Windows 11 Open Ports
netstat -ano
Then check PID in Task Manager or:
tasklist | findstr <PID>
Even if a process listens on port 9000, the firewall may block external access.
Check effective rules:
Test-NetConnection -ComputerName localhost -Port 9000
For remote checking: Test-NetConnection -ComputerName remote-pc -Port 3389
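The listener-to-process lookup and the firewall check above can be combined in one audit pass. This is an added PowerShell example, not part of the original page. It matches rules on protocol and local port only and ignores program, profile and address conditions, so each hit is a candidate to review rather than proof of exposure.

```powershell
# Added example: list listening TCP ports, their owning process, and any enabled
# inbound allow rule whose port filter covers them. Run in an elevated session.

# Collect enabled inbound allow rules with a TCP (or Any) port filter once.
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.Protocol -in 'TCP', 'Any') {
            [pscustomobject]@{ Name = $_.DisplayName; Ports = @($filter.LocalPort) }
        }
    }

# True when a LocalPort entry (Any, a single port, or a range "a-b") covers $Port.
function Test-PortCovered {
    param([string[]]$Spec, [int]$Port)
    foreach ($entry in $Spec) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
        # Keyword values (for example RPC) are dynamic and are not resolved here.
    }
    return $false
}

# Equivalent of "netstat -ano" filtered to LISTENING, joined with the process name.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort, LocalAddress -Unique |
    ForEach-Object {
        $conn  = $_
        $proc  = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $rules = $allowRules |
            Where-Object { Test-PortCovered -Spec $_.Ports -Port $conn.LocalPort }
        [pscustomobject]@{
            Address      = $conn.LocalAddress
            Port         = $conn.LocalPort
            ProcessId    = $conn.OwningProcess
            Process      = $proc.ProcessName
            # A loopback-only listener is not reachable from other hosts.
            LoopbackOnly = $conn.LocalAddress -in '127.0.0.1', '::1'
            AllowRules   = ($rules.Name | Select-Object -Unique) -join '; '
        }
    } | Format-Table -AutoSize
```

A listener with an empty AllowRules column is bound locally but has no matching inbound allow rule; a non-loopback listener with a matching rule is the case to review first.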
To open port 8080 via PowerShell (Admin):
New-NetFirewallRule -DisplayName "Allow Port 8080" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action Allow
In modern enterprise environments, the endpoint is the primary target for advanced persistent threats (APTs) and ransomware operators. While Windows 11 introduces significant architectural changes compared to its predecessor (Windows 10)—including hardware-enforced security via TPM 2.0 and Secure Boot—the underlying network stack retains compatibility with legacy protocols.
Understanding the "open ports" on a Windows 11 machine is not simply a matter of running a port scanner; it requires an understanding of the Windows Filtering Platform (WFP), the role of the Network Location Awareness (NLA) service, and the specific services bound to the TCP/IP stack. A default installation of Windows 11 is not a "stealth" machine; it listens on specific ports to facilitate file sharing, device discovery, and remote management.
| Port | Reason |
|------|--------|
| 53 | DNS client (outbound) |
| 80/443 | Web browsing (outbound) |
| 123 | NTP time sync |
| 1900 | UPnP (if needed) – risky |
| 3389 | RDP (only if remote desktop is used, change default port) |
Windows 11 does not have inbound web servers, SSH, or Telnet enabled by default.
Create an inbound rule blocking all ports except explicit allows — "whitelist" approach.
If netstat shows Port 445 open (SMB) but you don't need file sharing: