How to Use SecCheck

1. Download SecCheckUI DOS from http://www.mynetwatchman.com/tools/sc. Save the file to the desktop.



2. Double click the SecCheck file after the download is complete. The SecCheckUI window will appear.



3. Click the Do Text Check button in the upper right of the SecCheckUI window.
4. The results of the text check will appear in the window. Click Save Results to File.
5. Open this file using Wordpad or Notepad. You may also e-mail this file to MOREnet Security at security@more.net for assistance.
6. If MOREnet Security has requested that you find a service running on a specific port, find the TCP table section of the report. An example of this table appears below.

TCP Table:


PID     1048      0.0.0.0:135       LISTENING   (** Service **) C:\WINDOWS\system32\svchost.exe
PID        4      0.0.0.0:445       LISTENING   System
PID     1732      0.0.0.0:11573       LISTENING   (** Service **) C:\OfficeScan NT\tmlisten.exe
PID      448    127.0.0.1:1053       LISTENING   (** Service **) C:\WINDOWS\System32\alg.exe
PID        4   10.20.30.179:139       LISTENING   System
PID        4   10.20.30.179:1090   10.20.30.226:139   ESTABLISHED   System
PID     3616   10.20.30.179:1117   10.100.151.68:1135   ESTABLISHED   C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PID     3616   10.20.30.179:1123   10.100.151.29:5137   ESTABLISHED   C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PID     3820   10.20.30.179:1163   10.100.151.174:22   ESTABLISHED   C:\Documents and Settings\youngba\Desktop\Putty\putty.exe
PID     3616   10.20.30.179:1167   10.100.151.37:5137   ESTABLISHED   C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PID      280   10.20.30.179:1169   10.100.151.20:51516   ESTABLISHED   C:\Program Files\Remedy\Aruser.exe
PID     3616   10.20.30.179:2210   10.100.151.34:5137   ESTABLISHED   C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PID     3300   10.20.30.179:2280   192.203.228.196:22   ESTABLISHED   C:\Documents and Settings\youngba\Desktop\Putty\putty.exe
PID        0   10.20.30.179:2632   10.20.30.22:135    TIME_WAIT   
PID        0   10.20.30.179:2633   10.20.30.22:1025    TIME_WAIT   
PID        0   10.20.30.179:2634   10.20.30.22:389    TIME_WAIT   
PID        0   10.20.30.179:2635   10.20.30.22:389    TIME_WAIT   
PID        0   10.20.30.179:2636   10.20.30.22:445    TIME_WAIT   

Let's break down one line so it's easier to read:

PID        4   10.20.30.179:139       LISTENING   System

In this line, the process is PID 4. The local IP address is 10.20.30.179 and the local port is 139. The port is in a LISTENING state and the system is running the process.

Another line:

PID     3616   10.20.30.179:1117   10.100.151.68:1135   ESTABLISHED   C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

The PID number is 3616. The local IP address is 10.20.30.179 and the local port is 1117. The next IP address represents the remote server and is 10.100.151.68. The port on this server is 1135. The process that owns this connection is OUTLOOK.EXE.

If you were asked, then, to identify what service was listening on port 1053, you could locate the following line in the SecCheck TCP table:

PID      448    127.0.0.1:1053       LISTENING   (** Service **) C:\WINDOWS\System32\alg.exe

Alg.exe is the Windows Application Layer Gateway service, which is used by the Microsoft Windows Internet Connection Sharing and Internet Connection Firewall.