PowerShell: Get Listening Network Daemons and Associated Processes – netstat replacement

PowerShell: Get Listening Network Daemons and Associated Processes – netstat replacement

This command line tool (powershell script) will list all tcp & udp listeners and their associated windows processes.

It works by querying for all listening TCP & UDP network daemons and then cross-references to the process that is listening on the port, pulling Process Name, Path, and executing Username. Consider it an enhanced replacement for the old netstat command.

The PowerShell Script

######################################################################################
# Get TCP&UDP Network Daemons and Associated Processes

# Make a lookup table by process ID
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object {
    $Processes[$_.Id] = $_
}


# Query Listening TCP Daemons
echo "TCP Daemons"
Get-NetTCPConnection | 
    Where-Object { $_.LocalAddress -eq "0.0.0.0" -and $_.State -eq "Listen" } |
    Select-Object LocalAddress,
        LocalPort,
        @{Name="PID";         Expression={ $_.OwningProcess }},
        @{Name="UserName";    Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }}, 
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path }} |
    Sort-Object -Property LocalPort, UserName |
    Format-Table -AutoSize


# Query Listening UDP Daemons
echo "UDP Daemons"
Get-NetUDPEndpoint | 
    Where-Object { $_.LocalAddress -eq "0.0.0.0" } |
    Select-Object LocalAddress,
        LocalPort,
        @{Name="PID";         Expression={ $_.OwningProcess }},
        @{Name="UserName";    Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }}, 
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path }} |
    Sort-Object -Property LocalPort, UserName |
    Format-Table -AutoSize

#

Example Output

PS C:\dev\Scripts> .\Get-Daemons.ps1
TCP Daemons

LocalAddress LocalPort  PID UserName                     ProcessName   Path                                                                          
------------ ---------  --- --------                     -----------   ----                                                                          
0.0.0.0            135  996 NT AUTHORITY\NETWORK SERVICE svchost       c:\windows\system32\svchost.exe                                               
0.0.0.0            443 6124 NT AUTHORITY\SYSTEM          vmware-hostd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe             
0.0.0.0            623 1328 NT AUTHORITY\SYSTEM          LMS           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
0.0.0.0            902 4488 NT AUTHORITY\SYSTEM          vmware-authd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe             
0.0.0.0            912 4488 NT AUTHORITY\SYSTEM          vmware-authd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe             
0.0.0.0           7790 3608 NT AUTHORITY\SYSTEM          KillerService C:\Program Files\Killer Networking\Network Manager\KillerService.exe          
0.0.0.0          16992 1328 NT AUTHORITY\SYSTEM          LMS           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
0.0.0.0          49664  696                              wininit                                                                                     
0.0.0.0          49665 1824 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe                                               
0.0.0.0          49666 2052 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe                                               
0.0.0.0          49667 3008 NT AUTHORITY\SYSTEM          spoolsv       C:\WINDOWS\System32\spoolsv.exe                                               
0.0.0.0          49670  772                              services                                                                                    
0.0.0.0          49671  784 NT AUTHORITY\SYSTEM          lsass         C:\WINDOWS\system32\lsass.exe                                                 


UDP Daemons

LocalAddress LocalPort  PID UserName                     ProcessName   Path                                                       
------------ ---------  --- --------                     -----------   ----                                                       
0.0.0.0            500 3556 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe                            
0.0.0.0           3702 7444 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe                            
0.0.0.0           4500 3556 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe                            
0.0.0.0           5050 6872 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe                            
0.0.0.0           5353 3060 MYCOMPUTER\me                chrome        C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
0.0.0.0           5355 2540 NT AUTHORITY\NETWORK SERVICE svchost       c:\windows\system32\svchost.exe                            
0.0.0.0          50774 7444 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe                            
0.0.0.0          56342 3628 NT AUTHORITY\SYSTEM          mDNSResponder C:\Program Files\Bonjour\mDNSResponder.exe                 



PS C:\dev\Scripts> 

Motivation

I’ve always used the command netstat -ano to see listening daemons and their associated PID. Then I would have to go lookup the owning process by PID. The above script combines this into one easy-to-run command.

The script not only gives you the parent process name but also the path to the executable. There is room for improvement since all services are just going to return svchost. I may extend the script to additionally query Get-Service to pull the Windows Service name and path to the executable.

How to use it

  1. Copy and Paste the above code and save it to a file named Get-Daemons.ps1
  2. From an elevated command PowerShell prompt run the script.
    PS C:\> Get-Daemons.ps1

Reference

The process lookup-table technique used to associated the daemon and owning process was adopted from https://stackoverflow.com/questions/44509183/powershell-get-nettcpconnection-script-that-also-shows-username-process-name


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.