Wednesday, May 5, 2010

Which processes are communicating on Vista? Part II

This is a faster method of telling which processes are communicating. It feeds netstat output to tasklist:

@for /f "tokens=1-5" %a in ('@netstat -nto ^| findstr /V Active ^| findstr /V Proto') do @tasklist /FO CSV /V /FI "PID eq %e" /NH

If put in a batch file, with the for variables properly escaped (%%a and %%e instead of %a and %e):

@for /f "tokens=1-5" %%a in ('@netstat -nto ^| findstr /V Active ^| findstr /V Proto') do @tasklist /FO CSV /V /FI "PID eq %%e" /NH

and then run as below, it gives you process information on Established TCP connections. Tested on Vista:

@ntob_ts.cmd | sort /+2
"chrome.exe","3192","Console","1","77,012 K","Running","RMFVista\Admin","0:02:54","Daily Alerts - Google Analytics - Google Chrome"
"chrome.exe","3192","Console","1","77,012 K","Running","RMFVista\Admin","0:02:54","Daily Alerts - Google Analytics - Google Chrome"
"opera.exe","4092","Console","1","346,284 K","Running","RMFVista\Admin","0:09:03","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"
"opera.exe","4092","Console","1","346,328 K","Running","RMFVista\Admin","0:09:03","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"



The batch file below also prints the netstat foreign endpoint for each connection, but it seems to randomly attach an IP address to the System Idle Process (PID "0"):

@echo off
rem tokens 1-5 of each netstat line: %%a=Proto %%b=Local %%c=Foreign %%d=State %%e=PID
for /f "tokens=1-5" %%a in ('@netstat -nto ^| findstr /V Active ^| findstr /V Proto') do set EP=%%c& set PID=%%e& call :loop
goto EOF

:loop
rem findstr /V "ECHO" drops the "ECHO is off." line that echo prints when EP is empty
@echo "%EP%", | findstr /V "ECHO"
rem netstat lists PID 0 for connections in TIME_WAIT; tasklist shows PID 0 as "System Idle Process"
@tasklist /FO CSV /V /FI "PID eq %PID%" /NH
@echo " " >NUL

:EOF


[output]
"74.125.19.17:443",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I..." - Google Chrome"
"74.125.19.19:443",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I..." - Google Chrome"
"74.125.19.19:443",
"opera.exe","4092","Console","1","346,312 K","Running","RMFVista\Admin","0:09:40","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"
"74.125.19.19:443",
"opera.exe","4092","Console","1","346,324 K","Running","RMFVista\Admin","0:09:40","http://sn114w.snt114.mail.live.com/default.aspx?wa=wsignin1.0 - Opera"
"74.125.19.101:80",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I..." - Google Chrome"
"74.125.10.23:80",
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\Admin","0:03:34","Blogger: Horizontal Logic - Edit Post "Which Processes are communicating on Vista? Part I..." - Google Chrome"
"76.96.30.119:110",
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\SYSTEM","24:51:17","N/A"
"85.13.200.108:110",
"WinMail.exe","4456","Console","1","179,712 K","Running","RMFVista\Admin","0:34:00","Google Alert - TCP/IP"
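The same join that the one-liner and the batch file above perform with for /f and tasklist /FI, done offline in Python over captured output, as an added example that is not part of the original post. It also handles the System Idle Process oddity: netstat -o reports PID 0 for connections in TIME_WAIT, and tasklist resolves PID 0 to "System Idle Process", so the POP3 endpoint above with no owning process is a closed connection draining, not the idle process talking. Both inputs are constructed samples in the format of netstat -nto and tasklist /FO CSV /V /NH (Vista column layout assumed: Proto, Local Address, Foreign Address, State, PID, Offload State); the function names are my own.

```python
"""Join a captured `netstat -nto` listing with a captured `tasklist /FO CSV /V /NH`
listing, the same correlation the batch files in the post do with for /f.

Added example, not the original post's code. Both inputs below are constructed
samples in the format those two commands print (Vista column layout assumed).
"""
import csv
import io

# Constructed sample of `netstat -nto` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID     Offload State
  TCP    192.168.1.5:49201      74.125.19.17:443       ESTABLISHED     3192    InHost
  TCP    192.168.1.5:49202      74.125.19.19:443       ESTABLISHED     4092    InHost
  TCP    192.168.1.5:49210      76.96.30.119:110       TIME_WAIT       0       InHost
  TCP    192.168.1.5:49211      85.13.200.108:110      ESTABLISHED     4456    InHost
"""

# Constructed sample of `tasklist /FO CSV /V /NH` output (not a real capture).
TASKLIST_SAMPLE = '''"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\\SYSTEM","24:51:17","N/A"
"chrome.exe","3192","Console","1","89,400 K","Running","RMFVista\\Admin","0:03:34","Blogger - Google Chrome"
"opera.exe","4092","Console","1","346,312 K","Running","RMFVista\\Admin","0:09:40","Mail - Opera"
"WinMail.exe","4456","Console","1","179,712 K","Running","RMFVista\\Admin","0:34:00","Google Alert - TCP/IP"
'''


def parse_netstat(text):
    """Return one dict per TCP line of `netstat -nto`: the same five fields the
    batch files pick up as %a..%e (tokens 1-5), with PID as an int."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip the "Active Connections" banner, the header row and blank lines,
        # which the batch files drop with findstr /V Active | findstr /V Proto.
        if len(tokens) < 5 or tokens[0] != "TCP":
            continue
        proto, local, foreign, state, pid = tokens[:5]
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /V /NH` output."""
    procs = {}
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) >= 2:
            procs[int(rec[1])] = rec[0]
    return procs


def correlate(netstat_text, tasklist_text, established_only=True):
    """Join connections to image names by PID.

    netstat reports PID 0 for connections in TIME_WAIT, and tasklist resolves
    PID 0 to "System Idle Process"; that is why the batch output in the post
    shows the idle process "owning" a POP3 endpoint. Such rows are labelled
    with their state instead of a process, and dropped when established_only
    is set (the filter the batch file is missing).
    """
    procs = parse_tasklist(tasklist_text)
    result = []
    for conn in parse_netstat(netstat_text):
        if conn["pid"] == 0:
            image = "(no owner: %s)" % conn["state"]
        else:
            image = procs.get(conn["pid"], "(pid %d not in tasklist)" % conn["pid"])
        if established_only and conn["state"] != "ESTABLISHED":
            continue
        result.append((conn["foreign"], conn["state"], conn["pid"], image))
    return result


if __name__ == "__main__":
    # Print every connection with its state, in the CSV-ish style of the post.
    for row in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE, established_only=False):
        print('"%s","%s",%d,"%s"' % row)
```

Run as is it prints every connection with its state next to the owning image name; calling correlate() with established_only left at its default drops the TIME_WAIT row (and any other non-ESTABLISHED state), which is the check the batch file lacks. Feeding it a real netstat -nto and tasklist capture from a host is the same parse, since the constructed samples follow those commands' layout.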