How do you free up a port being held open by dead process?

A colleague of mine recently ran into a problem where a process that had supposedly died was still bound to a network port, preventing other processes from binding to that port. Specifically, netstat -a -b was reporting that a process named System with PID 4476 had port 60001 open, except no process with PID 4476 existed, at least as far as I could tell.

Process Explorer and Task Manager did not list PID 4476 (though there was another process named System with PID 4, which had its own set of TCP connections that did not include 60001). taskkill /PID 4476 also reported that PID 4476 could not be found.

Is there a way to kill this mysterious System process to free up the port to which it's currently bound? What can cause this to happen? How can there be processes that none of Task Manager, Process Explorer, and taskkill know about? Rebooting managed to fix the problem, but I'd like to know if there's a way to fix this without rebooting.


Solution 1:

I know this is an old thread, but in case anyone else is having the same issue, I had...

What may be happening is that your process had a TCP port open when it crashed or otherwise exited without explicitly closing it. Normally the OS cleans up these sorts of things, but only when the process record goes away. While the process may not appear to be running any more, there is at least one thing that can keep a record of it around, in order to prevent reuse of its PID. This is the existence of a child process that is not detached from the parent.

If your program spawned any processes while it was running, try killing them. That should cause its process record to be freed and the TCP port to be cleaned up. Apparently Windows does this when the record is released, not when the process exits, as I would have expected.

Solution 2:

Open command prompt as admin

  1. C:\WINDOWS\system32>netstat -ano | findstr :7895

  2. C:\WINDOWS\system32>wmic process where (ParentProcessId=1091 ) get Caption,ProcessId

     Caption ProcessId

     cmd.exe 1328

     2.a. C:\WINDOWS\system32>wmic process where (ParentProcessId=1328) get Caption,ProcessId

     Caption  ProcessId

     conhost.exe  1128

     2.b. Repeat step 2 until no further child processes are found.

  3. Then kill all child processes:

     C:\WINDOWS\system32>taskkill /F /PID 1128 SUCCESS: The process with PID 9500 has been terminated.
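The manual netstat / wmic / taskkill loop in Solution 2, and the explanation in Solution 1 that an undetached child keeps the dead parent's process record (and its port) alive, can be automated. The following PowerShell script is an added example, not code from either answer: it looks up the PID that the TCP stack reports as owning a local port, walks that PID's descendant tree recursively (the part done by hand with repeated wmic calls above), prints it for review, and only terminates the descendants when -Kill is given. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection; on older systems parse netstat -ano instead) and an elevated prompt; the script name Free-Port.ps1 is hypothetical.

```powershell
# Free-Port.ps1 (hypothetical name) -- added example, not from the original answers.
# Lists, and optionally terminates, the descendants of the process that owns a
# local TCP port, so the orphaned parent's process record can be released.
# Assumes Get-NetTCPConnection (Windows 8 / Server 2012+) and an elevated shell.
param(
    [Parameter(Mandatory = $true)][int]$Port,
    [switch]$Kill
)

# Tracks PIDs already visited so PID reuse cannot send the walk into a cycle.
$script:seen = @{}

function Get-Descendants {
    # Depth-first, pre-order walk of Win32_Process rows whose ParentProcessId is $ParentId.
    # Pre-order means every ancestor is emitted before its descendants.
    param([int]$ParentId)
    foreach ($child in (Get-CimInstance Win32_Process -Filter "ParentProcessId = $ParentId")) {
        if ($script:seen.ContainsKey($child.ProcessId)) { continue }
        $script:seen[$child.ProcessId] = $true
        [pscustomobject]@{
            ProcessId       = $child.ProcessId
            Name            = $child.Name
            ParentProcessId = $ParentId
            Started         = $child.CreationDate
        }
        Get-Descendants -ParentId $child.ProcessId
    }
}

# The TCP stack's record of who owns the port, even if that PID is no longer
# visible to Get-Process / Task Manager (the situation in the question).
$owners = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty OwningProcess -Unique

if (-not $owners) {
    Write-Host "No TCP endpoint on local port $Port."
    return
}

foreach ($owner in $owners) {
    $alive = Get-Process -Id $owner -ErrorAction SilentlyContinue
    $state = if ($alive) { $alive.ProcessName } else { 'not visible to Get-Process' }
    Write-Host ("Port {0} is owned by PID {1} ({2})" -f $Port, $owner, $state)

    $descendants = @(Get-Descendants -ParentId $owner)
    if ($descendants.Count -eq 0) {
        Write-Host "  No child processes found; nothing here is holding the record open."
        continue
    }

    # Review the tree before touching anything: ParentProcessId is a plain
    # number, so a reused PID could make an unrelated process look like a child.
    $descendants | Format-Table -AutoSize | Out-String | Write-Host

    if ($Kill) {
        # Reverse pre-order: every process is stopped after all of its own descendants.
        [array]::Reverse($descendants)
        foreach ($d in $descendants) {
            Write-Host ("  Stopping PID {0} ({1})" -f $d.ProcessId, $d.Name)
            Stop-Process -Id $d.ProcessId -Force -ErrorAction Continue
        }
        Start-Sleep -Seconds 1
        if (Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue) {
            Write-Host "Port $Port is still held; check for non-child references (handles, drivers, kernel sockets)."
        } else {
            Write-Host "Port $Port released."
        }
    } else {
        Write-Host "Re-run with -Kill to terminate the processes listed above."
    }
}
```

Run it once without -Kill (for example .\Free-Port.ps1 -Port 60001) to see which processes the walk attributes to the dead owner, confirm from the Started column that they plausibly belong to it, and only then re-run with -Kill. If the port remains held after the descendants are gone, the record is being kept alive by something other than a child process, and the reboot the question mentions may be the only remaining option.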

Solution 3:

Did you try using TCPView and closing the connection? I don't know if it will show the connection in the scenario you're describing, because I've never had that happen to me. But it's the only thing I can think of if this happens again.

What was the process - was it commercial software, or something homegrown? It appears that port 60001 is used by some Trojans - I wonder if it could have been a rootkit or something that could hide itself from the OS? Might want to give that machine a good once-over with AV, maybe something from bootable media.