Getting TCP/UDP Tables with ProcessIDs

It can be done with the GetExtendedXXXTable functions of the IPHelper API, but I cannot use them under Windows 2000; I only have GetXXXTable there, and those don't give me process IDs. I mean, I want to learn which processes do anything on TCP/UDP ports in Win2000. How can it be done like TCPView on pre-XP systems?

There were Sysinternals sources, but I can't find them. Also, has anyone used portuser.cpp by Gary Nebbett?

Hello, Akin -

The sysinternals source code for netstatp - when it was available - only showed the public APIs, so for pre-XP, they did not show how to get the pid.

I’ve only taken a brief look at Nebbet’s portuser.cpp, a few years ago. It seems to me to be extremely unportable, and I’m sure there’s a better (though still undocumented) way to do this.

-Stephen Cleary

Thank you very much for your reply. I've searched for IOCTLs but I am confused; do you know any IOCTL code to retrieve this info?

Regards

Hi Akin,

You can get TCP/UDP ports and the owner process of the ports by using the following method in 2000.

  1. Get the system handle table by using ZwQuerySystemInformation.

  2. For each handle in the table, try to obtain a duplicate handle.

  3. Using the duplicate handle, you can find the object name information with ZwQueryObject and NT::ObjectNameInformation.

  4. If the object name is \Device\Tcp or \Device\Udp, try to get the Local Port associated with the handle using the IOCTL_TDI_QUERY_INFORMATION ioctl.

  5. By doing the above, you can get Handle, Local Port and ProcessID.

  6. Now use GetTcpTable to get the MIB_TCPROWs in the system.

  7. You can match the Local Port you obtained in the above steps against MIB_TCPROW.dwLocalAddr to map to the socket state.

This worked for me in my TcpView tool. Try the following code to get the Local Port associated with a handle. Please use it carefully; I did this for experimental purposes with Google's help.

// Pointer to ntdll!NtDeviceIoControlFile, resolved elsewhere with
// GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDeviceIoControlFile").
typedef NTSTATUS (NTAPI *PFN_NtDeviceIoControlFile)(HANDLE, HANDLE, PVOID, PVOID,
    NT::PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
extern PFN_NtDeviceIoControlFile lpfnNtDeviceIoControlFile;

// Returns the local port bound to a \Device\Tcp or \Device\Udp handle, in
// network byte order (as TDI hands it back), or 0 on failure.
WORD GetPortForHandle(HANDLE hObject)
{
    NT::IO_STATUS_BLOCK IoStatusBlock;
    NT::TDI_REQUEST_QUERY_INFORMATION TdiRequest = {{0}, TDI_QUERY_ADDRESS_INFO};
    NT::PTDI_ADDRESS_INFO AddressInfo = NULL;
    NT::PTDI_ADDRESS_IP AddressIp = NULL;
    BYTE Buffer[256];
    NTSTATUS NtStatus;
    HANDLE hEvent;

    /*
    First get the local node address info (ip, port).
    For this we have to send
    Major Function: IRP_MJ_INTERNAL_DEVICE_CONTROL
    Minor Function: TDI_QUERY_INFORMATION
    Ioctl: IOCTL_TDI_QUERY_INFORMATION

    TDI Request Type: TDI_QUERY_ADDRESS_INFO.

    Refer to the DDK for more information.
    */
    hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (hEvent == NULL)
        return 0;
    ZeroMemory(Buffer, sizeof(Buffer));
    NtStatus = lpfnNtDeviceIoControlFile(hObject, hEvent, NULL, NULL, &IoStatusBlock,
        IOCTL_TDI_QUERY_INFORMATION, &TdiRequest, sizeof(TdiRequest), Buffer, sizeof(Buffer));

    // The transport may complete the request asynchronously (STATUS_PENDING);
    // wait on the event and take the final status from the I/O status block.
    if (NtStatus == STATUS_PENDING)
    {
        WaitForSingleObject(hEvent, INFINITE);
        NtStatus = IoStatusBlock.Status;
    }
    CloseHandle(hEvent);

    if (NtStatus == STATUS_SUCCESS)
    {
        // TDI_ADDRESS_INFO -> TRANSPORT_ADDRESS -> TA_ADDRESS[0].Address holds a
        // TDI_ADDRESS_IP (sin_port, in_addr) when the address type is IP.
        AddressInfo = (NT::PTDI_ADDRESS_INFO) Buffer;
        if (AddressInfo->Address.Address[0].AddressType != TDI_ADDRESS_TYPE_IP)
            return 0;
        AddressIp = (NT::PTDI_ADDRESS_IP) AddressInfo->Address.Address[0].Address;
        return AddressIp->sin_port;            // network byte order
        //return _ntohs(AddressIp->sin_port);  // use this instead for host order
    }
    return 0;
}


Keep Faith on the Supreme Lord Sri Sri Sri Krishna. He will take care of you.
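Step 7 of the method above, joining the (pid, local port) hits from the handle scan against the MIB_TCPROW entries from GetTcpTable, is where the byte order bites: GetPortForHandle returns sin_port in network order, and MIB_TCPROW.dwLocalPort is network order too, so both sides must be compared raw. The following is an added example and not the poster's TcpView code; it mirrors the Windows structures with assumed layouts so it builds on any platform, and the handle hits and table rows are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
/* Mirrors of the Windows types so this builds anywhere (layouts assumed; on
 * Windows use MIB_TCPROW from <iprtrmib.h>). State values are the documented ones. */
enum { MIB_TCP_STATE_LISTEN = 2, MIB_TCP_STATE_ESTAB = 5 };
typedef struct {
    uint32_t dwState;
    uint32_t dwLocalAddr;   /* network byte order */
    uint32_t dwLocalPort;   /* low 16 bits, network byte order */
    uint32_t dwRemoteAddr;
    uint32_t dwRemotePort;
} TcpRow;
typedef struct {            /* one hit from the handle scan (steps 1-5) */
    uint32_t pid;
    uint16_t sin_port;      /* exactly what GetPortForHandle returns */
} HandleOwner;
/* x86 is little-endian, so htons()/ntohs() are a plain byte swap. */
static uint16_t swap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

/* Owner pid of a MIB_TCPROW, or 0 if no scanned handle matched. TDI and the
 * MIB both report the port in network order, so compare the raw 16 bits;
 * converting only one side quietly matches nothing. */
static uint32_t owner_pid(const TcpRow *row, const HandleOwner *own, size_t n)
{
    uint16_t port = (uint16_t)(row->dwLocalPort & 0xFFFFu);
    for (size_t i = 0; i < n; i++)
        if (own[i].sin_port == port)
            return own[i].pid;
    return 0;
}
/* Constructed sample: the listener and its accepted connection share local
 * port 80 and resolve to the same pid; row 3's handle was not found by the
 * scan (e.g. it could not be duplicated), so it stays at pid 0. */
static const HandleOwner kOwners[] = { {1234, 0x5000 /* htons(80) */},
                                       {777,  0x3D0D /* htons(3389) */} };
static const TcpRow kRows[] = {
    { MIB_TCP_STATE_LISTEN, 0,          0x5000, 0,          0      },
    { MIB_TCP_STATE_ESTAB,  0x0100007F, 0x5000, 0x0100007F, 0x0104 },
    { MIB_TCP_STATE_ESTAB,  0x0100007F, 0x0104, 0x0100007F, 0x5000 },
};
/* Prints the TCPView-style joined table; returns how many rows got a pid. */
static int print_joined(void)
{
    int resolved = 0;
    for (size_t i = 0; i < sizeof kRows / sizeof kRows[0]; i++) {
        uint32_t pid = owner_pid(&kRows[i], kOwners, 2);
        printf("port %5u state %2u pid %u\n", swap16((uint16_t)kRows[i].dwLocalPort), kRows[i].dwState, pid);
        resolved += (pid != 0);
    }
    return resolved;
}
```

A port alone is ambiguous when several local addresses bind the same port, so a fuller version would also compare the in_addr that TDI_ADDRESS_IP carries next to sin_port against dwLocalAddr.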