Windows 7 Spamming Domain Controllers on ports 445 and 139, causing lockout

Tags: active-directory, domain-controller, netbios, samba, windows

I have a domain lockout issue and in troubleshooting, I found through netstat that my machine is pummeling the domain controllers on ports 445 and 139. It is creating thousands of user ports to do this: today it started at port 54000ish and within a couple of hours was up to 60000.

netstat -ob identifies the process as PID 4.

In my research so far, I keep hearing that a virus is the likely cause. I have Trend Micro and Windows Defender running. A full scan by Windows Defender identified nothing amiss.

Are there any other causes besides a virus that I could look into?

I was able to stop it by blocking the outbound ports in Windows Firewall, but obviously this is not ideal.

Anything I can do short of reinstalling the OS?

Best Answer

The offending service turned out to be Windows Media Player Network Sharing (wmpnetwk.exe). I don't recall using Media Player on this machine, so I'm not sure how that service got activated.

netstat -bo was reporting "Can not obtain ownership information" for the process name and PID 4 (which in Task Manager shows "NT Kernel & System").

Here's how I identified the culprit:

I checked the box in Windows Task Manager to "Show process from all users." Then I went to the "Services" tab and started stopping services, starting with the highest PIDs first, and checking netstat -bo a few times after each one until I no longer saw the "Can not obtain ownership information" process connecting to the domain controllers on the microsoft-ds and nb-ssn ports.
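The repeated netstat check in the answer above can be turned into a count that is easy to compare after each service is stopped. This is an added example, not part of the original answer; the function name, the sample lines and the 192.0.2.x addresses are assumptions made for illustration.

```powershell
# Added example; Get-SmbConnectionTally is a hypothetical helper. Runs on PowerShell 2.0.
function Get-SmbConnectionTally {
    param(
        [string[]]$NetstatLines,          # raw lines from `netstat -ano`
        [int[]]$Ports = @(445, 139)       # microsoft-ds and nb-ssn
    )
    $rows = @(foreach ($line in $NetstatLines) {
        # Columns: TCP  local:port  remote:port  STATE  PID
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            if ($Ports -contains [int]$Matches[3]) {
                New-Object PSObject -Property @{
                    LocalPort  = [int]$Matches[1]
                    Remote     = $Matches[2]
                    RemotePort = [int]$Matches[3]
                    State      = $Matches[4]
                    OwningPid  = [int]$Matches[5]
                }
            }
        }
    })
    if ($rows.Count -eq 0) { return }     # nothing talking to those ports
    # One output row per (remote host, port, state, PID) with the local port span
    $rows | Group-Object Remote, RemotePort, State, OwningPid | ForEach-Object {
        $first = $_.Group[0]
        $span  = $_.Group | Measure-Object LocalPort -Minimum -Maximum
        New-Object PSObject -Property @{
            Count      = $_.Count
            Remote     = $first.Remote
            RemotePort = $first.RemotePort
            State      = $first.State
            OwningPid  = $first.OwningPid
            LocalPorts = '{0}-{1}' -f $span.Minimum, $span.Maximum
        }
    } | Sort-Object Count -Descending |
        Select-Object Count, Remote, RemotePort, State, OwningPid, LocalPorts
}

# Constructed sample lines; 192.0.2.x are placeholder addresses.
$sample = @(
    '  TCP    192.0.2.50:54012    192.0.2.10:445    ESTABLISHED     4',
    '  TCP    192.0.2.50:54013    192.0.2.10:445    TIME_WAIT       0',
    '  TCP    192.0.2.50:54014    192.0.2.10:445    TIME_WAIT       0',
    '  TCP    192.0.2.50:54020    192.0.2.11:139    SYN_SENT        4',
    '  TCP    192.0.2.50:49200    192.0.2.80:443    ESTABLISHED     2316',
    '  TCP    0.0.0.0:445         0.0.0.0:0         LISTENING       4'
)
Get-SmbConnectionTally -NetstatLines $sample | Format-Table -AutoSize
# Live use: Get-SmbConnectionTally -NetstatLines (netstat -ano) | Format-Table -AutoSize
```

Run the live form before and after stopping each service: when the rows for the domain controllers stop growing and their local port span stops climbing, the service just stopped is the one to examine.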