System process is using a port, why? Windows 7


Is there a generic way to find out which service listens to a port as the System process?



In my case, the System process, PID 4, is listening on the port 443 (https), so another program that needs this port cannot start.



Before, for many years the system did not use this port, so I could use that other program.



How can I figure out what causes the system to listen to that port?



netstat -a -b -o run under an elevated prompt shows:

  TCP    0.0.0.0:443            MyComputerName:0       LISTENING       4
 Can not obtain ownership information


I have Apache installed, but when I stop it, nothing changes. I have IIS uninstalled. Other suspects are Skype, CrashPlan, and MySQL server, but they have run on this computer for years without causing this problem. Skype has the option [_] Use port 80 and 443 unchecked. Putting CrashPlan to sleep does not release the port.



I have asked this question on StackOverflow, but it was deemed off-topic there.



There is a similar question on the port 80, but the answers there only say to stop this or that specific service, which does not generalize to another port.



There is another similar question, but in that case the OP comments that the netstat -ab shows svchost.exe as the source of connection, and none of the answers solve the problem in my case.










  • See the IP address, it is 0.0.0.0, which is not a routable address.

    – Biswapriyo
    Jul 4 '17 at 3:26











  • @Biswa Thank you! I think 0.0.0.0 means to listen at all available interfaces (I have only one, but if I had two, this program would listen at both). howtogeek.com/225487/… says "In the context of servers, 0.0.0.0 means all IPv4 addresses on the local machine."

    – Alexander Gelbukh
    Jul 4 '17 at 4:21











  • @Biswa: Correct. I explain this in my answer about :::, responding to a question that also asked about 0.0.0.0. Basically, 0.0.0.0 indicates no address. By having no address specified, the result is listening to any address (instead of a specific address). So, I validate that conclusion.

    – TOOGAM
    Jul 4 '17 at 5:03











  • Oops, I meant @AlexanderGelbukh (not @Biswa). Oh well; both would receive that last comment (and this one) even without an @ in my comment.

    – TOOGAM
    Jul 4 '17 at 6:24
















windows-7 windows networking port






edited Jul 3 '17 at 21:44
asked Jul 3 '17 at 21:34
– Alexander Gelbukh





1 Answer
From my reading, there can be multiple causes. For instance, after reading Cornelius's question: “Why is the System process listening on Port 443?”, I get the impression that at least these three different causes can lead to such a thing:




  • HTTP.SYS related to IIS (Microsoft's web server)


  • A network connection accepting an incoming VPN connection. (Possibly related to "Remote Access", part of RRAS which is "Routing and Remote Access"?)


  • Skype (see the hyperlink earlier in my answer, for pictures).


I'm guessing these have some common factors, such as using Microsoft code and probably using a low-level driver.



I would think there has to be a way to just check, instead of hunting. The TCP/IP stack has to know where to send the traffic, and we can check what the TCP/IP stack will do using the netstat command. Unfortunately, all the netstat command is giving us is the system-wide PID, which points us to a process named "System". I would think that, similarly, the "System" process must have a way to know which driver to send the traffic to. I have not yet found a way to just check that.



Meanwhile, I figured I'd point you to multiple possible causes I did find. Hopefully one of those will lead to you finding the answer you're seeking.



Note: The way I found this cause was by looking at some of the promising "Related" items that Superuser.com displays in the right frame. One of the basic rules of Stack Exchange is to try doing your own prior research. I suggest another good rule is that after you post a question, do check the section called "Related" in the right frame, because IMHO Stack Exchange does a pretty good job of frequently finding very on-topic questions.



On my Microsoft Windows system, PID 4 also belongs to the System process, so it does not appear that particular PID is very random.



The rest of this question just explains some things I checked on my system. It won't help you (Alexander Gelbukh) much because I can tell that you've already figured most or all of this out already. However, hopefully people reading that will be less inclined to blindly recommend netstat as a solution, since netstat's output is not a complete, sufficient solution (because we need to do more than just identify the process that the TCP/IP networking stack will send the traffic to).



I think there can be multiple reasons that netstat -b may say "Can not obtain ownership information", including a lack of UAC elevation (at least on some versions of Microsoft Windows; on my Windows 10 I get different results when running un-elevated: netstat just immediately says "The requested operation requires elevation." and gives two blank lines, and quits.)



I'm getting the same results as you: When I do run elevated, I cannot seem to see the results of PID 4.




  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:8732           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information


(This says PID 996 is svchost.exe, but no info on PID 4.)




C:\>tasklist /SVC | more

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0      4,828 K

C:\WINDOWS\system32>powershell "Get-NetTCPConnection -LocalPort 445 | Format-List"

LocalAddress   : ::
LocalPort      : 445
RemoteAddress  : ::
RemotePort     : 0
State          : Listen
AppliedSetting :
OwningProcess  : 4
CreationTime   : 3/2/2017 9:56:19 PM
OffloadState   : InHost

C:\WINDOWS\system32>






  • Thank you! Yes, as you have correctly noted, this information gives more details on the question but unfortunately does not provide an answer, or hints on any further action. And yes, I dug through related questions, but only found answers that say "try disabling this or that specific program" and not providing any generic way of actions. None of those programs seems to be the cause in my case. Any better idea?

    – Alexander Gelbukh
    Jul 4 '17 at 17:44











  • To respond to your comment's second sentence, in particular, my answer's second bullet point was a direct and unique answer: an idea that wasn't already dismissed in the question. I intentionally put that near the top to be easily found. As for your 3rd sentence seeking a "generic way", I address that idea in my paragraph starting with "I would", essentially stating that I don't have such a series of steps at this time.

    – TOOGAM
    Jul 5 '17 at 4:29











  • Thank you! Yes, VPN has been dismissed, too (among many other specific things that people mention in related questions) -- sorry I did not specify it in the question.

    – Alexander Gelbukh
    Jul 5 '17 at 20:39
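
Added example (not part of the original answer or its comments): a parser for the `netstat -a -b -o` layout quoted above that lists the TCP listeners netstat attributes only to PID 4, together with the address each one is bound to. The sample output, the function names and the extra rows (chrome.exe, IKEEXT, 127.0.0.1:8732) are constructed for illustration.

```python
"""Parse `netstat -a -b -o` output and list the TCP listeners that netstat
attributes only to the System process (PID 4).

SAMPLE is constructed in the layout of the output quoted on this page;
it is not a capture from a real machine.
"""
from dataclasses import dataclass, field

SYSTEM_PID = 4
NO_OWNER = "Can not obtain ownership information"
WILDCARDS = {"0.0.0.0", "[::]"}  # "all local addresses" for IPv4 and IPv6

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:443            MyComputerName:0       LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    127.0.0.1:8732         0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     2280
 [chrome.exe]
  TCP    [::]:445               [::]:0                 LISTENING       4
 Can not obtain ownership information
  UDP    0.0.0.0:500            *:*                                    1044
  IKEEXT
 [svchost.exe]
"""


@dataclass
class Entry:
    proto: str
    address: str
    port: int
    state: str                  # empty for UDP rows, which have no State column
    pid: int
    image: str = ""             # executable taken from the "[name.exe]" line
    components: list = field(default_factory=list)  # service/component lines
    owner_unknown: bool = False  # netstat printed the NO_OWNER message


def parse_netstat_b(text):
    """Turn the multi-line records of `netstat -b` into Entry objects."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        # A connection row: TCP has 5 columns, UDP has 4 (no State).
        if parts[0] in ("TCP", "UDP") and len(parts) in (4, 5) and parts[-1].isdigit():
            # rpartition keeps "[::]" intact and splits off the port.
            address, _, port = parts[1].rpartition(":")
            if port.isdigit():
                state = parts[3] if len(parts) == 5 else ""
                current = Entry(parts[0], address, int(port), state, int(parts[-1]))
                entries.append(current)
                continue
        if current is None:
            continue  # banner and column header before the first row
        # Everything else describes the owner of the row above it.
        if line == NO_OWNER:
            current.owner_unknown = True
        elif line.startswith("[") and line.endswith("]"):
            current.image = line[1:-1]
        else:
            current.components.append(line)
    return entries


def system_listeners(entries):
    """TCP listeners held by PID 4 for which netstat names no executable."""
    return [e for e in entries
            if e.proto == "TCP" and e.state == "LISTENING"
            and e.pid == SYSTEM_PID and not e.image]


def summarize(entries):
    """Map each unattributed port to the sorted list of addresses it is bound to."""
    ports = {}
    for e in system_listeners(entries):
        ports.setdefault(e.port, set()).add(e.address)
    return {port: sorted(addrs) for port, addrs in sorted(ports.items())}


if __name__ == "__main__":
    for port, addrs in summarize(parse_netstat_b(SAMPLE)).items():
        scope = "all interfaces" if WILDCARDS & set(addrs) else "specific address"
        print(f"port {port:<5} {', '.join(addrs):<18} {scope}")
```

For a port this flags, `netsh http show servicestate` lists the URLs registered with HTTP.SYS (the first cause in the answer's list) and the process IDs attached to each request queue.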











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1225385%2fsystem-process-is-using-a-port-why-windows-7%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














From my reading, there can be multiple causes. For instance, after reading Cornelius's question: “Why is the System process listening on Port 443?”, I get the impression that at least these three different causes can lead to such a thing:




  • HTTP.SYS related to IIS (Microsoft's web server)


  • A network connection accepting an incoming VPN connection. (Possibly related to "Remote Access", part of RRAS which is "Routing and Remote Access"?)


  • Skype (see the hyperlink earlier in my answer, for pictures).


I'm guessing these have some common factors, such as using Microsoft code and probably using a low-level driver.



I would think there has to be a way to just check, instead of hunting. The TCP/IP stack has to know where to send the traffic, and we can check what the TCP/IP stack will do using the netstat command. Unfortunately, all the netstat command is giving us is the system-wide PID, which points us to a process named "System". I would think that, similarly, the "System" process must have a way to know which driver to send the traffic to. I have not yet found a way to just check that.



Meanwhile, I figured I'd point you to multiple possible causes I did find. Hopefully one of those will lead to you finding the answer you're seeking.



Note: The way I found this cause was by looking at some of the promising "Related" items that Superuser.com displays in the right frame. One of the basic rules of Stack Exchange is to try doing your own prior research. I suggest another good rule is that after you post a question, do check the section called "Related" in the right frame, because IMHO Stack Exchange does a pretty good job of frequently finding very on-topic questions.



On my Microsoft Windows system, PID 4 also belongs to the System process, so it does not appear that particular PID is very random.



The rest of this question just explains some things I checked on my system. It won't help you (Alexander Gelbukh) much because I can tell that you've already figured most or all of this out already. However, hopefully people reading that will be less inclined to blindly recommend netstat as a solution, since netstat's output is not a complete, sufficient solution (because we need to do more than just identify the process that the TCP/IP networking stack will send the traffic to).



I think there can be multiple reasons that netstat -b may say Can not obtain ownership information, including a lack of UAC elevation (at least on some versions of Microsoft Windows; on my Windows 10 I get different results when running un-elevated: netstat just immediately says The requested operation requires elevation. and gives two blank lines, and quits.)



I'm getting the same results as you: When I do run elevated, I cannot seem to see the results of PID 4.




Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 996
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:8732 0.0.0.0:0 LISTENING 4
Can not obtain ownership information


(This says PID 996 is svchost.exe, but no info on PID 4.)




C:>tasklist /SVC | more

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 4 K
System 4 Services 0 4,828 K



C:WINDOWSsystem32>powershell "Get-NetTCPConnection -LocalPort 445 | Format-List"

LocalAddress : ::
LocalPort : 445
RemoteAddress : ::
RemotePort : 0
State : Listen
AppliedSetting :
OwningProcess : 4
CreationTime : 3/2/2017 9:56:19 PM
OffloadState : InHost



C:WINDOWSsystem32>






share|improve this answer
























  • Thank you! Yes, as you have correctly noted, this information gives more details on the question but unfortunately does not provide an answer, or hints on any further action. And yes, I digged through related questions, but only found answers that say "try disabling this or that specific program" and not providing any generic way of actions. None of those programs seems to be the cause in my case. Any better idea?

    – Alexander Gelbukh
    Jul 4 '17 at 17:44











  • To respond to your comment's second sentence, in particular, my answer's second bullet point was a direct and unique answer: an idea that wasn't already dismissed in the question. I intentionally put that near the top to be easily found. As for your 3rd sentence seeking a "generic way", I address that idea in my paragraph starting with "I would", essentially stating that I don't have such a series of steps at this time.

    – TOOGAM
    Jul 5 '17 at 4:29











  • Thank you! Yes, VPN has been dismissed, too (among many other specific things that people mention in related questions) -- sorry I did not specify it in the question.

    – Alexander Gelbukh
    Jul 5 '17 at 20:39
















0














From my reading, there can be multiple causes. For instance, after reading Cornelius's question: “Why is the System process listening on Port 443?”, I get the impression that at least these three different causes can lead to such a thing:




  • HTTP.SYS related to IIS (Microsoft's web server)


  • A network connection accepting an incoming VPN connection. (Possibly related to "Remote Access", part of RRAS which is "Routing and Remote Access"?)


  • Skype (see the hyperlink earlier in my answer, for pictures).


I'm guessing these have some common factors, such as using Microsoft code and probably using a low-level driver.



I would think there has to be a way to just check, instead of hunting. The TCP/IP stack has to know where to send the traffic, and we can check what the TCP/IP stack will do using the netstat command. Unfortunately, all the netstat command is giving us is the system-wide PID, which points us to a process named "System". I would think that, similarly, the "System" process must have a way to know which driver to send the traffic to. I have not yet found a way to just check that.



Meanwhile, I figured I'd point you to multiple possible causes I did find. Hopefully one of those will lead to you finding the answer you're seeking.



Note: The way I found this cause was by looking at some of the promising "Related" items that Superuser.com displays in the right frame. One of the basic rules of Stack Exchange is to try doing your own prior research. I suggest another good rule is that after you post a question, do check the section called "Related" in the right frame, because IMHO Stack Exchange does a pretty good job of frequently finding very on-topic questions.



On my Microsoft Windows system, PID 4 also belongs to the System process, so it does not appear that particular PID is very random.



The rest of this question just explains some things I checked on my system. It won't help you (Alexander Gelbukh) much because I can tell that you've already figured most or all of this out already. However, hopefully people reading that will be less inclined to blindly recommend netstat as a solution, since netstat's output is not a complete, sufficient solution (because we need to do more than just identify the process that the TCP/IP networking stack will send the traffic to).



I think there can be multiple reasons that netstat -b may say Can not obtain ownership information, including a lack of UAC elevation (at least on some versions of Microsoft Windows; on my Windows 10 I get different results when running un-elevated: netstat just immediately says The requested operation requires elevation. and gives two blank lines, and quits.)



I'm getting the same results as you: When I do run elevated, I cannot seem to see the results of PID 4.




Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 996
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:8732 0.0.0.0:0 LISTENING 4
Can not obtain ownership information


(This says PID 996 is svchost.exe, but no info on PID 4.)




C:>tasklist /SVC | more

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 4 K
System 4 Services 0 4,828 K



C:WINDOWSsystem32>powershell "Get-NetTCPConnection -LocalPort 445 | Format-List"

LocalAddress : ::
LocalPort : 445
RemoteAddress : ::
RemotePort : 0
State : Listen
AppliedSetting :
OwningProcess : 4
CreationTime : 3/2/2017 9:56:19 PM
OffloadState : InHost



C:WINDOWSsystem32>






share|improve this answer
























  • Thank you! Yes, as you have correctly noted, this information gives more details on the question but unfortunately does not provide an answer, or hints on any further action. And yes, I digged through related questions, but only found answers that say "try disabling this or that specific program" and not providing any generic way of actions. None of those programs seems to be the cause in my case. Any better idea?

    – Alexander Gelbukh
    Jul 4 '17 at 17:44











  • To respond to your comment's second sentence, in particular, my answer's second bullet point was a direct and unique answer: an idea that wasn't already dismissed in the question. I intentionally put that near the top to be easily found. As for your 3rd sentence seeking a "generic way", I address that idea in my paragraph starting with "I would", essentially stating that I don't have such a series of steps at this time.

    – TOOGAM
    Jul 5 '17 at 4:29











  • Thank you! Yes, VPN has been dismissed, too (among many other specific things that people mention in related questions) -- sorry I did not specify it in the question.

    – Alexander Gelbukh
    Jul 5 '17 at 20:39














0












0








0







From my reading, there can be multiple causes. For instance, after reading Cornelius's question: “Why is the System process listening on Port 443?”, I get the impression that at least these three different causes can lead to such a thing:




  • HTTP.SYS related to IIS (Microsoft's web server)


  • A network connection accepting an incoming VPN connection. (Possibly related to "Remote Access", part of RRAS which is "Routing and Remote Access"?)


  • Skype (see the hyperlink earlier in my answer, for pictures).


I'm guessing these have some common factors, such as using Microsoft code and probably using a low-level driver.



I would think there has to be a way to just check, instead of hunting. The TCP/IP stack has to know where to send the traffic, and we can check what the TCP/IP stack will do using the netstat command. Unfortunately, all the netstat command is giving us is the system-wide PID, which points us to a process named "System". I would think that, similarly, the "System" process must have a way to know which driver to send the traffic to. I have not yet found a way to just check that.



Meanwhile, I figured I'd point you to multiple possible causes I did find. Hopefully one of those will lead to you finding the answer you're seeking.



Note: The way I found this cause was by looking at some of the promising "Related" items that Superuser.com displays in the right frame. One of the basic rules of Stack Exchange is to try doing your own prior research. I suggest another good rule is that after you post a question, do check the section called "Related" in the right frame, because IMHO Stack Exchange does a pretty good job of frequently finding very on-topic questions.



On my Microsoft Windows system, PID 4 also belongs to the System process, so it does not appear that particular PID is very random.



The rest of this question just explains some things I checked on my system. It won't help you (Alexander Gelbukh) much because I can tell that you've already figured most or all of this out already. However, hopefully people reading that will be less inclined to blindly recommend netstat as a solution, since netstat's output is not a complete, sufficient solution (because we need to do more than just identify the process that the TCP/IP networking stack will send the traffic to).



I think there can be multiple reasons that netstat -b may say Can not obtain ownership information, including a lack of UAC elevation (at least on some versions of Microsoft Windows; on my Windows 10 I get different results when running un-elevated: netstat just immediately says The requested operation requires elevation. and gives two blank lines, and quits.)



I'm getting the same results as you: When I do run elevated, I cannot seem to see the results of PID 4.




      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
      RpcSs
     [svchost.exe]
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
     Can not obtain ownership information
      TCP    0.0.0.0:8732           0.0.0.0:0              LISTENING       4
     Can not obtain ownership information


(This says PID 996 is svchost.exe, but no info on PID 4.)




    C:\>tasklist /SVC | more

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process              0 Services                   0          4 K
    System                           4 Services                   0      4,828 K

    C:\WINDOWS\system32>powershell "Get-NetTCPConnection -LocalPort 445 | Format-List"

    LocalAddress   : ::
    LocalPort      : 445
    RemoteAddress  : ::
    RemotePort     : 0
    State          : Listen
    AppliedSetting :
    OwningProcess  : 4
    CreationTime   : 3/2/2017 9:56:19 PM
    OffloadState   : InHost

    C:\WINDOWS\system32>
















answered Jul 4 '17 at 6:23









TOOGAM














  • Thank you! Yes, as you have correctly noted, this information gives more details on the question but unfortunately does not provide an answer, or hints on any further action. And yes, I dug through related questions, but only found answers that say "try disabling this or that specific program" and not providing any generic way of actions. None of those programs seems to be the cause in my case. Any better idea?

    – Alexander Gelbukh
    Jul 4 '17 at 17:44











  • To respond to your comment's second sentence, in particular, my answer's second bullet point was a direct and unique answer: an idea that wasn't already dismissed in the question. I intentionally put that near the top to be easily found. As for your 3rd sentence seeking a "generic way", I address that idea in my paragraph starting with "I would", essentially stating that I don't have such a series of steps at this time.

    – TOOGAM
    Jul 5 '17 at 4:29











  • Thank you! Yes, VPN has been dismissed, too (among many other specific things that people mention in related questions) -- sorry I did not specify it in the question.

    – Alexander Gelbukh
    Jul 5 '17 at 20:39
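
Added example, not part of the answer or comments above: for the HTTP.SYS cause in the answer's first bullet, `netsh http show servicestate` lists the process IDs attached to each HTTP.sys request queue along with its registered URLs, and that can be matched against the ports netstat attributes to PID 4. It assumes an elevated prompt and English-language netstat/netsh output; the variable names are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes English-language netstat/netsh output; variable names are illustrative.

# 1. TCP ports that netstat reports as LISTENING under PID 4 (the System process).
$systemPorts = netstat -ano |
    Select-String '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+4\s*$' |
    ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

# 2. HTTP.sys state, one text block per request queue. Each block lists the
#    process IDs attached to the queue and the URLs registered for it.
$raw    = (netsh http show servicestate view=requestq) -join "`n"
$queues = $raw -split '(?m)^(?=Request queue name:)' |
    Where-Object { $_ -match 'Registered URLs:' }

# 3. For each System-owned port, show the request queue (if any) holding a URL on it.
foreach ($port in $systemPorts) {
    # Registered URLs look like HTTP://+:80/path/, so match on ":<port>/".
    $hits = @($queues | Where-Object { $_ -match "https?://[^/\s]*:$port/" })
    if ($hits.Count -gt 0) {
        "Port ${port}: registered with HTTP.sys; request queue details:"
        $hits | ForEach-Object { $_.TrimEnd() }
    } else {
        "Port ${port}: no HTTP.sys URL registration found"
    }
}
```

This check covers only the HTTP.sys cause; a PID 4 port with no registration is held by some other kernel-mode component, which this script does not identify.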




































