I have Hyper-V enabled in Windows 10. When I check the excluded ports, I get:
C:\> netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
5357 5357
9800 9800
9801 9801
49671 49770
49871 49970
50000 50059 *
61117 61216
61220 61319
61902 62001
* - Administered port exclusions.
Why does Hyper-V reserve these ports?
How do Administered port exclusions (i.e., range 50000-50059) differ from other port exclusions?
For example, when I tried to ping all these ports using net.Listen() in Golang, all ports except 50000-50059 return an error:
listen tcp 127.0.0.1:9801: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
In Windows 10, sometimes we get an error for a particular port:
Ports are not available: listen tcp 0.0.0.0:55555: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
When seeing this error, our first instinct will be that somehow the port we need is being used by another application. So if we check for ports in use:
netstat -aon | find "55555"
But the result may show that the port was not already being used.
Then the problem may be that Windows reserves some ports; these are the excluded ports, which we cannot use for other purposes. We can list those ports with the command:
C:\Users\Xyz> netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
1031 1130
1131 1230
1231 1330
1331 1430
1431 1530
1561 1660
2363 2462
2463 2562
2563 2662
2663 2762
2763 2862
2863 2962
5357 5357
50000 50099 *
55500 55599
* - Administered port exclusions.
Why does Windows reserve these ports?
There may be other reasons too.
But if we try to delete a port range exclusion with the following command (even as administrator), it will return an error saying that it doesn't have permission for this.
netsh int ipv4 delete excludedportrange protocol=tcp startport=55500 numberofports=100
If the port exclusion is introduced by Hyper-V, we have two possible solutions in the end (there may be others):
Change the port that we were trying to use. The new port should be one that doesn't come under the exclusions.
Disable Hyper-V, reserve a port range for our use, then enable Hyper-V again.
The steps to follow the second solution would be like this:
1. Disable Hyper-V
Method 1 - Windows Features tool:
In Control Panel -> select Programs and Features -> Select 'Turn Windows features on or off' -> Uncheck the option Hyper-V -> Apply
Method 2 - Via Powershell:
Open Powershell (as admin) and run the command:
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
Method 3 - via command prompt:
Open Command prompt (as admin) and run the command:
dism.exe /Online /Disable-Feature:Microsoft-Hyper-V
A system reboot will be required after this.
2. Reserve the port (range) you want so Hyper-V doesn't reserve it back.
After that reboot, if we try listing the port exclusions, we can see that some of the ranges are not there now (especially the one we want). Now reserve the port range we need:
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=100
3. Re-Enable Hyper-V
You can use all three methods mentioned above to enable the feature too. For example, showing one with dism:
dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All
This will also require a system reboot.
When your system is back, try listing the port exclusions again.
What happens here is that the specified port range was added to Administered port exclusions. That means we reserved it for our purposes.
After doing this, Hyper-V is smart enough to start its own reserved ranges around our pre-reserved ranges (notice in the result below that the range 55500-55599 is protected):
C:\Users\Xyz> netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
1031 1130
1131 1230
1231 1330
1331 1430
1431 1530
1561 1660
2363 2462
2463 2562
2563 2662
2663 2762
2763 2862
2863 2962
5357 5357
50000 50099 *
55500 55599 *
* - Administered port exclusions.
Now you will be able to bind to a port in that range successfully.
Sometimes, after a Windows update, you are suddenly unable to use a particular port, and nothing is listed when checking the port usage with the netstat command.
Most importantly, you don't have Hyper-V enabled either!
In this case, here are two workaround options you can try:
(Not sure if it will work for everyone, but you can give it a try!)
Option 1 :
Check the excluded port ranges
netsh interface ipv4 show excludedportrange protocol=tcp
For example, consider that a port range 55485-55584 (which includes the port we need: 55555) was listed there as excluded after the Windows update.
Enable Hyper-V
Check the excluded port ranges again:
netsh interface ipv4 show excludedportrange protocol=tcp
You may still see our required port as excluded. But this time, there could be a difference in that excluded range, like 55506-555605, which is probably an override introduced by Hyper-V (not sure if this is the actual reason).
Disable Hyper-V
Check the excluded port ranges again:
netsh interface ipv4 show excludedportrange protocol=tcp
This time, if you see that your required port is not included there in the excluded ranges, continue to follow the next step of reserving your port.
Reserve the port range we need:
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=100
This range will be listed as an Administered port exclusion.
Now try using the port that you need.
Option 2 :
Since the problem is often caused by the Windows NAT Driver (winnat), stopping and restarting that service may resolve the issue.
Caution! : Stopping the winnat service may disconnect your network.
Check the excluded port ranges
netsh interface ipv4 show excludedportrange protocol=tcp
Stop winnat service:
net stop winnat
Check what happens to the excluded port ranges:
netsh interface ipv4 show excludedportrange protocol=tcp
Reserve the port range to prohibit dynamic reservation for your required port:
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=100
Start winnat service:
net start winnat
Check the excluded port ranges
netsh interface ipv4 show excludedportrange protocol=tcp
You can see that there are port exclusions, but yours is listed as an Administered port exclusion.
Now try using the port that you need.
So basically, Administered port exclusions are those exclusions that we can add in Windows 10 to reserve some ports for our use.
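The check this answer walks through by hand, written as a Go helper (an added example, not part of the original post): it parses the listing printed by netsh interface ipv4 show excludedportrange protocol=tcp and reports whether a port falls inside an excluded range and whether that range is administered. The names Exclusion, ParseExclusions, Lookup and sampleOutput are chosen for this example; the sample rows are abbreviated from the answer's second listing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Exclusion is one row of the netsh excluded-port-range listing.
type Exclusion struct {
	Start, End   int
	Administered bool // row carries the "*" marker
}

// ParseExclusions parses the netsh listing. Header, separator and
// legend lines are skipped: their first two fields are not numbers.
func ParseExclusions(output string) []Exclusion {
	var out []Exclusion
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line) // also drops a trailing "\r"
		if len(f) < 2 {
			continue
		}
		start, err1 := strconv.Atoi(f[0])
		end, err2 := strconv.Atoi(f[1])
		if err1 != nil || err2 != nil || start > end {
			continue
		}
		out = append(out, Exclusion{Start: start, End: end, Administered: len(f) > 2 && f[2] == "*"})
	}
	return out
}

// Lookup returns the excluded range that covers port, if any.
func Lookup(port int, ex []Exclusion) (Exclusion, bool) {
	for _, e := range ex {
		if e.Start <= port && port <= e.End {
			return e, true
		}
	}
	return Exclusion{}, false
}

// sampleOutput: rows abbreviated from the answer's second listing.
const sampleOutput = "Start Port End Port\n1031 1130\n5357 5357\n50000 50099 *\n55500 55599\n* - Administered port exclusions.\n"

func main() {
	for _, port := range []int{55555, 50010, 8080} {
		e, hit := Lookup(port, ParseExclusions(sampleOutput))
		fmt.Printf("port %d: excluded=%v range=%d-%d administered=%v\n", port, hit, e.Start, e.End, e.Administered)
	}
}
```

On a real machine, pass the captured netsh output to ParseExclusions in place of sampleOutput; a hit on a range without the administered marker matches the bind error shown at the top of this answer.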