fb
Homepage 5 How-to Articles 5 How to Get a List of Active TCP Connections on Domain Computers

How to Get a List of Active TCP Connections on Domain Computers

Manage remote endpoints, deploy software and patches with Action1 cloud RMM solution.

Sign up and use free on up to 50 endpoints with no functionality limits or expiration.



November 16, 2018

Network port numbers can provide critical information about applications that access computers over the network. Knowing the applications that use the network and the corresponding network ports, you can create precise rules for the firewall and configure the remote host computers to only allow useful traffic. In addition, active TCP/IP ports on your endpoints can indicate potential malicious activity or exposure to cyber-attacks. Getting a list of all active TCP connections on each TCP endpoint on your network is a great first step to understanding the attack surface, as well as locking down your network from future security incidents and ransomware. Information should include source and destination IP address and port, process info, and other data. This manual describes some streamlined ways to create a list of active TCP connections on Windows operating systems. Also, you will know how to, with the help of PowerShell,, gets TCP connections.

Manually:

1. Execute WMI Query in ROOT\StandardCIMV2 Namespace:

Launch WMI Explorer or any other tool which can run WMI queries.
Run WMI query: SELECT * FROM MSFT_NetTCPConnection

2. Run This Simple Windows Powershell Script:

Thru WMI object: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName

3. Use Following Code to Select Specific Columns:

Execute: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName

4. Sort the Results Using the Line Below:

Invoke command: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Sort-Object RemoteAddress

5. The Next Code Helps to Filter Results:

Use it: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Where-Object -FilterScript {$_.RemoteAddress -like “192.168.*”}

6. Save Results to CSV File:

Run: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Export-CSV “c:\file.csv” -Append -NoTypeInformation

7. The Next Step Is to Query Multiple Computers:

Computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer $_}
Computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like ‘Windows 10*’} | ForEach-Object {Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer $_.Name}

With Action1 RMM

Step 1 – Get Started for Free:

Action1 RMM is a cloud-based solution for automated patch management, software deployment, software/hardware inventory, endpoint management, and endpoint configuration. The free version with complete functionality is available to manage up to 50 endpoints.

Step 2 – Type Your Question in Plain English:

How to get a list of active TCP connections on all domain computers with help of WMI query or Powershell script and save a list tcp connections in CSV file - search query

Step 3 – Set Filters, If Necessary:

How to get a list of active TCP connections on all domain computers with help of WMI query or Powershell script and save a list tcp connections in CSV file - set filters

Step 4 – See Results from All Endpoints in Seconds:

Endpoint Name

mac.widgets.local
fred.widgets.local
rays.widgets.local

Local Address

192.168.0.245:59343
192.168.0.213:59213
192.168.0.223:58144

Process ID

3422
2342
7643

Remote Address

23.100.122.175:443
205.251.242.103:80
96.43.145.26:3389

Related Articles

How To Delete User Profiles Remotely with PowerShell

When a user logs onto the computer for the first time (not via the network to access shared folders or printers), Windows creates a user profile. Among its contents are the NTUSER.DAT file (user profile settings), user-specific folders (My Documents, Desktop, etc.),...

About Action1 RMM

Action1 RMM is a cloud-based IT solution for remote monitoring and management, patching, and remote support.

Start your free two-week trial of Action1, or use RMM tools for free forever on 50 endpoints with no functionality limitations!



0 Comments

Submit a Comment

Your email address will not be published.

cloud patch management solutions action1

MSP Solution

Centralize endpoint management and boost efficiency of IT service delivery.

automated server patch management action compliance

Patch Management

Identify and deploy missing OS and third-party software updates.

cloud software deployment tools windows

Software Deployment

Distribute software and updates across managed endpoints.

software distribution tools software inventory action1

IT Asset Inventory

Keep a detailed inventory and manage hardware and software assets.

web client remote desktop

Remote Desktop

Support users via seamless remote desktop connection.

web based rdp client

Unattended Access

Provide administrative support and manage remote devices.

automated patch management action1

Endpoint Management

Run PowerShell, custom scripts, reboot computers and restart services.

API integrations action1

RESTful API

Integrate Action1 RMM to your IT ecosystem.

computer inventory tool for compliance

Reports and Alerts

Conduct endpoint security audits with comprehensive reporting.