Which port is used for running schtasks.exe in a remote computer?

Question

I was trying to extract the list of scheduled tasks in a number of remote computers, and found this schtasks.exe. I put this inside a powershell script and run against a list of servers, and almost 80% of the servers returned the results. This was the command I used.

$Output = & schtasks.exe /query /v /s $Server /fo csv 2>&1

I am wondering which port it used to connect to the remote computer and extracted the data, because this is a very controlled environment with non standard ports are not open. I also need to find out why the 20% of servers failed, perhaps some port is not open there ? I understand from here that powershell remote uses TCP/5985 = HTTP and TCP/5986 = HTTPS, but from what i checked, these ports are not open.

Answer 1

Using procmon from sysinternals shows that schtasks uses the epmap port.

epmapis port 135 (Endpoint Mapper). After that, the conversation seems to continue on a newly created connection at port 49154. Repeating the excercise always uses port 49154 so I assume that schtasks needs port 135 and 49154 to be able to get a response from a remote server.

Edit _{cudo's to Barry}

schtasks.exe definitely connects via port 135, then uses a dynamic port ranging from 49152 to 65535, source docs.microsoft.com/en-us/troubleshoot/windows-server/networking/…. What I've observed is that it will consistently use one port for a while, and then for reasons that I haven't discovered it will start using another port