Availability and description of the Port Reporter tool

Article ID: 837243

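Summary

This article discusses the Port Reporter tool. The Port Reporter tool runs as a service on computers that are running Windows Server 2003, Windows XP, and Windows 2000. You can use this tool to log TCP and UDP port activity. This article contains information about how to obtain and install the tool. When you install the tool, the Setup program creates the required registry entries and installs the Port Reporter service.

This article also contains information about how to configure the Port Reporter service by using startup parameters, and about the Port Reporter log files that the Port Reporter service generates.

Introduction

This article contains information about how to obtain, install, and configure the Port Reporter tool. You can use the Port Reporter tool to log TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.

Overview

You can use the Port Reporter tool to log TCP and UDP port activity. The tool is a small program that runs as a service on a computer that is running Windows Server 2003, Windows XP, or Windows 2000.

On Windows Server 2003-based and Windows XP-based computers, the service can log the following information:
  • The ports that are used
  • The processes that use the ports
  • Whether a process is a service
  • The modules that a process has loaded
  • The user accounts that run a process
On Windows 2000-based computers, the service logs the ports that are used and the time when they are used.

You can use the information that the Port Reporter tool logs to help you track port usage and troubleshoot certain issues. The information that the Port Reporter tool logs is also very useful for security purposes.

Obtaining the Port Reporter tool

You can download the Port Reporter tool from the following link on the Microsoft Download Center: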
http://www.microsoft.com/downloads/details.aspx?familyid=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&displaylang=en


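Important: The Port Reporter Parser tool is a log parser for Port Reporter log files. The tool is now available for download. Port Reporter Parser includes many features that can help you analyze Port Reporter log files. You can download the Port Reporter Parser tool from the following Microsoft Web site: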
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe

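Installing the Port Reporter service

When you run the Setup program (Pr-Setup.exe) to install Port Reporter, the Setup program does the following:
  • Adds the following registry subkey to the Windows registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PortReporter
    The Port Reporter service requires this registry entry to log entries to the Application event log on the computer.
  • Installs the Port Reporter service.

    The Setup program creates a service object for the Port Reporter tool and then adds the object to the Service Control Manager database.

Installing the Port Reporter service to the default location

By default, the Port Reporter service is installed in the following folder on the hard disk:
drive:\Program Files\PortReporter
To install the Port Reporter service to the default location:
  1. Log on to the computer as a member of the local Administrators group.
  2. Exit all programs that are running on the computer, including the Services tool in Administrative Tools and Event Viewer.
  3. Double-click Pr-Setup.exe to run the Setup program.
  4. When you are prompted to install the Port Reporter tool in the Program Files folder, press Y.

    After you press Y, the Setup program creates a subfolder named PortReporter in the Program Files folder. Portreporter.exe is copied to this subfolder and is registered as a service with the Service Control Manager.

Installing the Port Reporter service to a location other than the default location

To install the Port Reporter service to a location other than the default location:
  1. Log on to the computer as a member of the local Administrators group.
  2. Exit all programs that are running on the computer, including the Services tool in Administrative Tools and Event Viewer.
  3. Copy the Pr-setup.exe file and the Portreporter.exe file to the folder where you want to install the Port Reporter tool.

    Note: You must run the Setup program from a fixed local drive. You cannot run the Setup program from a network drive or from a CD-ROM drive.
  4. At a command prompt, type the following command line, and then press Enter, where PathOfFolder is the drive and the path of the folder that contains the Pr-setup.exe file and the Portreporter.exe file.
    pr-setup.exe -d 'PathOfFolder'
    For example, to install the tool in the D:\Tools\Port Reporter folder, type
    pr-setup.exe -d 'd:\tools\port reporter\'
    You receive output that is similar to the following in the Command Prompt window: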
    C:\temp>pr-setup.exe -d 'PathOfFolder'
    
    Installing Port Reporter service:PathOfFolder
    
    Creating service...completed successfully
    
    Creating registry key and values...completed successfully
    
    Setup has successfully installed the Port Reporter service
    The service is currently stopped and set to manual startup type
    
    Please use the services applet in the control panel to configure
    and start the Port Reporter service
    
    
    press any key to exit setup
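  5. Press any key to exit the Setup program.

Configuring and starting the Port Reporter service

To verify that the Port Reporter service was installed successfully and to start the service, follow these steps:
  1. Click Start, right-click My Computer, and then click Manage.
  2. Expand Services and Applications, and then expand Services.
  3. In the right pane, verify that the Port Reporter service is listed.
  4. To start the service, double-click the service name, and then click the Start Service button. Click OK.

    The Port Reporter service creates a log entry in the Application log to indicate that the service has started.
By default, the startup type of the Port Reporter service is set to Manual. If you want the service to start automatically when Windows starts, set the startup type to Automatic.

By default, the Port Reporter service uses the Local System account to log on to the computer. By using the Local System account, the Port Reporter service can collect detailed information about processes that an administrator account or other user accounts do not have access to. Therefore, Microsoft recommends that you do not modify this setting.

Note: Because the service runs in the context of the Local System account, Microsoft recommends that you secure the folder where Port Reporter is installed. Whether you install Port Reporter in the default location (%SystemDrive%\Program Files\PortReporter) or in a custom location, you must do the following:
  • Install Port Reporter only on an NTFS file system partition.
  • Adjust the access control list (ACL) on the installation folder so that only the local Administrators group can access the folder. To do this, follow these steps:
    1. Start Windows Explorer, and then locate the installation folder. By default, the installation folder is %SystemDrive%\Program Files\PortReporter.
    2. Right-click the folder, and then click Properties.
    3. In the folder properties dialog box, click the Security tab, and then review the group names and user names that have access to the folder. Only the local Administrators group and the System account should have access to the folder.
    4. Select all other groups and users that are listed, and then click Remove. When the list contains only the local Administrators group and the System account, click Apply, and then click OK.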

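Location of the log files

By default, the Port Reporter tool tries to create log files in the following folder:
%systemroot%\System32\LogFiles\PortReporter
If this folder does not exist, it is created automatically. You can configure the location of the log files by using the startup parameters that you specify on the General tab of the Port Reporter service dialog box. To specify the log file folder, use the -ld command-line option followed by the name of the folder that you want to use. You must enclose the folder name in single quotation marks ('). For example, if you specify the following startup parameter, the Port Reporter service creates the log files in the C:\Program Files\Port Reporter folder when the service starts:
-ld 'c:\program files\port reporter'

Size of the log files

By default, the Port Reporter service keeps writing to a log file until the log file reaches 5 MB. After the log file reaches 5 MB, a new log file is created. To configure the log file size, use the -ls command-line option. You can specify a log file size between 1000 KB and 102400 KB. For example, if you specify the following startup parameter, the Port Reporter service creates a new log file every time that the log file reaches 7000 KB:
-ls 7000
After you configure the Port Reporter service with the startup parameters that you want, start the service. When the Port Reporter service starts, the following two events are logged in the Application event log: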

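Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service has started.

Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service successfully created the log files in the following directory: PathOfLogFiles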

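Removing the Port Reporter service

To remove the Port Reporter service, type the following command line at a command prompt, and then press Enter:
pr-setup.exe -u
You receive output that is similar to the following in the Command Prompt window: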
Uninstalling Port Reporter service...

Deleting service...
Stopping service...completed successfully

Removing service...completed successfully

Deleting service...completed successfully

Deleting registry key and values...completed successfully


Setup successfully uninstalled the Port Reporter Service
The installation directory has been left intact


press any key to exit setup
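When you remove the Port Reporter service, the Setup program does the following:
  • Unregisters the Port Reporter service from the Service Control Manager database.
  • Deletes the registry entries that were created when the Port Reporter service was installed.
When you remove the Port Reporter service, the Setup program does not delete the folder that contains the Pr-setup.exe file and the PortReporter.exe file, and it does not delete any log files that the service created.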

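Interpreting the Port Reporter log files

The Port Reporter service creates log files in the following situations:
  • Every time that the Port Reporter service starts
  • Every day at midnight
  • When a log file reaches 5 MB, or when a log file reaches the custom size that is specified in the startup parameters
When the Port Reporter service starts, the following log files are created: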
  • PR-INITIAL-*.log
  • PR-PORTS-*.log
  • PR-PIDS-*.log
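The name of each log file uses the date and the time (in 24-hour format) when the file was created. The format of the date and time stamp is year-month-day-hour-minute-second. For example, the following three files were created on January 24, 2004, at 8:49:30 A.M.: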
  • PR-INITIAL-04-01-24-8-49-30.log
  • PR-PORTS-04-01-24-8-49-30.log
  • PR-PIDS-04-01-24-8-49-30.log

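PR-INITIAL log file

The PR-INITIAL log file contains the data that the Port Reporter service collects about the ports, processes, and modules that are running on the computer when the Port Reporter service starts. It also records the user context that each process runs in. The following is an example of the contents of a PR-INITIAL log file that was created on a Windows XP-based computer when Port Reporter started: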
Port Reporter Version 1.0 Log File

Service initialization log

System Date:<Date and Time>


Local computer name:

<ComputerName>

TCP/UDP Port to Process Mappings at service start-up

36 mappings found

PID:Process		Port		Local IP	State		 Remote IP:Port
0:System Idle		TCP 4857	169.254.66.8 	TIME WAIT	 169.254.44.123:80
4:System		TCP 445	0.0.0.0 	LISTENING	 0.0.0.0:6246
4:System		TCP 1026	0.0.0.0 	LISTENING	 0.0.0.0:28726
4:System		TCP 139	169.254.66.8 	LISTENING	 0.0.0.0:34925
4:System		UDP 445  	0.0.0.0 			 *:*
4:System		UDP 137  	169.254.66.8 			 *:*
4:System		UDP 138  	169.254.66.8 			 *:*
664:iexplore.exe	TCP 4867	0.0.0.0 	LISTENING	 0.0.0.0:4225
664:iexplore.exe	TCP 4870	0.0.0.0 	LISTENING	 0.0.0.0:45070
664:iexplore.exe	TCP 4871	0.0.0.0 	LISTENING	 0.0.0.0:18494
664:iexplore.exe	TCP 4872	0.0.0.0 	LISTENING	 0.0.0.0:6182
664:iexplore.exe	TCP 4867	169.254.66.8 	ESTABLISHED	 169.254.44.123:80
664:iexplore.exe	TCP 4870	169.254.66.8 	ESTABLISHED	 207.68.177.62:80
664:iexplore.exe	TCP 4871	169.254.66.8 	ESTABLISHED	 207.46.248.110:80
664:iexplore.exe	TCP 4872	169.254.66.8 	ESTABLISHED	 207.46.248.110:80
664:iexplore.exe	UDP 4817  	127.0.0.1 			 *:*
748:lsass.exe		UDP 500  	0.0.0.0 			 *:*
952:svchost.exe	TCP 135	0.0.0.0 	LISTENING	 0.0.0.0:2096
1092:svchost.exe	TCP 1025	0.0.0.0 	LISTENING	 0.0.0.0:2064
1092:svchost.exe	TCP 3002	127.0.0.1 	LISTENING	 0.0.0.0:49193
1092:svchost.exe	TCP 3003	127.0.0.1 	LISTENING	 0.0.0.0:39078
1092:svchost.exe	UDP 123  	169.254.66.8 			 *:*
1092:svchost.exe	UDP 123  	127.0.0.1 			 *:*
1192:svchost.exe	UDP 3009  	0.0.0.0 			 *:*
1192:svchost.exe	UDP 3015  	0.0.0.0 			 *:*
1192:svchost.exe	UDP 3016  	0.0.0.0 			 *:*
1228:svchost.exe	TCP 5000	0.0.0.0 	LISTENING	 0.0.0.0:45223
1228:svchost.exe	UDP 1900  	169.254.66.8 			 *:*
1228:svchost.exe	UDP 1900  	127.0.0.1 			 *:*
1536:alg.exe		TCP 3001	127.0.0.1 	LISTENING	 0.0.0.0:2064
1568:InoRpc.exe	TCP 42510	0.0.0.0 	LISTENING	 0.0.0.0:14373
1568:InoRpc.exe	UDP 43508  	169.254.66.8 			 *:*
3764:msmsgs.exe	TCP 16521	169.254.66.8 	LISTENING	 0.0.0.0:45294
3764:msmsgs.exe	UDP 4803  	0.0.0.0 			 *:*
3764:msmsgs.exe	UDP 9160  	169.254.66.8 			 *:*
3764:msmsgs.exe	UDP 9586  	169.254.66.8 			 *:*
=======================

======================================================

Process ID:4 (System)

System Process

PID	Port		Local IP	State		 Remote IP:Port
4	TCP 445	0.0.0.0 	LISTENING	 0.0.0.0:6246
4	TCP 1026	0.0.0.0 	LISTENING	 0.0.0.0:28726
4	TCP 139	169.254.66.8 	LISTENING	 0.0.0.0:34925
4	UDP 445  	0.0.0.0 			 *:*
4	UDP 137  	169.254.66.8 			 *:*
4	UDP 138  	169.254.66.8 			 *:*

Port Statistics

TCP MAPPINGS: 3
UDP MAPPINGS: 3

TCP ports in a LISTENING state: 	3 = 100.00%


Could not access module information for this process

======================================================

Process ID:748 (lsass.exe)

User context:NT AUTHORITY\SYSTEM

Service Name:PolicyAgent
Display Name:IPSEC Services
Service Type:shares a process with other services

Service Name:ProtectedStorage
Display Name:Protected Storage

Service Name:SamSs
Display Name:Security Accounts Manager
Service Type:shares a process with other services

PID	Port		Local IP	State		 Remote IP:Port
748	UDP 500  	0.0.0.0 			 *:*

Port Statistics

TCP MAPPINGS: 0
UDP MAPPINGS: 1


Loaded modules:
D:\WINDOWS\system32\lsass.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\LSASRV.dll (0x74520000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\SAMSRV.dll (0x74440000)
D:\WINDOWS\system32\cryptdll.dll (0x76790000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\msprivs.dll (0x743B0000)
D:\WINDOWS\system32\kerberos.dll (0x71CF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\netlogon.dll (0x744B0000)
D:\WINDOWS\system32\w32time.dll (0x767C0000)
D:\WINDOWS\system32\MSVCP60.dll (0x55900000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\system32\schannel.dll (0x767F0000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\system32\setupapi.dll (0x76670000)
D:\WINDOWS\system32\scecli.dll (0x74410000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ipsecsvc.dll (0x743E0000)
D:\WINDOWS\system32\oakley.DLL (0x745D0000)
D:\WINDOWS\system32\WINIPSEC.DLL (0x74370000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\pstorsvc.dll (0x743A0000)
D:\WINDOWS\system32\psbase.dll (0x743C0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
======================================================

Process ID:952 (svchost.exe)

User context:NT AUTHORITY\SYSTEM

Service Name:RpcSs
Display Name:Remote Procedure Call (RPC)
Service Type:shares a process with other services

PID	Port		Local IP	State		 Remote IP:Port
952	TCP 135	0.0.0.0 	LISTENING	 0.0.0.0:2096

Port Statistics

TCP MAPPINGS: 1
UDP MAPPINGS: 0

TCP ports in a LISTENING state: 	1 = 100.00%

Loaded modules:
D:\WINDOWS\system32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
d:\windows\system32\rpcss.dll (0x75850000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\userenv.dll (0x75A70000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
======================================================

Process ID:1092 (svchost.exe)

User context:NT AUTHORITY\SYSTEM

Service Name:AudioSrv
Display Name:Windows Audio
Service Type:shares a process with other services

Service Name:BITS
Display Name:Background Intelligent Transfer Service
Service Type:shares a process with other services

Service Name:CryptSvc
Display Name:Cryptographic Services
Service Type:shares a process with other services

Service Name:Dhcp
Display Name:DHCP Client
Service Type:shares a process with other services

Service Name:dmserver
Display Name:Logical Disk Manager
Service Type:shares a process with other services

Service Name:ERSvc
Display Name:Error Reporting Service
Service Type:shares a process with other services

Service Name:EventSystem
Display Name:COM+ Event System
Service Type:shares a process with other services

Service Name:helpsvc
Display Name:Help and Support
Service Type:shares a process with other services

Service Name:lanmanserver
Display Name:Server
Service Type:shares a process with other services

Service Name:lanmanworkstation
Display Name:Workstation
Service Type:shares a process with other services

Service Name:Messenger
Display Name:Messenger
Service Type:shares a process with other services

Service Name:Netman
Display Name:Network Connections

Service Name:Nla
Display Name:Network Location Awareness (NLA)
Service Type:shares a process with other services

Service Name:RasMan
Display Name:Remote Access Connection Manager
Service Type:shares a process with other services

Service Name:Schedule
Display Name:Task Scheduler

Service Name:seclogon
Display Name:Secondary Logon

Service Name:SENS
Display Name:System Event Notification
Service Type:shares a process with other services

Service Name:SharedAccess
Display Name:Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Service Type:shares a process with other services

Service Name:ShellHWDetection
Display Name:Shell Hardware Detection
Service Type:shares a process with other services

Service Name:srservice
Display Name:System Restore Service
Service Type:shares a process with other services

Service Name:TapiSrv
Display Name:Telephony
Service Type:shares a process with other services

Service Name:TermService
Display Name:Terminal Services
Service Type:shares a process with other services

Service Name:Themes
Display Name:Themes
Service Type:shares a process with other services

Service Name:TrkWks
Display Name:Distributed Link Tracking Client
Service Type:shares a process with other services

Service Name:W32Time
Display Name:Windows Time
Service Type:shares a process with other services

Service Name:winmgmt
Display Name:Windows Management Instrumentation
Service Type:shares a process with other services

Service Name:wuauserv
Display Name:Automatic Updates
Service Type:shares a process with other services

Service Name:WZCSVC
Display Name:Wireless Zero Configuration
Service Type:shares a process with other services

PID	Port		Local IP	State		 Remote IP:Port
1092	TCP 1025	0.0.0.0 	LISTENING	 0.0.0.0:2064
1092	TCP 3002	127.0.0.1 	LISTENING	 0.0.0.0:49193
1092	TCP 3003	127.0.0.1 	LISTENING	 0.0.0.0:39078
1092	UDP 123  	169.254.66.8 			 *:*
1092	UDP 123  	127.0.0.1 			 *:*

Port Statistics

TCP MAPPINGS: 3
UDP MAPPINGS: 2

TCP ports in a LISTENING state: 	3 = 100.00%

Loaded modules:
D:\WINDOWS\System32\svchost.exe (0x01000000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
d:\windows\system32\shsvcs.dll (0x76BD0000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
d:\windows\system32\dhcpcsvc.dll (0x76D80000)
d:\windows\system32\DNSAPI.dll (0x76F20000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
d:\windows\system32\iphlpapi.dll (0x76D60000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\UxTheme.dll (0x5AD70000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
d:\windows\system32\wzcsvc.dll (0x70B50000)
d:\windows\system32\rtutils.dll (0x76E80000)
d:\windows\system32\WMI.dll (0x76D30000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
d:\windows\system32\WTSAPI32.dll (0x76F50000)
d:\windows\system32\ESENT.dll (0x69710000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
d:\windows\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\rastls.dll (0x555A0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\CRYPTUI.dll (0x754D0000)
D:\WINDOWS\System32\WINTRUST.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\WINDOWS\System32\RASAPI32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\SCHANNEL.dll (0x767F0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\WinSCard.dll (0x723D0000)
D:\WINDOWS\System32\raschap.dll (0x70AF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
d:\windows\system32\schedsvc.dll (0x751D0000)
d:\windows\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\System32\MSIDLE.DLL (0x74F50000)
D:\WINDOWS\System32\NTMARTA.DLL (0x76CE0000)
d:\windows\system32\audiosrv.dll (0x708B0000)
d:\windows\system32\wkssvc.dll (0x75170000)
d:\windows\system32\cryptsvc.dll (0x74FA0000)
d:\windows\system32\certcli.dll (0x75350000)
d:\windows\pchealth\helpctr\binaries\pchsvc.dll (0x74F40000)
d:\windows\system32\es.dll (0x76B70000)
d:\windows\system32\ersvc.dll (0x74F80000)
d:\windows\system32\dmserver.dll (0x74F90000)
d:\windows\system32\srvsvc.dll (0x75090000)
d:\windows\system32\msgsvc.dll (0x74F60000)
d:\windows\system32\netman.dll (0x76DE0000)
d:\windows\system32\seclogon.dll (0x73D20000)
d:\windows\system32\sens.dll (0x722D0000)
d:\windows\system32\srsvc.dll (0x751A0000)
d:\windows\system32\POWRPROF.dll (0x74AD0000)
d:\windows\system32\tapisrv.dll (0x733E0000)
d:\windows\system32\PSAPI.DLL (0x76BF0000)
d:\windows\system32\trkwks.dll (0x75070000)
d:\windows\system32\w32time.dll (0x767C0000)
d:\windows\system32\MSVCP60.dll (0x55900000)
d:\windows\system32\wbem\wmisvc.dll (0x597A0000)
d:\windows\system32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\VSSAPI.DLL (0x753E0000)
d:\windows\system32\wuauserv.dll (0x74EC0000)
D:\WINDOWS\System32\wuaueng.dll (0x01B20000)
D:\WINDOWS\System32\ADVPACK.dll (0x75260000)
D:\WINDOWS\System32\sfc.dll (0x76BB0000)
D:\WINDOWS\System32\sfc_os.dll (0x76C60000)
d:\windows\system32\rasmans.dll (0x72480000)
d:\windows\system32\WINIPSEC.DLL (0x74370000)
d:\windows\system32\netcfgx.dll (0x755F0000)
d:\windows\system32\CLUSAPI.dll (0x55560000)
d:\windows\system32\browser.dll (0x74FE0000)
D:\WINDOWS\System32\winspool.drv (0x73000000)
D:\WINDOWS\System32\rastapi.dll (0x72060000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\comsvcs.dll (0x75730000)
D:\WINDOWS\system32\MTXCLU.DLL (0x750F0000)
D:\WINDOWS\system32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\system32\colbact.DLL (0x75130000)
D:\WINDOWS\System32\RESUTILS.DLL (0x750B0000)
D:\WINDOWS\System32\mtxoci.dll (0x750D0000)
D:\WINDOWS\System32\unimdm.tsp (0x57CC0000)
D:\WINDOWS\System32\uniplat.dll (0x72000000)
D:\WINDOWS\System32\kmddsp.tsp (0x57D40000)
D:\WINDOWS\System32\ndptsp.tsp (0x57D20000)
D:\WINDOWS\System32\ipconf.tsp (0x57D50000)
D:\WINDOWS\System32\h323.tsp (0x57D70000)
D:\WINDOWS\System32\hidphone.tsp (0x57D60000)
D:\WINDOWS\System32\HID.DLL (0x688F0000)
D:\WINDOWS\System32\rasppp.dll (0x72240000)
D:\WINDOWS\System32\ntlsapi.dll (0x724B0000)
d:\windows\system32\ipnathlp.dll (0x66460000)
d:\windows\system32\netshell.dll (0x75CF0000)
d:\windows\system32\credui.dll (0x76C00000)
d:\windows\system32\HNetCfg.dll (0x68880000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\Wbem\wbemcore.dll (0x75450000)
D:\WINDOWS\System32\Wbem\esscli.dll (0x75310000)
D:\WINDOWS\System32\Wbem\FastProx.dll (0x75690000)
D:\WINDOWS\System32\wbem\wmiutils.dll (0x75020000)
D:\WINDOWS\System32\wbem\repdrvfs.dll (0x75200000)
D:\WINDOWS\System32\wbem\wmiprvsd.dll (0x597F0000)
D:\WINDOWS\System32\NCObjAPI.DLL (0x5F770000)
D:\WINDOWS\System32\wbem\wbemess.dll (0x75390000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
d:\windows\system32\termsrv.dll (0x752D0000)
d:\windows\system32\ICAAPI.dll (0x74F70000)
d:\windows\system32\AUTHZ.dll (0x76CC0000)
d:\windows\system32\mstlsapi.dll (0x75110000)
D:\WINDOWS\System32\REGAPI.dll (0x76BC0000)
D:\WINDOWS\System32\wbem\ncprov.dll (0x5F740000)
D:\WINDOWS\System32\catsrvut.dll (0x6FB10000)
D:\WINDOWS\System32\MfcSubs.dll (0x61990000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\System32\msi.dll (0x76400000)
D:\WINDOWS\System32\Cabinet.dll (0x75150000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\catsrv.dll (0x6FBD0000)
D:\WINDOWS\System32\upnp.dll (0x555F0000)
D:\WINDOWS\System32\SSDPAPI.dll (0x74F00000)
D:\WINDOWS\System32\RASDLG.dll (0x75550000)
d:\windows\system32\qmgr.dll (0x5DDD0000)
d:\windows\system32\SHFOLDER.dll (0x76780000)
D:\WINDOWS\System32\qmgrprxy.dll (0x5DDC0000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\wbem\wbemcons.dll (0x73D30000)
Because Windows 2000 systems do not support port-to-process mapping, the PR-INITIAL log file contains the following line:
Port to process mappings are not available on this system.

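PR-PORTS log file

The PR-PORTS log file contains summary data about TCP and UDP port activity on the computer. The data is listed in comma-separated values (CSV) format, as follows:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
On Windows 2000-based computers, which do not support port-to-process mapping, the Port Reporter service lists the data in the following format:
date,time,protocol,local port,local IP address,remote port,remote IP address
The following is an example of the contents of a PR-PORTS log file: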
Port Reporter Version 1.0 Log File - Port usage log

Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data

Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,0.0.0.0,4225,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,169.254.66.8,80,216.74.132.12,664,iexplore.exe,<MYDOMAIN\user>
4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,21:51:2,TCP,2684,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:15,UDP,2687,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:43,UDP,2688,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,TCP,2691,169.254.66.8,80,169.254.133.55,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:37,TCP,2693,0.0.0.0,2160,0.0.0.0,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:05:2,UDP,2697,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,22:06:2,TCP,2698,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:06:46,UDP,2700,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2701,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2702,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
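In the PR-PORTS log file, you may see some entries that are similar to the following:
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
In this case, the user context is missing. These entries indicate that the Port Reporter service could not determine the user account that is associated with the process. This is the expected output for the System process and the System Idle process. When you review the contents of the PR-PORTS log file for a port or a process, note the date and time stamp of the entry that you want to investigate further. You can find additional details about an entry in the PR-PORTS log file when you locate its corresponding entry in the PR-PIDS log file. To do this, follow these steps:
  1. Start Notepad, and then open the PR-PIDS log file.
  2. On the Edit menu, click Find.
  3. In the Find what box, type the date and time stamp of the entry in the PR-PORTS log file that you want more information about, and then click Find Next.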
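
A Python example for reading PR-PORTS data lines, added here and not part of the original article or of Port Reporter Parser. It accepts the 10-field and 7-field layouts described above plus the 9-field rows that appear in the sample, and it lists rows that lack a user context for a process other than System or System Idle, which are the rows worth looking up in the PR-PIDS log. The function names, the reading of a two-digit year as 20yy, and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the PR-PORTS layout shown in the article. The last
# line uses the 7-field Windows 2000 layout and is invented for illustration.
SAMPLE = r"""Port Reporter Version 1.0 Log File - Port usage log

Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context

04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,23:10:5,TCP,1045,169.254.66.8,80,169.254.133.55
"""

DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{1,2}$")
# The article states that a missing user context is expected for these two.
EXPECTED_NO_USER = {"System", "System Idle"}


def parse_line(line):
    """Return a dict for one PR-PORTS data line, or None for any other line."""
    fields = line.rstrip("\r\n").split(",")
    if not DATE_RE.match(fields[0]) or len(fields) not in (7, 9, 10):
        return None
    try:
        # Date and time are not zero-padded ("04/1/24", "21:36:2").
        yy, month, day = (int(x) for x in fields[0].split("/"))
        hour, minute, second = (int(x) for x in fields[1].split(":"))
        rec = {
            # Assumption: two-digit years are 20yy (the article's logs are from 2004).
            "when": datetime(2000 + yy, month, day, hour, minute, second),
            "protocol": fields[2],
            "local_port": int(fields[3]),
            "local_ip": fields[4],
            "remote_port": None if fields[5] == "*" else int(fields[5]),
            "remote_ip": None if fields[6] == "*" else fields[6],
            "pid": None, "module": None, "user": None,
        }
        if len(fields) >= 9:          # Windows XP / Server 2003 layout
            rec["pid"] = int(fields[7])
            rec["module"] = fields[8]
        if len(fields) == 10 and fields[9].strip():
            rec["user"] = fields[9].strip().strip("<>")
    except ValueError:
        return None                   # malformed data line
    return rec


def parse_log(text):
    """Parse a whole PR-PORTS file, skipping the banner and header lines."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def missing_user_context(records):
    """Rows with a PID but no user context, other than System / System Idle."""
    return [r for r in records
            if r["pid"] is not None and r["user"] is None
            and r["module"] not in EXPECTED_NO_USER]


def remote_peers(records):
    """Count TCP rows per (module, remote IP, remote port) that name a peer."""
    peers = Counter()
    for r in records:
        if r["protocol"] == "TCP" and r["remote_ip"] not in (None, "0.0.0.0"):
            peers[(r["module"], r["remote_ip"], r["remote_port"])] += 1
    return peers


if __name__ == "__main__":
    records = parse_log(SAMPLE)
    for r in missing_user_context(records):
        print("no user context:", r["when"], r["pid"], r["module"])
    for key, count in remote_peers(records).items():
        print(count, key)
```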

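PR-PIDS log file

The PR-PIDS log file contains detailed information about the ports, the processes, the related modules, and the user account that the process runs under. The following is an example of the contents of a PR-PIDS log file: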
Port Reporter Version 1.0 Log File

Process detail log

System Date:Sat Jan 24 08:49:31 2004


Local computer name:

<ComputerName>


======================================================

Log entry below recorded at:<Date and Time>

======================================================

Process ID:664 (iexplore.exe)

User context:MYDOMAIN\user

Process doesn't appear to be a service

PID	Port		Local IP	State		 Remote IP:Port
664	TCP 4867	0.0.0.0 	LISTENING	 0.0.0.0:4225
664	TCP 4873	0.0.0.0 	LISTENING	 0.0.0.0:45070
664	TCP 4867	169.254.66.8  	ESTABLISHED	 169.254.44.12:80
664	TCP 4873	169.254.66.8  	SYN SENT	 169.254.44.12:80
664	UDP 4817  	127.0.0.1 			 *:*

Port Statistics

TCP MAPPINGS: 4
UDP MAPPINGS: 1

TCP ports in a LISTENING state: 	2 = 50.00%
TCP ports in a SYN SENT state: 		1 = 25.00%
TCP ports in a ESTABLISHED state: 	1 = 25.00%

Loaded modules:
D:\Program Files\Internet Explorer\iexplore.exe (0x00400000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\System32\SHDOCVW.dll (0x71700000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\SHELL32.dll (0x773D0000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
D:\WINDOWS\System32\BROWSEUI.dll (0x75F80000)
D:\WINDOWS\System32\browselc.dll (0x72430000)
D:\WINDOWS\system32\appHelp.dll (0x75F40000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\System32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\cscui.dll (0x76620000)
D:\WINDOWS\System32\CSCDLL.dll (0x76600000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (0x10000000)
D:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll (0x5F200000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\shdoclc.dll (0x00DE0000)
D:\WINDOWS\System32\mlang.dll (0x74770000)
D:\WINDOWS\System32\wsock32.dll (0x71AD0000)
D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\RASAPI32.DLL (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\rtutils.dll (0x76E80000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\msi.dll (0x01370000)
D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\mshtml.dll (0x63580000)
D:\WINDOWS\System32\IMM32.DLL (0x76390000)
D:\Program Files\Microsoft Office\Office10\msohev.dll (0x32520000)
D:\WINDOWS\System32\jscript.dll (0x6B700000)
D:\WINDOWS\System32\dxtrans.dll (0x6BDD0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\ddrawex.dll (0x65000000)
D:\WINDOWS\System32\DDRAW.dll (0x51000000)
D:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)
D:\WINDOWS\System32\dxtmsft.dll (0x6BE10000)
D:\WINDOWS\System32\MSLS31.DLL (0x746C0000)
D:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)
D:\WINDOWS\System32\wdmaud.drv (0x72D20000)
D:\WINDOWS\System32\msacm32.drv (0x72D10000)
D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
D:\WINDOWS\System32\midimap.dll (0x77BD0000)
D:\WINDOWS\System32\msxml3.dll (0x72E00000)
D:\WINDOWS\System32\vbscript.dll (0x73300000)
D:\WINDOWS\System32\IMGUTIL.DLL (0x66880000)
D:\WINDOWS\System32\pngfilt.dll (0x5E310000)
D:\WINDOWS\System32\wmp.dll (0x07680000)
D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)
D:\WINDOWS\System32\wmploc.dll (0x08110000)
D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (0x6D440000)
D:\WINDOWS\System32\OLEPRO32.DLL (0x5EDD0000)
D:\Program Files\Java\j2re1.4.2\bin\jpiexp32.dll (0x6D310000)
D:\Program Files\Java\j2re1.4.2\bin\jpishare.dll (0x6D380000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\client\jvm.dll (0x04F20000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\hpi.dll (0x02FE0000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\verify.dll (0x05070000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\java.dll (0x05080000)
D:\PROGRA~1\Java\J2RE14~1.2\bin\zip.dll (0x050A0000)
D:\Program Files\Java\j2re1.4.2\bin\awt.dll (0x083E0000)
D:\Program Files\Java\j2re1.4.2\bin\fontmanager.dll (0x075F0000)
D:\WINDOWS\System32\D3DIM700.DLL (0x5C000000)
D:\Program Files\Java\j2re1.4.2\bin\jpicom32.dll (0x6D2F0000)
D:\Program Files\Java\j2re1.4.2\bin\net.dll (0x07660000)
D:\WINDOWS\System32\wintrust.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\System32\schannel.dll (0x767F0000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
D:\WINDOWS\System32\wmvcore.dll (0x09270000)
D:\WINDOWS\System32\WMASF.DLL (0x09470000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\dispex.dll (0x6CC60000)
D:\WINDOWS\System32\mshtmled.dll (0x74CB0000)
D:\WINDOWS\System32\wmnetmgr.dll (0x09D90000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\netman.dll (0x76DE0000)
D:\WINDOWS\System32\WZCSvc.DLL (0x70B50000)
D:\WINDOWS\System32\WMI.dll (0x76D30000)
D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)
D:\WINDOWS\System32\WTSAPI32.dll (0x76F50000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
D:\WINDOWS\System32\ESENT.dll (0x69710000)
D:\WINDOWS\System32\hnetcfg.dll (0x68880000)
D:\WINDOWS\System32\netshell.dll (0x75CF0000)
D:\WINDOWS\System32\credui.dll (0x76C00000)
D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)
D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)
D:\WINDOWS\System32\quartz.dll (0x35500000)
D:\WINDOWS\System32\msdmo.dll (0x0ADF0000)
D:\WINDOWS\System32\wmadmod.dll (0x0AE00000)
D:\WINDOWS\System32\devenum.dll (0x35680000)
D:\WINDOWS\System32\DSOUND.DLL (0x51080000)
D:\WINDOWS\System32\KsUser.dll (0x5EF80000)

======================================================

Log entry below recorded at:<Date and Time>
======================================================

Process ID:3764 (msmsgs.exe)

User context:MYDOMAIN\user

Process doesn't appear to be a service

PID	Port		Local IP	State		 Remote IP:Port
3764	TCP 16521	169.254.66.8 	LISTENING	 0.0.0.0:45294
3764	UDP 4803  	0.0.0.0 			 *:*
3764	UDP 9586  	169.254.66.8 			 *:*
3764	UDP 55441  	169.254.66.8 			 *:*

Port Statistics

TCP MAPPINGS: 1
UDP MAPPINGS: 3

TCP ports in a LISTENING state: 	1 = 100.00%

Loaded modules:
D:\Program Files\Messenger\msmsgs.exe (0x00400000)

D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.DLL (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\GDI32.DLL (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.DLL (0x77120000)
D:\WINDOWS\system32\MSVCRT.DLL (0x77C10000)
D:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.DLL (0x71950000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\SHELL32.DLL (0x773D0000)
D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
D:\Program Files\Messenger\MSGSLANG.DLL (0x69200000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\System32\wtsapi32.dll (0x76F50000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
D:\WINDOWS\System32\es.dll (0x76B70000)
D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
D:\Program Files\Messenger\rtcimsp.dll (0x00F30000)
D:\WINDOWS\System32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\System32\rtcdll.dll (0x5D370000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\System32\termmgr.dll (0x5B6F0000)
D:\WINDOWS\System32\rtutils.dll (0x76E80000)
D:\WINDOWS\System32\quartz.dll (0x35500000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\dxmrtp.dll (0x6BE70000)
D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)
D:\WINDOWS\System32\DSOUND.dll (0x51080000)
D:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)
D:\WINDOWS\System32\devenum.dll (0x35680000)
D:\WINDOWS\System32\setupapi.dll (0x76670000)
D:\WINDOWS\System32\wdmaud.drv (0x72D20000)
D:\WINDOWS\System32\msacm32.drv (0x72D10000)
D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
D:\WINDOWS\System32\midimap.dll (0x77BD0000)
D:\WINDOWS\System32\msdmo.dll (0x01450000)
D:\WINDOWS\System32\dpnhupnp.dll (0x018A0000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\System32\rasapi32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\hnetcfg.dll (0x68880000)
D:\WINDOWS\System32\netshell.dll (0x75CF0000)
D:\WINDOWS\System32\credui.dll (0x76C00000)
D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)
D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)
D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)
D:\WINDOWS\System32\netcfgx.dll (0x755F0000)
D:\WINDOWS\System32\CLUSAPI.dll (0x55560000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)

======================================================

Log entry below recorded at:<Date and Time>
======================================================

Process ID:2424 (Virtual PC.exe)

User context:MYDOMAIN\user

Process doesn't appear to be a service

PID	Port		Local IP	State		 Remote IP:Port
2424	TCP 1262	0.0.0.0 	LISTENING	 0.0.0.0:2192
2424	TCP 1731	0.0.0.0 	LISTENING	 0.0.0.0:53467
2424	TCP 2226	0.0.0.0 	LISTENING	 0.0.0.0:45214
2424	TCP 2229	0.0.0.0 	LISTENING	 0.0.0.0:2176
2424	TCP 4724	0.0.0.0 	LISTENING	 0.0.0.0:26634
2424	TCP 4725	0.0.0.0 	LISTENING	 0.0.0.0:2172
2424	TCP 4726	0.0.0.0 	LISTENING	 0.0.0.0:39049
2424	TCP 4727	0.0.0.0 	LISTENING	 0.0.0.0:37118
2424	TCP 4728	0.0.0.0 	LISTENING	 0.0.0.0:16491
2424	TCP 4729	0.0.0.0 	LISTENING	 0.0.0.0:20734
2424	TCP 4925	0.0.0.0 	LISTENING	 0.0.0.0:2064
2424	TCP 4930	0.0.0.0 	LISTENING	 0.0.0.0:8249
2424	TCP 4931	0.0.0.0 	LISTENING	 0.0.0.0:61639
2424	TCP 4932	0.0.0.0 	LISTENING	 0.0.0.0:22535
2424	TCP 2189	127.0.0.1 	LISTENING	 0.0.0.0:45095
2424	TCP 1262	169.254.66.8 	ESTABLISHED	 169.254.5.214:1745
2424	TCP 1731	169.254.66.8 	ESTABLISHED	 169.254.4.228:1745
2424	TCP 2226	169.254.66.8 	ESTABLISHED	 157.56.120.30:1745
2424	TCP 2229	169.254.66.8 	ESTABLISHED	 157.56.121.78:1745
2424	TCP 4724	169.254.66.8 	ESTABLISHED	 169.254.4.38:1745
2424	TCP 4725	169.254.66.8 	ESTABLISHED	 169.254.5.105:1745
2424	TCP 4726	169.254.66.8 	ESTABLISHED	 169.254.5.103:1745
2424	TCP 4727	169.254.66.8 	ESTABLISHED	 169.254.4.240:1745
2424	TCP 4728	169.254.66.8 	ESTABLISHED	 169.254.7.23:1745
2424	TCP 4729	169.254.66.8 	ESTABLISHED	 169.254.4.241:1745
2424	TCP 4925	169.254.66.8 	ESTABLISHED	 169.254.121.89:1745
2424	TCP 4930	169.254.66.8 	ESTABLISHED	 169.254.113.92:1745
2424	TCP 4931	169.254.66.8 	ESTABLISHED	 169.254.113.87:1745
2424	TCP 4932	169.254.66.8 	ESTABLISHED	 169.254.121.93:1745
2424	UDP 2686  	0.0.0.0 			 *:*
2424	UDP 2687  	0.0.0.0 			 *:*

Port Statistics

TCP MAPPINGS: 29
UDP MAPPINGS: 2

TCP ports in a LISTENING state: 	15 = 51.72%
TCP ports in a ESTABLISHED state: 	14 = 48.28%

Loaded modules:
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe (0x00400000)

C:\WINDOWS\System32\ntdll.dll (0x77F50000)
C:\WINDOWS\system32\kernel32.dll (0x77E60000)
C:\WINDOWS\System32\DDRAW.dll (0x51000000)
C:\WINDOWS\system32\msvcrt.dll (0x77C10000)
C:\WINDOWS\system32\USER32.dll (0x77D40000)
C:\WINDOWS\system32\GDI32.dll (0x77C70000)
C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
C:\WINDOWS\system32\RPCRT4.dll (0x78000000)
C:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)
C:\WINDOWS\System32\DINPUT.dll (0x72280000)
C:\WINDOWS\System32\WINMM.dll (0x76B40000)
C:\WINDOWS\System32\iphlpapi.dll (0x76D60000)
C:\WINDOWS\System32\WS2_32.dll (0x71AB0000)
C:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)
C:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)
C:\WINDOWS\system32\comdlg32.dll (0x763B0000)
C:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll (0x71950000)
C:\WINDOWS\system32\SHELL32.dll (0x773D0000)
C:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)
C:\WINDOWS\system32\ole32.dll (0x771B0000)
C:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
C:\WINDOWS\system32\VERSION.dll (0x77C00000)
C:\WINDOWS\System32\OLEACC.dll (0x74C80000)
C:\WINDOWS\System32\MSVCP60.dll (0x55900000)
C:\WINDOWS\System32\uxtheme.dll (0x5AD70000)
C:\WINDOWS\System32\MSCTF.dll (0x74720000)
C:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
C:\WINDOWS\System32\COMRes.dll (0x77050000)
C:\WINDOWS\System32\msxml4.dll (0x69B10000)
C:\WINDOWS\System32\LINKINFO.dll (0x76980000)
C:\WINDOWS\System32\ntshrui.dll (0x76990000)
C:\WINDOWS\System32\ATL.DLL (0x76B20000)
C:\WINDOWS\System32\NETAPI32.dll (0x71C20000)
C:\WINDOWS\system32\USERENV.dll (0x75A70000)
C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000)
C:\WINDOWS\System32\mswsock.dll (0x71A50000)
C:\WINDOWS\System32\DNSAPI.dll (0x76F20000)
C:\WINDOWS\System32\winrnr.dll (0x76FB0000)
C:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
C:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
C:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
C:\WINDOWS\System32\wdmaud.drv (0x72D20000)
C:\WINDOWS\System32\msacm32.drv (0x72D10000)
C:\WINDOWS\System32\MSACM32.dll (0x77BE0000)
C:\WINDOWS\System32\midimap.dll (0x77BD0000)
C:\WINDOWS\System32\HID.DLL (0x688F0000)
C:\WINDOWS\System32\SETUPAPI.DLL (0x76670000)
C:\Documents and Settings\user\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll (0x10000000)
C:\WINDOWS\System32\mslbui.dll (0x605D0000)
C:\WINDOWS\System32\Secur32.dll (0x76F90000)
C:\WINDOWS\System32\security.dll (0x71F80000)
C:\WINDOWS\system32\msv1_0.dll (0x76D10000)
C:\WINDOWS\system32\appHelp.dll (0x75F40000)
C:\WINDOWS\System32\cscui.dll (0x76620000)
C:\WINDOWS\System32\CSCDLL.dll (0x76600000)
C:\WINDOWS\system32\MPR.dll (0x71B20000)
C:\WINDOWS\System32\ntlanman.dll (0x71C10000)
C:\WINDOWS\System32\NETUI0.dll (0x71CD0000)
C:\WINDOWS\System32\NETUI1.dll (0x71C90000)
C:\WINDOWS\System32\NETRAP.dll (0x71C80000)
C:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
C:\WINDOWS\System32\drprov.dll (0x75F60000)
C:\WINDOWS\System32\davclnt.dll (0x75F70000)

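The Port Reporter service tracks changes to ports and reports those changes in the log file. These changes may include an increase or a decrease in the number of connections on a port, or a change in the connection state of an existing connection. The Port Reporter service reports when a new connection to a TCP port is made or when an existing connection is closed. Port Reporter also reports when any one of the TCP connections on a port changes. TCP port states include the following: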
  • CLOSE_WAIT
  • CLOSED
  • ESTABLISHED
  • FIN_WAIT_1
  • LAST_ACK
  • LISTEN
  • SYN_RECEIVED
  • SYN_SEND
  • TIMED_WAIT
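An example of a state change is a connection in the ESTABLISHED state changing to the CLOSE_WAIT state.

Sometimes, the Port Reporter service may report that the System Idle process (PID 0) is using several TCP ports. This occurs when a program that is installed on the computer connects to a TCP port and then quickly disconnects from the port. Although the program is no longer running, the TCP connection between the program and the port may remain in the "Timed Wait" state. In this situation, the Port Reporter service may detect that the port is in use, but it cannot identify the program because the program that used the port is no longer running. The port may remain in the "Timed Wait" state for several minutes even though the process that used it is no longer running.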

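The Port Reporter service also creates a log entry when a program that is installed on the computer starts to use a new UDP port. For example, if a program binds to UDP port 69, the Port Reporter service logs this action to the PR-PORTS and PR-PIDS log files. The Port Reporter service does not log the UDP datagrams that are sent to the UDP port. It logs only that the UDP port is bound and is accepting datagrams.

Microsoft recommends that you check the system event log and the application event log for events that the Port Reporter service logs. The Port Reporter service logs an event when the service starts, when the service creates a log file, when the service stops, or when the service encounters an error. The event source is logged as "PortReporter". The event IDs range from 100 to 112.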

Because Windows 2000 systems do not support port-to-process mapping, the PR-PIDS log file on those systems contains the following line:
Port to process mappings are not available on this system.
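
As an added example (not part of the original article or of the Port Reporter tooling), the following Python parses PR-PIDS entries in the layout shown above, lists which image and account own each TCP listener or bound UDP port, and separates out mappings logged under PID 0, the "Timed Wait" case described above. The function names are hypothetical, and the PID 0 sample entry (image name, port, addresses and state spelling) is an assumption.

```python
import re

NO_MAP = "Port to process mappings are not available on this system."
HEADER = re.compile(r"^Process ID:(\d+) \((.*)\)\s*$")
# PID, protocol, local port, local IP, optional TCP state, remote endpoint
ROW = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\d+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\S+)\s*$")

def parse_pr_pids(text):
    """Return one dict per 'Process ID:' entry; [] when the host logs no mappings."""
    if NO_MAP in text:
        return []
    entries, cur = [], None
    for line in text.splitlines():
        m, r = HEADER.match(line), ROW.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "image": m.group(2), "user": None,
                   "not_service": False, "ports": []}
            entries.append(cur)
        elif cur is None:
            continue  # separator and timestamp lines before the first entry
        elif line.startswith("User context:"):
            cur["user"] = line.split(":", 1)[1].strip()
        elif line.startswith("Process doesn't appear to be a service"):
            cur["not_service"] = True
        elif r and int(r.group(1)) == cur["pid"]:
            proto, port, local_ip, state, remote = r.groups()[1:]
            cur["ports"].append((proto, int(port), local_ip, state, remote))
    return entries

def listeners(entries):
    """(image, user, proto, port, local IP) for each TCP listener and bound UDP port."""
    return [(e["image"], e["user"], p[0], p[1], p[2]) for e in entries
            for p in e["ports"] if p[0] == "UDP" or p[3] == "LISTENING"]

def unattributed(entries):
    """Mappings logged under PID 0, whose owning program had already exited."""
    return [p for e in entries if e["pid"] == 0 for p in e["ports"]]

# Constructed sample: the first entry copies msmsgs.exe rows shown on this page;
# the PID 0 entry (image name, port, addresses, state spelling) is an assumption.
SAMPLE = (
    "Process ID:3764 (msmsgs.exe)\n\nUser context:MYDOMAIN\\user\n\n"
    "Process doesn't appear to be a service\n\n"
    "PID\tPort\t\tLocal IP\tState\t\t Remote IP:Port\n"
    "3764\tTCP 16521\t169.254.66.8 \tLISTENING\t 0.0.0.0:45294\n"
    "3764\tUDP 4803  \t0.0.0.0 \t\t\t *:*\n"
    "Process ID:0 (System Idle Process)\n\n"
    "0\tTCP 4100\t192.0.2.10 \tTIMED_WAIT\t 192.0.2.20:80\n"
)
```

Comparing the output of `listeners()` across log files from different days shows when a new image or account starts accepting connections on a host.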


More Information

To view a webcast about Port Reporter, click the following Microsoft Knowledge Base article number:
840832 Support WebCast: Port Reporter

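References

PortQry version 2.0 is a related tool. It lets you track activity on a single port or on all the ports that a specified process uses. For additional information about PortQry version 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
832919 New features and functionality in PortQry version 2.0
Important: The PortQueryUI tool provides a graphical user interface and is available for download. PortQueryUI includes several features that make PortQry easier to use. To obtain this tool, visit the following Microsoft Web site:
http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe
Important: The Port Reporter Parser tool is a log parser for Port Reporter log files and is now available for download. Port Reporter Parser includes many advanced features that help you analyze Port Reporter log files. To obtain the Port Reporter Parser tool, visit the following Microsoft Web site: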
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe

Properties

Article ID: 837243 - Last modified: February 17, 2005 - Revision: 6.1
The information in this article applies to:
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows XP Professional Edition
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: kbhowtomaster KB837243