windows - Cannot bind to some ports due to permission denied

Question

For the last 3 months or so I'm having random errors where I can't bind a specific port where our Identity server is running on my local development workstation. At first I thought it's my broken machine, so I reset everything, which kinda fixed the issue for 2 months and now it is back.

In the meanwhile other developers saw the same issue. All of us who experience the issue are running Windows 10, but not everyone with Windows 10 has that issue.

Restarting windows after it was shut down with shutdown /s /f /t 0 is the only reliable solution to open up the port again. After I restart normally (due to windows updates or similar) the issue comes up again an I need to shut down windows with that command.

I wrote a small f# script to test which ports are affected. The exact error message I get is

An attempt was made to access a socket in a way forbidden by its access permissions

When I looked for it, the suggested solutions where to restart the machine, but that seems more like a work around, not a real solution. I've also found https://stackoverflow.com/a/10461978/621366 - but netstat -o doesn't list the port, neither does the tool TCPView. All of us are pretty sure that the port isn't occupied by anything. I also tried running netstat in an administrator console and similar commands inside bash on windows, but couldn't find anything. I can't even connect to the port via telnet, it says nothing is listening on the port.

those ports in question are for instance:

• 49670 - 49689
• 49710 - 49749
• 49760 - 49779
• 49811 - 49830
• 49843 - 49882
• 50197 - 50216

None of us modified anything on the windows firewall or has any additional anti virus tools installed except the windows 10 default ones. So everything should be on default values. And it also worked normally for ~10 months before it broke the first time and afterwards for 2 months. In both cases after some windows updates where installed. The last time it was a bios update (probably due to the meltdown / spectre issues?).

Also trying to open up the ports explicitly on the firewall didn't help.

According to this answer https://stackoverflow.com/a/23982901/621366 TCPView and netstat shouldn't miss any occupied ports, but even when I enable showing unconnected endpoints in TCPView, I don't see any of the ports where I get permission denied when trying to bind them. Here a screen from the occupied ports (I marked the bordering occupied ports which are right before or after the group of permission-denied-ports)

UPDATE:

I've noticed that it always seems to be 160 or 180 (exact numbers) of ports which have permission denied in the ranges of 40,000+ This seems oddly coincidental to me, so obviously something is occupying the ports on purpose, but what? I can't seem to find anything in the windows event logs (although I wouldn't know what to look for exactly) and none of those ports shows up any any of my firewall rules. Also shutting down docker for windows doesn't make any difference and when a colleague mentioned that for them it's enough to restart docker for windows (in the UI go to Reset->Restart) and right now for me, even restarting with the shutdown command doesn't work anymore.

UPDATE 2:

The output of netstat -ano run from an administrator powershell:

Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1152
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING       4696
TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       6616
TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:5432           0.0.0.0:0              LISTENING       11100
TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       7056
TCP    0.0.0.0:17500          0.0.0.0:0              LISTENING       9668
TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       784
TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1628
TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       2028
TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       3560
TCP    0.0.0.0:49800          0.0.0.0:0              LISTENING       856
TCP    0.0.0.0:49821          0.0.0.0:0              LISTENING       892
TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       11100
TCP    0.0.0.0:50001          0.0.0.0:0              LISTENING       11100
TCP    0.0.0.0:51000          0.0.0.0:0              LISTENING       11100
TCP    10.0.75.1:139          0.0.0.0:0              LISTENING       4
TCP    10.0.75.1:445          10.0.75.2:44848        ESTABLISHED     4
TCP    127.0.0.1:843          0.0.0.0:0              LISTENING       9668
TCP    127.0.0.1:944          0.0.0.0:0              LISTENING       688
TCP    127.0.0.1:944          127.0.0.1:50968        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50970        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50973        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50977        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50981        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50990        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50992        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:50996        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:51005        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:51007        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:51009        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:51015        TIME_WAIT       0
TCP    127.0.0.1:944          127.0.0.1:51017        ESTABLISHED     688
TCP    127.0.0.1:4380         0.0.0.0:0              LISTENING       11024
TCP    127.0.0.1:6942         0.0.0.0:0              LISTENING       9296
TCP    127.0.0.1:17600        0.0.0.0:0              LISTENING       9668
TCP    127.0.0.1:49668        127.0.0.1:49669        ESTABLISHED     688
TCP    127.0.0.1:49669        127.0.0.1:49668        ESTABLISHED     688
TCP    127.0.0.1:50076        127.0.0.1:50077        ESTABLISHED     8828
TCP    127.0.0.1:50077        127.0.0.1:50076        ESTABLISHED     8828
TCP    127.0.0.1:50173        127.0.0.1:50174        ESTABLISHED     9668
TCP    127.0.0.1:50174        127.0.0.1:50173        ESTABLISHED     9668
TCP    127.0.0.1:50175        127.0.0.1:50176        ESTABLISHED     9668
TCP    127.0.0.1:50176        127.0.0.1:50175        ESTABLISHED     9668
TCP    127.0.0.1:50197        127.0.0.1:50198        ESTABLISHED     9668
TCP    127.0.0.1:50198        127.0.0.1:50197        ESTABLISHED     9668
TCP    127.0.0.1:50335        127.0.0.1:50336        ESTABLISHED     6424
TCP    127.0.0.1:50336        127.0.0.1:50335        ESTABLISHED     6424
TCP    127.0.0.1:50346        127.0.0.1:50347        ESTABLISHED     11100
TCP    127.0.0.1:50347        127.0.0.1:50346        ESTABLISHED     11100
TCP    127.0.0.1:51011        127.0.0.1:51012        ESTABLISHED     9296
TCP    127.0.0.1:51012        127.0.0.1:51011        ESTABLISHED     9296
TCP    127.0.0.1:51013        127.0.0.1:51014        ESTABLISHED     9296
TCP    127.0.0.1:51014        127.0.0.1:51013        ESTABLISHED     9296
TCP    127.0.0.1:51016        0.0.0.0:0              LISTENING       9296
TCP    127.0.0.1:51017        127.0.0.1:944          ESTABLISHED     8828
TCP    127.0.0.1:63342        0.0.0.0:0              LISTENING       9296
TCP    127.94.0.1:946         0.0.0.0:0              LISTENING       688
TCP    127.94.0.2:946         0.0.0.0:0              LISTENING       688
TCP    127.94.0.3:946         0.0.0.0:0              LISTENING       688
TCP    127.94.0.4:946         0.0.0.0:0              LISTENING       688
TCP    169.254.105.83:139     0.0.0.0:0              LISTENING       4
TCP    192.168.0.107:139      0.0.0.0:0              LISTENING       4
TCP    192.168.0.107:49415    111.221.29.134:443     ESTABLISHED     4316
TCP    192.168.0.107:49417    111.221.29.127:443     ESTABLISHED     4316
TCP    192.168.0.107:50185    162.125.66.3:443       CLOSE_WAIT      9668
TCP    192.168.0.107:50246    52.70.31.26:443        CLOSE_WAIT      9668
TCP    192.168.0.107:50253    35.177.204.73:443      ESTABLISHED     2804
TCP    192.168.0.107:50254    35.177.204.73:443      ESTABLISHED     2804
TCP    192.168.0.107:50256    35.177.204.73:443      ESTABLISHED     2804
TCP    192.168.0.107:50257    158.85.224.175:443     ESTABLISHED     10836
TCP    192.168.0.107:50258    13.69.14.160:443       ESTABLISHED     8620
TCP    192.168.0.107:50310    66.102.1.188:443       ESTABLISHED     11184
TCP    192.168.0.107:50329    157.240.20.15:443      ESTABLISHED     10836
TCP    192.168.0.107:50331    111.221.29.74:443      ESTABLISHED     10072
TCP    192.168.0.107:50332    162.125.18.133:443     ESTABLISHED     9668
TCP    192.168.0.107:50351    40.77.226.194:443      ESTABLISHED     8620
TCP    192.168.0.107:50460    66.102.1.189:443       ESTABLISHED     10836
TCP    192.168.0.107:50470    66.102.1.189:443       ESTABLISHED     10836
TCP    192.168.0.107:50501    192.30.253.125:443     ESTABLISHED     11184
TCP    192.168.0.107:50513    40.77.226.194:443      ESTABLISHED     8620
TCP    192.168.0.107:50529    87.98.218.198:443      ESTABLISHED     12540
TCP    192.168.0.107:50530    172.217.21.46:443      ESTABLISHED     10836
TCP    192.168.0.107:50616    172.217.21.46:443      ESTABLISHED     10836
TCP    192.168.0.107:50630    162.125.18.133:443     ESTABLISHED     9668
TCP    192.168.0.107:50641    172.217.21.37:443      ESTABLISHED     10836
TCP    192.168.0.107:50645    162.125.66.4:443       CLOSE_WAIT      9668
TCP    192.168.0.107:50668    87.98.218.198:443      ESTABLISHED     12540
TCP    192.168.0.107:50703    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50709    192.30.253.125:443     ESTABLISHED     11184
TCP    192.168.0.107:50744    87.98.218.198:443      ESTABLISHED     12540
TCP    192.168.0.107:50828    162.125.66.3:443       CLOSE_WAIT      9668
TCP    192.168.0.107:50830    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50831    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50832    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50834    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50835    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50836    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50837    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50839    192.30.253.125:443     ESTABLISHED     11184
TCP    192.168.0.107:50844    151.101.0.133:443      ESTABLISHED     11184
TCP    192.168.0.107:50847    192.30.253.124:443     ESTABLISHED     11184
TCP    192.168.0.107:50857    192.30.253.124:443     ESTABLISHED     11184
TCP    192.168.0.107:50863    162.125.34.137:443     CLOSE_WAIT      9668
TCP    192.168.0.107:50865    172.217.21.46:443      TIME_WAIT       0
TCP    192.168.0.107:50866    172.217.21.46:443      ESTABLISHED     10836
TCP    192.168.0.107:50910    35.186.213.138:

Answer 1

The reason is that Hyper-V takes over these ports, to prevent it from happening do the following:

1. dism.exe /Online /Disable-Feature:Microsoft-Hyper-V (will have to restart)
2. netsh int ipv4 add excludedportrange protocol=tcp startport=<your port> numberofports=1
3. dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All

The original solution is here.

If after that you still can't bind to the port do the following:

• netsh http add iplisten 0.0.0.0 for IPv4
• netsh http add iplisten :: for IPv6

More information is here.