Attention: We are retiring the ASP.NET Community Blogs. Learn more >

MSWMI.exe blocking port 80

Started out the week solving a mysterious problem. Come to find out that on our web server (running IIS) that port 80 was being used by some other process than inetinfo.exe. Trying to start IIS yielded the "Address already in use" message. At first I tried netstat -an but that didn't give me anything very useful. Next I ran TDIMon to see which processes was blocking port 80. It turned out to be mswmi.exe . I have no idea how that happened. I don't think we got hacked but, I could be wrong. So I went to Task Manager to kill mswmi.exe but it wouldn't let me. "Access denied", as they say. So I ran ActivePorts 1.4 which confirmed that it was indeed mswmi.exe blocking port 80, but, more importantly, allowed me to kill the process and start the website so that inetinfo.exe could bind to port 80 again.

Anybody know what mswmi.exe is? From the name I guessed it had something to do with the "WMI" we all know of but, that doesn't seem to be the case. The file itself was in %system32% so I am reluctant to delete it.

2 Comments

  • Spyware? Nothing should be listening on port 80 except a web server...

  • A google search showed references to it (and other similarly named files that get started as services) being of the type to spoof DNS servers and *attempt* to redirect HTTP and HTTPS messages.



    icky.



    Maybe soemone was using that server to do file sharing or surfing sites that know how to take advantage of holes in IE?



    Dunno.

Comments have been disabled for this content.