Suramya's Blog : Welcome to my crazy life…

November 2, 2007

Identify what files are being used by a given process/TCP connection

Filed under: Computer Security,Knowledgebase — Suramya @ 11:54 AM

In Linux, if you want to know what files are in use, all you have to do is run the lsof command, which shows a list of all open files and the processes that opened them. So if you want to figure out which program is using that insane amount of RAM, you can run lsof and grep for the process ID to find it.

In Windows, however, there is no such command, so we have to use alternative methods. If you are trying to identify a TCP connection you can try running “netstat -bv” (without the quotes). It will give you the executable behind the process, something like:

TCP fury:2433 imap.perfora.net:imap ESTABLISHED 2724
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Mozilla Thunderbird\nspr4.dll
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\kernel32.dll
[thunderbird.exe]
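The output above is awkward to scan once there are dozens of connections, because the program name only appears in brackets after the list of DLLs. As an added example (not part of the original post), here is a small POSIX shell/awk function that joins each connection line with the executable that follows it, so saved netstat -bv output can be reviewed one connection per line on any machine with awk. The sample text inside it is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format "netstat -bv" prints (not a real capture).
# The last connection has no [exe] line, as netstat shows for processes whose
# ownership it cannot read (e.g. the System process, PID 4).
SAMPLE_NETSTAT='TCP fury:2433 imap.perfora.net:imap ESTABLISHED 2724
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Mozilla Thunderbird\nspr4.dll
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\kernel32.dll
[thunderbird.exe]
TCP fury:1055 www.example.com:http ESTABLISHED 1840
C:\WINDOWS\system32\mswsock.dll
[firefox.exe]
TCP fury:1099 10.0.0.7:microsoft-ds ESTABLISHED 4'

# map_connections: read "netstat -bv" text on stdin and print one line per
# connection: "<proto> <local> <remote> <state> <pid> <exe>". A connection
# whose [exe] line never appears is reported with "(unknown)".
map_connections() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    $1 == "TCP" || $1 == "UDP" {
      # a new connection header; flush the previous one if it had no exe
      if (conn != "") print conn, "(unknown)"
      conn = line; next
    }
    line ~ /^\[.*\]$/ && conn != "" {
      # the bracketed executable closes the module list for this connection
      print conn, substr(line, 2, length(line) - 2); conn = ""; next
    }
    END { if (conn != "") print conn, "(unknown)" }
  '
}

# map_connections_str: same thing for text held in a variable.
map_connections_str() { printf '%s\n' "$1" | map_connections; }

# Example use on the constructed sample (on Windows, save the real output with
# "netstat -bv > netstat.txt" and run: map_connections < netstat.txt).
map_connections_str "$SAMPLE_NETSTAT"
```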

For Windows XP and 2000 systems you can also download Fport, which is a free tool that will show you what programs on your system are opening which ports.

Hope this helps.

– Suramya

1 Comment »

  1. Got it, great!

    Comment by rao — November 26, 2007 @ 6:40 AM
