
Open Ports in Windows XP:
Inside your computer
I wage a constant battle to know everything that is going on in my computer. Much of this stems from the constant barrage of security holes that Microsoft calls "features" that are enabled by default in Windows XP. Yes, I'm paranoid. :-) This page aims to be a quick-and-easy reference for what ports are open on a reasonably standard installation of Windows XP, and what they are used for.
Open ports
To see a list of open ports on Windows XP you can install one of many firewall applications, or you can go to a command prompt and enter:
netstat -ano
To find the program that is using the port, look at the PID number, then use the task manager to match the PID with a running process. To get a more detailed list that includes the EXE file and DLL file names (this takes a bit longer) try this:
netstat -anobv
| Port | Description |
|---|---|
| 123 | Network Time Protocol used by the Windows Time Service |
| 135 | RPC (Remote Procedure Call) and DCOM (Distributed Component Object Model). |
| 137, 138, 139 | File and printer sharing and network name resolution using NetBIOS over TCP. Windows 2000 and XP use 445 for the file and printer sharing portion, but it is not accessible to Windows NT/'9x systems. |
| 445 | File and printer sharing for Windows 2000 and above. (SMB over TCP) |
| 500 | This is IKE (Internet Key Exchange), which is part of the IPsec protocol. |
| Anything >1023 | Ports above 1023 are available to applications in general. Any service that uses RPC will be given a port above 1023. The port number can vary based on what services are available and what order they start in. Examples include: |
| 3372 | Microsoft Distributed Transaction Coordinator (MSDTC). This also uses another variable port above 1023. |
| 1900 | Universal Plug and Play (UPnP) |
| 5000 | Simple Service Discovery Protocol (SSDP). The companion to UPnP. |
| 3389 | The Remote Desktop service that allows you to control your PC remotely. |
You will notice that most ports are held by one of the many instances of svchost.exe. Most Windows services are not full executables, merely DLLs. These DLLs must be loaded by a host executable like SVCHOST. This saves system resources at the expense of security. To determine which services are running under a specific instance of SVCHOST, open a command prompt and enter:
tasklist /svc
Svchost usually runs as one of three special users: SYSTEM, LOCAL SERVICE, or NETWORK SERVICE. Unfortunately, even the system administrator does not have sufficient rights to kill SVCHOST when it runs as one of these three users.
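The PID matching described above can be done in one pass over saved output of the two commands. This is an added example, not part of the original page: the sample output is constructed, and the function names `services_by_pid` and `open_ports` are this example's own. It also marks each port as bound to loopback only or reachable from the network.

```python
import re
# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    908
  TCP    127.0.0.1:1027     0.0.0.0:0          LISTENING    1180
  TCP    192.168.1.10:1045  203.0.113.5:80     ESTABLISHED  2040
  UDP    192.168.1.10:123   *:*                             1024
"""
# Constructed sample of `tasklist /svc` output; long service lists wrap.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ======================
svchost.exe                  908 RpcSs
svchost.exe                 1024 AudioSrv, Dnscache,
                                 W32Time
svchost.exe                 1180 SSDPSRV
"""

def services_by_pid(text):
    """Map PID -> (image name, [service names]), joining wrapped rows."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last, rest = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif last is not None and line[:1].isspace():
            rest = line  # continuation of the previous row's service list
        else:
            continue  # header, separator or blank line
        names = map(str.strip, rest.split(","))
        procs[last][1].extend(n for n in names if n and n != "N/A")
    return procs

def open_ports(netstat_text, tasklist_text):
    """Return sorted (port, proto, scope, pid, image, services) per open port."""
    procs, rows = services_by_pid(tasklist_text), []
    for f in (line.split() for line in netstat_text.splitlines()):
        tcp = len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"
        udp = len(f) == 4 and f[0] == "UDP"  # UDP rows have no State column
        if tcp or udp:
            addr, port = f[1].rsplit(":", 1)
            scope = "loopback" if addr.startswith("127.") else "network"
            image, svcs = procs.get(int(f[-1]), ("<unknown>", []))
            rows.append((int(port), f[0], scope, int(f[-1]), image, svcs))
    return sorted(rows)

if __name__ == "__main__":
    for row in open_ports(NETSTAT, TASKLIST):
        print(*row)
```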
Unstoppable services
Some services such as RPC are unstoppable. They ignore the stop command, and the service control manager will refuse to even let you try. Some of these services cannot even be disabled. I cannot imagine why any service should get such privileges. For example, why is the Audio Server unstoppable? Oh no! No audio!





