How to find which actual application uses port 80 via the System process
TL;DR
An application is listening on TCP port 80, but the process listed when I run netstat or TcpView from the SysInternals tools is System. I want to know which application is really listening on this port.
I have read this question, and tried running netstat, but it didn't help finding the actual application which uses port 80. The PID it gave me was 4, which corresponds to System. If I try to open a browser on localhost:80, it only gives me a basic 404 page ("HTTP Error 404. The requested resource is not found.").
I tried using a simple HTTP request via telnet, and I got the following:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 28 Jul 2016 19:22:42 GMT
Connection: close
Content-Length: 334
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>
Is there another way to find out which application is blocking my port 80 through the System process? I'm using Windows 7.
Update
Here's an extract of the output when I run netstat -anbo | findstr :80:
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 3900
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 2876
And it's impossible to start our own HTTP server because port 80 is already in use.
Update2
We found out which application was using the port after all (see my answer). However, I'm curious to see if anyone has a collection of tricks to speed up the process of finding which application uses a port in the case where it is using it via the System process (and not in the case where a virus is emulating the System process, as suggested by Steven).
65 Answers
We finally found the culprit. In our case, it was the BranchCache service. From what we learned, this service uses TCP port 80 by default, and our IT service didn't change the default configuration. Stopping this service freed the port 80.
We had to manually stop every service on our computer, until we found the service which actually used port 80. This can lead to weird behaviors though, so I'm not fully sure this is the best way to get the information.
If you download the Sysinternals Suite from Microsoft and extract it somewhere, start the tool TCPCon.exe (or TCPMon). This will list all the services and processes, including PID and tons of other information. If the service is not self-explanatory, upload it to virustotal.com.
Run the command:
netsh http show servicestate view=requestq
This will give a snapshot of all the HTTP listeners. Find the "Registered URL" containing the port number you are looking for and the PID of the controlling process will be a few lines above it, like my own rogue process here:
Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Request queue 503 verbosity level: Basic
    Max requests: 1000
    Number of active processes attached: 1
--> Process IDs:
        14035
    URL groups:
    URL group ID: F80000014000004F
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Max bandwidth: inherited
            Max connections: inherited
            Timeouts:
                Timeout values inherited
            Number of registered URLs: 1
-->         Registered URLs:
Server session ID: F70000011000012D
    Version: 2.0
    State: Active
    Properties:
        Max bandwidth: 4294967295
        Timeouts:
            Entity body timeout (secs): 120
            Drain entity body timeout (secs): 120
            Request queue timeout (secs): 120
            Idle connection timeout (secs): 120
            Header wait timeout (secs): 120
            Minimum send rate (bytes/sec): 150
I had the same issue, and found my Windows 10 System was running IIS Web Server. I knew that was a possible suspect, but had a hard time finding it. It was in Administrative Tools > Services > World Wide Web Publishing Service.
This is what is using the port: C:\Windows\system32\svchost.exe -k iissvcs, and I had to disable its startup type in services.msc.
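The lookup described in the netsh answer above, as an added example (not code from the original posts): a Python parser that pairs each "Registered URLs" entry on a given port with the "Process IDs" of its request queue. It assumes the English-language output layout shown in that answer; the sample text, PIDs and URLs are constructed.

```python
import re

# Constructed sample shaped like `netsh http show servicestate view=requestq`
# output; the PIDs, IDs and URLs are made up for illustration.
SAMPLE = """\
Request queue name: Request queue is unnamed.
    State: Active
    Number of active processes attached: 1
--> Process IDs:
        4321
    URL groups:
    URL group ID: FD00000040000001
        Request queue name: Request queue is unnamed.
            Number of registered URLs: 2
-->         Registered URLs:
                HTTP://+:80/EXAMPLE-SERVICE/
                HTTP://+:8000/EXAMPLE-SERVICE/

Request queue name: ExampleQueue
    Process IDs:
        5678
    URL groups:
    URL group ID: FD00000040000002
            Registered URLs:
                HTTP://*:8081/
"""

# A URL prefix is scheme://host:port/path; the port must be followed by "/".
PREFIX = re.compile(r"https?://.+?:(\d+)/", re.IGNORECASE)

def owners_of_port(text, port):
    """Return [(pid, url_prefix)] for HTTP.sys registrations on `port`."""
    hits, pids, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-->"):            # "-->" markers, as in the answer
            line = line[3:].strip()
        if raw.startswith("Request queue name:"):
            pids, section = [], None          # unindented: a new request queue
        elif line in ("Process IDs:", "Registered URLs:"):
            section = line
        elif section == "Process IDs:" and line.isdigit():
            pids.append(int(line))
        elif section == "Registered URLs:" and PREFIX.match(line):
            if int(PREFIX.match(line).group(1)) == port:
                hits += [(pid, line) for pid in pids or [None]]
        else:
            section = None                    # any other line ends the list
    return hits
```

On the affected machine, pass it the captured output of the netsh command, then resolve each returned PID to its services with `tasklist /svc /fi "PID eq <pid>"`.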