System Process is listening on port 80 (Vista)

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

run this command from the command prompt  (start - run - cmd) :
netstat -anb -p TCP |more
and in the 'local address' column look for port :80, there should be written the process which is listening on that port.

Try this nifty tool


http://www.nirsoft.net/utils/cports.html

Guys, thanks for your feedback but unless I have missed something, none of you have read what I have said, which was:

I have just noticed that port 80 is in use by the System Process.  How do I determine what is causing the System process to bind to port 80.

To make that clearer, the Process that is listening on Port 80 is PID 4 which is the SYSTEM process.  How can I determine what is instructing the NT Kernel to BIND to port 80?

Thanks.

-Rowan

Did you try any of the suggestions?

SYSTEM Process is listening on Port 80 and Preventing IIS Default Website from Running

Thanks all the suggestions tell me that what is listening on Port 80 is PID 4 which is the SYSTEM process.  We have determined that.

I have already read the article you linked too, as you can see the telnet output is showed in my question, the server appears to be:  Microsoft-HTTPAPI/2.0

I am not using ISA, I do not have it installed.  I am not using SBS, this is a Vista install, and according to the control panel I do not have IIS enabled.

Whenever I point a web browser at my machine I get the response shown in the output above.

Thanks.

-Rowan

Post a hijackthis log to this online analyzer

http://www.hijackthis.de 

download and run malwarebyte from www.malwarebytes.org

and also run combofix from  http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks for your suggestion but I am looking for a way to determine what the process is that is instructing the Windows Kernel to listen on port 80.  I do not wish to scan my computer for MALWARE or analyse it for unwanted programs, I do this on a regular basis and right now everything on my computer is something that I want.  What ever is causing the system process to bind to port 80 is a program that I want, I want to know which program it is as I do not use the web service and it might be possible to disable the program from doing such.

I am going to ask the question in a different way, because I am not communicating this very effectively.

How do I list the URIs and associated file handles that have been registered with the Microsoft-HTTPAPI/2.0 Server.  I wish to determine which processes have called the Win32 function HttpCreateRequestQueue() and subsequently registered a URL with the Microsoft-HTTPAPI Service.  Ideally I am looking for an application I can run which will enumerate and list all of the URIs the file handles and the process IDs.

The question is here:  https://www.experts-exchange.com/questions/24085844/List-the-URLs-and-Processes-that-have-registered-with-Microsoft-HTTPAPI-2-0.html

Thanks.

-Rowan

Try process explorer from sysinternals

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

live.sysinternals.com

Thanks, this was suggested in the very first response by Mike Carroll.  Unfortunately process explorer does not expand the system process, while I am sure that the HTTPAPIServer exists as a thread within the kernel, I do not know what the address is and even if I did I would not be able to interrogate it via this tool.

Hmmmm....

system looks expanded to me

process.bmp

Yes you have expanded the System Process to show the Processes that have been spawned by the Kernel.

The process that is listening on Port 80 is the Kernel - PID# 4.  If it was a another process that was spawned by the Kernel then that process ID would show up in the netstat -ano output.

Inside that kernel (PID #4) are a number of threads, one of those threads is responsible for the HTTPAPI-Server.  That thread keeps track of file handles (and perhaps process ID's) that provide a conduit between the Kernel and the actual process that has requested that the kernel listen on a particular URL.

The HTTPAPI Server allows multiple applications (processes) to SHARE port 80.  Application/Process 1 might register the URL /myapplication1/ while Application/Process 2 might register the URL /myapplication2/.  When a web browser connects to the HTTPAPI Server and requests /myapplication1/default.html - the HTTPAPI Server knows to send this information via the handle it has to the correct process.  This allows multiple processes to effectively bind to port 80 under the condition that they are using unique namespace/URLs.

I wish to determine what that process is, perhaps even if I could list the URLs that have been registered with the Server I could determine the process assuming the URL is meaningful.

Thanks.

-Rowan

Good luck.

Thanks.

Well it turns out that the process responsible for my port 80 was PID 5244, which in this case was SQL Reporting Services.

I determined that by attaching a Kernel level debugger to the process that had the port open (SYSTEM - PID 4) and tracing through HTTP.SYS threads in the Kernel.

A non trivial process and not one I recommend people take.  I have not been able to find any tool that interrogates the Kernel for this information and from looking at the API for the Microsoft HTTP Server it would not appear that their is a way to do it via that avenue.

We will just leave the question here in the hope that someone else finds it and comes up with a better solution.  Failing that the question can be closed with this marked as the answer - although it is FAR from the best solution and is non generic.