Open Ports on Windows XP

Inside your computer

I wage a constant battle to know everything that is going on in my computer. Much of this stems from the constant barrage of security holes that Microsoft calls "features" that are enabled by default in Windows XP. Yes, I'm paranoid. :-) This page aims to be a quick-and-easy reference for what ports are open on a reasonably standard installation of Windows XP, and what they are used for.

Open ports

To see a list of open ports on Windows XP you can install one of many firewall applications, or you can go to a command prompt and enter:

netstat -ano

To find the program that is using the port, look at the PID number, then use the task manager to match the PID with a running process. To get a more detailed list that includes the EXE file and DLL file names (this takes a bit longer) try this:

netstat -anobv

Port                Description
----                -----------
123                 Network Time Protocol, used by the Windows Time Service.
                    In theory, this synchronizes with various time servers on the internet. In my experience, it always synchronizes with time.windows.com no matter how I set it. I would not have noticed if I weren't running Kerio Firewall. A bit suspicious, eh?

135                 RPC (Remote Procedure Call) and DCOM (Distributed Component Object Model).
                    RPC and DCOM allow a remote computer to send commands to another computer. This is used by a variety of Windows-specific services. (See the entry "Anything >1023" below.) The RPC service is not stoppable (see the section on unstoppable services).

137, 138, 139       File and printer sharing and network name resolution using NetBIOS over TCP.
                    Windows 2000 and XP use port 445 for the file and printer sharing portion, but that port is not accessible to Windows NT/9x systems.

445                 File and printer sharing for Windows 2000 and above (SMB over TCP).

500                 IKE (Internet Key Exchange), which is part of the IPsec protocol.
                    This is handled by LSASS.EXE, the Local Security Authority Service. LSASS is also used for user login authentication, so disabling IPsec closes port 500 but leaves LSASS running.

Anything >1023      Ports above 1023 are available to applications in general.
                    Any service that uses RPC will be given a port above 1023. The port number can vary based on what services are available and what order they start in. Examples include:
                      - Terminal services and Fast user switching
                      - Task Scheduler
                      - Microsoft Distributed Transaction Coordinator (MSDTC)
                      - Domain Name System (DNS)

3372                Microsoft Distributed Transaction Coordinator (MSDTC). This also uses another variable port above 1023.

1900                Universal Plug and Play (UPnP).

5000                Simple Service Discovery Protocol (SSDP), the companion to UPnP.

3389                The Remote Desktop service, which allows you to control your PC remotely.

What is SVCHOST?

You will notice that most ports are held by one of the many instances of svchost.exe. Most Windows services are not full executables, merely DLLs. These DLLs must be loaded by a host executable like SVCHOST. This saves system resources at the expense of security. To determine which services are running under a specific instance of SVCHOST, open a command prompt and enter:

tasklist /svc

Svchost usually runs as one of three special users: SYSTEM, LOCAL SERVICE, or NETWORK SERVICE. Unfortunately, even the system administrator does not have sufficient rights to kill SVCHOST when it runs as one of these three users.
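The PID matching described above (the PID column of netstat -ano joined to the service list of tasklist /svc), as an added Python example that is not part of the original page. Both command outputs are constructed samples embedded in the script, and the port labels come from the table above; svchost's wrapped service lists and established (non-listening) TCP connections are the two cases a hand-rolled parser usually gets wrong.

```python
import re

# Constructed sample of `netstat -ano` output (not a capture from the page's author).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1016
  TCP    192.168.1.10:1041      192.168.1.20:80        ESTABLISHED     1512
  UDP    0.0.0.0:123            *:*                                    1016
  UDP    0.0.0.0:500            *:*                                    672
"""
# Constructed sample of `tasklist /svc` output; PID 1016's service list wraps onto a second line.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
lsass.exe                      672 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    944 RpcSs
svchost.exe                   1016 AudioSrv, Browser, Dhcp, lanmanserver,
                                   Schedule, TermService, W32Time
"""
# Ports from the table above; any other port above 1023 is in the application/RPC range.
KNOWN = {123: "NTP", 135: "RPC/DCOM", 139: "NetBIOS", 445: "SMB", 500: "IKE", 1900: "UPnP", 3389: "Remote Desktop", 5000: "SSDP"}
def parse_netstat(text):
    """Yield (proto, local port, pid) for every UDP socket and every LISTENING TCP socket."""
    for p in (line.split() for line in text.splitlines()):
        if (len(p) >= 4 and p[0] == "UDP") or (len(p) >= 5 and p[0] == "TCP" and p[3] == "LISTENING"):
            yield p[0], int(p[1].rsplit(":", 1)[1]), int(p[-1])
def parse_tasklist(text):
    """Map PID -> (image name, service list), joining the continuation lines tasklist wraps onto."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)  # header and separator lines never match
        if m:
            pid = int(m.group(2))
            procs[pid] = (m.group(1), [])
        if m or (line.startswith(" ") and pid is not None):  # a row, or the wrapped tail of the previous row
            svcs = m.group(3) if m else line
            procs[pid][1].extend(s.strip() for s in svcs.split(",") if s.strip() not in ("", "N/A"))
    return procs
def open_ports_report(netstat_text, tasklist_text):
    """Join each open socket to its owning process and services, as the text above does by hand."""
    procs, rows = parse_tasklist(tasklist_text), []
    for proto, port, pid in sorted(parse_netstat(netstat_text), key=lambda r: (r[1], r[0])):
        image, services = procs.get(pid, ("<no such PID>", []))
        label = KNOWN.get(port, "above 1023 (application/RPC range)" if port > 1023 else "unlisted")
        rows.append({"proto": proto, "port": port, "pid": pid, "image": image, "services": services, "label": label})
    return rows
```

On a real machine, feed the script the saved output of the two commands instead of the samples; sockets owned by PID 4 (System) and by LSASS show up with no service name, exactly as the table above describes for SMB and IKE.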

Unstoppable services

Some services such as RPC are unstoppable. They ignore the stop command, and the service control manager will refuse to even let you try. Some of these services cannot even be disabled. I cannot imagine why any service should get such privileges. For example, why is the Audio Server unstoppable? Oh no! No audio!

More information

Jean-Baptiste Marchand wrote a very detailed article titled "Minimization of network services on Windows systems" which describes many of these ports in great detail.

Thanks to Brian at Infoshare Consulting for the tip on the tasklist command.