Sysinternals TCPView Reveals Port Activities

One of the many things I do for a living is to develop and revise courseware for a local Austin company that provides “Learning Centers” for all kinds of Fortune 500 companies. This includes some companies whose high tech products and business activities overlap with my interests and expertise. Right now, I’m hot on the track of revising a course on spam and spyware that somebody else developed back in 2004. Among other things this means revising statistics, information, and tools supplied during Windows XP’s heyday, and updating them to reflect an increasingly Windows Vista world in 2008.

It’s as true today, however, as it was in 2004 that keeping track of TCP and UDP ports in use on your PC can tell you what’s up with your machine, network-wise. It’s even the case that unexpected or unwanted behavior can manifest in the form of strange or unknown process names, odd communications behaviors, and unexpected or insecure open ports on your machine.

That’s where the Microsoft Sysinternals tool TCPView comes into play. This nifty nonpareil from Mark Russinovich shows all TCP and UDP ports that are open on any Windows system on which it is run, with some nice animations. Ports turn red just prior to being closed, green as they pop up while being created, yellow when creation is pending, and blue for whatever entry you may choose to highlight yourself for further inspection. You can right-click any such entry to call up related Process Properties (warning: you’ll have to use the Run as administrator option to launch this program if you want to see as much as possible while making use of this facility).

The best way to use TCPView is to keep it open where you can see it on the desktop while opening and closing programs, navigating around on Web sites, and so forth. This will show you exactly what’s happening with your system’s communication at one-second intervals (TCPView’s default refresh rate). I find this works best on a system with a big display, or multiple displays, so you have enough room for application windows and TCPView itself to be open and visible. The information you’ll get is useful enough to make it worth hooking up an extra monitor while investigation or troubleshooting is underway.

Basic TCP/IP view display

TCPView shows all processes with associated TCP or UDP ports open, and provides connection status for TCP.

I’ve been using this tool for over 5 years now, and have found it extremely helpful when trying to see what’s up on my system, network-wise. If you should ever suspect malware or spyware lurking on your system, chances are also pretty good that you’ll see some kind of unexpected network communications on your machine, in the context of a spoofed process (valid process name, invalid location) or a known malign process. But please, be careful with Vista processes: although you’ll find plenty of dire warnings on the web about a process named wininit.exe associated with a Trojan, it’s not only a necessary process, but if you kill it you will instantly bluescreen your PC. As you investigate processes, it’s best to stick to one of the well-known process libraries to check their authenticity for Vista, such as,, or

TCPView uses colors to indicate current port activity

Green means “just opened,” yellow “ready to open,” red “ready to close,” and blue represents a user-selected entry.

TCPView will also show you instantly what well-known port addresses (numbered 0 – 1023) are in use on your machine. You can check any of the port numbers you see by typing UDP xxx or TCP yyy into Google, and then digging into those results. Vista users will probably be surprised to see some TCPv6 and UDPv6 ports in use on their machines, even though they may not be actively using IPv6 on their PCs. Even with IPv6 disabled, however, you’ll still see some IPv6 action on Vista machines to service tunnel interfaces (IPv4 –> IPv6 and IPv6 –> IPv4) and the IPv6 loopback interface.

But whether your aims are investigatory (to see what TCP/IP is up to on your PC), diagnostic (to troubleshoot TCP/IP access or connectivity issues), or to hunt down spyware or malware, you’re likely to find TCPView a useful aid. It’s much easier to use (and see and understand) than netstat, but it does pretty much the same things, with nice hooks into related Windows processes.
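Since TCPView covers much the same ground as netstat, the well-known-port check described above can also be scripted. The following is an added example, not part of the original post: it parses `netstat -ano` output (the sample text is constructed, not captured from a real host) and lists the well-known ports that are open along with the owning PID. The function names and the "v6" suffix on the protocol are choices made for this example.

```python
# Constructed sample of `netstat -ano` output (not from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       560
  TCP    192.168.1.10:49201     203.0.113.5:443        ESTABLISHED     2312
  TCP    [::]:135               [::]:0                 LISTENING       888
  UDP    0.0.0.0:500            *:*                                    1044
  UDP    [::1]:1900             *:*                                    1500
"""

def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner, column header and blank lines
        if parts[0] == "UDP" and len(parts) == 4:
            # UDP rows have no State column: Proto, Local, Foreign, PID
            proto, local, remote, pid = parts
            state = ""
        elif len(parts) == 5:
            proto, local, remote, state, pid = parts
        else:
            continue  # unrecognised layout, ignore rather than guess
        # rpartition splits on the last colon, so "[::1]:1900" keeps its address intact
        host, _, port = local.rpartition(":")
        # netstat prints TCP/UDP for both families; the v6 suffix is this example's label
        family = "v6" if host.startswith("[") else ""
        rows.append({"proto": proto + family, "addr": host, "port": int(port),
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows

def well_known_open(rows):
    """TCP listeners and bound UDP sockets on well-known ports (0-1023)."""
    return sorted({(r["proto"], r["port"], r["pid"]) for r in rows
                   if r["port"] <= 1023
                   and (r["state"] == "LISTENING" or r["proto"].startswith("UDP"))})

if __name__ == "__main__":
    for proto, port, pid in well_known_open(parse_netstat(SAMPLE)):
        print(f"{proto:6} port {port:<5} PID {pid}")
```

The PID column can then be matched against the process list to confirm the owning executable's name and location.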

