Processes - numbers - How do I?

Discussion in 'Port Explorer' started by Tony H, Jan 7, 2003.

Thread Status:
Not open for further replies.
  1. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
    Hi all,

    Well now, this is very nice :D.

    I am learning my Port Explorer and of course, the great stimulus is when you find something you're a bit concerned about.

    I have read the (bits - to be honest) manual and looked over the posts and discovered about the asterisk and the Netstat, which I looked at in my WinXP command prompt.

    Nowhere can I discover What the process number 2028 is associated with. The right click is grayed out for Kill Socket and kill process is not permitted.

    What concerns me is that the URL it seeks to link to is one that there is no good reason for, that I can think of. Also the port is one for Timbuktu server 3 (that may be coincidental of course).

    Any advice welcome, but I would like to know if there is any way that I can identify what is originating this and find out what process ID 2028 is.

    Thanks in advance.

    Tony H
     
  2. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    I must assume you are saying PE does not list a name for the process. If so, that is indeed a strange thing on XP -- it should list a name for *every* process, AFAIK. If not, I would be concerned since it is apparently showing an end point outside your machine. I would suggest getting another tool to see what it says about the situation. A good, free one that comes to mind is Process Explorer from Sysinternals. Pick up TCPView while you are there to see what it has to say. If one of those is able to ID the process, please post your results here so Jason from DiamondCS can investigate.

    http://www.sysinternals.com/

    Phil
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Nah it seems on Windows XP, as I discovered last night on my home machine, some sockets stay around even when the process is dead, but WinXP still says that process owns them. If you can go to a command prompt and type "netstat -ano" without the quotes, you will find those sockets with this ProcessID which isn't "active" or alive.

    So it seems Windows XP doesn't do its cleaning as well as it should, my Windows XP is on Service Pack1. The program which had these sockets with no name? Well it was Kazaa Lite... There is nothing you can do about it and every other netstat utility if it can read the undocumented XP stuff, will show the same thing. Odd but something we have to live with if on XP for the time being.

    *update :-

    The sockets actually got cleaned up when my internet connection disconnected, so Windows XP cleaned them up... eventually :cool:
    -Jason-
     
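    Jason's `netstat -ano` advice, and Tony's later question about how to tell what a process ID belongs to, come down to one check: take the PID column that XP's netstat prints and look it up against the list of processes that are actually running. Below is an added example that does that cross-reference; it is not code from the original thread or from Port Explorer. It parses `netstat -ano` and `tasklist /fo csv` output (both are real Windows XP commands; the sample output embedded here is constructed, including the dead-process PID 2028 taken from Tony's post, the remote address 203.0.113.10 and port 5555). A socket whose PID is absent from the task list is exactly the "orphaned" case Jason describes: the process has exited but XP still attributes the socket to it.

```python
"""Cross-reference `netstat -ano` sockets with live PIDs to flag orphaned sockets.

Added example (not from the original thread). The sample command output below
is constructed; only the PID 2028 is taken from the thread.
"""
from __future__ import annotations

import csv
import platform
import subprocess
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output on Windows XP. Note that UDP
# rows have no State column, so the PID is always the *last* field.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.5:1243       203.0.113.10:5555      CLOSE_WAIT      2028
  TCP    192.168.1.5:1250       203.0.113.10:5555      ESTABLISHED     2028
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output. PID 2028 is deliberately
# missing: the program that owned those sockets has already exited.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","904","Console","0","3,456 K"
"""


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str  # empty string for UDP, which netstat prints without a state
    pid: int


def parse_netstat_ano(text: str) -> list[Socket]:
    """Turn `netstat -ano` text into Socket records, skipping headers."""
    sockets: list[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections", or column header
        if not fields[-1].isdigit():
            continue  # defensive: PID column must be numeric
        state = fields[3] if len(fields) == 5 else ""
        sockets.append(Socket(fields[0], fields[1], fields[2], state, int(fields[-1])))
    return sockets


def live_pids_from_tasklist(text: str) -> dict[int, str]:
    """Parse `tasklist /fo csv` into {pid: image name}; the first row is the header."""
    rows = list(csv.reader(text.splitlines()))
    return {int(row[1]): row[0] for row in rows[1:] if len(row) >= 2 and row[1].isdigit()}


def find_orphans(netstat_text: str, tasklist_text: str) -> list[Socket]:
    """Sockets whose owning PID is not in the process list: the XP leftover case."""
    live = live_pids_from_tasklist(tasklist_text)
    return [s for s in parse_netstat_ano(netstat_text) if s.pid not in live]


def describe(netstat_text: str, tasklist_text: str) -> list[str]:
    """One human-readable line per socket, naming the owner or flagging it as orphaned."""
    live = live_pids_from_tasklist(tasklist_text)
    out = []
    for s in parse_netstat_ano(netstat_text):
        owner = live.get(s.pid, "<no live process: orphaned socket>")
        out.append(f"{s.proto:<4} {s.local:<22} -> {s.remote:<22} {s.state:<12} pid={s.pid} {owner}")
    return out


def capture_live_output() -> tuple[str, str]:
    """Run the real commands on Windows; elsewhere fall back to the constructed samples."""
    if platform.system() != "Windows":
        return SAMPLE_NETSTAT, SAMPLE_TASKLIST
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tasks = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    return netstat, tasks


if __name__ == "__main__":
    ns, tl = capture_live_output()
    for line in describe(ns, tl):
        print(line)
```

One caveat a practitioner should keep in mind: a PID can be reused once the original process is gone, so a socket attributed to a PID that *is* in the task list is not guaranteed to belong to the program now running under that number. That is why Jason's point later in the thread matters: a monitor such as Port Explorer that was already running when the process was alive has the name cached, whereas a one-shot `netstat -ano` after the fact cannot recover it.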
  4. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Humm -- very interesting. Thanks for the info, Jason! In fact, that behaviour has been around in one form or another since W95a. I was not aware XP has the same problem. In 9x if I remember correctly, it was the apps fault for not "cleaning up" properly when closing. The early versions of Netscape were notorious for leaving sockets open and the *only* way you could close them was boot.

    Phil
     
  5. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yeah Phil, and as well as Netscape being poorly cleaned up by their programmers, Windows 9x was very poor at handling apps which didn't clean up, which compounded the problem.

    With Win2k/XP becoming so prevalent we will probably see a rise in badly cleaned up apps, well I have noticed it anyhow. Most software companies release the patches to fix them ;) , but you think why don't they just code it cleanly in the first place?

    -Jason-
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Hmm, job security? Or was that a rhetorical question? ;)
     
  7. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Job security? :D
     
  8. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Dang! You beat me to the draw! :)

    Phil
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    It's my new avatar, no unnecessary bits slowing me down. ;)
     
  10. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
    Hi Each,

    Thanks for the replies. Always pleased to provide employment opportunities.

    Jason - You're right about Kazaa - I have been playing with it the last few weeks and my PC is mostly left on for SETI@home with it running as well (hey - I'm a 'Deity' :rolleyes:)

    So I rebooted and the entry on PE is gone.

    Back to the manual I think. A black colour entry means that the process is closing?

    But how did you know it was Kazaa? PE gives the name of the associated process (tho' not in this case- just an asterisk) but is there another way to discover what the process id number is associated with?

    I tried to send an edited scrnprnt of it but it didn't work.

    btw - happy new year.

    Tony
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    If you tried to use the "Attach:" line in the posting window, but your image did not appear to come up with your post, there are a couple tricks to this. First, images can't be seen when you [Preview] a post. Second, once you preview, the attach line is blanked out again. You have to enter the attachment last thing, right before hitting the [Post] button. See this FAQ for this and other info on images:

    Screen Shots and Image Posting
    http://www.wilderssecurity.com/showthread.php?t=5513

    Hope this helps,
    LowWaterMark
     
  12. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Tony,
    I only knew it was Kazaa because it was the only program I had closed recently that would have had sockets like it did. They were like "*.adsl.wa*" etc. and I knew the only program which does that is usually Kazaa. When you say black sockets what do you mean? You mean there is a "black background bar" for that socket? Or just black text? On the normal colours a dying socket will have a light red background, and on creation sockets will have a light green background.
    -Jason-
     
  13. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
    Jason :)
    Thanks for the fast reply.

    It was black text. I figured that it was not completing as there were hyphens. Let me try to post the image again.

    Tony
     

  14. ChazJC

    ChazJC Registered Member

    Joined:
    Dec 27, 2002
    Posts:
    2
    :D hey I just found out about this prog from joining the Wilders and reading these forums and sure glad I did!!! I just downloaded your trial and wow, it's really cool :D I tried a few others a while back when I was wanting to learn more about my security, but they were pretty tacky or buggy.

    This prog is great, real professional feel to it and easy to understand. I am surprised, I did not realise my Kerio PF actually made established connections too. I've got ZAPro running too but it's not in listening or established state!

    This is the shortest trial I have run, I am off to get the real thing right now. I don't even know how much £££ it will be, but it will be worth it.

    brill :D thanks!!!!
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi ChazJC,
    Welcome! Nice posting too.
    Once running there, don't forget to have a look at the ActionPack too. PE .. I've been in the beta testers team with lots of interest and pleasure -- can't imagine my system without it on the internet. It's such a nice thing, those icons I'm familiar with, and since Jason promised also the next WG generation will have an icon it's really going to be even nicer!

    I seldom or never see the blue system sockets, forgot they might be there, must be my Win98SE version I guess.
     
  16. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Tony, black text just means a normal socket :) . It's unfortunate that Windows XP doesn't clean up properly, I am not sure whether to just leave it as a blank filename or maybe add "no filename" or something along those lines. I've only noticed this on Windows XP SP1 too, at the moment, odd. I think I will update the help file with this information.
    -Jason-
     
  17. JV

    JV Guest

    Hello,
    I am not sure I am in the right place but I need help and from reading this forum, you all sound like you really know what you are talking about. If I need to go somewhere else, please direct me.
    My problem is I have been told that my system has major trojans infections. I was also told that the only way to fix the problem was to copy my important files and folders and then completely delete the hard drive and reinstall WinXP.
    I am just not buying that. #1, I don't think because I am showing open ports that I have a major problem. When I run Anti-Trojan it says I am clean. When I run The Cleaner, it says no Trojans found. When I do port scans from Sygate, I am in Stealth mode so how have I gotten major infections? I was using Norton Firewall, then Sygate and now I am using ZoneAlarm Pro which I really prefer. I have to tell you that I am a novice and reformatting my hard drive is way over my head. I really need another way to go.

    Thank you very much. :)
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well you should really see the TDS3 forum for this, I'm sure someone will move it there ;) .

    Without blowing a horn, TDS-3 is widely accepted as the best trojan detection program. It picks up a lot more trojans than any other product and if you haven't scanned your system with it then you may have a trojan. It depends what trojan you may or may not have on your system as to what you should do. Scan with TDS-3, ask some questions on the TDS-3 forum and I am sure you will solve your problems.

    TDS-3 - http://tds.diamondcs.com.au

    The TDS-3 forum is on this same website (Wilderssecurity.com)

    -Jason-
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for telling about the move of the posting. Wondering who told about the major trojan infection.
    People might get shocked when seeing a netstat -an with all those lines and ports, if not knowing the meaning.
    I have the habit of looking frequently when visiting some webmailbox and killing all such processes; I really should be serious in using the hosts file.
    Think the same panic about all those lines in the PE console can take place if not knowing about the meaning, but we have a fine helpfile with that. Such people should start at the "established" tab and "remote" and maybe the default install setting should be to not display the netstat sockets --- a novice / intermediary / advanced user setting?
    And the panic button brings the comforting explanation in the helpfile anyway.
     
  21. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
    Jason,

    Thanks for the info. I will leave it with you. :D

    I shall not be concerned unless it reappears again.

    I thought that I might track down the process via the process id number. If it was 'decaying', then I guess it was 'live' at some point in PE and I missed it.

    Regards - Tony
     
  22. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yep, I am pretty sure though that if you had Port Explorer open all the time and this happened it would tell you that Kazaa Lite in this instance owned those sockets, because it had already worked out Kazaa Lite owned them before it closed down, if you know what I mean.

    The latest version of Port Explorer's help has a small section about this, you might want to read it. It's in "Troubleshooting -> Operating Specific Notes"

    -Jason-
     