Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / PowerShell / Checking Active TCP/IP Connections on Windows with PowerShell

March 17, 2024

Checking Active TCP/IP Connections on Windows with PowerShell

Many administrators usually use the netstat console tool or graphic TCPView to display information about active TCP/IP connections and open TCP ports in Windows. Instead of netstat, you can use the Get-NetTCPConnection cmdlet in PowerShell to get information about active network connections in Windows, open TCP ports, and run processes that are using the TCP/IP protocol. PowerShell makes it easy to write complex scripts to get information and monitor open TCP ports, processes, and established network connections.

Try to run the Get-NetTCPConnection command without any options.

Get-NetTCPConnection cmdlet: list current TCP connections

Like netstat, the command has displayed the list of all active connections with local and remote IP addresses, ports, connection state (Listen, Established Internet, TimeWait, Bound, CloseWait, SynReceived, SynSent), and process ID (PID) that is using this TCP connection.

You can display a list of open (listening) ports on your local computer:

Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Sort-Object LocalPort |ft

Find Listening Ports on Windows with PowerShell

The Get-NetUDPEndpoint cmdlet is used to get information about UDP ports.

You can display external (Internet) connections only:

Get-NetTCPConnection -AppliedSetting Internet

You can display DNS names of remote hosts and process names for TCP connections:

Get-NetTCPConnection -State Established |Select-Object -Property LocalAddress, LocalPort,@{name='RemoteHostName';expression={(Resolve-DnsName $_.RemoteAddress).NameHost}},RemoteAddress, RemotePort, State,@{name='ProcessName';expression={(Get-Process -Id $_.OwningProcess). Path}},OffloadState,CreationTime |ft

This PowerShell script resolved all host IP addresses to DNS names and specified process names for all connections.

Show network connections (remote IP addresses, ports) of Windows process with PowerShell

By the name of a parent process PID, you can display the list of related Windows services that are using the network:

Get-WmiObject Win32_Service | Where-Object -Property ProcessId -In (Get-NetTCPConnection).OwningProcess | Where-Object -Property State -eq Running | Format-Table ProcessId, Name, Caption, StartMode, State, Status, PathName

You can view only network connections initiated by the specific process. To do it, you can use the following PowerShell script:

$TrackProcessName = "*chrome*"
$EstablishedConnections = Get-NetTCPConnection -State Established |Select-Object -Property LocalAddress, LocalPort,@{name='RemoteHostName';expression={(Resolve-DnsName $_.RemoteAddress).NameHost}},RemoteAddress, RemotePort, State,@{name='ProcessName';expression={(Get-Process -Id $_.OwningProcess). Path}}, OffloadState,CreationTime
Foreach ($Connection in $EstablishedConnections)
{
If ($Connection.ProcessName -like $TrackProcessName)
{
$Connection|ft
}
}

You can use the Get-NetTCPConnection cmdlet in various scenarios. For example, you can create a simple PowerShell script to track if the connection is established from the specific IP address to the specified local port and display a pop-up notification to the administrator.

In the following example, a PowerShell script checks if a connection from the specified IP address appears on the default RDP port 3389. If the connection appears, the script will display a pop-up notification and log the date and time of the connection to a text file:

$SourceIP = “192.168.13.125”
$TargetPort =”3389”
$log = "C:\PS\rdp_connection_log.txt"
$EstablishedConnections = Get-NetTCPConnection -State Established
Foreach ($Connection in $EstablishedConnections)
{
If (($Connection.RemoteAddress -eq $SourceIP) -and ($Connection.LocalPort -eq $TargetPort))
{
Add-Type -AssemblyName System.Windows.Forms
$global:balmsg = New-Object System.Windows.Forms.NotifyIcon
$path = (Get-Process -id $pid).Path
$balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
$balmsg.BalloonTipText = "New RDP connection to your computer from $($Connection.RemoteAddress)"
$balmsg.BalloonTipTitle = "New RDP connection from ($Connection.RemoteAddress)"
$balmsg.Visible = $true
$balmsg.ShowBalloonTip(10000)
(Get-Date).ToString() + ' ' + $Connection.RemoteAddress + ' an RDP connection is established ' >> $log
}
}

Powershell script: show popup message after remote connection to your computer is established

In the same way, you can monitor and log network connections over any other protocol, like SSH, SMB, FTP, SMTP, etc. This PowerShell script may be converted into a Windows service that will start automatically.

You can use the script together with the one we discussed earlier: RDP Brute Force Attack Protection with Powershell.

You can get a list of open TCP ports and connections on remote computers using PowerShell remoting cmdlets (Enter-PSSession and Invoke-Command).

Invoke-Command -ComputerName be-dc01 {Get-NetTCPConnection -State Established}

The Get-NetTCPConnection cmdlet (as well as Test-NetConnection) may be very useful for tracking and diagnosing network connections in Windows.

2 comments
7
Facebook Twitter Google + Pinterest
PowerShellWindows 10Windows Server 2016
previous post
Using RDCMan (Remote Desktop Connection Manager) on Windows
next post
How to Install and Activate the RDS Licensing Role and CALs on Windows Server

Related Reading

PowerShell: Get Folder Size on Windows

April 2, 2024

How to Download Offline Installer (APPX/MSIX) for Microsoft...

March 12, 2024

How to Refresh (Update) Group Policy Settings on...

August 13, 2024

Install and Manage Windows Updates with PowerShell (PSWindowsUpdate)

March 17, 2024

How to Backup and Restore Websites and IIS...

June 8, 2023

Slow Access to Shared Folders and Network Drives...

March 11, 2024

How to Uninstall Built-in UWP (APPX) Apps on...

June 6, 2024

Using PowerShell Behind a Proxy Server

March 17, 2024

2 comments

Vic January 13, 2023 - 3:21 pm

Thanks for the article. Very useful.

One suggestion.
Insted of:
Foreach ($Connection in $EstablishedConnections)
{
If ($Connection.ProcessName -like $TrackProcessName)
{
$Connection|ft
}
}

Use:
$EstablishedConnections | Where-Object ProcessName -Like $TrackProcessName | Select-Object * | Format-Table

Reply
Szynkie May 5, 2023 - 12:13 pm

the command Get-NetTCPConnection show wrong IP addresses for some connections, eg in my case it shows:
0.0.0.0 49425 0.0.0.0 0 Bound – local address and remote address as 0.0.0.0 for port 49425 when command ‘netstat -ano’ and ‘resource monitor’ app shows 192.168.68.114 as local address and 40.113.103.199 as remote address:
TCP 192.168.68.114:49425 40.113.103.199:443 ESTABLISHED 6096

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Install and Manage Windows Updates with PowerShell (PSWindowsUpdate)
  • How to Download Offline Installer (APPX/MSIX) for Microsoft Store App
  • Configuring Port Forwarding in Windows
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Adding Drivers into VMWare ESXi Installation Image
  • Tracking and Analyzing Remote Desktop Connection Logs in Windows
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top