Using the Windows Resource Monitor to monitor network activity

If you want to see the IP addresses to which a program on a Microsoft Windows system is establishing connections, you can use the Resource Monitor utility that is provided with Windows Vista and later versions of Windows to check on network connections from a particular application on the system. To start the program, you can click on the Windows Start button and type resmon or resmon.exe in the "Search programs and files" field on a Windows 7 system or the "Type here to search" field on a Windows 10 system. You should see the resmon utility returned as the best match.

When the Resource Monitor program is running, you can click on the Network tab and then TCP Connections to see network activity associated with programs currently running on the system . You can click on a column header, e.g. "Image" to sort the entries by the values in that column. E.g., in the example below, the entries are sorted on the image name, i.e., by the names of the running processes.

Udemy - April2516-25off-sitewide120x600

Resource Monitor - nis.exe

The column headers are as follows:

You can expand or contract the width of a column by clicking on the vertical line dividing it from an adjoining column and dragging the line left or right.

In the above example, I checked for the network connections established by a Norton Internet Security file, nis.exe. The location of the file on the system is shown below:

Learning Network Technology and Security
Learning Network Technology and Security
1x1 px

C:\Program Files\Norton Internet Security\Engine\22.11.2.7>dir nis.exe
 Volume in drive C has no label.
 Volume Serial Number is 2DF8-C431

 Directory of C:\Program Files\Norton Internet Security\Engine\22.11.2.7

11/10/2017  10:03 PM           288,504 nis.exe
               1 File(s)        288,504 bytes
               0 Dir(s)  52,797,091,840 bytes free

C:\Program Files\Norton Internet Security\Engine\22.11.2.7>

The Resource Monitor display shows the software connected to 152.195.12.171, an IP address assigned to ANS Communications, Inc (ANS) by the American Registry for Internet Numbers (ARIN), on port 80, the well-known port for HTTP connections, and 13.91.60.30 on port 443, the well-known port for HTTPS connections. The latter address is assigned to Microsoft by ARIN. The first address is associated with the fully qualified domain name (FQDN) liveupdate.symantecliveupdate.com, so the connection may represent the Norton antivirus software on the system checking for updates.

How to be an Independent security researcher Ethical Hacker
How to be an independent
security researcher / ethical hacker
1x1 px

C:\>nslookup liveupdate.symantecliveupdate.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cs964.wpc.chicdn.net
Address:  152.195.12.171
Aliases:  liveupdate.symantecliveupdate.com
          symantecliveupdate.5A45F.edgecastdns.net


C:\>

You can also find the IP addresses of systems to which an application is connected from a command-line interface (CLI), e.g., a command prompt, using the tasklist and netstat commands. You can use a tasklist command like the one shown below to find the PID of a process and then pipe the output of netstat -ano into the findstr command and have findstr filter on lines containing the PID to view only network connections for the relevant processes. Options for the three commands are shown at tasklist, netstat and findstr.

C:\>tasklist /fi "imagename eq nis.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
nis.exe                       3336 Services                   0     17,700 K
nis.exe                        604 Console                    1      9,780 K

C:\>netstat -ano | findstr 3336
  TCP    0.0.0.0:49174          0.0.0.0:0              LISTENING       3336
  TCP    0.0.0.0:49175          0.0.0.0:0              LISTENING       3336
  TCP    192.168.5.10:58034     40.114.95.106:443      ESTABLISHED     3336
  TCP    [::]:49175             [::]:0                 LISTENING       3336

C:\>netstat -ano | findstr 604

C:\>

In the above example, nis.exe has established a connection to a website at 40.114.95.106, another Microsoft IP address. Note that the connections to particular IP addresses will vary depending on when you run the command, just as they vary when viewed with the Resource Monitor program as an application may not be constantly connected to a particular IP address.

Related articles:

  1. Determining which program is listening on a port under Windows
  2. Determining the program that is connecting to specific IP addresses