Program Files folder. Portreporter.exe is copied to the subfolder and is registered as a service in Service Control Manager.
Install the Port Reporter service to a different location than the default location
To install the Port Reporter service to a different location than the default location:
- Log on to the computer as a member of the local administrators group.
- Quit all programs that are running on the computer, including the Services tool and Event Viewer in Administrative Tools.
- Copy the Pr-setup.exe file and the Portreporter.exe file to the folder where you want to install the Port Reporter tool to.
Note You have to run the Setup program from a fixed, local drive. You cannot run the Setup program from a network drive or from a CD-ROM drive. - At the command prompt, type the following line, and then press ENTER, where
PathOfFolder
is the drive and path of the folder that contains the Pr-setup.exe file and the Portreporter.exe file:pr-setup.exe -d '
PathOfFolder
'For example, to install the tool to the D:\Tools\Port Reporter folder, type
pr-setup.exe –d ‘d:\tools\port reporter\’
You receive output that is similar to the following in the Command Prompt window:
C:\temp>pr-setup.exe -d 'PathOfFolder' Installing Port Reporter service: PathOfFolder Creating service...completed successfully Creating registry key and values...completed successfully Setup has successfully installed the Port Reporter service The service is currently stopped and set to manual startup type Please use the services applet in the control panel to configure and start the Port Reporter service press any key to exit setup
- Press any key to exit the Setup program.
Configure and start the Port Reporter service
To verify that the Port Reporter service installed successfully and to start the service, follow these steps:
- Click Start, right-click My Computer, and then click Manage.
- Expand Services and Applications, and then expand Services.
- In the right pane, verify that the Port Reporter service is listed.
- To start the service, double-click the service name, and then click to select the Start button. Click OK.
The Port Reporter service will create a log entry in the application log that indicates that it is started.
By default, the startup type for the Port Reporter service is set to use the Manual setting. If you want the service to start automatically when Windows starts, set the startup type to use the Automatic setting.
By default, the Port Reporter service uses the Local System account to log on to the computer. By using the Local System account, the Port Reporter service can gather details about processes that the administrator account or other user accounts do not have access to. Because of this, Microsoft recommends that you do not modify this setting.
Note Because this service runs in the context of the Local System account, Microsoft recommends that you secure the folder where Port Reporter is installed. Whether you install Port Reporter in its default location (%SystemDrive%\Program Files\PortReporter) or in a custom location, you must take these steps:
- Install Port Reporter only on an NTFS file system partition
- Adjust the Access Control List (ACLs) on the installation folder so that only the local Administrators group has access to the folder. To do this, follow these steps:
- Start Windows Explorer, and then find the installation folder. By default, it is %SystemDrive%\Program Files\PortReporter.
- Right-click on the folder, and then click Properties.
- In the folder property dialog box, click the Security tab, and then inspect the group and user names that have access to the folder. Only the local Administrators group and the System account should have access to this folder
- Select any other groups and users that are listed, and then click Remove. When the list contains only the local Administrators group and the System account, click Apply, and then click OK.
Location of log files
By default, the Port Reporter tool tries to create the log files in the following folder:
%systemroot%\System32\LogFiles\PortReporter
If this folder does not already exist, the folder is created for you. You can configure the location of the log files by using the start parameter that is specified on the General tab of the Port Reporter service dialog box. To specify the log file folder, use the -ld command-line option followed by the name of the folder that you want to use. Make sure that you enclose the name of the folder in single quotes ('). For example, if you specify the following start parameter, the Port Reporter service creates log files in the C:\Program Files\Port Reporter folder when the Port Reporter service starts:
-ld ‘c:\program files\port reporter’
Size of log files
By default, the Port Reporter service continues to write to the log files until the log files reach 5 megabytes (MB). After the log files reach 5 MB, a new log file is created. To configure the size of log files, use the -ls command-line option. You can specify a size between 1000 kilobytes (KB) and 102400 KB. For example, if you specify the following start parameter, the Port Reporter service creates a new log file every time the log files reach 7000 KB:
-ls 7000
After you configure the Port Reporter service with the start parameters that you want, start the service. When the Port Reporter service starts, the following two events are logged to the application event log:
Remove the Port Reporter service
To remove the Port Reporter service, type the following line at the command prompt, and then press ENTER:
pr-setup.exe -u
You receive output that is similar to the following in the Command Prompt window:
Uninstalling Port Reporter service... Deleting service... Stopping service...completed successfully Removing service...completed successfully Deleting service...completed successfully Deleting registry key and values...completed successfully Setup successfully uninstalled the Port Reporter Service The installation directory has been left intact press any key to exit setup
When you remove the Port Reporter service, the Setup program performs the following operations:
- Unregisters the Port Reporter service from the Service Control Manager database.
- Deletes the registry entries that were created when you installed the Port Reporter service.
When you remove the Port Reporter service, the Setup program does not remove the folder that contains the Pr-setup.exe file and the PortReporter.exe file, nor does the Setup program remove any log files that were created by the service.
back to the top
Interpret Port Reporter log files
The Port Reporter service creates the log files under the following circumstances:
- Every time the Port Reporter service starts
- At midnight each day.
- When the log file reaches 5 MB or when the log file reaches the custom size that you specified in the start parameter.
When the Port Reporter service starts, the following log files are created:
- PR-INITIAL-*.log
- PR-PORTS-*.log
- PR-PIDS-*.log
The name of each log file uses the date and the time (in 24-hour format) when the file was created. The format of the date and time stamp is year-month-day-hour-minute-second. For example, the following three files were created January 24, 2004, at 8:49:30 A.M.:
- PR-INITIAL-04-01-24-8-49-30.log
- PR-PORTS-04-01-24-8-49-30.log
- PR-PIDS-04-01-24-8-49-30.log
The PR-INITIAL log file
The PR-INITIAL log file contains data that the Port Reporter service collects about the ports, processes, and modules that run on the computer when the Port Reporter service is started. The user context that each process is running under is also logged. The following is an example of the contents of a PR-INITIAL log file on a Windows XP-based computer that was created when the Port Reporter service started:
Port Reporter Version 1.0 Log File Service initialization log System Date: <Date and Time> Local computer name: <ComputerName> TCP/UDP Port to Process Mappings at service start-up 36 mappings found PID:Process Port Local IP State Remote IP:Port 0:System Idle TCP 4857 169.254.66.8 TIME WAIT 169.254.44.123:80 4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0:6246 4:System TCP 1026 0.0.0.0 LISTENING 0.0.0.0:28726 4:System TCP 139 169.254.66.8 LISTENING 0.0.0.0:34925 4:System UDP 445 0.0.0.0 *:* 4:System UDP 137 169.254.66.8 *:* 4:System UDP 138 169.254.66.8 *:* 664:iexplore.exe TCP 4867 0.0.0.0 LISTENING 0.0.0.0:4225 664:iexplore.exe TCP 4870 0.0.0.0 LISTENING 0.0.0.0:45070 664:iexplore.exe TCP 4871 0.0.0.0 LISTENING 0.0.0.0:18494 664:iexplore.exe TCP 4872 0.0.0.0 LISTENING 0.0.0.0:6182 664:iexplore.exe TCP 4867 169.254.66.8 ESTABLISHED 169.254.44.123:80 664:iexplore.exe TCP 4870 169.254.66.8 ESTABLISHED 207.68.177.62:80 664:iexplore.exe TCP 4871 169.254.66.8 ESTABLISHED 207.46.248.110:80 664:iexplore.exe TCP 4872 169.254.66.8 ESTABLISHED 207.46.248.110:80 664:iexplore.exe UDP 4817 127.0.0.1 *:* 748:lsass.exe UDP 500 0.0.0.0 *:* 952:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0:2096 1092:svchost.exe TCP 1025 0.0.0.0 LISTENING 0.0.0.0:2064 1092:svchost.exe TCP 3002 127.0.0.1 LISTENING 0.0.0.0:49193 1092:svchost.exe TCP 3003 127.0.0.1 LISTENING 0.0.0.0:39078 1092:svchost.exe UDP 123 169.254.66.8 *:* 1092:svchost.exe UDP 123 127.0.0.1 *:* 1192:svchost.exe UDP 3009 0.0.0.0 *:* 1192:svchost.exe UDP 3015 0.0.0.0 *:* 1192:svchost.exe UDP 3016 0.0.0.0 *:* 1228:svchost.exe TCP 5000 0.0.0.0 LISTENING 0.0.0.0:45223 1228:svchost.exe UDP 1900 169.254.66.8 *:* 1228:svchost.exe UDP 1900 127.0.0.1 *:* 1536:alg.exe TCP 3001 127.0.0.1 LISTENING 0.0.0.0:2064 1568:InoRpc.exe TCP 42510 0.0.0.0 LISTENING 0.0.0.0:14373 1568:InoRpc.exe UDP 43508 169.254.66.8 *:* 3764:msmsgs.exe TCP 16521 169.254.66.8 LISTENING 0.0.0.0:45294 3764:msmsgs.exe UDP 4803 0.0.0.0 *:* 3764:msmsgs.exe UDP 9160 169.254.66.8 *:* 3764:msmsgs.exe UDP 9586 169.254.66.8 *:* ======================= ====================================================== Process ID: 4 (System) System Process PID Port Local IP State Remote IP:Port 4 TCP 445 0.0.0.0 LISTENING 0.0.0.0:6246 4 TCP 1026 0.0.0.0 LISTENING 0.0.0.0:28726 4 TCP 139 169.254.66.8 LISTENING 0.0.0.0:34925 4 UDP 445 0.0.0.0 *:* 4 UDP 137 169.254.66.8 *:* 4 UDP 138 169.254.66.8 *:* Port Statistics TCP mappings: 3 UDP mappings: 3 TCP ports in a LISTENING state: 3 = 100.00% Could not access module information for this process ====================================================== Process ID: 748 (lsass.exe) User context: NT AUTHORITY\SYSTEM Service Name: PolicyAgent Display Name: IPSEC Services Service Type: shares a process with other services Service Name: ProtectedStorage Display Name: Protected Storage Service Name: SamSs Display Name: Security Accounts Manager Service Type: shares a process with other services PID Port Local IP State Remote IP:Port 748 UDP 500 0.0.0.0 *:* Port Statistics TCP mappings: 0 UDP mappings: 1 Loaded modules: D:\WINDOWS\system32\lsass.exe (0x01000000) D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\LSASRV.dll (0x74520000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) D:\WINDOWS\system32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) D:\WINDOWS\system32\SAMSRV.dll (0x74440000) D:\WINDOWS\system32\cryptdll.dll (0x76790000) D:\WINDOWS\system32\DNSAPI.dll (0x76F20000) D:\WINDOWS\system32\WS2_32.dll (0x71AB0000) D:\WINDOWS\system32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) D:\WINDOWS\system32\NETAPI32.dll (0x71C20000) D:\WINDOWS\system32\SAMLIB.dll (0x71BF0000) D:\WINDOWS\system32\MPR.dll (0x71B20000) D:\WINDOWS\system32\NTDSAPI.dll (0x767A0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\system32\msprivs.dll (0x743B0000) D:\WINDOWS\system32\kerberos.dll (0x71CF0000) D:\WINDOWS\system32\msv1_0.dll (0x76D10000) D:\WINDOWS\system32\netlogon.dll (0x744B0000) D:\WINDOWS\system32\w32time.dll (0x767C0000) D:\WINDOWS\system32\MSVCP60.dll (0x55900000) D:\WINDOWS\system32\iphlpapi.dll (0x76D60000) D:\WINDOWS\system32\USERENV.dll (0x75A70000) D:\WINDOWS\system32\schannel.dll (0x767F0000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\wdigest.dll (0x74380000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) D:\WINDOWS\system32\setupapi.dll (0x76670000) D:\WINDOWS\system32\scecli.dll (0x74410000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\OLE32.DLL (0x771B0000) D:\WINDOWS\system32\shell32.dll (0x773D0000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000) D:\WINDOWS\system32\comctl32.dll (0x77340000) D:\WINDOWS\system32\ipsecsvc.dll (0x743E0000) D:\WINDOWS\system32\oakley.DLL (0x745D0000) D:\WINDOWS\system32\WINIPSEC.DLL (0x74370000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\system32\pstorsvc.dll (0x743A0000) D:\WINDOWS\system32\psbase.dll (0x743C0000) D:\WINDOWS\System32\dssenh.dll (0x0FFA0000) ====================================================== Process ID: 952 (svchost.exe) User context: NT AUTHORITY\SYSTEM Service Name: RpcSs Display Name: Remote Procedure Call (RPC) Service Type: shares a process with other services PID Port Local IP State Remote IP:Port 952 TCP 135 0.0.0.0 LISTENING 0.0.0.0:2096 Port Statistics TCP mappings: 1 UDP mappings: 0 TCP ports in a LISTENING state: 1 = 100.00% Loaded modules: D:\WINDOWS\system32\svchost.exe (0x01000000) D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) d:\windows\system32\rpcss.dll (0x75850000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) d:\windows\system32\WS2_32.dll (0x71AB0000) d:\windows\system32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) d:\windows\system32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\userenv.dll (0x75A70000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\system32\DNSAPI.dll (0x76F20000) D:\WINDOWS\system32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) ====================================================== Process ID: 1092 (svchost.exe) User context: NT AUTHORITY\SYSTEM Service Name: AudioSrv Display Name: Windows Audio Service Type: shares a process with other services Service Name: BITS Display Name: Background Intelligent Transfer Service Service Type: shares a process with other services Service Name: CryptSvc Display Name: Cryptographic Services Service Type: shares a process with other services Service Name: Dhcp Display Name: DHCP Client Service Type: shares a process with other services Service Name: dmserver Display Name: Logical Disk Manager Service Type: shares a process with other services Service Name: ERSvc Display Name: Error Reporting Service Service Type: shares a process with other services Service Name: EventSystem Display Name: COM+ Event System Service Type: shares a process with other services Service Name: helpsvc Display Name: Help and Support Service Type: shares a process with other services Service Name: lanmanserver Display Name: Server Service Type: shares a process with other services Service Name: lanmanworkstation Display Name: Workstation Service Type: shares a process with other services Service Name: Messenger Display Name: Messenger Service Type: shares a process with other services Service Name: Netman Display Name: Network Connections Service Name: Nla Display Name: Network Location Awareness (NLA) Service Type: shares a process with other services Service Name: RasMan Display Name: Remote Access Connection Manager Service Type: shares a process with other services Service Name: Schedule Display Name: Task Scheduler Service Name: seclogon Display Name: Secondary Logon Service Name: SENS Display Name: System Event Notification Service Type: shares a process with other services Service Name: SharedAccess Display Name: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) Service Type: shares a process with other services Service Name: ShellHWDetection Display Name: Shell Hardware Detection Service Type: shares a process with other services Service Name: srservice Display Name: System Restore Service Service Type: shares a process with other services Service Name: TapiSrv Display Name: Telephony Service Type: shares a process with other services Service Name: TermService Display Name: Terminal Services Service Type: shares a process with other services Service Name: Themes Display Name: Themes Service Type: shares a process with other services Service Name: TrkWks Display Name: Distributed Link Tracking Client Service Type: shares a process with other services Service Name: W32Time Display Name: Windows Time Service Type: shares a process with other services Service Name: winmgmt Display Name: Windows Management Instrumentation Service Type: shares a process with other services Service Name: wuauserv Display Name: Automatic Updates Service Type: shares a process with other services Service Name: WZCSVC Display Name: Wireless Zero Configuration Service Type: shares a process with other services PID Port Local IP State Remote IP:Port 1092 TCP 1025 0.0.0.0 LISTENING 0.0.0.0:2064 1092 TCP 3002 127.0.0.1 LISTENING 0.0.0.0:49193 1092 TCP 3003 127.0.0.1 LISTENING 0.0.0.0:39078 1092 UDP 123 169.254.66.8 *:* 1092 UDP 123 127.0.0.1 *:* Port Statistics TCP mappings: 3 UDP mappings: 2 TCP ports in a LISTENING state: 3 = 100.00% Loaded modules: D:\WINDOWS\System32\svchost.exe (0x01000000) D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) D:\WINDOWS\system32\USER32.dll (0x77D40000) d:\windows\system32\shsvcs.dll (0x76BD0000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\system32\shell32.dll (0x773D0000) D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000) D:\WINDOWS\system32\comctl32.dll (0x77340000) D:\WINDOWS\System32\WINSTA.dll (0x76360000) d:\windows\system32\dhcpcsvc.dll (0x76D80000) d:\windows\system32\DNSAPI.dll (0x76F20000) d:\windows\system32\WS2_32.dll (0x71AB0000) d:\windows\system32\WS2HELP.dll (0x71AA0000) d:\windows\system32\iphlpapi.dll (0x76D60000) d:\windows\system32\Secur32.dll (0x76F90000) D:\WINDOWS\System32\UxTheme.dll (0x5AD70000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) d:\windows\system32\wzcsvc.dll (0x70B50000) d:\windows\system32\rtutils.dll (0x76E80000) d:\windows\system32\WMI.dll (0x76D30000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) d:\windows\system32\WTSAPI32.dll (0x76F50000) d:\windows\system32\ESENT.dll (0x69710000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) d:\windows\system32\NETAPI32.dll (0x71C20000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\System32\rastls.dll (0x555A0000) D:\WINDOWS\System32\ATL.DLL (0x76B20000) D:\WINDOWS\System32\CRYPTUI.dll (0x754D0000) D:\WINDOWS\System32\WINTRUST.dll (0x76C30000) D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000) D:\WINDOWS\system32\WININET.dll (0x76200000) D:\WINDOWS\System32\MPRAPI.dll (0x76D40000) D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000) D:\WINDOWS\System32\adsldpc.dll (0x76E10000) D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000) D:\WINDOWS\System32\SETUPAPI.dll (0x76670000) D:\WINDOWS\System32\RASAPI32.dll (0x76EE0000) D:\WINDOWS\System32\rasman.dll (0x76E90000) D:\WINDOWS\System32\TAPI32.dll (0x76EB0000) D:\WINDOWS\System32\WINMM.dll (0x76B40000) D:\WINDOWS\System32\SCHANNEL.dll (0x767F0000) D:\WINDOWS\system32\USERENV.dll (0x75A70000) D:\WINDOWS\System32\WinSCard.dll (0x723D0000) D:\WINDOWS\System32\raschap.dll (0x70AF0000) D:\WINDOWS\system32\msv1_0.dll (0x76D10000) D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\System32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) d:\windows\system32\schedsvc.dll (0x751D0000) d:\windows\system32\NTDSAPI.dll (0x767A0000) D:\WINDOWS\System32\MSIDLE.DLL (0x74F50000) D:\WINDOWS\System32\NTMARTA.DLL (0x76CE0000) d:\windows\system32\audiosrv.dll (0x708B0000) d:\windows\system32\wkssvc.dll (0x75170000) d:\windows\system32\cryptsvc.dll (0x74FA0000) d:\windows\system32\certcli.dll (0x75350000) d:\windows\pchealth\helpctr\binaries\pchsvc.dll (0x74F40000) d:\windows\system32\es.dll (0x76B70000) d:\windows\system32\ersvc.dll (0x74F80000) d:\windows\system32\dmserver.dll (0x74F90000) d:\windows\system32\srvsvc.dll (0x75090000) d:\windows\system32\msgsvc.dll (0x74F60000) d:\windows\system32\netman.dll (0x76DE0000) d:\windows\system32\seclogon.dll (0x73D20000) d:\windows\system32\sens.dll (0x722D0000) d:\windows\system32\srsvc.dll (0x751A0000) d:\windows\system32\POWRPROF.dll (0x74AD0000) d:\windows\system32\tapisrv.dll (0x733E0000) d:\windows\system32\PSAPI.DLL (0x76BF0000) d:\windows\system32\trkwks.dll (0x75070000) d:\windows\system32\w32time.dll (0x767C0000) d:\windows\system32\MSVCP60.dll (0x55900000) d:\windows\system32\wbem\wmisvc.dll (0x597A0000) d:\windows\system32\wbem\wbemcomn.dll (0x75290000) D:\WINDOWS\System32\VSSAPI.DLL (0x753E0000) d:\windows\system32\wuauserv.dll (0x74EC0000) D:\WINDOWS\System32\wuaueng.dll (0x01B20000) D:\WINDOWS\System32\ADVPACK.dll (0x75260000) D:\WINDOWS\System32\sfc.dll (0x76BB0000) D:\WINDOWS\System32\sfc_os.dll (0x76C60000) d:\windows\system32\rasmans.dll (0x72480000) d:\windows\system32\WINIPSEC.DLL (0x74370000) d:\windows\system32\netcfgx.dll (0x755F0000) d:\windows\system32\CLUSAPI.dll (0x55560000) d:\windows\system32\browser.dll (0x74FE0000) D:\WINDOWS\System32\winspool.drv (0x73000000) D:\WINDOWS\System32\rastapi.dll (0x72060000) D:\WINDOWS\System32\SXS.DLL (0x75E90000) D:\WINDOWS\system32\comsvcs.dll (0x75730000) D:\WINDOWS\system32\MTXCLU.DLL (0x750F0000) D:\WINDOWS\system32\WSOCK32.dll (0x71AD0000) D:\WINDOWS\system32\colbact.DLL (0x75130000) D:\WINDOWS\System32\RESUTILS.DLL (0x750B0000) D:\WINDOWS\System32\mtxoci.dll (0x750D0000) D:\WINDOWS\System32\unimdm.tsp (0x57CC0000) D:\WINDOWS\System32\uniplat.dll (0x72000000) D:\WINDOWS\System32\kmddsp.tsp (0x57D40000) D:\WINDOWS\System32\ndptsp.tsp (0x57D20000) D:\WINDOWS\System32\ipconf.tsp (0x57D50000) D:\WINDOWS\System32\h323.tsp (0x57D70000) D:\WINDOWS\System32\hidphone.tsp (0x57D60000) D:\WINDOWS\System32\HID.DLL (0x688F0000) D:\WINDOWS\System32\rasppp.dll (0x72240000) D:\WINDOWS\System32\ntlsapi.dll (0x724B0000) d:\windows\system32\ipnathlp.dll (0x66460000) d:\windows\system32\netshell.dll (0x75CF0000) d:\windows\system32\credui.dll (0x76C00000) d:\windows\system32\HNetCfg.dll (0x68880000) D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\System32\Wbem\wbemcore.dll (0x75450000) D:\WINDOWS\System32\Wbem\esscli.dll (0x75310000) D:\WINDOWS\System32\Wbem\FastProx.dll (0x75690000) D:\WINDOWS\System32\wbem\wmiutils.dll (0x75020000) D:\WINDOWS\System32\wbem\repdrvfs.dll (0x75200000) D:\WINDOWS\System32\wbem\wmiprvsd.dll (0x597F0000) D:\WINDOWS\System32\NCObjAPI.DLL (0x5F770000) D:\WINDOWS\System32\wbem\wbemess.dll (0x75390000) D:\WINDOWS\System32\winhttp.dll (0x76080000) d:\windows\system32\termsrv.dll (0x752D0000) d:\windows\system32\ICAAPI.dll (0x74F70000) d:\windows\system32\AUTHZ.dll (0x76CC0000) d:\windows\system32\mstlsapi.dll (0x75110000) D:\WINDOWS\System32\REGAPI.dll (0x76BC0000) D:\WINDOWS\System32\wbem\ncprov.dll (0x5F740000) D:\WINDOWS\System32\catsrvut.dll (0x6FB10000) D:\WINDOWS\System32\MfcSubs.dll (0x61990000) D:\WINDOWS\system32\MPR.dll (0x71B20000) D:\WINDOWS\System32\msi.dll (0x76400000) D:\WINDOWS\System32\Cabinet.dll (0x75150000) D:\WINDOWS\system32\urlmon.dll (0x1A400000) D:\WINDOWS\System32\catsrv.dll (0x6FBD0000) D:\WINDOWS\System32\upnp.dll (0x555F0000) D:\WINDOWS\System32\SSDPAPI.dll (0x74F00000) D:\WINDOWS\System32\RASDLG.dll (0x75550000) d:\windows\system32\qmgr.dll (0x5DDD0000) d:\windows\system32\SHFOLDER.dll (0x76780000) D:\WINDOWS\System32\qmgrprxy.dll (0x5DDC0000) D:\WINDOWS\System32\sensapi.dll (0x722B0000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000) D:\WINDOWS\System32\actxprxy.dll (0x71D40000) D:\WINDOWS\System32\wbem\wbemcons.dll (0x73D30000)
Because Windows 2000 systems do not support port-to-process mapping, the PR-INITIAL log file will contain the following line:
Port to process mappings are not available on this system.
The PR-PORTS log file
The PR-PORTS log file contains summary data about TCP and UDP port activity on the computer. The data is listed by using a comma-separated value (csv) format as follows:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
On Windows 2000-based computers that do not support port-to-process mapping, the Port Reporter service lists the data by using the following format:
date,time,protocol,local port,local IP address,remote port,remote IP address
The following is an example of the contents of a PR-PORTS log file:
Port Reporter Version 1.0 Log File - Port usage log Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data Log format: date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context 04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user> 04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user> 04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user> 04/1/24,8:52:41,TCP,4874,0.0.0.0,4225,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user> 04/1/24,8:52:41,TCP,4874,169.254.66.8,80,216.74.132.12,664,iexplore.exe,<MYDOMAIN\user> 4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System, 04/1/24,21:51:2,TCP,2684,0.0.0.0,12390,0.0.0.0,4,System, 04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System, 04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user> 04/1/24,22:03:15,UDP,2687,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user> 04/1/24,22:03:43,UDP,2688,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user> 04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle, 04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe 04/1/24,22:04:36,TCP,2691,169.254.66.8,80,169.254.133.55,1260,svchost.exe 04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE> 04/1/24,22:04:37,TCP,2693,0.0.0.0,2160,0.0.0.0,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE> 04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE> 04/1/24,22:05:2,UDP,2697,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user> 04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System, 04/1/24,22:06:2,TCP,2698,169.254.66.8,445,169.254.133.55,4,System, 04/1/24,22:06:46,UDP,2700,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user> 04/1/24,22:06:47,UDP,2701,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user> 04/1/24,22:06:47,UDP,2702,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
You may see entries in the PR-PORTS log file that look similar to the following:
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
In this case, the user context is missing. These entries mean that the Port Reporter service cannot determine the user account that the process is associated with. This expected output is generated for the System process and for the System Idle process. When you review the contents of the PR-PORTS log file for ports or for processes, note the date and time stamp of entries that you want to investigate more. You can find additional details about an entry in the PR-PORTS log file when you locate its corresponding entry in the PR-PIDS log file. To do so, follow these steps:
- Start Notepad, and then open the PR-PIDS log file.
- On the Edit menu, click Find.
- In the Find what box, type the date and time stamp of the entry in the PR-PORTS log file that you want to find more information about, and then click Find Next.
The PR-PIDS log file
The PR-PIDS log file contains detailed information about ports, processes, related modules, and the user account the process uses to run. The following is an example of the contents of a PR-PIDS log file:
Port Reporter Version 1.0 Log File Process detail log System Date: Sat Jan 24 08:49:31 2004 Local computer name: <ComputerName> ====================================================== Log entry below recorded at: <Date and Time> ====================================================== Process ID: 664 (iexplore.exe) User context: MYDOMAIN\user Process doesn't appear to be a service PID Port Local IP State Remote IP:Port 664 TCP 4867 0.0.0.0 LISTENING 0.0.0.0:4225 664 TCP 4873 0.0.0.0 LISTENING 0.0.0.0:45070 664 TCP 4867 169.254.66.8 ESTABLISHED 169.254.44.12:80 664 TCP 4873 169.254.66.8 SYN SENT 169.254.44.12:80 664 UDP 4817 127.0.0.1 *:* Port Statistics TCP mappings: 4 UDP mappings: 1 TCP ports in a LISTENING state: 2 = 50.00% TCP ports in a SYN SENT state: 1 = 25.00% TCP ports in a ESTABLISHED state: 1 = 25.00% Loaded modules: D:\Program Files\Internet Explorer\iexplore.exe (0x00400000) D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\msvcrt.dll (0x77C10000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\GDI32.dll (0x77C70000) D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\System32\SHDOCVW.dll (0x71700000) D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000) D:\WINDOWS\system32\SHELL32.dll (0x773D0000) D:\WINDOWS\system32\comctl32.dll (0x77340000) D:\WINDOWS\system32\ole32.dll (0x771B0000) D:\WINDOWS\System32\uxtheme.dll (0x5AD70000) D:\WINDOWS\System32\BROWSEUI.dll (0x75F80000) D:\WINDOWS\System32\browselc.dll (0x72430000) D:\WINDOWS\system32\appHelp.dll (0x75F40000) D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\system32\OLEAUT32.dll (0x77120000) D:\WINDOWS\System32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) D:\WINDOWS\system32\WININET.dll (0x76200000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) D:\WINDOWS\System32\Secur32.dll (0x76F90000) D:\WINDOWS\System32\cscui.dll (0x76620000) D:\WINDOWS\System32\CSCDLL.dll (0x76600000) D:\WINDOWS\System32\SETUPAPI.dll (0x76670000) D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (0x10000000) D:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll (0x5F200000) D:\WINDOWS\System32\SXS.DLL (0x75E90000) D:\WINDOWS\system32\urlmon.dll (0x1A400000) D:\WINDOWS\System32\shdoclc.dll (0x00DE0000) D:\WINDOWS\System32\mlang.dll (0x74770000) D:\WINDOWS\System32\wsock32.dll (0x71AD0000) D:\WINDOWS\System32\WS2_32.dll (0x71AB0000) D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\System32\RASAPI32.DLL (0x76EE0000) D:\WINDOWS\System32\rasman.dll (0x76E90000) D:\WINDOWS\System32\NETAPI32.dll (0x71C20000) D:\WINDOWS\System32\TAPI32.dll (0x76EB0000) D:\WINDOWS\System32\rtutils.dll (0x76E80000) D:\WINDOWS\System32\WINMM.dll (0x76B40000) D:\WINDOWS\System32\sensapi.dll (0x722B0000) D:\WINDOWS\system32\USERENV.dll (0x75A70000) D:\WINDOWS\System32\msi.dll (0x01370000) D:\WINDOWS\System32\DNSAPI.dll (0x76F20000) D:\WINDOWS\System32\winrnr.dll (0x76FB0000) D:\WINDOWS\system32\WLDAP32.dll (0x76F60000) D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000) D:\WINDOWS\System32\mshtml.dll (0x63580000) D:\WINDOWS\System32\IMM32.DLL (0x76390000) D:\Program Files\Microsoft Office\Office10\msohev.dll (0x32520000) D:\WINDOWS\System32\jscript.dll (0x6B700000) D:\WINDOWS\System32\dxtrans.dll (0x6BDD0000) D:\WINDOWS\System32\ATL.DLL (0x76B20000) D:\WINDOWS\System32\ddrawex.dll (0x65000000) D:\WINDOWS\System32\DDRAW.dll (0x51000000) D:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000) D:\WINDOWS\System32\dxtmsft.dll (0x6BE10000) D:\WINDOWS\System32\MSLS31.DLL (0x746C0000) D:\WINDOWS\System32\WINSPOOL.DRV (0x73000000) D:\WINDOWS\System32\wdmaud.drv (0x72D20000) D:\WINDOWS\System32\msacm32.drv (0x72D10000) D:\WINDOWS\System32\MSACM32.dll (0x77BE0000) D:\WINDOWS\System32\midimap.dll (0x77BD0000) D:\WINDOWS\System32\msxml3.dll (0x72E00000) D:\WINDOWS\System32\vbscript.dll (0x73300000) D:\WINDOWS\System32\IMGUTIL.DLL (0x66880000) D:\WINDOWS\System32\pngfilt.dll (0x5E310000) D:\WINDOWS\System32\wmp.dll (0x07680000) D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000) D:\WINDOWS\System32\wmploc.dll (0x08110000) D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (0x6D440000) D:\WINDOWS\System32\OLEPRO32.DLL (0x5EDD0000) D:\Program Files\Java\j2re1.4.2\bin\jpiexp32.dll (0x6D310000) D:\Program Files\Java\j2re1.4.2\bin\jpishare.dll (0x6D380000) D:\PROGRA~1\Java\J2RE14~1.2\bin\client\jvm.dll (0x04F20000) D:\PROGRA~1\Java\J2RE14~1.2\bin\hpi.dll (0x02FE0000) D:\PROGRA~1\Java\J2RE14~1.2\bin\verify.dll (0x05070000) D:\PROGRA~1\Java\J2RE14~1.2\bin\java.dll (0x05080000) D:\PROGRA~1\Java\J2RE14~1.2\bin\zip.dll (0x050A0000) D:\Program Files\Java\j2re1.4.2\bin\awt.dll (0x083E0000) D:\Program Files\Java\j2re1.4.2\bin\fontmanager.dll (0x075F0000) D:\WINDOWS\System32\D3DIM700.DLL (0x5C000000) D:\Program Files\Java\j2re1.4.2\bin\jpicom32.dll (0x6D2F0000) D:\Program Files\Java\j2re1.4.2\bin\net.dll (0x07660000) D:\WINDOWS\System32\wintrust.dll (0x76C30000) D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000) D:\WINDOWS\System32\schannel.dll (0x767F0000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) D:\WINDOWS\System32\dssenh.dll (0x0FFA0000) D:\WINDOWS\System32\wmvcore.dll (0x09270000) D:\WINDOWS\System32\WMASF.DLL (0x09470000) D:\WINDOWS\System32\actxprxy.dll (0x71D40000) D:\WINDOWS\System32\dispex.dll (0x6CC60000) D:\WINDOWS\System32\mshtmled.dll (0x74CB0000) D:\WINDOWS\System32\wmnetmgr.dll (0x09D90000) D:\WINDOWS\system32\msv1_0.dll (0x76D10000) D:\WINDOWS\system32\wdigest.dll (0x74380000) D:\WINDOWS\System32\winhttp.dll (0x76080000) D:\WINDOWS\System32\MPRAPI.dll (0x76D40000) D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000) D:\WINDOWS\System32\adsldpc.dll (0x76E10000) D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000) D:\WINDOWS\System32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\netman.dll (0x76DE0000) D:\WINDOWS\System32\WZCSvc.DLL (0x70B50000) D:\WINDOWS\System32\WMI.dll (0x76D30000) D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000) D:\WINDOWS\System32\WTSAPI32.dll (0x76F50000) D:\WINDOWS\System32\WINSTA.dll (0x76360000) D:\WINDOWS\System32\ESENT.dll (0x69710000) D:\WINDOWS\System32\hnetcfg.dll (0x68880000) D:\WINDOWS\System32\netshell.dll (0x75CF0000) D:\WINDOWS\System32\credui.dll (0x76C00000) D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000) D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000) D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000) D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000) D:\WINDOWS\System32\quartz.dll (0x35500000) D:\WINDOWS\System32\msdmo.dll (0x0ADF0000) D:\WINDOWS\System32\wmadmod.dll (0x0AE00000) D:\WINDOWS\System32\devenum.dll (0x35680000) D:\WINDOWS\System32\DSOUND.DLL (0x51080000) D:\WINDOWS\System32\KsUser.dll (0x5EF80000) ====================================================== Log entry below recorded at: <Date and Time> ====================================================== Process ID: 3764 (msmsgs.exe) User context: MYDOMAIN\user Process doesn't appear to be a service PID Port Local IP State Remote IP:Port 3764 TCP 16521 169.254.66.8 LISTENING 0.0.0.0:45294 3764 UDP 4803 0.0.0.0 *:* 3764 UDP 9586 169.254.66.8 *:* 3764 UDP 55441 169.254.66.8 *:* Port Statistics TCP mappings: 1 UDP mappings: 3 TCP ports in a LISTENING state: 1 = 100.00% Loaded modules: D:\Program Files\Messenger\msmsgs.exe (0x00400000) D:\WINDOWS\System32\ntdll.dll (0x77F50000) D:\WINDOWS\system32\kernel32.dll (0x77E60000) D:\WINDOWS\system32\ADVAPI32.DLL (0x77DD0000) D:\WINDOWS\system32\RPCRT4.dll (0x78000000) D:\WINDOWS\system32\GDI32.DLL (0x77C70000) D:\WINDOWS\system32\USER32.dll (0x77D40000) D:\WINDOWS\system32\OLE32.DLL (0x771B0000) D:\WINDOWS\system32\OLEAUT32.DLL (0x77120000) D:\WINDOWS\system32\MSVCRT.DLL (0x77C10000) D:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.DLL (0x71950000) D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) D:\WINDOWS\system32\SHELL32.DLL (0x773D0000) D:\WINDOWS\System32\uxtheme.dll (0x5AD70000) D:\Program Files\Messenger\MSGSLANG.DLL (0x69200000) D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) D:\WINDOWS\System32\COMRes.dll (0x77050000) D:\WINDOWS\system32\VERSION.dll (0x77C00000) D:\WINDOWS\System32\SXS.DLL (0x75E90000) D:\WINDOWS\System32\wtsapi32.dll (0x76F50000) D:\WINDOWS\System32\WINSTA.dll (0x76360000) D:\WINDOWS\System32\es.dll (0x76B70000) D:\WINDOWS\System32\WS2_32.dll (0x71AB0000) D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000) D:\Program Files\Messenger\rtcimsp.dll (0x00F30000) D:\WINDOWS\System32\WSOCK32.dll (0x71AD0000) D:\WINDOWS\System32\rtcdll.dll (0x5D370000) D:\WINDOWS\System32\ATL.DLL (0x76B20000) D:\WINDOWS\System32\Secur32.dll (0x76F90000) D:\WINDOWS\system32\WININET.dll (0x76200000) D:\WINDOWS\system32\CRYPT32.dll (0x762C0000) D:\WINDOWS\system32\MSASN1.dll (0x762A0000) D:\WINDOWS\System32\WINMM.dll (0x76B40000) D:\WINDOWS\System32\iphlpapi.dll (0x76D60000) D:\WINDOWS\System32\DNSAPI.dll (0x76F20000) D:\WINDOWS\System32\termmgr.dll (0x5B6F0000) D:\WINDOWS\System32\rtutils.dll (0x76E80000) D:\WINDOWS\System32\quartz.dll (0x35500000) D:\WINDOWS\system32\mswsock.dll (0x71A50000) D:\WINDOWS\System32\wshtcpip.dll (0x71A90000) D:\WINDOWS\System32\dxmrtp.dll (0x6BE70000) D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000) D:\WINDOWS\System32\DSOUND.dll (0x51080000) D:\WINDOWS\System32\PSAPI.DLL (0x76BF0000) D:\WINDOWS\System32\devenum.dll (0x35680000) D:\WINDOWS\System32\setupapi.dll (0x76670000) D:\WINDOWS\System32\wdmaud.drv (0x72D20000) D:\WINDOWS\System32\msacm32.drv (0x72D10000) D:\WINDOWS\System32\MSACM32.dll (0x77BE0000) D:\WINDOWS\System32\midimap.dll (0x77BD0000) D:\WINDOWS\System32\msdmo.dll (0x01450000) D:\WINDOWS\System32\dpnhupnp.dll (0x018A0000) D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000) D:\WINDOWS\System32\rasapi32.dll (0x76EE0000) D:\WINDOWS\System32\rasman.dll (0x76E90000) D:\WINDOWS\System32\NETAPI32.dll (0x71C20000) D:\WINDOWS\System32\TAPI32.dll (0x76EB0000) D:\WINDOWS\System32\hnetcfg.dll (0x68880000) D:\WINDOWS\System32\netshell.dll (0x75CF0000) D:\WINDOWS\System32\credui.dll (0x76C00000) D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000) D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000) D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000) D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000) D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000) D:\WINDOWS\System32\netcfgx.dll (0x755F0000) D:\WINDOWS\System32\CLUSAPI.dll (0x55560000) D:\WINDOWS\System32\sensapi.dll (0x722B0000) ====================================================== Log entry below recorded at: <Date and Time> ====================================================== Process ID: 2424 (Virtual PC.exe) User context: MYDOMAIN\user Process doesn't appear to be a service PID Port Local IP State Remote IP:Port 2424 TCP 1262 0.0.0.0 LISTENING 0.0.0.0:2192 2424 TCP 1731 0.0.0.0 LISTENING 0.0.0.0:53467 2424 TCP 2226 0.0.0.0 LISTENING 0.0.0.0:45214 2424 TCP 2229 0.0.0.0 LISTENING 0.0.0.0:2176 2424 TCP 4724 0.0.0.0 LISTENING 0.0.0.0:26634 2424 TCP 4725 0.0.0.0 LISTENING 0.0.0.0:2172 2424 TCP 4726 0.0.0.0 LISTENING 0.0.0.0:39049 2424 TCP 4727 0.0.0.0 LISTENING 0.0.0.0:37118 2424 TCP 4728 0.0.0.0 LISTENING 0.0.0.0:16491 2424 TCP 4729 0.0.0.0 LISTENING 0.0.0.0:20734 2424 TCP 4925 0.0.0.0 LISTENING 0.0.0.0:2064 2424 TCP 4930 0.0.0.0 LISTENING 0.0.0.0:8249 2424 TCP 4931 0.0.0.0 LISTENING 0.0.0.0:61639 2424 TCP 4932 0.0.0.0 LISTENING 0.0.0.0:22535 2424 TCP 2189 127.0.0.1 LISTENING 0.0.0.0:45095 2424 TCP 1262 169.254.66.8 ESTABLISHED 169.254.5.214:1745 2424 TCP 1731 169.254.66.8 ESTABLISHED 169.254.4.228:1745 2424 TCP 2226 169.254.66.8 ESTABLISHED 157.56.120.30:1745 2424 TCP 2229 169.254.66.8 ESTABLISHED 157.56.121.78:1745 2424 TCP 4724 169.254.66.8 ESTABLISHED 169.254.4.38:1745 2424 TCP 4725 169.254.66.8 ESTABLISHED 169.254.5.105:1745 2424 TCP 4726 169.254.66.8 ESTABLISHED 169.254.5.103:1745 2424 TCP 4727 169.254.66.8 ESTABLISHED 169.254.4.240:1745 2424 TCP 4728 169.254.66.8 ESTABLISHED 169.254.7.23:1745 2424 TCP 4729 169.254.66.8 ESTABLISHED 169.254.4.241:1745 2424 TCP 4925 169.254.66.8 ESTABLISHED 169.254.121.89:1745 2424 TCP 4930 169.254.66.8 ESTABLISHED 169.254.113.92:1745 2424 TCP 4931 169.254.66.8 ESTABLISHED 169.254.113.87:1745 2424 TCP 4932 169.254.66.8 ESTABLISHED 169.254.121.93:1745 2424 UDP 2686 0.0.0.0 *:* 2424 UDP 2687 0.0.0.0 *:* Port Statistics TCP mappings: 29 UDP mappings: 2 TCP ports in a LISTENING state: 15 = 51.72% TCP ports in a ESTABLISHED state: 14 = 48.28% Loaded modules: C:\Program Files\Microsoft Virtual PC\Virtual PC.exe (0x00400000) C:\WINDOWS\System32\ntdll.dll (0x77F50000) C:\WINDOWS\system32\kernel32.dll (0x77E60000) C:\WINDOWS\System32\DDRAW.dll (0x51000000) C:\WINDOWS\system32\msvcrt.dll (0x77C10000) C:\WINDOWS\system32\USER32.dll (0x77D40000) C:\WINDOWS\system32\GDI32.dll (0x77C70000) C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000) C:\WINDOWS\system32\RPCRT4.dll (0x78000000) C:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000) C:\WINDOWS\System32\DINPUT.dll (0x72280000) C:\WINDOWS\System32\WINMM.dll (0x76B40000) C:\WINDOWS\System32\iphlpapi.dll (0x76D60000) C:\WINDOWS\System32\WS2_32.dll (0x71AB0000) C:\WINDOWS\System32\WS2HELP.dll (0x71AA0000) C:\WINDOWS\System32\PSAPI.DLL (0x76BF0000) C:\WINDOWS\system32\comdlg32.dll (0x763B0000) C:\WINDOWS\system32\SHLWAPI.dll (0x70A70000) C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll (0x71950000) C:\WINDOWS\system32\SHELL32.dll (0x773D0000) C:\WINDOWS\System32\WINSPOOL.DRV (0x73000000) C:\WINDOWS\system32\ole32.dll (0x771B0000) C:\WINDOWS\system32\OLEAUT32.dll (0x77120000) C:\WINDOWS\system32\VERSION.dll (0x77C00000) C:\WINDOWS\System32\OLEACC.dll (0x74C80000) C:\WINDOWS\System32\MSVCP60.dll (0x55900000) C:\WINDOWS\System32\uxtheme.dll (0x5AD70000) C:\WINDOWS\System32\MSCTF.dll (0x74720000) C:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000) C:\WINDOWS\System32\COMRes.dll (0x77050000) C:\WINDOWS\System32\msxml4.dll (0x69B10000) C:\WINDOWS\System32\LINKINFO.dll (0x76980000) C:\WINDOWS\System32\ntshrui.dll (0x76990000) C:\WINDOWS\System32\ATL.DLL (0x76B20000) C:\WINDOWS\System32\NETAPI32.dll (0x71C20000) C:\WINDOWS\system32\USERENV.dll (0x75A70000) C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000) C:\WINDOWS\System32\mswsock.dll (0x71A50000) C:\WINDOWS\System32\DNSAPI.dll (0x76F20000) C:\WINDOWS\System32\winrnr.dll (0x76FB0000) C:\WINDOWS\system32\WLDAP32.dll (0x76F60000) C:\WINDOWS\System32\wshtcpip.dll (0x71A90000) C:\WINDOWS\System32\rasadhlp.dll (0x76FC0000) C:\WINDOWS\System32\wdmaud.drv (0x72D20000) C:\WINDOWS\System32\msacm32.drv (0x72D10000) C:\WINDOWS\System32\MSACM32.dll (0x77BE0000) C:\WINDOWS\System32\midimap.dll (0x77BD0000) C:\WINDOWS\System32\HID.DLL (0x688F0000) C:\WINDOWS\System32\SETUPAPI.DLL (0x76670000) C:\Documents and Settings\user\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll (0x10000000) C:\WINDOWS\System32\mslbui.dll (0x605D0000) C:\WINDOWS\System32\Secur32.dll (0x76F90000) C:\WINDOWS\System32\security.dll (0x71F80000) C:\WINDOWS\system32\msv1_0.dll (0x76D10000) C:\WINDOWS\system32\appHelp.dll (0x75F40000) C:\WINDOWS\System32\cscui.dll (0x76620000) C:\WINDOWS\System32\CSCDLL.dll (0x76600000) C:\WINDOWS\system32\MPR.dll (0x71B20000) C:\WINDOWS\System32\ntlanman.dll (0x71C10000) C:\WINDOWS\System32\NETUI0.dll (0x71CD0000) C:\WINDOWS\System32\NETUI1.dll (0x71C90000) C:\WINDOWS\System32\NETRAP.dll (0x71C80000) C:\WINDOWS\System32\SAMLIB.dll (0x71BF0000) C:\WINDOWS\System32\drprov.dll (0x75F60000) C:\WINDOWS\System32\davclnt.dll (0x75F70000)
The Port Reporter service watches ports for changes and reports those changes in the log files. The changes may include an increase or a decrease in the number of connections on a port, or a change in connection states of existing connections. The Port Reporter service reports when new connections to a TCP port are made or when existing connections close. The Port Reporter service also reports if the state of any one of the TCP connections on a port change. TCP port states include the following:
- CLOSE_WAIT
- CLOSED
- ESTABLISHED
- FIN_WAIT_1
- LAST_ACK
- LISTEN
- SYN_RECEIVED
- SYN_SEND
- TIMED_WAIT
An example of a change in state occurs when a connection that uses the ESTABLISHED state is changed to use the CLOSE_WAIT state. Sometimes, the Port Reporter service may report that the System Idle process (PID 0) uses some TCP ports. This scenario may occur when a program that is installed on the computer connects to a TCP port and then disconnects from the port very quickly. The TCP connection between the program and the port may be left in a “Timed Wait” state although the program is no longer running. In this case, the Port Reporter service may detect that the port is being used, but cannot identify the program that used the port because the program is no longer running. The port can be in a “Timed Wait” state for up to several minutes although the process that was using the port is no longer running.
The Port Reporter service also creates a log entry when a program that is installed on the computer starts using a new UDP port. For example, if a program binds to UDP port 69, the Port Reporter service logs this action to the PR-PORTS and PR-PIDS log files. The Port Reporter service does not log UDP datagrams that are sent to UDP ports. The Port Reporter service only logs that the UDP port is bound and is accepting datagrams. Microsoft recommends that you check the system event log and the application event log for events that are logged by the Port Reporter service. The Port Reporter service logs events when the service starts, when the service creates log files, when the service stops, or when the service encounters an error. The source of the events is logged as PortReporter. The event IDs are between 100 and 112.
Because Windows 2000 systems do not support port-to-process mapping, the PR-PIDS log file will contain the following line:
Port to process mappings are not available on this system.
MORE INFORMATION
To view a WebCast about Port Reporter, click the following Microsoft Knowledge Base article number:
840832 Support WebCast: Port Reporter
REFERENCES
PortQry version 2.0 is a related tool. This tool permits you to track activity on a single port or on all ports that are used by a specified process. For additional information about PortQry version 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
832919 New features and functionality in PortQry version 2.0
Important The PortQueryUI tool provides a graphical user interface and is available for download. PortQueryUI has several features that can make using PortQry easier. To obtain the PortQueryUI tool, visit the following Microsoft Web site:
Important The Port Reporter Parser tool is a log parser for Port Reporter log files and is now available for download. Port Reporter Parser has many advanced features that can help analyze Port Reporter log files. To obtain the Port Reporter Parser tool, visit the following Microsoft Web site:
Additional query words: security ports tcp/ip logging TIME_WAIT PR-Parser, Port Reporter Parser, Incident Response, IR, hacking, malware
Keywords: kbhowtomaster KB837243