What are the common ports/ranges that standard Windows processes will listen on?

Question

Is there any documentation that I can reference that outlines what ports or port ranges that most standard Windows processes will listen on? For example, if I saw wininit.exe listening on TCP 16000, would that be unusual? Or if csrss.exe was listening on 49123, would that be unusual? Or, should smss.exe be listening at all? Some kind of reference that can answer these types of questions for standard Windows OS processes.

I'm preparing for a test coming up soon that involves surveying machines and determining unusual processes and connections, and something like this would be way more helpful than doing 15 google searches for "process.exe listening port".

Answer 1

First the ports required will depend on the version of windows running. Second it depends on what roles and features are installed on that edition of windows. The reference document for what ports are open for which service is here (https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows)

However, your testing process is the problem, as windows should not be allowed to listen on "unusual" ports. You can enforce this by using the security and compliance manager (older oses) or the security compliance toolkit (server 2012 R2+, win 10 ). Included in the toolkit are a set of attack surface reduction rules that prevent such things as obfuscated scripts, adobe reader child processes, blocking javascript and vbscript from launching downloaded executables etc.

Answer 2

netstat -abn

That will list all the executables (-b), what their connection info is (-a) without waiting to resolve the hostnames of the ip addresses (-n). You can scale this out in powershell with Invoke-Command to run it across all your machines if WinRM is enable and compile a comprehensive list.

This is a good reference document to further answer your question Service overview and network port requirements for Windows