NeuroAgent

How to Identify Process Listening on Port in Windows

Learn multiple methods to identify which process is listening on specific TCP or UDP ports in Windows using netstat, PowerShell cmdlets, and advanced scripts for effective network troubleshooting.

#command-line-tools#network-security#powershell-scripts#process-identification#system-troubleshooting#tcp-udp-port-monitoring#windows-network-administration
Question

How can I identify which process is listening on a specific TCP or UDP port in Windows?

NeuroAgent

You can identify which process is listening on a specific TCP or UDP port in Windows using several methods, including the traditional netstat command with filtering, modern PowerShell cmdlets like Get-NetTCPConnection and Get-NetUDPEndpoint, or by combining these tools with tasklist to get detailed process information. The most efficient approach depends on your Windows version and familiarity with command-line tools, with PowerShell generally offering more structured and easier-to-filter results.

Contents

Using netstat Command

The traditional netstat command has been available in Windows for decades and remains a reliable method for identifying processes listening on ports. To find which process is listening on a specific port, you can use the following commands:

Basic netstat with PID

cmd
netstat -aon | findstr ":80"

This command shows all connections related to port 80, including the process ID (PID) in the last column. The -a parameter shows all connections, -o shows the process ID, and -n shows addresses numerically.

Filtering for listening ports

cmd
netstat -aon | findstr "LISTENING" | findstr ":80"

For PowerShell v2.0 compatibility, you need to add a space after the find criteria:

cmd
netstat -aon | find /i "listening" | find "1234 "

Complete netstat output

The netstat -aon command displays a comprehensive list of all active TCP connections, including:

  • Protocol type (TCP/UDP)
  • Local address and port
  • Foreign address and port
  • State (Established, Listening, etc.)
  • Process ID (PID)

Note: The netstat output format can vary slightly between Windows versions, but the PID is always shown in the last column when using the -o parameter.

Using PowerShell Cmdlets

PowerShell provides more modern and structured approaches to identify listening processes. The Windows operating system includes specialized cmdlets for this purpose.

Get-NetTCPConnection for TCP ports

For TCP ports, use the Get-NetTCPConnection cmdlet:

powershell
# Get all listening TCP connections
Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# Get process listening on specific port
Get-Process -Id (Get-NetTCPConnection -LocalPort 80).OwningProcess

Get-NetUDPEndpoint for UDP ports

For UDP ports, use the Get-NetUDPEndpoint cmdlet:

powershell
# Get all UDP endpoints
Get-NetUDPEndpoint | Select-Object -Property LocalAddress, LocalPort, CreationTime, OwningProcess

# Get process listening on specific UDP port
Get-Process -Id (Get-NetUDPEndpoint -LocalPort 53).OwningProcess

Enhanced PowerShell filtering

You can create more comprehensive queries:

powershell
# Get TCP connections with process names
Get-NetTCPConnection -State Listen | 
    Select-Object LocalAddress, LocalPort, State, OwningProcess,
    @{Name="ProcessName"; Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}

# Same for UDP
Get-NetUDPEndpoint | 
    Select-Object LocalAddress, LocalPort, CreationTime, OwningProcess,
    @{Name="ProcessName"; Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}

Note: According to Microsoft Learn documentation, Get-NetTCPConnection supports various parameters including -LocalPort, -State, -RemoteAddress, and -OwningProcess for precise filtering.

Using Tasklist with Process IDs

Once you identify the process ID from netstat or PowerShell cmdlets, you can use tasklist to get detailed process information:

Basic tasklist usage

cmd
tasklist /fi "pid eq 16876"

Display all processes with PIDs

cmd
tasklist /v

PowerShell approach with process details

powershell
# Get process details after finding PID
$tcpConnection = Get-NetTCPConnection -LocalPort 80
$process = Get-Process -Id $tcpConnection.OwningProcess
$process | Select-Object ProcessName, Id, Path, CPU, WorkingSet

Complete process information

powershell
# Comprehensive process information for listening ports
Get-NetTCPConnection -State Listen | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalPort = $_.LocalPort
        LocalAddress = $_.LocalAddress
        ProcessName = $process.ProcessName
        PID = $_.OwningProcess
        Path = $process.Path
        CPU = $process.CPU
        Memory = $process.WorkingSet
    }
}

PowerShell Scripts and Advanced Methods

For more advanced scenarios, you can create PowerShell scripts that combine these methods for better results.

Complete port monitoring script

powershell
function Get-ListeningProcess {
    param(
        [Parameter()]
        [ValidateSet("TCP", "UDP", "Both")]
        [string]$Protocol = "Both",
        
        [Parameter()]
        [int]$Port
    )
    
    $results = @()
    
    if ($Protocol -eq "TCP" -or $Protocol -eq "Both") {
        $tcpConnections = Get-NetTCPConnection -State Listen
        if ($Port) {
            $tcpConnections = $tcpConnections | Where-Object { $_.LocalPort -eq $Port }
        }
        
        foreach ($connection in $tcpConnections) {
            $process = Get-Process -Id $connection.OwningProcess -ErrorAction SilentlyContinue
            $results += [PSCustomObject]@{
                Protocol = "TCP"
                LocalPort = $connection.LocalPort
                LocalAddress = $connection.LocalAddress
                ProcessName = $process.ProcessName
                PID = $connection.OwningProcess
                Path = $process.Path
                StartTime = $process.StartTime
            }
        }
    }
    
    if ($Protocol -eq "UDP" -or $Protocol -eq "Both") {
        $udpEndpoints = Get-NetUDPEndpoint
        if ($Port) {
            $udpEndpoints = $udpEndpoints | Where-Object { $_.LocalPort -eq $Port }
        }
        
        foreach ($endpoint in $udpEndpoints) {
            $process = Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue
            $results += [PSCustomObject]@{
                Protocol = "UDP"
                LocalPort = $endpoint.LocalPort
                LocalAddress = $endpoint.LocalAddress
                ProcessName = $process.ProcessName
                PID = $endpoint.OwningProcess
                Path = $process.Path
                StartTime = $process.StartTime
            }
        }
    }
    
    return $results | Sort-Object LocalPort
}

# Usage examples:
# Get-ListeningProcess -Protocol TCP -Port 80
# Get-ListeningProcess -Protocol UDP
# Get-ListeningProcess

One-liner for quick identification

powershell
# Quick way to see what's listening on port 80
Get-NetTCPConnection -LocalPort 80 | Select-Object LocalPort, LocalAddress, OwningProcess | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $_ | Add-Member -MemberType NoteProperty -Name ProcessName -Value $process.ProcessName -PassThru
}

Advanced filtering by process name

powershell
# Find all listening ports for a specific process
$processName = "node"
Get-Process -Name $processName | ForEach-Object {
    $tcpPorts = Get-NetTCPConnection -State Listen -OwningProcess $_.Id
    $udpPorts = Get-NetUDPEndpoint -OwningProcess $_.Id
    
    foreach ($port in $tcpPorts) {
        [PSCustomObject]@{
            Process = $_.ProcessName
            PID = $_.Id
            Protocol = "TCP"
            Port = $port.LocalPort
            Address = $port.LocalAddress
        }
    }
    
    foreach ($port in $udpPorts) {
        [PSCustomObject]@{
            Process = $_.ProcessName
            PID = $_.Id
            Protocol = "UDP"
            Port = $port.LocalPort
            Address = $port.LocalAddress
        }
    }
}

Troubleshooting Tips

Common issues and solutions

Permission issues: Some processes may require elevated privileges to view their network connections. Always run your commands as Administrator.

Process not found: If a PID appears in netstat but Get-Process fails, the process may have terminated between commands. Use -ErrorAction SilentlyContinue to handle this gracefully.

Port conflicts: Multiple processes may attempt to bind to the same port. Windows typically allows this only if the addresses differ (e.g., 127.0.0.1 vs 0.0.0.0).

IPv6 vs IPv4: Some processes may listen on both IPv4 and IPv6 addresses. Check for both 0.0.0.0 and :: in the local address field.

Verifying port accessibility

After identifying the listening process, you can verify the port is accessible:

cmd
telnet localhost 80

Or in PowerShell:

powershell
Test-NetConnection -ComputerName localhost -Port 80

Monitoring port changes

For real-time monitoring of port changes:

powershell
# Monitor TCP connections in real-time
Get-NetTCPConnection -State Listen | Select-Object LocalPort, LocalAddress, OwningProcess | 
    Format-Table -AutoSize -Wrap

# Monitor every 5 seconds
while ($true) {
    Clear-Host
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort | Format-Table -AutoSize
    Start-Sleep -Seconds 5
}

Best Practices

Security considerations

  • Regular monitoring: Regularly check for unexpected listening ports on critical systems
  • Process verification: Always verify that processes listening on sensitive ports are legitimate
  • Least privilege: Run monitoring tools with minimum necessary privileges
  • Logging: Consider logging port information for security auditing

Performance optimization

  • Specific queries: Always filter by port or protocol when possible to reduce output
  • Batch processing: Use PowerShell’s pipeline capabilities for efficient processing
  • Error handling: Implement proper error handling for robust scripts
  • Scheduling: Use Task Scheduler for regular port monitoring

Cross-version compatibility

  • netstat vs PowerShell: Use netstat for older Windows versions (pre-Windows 8/Server 2012)
  • PowerShell version: Modern PowerShell cmdlets require Windows 8/Server 2012 or later
  • Fallback methods: Always have fallback methods for different Windows versions

Documentation and reporting

  • Script documentation: Comment your PowerShell scripts thoroughly
  • Output formatting: Use consistent formatting for easy reading
  • Alert systems: Consider integrating with monitoring systems for critical ports
  • Historical analysis: Keep logs to analyze port usage patterns over time

Conclusion

Identifying processes listening on specific TCP or UDP ports in Windows can be accomplished through several effective methods. The traditional netstat command remains reliable for quick checks, while PowerShell cmdlets like Get-NetTCPConnection and Get-NetUDPEndpoint offer more structured and filterable results. For comprehensive analysis, combining these tools with tasklist or custom PowerShell scripts provides the most detailed information about listening processes.

For optimal results, use PowerShell cmdlets on modern Windows systems for their superior filtering capabilities, while keeping netstat as a fallback for compatibility. Always consider running commands with elevated privileges and implement proper error handling for robust port monitoring solutions.

Regular port monitoring should be part of system administration best practices to ensure security and optimal performance, helping you quickly identify unauthorized network activity or configuration issues that could impact system stability.

Sources

  1. Stack Overflow - How do I find out which process is listening on a TCP or UDP port on Windows?

  2. Windows OS Hub - Find Out Which Process is Listening on a Specific Port on Windows

  3. CloudHadoop - How to find process id name listen to TCP/UDP ports in windows

  4. Medium - Finding the Windows Process That’s Using a Particular TCP or UDP Port

  5. TechnoFossy - Identifying Processes Using Specific TCP/UDP Ports on Windows

  6. TempMail - Finding the Windows Process That’s Using a Particular TCP or UDP Port

  7. Microsoft Learn - Get-NetTCPConnection

  8. Microsoft Learn - Get-NetUDPEndpoint

  9. SANS ISC - Netstat, but Better and in PowerShell

  10. PDQ - Get-NetTCPConnection - PowerShell Command

How can I kill a process that's using a specific port in Windows?What are the best practices for monitoring network ports on Windows servers?How do I identify all listening ports on a Windows system and their associated processes?Can I automate port monitoring and alerting in Windows using PowerShell?How do I handle port conflicts between multiple processes on Windows?What security considerations should I keep in mind when monitoring ports on Windows systems?
Ask NeuroAgent