Saturday, October 23, 2010

Powershell LSOF / Parsing Netstat

Update 09/14/2012:

Other attempts at an lsof for Windows are here:





These are very much PowerShell 1.0 and 2.0 era scripts. I will try to update my lsof attempts to 3.0 soon.

-RMF



This script, parse-netstat.ps1, parses the output of 'netstat -ano' for each protocol (TCP, TCPv6, UDP, UDPv6) and then uses 'ps' (the Get-Process alias) to enumerate Id, Name, Path and FileVersion for the process behind each networked PID. The result is a basic PowerShell lsof utility, with room for calculated properties and further text parsing. No regular expressions are used anywhere in the netstat parsing. Sample output:


PS C:\ps1> .\parse-netstat.ps1
TCP Local Ports:
135
445
1025
1026
1027
1028
1031
9000
24800
47001
139
24800
139
1095
1099
1100
1101
1102
1679
1706
TCP PIDS:


  Id Name     Path                                                              FileVersion
  -- ----     ----                                                              -----------
1012 svchost  C:\Windows\system32\svchost.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
   4 System
 684 wininit  C:\Windows\system32\wininit.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
 460 svchost  C:\Windows\System32\svchost.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
 760 lsass    C:\Windows\system32\lsass.exe                                     6.0.6000.16386 (vista_rtm.061101-2205)
  12 svchost  C:\Windows\system32\svchost.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
 740 services C:\Windows\system32\services.exe                                  6.0.6000.16386 (vista_rtm.061101-2205)
   4 System
4244 synergys C:\Program Files (x86)\Synergy+\bin\synergys.exe
   4 System
   4 System
4244 synergys C:\Program Files (x86)\Synergy+\bin\synergys.exe
   4 System
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
   4 System
4460 chrome   C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe 0.0.0.0
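The parse-and-join the post describes, as an added example that is not the author's parse-netstat.ps1: it splits the netstat text without regular expressions, tags IPv6 rows by their bracketed local address, and attaches Id, Name, Path and FileVersion through a cached Get-Process lookup. The function names are my own and the netstat lines are constructed sample input.

```powershell
# Added example, not the author's parse-netstat.ps1: turn 'netstat -ano' text into
# objects, then attach the owning process (Id, Name, Path, FileVersion) via Get-Process.
function ConvertFrom-NetstatLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Columns never contain spaces, so a plain split (no regex) suffices.
        $f = $line.Trim().Split(' ', [StringSplitOptions]::RemoveEmptyEntries)
        if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { continue }
        # TCP rows have a State column, UDP rows do not, so the PID column shifts.
        $isTcp = $f[0] -eq 'TCP'
        $local = $f[1]
        [pscustomobject]@{
            Proto     = if ($local.StartsWith('[')) { $f[0] + 'v6' } else { $f[0] }  # [::]:445 is v6
            LocalPort = [int]$local.Substring($local.LastIndexOf(':') + 1)
            State     = if ($isTcp) { $f[3] } else { '' }
            PID       = [int]$(if ($isTcp) { $f[4] } else { $f[3] })
        }
    }
}
function Add-NetstatOwner {
    param([object[]]$Entries)
    $cache = @{}   # one Get-Process call per distinct PID
    foreach ($e in $Entries) {
        if (-not $cache.ContainsKey($e.PID)) {
            $cache[$e.PID] = Get-Process -Id $e.PID -ErrorAction SilentlyContinue
        }
        $p = $cache[$e.PID]
        # Path and FileVersion stay empty for System (PID 4) and processes we lack rights to.
        $ver = $null
        if ($p -and $p.Path) { try { $ver = $p.FileVersion } catch { } }
        $e | Select-Object Proto, LocalPort, State, PID,
            @{ n = 'Name'; e = { if ($p) { $p.Name } } },
            @{ n = 'Path'; e = { if ($p) { $p.Path } } },
            @{ n = 'FileVersion'; e = { $ver } }
    }
}
# Constructed sample of 'netstat -ano' output; on a live box use: $raw = netstat -ano
$raw = @"
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    127.0.0.1:24800        127.0.0.1:1679         ESTABLISHED     4244
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1012
  UDP    [::1]:1900             *:*                                    460
"@ -split "`n"
$entries = ConvertFrom-NetstatLine -Lines $raw
foreach ($g in ($entries | Group-Object Proto)) {
    "$($g.Name) Local Ports: " + (($g.Group | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique) -join ', ')
}
Add-NetstatOwner -Entries $entries | Format-Table -AutoSize
```

The sample PIDs will usually not exist on your machine, so Name, Path and FileVersion come back empty until you feed the functions real netstat output; requires PowerShell 3.0 or later for [pscustomobject].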

Monday, October 11, 2010

Accessing (or not) GetOwnerModuleFromTcpEntry from Powershell

Normally, on XP SP2, Vista and Win7, 'netstat -ano' or 'netstat -anob' gives us the connected sockets and the PID of the application owning each one. With the '-b' option, netstat attempts to identify the owner of the socket, probably through the 'GetOwnerModuleFromTcpEntry function [which] retrieves data about the module that issued the context bind for a specific IPv4 TCP endpoint in a MIB table row,' found in iphlpapi.dll (IP Helper). Getting this same information from PowerShell, I have found, is more than difficult. It is easy enough to find the listening and connected sockets with [System.NET.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().