Windows portqry

I haven't seen this mentioned on here before but I was reading an article in one of my many monthly periodicals and a guy was looking for a way to query UDP ports were running on a server.

Well there is a cool utility called portqry that you can download from Microsoft, throw it into your c:\windows folder and run it

you can download it here

Here is the info on it

Code:

---

Displays the state of TCP and UDP ports


Command line mode:  portqry -n name_to_query [-options]
Interactive mode:  portqry -i [-n name_to_query] [-options]
Local Mode:        portqry -local | -wpid pid| -wport port [-options]

Command line mode:

portqry -n name_to_query [-p protocol] [-e || -r || -o endpoint(s)] [-q]
        [-l logfile] [-sp source_port] [-sl] [-cn SNMP community name]

Command line mode options explained:
        -n [name_to_query] IP address or name of system to query
        -p [protocol] TCP or UDP or BOTH (default is TCP)
        -e [endpoint] single port to query (valid range: 1-65535)
        -r [end point range] range of ports to query (start:end)
        -o [end point order] range of ports to query in an order (x,y,z)
        -l [logfile] name of text log file to create
        -y overwrites existing text log file without prompting
        -sp [source port] initial source port to use for query
        -sl 'slow link delay' waits longer for UDP replies from remote systems
        -nr by-passes default IP address-to-name resolution
            ignored unless an IP address is specified after -n
        -cn specifies SNMP community name for query
            ignored unless querying an SNMP port
            must be delimited with !
        -q 'quiet' operation runs with no output
          returns 0 if port is listening
          returns 1 if port is not listening
          returns 2 if port is listening or filtered

Notes:  PortQry runs on Windows 2000 and later systems
        Defaults: TCP, port 80, no log file, slow link delay off
        Hit Ctrl-c to terminate prematurely

---

It has built in information on common ports as well which is kind of cool. It appears to be similar to a less intesive version of nmap.

example:

Code:

---

TCP port 17 (qotd service): NOT LISTENING
TCP port 18 (unknown service): NOT LISTENING
TCP port 19 (chargen service): NOT LISTENING
TCP port 20 (ftp-data service): NOT LISTENING
TCP port 21 (ftp service): LISTENING
Data returned from port:
TCP port 22 (unknown service): LISTENING
TCP port 23 (telnet service): NOT LISTENING
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): NOT LISTENING

---

I ran that as just TCP but you can do UDP as well

Hope someone can enjoy this

Hey Hey,

PortQry is quite nice... I've played with it a bit in the past....

I actually like it for one of it's local processes.... Actually this command could possible warrant a tutorial to demonstrate everything you can do with it..

Things like q mail will cause it to check smtp, pop3 and imap on a server..

But if you do portqry -local you get a rather detailed list..

How many ports are listening, how many are established..

Then you get a process by process listing... if it's a process that runs assorted services (svchost, lsass).. it'll list the services that it is running... If the server has an open port... it'll list the associated ports... here's some examples from when I just ran it against myself

Quote:

---

PortQry Version 2.0 Log File

System Date: Fri Jan 06 14:44:55 2006

Command run:
portqry -local -l logfile.txt

Local computer name:

DESKTOP

TCP/UDP Port to Process Mappings

36 mappings found

PID Port Local IP State Remote IP:Port
4 TCP 445 0.0.0.0 LISTENING 0.0.0.0:24596
4 TCP 139 192.168.1.100 LISTENING 0.0.0.0:32980
4 TCP 139 192.168.60.1 LISTENING 0.0.0.0:2128
4 TCP 139 192.168.254.1 LISTENING 0.0.0.0:6314
4 UDP 445 0.0.0.0 *:*
4 UDP 137 192.168.1.100 *:*
4 UDP 138 192.168.1.100 *:*
4 UDP 137 192.168.60.1 *:*
4 UDP 138 192.168.60.1 *:*
4 UDP 137 192.168.254.1 *:*
4 UDP 138 192.168.254.1 *:*
388 UDP 1062 127.0.0.1 *:*
812 TCP 5180 127.0.0.1 LISTENING 0.0.0.0:63546
812 TCP 1059 192.168.1.100 ESTABLISHED 205.188.9.12:5190
812 TCP 1085 192.168.1.100 ESTABLISHED 64.12.165.83:5190
812 UDP 1066 127.0.0.1 *:*
824 TCP 1041 192.168.1.100 ESTABLISHED 216.239.37.125:5222
1076 TCP 3389 0.0.0.0 LISTENING 0.0.0.0:2144
1124 TCP 135 0.0.0.0 LISTENING 0.0.0.0:34966
1248 TCP 1034 127.0.0.1 LISTENING 0.0.0.0:39022
1532 UDP 1038 0.0.0.0 *:*
1532 UDP 1063 0.0.0.0 *:*
1916 TCP 1025 0.0.0.0 LISTENING 0.0.0.0:39054
2112 TCP 1417 192.168.1.100 ESTABLISHED 216.239.37.99:80
2112 TCP 1496 192.168.1.100 ESTABLISHED 209.123.81.89:80
2112 TCP 1498 192.168.1.100 ESTABLISHED 207.68.178.16:80
2112 TCP 1499 192.168.1.100 ESTABLISHED 209.123.81.89:80
2112 TCP 1503 192.168.1.100 ESTABLISHED 216.239.37.99:80
2112 UDP 1099 127.0.0.1 *:*
2204 UDP 1122 127.0.0.1 *:*
2628 TCP 1048 192.168.1.100 ESTABLISHED 207.46.6.58:1863
2628 TCP 1507 192.168.1.100 ESTABLISHED 64.4.36.46:1863
2628 TCP 1508 192.168.1.100 ESTABLISHED 207.68.178.16:80
2628 UDP 1055 0.0.0.0 *:*
2628 UDP 1045 127.0.0.1 *:*
2628 UDP 9 192.168.1.100 *:*

Port Statistics

TCP mappings: 20
UDP mappings: 16

TCP ports in a LISTENING state: 9 = 45.00%
TCP ports in a ESTABLISHED state: 11 = 55.00%


Port and Module Information by Process

Note: restrictions applied to some processes may
prevent PortQry from accessing more information

For best results run PortQry in the context of
the local administrator

---

Quote:

---

System Process

PID Port Local IP State Remote IP:Port
4 TCP 445 0.0.0.0 LISTENING 0.0.0.0:24596
4 TCP 139 192.168.1.100 LISTENING 0.0.0.0:32980
4 TCP 139 192.168.60.1 LISTENING 0.0.0.0:2128
4 TCP 139 192.168.254.1 LISTENING 0.0.0.0:6314
4 UDP 445 0.0.0.0 *:*
4 UDP 137 192.168.1.100 *:*
4 UDP 138 192.168.1.100 *:*
4 UDP 137 192.168.60.1 *:*
4 UDP 138 192.168.60.1 *:*
4 UDP 137 192.168.254.1 *:*
4 UDP 138 192.168.254.1 *:*

---

Quote:

---

Process ID: 888 (services.exe)

Service Name: Eventlog
Display Name: Event Log
Service Type: shares a process with other services

Service Name: PlugPlay
Display Name: Plug and Play
Service Type: shares a process with other services

---

Quote:

---

Process ID: 812 (aim.exe)

Process doesn't appear to be a service

PID Port Local IP State Remote IP:Port
812 TCP 5180 127.0.0.1 LISTENING 0.0.0.0:63546
812 TCP 1059 192.168.1.100 ESTABLISHED 205.188.9.12:5190
812 TCP 1085 192.168.1.100 ESTABLISHED 64.12.165.83:5190
812 UDP 1066 127.0.0.1 *:*

---

It's basically like combining netstat and fport into a nice seperated readout..

Peace,
HT

HT, aren't you suppose to be resting? Get off the Damm computer mate.

:p

Cheers:

*dino aims tiny neg gun at HT untill next week* Un Plug man!

Hey Hey,

Resting... .what's that?

I've been resting for the last three days... I've gotta get my computer resistance back up... I need to go back to work on Monday... I'm basically doing an on off pattern today.

I did 30 minutes on... and then 30 minutes off

Then I did 45 on and 45 off.... (which almost did me in)

I'm pushing for a full hour this time :)

I am resting and relaxing though.. Thanks for your concern.

Peace,
HT