Netstat is a great utility to check network connections. It gives local and remote addresses (with the port numbers and the protocol name if it is a well-known protocol) and the state of the connections.
Sometimes we need more information than netstat provides. For example, what if we need the actual name of the process that listens on a specific port netstat reports?
We can use TCPView. TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on our system, including the local and remote addresses and the state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.
Let’s download TCPView from here.
If, like me, you prefer the command line, you can use tcpvcon, which comes with TCPView. They do the same job.
Say we want to know the process number and the process path, and to end the process that listens on a specific port.
Start TCPView and highlight the process number. Right-click and then click ‘Process Properties’.
When we think our Windows machine is compromised, we can use TCPView to check network connections and the corresponding process name. Then we can use Wireshark to listen to those connections and gather more information.
One last thing: TCPView updates the connection table every second, but we can change this from ‘View’.
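The same port-to-process mapping that TCPView shows (listening endpoint, PID, process name and image path) can be pulled from the command line when triaging a box, as in this added PowerShell example. It is not code from the post or from Sysinternals; it assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later, newer than the versions the post names) and an elevated shell so that process paths are readable; the ports in the usage line are constructed.

```powershell
# Added example: map listening TCP ports and bound UDP ports to their owning process,
# the subset of TCPView output the post uses when checking a suspicious machine.
# Assumes the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint) and an elevated shell.
function Get-ListeningPortOwner {
    param(
        [int[]]$Port   # optional: restrict the listing to these local ports
    )

    # Listening TCP sockets and bound UDP sockets, normalised to one shape
    $endpoints = @(
        Get-NetTCPConnection -State Listen -ErrorAction Stop |
            Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
        Get-NetUDPEndpoint -ErrorAction Stop |
            Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    )

    if ($Port) {
        $endpoints = $endpoints | Where-Object { $Port -contains $_.LocalPort }
    }

    foreach ($e in $endpoints) {
        # The socket may outlive the process for a moment, so tolerate a missing PID
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto        = $e.Proto
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            PID          = $e.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            # Path is $null for protected/system processes when the shell is not elevated
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# Usage: who owns the listeners on two constructed example ports?
Get-ListeningPortOwner -Port 4444, 8080 | Format-Table -AutoSize

# The post's last step, ending the owning process, after you have checked the path:
# Get-ListeningPortOwner -Port 4444 | ForEach-Object { Stop-Process -Id $_.PID -Confirm }
```

Run without `-Port` to get the full table, which is the same view `netstat -ano` gives plus the process name and image path.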