71LoveTech-3037 asked LimitlessTechnology-0326 published

Need Ownership Information In Netstat

I realize computers and code are very detailed; one little character could mess the real meaning up.

I really feel that there should be a script of code that should be patched on "Can not obtain owner information" in a Netstat -a -n -o run.

I have run Wireshark and in the Loopback I'm getting the loopback address of 127.0.0.1, which is normal, but it is connecting to a port 5037 which is a way to be a remote, I think part of my computer. That is an Android device.

I ran Netstat -a -n -o and I was offline. I had an active Time_Wait/Listening connection to 127.0.0.1 and it had a port of 135, then underneath this area it said "Can not obtain owner information".

Whoever is using this 127.0.0.1, since I am offline, Wireless settings in the Bios are disabled. No ethernet to my computer. How is it possible for me to be getting traffic on this 127.0.0.1:135 Time_Wait/Listening when I run the Netstat? I have not tried to do both at the same time and/or run Netstat in intervals.

Help on this matter would be greatly appreciated.


windows-10-network

1 Answer

LimitlessTechnology-0326 answered LimitlessTechnology-0326 published

Hello @71LoveTech-3037

To answer your query kindly check this link.

https://social.technet.microsoft.com/Forums/en-US/b286dcc3-75b9-4cf3-aa42-5ae1c7bff09c/the-list-of-open-ports-the-process-and-the-name-of-the-service

Scroll down to the bottom and look at the PowerShell script. It shows the listeners, process names, and the service name if one exists.

To see if I could parse that output and possibly incorporate it into the ShowListeners.ps1 script. I just left it as a second script. This may show you some of the "ownership information".

This is a "work in progress" script.

```powershell
# Script: ShowSystemListeners.ps1
# Author: MotoX80
cls
$r = (netsh.exe http show servicestate view=requestq) -join ""   # make it one long string
$r = $r -replace " Request queue name", "============"           # we only want these that are not indented
$ra = $r -split "Request queue name: "                           # create an array of each entry to be processed
$idx = 1                                                         # skip over header
while ($idx -lt $ra.count) {
    $tf = $ra[$idx] -match '(Process IDs:).*(URL groups:)'
    if ($tf) {
        #$matches[0]                # uncomment to see what we found.
    } else {
        #"No pids???"               # we didn't find the headings. not sure what kind of entry this is.
        $idx++                      # go to next entry
        continue
    }
    $ids = $matches[0].split(" ")   # get pids, but we only process the first one. I have not seen 2 pids on my machine
    $p = ($ids -match "^\d+$")[0]
    if ($null -eq $p) {
        #"No pids2???"
        $tf = $ra[$idx] -match '(Controller process ID:).*(Process IDs:)'
        if ($tf) {
            #$matches[0]            # uncomment to see what we found.
        } else {
            #"No pids???"           # we didn't find the headings. not sure what kind of entry this is.
            $idx++                  # go to next entry
            continue
        }

        $ids = $matches[0].split(" ")   # get pids
        $p = ($ids -match "^\d+$")[0]   # our pid

        #$idx++                     # I think that each listener must have a controlling pid
        #break
        #continue
    }
    "======================== $idx ======================================================================="

    $tf = $ra[$idx] -match '(Registered URLs:).*(Server session)'
    if ($tf) {
        #$matches[0]
    } else {
        "No HTTP addresses???"
        #$ra[$idx]
        $idx++
        continue                    # skip this entry; otherwise $matches is stale and $idx is incremented twice
    }
    $http = $matches[0].split(" ")
    $http -match ':/'               # print only the tokens that look like URLs
    ""
    "Process ID: $p"

    $s = Get-CimInstance win32_service -Filter "ProcessId=$p"
    ""
    (Get-Process -Id $p -IncludeUserName | Format-List -Property Path, company, Description, Username | Out-String).trim()
    "CommandLine : {0}" -f (Get-CimInstance win32_process -Filter "ProcessId=$p").Commandline
    ""
    if ($s) {
        (Get-Service -Name $s.name | Format-Table -AutoSize | Out-String).trim()
        ""
    }

    $idx++
}
```


If the Answer is helpful, please click "Accept Answer" and upvote it.
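
A complementary check for the question above, as an added example that is not part of the original answer or of MotoX80's script: it lists every TCP endpoint that `netstat -a -n -o` would show together with its owning process and hosted services, and notes why an owner cannot be shown. It uses the built-in `Get-NetTCPConnection`, `Get-Process` and `Win32_Service`; the function name `Resolve-TcpOwner` and the wording of the `Note` column are this example's own.

```powershell
# Added example: resolve the owner of each TCP endpoint and explain gaps.
# Run from an elevated prompt; without elevation, details of processes
# owned by other accounts may not be readable.

# PID -> service names (one svchost.exe can host several services).
$svcByPid = @{}
Get-CimInstance Win32_Service -Filter "ProcessId <> 0" |
    Group-Object ProcessId |
    ForEach-Object { $svcByPid[[int]$_.Name] = $_.Group.Name }

function Resolve-TcpOwner {              # hypothetical helper name
    param([Parameter(Mandatory)] $Connection)

    $procId = [int]$Connection.OwningProcess
    $name = $null; $path = $null; $note = $null

    if ($procId -eq 0) {
        # Sockets lingering in TimeWait are no longer tied to a process.
        $note = 'PID 0: no owning process (typical for TimeWait)'
    } else {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc) {
            $name = $proc.ProcessName
            $path = $proc.Path           # empty for System/protected processes
            if (-not $path) { $note = 'path not readable (System, protected, or not elevated)' }
        } else {
            $note = 'process exited before it could be queried'
        }
    }

    [pscustomobject]@{
        Local    = '{0}:{1}' -f $Connection.LocalAddress, $Connection.LocalPort
        Remote   = '{0}:{1}' -f $Connection.RemoteAddress, $Connection.RemotePort
        State    = $Connection.State
        PID      = $procId
        Process  = $name
        Services = ($svcByPid[$procId] -join ',')
        Path     = $path
        Note     = $note
    }
}

Get-NetTCPConnection |
    Sort-Object LocalPort, State |
    ForEach-Object { Resolve-TcpOwner -Connection $_ } |
    Format-Table -AutoSize -Wrap
```

Loopback rows for ports such as 135 and 5037 appear here with a process and service name when one can be resolved, which makes it easier to tell a local service from unexpected traffic.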
