Two Must-Have Windows Network Utilities

Even the best spyware/malware/antivirus software installed on your Windows installation, along with a good software firewall, still will not catch everything. There are times when you need to go right down to the process level to see what’s going on.

A utility already built into Windows is NETSTAT, a command-line program. For example, you would use “NETSTAT -B” (without quotes) to see all the apps that are currently accessing the network/internet.

Side note: In Vista and 7 you need to run a Command Prompt as Administrator to run NETSTAT -B.
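For scripted triage, the multi-line output of NETSTAT -B can be parsed into one record per connection and grouped by owning process. The following is an added example, not part of the original article: it assumes the -n and -o switches are added to -B (numeric addresses and a PID column), the sample output is constructed, and the function names are illustrative.

```python
import re
# Constructed sample of `netstat -bno` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     198.51.100.20:443      ESTABLISHED     4321
 [browser.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49800     203.0.113.7:8080       ESTABLISHED     5120
 Can not obtain ownership information
  TCP    [::1]:49701            [::1]:49702            ESTABLISHED     4321
 [browser.exe]
  UDP    0.0.0.0:5353           *:*                                    4321
 [browser.exe]
"""

# Proto, local, remote, optional state (UDP rows have none), PID.
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")
EXE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Turn connection rows plus their owner lines into one dict per connection."""
    rows = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"process": None, "service": None, "proto": proto, "local": local,
                         "remote": remote, "state": state or "", "pid": int(pid)})
        elif rows and line.strip() and not line.strip().startswith("Can not obtain"):
            exe = EXE.match(line)
            if exe:
                rows[-1]["process"] = exe.group(1)   # "[name.exe]" line
            elif rows[-1]["process"] is None:
                rows[-1]["service"] = line.strip()   # component line above the exe
    return rows

def remote_peers(rows):
    """Map owner -> sorted remote hosts, skipping listeners, wildcards and loopback."""
    peers = {}
    for r in rows:
        host = r["remote"].rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
        if host not in ("*", "0.0.0.0", "::", "127.0.0.1", "::1"):
            peers.setdefault(r["process"] or f"pid {r['pid']}", set()).add(host)
    return {owner: sorted(hosts) for owner, hosts in peers.items()}

if __name__ == "__main__":
    print(remote_peers(parse_netstat(SAMPLE)))
```

Connections whose owner NETSTAT cannot resolve are kept and reported by PID, so they can be looked up in a process viewer instead of being silently dropped.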

NETSTAT is very good, but doesn’t give you the whole picture. It would be much better to use something GUI-based that not only shows all incoming/outgoing network activity, but also does so in a way that you can easily sort. In addition, it would also be great to have something where you could see individual processes for even further control.

You can have this control right now using two utilities provided by Microsoft, TCPView and Process Explorer. Both are tidy, small and best of all, free. Both will work in any NT-based Windows from 2000 to present. Click the links to get them.

TCPView


TCPView is GUI-based, and once you use it you’ll greatly prefer it over NETSTAT. You can sort by five different columns of information: Process, Protocol, Local Address, Remote Address and State.

It’s probably true the columns you’ll be most interested in are Process (the app that’s running) and Remote Address (where the app is connecting to).

Each entry is right-clickable. From there you can perform things like a quick WHOIS lookup:


..or find out instantly exactly what process is using what app:


..and so on.

Process Explorer

Note: This is sometimes referred to as “ProcEx”, pronounced “prock-ex”.


What Process Explorer does that TCPView doesn’t is show all processes whether they use the network or not. So the ones in an idle state that aren’t accessing the network but are running will show up here. Color coding and a tree view are also there for easy management.

Process Explorer is a great utility for identifying spyware – especially the kind that does the fast-and-dash, where it will access the network quickly but then immediately go idle so as to avoid detection while still running.

What’s the best part about both of these utilities?

Two things:

First, there is absolutely nothing that can happen on your computer network or process-wise that these two apps won’t “see”. Nothing can escape them – and that’s good. Both are real-time process/network applications, so the moment something occurs, it will be recorded.

Second, both these utilities allow you to kill any process – even the ones where Windows says “don’t do that”. However, bear in mind not to get too trigger-happy with this, because if you shut down the wrong thing it might crash your Windows. :) Even so, the fact that you can kill any process with ease using these two utilities is great.

Leave A Reply (4 comments So Far)



  1. DravenX
    1134 days ago

    When I tried it, most of them wouldn’t go into the properties. Most of them are system processes, like svchost. There are lots of those.


  2. Rich Menga
    1134 days ago

    If you want to see where/why/what for the svchost, use Process Explorer for that. TCPView gives you immediate network information; Process Explorer will show you the threads of where processes start. All you have to do is follow “up” the tree for each svchost.exe instance and you will see what process called for it initially.


  3. Ken Williams
    1125 days ago

    Process Explorer link doesn’t work.


  4. Rich Menga
    1125 days ago