INTRODUCTION
This article contains information about how to obtain,
install, and configure the Port Reporter tool. The Port Reporter tool is a tool
that you can use to log TCP/IP port data on computers that are running
Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows
2000.
back to the topOverview
The Port Reporter tool logs TCP and UDP port activity. The tool is
a small program that runs as a service on a computer that is running Windows
Server 2003, Windows XP, or Windows 2000.
On Windows Server 2003 and
on Windows XP-based computers, the service can log the following information:
- The ports that are used
- The processes that use the port
- Whether a process is a service
- The modules that a process loaded
- The user accounts that run a process
On Windows 2000-based computers, the service logs the ports
that are used and when the ports are used.
You can use the
information that is logged by the Port Reporter tool to help you track port
usage and troubleshoot certain issues. The information that is logged by the
Port Reporter tool may also be helpful for security purposes.
back to the topObtain the Port Reporter tool
The
Port Reporter tool is available from this link on the Microsoft Download
Center:
Important The Port Reporter Parser tool is a log parser
for Port Reporter log files. This tool is now available for download. Port
Reporter Parser has many features that can help you analyze Port Reporter log
files. You can download the Port Reporter Parser tool from the following
Microsoft web site:
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exeback to the topInstall the Port Reporter service
When you run the Setup program (Pr-Setup.exe) to install Port
Reporter, the Setup program performs the following operations:
- Adds the following registry subkey to the Windows registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PortReporter
The Port Reporter service requires this registry key to log
entries to the application event log on the computer. - Installs the Port Reporter service.
The Setup
program creates a service object for the Port Reporter tool and then adds the
object to the Service Control Manager database.
back to the topInstall the Port Reporter service to the default location
By default, the Port Reporter service is installed to the
following folder on the hard disk:
drive:\Program Files\PortReporter
To install the Port Reporter service to the default location:
- Log on to the computer as a member of the local
administrators group.
- Quit all programs that are running on the computer,
including the Services tool and Event Viewer in Administrative
Tools.
- Double-click Pr-Setup.exe to run the Setup
program.
- When you are prompted to install the Port Reporter tool to
the Program Files folder, press Y.
After you press Y, the Setup
program creates a subfolder named PortReporter in the Program Files folder.
Portreporter.exe is copied to the subfolder and is registered as a service in
Service Control Manager.
back to the topInstall the Port Reporter service to a different location than the default location
To install the Port Reporter service to a different location than
the default location:
- Log on to the computer as a member of the local
administrators group.
- Quit all programs that are running on the computer,
including the Services tool and Event Viewer in Administrative
Tools.
- Copy the Pr-setup.exe file and the Portreporter.exe file to
the folder where you want to install the Port Reporter tool to.
Note You have to run the Setup program from a fixed, local drive. You
cannot run the Setup program from a network drive or from a CD-ROM drive.
- At the command prompt, type the following line, and then
press ENTER, where PathOfFolder is the drive and
path of the folder that contains the Pr-setup.exe file and the Portreporter.exe
file:
pr-setup.exe -d 'PathOfFolder'
For example, to install the tool to the D:\Tools\Port Reporter
folder, type pr-setup.exe -d 'd:\tools\port reporter\'
You receive output that is similar to the following in the Command
Prompt window: C:\temp>pr-setup.exe -d 'PathOfFolder'
Installing Port Reporter service: PathOfFolder
Creating service...completed successfully
Creating registry key and values...completed successfully
Setup has successfully installed the Port Reporter service
The service is currently stopped and set to manual startup type
Please use the services applet in the control panel to configure
and start the Port Reporter service
press any key to exit setup
- Press any key to exit the Setup program.
back to the topConfigure and start the Port Reporter service
To verify that the Port Reporter service installed successfully
and to start the service, follow these steps:
- Click Start, right-click My
Computer, and then click Manage.
- Expand Services and Applications, and then
expand Services.
- In the right pane, verify that the Port Reporter service is
listed.
- To start the service, double-click the service name, and
then click to select the Start button. Click
OK.
The Port Reporter service will create a log
entry in the application log that indicates that it is started.
By default, the startup type for the Port Reporter service is
set to use the
Manual setting. If you want the service to
start automatically when Windows starts, set the startup type to use the
Automatic setting.
By default, the Port Reporter
service uses the Local System account to log on to the computer. By using the
Local System account, the Port Reporter service can gather details about
processes that the administrator account or other user accounts do not have
access to. Because of this, Microsoft recommends that you do not modify this
setting.
Note Because this service runs in the context of the Local System
account, Microsoft recommends that you secure the folder where Port Reporter is
installed. Whether you install Port Reporter in its default location
(%SystemDrive%\Program Files\PortReporter) or in a custom location, you must
take these steps:
- Install Port Reporter only on an NTFS file system
partition
- Adjust the Access Control List (ACLs) on the installation
folder so that only the local Administrators group has access to the folder. To
do this, follow these steps:
- Start Windows Explorer, and then find the installation
folder. By default, it is %SystemDrive%\Program Files\PortReporter.
- Right-click on the folder, and then click
Properties.
- In the folder property dialog box, click the
Security tab, and then inspect the group and user names that
have access to the folder. Only the local Administrators group and the System
account should have access to this folder
- Select any other groups and users that are listed, and
then click Remove. When the list contains only the local
Administrators group and the System account, click Apply, and
then click OK.
Location of log files
By default, the Port Reporter tool tries to create the log files
in the following folder:
%systemroot%\System32\LogFiles\PortReporter
If this folder does not already exist, the folder is created for
you. You can configure the location of the log files by using the start
parameter that is specified on the
General tab of the
Port Reporter service dialog box. To specify the log file
folder, use the
-ld command-line option followed by the name of the folder that you
want to use. Make sure that you enclose the name of the folder in single quotes
('). For example, if you specify the following start parameter, the Port
Reporter service creates log files in the C:\Program Files\Port Reporter folder
when the Port Reporter service starts:
-ld 'c:\program files\port reporter'
Size of log files
By default, the Port Reporter service continues to write to the
log files until the log files reach 5 megabytes (MB). After the log files reach
5 MB, a new log file is created. To configure the size of log files, use the
-ls command-line option. You can specify a size between 1000
kilobytes (KB) and 102400 KB. For example, if you specify the following start
parameter, the Port Reporter service creates a new log file every time the log
files reach 7000 KB:
After you configure the Port Reporter service with the start
parameters that you want, start the service. When the Port Reporter service
starts, the following two events are logged to the application event
log:
Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter
service was started. Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service successfully created log files in the following
directory:
PathOfLogFilesback to the topRemove the Port Reporter service
To remove the Port Reporter service, type the following line at
the command prompt, and then press ENTER:
You receive output that is similar to the following in the Command
Prompt window:
Uninstalling Port Reporter service...
Deleting service...
Stopping service...completed successfully
Removing service...completed successfully
Deleting service...completed successfully
Deleting registry key and values...completed successfully
Setup successfully uninstalled the Port Reporter Service
The installation directory has been left intact
press any key to exit setup
When you remove the Port Reporter service, the Setup
program performs the following operations:
- Unregisters the Port Reporter service from the Service
Control Manager database.
- Deletes the registry entries that were created when you
installed the Port Reporter service.
When you remove the Port Reporter service, the Setup program
does not remove the folder that contains the Pr-setup.exe file and the
PortReporter.exe file, nor does the Setup program remove any log files that
were created by the service.
back to
the topInterpret Port Reporter log files
The Port Reporter service creates the log files under the
following circumstances:
- Every time the Port Reporter service starts
- At midnight each day.
- When the log file reaches 5 MB or when the log file reaches
the custom size that you specified in the start parameter.
When the Port Reporter service starts, the following log files
are created:
- PR-INITIAL-*.log
- PR-PORTS-*.log
- PR-PIDS-*.log
The name of each log file uses the date and the time (in 24-hour
format) when the file was created. The format of the date and time stamp is
year-month-day-hour-minute-second. For example, the following three files were
created January 24, 2004, at 8:49:30 A.M.:
- PR-INITIAL-04-01-24-8-49-30.log
- PR-PORTS-04-01-24-8-49-30.log
- PR-PIDS-04-01-24-8-49-30.log
back to the topThe PR-INITIAL log file
The PR-INITIAL log file contains data that the Port Reporter
service collects about the ports, processes, and modules that run on the
computer when the Port Reporter service is started. The user context that each
process is running under is also logged. The following is an example of the
contents of a PR-INITIAL log file on a Windows XP-based computer that was
created when the Port Reporter service started:
Port Reporter Version 1.0 Log File
Service initialization log
System Date: <Date and Time>
Local computer name:
<ComputerName>
TCP/UDP Port to Process Mappings at service start-up
36 mappings found
PID:Process Port Local IP State Remote IP:Port
0:System Idle TCP 4857 169.254.66.8 TIME WAIT 169.254.44.123:80
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0:6246
4:System TCP 1026 0.0.0.0 LISTENING 0.0.0.0:28726
4:System TCP 139 169.254.66.8 LISTENING 0.0.0.0:34925
4:System UDP 445 0.0.0.0 *:*
4:System UDP 137 169.254.66.8 *:*
4:System UDP 138 169.254.66.8 *:*
664:iexplore.exe TCP 4867 0.0.0.0 LISTENING 0.0.0.0:4225
664:iexplore.exe TCP 4870 0.0.0.0 LISTENING 0.0.0.0:45070
664:iexplore.exe TCP 4871 0.0.0.0 LISTENING 0.0.0.0:18494
664:iexplore.exe TCP 4872 0.0.0.0 LISTENING 0.0.0.0:6182
664:iexplore.exe TCP 4867 169.254.66.8 ESTABLISHED 169.254.44.123:80
664:iexplore.exe TCP 4870 169.254.66.8 ESTABLISHED 207.68.177.62:80
664:iexplore.exe TCP 4871 169.254.66.8 ESTABLISHED 207.46.248.110:80
664:iexplore.exe TCP 4872 169.254.66.8 ESTABLISHED 207.46.248.110:80
664:iexplore.exe UDP 4817 127.0.0.1 *:*
748:lsass.exe UDP 500 0.0.0.0 *:*
952:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0:2096
1092:svchost.exe TCP 1025 0.0.0.0 LISTENING 0.0.0.0:2064
1092:svchost.exe TCP 3002 127.0.0.1 LISTENING 0.0.0.0:49193
1092:svchost.exe TCP 3003 127.0.0.1 LISTENING 0.0.0.0:39078
1092:svchost.exe UDP 123 169.254.66.8 *:*
1092:svchost.exe UDP 123 127.0.0.1 *:*
1192:svchost.exe UDP 3009 0.0.0.0 *:*
1192:svchost.exe UDP 3015 0.0.0.0 *:*
1192:svchost.exe UDP 3016 0.0.0.0 *:*
1228:svchost.exe TCP 5000 0.0.0.0 LISTENING 0.0.0.0:45223
1228:svchost.exe UDP 1900 169.254.66.8 *:*
1228:svchost.exe UDP 1900 127.0.0.1 *:*
1536:alg.exe TCP 3001 127.0.0.1 LISTENING 0.0.0.0:2064
1568:InoRpc.exe TCP 42510 0.0.0.0 LISTENING 0.0.0.0:14373
1568:InoRpc.exe UDP 43508 169.254.66.8 *:*
3764:msmsgs.exe TCP 16521 169.254.66.8 LISTENING 0.0.0.0:45294
3764:msmsgs.exe UDP 4803 0.0.0.0 *:*
3764:msmsgs.exe UDP 9160 169.254.66.8 *:*
3764:msmsgs.exe UDP 9586 169.254.66.8 *:*
=======================
======================================================
Process ID: 4 (System)
System Process
PID Port Local IP State Remote IP:Port
4 TCP 445 0.0.0.0 LISTENING 0.0.0.0:6246
4 TCP 1026 0.0.0.0 LISTENING 0.0.0.0:28726
4 TCP 139 169.254.66.8 LISTENING 0.0.0.0:34925
4 UDP 445 0.0.0.0 *:*
4 UDP 137 169.254.66.8 *:*
4 UDP 138 169.254.66.8 *:*
Port Statistics
TCP mappings: 3
UDP mappings: 3
TCP ports in a LISTENING state: 3 = 100.00%
Could not access module information for this process
======================================================
Process ID: 748 (lsass.exe)
User context: NT AUTHORITY\SYSTEM
Service Name: PolicyAgent
Display Name: IPSEC Services
Service Type: shares a process with other services
Service Name: ProtectedStorage
Display Name: Protected Storage
Service Name: SamSs
Display Name: Security Accounts Manager
Service Type: shares a process with other services
PID Port Local IP State Remote IP:Port
748 UDP 500 0.0.0.0 *:*
Port Statistics
TCP mappings: 0
UDP mappings: 1
Loaded modules:
D:\WINDOWS\system32\lsass.exe (0x01000000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\LSASRV.dll (0x74520000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\SAMSRV.dll (0x74440000)
D:\WINDOWS\system32\cryptdll.dll (0x76790000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\msprivs.dll (0x743B0000)
D:\WINDOWS\system32\kerberos.dll (0x71CF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\netlogon.dll (0x744B0000)
D:\WINDOWS\system32\w32time.dll (0x767C0000)
D:\WINDOWS\system32\MSVCP60.dll (0x55900000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\system32\schannel.dll (0x767F0000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\system32\setupapi.dll (0x76670000)
D:\WINDOWS\system32\scecli.dll (0x74410000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ipsecsvc.dll (0x743E0000)
D:\WINDOWS\system32\oakley.DLL (0x745D0000)
D:\WINDOWS\system32\WINIPSEC.DLL (0x74370000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\pstorsvc.dll (0x743A0000)
D:\WINDOWS\system32\psbase.dll (0x743C0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
======================================================
Process ID: 952 (svchost.exe)
User context: NT AUTHORITY\SYSTEM
Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Service Type: shares a process with other services
PID Port Local IP State Remote IP:Port
952 TCP 135 0.0.0.0 LISTENING 0.0.0.0:2096
Port Statistics
TCP mappings: 1
UDP mappings: 0
TCP ports in a LISTENING state: 1 = 100.00%
Loaded modules:
D:\WINDOWS\system32\svchost.exe (0x01000000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
d:\windows\system32\rpcss.dll (0x75850000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\userenv.dll (0x75A70000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
======================================================
Process ID: 1092 (svchost.exe)
User context: NT AUTHORITY\SYSTEM
Service Name: AudioSrv
Display Name: Windows Audio
Service Type: shares a process with other services
Service Name: BITS
Display Name: Background Intelligent Transfer Service
Service Type: shares a process with other services
Service Name: CryptSvc
Display Name: Cryptographic Services
Service Type: shares a process with other services
Service Name: Dhcp
Display Name: DHCP Client
Service Type: shares a process with other services
Service Name: dmserver
Display Name: Logical Disk Manager
Service Type: shares a process with other services
Service Name: ERSvc
Display Name: Error Reporting Service
Service Type: shares a process with other services
Service Name: EventSystem
Display Name: COM+ Event System
Service Type: shares a process with other services
Service Name: helpsvc
Display Name: Help and Support
Service Type: shares a process with other services
Service Name: lanmanserver
Display Name: Server
Service Type: shares a process with other services
Service Name: lanmanworkstation
Display Name: Workstation
Service Type: shares a process with other services
Service Name: Messenger
Display Name: Messenger
Service Type: shares a process with other services
Service Name: Netman
Display Name: Network Connections
Service Name: Nla
Display Name: Network Location Awareness (NLA)
Service Type: shares a process with other services
Service Name: RasMan
Display Name: Remote Access Connection Manager
Service Type: shares a process with other services
Service Name: Schedule
Display Name: Task Scheduler
Service Name: seclogon
Display Name: Secondary Logon
Service Name: SENS
Display Name: System Event Notification
Service Type: shares a process with other services
Service Name: SharedAccess
Display Name: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Service Type: shares a process with other services
Service Name: ShellHWDetection
Display Name: Shell Hardware Detection
Service Type: shares a process with other services
Service Name: srservice
Display Name: System Restore Service
Service Type: shares a process with other services
Service Name: TapiSrv
Display Name: Telephony
Service Type: shares a process with other services
Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services
Service Name: Themes
Display Name: Themes
Service Type: shares a process with other services
Service Name: TrkWks
Display Name: Distributed Link Tracking Client
Service Type: shares a process with other services
Service Name: W32Time
Display Name: Windows Time
Service Type: shares a process with other services
Service Name: winmgmt
Display Name: Windows Management Instrumentation
Service Type: shares a process with other services
Service Name: wuauserv
Display Name: Automatic Updates
Service Type: shares a process with other services
Service Name: WZCSVC
Display Name: Wireless Zero Configuration
Service Type: shares a process with other services
PID Port Local IP State Remote IP:Port
1092 TCP 1025 0.0.0.0 LISTENING 0.0.0.0:2064
1092 TCP 3002 127.0.0.1 LISTENING 0.0.0.0:49193
1092 TCP 3003 127.0.0.1 LISTENING 0.0.0.0:39078
1092 UDP 123 169.254.66.8 *:*
1092 UDP 123 127.0.0.1 *:*
Port Statistics
TCP mappings: 3
UDP mappings: 2
TCP ports in a LISTENING state: 3 = 100.00%
Loaded modules:
D:\WINDOWS\System32\svchost.exe (0x01000000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
d:\windows\system32\shsvcs.dll (0x76BD0000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
d:\windows\system32\dhcpcsvc.dll (0x76D80000)
d:\windows\system32\DNSAPI.dll (0x76F20000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
d:\windows\system32\iphlpapi.dll (0x76D60000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\UxTheme.dll (0x5AD70000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
d:\windows\system32\wzcsvc.dll (0x70B50000)
d:\windows\system32\rtutils.dll (0x76E80000)
d:\windows\system32\WMI.dll (0x76D30000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
d:\windows\system32\WTSAPI32.dll (0x76F50000)
d:\windows\system32\ESENT.dll (0x69710000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
d:\windows\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\rastls.dll (0x555A0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\CRYPTUI.dll (0x754D0000)
D:\WINDOWS\System32\WINTRUST.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\WINDOWS\System32\RASAPI32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\SCHANNEL.dll (0x767F0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\WinSCard.dll (0x723D0000)
D:\WINDOWS\System32\raschap.dll (0x70AF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
d:\windows\system32\schedsvc.dll (0x751D0000)
d:\windows\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\System32\MSIDLE.DLL (0x74F50000)
D:\WINDOWS\System32\NTMARTA.DLL (0x76CE0000)
d:\windows\system32\audiosrv.dll (0x708B0000)
d:\windows\system32\wkssvc.dll (0x75170000)
d:\windows\system32\cryptsvc.dll (0x74FA0000)
d:\windows\system32\certcli.dll (0x75350000)
d:\windows\pchealth\helpctr\binaries\pchsvc.dll (0x74F40000)
d:\windows\system32\es.dll (0x76B70000)
d:\windows\system32\ersvc.dll (0x74F80000)
d:\windows\system32\dmserver.dll (0x74F90000)
d:\windows\system32\srvsvc.dll (0x75090000)
d:\windows\system32\msgsvc.dll (0x74F60000)
d:\windows\system32\netman.dll (0x76DE0000)
d:\windows\system32\seclogon.dll (0x73D20000)
d:\windows\system32\sens.dll (0x722D0000)
d:\windows\system32\srsvc.dll (0x751A0000)
d:\windows\system32\POWRPROF.dll (0x74AD0000)
d:\windows\system32\tapisrv.dll (0x733E0000)
d:\windows\system32\PSAPI.DLL (0x76BF0000)
d:\windows\system32\trkwks.dll (0x75070000)
d:\windows\system32\w32time.dll (0x767C0000)
d:\windows\system32\MSVCP60.dll (0x55900000)
d:\windows\system32\wbem\wmisvc.dll (0x597A0000)
d:\windows\system32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\VSSAPI.DLL (0x753E0000)
d:\windows\system32\wuauserv.dll (0x74EC0000)
D:\WINDOWS\System32\wuaueng.dll (0x01B20000)
D:\WINDOWS\System32\ADVPACK.dll (0x75260000)
D:\WINDOWS\System32\sfc.dll (0x76BB0000)
D:\WINDOWS\System32\sfc_os.dll (0x76C60000)
d:\windows\system32\rasmans.dll (0x72480000)
d:\windows\system32\WINIPSEC.DLL (0x74370000)
d:\windows\system32\netcfgx.dll (0x755F0000)
d:\windows\system32\CLUSAPI.dll (0x55560000)
d:\windows\system32\browser.dll (0x74FE0000)
D:\WINDOWS\System32\winspool.drv (0x73000000)
D:\WINDOWS\System32\rastapi.dll (0x72060000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\comsvcs.dll (0x75730000)
D:\WINDOWS\system32\MTXCLU.DLL (0x750F0000)
D:\WINDOWS\system32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\system32\colbact.DLL (0x75130000)
D:\WINDOWS\System32\RESUTILS.DLL (0x750B0000)
D:\WINDOWS\System32\mtxoci.dll (0x750D0000)
D:\WINDOWS\System32\unimdm.tsp (0x57CC0000)
D:\WINDOWS\System32\uniplat.dll (0x72000000)
D:\WINDOWS\System32\kmddsp.tsp (0x57D40000)
D:\WINDOWS\System32\ndptsp.tsp (0x57D20000)
D:\WINDOWS\System32\ipconf.tsp (0x57D50000)
D:\WINDOWS\System32\h323.tsp (0x57D70000)
D:\WINDOWS\System32\hidphone.tsp (0x57D60000)
D:\WINDOWS\System32\HID.DLL (0x688F0000)
D:\WINDOWS\System32\rasppp.dll (0x72240000)
D:\WINDOWS\System32\ntlsapi.dll (0x724B0000)
d:\windows\system32\ipnathlp.dll (0x66460000)
d:\windows\system32\netshell.dll (0x75CF0000)
d:\windows\system32\credui.dll (0x76C00000)
d:\windows\system32\HNetCfg.dll (0x68880000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\Wbem\wbemcore.dll (0x75450000)
D:\WINDOWS\System32\Wbem\esscli.dll (0x75310000)
D:\WINDOWS\System32\Wbem\FastProx.dll (0x75690000)
D:\WINDOWS\System32\wbem\wmiutils.dll (0x75020000)
D:\WINDOWS\System32\wbem\repdrvfs.dll (0x75200000)
D:\WINDOWS\System32\wbem\wmiprvsd.dll (0x597F0000)
D:\WINDOWS\System32\NCObjAPI.DLL (0x5F770000)
D:\WINDOWS\System32\wbem\wbemess.dll (0x75390000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
d:\windows\system32\termsrv.dll (0x752D0000)
d:\windows\system32\ICAAPI.dll (0x74F70000)
d:\windows\system32\AUTHZ.dll (0x76CC0000)
d:\windows\system32\mstlsapi.dll (0x75110000)
D:\WINDOWS\System32\REGAPI.dll (0x76BC0000)
D:\WINDOWS\System32\wbem\ncprov.dll (0x5F740000)
D:\WINDOWS\System32\catsrvut.dll (0x6FB10000)
D:\WINDOWS\System32\MfcSubs.dll (0x61990000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\System32\msi.dll (0x76400000)
D:\WINDOWS\System32\Cabinet.dll (0x75150000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\catsrv.dll (0x6FBD0000)
D:\WINDOWS\System32\upnp.dll (0x555F0000)
D:\WINDOWS\System32\SSDPAPI.dll (0x74F00000)
D:\WINDOWS\System32\RASDLG.dll (0x75550000)
d:\windows\system32\qmgr.dll (0x5DDD0000)
d:\windows\system32\SHFOLDER.dll (0x76780000)
D:\WINDOWS\System32\qmgrprxy.dll (0x5DDC0000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\wbem\wbemcons.dll (0x73D30000)
Because Windows 2000 systems do not support port-to-process mapping, the PR-INITIAL log file will contain the following line:
Port to process mappings are not available on this system.
back to the
topThe PR-PORTS log file
The PR-PORTS log file contains summary data about TCP and UDP port
activity on the computer. The data is listed by using a comma-separated value
(csv) format as follows:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
On Windows 2000-based computers that do not support
port-to-process mapping, the Port Reporter service lists the data by using the
following format:
date,time,protocol,local port,local IP address,remote port,remote IP address
The following is an example of the contents of a PR-PORTS log
file:
Port Reporter Version 1.0 Log File - Port usage log
Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data
Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,0.0.0.0,4225,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,169.254.66.8,80,216.74.132.12,664,iexplore.exe,<MYDOMAIN\user>
4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,21:51:2,TCP,2684,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:15,UDP,2687,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:43,UDP,2688,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,TCP,2691,169.254.66.8,80,169.254.133.55,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:37,TCP,2693,0.0.0.0,2160,0.0.0.0,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:05:2,UDP,2697,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,22:06:2,TCP,2698,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:06:46,UDP,2700,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2701,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2702,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
You may see entries in the PR-PORTS log file that
look similar to the following:
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
In this case, the user context is missing. These entries mean
that the Port Reporter service cannot determine the user account that the
process is associated with. This expected output is generated for the System
process and for the System Idle process. When you review the contents of the
PR-PORTS log file for ports or for processes, note the date and time stamp of
entries that you want to investigate more. You can find additional details
about an entry in the PR-PORTS log file when you locate its corresponding entry
in the PR-PIDS log file. To do so, follow these steps:
- Start Notepad, and then open the PR-PIDS log
file.
- On the Edit menu, click
Find.
- In the Find what box, type the date and
time stamp of the entry in the PR-PORTS log file that you want to find more
information about, and then click Find Next.
back to the topThe PR-PIDS log file
The PR-PIDS log file contains detailed information about ports,
processes, related modules, and the user account the process uses to run. The
following is an example of the contents of a PR-PIDS log file:
Port Reporter Version 1.0 Log File
Process detail log
System Date: Sat Jan 24 08:49:31 2004
Local computer name:
<ComputerName>
======================================================
Log entry below recorded at: <Date and Time>
======================================================
Process ID: 664 (iexplore.exe)
User context: MYDOMAIN\user
Process doesn't appear to be a service
PID Port Local IP State Remote IP:Port
664 TCP 4867 0.0.0.0 LISTENING 0.0.0.0:4225
664 TCP 4873 0.0.0.0 LISTENING 0.0.0.0:45070
664 TCP 4867 169.254.66.8 ESTABLISHED 169.254.44.12:80
664 TCP 4873 169.254.66.8 SYN SENT 169.254.44.12:80
664 UDP 4817 127.0.0.1 *:*
Port Statistics
TCP mappings: 4
UDP mappings: 1
TCP ports in a LISTENING state: 2 = 50.00%
TCP ports in a SYN SENT state: 1 = 25.00%
TCP ports in a ESTABLISHED state: 1 = 25.00%
Loaded modules:
D:\Program Files\Internet Explorer\iexplore.exe (0x00400000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\System32\SHDOCVW.dll (0x71700000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\SHELL32.dll (0x773D0000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
D:\WINDOWS\System32\BROWSEUI.dll (0x75F80000)
D:\WINDOWS\System32\browselc.dll (0x72430000)
D:\WINDOWS\system32\appHelp.dll (0x75F40000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\System32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\cscui.dll (0x76620000)
D:\WINDOWS\System32\CSCDLL.dll (0x76600000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (0x10000000)
D:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll (0x5F200000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\shdoclc.dll (0x00DE0000)
D:\WINDOWS\System32\mlang.dll (0x74770000)
D:\WINDOWS\System32\wsock32.dll (0x71AD0000)
D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\RASAPI32.DLL (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\rtutils.dll (0x76E80000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\msi.dll (0x01370000)
D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\mshtml.dll (0x63580000)
D:\WINDOWS\System32\IMM32.DLL (0x76390000)
D:\Program Files\Microsoft Office\Office10\msohev.dll (0x32520000)
D:\WINDOWS\System32\jscript.dll (0x6B700000)
D:\WINDOWS\System32\dxtrans.dll (0x6BDD0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\ddrawex.dll (0x65000000)
D:\WINDOWS\System32\DDRAW.dll (0x51000000)
D:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)
D:\WINDOWS\System32\dxtmsft.dll (0x6BE10000)
D:\WINDOWS\System32\MSLS31.DLL (0x746C0000)
D:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)
D:\WINDOWS\System32\wdmaud.drv (0x72D20000)
D:\WINDOWS\System32\msacm32.drv (0x72D10000)
D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
D:\WINDOWS\System32\midimap.dll (0x77BD0000)
D:\WINDOWS\System32\msxml3.dll (0x72E00000)
D:\WINDOWS\System32\vbscript.dll (0x73300000)
D:\WINDOWS\System32\IMGUTIL.DLL (0x66880000)
D:\WINDOWS\System32\pngfilt.dll (0x5E310000)
D:\WINDOWS\System32\wmp.dll (0x07680000)
D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)
D:\WINDOWS\System32\wmploc.dll (0x08110000)
D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (0x6D440000)
D:\WINDOWS\System32\OLEPRO32.DLL (0x5EDD0000)
D:\Program Files\Java\j2re1.4.2\bin\jpiexp32.dll (0x6D310000)
D:\Program Files\Java\j2re1.4.2\bin\jpishare.dll (0x6D380000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\client\jvm.dll (0x04F20000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\hpi.dll (0x02FE0000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\verify.dll (0x05070000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\java.dll (0x05080000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\zip.dll (0x050A0000)
D:\Program Files\Java\j2re1.4.2\bin\awt.dll (0x083E0000)
D:\Program Files\Java\j2re1.4.2\bin\fontmanager.dll (0x075F0000)
D:\WINDOWS\System32\D3DIM700.DLL (0x5C000000)
D:\Program Files\Java\j2re1.4.2\bin\jpicom32.dll (0x6D2F0000)
D:\Program Files\Java\j2re1.4.2\bin\net.dll (0x07660000)
D:\WINDOWS\System32\wintrust.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\System32\schannel.dll (0x767F0000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
D:\WINDOWS\System32\wmvcore.dll (0x09270000)
D:\WINDOWS\System32\WMASF.DLL (0x09470000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\dispex.dll (0x6CC60000)
D:\WINDOWS\System32\mshtmled.dll (0x74CB0000)
D:\WINDOWS\System32\wmnetmgr.dll (0x09D90000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\netman.dll (0x76DE0000)
D:\WINDOWS\System32\WZCSvc.DLL (0x70B50000)
D:\WINDOWS\System32\WMI.dll (0x76D30000)
D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)
D:\WINDOWS\System32\WTSAPI32.dll (0x76F50000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
D:\WINDOWS\System32\ESENT.dll (0x69710000)
D:\WINDOWS\System32\hnetcfg.dll (0x68880000)
D:\WINDOWS\System32\netshell.dll (0x75CF0000)
D:\WINDOWS\System32\credui.dll (0x76C00000)
D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)
D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)
D:\WINDOWS\System32\quartz.dll (0x35500000)
D:\WINDOWS\System32\msdmo.dll (0x0ADF0000)
D:\WINDOWS\System32\wmadmod.dll (0x0AE00000)
D:\WINDOWS\System32\devenum.dll (0x35680000)
D:\WINDOWS\System32\DSOUND.DLL (0x51080000)
D:\WINDOWS\System32\KsUser.dll (0x5EF80000)
======================================================
Log entry below recorded at: <Date and Time>
======================================================
Process ID: 3764 (msmsgs.exe)
User context: MYDOMAIN\user
Process doesn't appear to be a service
PID Port Local IP State Remote IP:Port
3764 TCP 16521 169.254.66.8 LISTENING 0.0.0.0:45294
3764 UDP 4803 0.0.0.0 *:*
3764 UDP 9586 169.254.66.8 *:*
3764 UDP 55441 169.254.66.8 *:*
Port Statistics
TCP mappings: 1
UDP mappings: 3
TCP ports in a LISTENING state: 1 = 100.00%
Loaded modules:
D:\Program Files\Messenger\msmsgs.exe (0x00400000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.DLL (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\GDI32.DLL (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.DLL (0x77120000)
D:\WINDOWS\system32\MSVCRT.DLL (0x77C10000)
D:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.DLL (0x71950000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\SHELL32.DLL (0x773D0000)
D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
D:\Program Files\Messenger\MSGSLANG.DLL (0x69200000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\System32\wtsapi32.dll (0x76F50000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
D:\WINDOWS\System32\es.dll (0x76B70000)
D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
D:\Program Files\Messenger\rtcimsp.dll (0x00F30000)
D:\WINDOWS\System32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\System32\rtcdll.dll (0x5D370000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\System32\termmgr.dll (0x5B6F0000)
D:\WINDOWS\System32\rtutils.dll (0x76E80000)
D:\WINDOWS\System32\quartz.dll (0x35500000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\dxmrtp.dll (0x6BE70000)
D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)
D:\WINDOWS\System32\DSOUND.dll (0x51080000)
D:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)
D:\WINDOWS\System32\devenum.dll (0x35680000)
D:\WINDOWS\System32\setupapi.dll (0x76670000)
D:\WINDOWS\System32\wdmaud.drv (0x72D20000)
D:\WINDOWS\System32\msacm32.drv (0x72D10000)
D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
D:\WINDOWS\System32\midimap.dll (0x77BD0000)
D:\WINDOWS\System32\msdmo.dll (0x01450000)
D:\WINDOWS\System32\dpnhupnp.dll (0x018A0000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\System32\rasapi32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\hnetcfg.dll (0x68880000)
D:\WINDOWS\System32\netshell.dll (0x75CF0000)
D:\WINDOWS\System32\credui.dll (0x76C00000)
D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)
D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)
D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)
D:\WINDOWS\System32\netcfgx.dll (0x755F0000)
D:\WINDOWS\System32\CLUSAPI.dll (0x55560000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
======================================================
Log entry below recorded at: <Date and Time>
======================================================
Process ID: 2424 (Virtual PC.exe)
User context: MYDOMAIN\user
Process doesn't appear to be a service
PID Port Local IP State Remote IP:Port
2424 TCP 1262 0.0.0.0 LISTENING 0.0.0.0:2192
2424 TCP 1731 0.0.0.0 LISTENING 0.0.0.0:53467
2424 TCP 2226 0.0.0.0 LISTENING 0.0.0.0:45214
2424 TCP 2229 0.0.0.0 LISTENING 0.0.0.0:2176
2424 TCP 4724 0.0.0.0 LISTENING 0.0.0.0:26634
2424 TCP 4725 0.0.0.0 LISTENING 0.0.0.0:2172
2424 TCP 4726 0.0.0.0 LISTENING 0.0.0.0:39049
2424 TCP 4727 0.0.0.0 LISTENING 0.0.0.0:37118
2424 TCP 4728 0.0.0.0 LISTENING 0.0.0.0:16491
2424 TCP 4729 0.0.0.0 LISTENING 0.0.0.0:20734
2424 TCP 4925 0.0.0.0 LISTENING 0.0.0.0:2064
2424 TCP 4930 0.0.0.0 LISTENING 0.0.0.0:8249
2424 TCP 4931 0.0.0.0 LISTENING 0.0.0.0:61639
2424 TCP 4932 0.0.0.0 LISTENING 0.0.0.0:22535
2424 TCP 2189 127.0.0.1 LISTENING 0.0.0.0:45095
2424 TCP 1262 169.254.66.8 ESTABLISHED 169.254.5.214:1745
2424 TCP 1731 169.254.66.8 ESTABLISHED 169.254.4.228:1745
2424 TCP 2226 169.254.66.8 ESTABLISHED 157.56.120.30:1745
2424 TCP 2229 169.254.66.8 ESTABLISHED 157.56.121.78:1745
2424 TCP 4724 169.254.66.8 ESTABLISHED 169.254.4.38:1745
2424 TCP 4725 169.254.66.8 ESTABLISHED 169.254.5.105:1745
2424 TCP 4726 169.254.66.8 ESTABLISHED 169.254.5.103:1745
2424 TCP 4727 169.254.66.8 ESTABLISHED 169.254.4.240:1745
2424 TCP 4728 169.254.66.8 ESTABLISHED 169.254.7.23:1745
2424 TCP 4729 169.254.66.8 ESTABLISHED 169.254.4.241:1745
2424 TCP 4925 169.254.66.8 ESTABLISHED 169.254.121.89:1745
2424 TCP 4930 169.254.66.8 ESTABLISHED 169.254.113.92:1745
2424 TCP 4931 169.254.66.8 ESTABLISHED 169.254.113.87:1745
2424 TCP 4932 169.254.66.8 ESTABLISHED 169.254.121.93:1745
2424 UDP 2686 0.0.0.0 *:*
2424 UDP 2687 0.0.0.0 *:*
Port Statistics
TCP mappings: 29
UDP mappings: 2
TCP ports in a LISTENING state: 15 = 51.72%
TCP ports in a ESTABLISHED state: 14 = 48.28%
Loaded modules:
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe (0x00400000)
C:\WINDOWS\System32\ntdll.dll (0x77F50000)
C:\WINDOWS\system32\kernel32.dll (0x77E60000)
C:\WINDOWS\System32\DDRAW.dll (0x51000000)
C:\WINDOWS\system32\msvcrt.dll (0x77C10000)
C:\WINDOWS\system32\USER32.dll (0x77D40000)
C:\WINDOWS\system32\GDI32.dll (0x77C70000)
C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
C:\WINDOWS\system32\RPCRT4.dll (0x78000000)
C:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)
C:\WINDOWS\System32\DINPUT.dll (0x72280000)
C:\WINDOWS\System32\WINMM.dll (0x76B40000)
C:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
C:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
C:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
C:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)
C:\WINDOWS\system32\comdlg32.dll (0x763B0000)
C:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll (0x71950000)
C:\WINDOWS\system32\SHELL32.dll (0x773D0000)
C:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)
C:\WINDOWS\system32\ole32.dll (0x771B0000)
C:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
C:\WINDOWS\system32\VERSION.dll (0x77C00000)
C:\WINDOWS\System32\OLEACC.dll (0x74C80000)
C:\WINDOWS\System32\MSVCP60.dll (0x55900000)
C:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
C:\WINDOWS\System32\MSCTF.dll (0x74720000)
C:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
C:\WINDOWS\System32\COMRes.dll (0x77050000)
C:\WINDOWS\System32\msxml4.dll (0x69B10000)
C:\WINDOWS\System32\LINKINFO.dll (0x76980000)
C:\WINDOWS\System32\ntshrui.dll (0x76990000)
C:\WINDOWS\System32\ATL.DLL (0x76B20000)
C:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
C:\WINDOWS\system32\USERENV.dll (0x75A70000)
C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000)
C:\WINDOWS\System32\mswsock.dll (0x71A50000)
C:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
C:\WINDOWS\System32\winrnr.dll (0x76FB0000)
C:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
C:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
C:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
C:\WINDOWS\System32\wdmaud.drv (0x72D20000)
C:\WINDOWS\System32\msacm32.drv (0x72D10000)
C:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
C:\WINDOWS\System32\midimap.dll (0x77BD0000)
C:\WINDOWS\System32\HID.DLL (0x688F0000)
C:\WINDOWS\System32\SETUPAPI.DLL (0x76670000)
C:\Documents and Settings\user\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll (0x10000000)
C:\WINDOWS\System32\mslbui.dll (0x605D0000)
C:\WINDOWS\System32\Secur32.dll (0x76F90000)
C:\WINDOWS\System32\security.dll (0x71F80000)
C:\WINDOWS\system32\msv1_0.dll (0x76D10000)
C:\WINDOWS\system32\appHelp.dll (0x75F40000)
C:\WINDOWS\System32\cscui.dll (0x76620000)
C:\WINDOWS\System32\CSCDLL.dll (0x76600000)
C:\WINDOWS\system32\MPR.dll (0x71B20000)
C:\WINDOWS\System32\ntlanman.dll (0x71C10000)
C:\WINDOWS\System32\NETUI0.dll (0x71CD0000)
C:\WINDOWS\System32\NETUI1.dll (0x71C90000)
C:\WINDOWS\System32\NETRAP.dll (0x71C80000)
C:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
C:\WINDOWS\System32\drprov.dll (0x75F60000)
C:\WINDOWS\System32\davclnt.dll (0x75F70000)
The Port Reporter service watches ports for changes
and reports those changes in the log files. The changes may include an increase
or a decrease in the number of connections on a port, or a change in connection
states of existing connections. The Port Reporter service reports when new
connections to a TCP port are made or when existing connections close. The Port
Reporter service also reports if the state of any one of the TCP connections on
a port change. TCP port states include the following:
- CLOSE_WAIT
- CLOSED
- ESTABLISHED
- FIN_WAIT_1
- LAST_ACK
- LISTEN
- SYN_RECEIVED
- SYN_SEND
- TIMED_WAIT
An example of a change in state occurs when a connection that
uses the ESTABLISHED state is changed to use the CLOSE_WAIT state. Sometimes,
the Port Reporter service may report that the System Idle process (PID 0) uses
some TCP ports. This scenario may occur when a program that is installed on the
computer connects to a TCP port and then disconnects from the port very
quickly. The TCP connection between the program and the port may be left in a
"Timed Wait" state although the program is no longer running. In this case, the
Port Reporter service may detect that the port is being used, but cannot
identify the program that used the port because the program is no longer
running. The port can be in a "Timed Wait" state for up to several minutes
although the process that was using the port is no longer running.
The Port Reporter service also creates a log entry when a program
that is installed on the computer starts using a new UDP port. For example, if
a program binds to UDP port 69, the Port Reporter service logs this action to
the PR-PORTS and PR-PIDS log files. The Port Reporter service does not log UDP
datagrams that are sent to UDP ports. The Port Reporter service only logs that
the UDP port is bound and is accepting datagrams. Microsoft recommends that you
check the system event log and the application event log for events that are
logged by the Port Reporter service. The Port Reporter service logs events when
the service starts, when the service creates log files, when the service stops,
or when the service encounters an error. The source of the events is logged as
PortReporter. The event IDs are between 100 and 112.
Because Windows 2000 systems do not support port-to-process mapping, the PR-PIDS log file will contain the following line:
Port to process mappings are not available on this system.
back to the top