The Cable Guy - December 2005

Windows TCP/IP Ephemeral, Reserved, and Blocked Port Behavior

TechNet's The Cable Guy

By The Cable Guy

This article describes the various types of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that are available to Windows Sockets applications and their ranges for Windows XP and Windows Server 2003.

Introduction

TCP and UDP use port numbers to identify source and destination applications. For typical client-server protocols such as those used for Web and email access, a client computer initiates the communication. The server application is typically listening on a well known TCP or UDP port assigned by the Internet Assigned Numbers Authority (IANA). For the source port, the client application typically queries the operating system for a dynamically allocated TCP or UDP port that is not already in use by another application. When an application requests and then binds to a dynamically allocated port, this is known as a wildcard bind.

Dynamically allocated ports are also known as ephemeral ports. The term ephemeral (short-lived) does not imply that the ports must have a short lifetime, although some do: for example, ports used for the HyperText Transfer Protocol are immediately closed after the data transfer is complete. Rather, ephemeral refers to the fact that client application ports are relatively short-lived (open at a maximum for the time that the application is running) in comparison to server application ports, which are typically open for the entire time that the server computer is running.

The client computer uses an ephemeral port rather than the well-known port to prevent conflicts with a local service that might use the well-known port. For example, a computer running Microsoft Windows XP can use Internet Explorer and also run Internet Information Services (IIS). When Internet Explorer accesses a Web page, it cannot use TCP port 80 as the source port because that local port might already be in use by IIS. If both applications were designed to exclusively use the same port, then only one of them can be successfully running at a time.

Ephemeral Ports

The maximum value of an ephemeral TCP or UDP port number that is assigned by Windows Sockets in Microsoft Windows XP or Windows Server 2003 to an application is controlled by the MaxUserPort registry setting, which has a default value of 5000. Ephemeral ports begin with port number 1025. Therefore, by default, Windows XP or Windows Server 2003 assigns an application that performs a wildcard bind a number from 1025 to 5000.

To change the maximum value for ephemeral ports on a computer running Windows XP or Windows Server 2003, do the following:

  1. Click Start, click Run, type regedit.exe, and then click OK.

  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Type MaxUserPort and then press ENTER.

  5. Double-click the MaxUserPort value, and then type the maximum value in decimal or hexadecimal.

    You must type a number in the range of 5000-65534 (decimal). Setting this parameter to a value outside of the valid range causes the nearest valid value to be used (5000 or 65534).

  6. Click OK.

  7. Quit Registry Editor.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You must restart the computer for changes to the MaxUserPort registry setting to take effect.

You might need to change this value only if an application is opening a large number of simultaneous connections using wildcard binds and you want to ensure that the application does not run out of usable ephemeral ports. For example, a data backup application that uses the File Transfer Protocol (FTP) to transfer a very large number of small files could run out of ephemeral ports.

Port Reservation

Port reservation allows an application to prevent a range of ports from being assigned during a wildcard bind. However, reserving a port range does not prevent an application from performing a specific bind (a request for the use of a specific port) within a reserved range. When reserving a port range, you must choose a contiguous range of port numbers from 1025 to the value of the MaxUserPort setting (5000 by default) or from 49152 to 65535. Multiple client applications can reserve the same range. When unreserving (removing the reservation), Windows Sockets removes the first entry it finds that is completely encompassed by the unreserve request.

You can also specify a range of reserved ports with the registry by doing the following:

  1. Click Start, click Run, type regedit.exe, and then click OK.

  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, point to New, and then click Multi-string Value.

  4. Type ReservedPorts and then press ENTER.

  5. Double-click the ReservedPorts value, and then type the range of ports using the syntax: x-y

    To specify a single port, use the same value for x and y. For example, to specify port 4000, type 4000-4000.

  6. Click OK.

  7. Quit Registry Editor.

Port Blocking

Port blocking allows an application to prevent other applications from performing specific binds to the ports within a specified range. When blocking a port range, the application must choose a contiguous range of port numbers that are between the value of the MaxUserPort setting (5000 by default) + 1 and either 49151 (for Windows XP and Windows Server 2003 with no service packs installed) or 65535 (for Windows Server 2003 Service Pack 1). There should be no existing bindings to the ports within the range of blocked ports. Windows Sockets returns the last port number in the blocked range as the handle. When unblocking (removing the block), Windows Sockets unblocks the range that has the same left edge as the unblock request.

Port Ranges

The different port ranges for computers running Windows XP or Windows Server 2003 with no service packs installed are the following:

  • Well known port range (reserved by IANA): 0 to 1023

  • Ephemeral port range (for wildcard binds): 1025 to the value of the MaxUserPort registry setting

  • Available as a specific port (for specific binds): Any port from 0 to 65535 that is not blocked

  • Ranges available for reserved ports: 1025 to MaxUserPort and 49152 to 65535

  • Range available for blocked ports: MaxUserPort + 1 to 49151 (unless MaxUserPort is set to a value of 49152 or higher, in which case there is no range of blockable ports)

The following figure shows the different port ranges for computers running Windows XP or Windows Server 2003 with no service packs installed.

Although it makes sense to separate the well known port range, the reservable port range, and the blockable port range, there are scenarios in which the MaxUserPort needs to be set higher than 49152 and port blocking is required. To service port requests and maintain backward compatibility, Windows Server 2003 Service Pack 1 (SP1) allows port blocking in the reserved ranges. Therefore, for Windows Server 2003 SP1, the ranges are the following:

  • Well known port range (reserved by IANA): 0 to 1023

  • Ephemeral port range: 1025 to the value of the MaxUserPort registry setting

  • Available as a specific port: Any port from 0 to 65535 that is not blocked

  • Ranges available for reserved ports: 1025 to MaxUserPort and 49152 to 65535

  • Range available for blocked ports: MaxUserPort + 1 to 65535

The following figure shows the different port ranges for computers running Windows Server 2003 with SP1.
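
The range rules above can be checked mechanically when reviewing a host's MaxUserPort and ReservedPorts values. The following Python code is an added example, not code from the original article or from Microsoft; the function names and the sample ReservedPorts entries are constructed for illustration, and it models only the rules stated in this article.

```python
# Added example: models only the port rules stated in this article.
SAMPLE_RESERVED = ["1433-1434", "4000-4000", "6000-6010", "50000-50010"]  # constructed

def effective_max_user_port(value=None):
    """Default is 5000; values outside 5000-65534 snap to the nearest bound."""
    return 5000 if value is None else min(max(value, 5000), 65534)

def port_ranges(max_user_port=None, sp1=False):
    """Ranges for XP / Server 2003 (sp1=False) or Server 2003 SP1 (sp1=True)."""
    mup = effective_max_user_port(max_user_port)
    top = 65535 if sp1 else 49151
    return {
        "well_known": (0, 1023),
        "ephemeral": (1025, mup),
        "reservable": [(1025, mup), (49152, 65535)],
        # None when MaxUserPort leaves no room below the upper edge.
        "blockable": (mup + 1, top) if mup + 1 <= top else None,
    }

def parse_reserved_ports(entries):
    """Parse ReservedPorts multi-string lines written as x-y."""
    parsed = []
    for line in entries:
        lo, sep, hi = line.strip().partition("-")
        if not (sep and lo.isdigit() and hi.isdigit()) or int(lo) > int(hi):
            raise ValueError(f"expected x-y with x <= y, got {line!r}")
        parsed.append((int(lo), int(hi)))
    return parsed

def audit_reserved(entries, max_user_port=None):
    """Flag each entry: True if it lies wholly inside a reservable range."""
    allowed = port_ranges(max_user_port)["reservable"]
    return [((lo, hi), any(a <= lo and hi <= b for a, b in allowed))
            for lo, hi in parse_reserved_ports(entries)]

def wildcard_pool_size(entries, max_user_port=None):
    """Ephemeral ports left for wildcard binds; every listed port counts as reserved."""
    lo, hi = port_ranges(max_user_port)["ephemeral"]
    reserved = {p for a, b in parse_reserved_ports(entries) for p in range(a, b + 1)}
    return len(set(range(lo, hi + 1)) - reserved)

if __name__ == "__main__":
    for rng, ok in audit_reserved(SAMPLE_RESERVED):
        print(rng, "reservable" if ok else "outside reservable ranges")
    print("wildcard pool:", wildcard_pool_size(SAMPLE_RESERVED))
```

With the default MaxUserPort, the constructed entry 6000-6010 is flagged because it falls between the two reservable ranges, in the range the article assigns to port blocking.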
