Sunday, May 6, 2012

UDP UPnP Ports Opening from SVCHOST.EXE NETSVCS (range 50k - 60k)

So, I noticed that one of my computers kept opening a UPnP rule on my firewall (if I kept UPnP on), but the other didn't. Searching with netstat -ano gave me the PID, which was svchost.exe netsvcs. Now, this doesn't say much, since a lot of services run on svchost. Searching with the port number or the services wouldn't give many results, as the port was dynamic. After some more Google persistence I found the command that lists the services running inside each PID, with their names: tasklist /svc
Browser, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
So now I got something similar to this, and by trial and error I eventually found out that if I stopped IPHLPSVC, I would stop listening on the port. In the end, when I searched the net for IPHLPSVC, I found someone with the same questions I had and a precious tip that might save me time next time:
This service is somehow responsible for the horrible Teredo and other tunnels that appear in your ipconfig list since they invented IPv6. Somehow I suspected, when I checked IKEEXT, that this would have something to do with IPv6. But why did I have this open on one computer and not on the other?
Anyway, just to make sure, I re-enabled the service, but nothing happened. The UDP port only gets opened when you actually attempt an IPv6 connection. It seems the UDP port will try to emulate IPv6 connections even if you're using IPv4. Something to try to understand in the future. For now I am happy that I didn't have a worm somewhere...
PS: If you want, you can turn it off with netsh interface teredo set state disabled (set state default to re-enable).
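
The trial-and-error step above can be narrowed by joining the two command outputs on PID. This is an added example, not part of the original post: the sample output is constructed, the PIDs are made up, and the function names are hypothetical.

```python
import re

# Constructed sample output (not captured from a real host).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  UDP    0.0.0.0:54321          *:*                                    1016
  UDP    [::]:5355              *:*                                    1304
"""
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    772 RpcEptMapper, RpcSs
svchost.exe                   1016 Browser, EapHost, gpsvc, IKEEXT, iphlpsvc,
                                   LanmanServer, ProfSvc, Schedule, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
"""

def udp_listeners(netstat_text, lo=50000, hi=60000):
    """Return {pid: [ports]} for UDP endpoints bound to a port in [lo, hi]."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows have no State column: Proto, Local Address, Foreign Address, PID
        if len(fields) != 4 or fields[0] != "UDP":
            continue
        port = int(fields[1].rsplit(":", 1)[1])  # rsplit also handles [::]:port
        if lo <= port <= hi:
            found.setdefault(int(fields[3]), []).append(port)
    return found

def services_by_pid(tasklist_text):
    """Return {pid: [service names]}, joining wrapped continuation lines."""
    table, current = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:  # first row of a process: image name, PID, start of service list
            current, line = int(m.group(2)), m.group(3)
            table[current] = []
        elif current is None or not line.startswith(" "):
            continue  # header, separator or blank line
        names = (s.strip() for s in line.split(","))
        table[current] += [s for s in names if s not in ("", "N/A")]
    return table

def candidates(netstat_text, tasklist_text):
    """Map each PID holding a high UDP port to the services hosted in it."""
    svc = services_by_pid(tasklist_text)
    return {pid: (p, svc.get(pid, [])) for pid, p in udp_listeners(netstat_text).items()}
```

Calling candidates() on the saved output of both commands returns the shared svchost PID with its port and the short list of services to check, here the 13 hosted in PID 1016, including iphlpsvc.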


  1. Good sleuthing! I had made some way down this same path and then found your helpful post.

  2. Me three. Thanks, man!
    Btw, in addition to "netstat -ano" I recommend using "netstat -anb", which gives you a specific service name right away without a trial and error step.
    I wonder why this weird protocol needs this port that badly so it even exposes it to the outside using UPnP of my router.