rowansmith

asked on

System Process is listening on port 80 (Vista)

I have just noticed that port 80 is in use by the System Process. I have not noticed this before and I am wondering if something has gone "astray".

How do I determine what is causing the System process to bind to port 80? I do not have IIS running (according to Control Panel -> Windows Features).

An output from the HTTP server is below.
Trying 192.168.1.64, 80 ... Open
GET / HTTP/1.0
 
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 25 Jan 2009 21:21:54 GMT
Connection: close
Content-Length: 315
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>
 
[Connection to 192.168.1.64 closed by foreign host]


Mike_Carroll

ludofulop

Run this command from the command prompt (Start -> Run -> cmd):
netstat -anb -p TCP |more
In the 'Local Address' column look for port :80; the process listening on that port should be shown there.

ASKER

Guys, thanks for your feedback but unless I have missed something, none of you have read what I have said, which was:

I have just noticed that port 80 is in use by the System Process. How do I determine what is causing the System process to bind to port 80?

To make that clearer, the Process that is listening on Port 80 is PID 4 which is the SYSTEM process.  How can I determine what is instructing the NT Kernel to BIND to port 80?

Thanks.

-Rowan


Did you try any of the suggestions?
Thanks, all the suggestions tell me that what is listening on Port 80 is PID 4, which is the SYSTEM process. We have determined that.

I have already read the article you linked to; as you can see, the telnet output is shown in my question, and the server appears to be: Microsoft-HTTPAPI/2.0

I am not using ISA, I do not have it installed.  I am not using SBS, this is a Vista install, and according to the control panel I do not have IIS enabled.

Whenever I point a web browser at my machine I get the response shown in the output above.

Thanks.

-Rowan


Post a hijackthis log to this online analyzer

http://www.hijackthis.de 

download and run malwarebyte from www.malwarebytes.org

and also run combofix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks for your suggestion but I am looking for a way to determine what the process is that is instructing the Windows Kernel to listen on port 80. I do not wish to scan my computer for MALWARE or analyse it for unwanted programs; I do this on a regular basis and right now everything on my computer is something that I want. Whatever is causing the system process to bind to port 80 is a program that I want; I want to know which program it is, as I do not use the web service and it might be possible to disable the program from doing such.

I am going to ask the question in a different way, because I am not communicating this very effectively.

How do I list the URIs and associated file handles that have been registered with the Microsoft-HTTPAPI/2.0 Server.  I wish to determine which processes have called the Win32 function HttpCreateRequestQueue() and subsequently registered a URL with the Microsoft-HTTPAPI Service.  Ideally I am looking for an application I can run which will enumerate and list all of the URIs the file handles and the process IDs.

The question is here:  https://www.experts-exchange.com/questions/24085844/List-the-URLs-and-Processes-that-have-registered-with-Microsoft-HTTPAPI-2-0.html

Thanks.

-Rowan
Try process explorer from sysinternals

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

live.sysinternals.com
Thanks, this was suggested in the very first response by Mike Carroll.  Unfortunately process explorer does not expand the system process, while I am sure that the HTTPAPIServer exists as a thread within the kernel, I do not know what the address is and even if I did I would not be able to interrogate it via this tool.
Hmmmm....

system looks expanded to me

process.bmp
Yes you have expanded the System Process to show the Processes that have been spawned by the Kernel.

The process that is listening on Port 80 is the Kernel - PID# 4. If it were another process that was spawned by the Kernel then that process ID would show up in the netstat -ano output.

Inside that kernel (PID #4) are a number of threads, one of which is responsible for the HTTPAPI-Server. That thread keeps track of file handles (and perhaps process IDs) that provide a conduit between the Kernel and the actual process that has requested that the kernel listen on a particular URL.

The HTTPAPI Server allows multiple applications (processes) to SHARE port 80.  Application/Process 1 might register the URL /myapplication1/ while Application/Process 2 might register the URL /myapplication2/.  When a web browser connects to the HTTPAPI Server and requests /myapplication1/default.html - the HTTPAPI Server knows to send this information via the handle it has to the correct process.  This allows multiple processes to effectively bind to port 80 under the condition that they are using unique namespace/URLs.

I wish to determine what that process is, perhaps even if I could list the URLs that have been registered with the Server I could determine the process assuming the URL is meaningful.

Thanks.

-Rowan
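Nobody in the thread names a built-in tool for the enumeration asked for above, so here is an added example that is not from any participant: on Vista and later, the netsh http context dumps the http.sys request queues together with the process IDs attached to them and the URLs each queue registered, and this PowerShell script parses that output and maps each PID to a process name. It assumes English-localized netsh output; the embedded sample block is constructed (the PID and URL in it are made up) so the parser can be run offline.

```powershell
# Added example: correlate http.sys request queues with attached PIDs and
# registered URLs, parsed from "netsh http show servicestate view=requestq".
# Assumes English netsh output (the parser keys on the English labels).
function Get-HttpSysRegistration {
    param([string[]]$Lines = (netsh http show servicestate view=requestq))
    $queues = @(); $current = $null; $mode = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # An unindented "Request queue name:" line starts a new queue block
        if ($line -notmatch '^\s' -and $t -match '^Request queue name:\s*(.*)$') {
            $current = [pscustomobject]@{ Queue = $Matches[1]; PIDs = @(); Urls = @() }
            $queues += $current; $mode = ''
        }
        elseif ($t -eq 'Process IDs:')     { $mode = 'pid' }
        elseif ($t -eq 'Registered URLs:') { $mode = 'url' }
        elseif ($current -and $mode -eq 'pid' -and $t -match '^\d+$')      { $current.PIDs += [int]$t }
        elseif ($current -and $mode -eq 'url' -and $t -match '^https?://') { $current.Urls += $t }
        else { $mode = '' }   # any other line ends the current PID / URL list
    }
    foreach ($q in $queues) {
        foreach ($id in $q.PIDs) {
            $name = '(not running)'   # a stale queue can outlive its process
            $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
            if ($proc) { $name = $proc.ProcessName }
            [pscustomobject]@{ PID = $id; Process = $name; Queue = $q.Queue; Urls = ($q.Urls -join ' ') }
        }
    }
}

# Constructed sample mirroring the shape of the real output (PID and URL are
# made up) so the parser can be exercised without touching http.sys.
$sample = @'
Snapshot of HTTP service state (Request Queue View):

Request queue name: Request queue is unnamed.
    Number of active processes attached: 1
    Process IDs:
        5244
    URL groups:
    URL group ID: FE00000040000001
        Registered URLs:
            HTTP://+:80/REPORTSERVER/
'@ -split "`r?`n"

Get-HttpSysRegistration -Lines $sample | Format-Table -AutoSize   # offline run on the sample
Get-HttpSysRegistration | Format-Table -AutoSize                  # live http.sys state
```

`netsh http show urlacl` only lists URL reservation ACLs, not which process is attached; the request-queue view above is what ties a registered URL to a PID.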
Good luck.
Thanks.
Well it turns out that the process responsible for my port 80 was PID 5244, which in this case was SQL Reporting Services.

I determined that by attaching a Kernel level debugger to the process that had the port open (SYSTEM - PID 4) and tracing through HTTP.SYS threads in the Kernel.

A non-trivial process and not one I recommend people take. I have not been able to find any tool that interrogates the Kernel for this information, and from looking at the API for the Microsoft HTTP Server it would not appear that there is a way to do it via that avenue.

We will just leave the question here in the hope that someone else finds it and comes up with a better solution. Failing that, the question can be closed with this marked as the answer - although it is FAR from the best solution and is non-generic.
ASKER CERTIFIED SOLUTION
rowansmith
