Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET

Quickly Find Remote Open Ports

If you want to see all the used and listening ports on a remote computer use the PORTQRY.EXE command, which is available on any Windows 2000, XP or Windows Server 2003 computer.

PORTQRY.EXE reports the status of a TCP/IP port in one of the following three ways:

  • Listening – A process is listening on the port on the computer that you selected. PORTQRY.EXE received a response from the port.

    Sponsored Content

    Say Goodbye to Traditional PC Lifecycle Management

    Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

  • Not Listening – No process is listening on the target port on the target system. PORTQRY.EXE received an Internet Control Message Protocol (ICMP) "Destination Unreachable – Port Unreachable" message back from the target UDP port. Or if the target port is a TCP port, Portqry received a TCP acknowledgement packet with the Reset flag set.

  • Filtered – The port on the computer that you selected is being filtered. PORTQRY.EXE did not receive a response from the port. A process may or may not be listening on the port. By default, TCP ports are queried three times, and UDP ports are queried one time before a report indicates that the port is filtered.

PORTQRY.EXE can query a single port, an ordered list of ports, or a sequential range of ports.

Also, PORTQRY.EXE displays "extended information" that is returned from some ports. PORTQRY.EXE looks for "extended information" on ports where SMTP, POP3, IMAP4, and FTP services listen.

An example is SMTP. By default, SMTP listens on TCP port 25. When PORTQRY.EXE finds that TCP port 25 on a target computer is LISTENING, it returns any "extended" information that the answering service provides.

Scanning one port

For example:

​C:'WINDOWS>portqry -n -p tcp -e 80

Querying target system called:

Attempting to resolve name to IP address...

Name resolved to

TCP port 80 (http service): LISTENING

Scanning a range of ports

You can also query a range of ports:

​portqry -n -p tcp -r 21:143

The above command will scan server1 for any open port in the range of 21 to 143.

Note: This is NOT a quick operation, and scanning a whole range of ports in this manner will take a considerable amount of time. Microsoft makes it clear that this tool is not a "security verification tool," but rather it is a troubleshooting tool, much like Ping, Traceroute, and other built-in Windows network utilities.

Performing LDAP queries

Portqry is also capable of querying an LDAP service. It knows how to send an LDAP query (by using UDP and TCP) and interpret an LDAP server response to the query. The response from the LDAP server is parsed, formatted and returned to the user.

You run the following command:

​portqry -n -p udp -e 389

PORTQRY.EXE automatically resolves UDP port 389 by using the systemroot’system32’drivers’etc’services file that every NT/W2K/XP/Win2003 computer has. If it resolves the port to the LDAP service, it sends an unformatted user datagram to UDP port 389 on the target computer. PORTQRY.EXE does not receive a response from the port as the LDAP service only responds to a properly-formatted LDAP query. PORTQRY.EXE does report that the port is LISTENING or FILTERED. PORTQRY.EXE then sends a properly-formatted LDAP query to UDP port 389. If it receives a response to the query, it returns the entire response to the user, and reports that the port is LISTENING. If PORTQRY.EXE does not receive a response to the query, it reports that the port is FILTERED.

Example Output

​UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...
LDAP query response:

currentdate: 09/03/2001 05:42:40 (unadjusted GMT) 
dsServiceName: CN=NTDS 
namingContexts: DC=redmond,DC=eu,DC=reskit,DC=com
defaultNamingContext: DC=eu,DC=reskit,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com
configurationNamingContext: CN=Configuration,DC=eu,DC=reskit,DC=com
rootDomainNamingContext: DC=eu,DC=reskit,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 4259431
supportedSASLMechanisms: GSSAPI
ldapServiceName:[email protected]
serverName: CN=MYSERVER,CN=Servers,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE

======== End of LDAP query response ========
UDP port 389 is LISTENING 

In the preceding example, port 389 is listening and from the output, you can determine which LDAP service is listening on the port and some details about its configuration. This information may also be useful in troubleshooting various problems.

How to use the utility

Here are the various switches you can pass this utility from the command line:

  • -n [server]—IP address or name of server to query

  • -p [protocol]—TCP or UDP or BOTH (default is TCP)

  • -e [endpoint]—single port to query (valid range: 1-65535)

  • -r [endpoint range]—range of ports to query (start:end)

  • -o [endpoint order]—range of ports to query in an order (x,y,z)

  • -l [logfile]—name of log file to create

  • -s—"slow link delay" waits longer for UDP replies from remote systems

  • -I—bypasses default IP address-to-name lookup; ignored unless an IP address is specified after -n

  • -q—"quiet" operation runs with no output


How to Use Portqry.exe to Troubleshoot Microsoft Exchange Server Connectivity Issues- 310298

Description of the Portqry.exe Command-Line Utility- 310099

Related Articles

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (1)

One response to “Quickly Find Remote Open Ports”

Leave a Reply

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: