UPDATE!
For years, a day or two after a Microsoft Update (I think - but I'm not sure), about once a month (or so) stunnel and/or adb would fail because
they couldn't bind to the ports that they normally bind to every day.
Privileged ports: Ports 0–1023
Registered Ports: Ports 1024–49151
Dynamic/Private Ports: Ports 49152–65535 (99 of these ports are excluded!)
They'd both fail because a port they normally use, wasn't available.
Binding service [x] to 127.0.0.1:53537: Permission denied (WSAEACCES) (10013)
For years, I tried to find out WHAT was "using" those ports.
It turns out nothing was using them, per se, so netstat returned nothing!
netstat -ano | findstr :53537
So did procmon. So did resmon. So did task manager. As did everything else.
I could bind to any port that was not in a range of 99 ports unavailable.
ncat -l -p 56789
But I could NOT bind to a port that was in the range that was unavailable.
ncat -l -p 56789
Ncat: bind to :::56789: An attempt was made to access a socket
in a way forbidden by its access permissions. . QUITTING.
In desperation, I went to AI and after HOURS with AI, I finally got closer
to the problem, where this command lists 99 ports which are unavailable.
netsh interface ipv4 show excludedportrange protocol=tcp
netsh interface ipv6 show excludedportrange protocol=tcp
I still have no idea what is making the 99 ports unavailable after a reboot (often after a Windows Update) but AI thinks it's an underlying Windows process that has administrator capabilities. We don't know what that is.
But now I at least have a solution without resorting to another reboot!
Instead of rebooting (which was my only solution for years!) all that was needed was to run these stop/start commands to free the 99 excluded ports!
net stop winnat
The Windows NAT Driver service was stopped successfully.
net start winnat
The Windows NAT Driver service was started successfully.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
 Start Port  End Port
 ----------  --------
   5357    5357
   50000    50059   *
 * - Administered port exclusions.
Voila! (almost)
The only thing left is WHY those 99 ports are sometimes made unavailable. When you run (as admin) those commands, do you ever get 99 ports locked up?
Anyone have any experience with this problem set for debugging information? If not, at least others can benefit from the troubleshooting hours today.
I need adb for reasons that are so obvious I won't even explain why.
As for stunnel, my newsreader is telnet so I need stunnel for encryption.
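The check the post above arrives at, as an added example that is not part of the original thread: when a bind fails with WSAEACCES (10013) and netstat shows no listener, parse the excluded-port-range listing and test the port against it. The sample output, including the 53500-53599 range, is constructed, and the function names are hypothetical.

```powershell
# Constructed sample of the netsh output discussed in the thread. On a live system use:
#   $text = netsh interface ipv4 show excludedportrange protocol=tcp | Out-String
$text = @'
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
     50000       50059     *
     53500       53599

* - Administered port exclusions.
'@

function Get-ExcludedPortRange {
    param([Parameter(Mandatory)][string]$NetshOutput)
    foreach ($line in $NetshOutput -split '\r?\n') {
        # Data rows are "<start> <end>", optionally followed by "*".
        if ($line -match '^\s*(\d+)\s+(\d+)\s*(\*)?\s*$') {
            [pscustomobject]@{
                Start        = [int]$Matches[1]
                End          = [int]$Matches[2]
                Administered = [bool]$Matches[3]   # "*" = administered exclusion
            }
        }
    }
}

function Find-ExcludingRange {
    param([int]$Port, [object[]]$Ranges)
    $Ranges | Where-Object { $Port -ge $_.Start -and $Port -le $_.End } |
        Select-Object -First 1
}

$ranges = Get-ExcludedPortRange -NetshOutput $text
# 53537 and 55555 are ports named in the thread; 50010 exercises the "*" row.
foreach ($port in 53537, 55555, 50010) {
    $hit = Find-ExcludingRange -Port $port -Ranges $ranges
    if (-not $hit) {
        "{0}: not excluded; look for a listener with netstat -ano instead" -f $port
    } elseif ($hit.Administered) {
        "{0}: in administered exclusion {1}-{2}" -f $port, $hit.Start, $hit.End
    } else {
        "{0}: in non-administered exclusion {1}-{2}; bind fails with WSAEACCES (10013)" -f $port, $hit.Start, $hit.End
    }
}
```

A port that is genuinely in use fails with WSAEADDRINUSE (10048) instead, which is why the two cases need different checks.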
Use Wireshark.
Fire up a browser, watch what ports are used. Ports in the ephemeral range, are sending to 443 (encrypted) on mine. Like 61038 ==> 443, which is https. These are ports assigned dynamically from the pool above 49152. A program doing that, could get EADDRINUSE if it uses a dynamic port currently in
usage by a second browser.
I don't think you are supposed to statically assign such ports to programs needing their own fixed port for some purpose. For example, if I put an XWindows
server on my PC (needed for Bash Shell and WSL1), it uses port 6000 as a static port. And that is defined in the ports list. That's an officially recognized usage, in the static port range.
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
6000–6063 Yes X11 - used between an X client and server over the network
You can communicate with 64 different Unix computers and put their Windows
on your screen, but people do not typically do that. The DISPLAY variable
:0 or :1 , corresponds to the usage of port 6000 or port 6001.
Those are statically defined ports, and between 1025 and 49151 or so.
At work, we had our own little registrar. She made sure, via phoning her up, that if you invented a new usage for a static port, she would check the list of experimental usages and make sure there wasn't a conflict. So if some twirp had used port 12345 for an Ethernet test program, and you decided
to do the same thing, she could tell you it was already in use. And for such a large company, there was really hardly any usage of static ports in that exact way. There's a reason for that. But she would have penciled in things like popular game engine assignments, because you would not want your
serious business case static port assignment, to suddenly start playing Quake :-)
I'm sure you have your reasons for doing this, but that's not exactly
the intended usage model for those port numbers. Just about any question
I've asked about networking, the answerer starts with "You're not supposed
to do that", and that's the essence of "learn while you earn" as a learning algorithm :-)
To give you some idea how pissy they were about network operations at work, one day we started a three node flight simulator on a LAN segment, and
the "Nazi" in control, phoned one of the employee phone numbers within 20 seconds
of the game showing up on the LAN. And this was after closing time, too.
You could use the flight sim on one node (no network traffic), and
I routinely used to fly my custom aircraft. A Borg Cube with a
one million pounds of thrust engine. You have to set the trim at +5 degrees to keep the flight stable. Because, well, it's a brick, not an aircraft.
netstat -ano | findstr :54321
@echo off
netsh interface ipv4 show tcpconnections
Win+R > services.msc {control+shift+enter}
netsh http show urlacl
Get-NetTCPConnection -LocalPort 54321 -Force
Get-NetUDPEndpoint -LocalPort 54321 -Force
Get-NetTCPListen -LocalPort 54321 | Get-Process -Id {$_.OwningProcess}
try {$listener = New-Object System.Net.Sockets.TcpListener ([System.Net.IPAddress]::Loopback, 32565); $listener.Start(); Write-Host "Successfully bound to 127.0.0.1:32565"; $listener.Stop()} catch {Write-Error "Failed to bind to 127.0.0.1:32565: $($_.Exception.Message)"}
resmon > Network > Listening Ports > Port = 54321 > PID
[Local Port] is 54321 then Include
procexp.exe > Find > Find Handle or DLL > 54321 > Search
procmon.exe > Filter (timing is crucial)
ncat -l -p 54321 (or... ncat -l -k -p 54321 -e exit)
Ncat: bind to :::54321: An attempt was made to access a socket
netsh interface ipv4 delete excludedportrange protocol=tcp startport=54300 numberofports=100
Access is denied.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
net stop winnat
The Windows NAT Driver service was stopped successfully.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
net start winnat
The Windows NAT Driver service was started successfully.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
netsh interface ipv4 show excludedportrange protocol=tcp
The only thing left is WHY those 99 ports are sometimes made unavailable. When you run (as admin) those commands, do you ever get 99 ports locked up?
netsh int ipv4 show dynamicport udp
Protocol udp Dynamic Port Range
netsh int ipv4 show dynamicport tcp
Protocol tcp Dynamic Port Range
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
netsh interface ipv4 show excludedportrange protocol=tcp
net stop winnat
The Windows NAT Driver service was stopped successfully.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
net start winnat
Protocol tcp Port Exclusion Ranges
netsh interface ipv4 show excludedportrange protocol=tcp
The next step is to understand why the Windows NAT Driver is randomly excluding roughly about 1400 ports upon a reboot, where some of them can conflict with static outgoing ports that stunnel & adb use every day.
adb devices
* daemon not running; starting now at tcp:55555
netsh int ipv4 add excludedportrange protocol=tcp startport=55555 numberofports=1
But you never know if any app uses adjacent ports so you want a wider range.
netsh int ipv4 add excludedportrange protocol=tcp startport=55563 numberofports=1
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=101
The process cannot access the file because it is being used by another process.
netstat -ano | findstr "555"
TCP 127.0.0.1:55555 0.0.0.0:0 LISTENING 11216
adb kill-server
TCP 127.0.0.1:55563 0.0.0.0:0 LISTENING 9380
netstat -ano | findstr "555"
tasklist /FI "PID eq 9380"
Image Name PID Session Name Session# Mem Usage
taskkill /F /IM stunnel.exe
Ok.
netstat -ano | findstr "555"
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=101
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
netstat -ano | findstr /I "UDP"
(shows no conflicts with the excluded port range of 55500-55600)
ipconfig /all
(shows some link-local IPv6 addresses in network interfaces)
This is getting long, but I document it carefully so that others
can make use of the debugging technique as these work on your system.
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=101
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
net stop winnat
The Windows NAT Driver service was stopped successfully.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
When people run this command, do they get two lines or more of output?
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=101
netsh interface ipv4 show excludedportrange protocol=tcp
net stop winnat
The Windows NAT Driver service was stopped successfully.
I wonder... Do we even need the Winnat functionality?
To find out what happens if I don't restart it, I won't.
net stop winnat
The Windows NAT Driver service was stopped successfully.
I wonder... Do we even need the Winnat functionality?
To find out what happens if I don't restart it, I won't.
How else can I find out what uses Winnat on Windows 10?
You sure that it had nothing to do with the firewall and/or the free anti-virus scanner??
NAT should be automatic and working by default, I dunno....
netsh int ipv4 add excludedportrange protocol=tcp startport=55500 numberofports=101
Anyway, after about two years of these shenanigans, I finally figured
out the "problem" is "something" deep inside of Windows is excluding
a hundred random ports at a time. I "think" it's related to Windows
update, but I'm not sure really. It always happens at a boot though.
While I know Winnat is who is reserving the ports, I'm assuming a Hyper-V related app (like Docker) is commanding Winnat to reserve ports on bootup.
But I don't have Docker.
And I can't even spell Hyper-V.
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
FeatureName : Microsoft-Hyper-V-All
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
shutdown /r /t 0
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
FeatureName : Microsoft-Hyper-V-All
netsh interface ipv4 show excludedportrange protocol=tcp
Protocol tcp Port Exclusion Ranges
As I recall (it was years ago) I made some progress in assigning
adb ports both on Android and on Windows that were of my choosing.
adb devices
* daemon not running; starting now at tcp:55555
set ANDROID_ADB_SERVER_PORT=
adb devices
* daemon not running; starting now at tcp:5037
On Fri, 9 May 2025 10:21:08 -0000 (UTC), Marion wrote :
If it's above 1023, you should reserve the port using:
C:\> netsh int ipv4 add excludedportrange protocol=tcp startport=55555 numberofports=1
And presumably you could check the exitcode of the netsh command, and if it fails, increment the port number and retry, finally setting the
environment variable to the actual port number?
y'mean something like this?
@echo off
rem Delayed expansion (!var!) is needed to read variables changed inside a ( ) block.
setlocal EnableDelayedExpansion
set "targetPort=55555"
set "maxRetries=10"
set "retryCount=0"
:reservePort
echo Trying to reserve port %targetPort%...
netsh int ipv4 add excludedportrange protocol=tcp startport=%targetPort% numberofports=1
if errorlevel 1 (
    echo Failed to reserve port %targetPort%. Error code: %errorlevel%
    set /a retryCount+=1
    if !retryCount! lss %maxRetries% (
        set /a targetPort+=1
        echo Retrying with port !targetPort!...
        goto :reservePort
    ) else (
        echo Failed to reserve a port after %maxRetries% retries. Exiting.
        goto :end
    )
) else (
    echo Successfully reserved port %targetPort%.
    echo Setting ANDROID_ADB_SERVER_PORT environment variable to %targetPort%
    setx ANDROID_ADB_SERVER_PORT %targetPort% /M
    echo Please note that system environment variables changes may require a reboot to fully take effect for all processes.
    goto :end
)
:end
endlocal
pause
y'mean something like this?
I tried co-pilot
"write a script to reserve an tcp port"
it did it in Python
"in cmd.exe"
it wrote a one-liner using netsh
"make it retry until it finds an available port"
it added a loop
"limit to ten retries"
it obeyed
"set resulting port in a variable"
the result, which I haven't tried ...
@echo off
set /a port=8080
set /a retries=0
set /a max_retries=10
set reserved_port=
:retry
if %retries% GEQ %max_retries% (
echo Failed to find an available port after %max_retries% retries.
pause
exit /b 1
)
netsh int ipv4 add excludedportrange tcp %port% 1 >nul 2>&1
if %errorlevel% == 0 (
set reserved_port=%port%
rem %reserved_port% is still empty when this block is parsed, so echo %port% instead
echo Successfully reserved TCP port %port%
) else (
echo Port %port% is in use. Trying next...
set /a port+=1
set /a retries+=1
goto retry
)
echo The reserved port is: %reserved_port%
pause
netsh interface ipv4 show excludedportrange protocol=tcp
If you've enabled Hyper-V, you'll see excluded ports being random!
net stop winnat
netsh interface ipv4 show excludedportrange protocol=tcp
net start winnat
netsh interface ipv4 show excludedportrange protocol=tcp
netstat -ano | findstr :55555
(finds nothing is binding to the port)
netsh interface ipv4 show tcpconnections
ncat -l -p 55555 (or... ncat -l -k -p 55555 -e exit)
Ncat: bind to :::55555: An attempt was made to access a socket
netsh interface ipv4 show excludedportrange protocol=tcp
(shows the port is excluded)
Did you activate Hyper-V in that PC? Or was it someone else? Maybe you
or that person forgot what they had done....
telnet localhost 55563
[Mixmin]