Solved

How to find out why ntoskrnl.exe would open port 80

Posted on 2014-07-23
9
3,394 Views
1 Endorsement
Last Modified: 2014-07-24
This is not for you who hope to catch a virus :)

This is win8.1 x64 pro and we are establishing a firewall policy. We discovered a system that has port 80 open for no apparent reason and hesitate to let the firewall close it. We might finally do it but first I'd like to know how I could determine what service or process opens that port. [opening http:/localhost:80 will not amount to anything, but indeed from remote I can successfully "telnet client 80"]

netstat -ano shows, the PID of the process that is listening on 80 is 4 and the process name is "system". In taskmanager, I rightclick system (which indeed has PID=4) and select "open file location" which leads me to C:\Windows\System32\ntoskrnl.exe
I have no idea why ntoskrnl.exe would want to open port 80.

Process Explorer cannot tell me anything about which subthread of ntoskrnl.exe opens that port.

->who can tell me how to further investigate?
->who has seen the same?
1
Comment
Question by:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 19

Accepted Solution

by:
Miguel Angel Perez Muñoz earned 300 total points
ID: 40214244
Hope this helps: http://superuser.com/questions/352017/pid4-using-port-80
Some users has same and anyone suspect another app is launching IIS as a part of OS.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 40214370
Any version of IIS, Visual Studio, or web development tools installed, or IIS enabled under Windows features?  That can have results similar to what you have found.
0
 
LVL 55

Author Comment

by:McKnife
ID: 40214405
Hi Miguel.

I am looking for a systematic way, like finding a list saved somewhere.
There is no IIS installed, telnet did not tell anything useful after "GET / HTTP/1.1".
What I could make out however, is that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP has a value of "3" for start, so it's that service. Who/what set it to start, is still unclear.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 55

Author Comment

by:McKnife
ID: 40214410
Hi Rob.

Yes, Visual Studio is installed - how to proceed? (I am the admin, not the VS end user)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214559
To be honest I don't know I suspect it is intended just for internal use for testing purposes when doing design/development with VS.  I would close the port within the firewall console under public and domain, and leave just as private for localhost testing.
0
 
LVL 55

Author Comment

by:McKnife
ID: 40214616
That's not what I had in mind. I am looking for a method to get to the program name that opens port 80 in order to see what it is used for. I will not close 80 without before. This will not be the only case in the network, so I cannot simply close it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214657
Process explorer may help you find what is using ntoskrnl.exe , though probably only if the appropriate program is running.
http://technet.microsoft.com/en-ca/sysinternals/bb896653

Wireshark, again if the application is running, may help to identify what is accessing the port.
http://www.wireshark.org/

However without knowing the offending application you might have to try running everything and anything to make use of those tools.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214701
Interesting question so out of curiosity I played with Windows features.    Enabling "World Wide Web Services", a sub-set of services under IIS, does set the localhost to listen on port 80 and is linked to PID 4 and ntoskrnl.exe.  I am sure it is not the only possible cause, but definitely one.

Though it does add the WWW service to the windows firewall rules, It does not appear to open the port -Action, Allow is set to no
0
 
LVL 55

Author Closing Comment

by:McKnife
ID: 40216201
As I wrote, process explorer does not reveal anything.
But about IIS, I was wrong, sorry, it is installed. So that's it.

I think for other processes that netstat lists, it won't be that hard and consider the matter solved. I have not learned a systematic way (that's why I hope you'll understand the B grading) but I'll reward both.
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
The goal of this Micro Tutorial is to help navigate beginning users with the app store on Windows 8. It will explain exciting features how to maximize your PC through these apps. This will be demonstrated using Windows 8 operating system.
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question