
Microsoft’s Free Security Tools – Portqry


This article in our series focused on Microsoft’s free security tools is on a tool called Portqry.  This tool is a TCP/IP connectivity test tool, port scanner, and local port monitor.  Portqry is useful for troubleshooting networking issues as well as verifying network security related configurations.  Because of this broad functionality, I have heard some Information Technology (IT) Professionals refer to this tool as a “Swiss army knife” of tools.

I developed Portqry many years ago and released two versions.  I originally developed this tool to help IT Professionals troubleshoot TCP/IP networking issues.  The port scanning functionality helps determine if a remote port is listening, not listening, or being filtered/blocked.  In 2001 when I released Portqry version 1 there were other network port scanners for Windows available, but most of them were only capable of scanning TCP ports.  I didn’t find TCP port scanners very useful because you could use the Telnet.exe utility built into Windows to determine if a TCP port was listening, without downloading and installing a third party tool.  I really wanted to build a tool that also scanned UDP ports as this made it much more useful.  Portqry version 1 supported port scanning for four UDP protocols that were central to troubleshooting Active Directory issues and related name resolution issues: Lightweight Directory Access Protocol (LDAP), Remote Procedure Calls (RPC), Domain Name System (DNS), and NetBIOS Name Service.  For many IT Professionals who were tasked with deploying and managing the relatively new Microsoft Active Directory (at that time), Portqry 1.0 was very helpful.

Another design goal I had in mind was to make Portqry as lightweight as possible.  I didn’t want to require it to be installed using an installer.  Many of the customers I worked with had rigid change control processes that required a Change Control Board to approve new software before it could be installed on a system.  For some customers their Change Control Board only approved changes once or twice per month.  So I wanted to develop a tool that helped IT Professionals avoid this process if possible.  Portqry is a single executable file that does not require the administrator to run an installer.  Portqry.exe can simply be copied onto a system into any directory and be used immediately without any changes to the Windows registry or other dependencies that change a system’s configuration.  After use, Portqry.exe can simply be deleted, leaving the system in the same configuration state as before it was used.

I also wanted Portqry to be small enough that it could be emailed to IT Professionals when necessary.  This is another reason I avoided requiring an installer.  Back in 2001 the maximum file size you could reliably send via email was 4 MB and I wanted to ensure Portqry was nowhere near that size.  Portqry version 1 was 213K in size, which was tiny compared to tools that provide a graphical user interface.

I have an interesting story to share regarding the file size of this tool.  Shortly after the Blaster worm hit the Internet in 2003, I remember seeing the source code for one of its variants in an online magazine.  The approach that the attackers took to keep the worm as small as possible was an epiphany to me.  As a result, when I released Portqry version 2 later that year, I had added support for more than twice the number of UDP protocols that version 1 had, including Lightweight Directory Access Protocol (LDAP), Remote Procedure Calls (RPC), Domain Name System (DNS), NetBIOS Name Service, Simple Network Management Protocol (SNMP), Internet Security and Acceleration Server (ISA), SQL Server 2000 Named Instances, Trivial File Transfer Protocol (TFTP), and Layer Two Tunneling Protocol (L2TP).  Now Portqry could be used to troubleshoot Active Directory issues, name resolution issues, VPN connectivity issues, firewall issues and many more types of networking problems.  I also added support for local port to process mappings so that in addition to enabling port scanning of remote TCP and UDP ports, Portqry could also help troubleshoot network ports on the local system.  I also added an interactive mode (portqry.exe -i) to version 2 for IT Professionals that wanted a bit more of a working environment beyond the command line.  After adding all this extra functionality to Portqry version 2, more than tripling its functionality, it was 143K in size.  This is actually 70K smaller than version 1.  I owe this efficiency to learning how attackers managed to keep their worms so small.

I specifically designed Portqry to run on Windows operating systems that were supported at the time I released it, including Windows XP, Windows Server 2003, and Windows 2000.  Portqry will also run on Windows Vista, Windows 7 and Windows 8, but with reduced functionality.  Specifically, the local port to process mapping functionality (portqry.exe -local) will be limited on these newer operating systems as seen in Figure 1.  IT Professionals looking for this functionality on newer operating systems can use the “netstat.exe -ano” command that is built into Windows.  Portqry is still a great lightweight port scanner regardless of what version of Windows you are running.
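To get a port-to-process mapping out of the netstat command mentioned above, its output can be parsed and compared with an approved list of listeners. This is an added example, not part of the original post or of Portqry; the sample output is constructed, and the function names and the baseline set are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample of `netstat.exe -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5128
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:53             *:*                                    1480
  UDP    [::]:5353              *:*                                    2264
"""

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state, pid) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, _remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":     # UDP rows have no State column
            proto, local, _remote, pid = f
            state = ""
        else:
            continue                            # banner, header, blank lines
        addr, _, port = local.rpartition(":")   # last colon, so "[::]" survives
        yield proto, addr, int(port), state, int(pid)

def listeners_by_pid(text):
    """Map PID -> sorted (proto, port) endpoints that accept inbound traffic."""
    owners = defaultdict(set)
    for proto, _addr, port, state, pid in parse_netstat(text):
        if proto == "UDP" or state == "LISTENING":
            owners[pid].add((proto, port))      # IPv4 and IPv6 rows collapse
    return {pid: sorted(eps) for pid, eps in sorted(owners.items())}

def unexpected(text, baseline):
    """Return (proto, port, pid) for listeners absent from an approved baseline."""
    return [(proto, port, pid)
            for pid, eps in listeners_by_pid(text).items()
            for proto, port in eps if (proto, port) not in baseline]

if __name__ == "__main__":
    for pid, eps in listeners_by_pid(SAMPLE).items():
        print(pid, eps)
    print(unexpected(SAMPLE, {("TCP", 135), ("TCP", 445), ("UDP", 53)}))
```

On a live system, the PIDs in the result can be resolved to image names with `tasklist.exe`, which is also built into Windows.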

This Knowledge Base article contains all the technical details you’ll need to know to use this tool:  New features and functionality in PortQry version 2.0

While it’s still available, you can download Portqry version 2 from the Microsoft Download Center:
http://www.microsoft.com/downloads/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

Since I’m writing about a “legacy” tool, I will take the opportunity to remind you that support for Windows XP SP2 was retired on July 13, 2010 and end of support for Windows XP is April 8, 2014.  If you are still running systems with Windows XP SP2 or Windows Vista SP1 in your environment, you need to install the latest service pack on these systems immediately as they are no longer automatically receiving security updates from Microsoft.

Tim Rains
Director
Trustworthy Computing
