Using PortQry to Check TCP/UDP Open Ports (Port Scanner)

Windows has many tools for troubleshooting TCP/IP networks (ping, telnet, pathping, etc.), but not all of them make it easy to check the status of, or search for, open network ports on a remote server. Portqry.exe is a useful tool for checking the response of TCP/UDP ports on remote hosts when diagnosing problems with network services and firewalls on TCP/IP networks. PortQry is usually used as a more functional replacement for telnet. Unlike telnet, it can also check for open UDP ports.

Scanning open UDP/TCP ports with PortQry

The first version of PortQry, written for Windows Server 2003, does not work well on newer versions of the operating system (Windows Server 2008 and later), so a second version of the utility, PortQryV2, has been released. This is the version you should use today (you can download PortQryV2 here). On Windows 10 you can install PortQry via the Chocolatey package manager using the command:

choco install portqry

Download and extract the PortQryV2.exe archive. Open a command prompt and go to the directory containing the utility, for example:

cd c:\tools\PortQryV2


For example, to check the availability of a DNS server from a client, check that TCP and UDP port 53 are reachable from the client. The syntax of the port check command is as follows:

PortQry -n server [-p protocol] [-e || -r || -o endpoint(s)]

  • -n is the name or IP address of the server whose availability you wish to check;
  • -e is the number of the port to check (from 1 to 65535);
  • -r is the range of ports to check (e.g. 1:80);
  • -p is the protocol used for verification. This can be TCP, UDP or BOTH (default is TCP).

Note. Unlike the PowerShell Test-NetConnection cmdlet, which can only test the availability of TCP ports, the PortQry utility supports both TCP and UDP.

In our example, the command looks like this:

PortQry.exe -n server -p both -e 53


PortQry reports one of three port states:

  • Listening – the port is open (accepting connections) and a response was received from it;
  • Not listening – there is no process (service) on the target system accepting connections on the specified port. PortQry received an ICMP "Destination Unreachable – Port Unreachable" response when checking a UDP port, or a TCP packet with the Reset flag;
  • Filtered – PortQry received no response from the specified port, or the response was filtered. The port is either not listening on the target system, or access to it is restricted by a firewall or certain system settings. By default, TCP ports are queried three times and UDP ports once.

In our example, the DNS server is accessible from the client via TCP and UDP ports.

TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING

You can use the -o option to specify a comma-separated list of ports to check:

portqry -n server -p tcp -o 21,110,143

The following command scans the range of well-known TCP/IP port numbers and displays the ports that accept connections (it works just like a TCP port scanner):

portqry -n server -r 1:1024 | find ": LISTENING"

You can save the result of an open port scan to a text file:

portqry -n server -p tcp -r 20:500 -l scan_port_log.txt
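
The following PowerShell is an added example, not part of the original article: it parses the status lines PortQry writes to a log such as scan_port_log.txt and flags LISTENING ports that are missing from an allowlist of expected services. The sample log lines and the $expected allowlist are constructed for illustration, and ConvertFrom-PortQryLog is a hypothetical helper name.

```powershell
# Constructed sample data in the format of PortQry status lines.
# For a real scan use: $sampleLog = Get-Content -Path .\scan_port_log.txt
$sampleLog = @'
TCP port 21 (ftp service): NOT LISTENING
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
TCP port 135 (epmap service): LISTENING
TCP port 445 (microsoft-ds service): FILTERED
UDP port 1434 (ms-sql-m service): LISTENING or FILTERED
TCP port 3389 (ms-wbt-server service): LISTENING
'@ -split '\r?\n'

function ConvertFrom-PortQryLog {
    param([string[]]$Line)
    # Longest alternatives first, so "LISTENING or FILTERED" and "NOT LISTENING"
    # are never mistaken for plain "LISTENING". Other log lines are ignored.
    $pattern = '^(?<proto>TCP|UDP) port (?<port>\d+) \((?<service>.+?) service\)\s*:\s*' +
               '(?<state>LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)\s*$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Protocol = $Matches.proto
                Port     = [int]$Matches.port
                Service  = $Matches.service
                State    = $Matches.state
            }
        }
    }
}

# Hypothetical allowlist: protocol/port pairs this host is expected to expose.
$expected = 'TCP/53', 'UDP/53', 'TCP/135'
$results  = ConvertFrom-PortQryLog -Line $sampleLog

# LISTENING is a confirmed open port. "LISTENING or FILTERED" is what PortQry
# reports for a UDP port that sent nothing back, so it is listed separately.
$unexpected = $results | Where-Object {
    $_.State -eq 'LISTENING' -and "$($_.Protocol)/$($_.Port)" -notin $expected
}
$ambiguous = $results | Where-Object { $_.State -eq 'LISTENING or FILTERED' }

'Unexpected open ports:'
$unexpected | Format-Table Protocol, Port, Service, State -AutoSize
'UDP ports that need a protocol-level check:'
$ambiguous | Format-Table Protocol, Port, Service -AutoSize
```

With the sample data, TCP/3389 is reported as an unexpected open port and UDP/1434 as ambiguous.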

The portqry utility has an interactive mode:


You can now specify the remote computer name and port number in PortQry’s interactive mode:

node srv-lic
set port=80

To check the port on the specified server, press q and Enter.


Use the -wport and -wpid arguments to check the status of the specified port (wport) or all ports connected to the specified process (wpid) on the local host.

For example, the following command monitors the response of the specified local port (e.g. RDP port 3389) for 10 minutes and informs the administrator if its status changes (a detailed log is written to LogFile.txt). To stop port monitoring, press Ctrl-C:

portqry -wport 3389 -wt 600 -l LogFile.txt -y -v

You can get information about open ports and active TCP/UDP connections on the local computer:

portqry.exe -local

Advanced Network Service Status Checks in PortQry

PortQry has built-in support for certain network services: LDAP, Remote Procedure Calls (RPC), SMTP/POP3/IMAP4, SNMP, FTP/TFTP, NetBIOS Name Service, L2TP and others. In addition to checking port availability, the tool sends protocol-specific queries to obtain the status of the service.

For example, use the following command to check the availability of the RPC Endpoint Mapper (TCP/135) service and obtain a list of the RPC endpoints registered on the computer (including their name, UUID, the address they are bound to and the application they belong to).

portqry -n server -p tcp -e 135

TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:
UUID : d95afe72-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp: [49152]
UUID : 8975497f-93f3-4376-9c9c-fd2277495c27 Frs2 Service
ncacn_ip_tcp: [5722]
UUID : 6b5bd21e-528c-422c-af8c-a4079be4a448 API
ncacn_ip_tcp: [63006]
UUID: 12345678-1234-abcd-ef22-0123456789ab IPSec Endpoint Agent Policy
ncacn_ip_tcp: [63006]
UUID: 367abb81-9844-35f1-ad32-912345001003
ncacn_ip_tcp: [63002]
UUID: 50cda2a3-574d-40b3-1d66-ee4aaa33a076
ncacn_ip_tcp: [56020]
UUID: 3c4428c5-f0ab-448b-bda1-6ce01eb0a6d5 DHCP client LRPC endpoint
ncacn_ip_tcp:10.0.25.6 [49153]
Total endpoints found: 61
==== End of RPC Endpoint Mapper query response ====
portqry.exe -n server -e 135 -p TCP exits with return code 0x0000.

You can also check the availability and responsiveness of the SQL Server browser service running on Microsoft SQL Server:

PortQry.exe -n rome-sql01 -e 1434 -p UDP

UDP port 1434 (ms-sql-m service): LISTENING or FILTERED
Sending SQL Server query to UDP port 1434...
Server's response:
Server name ROME-SQL01
Instance name MSSQLSERVER
IsClustered No
Version 15.0.2000.5
tcp 53200

Server name ROME-SQL01
Instance name DBINVENT
IsClustered No
Version 15.0.2000.5
tcp 1433
==== End of SQL Server query response ====
UDP port 1434 is LISTENING

As you can see, PortQry not only showed that port 1434/UDP is available, but also returned the SQL Server version, the names of the instances running on the server and their TCP ports. One instance, DBINVENT, listens on the default port TCP/1433; the other, MSSQLSERVER, uses a fixed port, TCP/53200, from the RPC range.


You can query the SNMP port of a device by specifying the community name:

portqry -n rome-sql1 -cn !snmp_trap! -e 161 -p udp

If you check the TCP/25 port on the SMTP server, you can get an SMTP service banner:

portqry -n server -p tcp -e 25

PortQry GUI Version

PortQry was originally a console-based (CLI) tool. To make it easier for users who do not like the command line, Microsoft developed a simple graphical interface for portqry, PortQueryUI. You can download PortQueryUI from the official Microsoft website.

PortQueryUI is essentially a graphical front end for portqry: it generates the command line and shows the result in a graphical window.

In addition, PortQueryUI contains several sets of predefined queries to check the availability of the most common Microsoft services:

  • Domains and trusts (control of ADDS services on an Active Directory domain controller)
  • Exchange server
  • SQL Server
  • Networking
  • IP Sec
  • Web Server
  • Net Meeting

I don’t think PortQueryUI needs any particular comments. This should be clear if you look at the screenshot below. Enter the DNS name or IP address of the remote server, select one of the predefined services (Query predefined service) or enter the port numbers to check manually (Manually input query ports), and click Query.


Possible return codes in PortQueryUI (highlighted in the screenshot):

  • 0 (0x000000) – The connection is successful and the port is available;
  • 1 (0x000001) – The specified port is not available or is being filtered;
  • 2 (0x000002) – The normal return value when checking a UDP connection, since no ACK response is returned.
