How can I determine why the System process is listening on port 80?

A customer observed that the System process was listening on port 80 and couldn’t figure out why.

The netsh http show urlacl command will show which URLs have been reserved, as well as the access control lists (ACLs) associated with them.

Reserved URL : http://+:80/Temporary_Listen_Addresses/
  User: \Everyone
    Listen: Yes
    Delegate: No
    SDDL: D:(A;;GX;;;WD)

Reserved URL : http://+:80/0131501b-d67f-491b-9a40-c4bf27bcb4d4/
  User: NT AUTHORITY\NETWORK SERVICE
    Listen: Yes
    Delegate: No
    SDDL: D:(A;;GX;;;NS)

Reserved URL : http://+:80/116B50EB-ECE2-41ac-8429-9F9E963361B7/
  User: NT AUTHORITY\NETWORK SERVICE
    Listen: Yes
    Delegate: No
    SDDL: D:(A;;GX;;;NS)

At this point, you have information you can enter into a search engine to see what they’re about.

The first URL is used by the Windows Communication Framework; this web page tells you how to modify or delete it.

The second one is assigned to [MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol, which appears to be used for subnet-level peer caching as part of Windows BranchCache.

The third one is assigned to [MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol, which also part of Windows BranchCache.

The customer confirmed that disabling BranchCache caused Windows to stop listening on the second and third URLs.