How do I determine which process has TCP ports or UDP ports open?

A. To display which process ID is using a certain TCP port or UDP port, you can start by using the Netstat command with the n (display in numeric form), o (display the owning process ID--this works on Windows XP only), and a (display all connections and listening ports) switches as follows:

  netstat -noa  

For example, the command

  C:>netstat -noa  

might produce output like the following:

   Active Connections    Proto Local Address Foreign Address State PID   TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 888   TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4   TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 988   TCP 0.0.0.0:1076 0.0.0.0:0 LISTENING 4   TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1144   TCP 127.0.0.1:1063 0.0.0.0:0 LISTENING 1380   TCP 127.0.0.1:1064 0.0.0.0:0 LISTENING 500   TCP 127.0.0.1:1065 0.0.0.0:0 LISTENING 500   TCP 127.0.0.1:1199 0.0.0.0:0 LISTENING 356   TCP 200.200.200.206:139 0.0.0.0:0 LISTENING 4   TCP 200.200.200.206:1150 0.0.0.0:0 LISTENING 4   TCP 200.200.200.206:1150 200.200.200.1:139 ESTABLISHED 4   TCP 200.200.200.206:1152 0.0.0.0:0 LISTENING 4   TCP 200.200.200.206:1152 200.200.200.200:139 ESTABLISHED 4   UDP 0.0.0.0:135 *:* 888   UDP 0.0.0.0:445 *:* 4   UDP 0.0.0.0:500 *:* 712   UDP 0.0.0.0:1026 *:* 1124   UDP 0.0.0.0:1027 *:* 1124   UDP 0.0.0.0:1028 *:* 712

After you have this information, you can use the Tasklist command to match a particular process ID to a task name. To search for a specific process ID, use the following format:

  C:> tasklist | findstr 

A sample command and output might look like

  C:> tasklist | findstr 712    lsass.exe 712 Console 0 1,792 K  

The sample output indicates that the task lsass.exe is using process ID 712. If you're using Windows 2000, you can accomplish the same task by using Tlist instead of Tasklist. (See also, "TCP vs. UDP Ports").