SOLVED: Windows 10 forbidden port bind

Angry budgie - Photo by Егор Камелев on Unsplash

Ever have this problem, launching a Docker container (in this case, Nginx on port 8000)?

Error: Unable to start container: Error response from daemon: Ports are not available: listen tcp 0.0.0.0:8000: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

or maybe this problem, trying to run PHP’s built-in webserver?

php -S localhost:8080
[Fri Sep 11 09:00:09 2020] Failed to listen on localhost:8080 (reason: An attempt was made to access a socket in a way forbidden by its access permissions.)

Who to trust?

Like me, you may already have read many “solutions”, on a whole bunch of spammy websites. The “fixes” are often no more than workarounds – and in some cases, pretty bad workarounds, at that. Such as:

  • Disable VPN
  • Disable Internet Connection Sharing
  • Disable third party firewall
  • Disable antivirus (for goodness’ sake!)

More sensibly, use (e.g.) netstat to find out if something has already bound to the port.

None of these helped in my case. (Well I didn’t try disabling my antivirus or firewall, because c’mon!) Nothing was bound to the ports in question. I couldn’t disable ICS because I’m using its capabilities to provide NAT routing for Hyper-V networks.

The cause

It turns out the problem is down to Docker and Hyper-V reserving a shed load of ports. You can verify if this is the case for you by running the following command (which despite advice elsewhere on the internet does not need to be in an elevated PowerShell prompt; plain old no-privileges cmd will do):

netsh interface ipv4 show excludedportrange protocol=tcp

In my case, I could see that a lot of ports were reserved, between 1128 and 55437:

Start Port End Port
---------- --------
1128 1227
1228 1327
1328 1427
1428 1527
1528 1627
1628 1727
1728 1827
1828 1927
1928 2027
[snip]
50000 50059 *
53610 53709
53710 53809
54210 54309
54610 54709
54710 54809
54910 55009
55113 55212
55214 55313
55338 55437

* - Administered port exclusions.

I confirmed that this is the issue by picking a port that hadn’t been reserved:

php -S localhost:50080
[Fri Sep 11 09:12:21 2020] PHP 7.4.8 Development Server (http://localhost:50080) started

(For me, the PHP web server would also start quite happily on port 80, incidentally. But you probably shouldn’t do that!)

People who have identified this issue tend to recommend disabling Hyper-V, excluding whatever ports you need and re-enabling Hyper-V. I’m nervous of that approach however, having spent a lot of time configuring Hyper-V networking and having seen this approach nuke networking in the past.

If you’re happy taking that approach, I suggest reading and understanding this Microsoft article. Personally, I prefer to approach this as follows.

Find gaps in port reservations

Hyper-V and Docker between them seem to reserve different sets of ports on each reboot. Helpful. You can look for gaps in the port reservations using the following method, but note that these gaps will not persist, without other measures. Here’s how to find the gaps:

  1. Run the netsh command above.
  2. Copy and paste the output into Notepad++ and use search and replace (in regular expression mode) to turn all the spaces into tabs – replace ( +) with \t.
  3. Copy and paste the result into Excel (which will now put all the ports nicely into cells.
  4. Use an Excel formula to identify gaps in the reserved ranges: =IF(A4=(B3+1), "continuous", "## " & TEXT(A4-B3-1, "0") & " PORT GAP ##")
    List of reserved port ranges, showing any gaps
  5. Where “PORT GAP” appears, there is a gap between the end port on that line and the start port on the next (this would be 2115-2379 in the example above, which is 265 ports, inclusive).

As you can see, this approach does find you an available port (unless something else has bound to it):

php -S localhost:2115
[Fri Sep 11 09:36:58 2020] PHP 7.4.8 Development Server (http://localhost:2115) started

The fix: reserve your own ports

Well, two can play that game. Once you’ve found a gap, you can permanently reserve it for your own use. I found the largest gap between 12970 and 49670, so decided to reserve a memorable slice of ports: 20000- 21000. The appropriate incantation follows, which does need to be elevated this time. Swap port numbers and range to suit your environment and requirements:

netsh int ipv4 add excludedportrange protocol=tcp startport=20000 numberofports=1000 store=persistent

You will see that the range is now showing as administratively reserved (indicated by the asterisk):

netsh interface ipv4 show excludedportrange protocol=tcp

Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
1215 1314
…
20000 20999 *
…
51490 51589
- Administered port exclusions.

And once again, I can use a port within my preferred range:

php -S localhost:20080
[Fri Sep 11 10:37:23 2020] PHP 7.4.8 Development Server (http://localhost:20080) started

This exclusion persists between reboots and protects your range from being stolen by Hyper-V or anything else.

Angry budgie featured photo by Егор Камелев on Unsplash

SOLVED: “Access is denied, unable to remove” when deleting printer

It’s amazing to see that many years after I first wrote this post, visitors are still finding it useful!

If you really want to understand what’s going on under the hood, the Windows Internals books are the place to start. In the interests of transparency: this is an affiliate link. See my affiliate disclosure page for an explanation.

Many organisations push out printer installations via Active Directory. If you want to tidy up those printers (removing ones you don’t use) you may find Windows 7 doesn’t let you delete them, even though you may be a local administrator and even if you use an elevated Explorer session:

Access denied error

Use the following steps to resolve this annoyance.

From an elevated command prompt:

C:\Windows\system32>net stop spooler
The Print Spooler service is stopping.
The Print Spooler service was stopped successfully.

Then fire up regedit. Navigate to Computer\HKEY_CURRENT_USER\Printers\Connections and delete the offending printer:

printers regedit

Finally, restart the print spooler:

C:\Windows\system32>net start spooler
The Print Spooler service is starting.
The Print Spooler service was started successfully.

SOLVED: “Failed to initialize connection subsystem” in Cisco AnyConnect

AnyConnect logoTalk about obscure.

One of my end users was greeted by this informative error message recently. He was connecting to the internet using a 3G dongle and then to our network via Cisco AnyConnect VPN. “Software reinstall!” thought I. “Wrong!” said Google.

Although this is probably due to faulty programming on Cisco’s part, the culprit is Internet Explorer. (How I love to blame that historically stinky pile of poodoo.)

To resolve: load up IE. If you can’t see the [ File | Edit | View… ] menus, press Alt, to bring it up. On the File menu, “Work Offline” is almost certainly checked. Uncheck it. Connect again. Job done. Who knew.

If you’re using Internet Explorer 11, bad news: Microsoft removed the “Work offline” option from the File menu. Gone. So there’s no GUI interface to the relevant setting. In fact it’s a registry key called “GlobalUserOffline”, found at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. You need to set it to 0, disable “Work offline”. This registry file should do the trick: DisableWorkOffline.reg.

SOLVED: Outlook 2007 IMAP “The folder … cannot be selected”

Outlook IMAP errorHere’s an obscure one. I was escalated a call today (my job involves, amongst other things, third line support for email issues) where a user was unable to delete or open some items of email within Outlook 2007. An error message pops up saying, “The folder … cannot be selected. This may be because of a limitation of your IMAP server or the folder may have been deleted or moved.”

It turns out the error message is a bit of a red herring. By a process of elimination (starting Outlook in safe mode and selectively disabling add-ins) I found the culprit to be AVG Free. Whether the blame lies with AVG or Outlook 2007 is a moot point. Microsoft has taken a long time to implement IMAP correctly, so I suspect the latter. Whichever the case, no one in a corporate environment should be using a product not licensed commercially, so I sent my user off to buy Kaspersky Anti-Virus.

Windows: keyboard layout has changed spontaneously

keyboard I’ve recently noticed that the keyboard layout on my Windows XP PCs is spontaneously changing from UK to US. I suspect that this is linked to a piece of software I use called Input Director (which allows you to control several PCs/monitors from one keyboard/mouse).

Whatever the cause, from time to time my UK keyboard starts operating in US mode (so, for example, the following symbols are all swapped around: ", ', #, £). This is inconvenient, to say the least.

The logical place to look would be in Regional Settings/Languages, within the Control Panel. Nothing had changed there however: UK was the only layout showing as installed. Advanced Text Services were switched off and all the relevant keyboard shortcuts were disabled.

In my search for a solution, I came across this page, which describes a similar situation. Within the comments on that page, one contributor has posted:

Try holding ‘alt’ and pressing ‘shift’ three times.
alt+shift+shift+shift

The mysterious Jim doesn’t explain why this works – and I have yet to find any documentation, but, sure enough, Alt-Shift-Shift-Shift does indeed reset the keyboard layout back to UK. Further repetitions of the keyboard combo have no other effect, so this is a reset rather than a toggle.

Office has a mind of its own

Microsoft Office products can exhibit a similar behaviour. If you’re finding that some MS Office product is using the wrong keyboard map (but other programs are fine), try this: First click on the Office program, somewhere you can enter text. Then press the left shift and alt keys together. You should be returned to your default keyboard mapping.

You can actually remove the unwanted keyboard layout from Office – note this is separately managed from the Windows keyboard layout, for some reason. In one of the Office programs (for 2010 onwards), click File -> Options -> Language. If you see more than one “Editing Language” in the list, select any you don’t want and click “Remove”.

Keyboard image copyright © yum9me, licensed under Creative Commons. Used with permission.