How to Check Open Ports on Windows 11: The Ultimate Step-by-Step Guide for Network Security and Troubleshooting

If you are a Windows 11 user, system administrator, or a cybersecurity enthusiast, understanding how to check open ports on your machine is a critical skill. Open ports act as doors through which network traffic enters and leaves your computer. While some ports are necessary for standard operations—like web browsing (port 80 or 443) or email (port 25 or 587)—unwanted open ports can expose your system to attacks, malware, and unauthorized access. In fact, a single unmonitored open port can be the gateway for a remote attacker to gain control over your device or network. With Windows 11 being the latest iteration of Microsoft’s operating system, many users are unaware of the built-in tools and advanced methods available to inspect network activity and port states. This guide will walk you through every possible way to check open ports on Windows 11, from command-line utilities to graphical third-party applications, ensuring that you can identify, analyze, and secure your system’s network behavior comprehensively.

Before diving into the techniques, it is essential to understand what “open port” means in networking. Every network service (like HTTP, FTP, SSH) listens on a specific port number. When that service is running and accepting connections, the port is considered open. A closed port, on the other hand, means no service is listening, and packets are rejected. A filtered port (often seen with firewalls) means the port is being blocked or the response is not returned. On Windows 11, the default firewall settings already close many ports, but third-party applications, background services, or even malware can open new ones. Therefore, regular port scanning is not just a troubleshooting technique but a fundamental part of robust security hygiene. Whether you are diagnosing a connectivity issue, checking if a sharing service is active, or verifying that you have not been compromised, this article provides every method you need.

Understanding Open Ports on Windows 11: A Prerequisite

Before executing any commands, you should familiarize yourself with the concept of port states and how Windows 11 handles them. The operating system maintains a table of all active connections and listening ports, accessible through various system tools. Each listening port is bound to a specific IP address (or all interfaces) and a process (application or system service). The combination of local address, local port, remote address, and remote port defines a network socket. For example, if you are running a web server, you will see an entry like 0.0.0.0:80 indicating that port 80 is listening on all network interfaces. Understanding these columns is vital when interpreting the output of netstat, PowerShell, or Resource Monitor. Additionally, note that Windows 11 uses both IPv4 and IPv6; you may see addresses like :: for IPv6 all-interfaces or specific IPv6 addresses. Knowing the difference helps in identifying whether a service is accessible over the local network, internet, or only locally (e.g., 127.0.0.1:3306 for a database listening only on loopback).

Another crucial aspect is the Windows Defender Firewall. Even if a service is running and listening, the firewall can block incoming connections, making the port appear filtered or closed from external scanners. When you check open ports from within your own system (using netstat or Resource Monitor), you see what the system itself believes is listening, regardless of firewall rules. However, when scanning from another machine, the firewall may prevent the connection. Therefore, always verify from both perspectives: local and remote. In this tutorial, we will primarily focus on local detection methods, but we will also include how to test from an external perspective using tools like Nmap. This dual approach ensures you get the full picture of your port exposure.

Method 1: Using the Netstat Command (Command Prompt or PowerShell)

The most traditional and still one of the most powerful ways to check open ports on any Windows version is the netstat command. Windows 11 includes netstat as part of the TCP/IP stack, and it requires no additional installations. Open Command Prompt as Administrator (right-click Start -> Windows Terminal (Admin) or Command Prompt (Admin)) to avoid permission issues. The basic syntax is: netstat -an where -a shows all connections and listening ports, and -n displays addresses and port numbers in numerical form (without trying to resolve hostnames). This command will output a long list of all active TCP and UDP connections, including those in LISTENING state. To see only listening ports (open and waiting for connections), you can combine with findstr or Select-String in PowerShell: netstat -an | findstr LISTENING. However, this classic approach lacks the process identifier (PID) by default. To include the PID, use netstat -ano. The -o switch appends the PID column, which you can then match with Task Manager to identify the owning application.

For a more detailed breakdown, use the -b switch (netstat -anob), which shows the executable involved in creating each connection or listening port. The -b switch requires administrative privileges and may take longer because it enumerates process modules. It is extremely useful when you want to know which program (e.g., chrome.exe, svchost.exe, or mysqld.exe) is holding a particular port open, although on systems with many active connections the output can be overwhelming. To filter for specific ports, pipe to findstr :80 or findstr :443. For example, netstat -ano | findstr :80 will show all connections involving port 80, both local and remote; because findstr matches substrings, it also returns ports that merely begin with 80, such as 8080. This is useful for checking whether a web server is running or whether a rogue process is using port 80. UDP ports have no connection state (they are either listening or not), so netstat shows them as UDP entries without a state column; look at the local address and port number to see whether the system is listening on that UDP port. Keep in mind that netstat output is a snapshot; to monitor changes, run netstat -ano 5, where 5 is the interval in seconds, to refresh the output every 5 seconds.

Method 2: Using PowerShell Cmdlets (Get-NetTCPConnection and Get-NetUDPEndpoint)

For those who prefer PowerShell’s object-oriented approach, Windows 11 offers dedicated cmdlets to query TCP and UDP endpoints. Unlike netstat, these cmdlets provide structured output that can be filtered, sorted, and exported easily. To list all active TCP connections and listening ports, run Get-NetTCPConnection in an elevated PowerShell window. By default, it shows state, local address, local port, remote address, remote port, and owning process ID (OwningProcess). To see only listening ports, filter with Where-Object State -eq 'Listen': Get-NetTCPConnection | Where-Object State -eq 'Listen'. For UDP, use Get-NetUDPEndpoint which displays local address, local port, and owning process ID. The output is incredibly clean and easy to parse. For example, you can see all ports above 1024 that are listening: Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen' -and $_.LocalPort -gt 1024}. To also get the process name associated with the PID, you can combine with Get-Process:

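# List listening TCP ports together with the name of the owning process.
Get-NetTCPConnection | Where-Object State -eq 'Listen' | ForEach-Object {
    [PSCustomObject]@{
        LocalPort = $_.LocalPort
        # The process may have exited since the query; suppress the lookup error.
        ProcessName = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        State = $_.State
        LocalAddress = $_.LocalAddress
    }
}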

This pipeline gives you a table with port numbers, process names, and other details. The same can be done for UDP endpoints using Get-NetUDPEndpoint. PowerShell cmdlets are particularly advantageous when you need to script the monitoring of open ports or integrate with other administrative tasks. For instance, you can export the list to a CSV file for documentation: Get-NetTCPConnection | Export-Csv -Path OpenPorts.csv. Additionally, the cmdlets support remote computers via CIM sessions, allowing you to check ports on multiple Windows 11 machines from a central workstation. Keep in mind that these cmdlets were introduced in Windows 8/Server 2012, so they are fully available on Windows 11. They are now the recommended method over netstat for advanced users because of their precision and flexibility.
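The inventory described in this method, extended to cover UDP endpoints, executable paths and the bind address, as an added example that is not part of the original article. Get-BindScope and Get-ListeningEndpoint are hypothetical helper names; run it in an elevated PowerShell window so that process paths resolve.

```powershell
# Added example, not from the original article.
# Get-BindScope and Get-ListeningEndpoint are hypothetical helper names.

function Get-BindScope {
    param([string]$Address)
    # Classify the local address a socket is bound to.
    switch -Regex ($Address) {
        '^(0\.0\.0\.0|::)$' { return 'AllInterfaces' }    # every IPv4 / IPv6 interface
        '^(127\.|::1$)'     { return 'Loopback' }         # this machine only
        default             { return 'SpecificAddress' }  # one interface address
    }
}

function Get-ListeningEndpoint {
    # Snapshot PID -> process once. OwningProcess is UInt32 and Process.Id is Int32,
    # so both sides are cast to [int] to make the hashtable lookup match.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($e in @($tcp) + @($udp)) {
        $p = $procs[[int]$e.OwningProcess]
        [PSCustomObject]@{
            Protocol     = $e.Protocol
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            Scope        = Get-BindScope $e.LocalAddress
            OwningPid    = $e.OwningProcess
            # A process can exit between the two queries, or be inaccessible.
            ProcessName  = if ($p) { $p.ProcessName } else { '<exited or inaccessible>' }
            Path         = if ($p) { $p.Path } else { $null }
        }
    }
}

# Show only listeners that are reachable from the network, ordered by port.
Get-ListeningEndpoint |
    Where-Object Scope -ne 'Loopback' |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

An empty Path for a listener that is not a well-known system process is worth a closer look, since it means the executable location could not be read.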

Method 3: Using Resource Monitor (Graphical Interface)

If you prefer a graphical tool without typing commands, Windows 11’s built-in Resource Monitor is an excellent choice. To launch it, press Win+R, type resmon, and hit Enter. Alternatively, open Task Manager, go to the Performance tab, and click “Open Resource Monitor” at the bottom. In Resource Monitor, navigate to the “Network” tab. Here you will see multiple sections: “Processes with Network Activity,” “Network Activity,” “TCP Connections,” and “Listening Ports.” The “Listening Ports” section is exactly what you need—it displays every port that is currently being listened on, along with the process name, PID, protocol (TCPv4 or TCPv6), local address, and port number. You can sort by port number, process name, or protocol to quickly locate suspicious or unknown listeners. One major advantage of Resource Monitor is that it updates in real-time, so you can see when a new port opens or closes as you start or stop a service. You can also right-click on any entry to end the process or view its properties. The interface also allows you to filter by process name using the text box at the top of the list. For example, typing “svchost” will show only those entries. This method is ideal for less technical users who want a visual inspection of their system’s open ports without memorizing command-line switches.

However, Resource Monitor does have limitations. It only shows listening ports (TCP and UDP) but does not show connection states for remote connections beyond the TCP Connections section. Also, it does not provide a way to export the list natively; you would have to take screenshots or copy text manually. Despite these minor drawbacks, it remains one of the fastest and most user-friendly ways to check open ports on Windows 11. For a quick daily check, many IT professionals use Resource Monitor as the first line of investigation before diving into command-line tools. Additionally, because it integrates with the system’s performance monitoring, you can correlate port usage with CPU, memory, and disk activity—valuable when diagnosing performance issues caused by network services.

Method 4: Using Third-Party Port Scanners (TCPView, Nmap, and GlassWire)

While built-in tools are sufficient for most scenarios, third-party utilities offer extra features like historical logging, alerting, and more detailed port scanning. One of the most popular free tools is TCPView by Microsoft Sysinternals (now part of Microsoft). TCPView provides a real-time list of all TCP and UDP endpoints, including listening ports and active connections. It updates dynamically, allows you to close connections manually, and displays process names with color coding (green for new connections, red for closing). The interface is similar to Resource Monitor but with more detail—every connection endpoint is shown separately, including remote addresses. To use TCPView, download it from the official Microsoft Sysinternals site (https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview), unzip and run Tcpview.exe (no installation required). It runs as a standalone executable and does not require admin rights for viewing, but to close connections you need elevation. TCPView is particularly helpful for monitoring port changes over time because you can enable a checkbox to “Show Unconnected Endpoints” which reveals all listening ports even if no connections are active.

Another powerful tool is Nmap (Network Mapper), which is the de facto standard for port scanning across platforms. On Windows 11, you can install Nmap from https://nmap.org/download.html. Nmap can scan your local machine (nmap localhost) or a remote target to see which ports are open, filtered, or closed. For example, running nmap -sT -p- localhost (TCP connect scan on all 65535 ports) will show every open TCP port on your own system. Note that scanning your own machine with Nmap is often easier than using netstat because it actually attempts to connect to each port and reports the service version if you add -sV. However, be aware that the Windows firewall may interfere and cause false filtered ports; you may need to temporarily disable the firewall (not recommended) or allow Nmap through it. Additionally, Nmap can perform stealth scans, UDP scans, and OS detection. For daily use, a simple nmap -sT -p 1-1000 localhost is enough to check common ports. Nmap also outputs a structured XML report that can be parsed programmatically. The major advantage of Nmap over built-in commands is its ability to probe for open ports from an outsider’s perspective—even if a service is listening, the firewall may block the probe. That gives you a realistic view of what the network sees.

GlassWire is another third-party tool with a polished graphical interface that monitors all network activity, including open ports, data usage, and blocked connections. It runs as a system tray app and provides alerts when new ports are opened or when unknown applications attempt to listen. While GlassWire is not free for all features (the basic version is free with limited history), it is an excellent choice for proactive security monitoring. Similarly, Wireshark can capture all network packets and let you analyze port activity in extreme depth, but it is overkill for simply checking open ports. For most users, TCPView or Nmap will be sufficient. Whichever tool you choose, remember to download only from official sources to avoid malware.

Method 5: Checking Ports via Windows Firewall Logs and Advanced Security

Sometimes you need to know not just which ports are open, but also which ones are allowed or blocked by the firewall. The Windows Defender Firewall with Advanced Security (WF.msc) provides a comprehensive view of all inbound and outbound rules. Open it by pressing Win+R, typing wf.msc, and hitting Enter. In the left pane, you can view “Inbound Rules” and “Outbound Rules.” Each rule specifies which ports, protocols, and programs are allowed or blocked. To see a list of ports that are explicitly allowed, you can filter by “Local Port” column. However, this does not directly tell you if a service is actually listening on that port; it only tells you the firewall configuration. To bridge the gap, you can enable firewall logging. In the Windows Firewall with Advanced Security, right-click on “Windows Defender Firewall Properties” (for each profile: Domain, Private, Public) and go to the “Logging” section, then customize the log path (e.g., %systemroot%\System32\LogFiles\Firewall\pfirewall.log). After enabling logging, the firewall will record all dropped and successful connections. By parsing this log, you can see which ports are actually being accessed and whether they were allowed or blocked. This method is more advanced but provides a forensic trail of port activity over time.
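One way to parse the firewall log described above and summarize dropped inbound traffic per destination port, as an added example that is not part of the original article. ConvertFrom-FirewallLog and Get-DroppedInboundSummary are hypothetical names, and the log lines are constructed samples that assume the default field layout shown in the log's #Fields header.

```powershell
# Added example, not from the original article. The log lines below are
# constructed samples using documentation-only IP ranges.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 10:15:02 DROP TCP 198.51.100.7 192.0.2.10 51514 3389 52 S 1234567890 0 64240 - - - RECEIVE
2024-05-01 10:15:03 DROP TCP 198.51.100.7 192.0.2.10 51515 3389 52 S 1234567891 0 64240 - - - RECEIVE
2024-05-01 10:15:09 ALLOW TCP 192.0.2.10 203.0.113.20 50122 443 0 - 0 0 0 - - - SEND
2024-05-01 10:16:40 DROP TCP 203.0.113.99 192.0.2.10 40022 445 52 S 987654321 0 8192 - - - RECEIVE
2024-05-01 10:17:11 DROP UDP 198.51.100.7 192.0.2.10 5353 5353 120 - - - - - - - RECEIVE
'@ -split "`r?`n"

function ConvertFrom-FirewallLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $fields = $null }
    process {
        if ($Line -match '^#Fields:\s*(.+)$') {
            # Column names come from the log header, so extra columns still map correctly.
            $fields = $Matches[1].Trim() -split '\s+'
        }
        elseif ($fields -and $Line -match '^[^#\s]') {
            $values = $Line.Trim() -split '\s+'
            $row = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
                $row[$fields[$i]] = $values[$i]
            }
            [PSCustomObject]$row
        }
    }
}

function Get-DroppedInboundSummary {
    param([object[]]$Entry)
    # Count dropped inbound packets per protocol/destination port and list the sources.
    $Entry |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object { '{0}/{1}' -f $_.protocol, $_.'dst-port' } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [PSCustomObject]@{
                Port    = $_.Name
                Drops   = $_.Count
                Sources = ($_.Group.'src-ip' | Sort-Object -Unique) -join ', '
            }
        }
}

$entries = $sampleLog | ConvertFrom-FirewallLog
Get-DroppedInboundSummary -Entry $entries | Format-Table -AutoSize

# On a live system (elevated), read the log path configured in wf.msc instead:
# Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" | ConvertFrom-FirewallLog
```

Repeated drops on a port where nothing should be listening show outside interest in that port; drops on a port you do serve usually point to a rule scope that is narrower than intended.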

Additionally, you can use the netsh command-line tool to query firewall rules programmatically. For example, netsh advfirewall firewall show rule name=all verbose dumps every rule with its port specifications. You can filter further with netsh advfirewall firewall show rule name=all dir=in protocol=tcp localport=80 to see rules involving port 80. While this does not replace checking listening services, it is crucial for understanding why a port might appear closed from an external scan even though a service is running. For full security assessment, you should combine port listening detection (netstat/PowerShell) with firewall rule analysis to ensure no misconfigurations.

Step-by-Step Guide: Performing a Complete Port Audit on Windows 11

Now that you are familiar with all the tools, let’s walk through a systematic step-by-step process to completely audit open ports on your Windows 11 machine. This method will combine both built-in and third-party utilities to give you a thorough understanding of your system’s port landscape. Follow these steps sequentially:

  1. Step 1: Launch an Elevated Command Prompt or PowerShell. Press Win+X and select “Windows Terminal (Admin)” or “Command Prompt (Admin)”. Confirm the UAC prompt.
  2. Step 2: Run netstat with full details. Type netstat -ano and press Enter. Note the list of all listening ports (state = LISTENING). If the output is too long, redirect to a text file: netstat -ano > C:\ports.txt. Open the file in Notepad for easier analysis.
  3. Step 3: Identify the processes using the PIDs. Open Task Manager (Ctrl+Shift+Esc), go to the Details tab, and sort by PID. Match each PID from netstat to the process name. For services, you may need to look up service names using tasklist /svc or sc query.
  4. Step 4: Use PowerShell for structured data. Run Get-NetTCPConnection | Where-Object State -eq 'Listen' | Select-Object LocalPort, OwningProcess, LocalAddress. Then use Get-Process -Id to get names. You can create a script that outputs a clean table.
  5. Step 5: Open Resource Monitor and go to the Network tab -> Listening Ports. Cross-reference the list with what netstat and PowerShell showed. Any discrepancy may indicate transient services or permissions issues. Also check the “Processes with Network Activity” section for unusual processes.
  6. Step 6: Download and run TCPView from Sysinternals. Allow it to run (no installation). Observe the dynamic list; note color changes and sort by “State” to see “LISTENING” entries. Right-click any unknown process and select “Properties” to see the file path.
  7. Step 7: Perform an external scan with Nmap (if you have another machine on the same network or use a tool like https://www.whatismyip.com/port-scanner/). On the same machine, run nmap -sT -p- localhost (requires Nmap installed) to see which ports respond to connection attempts. Compare with the listening ports from internal tools to see if any are blocked by the firewall.
  8. Step 8: Audit the Windows Firewall by opening wf.msc and reviewing inbound rules. Pay special attention to rules that allow “Any” port or “All ports”. Disable any rules that are unnecessary. Enable firewall logging temporarily and check the log for dropped packets that might indicate blocked services you actually need.
  9. Step 9: Document your findings. Create a list of all listening ports with their associated services, protocols, and justification. For example, port 3389 (RDP) should be allowed only if you use remote desktop. Port 445 (SMB) is often needed for file sharing but is a frequent target for ransomware. Make a decision to close any port that does not have a legitimate business or personal need.
  10. Step 10: Implement changes. To close an open port, you can stop the associated service (e.g., net stop wuauserv for Windows Update) or modify the firewall to block the port. For example, to block port 3389, create a new inbound rule in wf.msc that denies TCP port 3389. Alternatively, use the command: netsh advfirewall firewall add rule name="Block RDP" dir=in action=block protocol=TCP localport=3389.

After completing these steps, you will have a complete inventory of every open port on your Windows 11 machine and will have taken steps to harden your system. Perform this audit monthly or after installing new software to maintain security.

Tips and Best Practices for Managing Open Ports on Windows 11

Having the ability to check open ports is only half the battle. To keep your system secure, follow these best practices:

  1. Tip 1: Minimize the Attack Surface. The fewer open ports, the better. Only keep ports open that are absolutely necessary for your workflow. For example, if you do not use Remote Desktop (RDP), ensure port 3389 is not listening. Disable unnecessary services like “Server” (which opens port 445) or “Print Spooler” if you don’t share printers. Use the Services console (services.msc) to set them to “Disabled”. Remember that every open port is a potential entry point for an attacker.
  2. Tip 2: Use the Windows Firewall Wisely. Even if a service is listening, the firewall can block inbound connections. Always create custom inbound rules that restrict access to specific IP addresses or subnets. For instance, if you need RDP, only allow it from your office IP range. You can do this in wf.msc by specifying “Remote IP address” in the rule scope. Additionally, enable logging to monitor rejected connection attempts, which may indicate scanning or brute-force attacks.
  3. Tip 3: Keep Your Software Updated. Vulnerabilities in services listening on open ports are a common attack vector. Ensure Windows Update is active and all third-party applications (like web servers, database servers, or remote access tools) are patched regularly. Using a vulnerability scanner (like OpenVAS or Nessus) can help identify services that need updates.
  4. Tip 4: Monitor Port Changes with Alerts. Tools like GlassWire or TCPView can alert you when a new port opens unexpectedly, which could be a sign of malware. Set up a scheduled task that runs a PowerShell script to check for new listening ports daily and emails the results. Alternatively, use the built-in Event Viewer: Look for events from source “Microsoft-Windows-TCPIP” (Event ID 3000 for TCP listener creation). This advanced monitoring gives you real-time awareness.
  5. Tip 5: Distinguish Between Local and Global Listening. Not all listening ports are dangerous. A service listening on 127.0.0.1 (localhost) is only accessible from your own machine, so it is relatively safe. For example, a local database server might listen on port 3306 bound to 127.0.0.1. However, if it binds to 0.0.0.0 (all interfaces), it becomes reachable from the network. Always check the local address column when reviewing open ports. Change bindings in the application configuration if possible to restrict to localhost.
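A baseline check of the kind Tip 4 suggests running from a scheduled task, as an added example that is not part of the original article. Get-ListenerSnapshot, Compare-ListenerBaseline and the baseline file location are hypothetical; delivering the result by email or another channel is left out.

```powershell
# Added example, not from the original article.
# Function names and the baseline path are hypothetical.

function Get-ListenerSnapshot {
    # One string per listener: protocol|address|port|process name.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        'TCP|{0}|{1}|{2}' -f $_.LocalAddress, $_.LocalPort, $names[[int]$_.OwningProcess]
    }
    # UDP sockets in the dynamic range (49152 and up) are mostly short-lived client
    # sockets and would flood the report, so only lower UDP ports are tracked.
    $udp = Get-NetUDPEndpoint | Where-Object LocalPort -lt 49152 | ForEach-Object {
        'UDP|{0}|{1}|{2}' -f $_.LocalAddress, $_.LocalPort, $names[[int]$_.OwningProcess]
    }
    @($tcp) + @($udp) | Sort-Object -Unique
}

function Compare-ListenerBaseline {
    param(
        [string[]]$Current,
        [string]$BaselinePath
    )
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: record the baseline; there is nothing to compare yet.
        $Current | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        return
    }
    $baseline = @(Get-Content -LiteralPath $BaselinePath)

    $opened = @($Current  | Where-Object { $_ -notin $baseline })
    $closed = @($baseline | Where-Object { $_ -notin $Current })

    foreach ($pair in @(@('Opened', $opened), @('Closed', $closed))) {
        foreach ($key in $pair[1]) {
            $proto, $addr, $port, $proc = $key -split '\|'
            [PSCustomObject]@{
                Change       = $pair[0]
                Protocol     = $proto
                LocalAddress = $addr
                LocalPort    = [int]$port
                Process      = $proc
            }
        }
    }
}

# The baseline is only written on the first run, so a new listener keeps being
# reported until someone reviews it and deliberately refreshes the file.
$baselinePath = Join-Path $env:ProgramData 'listener-baseline.txt'   # assumed location
$changes = Compare-ListenerBaseline -Current (Get-ListenerSnapshot) -BaselinePath $baselinePath
$changes | Where-Object Change -eq 'Opened' | Format-Table -AutoSize
```

Some Windows services listen on TCP ports from the dynamic range that can change after a reboot, so expect a few "Opened" and "Closed" pairs for the same process following a restart.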

FAQ: Frequently Asked Questions About Checking Open Ports on Windows 11

Common Port Numbers and Their Typical Services

| Port Number | Protocol | Service Name | Common Use |
|---|---|---|---|
| 21 | TCP | FTP | File Transfer Protocol |
| 22 | TCP | SSH | Secure Shell |
| 25 | TCP | SMTP | Email sending |
| 80 | TCP | HTTP | Web traffic |
| 443 | TCP | HTTPS | Secure web |
| 445 | TCP | SMB | Windows file sharing |
| 3389 | TCP | RDP | Remote Desktop |
| 5353 | UDP | mDNS | Bonjour/ZeroConf |

  1. Q: How do I check if a specific port is open on Windows 11?
    A: The quickest way is to open Command Prompt (Admin) and type netstat -an | findstr :PORTNUMBER (replace PORTNUMBER with the actual number, e.g., :3389). If you see a line with state LISTENING, the port is open. Alternatively, use PowerShell: Get-NetTCPConnection -LocalPort 3389. To test whether the port accepts connections, use Test-NetConnection -Port 3389 -ComputerName localhost; for an external check from another machine, replace localhost with the remote IP.
  2. Q: What are the default open ports on Windows 11?
    A: Out of the box, Windows 11 typically has very few listening ports. Common default open ports include port 5353 (mDNS for Bonjour) if iTunes or similar is installed, port 5040 (Windows Updates), port 2179 (Hyper-V listener) if virtualization is enabled, and port 5985 (WinRM) if enabled. The list varies based on installed features. You should run a full audit after a clean installation to see your specific baseline.
  3. Q: Is it safe to have port 445 open on Windows 11?
    A: Port 445 is used by SMB (Server Message Block) for file sharing and printer sharing. If you are on a home network and do not need to share files with other computers, it is safer to disable the Server service (via services.msc) or block the port in the firewall. Port 445 has been exploited by ransomware like WannaCry. For business environments where file sharing is required, ensure the system is patched and use a VPN if possible.
  4. Q: How can I close an open port on Windows 11?
    A: To close a listening port, you have two main options. First, stop the service or application that is using the port. Identify the PID from netstat, then end the process via Task Manager, or stop the service with net stop "ServiceName". Second, use the Windows Firewall to block inbound connections to that port even if the service is listening. Create a new inbound rule: netsh advfirewall firewall add rule name="Block Port 8080" dir=in action=block protocol=TCP localport=8080. This prevents external access while the service may still run internally.
  5. Q: What does “state LISTENING” mean in netstat output?
    A: In netstat, the “State” column indicates the current status of a TCP connection. “LISTENING” means the port is open and waiting for incoming connections. Other common states include “ESTABLISHED” (active connection), “TIME_WAIT” (closing), and “CLOSE_WAIT”. UDP does not have states because it is connectionless; therefore, UDP ports do not show a state column and are simply listed as UDP entries.
  6. Q: Can I check open ports remotely on another Windows 11 machine?
    A: Yes, you can use PowerShell’s Get-NetTCPConnection with a CIM session to query remote computers, but this requires WinRM (port 5985) to be enabled and configured. Alternatively, use Nmap from your local machine to scan the remote computer’s IP address: nmap -sT -p- 192.168.1.100 (replace with the target IP). Note that the remote machine’s firewall may block the scan, so results may not reflect all listening ports.

Conclusion

Knowing how to check open ports on Windows 11 is an indispensable skill for anyone who cares about their system’s security and performance. From the classic netstat command to modern PowerShell cmdlets, from the visual simplicity of Resource Monitor to the power of third-party tools like TCPView and Nmap, you now have a complete toolkit to inspect every network door on your computer. By following the step-by-step audit guide provided in this article, you can systematically identify every listening port, associate it with a process, and then take action—whether that means closing unnecessary services, tightening firewall rules, or simply documenting your environment for future reference. Remember that the network attack surface is constantly changing as you install new software or updates. Therefore, make a habit of running a port scan at least once a month, and always investigate unexpected open ports immediately. Additionally, leverage the tips and best practices to reduce your exposure: minimize the number of open ports, restrict bindings to localhost where possible, and always use the Windows Firewall to filter inbound traffic. With these techniques, you can sleep better knowing your Windows 11 machine is not leaking sensitive services to the internet. Finally, the FAQ section should have addressed any lingering questions, but if you encounter a unique scenario, do not hesitate to explore the official Microsoft documentation or community forums. Port management is a continuous process, and mastery comes with practice. Start today by running your first comprehensive port audit—you might be surprised at what you find.

Comparison of Tools for Checking Open Ports on Windows 11

| Tool | Type | Ease of Use | Real-Time Update | Shows Process Name | Requires Admin | External Scanning Capability |
|---|---|---|---|---|---|---|
| netstat | Command-line (built-in) | Medium | No (manual refresh) | Yes (with -b or -o) | Yes (for -b) | No |
| PowerShell cmdlets | Command-line (built-in) | Medium-High | No (manual refresh) | Yes (via Get-Process) | Recommended | No |
| Resource Monitor | GUI (built-in) | Easy | Yes | Yes | No | No |
| TCPView (Sysinternals) | GUI (third-party) | Easy | Yes | Yes | No (but for closing) | No |
| Nmap | Command-line/GUI (third-party) | Hard | No (scan based) | Yes (with -sV) | Yes (for certain scans) | Yes |
| GlassWire | GUI (third-party) | Easy | Yes | Yes | Yes | No |

Author: sarah antaboga
