How to find which actual application uses port 80 via the System process
Solution 1
We finally found the culprit. In our case, it was the BranchCache service. From what we learned, this service uses TCP port 80 by default, and our IT service didn't change the default configuration. Stopping this service freed the port 80.
We had to manually stop every services on our computer, until we found the service which actually used port 80. This can lead to weird behaviors though, so I'm not fully sure this is the best way to get the information.
Solution 2
If you download the Sysinternals Suite from Microsoft and extract it to somewhere, start the tool TCPCon.exe (or TCPMon) This will ist all the services and processes including PID and tons of other information. If the service is not self-explanatory, upload it to virustotal.com
Solution 3
Run the command;
netsh http show servicestate view=requestq
This will give snapshot of all the HTTP listeners. Find the "Registered URL" containing the port number you are looking for and the PID of the controlling process will be a few lines above it, like my own rogue process here;
Request queue name: Request queue is unnamed.
Version: 2.0
State: Active
Request queue 503 verbosity level: Basic
Max requests: 1000
Number of active processes attached: 1
--> Process IDs:
14035
URL groups:
URL group ID: F80000014000004F
State: Active
Request queue name: Request queue is unnamed.
Properties:
Max bandwidth: inherited
Max connections: inherited
Timeouts:
Timeout values inherited
Number of registered URLs: 1
--> Registered URLs:
HTTP://+:8081/ROGUESERVICE/
Server session ID: F70000011000012D
Version: 2.0
State: Active
Properties:
Max bandwidth: 4294967295
Timeouts:
Entity body timeout (secs): 120
Drain entity body timeout (secs): 120
Request queue timeout (secs): 120
Idle connection timeout (secs): 120
Header wait timeout (secs): 120
Minimum send rate (bytes/sec): 150
Solution 4
I had the same issue, and found my Windows 10 System was running IIS Web Server. I knew that was a possible suspect, but had a hard time finding it. It was in Administrative Tools > Services > World Wide Web Publishing Service.
Related videos on Youtube
Comments
-
Laf almost 2 years
TL;DR
An application is listening on TCP port 80, but the process listed when I run
netstat
orTcpView
from the SysInternals tools isSystem
. I want to know which application is really listening on this port.
I have read this question, and tried running netstat, but it didn't help finding the actual application which uses port 80. The PID it gave me was 4, which corresponds to
System
. If I try to open a browser onlocalhost:80
, it only gives me a basic 404 page ("HTTP Error 404. The requested resource is not found.").I tried using a simple HTTP request via telnet, and I got the following:
HTTP/1.1 400 Bad Request Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Thu, 28 Jul 2016 19:22:42 GMT Connection: close Content-Length: 334 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>Bad Request</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD> <BODY><h2>Bad Request - Invalid Hostname</h2> <hr><p>HTTP Error 400. The request hostname is invalid.</p> </BODY></HTML>
Is there another way to find out which application is blocking my port 80 through the
System
process? I'm using Windows 7.Update
Here's an extract of the output when I run
netstat -anbo | findstr :80
:TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 3900 TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 2876
And it's impossible to start our own HTTP server because port 80 is already in use.
Update2
We found out which application was using the port afterall (see my answer). However, I'm curious to see if anyone has a collection of tricks to speed up the process of finding which application uses a port in the case where it is using it via the System process (and not in the case where a virus is emulating the System process, as suggested by Steven).
-
DavidPostill almost 8 yearsWhat makes you think you actually have something listening on port 80?
-
Laf almost 8 years@DavidPostill see my update.
-
DavidPostill almost 8 yearsDrop the
findstr
. The process name is listed on a different line (the line before) -
Laf almost 8 yearsThe process ID is 4, which corresponds to
System
. If I try to drop thefindstr
call, the process name isCan not obtain ownership information
. -
DavidPostill almost 8 yearsDoes
netsh http show servicestate
show anything interesting? -
DavidPostill almost 8 years
-
-
Laf almost 8 yearsAgain, it only says that the
System
process (PID 4) is using port 80. Is there any way I can find out which application is really using port 80? I would assumed some application is listenening on this port, because before I rebooted my computer I was able to start a web server on port 80, and now after rebooting my computer I can't anymore. The IT Service most probably installed something, and we want to know what exactly. -
Steven almost 8 yearsThats why you want to use the monitor tool. This way you can make sure that System is really located in C:\Windows\System32 and is the original windows process. If that is the case, upload it to virustotal.com and check if its been modified.
-
Laf almost 8 yearsOh, now I get what you meant! We finally found out what it was (some sort of File Sharing service by Microsoft that was installed and improperly confirgured by the IT) by stopping all services one by one. I'll post an answer once I get the service's name, but I think your answer is pretty good.
-
Captain Hypertext over 6 yearsYou sir, made my day. The latest Windows update enabled this and broke my Apache all morning.
-
peterh over 4 yearsI am not sure how this answer the question. What is the guarantee that IIS sits on port 80?
-
THE JOATMON over 4 yearsI love you so much.