How to see what is reserving ephemeral port ranges on Windows?

Question

I have a Windows application that needs to use ports 50005 and 50006 but it is being blocked.

I see the following when I run netsh int ip show excludedportrange protocol=tcp:

Protocol tcp Port Exclusion Ranges  Start Port    End Port ----------    -------- 5357        5357 49709       49808 49809       49908 49909       50008 50009       50108 50109       50208 50280       50379  * - Administered port exclusions. 

So something on my machine is reserving ports 49909 to 50008, which is presumably what is causing my application to fail. I've tried deleting this excludedportrange with the following command:

netsh int ip delete excludedportrange protocol=tcp numberofports=100 startport=49909 

But I see an error Access is denied., which makes me think that whatever is reserving this ports is actively running, but I have no idea what that could be.

What's also weird is that after running that command, even though I saw an error, if I reboot the excludedportrange will be different.

As a sanity check I've also run resmon.exe and confirmed that there is nothing running on ports 50005 and 50006.

How can I tell what is adding the excludedportrange?

EDIT: I've narrowed this down to Hyper-V. If I disable Hyper-V then those ports are not excluded.

Answer 1

Investigate and Free the Ports

It appears that Hyper-V reserves random ports (or something Hyper-V related at least). Use netsh int ip show excludedportrange protocol=tcp to confirm that the ports that aren't working are in the output.

This has worked for me to free the ports up. It doesn't seem intrusive to me (25 thumbs up):

This is often caused by the Windows NAT Driver (winnat), stopping and restarting that service may resolve the issue.

net stop winnat docker start ... net start winnat 

After this the ports were no longer reserved, but my WSL2 terminal no longer had connection to the internet, so I needed to reboot after this to get everything working again.

Reserve the Ports From Now On

If you don't do anything more, you'll likely run into this problem again. So to e.g. reserve ports 9012 and 9013 for your future use (so winnat never tries to use them):

netsh int ipv4 add excludedportrange protocol=tcp startport=9012 numberofports=2 

(Thanks @Venryx for reminding me)

Other Approaches

In an answer to a similar question about why docker couldn't open ports (24 thumbs up), this also worked for me:

netcfg -d --this will clean up all networking devices, and requires a reboot

Somebody does warn about it though (4 thumbs up). Your maileage may vary. It worked for me, mostly because I didn't see the following warning until after I ran it successfully....

that (netcfg -d) is dangerous command, it corrupted my docker and it does not start up anymore. Even after reinstalling HyperV. and rebooting machine. It seems that this command removes several network adapters. Also restart does nothing. I had to reset (loose) containers and images but that led me to another issue

another answer to a similar docker question (129 thumbs up) has this, but it seemed much more involed for me, so I didn't try it:

@veqryn the workaround worked for me, the steps are:

1. Disable hyper-v (which will required a couple of restarts)

   dism.exe /Online /Disable-Feature:Microsoft-Hyper-V

2. When you finish all the required restarts, reserve the port you want so hyper-v doesn't reserve it back

   netsh int ipv4 add excludedportrange protocol=tcp startport=50051 numberofports=1 store=persistent

3. Re-Enable hyper-V (which will require a couple of restart)

   dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All

when your system is back, you will be able to bind to that port successfully.

Answer 2

I had the same problem and uninstalled Hyper-V, but the reserver ports were still there. After several attempts I identified Windows Sandbox as the culprit to be disinstalled