Stealth port exclusions on Windows 10

I guess this is a perfect example of how people get cynical about software updates after going through the routine for a while. And this is coming from someone who enjoys solving technical problems when he is in the right mood!

So recently, I started having some long-running software complain that it can't bind to a certain TCP port because "the port is already in use". I immediately pulled out my trusty CurrPorts and checked which mysterious program was hogging the port behind my back (yeah, I could use netstat, but who has time to memorize all those command line arguments, right?)

To my surprise, nothing, nada. No one is using that port. Yet that port is mysteriously barred from use. It's like you suddenly cannot open the door to your home with your existing key. Incredibly frustrating.

Anyway, after 2 whole days of research, I finally found the culprit. Apparently after a certain Windows update (1809 or 2004 from various sources, I didn't care to verify), Windows now reserves certain ports (called "Administered port exclusions") for Hyper-V (not sure why that would affect me, since I am not using it). 

To view the list, use the command line:

netsh int ipv4 show excludedportrange tcp

You'd be surprised by how many ports are reserved. On my machine, this is the output:

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
      7834        7933
      7934        8033
      8034        8133
      8134        8233
      8234        8333
      8334        8433
      8434        8533
      8637        8736
      8737        8836
      8837        8936
      8937        9036
      9037        9136
      9137        9236
      9237        9336
      9537        9636
      9637        9736
      9737        9836
      9837        9936
      9937       10036
     10037       10136
     10137       10236
     10551       10650
     10651       10750
     10751       10850
     10851       10950
     10951       11050
     11051       11150
     11151       11250
     11277       11376
     11377       11476
     11477       11576
     11577       11676

* - Administered port exclusions.

Here are some associated links from my research:

Anyway, the solution for me was to issue this command:

reg add HKLM\SYSTEM\CurrentControlSet\Services\hns\State /v EnableExcludedPortRange /d 0 /f

It basically sets the EnableExcludedPortRange registry value to 0. A reboot is required.

This is incredibly frustrating because it came out of nowhere, no meaningful error message was provided, and even researching the problem took a lot of time just to figure out the right keywords that would yield the right answer. It was as if the guys who came up with this wanted to inflict the maximum pain on the affected user (or more likely they didn't really give a f**k).

Update (1 Sep 2021):

Discovered that a better solution is to issue this command at an elevated CMD:

netsh int ipv4 set dynamic tcp start=49152 num=16384

After a reboot, the new reserved ports will be:

C:\>netsh int ipv4 show excludedportrange tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      2869        2869
      5357        5357
     49152       49251
     49370       49469
     49470       49569
     49725       49824
     49825       49924
     49925       50024
     50025       50124
     50125       50224
     50443       50542
     50543       50642
     50643       50742
     50743       50842
     50843       50942
     50943       51042
     51043       51142
     51457       51556
     51557       51656
     51657       51756
     51757       51856
     51857       51956
     51957       52056
     52151       52250
     60580       60679
     60883       60982
     61088       61187
     61356       61455
     64877       64976
     64977       65076
     65077       65176
     65177       65276
     65277       65376
     65377       65476

* - Administered port exclusions.
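
When a bind fails and no process shows up as the listener, the exclusion table is the next thing to check. The PowerShell below is an added example, not part of the original post: it parses the netsh output shown above and reports which excluded range, if any, covers a given port. The function names and the sample row marked with "*" are constructed for illustration.

```powershell
# Added example: explain a failed bind by checking netsh's exclusion table.

function ConvertFrom-ExcludedPortRange {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows look like "      7834        7933", optionally followed by "*".
        if ($line -match '^\s*(\d+)\s+(\d+)\s*(\*)?\s*$') {
            [pscustomobject]@{
                Start        = [int]$Matches[1]
                End          = [int]$Matches[2]
                Administered = [bool]$Matches[3]   # $true only when "*" is present
            }
        }
    }
}

function Find-PortExclusion {
    param([int]$Port, [object[]]$Ranges)
    $Ranges | Where-Object { $Port -ge $_.Start -and $Port -le $_.End }
}

# Constructed sample: rows copied from the first listing in this post, plus one
# made-up administered ("*") row. On a live host, replace the here-string with:
#   $raw = netsh int ipv4 show excludedportrange tcp
$raw = @'
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
      7834        7933
      8034        8133
     50000       50059     *

* - Administered port exclusions.
'@ -split '\r?\n'

$ranges = ConvertFrom-ExcludedPortRange -Lines $raw

foreach ($port in 8080, 5357, 3000) {
    $hit = Find-PortExclusion -Port $port -Ranges $ranges
    if ($hit) {
        '{0}: excluded by {1}-{2} (administered: {3})' -f $port, $hit.Start, $hit.End, $hit.Administered
    } else {
        '{0}: not in any excluded range' -f $port
    }
}

# Multi-port ranges that start below 49152 sit where services are usually configured to listen.
$ranges | Where-Object { $_.Start -lt 49152 -and $_.End -gt $_.Start }
```

With the sample input, 8080 is reported as excluded by 8034-8133, while 3000 is not in any range.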
