Microsoft KB Archive/837243

From BetaArchive Wiki

Article ID: 837243

Article Last Modified on 10/30/2006



APPLIES TO

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server




SUMMARY

This article discusses the Port Reporter tool. The Port Reporter tool runs as a service on computers that are running Windows Server 2003, Windows XP, and Windows 2000. The tool logs TCP and UDP port activity. This article contains information about how to obtain and install the tool. When you install the tool, the Setup program creates the appropriate registry entries and installs the Port Reporter service.

This article also contains information about how to use start parameters to configure the Port Reporter service and information about the Port Reporter log files that are generated by the Port Reporter service.


INTRODUCTION

This article contains information about how to obtain, install, and configure the Port Reporter tool. You can use the Port Reporter tool to log TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.


Overview

The Port Reporter tool logs TCP and UDP port activity. The tool is a small program that runs as a service on a computer that is running Windows Server 2003, Windows XP, or Windows 2000.

On Windows Server 2003 and on Windows XP-based computers, the service can log the following information:

  • The ports that are used
  • The processes that use the port
  • Whether a process is a service
  • The modules that a process loaded
  • The user accounts that run a process

On Windows 2000-based computers, the service logs the ports that are used and when the ports are used.

You can use the information that is logged by the Port Reporter tool to help you track port usage and troubleshoot certain issues. The information that is logged by the Port Reporter tool may also be helpful for security purposes.


Obtain the Port Reporter tool

The Port Reporter tool is available from this link on the Microsoft Download Center:



Important The Port Reporter Parser tool is a log parser for Port Reporter log files. This tool is now available for download. Port Reporter Parser has many features that can help you analyze Port Reporter log files. You can download the Port Reporter Parser tool from the following Microsoft web site:
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe


Install the Port Reporter service

When you run the Setup program (Pr-Setup.exe) to install Port Reporter, the Setup program performs the following operations:

  • Adds the following registry subkey to the Windows registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PortReporter

    The Port Reporter service requires this registry key to log entries to the application event log on the computer.
  • Installs the Port Reporter service.

    The Setup program creates a service object for the Port Reporter tool and then adds the object to the Service Control Manager database.


Install the Port Reporter service to the default location

By default, the Port Reporter service is installed to the following folder on the hard disk:

drive:\Program Files\PortReporter


To install the Port Reporter service to the default location:

  1. Log on to the computer as a member of the local administrators group.
  2. Quit all programs that are running on the computer, including the Services tool and Event Viewer in Administrative Tools.
  3. Double-click Pr-Setup.exe to run the Setup program.
  4. When you are prompted to install the Port Reporter tool to the Program Files folder, press Y.


After you press Y, the Setup program creates a subfolder named PortReporter in the Program Files folder. Portreporter.exe is copied to the subfolder and is registered as a service in Service Control Manager.


Install the Port Reporter service to a different location than the default location

To install the Port Reporter service to a different location than the default location:

  1. Log on to the computer as a member of the local administrators group.
  2. Quit all programs that are running on the computer, including the Services tool and Event Viewer in Administrative Tools.
  3. Copy the Pr-setup.exe file and the Portreporter.exe file to the folder where you want to install the Port Reporter tool.

    Note You have to run the Setup program from a fixed, local drive. You cannot run the Setup program from a network drive or from a CD-ROM drive.
  4. At the command prompt, type the following line, and then press ENTER, where PathOfFolder is the drive and path of the folder that contains the Pr-setup.exe file and the Portreporter.exe file:

    pr-setup.exe -d 'PathOfFolder'

    For example, to install the tool to the D:\Tools\Port Reporter folder, type

    pr-setup.exe -d 'd:\tools\port reporter\'

    You receive output that is similar to the following in the Command Prompt window:

    C:\temp>pr-setup.exe -d 'PathOfFolder'
    
    Installing Port Reporter service: PathOfFolder
    
    Creating service...completed successfully
    
    Creating registry key and values...completed successfully
    
    Setup has successfully installed the Port Reporter service
    The service is currently stopped and set to manual startup type
    
    Please use the services applet in the control panel to configure
    and start the Port Reporter service
    
    
    press any key to exit setup
  5. Press any key to exit the Setup program.


Configure and start the Port Reporter service

To verify that the Port Reporter service installed successfully and to start the service, follow these steps:

  1. Click Start, right-click My Computer, and then click Manage.
  2. Expand Services and Applications, and then expand Services.
  3. In the right pane, verify that the Port Reporter service is listed.
  4. To start the service, double-click the service name, click Start, and then click OK.


The Port Reporter service will create a log entry in the application log that indicates that it is started.

By default, the startup type for the Port Reporter service is set to use the Manual setting. If you want the service to start automatically when Windows starts, set the startup type to use the Automatic setting.

By default, the Port Reporter service uses the Local System account to log on to the computer. By using the Local System account, the Port Reporter service can gather details about processes that the administrator account or other user accounts do not have access to. Because of this, Microsoft recommends that you do not modify this setting.

Note Because this service runs in the context of the Local System account, Microsoft recommends that you secure the folder where Port Reporter is installed. Whether you install Port Reporter in its default location (%SystemDrive%\Program Files\PortReporter) or in a custom location, you must take these steps:

  • Install Port Reporter only on an NTFS file system partition
  • Adjust the access control list (ACL) on the installation folder so that only the local Administrators group has access to the folder. To do this, follow these steps:
    1. Start Windows Explorer, and then find the installation folder. By default, it is %SystemDrive%\Program Files\PortReporter.
    2. Right-click on the folder, and then click Properties.
    3. In the folder property dialog box, click the Security tab, and then inspect the group and user names that have access to the folder. Only the local Administrators group and the System account should have access to this folder.
    4. Select any other groups and users that are listed, and then click Remove. When the list contains only the local Administrators group and the System account, click Apply, and then click OK.

Location of log files

By default, the Port Reporter tool tries to create the log files in the following folder:

%systemroot%\System32\LogFiles\PortReporter


If this folder does not already exist, the folder is created for you. You can configure the location of the log files by using the start parameter that is specified on the General tab of the Port Reporter service dialog box. To specify the log file folder, use the -ld command-line option followed by the name of the folder that you want to use. Make sure that you enclose the name of the folder in single quotes ('). For example, if you specify the following start parameter, the Port Reporter service creates log files in the C:\Program Files\Port Reporter folder when the Port Reporter service starts:

-ld 'c:\program files\port reporter'


Size of log files

By default, the Port Reporter service continues to write to the log files until the log files reach 5 megabytes (MB). After the log files reach 5 MB, a new log file is created. To configure the size of log files, use the -ls command-line option. You can specify a size between 1000 kilobytes (KB) and 102400 KB. For example, if you specify the following start parameter, the Port Reporter service creates a new log file every time the log files reach 7000 KB:

-ls 7000


After you configure the Port Reporter service with the start parameters that you want, start the service. When the Port Reporter service starts, the following two events are logged to the application event log:

Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service was started.

Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service successfully created log files in the following directory: PathOfLogFiles


Remove the Port Reporter service

To remove the Port Reporter service, type the following line at the command prompt, and then press ENTER:

pr-setup.exe -u


You receive output that is similar to the following in the Command Prompt window:

Uninstalling Port Reporter service...

Deleting service...
   Stopping service...completed successfully

   Removing service...completed successfully

Deleting service...completed successfully

Deleting registry key and values...completed successfully


Setup successfully uninstalled the Port Reporter Service
The installation directory has been left intact


press any key to exit setup

When you remove the Port Reporter service, the Setup program performs the following operations:

  • Unregisters the Port Reporter service from the Service Control Manager database.
  • Deletes the registry entries that were created when you installed the Port Reporter service.

When you remove the Port Reporter service, the Setup program does not remove the folder that contains the Pr-setup.exe file and the PortReporter.exe file, nor does the Setup program remove any log files that were created by the service.


Interpret Port Reporter log files

The Port Reporter service creates the log files under the following circumstances:

  • Every time the Port Reporter service starts
  • At midnight each day
  • When the log file reaches 5 MB, or when the log file reaches the custom size that you specified in the start parameter

When the Port Reporter service starts, the following log files are created:

  • PR-INITIAL-*.log
  • PR-PORTS-*.log
  • PR-PIDS-*.log

The name of each log file uses the date and the time (in 24-hour format) when the file was created. The format of the date and time stamp is year-month-day-hour-minute-second. For example, the following three files were created January 24, 2004, at 8:49:30 A.M.:

  • PR-INITIAL-04-01-24-8-49-30.log
  • PR-PORTS-04-01-24-8-49-30.log
  • PR-PIDS-04-01-24-8-49-30.log


The PR-INITIAL log file

The PR-INITIAL log file contains data that the Port Reporter service collects about the ports, processes, and modules that run on the computer when the Port Reporter service is started. The user context that each process is running under is also logged. The following is an example of the contents of a PR-INITIAL log file on a Windows XP-based computer that was created when the Port Reporter service started:

Port Reporter Version 1.0 Log File

Service initialization log

System Date: <Date and Time>


Local computer name:

 <ComputerName>

TCP/UDP Port to Process Mappings at service start-up

36 mappings found

PID:Process     Port        Local IP    State        Remote IP:Port
0:System Idle       TCP 4857    169.254.66.8    TIME WAIT    169.254.44.123:80
4:System        TCP 445     0.0.0.0     LISTENING    0.0.0.0:6246
4:System        TCP 1026    0.0.0.0     LISTENING    0.0.0.0:28726
4:System        TCP 139     169.254.66.8    LISTENING    0.0.0.0:34925
4:System        UDP 445     0.0.0.0              *:*
4:System        UDP 137     169.254.66.8             *:*
4:System        UDP 138     169.254.66.8             *:*
664:iexplore.exe    TCP 4867    0.0.0.0     LISTENING    0.0.0.0:4225
664:iexplore.exe    TCP 4870    0.0.0.0     LISTENING    0.0.0.0:45070
664:iexplore.exe    TCP 4871    0.0.0.0     LISTENING    0.0.0.0:18494
664:iexplore.exe    TCP 4872    0.0.0.0     LISTENING    0.0.0.0:6182
664:iexplore.exe    TCP 4867    169.254.66.8    ESTABLISHED  169.254.44.123:80
664:iexplore.exe    TCP 4870    169.254.66.8    ESTABLISHED  207.68.177.62:80
664:iexplore.exe    TCP 4871    169.254.66.8    ESTABLISHED  207.46.248.110:80
664:iexplore.exe    TCP 4872    169.254.66.8    ESTABLISHED  207.46.248.110:80
664:iexplore.exe    UDP 4817    127.0.0.1            *:*
748:lsass.exe       UDP 500     0.0.0.0              *:*
952:svchost.exe TCP 135     0.0.0.0     LISTENING    0.0.0.0:2096
1092:svchost.exe    TCP 1025    0.0.0.0     LISTENING    0.0.0.0:2064
1092:svchost.exe    TCP 3002    127.0.0.1   LISTENING    0.0.0.0:49193
1092:svchost.exe    TCP 3003    127.0.0.1   LISTENING    0.0.0.0:39078
1092:svchost.exe    UDP 123     169.254.66.8             *:*
1092:svchost.exe    UDP 123     127.0.0.1            *:*
1192:svchost.exe    UDP 3009    0.0.0.0              *:*
1192:svchost.exe    UDP 3015    0.0.0.0              *:*
1192:svchost.exe    UDP 3016    0.0.0.0              *:*
1228:svchost.exe    TCP 5000    0.0.0.0     LISTENING    0.0.0.0:45223
1228:svchost.exe    UDP 1900    169.254.66.8             *:*
1228:svchost.exe    UDP 1900    127.0.0.1            *:*
1536:alg.exe        TCP 3001    127.0.0.1   LISTENING    0.0.0.0:2064
1568:InoRpc.exe TCP 42510   0.0.0.0     LISTENING    0.0.0.0:14373
1568:InoRpc.exe UDP 43508   169.254.66.8             *:*
3764:msmsgs.exe TCP 16521   169.254.66.8    LISTENING    0.0.0.0:45294
3764:msmsgs.exe UDP 4803    0.0.0.0              *:*
3764:msmsgs.exe UDP 9160    169.254.66.8             *:*
3764:msmsgs.exe UDP 9586    169.254.66.8             *:*
=======================

======================================================

Process ID: 4 (System)

System Process

PID Port        Local IP    State        Remote IP:Port
4   TCP 445     0.0.0.0     LISTENING    0.0.0.0:6246
4   TCP 1026    0.0.0.0     LISTENING    0.0.0.0:28726
4   TCP 139     169.254.66.8    LISTENING    0.0.0.0:34925
4   UDP 445     0.0.0.0              *:*
4   UDP 137     169.254.66.8             *:*
4   UDP 138     169.254.66.8             *:*

Port Statistics

TCP mappings: 3
UDP mappings: 3

TCP ports in a LISTENING state:     3 = 100.00%


Could not access module information for this process

======================================================

Process ID: 748 (lsass.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: PolicyAgent
Display Name: IPSEC Services
Service Type: shares a process with other services

Service Name: ProtectedStorage
Display Name: Protected Storage

Service Name: SamSs
Display Name: Security Accounts Manager
Service Type: shares a process with other services

PID Port        Local IP    State        Remote IP:Port
748 UDP 500     0.0.0.0              *:*

Port Statistics

TCP mappings: 0
UDP mappings: 1


Loaded modules:
D:\WINDOWS\system32\lsass.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\LSASRV.dll (0x74520000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\SAMSRV.dll (0x74440000)
D:\WINDOWS\system32\cryptdll.dll (0x76790000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\msprivs.dll (0x743B0000)
D:\WINDOWS\system32\kerberos.dll (0x71CF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\netlogon.dll (0x744B0000)
D:\WINDOWS\system32\w32time.dll (0x767C0000)
D:\WINDOWS\system32\MSVCP60.dll (0x55900000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\system32\schannel.dll (0x767F0000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\system32\setupapi.dll (0x76670000)
D:\WINDOWS\system32\scecli.dll (0x74410000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ipsecsvc.dll (0x743E0000)
D:\WINDOWS\system32\oakley.DLL (0x745D0000)
D:\WINDOWS\system32\WINIPSEC.DLL (0x74370000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\pstorsvc.dll (0x743A0000)
D:\WINDOWS\system32\psbase.dll (0x743C0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
======================================================

Process ID: 952 (svchost.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Service Type: shares a process with other services

PID Port        Local IP    State        Remote IP:Port
952 TCP 135     0.0.0.0     LISTENING    0.0.0.0:2096

Port Statistics

TCP mappings: 1
UDP mappings: 0

TCP ports in a LISTENING state:     1 = 100.00%

Loaded modules:
D:\WINDOWS\system32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
d:\windows\system32\rpcss.dll (0x75850000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\userenv.dll (0x75A70000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
======================================================

Process ID: 1092 (svchost.exe)

User context: NT AUTHORITY\SYSTEM

Service Name: AudioSrv
Display Name: Windows Audio
Service Type: shares a process with other services

Service Name: BITS
Display Name: Background Intelligent Transfer Service
Service Type: shares a process with other services

Service Name: CryptSvc
Display Name: Cryptographic Services
Service Type: shares a process with other services

Service Name: Dhcp
Display Name: DHCP Client
Service Type: shares a process with other services

Service Name: dmserver
Display Name: Logical Disk Manager
Service Type: shares a process with other services

Service Name: ERSvc
Display Name: Error Reporting Service
Service Type: shares a process with other services

Service Name: EventSystem
Display Name: COM+ Event System
Service Type: shares a process with other services

Service Name: helpsvc
Display Name: Help and Support
Service Type: shares a process with other services

Service Name: lanmanserver
Display Name: Server
Service Type: shares a process with other services

Service Name: lanmanworkstation
Display Name: Workstation
Service Type: shares a process with other services

Service Name: Messenger
Display Name: Messenger
Service Type: shares a process with other services

Service Name: Netman
Display Name: Network Connections

Service Name: Nla
Display Name: Network Location Awareness (NLA)
Service Type: shares a process with other services

Service Name: RasMan
Display Name: Remote Access Connection Manager
Service Type: shares a process with other services

Service Name: Schedule
Display Name: Task Scheduler

Service Name: seclogon
Display Name: Secondary Logon

Service Name: SENS
Display Name: System Event Notification
Service Type: shares a process with other services

Service Name: SharedAccess
Display Name: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Service Type: shares a process with other services

Service Name: ShellHWDetection
Display Name: Shell Hardware Detection
Service Type: shares a process with other services

Service Name: srservice
Display Name: System Restore Service
Service Type: shares a process with other services

Service Name: TapiSrv
Display Name: Telephony
Service Type: shares a process with other services

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

Service Name: Themes
Display Name: Themes
Service Type: shares a process with other services

Service Name: TrkWks
Display Name: Distributed Link Tracking Client
Service Type: shares a process with other services

Service Name: W32Time
Display Name: Windows Time
Service Type: shares a process with other services

Service Name: winmgmt
Display Name: Windows Management Instrumentation
Service Type: shares a process with other services

Service Name: wuauserv
Display Name: Automatic Updates
Service Type: shares a process with other services

Service Name: WZCSVC
Display Name: Wireless Zero Configuration
Service Type: shares a process with other services

PID Port        Local IP    State        Remote IP:Port
1092    TCP 1025    0.0.0.0     LISTENING    0.0.0.0:2064
1092    TCP 3002    127.0.0.1   LISTENING    0.0.0.0:49193
1092    TCP 3003    127.0.0.1   LISTENING    0.0.0.0:39078
1092    UDP 123     169.254.66.8             *:*
1092    UDP 123     127.0.0.1            *:*

Port Statistics

TCP mappings: 3
UDP mappings: 2

TCP ports in a LISTENING state:     3 = 100.00%

Loaded modules:
D:\WINDOWS\System32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
d:\windows\system32\shsvcs.dll (0x76BD0000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
d:\windows\system32\dhcpcsvc.dll (0x76D80000)
d:\windows\system32\DNSAPI.dll (0x76F20000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
d:\windows\system32\iphlpapi.dll (0x76D60000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\UxTheme.dll (0x5AD70000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
d:\windows\system32\wzcsvc.dll (0x70B50000)
d:\windows\system32\rtutils.dll (0x76E80000)
d:\windows\system32\WMI.dll (0x76D30000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
d:\windows\system32\WTSAPI32.dll (0x76F50000)
d:\windows\system32\ESENT.dll (0x69710000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
d:\windows\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\rastls.dll (0x555A0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\CRYPTUI.dll (0x754D0000)
D:\WINDOWS\System32\WINTRUST.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\WINDOWS\System32\RASAPI32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\SCHANNEL.dll (0x767F0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\WinSCard.dll (0x723D0000)
D:\WINDOWS\System32\raschap.dll (0x70AF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
d:\windows\system32\schedsvc.dll (0x751D0000)
d:\windows\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\System32\MSIDLE.DLL (0x74F50000)
D:\WINDOWS\System32\NTMARTA.DLL (0x76CE0000)
d:\windows\system32\audiosrv.dll (0x708B0000)
d:\windows\system32\wkssvc.dll (0x75170000)
d:\windows\system32\cryptsvc.dll (0x74FA0000)
d:\windows\system32\certcli.dll (0x75350000)
d:\windows\pchealth\helpctr\binaries\pchsvc.dll (0x74F40000)
d:\windows\system32\es.dll (0x76B70000)
d:\windows\system32\ersvc.dll (0x74F80000)
d:\windows\system32\dmserver.dll (0x74F90000)
d:\windows\system32\srvsvc.dll (0x75090000)
d:\windows\system32\msgsvc.dll (0x74F60000)
d:\windows\system32\netman.dll (0x76DE0000)
d:\windows\system32\seclogon.dll (0x73D20000)
d:\windows\system32\sens.dll (0x722D0000)
d:\windows\system32\srsvc.dll (0x751A0000)
d:\windows\system32\POWRPROF.dll (0x74AD0000)
d:\windows\system32\tapisrv.dll (0x733E0000)
d:\windows\system32\PSAPI.DLL (0x76BF0000)
d:\windows\system32\trkwks.dll (0x75070000)
d:\windows\system32\w32time.dll (0x767C0000)
d:\windows\system32\MSVCP60.dll (0x55900000)
d:\windows\system32\wbem\wmisvc.dll (0x597A0000)
d:\windows\system32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\VSSAPI.DLL (0x753E0000)
d:\windows\system32\wuauserv.dll (0x74EC0000)
D:\WINDOWS\System32\wuaueng.dll (0x01B20000)
D:\WINDOWS\System32\ADVPACK.dll (0x75260000)
D:\WINDOWS\System32\sfc.dll (0x76BB0000)
D:\WINDOWS\System32\sfc_os.dll (0x76C60000)
d:\windows\system32\rasmans.dll (0x72480000)
d:\windows\system32\WINIPSEC.DLL (0x74370000)
d:\windows\system32\netcfgx.dll (0x755F0000)
d:\windows\system32\CLUSAPI.dll (0x55560000)
d:\windows\system32\browser.dll (0x74FE0000)
D:\WINDOWS\System32\winspool.drv (0x73000000)
D:\WINDOWS\System32\rastapi.dll (0x72060000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\comsvcs.dll (0x75730000)
D:\WINDOWS\system32\MTXCLU.DLL (0x750F0000)
D:\WINDOWS\system32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\system32\colbact.DLL (0x75130000)
D:\WINDOWS\System32\RESUTILS.DLL (0x750B0000)
D:\WINDOWS\System32\mtxoci.dll (0x750D0000)
D:\WINDOWS\System32\unimdm.tsp (0x57CC0000)
D:\WINDOWS\System32\uniplat.dll (0x72000000)
D:\WINDOWS\System32\kmddsp.tsp (0x57D40000)
D:\WINDOWS\System32\ndptsp.tsp (0x57D20000)
D:\WINDOWS\System32\ipconf.tsp (0x57D50000)
D:\WINDOWS\System32\h323.tsp (0x57D70000)
D:\WINDOWS\System32\hidphone.tsp (0x57D60000)
D:\WINDOWS\System32\HID.DLL (0x688F0000)
D:\WINDOWS\System32\rasppp.dll (0x72240000)
D:\WINDOWS\System32\ntlsapi.dll (0x724B0000)
d:\windows\system32\ipnathlp.dll (0x66460000)
d:\windows\system32\netshell.dll (0x75CF0000)
d:\windows\system32\credui.dll (0x76C00000)
d:\windows\system32\HNetCfg.dll (0x68880000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\Wbem\wbemcore.dll (0x75450000)
D:\WINDOWS\System32\Wbem\esscli.dll (0x75310000)
D:\WINDOWS\System32\Wbem\FastProx.dll (0x75690000)
D:\WINDOWS\System32\wbem\wmiutils.dll (0x75020000)
D:\WINDOWS\System32\wbem\repdrvfs.dll (0x75200000)
D:\WINDOWS\System32\wbem\wmiprvsd.dll (0x597F0000)
D:\WINDOWS\System32\NCObjAPI.DLL (0x5F770000)
D:\WINDOWS\System32\wbem\wbemess.dll (0x75390000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
d:\windows\system32\termsrv.dll (0x752D0000)
d:\windows\system32\ICAAPI.dll (0x74F70000)
d:\windows\system32\AUTHZ.dll (0x76CC0000)
d:\windows\system32\mstlsapi.dll (0x75110000)
D:\WINDOWS\System32\REGAPI.dll (0x76BC0000)
D:\WINDOWS\System32\wbem\ncprov.dll (0x5F740000)
D:\WINDOWS\System32\catsrvut.dll (0x6FB10000)
D:\WINDOWS\System32\MfcSubs.dll (0x61990000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\System32\msi.dll (0x76400000)
D:\WINDOWS\System32\Cabinet.dll (0x75150000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\catsrv.dll (0x6FBD0000)
D:\WINDOWS\System32\upnp.dll (0x555F0000)
D:\WINDOWS\System32\SSDPAPI.dll (0x74F00000)
D:\WINDOWS\System32\RASDLG.dll (0x75550000)
d:\windows\system32\qmgr.dll (0x5DDD0000)
d:\windows\system32\SHFOLDER.dll (0x76780000)
D:\WINDOWS\System32\qmgrprxy.dll (0x5DDC0000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\wbem\wbemcons.dll (0x73D30000)

Because Windows 2000 systems do not support port-to-process mapping, the PR-INITIAL log file will contain the following line:

Port to process mappings are not available on this system.



The PR-PORTS log file

The PR-PORTS log file contains summary data about TCP and UDP port activity on the computer. The data is listed in comma-separated values (CSV) format, as follows:

date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context


On Windows 2000-based computers that do not support port-to-process mapping, the Port Reporter service lists the data by using the following format:

date,time,protocol,local port,local IP address,remote port,remote IP address


The following is an example of the contents of a PR-PORTS log file:

Port Reporter Version 1.0 Log File - Port usage log

Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data

Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,0.0.0.0,4225,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,169.254.66.8,80,216.74.132.12,664,iexplore.exe,<MYDOMAIN\user>
4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,21:51:2,TCP,2684,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:15,UDP,2687,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:43,UDP,2688,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,TCP,2691,169.254.66.8,80,169.254.133.55,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:37,TCP,2693,0.0.0.0,2160,0.0.0.0,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:05:2,UDP,2697,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,22:06:2,TCP,2698,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:06:46,UDP,2700,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2701,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2702,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>

You may see entries in the PR-PORTS log file that look similar to the following:

04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,


In this case, the user context is missing. These entries mean that the Port Reporter service cannot determine the user account that the process is associated with. This expected output is generated for the System process and for the System Idle process. When you review the contents of the PR-PORTS log file for ports or for processes, note the date and time stamp of entries that you want to investigate more. You can find additional details about an entry in the PR-PORTS log file when you locate its corresponding entry in the PR-PIDS log file. To do so, follow these steps:

  1. Start Notepad, and then open the PR-PIDS log file.
  2. On the Edit menu, click Find.
  3. In the Find what box, type the date and time stamp of the entry in the PR-PORTS log file that you want to find more information about, and then click Find Next.
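The PR-PORTS record layouts above, parsed the way a responder would before correlating entries with the PR-PIDS log (added example, not part of the article or of the Port Reporter tool). It handles the ten-field Windows XP/Server 2003 layout, the seven-field Windows 2000 layout, the nine-field lines that appear in the sample (no user context field at all), the documented empty user context for System and System Idle, and the unpadded date on one sample line. The log text is a constructed sample modelled on the article's excerpt.

```python
"""Parse Port Reporter PR-PORTS log lines (added example, not Microsoft's code)."""
import csv
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the article's PR-PORTS excerpt.
SAMPLE_PR_PORTS = """\
Port Reporter Version 1.0 Log File - Port usage log

Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data

Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\\user>
4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\\NETWORK SERVICE>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
"""

# Constructed Windows 2000 style record: seven fields, no process data.
SAMPLE_W2K_LINE = "04/1/24,9:15:03,TCP,1042,169.254.66.8,139,169.254.133.55"


@dataclass
class PortRecord:
    date: str
    time: str
    protocol: str
    local_port: str
    local_ip: str
    remote_port: str   # "*" for UDP bindings
    remote_ip: str     # "*" for UDP bindings
    pid: Optional[int] = None     # None on Windows 2000 records
    module: Optional[str] = None
    user: Optional[str] = None    # None when the field is absent or empty

    @property
    def find_key(self) -> str:
        """The date/time stamp to type into Notepad's Find box when
        looking up the matching entry in the PR-PIDS log."""
        return f"{self.date},{self.time}"

    @property
    def user_unknown(self) -> bool:
        """True when process data exists but the user context is empty,
        as the article documents for System and System Idle."""
        return self.pid is not None and self.user is None


def parse_line(line: str) -> Optional[PortRecord]:
    """Return a PortRecord for a data line, or None for header/blank lines."""
    fields = next(csv.reader([line]))
    # Data lines start with a date; headers and "Log format:" do not.
    if len(fields) < 7 or not fields[0][:1].isdigit():
        return None
    rec = PortRecord(*fields[:7])
    if len(fields) > 7:
        rec.pid = int(fields[7])
    if len(fields) > 8:
        rec.module = fields[8]
    if len(fields) > 9:
        # Angle brackets wrap the account; an empty field means "unknown".
        rec.user = fields[9].strip("<>") or None
    return rec


def parse_log(text: str) -> List[PortRecord]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def system_idle_entries(records: List[PortRecord]) -> List[PortRecord]:
    """PID 0 entries: per the article, a port still in Timed Wait after
    the program that used it has already exited."""
    return [r for r in records if r.pid == 0]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_PR_PORTS):
        print(r.find_key, r.protocol, r.local_port, r.pid, r.module, r.user)
```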


The PR-PIDS log file

The PR-PIDS log file contains detailed information about ports, processes, related modules, and the user account under which each process runs. The following is an example of the contents of a PR-PIDS log file:

Port Reporter Version 1.0 Log File

Process detail log

System Date: Sat Jan 24 08:49:31 2004


Local computer name:

 <ComputerName>


======================================================

Log entry below recorded at: <Date and Time>

======================================================

Process ID: 664 (iexplore.exe)

User context: MYDOMAIN\user

Process doesn't appear to be a service

PID Port        Local IP    State        Remote IP:Port
664 TCP 4867    0.0.0.0     LISTENING    0.0.0.0:4225
664 TCP 4873    0.0.0.0     LISTENING    0.0.0.0:45070
664 TCP 4867    169.254.66.8    ESTABLISHED  169.254.44.12:80
664 TCP 4873    169.254.66.8    SYN SENT     169.254.44.12:80
664 UDP 4817    127.0.0.1            *:*

Port Statistics

TCP mappings: 4
UDP mappings: 1

TCP ports in a LISTENING state:     2 = 50.00%
TCP ports in a SYN SENT state:      1 = 25.00%
TCP ports in a ESTABLISHED state:   1 = 25.00%

Loaded modules:
D:\Program Files\Internet Explorer\iexplore.exe (0x00400000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\System32\SHDOCVW.dll (0x71700000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\SHELL32.dll (0x773D0000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
D:\WINDOWS\System32\BROWSEUI.dll (0x75F80000)
D:\WINDOWS\System32\browselc.dll (0x72430000)
D:\WINDOWS\system32\appHelp.dll (0x75F40000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\System32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\cscui.dll (0x76620000)
D:\WINDOWS\System32\CSCDLL.dll (0x76600000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (0x10000000)
D:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll (0x5F200000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\shdoclc.dll (0x00DE0000)
D:\WINDOWS\System32\mlang.dll (0x74770000)
D:\WINDOWS\System32\wsock32.dll (0x71AD0000)
D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\RASAPI32.DLL (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\rtutils.dll (0x76E80000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\msi.dll (0x01370000)
D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\mshtml.dll (0x63580000)
D:\WINDOWS\System32\IMM32.DLL (0x76390000)
D:\Program Files\Microsoft Office\Office10\msohev.dll (0x32520000)
D:\WINDOWS\System32\jscript.dll (0x6B700000)
D:\WINDOWS\System32\dxtrans.dll (0x6BDD0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\ddrawex.dll (0x65000000)
D:\WINDOWS\System32\DDRAW.dll (0x51000000)
D:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)
D:\WINDOWS\System32\dxtmsft.dll (0x6BE10000)
D:\WINDOWS\System32\MSLS31.DLL (0x746C0000)
D:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)
D:\WINDOWS\System32\wdmaud.drv (0x72D20000)
D:\WINDOWS\System32\msacm32.drv (0x72D10000)
D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
D:\WINDOWS\System32\midimap.dll (0x77BD0000)
D:\WINDOWS\System32\msxml3.dll (0x72E00000)
D:\WINDOWS\System32\vbscript.dll (0x73300000)
D:\WINDOWS\System32\IMGUTIL.DLL (0x66880000)
D:\WINDOWS\System32\pngfilt.dll (0x5E310000)
D:\WINDOWS\System32\wmp.dll (0x07680000)
D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)
D:\WINDOWS\System32\wmploc.dll (0x08110000)
D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (0x6D440000)
D:\WINDOWS\System32\OLEPRO32.DLL (0x5EDD0000)
D:\Program Files\Java\j2re1.4.2\bin\jpiexp32.dll (0x6D310000)
D:\Program Files\Java\j2re1.4.2\bin\jpishare.dll (0x6D380000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\client\jvm.dll (0x04F20000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\hpi.dll (0x02FE0000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\verify.dll (0x05070000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\java.dll (0x05080000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\zip.dll (0x050A0000)
D:\Program Files\Java\j2re1.4.2\bin\awt.dll (0x083E0000)
D:\Program Files\Java\j2re1.4.2\bin\fontmanager.dll (0x075F0000)
D:\WINDOWS\System32\D3DIM700.DLL (0x5C000000)
D:\Program Files\Java\j2re1.4.2\bin\jpicom32.dll (0x6D2F0000)
D:\Program Files\Java\j2re1.4.2\bin\net.dll (0x07660000)
D:\WINDOWS\System32\wintrust.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\System32\schannel.dll (0x767F0000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
D:\WINDOWS\System32\wmvcore.dll (0x09270000)
D:\WINDOWS\System32\WMASF.DLL (0x09470000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\dispex.dll (0x6CC60000)
D:\WINDOWS\System32\mshtmled.dll (0x74CB0000)
D:\WINDOWS\System32\wmnetmgr.dll (0x09D90000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\netman.dll (0x76DE0000)
D:\WINDOWS\System32\WZCSvc.DLL (0x70B50000)
D:\WINDOWS\System32\WMI.dll (0x76D30000)
D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)
D:\WINDOWS\System32\WTSAPI32.dll (0x76F50000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
D:\WINDOWS\System32\ESENT.dll (0x69710000)
D:\WINDOWS\System32\hnetcfg.dll (0x68880000)
D:\WINDOWS\System32\netshell.dll (0x75CF0000)
D:\WINDOWS\System32\credui.dll (0x76C00000)
D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)
D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)
D:\WINDOWS\System32\quartz.dll (0x35500000)
D:\WINDOWS\System32\msdmo.dll (0x0ADF0000)
D:\WINDOWS\System32\wmadmod.dll (0x0AE00000)
D:\WINDOWS\System32\devenum.dll (0x35680000)
D:\WINDOWS\System32\DSOUND.DLL (0x51080000)
D:\WINDOWS\System32\KsUser.dll (0x5EF80000)

======================================================

Log entry below recorded at: <Date and Time>
======================================================

Process ID: 3764 (msmsgs.exe)

User context: MYDOMAIN\user

Process doesn't appear to be a service

PID Port        Local IP    State        Remote IP:Port
3764    TCP 16521   169.254.66.8    LISTENING    0.0.0.0:45294
3764    UDP 4803    0.0.0.0              *:*
3764    UDP 9586    169.254.66.8             *:*
3764    UDP 55441   169.254.66.8             *:*

Port Statistics

TCP mappings: 1
UDP mappings: 3

TCP ports in a LISTENING state:     1 = 100.00%

Loaded modules:
D:\Program Files\Messenger\msmsgs.exe (0x00400000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.DLL (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\GDI32.DLL (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.DLL (0x77120000)
D:\WINDOWS\system32\MSVCRT.DLL (0x77C10000)
D:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.DLL (0x71950000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\SHELL32.DLL (0x773D0000)
D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
D:\Program Files\Messenger\MSGSLANG.DLL (0x69200000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\System32\wtsapi32.dll (0x76F50000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
D:\WINDOWS\System32\es.dll (0x76B70000)
D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
D:\Program Files\Messenger\rtcimsp.dll (0x00F30000)
D:\WINDOWS\System32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\System32\rtcdll.dll (0x5D370000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\System32\termmgr.dll (0x5B6F0000)
D:\WINDOWS\System32\rtutils.dll (0x76E80000)
D:\WINDOWS\System32\quartz.dll (0x35500000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\dxmrtp.dll (0x6BE70000)
D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)
D:\WINDOWS\System32\DSOUND.dll (0x51080000)
D:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)
D:\WINDOWS\System32\devenum.dll (0x35680000)
D:\WINDOWS\System32\setupapi.dll (0x76670000)
D:\WINDOWS\System32\wdmaud.drv (0x72D20000)
D:\WINDOWS\System32\msacm32.drv (0x72D10000)
D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
D:\WINDOWS\System32\midimap.dll (0x77BD0000)
D:\WINDOWS\System32\msdmo.dll (0x01450000)
D:\WINDOWS\System32\dpnhupnp.dll (0x018A0000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\System32\rasapi32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\hnetcfg.dll (0x68880000)
D:\WINDOWS\System32\netshell.dll (0x75CF0000)
D:\WINDOWS\System32\credui.dll (0x76C00000)
D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)
D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)
D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)
D:\WINDOWS\System32\netcfgx.dll (0x755F0000)
D:\WINDOWS\System32\CLUSAPI.dll (0x55560000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)

======================================================

Log entry below recorded at: <Date and Time>
======================================================

Process ID: 2424 (Virtual PC.exe)

User context: MYDOMAIN\user

Process doesn't appear to be a service

PID Port        Local IP    State        Remote IP:Port
2424    TCP 1262    0.0.0.0     LISTENING    0.0.0.0:2192
2424    TCP 1731    0.0.0.0     LISTENING    0.0.0.0:53467
2424    TCP 2226    0.0.0.0     LISTENING    0.0.0.0:45214
2424    TCP 2229    0.0.0.0     LISTENING    0.0.0.0:2176
2424    TCP 4724    0.0.0.0     LISTENING    0.0.0.0:26634
2424    TCP 4725    0.0.0.0     LISTENING    0.0.0.0:2172
2424    TCP 4726    0.0.0.0     LISTENING    0.0.0.0:39049
2424    TCP 4727    0.0.0.0     LISTENING    0.0.0.0:37118
2424    TCP 4728    0.0.0.0     LISTENING    0.0.0.0:16491
2424    TCP 4729    0.0.0.0     LISTENING    0.0.0.0:20734
2424    TCP 4925    0.0.0.0     LISTENING    0.0.0.0:2064
2424    TCP 4930    0.0.0.0     LISTENING    0.0.0.0:8249
2424    TCP 4931    0.0.0.0     LISTENING    0.0.0.0:61639
2424    TCP 4932    0.0.0.0     LISTENING    0.0.0.0:22535
2424    TCP 2189    127.0.0.1   LISTENING    0.0.0.0:45095
2424    TCP 1262    169.254.66.8    ESTABLISHED  169.254.5.214:1745
2424    TCP 1731    169.254.66.8    ESTABLISHED  169.254.4.228:1745
2424    TCP 2226    169.254.66.8    ESTABLISHED  157.56.120.30:1745
2424    TCP 2229    169.254.66.8    ESTABLISHED  157.56.121.78:1745
2424    TCP 4724    169.254.66.8    ESTABLISHED  169.254.4.38:1745
2424    TCP 4725    169.254.66.8    ESTABLISHED  169.254.5.105:1745
2424    TCP 4726    169.254.66.8    ESTABLISHED  169.254.5.103:1745
2424    TCP 4727    169.254.66.8    ESTABLISHED  169.254.4.240:1745
2424    TCP 4728    169.254.66.8    ESTABLISHED  169.254.7.23:1745
2424    TCP 4729    169.254.66.8    ESTABLISHED  169.254.4.241:1745
2424    TCP 4925    169.254.66.8    ESTABLISHED  169.254.121.89:1745
2424    TCP 4930    169.254.66.8    ESTABLISHED  169.254.113.92:1745
2424    TCP 4931    169.254.66.8    ESTABLISHED  169.254.113.87:1745
2424    TCP 4932    169.254.66.8    ESTABLISHED  169.254.121.93:1745
2424    UDP 2686    0.0.0.0              *:*
2424    UDP 2687    0.0.0.0              *:*

Port Statistics

TCP mappings: 29
UDP mappings: 2

TCP ports in a LISTENING state:     15 = 51.72%
TCP ports in a ESTABLISHED state:   14 = 48.28%

Loaded modules:
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe (0x00400000)

C:\WINDOWS\System32\ntdll.dll (0x77F50000)
C:\WINDOWS\system32\kernel32.dll (0x77E60000)
C:\WINDOWS\System32\DDRAW.dll (0x51000000)
C:\WINDOWS\system32\msvcrt.dll (0x77C10000)
C:\WINDOWS\system32\USER32.dll (0x77D40000)
C:\WINDOWS\system32\GDI32.dll (0x77C70000)
C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
C:\WINDOWS\system32\RPCRT4.dll (0x78000000)
C:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)
C:\WINDOWS\System32\DINPUT.dll (0x72280000)
C:\WINDOWS\System32\WINMM.dll (0x76B40000)
C:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
C:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
C:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
C:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)
C:\WINDOWS\system32\comdlg32.dll (0x763B0000)
C:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll (0x71950000)
C:\WINDOWS\system32\SHELL32.dll (0x773D0000)
C:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)
C:\WINDOWS\system32\ole32.dll (0x771B0000)
C:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
C:\WINDOWS\system32\VERSION.dll (0x77C00000)
C:\WINDOWS\System32\OLEACC.dll (0x74C80000)
C:\WINDOWS\System32\MSVCP60.dll (0x55900000)
C:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
C:\WINDOWS\System32\MSCTF.dll (0x74720000)
C:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
C:\WINDOWS\System32\COMRes.dll (0x77050000)
C:\WINDOWS\System32\msxml4.dll (0x69B10000)
C:\WINDOWS\System32\LINKINFO.dll (0x76980000)
C:\WINDOWS\System32\ntshrui.dll (0x76990000)
C:\WINDOWS\System32\ATL.DLL (0x76B20000)
C:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
C:\WINDOWS\system32\USERENV.dll (0x75A70000)
C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000)
C:\WINDOWS\System32\mswsock.dll (0x71A50000)
C:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
C:\WINDOWS\System32\winrnr.dll (0x76FB0000)
C:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
C:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
C:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
C:\WINDOWS\System32\wdmaud.drv (0x72D20000)
C:\WINDOWS\System32\msacm32.drv (0x72D10000)
C:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
C:\WINDOWS\System32\midimap.dll (0x77BD0000)
C:\WINDOWS\System32\HID.DLL (0x688F0000)
C:\WINDOWS\System32\SETUPAPI.DLL (0x76670000)
C:\Documents and Settings\user\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll (0x10000000)
C:\WINDOWS\System32\mslbui.dll (0x605D0000)
C:\WINDOWS\System32\Secur32.dll (0x76F90000)
C:\WINDOWS\System32\security.dll (0x71F80000)
C:\WINDOWS\system32\msv1_0.dll (0x76D10000)
C:\WINDOWS\system32\appHelp.dll (0x75F40000)
C:\WINDOWS\System32\cscui.dll (0x76620000)
C:\WINDOWS\System32\CSCDLL.dll (0x76600000)
C:\WINDOWS\system32\MPR.dll (0x71B20000)
C:\WINDOWS\System32\ntlanman.dll (0x71C10000)
C:\WINDOWS\System32\NETUI0.dll (0x71CD0000)
C:\WINDOWS\System32\NETUI1.dll (0x71C90000)
C:\WINDOWS\System32\NETRAP.dll (0x71C80000)
C:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
C:\WINDOWS\System32\drprov.dll (0x75F60000)
C:\WINDOWS\System32\davclnt.dll (0x75F70000)

The Port Reporter service watches ports for changes and reports those changes in the log files. The changes may include an increase or a decrease in the number of connections on a port, or a change in the connection state of existing connections. The Port Reporter service reports when new connections to a TCP port are made or when existing connections close. The Port Reporter service also reports when the state of any one of the TCP connections on a port changes. TCP port states include the following:

  • CLOSE_WAIT
  • CLOSED
  • ESTABLISHED
  • FIN_WAIT_1
  • LAST_ACK
  • LISTEN
  • SYN_RECEIVED
  • SYN_SEND
  • TIMED_WAIT

An example of a change in state is a connection that moves from the ESTABLISHED state to the CLOSE_WAIT state. Sometimes, the Port Reporter service may report that the System Idle process (PID 0) uses some TCP ports. This scenario may occur when a program that is installed on the computer connects to a TCP port and then disconnects from the port very quickly. The TCP connection between the program and the port may be left in a "Timed Wait" state although the program is no longer running. In this case, the Port Reporter service may detect that the port is being used, but cannot identify the program that used the port because the program is no longer running. The port can remain in a "Timed Wait" state for up to several minutes after the process that was using the port has exited.

The Port Reporter service also creates a log entry when a program that is installed on the computer starts using a new UDP port. For example, if a program binds to UDP port 69, the Port Reporter service logs this action to the PR-PORTS and PR-PIDS log files. The Port Reporter service does not log UDP datagrams that are sent to UDP ports. The Port Reporter service only logs that the UDP port is bound and is accepting datagrams. Microsoft recommends that you check the system event log and the application event log for events that are logged by the Port Reporter service. The Port Reporter service logs events when the service starts, when the service creates log files, when the service stops, or when the service encounters an error. The source of the events is logged as PortReporter. The event IDs are between 100 and 112.
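The change detection described above, shown as a diff of two snapshots written in the PR-PIDS "PID Port Local IP State Remote IP:Port" layout (added example, not the Port Reporter tool's own logic). It reports new TCP connections, closed connections, state changes such as ESTABLISHED to CLOSE_WAIT, new UDP bindings, and the case where a connection reappears under the System Idle process (PID 0) after its owner exits. Both snapshots and their state spellings are constructed.

```python
"""Diff two PR-PIDS style port tables to reproduce the events the service
logs (added example, not Microsoft's code; snapshots are constructed)."""
from typing import Dict, List, NamedTuple, Optional

# Constructed "before" snapshot: one process, three TCP connections.
SNAPSHOT_BEFORE = """\
PID Port        Local IP    State        Remote IP:Port
664 TCP 4867    169.254.66.8    ESTABLISHED  169.254.44.12:80
664 TCP 4873    169.254.66.8    SYN SENT     169.254.44.12:80
664 TCP 4880    169.254.66.8    ESTABLISHED  169.254.44.12:80
"""

# Constructed "after" snapshot: two state changes, one port now shown under
# PID 0 because its owner exited, one new connection, one new UDP binding.
SNAPSHOT_AFTER = """\
PID Port        Local IP    State        Remote IP:Port
664 TCP 4867    169.254.66.8    CLOSE_WAIT   169.254.44.12:80
664 TCP 4873    169.254.66.8    ESTABLISHED  169.254.44.12:80
0   TCP 4880    169.254.66.8    TIMED_WAIT   169.254.44.12:80
664 TCP 4890    169.254.66.8    ESTABLISHED  169.254.44.12:443
3764    UDP 4803    0.0.0.0              *:*
"""


class Endpoint(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote: str            # "ip:port", or "*:*" for a UDP binding


class Owner(NamedTuple):
    pid: int
    state: Optional[str]   # None for UDP rows, which carry no state


def parse_row(row: str):
    """The state column may contain a space ('SYN SENT') and is absent on
    UDP rows, so take fixed columns from both ends and join the middle."""
    t = row.split()
    state = " ".join(t[4:-1]) or None
    return Endpoint(t[1], t[3], int(t[2]), t[-1]), Owner(int(t[0]), state)


def parse_table(text: str) -> Dict[Endpoint, Owner]:
    table: Dict[Endpoint, Owner] = {}
    for line in text.splitlines():
        if line[:1].isdigit():          # skips the header and blank lines
            ep, owner = parse_row(line)
            table[ep] = owner
    return table


def diff_snapshots(before: str, after: str) -> List[str]:
    """Return one event string per change between the two snapshots."""
    old, new = parse_table(before), parse_table(after)
    events: List[str] = []
    for ep in sorted(set(old) | set(new)):
        was, now = old.get(ep), new.get(ep)
        label = f"{ep.proto} {ep.local_ip}:{ep.local_port}->{ep.remote}"
        if was is None:
            if ep.proto == "UDP":
                events.append(f"UDP port bound: {label} pid={now.pid}")
            else:
                events.append(f"new TCP connection: {label} pid={now.pid} state={now.state}")
        elif now is None:
            events.append(f"closed: {label} pid={was.pid}")
        else:
            if was.state != now.state:
                events.append(f"state change: {label} {was.state} -> {now.state}")
            if was.pid != now.pid:
                events.append(f"owner change: {label} pid {was.pid} -> {now.pid}")
        if now is not None and now.pid == 0:
            # The article's System Idle case: the program already exited and
            # only the lingering Timed Wait socket is left to attribute.
            events.append(f"note: {label} held by System Idle (pid 0); owner has exited")
    return events


if __name__ == "__main__":
    for event in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(event)
```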

Because Windows 2000 systems do not support port-to-process mapping, the PR-PIDS log file will contain the following line:

Port to process mappings are not available on this system.

MORE INFORMATION

To view a WebCast about Port Reporter, click the following Microsoft Knowledge Base article number:

840832 Support WebCast: Port Reporter


REFERENCES

PortQry version 2.0 is a related tool. This tool permits you to track activity on a single port or on all ports that are used by a specified process. For additional information about PortQry version 2.0, click the following article number to view the article in the Microsoft Knowledge Base:

832919 New features and functionality in PortQry version 2.0


Important The PortQueryUI tool provides a graphical user interface and is available for download. PortQueryUI has several features that can make using PortQry easier. To obtain the PortQueryUI tool, visit the following Microsoft Web site:

Important The Port Reporter Parser tool is a log parser for Port Reporter log files and is now available for download. Port Reporter Parser has many advanced features that can help analyze Port Reporter log files. To obtain the Port Reporter Parser tool, visit the following Microsoft Web site:



Additional query words: security ports tcp/ip logging TIME_WAIT PR-Parser, Port Reporter Parser, Incident Response, IR, hacking, malware

Keywords: kbhowtomaster KB837243