Administered Port Exclusions blocking high ports

We noticed an issue following Windows 10 update 1809 where Windows would reserve a range of ports that included port 50,000. This was an issue for our developers who had long been using this port for test websites.

Whilst we were able to mitigate this initially by moving the dynamic range away from the default, we found that following the next update (I think KB4497934), ‘Administered port exclusions’ were made outside of our specified range, resulting in the websites not being able to start.

Lots of other people have seen this too, with a few notable links pasted below:

http://blog.sixthimpulse.com/2019/01/docker-for-windows-port-reservations/

https://github.com/docker/for-win/issues/3171

After the updates, we saw the following results from netsh – you can see the asterisk against a range including port 50,000:

After moving the port range we still saw excluded ports in the high range (i.e. above 50,000) and our sites still failed. Following a support call with Microsoft we were informed of an entirely undocumented (at time of writing) registry key, ‘EnableExcludedPortRange’, which disables the excluded port range (in effect, the ports marked with an asterisk above). We then see:

In the end we knocked up a quick script to look for Hyper-V being installed (as this is where we saw the issue) and make the changes as described above – this will also undo the changes if Hyper-V is removed. Consider a better detection method as this isn’t the quickest, but we got bored of this issue so it will do for now:


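rem Modify Dynamic Port Range for Development Users
rem The default dism listing prints the feature name even when its state is Disabled.
rem /format:table puts name and state on one line, so the second find only matches an enabled Hyper-V feature.
dism /online /get-features /format:table | find /i "Microsoft-Hyper-V" | find /i "Enabled" && (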
rem Modify Dynamic Port Range
start /wait "" netsh int ipv4 set dynamicport tcp start=20000 num=16384
start /wait "" netsh int ipv4 set dynamicport udp start=20000 num=16384

rem Add Registry Key
start /wait "" reg add HKLM\SYSTEM\CurrentControlSet\Services\hns\State /v EnableExcludedPortRange /d 0 /f

goto :eof

)

rem Set range to default
start /wait "" netsh int ipv4 set dynamicport tcp start=49152 num=16384
start /wait "" netsh int ipv4 set dynamicport udp start=49152 num=16384

rem Remove Registry Key
start /wait "" reg delete HKLM\SYSTEM\CurrentControlSet\Services\hns\State /v EnableExcludedPortRange /f
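
To confirm whether a port still falls inside an excluded range after running the script, here is an added example (not part of the original post) that parses the output of `netsh int ipv4 show excludedportrange protocol=tcp`. The function names and the sample text are constructed for illustration.

```powershell
# Constructed sample in the layout netsh prints; not captured from a real machine.
$sample = @'

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
     49690       49789
     50000       50059     *

* - Administered port exclusions.

'@

function Get-ExcludedPortRange {
    # Turn the netsh text into objects: Start, End, and whether the row carries the asterisk.
    param([Parameter(Mandatory)][string[]]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s*(\*)?\s*$') {
            [pscustomobject]@{
                Start        = [int]$Matches[1]
                End          = [int]$Matches[2]
                Administered = $Matches.ContainsKey(3)
            }
        }
    }
}

function Test-PortExcluded {
    # Return every excluded range that contains the given port (nothing if the port is free).
    param([int]$Port, [object[]]$Ranges)
    $Ranges | Where-Object { $Port -ge $_.Start -and $Port -le $_.End }
}

# On a live machine, pass the real output instead of $sample:
#   $ranges = Get-ExcludedPortRange -Text (netsh int ipv4 show excludedportrange protocol=tcp)
$ranges = Get-ExcludedPortRange -Text $sample
$hit = Test-PortExcluded -Port 50000 -Ranges $ranges
if ($hit) {
    $hit | ForEach-Object {
        $kind = if ($_.Administered) { 'administered (*)' } else { 'not marked with *' }
        "Port 50000 is inside excluded range $($_.Start)-$($_.End), $kind"
    }
} else {
    'Port 50000 is not in any excluded range'
}
```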
