Windows OS Hub

July 20, 2021 | PowerShell, Windows 10, Windows Server 2016

Checking Active TCP/IP Connections on Windows with PowerShell

Many administrators use the netstat console tool or the graphical TCPView utility to display information about active TCP/IP connections and open TCP ports in Windows. Instead of netstat, you can use the Get-NetTCPConnection cmdlet in PowerShell to get information about active network connections, open TCP ports, and the running processes that use the TCP/IP protocol. PowerShell makes it easy to write complex scripts that collect this information and monitor open TCP ports, processes, and established network connections.

Try to run the Get-NetTCPConnection command without any options.

Get-NetTCPConnection cmdlet: list current TCP connections

Like netstat, the command displays the list of all active connections with local and remote IP addresses, ports, connection state (Listen, Established, TimeWait, Bound, CloseWait, SynReceived, SynSent), and the ID of the process (PID) that is using this TCP connection.

You can display a list of open (listening) ports on your local computer:

Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Sort-Object LocalPort |ft

Find Listening Ports on Windows with PowerShell

The Get-NetUDPEndpoint cmdlet is used to get information about UDP ports.
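
The two cmdlets above can be combined into one inventory of listening endpoints with their owning processes. This is an added example, not part of the original article; the function name Get-ListeningEndpoint and the Scope labels are illustrative.

```powershell
# Added example: list listening TCP ports and bound UDP endpoints together,
# with the owning process and whether the socket is bound to all interfaces.
function Get-ListeningEndpoint {
    # Read the process table once; a per-row Get-Process call is slow
    # and raises errors for processes that have already exited.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n = 'Protocol'; e = { 'TCP' }}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n = 'Protocol'; e = { 'UDP' }}, LocalAddress, LocalPort, OwningProcess

    foreach ($e in @($tcp) + @($udp)) {
        # A wildcard bind accepts traffic on every interface (subject to the
        # firewall); a loopback bind is reachable only from the local machine.
        if ($e.LocalAddress -in '0.0.0.0', '::') {
            $scope = 'AllInterfaces'
        } elseif ($e.LocalAddress -in '127.0.0.1', '::1') {
            $scope = 'Loopback'
        } else {
            $scope = 'SpecificAddress'
        }

        $p = $procs[[int]$e.OwningProcess]
        [pscustomobject]@{
            Protocol     = $e.Protocol
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            Scope        = $scope
            ProcessId    = $e.OwningProcess
            ProcessName  = if ($p) { $p.ProcessName } else { '<exited>' }
            # Path is empty for protected processes unless the session is elevated
            Path         = if ($p) { $p.Path } else { $null }
        }
    }
}

Get-ListeningEndpoint | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Saving the output with Export-Csv and comparing later runs against it with Compare-Object shows which listeners appeared or disappeared between the two points in time.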

You can display external (Internet) connections only:

Get-NetTCPConnection -AppliedSetting Internet

You can display DNS names of remote hosts and process names for TCP connections:

Get-NetTCPConnection -State Established | Select-Object -Property LocalAddress, LocalPort, @{name='RemoteHostName';expression={(Resolve-DnsName $_.RemoteAddress -ErrorAction SilentlyContinue).NameHost}}, RemoteAddress, RemotePort, State, @{name='ProcessName';expression={(Get-Process -Id $_.OwningProcess).Path}}, OffloadState, CreationTime | ft

This PowerShell command resolves the remote IP addresses to DNS names and shows the executable path of the owning process for each connection.

Show network connections (remote IP addresses, ports) of Windows process with PowerShell

Using the PID of the owning process, you can display the list of related Windows services that are using the network:

Get-WmiObject Win32_Service | Where-Object -Property ProcessId -In (Get-NetTCPConnection).OwningProcess | Where-Object -Property State -eq Running | Format-Table ProcessId, Name, Caption, StartMode, State, Status, PathName

You can view only network connections initiated by the specific process. To do it, you can use the following PowerShell script:

# Wildcard pattern matched against the executable path of the owning process
$TrackProcessName = "*chrome*"
$EstablishedConnections = Get-NetTCPConnection -State Established | Select-Object -Property LocalAddress, LocalPort, @{name='RemoteHostName';expression={(Resolve-DnsName $_.RemoteAddress -ErrorAction SilentlyContinue).NameHost}}, RemoteAddress, RemotePort, State, @{name='ProcessName';expression={(Get-Process -Id $_.OwningProcess).Path}}, OffloadState, CreationTime
Foreach ($Connection in $EstablishedConnections)
{
    # Show only the connections that belong to the tracked process
    If ($Connection.ProcessName -like $TrackProcessName)
    {
        $Connection | ft
    }
}

You can use the Get-NetTCPConnection cmdlet in various scenarios. For example, you can create a simple PowerShell script that checks whether a connection is established from a specific IP address to a specified local port and displays a pop-up notification to the administrator.

In the following example, a PowerShell script checks if a connection from the specified IP address appears on the default RDP port 3389. If the connection appears, the script displays a pop-up notification and logs the date and time of the connection to a text file:

$SourceIP = "192.168.13.125"
$TargetPort = 3389
$log = "C:\PS\rdp_connection_log.txt"
$EstablishedConnections = Get-NetTCPConnection -State Established
Foreach ($Connection in $EstablishedConnections)
{
    # Match an inbound connection from the watched address to the local RDP port
    If (($Connection.RemoteAddress -eq $SourceIP) -and ($Connection.LocalPort -eq $TargetPort))
    {
        # Assemblies required for the tray notification and its icon
        Add-Type -AssemblyName System.Windows.Forms
        Add-Type -AssemblyName System.Drawing
        $global:balmsg = New-Object System.Windows.Forms.NotifyIcon
        # Reuse the icon of the current PowerShell host process
        $path = (Get-Process -Id $pid).Path
        $balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path)
        $balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
        $balmsg.BalloonTipText = "New RDP connection to your computer from $($Connection.RemoteAddress)"
        $balmsg.BalloonTipTitle = "New RDP connection from $($Connection.RemoteAddress)"
        $balmsg.Visible = $true
        $balmsg.ShowBalloonTip(10000)
        # Append a timestamped entry to the log file
        (Get-Date).ToString() + ' ' + $Connection.RemoteAddress + ' an RDP connection is established ' >> $log
    }
}

Powershell script: show popup message after remote connection to your computer is established

In the same way, you can monitor and log network connections over any other protocol, like SSH, SMB, FTP, SMTP, etc. This PowerShell script may be converted into a Windows service that will start automatically.
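
A continuous version of this check for several protocols at once, logging each new inbound connection a single time, could look like the following. This is an added example, not part of the original article; the watched ports, the log path, and the 5-second polling interval are assumptions, and the C:\PS folder must already exist.

```powershell
# Added example: poll established TCP connections and log every new inbound
# connection to a watched local port. All values below are illustrative.
$WatchedPorts = @{ 22 = 'SSH'; 445 = 'SMB'; 3389 = 'RDP' }
$LogFile      = 'C:\PS\inbound_connections.csv'
$PollSeconds  = 5
$seen         = @{}   # connections that were present during the previous poll

while ($true) {
    $current = @{}

    # A watched port on the LOCAL side means the remote host connected to us
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $WatchedPorts.ContainsKey([int]$_.LocalPort) }

    foreach ($c in $conns) {
        # The four-tuple identifies one connection
        $key = '{0}:{1}>{2}:{3}' -f $c.RemoteAddress, $c.RemotePort, $c.LocalAddress, $c.LocalPort
        $current[$key] = $true

        if (-not $seen.ContainsKey($key)) {
            # The owning process may have exited between the two calls
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Time          = (Get-Date).ToString('o')
                Service       = $WatchedPorts[[int]$c.LocalPort]
                RemoteAddress = $c.RemoteAddress
                RemotePort    = $c.RemotePort
                LocalAddress  = $c.LocalAddress
                LocalPort     = $c.LocalPort
                ProcessId     = $c.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '' }
            } | Export-Csv -Path $LogFile -Append -NoTypeInformation
        }
    }

    # Keep only connections that still exist, so a closed connection is
    # logged again if the same four-tuple is reused later
    $seen = $current
    Start-Sleep -Seconds $PollSeconds
}
```

Polling misses connections that open and close between two checks, so treat this log as a complement to the Windows Security and RDP event logs rather than a replacement for them.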

You can use the script together with the one we discussed earlier: RDP Brute Force Attack Protection with Powershell.

You can get a list of open TCP ports and connections on remote computers using PowerShell remoting cmdlets (Enter-PSSession and Invoke-Command).

Invoke-Command -ComputerName be-dc01 {Get-NetTCPConnection -State Established}

The Get-NetTCPConnection cmdlet (as well as Test-NetConnection) may be very useful to track and diagnose network connections in Windows.

1 comment

Vic January 13, 2023 - 3:21 pm

Thanks for the article. Very useful.

One suggestion.
Instead of:
Foreach ($Connection in $EstablishedConnections)
{
If ($Connection.ProcessName -like $TrackProcessName)
{
$Connection|ft
}
}

Use:
$EstablishedConnections | Where-Object ProcessName -Like $TrackProcessName | Select-Object * | Format-Table
