The 'System' process is listening on port 443, and I can't find what service is causing this
Solution 1
It turns out I had the "Work Folders" feature installed. This caused at least one of these two services to run:
- File Server Storage Reports Manager
- Remote Registry
So, anyone else facing this issue could also check for that. And of course all the other services mentioned in Why is the 'System' process listening on port 443?.
Solution 2
If a Windows Service isn't the culprit (which the netstat -ao almost certainly would have revealed), it could be a kernel module or the Windows executive (kernel) itself listening on that port. In that case, the chances of it being a virus increase slightly, since that's a fairly uncommon thing for a kernel to do.
Try grabbing Kernel Mode Drivers Manager and take a peek under the hood. Check for anything that looks fishy.
If you're not sure, a few common tactics can include:
- Right-click and Open Containing Folder on the file in question; if it's part of a legit program, it'll probably be somewhere in Program Files in a well-known product's location, or in the Windows folder. If it's in the Windows folder, you might want to google the name of it to make sure rootkits haven't historically tried to attack that file by embedding themselves within it, and search for the MD5 sum, to see if anyone else has posted that MD5 sum before.
- Or upload it to VirusTotal if you're not sure.
- Inspect file metadata and check for typos or strange created/modified dates that are very different from other dates in the rest of your driver list.
Also try exploring more than one virus scanner or rootkit detecting program. The one you already have installed on your system might have missed it.
If you still have no luck, as a last resort you can try putting a hardware firewall downstream of the box and get it to capture traffic on port 443. Monitor it for a couple days/weeks and program it to alert you if anything happens there, ideally. If nothing is sent or received over the port, it's probably just some device driver's management port (though possibly a backdoor that can be easily hacked, even if it is legit) and there's not much you can do.
Are you running Internet Information Server (IIS)? If all of the above doesn't really clear it up, and you are running IIS, try temporarily turning it off, and see if the symptom goes away.
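The driver checks listed in Solution 2 (file location, hash to search for, created/modified dates), as an added PowerShell example that is not part of the original answer. The `$expectedRoots` list and the report column names are assumptions of this example.

```powershell
# Run from an elevated PowerShell session on the server being examined.
# $expectedRoots is an assumption of this example: adjust it to your build.
$expectedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $drv  = $_
        # PathName can be quoted or carry the NT "\??\" prefix; normalise it.
        $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', ''
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $file) {
            # A running driver whose file cannot be opened deserves a manual look.
            Write-Warning "Cannot open $path ($($drv.Name))"
            return
        }

        $inExpected = $false
        foreach ($root in $expectedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inExpected = $true
            }
        }

        [pscustomobject]@{
            Name       = $drv.Name
            Path       = $path
            InExpected = $inExpected
            Signature  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            MD5        = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Created    = $file.CreationTimeUtc
            Modified   = $file.LastWriteTimeUtc
        }
    }

# Drivers outside the expected folders, or without a valid embedded signature.
# Catalog-signed in-box drivers may show as NotSigned on older PowerShell
# versions, so treat Signature as a lead to follow up, not a verdict.
$report | Where-Object { -not $_.InExpected -or $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending | Format-List

# Full list ordered by modification time, to spot dates that differ from the rest.
$report | Sort-Object Modified | Format-Table Name, Created, Modified, Path -AutoSize
```

The MD5 and SHA256 columns are the values to search for or look up on VirusTotal before uploading any file.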
Wouter
Updated on September 18, 2022
Comments
-
Wouter over 1 year
I am running Windows Server 2012 R2. When I run Process Explorer (as Administrator) I can see that the System process is listening on port 443. More specifically, it shows the following:
- Protocol: TCPV6
- LocalAddress: [0:0:0:0:0:0:0:0]:443
- Remote Address: [0:0:0:0:0:0:0:0]:0
- State: LISTENING
There is no entry for TCP 443, only for TCPV6.
In my running services, I have checked for all the usual suspects mentioned in the other posts concerning this issue. Below you can find an overview of the services running on this system:
Application Experience
Application Host Helper Service
Application Information
Background Intelligent Transfer Service
Background Tasks Infrastructure Service
Base Filtering Engine
ccmsetup
Certificate Propagation
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
Dell SupportAssist Service
Dell Update Service
DHCP Client
Diagnostic Policy Service
Diagnostics Tracking Service
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
DSM Essentials DA Service
DSM Essentials Host Service
DSM Essentials Task Manager
DSM SA Connection Service
DSM SA Data Manager
DSM SA Event Manager
DSM SA Shared Services
File Server Resource Manager
Group Policy Client
IKE and AuthIP IPsec Keying Modules
IP Helper
IPsec Policy Agent
Local Session Manager
Microsoft iSCSI Initiator Service
Microsoft Software Shadow Copy Provider
Modular Disk Storage Manager Agent
Modular Disk Storage Manager Event Monitor
Netlogon
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Plug and Play
Power
Print Spooler
Remote Desktop Configuration
Remote Desktop Services
Remote Desktop Services UserMode Port Redirector
Remote Procedure Call (RPC)
RPC Endpoint Mapper
Security Accounts Manager
Server
Shell Hardware Detection
Smart Card Device Enumeration Service
SNMP Service
System Event Notification Service
System Events Broker
Task Scheduler
TCP/IP NetBIOS Helper
Themes
TSM Client Scheduler
User Access Logging Service
User Profile Service
Volume Shadow Copy
Windows Connection Manager
Windows Event Log
Windows Firewall
Windows Font Cache Service
Windows Management Instrumentation
Windows Modules Installer
Windows Remote Management (WS-Management)
Windows Sync Share
Windows Time
Windows Update
WinHTTP Web Proxy Auto-Discovery Service
Workstation
Other analysis options that I have tried:
- netstat -ao: This shows the same information as Process Explorer. System, with PID 4, is listening on port 443.
- wmic process: PID 4 is System... no further information.
- Opening a browser to localhost:443, or a raw PuTTY session doesn't work.
Any suggestions are welcome...
-
Wouter about 7 years
I explicitly mentioned that service "Routing and RAS" and Skype are not running, and that wmic process and netstat -ao did not solve my problem, so although the symptoms are identical, the cause can not be the same.
-
Wouter about 7 years
As mentioned in my answer, this is indeed somewhat of a duplicate. This is an issue that can have many different (yet similar) causes. It would be best if all these questions, and answers, get collapsed into one overview.
-
Wouter about 7 years
The World Wide Web? I don't see that service in my list of running services. Do you mean "WinHTTP Web Proxy Auto-Discovery Service"? I already tried disabling that one, didn't fix it.
-
moonpoint about 7 years
As you found, the "WinHTTP Web Proxy Auto-Discovery Service" doesn't listen on port 443. Web Proxy Auto-Discovery (WPAD), instead, provides a means for a system to automatically configure itself to use a web proxy server.
-
Wouter about 7 years
Great debugging suggestions. Unfortunately (or luckily) I won't have to try them, since I found the cause... I'll post it as an answer.
-
moonpoint about 7 years
Though it was not the culprit on your server, I noticed you had Windows Remote Management (WS-Management) among the running services. Microsoft notes at Installation and Configuration for Windows Remote Management in regards to the value for EnableCompatibilityHttpsListener: "Specifies whether the compatibility HTTPS listener is enabled. If this setting is True, the listener will listen on port 443 in addition to port 5986. The default is False."
Wouter about 7 years
Nice catch, that could indeed be useful for other people facing this.
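An added PowerShell example (not from any of the posts above) that ties the thread's checks together: the listener lookup from the question, the WinRM setting quoted in the comments, and the kernel HTTP stack (HTTP.sys), which holds port 443 as PID 4 on behalf of user-mode services. The HTTP.sys check goes beyond what the thread covers, and the parsing assumes English-language `netsh` output with the "Request queue name" / "Process IDs" layout.

```powershell
# Run from an elevated PowerShell session.
$port = 443

# 1. Same data as "netstat -ao": listening sockets on the port and the owning PID.
Get-NetTCPConnection -LocalPort $port -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. WinRM compatibility listener (True means WinRM also listens on 443).
Get-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener |
    Select-Object Name, Value

# 3. HTTP.sys request queues: which user-mode processes registered a URL on the port.
$queue = $null; $queuePids = @(); $inPids = $false
$hits = foreach ($line in (netsh http show servicestate view=requestq)) {
    if ($line -match '^\s*Request queue name:\s*(.*)$') {
        $queue = $Matches[1]; $queuePids = @(); $inPids = $false
    }
    elseif ($line -match '^\s*Process IDs:') { $inPids = $true }
    elseif ($inPids -and $line -match '^\s+(\d+)\s*$') { $queuePids += [int]$Matches[1] }
    else {
        $inPids = $false
        if ($line -match "^\s+(https?://\S*:$port/\S*)") {
            [pscustomobject]@{ Url = $Matches[1]; Queue = $queue; ProcessIds = $queuePids }
        }
    }
}
$hits | Format-Table Url, Queue, ProcessIds -AutoSize

# 4. Map each process ID found above to the Windows services hosted in it.
foreach ($procId in ($hits.ProcessIds | Sort-Object -Unique)) {
    Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
        Select-Object ProcessId, Name, DisplayName, State
}
```

If step 3 returns nothing for the port while step 1 still shows PID 4 listening, the listener was not registered through HTTP.sys and the driver review suggested in Solution 2 is the next step.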