Skip to main content

Stealth port exclusions on Windows 10

I guess this is a perfect example of how people get cynical of software updates after going through the routine for awhile. And this is coming from someone who enjoys solving technical problems when he is in the right mood!

So recently, I started having some long-running software complain that it can't bind to a certain TCP port because "the port is already in use". I immediately pulled out my trusty CurrPorts and check out which mysterious program is hogging the port behind my back (yeah I could use netstat, but who has time to memorize all those command line arguments, right?)

To my surprise, nothing, nadda. No one is using that port. Yet that port is mysteriously barred from use. It's like you suddenly cannot open the door to your home with your existing key. Incredibly frustrating.

Anyway, after 2 whole days of research, I finally found the culprit. Apparently after a certain Windows update (1809 or 2004 from various sources, I didn't care to verify), Windows now reserves certain ports (called "Administered port exclusions") for Hyper-V (not sure why that would affect me, since I am not using it). 

To view the list, using the command line:

netsh int ipv4 show excludedportrange tcp

You'd be surprised by how many ports are reserved. On my machine, this is the output:

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
      7834        7933
      7934        8033
      8034        8133
      8134        8233
      8234        8333
      8334        8433
      8434        8533
      8637        8736
      8737        8836
      8837        8936
      8937        9036
      9037        9136
      9137        9236
      9237        9336
      9537        9636
      9637        9736
      9737        9836
      9837        9936
      9937       10036
     10037       10136
     10137       10236
     10551       10650
     10651       10750
     10751       10850
     10851       10950
     10951       11050
     11051       11150
     11151       11250
     11277       11376
     11377       11476
     11477       11576
     11577       11676

* - Administered port exclusions.

Here are some associated links from my research:

Anyway, the solution for me was to issue this command:

reg add HKLM\SYSTEM\CurrentControlSet\Services\hns\State /v EnableExcludedPortRange /d 0 /f

It basically sets the EnableExcludedPortRange registry value to 0. A reboot is required.

This is incredibly frustrating because it came out of nowhere, no meaningful error message was provided and even trying to research the problem took a lot of time to figure out the right keywords that will yield the right answer. It was as if the guys who came up with this wanted to inflict the maximum pain on the affected user (or more likely they didn't really give a f**k).

Update (1 Sep 2021):

Discovered that a better solution is to issue this command at an elevated CMD:

netsh int ipv4 set dynamic tcp start=49152 num=16384

After a reboot, the new reserved ports will be:

C:\>netsh int ipv4 show excludedportrange tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      2869        2869
      5357        5357
     49152       49251
     49370       49469
     49470       49569
     49725       49824
     49825       49924
     49925       50024
     50025       50124
     50125       50224
     50443       50542
     50543       50642
     50643       50742
     50743       50842
     50843       50942
     50943       51042
     51043       51142
     51457       51556
     51557       51656
     51657       51756
     51757       51856
     51857       51956
     51957       52056
     52151       52250
     60580       60679
     60883       60982
     61088       61187
     61356       61455
     64877       64976
     64977       65076
     65077       65176
     65177       65276
     65277       65376
     65377       65476

* - Administered port exclusions.


Popular posts from this blog

Adding "Stereo Mixer" to Windows 7 with Conexant sound card

This procedure worked for my laptop (Thinkpad E530) with a Conexant 20671 sound card, but I suspect it will work for other sound cards in the Conexant family. I was playing with CamStudio to do a video capture of a Flash-based cartoon so that I can put it on the WDTV media player and play it on the big screen in the living room for my kids. The video capture worked brilliantly, but to do a sound capture, I needed to do some hacking. Apparently, there was this recording device called "Stereo Mixer" that was pretty standard in the Windows XP days. This allowed you to capture whatever was played to the speaker in all its digital glory. Then under pressure from various organizations on the dark side of the force, Microsoft and soundcard makers starting disabling this wonderful feature from Windows Vista onwards. So after much Googling around, I found out that for most sound cards, the hardware feature is still there, just not enabled on the software side. Unfortunately, to

Hacking a USB-C to slim tip adapter cable to charge the Thinkpad T450s

This hack is inspired by this post . A year ago, I bought an adapter cable for my wife's Thinkpad X1 Carbon (2nd Gen) that allows her to power her laptop with a 60W-capable portable battery (20V x 3A). A USB-C cable goes from the battery into the adapter, which converts it to the slim tip output required by the laptop. Everything works out of the box, so I didn't give much thought about it. Recently, I decided to buy a similar cable for my Thinkpad T450s. I know technically it should work because the T450s can go as low as 45W (20V x 2.25A) in terms of charging (though I have the 65W charger - 20V x 3.25A).  I went with another adapter cable because it was cheaper and also I prefer the single cable design. So imagine my surprise when the cable came and I plugged it into my laptop and it didn't work! The power manager just cycle in and out of charging mode before giving up with an error message saying there is not enough power. After much research and reading the Thinkwiki

Using Google Dashboard to manage your Android device backup

I used to use AppBrain/Fast Web Install to keep track of which apps I have installed on my phone, and to make it easier to reinstall those apps when the phone gets wiped or replaced. But AppBrain had been going down the tubes, and Fast Web Install had always been a hit-and-miss affair. Android's own "backup to the cloud" system had previously been even more unusable. There isn't a place where you can see what has been backed up. And when you setup a new phone with your Google account, you just have to wait and pray that your favorite apps will be restored to the phone. Typically all the stars have to be aligned just right for this to happen. More often than not, after waiting for an hour or so and nothing happens, you just curse under your breath and proceed to install your favorites apps manually via the Play Store. But I just looked again recently and was pleasantly surprised that things are much more civilized now. Firstly there is a place now where you can loo