XP vrs. Vista, Netstat Tools!

There is absolutely no comparison between using netstat on XP and netstat on Vista. This example is limited to Google Talk because I have it on both machines and it seems to be the first program to make contact over the Internet when I bring my machines out of hibernation. I have used netstat to track uninvited connections, some of which I blocked by turning off the process and some of which were blocked by changing the name of an executable. The reason I made a name change instead of a file deletion was that, in case I made a mistake, I could boot into safe mode and reverse the process.

Let's slowly and carefully take a look at netstat outputs from XP and Vista.

C:\WINDOWS>netstat -ano (THIS IS XP)
Active Connections

Proto Local Address Foreign Address State PID
TCP 192.168.0.101:1053 216.239.51.125:5222 ESTABLISHED 1644
TCP 192.168.0.101:1054 64.233.163.189:80 TIME_WAIT 0

L:\Windows\system32>netstat -ano (THIS IS VISTA)

Active Connections

Proto Local Address Foreign Address State PID
TCP 12.197.52.45:49487 216.239.51.125:5222 ESTABLISHED 1028
TCP 12.197.54.76:49161 72.14.203.100:80 CLOSE_WAIT 1028

There is not much difference in the information which can be obtained. The two machines are using different ports and Process Identification Numbers (PIDs), but the information given is exactly the same. In both cases, the only way to prove that this is Google Talk connected to the Internet is to look up the foreign IP address with a DNS (reverse) lookup.

Now let’s take a look at netstat -bv. I have discussed this deficiency of Vista before although not in complete detail.

C:\WINDOWS>netstat -bv (This is XP)
Active Connections

Proto Local Address Foreign Address State PID
TCP Whatever:1053 kc-in-f125.google.com:5222 ESTABLISHED 1644

C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\USER32.dll
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\kernel32.dll
— unknown component(s) —
[googletalk.exe]

TCP Whatever:1054 nz-in-f189.google.com:http TIME_WAIT 0

Take note that in XP, netstat -bv clearly identifies the host name of the remote end of the connection, saving you the time to look it up. Also, the port and the PID appear on the same line as the host name (or, in some cases, the IP), so the link is always clear. Note too that all of the subprocesses (the components in the call chain) behind the Google Talk connection are identified, and you can look them up one by one to decide whether they are legitimate or not. If any are suspect, a clean copy can be downloaded to replace the suspect file, or the file can be renamed to find out what happens to your machine when it is gone.

The following is the output from netstat -bv in Vista.

L:\Windows\system32>netstat -bv (This is Vista.)

Active Connections

Proto Local Address Foreign Address State
TCP 12.197.52.45:49534 ro-in-f100:http CLOSE_WAIT
[googletalk.exe]
TCP 12.197.52.45:50325 kc-in-f125:5222 ESTABLISHED
[googletalk.exe]

The above is the output from Vista and the information is worthless. There is no link between the host name, the PID and the port, and the ports which are identified are not the same ones identified by netstat -ano. Also, no subprocesses are identified, so the search for problem executables is hindered.

There is no defensible reason why a powerful diagnostic tool like netstat should have been debased in Vista. It would have been easier for Microsoft to spin bullshit if it had been entirely eliminated.
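The two gaps the post complains about, the reverse lookup needed after netstat -ano and the missing process and component chain in Vista's netstat -b, can both be closed from the same box by joining the netstat -ano rows to the owning process. The script below is an added example, not code from the original post or from Microsoft: it parses netstat -ano in PowerShell, resolves each PID to its image path with Get-Process, optionally reverse-resolves the foreign IP, and optionally lists the DLLs loaded in the process (the same information XP's -bv component list gave). It assumes an elevated PowerShell session, since reading another user's process path or module list needs administrator rights; the -ResolveNames and -ShowModules switches are names chosen for this example.

```powershell
# Added example (not from the original post): rebuild the XP-style "-bv" view
# on Vista by joining "netstat -ano" rows to the owning process with Get-Process.
# Assumption: run in an elevated PowerShell; switch names are this example's own.

param(
    [switch]$ResolveNames,   # reverse-resolve foreign IPs (what a DNS lookup / -f gives)
    [switch]$ShowModules     # list loaded DLLs, like XP's "-bv" component chain
)

# Keep only the TCP/UDP rows; skip the "Active Connections" banner and column header.
$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

foreach ($line in $rows) {
    # Columns are whitespace separated. UDP rows have no State column,
    # so the PID is taken from the end of the line rather than by position.
    $f       = $line.Trim() -split '\s+'
    $proto   = $f[0]
    $local   = $f[1]
    $foreign = $f[2]
    $procId  = [int]$f[-1]
    $state   = if ($proto -eq 'TCP') { $f[3] } else { '-' }

    # PID 0 (e.g. TIME_WAIT leftovers such as the :1054 row above) has no owning process.
    $proc = $null
    if ($procId -gt 0) { $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue }
    $image = '<none>'
    if ($proc) { $image = if ($proc.Path) { $proc.Path } else { $proc.Name } }

    # Optional reverse lookup of the foreign address, keeping the raw IP when no PTR record exists.
    $remote = $foreign
    if ($ResolveNames -and ($foreign -match '^(\d+\.\d+\.\d+\.\d+):(\d+)$')) {
        $ip = $Matches[1]; $port = $Matches[2]
        try   { $remote = ([System.Net.Dns]::GetHostEntry($ip)).HostName + ':' + $port }
        catch { }
    }

    # One line per connection: proto, local, foreign, state, PID and the image that owns it.
    "{0,-4} {1,-22} {2,-40} {3,-12} {4,6}  {5}" -f $proto, $local, $remote, $state, $procId, $image

    # Optional: the DLLs loaded in the owning process, indented under the connection line.
    if ($ShowModules -and $proc) {
        try   { $proc.Modules | ForEach-Object { "      " + $_.FileName } }
        catch { "      <module list unavailable: {0}>" -f $_.Exception.Message }
    }
}
```

Run it as `.\netstat-owner.ps1 -ResolveNames -ShowModules` from an elevated prompt. A PID that resolves to no running process (the row vanished between the netstat call and Get-Process) prints `<none>`; for a live connection the image path is what you would then check against a known-good copy, exactly as the post does by hand with the XP -bv list.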


One Response to “XP vrs. Vista, Netstat Tools!”

  1. IanV Says:

    You are not using the correct switches in netstat in Vista to get the information you require.
    First off, the -v switch is obsolete and does nothing, so you are wasting your time typing that in.
    Use the -f switch to show the complete domain name of the remote computer and use -o to show the process ID of the executable that created the connection; this can be traced easily in Task Manager's process view to the actual file responsible.
