How to know who is listening to port 80 on Windows in multihomed case?

3

1

How to know who is listening to port 80 on Windows?

Don't suggest to use

netstat -aon | findstr :80

because it reports the PID of NT Kernel & System, which is useless information.

I need to know the exact name of the component in order to control it.

Dims

Posted 2014-03-10T08:34:32.593

Reputation: 8 464

Question was closed 2014-03-14T03:32:44.870

Well, if http.sys is used, you probably have no chance to find out. – Daniel B – 2014-03-10T08:41:10.543

What is http.sys? Is it a part of IIS? – Dims – 2014-03-10T08:42:02.497

http.sys is the Windows Kernel Mode HTTP Engine. It can be used by many programs at the same time, with each listening for requests to a "subdirectory". For .NET, there's the HttpListener class. IIS also uses http.sys. – Daniel B – 2014-03-10T08:51:51.910

… and http://superuser.com/questions/465529/ and http://superuser.com/questions/43307/. – JdeBP – 2014-03-10T09:04:21.080

Answers

6

Well, let's make it an answer.

What you're seeing is most likely the result of a program using http.sys, the Windows Kernel Mode HTTP Engine introduced in Windows Server 2003 (and XP?). It allows developers to circumvent the limitation that a listening port can only be served by one program at a time. With http.sys, a program registers a namespace, e.g. http://192.168.1.2:80/abc. The program now receives all requests beginning with the registered namespace. At the same time, another program could listen at http://192.168.1.2:80/xyz.

Another side-effect is that even "non-root" programs can listen on port 80, provided that a one-time setup has been completed.

Naturally, Microsoft didn't develop this because it's all fun and games. Internet Information Services (IIS) uses http.sys for listening. So this is a likely candidate in your case.

If no program has currently registered namespaces, http.sys stops listening.

netsh http show servicestate should be able to enumerate all active namespaces.

Daniel B

Posted 2014-03-10T08:34:32.593

Reputation: 40 502

The command above shows process id, so you can find out which exe is listening. – tjleigh – 2017-01-20T10:52:26.167

You mention the example of http://192.168.1.2:80/helloworld for program A vs http://192.168.1.200:80/helloworld for B, where the IP address (not the path) is different between program A and B. Is this the intended difference, rather than /helloworld vs /somethingelse? – MicroVirus – 2019-04-15T09:57:39.337

@MicroVirus You’re right, I updated the example. Of course, http.sys does both: The host and port are also part of the registration. – Daniel B – 2019-04-15T13:13:26.420

Is it possible to list registrations in http.sys? – Dims – 2014-03-10T09:06:45.780

I've updated the answer to include a command that seems to accomplish this. – Daniel B – 2014-03-10T10:51:24.523
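
The lookup described in the answer and in tjleigh's comment, as an added example (not code from the answer or from Microsoft): a Python parser that maps each URL registered with http.sys on a given port to the process IDs attached to its request queue. The sample text is constructed, and its layout (English-locale output of `netsh http show servicestate view=requestq`, abridged) is an assumption.

```python
import re

# Constructed sample (not from the page), laid out as assumed for
# `netsh http show servicestate view=requestq` on an English-locale system.
SAMPLE = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        4321
    URL groups:
    URL group ID: FD00000040000001
            Registered URLs:
                HTTP://+:80/REPORTS/
                HTTPS://+:8443/ADMIN/

Request queue name: DefaultAppPool
    Process IDs:
        5678
    URL groups:
    URL group ID: FD00000040000002
            Registered URLs:
                HTTP://*:80/
"""

# scheme://host:port/path, where host may be +, *, a name or a bracketed IPv6 literal
URL_RE = re.compile(r"^(https?)://([^/]+?):(\d+)(/.*)?$", re.I)

def registrations(text, port):
    """Return [(url, queue_name, [pids])] for URLs registered on `port`."""
    found, queue, pids, section = [], None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):   # unindented: a new queue begins
            queue, pids, section = line.split(":", 1)[1].strip(), [], None
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            pids.append(int(line))
        elif section == "urls" and (m := URL_RE.match(line)):
            if int(m.group(3)) == port:
                found.append((line, queue, list(pids)))
        elif line:                                   # any other field ends the list
            section = None
    return found

if __name__ == "__main__":
    for url, queue, pids in registrations(SAMPLE, 80):
        print(f"{url}  queue={queue!r}  pids={pids}")
```

Each PID returned can then be resolved to an executable name with `tasklist /FI "PID eq <pid>"`.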

2

You can try TcpView, but if it's in fact in the kernel (as in - a socket opened by a driver), then there's really no way of telling what exactly controls the socket. That's even if you use something like ProcMon to do the boot tracing and capture the exact moment of a socket getting bound to tcp/80. What you need is a variation of ProcMon that would also capture a stack trace for each event and I haven't seen a tool like this.

But try TcpView first. Chances are that it's actually a user-space service that you are after and not a kernel component.

Angstrom

Posted 2014-03-10T08:34:32.593

Reputation: 610

TcpView shows a very long list with some IPs represented in IPv6 format. There isn't any way to catch a specific one. – Dims – 2014-03-10T08:45:46.433