Thursday, 28 August 2008

The "Port Reporter" tool by Microsoft.

The Microsoft Port Reporter tool logs TCP and UDP ports as they are opened and closed. This produces a log that may be used to see what has occurred on a system over time. This can be particularly useful in reconstructing malware actions over time and even in determining whether a host has been compromised.

Both Windows Server 2003 and Windows XP systems support the Port Reporter service. It can be used to record the following information:

  • The ports that are used
  • The processes that use the port
  • Whether a process is a service
  • The modules that a process loaded
  • The user accounts that run a process

Port Reporter will (if available) create its log files in the folder:
%systemroot%\System32\LogFiles\PortReporter

The service creates several logs - these include the following:

  • The PR-INITIAL log file holds information collected covering the ports, processes, and modules that run on the host when the Port Reporter service is initiated.
  • The PR-PORTS log holds information concerning any TCP and UDP port activity on the system in a CSV format. It holds the following fields - date, time, protocol, local port, local IP address, remote port, remote IP address, PID, module, user context (this is slightly different on Windows 2000).
  • The PR-PIDS log holds detailed data that covers the ports, processes, related modules, and the user account that the process is running as.

The user context that each process is running under is also logged.
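As an added example (not part of the original post or of the Port Reporter tool), the following Python script parses PR-PORTS lines in the field order described above, summarises port activity per process and user, and flags processes whose module path lies outside a trusted set of folders. The sample log lines and the trusted-folder prefixes are constructed assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Field order as described for the PR-PORTS log on Windows XP / Server 2003.
FIELDS = ["date", "time", "protocol", "local_port", "local_ip",
          "remote_port", "remote_ip", "pid", "module", "user"]

# Constructed sample lines in that layout (not taken from a real PR-PORTS log).
SAMPLE_LOG = "\n".join([
    r"08/28/08,09:00:01,TCP,445,192.168.1.10,0,0.0.0.0,4,System,NT AUTHORITY\SYSTEM",
    r"08/28/08,09:00:01,UDP,137,192.168.1.10,0,0.0.0.0,4,System,NT AUTHORITY\SYSTEM",
    r"08/28/08,09:02:15,TCP,3456,192.168.1.10,80,203.0.113.5,1204,C:\Program Files\Internet Explorer\iexplore.exe,HOST\alice",
    r"08/28/08,09:05:30,TCP,4444,192.168.1.10,0,0.0.0.0,2876,C:\Documents and Settings\alice\svchost.exe,HOST\alice",
    r"08/28/08,09:05:31,TCP,4444,192.168.1.10,31337,198.51.100.7,2876,C:\Documents and Settings\alice\svchost.exe,HOST\alice",
])

# Assumed trusted locations for binaries that legitimately open ports.
TRUSTED_PREFIXES = ("C:\\WINDOWS\\", "C:\\Program Files\\")


def parse_pr_ports(text):
    """Parse PR-PORTS CSV text into a list of dicts keyed by FIELDS."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip blank lines or any header text
        rec = dict(zip(FIELDS, row))
        for key in ("local_port", "remote_port", "pid"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def summarize_by_process(rows):
    """Map (pid, module, user) -> sorted list of (protocol, local port) seen."""
    summary = defaultdict(set)
    for r in rows:
        summary[(r["pid"], r["module"], r["user"])].add((r["protocol"], r["local_port"]))
    return {key: sorted(ports) for key, ports in summary.items()}


def untrusted_listeners(rows, trusted=TRUSTED_PREFIXES):
    """Return {(pid, module)} whose module path is outside the trusted folders.

    'System' is the kernel pseudo-module and is not a file path, so it is skipped.
    A well-known binary name running from a user profile folder is worth a look."""
    flagged = set()
    for r in rows:
        mod = r["module"]
        if mod == "System":
            continue
        if not any(mod.lower().startswith(p.lower()) for p in trusted):
            flagged.add((r["pid"], mod))
    return flagged
```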

This is a great free tool from Microsoft.
