July 3rd, 2018

How can I determine why the System process is listening on port 80?

A customer observed that the System process was listening on port 80 and couldn’t figure out why.

The netsh http show urlacl command will show which URLs have been reserved, as well as the access control lists (ACLs) associated with them.

Reserved URL : http://+:80/Temporary_Listen_Addresses/
  User: \Everyone
    Listen: Yes
    Delegate: No
    SDDL: D:(A;;GX;;;WD)

Reserved URL : http://+:80/0131501b-d67f-491b-9a40-c4bf27bcb4d4/
  User: NT AUTHORITY\NETWORK SERVICE
    Listen: Yes
    Delegate: No
    SDDL: D:(A;;GX;;;NS)

Reserved URL : http://+:80/116B50EB-ECE2-41ac-8429-9F9E963361B7/
  User: NT AUTHORITY\NETWORK SERVICE
    Listen: Yes
    Delegate: No
    SDDL: D:(A;;GX;;;NS)

At this point, you have information you can enter into a search engine to see what they’re about.

The first URL is used by the Windows Communication Framework; this web page tells you how to modify or delete it.

The second one is assigned to [MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol, which appears to be used for subnet-level peer caching as part of Windows BranchCache.

The third one is assigned to [MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol, which also part of Windows BranchCache.

The customer confirmed that disabling BranchCache caused Windows to stop listening on the second and third URLs.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.