Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is Administered port exclusions in windows 10?

I have hyper-v enabled in windows 10. When I check the excluded ports, I get:

C:\> netsh interface ipv4 show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
      9800        9800
      9801        9801
     49671       49770
     49871       49970
     50000       50059     *
     61117       61216
     61220       61319
     61902       62001

* - Administered port exclusions.

Why Hyper-V reserves these ports?

How Administered port exclusions ( ie, range 50000-50059 ) differ from other port exclusions?

For example, when i tried to ping to all these ports using a net.Listen() in golang, all ports except 50000-50059 returns error:

listen tcp 127.0.0.1:9801: bind: An attempt was made to access a socket in a way forbidden by its access permissions. 
like image 589
AnjanaAK Avatar asked Oct 03 '19 09:10

AnjanaAK


1 Answers

In windows 10, sometimes we get an error for a particular port:

Ports are not available: listen tcp 0.0.0.0:55555: bind: An attempt was made to access a socket in a way forbidden by its access permissions. 

When seeing this error, our first instinct will be that somehow the port we need is being used by another application. So if we check for ports in use:

netstat -aon | find "55555"

But the result may show that the port was not already being used.

Then the problem may be that Windows reserves some ports, they are the excluded ports which we cannot use for our other purposes. We can list those ports with the command:

C:\Users\Xyz> netsh interface ipv4 show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      1031        1130
      1131        1230
      1231        1330
      1331        1430
      1431        1530
      1561        1660
      2363        2462
      2463        2562
      2563        2662
      2663        2762
      2763        2862
      2863        2962
      5357        5357
     50000       50099     *
     55500       55599
 
* - Administered port exclusions.

Why windows reserves these ports?

  • Those ports might be blocked by Microsoft due to identified virus / malware activity.
  • We experienced this after a windows update. Then we installed the next update and rebooted the machine. The ranges changed this time and our ports got available.
  • Sometimes it is the enabled Hyper-V feature (we enable it for docker-for-windows installation) that does this.

There may be other reasons too.

But If we try to delete a port range exclusion with the following command (even as administrator), it will return an error saying that it doesn't have permission for this.

netsh int ipv4 delete excludedportrange protocol=tcp startport=55500 numberofports=100

Port exclusions introduced by Hyper-V


If the port exclusion is introduced by Hyper-V, we have two possible solutions in the end (there may be others):

  • Change the port that we were trying to use. The new port should be something that doesn't comes under the exclusions.

  • Disable Hyper-V, reserve a port range for our use, then enable Hyper-V again.

The steps to follow the second solution would be like this:

1. Disable Hyper-V

Method 1 - Windows Features tool:

In Control Panel -> select Programs and Features -> Select 'Turn Windows features on or off' -> Uncheck the option Hyper-V -> Apply

Method 2 - Via Powershell:

Open Powershell (as admin) and run the command:

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

Method 3 - via command prompt:

Open Command prompt (as admin) and run the command:

dism.exe /Online /Disable-Feature:Microsoft-Hyper-V

A system reboot will be required after this.

2. Reserve the port (range) you want so hyper-v doesn't reserve it back.

After that reboot, if we try listing the port exclusions, we can see that some of ranges are not there now (especially, those the one which we want). Now reserve the port range we need:

netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=100

3. Re-Enable Hyper-V

You can use the all the three methods mentioned above to enable the feature too. For example, showing one with dism:

dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All

This will also require a system reboot.

When your system is back, try listing the port exclusions again.

What happens here is that the specified port range was added to Administered port exclusions. That means we reserved it for our purposes.

After doing this, Hyper-V is smart enough to start it’s own reserved ranges around our pre-reserved ranges (notice in the result below the range from 55500–55599 is protected ) :

C:\Users\Xyz> netsh interface ipv4 show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      1031        1130
      1131        1230
      1231        1330
      1331        1430
      1431        1530
      1561        1660
      2363        2462
      2463        2562
      2563        2662
      2663        2762
      2763        2862
      2863        2962
      5357        5357
     50000       50099     *
     55500       55599     *

* - Administered port exclusions.

Now you will be able to bind to a port in that range successfully.

Port exclusions introduced after a Windows update


Sometimes, after a Windows update, suddenly you are unable to use a particular port, and when nothing is listed when checking the port usage with the netstat command.

Most importantly, you don't have Hyper-V enabled too!

In this case, here are 2 work around options you can try:

( Not sure if it will work for everyone, but you can give it a try!)

Option 1 :

  • Check the excluded port ranges

    netsh interface ipv4 show excludedportrange protocol=tcp

    For example, consider a port range 55485-55584 (which includes the port we need: 55555) was listed there as excluded after the windows update.

  • Enable Hyper-V

  • Check the excluded port ranges again:

    netsh interface ipv4 show excludedportrange protocol=tcp

    You may still see our required port as excluded. But this time, there could be a difference in that excluded range like 55506-555605 which is probably an override introduced by Hyper-V (Not sure if this is the actual reason).

  • Disable Hyper-V

  • Check the excluded port ranges again:

    netsh interface ipv4 show excludedportrange protocol=tcp

    This time, if you see that your required port is not included there in the excluded ranges, continue to follow the next step of reserving your port.

  • Reserve the port range we need:

    netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=100

    This range will be listed as an Administered port exclusion.

Now try using the port that you need.

Option 2 :

Since the problem is often caused by the Windows NAT Driver (winnat), stopping and restarting that service may resolve the issue.

Caution! : Stopping the winnat service may disconnect your network.

  • Check the excluded port ranges

    netsh interface ipv4 show excludedportrange protocol=tcp

  • Stop winnat service:

    net stop winnat

  • Check what happens to the excluded port ranges:

    netsh interface ipv4 show excludedportrange protocol=tcp

  • Reserve the port range to prohibit dynamic reservation for your required port:

    netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=100

  • Start winnat service:

    net start winnat

  • Check the excluded port ranges

    netsh interface ipv4 show excludedportrange protocol=tcp

    You can see that there are port exclusions, but yours is listed as Administered port exclusion.

Now try using the port that you need.

What is Administered port exclusions?


So basically, Administered port exclusions are those exclusions that we can add in Windows 10 to reserve some ports for our use.

like image 60
AnjanaAK Avatar answered Jan 02 '23 21:01

AnjanaAK