I don't know why, but I have recently gotten it into my head that I absolutely must figure out what is coming in and going out of my Windows XP Professional machine.
Could some one who REALLY knows what they're talking about please give me their thoughts.
Here is the exact information from Essential Nettools showing the TCP ports that are currently active:
TCP 0.0.0.0 port 135 Listen c:\windows\system32\svchos
TCP 0.0.0.0 port 445 Listen System
TCP 0.0.0.0 port 1025 Listen c:\windows\system32\svchos
TCP 0.0.0.0 port 1033 Listen System
TCP 0.0.0.0 port 1052 Listen c:\program files\messenger\msmsgs.exe
TCP 192.168.0.4 port 139 Listen System
TCP 192.168.0.4 port 1052 Established c:\program files\messenger\msmsgs.exe
TCP 192.168.0.4 port 9147 Listen c:\program files\messenger\msmsgs.exe
I am relatively experienced at networking, but not an expert. Here is my analysis along with a couple of specific questions.
My laptop is connected to a Windows 2003 domain controller and I am logged in. Focusing on TCP first. I have turned off all the services that I possibly can.
I know that the entry 192.168.0.4 port 139 and port 9147 are for the DHCP client.
192.168.0.4 and 0.0.0.0 port 1052 is my connection from Outlook Express to the newsgroup.
That leaves the following entries.
port 135
port 445
port 1025
port 1033
Most times, there is also a port 1027, but it wasn't there when I did the screen shot.
Also, these are the services that are running on my machine with notes.
****Event Log****
No option to stop this service
****Plug and Play****
No option to stop this service
****Remote Access Connection Manager****
Get the message, "Could not stop the Remote Access Connection Manager service on Local Computer. The service did not return an error. This could be an internal Windows error or an internal service error. If the problem persists, contact your system administrator."
****Remote Procedure Call (RPC)****
No option to stop this service
****Security Accounts Manager****
No option to stop this service
****Telephony****
Message says that the Remote Access Connection Manager will also stop.
****Terminal Services****
No option to stop this service
****Windows Audio****
No option to stop this service
Every other service is turned off.
From my reading, it seems that ports 135 and 445 are very deeply rooted in Windows networking. But, I'm really interested in what is *really* going on through these ports. What kind of traffic moves in and out?
I don't have any idea what is going on with the other ports.
I'm not worried about the UDP ports at this point. I want to figure out the TCP first, then I'll move on.
Any help would be appreciated.
--
Kurt Dicus
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
port 1025/1026 are for AD logon, so they are normal connections. the following MSKB article should be hepful on understanding the purpose of port 135/445/1025.
XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls
http://support.microsoft.c
as for 1033, it depends on different services on your system. you may use tcpview.exe to detect it.
www.sysinternals.com/ntw2k
hope it helps,
bbao
I think I got it figured out. What I was looking for was someone who could "really" tell me what was happening. Not so much the text book answer. I've spent most of the day reading on grc.com and uksecurityfocus.com. They have gotten me closer to what I was looking for. I do appreciate your timely answer. It looks like based on your profile that you are quite the guru. This was the first time I had used this site. Extremely impressive. Much better than posting to a newsgroup.
Kurt
Hi,
I also have a query on port 1025. I am working on windows xp sp2. I have been observing something wierd for last two months. Whenever, i connect to internet, my machine accepts connection on port 1025. Its random ip, sometimes from my internet cable network, sometimes its from china, us, hongcong, japan, russia. etc... I am using TCPView to see the endpoint connections.
I observed svchost.ext accepts connection on this 1025 port. I manually closed this connection 100 of times. But I am very curious to know whats happening on this port. On the same direction to know the secrets behind the scene, i installed file monitor from systinernal. I found svchost.exe (one which accepted connection on port 1025) was accessing some files in "C:\WINDOWS\System32\WBEM\
I concluded that there is bug in WIM and it allows remote users to use WIM for exploiting systems. But after two days i found, svchost.exe was doing something with modemui.dll in system32 directory. Similarly, next time..svchost.exe keep reading different system files..
Can you all please tell me whats happening there? I am also keeping a close eye, sometimes spending entire night find things..
My machine details once again:
OS: Windows XP sp2 with latest patches
IP Type: Dynamic IP
Connection Accepted on port 1025
System file: instance of svchost.exe
I searched on google and many other networking related sites..Didnt find much info on the same.
Looking forward...
Thanks,
Abdul
Close Port 1025 Or Any Other W Sygate
With Sygate Personal Firewall 5.5,
Open the Advanced Options, click ADD, then goto PORTS AND PROTOCOLS, Select TCP, two options now appear, in LOCAL box type in 1025 and leave Remote box clear, in the Traffic Direction box select Incomming. Click OK , then OK again...
goto www.grc.com do the shields up, test ur computer, and then thank me... & youre welcome.
carry on soldiers
Swp&Clr
get sygate personal firewall here, http://smb.sygate.com/free
P.S. if this has helped you, please reply and let me know, thanks...
also please note: that this port is prone to the Netsky worm, that is currently running itself all over the world. Dont believe me, see for yourself at the website of Trend Micro, http://housecall.trendmicr
i hope i have helped. good luck~
Did you ever get the answer you were looking for on 135 & 445?
You do not need to run 135 (RPC) on your workstation. It is used to call for services from workstation to a server, so the server is running this. Unless your workstation is providing a service of some sort, kill it.
Oh, kill it by disabling your RPC service (start, run, services.msc, select, stop and disable the service).
For 445 (SMB), this is used for a bunch of stuff, file shares among them. If you want to kill this, disable the server service (same way). Servers use this during authentication process, but I'm pretty sure it's for reading netlogon commands.
I found one great way to keep worms from finding my computer is to turn on IPSec, but set it to preferred instead of required. This means the first 3 syn's coming to your computer will be me with ISAKMP, which the originating computer is most likely not running. Your computer will appear non-existent until the second series of connection attempts, where it will decide the sending computer cannot talk IPSec. Great for remote access if you don't have a firewall or NAT router.
This will stop Netsky, BOT's etc, unless they are repeatedly sweeping from the same IP.
The other guys are right on with 1025-1027-ish being AD related ports. Bear in mind that Windows messenger (the PITA popup) listens on 1025.
This is an old link. I hope you are still monitoring this.
Andy
Business Accounts
Answer for Membership
by: rj-smithPosted on 2004-01-15 at 01:26:59ID: 10118744
Port 135 is the end-point mapper or RPC locator port. This is the port that RPC uses to find other RPC server ports, it's vital to the operation of MS operating systems on your LAN. This is also the port exploited by the blaster virus.
Port 445 is the port used by CIFS (Common Internet File System) and again is probably required for normal operation of your PC on the LAN.
Not sure about 1025 and 1033 but these could be dynamic port assignments and used for other Microsoft services like Active Directory, etc.
I vaguely remember 1025 being used for something like the Blackjack game though.
Hope that helps.