The Microsoft Port Reporter tool logs TCP and UDP ports as they are opened and closed. This produces a log that can be used to see what has occurred on a system over time, which is particularly useful for reconstructing malware activity and for determining whether a host has been compromised.
Both Windows Server 2003 and Windows XP systems support the Port Reporter service. It can be used to record the following information:
- The ports that are used
- The processes that use the port
- Whether a process is a service
- The modules that a process loaded
- The user accounts that run a process
Port Reporter will (if available) create its log files in the folder:
- The PR-INITIAL log file holds information collected covering the ports, processes, and modules that run on the host when the Port Reporter service is initiated.
- The PR-PORTS log holds information concerning any TCP and UDP port activity on the system in CSV format. It holds the following fields: date, time, protocol, local port, local IP address, remote port, remote IP address, PID, module, user context (the layout differs slightly on Windows 2000).
- The PR-PIDS log holds detailed data covering the ports, processes, related modules, and the user account that each process is running as.
The user context that each process is running under is also logged.
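The PR-PORTS field layout described above is simple enough to parse directly. The following added example (not part of the original post or of the Port Reporter tool) reads PR-PORTS CSV lines and groups the port activity per PID, module and user context; the log lines are constructed for illustration, and the convention that a remote port of 0 means a bound socket with no peer is an assumption of this example.

```python
"""Parse Port Reporter PR-PORTS CSV lines and summarise port activity per process."""
import csv
from collections import defaultdict
from io import StringIO

# Field order as described for the PR-PORTS log (Windows XP / Server 2003 layout).
PR_PORTS_FIELDS = ["date", "time", "protocol", "local_port", "local_ip",
                   "remote_port", "remote_ip", "pid", "module", "user"]

# Constructed sample lines in that layout; not data from a real host.
SAMPLE_LOG = """\
05/01/2007,10:01:02,TCP,445,0.0.0.0,0,0.0.0.0,4,System,NT AUTHORITY\\SYSTEM
05/01/2007,10:01:02,UDP,137,192.0.2.10,0,0.0.0.0,4,System,NT AUTHORITY\\SYSTEM
05/01/2007,10:05:30,TCP,1045,192.0.2.10,80,198.51.100.5,1320,iexplore.exe,HOST\\alice
05/01/2007,10:07:11,TCP,4444,0.0.0.0,0,0.0.0.0,2216,tool.exe,HOST\\alice
05/01/2007,10:07:15,TCP,1046,192.0.2.10,443,203.0.113.9,2216,tool.exe,HOST\\alice
"""


def parse_pr_ports(text):
    """Return one dict per well-formed PR-PORTS record, with port and PID fields as ints."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(PR_PORTS_FIELDS):
            continue  # skip truncated or malformed lines rather than guess at them
        rec = dict(zip(PR_PORTS_FIELDS, row))
        for key in ("local_port", "remote_port", "pid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarise_by_process(records):
    """Group activity by (pid, module, user): local ports used and remote endpoints contacted."""
    summary = defaultdict(lambda: {"local_ports": set(), "remote": set()})
    for r in records:
        key = (r["pid"], r["module"], r["user"])
        summary[key]["local_ports"].add((r["protocol"], r["local_port"]))
        if r["remote_port"] != 0:  # assumption: remote port 0 means no peer (bound socket)
            summary[key]["remote"].add((r["remote_ip"], r["remote_port"]))
    return dict(summary)


def bound_ports_by_user(records):
    """Map each user context to the (protocol, port) pairs its processes bound without a peer."""
    result = defaultdict(set)
    for r in records:
        if r["remote_port"] == 0:
            result[r["user"]].add((r["protocol"], r["local_port"]))
    return dict(result)
```

Feeding the PR-PORTS log through `summarise_by_process` gives a per-process timeline that can be checked against the PR-PIDS and PR-INITIAL logs when reviewing a suspect host.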
This is a great free tool from Microsoft.