
Availability and description of the Port Reporter tool

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015.

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Summary
This article discusses the Port Reporter tool. The Port Reporter tool runs as a service on computers that are running Windows Server 2003, Windows XP, and Windows 2000. The tool logs TCP and UDP port activity. This article contains information about how to obtain and install the tool. When you install the tool, Setup creates the appropriate registry entries and installs the Port Reporter service.

This article also contains information about how to configure the Port Reporter service by using startup parameters, and about the Port Reporter log files that the Port Reporter service generates.
Introduction
This article contains information about how to obtain, install, and configure the Port Reporter tool. The Port Reporter tool logs TCP/IP port data on computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000.


Overview

The Port Reporter tool logs TCP and UDP port activity. The tool is a small program that runs as a service on computers that are running Windows Server 2003, Windows XP, or Windows 2000.

On Windows Server 2003-based and Windows XP-based computers, the service logs the following information:
  • The ports that are used
  • The processes that use the ports
  • Whether a process is a service
  • The modules that a process has loaded
  • The user account that runs a process
On Windows 2000-based computers, the service logs the ports that are used and the time when the ports are used.

You can use the information that the Port Reporter tool logs to help you track port usage and to troubleshoot some problems. The information that the Port Reporter tool logs is also useful from a security standpoint.


Obtaining the Port Reporter tool

The Port Reporter tool is available for download from the following link in the Microsoft Download Center:

Important: The Port Reporter Parser tool is a log parser for Port Reporter log files. It is now available for download. Port Reporter Parser has many features that help you analyze Port Reporter log files. You can download the Port Reporter Parser tool from the following Microsoft website:
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe


Installing the Port Reporter service

When you run Setup (Pr-Setup.exe) to install Port Reporter, Setup does the following:
  • Adds the following registry subkey to the Windows registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PortReporter
    The Port Reporter service requires this registry key to log entries to the Application event log on the computer.
  • Installs the Port Reporter service.

    Setup creates a service object for the Port Reporter tool and then adds the object to the Service Control Manager database.

Installing the Port Reporter service in the default location

By default, the Port Reporter service is installed in the following folder on the hard disk:
drive:\Program Files\PortReporter
To install the Port Reporter service in the default location:
  1. Log on to the computer as a member of the local Administrators group.
  2. Quit all programs that are running on the computer, including the Services tool in Administrative Tools and Event Viewer.
  3. Double-click Pr-Setup.exe to run Setup.
  4. When you are prompted to install the Port Reporter tool in the Program Files folder, press Y.

    After you press Y, Setup creates a subfolder named PortReporter in the Program Files folder. Portreporter.exe is copied to this subfolder and is registered as a service in the Service Control Manager.

Installing the Port Reporter service in a location other than the default location

To install the Port Reporter service in a location other than the default location:
  1. Log on to the computer as a member of the local Administrators group.
  2. Quit all programs that are running on the computer, including the Services tool in Administrative Tools and Event Viewer.
  3. Copy the Pr-setup.exe file and the Portreporter.exe file to the folder where you want to install the Port Reporter tool.

    Note: You must run Setup from a fixed local drive. You cannot run Setup from a network drive or from a CD-ROM drive.
  4. At a command prompt, type the following command line, and then press Enter, where PathOfFolder is the drive and folder path that contains the Pr-setup.exe file and the Portreporter.exe file:
    pr-setup.exe -d 'PathOfFolder'
    For example, to install the tool in the D:\Tools\Port Reporter folder, type:
    pr-setup.exe -d 'd:\tools\port reporter\'
    You receive output in the command prompt window that resembles the following:
    C:\temp>pr-setup.exe -d 'PathOfFolder'
    Installing Port Reporter service:PathOfFolder
    Creating service...completed successfully
    Creating registry key and values...completed successfully
    Setup has successfully installed the Port Reporter service
    The service is currently stopped and set to manual startup type
    Please use the services applet in the control panel to configure
    and start the Port Reporter service
    press any key to exit setup
  5. Press any key to exit Setup.

Configuring and starting the Port Reporter service

To verify that the Port Reporter service was installed successfully and to start the service, follow these steps:
  1. Click Start, right-click My Computer, and then click Manage.
  2. Expand Services and Applications, and then expand Services.
  3. In the right pane, verify that the Port Reporter service is listed.
  4. To start the service, double-click the service name, click Start, and then click OK.

    The Port Reporter service creates a log entry in the Application log that indicates that the service has started.
By default, the startup type of the Port Reporter service is set to Manual. If you want the service to start automatically when Windows starts, set the startup type to Automatic.

By default, the Port Reporter service logs on to the computer by using the Local System account. By using the Local System account, the Port Reporter service can collect detailed information about processes that the administrator account or other user accounts do not have permission to access. Therefore, Microsoft recommends that you do not modify this setting.

Note: Because the service runs in the context of the Local System account, Microsoft recommends that you secure the folder that contains Port Reporter. Whether you install Port Reporter in the default location (%SystemDrive%\Program Files\PortReporter) or in a custom location, you must do the following:
  • Install Port Reporter only on an NTFS file system partition.
  • Adjust the access control list (ACL) on the installation folder so that only the local Administrators group can access the folder. To do this, follow these steps:
    1. Start Windows Explorer, and then locate the installation folder. By default, the installation folder is %SystemDrive%\Program Files\PortReporter.
    2. Right-click the folder, and then click Properties.
    3. In the folder's Properties dialog box, click the Security tab, and then review the group and user names that have access to the folder. Only the local Administrators group and the System account should have access to the folder.
    4. Select all other groups and users that are listed, and then click Remove. When the list contains only the local Administrators group and the System account, click Apply, and then click OK.

Location of the log files

By default, the Port Reporter tool tries to create its log files in the following folder:
%systemroot%\System32\LogFiles\PortReporter
If the folder does not exist, it is created automatically. You can configure the location of the log files by using startup parameters that you specify on the General tab of the Port Reporter service's dialog box. To specify the folder for the log files, use the -ld command-line option followed by the name of the folder to use. You must enclose the folder name in single quotation marks ('). For example, if you specify the following startup parameter, the Port Reporter service creates its log files in the C:\Program Files\Port Reporter folder when the service starts:
-ld 'c:\program files\port reporter'

Size of the log files

By default, the Port Reporter service writes to a log file until the log file reaches 5 MB. When the log file reaches 5 MB, a new log file is created. To configure the size of the log files, use the -ls command-line option. You can specify a log file size between 1000 KB and 102400 KB. For example, if you specify the following startup parameter, the Port Reporter service creates a new log file every time a log file reaches 7000 KB:
-ls 7000
After you configure the Port Reporter service with the startup parameters that you want, start the service. When the Port Reporter service starts, the following two events are logged in the Application event log:

Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service was started.

Type: Information
Source: PortReporter
Category: None
Event ID: 100
Description:
The Port Reporter service successfully created log files in the following directory: PathOfLogFiles

Removing the Port Reporter service

To remove the Port Reporter service, type the following command line at a command prompt, and then press Enter:
pr-setup.exe -u
You receive output in the command prompt window that resembles the following:
Uninstalling Port Reporter service...
Deleting service...
Stopping service...completed successfully
Removing service...completed successfully
Deleting service...completed successfully
Deleting registry key and values...completed successfully
Setup successfully uninstalled the Port Reporter Service
The installation directory has been left intact
press any key to exit setup
When you remove the Port Reporter service, Setup does the following:
  • Unregisters the Port Reporter service from the Service Control Manager database.
  • Deletes the registry key that was created when the Port Reporter service was installed.
When you remove the Port Reporter service, Setup does not delete the folder that contains the Pr-setup.exe file and the PortReporter.exe file, and it does not delete any log files that the service created.


Interpreting the Port Reporter log files

The Port Reporter service creates log files in the following situations:
  • Every time the Port Reporter service starts
  • Every day at midnight
  • When a log file reaches 5 MB, or when a log file reaches the custom size that is specified in the startup parameters
When the Port Reporter service starts, the following log files are created:
  • PR-INITIAL-*.log
  • PR-PORTS-*.log
  • PR-PIDS-*.log
The name of each log file uses the date and time (in 24-hour format) when the file was created. The format of the date and time stamp is year-month-day-hour-minute-second. For example, the following three files were created on January 24, 2004, at 8:49:30 AM:
  • PR-INITIAL-04-01-24-8-49-30.log
  • PR-PORTS-04-01-24-8-49-30.log
  • PR-PIDS-04-01-24-8-49-30.log
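The naming scheme above is enough to reconstruct when each file was created and to check that every PR-PORTS file still has the PR-PIDS file it refers to for process detail. The following Python is an added example, not part of the original article or the Port Reporter tool; the directory listing it works on is constructed, the regex is an assumption from the file names shown above, and two-digit years are assumed to mean 20yy.

```python
import re
from collections import defaultdict
from datetime import datetime

# PR-<KIND>-yy-mm-dd-h-m-s.log; hour, minute and second are not zero-padded
# (the article's example is PR-INITIAL-04-01-24-8-49-30.log). Assumed pattern.
_LOG_NAME = re.compile(
    r"^PR-(INITIAL|PORTS|PIDS)-(\d{2})-(\d{2})-(\d{2})-(\d{1,2})-(\d{1,2})-(\d{1,2})\.log$",
    re.IGNORECASE,
)


def parse_log_name(name):
    """Return (kind, creation datetime) for a Port Reporter log file name, or None.
    The two-digit year is assumed to mean 20yy (the tool dates from 2004)."""
    m = _LOG_NAME.match(name)
    if not m:
        return None
    kind, yy, mo, dd, hh, mi, ss = m.groups()
    return kind.upper(), datetime(2000 + int(yy), int(mo), int(dd),
                                  int(hh), int(mi), int(ss))


def group_log_sets(names):
    """Group file names by creation stamp: {datetime: {"INITIAL": name, "PORTS": name, ...}}."""
    sets = defaultdict(dict)
    for n in names:
        parsed = parse_log_name(n)
        if parsed:
            kind, stamp = parsed
            sets[stamp][kind] = n
    return dict(sets)


def unpaired_stamps(names):
    """Creation stamps that have a PR-PORTS file without its PR-PIDS file, or vice versa.
    A PR-PORTS file names the PR-PIDS file of the same stamp for process detail, so a
    missing partner means that detail is gone (rotation gap, deletion or tampering)."""
    return sorted(stamp for stamp, files in group_log_sets(names).items()
                  if ("PORTS" in files) != ("PIDS" in files))


# Constructed directory listing: the article's three files, an assumed midnight
# rotation set, one set whose PR-PIDS file is missing, and an unrelated file.
SAMPLE_LISTING = [
    "PR-INITIAL-04-01-24-8-49-30.log",
    "PR-PORTS-04-01-24-8-49-30.log",
    "PR-PIDS-04-01-24-8-49-30.log",
    "PR-PORTS-04-01-25-0-0-0.log",
    "PR-PIDS-04-01-25-0-0-0.log",
    "PR-PORTS-04-01-26-0-0-0.log",
    "desktop.ini",
]

if __name__ == "__main__":
    for stamp, files in sorted(group_log_sets(SAMPLE_LISTING).items()):
        print(stamp.isoformat(), sorted(files))
    print("unpaired:", [s.isoformat() for s in unpaired_stamps(SAMPLE_LISTING)])
```

Run against the real log folder, replace SAMPLE_LISTING with os.listdir() of %systemroot%\System32\LogFiles\PortReporter (or the -ld folder); a stamp that shows up as unpaired is the first thing to explain before trusting the PR-PORTS entries of that period.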

The PR-INITIAL log file

The PR-INITIAL log file contains the data that the Port Reporter service collects about the ports, processes, and modules that are in use on the computer when the Port Reporter service starts. It also records the user context in which each process runs. The following is an example of the contents of a PR-INITIAL log file that was created on a Windows XP-based computer when Port Reporter started:
Port Reporter Version 1.0 Log File
Service initialization log
System Date:<Date and Time>
Local computer name:<ComputerName>
TCP/UDP Port to Process Mappings at service start-up
36 mappings found
PID:Process		Port		Local IP	State		 Remote IP:Port
0:System Idle		TCP 4857	169.254.66.8 	TIME WAIT	 169.254.44.123:80
4:System		TCP 445	0.0.0.0 	LISTENING	 0.0.0.0:6246
4:System		TCP 1026	0.0.0.0 	LISTENING	 0.0.0.0:28726
4:System		TCP 139	169.254.66.8 	LISTENING	 0.0.0.0:34925
4:System		UDP 445  	0.0.0.0 			 *:*
4:System		UDP 137  	169.254.66.8 			 *:*
4:System		UDP 138  	169.254.66.8 			 *:*
664:iexplore.exe	TCP 4867	0.0.0.0 	LISTENING	 0.0.0.0:4225
664:iexplore.exe	TCP 4870	0.0.0.0 	LISTENING	 0.0.0.0:45070
664:iexplore.exe	TCP 4871	0.0.0.0 	LISTENING	 0.0.0.0:18494
664:iexplore.exe	TCP 4872	0.0.0.0 	LISTENING	 0.0.0.0:6182
664:iexplore.exe	TCP 4867	169.254.66.8 	ESTABLISHED	 169.254.44.123:80
664:iexplore.exe	TCP 4870	169.254.66.8 	ESTABLISHED	 207.68.177.62:80
664:iexplore.exe	TCP 4871	169.254.66.8 	ESTABLISHED	 207.46.248.110:80
664:iexplore.exe	TCP 4872	169.254.66.8 	ESTABLISHED	 207.46.248.110:80
664:iexplore.exe	UDP 4817  	127.0.0.1 			 *:*
748:lsass.exe		UDP 500  	0.0.0.0 			 *:*
952:svchost.exe	TCP 135	0.0.0.0 	LISTENING	 0.0.0.0:2096
1092:svchost.exe	TCP 1025	0.0.0.0 	LISTENING	 0.0.0.0:2064
1092:svchost.exe	TCP 3002	127.0.0.1 	LISTENING	 0.0.0.0:49193
1092:svchost.exe	TCP 3003	127.0.0.1 	LISTENING	 0.0.0.0:39078
1092:svchost.exe	UDP 123  	169.254.66.8 			 *:*
1092:svchost.exe	UDP 123  	127.0.0.1 			 *:*
1192:svchost.exe	UDP 3009  	0.0.0.0 			 *:*
1192:svchost.exe	UDP 3015  	0.0.0.0 			 *:*
1192:svchost.exe	UDP 3016  	0.0.0.0 			 *:*
1228:svchost.exe	TCP 5000	0.0.0.0 	LISTENING	 0.0.0.0:45223
1228:svchost.exe	UDP 1900  	169.254.66.8 			 *:*
1228:svchost.exe	UDP 1900  	127.0.0.1 			 *:*
1536:alg.exe		TCP 3001	127.0.0.1 	LISTENING	 0.0.0.0:2064
1568:InoRpc.exe	TCP 42510	0.0.0.0 	LISTENING	 0.0.0.0:14373
1568:InoRpc.exe	UDP 43508  	169.254.66.8 			 *:*
3764:msmsgs.exe	TCP 16521	169.254.66.8 	LISTENING	 0.0.0.0:45294
3764:msmsgs.exe	UDP 4803  	0.0.0.0 			 *:*
3764:msmsgs.exe	UDP 9160  	169.254.66.8 			 *:*
3764:msmsgs.exe	UDP 9586  	169.254.66.8 			 *:*
=============================================================================
Process ID:4 (System)
System Process
PID	Port		Local IP	State		 Remote IP:Port
4	TCP 445	0.0.0.0 	LISTENING	 0.0.0.0:6246
4	TCP 1026	0.0.0.0 	LISTENING	 0.0.0.0:28726
4	TCP 139	169.254.66.8 	LISTENING	 0.0.0.0:34925
4	UDP 445  	0.0.0.0 			 *:*
4	UDP 137  	169.254.66.8 			 *:*
4	UDP 138  	169.254.66.8 			 *:*
Port Statistics
TCP MAPPINGS: 3
UDP MAPPINGS: 3
TCP ports in a LISTENING state: 	3 = 100.00%
Could not access module information for this process
======================================================
Process ID:748 (lsass.exe)
User context:NT AUTHORITY\SYSTEM
Service Name:PolicyAgent
Display Name:IPSEC Services
Service Type:shares a process with other services
Service Name:ProtectedStorage
Display Name:Protected Storage
Service Name:SamSs
Display Name:Security Accounts Manager
Service Type:shares a process with other services
PID	Port		Local IP	State		 Remote IP:Port
748	UDP 500  	0.0.0.0 			 *:*
Port Statistics
TCP MAPPINGS: 0
UDP MAPPINGS: 1
Loaded modules:
D:\WINDOWS\system32\lsass.exe (0x01000000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\LSASRV.dll (0x74520000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\SAMSRV.dll (0x74440000)
D:\WINDOWS\system32\cryptdll.dll (0x76790000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\WS2_32.dll (0x71AB0000)
D:\WINDOWS\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
D:\WINDOWS\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\msprivs.dll (0x743B0000)
D:\WINDOWS\system32\kerberos.dll (0x71CF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\system32\netlogon.dll (0x744B0000)
D:\WINDOWS\system32\w32time.dll (0x767C0000)
D:\WINDOWS\system32\MSVCP60.dll (0x55900000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\system32\schannel.dll (0x767F0000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\wdigest.dll (0x74380000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
D:\WINDOWS\system32\setupapi.dll (0x76670000)
D:\WINDOWS\system32\scecli.dll (0x74410000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\OLE32.DLL (0x771B0000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\system32\ipsecsvc.dll (0x743E0000)
D:\WINDOWS\system32\oakley.DLL (0x745D0000)
D:\WINDOWS\system32\WINIPSEC.DLL (0x74370000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\pstorsvc.dll (0x743A0000)
D:\WINDOWS\system32\psbase.dll (0x743C0000)
D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)
======================================================
Process ID:952 (svchost.exe)
User context:NT AUTHORITY\SYSTEM
Service Name:RpcSs
Display Name:Remote Procedure Call (RPC)
Service Type:shares a process with other services
PID	Port		Local IP	State		 Remote IP:Port
952	TCP 135	0.0.0.0 	LISTENING	 0.0.0.0:2096
Port Statistics
TCP MAPPINGS: 1
UDP MAPPINGS: 0
TCP ports in a LISTENING state: 	1 = 100.00%
Loaded modules:
D:\WINDOWS\system32\svchost.exe (0x01000000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
d:\windows\system32\rpcss.dll (0x75850000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\system32\userenv.dll (0x75A70000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\system32\DNSAPI.dll (0x76F20000)
D:\WINDOWS\system32\iphlpapi.dll (0x76D60000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
D:\WINDOWS\system32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\system32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
======================================================
Process ID:1092 (svchost.exe)
User context:NT AUTHORITY\SYSTEM
Service Name:AudioSrv
Display Name:Windows Audio
Service Type:shares a process with other services
Service Name:BITS
Display Name:Background Intelligent Transfer Service
Service Type:shares a process with other services
Service Name:CryptSvc
Display Name:Cryptographic Services
Service Type:shares a process with other services
Service Name:Dhcp
Display Name:DHCP Client
Service Type:shares a process with other services
Service Name:dmserver
Display Name:Logical Disk Manager
Service Type:shares a process with other services
Service Name:ERSvc
Display Name:Error Reporting Service
Service Type:shares a process with other services
Service Name:EventSystem
Display Name:COM+ Event System
Service Type:shares a process with other services
Service Name:helpsvc
Display Name:Help and Support
Service Type:shares a process with other services
Service Name:lanmanserver
Display Name:Server
Service Type:shares a process with other services
Service Name:lanmanworkstation
Display Name:Workstation
Service Type:shares a process with other services
Service Name:Messenger
Display Name:Messenger
Service Type:shares a process with other services
Service Name:Netman
Display Name:Network Connections
Service Name:Nla
Display Name:Network Location Awareness (NLA)
Service Type:shares a process with other services
Service Name:RasMan
Display Name:Remote Access Connection Manager
Service Type:shares a process with other services
Service Name:Schedule
Display Name:Task Scheduler
Service Name:seclogon
Display Name:Secondary Logon
Service Name:SENS
Display Name:System Event Notification
Service Type:shares a process with other services
Service Name:SharedAccess
Display Name:Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Service Type:shares a process with other services
Service Name:ShellHWDetection
Display Name:Shell Hardware Detection
Service Type:shares a process with other services
Service Name:srservice
Display Name:System Restore Service
Service Type:shares a process with other services
Service Name:TapiSrv
Display Name:Telephony
Service Type:shares a process with other services
Service Name:TermService
Display Name:Terminal Services
Service Type:shares a process with other services
Service Name:Themes
Display Name:Themes
Service Type:shares a process with other services
Service Name:TrkWks
Display Name:Distributed Link Tracking Client
Service Type:shares a process with other services
Service Name:W32Time
Display Name:Windows Time
Service Type:shares a process with other services
Service Name:winmgmt
Display Name:Windows Management Instrumentation
Service Type:shares a process with other services
Service Name:wuauserv
Display Name:Automatic Updates
Service Type:shares a process with other services
Service Name:WZCSVC
Display Name:Wireless Zero Configuration
Service Type:shares a process with other services
PID	Port		Local IP	State		 Remote IP:Port
1092	TCP 1025	0.0.0.0 	LISTENING	 0.0.0.0:2064
1092	TCP 3002	127.0.0.1 	LISTENING	 0.0.0.0:49193
1092	TCP 3003	127.0.0.1 	LISTENING	 0.0.0.0:39078
1092	UDP 123  	169.254.66.8 			 *:*
1092	UDP 123  	127.0.0.1 			 *:*
Port Statistics
TCP MAPPINGS: 3
UDP MAPPINGS: 2
TCP ports in a LISTENING state: 	3 = 100.00%
Loaded modules:
D:\WINDOWS\System32\svchost.exe (0x01000000)
D:\WINDOWS\System32\ntdll.dll (0x77F50000)
D:\WINDOWS\system32\kernel32.dll (0x77E60000)
D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)
D:\WINDOWS\system32\RPCRT4.dll (0x78000000)
D:\WINDOWS\system32\ole32.dll (0x771B0000)
D:\WINDOWS\system32\GDI32.dll (0x77C70000)
D:\WINDOWS\system32\USER32.dll (0x77D40000)
d:\windows\system32\shsvcs.dll (0x76BD0000)
D:\WINDOWS\system32\msvcrt.dll (0x77C10000)
D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)
D:\WINDOWS\system32\shell32.dll (0x773D0000)
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)
D:\WINDOWS\system32\comctl32.dll (0x77340000)
D:\WINDOWS\System32\WINSTA.dll (0x76360000)
d:\windows\system32\dhcpcsvc.dll (0x76D80000)
d:\windows\system32\DNSAPI.dll (0x76F20000)
d:\windows\system32\WS2_32.dll (0x71AB0000)
d:\windows\system32\WS2HELP.dll (0x71AA0000)
d:\windows\system32\iphlpapi.dll (0x76D60000)
d:\windows\system32\Secur32.dll (0x76F90000)
D:\WINDOWS\System32\UxTheme.dll (0x5AD70000)
D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)
d:\windows\system32\wzcsvc.dll (0x70B50000)
d:\windows\system32\rtutils.dll (0x76E80000)
d:\windows\system32\WMI.dll (0x76D30000)
D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)
D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)
D:\WINDOWS\system32\MSASN1.dll (0x762A0000)
d:\windows\system32\WTSAPI32.dll (0x76F50000)
d:\windows\system32\ESENT.dll (0x69710000)
D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)
d:\windows\system32\NETAPI32.dll (0x71C20000)
D:\WINDOWS\system32\mswsock.dll (0x71A50000)
D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)
D:\WINDOWS\System32\rastls.dll (0x555A0000)
D:\WINDOWS\System32\ATL.DLL (0x76B20000)
D:\WINDOWS\System32\CRYPTUI.dll (0x754D0000)
D:\WINDOWS\System32\WINTRUST.dll (0x76C30000)
D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)
D:\WINDOWS\system32\WININET.dll (0x76200000)
D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)
D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)
D:\WINDOWS\System32\adsldpc.dll (0x76E10000)
D:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)
D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)
D:\WINDOWS\System32\RASAPI32.dll (0x76EE0000)
D:\WINDOWS\System32\rasman.dll (0x76E90000)
D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)
D:\WINDOWS\System32\WINMM.dll (0x76B40000)
D:\WINDOWS\System32\SCHANNEL.dll (0x767F0000)
D:\WINDOWS\system32\USERENV.dll (0x75A70000)
D:\WINDOWS\System32\WinSCard.dll (0x723D0000)
D:\WINDOWS\System32\raschap.dll (0x70AF0000)
D:\WINDOWS\system32\msv1_0.dll (0x76D10000)
D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)
D:\WINDOWS\System32\COMRes.dll (0x77050000)
D:\WINDOWS\system32\VERSION.dll (0x77C00000)
d:\windows\system32\schedsvc.dll (0x751D0000)
d:\windows\system32\NTDSAPI.dll (0x767A0000)
D:\WINDOWS\System32\MSIDLE.DLL (0x74F50000)
D:\WINDOWS\System32\NTMARTA.DLL (0x76CE0000)
d:\windows\system32\audiosrv.dll (0x708B0000)
d:\windows\system32\wkssvc.dll (0x75170000)
d:\windows\system32\cryptsvc.dll (0x74FA0000)
d:\windows\system32\certcli.dll (0x75350000)
d:\windows\pchealth\helpctr\binaries\pchsvc.dll (0x74F40000)
d:\windows\system32\es.dll (0x76B70000)
d:\windows\system32\ersvc.dll (0x74F80000)
d:\windows\system32\dmserver.dll (0x74F90000)
d:\windows\system32\srvsvc.dll (0x75090000)
d:\windows\system32\msgsvc.dll (0x74F60000)
d:\windows\system32\netman.dll (0x76DE0000)
d:\windows\system32\seclogon.dll (0x73D20000)
d:\windows\system32\sens.dll (0x722D0000)
d:\windows\system32\srsvc.dll (0x751A0000)
d:\windows\system32\POWRPROF.dll (0x74AD0000)
d:\windows\system32\tapisrv.dll (0x733E0000)
d:\windows\system32\PSAPI.DLL (0x76BF0000)
d:\windows\system32\trkwks.dll (0x75070000)
d:\windows\system32\w32time.dll (0x767C0000)
d:\windows\system32\MSVCP60.dll (0x55900000)
d:\windows\system32\wbem\wmisvc.dll (0x597A0000)
d:\windows\system32\wbem\wbemcomn.dll (0x75290000)
D:\WINDOWS\System32\VSSAPI.DLL (0x753E0000)
d:\windows\system32\wuauserv.dll (0x74EC0000)
D:\WINDOWS\System32\wuaueng.dll (0x01B20000)
D:\WINDOWS\System32\ADVPACK.dll (0x75260000)
D:\WINDOWS\System32\sfc.dll (0x76BB0000)
D:\WINDOWS\System32\sfc_os.dll (0x76C60000)
d:\windows\system32\rasmans.dll (0x72480000)
d:\windows\system32\WINIPSEC.DLL (0x74370000)
d:\windows\system32\netcfgx.dll (0x755F0000)
d:\windows\system32\CLUSAPI.dll (0x55560000)
d:\windows\system32\browser.dll (0x74FE0000)
D:\WINDOWS\System32\winspool.drv (0x73000000)
D:\WINDOWS\System32\rastapi.dll (0x72060000)
D:\WINDOWS\System32\SXS.DLL (0x75E90000)
D:\WINDOWS\system32\comsvcs.dll (0x75730000)
D:\WINDOWS\system32\MTXCLU.DLL (0x750F0000)
D:\WINDOWS\system32\WSOCK32.dll (0x71AD0000)
D:\WINDOWS\system32\colbact.DLL (0x75130000)
D:\WINDOWS\System32\RESUTILS.DLL (0x750B0000)
D:\WINDOWS\System32\mtxoci.dll (0x750D0000)
D:\WINDOWS\System32\unimdm.tsp (0x57CC0000)
D:\WINDOWS\System32\uniplat.dll (0x72000000)
D:\WINDOWS\System32\kmddsp.tsp (0x57D40000)
D:\WINDOWS\System32\ndptsp.tsp (0x57D20000)
D:\WINDOWS\System32\ipconf.tsp (0x57D50000)
D:\WINDOWS\System32\h323.tsp (0x57D70000)
D:\WINDOWS\System32\hidphone.tsp (0x57D60000)
D:\WINDOWS\System32\HID.DLL (0x688F0000)
D:\WINDOWS\System32\rasppp.dll (0x72240000)
D:\WINDOWS\System32\ntlsapi.dll (0x724B0000)
d:\windows\system32\ipnathlp.dll (0x66460000)
d:\windows\system32\netshell.dll (0x75CF0000)
d:\windows\system32\credui.dll (0x76C00000)
d:\windows\system32\HNetCfg.dll (0x68880000)
D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)
D:\WINDOWS\System32\Wbem\wbemcore.dll (0x75450000)
D:\WINDOWS\System32\Wbem\esscli.dll (0x75310000)
D:\WINDOWS\System32\Wbem\FastProx.dll (0x75690000)
D:\WINDOWS\System32\wbem\wmiutils.dll (0x75020000)
D:\WINDOWS\System32\wbem\repdrvfs.dll (0x75200000)
D:\WINDOWS\System32\wbem\wmiprvsd.dll (0x597F0000)
D:\WINDOWS\System32\NCObjAPI.DLL (0x5F770000)
D:\WINDOWS\System32\wbem\wbemess.dll (0x75390000)
D:\WINDOWS\System32\winhttp.dll (0x76080000)
d:\windows\system32\termsrv.dll (0x752D0000)
d:\windows\system32\ICAAPI.dll (0x74F70000)
d:\windows\system32\AUTHZ.dll (0x76CC0000)
d:\windows\system32\mstlsapi.dll (0x75110000)
D:\WINDOWS\System32\REGAPI.dll (0x76BC0000)
D:\WINDOWS\System32\wbem\ncprov.dll (0x5F740000)
D:\WINDOWS\System32\catsrvut.dll (0x6FB10000)
D:\WINDOWS\System32\MfcSubs.dll (0x61990000)
D:\WINDOWS\system32\MPR.dll (0x71B20000)
D:\WINDOWS\System32\msi.dll (0x76400000)
D:\WINDOWS\System32\Cabinet.dll (0x75150000)
D:\WINDOWS\system32\urlmon.dll (0x1A400000)
D:\WINDOWS\System32\catsrv.dll (0x6FBD0000)
D:\WINDOWS\System32\upnp.dll (0x555F0000)
D:\WINDOWS\System32\SSDPAPI.dll (0x74F00000)
D:\WINDOWS\System32\RASDLG.dll (0x75550000)
d:\windows\system32\qmgr.dll (0x5DDD0000)
d:\windows\system32\SHFOLDER.dll (0x76780000)
D:\WINDOWS\System32\qmgrprxy.dll (0x5DDC0000)
D:\WINDOWS\System32\sensapi.dll (0x722B0000)
D:\WINDOWS\System32\winrnr.dll (0x76FB0000)
D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)
D:\WINDOWS\System32\actxprxy.dll (0x71D40000)
D:\WINDOWS\System32\wbem\wbemcons.dll (0x73D30000)
Because Windows 2000 does not support port-to-process mapping, the PR-INITIAL log file on a Windows 2000-based computer contains the following line instead:
Port to process mappings are not available on this system.

The PR-PORTS log file

The PR-PORTS log file contains summary data about TCP and UDP port activity on the computer. The data is listed in comma-separated values (CSV) format, as follows:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
On Windows 2000-based computers, which do not support port-to-process mapping, the Port Reporter service lists the data in the following format:
date,time,protocol,local port,local IP address,remote port,remote IP address
The following is an example of the contents of a PR-PORTS log file:
Port Reporter Version 1.0 Log File - Port usage log
Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data
Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
04/1/24,8:52:21,TCP,4873,0.0.0.0,45070,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,0.0.0.0,4225,0.0.0.0,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:41,TCP,4874,169.254.66.8,80,216.74.132.12,664,iexplore.exe,<MYDOMAIN\user>
4/1/24,21:36:2,TCP,2682,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,21:51:2,TCP,2684,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,21:51:2,TCP,2684,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:03:15,UDP,2686,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:15,UDP,2687,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:03:43,UDP,2688,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:04:9,TCP,2690,169.254.66.8,389,169.254.133.55,0,System Idle,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:36,TCP,2691,169.254.66.8,80,169.254.133.55,1260,svchost.exe
04/1/24,22:04:36,UDP,2692,127.0.0.1,*,*,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:37,TCP,2693,0.0.0.0,2160,0.0.0.0,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
04/1/24,22:05:2,UDP,2697,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,22:06:2,TCP,2698,169.254.66.8,445,169.254.133.55,4,System,
04/1/24,22:06:46,UDP,2700,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2701,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
04/1/24,22:06:47,UDP,2702,0.0.0.0,*,*,2424,Virtual PC.exe,<MYDOMAIN\user>
In the PR-PORTS log file, you may see entries that resemble the following:
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
In this case, the user context is missing. Such an entry indicates that the Port Reporter service could not determine the user account that is associated with the process. This is the expected output for the System process and the System Idle process. When you review the PR-PORTS log file for a port or a process, note the date and time stamp of any entry that you want to investigate further. You can find additional details about a PR-PORTS entry by locating its corresponding entry in the PR-PIDS log file. To do this, follow these steps:
  1. Start Notepad, and then open the PR-PIDS log file.
  2. On the Edit menu, click Find.
  3. In the Find what box, type the date and time stamp of the PR-PORTS entry that you want more information about, and then click Find Next.
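Searching PR-PIDS by hand is fine for one entry; for a full day of PR-PORTS data it helps to parse the CSV and let a script pick out the rows worth following up. The Python below is an added example, not part of the original article or the Port Reporter tool. It handles the two row shapes the article describes (10 fields on Windows XP/Server 2003, 7 on Windows 2000) plus rows that end early because no user context was written, flags rows with a missing user context that are not the System or System Idle processes, and collects the timestamps to search for in PR-PIDS. The log excerpt embedded in it is constructed from the rows shown above, not a real capture.

```python
import csv
import io
from collections import defaultdict

PORTS_FIELDS = ["date", "time", "protocol", "local_port", "local_ip",
                "remote_port", "remote_ip", "pid", "module", "user_context"]

# Constructed PR-PORTS excerpt modelled on the article's sample (not a real capture).
# Row 4 is the problematic kind: 9 fields because the user context was never written.
SAMPLE_PR_PORTS = r"""Port Reporter Version 1.0 Log File - Port usage log
Check PR-PIDS-04-01-24-8-49-30.log for corresponding process data
Log format:
date,time,protocol,local port,local IP address,remote port,remote IP address,PID,module,user context
04/1/24,8:52:21,TCP,4873,169.254.66.8,80,63.208.107.43,664,iexplore.exe,<MYDOMAIN\user>
04/1/24,8:52:22,UDP,55441,169.254.66.8,*,*,3764,msmsgs.exe,<MYDOMAIN\user>
04/1/24,22:06:2,TCP,2698,0.0.0.0,12390,0.0.0.0,4,System,
04/1/24,22:04:35,TCP,2691,0.0.0.0,18644,0.0.0.0,1260,svchost.exe
04/1/24,22:04:40,TCP,2693,169.254.66.8,80,169.254.133.55,1260,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
"""


def parse_pr_ports(text):
    """Return one dict per data row. Header lines and the 'Log format:' block are
    skipped (a data row always starts with a digit). Short rows, whether the
    7-field Windows 2000 layout or a row whose trailing user context is absent,
    are padded with empty strings so every record has the same keys."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0][:1].isdigit():
            continue
        row = row + [""] * (len(PORTS_FIELDS) - len(row))
        records.append(dict(zip(PORTS_FIELDS, row)))
    return records


def missing_user_context(records):
    """Rows with no user context that are NOT System (PID 4) or System Idle (PID 0).
    The article says an empty context is expected for those two; for anything else
    the process detail in PR-PIDS is the place to look."""
    return [r for r in records
            if r["user_context"] == "" and r["pid"] not in ("0", "4")]


def timestamps_to_check(records):
    """Sorted (date, time) stamps to search for in the matching PR-PIDS file."""
    return sorted({(r["date"], r["time"]) for r in missing_user_context(records)})


def remote_endpoints_by_module(records):
    """module name -> set of 'ip:port' it connected to over TCP.
    Listening and wildcard rows (remote 0.0.0.0 or *) are left out."""
    out = defaultdict(set)
    for r in records:
        if r["protocol"] == "TCP" and r["remote_ip"] not in ("0.0.0.0", "*"):
            out[r["module"]].add(f'{r["remote_ip"]}:{r["remote_port"]}')
    return dict(out)


if __name__ == "__main__":
    recs = parse_pr_ports(SAMPLE_PR_PORTS)
    print("rows:", len(recs))
    print("search PR-PIDS for:", timestamps_to_check(recs))
    for module, endpoints in remote_endpoints_by_module(recs).items():
        print(module, sorted(endpoints))
```

To run it on a real file, pass the contents of a PR-PORTS-*.log to parse_pr_ports; the timestamps it returns are exactly the strings to type into Notepad's Find box in step 3 above.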


PR-PIDS 日志文件

PR-PIDS 日志文件包含有关端口、进程、相关模块和运行进程所用的用户帐户的详细信息。下面是 PR-PIDS 日志文件内容的示例:
Port Reporter Version 1.0 Log FileProcess detail logSystem Date:Sat Jan 24 08:49:31 2004Local computer name:<ComputerName>======================================================Log entry below recorded at:<Date and Time>======================================================Process ID:664 (iexplore.exe)User context:MYDOMAIN\userProcess doesn't appear to be a servicePID	Port		Local IP	State		 Remote IP:Port664	TCP 4867	0.0.0.0 	LISTENING	 0.0.0.0:4225664	TCP 4873	0.0.0.0 	LISTENING	 0.0.0.0:45070664	TCP 4867	169.254.66.8  	ESTABLISHED	 169.254.44.12:80664	TCP 4873	169.254.66.8  	SYN SENT	 169.254.44.12:80664	UDP 4817  	127.0.0.1 			 *:*Port StatisticsTCP MAPPINGS: 4UDP MAPPINGS: 1TCP ports in a LISTENING state: 	2 = 50.00%TCP ports in a SYN SENT state: 		1 = 25.00%TCP ports in a ESTABLISHED state: 	1 = 25.00%Loaded modules:D:\Program Files\Internet Explorer\iexplore.exe (0x00400000)D:\WINDOWS\System32\ntdll.dll (0x77F50000)D:\WINDOWS\system32\kernel32.dll (0x77E60000)D:\WINDOWS\system32\msvcrt.dll (0x77C10000)D:\WINDOWS\system32\USER32.dll (0x77D40000)D:\WINDOWS\system32\GDI32.dll (0x77C70000)D:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)D:\WINDOWS\system32\RPCRT4.dll (0x78000000)D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)D:\WINDOWS\System32\SHDOCVW.dll (0x71700000)D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (0x71950000)D:\WINDOWS\system32\SHELL32.dll (0x773D0000)D:\WINDOWS\system32\comctl32.dll (0x77340000)D:\WINDOWS\system32\ole32.dll (0x771B0000)D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)D:\WINDOWS\System32\BROWSEUI.dll (0x75F80000)D:\WINDOWS\System32\browselc.dll (0x72430000)D:\WINDOWS\system32\appHelp.dll (0x75F40000)D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)D:\WINDOWS\system32\OLEAUT32.dll (0x77120000)D:\WINDOWS\System32\COMRes.dll (0x77050000)D:\WINDOWS\system32\VERSION.dll (0x77C00000)D:\WINDOWS\system32\WININET.dll (0x76200000)D:\WINDOWS\system32\CRYPT32.dll 
(0x762C0000)D:\WINDOWS\system32\MSASN1.dll (0x762A0000)D:\WINDOWS\System32\Secur32.dll (0x76F90000)D:\WINDOWS\System32\cscui.dll (0x76620000)D:\WINDOWS\System32\CSCDLL.dll (0x76600000)D:\WINDOWS\System32\SETUPAPI.dll (0x76670000)D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (0x10000000)D:\Program Files\Microsoft\Rights Management Add-on\mime_filter.dll (0x5F200000)D:\WINDOWS\System32\SXS.DLL (0x75E90000)D:\WINDOWS\system32\urlmon.dll (0x1A400000)D:\WINDOWS\System32\shdoclc.dll (0x00DE0000)D:\WINDOWS\System32\mlang.dll (0x74770000)D:\WINDOWS\System32\wsock32.dll (0x71AD0000)D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)D:\WINDOWS\system32\mswsock.dll (0x71A50000)D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)D:\WINDOWS\System32\RASAPI32.DLL (0x76EE0000)D:\WINDOWS\System32\rasman.dll (0x76E90000)D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)D:\WINDOWS\System32\rtutils.dll (0x76E80000)D:\WINDOWS\System32\WINMM.dll (0x76B40000)D:\WINDOWS\System32\sensapi.dll (0x722B0000)D:\WINDOWS\system32\USERENV.dll (0x75A70000)D:\WINDOWS\System32\msi.dll (0x01370000)D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)D:\WINDOWS\System32\winrnr.dll (0x76FB0000)D:\WINDOWS\system32\WLDAP32.dll (0x76F60000)D:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)D:\WINDOWS\System32\mshtml.dll (0x63580000)D:\WINDOWS\System32\IMM32.DLL (0x76390000)D:\Program Files\Microsoft Office\Office10\msohev.dll (0x32520000)D:\WINDOWS\System32\jscript.dll (0x6B700000)D:\WINDOWS\System32\dxtrans.dll (0x6BDD0000)D:\WINDOWS\System32\ATL.DLL (0x76B20000)D:\WINDOWS\System32\ddrawex.dll (0x65000000)D:\WINDOWS\System32\DDRAW.dll (0x51000000)D:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)D:\WINDOWS\System32\dxtmsft.dll (0x6BE10000)D:\WINDOWS\System32\MSLS31.DLL (0x746C0000)D:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)D:\WINDOWS\System32\wdmaud.drv (0x72D20000)D:\WINDOWS\System32\msacm32.drv 
(0x72D10000)D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)D:\WINDOWS\System32\midimap.dll (0x77BD0000)D:\WINDOWS\System32\msxml3.dll (0x72E00000)D:\WINDOWS\System32\vbscript.dll (0x73300000)D:\WINDOWS\System32\IMGUTIL.DLL (0x66880000)D:\WINDOWS\System32\pngfilt.dll (0x5E310000)D:\WINDOWS\System32\wmp.dll (0x07680000)D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)D:\WINDOWS\System32\wmploc.dll (0x08110000)D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (0x6D440000)D:\WINDOWS\System32\OLEPRO32.DLL (0x5EDD0000)D:\Program Files\Java\j2re1.4.2\bin\jpiexp32.dll (0x6D310000)D:\Program Files\Java\j2re1.4.2\bin\jpishare.dll (0x6D380000)D:\PROGRA~1\Java\J2RE14~1.2\bin\client\jvm.dll (0x04F20000)D:\PROGRA~1\Java\J2RE14~1.2\bin\hpi.dll (0x02FE0000)D:\PROGRA~1\Java\J2RE14~1.2\bin\verify.dll (0x05070000)D:\PROGRA~1\Java\J2RE14~1.2\bin\java.dll (0x05080000)D:\PROGRA~1\Java\J2RE14~1.2\bin\zip.dll (0x050A0000)D:\Program Files\Java\j2re1.4.2\bin\awt.dll (0x083E0000)D:\Program Files\Java\j2re1.4.2\bin\fontmanager.dll (0x075F0000)D:\WINDOWS\System32\D3DIM700.DLL (0x5C000000)D:\Program Files\Java\j2re1.4.2\bin\jpicom32.dll (0x6D2F0000)D:\Program Files\Java\j2re1.4.2\bin\net.dll (0x07660000)D:\WINDOWS\System32\wintrust.dll (0x76C30000)D:\WINDOWS\system32\IMAGEHLP.dll (0x76C90000)D:\WINDOWS\System32\schannel.dll (0x767F0000)D:\WINDOWS\System32\rsaenh.dll (0x0FFD0000)D:\WINDOWS\System32\dssenh.dll (0x0FFA0000)D:\WINDOWS\System32\wmvcore.dll (0x09270000)D:\WINDOWS\System32\WMASF.DLL (0x09470000)D:\WINDOWS\System32\actxprxy.dll (0x71D40000)D:\WINDOWS\System32\dispex.dll (0x6CC60000)D:\WINDOWS\System32\mshtmled.dll (0x74CB0000)D:\WINDOWS\System32\wmnetmgr.dll (0x09D90000)D:\WINDOWS\system32\msv1_0.dll (0x76D10000)D:\WINDOWS\system32\wdigest.dll (0x74380000)D:\WINDOWS\System32\winhttp.dll (0x76080000)D:\WINDOWS\System32\MPRAPI.dll (0x76D40000)D:\WINDOWS\System32\ACTIVEDS.dll (0x76E40000)D:\WINDOWS\System32\adsldpc.dll (0x76E10000)D:\WINDOWS\System32\SAMLIB.dll 
(0x71BF0000)D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)D:\WINDOWS\System32\netman.dll (0x76DE0000)D:\WINDOWS\System32\WZCSvc.DLL (0x70B50000)D:\WINDOWS\System32\WMI.dll (0x76D30000)D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)D:\WINDOWS\System32\WTSAPI32.dll (0x76F50000)D:\WINDOWS\System32\WINSTA.dll (0x76360000)D:\WINDOWS\System32\ESENT.dll (0x69710000)D:\WINDOWS\System32\hnetcfg.dll (0x68880000)D:\WINDOWS\System32\netshell.dll (0x75CF0000)D:\WINDOWS\System32\credui.dll (0x76C00000)D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)D:\WINDOWS\System32\quartz.dll (0x35500000)D:\WINDOWS\System32\msdmo.dll (0x0ADF0000)D:\WINDOWS\System32\wmadmod.dll (0x0AE00000)D:\WINDOWS\System32\devenum.dll (0x35680000)D:\WINDOWS\System32\DSOUND.DLL (0x51080000)D:\WINDOWS\System32\KsUser.dll (0x5EF80000)======================================================Log entry below recorded at:<Date and Time>======================================================Process ID:3764 (msmsgs.exe)User context:MYDOMAIN\userProcess doesn't appear to be a servicePID	Port		Local IP	State		 Remote IP:Port3764	TCP 16521	169.254.66.8 	LISTENING	 0.0.0.0:452943764	UDP 4803  	0.0.0.0 			 *:*3764	UDP 9586  	169.254.66.8 			 *:*3764	UDP 55441  	169.254.66.8 			 *:*Port StatisticsTCP MAPPINGS: 1UDP MAPPINGS: 3TCP ports in a LISTENING state: 	1 = 100.00%Loaded modules:D:\Program Files\Messenger\msmsgs.exe (0x00400000)D:\WINDOWS\System32\ntdll.dll (0x77F50000)D:\WINDOWS\system32\kernel32.dll (0x77E60000)D:\WINDOWS\system32\ADVAPI32.DLL (0x77DD0000)D:\WINDOWS\system32\RPCRT4.dll (0x78000000)D:\WINDOWS\system32\GDI32.DLL (0x77C70000)D:\WINDOWS\system32\USER32.dll (0x77D40000)D:\WINDOWS\system32\OLE32.DLL (0x771B0000)D:\WINDOWS\system32\OLEAUT32.DLL (0x77120000)D:\WINDOWS\system32\MSVCRT.DLL 
(0x77C10000)D:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.DLL (0x71950000)D:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)D:\WINDOWS\system32\SHELL32.DLL (0x773D0000)D:\WINDOWS\System32\uxtheme.dll (0x5AD70000)D:\Program Files\Messenger\MSGSLANG.DLL (0x69200000)D:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)D:\WINDOWS\System32\COMRes.dll (0x77050000)D:\WINDOWS\system32\VERSION.dll (0x77C00000)D:\WINDOWS\System32\SXS.DLL (0x75E90000)D:\WINDOWS\System32\wtsapi32.dll (0x76F50000)D:\WINDOWS\System32\WINSTA.dll (0x76360000)D:\WINDOWS\System32\es.dll (0x76B70000)D:\WINDOWS\System32\WS2_32.dll (0x71AB0000)D:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)D:\Program Files\Messenger\rtcimsp.dll (0x00F30000)D:\WINDOWS\System32\WSOCK32.dll (0x71AD0000)D:\WINDOWS\System32\rtcdll.dll (0x5D370000)D:\WINDOWS\System32\ATL.DLL (0x76B20000)D:\WINDOWS\System32\Secur32.dll (0x76F90000)D:\WINDOWS\system32\WININET.dll (0x76200000)D:\WINDOWS\system32\CRYPT32.dll (0x762C0000)D:\WINDOWS\system32\MSASN1.dll (0x762A0000)D:\WINDOWS\System32\WINMM.dll (0x76B40000)D:\WINDOWS\System32\iphlpapi.dll (0x76D60000)D:\WINDOWS\System32\DNSAPI.dll (0x76F20000)D:\WINDOWS\System32\termmgr.dll (0x5B6F0000)D:\WINDOWS\System32\rtutils.dll (0x76E80000)D:\WINDOWS\System32\quartz.dll (0x35500000)D:\WINDOWS\system32\mswsock.dll (0x71A50000)D:\WINDOWS\System32\wshtcpip.dll (0x71A90000)D:\WINDOWS\System32\dxmrtp.dll (0x6BE70000)D:\WINDOWS\System32\MSVFW32.dll (0x73BD0000)D:\WINDOWS\System32\DSOUND.dll (0x51080000)D:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)D:\WINDOWS\System32\devenum.dll (0x35680000)D:\WINDOWS\System32\setupapi.dll (0x76670000)D:\WINDOWS\System32\wdmaud.drv (0x72D20000)D:\WINDOWS\System32\msacm32.drv (0x72D10000)D:\WINDOWS\System32\MSACM32.dll (0x77BE0000)D:\WINDOWS\System32\midimap.dll (0x77BD0000)D:\WINDOWS\System32\msdmo.dll (0x01450000)D:\WINDOWS\System32\dpnhupnp.dll (0x018A0000)D:\WINDOWS\System32\rsaenh.dll 
(0x0FFD0000)D:\WINDOWS\System32\rasapi32.dll (0x76EE0000)D:\WINDOWS\System32\rasman.dll (0x76E90000)D:\WINDOWS\System32\NETAPI32.dll (0x71C20000)D:\WINDOWS\System32\TAPI32.dll (0x76EB0000)D:\WINDOWS\System32\hnetcfg.dll (0x68880000)D:\WINDOWS\System32\netshell.dll (0x75CF0000)D:\WINDOWS\System32\credui.dll (0x76C00000)D:\WINDOWS\System32\DHCPCSVC.DLL (0x76D80000)D:\WINDOWS\System32\wbem\wbemprox.dll (0x74EF0000)D:\WINDOWS\System32\wbem\wbemcomn.dll (0x75290000)D:\WINDOWS\System32\wbem\wbemsvc.dll (0x74ED0000)D:\WINDOWS\System32\wbem\fastprox.dll (0x75690000)D:\WINDOWS\System32\netcfgx.dll (0x755F0000)D:\WINDOWS\System32\CLUSAPI.dll (0x55560000)D:\WINDOWS\System32\sensapi.dll (0x722B0000)
======================================================
Log entry below recorded at:<Date and Time>
======================================================
Process ID:2424 (Virtual PC.exe)
User context:MYDOMAIN\user
Process doesn't appear to be a service
PID	Port		Local IP	State		 Remote IP:Port
2424	TCP 1262	0.0.0.0 	LISTENING	 0.0.0.0:2192
2424	TCP 1731	0.0.0.0 	LISTENING	 0.0.0.0:53467
2424	TCP 2226	0.0.0.0 	LISTENING	 0.0.0.0:45214
2424	TCP 2229	0.0.0.0 	LISTENING	 0.0.0.0:2176
2424	TCP 4724	0.0.0.0 	LISTENING	 0.0.0.0:26634
2424	TCP 4725	0.0.0.0 	LISTENING	 0.0.0.0:2172
2424	TCP 4726	0.0.0.0 	LISTENING	 0.0.0.0:39049
2424	TCP 4727	0.0.0.0 	LISTENING	 0.0.0.0:37118
2424	TCP 4728	0.0.0.0 	LISTENING	 0.0.0.0:16491
2424	TCP 4729	0.0.0.0 	LISTENING	 0.0.0.0:20734
2424	TCP 4925	0.0.0.0 	LISTENING	 0.0.0.0:2064
2424	TCP 4930	0.0.0.0 	LISTENING	 0.0.0.0:8249
2424	TCP 4931	0.0.0.0 	LISTENING	 0.0.0.0:61639
2424	TCP 4932	0.0.0.0 	LISTENING	 0.0.0.0:22535
2424	TCP 2189	127.0.0.1 	LISTENING	 0.0.0.0:45095
2424	TCP 1262	169.254.66.8 	ESTABLISHED	 169.254.5.214:1745
2424	TCP 1731	169.254.66.8 	ESTABLISHED	 169.254.4.228:1745
2424	TCP 2226	169.254.66.8 	ESTABLISHED	 157.56.120.30:1745
2424	TCP 2229	169.254.66.8 	ESTABLISHED	 157.56.121.78:1745
2424	TCP 4724	169.254.66.8 	ESTABLISHED	 169.254.4.38:1745
2424	TCP 4725	169.254.66.8 	ESTABLISHED	 169.254.5.105:1745
2424	TCP 4726	169.254.66.8 	ESTABLISHED	 169.254.5.103:1745
2424	TCP 4727	169.254.66.8 	ESTABLISHED	 169.254.4.240:1745
2424	TCP 4728	169.254.66.8 	ESTABLISHED	 169.254.7.23:1745
2424	TCP 4729	169.254.66.8 	ESTABLISHED	 169.254.4.241:1745
2424	TCP 4925	169.254.66.8 	ESTABLISHED	 169.254.121.89:1745
2424	TCP 4930	169.254.66.8 	ESTABLISHED	 169.254.113.92:1745
2424	TCP 4931	169.254.66.8 	ESTABLISHED	 169.254.113.87:1745
2424	TCP 4932	169.254.66.8 	ESTABLISHED	 169.254.121.93:1745
2424	UDP 2686  	0.0.0.0 			 *:*
2424	UDP 2687  	0.0.0.0 			 *:*
Port Statistics
TCP MAPPINGS: 29
UDP MAPPINGS: 2
TCP ports in a LISTENING state: 	15 = 51.72%
TCP ports in a ESTABLISHED state: 	14 = 48.28%
Loaded modules:
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe (0x00400000)C:\WINDOWS\System32\ntdll.dll (0x77F50000)C:\WINDOWS\system32\kernel32.dll (0x77E60000)C:\WINDOWS\System32\DDRAW.dll (0x51000000)C:\WINDOWS\system32\msvcrt.dll (0x77C10000)C:\WINDOWS\system32\USER32.dll (0x77D40000)C:\WINDOWS\system32\GDI32.dll (0x77C70000)C:\WINDOWS\system32\ADVAPI32.dll (0x77DD0000)C:\WINDOWS\system32\RPCRT4.dll (0x78000000)C:\WINDOWS\System32\DCIMAN32.dll (0x73BC0000)C:\WINDOWS\System32\DINPUT.dll (0x72280000)C:\WINDOWS\System32\WINMM.dll (0x76B40000)C:\WINDOWS\System32\iphlpapi.dll (0x76D60000)C:\WINDOWS\System32\WS2_32.dll (0x71AB0000)C:\WINDOWS\System32\WS2HELP.dll (0x71AA0000)C:\WINDOWS\System32\PSAPI.DLL (0x76BF0000)C:\WINDOWS\system32\comdlg32.dll (0x763B0000)C:\WINDOWS\system32\SHLWAPI.dll (0x70A70000)C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll (0x71950000)C:\WINDOWS\system32\SHELL32.dll (0x773D0000)C:\WINDOWS\System32\WINSPOOL.DRV (0x73000000)C:\WINDOWS\system32\ole32.dll (0x771B0000)C:\WINDOWS\system32\OLEAUT32.dll (0x77120000)C:\WINDOWS\system32\VERSION.dll (0x77C00000)C:\WINDOWS\System32\OLEACC.dll (0x74C80000)C:\WINDOWS\System32\MSVCP60.dll (0x55900000)C:\WINDOWS\System32\uxtheme.dll 
(0x5AD70000)C:\WINDOWS\System32\MSCTF.dll (0x74720000)C:\WINDOWS\System32\CLBCATQ.DLL (0x76FD0000)C:\WINDOWS\System32\COMRes.dll (0x77050000)C:\WINDOWS\System32\msxml4.dll (0x69B10000)C:\WINDOWS\System32\LINKINFO.dll (0x76980000)C:\WINDOWS\System32\ntshrui.dll (0x76990000)C:\WINDOWS\System32\ATL.DLL (0x76B20000)C:\WINDOWS\System32\NETAPI32.dll (0x71C20000)C:\WINDOWS\system32\USERENV.dll (0x75A70000)C:\Program Files\Microsoft Firewall Client\wspwsp.dll (0x55600000)C:\WINDOWS\System32\mswsock.dll (0x71A50000)C:\WINDOWS\System32\DNSAPI.dll (0x76F20000)C:\WINDOWS\System32\winrnr.dll (0x76FB0000)C:\WINDOWS\system32\WLDAP32.dll (0x76F60000)C:\WINDOWS\System32\wshtcpip.dll (0x71A90000)C:\WINDOWS\System32\rasadhlp.dll (0x76FC0000)C:\WINDOWS\System32\wdmaud.drv (0x72D20000)C:\WINDOWS\System32\msacm32.drv (0x72D10000)C:\WINDOWS\System32\MSACM32.dll (0x77BE0000)C:\WINDOWS\System32\midimap.dll (0x77BD0000)C:\WINDOWS\System32\HID.DLL (0x688F0000)C:\WINDOWS\System32\SETUPAPI.DLL (0x76670000)C:\Documents and Settings\user\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll (0x10000000)C:\WINDOWS\System32\mslbui.dll (0x605D0000)C:\WINDOWS\System32\Secur32.dll (0x76F90000)C:\WINDOWS\System32\security.dll (0x71F80000)C:\WINDOWS\system32\msv1_0.dll (0x76D10000)C:\WINDOWS\system32\appHelp.dll (0x75F40000)C:\WINDOWS\System32\cscui.dll (0x76620000)C:\WINDOWS\System32\CSCDLL.dll (0x76600000)C:\WINDOWS\system32\MPR.dll (0x71B20000)C:\WINDOWS\System32\ntlanman.dll (0x71C10000)C:\WINDOWS\System32\NETUI0.dll (0x71CD0000)C:\WINDOWS\System32\NETUI1.dll (0x71C90000)C:\WINDOWS\System32\NETRAP.dll (0x71C80000)C:\WINDOWS\System32\SAMLIB.dll (0x71BF0000)C:\WINDOWS\System32\drprov.dll (0x75F60000)C:\WINDOWS\System32\davclnt.dll (0x75F70000)
The Port Reporter service tracks changes to ports and reports those changes in the log files. Such a change can be an increase or decrease in the number of connections on a port, or a change in the connection state of an existing connection. The Port Reporter service reports when a new connection to a TCP port is established and when an existing connection is closed. It also reports when any TCP connection on a port changes state. TCP port states include the following:
  • CLOSE_WAIT
  • CLOSED
  • ESTABLISHED
  • FIN_WAIT_1
  • LAST_ACK
  • LISTEN
  • SYN_RECEIVED
  • SYN_SEND
  • TIMED_WAIT
An example of a state change is a connection moving from the ESTABLISHED state to the CLOSE_WAIT state. Occasionally, the Port Reporter service may report that the System Idle process (PID 0) is using several TCP ports. This happens when a program installed on the computer connects to a TCP port and then quickly disconnects from it. Although the program is no longer running, the TCP connection between the program and the port may remain in the "Timed Wait" state. In that case, the Port Reporter service can detect that the port is in use but cannot identify the program that used it, because that program is no longer running. Even though the process that used the port has exited, the port can remain in the "Timed Wait" state for several minutes.
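The PR-PIDS entries shown above lend themselves to mechanical review. The following Python script is an added example written for this article; it is not part of the Port Reporter tool or of the Port Reporter Parser. It parses entries in the PR-PIDS layout (the "Log entry below recorded at" header, Process ID, User context, the port table and the "Loaded modules" list), recomputes the Port Statistics block, reports TCP state transitions between successive entries for the same process (such as ESTABLISHED to CLOSE_WAIT), and lists TCP ports the log attributes to PID 0, which the text above explains as connections left in the Timed Wait state by a program that has already exited. The sample log, including its timestamps, PIDs, ports and addresses, is constructed for the example; the `TIMED_WAIT` state name follows the list above.

```python
import re
from collections import Counter, namedtuple
from dataclasses import dataclass, field

# Constructed sample in the PR-PIDS layout shown above; the timestamps, PIDs,
# ports and addresses are made up for this example.
SAMPLE_LOG = (
    "======================================================\n"
    "Log entry below recorded at:01/12/2005 10:00:00\n"
    "======================================================\n"
    "Process ID:3764 (msmsgs.exe)\n"
    "User context:MYDOMAIN\\user\n"
    "Process doesn't appear to be a service\n"
    "PID\tPort\t\tLocal IP\tState\t\t Remote IP:Port\n"
    "3764\tTCP 16521\t169.254.66.8 \tLISTENING\t 0.0.0.0:45294\n"
    "3764\tTCP 16522\t169.254.66.8 \tESTABLISHED\t 169.254.5.214:1745\n"
    "3764\tUDP 4803  \t0.0.0.0 \t\t\t *:*\n"
    "Loaded modules:\n"
    "D:\\Program Files\\Messenger\\msmsgs.exe (0x00400000)\n"
    "D:\\WINDOWS\\System32\\ntdll.dll (0x77F50000)\n"
    "======================================================\n"
    "Log entry below recorded at:01/12/2005 10:05:00\n"
    "======================================================\n"
    "Process ID:3764 (msmsgs.exe)\n"
    "PID\tPort\t\tLocal IP\tState\t\t Remote IP:Port\n"
    "3764\tTCP 16521\t169.254.66.8 \tLISTENING\t 0.0.0.0:45294\n"
    "3764\tTCP 16522\t169.254.66.8 \tCLOSE_WAIT\t 169.254.5.214:1745\n"
    "3764\tUDP 4803  \t0.0.0.0 \t\t\t *:*\n"
    "======================================================\n"
    "Log entry below recorded at:01/12/2005 10:06:00\n"
    "======================================================\n"
    "Process ID:0 (System Idle Process)\n"
    "PID\tPort\t\tLocal IP\tState\t\t Remote IP:Port\n"
    "0\tTCP 1262\t169.254.66.8 \tTIMED_WAIT\t 169.254.5.214:1745\n"
)

ENTRY_HEADER = "Log entry below recorded at:"
Mapping = namedtuple("Mapping", "proto port local_ip state remote")  # state is "" for UDP

@dataclass
class Entry:
    recorded_at: str
    pid: int = -1
    image: str = ""
    user: str = ""
    not_a_service: bool = False  # the log prints an explicit line only in that case
    mappings: list = field(default_factory=list)
    modules: list = field(default_factory=list)

def parse_pr_pids(text):
    """Split a PR-PIDS log into entries; non-row lines such as the tool's own
    'Port Statistics' block are ignored, module lines are kept verbatim."""
    entries, cur, in_modules = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(ENTRY_HEADER):
            cur, in_modules = Entry(line[len(ENTRY_HEADER):].strip()), False
            entries.append(cur)
        elif cur is None or not line or line.startswith("="):
            continue
        elif in_modules:
            cur.modules.append(line)
        elif m := re.match(r"Process ID:(\d+) \((.*)\)$", line):
            cur.pid, cur.image = int(m.group(1)), m.group(2)
        elif line.startswith("User context:"):
            cur.user = line.split(":", 1)[1]
        elif line == "Process doesn't appear to be a service":
            cur.not_a_service = True
        elif line == "Loaded modules:":
            in_modules = True
        else:  # table rows: PID, proto, port, local IP, [state], remote IP:port
            tok = line.split()
            if len(tok) == 6 and tok[0].isdigit() and tok[1] == "TCP":
                cur.mappings.append(Mapping("TCP", int(tok[2]), tok[3], tok[4], tok[5]))
            elif len(tok) == 5 and tok[0].isdigit() and tok[1] == "UDP":
                cur.mappings.append(Mapping("UDP", int(tok[2]), tok[3], "", tok[4]))
    return entries

def port_statistics(entry):
    """Recompute the 'Port Statistics' block: mapping counts and TCP state percentages."""
    tcp = [m for m in entry.mappings if m.proto == "TCP"]
    udp = [m for m in entry.mappings if m.proto == "UDP"]
    pct = {s: round(100.0 * n / len(tcp), 2) for s, n in Counter(m.state for m in tcp).items()}
    return {"tcp_mappings": len(tcp), "udp_mappings": len(udp), "tcp_state_pct": pct}

def state_changes(entries):
    """TCP state transitions (e.g. ESTABLISHED -> CLOSE_WAIT) for the same PID, port and
    peer across successive entries: the kind of change the service reports on."""
    last, changes = {}, []
    for e in entries:
        for m in e.mappings:
            if m.proto != "TCP":
                continue
            key = (e.pid, m.port, m.local_ip, m.remote)
            if key in last and last[key] != m.state:
                changes.append((e.pid, m.port, last[key], m.state, e.recorded_at))
            last[key] = m.state
    return changes

def idle_process_ports(entries):
    """TCP ports the log attributes to PID 0: per the article these are usually sockets
    left in the Timed Wait state by a program that has already exited, not a real listener."""
    return [(m.port, m.state) for e in entries if e.pid == 0
            for m in e.mappings if m.proto == "TCP"]

if __name__ == "__main__":
    ents = parse_pr_pids(SAMPLE_LOG)
    print(port_statistics(ents[0]), state_changes(ents), idle_process_ports(ents))
```

Rows are split on whitespace rather than on the tab layout, because the tool pads the UDP rows (which have no State column) differently from the TCP rows; the statistics lines and the column header never start with a numeric PID, so the row filter drops them without special cases.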

The Port Reporter service also creates a log entry when a program installed on the computer starts to use a new UDP port. For example, if a program binds to UDP port 69, the Port Reporter service records this in the PR-PORTS and PR-PIDS log files. The Port Reporter service does not log the UDP datagrams sent to a UDP port; it only logs that the UDP port has been bound and is accepting datagrams. Microsoft recommends that you check the System event log and the Application event log for events recorded by the Port Reporter service. The Port Reporter service logs an event when the service starts, when it creates a log file, when it stops, and when it encounters an error. The event source is recorded as "PortReporter". The event IDs range from 100 through 112.

Because Windows 2000 does not support port-to-process mapping, the PR-PIDS log file on that system contains the following line:
Port to process mappings are not available on this system.


More information
To view a webcast about Port Reporter, click the following article number to view the article in the Microsoft Knowledge Base:
840832 Support WebCast: Port Reporter
References
PortQry version 2.0 is a related tool. It lets you track activity on a single port or on all the ports that a specified process uses. For more information about PortQry version 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
832919 New features and functionality in PortQry version 2.0
Important: The PortQueryUI tool provides a graphical user interface and is available for download. PortQueryUI includes several features that make PortQry easier to use. To obtain this tool, visit the following Microsoft Web site:

Important: The Port Reporter Parser tool is a log parser for Port Reporter log files and is now available for download. Port Reporter Parser includes many advanced features that help you analyze Port Reporter log files. To obtain the Port Reporter Parser tool, visit the following Microsoft Web site:
security ports tcp/ip logging TIME_WAIT PR-Parser, Port Reporter Parser, Incident Response, IR, hacking, malware
Properties

Article ID: 837243 - Last Review: 02/17/2005 04:04:00 - Revision: 6.1

Microsoft Windows Server 2003 Enterprise Edition, Microsoft Windows Server 2003 Standard Edition, Microsoft Windows XP Professional Edition, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server

  • kbhowtomaster KB837243