How to find out why ntoskrnl.exe would open port 80

Posted on 2014-07-23
Medium Priority
1 Endorsement
Last Modified: 2014-07-24
This is not for you who hope to catch a virus :)

This is Win 8.1 x64 Pro and we are establishing a firewall policy. We discovered a system that has port 80 open for no apparent reason and hesitate to let the firewall close it. We might finally do it, but first I'd like to know how I could determine what service or process opens that port. [Opening http://localhost:80 will not amount to anything, but indeed from remote I can successfully "telnet client 80".]

netstat -ano shows that the PID of the process that is listening on 80 is 4 and the process name is "System". In Task Manager, I right-click System (which indeed has PID=4) and select "Open file location", which leads me to C:\Windows\System32\ntoskrnl.exe
I have no idea why ntoskrnl.exe would want to open port 80.

Process Explorer cannot tell me anything about which subthread of ntoskrnl.exe opens that port.

->who can tell me how to further investigate?
->who has seen the same?
Question by:McKnife
LVL 19

Accepted Solution

Miguel Angel Perez Muñoz earned 900 total points
ID: 40214244
Hope this helps: http://superuser.com/questions/352017/pid4-using-port-80
Some users have had the same, and some suspect another app is launching IIS as part of the OS.
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 600 total points
ID: 40214370
Any version of IIS, Visual Studio, or web development tools installed, or IIS enabled under Windows features? That can have results similar to what you have found.
LVL 56

Author Comment

ID: 40214405
Hi Miguel.

I am looking for a systematic way, like finding a list saved somewhere.
There is no IIS installed, telnet did not tell anything useful after "GET / HTTP/1.1".
What I could make out, however, is that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP has a value of "3" for Start, so it's that service. Who/what set it to start is still unclear.
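A systematic way to get from "PID 4 listens on port 80" to the program behind it does exist, because a listener owned by PID 4 is normally the kernel-mode HTTP driver (HTTP.sys, the "HTTP" service found in the registry above), and HTTP.sys itself keeps the table of which user-mode process registered which URL namespace. The following PowerShell script is an added example, not code from the thread or from anyone posting in it; it assumes Windows 8.1 with an elevated prompt, and it only parses the text that netsh prints, so the regular expressions are assumptions about that output format.

```powershell
# Added example, not code from the thread. Triage of a port-80 listener that netstat
# attributes to PID 4 on Windows 8.1. PID 4 is the System process, and a TCP listener
# it owns is normally the kernel-mode HTTP driver (HTTP.sys, service name "HTTP").
# HTTP.sys keeps a table of which user-mode process registered which URL namespace;
# that table is the "list saved somewhere" the question asks for, and
# 'netsh http show servicestate' prints it. Run from an elevated PowerShell prompt.

param([int]$Port = 80)

# 1. Confirm the listener and its owning PID (same data as netstat -ano).
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    "{0}:{1} is owned by PID {2} ({3})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName
}
if (-not $listeners) { "Nothing is listening on TCP $Port."; return }

# 2. Only a PID-4 owner needs the HTTP.sys route; any other PID is an ordinary process.
if ($listeners.OwningProcess -notcontains 4) { "Listener is a normal process; inspect it directly."; return }

# 3. Ask HTTP.sys which URLs are registered and which processes registered them.
#    The output is text, so walk it: a 'Registered URLs:' block lists the namespaces
#    (e.g. HTTP://+:80/ or HTTP://*:5985/WSMAN/), and a 'Process IDs:' block lists the
#    PIDs attached to the request queue that serves them. Line patterns are assumptions
#    about the netsh output format.
$state = & netsh.exe http show servicestate
$inPids = $false
foreach ($line in $state) {
    if ($line -match '^\s*Process IDs:') { $inPids = $true; "Process IDs attached to a request queue:"; continue }
    if ($inPids -and $line -match '^\s*(\d+)\s*$') {
        $owner = [int]$Matches[1]          # not $pid: that is a PowerShell automatic variable
        $p = Get-Process -Id $owner -ErrorAction SilentlyContinue
        "    PID {0} -> {1}" -f $owner, $(if ($p) { $p.Path } else { '<exited>' })
        continue
    }
    $inPids = $false
    if ($line -match '^\s*(https?://\S+)') { "Registered URL: $($Matches[1])" }
}

# 4. Persistent URL reservations (urlacl) survive reboots and show who is *allowed*
#    to register a namespace even when no process currently has it open.
"--- URL reservations mentioning port $Port ---"
(& netsh.exe http show urlacl) | Where-Object { $_ -match "://[^/]*:$Port/" }

# 5. Why HTTP.sys starts at all: its Start value (3 = demand start, as in the thread)
#    and the services whose registry entries declare a dependency on it. Those
#    services (W3SVC for IIS, WinRM, and so on) are what actually cause the listener.
$http = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP' -ErrorAction SilentlyContinue
"HTTP driver Start value: $($http.Start)"
"--- Services that depend on the HTTP driver ---"
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {
    (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DependOnService -contains 'HTTP'
} | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath
    "    {0}  Start={1}  ImagePath={2}" -f $_.PSChildName, $svc.Start, $svc.ImagePath
}
```

Step 3 is the one that answers the question directly: a Process ID listed under a request queue is the user-mode program that asked HTTP.sys to listen, so Process Explorer on that PID (rather than on PID 4) shows what it is. Step 5 explains why the listener comes back after a reboot even when nothing is visibly running, since any service that depends on HTTP will load the driver on demand.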
LVL 56

Author Comment

ID: 40214410
Hi Rob.

Yes, Visual Studio is installed - how to proceed? (I am the admin, not the VS end user)
LVL 77

Expert Comment

by:Rob Williams
ID: 40214559
To be honest I don't know. I suspect it is intended just for internal use for testing purposes when doing design/development with VS. I would close the port within the firewall console under public and domain, and leave it just as private for localhost testing.
LVL 56

Author Comment

ID: 40214616
That's not what I had in mind. I am looking for a method to get to the program name that opens port 80 in order to see what it is used for. I will not close 80 without before. This will not be the only case in the network, so I cannot simply close it.
LVL 77

Expert Comment

by:Rob Williams
ID: 40214657
Process Explorer may help you find what is using ntoskrnl.exe, though probably only if the appropriate program is running.

Wireshark, again if the application is running, may help to identify what is accessing the port.

However without knowing the offending application you might have to try running everything and anything to make use of those tools.
LVL 77

Expert Comment

by:Rob Williams
ID: 40214701
Interesting question, so out of curiosity I played with Windows features. Enabling "World Wide Web Services", a subset of services under IIS, does set the localhost to listen on port 80 and is linked to PID 4 and ntoskrnl.exe. I am sure it is not the only possible cause, but definitely one.

Though it does add the WWW service to the Windows Firewall rules, it does not appear to open the port: Action, Allow is set to No.
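The two observations above, an IIS feature being enabled and a firewall rule existing but not actually opening anything, can both be checked from PowerShell instead of clicking through Windows Features and the firewall console. This script is an added example, not code from the thread; it assumes Windows 8.1 with an elevated prompt, and it looks up firewall rules by their port filter rather than by the rule group name, so it does not depend on what the IIS installer happened to call the rule.

```powershell
# Added example, not code from the thread. Checks the two things the comment above
# describes on Windows 8.1: which IIS optional features are enabled, and whether any
# inbound firewall rule for local port 80 is actually enabled and allowing traffic.
# Run from an elevated PowerShell prompt.

# 1. IIS optional feature state. IIS-WebServer is the "World Wide Web Services" node;
#    any enabled feature under it is enough to start W3SVC, which makes HTTP.sys listen.
$iisFeatures = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'IIS-*' -and $_.State -eq 'Enabled' } |
    Select-Object -ExpandProperty FeatureName
if ($iisFeatures) { "Enabled IIS features:"; $iisFeatures | ForEach-Object { "    $_" } }
else { "No IIS features are enabled." }

# 2. Every firewall rule whose port filter names local port 80, with its real effect.
#    A rule that exists but has Enabled=False (the situation the comment reports) does
#    not open anything; only Enabled=True plus Action=Allow on the active profile does.
"Firewall rules for local port 80:"
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq '80' } | Get-NetFirewallRule |
    ForEach-Object {
        "    {0,-45} Enabled={1,-5} Action={2,-5} Profile={3} Direction={4}" -f $_.DisplayName, $_.Enabled, $_.Action, $_.Profile, $_.Direction
    }

# 3. Which profile the machine is on right now, to compare against the Profile column:
#    a rule limited to Private does nothing while the adapter is classified Public or Domain.
$active = Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory
"Active network profile(s): $($active -join ', ')"
```

The port-filter pipeline in step 2 is the useful part for a firewall policy review: it lists every rule that could expose port 80, including ones created by Visual Studio tooling or anything else, not only the IIS group, and the Enabled/Action/Profile columns are what decide whether a remote "telnet client 80" can succeed.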
LVL 56

Author Closing Comment

ID: 40216201
As I wrote, process explorer does not reveal anything.
But about IIS, I was wrong, sorry, it is installed. So that's it.

I think for other processes that netstat lists, it won't be that hard, and I consider the matter solved. I have not learned a systematic way (that's why I hope you'll understand the B grading), but I'll reward both.
