In the previous tip we introduced the Get-NetTCPConnection cmdlet as a better alternative to the netstat.exe network utility on Windows systems. It can list open ports and connections, and we left off with an example that lists all connections to HTTPS (port 443):

PS> Get-NetTCPConnection -RemotePort 443 -State Established 

LocalAddress  LocalPort RemoteAddress  RemotePort State       AppliedSetting OwningProcess
------------  --------- -------------  ---------- -----       -------------- -------------
              58640                    443        Established Internet       14204
              56201                    443        Established Internet       9432
              56200                    443        Established Internet       13736
              56199                    443        Established Internet       12752
              56198                    443        Established Internet       9432
              56192                    443        Established Internet       9432
              56188                    443        Established Internet       10276
              56181                    443        Established Internet       10276
              56103                    443        Established Internet       9432
              56095                    443        Established Internet       9432
              56094                    443        Established Internet       9432
              55959                    443        Established Internet       21588
              55568                    443        Established Internet       13736
              55555                    443        Established Internet       12752
              49638                    443        Established Internet       5464

This list is not very useful per se because it does not resolve IP addresses and won’t tell you which programs maintain the connections. With a little bit of PowerShell magic, though, you can resolve these items:

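# calculated property "Process": turns the process ID into the executable path
$Process = @{
    Name = 'Process'
    Expression = {
        # return process path
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
    }
}

# calculated property "Host": turns the remote IP address into a host name
$HostName = @{
    Name = 'Host'
    Expression = {
        $remoteHost = $_.RemoteAddress
        try { 
            # try to resolve IP address
            [Net.Dns]::GetHostEntry($remoteHost).HostName
        } catch {
            # if that fails, return IP anyway
            $remoteHost
        }
    }
}

# get all connections to port 443 (HTTPS)
Get-NetTCPConnection -RemotePort 443 -State Established | 
  # where there is a remote address
  Where-Object RemoteAddress |
  # and resolve IP and process ID
  Select-Object -Property $HostName, OwningProcess, $Process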

Select-Object selects the objects you want to display. It supports “calculated properties”. $Process defines a calculated property named “Process”: it takes the original OwningProcess property and runs the process ID in it through Get-Process to get the path to the application.

The same occurs in $HostName: here, the .NET GetHostEntry() method is used to resolve the IP and return the resolved hostname. The result now looks like this:

Host                            OwningProcess Process
----                            ------------- -------
                                         9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                         9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        21588 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                         9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        13736 C:\Users\tobia\AppData\Local\Microsoft\Teams\current\Teams.exe
                                        12752 C:\Users\tobia\AppData\Local\Microsoft\OneDrive\OneDrive.exe

The cost of this can be tremendous, though, because resolving IP addresses can take a long time, especially when a query times out. In the next part, we’ll take a look at parallel processing to speed things up.
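One way to reduce that cost without any parallelism, shown here as an added example that is not code from the original tip: cache the lookups so each remote address and each process ID is resolved only once, however many connections share them. The helper names Resolve-RemoteHost and Get-ProcessPath and the two cache variables are hypothetical.

```powershell
# Added example: caches so repeated IPs and PIDs are looked up only once
$dnsCache  = @{}   # remote IP  -> host name (or the IP if resolution failed)
$procCache = @{}   # process ID -> executable path (or $null if not accessible)

function Resolve-RemoteHost {
    param([string]$Address)
    if (-not $dnsCache.ContainsKey($Address)) {
        try {
            # reverse lookup, same .NET call the tip uses
            $dnsCache[$Address] = [System.Net.Dns]::GetHostEntry($Address).HostName
        } catch {
            # failed or timed out: remember the IP so the slow lookup is not retried
            $dnsCache[$Address] = $Address
        }
    }
    $dnsCache[$Address]
}

function Get-ProcessPath {
    param([int]$Id)
    if (-not $procCache.ContainsKey($Id)) {
        # Path is $null when the process has exited or access is denied
        $procCache[$Id] = (Get-Process -Id $Id -ErrorAction SilentlyContinue).Path
    }
    $procCache[$Id]
}

# calculated properties that go through the caches
$HostName = @{ Name = 'Host';    Expression = { Resolve-RemoteHost -Address $_.RemoteAddress } }
$Process  = @{ Name = 'Process'; Expression = { Get-ProcessPath -Id $_.OwningProcess } }

# get all connections to port 443 (HTTPS), keeping the raw IP next to the resolved name
Get-NetTCPConnection -RemotePort 443 -State Established |
  Where-Object RemoteAddress |
  Select-Object -Property $HostName, RemoteAddress, OwningProcess, $Process |
  Sort-Object -Property Process, Host
```

The raw RemoteAddress is kept beside Host because a reverse-DNS name comes from a PTR record controlled by whoever owns the address, so it should not be trusted on its own. An empty Process column usually means the process has exited or the session lacks the rights to read its path.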


  • Nice! I always encountered like it does not resolve IP addresses and won’t tell which programs maintain the connections and I wasn't aware of this PowerShell magic, lol. I hired some experts in Round Rock Shower Remodel Company just to fix this kind of issue without knowing that there is an easy way to do that. Thank you so much.

  • Done reading part 1 and this part 2. Very useful and informative for my current project since I encountered errors and I am really confused because it does not resolve IP addresses and didn't know which programs maintain the connections. Now I know the root cause. Thank you so much.


