PowerShell: Get Listening Network Daemons and Associated Processes – netstat replacement
This command-line tool (a PowerShell script) lists all TCP and UDP listeners and their associated Windows processes.
It works by querying all listening TCP and UDP network daemons and then cross-referencing each one with the process that owns the listening port, pulling the process name, executable path, and executing user name. Consider it an enhanced replacement for the old netstat command.
The PowerShell Script
######################################################################################
# Get TCP&UDP Network Daemons and Associated Processes
######################################################################################

# Make a lookup table by process ID.
# -IncludeUserName needs an elevated prompt; UserName and Path stay empty for
# protected processes such as wininit and services (see the example output).
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object { $Processes[$_.Id] = $_ }

# OwningProcess on the CIM objects below is a UInt32, while the hashtable keys
# above are Int32 (Process.Id), so every lookup casts the PID with [int].

# Query Listening TCP Daemons
# Only IPv4 wildcard (0.0.0.0) listeners are matched; sockets bound to :: or to
# a specific address such as 127.0.0.1 are not listed.
Write-Output "TCP Daemons"
Get-NetTCPConnection |
    Where-Object { $_.LocalAddress -eq "0.0.0.0" -and $_.State -eq "Listen" } |
    Select-Object LocalAddress, LocalPort,
        @{Name="PID";         Expression={ $_.OwningProcess }},
        @{Name="UserName";    Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
        @{Name="Path";        Expression={ $Processes[[int]$_.OwningProcess].Path }} |
    Sort-Object -Property LocalPort, UserName |
    Format-Table -AutoSize

# Query Listening UDP Daemons (same 0.0.0.0 filter as above)
Write-Output "UDP Daemons"
Get-NetUDPEndpoint |
    Where-Object { $_.LocalAddress -eq "0.0.0.0" } |
    Select-Object LocalAddress, LocalPort,
        @{Name="PID";         Expression={ $_.OwningProcess }},
        @{Name="UserName";    Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
        @{Name="Path";        Expression={ $Processes[[int]$_.OwningProcess].Path }} |
    Sort-Object -Property LocalPort, UserName |
    Format-Table -AutoSize
######################################################################################
Example Output
PS C:\dev\Scripts> .\Get-Daemons.ps1
TCP Daemons

LocalAddress LocalPort  PID UserName                     ProcessName   Path
------------ ---------  --- --------                     -----------   ----
0.0.0.0            135  996 NT AUTHORITY\NETWORK SERVICE svchost       c:\windows\system32\svchost.exe
0.0.0.0            443 6124 NT AUTHORITY\SYSTEM          vmware-hostd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
0.0.0.0            623 1328 NT AUTHORITY\SYSTEM          LMS           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
0.0.0.0            902 4488 NT AUTHORITY\SYSTEM          vmware-authd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0            912 4488 NT AUTHORITY\SYSTEM          vmware-authd  C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0           7790 3608 NT AUTHORITY\SYSTEM          KillerService C:\Program Files\Killer Networking\Network Manager\KillerService.exe
0.0.0.0          16992 1328 NT AUTHORITY\SYSTEM          LMS           C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
0.0.0.0          49664  696                              wininit
0.0.0.0          49665 1824 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0          49666 2052 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe
0.0.0.0          49667 3008 NT AUTHORITY\SYSTEM          spoolsv       C:\WINDOWS\System32\spoolsv.exe
0.0.0.0          49670  772                              services
0.0.0.0          49671  784 NT AUTHORITY\SYSTEM          lsass         C:\WINDOWS\system32\lsass.exe

UDP Daemons

LocalAddress LocalPort  PID UserName                     ProcessName   Path
------------ ---------  --- --------                     -----------   ----
0.0.0.0            500 3556 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe
0.0.0.0           3702 7444 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0           4500 3556 NT AUTHORITY\SYSTEM          svchost       c:\windows\system32\svchost.exe
0.0.0.0           5050 6872 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0           5353 3060 MYCOMPUTER\me                chrome        C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
0.0.0.0           5355 2540 NT AUTHORITY\NETWORK SERVICE svchost       c:\windows\system32\svchost.exe
0.0.0.0          50774 7444 NT AUTHORITY\LOCAL SERVICE   svchost       c:\windows\system32\svchost.exe
0.0.0.0          56342 3628 NT AUTHORITY\SYSTEM          mDNSResponder C:\Program Files\Bonjour\mDNSResponder.exe

PS C:\dev\Scripts>
Motivation
I’ve always used the command netstat -ano to see listening daemons and their associated PIDs. Then I would have to look up the owning process by PID. The above script combines this into one easy-to-run command.
The script not only gives you the owning process name but also the path to its executable. There is room for improvement, since every service hosted by the Service Host will just show up as svchost. I may extend the script to additionally query Get-Service to pull the Windows service name and the path to its executable.
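As an added example (not the post's script), the extension described above can be built with a second lookup table keyed by PID from Win32_Service, whose ProcessId property says which process hosts each service; that turns a bare svchost row into the list of services living in that process. The example also drops the 0.0.0.0 filter so IPv6 (::) and loopback listeners appear, and tags every listener with a bind scope so wildcard-bound sockets, the ones reachable from other hosts, sort to the top. The function names Get-BindScope and Resolve-Listener and the Scope/Services column names are my own, not part of the original script.

```powershell
# Added example, not the post's script: listeners joined with process and
# service information. Run from an elevated prompt (needed for -IncludeUserName).

# Process lookup by PID (Int32 keys; CIM PIDs are UInt32, hence the [int] casts)
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object { $Processes[$_.Id] = $_ }

# Service lookup by PID. One svchost process can host several services, so the
# value is a list of service names. ProcessId 0 means the service is not running.
$ServicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $procId = [int]$_.ProcessId
        if (-not $ServicesByPid.ContainsKey($procId)) {
            $ServicesByPid[$procId] = New-Object System.Collections.Generic.List[string]
        }
        $ServicesByPid[$procId].Add($_.Name)
    }

# Classify the bind address: 'Any' is reachable on every interface, 'Loopback'
# only from the local machine, 'Specific' on one configured address.
function Get-BindScope {
    param([string]$Address)
    switch -Regex ($Address) {
        '^(0\.0\.0\.0|::)$' { return 'Any' }
        '^(127\.|::1$)'     { return 'Loopback' }
        default             { return 'Specific' }
    }
}

# Join a Get-NetTCPConnection or Get-NetUDPEndpoint object with its owning
# process and any services hosted in that process.
function Resolve-Listener {
    param([string]$Protocol, $Endpoint)
    $procId = [int]$Endpoint.OwningProcess
    $proc   = $Processes[$procId]          # $null if the process already exited
    $svcs   = if ($ServicesByPid.ContainsKey($procId)) { $ServicesByPid[$procId] -join ',' } else { '' }
    [pscustomobject]@{
        Protocol     = $Protocol
        Scope        = Get-BindScope $Endpoint.LocalAddress
        LocalAddress = $Endpoint.LocalAddress
        LocalPort    = $Endpoint.LocalPort
        PID          = $procId
        UserName     = $proc.UserName
        ProcessName  = $proc.ProcessName
        Services     = $svcs
        Path         = $proc.Path
    }
}

$listeners = @(
    Get-NetTCPConnection -State Listen | ForEach-Object { Resolve-Listener -Protocol 'TCP' -Endpoint $_ }
    Get-NetUDPEndpoint                 | ForEach-Object { Resolve-Listener -Protocol 'UDP' -Endpoint $_ }
)

# Wildcard ('Any') listeners first within each protocol: those are the sockets
# exposed beyond the host and the ones worth reviewing first.
$listeners |
    Sort-Object Protocol, @{ Expression = { $_.Scope -ne 'Any' } }, LocalPort, LocalAddress |
    Format-Table -AutoSize
```

With this in place a row such as the svchost listener on UDP 5355 in the output above would carry the hosted service names in its Services column, and a loopback-only listener such as one bound to 127.0.0.1 shows up with Scope Loopback instead of being silently dropped by the 0.0.0.0 filter.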
How to use it
- Copy and paste the above code and save it to a file named Get-Daemons.ps1
- From an elevated PowerShell prompt, run the script.
PS C:\> .\Get-Daemons.ps1
Reference
The process lookup-table technique used to associate each daemon with its owning process was adapted from https://stackoverflow.com/questions/44509183/powershell-get-nettcpconnection-script-that-also-shows-username-process-name