Port Reporter Tools


Tim Rains let me know that they posted a Port Reporter Parser utility to the Microsoft Download Center. The Port Reporter Parser Utility makes it much easier to review your port reporter logs. There's a bunch of stuff to look at if you're interested in using these tools, so I'll list them out here:

Microsoft KB article explaining Port Reporter

Port Reporter Utility

Port Reporter Parser Utility

Here are some features of the Port Reporter Parser tool:

PR-Parser helps to identify data that is “interesting” and/or “suspicious”:

  • Identifies ports of interest that are used on the system.
  • Identifies “suspicious” processes running on the system.
  • Identifies “suspicious” modules (.dlls, .drvs, etc) loaded on the
    system.
  • Identifies “interesting” user accounts that are active on the
    system.
  • Helps to determine when IP addresses, fully qualified domain names (FQDNs),
    or computer names of interest are found communicating with the system.
  • Attempts to identify when a process using the name of a legitimate
    process is run from the wrong directory on a system. 

PR-Parser provides some log analysis data as well.  This data can help
profile the system and/or how users use the system.  This data includes:

  • Local TCP port usage - % of time a TCP port is used
  • Local process usage – what % of time each process is used
  • Remote IP address usage – how often the local system communicates
    with each remote host
  • User context usage – how often each user account is used to start
    local processes
  • Port usage by hour of the day – helps identify peek usage times for
    a Windows system
  • Svchost.exe enumeration – see all the services hosted by every
    instance of svchost.exe running on a system
  • Internet Explorer usage by user – see all the sites or firewalls
    that every user visits via Internet Explorer

Tim mentioned that there's a readme.doc file that's included with the Porter Reporter Parser utility that really explains how to use that utility in depth. I've been looking through it today and it's definitely worth reviewing as you start using these tools.

Skip to main content