networkingserviceswindows
I just found out by using TCPView that one of my svchost.exe had an http connection in "CLOSE_WAIT" to a strange IP address, although no other visible program was running.
With the help of Process Explorer I discovered that this svchost was using the WebClient Windows service.
I'm wondering how I can figure out what program used WebClient to connect to this IP, in order to determine if it's malware.
Yes, in Process Explorer, the application using the port will have a "File" handle called \Device\SerialN where N is a zero-based index.
Update:
The "N" in "serialN" is not the COM port number, it's the index into the list of active ports. If you only have one port in use, it will always (?) be "serial0", and the second one you open will be "serial1". If you open them in the opposite order, the numbers will be reversed.
Check out the QueryDosDevice API. You should be able to iterate through COM1...COM? and get the "\device\serialN" entry for each open port. I'm not aware of a utility that will do this, you may need to roll your own.
There's a more COM-port-specific example here.
As stated by Joe Internet in the comments, you can specify the Service you want to use. For that, you have to define a new outbound rule, but use "Custom" instead of "Program". There, you can choose the service, in your case "Windows Update", or also "wuauserv", which should be exactly what you're looking for.
Best Answer
Well, you can find it out in this way: