The 'System' process is listening on port 443, and I can't find what service is causing this


Solution 1

It turns out I had the "Work Folders" feature installed. This caused at least one of these two services to run:

  • File Server Storage Reports Manager
  • Remote Registry

So, anyone else facing this issue could also check for that. And of course all the other services mentioned in "Why is the 'System' process listening on port 443?".

Solution 2

If a Windows Service isn't the culprit (which the netstat -ao almost certainly would have revealed), it could be a kernel module or the Windows executive (kernel) itself listening on that port. In that case, the chances of it being a virus increase slightly, since that's a fairly uncommon thing for a kernel to do.

Try grabbing Kernel Mode Drivers Manager and take a peek under the hood. Check for anything that looks fishy.

If you're not sure, a few common tactics can include:

  • Right-click and Open Containing Folder on the file in question; if it's part of a legit program, it'll probably be somewhere in Program Files in a well-known product's location, or in the Windows folder. If it's in the Windows folder, you might want to google the name of it to make sure rootkits haven't historically tried to attack that file by embedding themselves within it, and search for the MD5 sum, to see if anyone else has posted that MD5 sum before.
  • Or upload it to VirusTotal if you're not sure.
  • Inspect file metadata and check for typos or strange created/modified dates that are very different from other dates in the rest of your driver list.

Also try exploring more than one virus scanner or rootkit detecting program. The one you already have installed on your system might have missed it.

If you still have no luck, as a last resort you can try putting a hardware firewall downstream of the box and get it to capture traffic on port 443. Monitor it for a couple days/weeks and program it to alert you if anything happens there, ideally. If nothing is sent or received over the port, it's probably just some device driver's management port (though possibly a backdoor that can be easily hacked, even if it is legit) and there's not much you can do.

Are you running Internet Information Server (IIS)? If all of the above doesn't really clear it up, and you are running IIS, try temporarily turning it off, and see if the symptom goes away.
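
The checks listed above (file location, an MD5 to search for, created/modified dates) can be gathered for every running kernel driver in one pass. This is an added PowerShell example, not code from the answer; the signature status column is an extra signal it adds, and the folder list is an assumption about where legitimate drivers normally live.

```powershell
# Added example, not from the answer. Run in an elevated PowerShell session.
# Assumption: legitimate drivers live under these folders.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes as \??\C:\..., \SystemRoot\..., or System32\...
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^System32\\')      { $p = Join-Path $env:SystemRoot $p }
    $p
}

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver -Filter "State='Running'") {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $drv.Name; Path = $path; Signature = 'FileNotFound' }
        continue
    }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $root = $expectedRoots |
        Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    [pscustomobject]@{
        Name         = $drv.Name
        Path         = $path
        Signature    = "$($sig.Status)"
        Signer       = $sig.SignerCertificate.Subject
        Created      = $file.CreationTime
        Modified     = $file.LastWriteTime
        MD5          = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        ExpectedRoot = [bool]$root
    }
}

# Review first: anything unsigned, missing on disk, or outside the expected folders.
$report | Where-Object { $_.Signature -ne 'Valid' -or -not $_.ExpectedRoot } |
    Format-List Name, Path, Signature, Signer, Created, Modified, MD5

# Then scan the dates: the newest files sort to the top, so outliers stand out.
$report | Sort-Object Created -Descending |
    Select-Object -First 15 -Property Name, Created, Modified, Signature |
    Format-Table -AutoSize
```

On older PowerShell versions, catalog-signed inbox drivers can report NotSigned, so treat that status as a prompt to look closer at the file rather than as a verdict.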


Author: Wouter

Updated on September 18, 2022

Comments

  • Wouter over 1 year

    I am running Windows Server 2012 R2.

    When I run Process Explorer (as Administrator) I can see that the System process is listening on port 443. More specifically, it shows the following:

    • Protocol: TCPV6
    • LocalAddress: [0:0:0:0:0:0:0:0]:443
    • Remote Address: [0:0:0:0:0:0:0:0]:0
    • State: LISTENING

    There is no entry for TCP 443, only for TCPV6.

    In my running services, I have checked for all the usual suspects mentioned in the other posts concerning this issue. Below you can find an overview of the services running on this system:

    Application Experience
    Application Host Helper Service
    Application Information
    Background Intelligent Transfer Service
    Background Tasks Infrastructure Service
    Base Filtering Engine
    ccmsetup
    Certificate Propagation
    COM+ Event System
    Cryptographic Services
    DCOM Server Process Launcher
    Dell SupportAssist Service
    Dell Update Service
    DHCP Client
    Diagnostic Policy Service
    Diagnostics Tracking Service
    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    DSM Essentials DA Service
    DSM Essentials Host Service
    DSM Essentials Task Manager
    DSM SA Connection Service
    DSM SA Data Manager
    DSM SA Event Manager
    DSM SA Shared Services
    File Server Resource Manager
    Group Policy Client
    IKE and AuthIP IPsec Keying Modules
    IP Helper
    IPsec Policy Agent
    Local Session Manager
    Microsoft iSCSI Initiator Service
    Microsoft Software Shadow Copy Provider
    Modular Disk Storage Manager Agent
    Modular Disk Storage Manager Event Monitor
    Netlogon
    Network Connections
    Network List Service
    Network Location Awareness
    Network Store Interface Service
    Plug and Play
    Power
    Print Spooler
    Remote Desktop Configuration
    Remote Desktop Services
    Remote Desktop Services UserMode Port Redirector
    Remote Procedure Call (RPC)
    RPC Endpoint Mapper
    Security Accounts Manager
    Server
    Shell Hardware Detection
    Smart Card Device Enumeration Service
    SNMP Service
    System Event Notification Service
    System Events Broker
    Task Scheduler
    TCP/IP NetBIOS Helper
    Themes
    TSM Client Scheduler
    User Access Logging Service
    User Profile Service
    Volume Shadow Copy
    Windows Connection Manager
    Windows Event Log
    Windows Firewall
    Windows Font Cache Service
    Windows Management Instrumentation
    Windows Modules Installer
    Windows Remote Management (WS-Management)
    Windows Sync Share
    Windows Time
    Windows Update
    WinHTTP Web Proxy Auto-Discovery Service
    Workstation
    

    Other analysis options that I have tried:

    • netstat -ao: This shows the same information as Process Explorer. System, with PID 4, is listening on port 443.
    • wmic process: PID 4 is System... no further information.
    • Opening a browser to localhost:443, or a raw PuTTY session doesn't work.

    Any suggestions are welcome...

    • Wouter about 7 years
      I explicitly mentioned that service "Routing and RAS" and Skype are not running, and that wmic process and netstat -ao did not solve my problem, so although the symptoms are identical, the cause cannot be the same.
    • Wouter about 7 years
      As mentioned in my answer, this is indeed somewhat of a duplicate. This is an issue that can have many different (yet similar) causes. It would be best if all these questions, and answers, get collapsed into one overview.
  • Wouter about 7 years
    The World Wide Web? I don't see that service in my list of running services. Do you mean "WinHTTP Web Proxy Auto-Discovery Service"? I already tried disabling that one, didn't fix it.
  • moonpoint about 7 years
    As you found, the "WinHTTP Web Proxy Auto-Discovery Service" doesn't listen on port 443. Web Proxy Auto-Discovery (WPAD), instead, provides a means for a system to automatically configure itself to use a web proxy server.
  • Wouter about 7 years
    Great debugging suggestions. Unfortunately (or luckily) I won't have to try them, since I found the cause... I'll post it as an answer.
  • moonpoint about 7 years
    Though it was not the culprit on your server, I noticed you had Windows Remote Management (WS-Management) among the running services. Microsoft notes at "Installation and Configuration for Windows Remote Management", in regards to the value for EnableCompatibilityHttpsListener: "Specifies whether the compatibility HTTPS listener is enabled. If this setting is True, the listener will listen on port 443 in addition to port 5986. The default is False."
  • Wouter about 7 years
    Nice catch, that could indeed be useful for other people facing this.
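
Services such as WinRM take their HTTP(S) ports through the kernel HTTP driver (HTTP.sys), which is why netstat and Process Explorer attribute the socket to System (PID 4) instead of to the service. The following PowerShell is an added example, not code from anyone in this thread: it reads the WinRM setting quoted in the comments and maps each URL registered on port 443 back to the user-mode processes and services behind it. It assumes the listener is an HTTP.sys registration and that netsh prints English output.

```powershell
# Added example, not from the thread. Run elevated. The netsh parsing assumes English output.
$port = 443

# 1. Confirm the listener. OwningProcess 4 is the System process.
Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize

# 2. The WinRM compatibility listener (True means WinRM also listens on 443).
try {
    $item = Get-Item -Path WSMan:\localhost\Service\EnableCompatibilityHttpsListener -ErrorAction Stop
    "WinRM EnableCompatibilityHttpsListener = $($item.Value)"
} catch {
    "WinRM setting not readable: $($_.Exception.Message)"
}

# 3. HTTP.sys request queues: pair each URL registered on the port with the
#    process IDs attached to the queue that owns it.
$queuePids = @()
$registrations = foreach ($line in (netsh http show servicestate view=requestq)) {
    if ($line -match 'processes attached:') {
        $queuePids = @()                      # a new request queue starts here
    } elseif ($line -match '^\s*(?:ID:\s*)?(\d+)(?:,.*)?\s*$') {
        $queuePids += [int]$Matches[1]        # "1234" or "ID: 1234, image: ..."
    } elseif ($line -match "^\s*(https?://\S+?:$port/\S*)") {
        [pscustomobject]@{ Url = $Matches[1]; ProcessIds = @($queuePids) }
    }
}

# 4. Name the services hosted in those processes. A shared svchost.exe can
#    host several services, so more than one name may appear per URL.
$services = Get-CimInstance Win32_Service -Filter "State='Running'"
foreach ($reg in $registrations) {
    $names = $services | Where-Object { $reg.ProcessIds -contains $_.ProcessId } |
        ForEach-Object { $_.DisplayName }
    [pscustomobject]@{
        Url      = $reg.Url
        Pids     = $reg.ProcessIds -join ','
        Services = $names -join '; '
    }
}
```

If step 3 returns no registrations for the port, the listener was not created through HTTP.sys, and the driver-level checks from Solution 2 are the next place to look.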