Why is the 'System' process listening on port 443?
I bet it's Skype. Uncheck the checkbox shown below if you have it installed.
First off, I will answer this question directly and anyone reading this can ignore any answers talking about 3rd-party, non-Microsoft applications using the System Process.
The System process is listed as PID 4 on every modern-day Windows system. It is for kernel-mode access. This rules out most 3rd-party web products like Apache.
Since the inception of WinRM (Windows Remote Management), the HTTP service (%SystemRoot%\system32\drivers\http.sys) has been a standard part of Windows (Vista and later / Server 2008 and later). http.sys runs under the System process (PID 4).
Other Microsoft-developed software may also use the %SystemRoot%\system32\drivers\http.sys under the System process like IIS, SQL Reporting Services, and Microsoft Web Deployment Service (http://support.microsoft.com/kb/2597817)...
WinRM 1.0 default ports were:
HTTP = 80
HTTPS = 443
WinRM 2.0 and greater default ports are:
HTTP = 5985
HTTPS = 5986
Check with the following commands:
Winrm enumerate winrm/config/listener
Winrm get http://schemas.microsoft.com/wbem/wsman/1/config
Troubleshooting steps:
Get the process number of the port that you are looking for (443 in this case):
...from a non-mapped drive of Windows to avoid "Access Denied":
netstat -aon | find ":443"
Output should look like the following for the System process:
C:>netstat -ano |find ":443"
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP [::]:443 [::]:0 LISTENING 4
The last column is the PID (4).
Running tasklist to find out what is running in the process proves unhelpful:
tasklist /SVC /FI "PID eq 4"
tasklist /m /FI "PID eq 4"Look in the registry for the HTTP service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\UrlAclInfo
There will be a list of URLs (with the port numbers) which can lead you to which application is running and holding which ports:
http:// +:5985/wsman/ --> WinRM
https:// +:5986/wsman/ --> WinRM
http:// +:80/Reports/ --> SQL Reporting Server
http:// +:80/ReportServer/ --> SQL Reporting Server
https:// server_fqdn:443/Reports/ --> SQL Reporting Server
https:// server_fqdn:443/ReportsServer/ --> SQL Reporting Server
http://* :2869/ --> Simple Service Discovery Protocol service (SSDPSRV)
http://* :5357/ --> Web Services Dynamic Discovery (WS-Discovery)
https://* :5358/ --> Web Services Dynamic Discovery (WS-Discovery)
You can then find the corresponding service on the system and stop it and see that wanted port is released by confirming with another netstat -aon | find ":443" command.
Run the following from an elevated command prompt:
netstat -ab