How to find out why ntoskrnl.exe would open port 80

This is not for you who hope to catch a virus :)

This is Win 8.1 x64 Pro and we are establishing a firewall policy. We discovered a system that has port 80 open for no apparent reason and hesitate to let the firewall close it. We might finally do it, but first I'd like to know how I could determine what service or process opens that port. [Opening http://localhost:80 will not amount to anything, but indeed from remote I can successfully "telnet client 80".]

netstat -ano shows that the PID of the process that is listening on 80 is 4 and the process name is "system". In Task Manager, I right-click system (which indeed has PID=4) and select "open file location", which leads me to C:\Windows\System32\ntoskrnl.exe
I have no idea why ntoskrnl.exe would want to open port 80.

Process Explorer cannot tell me anything about which subthread of ntoskrnl.exe opens that port.

->who can tell me how to further investigate?
->who has seen the same?
Miguel Angel Perez Muñoz Commented:
Hope this helps:
Some users have the same issue, and some suspect another app is launching IIS as a part of the OS.

Rob Williams Commented:
Any version of IIS, Visual Studio, or web development tools installed, or IIS enabled under Windows features?  That can have results similar to what you have found.
McKnife (Author) Commented:
Hi Miguel.

I am looking for a systematic way, like finding a list saved somewhere.
There is no IIS installed, telnet did not tell anything useful after "GET / HTTP/1.1".
What I could make out however, is that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP has a value of "3" for start, so it's that service. Who/what set it to start, is still unclear.
McKnife (Author) Commented:
Hi Rob.

Yes, Visual Studio is installed - how to proceed? (I am the admin, not the VS end user)
Rob Williams Commented:
To be honest, I don't know. I suspect it is intended just for internal use for testing purposes when doing design/development with VS. I would close the port within the firewall console under public and domain, and leave just as private for localhost testing.
McKnife (Author) Commented:
That's not what I had in mind. I am looking for a method to get to the program name that opens port 80 in order to see what it is used for. I will not close 80 before that. This will not be the only case in the network, so I cannot simply close it.
Rob Williams Commented:
Process Explorer may help you find what is using ntoskrnl.exe, though probably only if the appropriate program is running.

Wireshark, again if the application is running, may help to identify what is accessing the port.

However, without knowing the offending application you might have to try running everything and anything to make use of those tools.
Rob Williams Commented:
Interesting question, so out of curiosity I played with Windows features. Enabling "World Wide Web Services", a subset of services under IIS, does set the localhost to listen on port 80 and is linked to PID 4 and ntoskrnl.exe. I am sure it is not the only possible cause, but definitely one.

Though it does add the WWW service to the Windows firewall rules, it does not appear to open the port - Action, Allow is set to no.
McKnife (Author) Commented:
As I wrote, Process Explorer does not reveal anything.
But about IIS, I was wrong, sorry, it is installed. So that's it.

I think for other processes that netstat lists, it won't be that hard and consider the matter solved. I have not learned a systematic way (that's why I hope you'll understand the B grading) but I'll reward both.
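
A systematic way to map the port back to a program, as an added example that is not part of the original thread: when PID 4 holds a TCP listener, the kernel HTTP driver (the HTTP service found in the registry above) is listening on behalf of user-mode processes, and `netsh http show servicestate view=requestq` lists which request queue and process IDs registered which URL prefixes. The function name `Get-HttpSysOwner`, the sample text and the English output labels it matches are assumptions.

```powershell
# Added example, not from the thread. Parses English-locale output of
#   netsh http show servicestate view=requestq verbose=no
function Get-HttpSysOwner {
    param([string[]]$Lines, [int]$Port = 80)
    $queue = $null; $owners = @(); $mode = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($raw -match '^Request queue name:\s*(.+)$') {
            # An unindented "Request queue name" line starts a new queue section
            $queue = $Matches[1]; $owners = @(); $mode = ''
        } elseif ($line -eq 'Process IDs:')     { $mode = 'pids' }
        elseif ($line -eq 'Registered URLs:')   { $mode = 'urls' }
        elseif ($mode -eq 'pids' -and $line -match '^\d+$') { $owners += [int]$line }
        elseif ($mode -eq 'urls' -and $line -match '^https?://[^/]+:(\d+)/') {
            if ([int]$Matches[1] -ne $Port) { continue }
            if (-not $owners) {
                # URL is reserved (e.g. by IIS) but no worker has attached yet
                [pscustomobject]@{ Url = $line; Queue = $queue
                                   ProcessId = $null; Process = '(no process attached)' }
            }
            foreach ($id in $owners) {
                $p = Get-Process -Id $id -ErrorAction SilentlyContinue
                [pscustomobject]@{ Url = $line; Queue = $queue; ProcessId = $id
                    Process = if ($p) { $p.ProcessName } else { '(not running)' } }
            }
        } elseif ($line -ne '') { $mode = '' }   # any other label ends the list
    }
}

# Constructed sample output (PIDs and queue names are made up, so the
# Process column is only meaningful on a live host).
$sample = @'
Request queue name: DefaultAppPool
    Process IDs:
        2468
    URL groups:
    URL group ID: FE00000040000001
        Request queue name: DefaultAppPool
        Registered URLs:
            HTTP://*:80/
Request queue name: Request queue is unnamed.
    Process IDs:
        1356
    URL groups:
    URL group ID: FE00000040000002
        Registered URLs:
            HTTP://+:5357/0123/
'@ -split "`r?`n"

Get-HttpSysOwner -Lines $sample -Port 80
# Live host, elevated prompt:
# Get-HttpSysOwner -Lines (netsh http show servicestate view=requestq verbose=no)
```

The returned process ID can then be matched against `netstat -ano` or Task Manager in the same way as any other listener.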