How to know who is listening to port 80 on Windows in multihomed case? [duplicate]

Well, let's make it an answer.

What you're seeing is most likely the result of a program using http.sys the Windows Kernel Mode HTTP Engine introduced in Windows Server 2003 (and XP?). It allows developers to circumvent the limitation that a listening port can only be served by one program at a time. With http.sys, a program registers a namespace, e.g. http://192.168.1.2:80/abc. The program now receives all requests beginning with the registered namespace. At the same time, another program could listen at http://192.168.1.2:80/xyz.

Another side-effect is that even "non-root" programs can listen on port 80, provided that a one-time setup has been completed.

Naturally, Microsoft didn't develop this because it's all fun and games. Internet Information Services (IIS) uses http.sys for listening. So this is a likely candidate in your case.

If no program has currently registered namespaces, http.sys stops listening.

netsh http show servicestate should be able to enumerate all active namespaces.

You can try TcpView, but if it's in fact in the kernel (as in - a socket opened by a driver), then there's really no way of telling what exactly controls the socket. That's even if you use something like ProcMon to do the boot tracing and capture the exact moment of a socket getting bound to tcp/80. What you need is a variation of ProcMon that would also capture a stack trace for each event and I haven't seen a tool like this.

But try TcpView first. Chances are that it's actually a user-space service that you are after and not a kernel component.