Need Ownership Information In Netstat

Question

I realize computer and code is very detailed, one little character could mess the real meaning up.

I really feel that there should be a script of code that should be patch on "Can not obtain owner information" in a Netstat -a -n -o run.

I have run Wireshark and in the Loopback I'm getting the loopback address of 127.0.0.1 that which is normal but it is connecting to a port 5037 which is a way to be a remote, I think part of my computer. That is an Android device.

I ran Netstat -a -n -o and I was offline. I had an active Time_Wait/Listening connection to 127.0.0.1 and it had a port of 135, then underneath this area it said "Can not obtain owner information".

Whoever is using this 127.0.0.1, since I am offline, Wireless settings in the Bios are disabled. No ethernet to my computer how is it possible for me to be getting traffic on this 127.0.0.1:135 Time_Wait/Listening when I run the Netstat. I have not tried to do both at the same time and or run in Netstat in intervals.

Help on this matter would be greatly appreciated

Answer 1

Hello @71LoveTech

To answer your query kindly check this link.

https://social.technet.microsoft.com/Forums/en-US/b286dcc3-75b9-4cf3-aa42-5ae1c7bff09c/the-list-of-open-ports-the-process-and-the-name-of-the-service

Scroll down to the bottom and look at the Power shell script. It shows the listeners, process names, and the service name if one exists.

To see if I could parse that output and possible incorporate it into the ShowListeners.ps1 script. I just left it as a second script. This may show you some of the "ownership information".

This is "work in progress" script.

1. Script: ShowSystemListeners.ps1

2. Author: MotoX80

3. cls
4. $r = (netsh.exe http show servicestate view=requestq) -join "" # make it one long string
5. $r = $r -replace " Request queue name", "============" # we only want these that are not indented
6. $ra = $r -split "Request queue name: " # create an array of each entry to be processed
7. $idx = 1 # skip over header
   8.while ($idx -lt $ra.count) {
8. $tf = $ra[$idx] -match '(Process IDs:).*(URL groups:)'
9. if ($tf) {

10. $matches[0] # uncomment to see what we found.

11. } else {

12. "No pids???" # we didn't find the headings. not sure what kind of entry this is.

13. $idx++ # go to next entry
14. continue
15. }
16. 18. $ids = $matches[0].split(" ") # get pids, but we only process the first one. I have not seen 2 pids on my machine
17. $p = ($ids -match "^\d+$")[0]
18. if ($p -eq $null) {

19. "No pids2???"

20. $tf = $ra[$idx] -match '(Controller process ID:).*(Process IDs:)'
21. if ($tf) {
    24.#$matches[0] # uncomment to see what we found.
22. } else {

23. "No pids???" # we didn't find the headings. not sure what kind of entry this is.

24. $idx++ # go to next entry
25. continue
26. }
28. $ids = $matches[0].split(" ") # get pids
29. $p = ($ids -match "^\d+$")[0] # our pid

30. 35. $idx++ # I think that each listener must have a controlling pid

31. break

32. continue

33. }
34. "======================== $idx ======================================================================="
35. 41. $tf = $ra[$idx] -match '(Registered URLs:).*(Server session)'42.
36. if ($tf) {

37. $matches[0]

38. } else {
39. "No HTTP addresses???"

40. $ra[$idx]

41. $idx++

42. continue

43. }
44. $http = $matches[0].split(" ")
45. $http -match ':/'
46. ""
47. "Process ID: $p"
48. 55. $s = Get-CimInstance win32_service -FIlter "ProcessId=$p"
49. ""
50. (Get-Process -Id $p -IncludeUserName| Format-List -Property Path, company, Description, Username | Out-String).trim()
51. "ComandLine : {0}" -f (Get-CimInstance win32_process -FIlter "ProcessId=$p").Commandline
52. ""
53. if ($s) {
54. (Get-Service -Name $No HTTP addresses???"

55. $ra[$idx]

56. $idx++

57. continue

58. }
59. $http = $matches[0].split(" ")
60. $http -match ':/'
61. ""
62. "Process ID: $p"
63. 55. $s = Get-CimInstance win32_service -FIlter "ProcessId=$p"
64. ""
65. (Get-Process -Id $p -IncludeUserName| Format-List -Property Path, company, Description, Username | Out-String).trim()
66. "ComandLine : {0}" -f (Get-CimInstance win32_process -FIlter "ProcessId=$p").Commandline
67. ""
68. if ($s) {
69. (Get-Service -Name $No HTTP addresses???"

70. $ra[$idx]

71. $idx++

72. continue

73. }
74. $http = $matches[0].split(" ")
75. $http -match ':/'
76. ""
77. "Process ID: $p"
78. 55. $s = Get-CimInstance win32_service -FIlter "ProcessId=$p"
79. ""
80. (Get-Process -Id $p -IncludeUserName| Format-List -Property Path, company, Description, Username | Out-String).trim()
81. "ComandLine : {0}" -f (Get-CimInstance win32_process -FIlter "ProcessId=$p").Commandline
82. ""
83. if ($s) {
84. (Get-Service -Name $"Process ID: $p"
85. 55. $s = Get-CimInstance win32_service -FIlter "ProcessId=$p"
86. ""
87. (Get-Process -Id $p -IncludeUserName| Format-List -Property Path, company, Description, Username | Out-String).trim()
88. "ComandLine : {0}" -f (Get-CimInstance win32_process -FIlter "ProcessId=$p").Commandline
89. ""
90. if ($s) {
91. (Get-Service -Name $"Process ID: $p"
92. 55. $s = Get-CimInstance win32_service -FIlter "ProcessId=$p"
93. ""
94. (Get-Process -Id $p -IncludeUserName| Format-List -Property Path, company, Description, Username | Out-String).trim()
95. "ComandLine : {0}" -f (Get-CimInstance win32_process -FIlter "ProcessId=$p").Commandline
96. ""
97. if ($s) {
98. (Get-Service -Name $if ($s) {
99. (Get-Service -Name $if ($s) {
100. (Get-Service -Name $s.name | Format-Table -AutoSize | Out-String).trim()
101. ""
102. }
103. 65. $idx++
104. }

--
If the Answer is helpful, please click "Accept Answer" and upvote it.