Netstat Commands on Windows

Netstat is a useful command line tool to list the active TCP connections and the ports that are in use (Listening). Open a command prompt window and try a few of the commands below. It has lots of options (switches) that can be used and is handy for fault finding and killing the processes that are using them!

NETSTAT Quick Reference Guide

C:\>netstat options – This will list all the available options on the command line.

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

-a Displays all connections and listening ports.

-b Displays the executable involved in creating each connection or listening port. In some  cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

-e Displays Ethernet statistics. This may be combined with the -s option.

-f Displays Fully Qualified Domain Names (FQDN) for foreign addresses.

-n Displays addresses and port numbers in numerical form.

-o Displays the owning process ID associated with each connection.

-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-q Displays all connections, listening ports, and bound nonlistening TCP ports. Bound nonlistening ports may or may not be associated with an active connection.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

-t Displays the current connection offload state.

-x Displays NetworkDirect connections, listeners, and shared endpoints.

-y Displays the TCP connection template for all connections. Cannot be combined with the other options.

interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current
configuration information once.

I use netstat -an to quickly list the source and destination IP address as well as the port number. To kill one of these we will need to find out the process ID (PID) and use the killtask command to end that process.

Use netstat -o to list the TCP connections, ports with process numbers or tasklist with no port numbers listed in the results. Find the process or connection you want to end  then you can use the taskkill to end that process taskkill /PID (PID Number).

C:\>taskkill /PID 3100

C:\>taskkill /? – This lists all the available options with taskkill

TASKKILL [/S system [/U username [/P [password]]]] { [/FI filter] [/PID processid | /IM imagename] } [/T] [/F]

This tool is used to terminate tasks by process id (PID) or image name.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain\]user Specifies the user context under which the
command should execute.

/P [password] Specifies the password for the given user
context. Prompts for input if omitted.

/FI filter Applies a filter to select a set of tasks.
Allows “*” to be used. ex. imagename eq acme*

/PID processid Specifies the PID of the process to be terminated.
Use TaskList to get the PID.

/IM imagename Specifies the image name of the process
to be terminated. Wildcard ‘*’ can be used
to specify all tasks or image names.

/T Terminates the specified process and any
child processes which were started by it.

/F Specifies to forcefully terminate the process(es).

/? Displays this help message.

1) Wildcard ‘*’ for /IM switch is accepted only when a filter is applied.
2) Termination of remote processes will always be done forcefully (/F).
3) “WINDOWTITLE” and “STATUS” filters are not considered when a remote
machine is specified.

TASKKILL /IM notepad.exe
TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
TASKKILL /F /IM cmd.exe /T
TASKKILL /F /FI “PID ge 1000” /FI “WINDOWTITLE ne untitle*”
TASKKILL /S system /U domain\username /FI “USERNAME ne NT*” /IM *
TASKKILL /S system /U username /P password /FI “IMAGENAME eq note*”


  • Was this Helpful ?
  • yes   no

satoms Author

Leave a Reply

Your email address will not be published. Required fields are marked *