Thursday, October 24, 2024

[Research] Listing all ports open by default on Windows Server 2022: purpose, service name, file name, process name

2024-10-24

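The TCPView utility is the more convenient option; otherwise use PowerShell. In Command Prompt, netstat -ano and tasklist /svc /FI "PID eq <PID>" show only part of the information, so you still need PowerShell to look up the details: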

 Get-Process -Id (Get-NetTCPConnection | Where-Object { $_.LocalPort -eq 135 }).OwningProcess

It is simpler to use PowerShell alone in place of the netstat + tasklist + PowerShell combination.

********************************************************************************

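How do you list every open port on Windows together with its purpose, the service name shown under "Control Panel\System and Security\Administrative Tools\Services", the file name and the process name, without looking up each PID one at a time?

1. TCP, using PowerShell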

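# Running services with their host PID. Get-Service objects carry no process ID,
# so the lookup uses Win32_Service.ProcessId instead.
$services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0"

Get-NetTCPConnection | ForEach-Object {
    $conn = $_   # keep the connection; $_ is rebound inside Where-Object below
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress  = $conn.LocalAddress
        LocalPort     = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
        State         = $conn.State
        ProcessId     = $conn.OwningProcess
        ProcessName   = $proc.ProcessName
        FileName      = $proc.Path
        # The original filter, Get-Service | Where-Object { $_.Id -eq $_.OwningProcess },
        # compared two properties a service object does not have ($null -eq $null), so it
        # matched every service; that is the list on every row of the recorded output below.
        ServiceName   = ($services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }).Name -join ', '
    }
} | Format-Table -AutoSize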


Result (text)

PS C:\> Get-NetTCPConnection | ForEach-Object {
>>     $proc = Get-Process -Id $_.OwningProcess
>>     [pscustomobject]@{
>>         LocalAddress  = $_.LocalAddress
>>         LocalPort     = $_.LocalPort
>>         RemoteAddress = $_.RemoteAddress
>>         RemotePort    = $_.RemotePort
>>         State         = $_.State
>>         ProcessId     = $_.OwningProcess
>>         ProcessName   = $proc.ProcessName
>>         FileName      = $proc.Path
>>         ServiceName   = (Get-Service | Where-Object { $_.Id -eq $_.OwningProcess }).Name
>>     }
>> } | Format-Table -AutoSize

LocalAddress    LocalPort RemoteAddress  RemotePort    State ProcessId ProcessName FileName                        ServiceName
------------    --------- -------------  ----------    ----- --------- ----------- --------                        -----------
::                  49669 ::                      0   Listen       716 services                                    {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  49668 ::                      0   Listen      2432 spoolsv     C:\Windows\System32\spoolsv.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  49667 ::                      0   Listen      1608 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  49666 ::                      0   Listen      1212 svchost     C:\Windows\System32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  49665 ::                      0   Listen       576 wininit                                     {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  49664 ::                      0   Listen       740 lsass       C:\Windows\system32\lsass.exe   {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  47001 ::                      0   Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
::                   5985 ::                      0   Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
::                   5357 ::                      0   Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
::                    445 ::                      0   Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
::                    135 ::                      0   Listen       972 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129     49878 23.220.197.168        443 TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129     49876 23.220.197.168        443 TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129     49875 23.220.197.168        443 TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129     49874 23.220.197.168        443 TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129     49873 23.220.197.168        443 TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129     49871 23.220.197.168        443 TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49669 0.0.0.0                 0   Listen       716 services                                    {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49668 0.0.0.0                 0   Listen      2432 spoolsv     C:\Windows\System32\spoolsv.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49667 0.0.0.0                 0   Listen      1608 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49666 0.0.0.0                 0   Listen      1212 svchost     C:\Windows\System32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49665 0.0.0.0                 0   Listen       576 wininit                                     {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49664 0.0.0.0                 0   Listen       740 lsass       C:\Windows\system32\lsass.exe   {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129       139 0.0.0.0                 0   Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0               135 0.0.0.0                 0   Listen       972 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}


PS C:\>



********************************************************************************

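2. Viewing UDP ports

Get-NetUDPEndpoint has no State column because UDP is a connectionless protocol. Unlike TCP, UDP does not establish or tear down connections, so it has nothing comparable to TCP's states (such as LISTENING or ESTABLISHED). A UDP socket simply opens a port and waits for datagrams, with no connection state to maintain.

PowerShell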

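# Running services with their host PID (Get-Service objects carry no process ID).
$services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0"

Get-NetUDPEndpoint | ForEach-Object {
    $ep   = $_   # keep the endpoint; $_ is rebound inside Where-Object below
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress  = $ep.LocalAddress
        LocalPort     = $ep.LocalPort
        ProcessId     = $ep.OwningProcess
        ProcessName   = $proc.ProcessName
        FileName      = $proc.Path
        # The recorded output below came from the original Get-Service filter, which
        # compared $null to $null and therefore listed every service on every row.
        ServiceName   = ($services | Where-Object { $_.ProcessId -eq $ep.OwningProcess }).Name -join ', '
    }
} | Format-Table -AutoSize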

Result (text)

PS C:\> Get-NetUDPEndpoint | ForEach-Object {
>>     $proc = Get-Process -Id $_.OwningProcess
>>     [pscustomobject]@{
>>         LocalAddress  = $_.LocalAddress
>>         LocalPort     = $_.LocalPort
>>         ProcessId     = $_.OwningProcess
>>         ProcessName   = $proc.ProcessName
>>         FileName      = $proc.Path
>>         ServiceName   = (Get-Service | Where-Object { $_.Id -eq $_.OwningProcess }).Name
>>     }
>> } | Format-Table -AutoSize

LocalAddress    LocalPort ProcessId ProcessName FileName                        ServiceName
------------    --------- --------- ----------- --------                        -----------
::                  61990      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  61715      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                  49344      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                   5355      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                   5353      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                   3702      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
::                    123      2708 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
127.0.0.1           62552      2500 svchost     C:\Windows\System32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0             49343      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0              5355      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0              5353      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0              3702      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129       138         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
192.168.128.129       137         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
0.0.0.0               123      2708 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}


PS C:\>



********************************************************************************

3. Listing TCP and UDP together

PowerShell

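# Merge the results of Get-NetTCPConnection and Get-NetUDPEndpoint
$connections = @()

# Running services with their host PID. Get-Service objects carry no process ID, so the
# original Get-Service filter compared $null to $null and matched every service (the list
# shown on every row of the recorded output below).
$services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0"

# Process TCP ports
$tcpConnections = Get-NetTCPConnection | ForEach-Object {
    $conn = $_   # keep the connection; $_ is rebound inside Where-Object below
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $service = $services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }
    [pscustomobject]@{
        Protocol      = "TCP"
        LocalAddress  = $conn.LocalAddress
        LocalPort     = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
        State         = $conn.State
        ProcessId     = $conn.OwningProcess
        ProcessName   = $proc.ProcessName
        FileName      = $proc.Path
        ServiceName   = $service.Name -join ', '
    }
}

# Process UDP ports
$udpConnections = Get-NetUDPEndpoint | ForEach-Object {
    $ep = $_
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $service = $services | Where-Object { $_.ProcessId -eq $ep.OwningProcess }
    [pscustomobject]@{
        Protocol      = "UDP"
        LocalAddress  = $ep.LocalAddress
        LocalPort     = $ep.LocalPort
        RemoteAddress = "*"
        RemotePort    = "*"
        State         = "LISTENING"  # UDP has no State; every endpoint is treated as LISTENING
        ProcessId     = $ep.OwningProcess
        ProcessName   = $proc.ProcessName
        FileName      = $proc.Path
        ServiceName   = $service.Name -join ', '
    }
}

# Merge the TCP and UDP results (@() keeps the + valid even if one side has a single row)
$connections = @($tcpConnections) + @($udpConnections)

# Output the result
$connections | Format-Table -AutoSize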



Result

PS C:\> # 合併 Get-NetTCPConnection 和 Get-NetUDPEndpoint 結果
PS C:\> $connections = @()
PS C:\>
PS C:\> # 處理 TCP 端口
PS C:\> $tcpConnections = Get-NetTCPConnection | ForEach-Object {
>>     $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
>>     $service = Get-Service | Where-Object { $_.Id -eq $_.OwningProcess }
>>     [pscustomobject]@{
>>         Protocol      = "TCP"
>>         LocalAddress  = $_.LocalAddress
>>         LocalPort     = $_.LocalPort
>>         RemoteAddress = $_.RemoteAddress
>>         RemotePort    = $_.RemotePort
>>         State         = $_.State
>>         ProcessId     = $_.OwningProcess
>>         ProcessName   = $proc.ProcessName
>>         FileName      = $proc.Path
>>         ServiceName   = $service.Name
>>     }
>> }
PS C:\>
PS C:\> # 處理 UDP 端口
PS C:\> $udpConnections = Get-NetUDPEndpoint | ForEach-Object {
>>     $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
>>     $service = Get-Service | Where-Object { $_.Id -eq $_.OwningProcess }
>>     [pscustomobject]@{
>>         Protocol      = "UDP"
>>         LocalAddress  = $_.LocalAddress
>>         LocalPort     = $_.LocalPort
>>         RemoteAddress = "*"
>>         RemotePort    = "*"
>>         State         = "LISTENING"  # UDP 沒有 State,所有端口都類似 LISTENING
>>         ProcessId     = $_.OwningProcess
>>         ProcessName   = $proc.ProcessName
>>         FileName      = $proc.Path
>>         ServiceName   = $service.Name
>>     }
>> }
PS C:\>
PS C:\> # 合併 TCP 和 UDP 結果
PS C:\> $connections = $tcpConnections + $udpConnections
PS C:\>
PS C:\> # 輸出結果
PS C:\> $connections | Format-Table -AutoSize

Protocol LocalAddress    LocalPort RemoteAddress RemotePort     State ProcessId ProcessName FileName                        ServiceName
-------- ------------    --------- ------------- ----------     ----- --------- ----------- --------                        -----------
TCP      ::                  49669 ::                     0    Listen       716 services                                    {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                  49668 ::                     0    Listen      2432 spoolsv     C:\Windows\System32\spoolsv.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                  49667 ::                     0    Listen      1608 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                  49666 ::                     0    Listen      1212 svchost     C:\Windows\System32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                  49665 ::                     0    Listen       576 wininit                                     {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                  49664 ::                     0    Listen       740 lsass       C:\Windows\system32\lsass.exe   {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                  47001 ::                     0    Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                   5985 ::                     0    Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                   5357 ::                     0    Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                    445 ::                     0    Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      ::                    135 ::                     0    Listen       972 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      192.168.128.129     49879 40.79.173.41         443  TimeWait         0 Idle                                        {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0             49669 0.0.0.0                0    Listen       716 services                                    {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0             49668 0.0.0.0                0    Listen      2432 spoolsv     C:\Windows\System32\spoolsv.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0             49667 0.0.0.0                0    Listen      1608 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0             49666 0.0.0.0                0    Listen      1212 svchost     C:\Windows\System32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0             49665 0.0.0.0                0    Listen       576 wininit                                     {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0             49664 0.0.0.0                0    Listen       740 lsass       C:\Windows\system32\lsass.exe   {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      192.168.128.129       139 0.0.0.0                0    Listen         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
TCP      0.0.0.0               135 0.0.0.0                0    Listen       972 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                  62653 *                      * LISTENING      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                  61990 *                      * LISTENING      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                  49344 *                      * LISTENING      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                   5355 *                      * LISTENING      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                   5353 *                      * LISTENING      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                   3702 *                      * LISTENING      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      ::                    123 *                      * LISTENING      2708 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      127.0.0.1           62552 *                      * LISTENING      2500 svchost     C:\Windows\System32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      0.0.0.0             49343 *                      * LISTENING      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      0.0.0.0              5355 *                      * LISTENING      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      0.0.0.0              5353 *                      * LISTENING      1952 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      0.0.0.0              3702 *                      * LISTENING      4088 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      192.168.128.129       138 *                      * LISTENING         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      192.168.128.129       137 *                      * LISTENING         4 System                                      {AJRouter, ALG, AppIDSvc, Appinfo...}
UDP      0.0.0.0               123 *                      * LISTENING      2708 svchost     C:\Windows\system32\svchost.exe {AJRouter, ALG, AppIDSvc, Appinfo...}


PS C:\>


********************************************************************************

4. Using TCPView from Microsoft Sysinternals

TCPView v4.19
https://learn.microsoft.com/zh-tw/sysinternals/downloads/tcpview

(Screenshot) Tested on a freshly installed Windows Server 2022 Standard


********************************************************************************
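Copilot

The purposes of these default-open ports are as follows:
  • 135/tcp: Microsoft RPC (Remote Procedure Call) service, used for remote procedure calls.
  • 445/tcp: SMB (Server Message Block) service, used for file and print sharing.
  • 5357/tcp: WSDAPI (Web Services on Devices API), used for device network communication.
  • 5985/tcp: WS-Management service, used for management and monitoring.
  • 47001/tcp: WinRM (Windows Remote Management), used for remote management.
  • 49664/tcp-49669/tcp: these are ports of unknown purpose, possibly used by internal services or applications.

Port                 Purpose                               Service name                 File name    Process name
----                 -------                               ------------                 ---------    ------------
135/tcp              Microsoft RPC                         RPC service                  rpcss.dll    svchost.exe
445/tcp              SMB (Server Message Block)            File and print sharing       srv2.sys     srv2svc.exe
5357/tcp             WSDAPI (Web Services on Devices API)  WSDAPI service               wsddsvc.dll  wsddsvc.exe
5985/tcp             WS-Management                         Windows administrator tools  winrm.exe    winrm.exe
47001/tcp            WinRM (Windows Remote Management)     Windows remote management    winrm.exe    winrm.exe
49664/tcp-49669/tcp  Unknown purpose                       Unknown                      Unknown      Unknown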

********************************************************************************

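Which Windows service opens each of these ports? What is the service name?

ChatGPT said:

Below are the Windows service name and purpose for each port:

135/tcp (msrpc)

Service name: RPC Endpoint Mapper
Purpose: Provides port allocation for RPC (Remote Procedure Call) communication. When an application communicates with a service over RPC, this service assigns a suitable port and carries out the communication.

445/tcp (microsoft-ds)

Service name: SMB (Server Message Block)
Purpose: Used for file sharing, print sharing, network browsing and similar functions. This port is opened to implement the SMB protocol, and many file-sharing services depend on it.

5357/tcp (wsdapi)

Service name: Function Discovery Resource Publication
Purpose: Uses the Web Services on Devices (WSD) protocol to publish network devices (such as printers and scanners) and let other devices discover them.

5985/tcp (wsman)

Service name: Windows Remote Management (WS-Management)
Purpose: This is the Windows remote management framework. It supports standards-based management protocols, lets system administrators configure and manage Windows systems remotely, and is closely tied to PowerShell Remoting.

47001/tcp (winrm)

Service name: Windows Remote Management (WS-Management)
Purpose: Similar to port 5985; provides additional functional support for WinRM, used for remote management.

49664/tcp to 49669/tcp (unknown)

Service name: These ports belong to the RPC dynamic port range and are typically used by the following core Windows services:
Service name: Remote Procedure Call (RPC), DCOM Server Process Launcher, Distributed Transaction Coordinator, or other services that use RPC.
Purpose: These dynamic ports are assigned at random to RPC-based services. For each RPC communication the system dynamically allocates a port from a range, and the specific port numbers change over time and with demand.

If you need the specific service behind each of these dynamic ports, you can use tools such as PowerShell or Netstat to see the services actually running.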

********************************************************************************
Process Explorer v17.06 (procexp64.exe)
Can be used to look up a PID and its place in the process hierarchy.



********************************************************************************
Added 2024-10-28

PowerShell: list only the TCP and UDP endpoints in the Listen or Listening state

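# Merge the Get-NetTCPConnection and Get-NetUDPEndpoint results that are in the Listen or Listening state
$connections = @()

# Running services with their host PID. Get-Service objects carry no process ID, so the
# original filter, Get-Service | Where-Object { $_.Id -eq $_.OwningProcess }, compared
# $null to $null and returned every service for every row.
$services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0"

# Process TCP ports, keeping only those whose State is Listen
$tcpConnections = Get-NetTCPConnection | Where-Object { $_.State -eq "Listen" } | ForEach-Object {
    $conn = $_   # keep the connection; $_ is rebound inside Where-Object below
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $service = $services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }
    [pscustomobject]@{
        Protocol      = "TCP"
        LocalAddress  = $conn.LocalAddress
        LocalPort     = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
        State         = $conn.State
        ProcessId     = $conn.OwningProcess
        ProcessName   = $proc.ProcessName
        FileName      = $proc.Path
        ServiceName   = $service.Name -join ', '
    }
}

# Process UDP ports; every endpoint is treated as being in a LISTENING-like state
$udpConnections = Get-NetUDPEndpoint | ForEach-Object {
    $ep = $_
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $service = $services | Where-Object { $_.ProcessId -eq $ep.OwningProcess }
    [pscustomobject]@{
        Protocol      = "UDP"
        LocalAddress  = $ep.LocalAddress
        LocalPort     = $ep.LocalPort
        RemoteAddress = "*"
        RemotePort    = "*"
        State         = "LISTENING"
        ProcessId     = $ep.OwningProcess
        ProcessName   = $proc.ProcessName
        FileName      = $proc.Path
        ServiceName   = $service.Name -join ', '
    }
}

# Merge the TCP and UDP results (@() keeps the + valid even if one side has a single row)
$connections = @($tcpConnections) + @($udpConnections)

# Output the result
$connections | Format-Table -AutoSize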
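
An added example, not part of the original post: one way to use the listening inventory is to flag listeners that differ from the fresh-install set recorded on this page. The function name Test-ListenerBaseline, the two baseline arrays (copied from the outputs above), the 49152 dynamic-range start (the Windows default) and the port 8080 sample row are assumptions made for illustration.

```powershell
# Fixed-port listeners recorded on this page for one fresh Windows Server 2022
# Standard install; an observation from this post, not an official list.
$BaselineTcp  = 135, 139, 445, 5357, 5985, 47001
$BaselineUdp  = 123, 137, 138, 3702, 5353, 5355
$DynamicStart = 49152   # start of the default Windows dynamic port range

function Test-ListenerBaseline {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Listener        # needs Protocol, LocalAddress, LocalPort
    )
    process {
        $port  = [int]$Listener.LocalPort
        $known = if ($Listener.Protocol -eq 'TCP') { $BaselineTcp } else { $BaselineUdp }

        # Dynamic ports change between boots, so the number alone cannot be
        # baselined; judge those rows by the owning process and service instead.
        if     ($port -ge $DynamicStart) { $class = 'Dynamic' }
        elseif ($port -in $known)        { $class = 'Baseline' }
        else                             { $class = 'Unexpected' }

        # How far the socket is reachable, judged from the bind address.
        if     ($Listener.LocalAddress -in '127.0.0.1', '::1') { $scope = 'Loopback' }
        elseif ($Listener.LocalAddress -in '0.0.0.0', '::')    { $scope = 'AllInterfaces' }
        else                                                   { $scope = 'SingleAddress' }

        [pscustomobject]@{
            Protocol     = $Listener.Protocol
            LocalAddress = $Listener.LocalAddress
            LocalPort    = $port
            Scope        = $scope
            PortClass    = $class
            ProcessName  = $Listener.ProcessName
        }
    }
}

# Constructed sample rows: the first four mirror rows from the outputs above,
# the last one (port 8080, 'example-app') is invented to show an off-baseline hit.
$sample = @(
    [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = '0.0.0.0';         LocalPort = 445;   ProcessName = 'System' }
    [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = '0.0.0.0';         LocalPort = 49664; ProcessName = 'lsass' }
    [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = '127.0.0.1';       LocalPort = 62552; ProcessName = 'svchost' }
    [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = '192.168.128.129'; LocalPort = 137;   ProcessName = 'System' }
    [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = '0.0.0.0';         LocalPort = 8080;  ProcessName = 'example-app' }
)

$report = $sample | Test-ListenerBaseline
$report | Format-Table -AutoSize

# Rows worth reviewing first: off-baseline ports reachable from the network.
$report | Where-Object { $_.PortClass -eq 'Unexpected' -and $_.Scope -ne 'Loopback' } |
    Format-Table -AutoSize
```

To check a live host, pipe the $connections array built by the script above into Test-ListenerBaseline in place of $sample.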

(End)

Related

[Research] Listing all ports open by default on Windows Server 2022: purpose, service name, file name, process name
https://shaurong.blogspot.com/2024/10/windows-port.html

[Research] Which ports does Windows Server 2022 open by default (nmap, netstat, tasklist, powershell)
https://shaurong.blogspot.com/2024/10/windows-server-2022-port-nmap-netstat.html

