A firewall can give us very useful information about the connections, ports and traffic flowing from servers and PCs to the Internet and back.
Sometimes, though, it is difficult to collect the information we need from the firewall, for various reasons that limit its ability to track the traffic.
One of the most common commands for identifying all the connections to and from a device is netstat, which gives us a lot of useful information.
PowerShell offers a similar cmdlet, Get-NetTcpConnection. Let's see what we can do with the PowerShell cmdlet instead of netstat.
I have split the article into small examples for easier understanding.
Let's start.
#Find out all the connections to and from a Workstation or Server.
As a first step just type the following command. The results are similar to those of netstat -ano, with a few small differences: the output is a set of objects you can filter, sort and select from, and only TCP is shown (UDP listeners come from the separate Get-NetUDPEndpoint cmdlet).
Get-NetTcpConnection
#How to show the Process Name when running Get-NetTcpConnection
If you want to see the process name in the list, we need to involve the Get-Process cmdlet.
What do we need to do?
We create a hashtable that defines a calculated property: a key Name for the column header, and an Expression that uses Get-Process to look up the name of the process whose ID is in the OwningProcess property returned by Get-NetTCPConnection.
Then we run Get-NetTCPConnection and pass the hashtable to Select-Object. And the magic happens.
# Calculated property: resolve OwningProcess (a PID) to a process name.
# -ErrorAction SilentlyContinue avoids a red error when the owning process has already exited.
$process = @{
    Name       = "Process Name"
    Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }
}
Get-NetTCPConnection | Select-Object -Property LocalPort, $process
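The calculated property above is enough for a quick look, but for regular use it helps to wrap the lookup in a function that also returns the remote side, the state and the executable path, and that copes with an OwningProcess whose process has already exited. The following is an added example, not code from the original article; the function name Get-TcpConnectionWithProcess and its parameters are my own choice, and it assumes a Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original article): list TCP connections with the
# owning process resolved to a name and executable path.
# Caveat handled here: OwningProcess may refer to a process that has already
# exited, in which case Get-Process -Id throws; -ErrorAction SilentlyContinue
# turns that into $null and we report "<exited>" instead. Path is empty for
# protected/system processes unless the shell is elevated.
function Get-TcpConnectionWithProcess {
    [CmdletBinding()]
    param(
        # Optional: restrict to one state, e.g. Established, Listen, TimeWait
        [string]$State,
        # Optional: restrict to these local ports
        [int[]]$LocalPort
    )

    # Build the Get-NetTCPConnection parameters only from what was supplied
    $filter = @{}
    if ($State)     { $filter.State     = $State }
    if ($LocalPort) { $filter.LocalPort = $LocalPort }

    # Cache Get-Process lookups so a host with thousands of sockets does not
    # call Get-Process once per connection
    $procCache = @{}

    Get-NetTCPConnection @filter | ForEach-Object {
        $owner = $_.OwningProcess
        if (-not $procCache.ContainsKey($owner)) {
            $procCache[$owner] = Get-Process -Id $owner -ErrorAction SilentlyContinue
        }
        $proc = $procCache[$owner]

        $name = '<exited>'
        $path = $null
        if ($proc) {
            $name = $proc.ProcessName
            $path = $proc.Path
        }

        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            OwningProcess = $owner
            ProcessName   = $name
            Path          = $path
        }
    }
}

# Usage: all established connections, grouped visually by process
Get-TcpConnectionWithProcess -State Established |
    Sort-Object ProcessName, RemoteAddress |
    Format-Table -AutoSize
```

Because the function emits objects rather than formatted text, you can keep piping: for example `Get-TcpConnectionWithProcess -State Listen | Where-Object { -not $_.Path }` shows listeners whose executable path could not be read, which is worth a second look on a server.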
#Filter Get-NetTcpConnection by State
Let's see a simple command that filters the TCP connections to those that are Established. The -State parameter also accepts the other TCP states, such as Listen and TimeWait.
Get-NetTCPConnection -State Established
#Filter the Results by LocalPort or RemotePort
A very common scenario is filtering the results to see the connections from our server on a specific local port to a destination.
Get-NetTCPConnection -LocalPort 3389
We can use the same command with multiple local ports.
Get-NetTCPConnection -LocalPort 3389,445
Now let's see which remote hosts we are connected to on remote ports 3389 and 445. All good: the connection on 445 went to the Domain Controller on that port.
Get-NetTCPConnection -RemotePort 3389,445
#Find out which RemoteAddress is connected.
Another common scenario is filtering the list to a specific remote address.
Get-NetTCPConnection -RemoteAddress 192.168.37.1
That's it!
You can use a lot of combinations based on your requirements. These are some of the commands that I use most often to identify where a device is connected or to find suspicious IP addresses that might be connected to it.
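Putting the State, RemotePort and RemoteAddress filters together is how the "suspicious IP address" check above is usually done in practice. The following is an added example, not code from the original article: it keeps only Established connections whose remote side is outside loopback, link-local and RFC 1918 private space, drops addresses on an allowlist, and groups what is left by remote address and port so an unexpected external peer stands out. The function names Test-PrivateOrLocalAddress and Get-SuspiciousTcpConnection, the $KnownGood allowlist and the address 203.0.113.10 in the usage line are illustrative placeholders of my own.

```powershell
# Added example (not from the original article): combine the filters shown in
# the article to triage outbound connections to external hosts.

# Returns $true for addresses we do not consider "external": loopback,
# link-local, unspecified, and the RFC 1918 private ranges. IPv6 addresses
# other than loopback/link-local are treated as external.
function Test-PrivateOrLocalAddress {
    param([string]$Address)
    if ($Address -in @('::', '::1', '0.0.0.0') -or $Address -like 'fe80:*') { return $true }
    $ip = $null
    # Anything that does not parse as an IP is treated as local so it never
    # shows up as a false "external" hit
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-SuspiciousTcpConnection {
    param(
        # Illustrative allowlist (placeholder): remote addresses already vetted
        [string[]]$KnownGood = @(),
        # Remote ports of interest; empty means any port
        [int[]]$RemotePort = @()
    )
    # Same cmdlet parameters the article uses, built up dynamically
    $params = @{ State = 'Established' }
    if ($RemotePort.Count -gt 0) { $params.RemotePort = $RemotePort }

    Get-NetTCPConnection @params |
        Where-Object { -not (Test-PrivateOrLocalAddress $_.RemoteAddress) } |
        Where-Object { $_.RemoteAddress -notin $KnownGood } |
        Group-Object RemoteAddress, RemotePort |
        ForEach-Object {
            $owners = $_.Group.OwningProcess | Sort-Object -Unique
            # Resolve each owning PID to a name; exited processes simply drop out
            $names = $owners | ForEach-Object {
                (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName
            } | Where-Object { $_ } | Sort-Object -Unique
            [PSCustomObject]@{
                RemoteAddress = $_.Group[0].RemoteAddress
                RemotePort    = $_.Group[0].RemotePort
                Connections   = $_.Count
                OwningPIDs    = ($owners -join ',')
                Processes     = ($names -join ',')
            }
        } |
        Sort-Object Connections -Descending
}

# Usage: external peers on 443 and 445, excluding one placeholder allowlisted address
Get-SuspiciousTcpConnection -RemotePort 443,445 -KnownGood '203.0.113.10' |
    Format-Table -AutoSize
```

Running it without -RemotePort lists every external established peer, which is the more useful form on a server that should only ever talk to a handful of known addresses; an entry whose Processes column is empty means the owning process was gone before Get-Process could look it up, so the PID alone is what you have to work with.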