Why is the 'System' process listening on port 443?
I am having problems starting my Apache server, because port 443 is already in use.
It turns out, the system process (PID 4) uses the port 443. I don't have IIS installed, the services.msc shows (predictably) no Exchange server running, nor WWW-Services, nor IIS. I have no idea how to find out what service uses that port, short of just disabling each service one after the other, and I am not even sure that would help.
I would be grateful if someone could point me towards how I can get my SSL port back, thank you :)
P.S.: Of course "just switch Apache to another port for SSL" would solve the problem of not being able to start Apache. But I'd still like to know what is so insistent about hogging port 443. :)
I by now took the 'hard route' and disabled services one after the other. It turned out that the "Routing and RAS" service was the culprit.
Thank you all for the valuable input and the new tools in the combat against "WTF does my system do now?".
Run the following from an elevated command prompt:
netstat -ab
I bet it's Skype. Uncheck the checkbox shown below if you have it installed.
First off, I will answer this question directly and anyone reading this can ignore any answers talking about 3rd-party, non-Microsoft applications using the System Process.
-
The System process is listed as PID 4 on every modern-day Windows system. It is for kernel-mode access. This rules out most 3rd-party web products like Apache.
-
Since the inception of WinRM (Windows Remote Management), the HTTP service (%SystemRoot%\system32\drivers\http.sys) has been a standard part of Windows (Vista and later / Server 2008 and later). http.sys runs under the System process (PID 4).
-
Other Microsoft-developed software may also use the %SystemRoot%\system32\drivers\http.sys under the System process like IIS, SQL Reporting Services, and Microsoft Web Deployment Service (http://support.microsoft.com/kb/2597817)...
-
WinRM 1.0 default ports were:
HTTP = 80
HTTPS = 443
WinRM 2.0 and greater default ports are:
HTTP = 5985
HTTPS = 5986
Check with the following commands:
Winrm enumerate winrm/config/listener
Winrm get http://schemas.microsoft.com/wbem/wsman/1/config
Troubleshooting steps:
Get the process number of the port that you are looking for (443 in this case):
...from a non-mapped drive of Windows to avoid "Access Denied":
netstat -aon | find ":443"
Output should look like the following for the System process:
C:>netstat -ano |find ":443"
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP [::]:443 [::]:0 LISTENING 4
The last column is the PID (4).
-
Running tasklist to find out what is running in the process proves unhelpful:
tasklist /SVC /FI "PID eq 4"
tasklist /m /FI "PID eq 4" -
Look in the registry for the HTTP service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\UrlAclInfo
There will be a list of URLs (with the port numbers) which can lead you to which application is running and holding which ports:
http:// +:5985/wsman/ --> WinRM
https:// +:5986/wsman/ --> WinRM
http:// +:80/Reports/ --> SQL Reporting Server
http:// +:80/ReportServer/ --> SQL Reporting Server
https:// server_fqdn:443/Reports/ --> SQL Reporting Server
https:// server_fqdn:443/ReportsServer/ --> SQL Reporting Server
http://* :2869/ --> Simple Service Discovery Protocol service (SSDPSRV)
http://* :5357/ --> Web Services Dynamic Discovery (WS-Discovery)
https://* :5358/ --> Web Services Dynamic Discovery (WS-Discovery)
You can then find the corresponding service on the system and stop it and see that wanted port is released by confirming with another netstat -aon | find ":443" command.
I had the problem that port 443 was used by "system" with PID 4 on my Windows 7 machine. The solution for me was to delete a "Incoming Connection" (VPN) which existed in the network connections folder.
It seems that I created it and forgot to delete it after usage...
Often this is the VMware host agent service (required for VM-host-to-guest communication) - vmware-hostd.exe.
A good way to find out what sub process svchost.exe is running is to use Sysinternals' Process Explorer.