rowansmith asked on

System Process is listening on port 80 (Vista)

I have just noticed that port 80 is in use by the System Process.  I have not noticed this before and I am wondering if something has gone "astray".

How do I determine what is causing the System process to bind to port 80?  I do not have IIS running (according to Control Panel->Windows Features).

An output from the HTTP server is below.
Trying 192.168.1.64, 80 ... Open
GET / HTTP/1.0
 
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Jan 2009 21:21:54 GMT
Connection: close
Content-Length: 315
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>
 
[Connection to 192.168.1.64 closed by foreign host]


OS Security, Microsoft IIS Web Server, Windows Vista

Last Comment
rowansmith

8/22/2022 - Mon
Mike_Carroll

ludofulop

Run this command from the command prompt (Start - Run - cmd):
netstat -anb -p TCP |more
and in the 'local address' column look for port :80, there should be written the process which is listening on that port.
Don

ASKER
rowansmith

Guys, thanks for your feedback but unless I have missed something, none of you have read what I have said, which was:

I have just noticed that port 80 is in use by the System Process.  How do I determine what is causing the System process to bind to port 80?

To make that clearer, the Process that is listening on Port 80 is PID 4 which is the SYSTEM process.  How can I determine what is instructing the NT Kernel to BIND to port 80?

Thanks.

-Rowan


Don

Did you try any of the suggestions?
Don

ASKER
rowansmith

Thanks, all the suggestions tell me that what is listening on Port 80 is PID 4 which is the SYSTEM process.  We have determined that.

I have already read the article you linked to; as you can see the telnet output is shown in my question, the server appears to be:  Microsoft-HTTPAPI/2.0

I am not using ISA, I do not have it installed.  I am not using SBS, this is a Vista install, and according to the control panel I do not have IIS enabled.

Whenever I point a web browser at my machine I get the response shown in the output above.

Thanks.

-Rowan


Don

Post a HijackThis log to this online analyzer

http://www.hijackthis.de

Download and run Malwarebytes from www.malwarebytes.org

and also run ComboFix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ASKER
rowansmith

Thanks for your suggestion but I am looking for a way to determine what the process is that is instructing the Windows Kernel to listen on port 80.  I do not wish to scan my computer for MALWARE or analyse it for unwanted programs, I do this on a regular basis and right now everything on my computer is something that I want.  Whatever is causing the system process to bind to port 80 is a program that I want; I want to know which program it is, as I do not use the web service and it might be possible to disable the program from doing such.

I am going to ask the question in a different way, because I am not communicating this very effectively.

How do I list the URIs and associated file handles that have been registered with the Microsoft-HTTPAPI/2.0 Server?  I wish to determine which processes have called the Win32 function HttpCreateRequestQueue() and subsequently registered a URL with the Microsoft-HTTPAPI Service.  Ideally I am looking for an application I can run which will enumerate and list all of the URIs, the file handles and the process IDs.

The question is here:  https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_24085844.html

Thanks.

-Rowan
Don

Try process explorer from sysinternals

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

live.sysinternals.com
ASKER
rowansmith

Thanks, this was suggested in the very first response by Mike Carroll.  Unfortunately Process Explorer does not expand the system process. While I am sure that the HTTPAPIServer exists as a thread within the kernel, I do not know what the address is and even if I did I would not be able to interrogate it via this tool.
Don

Hmmmm....

system looks expanded to me

process.bmp
ASKER
rowansmith

Yes you have expanded the System Process to show the Processes that have been spawned by the Kernel.

The process that is listening on Port 80 is the Kernel - PID# 4.  If it was another process that was spawned by the Kernel then that process ID would show up in the netstat -ano output.

Inside that kernel (PID #4) are a number of threads, one of those threads is responsible for the HTTPAPI-Server.  That thread keeps track of file handles (and perhaps process ID's) that provide a conduit between the Kernel and the actual process that has requested that the kernel listen on a particular URL.

The HTTPAPI Server allows multiple applications (processes) to SHARE port 80.  Application/Process 1 might register the URL /myapplication1/ while Application/Process 2 might register the URL /myapplication2/.  When a web browser connects to the HTTPAPI Server and requests /myapplication1/default.html - the HTTPAPI Server knows to send this information via the handle it has to the correct process.  This allows multiple processes to effectively bind to port 80 under the condition that they are using unique namespace/URLs.

I wish to determine what that process is, perhaps even if I could list the URLs that have been registered with the Server I could determine the process assuming the URL is meaningful.

Thanks.

-Rowan
Don

Good luck.
ASKER
rowansmith

Thanks.
ASKER
rowansmith

Well it turns out that the process responsible for my port 80 was PID 5244, which in this case was SQL Reporting Services.

I determined that by attaching a Kernel level debugger to the process that had the port open (SYSTEM - PID 4) and tracing through HTTP.SYS threads in the Kernel.

A non-trivial process and not one I recommend people take.  I have not been able to find any tool that interrogates the Kernel for this information and from looking at the API for the Microsoft HTTP Server it would not appear that there is a way to do it via that avenue.

We will just leave the question here in the hope that someone else finds it and comes up with a better solution.  Failing that the question can be closed with this marked as the answer - although it is FAR from the best solution and is non-generic.
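
An added example, not part of the original thread: Windows can list HTTP.sys request queues, their attached process IDs and their registered URLs with `netsh http show servicestate view=requestq`, and the Python below parses that output to report which PID registered a URL on a given port. The sample text is constructed (PID 5244 comes from the post above, every other value is made up), and the field layout it relies on is an assumption that may differ between Windows versions.

```python
import re

# Constructed sample modelled on `netsh http show servicestate view=requestq`;
# real output has more fields and its layout may vary by Windows version.
SAMPLE = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        5244
    URL groups:
    URL group ID: FE00000040000001
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTP://+:80/REPORTSERVER/
            HTTP://+:80/REPORTS/
Request queue name: ExampleQueue
    Process IDs:
        1312
    URL groups:
    URL group ID: FD00000040000001
        Registered URLs:
            HTTP://+:8080/EXAMPLE/
"""
URL_RE = re.compile(r"^https?://[^/]*:(\d+)/", re.I)

def parse_servicestate(text):
    """Return one {'name', 'pids', 'urls'} dict per HTTP.sys request queue."""
    queues, mode = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):  # unindented: new queue
            name = line.split(":", 1)[1].strip()
            queues.append({"name": name, "pids": [], "urls": []})
            mode = None
        elif line in ("Process IDs:", "Registered URLs:"):
            mode = line
        elif queues and mode == "Process IDs:" and line.isdigit():
            queues[-1]["pids"].append(int(line))
        elif queues and mode == "Registered URLs:" and URL_RE.match(line):
            queues[-1]["urls"].append(line)
        else:
            mode = None  # any other field ends the current list
    return queues

def owners_of_port(queues, port):
    """Map each PID to the URLs its queue has registered on a TCP port."""
    owners = {}
    for q in queues:
        hits = [u for u in q["urls"] if URL_RE.match(u).group(1) == str(port)]
        for pid in (q["pids"] if hits else []):
            owners.setdefault(pid, []).extend(hits)
    return owners
```

On a live machine, pass the captured command output to `parse_servicestate()` in place of `SAMPLE`, then look up the returned PIDs in Task Manager or `tasklist`.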
ASKER CERTIFIED SOLUTION
rowansmith
