Determining what process has bound a port (without listening) on Windows

If I want to find out what process is listening on what socket, I can use netstat/TCPview and will immediately see it. However, it is possible to bind to an address without listening. If this is done, it does not show up in netstat/TCPview, but does block the socket.

Python example:

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0',12345))

The port is now bound, and attempting to execute the same code in a second instance while the first is still running will result in an error. However, unless you actually start listening on that port using

s.listen(1)

the port does not show up in netstat/TCPview.

The question is: Is it possible to see what ports are bound (but not listening), and which process is binding them?

The background of this is that I have had a moving range of 1976 ports that cannot be bound, and I want to know what causes this. In the meantime, I determined through trial and error that Internet Connection Sharing was blocking those ports, but I am still curious about the answer to this question.

Edit: Due to popular request, here is the code I used to find those ports:

import time
import socket

for i in range(0,65536):
    try:
        print "Listening on port", i, '...', 
        serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        serversocket.bind(('0.0.0.0', i))
        serversocket.listen(5)
        #time.sleep(0.1)
        serversocket.close()
        print "ok"
    except:
        print "FAIL"

(you may want to pipe the output to grep and filter for FAIL only)

Solution 1:

I had to do this exact thing today. Powershell can do it with Get-NetTCPConnection.

PS C:\WINDOWS\system32> Get-NetTCPConnection -LocalPort 53100

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting OwningProcess
------------                        --------- -------------                       ---------- -----       -------------- -------------
0.0.0.0                             53100     0.0.0.0                             0          Bound                      40120


PS C:\WINDOWS\system32> get-process -PID 40120

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   2133    1331    13884      30740  30,955.31  40120   1 HWMonitorPro

Solution 2:

In recent versions of netstat there is now a command line parameter -q that shows those sockets.

$ netstat -?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating...
  ...
  -p proto      Shows connections for the protocol specified...
  -q            Displays all connections, listening ports, and bound
                nonlistening TCP ports. Bound nonlistening ports may or may not
                be associated with an active connection.
  -r            Displays the routing table.
  ...

Example of use:

$ netstat -nq -p tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  ...

 TCP    192.168.122.157:50059  54.213.66.195:443      ESTABLISHED
  TCP    0.0.0.0:49676          0.0.0.0:0              BOUND
  TCP    0.0.0.0:49700          0.0.0.0:0              BOUND
  TCP    0.0.0.0:49704          0.0.0.0:0              BOUND
  TCP    0.0.0.0:49705          0.0.0.0:0              BOUND
  ...

It seems there is no public API for getting the sockets in that situation. See my question in StackOverflow.