How to find out why ntoskrnl.exe would open port 80

Posted on 2014-07-23
Last Modified: 2014-07-24
This is not for you who hope to catch a virus :)

This is Win8.1 x64 Pro and we are establishing a firewall policy. We discovered a system that has port 80 open for no apparent reason and hesitate to let the firewall close it. We might finally do it, but first I'd like to know how I could determine what service or process opens that port. [Opening http://localhost:80 will not amount to anything, but indeed from remote I can successfully "telnet client 80".]

netstat -ano shows that the PID of the process listening on 80 is 4 and the process name is "System". In Task Manager, I right-click System (which indeed has PID=4) and select "open file location", which leads me to C:\Windows\System32\ntoskrnl.exe
I have no idea why ntoskrnl.exe would want to open port 80.

Process Explorer cannot tell me anything about which subthread of ntoskrnl.exe opens that port.

->who can tell me how to further investigate?
->who has seen the same?
Question by:McKnife
9 Comments
 
LVL 19

Accepted Solution

by:
Miguel Angel Perez Muñoz earned 300 total points
ID: 40214244
Hope this helps: http://superuser.com/questions/352017/pid4-using-port-80
Some users have the same, and some suspect another app is launching IIS as a part of the OS.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 40214370
Any version of IIS, Visual Studio, or web development tools installed, or IIS enabled under Windows features?  That can have results similar to what you have found.
0
 
LVL 53

Author Comment

by:McKnife
ID: 40214405
Hi Miguel.

I am looking for a systematic way, like finding a list saved somewhere.
There is no IIS installed; telnet did not tell anything useful after "GET / HTTP/1.1".
What I could make out, however, is that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP has a value of "3" for Start, so it's that service. Who/what set it to start is still unclear.
0
 
LVL 53

Author Comment

by:McKnife
ID: 40214410
Hi Rob.

Yes, Visual Studio is installed - how to proceed? (I am the admin, not the VS end user)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214559
To be honest, I don't know. I suspect it is intended just for internal use for testing purposes when doing design/development with VS. I would close the port within the firewall console under Public and Domain, and leave it open just for Private for localhost testing.
0
 
LVL 53

Author Comment

by:McKnife
ID: 40214616
That's not what I had in mind. I am looking for a method to get to the program name that opens port 80 in order to see what it is used for. I will not close port 80 before I know that. This will not be the only case in the network, so I cannot simply close it.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214657
Process Explorer may help you find what is using ntoskrnl.exe, though probably only if the appropriate program is running.
http://technet.microsoft.com/en-ca/sysinternals/bb896653

Wireshark, again if the application is running, may help to identify what is accessing the port.
http://www.wireshark.org/

However without knowing the offending application you might have to try running everything and anything to make use of those tools.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 40214701
Interesting question, so out of curiosity I played with Windows features. Enabling "World Wide Web Services", a sub-set of services under IIS, does set the localhost to listen on port 80, and it is linked to PID 4 and ntoskrnl.exe. I am sure it is not the only possible cause, but definitely one.

Though it does add the WWW service to the Windows firewall rules, it does not appear to open the port (Action: Allow is set to No).
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 40216201
As I wrote, Process Explorer does not reveal anything.
But about IIS, I was wrong, sorry, it is installed. So that's it.

I think for other processes that netstat lists it won't be that hard, and I consider the matter solved. I have not learned a systematic way (that's why I hope you'll understand the B grading), but I'll reward both.
0
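The systematic method the asker was looking for, as an added PowerShell example that is not from any participant in this thread: when netstat attributes a listening port to PID 4, the owner is a kernel driver, and for port 80 that is almost always HTTP.sys, which keeps its own list of the user-mode processes that registered URLs with it. It assumes Windows 8.1 with the NetTCPIP module available and an elevated prompt (netsh http requires one); the regex that pulls PIDs out of the netsh output is an assumption about that output's layout.

```powershell
# Added example (not from the thread). Traces a listening port owned by PID 4 back to
# the HTTP.sys kernel driver and to the user-mode processes that registered URLs with it.
# Assumes Windows 8.1 (NetTCPIP module present) and an elevated prompt (netsh http needs it).
param([int]$Port = 80)

# 1. Who is listening? OwningProcess 4 = "System", i.e. a kernel-mode driver, not an .exe.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 2. State of the HTTP.sys driver. Start=3 in the registry means demand (manual) start:
#    the driver is loaded when the first user-mode process asks for a URL reservation.
$start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP').Start
"HTTP.sys start type: $start (0=boot 1=system 2=auto 3=demand 4=disabled)"
sc.exe query http | Select-String 'STATE'

# 3. Is the IIS "World Wide Web Services" feature (IIS-WebServer) enabled on this box?
$iis = Get-WindowsOptionalFeature -Online -FeatureName IIS-WebServer -ErrorAction SilentlyContinue
"IIS-WebServer feature: $($iis.State)"

# 4. URL reservations: namespaces accounts MAY register (not proof that anyone listens).
netsh http show urlacl | Select-String -Pattern 'Reserved URL' | ForEach-Object { $_.Line.Trim() }

# 5. The real consumers: HTTP.sys request queues, their registered URLs and attached PIDs.
#    Assumption about layout: "Process IDs:" is followed by one indented PID per line.
$state = netsh http show servicestate view=requestq verbose=yes
$state | Select-String -Pattern ':\d+/|Process IDs' | ForEach-Object { $_.Line.Trim() }
$pids = $state | Select-String -Pattern '^\s+(\d+)\s*$' |
    ForEach-Object { [int]$_.Matches[0].Groups[1].Value } | Sort-Object -Unique

# 6. Resolve each PID HTTP.sys reported to an executable, so the port finally has a name.
foreach ($p in $pids) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
    if ($proc) { "{0,6}  {1}" -f $p, $(if ($proc.Path) { $proc.Path } else { $proc.Name }) }
    else       { "{0,6}  (process has exited)" -f $p }
}
if (-not $pids) {
    "No user-mode process is attached to HTTP.sys. If port $Port is still listening, " +
    "another kernel component owns it and HTTP.sys is not the explanation."
}
```

Run it once with the suspect application (Visual Studio, IIS) stopped and once with it running; a PID that appears only in the second run is the consumer behind PID 4.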