PowerShell: Get Listening Network Daemons and Associated Processes - netstat replacement
This post was originally published on jcutrer.com (WordPress) and has been migrated to the archive.
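This command-line tool (a PowerShell script) will list all TCP and UDP listeners and their associated Windows processes.
It works by querying for all listening TCP and UDP network daemons and then cross-referencing each one to the process that is listening on the port, pulling the process name, the path, and the username it runs as. Note that the filter in the script matches only listeners bound to the IPv4 wildcard address 0.0.0.0, so daemons bound to a specific address (such as 127.0.0.1) or to IPv6 are not shown. Consider it an enhanced replacement for the old netstat command.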
The PowerShell Script
######################################################################################
# Get TCP & UDP Network Daemons and Associated Processes
# Run from an elevated prompt: Get-Process -IncludeUserName requires administrator rights.

# Make a lookup table by process ID
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object {
    $Processes[$_.Id] = $_
}

# Query Listening TCP Daemons (only those bound to the IPv4 wildcard address 0.0.0.0)
echo "TCP Daemons"
Get-NetTCPConnection |
    Where-Object { $_.LocalAddress -eq "0.0.0.0" -and $_.State -eq "Listen" } |
    Select-Object LocalAddress,
        LocalPort,
        @{Name="PID";         Expression={ $_.OwningProcess }},
        @{Name="UserName";    Expression={ $Processes[$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[$_.OwningProcess].ProcessName }},
        @{Name="Path";        Expression={ $Processes[$_.OwningProcess].Path }} |
    Sort-Object -Property LocalPort, UserName |
    Format-Table -AutoSize

# Query Listening UDP Daemons (UDP endpoints have no state, so only the address is filtered)
echo "UDP Daemons"
Get-NetUDPEndpoint |
    Where-Object { $_.LocalAddress -eq "0.0.0.0" } |
    Select-Object LocalAddress,
        LocalPort,
        @{Name="PID";         Expression={ $_.OwningProcess }},
        @{Name="UserName";    Expression={ $Processes[$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[$_.OwningProcess].ProcessName }},
        @{Name="Path";        Expression={ $Processes[$_.OwningProcess].Path }} |
    Sort-Object -Property LocalPort, UserName |
    Format-Table -AutoSize
Example Output
PS C:\dev\Scripts> .\Get-Daemons.ps1
TCP Daemons
LocalAddress LocalPort  PID UserName                     ProcessName   Path
------------ ---------  --- --------                     -----------   ----
0.0.0.0            135  996 NT AUTHORITY\NETWORK SERVICE svchost       c:\windows\system32\svchost.exe
0.0.0.0            443 6124 NT AUTHORITY\SYSTEM          vmware-hostd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
0.0.0.0            623 1328 NT AUTHORITY\SYSTEM          LMS           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
0.0.0.0            902 4488 NT AUTHORITY\SYSTEM          vmware-authd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0            912 4488 NT AUTHORITY\SYSTEM          vmware-authd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0           7790 3608 NT AUTHORITY\SYSTEM          KillerService C:\Program Files\Killer Networking\Network Manager\KillerService.exe
0.0.0.0          16992 1328 NT AUTHORITY\SYSTEM          LMS           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
0.0.0.0          49664  696                              wininit
0.0.0.0          49665 1824 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0          49666 2052 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe
0.0.0.0          49667 3008 NT AUTHORITY\SYSTEM          spoolsv       C:\WINDOWS\System32\spoolsv.exe
0.0.0.0          49670  772                              services
0.0.0.0          49671  784 NT AUTHORITY\SYSTEM          lsass         C:\WINDOWS\system32\lsass.exe
UDP Daemons
LocalAddress LocalPort  PID UserName                     ProcessName   Path
------------ ---------  --- --------                     -----------   ----
0.0.0.0            500 3556 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe
0.0.0.0           3702 7444 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0           4500 3556 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe
0.0.0.0           5050 6872 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0           5353 3060 MYCOMPUTER\me                chrome        C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
0.0.0.0           5355 2540 NT AUTHORITY\NETWORK SERVICE svchost       c:\windows\system32\svchost.exe
0.0.0.0          50774 7444 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0          56342 3628 NT AUTHORITY\SYSTEM          mDNSResponder C:\Program Files\Bonjour\mDNSResponder.exe
PS C:\dev\Scripts>
Motivation
I’ve always used the command netstat -ano to see listening daemons and their associated PID. Then I would have to go look up the owning process by PID. The above script combines this into one easy-to-run command.
The script not only gives you the parent process name but also the path to the executable. There is room for improvement since all services are just going to return svchost. I may extend the script to additionally query Get-Service to pull the Windows Service name and path to the executable.
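The extension described above, sketched as an added example (not the author's script): it joins each listener's PID to Win32_Service so that svchost rows show the services hosted in that process, and it drops the 0.0.0.0 filter so IPv6 (::) and loopback-only listeners are listed too. The function name Get-ListenerRow and the Services column are assumptions of this example.

```powershell
# Added example, not the author's script. Run elevated (Get-Process -IncludeUserName).
# Get-ListenerRow and the Services column are names assumed for this example.

# Process lookup table by PID, as in the script above
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object { $Processes[[int]$_.Id] = $_ }

# Service lookup table by PID; one svchost.exe process can host several services
$Services = @{}
Get-CimInstance -ClassName Win32_Service -Filter "ProcessId != 0" | ForEach-Object {
    $svcPid = [int]$_.ProcessId
    $Services[$svcPid] += @($_.Name)
}

function Get-ListenerRow {
    param(
        [Parameter(ValueFromPipeline)] $Endpoint,
        [string] $Protocol
    )
    process {
        # Cast so the key type matches the [int] keys used in both lookup tables
        $ownerPid = [int]$Endpoint.OwningProcess
        [pscustomobject]@{
            Protocol     = $Protocol
            LocalAddress = $Endpoint.LocalAddress
            LocalPort    = $Endpoint.LocalPort
            PID          = $ownerPid
            UserName     = $Processes[$ownerPid].UserName
            ProcessName  = $Processes[$ownerPid].ProcessName
            Services     = $Services[$ownerPid] -join ','
            Path         = $Processes[$ownerPid].Path
        }
    }
}

# No LocalAddress filter: 0.0.0.0, ::, 127.0.0.1 and interface-specific binds all appear
$rows = @(Get-NetTCPConnection -State Listen | Get-ListenerRow -Protocol TCP) +
        @(Get-NetUDPEndpoint | Get-ListenerRow -Protocol UDP)

$rows | Sort-Object Protocol, LocalPort, LocalAddress | Format-Table -AutoSize
```

The LocalAddress column separates daemons reachable from the network (0.0.0.0, ::, or an interface address) from those bound only to loopback, which is usually the first thing to check when reviewing a host's exposed services.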
How to use it
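- Copy and paste the above code and save it to a file named Get-Daemons.ps1
- From an elevated PowerShell prompt, change to the directory where you saved the file and run the script. Elevation is needed because Get-Process -IncludeUserName requires administrator rights.
PS C:\> .\Get-Daemons.ps1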
Reference
The process lookup-table technique used to associate the daemon and owning process was adopted from (https://stackoverflow.com/questions/44509183/powershell-get-nettcpconnection-script-that-also-shows-username-process-name).