See network activity
TCPView is a free Sysinternals utility for desktops that enumerates and monitors TCP and UDP endpoints and maps them to owning processes. The interface shows process, PID, protocol, addresses, ports, and TCP states, with optional DNS resolution. It has a one-second refresh that uses color-highlighting for additions, removals, and state changes.
TCPView runs on Windows Server 2012+. Commands support closing established TCP connections and saving the current listing to a file. The distribution includes Tcpvcon, a command-line tool with switches for showing all endpoints, suppressing name resolution, and producing CSV output. Both tools are portable binaries that run without installation.
TCPView queries the kernel networking APIs and enumerates active endpoints. The table displays process name, PID, protocol, addresses, ports, and, for TCP, the connection state. DNS name resolution can be toggled per session. Update speed is configurable; the default interval is one second. New rows are highlighted in green, closed rows in red, and state transitions in yellow during refresh cycles.
TCP Tracker
Actions operate on selected endpoints and output. Established TCP connections can be closed on the local machine. The Save command writes the table to disk for later analysis. Each row is associated with an owning process and, when available, a service name. Sorting applies to all columns. Pausing freezes updates while preserving the local snapshot, enabling selection, filtering operations, and review without interference from refresh events.
The package includes Tcpvcon, a command-line counterpart that outputs a netstat-style listing and supports filtering. Switches include -a to include listening and non-listening endpoints, -n to disable name resolution, and -c to emit CSV. Tcpvcon accepts a process name or PID to scope results. Both tools can run directly from Sysinternals Live. Distributions include 32-bit and 64-bit builds. Some per-process details may require elevated rights.
Map ports to apps
TCPView operates as a real-time endpoint enumerator and process mapper for Windows 8.1+ and Windows Server 2012+. It supports adjustable refresh, optional DNS resolution, color-coded deltas, per-row process association, connection termination for established TCP sessions, and export to file. Tcpvcon mirrors core functions for scripts through -a, -n, and -c switches. However, it lacks packet inspection, offers limited UDP control, and its logging is refresh-based rather than event-driven.
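The refresh-based delta view described above, as an added example (not Sysinternals code and not from the original page): it diffs two endpoint snapshots into added, removed, and state-changed rows. The six-column CSV layout and the sample rows are constructed assumptions, not verified Tcpvcon output.

```python
import csv
import io

# Assumed column order for each CSV row (an assumption, not confirmed by the page).
FIELDS = ["proto", "process", "pid", "state", "local", "remote"]

# Constructed sample snapshots, one per refresh cycle (documentation address ranges).
SNAPSHOT_1 = """\
TCP,svchost.exe,1044,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,chrome.exe,5120,ESTABLISHED,192.0.2.10:50111,198.51.100.7:443
TCP,updater.exe,7312,SYN_SENT,192.0.2.10:50200,203.0.113.9:8443
UDP,dns.exe,1500,,0.0.0.0:53,*:*
"""
SNAPSHOT_2 = """\
TCP,svchost.exe,1044,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,updater.exe,7312,ESTABLISHED,192.0.2.10:50200,203.0.113.9:8443
TCP,backup.exe,8800,ESTABLISHED,192.0.2.10:50301,198.51.100.20:22
UDP,dns.exe,1500,,0.0.0.0:53,*:*
"""

def parse_snapshot(text):
    """Return {endpoint key: row}; the key identifies one endpoint across refreshes."""
    rows = {}
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # skip banners, blank lines, and malformed rows
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        rows[(row["proto"], row["pid"], row["local"], row["remote"])] = row
    return rows

def diff_snapshots(old, new):
    """Classify endpoints as added, removed, or state-changed between two polls."""
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    changed = [(old[k]["state"], new[k]) for k in sorted(new.keys() & old.keys())
               if old[k]["state"] != new[k]["state"]]
    return added, removed, changed

if __name__ == "__main__":
    added, removed, changed = diff_snapshots(parse_snapshot(SNAPSHOT_1),
                                             parse_snapshot(SNAPSHOT_2))
    for r in added:
        print("NEW    ", r["process"], r["pid"], r["local"], "->", r["remote"])
    for r in removed:
        print("CLOSED ", r["process"], r["pid"], r["local"], "->", r["remote"])
    for prev, r in changed:
        print("CHANGED", r["process"], r["pid"], prev, "->", r["state"])
```

An endpoint that opens and closes between two polls appears in neither snapshot, so this kind of diff cannot see connections shorter than the refresh interval.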
- Pros
  - Real-time TCP/UDP enumeration with per-process mapping
  - Adjustable refresh interval; pause mode
  - Color-coded state changes
  - Close established TCP connections
- Cons
  - No packet capture or payload inspection















