Open Ports on Windows XP
Inside your computer
I wage a constant battle to know everything that is going on in my computer. Much of this stems from the constant barrage of security holes that Microsoft calls "features" that are enabled by default in Windows XP. Yes, I'm paranoid. :-) This page aims to be a quick-and-easy reference for what ports are open on a reasonably standard installation of Windows XP, and what they are used for.
To see a list of open ports on Windows XP you can install one of many firewall applications, or you can go to a command prompt and enter:
To find the program that is using the port, look at the PID number, then use the task manager to match the PID with a running process. To get a more detailed list that includes the EXE file and DLL file names (this takes a bit longer) try this:
| Port | Description |
|---|---|
| 123 | Network Time Protocol, used by the Windows Time Service. In theory, this synchronizes with various time servers on the internet. In my experience, it always synchronizes with time.windows.com no matter how I set it. I would not have noticed if I weren't running Kerio Firewall. A bit suspicious, eh? |
| | RPC (Remote Procedure Call) and DCOM (Distributed Component Object Model). RPC and DCOM allow a remote computer to send commands to another computer. This is used by a variety of Windows-specific services. (See the entry "Anything >1023" below.) The RPC service is not stoppable (see the section on unstoppable services). |
| 137, 138, 139 | File and printer sharing and network name resolution using NetBIOS over TCP. Windows 2000 and XP use 445 for the file and printer sharing portion, but it is not accessible to Windows NT/9x systems. |
| 445 | File and printer sharing for Windows 2000 and above (SMB over TCP). |
| 500 | IKE (Internet Key Exchange), which is part of the IPsec protocol. This is handled by LSASS.EXE, the Local Security Authority Service. LSASS is also used for user login authentication, so disabling IPsec closes port 500 but leaves LSASS running. |
| Anything >1023 | Ports above 1023 are available to applications in general. Any service that uses RPC will be given a port above 1023. The port number can vary based on what services are available and what order they start in. Examples include: |
| 3372 | Microsoft Distributed Transaction Coordinator (MSDTC). This also uses another variable port above 1023. |
| 1900 | Universal Plug and Play (UPnP). |
| 5000 | Simple Service Discovery Protocol (SSDP), the companion to UPnP. |
| 3389 | The Remote Desktop service, which allows you to control your PC remotely. |
What is SVCHOST?
You will notice that most ports are held by one of the many instances of svchost.exe. Most Windows services are not full executables, merely DLLs. These DLLs must be loaded by a host executable like SVCHOST. This saves system resources at the expense of security. To determine which services are running under a specific instance of SVCHOST, open a command prompt and enter:
Svchost usually runs as one of three special users: SYSTEM, LOCAL SERVICE, or NETWORK SERVICE. Unfortunately, even the system administrator does not have sufficient rights to kill SVCHOST when it runs as one of these three users.
Some services such as RPC are unstoppable. They ignore the stop command, and the service control manager will refuse to even let you try. Some of these services cannot even be disabled. I cannot imagine why any service should get such privileges. For example, why is the Audio Server unstoppable? Oh no! No audio!
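The two lookups described above (open port to PID, and PID to the services an svchost.exe instance hosts) combined into one script. This is an added example, not code from the original page; it assumes the output layout of `netstat -ano` and `tasklist /svc` on XP, works on constructed sample output embedded below, and labels each port from the reference table, including the "anything above 1023" rule for RPC-assigned ports.

```python
import re
# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1052      192.168.1.1:80         ESTABLISHED     1360
  UDP    0.0.0.0:123            *:*                                    1020
  UDP    192.168.1.10:1900      *:*                                    1188
"""
# Constructed sample of `tasklist /svc` output; the 1020 entry wraps as real output does.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  884 RpcSs
svchost.exe                 1020 Dnscache, LanmanServer, TermService,
                                 W32Time
svchost.exe                 1188 SSDPSRV
"""
# Port roles as listed in the reference table above (137-139 share one row there).
KNOWN_PORTS = {123: "NTP (Windows Time)", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 445: "SMB over TCP",
               500: "IKE/IPsec (LSASS)", 1900: "UPnP", 5000: "SSDP", 3372: "MSDTC", 3389: "Remote Desktop"}
SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")  # proto, port, state, pid
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")  # image, pid, services ("N/A" for plain programs)
def parse_netstat(text):
    """Return [(proto, port, pid)] for listening TCP sockets and all UDP sockets."""
    rows = []
    for m in filter(None, map(SOCK_RE.match, text.splitlines())):
        if not (m.group(1) == "TCP" and m.group(3) != "LISTENING"):  # skip ESTABLISHED etc.
            rows.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return rows
def parse_tasklist(text):
    """Return {pid: (image, [services])}; indented lines continue the previous entry."""
    procs, last = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            last, svcs = int(m.group(2)), m.group(3).strip()
            procs[last] = (m.group(1), [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()])
        elif last is not None and line.startswith(" ") and line.strip():
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs
def describe(port):  # role from the table, else the "anything above 1023" rule (RPC hands those out)
    return KNOWN_PORTS.get(port, "dynamic port above 1023 (RPC-assigned or application)" if port > 1023 else "not in the table")
def report(netstat_text, tasklist_text):  # join each socket to its owning image, hosted services and port role
    procs = parse_tasklist(tasklist_text)
    return [(proto, port, pid, *procs.get(pid, ("<unknown>", [])), describe(port))
            for proto, port, pid in parse_netstat(netstat_text)]
```

On a real machine, feed the two commands' output into `report()` and look for any row whose image is not one of the expected service hosts, or whose svchost instance hosts a service you did not expect to be listening.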
Jean-Baptiste Marchand wrote a very detailed article titled Minimization of network services on Windows systems which describes many of these ports in great detail.
Thanks to Brian at Infoshare Consulting for the tip on the tasklist command.