How To: Mastering PortQry.exe

At the end of 2003, beginning of 2004 Microsoft released Portqry 2.0 which was an upgrade from the first version. This newer version offers some newer features such as interactive mode, the ability for tracking of all ports associated with any particular process, as well as compatibility for firewall. The utility allows you to select a computer, analyze it and get a report of port status on TCP and/or UDP ports. Most recently upgraded to Version 2, PortQry is a tool that can help you solve network related issues once mastered.

What is PortQry?

Telnet is a good tool to use to test ports with but limited. If you need to see if your SMTP server is in service, you can test it by attaching to port 25 via telnet as follows:

telnet <ip address> 25


Example telnet command

This will connect you to an SMTP relay so that you can run commands to test with. Since many engineers and administrators are very comfortable with telnet, tools like Secure Shell *SSH* and PortQry are used less often. Since telnet can be used in the testing and troubleshooting of ports and connectivity, why would you want to use anything else? The telnet utility has its limitations for port testing, that’s why.

One example is that it cannot determine whether a port is being filtered which is very common these days with the amount of Internet facing routers out there ‘basically’ filtering, and the plethora of firewalls out there screening ports. Home PC’s have the ability to filter ports. Most major operating systems have had this functionality for a long time now. A tool like Telnet is also unable to test UDP traffic. In Microsoft based networks, (or just about any network today), you will want to be able to work with UDP based protocols like LDAP or RPC. Most of the NETBIOS protocol structure uses UDP. In the rest of this article, we will be using Microsoft Exchange Server (and SMTP) as the example.

Getting PortQry

So, where does PortQry.exe come in? PortQry is nothing more than a tool developed to aid in the troubleshooting of helping solve connectivity issues by allowing for the scanning of ports in a better way. We will look at it in such a way that you suddenly integrate it into your troubleshooting tool belt to help solve some issues you may come across in the future. You can download PortQry from here.

How PortQry works

Microsoft was kind enough to develop PortQry to aid in the troubleshooting of connectivity issues by allowing for better scanning of ports so let’s learn how it works so we can exploit its benefits in the field. Before you learn the mechanics of using it (it’s actually very easy to use), you should understand how it works because knowing that will show you its strengths.

PortQry when utilized will report the status of a port on a target host in one of three ways:

Listening A process is listening on the port on the computer that you selected. Portqry.exe received a response from the port
Not Listening No process is listening on the target port on the target system. Portqry.exe received an Internet Control Message Protocol (ICMP) “Destination Unreachable – Port Unreachable” message back from the target UDP port. Or if the target port is a TCP port, Portqry received a TCP acknowledgement packet with the Reset flag set
Filtered The port on the computer that you selected is being filtered. Portqry.exe did not receive a response from the port. A process may or may not be listening on the port. By default, TCP ports are queried three times, and UDP ports are queried one time before a report indicates that the port is filtered. Remember that with PortQry (and where it comes up a winner) is that it can report if a port is being filtered. Other tools will report that the port is ‘not listening’ or something like that and that is where this tool comes up a winner.

Using PortQry

Now that you understand the power of PortQry, let’s take a look at the mechanics. Using PortQry.exe is actually a pretty easy and straightforward. Once you learn the syntax, then you will be just as comfortable with it as you may be with Ping and Tracert, two other excellent tools to test connectivity with.

After you download PortQry, you have to set it up. Since it’s nothing but a simple executable, I usually extract it to my desktop and stick it in my C:\WINDOWS\SYSTEM32 folder because the system path is already set up that way in my system so I can just go to Start => Run => CMD => Hit Enter => type PortQry and hit enter. You will be all set up to use it.

Adding PortQry to system PATH

Here are some switches you can use with it. My advice to you would be that once you are at the command prompt and ready to use it. Take a couple of minutes and read through the syntax of the tool itself. Let’s take a look at this now.

List of switches you can use with PortQry

Here are some important switches to remember.

-n [server] IP address or name of system to query
-p [protocol] TCP or UDP or BOTH (default is TCP)
-e [endpoint] single port to query (valid range: 1-65535)
-r [endpoint range] range of ports to query (start:end)
-o [endpoint order] range of ports to query in an order (x,y,z)
-l  [logfile] name of log file to create
-s “slow link delay” waits longer for UDP replies from remote systems
-I bypasses default IP address-to-name lookup; ignored unless an IP address is specified after -n
-q “quiet” operation runs with no output

You can also analyze SNMP as well. Let’s look at some examples of this tool and their switches in action.

What is Interactive Mode?

There is also an Interactive Mode option with the following commands and switches. This mode will allow you to deal with another common issue that we have to deal with, which is ‘typing commands a million times’.

Because of this situation, you may want to spend some time looking at the command set for Interactive Mode. PortQry version 2.0 will allow you to run commands this way, but PortQry version 2.0 will allow you to function much like how NSLOOKUP operates.

At the prompt, you can type help for a list of options:

PortQry interactive mode commands

Use PortQry to check email servers

A common approach to seeing if your email servers are down would be to test connectivity to it by pinging it. Most likely though, you may be blocking inbound ICMP packets to hosts on your network so this may not work because you have a ‘filter’ in place – that’s ok, that’s where PortQry can help. So how do I verify that my email relay server is accepting connections?

Sometimes you might want to analyze your relay in order to see if it accepts incoming connections, this will help to verify not only connectivity, but also verify a working system! An example for this situation might be when your users are complaining (how often does this happen?) about email problems in general – now narrowed down to a lack of incoming mail. If this is what the problem has been boiled down to be, let’s query the relay and see if it’s operational:

PortQry use case example to check email servers

You can see from the output from the command (and the added in notes), that you have a functional relay. PortQry was used to verify that. Can you do it another way? I mentioned telnet earlier, and this can also show you how you can connect to a relay.

To telnet to it:

telnet port #

The hostname or IP address of the relay and the port (which is the TCP/IP port number for email such as 25 for SMTP, 110 for POP3)

If SMTP is not listening, PortQry will report:

TCP port 25 (SMTP service): NOT LISTENING

If SMTP is Filtered, PortQry will report:

TCP port 25 (SMTP service): FILTERED

Scanning for LDAP

So, how would you determine whether LDAP is available on a node or not? You can use PortQry to test it. As was discussed earlier, telnet doesn’t provide a good test for UDP-based ports, for example, lets say, you wanted to verify that your Windows client could verify connectivity to an Active Directory DC? How could you do this with telnet?

Here is an example where I scanned a Windows 2000 Domain Controller:

C:\WINDOWS\SYSTEM32>PortQry -n -p udp -e 389

Querying target system called:

Attempting to resolve IP address to a name…

IP address resolved to DC2


UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389…

LDAP query response:
currentdate: 11/1/2004 16:20:13 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=1,DC=com
dsServiceName: CN=NTDS Settings,CN= DC2,CN=Servers,CN=Default-First-Site-Name,CN=com
namingContexts: CN=Schema,CN=Configuration,DC=1,DC=com
defaultNamingContext: DC=1,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=1,DC=com
configurationNamingContext: CN=Configuration,DC=1,DC=com
rootDomainNamingContext: DC=1,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 241215
supportedSASLMechanisms: GSSAPI
dnsHostName: dc2.1.COM
ldapServiceName: 1.COM: [email protected]
serverName: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
======== End of LDAP query response ========

UDP port 389 is LISTENING

So this looks familiar to the example above, correct? The only difference is the output, because it is listening as you can see from the last statement in the output.

To quickly remind you of the syntax used:

  • the -n identifies your server, which is
  • the -p identifies your protocol (in this case, UDP),
  • the -e signifies an endpoint or the port you specifically want to query such as LDAP, in this example, listening on port 389

Installing and using the PortQryUI

Port Query UI tool (portqueryui.exe) is a tool to query open ports on a machine. This tool makes use of command line version port query tool (portqry.exe) and provides an interface that can be viewed.

To get the tool from, click here.

Once you download it, it can be launched by opening up the source folder and clicking on the portqryui.exe file.

PortQryUI with a graphical user interface

Once you open it you will have many new (and cool) options. One of which is the automated predefined profiles for scanning as seen above. You can now pick a ‘class’ of what you want to scan and the UI will scan all the relevant services and then show you the output on the bottom of the Port Query UI tool.

PortQryUI results screen

With just a basic scan of ‘Domains and Trusts’, you can see that the output is in the ‘Query Result” Window on the bottom of the tool. Port 129 is not listening because it’s simply disabled. It doesn’t work. Try getting this much information with telnet.

You may want to run this tool against your own system (like I just showed you here with a lab system), the loopback address or IP that the system currently has will show you open ports on your own system! This tool can show you quickly what ports are open on your system. You can also get this information with Netstat:

Netstat example

Tweaking PortQry

While researching PortQry and what it could do, I found out that the tool actually uses a file in your %systemroot%\system32\drivers\etc directory called “Services”.

Services file containing port assignments

PortQry.exe uses this file to resolve the port numbers so it’s really important that you know this… if you change port numbers (like 80 to 8080 for example), you will have to change it in this file as well. If you need to change it back, then you can either have made a copy of it in this directory and named it ServicesBU or something, or you can visit the protocol number registry to get the standard port assignment back.


In this article we covered the basic and advanced uses of PortQry, a Microsoft developed tool that can help you to troubleshoot connectivity problems that you may encounter, much like the email issue shown in this article. PortQry is a great little tool to have in your tool belt when you need to verify if a port is open, closed, or being filtered somehow.

About The Author

1 thought on “How To: Mastering PortQry.exe”

  1. I’m still unsure about the status of the ports. For example, I have a voip server (udp/5060) that is returning as “LISTENING or FILTERED”.

    In the article, under LISTENING, it says “Portqry.exe received a response from the port”, but under FILTERED, it says “Portqry.exe did not receive a response from the port”.

    If it’s “LISTENING or FILTERED”, how can I tell if it got a response or not with a status like that?

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top