I want to get the list of Windows services and their ports in C#. I'm able to get all Windows services by using ServiceController
but I'm unable to get the ports of these services.

3 Answers
Please check this question on Stack Overflow. It is not exactly the same as what you are asking, but it points to a useful function called GetExtendedTcpTable, available through PInvoke, that can do what you need. Also check this one.

After a lot of looking around I found that there's an undocumented "OwningModuleInfo" in the MIB_TCPROW_OWNER_MODULE structure.
Then looking for that I found this comment:
Weird issue regarding GetOwnerModuleFromTcpEntry when targeting x64
"I have reached the conclusion that the first item in the array is the index of the service in the list of running services, ..."
So the answer to the question would then be to use that to get the name info that netstat -b shows (service name and address+port), filtering for your desired service. I found this https://github.com/Loriowar/IpHlpApidotnet lib which has a bunch of related code already set up except for this feature.
Other useful links:
Marshalling Struct with Array of Struct Member
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366911(v=vs.85).aspx

The answers to similar questions always propose using Iphlpapi but it is not at all clear how you would get the RpcSs (service name) in this netstat -ban copy paste:
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING RpcSs [svchost.exe]
Or the Schedule here:
TCP [::]:49154 [::]:0 LISTENING Schedule [svchost.exe]
I looked for a solution to this and didn't find anything (-easy). Netstat calls into some undocumented functions in Iphlpapi but it's not clear whether it gets the service name from Iphlpapi or somehow uses the pid from Iphlpapi and uses something else to get the service name. I'm not really tempted to spend time with a debugger to answer this because..:
However ideally one wouldn't want to use a polling-style approach from C# anyway. It would be more appropriate to use ETW. I think the lack of examples of using it from C# is because there's some overhead to getting started with it and examples around may be specific to other types of tracing/monitoring scenarios.
Summary: If you are short on time to implement this, just saving the netstat output seems to be the "solution". Ideally I would have liked to find a simple-to-use C# example to monitor any network connections and figure out what service or process handled/initiated them, along with possible firewall changes. I believe doing both is possible with ETW but for my current needs it's hard to justify the unknown amount of time needed to get that working. I have at least figured out that "logman query providers" lists the providers, then you need to do something to enable the provider (and driver support for tracing in some cases like packet capture). There's a C# project for using ETW around. But it's not at all clear how much effort it would be to reproduce the netstat output with ETW.
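An added example (not code from any of the answers above): one way to pair the GetExtendedTcpTable call mentioned in the first answer with a PID-to-service lookup. It assumes IPv4 TCP listeners only, a reference to System.Management, and uses WMI's Win32_Service for the PID mapping, which is a choice made here and not necessarily how netstat does it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management;   // assumption: System.Management assembly/package is referenced
using System.Runtime.InteropServices;

static class ServicePorts
{
    const int AF_INET = 2, TCP_TABLE_OWNER_PID_LISTENER = 3;

    [StructLayout(LayoutKind.Sequential)]
    struct MIB_TCPROW_OWNER_PID { public uint State, LocalAddr, LocalPort, RemoteAddr, RemotePort, OwningPid; }

    [DllImport("iphlpapi.dll")]
    static extern uint GetExtendedTcpTable(IntPtr table, ref int size, bool sort, int af, int tableClass, uint reserved);

    // IPv4 TCP listeners as (owning PID, local port).
    static List<(uint Pid, int Port)> TcpListeners()
    {
        var result = new List<(uint, int)>();
        int size = 0;   // first call only reports the buffer size needed
        GetExtendedTcpTable(IntPtr.Zero, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_LISTENER, 0);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            // Fails (and throws) if the table grew between the two calls; retry in that case.
            uint rc = GetExtendedTcpTable(buf, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_LISTENER, 0);
            if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);
            int count = Marshal.ReadInt32(buf);                  // dwNumEntries
            int rowSize = Marshal.SizeOf<MIB_TCPROW_OWNER_PID>();
            for (int i = 0; i < count; i++)
            {
                var row = Marshal.PtrToStructure<MIB_TCPROW_OWNER_PID>(buf + 4 + i * rowSize);
                // Port is stored in network byte order in the low 16 bits.
                result.Add((row.OwningPid, (int)(((row.LocalPort & 0xFF) << 8) | ((row.LocalPort >> 8) & 0xFF))));
            }
        }
        finally { Marshal.FreeHGlobal(buf); }
        return result;
    }

    static void Main()
    {
        // PID -> running services hosted in that process (several for a shared svchost.exe).
        var byPid = new ManagementObjectSearcher("SELECT Name, ProcessId FROM Win32_Service WHERE State = 'Running'")
            .Get().Cast<ManagementObject>()
            .ToLookup(s => (uint)s["ProcessId"], s => (string)s["Name"]);
        foreach (var (pid, port) in TcpListeners().Where(l => byPid.Contains(l.Pid)))
            Console.WriteLine($"TCP {port,-6} pid {pid,-6} {string.Join(", ", byPid[pid])}");
    }
}
```

When a line lists several service names, they share one svchost.exe process and the PID alone cannot say which of them owns the port; that is the per-service detail netstat -b shows and the answers above discuss.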