How to Check Open Ports on Windows 11 Using CMD and Advanced Network Tools

Open ports are like doors in your Windows 11 computer: some are meant to welcome traffic, while others should probably stay closed. Whether you are troubleshooting a game server, checking why an app cannot connect, investigating suspicious activity, or hardening a workstation, knowing how to inspect open ports is a valuable skill. Windows 11 gives you several built-in command-line tools, and when you need deeper visibility, advanced utilities can reveal exactly which services are listening and who they are talking to.

TLDR: You can check open ports on Windows 11 with Command Prompt using commands such as netstat, tasklist, and ipconfig. For more advanced analysis, use PowerShell, Resource Monitor, TCPView, Wireshark, or Nmap. The key is to identify listening ports, match them to process IDs, and decide whether the related application is legitimate. If a port looks suspicious, investigate the process, firewall rules, and network connections before taking action.

What Does an Open Port Mean?

A port is a numbered communication endpoint used by network protocols. Your computer has an IP address, and ports help direct traffic to the correct service or application. For example, web servers commonly use port 80 for HTTP and 443 for HTTPS. Remote Desktop often uses port 3389, while DNS commonly uses port 53.

An open port usually means a program or service is listening for incoming connections. This is not always dangerous. A file-sharing service, local development server, printer utility, VPN client, or game may legitimately open a port. The concern begins when a port is open unexpectedly, exposed to the internet, or tied to an unknown process.

In short: open ports are not automatically bad, but unexplained open ports deserve attention.

Method 1: Check Open Ports with Netstat in CMD

The classic Windows command for checking open ports is netstat. It is built into Windows 11 and works directly from Command Prompt.

To begin, open Command Prompt:

1. Click Start.
2. Type cmd.
3. Choose Run as administrator for the most complete results.

Then run:

netstat -ano

This command displays active network connections and listening ports. The options mean:

• -a: Shows all active connections and listening ports.
• -n: Displays addresses and port numbers numerically instead of resolving names.
• -o: Shows the PID, or Process ID, responsible for each connection.

You will see columns similar to these:

• Proto: The protocol, usually TCP or UDP.
• Local Address: Your computer’s IP address and port.
• Foreign Address: The remote IP address and port.
• State: The connection status, such as LISTENING or ESTABLISHED.
• PID: The process ID using the port.

For checking open ports, focus on entries marked LISTENING. These are services waiting for incoming connections. For example:

TCP    0.0.0.0:80      0.0.0.0:0      LISTENING      1234

This means a process with PID 1234 is listening on port 80 on all IPv4 interfaces.

Method 2: Filter Netstat Results for Listening Ports

If your system has many connections, the default output can be noisy. You can filter the results with findstr:

netstat -ano | findstr LISTENING

This shows only ports that are actively listening. To search for a specific port, such as port 443, run:

netstat -ano | findstr :443

This is especially useful when troubleshooting a service that should be running. If you started a local web server and expect it to listen on port 8080, you can check with:

netstat -ano | findstr :8080

If nothing appears, the application may not be running, may be bound to another port, or may be blocked by configuration settings.

Method 3: Match a Port to a Program Using the PID

Seeing an open port is only half the story. You also need to know which program opened it. That is where the PID from netstat -ano becomes useful.

Suppose you see this line:

TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    980

To identify the process, run:

tasklist /FI "PID eq 980"

Windows will return the process name, such as:

svchost.exe                   980 Services                   0     25,000 K

If the process is svchost.exe, it may host several Windows services. You can get more detail with:

tasklist /svc /FI "PID eq 980"

This command shows which services are running under that process. It is extremely helpful because many Windows networking features run inside shared service host processes.

Method 4: Use Netstat with Executable Names

Another useful variation is:

netstat -ab

This attempts to show the executable responsible for each connection. You must run Command Prompt as administrator. The output can take longer to appear, but it is easier to read because it tries to associate ports with actual program names.

You can also combine options:

netstat -abno

This displays executable names, numeric addresses, connections, listening ports, and PIDs. It is one of the most informative built-in CMD-based checks, though the output can be lengthy.

Tip: If you receive “The requested operation requires elevation,” close CMD and reopen it as administrator.

Understanding Common Port States

When reviewing network connections, the State column tells you what is happening. The most important states include:

• LISTENING: A service is waiting for incoming connections.
• ESTABLISHED: A connection is currently active between your PC and a remote system.
• TIME_WAIT: A recently closed connection is being kept briefly to prevent delayed packets from causing problems.
• CLOSE_WAIT: The remote side closed the connection, but the local application has not fully closed it yet.
• SYN_SENT: Your machine is trying to open a connection to another host.

For security checks, LISTENING and unexpected ESTABLISHED connections usually deserve the most attention.

Method 5: Check Ports with PowerShell

Although this article focuses on CMD, Windows 11 also includes PowerShell, which provides more structured networking commands. Open PowerShell or Windows Terminal and run:

Get-NetTCPConnection

To show only listening TCP ports:

Get-NetTCPConnection -State Listen

To match the owning process ID to an application name, use:

Get-Process -Id <PID>

For example:

Get-Process -Id 1234

PowerShell is particularly helpful if you want to sort, filter, or export results. For instance:

Get-NetTCPConnection -State Listen | Sort-Object LocalPort

This displays listening TCP ports in numerical order, making it easier to spot unusual entries.

Method 6: Use Resource Monitor for a Visual View

If you prefer a graphical tool, Windows 11 includes Resource Monitor. It is not as famous as Task Manager, but it is excellent for checking ports and network activity.

To open it:

1. Press Windows + R.
2. Type resmon.
3. Press Enter.
4. Go to the Network tab.

Look at sections such as Listening Ports, TCP Connections, and Processes with Network Activity. Resource Monitor lets you see the process name, PID, local port, firewall status, and remote address in one place. It is an excellent bridge between simple CMD checks and deeper network analysis.

Method 7: Advanced Tool TCPView

TCPView from Microsoft Sysinternals is one of the best lightweight tools for inspecting ports on Windows. It shows TCP and UDP endpoints in real time, including local addresses, remote addresses, process names, and connection states.

TCPView is especially useful because it updates live. If an application briefly opens a port, you may catch it more easily than with repeated netstat commands. You can also right-click a connection to close it or inspect the related process.

For administrators, developers, and security-minded users, TCPView is often the fastest way to answer the question: “What is using this port right now?”

Method 8: Scan with Nmap

Nmap is a powerful network scanning tool used by administrators, penetration testers, and security analysts. While netstat shows what your own machine believes is open, Nmap shows how ports appear from the network perspective.

To scan your own computer, you might run:

nmap localhost

To scan a specific local IP address:

nmap 192.168.1.25

Nmap can identify open ports, service names, and sometimes service versions. This is useful because a port may be listening locally but blocked by Windows Firewall, or it may be reachable from other devices when you did not expect it to be.

Important: Only scan systems you own or have permission to test. Unauthorized scanning can violate policies, laws, or terms of service.

Method 9: Analyze Traffic with Wireshark

If you need to go beyond “which port is open” and understand the actual traffic, use Wireshark. Wireshark captures packets and lets you inspect protocols, source addresses, destination addresses, ports, timing, and payload details where visible.

For example, if you see an unexpected connection to a remote IP address, Wireshark can help determine whether the traffic is DNS, HTTPS, SMB, gaming traffic, update traffic, or something more suspicious. You can filter traffic by port, such as:

tcp.port == 443

Or filter by IP address:

ip.addr == 192.168.1.25

Wireshark has a learning curve, but it is extremely valuable when troubleshooting complex network problems or investigating suspicious behavior.

How to Decide Whether an Open Port Is Safe

After collecting port information, interpret it carefully. A port number alone does not prove anything. Instead, ask these questions:

• Do you recognize the application? A known browser, database, game, or development tool may be expected.
• Is the port exposed externally? A local-only service is usually less risky than one reachable from the internet.
• Is the process signed by a trusted publisher? Check file properties and digital signatures.
• Does the port match the service? For example, a web server on 80 or 443 is normal, but an unknown process using a high random port may require investigation.
• Did you install something recently? New VPNs, remote tools, databases, and sync apps often create listening ports.

If you find a suspicious process, do not immediately delete random files. First, identify the executable path through Task Manager, Resource Monitor, or PowerShell. Then scan the file with Windows Security or a trusted security tool. You can also temporarily block the application in Windows Defender Firewall while you investigate.

How to Close or Block an Unwanted Port

To close a port, you usually need to stop the program or service that opened it. You can do this through Task Manager, services.msc, the application’s settings, or by uninstalling the software.

To block network access without removing the program, use Windows Firewall:

1. Open Windows Security.
2. Go to Firewall & network protection.
3. Select Advanced settings.
4. Create an Inbound Rule to block a specific port or program.

Blocking a port is useful, but make sure you understand the consequences. Blocking the wrong port can break file sharing, remote access, printers, game servers, development tools, or business applications.

Best Practices for Port Checking on Windows 11

• Run netstat -ano regularly if you manage sensitive systems.
• Document expected services and ports on servers or workstations.
• Disable services you do not use, especially remote access features.
• Keep Windows, drivers, browsers, and network applications updated.
• Use firewall rules to limit access to trusted networks only.
• Investigate unknown processes before assuming they are malicious.

Conclusion

Checking open ports on Windows 11 is not just a technical exercise; it is a practical way to understand what your computer is doing on the network. Start with netstat -ano in CMD, match ports to processes with tasklist, and then move to tools like Resource Monitor, TCPView, Nmap, and Wireshark when you need more detail. With a little practice, open port analysis becomes less mysterious and far more useful. You will be able to troubleshoot faster, secure your system more confidently, and spot unusual network behavior before it becomes a bigger problem.