How to See What Web Sites Your Computer Is Secretly Connecting To

Your PC makes lots of Internet connections in a day’s business, and not all of them are necessarily sites you’re aware connections are happening with. While some of these connections are harmless, there is always a chance that you have some malware, spyware, or adware using your Internet connection in the background without your knowledge. Here’s how to see what’s going on under the hood.

We’re going to cover three ways you can view your PC’s active connections. The first uses the good old netstat command from PowerShell or the Command Prompt. Then, we’ll show you two free tools—TCPView and CurrPorts—that also get the job done and may be more convenient.

Option One: Check Active Connections with PowerShell (or Command Prompt)

This option uses the netstat command to generate a list of everything that has made an Internet connection in a specified amount of time. You can do this on any PC running Windows, from Windows XP Service Pack 2 all the way up to Windows 10. And, you can do it using either PowerShell or Command Prompt. The command works the same in both.

First, fire up PowerShell as an administrator by hitting Windows+X, and then selecting “PowerShell (Admin)” from the Power User menu. If you’re using the Command Prompt instead, you’d also have to run that as an administrator.

At the prompt, type the following command, and then press Enter.

netstat -abf 5 > activity.txt

We’re using four modifiers on the netstat command. The –a option tells it to show all connections and listening ports. The –b option adds what application is making the connection to the results. The –f option displays the full DNS name for each connection option, so that you can more easily understand where the connections are being made. The 5 option causes the command to poll every five seconds for connections (to make it more easy to track what is going on). We’re then using the piping symbol “>” to save the results to a text file named “activity.txt.”

After issuing the command, wait a couple of minutes, and then press Ctrl+C to stop the recording of data.

When you’ve stopped recording data, you’ll need to open the activity.txt file to see the results. You can open the file in Notepad immediately from the PowerShell prompt by just typing “activity.txt” and then hitting Enter.

The text file is stored in the \Windows\System32 folder if you want to find it later or open it in a different editor.

The activity.txt file lists all processes on your computer (browsers, IM clients, email programs, etc.) that have made an Internet connection in the time during which you left the command running. This includes both established connections and open ports on which apps or services are listening for traffic. The file also lists which processes connected to which websites.

If you see process names or website addresses with which you are not familiar, you can search for “what is (name of unknown process)” in Google and see what it is. It’s possible we’ve even covered it ourselves as part of our ongoing series explaining various processes found in Task Manager. However, if it seems like a bad site, you can use Google again to find out how to get rid of it.

Option Two: Check Active Connections By Using TCPView

The excellent TCPView utility that comes in the SysInternals toolkit lets you quickly see exactly what processes are connecting to what resources on the Internet, and even lets you end the process, close the connection, or do a quick Whois lookup to get more information. It’s definitely our first choice when it comes to diagnosing problems or just trying to get more information about your computer.

Note: When you first load TCPView, you might see a ton of connections from [System Process] to all sorts of Internet addresses, but this usually isn’t a problem. If all of the connections are in the TIME_WAIT state, that means that the connection is being closed, and there isn’t a process to assign the connection to, so they should up as assigned to PID 0 since there’s no PID to assign it to.

This usually happens when you load up TCPView after having connected to a bunch of things, but it should go away after all the connections close and you keep TCPView open.

Option Three: Check Active Connections By Using CurrPorts

You can also use a free tool named CurrPorts to display a list of all currently opened TCP/IP and UDP ports on your local computer. It’s a bit more focused tool than TCPView.

For each port, CurrPorts lists information about the process that opened the port. You can close connections, copy a port’s information to the clipboard, or save that information to various file formats. You can reorder the columns displayed on the CurrPorts main window and in the files you save. To sort the list by a specific column, just click on the header of that column.

CurrPorts runs on everything from Windows NT up through Windows 10. Just note that there is a separate download of CurrPorts for 64-bit versions of Windows. You can find more information about CurrPorts and how to use it on their website.


source :