Solved

How to find out why ntoskrnl.exe would open port 80

Posted on 2014-07-23
2,982 Views
1 Endorsement
Last Modified: 2014-07-24
This is not for you who hope to catch a virus :)

This is Win 8.1 x64 Pro and we are establishing a firewall policy. We discovered a system that has port 80 open for no apparent reason and hesitate to let the firewall close it. We might finally do it, but first I'd like to know how I could determine what service or process opens that port. [Opening http://localhost:80 will not amount to anything, but indeed from remote I can successfully "telnet client 80".]

netstat -ano shows that the PID of the process listening on 80 is 4 and the process name is "System". In Task Manager, I right-click System (which indeed has PID=4) and select "Open file location", which leads me to C:\Windows\System32\ntoskrnl.exe
I have no idea why ntoskrnl.exe would want to open port 80.

Process Explorer cannot tell me anything about which subthread of ntoskrnl.exe opens that port.

-> Who can tell me how to investigate further?
-> Who has seen the same?
Question by:McKnife
9 Comments
 
LVL 19

Accepted Solution

by: Miguel Angel Perez Muñoz earned 300 total points
ID: 40214244
Hope this helps: http://superuser.com/questions/352017/pid4-using-port-80
Some users have the same, and someone suspects another app is launching IIS as part of the OS.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 40214370
Any version of IIS, Visual Studio, or web development tools installed, or IIS enabled under Windows Features? That can have results similar to what you have found.
0
 
LVL 53

Author Comment

by:McKnife
ID: 40214405
Hi Miguel.

I am looking for a systematic way, like finding a list saved somewhere.
There is no IIS installed; telnet did not tell anything useful after "GET / HTTP/1.1".
What I could make out, however, is that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP has a value of "3" for Start, so it's that service. Who/what set it to start is still unclear.
0
 
LVL 53

Author Comment

by:McKnife
ID: 40214410
Hi Rob.

Yes, Visual Studio is installed. How to proceed? (I am the admin, not the VS end user.)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214559
To be honest I don't know. I suspect it is intended just for internal use for testing purposes when doing design/development with VS. I would close the port within the firewall console under Public and Domain, and leave it open just for Private for localhost testing.
0
 
LVL 53

Author Comment

by:McKnife
ID: 40214616
That's not what I had in mind. I am looking for a method to get to the program name that opens port 80 in order to see what it is used for. I will not close 80 without knowing that beforehand. This will not be the only case in the network, so I cannot simply close it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214657
Process Explorer may help you find what is using ntoskrnl.exe, though probably only if the appropriate program is running.
http://technet.microsoft.com/en-ca/sysinternals/bb896653

Wireshark, again if the application is running, may help to identify what is accessing the port.
http://www.wireshark.org/

However without knowing the offending application you might have to try running everything and anything to make use of those tools.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214701
Interesting question, so out of curiosity I played with Windows Features. Enabling "World Wide Web Services", a subset of services under IIS, does set the localhost to listen on port 80 and is linked to PID 4 and ntoskrnl.exe. I am sure it is not the only possible cause, but definitely one.

Though it does add the WWW service to the Windows firewall rules, it does not appear to open the port (Action: Allow is set to No).
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 40216201
As I wrote, Process Explorer does not reveal anything.
But about IIS, I was wrong, sorry, it is installed. So that's it.

I think for other processes that netstat lists, it won't be that hard, and I consider the matter solved. I have not learned a systematic way (that's why I hope you'll understand the B grading), but I'll reward both.
0
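The "systematic way" the asker was looking for does exist: a PID 4 listener on port 80 means the socket belongs to the kernel-mode HTTP.sys driver (service name HTTP, the key whose Start value of 3 was found above), and HTTP.sys keeps a list of the URLs registered with it and of the user-mode processes attached to each request queue, which `netsh http show servicestate` can dump. The script below is an added example written for this thread, not code posted by any participant; it walks from the listening socket to the HTTP.sys driver state, to the registered URLs and their owning processes (with IIS installed this is typically the svchost.exe hosting W3SVC), to the enabled IIS-* Windows features, and finally to the inbound firewall rules that cover port 80. It assumes Windows 8.1 / Server 2012 R2 or later (NetTCPIP and NetSecurity modules), administrative rights, and the netsh output layout seen on those builds; the parsing regexes are the author's assumption about that layout.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Walks from "PID 4 listens on :80" to the HTTP.sys driver, the user-mode owners
# of the registered URLs, the IIS features that installed them, and the firewall rules.

function Get-Port80Listener {
    # Step 1: which PID owns the listening socket? PID 4 is System, i.e. a kernel-mode driver.
    Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                OwningProcess = $_.OwningProcess
                ProcessName   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

function Get-HttpSysState {
    # Step 2: PID 4 on port 80 means HTTP.sys (driver service "HTTP").
    # Start = 3 is demand start: any service or application using the HTTP Server API loads it.
    $start  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP' -Name Start).Start
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
    [pscustomobject]@{ StartValue = $start; State = $driver.State; ImagePath = $driver.PathName }
}

function Get-HttpSysRegistrations {
    # Step 3: the "list saved somewhere". HTTP.sys reports every registered URL and the
    # PIDs attached to each request queue. Parsing assumes the "Process IDs:" and
    # "Registered URLs:" block headers seen on Windows 8.1 / 2012 R2 (assumption).
    $lines = & netsh.exe http show servicestate view=requestq
    $mode = ''; $processIds = @(); $urls = @()
    foreach ($line in $lines) {
        if ($line -match '^\s*Process IDs:')     { $mode = 'pid'; continue }
        if ($line -match '^\s*Registered URLs:') { $mode = 'url'; continue }
        if ($mode -eq 'pid' -and $line -match '^\s*(\d+)\s*$')      { $processIds += [int]$Matches[1]; continue }
        if ($mode -eq 'url' -and $line -match '^\s*(https?://\S+)') { $urls += $Matches[1];            continue }
        if ($line -match '^\s*[A-Za-z].*:') { $mode = '' }   # any other "Key:" line ends the block
    }
    # Map each attached PID to its process and, for svchost, to the services it hosts.
    $owners = foreach ($p in ($processIds | Sort-Object -Unique)) {
        $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
        $svcs = (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$p").Name -join ','
        [pscustomobject]@{ ProcessId = $p; Process = $proc.ProcessName; HostedServices = $svcs }
    }
    [pscustomobject]@{ RegisteredUrls = ($urls | Sort-Object -Unique); Owners = $owners }
}

function Get-IisFeatureState {
    # Step 4: which IIS components are enabled under Windows Features (e.g. IIS-WebServer).
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'IIS-*' -and $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty FeatureName
}

function Get-Port80FirewallRules {
    # Step 5: inbound rules whose port filter covers 80, with profile and action,
    # so the exposure on Public/Domain vs Private can be judged before changing anything.
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains '80' } |
        Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
}

# Usage: a PID 4 listener plus HTTP.sys registrations owned by an svchost hosting W3SVC,
# with IIS-* features enabled, is the "World Wide Web Services" case found in this thread.
Get-Port80Listener | Format-Table -AutoSize
Get-HttpSysState | Format-List
$reg = Get-HttpSysRegistrations
$reg.RegisteredUrls
$reg.Owners | Format-Table -AutoSize
Get-IisFeatureState
Get-Port80FirewallRules | Format-Table -AutoSize
```

The key idea is that HTTP.sys multiplexes one listening socket among many user-mode applications, so the socket owner (PID 4) never identifies the application; the URL registrations do. The same walk applies to other HTTP.sys users such as WinRM on 5985, Web Deploy, or SQL Server Reporting Services: whatever port `netstat` attributes to PID 4, `netsh http show servicestate` names the URL prefix and the attached process.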
