Download TCPView for Windows

Yes, TCPView is safe. It is developed and published by Microsoft as part of the Sysinternals suite, which has been maintained by Mark Russinovich since the late 1990s and officially owned by Microsoft since 2006.

The TCPView download (version 4.19) is a 1.5 MB ZIP file that contains digitally signed executables. Security scanners like SpyShelter and VirusTotal consistently report zero detections on the official binaries. The tool runs entirely on your local machine, does not send data to external servers, and does not modify any system files. It simply reads your operating system’s TCP/IP stack information and displays it in a window. On Windows 10 and Windows 11, SmartScreen may briefly show a warning because the executable is extracted from a ZIP rather than installed through a traditional installer, but this is normal behavior for portable utilities.

• Publisher: Microsoft Corporation, digitally signed
• VirusTotal: 0/70+ engines flag the official download
• No installation required – runs directly from the extracted folder
• Does not write to the registry or modify system settings
• Open-source Tcpvcon companion tool included in the same package

Pro tip: Always verify the digital signature by right-clicking tcpview.exe, selecting Properties, and checking the Digital Signatures tab. The signer should be “Microsoft Corporation.”

For more details about the download, visit our download section.

TCPView from the official Microsoft Sysinternals page is completely free from malware, spyware, adware, and bundled software. There is no installer that sneaks in browser toolbars or third-party programs.

The official distribution is a simple ZIP archive containing tcpview.exe (both 32-bit and 64-bit builds), the Tcpvcon command-line companion, and a EULA text file. No background services get installed, and the program does not phone home or collect telemetry. Microsoft maintains a strict policy against bundling on Sysinternals tools. The danger comes only when you download TCPView from unofficial third-party sites that might repackage the tool with adware or trojans. Sites like FileHorse, Softonic mirrors, and random download portals have been known to wrap legitimate tools in their own installers.

1. Download only from the official Microsoft Learn page or our verified download link
2. Check the file size – the official ZIP is approximately 1.5 MB
3. Scan the download with Windows Defender or your antivirus before extracting
4. Verify the digital signature matches Microsoft Corporation

Pro tip: If you want the entire Sysinternals toolkit at once, download the Sysinternals Suite ZIP from Microsoft. It includes TCPView alongside Process Explorer, Autoruns, and 70+ other utilities, all verified and signed.

Check our system requirements to confirm compatibility before downloading.

The official download for TCPView is hosted on Microsoft Learn at learn.microsoft.com/en-us/sysinternals/downloads/tcpview. This is the only source maintained directly by Microsoft.

Microsoft moved the Sysinternals downloads from the old technet.microsoft.com domain to learn.microsoft.com in 2022. Some older blog posts and forum threads still reference the TechNet URLs, but they redirect automatically. The current version available on the official page is 4.19, last updated in early 2024. You can also access TCPView through the Microsoft Store or by downloading the complete Sysinternals Suite, which bundles all 70+ tools into a single ZIP file. Another safe option is Sysinternals Live, where you can run the tool directly from the web share at live.sysinternals.com without downloading anything to disk.

• Official page: learn.microsoft.com/en-us/sysinternals/downloads/tcpview
• Sysinternals Live: live.sysinternals.comtoolstcpview.exe
• Sysinternals Suite ZIP from Microsoft Learn (includes all tools)
• Microsoft Store listing (auto-updates included)

Pro tip: Use the Sysinternals Live path in a Run dialog (Win+R) to launch TCPView instantly without saving any files to your machine. Just type live.sysinternals.comtoolstcpview.exe and press Enter.

We link directly to the official source on our download page.

Yes, TCPView 4.19 works on Windows 11 without any issues. It is fully compatible with all Windows 11 versions, including 23H2 and 24H2.

The tool runs natively on both x64 and ARM64 builds of Windows 11. Microsoft tests Sysinternals tools against current Windows releases, and TCPView has been updated to support the newer networking APIs in Windows 11. The interface renders correctly on high-DPI displays and scales properly when using display scaling above 100%. Some users running Windows 11 on ARM processors (like the Surface Pro with Snapdragon X) report that the x64 version runs fine through emulation, though there is also a native ARM64 build available in the Sysinternals Suite.

• Windows 11 Home, Pro, Enterprise, and Education editions are all supported
• Works on both Intel/AMD (x64) and ARM64 processors
• Compatible with Windows 11 versions 21H2 through 24H2
• Supports high-DPI scaling (150%, 200%, 250%)
• No compatibility mode or special settings required

Pro tip: Run TCPView as Administrator on Windows 11 to see the full process names and PIDs for system services. Without elevation, some system-level connections show limited information.

See the full list of supported platforms on our system requirements page.

Yes, TCPView ships with both 32-bit and 64-bit executables inside the same ZIP download. The 32-bit version runs on any supported Windows version from Windows 8.1 onward.

When you extract the TCPView 4.19 ZIP archive (approximately 1.5 MB), you will find separate executable files for different architectures. The file tcpview.exe is the 64-bit build, and tcpview64a.exe targets ARM64 processors. For 32-bit systems, look for the 32-bit binary in the package. The tool automatically detects your system architecture when you launch it. On a 32-bit Windows 10 installation with 2 GB of RAM, TCPView runs without any performance problems because it has minimal resource requirements and uses very little memory, typically under 15 MB even when monitoring hundreds of connections.

• 32-bit (x86) and 64-bit (x64) builds included in every download
• ARM64 build available for Windows on ARM devices
• Minimum OS: Windows 8.1 (32-bit or 64-bit) or Windows Server 2012
• Memory usage: under 15 MB in typical operation

Pro tip: If you are managing older machines still running 32-bit Windows, you can put TCPView on a USB drive since it is fully portable. No installation required – just copy the folder and run the exe.

Review the full hardware specs on our system requirements page.

No, TCPView is a Windows-only utility. Microsoft Sysinternals tools are built specifically for the Windows kernel and do not have official macOS or Linux releases.

TCPView reads from the Windows TCP/IP stack using native Win32 APIs, so it cannot be ported directly to other operating systems. Some users have tried running it through Wine on Linux, but results are unreliable because Wine does not fully emulate the Windows networking subsystem that TCPView depends on. For Mac and Linux users, there are native alternatives that provide similar functionality. On macOS, the built-in lsof -i command shows open network connections with process information, and on Linux, ss -tunapl gives a comparable output to what TCPView displays on Windows.

• macOS alternatives: lsof -i -P, Activity Monitor (Network tab), or the third-party app Private Eye
• Linux alternatives: ss -tunapl, netstat -tunapl, or the GUI tool tcpview by chipmunk-sm on GitHub
• Cross-platform: Wireshark works on Windows, macOS, and Linux for deeper packet inspection
• Wine compatibility: partial and unreliable, not recommended

Pro tip: If you need a GUI similar to TCPView on Linux, check out the open-source project at github.com/chipmunk-sm/tcpview. It replicates the core TCPView interface using Qt and works on most Linux distributions.

For Windows-specific features, see what TCPView offers on our features page.

Yes, TCPView is 100% free. There is no paid version, no premium tier, no trial period, and no feature restrictions. You get the full tool at no cost.

Microsoft distributes all Sysinternals utilities as freeware under the Sysinternals Software License Terms (a Microsoft EULA). This has been the case since Mark Russinovich and Bryce Cogswell first created the tool in the late 1990s, and it continued after Microsoft acquired Sysinternals in 2006. There are no ads in the application, no nag screens asking you to upgrade, and no data collection that monetizes your usage. The license allows you to use TCPView for both personal and commercial purposes – system administrators in enterprise environments can deploy it across their networks without purchasing any license. The only restriction is redistribution: you cannot repackage and sell TCPView as your own product.

• Free for personal, educational, and commercial use
• No registration, no account creation, no email required
• No ads, no telemetry, no in-app purchases
• Licensed under the Microsoft Sysinternals EULA
• Redistribution as part of the original package is permitted

Pro tip: Bookmark the Sysinternals Suite download page on Microsoft Learn. It bundles TCPView with 70+ other free system utilities that are just as useful, including Process Explorer, Autoruns, and PsExec.

Grab the latest version from our download section.

TCPView uses the Microsoft Sysinternals Software License Terms, which is a standard Microsoft EULA. You can use it at work without purchasing any license.

The Sysinternals EULA grants you the right to use, copy, and distribute the software in its original form for any lawful purpose. This includes running it on corporate networks, on servers, on employee workstations, and in production environments. Many Fortune 500 IT departments keep the Sysinternals Suite on a network share for their support teams. Microsoft does not charge for the tools or require any kind of volume licensing agreement. The EULA does prohibit reverse engineering the binaries and using the software in ways that violate applicable laws.

• Permitted: personal use, corporate deployment, IT troubleshooting, educational use
• Permitted: placing on a shared network drive for team access
• Permitted: including in your company’s standard IT toolkit
• Not permitted: reverse engineering or decompilation
• Not permitted: rebranding and selling as a different product

Pro tip: For enterprise deployments, configure the Sysinternals Live UNC path live.sysinternals.comtools as a mapped network drive. Every employee can run the latest version of TCPView without downloading anything locally.

Learn more about getting TCPView set up at your organization in our getting started guide.

TCPView does not need a traditional installation. You download a ZIP file, extract it, and run the executable directly.

The entire process takes under a minute. The download is approximately 1.5 MB, so even on a slow connection it finishes quickly. There is no installer wizard, no registry entries created, and no Start Menu shortcuts added automatically. This portable design means you can carry TCPView on a USB drive and run it on any Windows machine from Windows 8.1 onward, including Windows 10 and Windows 11. When you first launch the tool, you will see the Sysinternals EULA – click Agree to proceed.

1. Visit our download section and click the download button to get the ZIP file
2. Right-click the downloaded ZIP and select “Extract All” (or use 7-Zip, WinRAR)
3. Open the extracted folder – you will see tcpview.exe along with tcpvcon.exe and a EULA file
4. Double-click tcpview.exe to launch the program
5. Accept the Sysinternals EULA on first run
6. TCPView immediately starts showing all active TCP and UDP connections on your system

Pro tip: Pin TCPView to your taskbar after launching it so you can access it quickly. Right-click the taskbar icon while it is running and select “Pin to taskbar.”

For detailed configuration steps after your first launch, see our getting started guide.

TCPView is fully portable. There is no installer. The program runs directly from wherever you extract it, and it leaves no traces when you delete the folder.

The ZIP download contains the executable files and nothing else. TCPView does not write to the Windows registry, does not create AppData folders, and does not install any background services or drivers. This makes it an ideal tool for IT support professionals who carry a USB drive with diagnostic utilities. You can copy the extracted folder to a thumb drive, plug it into any Windows machine running 8.1 or later, and launch tcpview.exe immediately. Since it writes no configuration files to disk, there is nothing to clean up afterward. The entire extracted folder is about 3.5 MB on disk, so it fits on virtually any storage device.

• No installation wizard – just extract and run
• No registry entries created or modified
• No AppData or Program Files folders used
• Runs from USB drives, network shares, or any local folder
• Extracted size: approximately 3.5 MB total
• Removal: just delete the folder

Pro tip: Create a “SysTools” folder on a USB drive and keep TCPView alongside Process Explorer and Autoruns. This gives you a portable IT diagnostic kit that works on any Windows PC without installation.

Get the portable ZIP from our download section.

If the Sent Packets, Recv Packets, Sent Bytes, and Recv Bytes columns are all blank, the issue is usually related to ETW (Event Tracing for Windows) kernel logging being stopped or interrupted.

TCPView relies on the NT Kernel Logger ETW session to track per-connection traffic statistics. If another application takes over the kernel logger session, or if a crash stops it, TCPView loses access to these counters and the columns go blank even though connections still appear. This problem is more common on Windows 11 Pro and Enterprise editions where security tools or performance monitors compete for the same ETW session. Simply closing and reopening TCPView usually does not fix it because the underlying ETW session remains in a bad state.

1. Close TCPView completely
2. Open Command Prompt as Administrator
3. Run: logman query -ets to check if “NT Kernel Logger” is listed
4. If it is missing or stopped, restart it with: logman start "NT Kernel Logger" -p "Microsoft-Windows-Kernel-Network" 0xFFFFFFFF 0x5 -ets
5. If that fails, reset the network stack: netsh winsock reset then netsh int ip reset
6. Reboot your machine and relaunch TCPView as Administrator

Pro tip: Running TCPView as Administrator from the start prevents most ETW permission issues. Right-click tcpview.exe and select “Run as administrator” every time, or set it permanently in the Properties compatibility tab.

If you continue having issues, review the full setup steps in our getting started guide.

Seeing many TIME_WAIT connections in TCPView is normal. TIME_WAIT is a standard TCP state that happens after a connection closes, and it lasts about 4 minutes by default on Windows.

When a TCP connection is closed, the operating system keeps the socket in TIME_WAIT to handle any delayed packets that might still arrive on the network. On a busy machine running a web browser with many tabs, you might see dozens or even hundreds of TIME_WAIT entries at any given moment. Each one represents a recently closed connection. Chrome, Edge, and Firefox are common sources because they open and close many short-lived HTTPS connections while loading web pages. This is not a sign of malware or a network problem. TCPView highlights these in yellow when the state changes, which can make them look alarming if you are not used to seeing them.

• TIME_WAIT duration on Windows: approximately 240 seconds (4 minutes) by default
• Common sources: web browsers, Windows Update, Microsoft Teams, Outlook
• Not harmful: this is standard TCP/IP behavior defined in RFC 793
• High counts from a single app could indicate a connection leak in that application
• Use Options > Filter to hide resolved TIME_WAIT entries if they clutter the view

Pro tip: If a specific application is creating an unusual number of TIME_WAIT connections (thousands per minute), that application might have a connection pooling bug. Use TCPView’s process filter to isolate it, then report the issue to that software’s developer.

Learn more about TCPView’s color coding and connection states on our features page.

If TCPView crashes, fails to launch, or shows errors after a Windows update, the fix is almost always to download the latest version. Older builds can break when Microsoft changes internal networking APIs.

Microsoft occasionally updates the kernel-level networking structures that TCPView reads from. When a major Windows update (like going from 23H2 to 24H2) changes these internal data formats, older TCPView versions might crash on launch or display corrupted data. Version 4.19 (the latest as of 2024) supports all current Windows 10 and Windows 11 releases. If you have been running an older version like 3.x or 4.0, upgrading to 4.19 will fix compatibility issues. Since TCPView is portable, upgrading is just a matter of downloading the new ZIP and replacing the old files.

1. Delete or rename your current TCPView folder (keep as backup if you want)
2. Download the latest version from our download section
3. Extract the new ZIP to your preferred location
4. Launch the new tcpview.exe – accept the EULA again if prompted
5. If it still crashes, try running it in compatibility mode for Windows 10

Pro tip: Set a calendar reminder to check for Sysinternals updates every few months. The tools are updated without fanfare, and running the latest version prevents most compatibility headaches after Windows patches.

Check our system requirements to confirm your Windows build is supported.

TCPView does not have a built-in auto-update feature. To update, download the latest ZIP from the official source and replace your existing files.

The current version is 4.19. Since TCPView is a portable application that does not use an installer, updating is straightforward: download the new ZIP, extract it, and replace your old tcpview.exe with the new one. You do not lose any settings because TCPView does not save configuration files between sessions – it starts fresh every time. If you installed TCPView through the Microsoft Store, updates are handled automatically through the Store’s update mechanism. For users who prefer the standalone download, there is no notification when a new version comes out. You can monitor the Sysinternals Blog on Microsoft Tech Community for announcements about updates.

1. Check your current version by running TCPView and looking at the title bar
2. Visit the official Sysinternals download page or our download section
3. Download the latest ZIP (currently v4.19, about 1.5 MB)
4. Close TCPView if it is running
5. Extract the new ZIP over your existing folder, replacing the old files
6. Relaunch – no EULA prompt if you already accepted previously

Pro tip: Subscribe to the Sysinternals Blog RSS feed at techcommunity.microsoft.com to get notified when any Sysinternals tool gets updated. Updates often coincide with major Windows releases.

For the current download, visit our download page.

TCPView 4.19 is the latest release. The 4.x series brought a complete UI redesign, dark mode support, and per-connection traffic statistics that were not available in the older 3.x builds.

The jump from version 3.x to 4.0 (released in early 2021) was the biggest update in TCPView’s history. Microsoft rebuilt the interface using modern Windows UI components, added columns for Sent Packets, Received Packets, Sent Bytes, and Received Bytes, and introduced a toolbar for filtering by connection state. Version 4.19 refined these features with bug fixes and improved stability on Windows 11. The visual refresh also added proper high-DPI support, so the interface scales cleanly on 4K monitors and displays using 200% or higher scaling. The older 3.x versions are still floating around on some download sites, but they lack the traffic statistics columns and have compatibility issues with recent Windows builds.

• v4.0+: complete UI redesign with modern Windows look
• v4.0+: Sent/Received packets and bytes columns
• v4.0+: connection state filtering in the toolbar
• v4.0+: high-DPI and multi-monitor improvements
• v4.19: stability fixes and Windows 11 24H2 compatibility

Pro tip: If you see TCPView version 3.x on a download site, skip it. Always get version 4.19 for the per-connection traffic tracking alone. It is far more useful for diagnosing bandwidth-hogging processes.

Download the latest version from our download section.

Both TCPView and CurrPorts are excellent free network monitors, but they suit different needs. TCPView is better for real-time monitoring with its auto-refresh and color-coded display. CurrPorts is stronger for filtering, exporting, and static analysis.

TCPView, developed by Microsoft, refreshes its display every 1 second by default and highlights new connections in green, closed ones in red, and changed ones in yellow. This makes it excellent for watching network activity happen live. CurrPorts, made by Nir Sofer at NirSoft, does not auto-refresh by default and focuses more on detailed static snapshots. CurrPorts shows additional columns that TCPView lacks, including the module filename, the product name, and the file version of the process owning each connection. It also has more powerful filtering with the Advanced Filters dialog, and it can export data to HTML, CSV, XML, and tab-delimited text files.

• Real-time monitoring: TCPView wins with 1/2/5-second auto-refresh and color coding
• Filtering and search: CurrPorts wins with its Advanced Filters and column sorting
• Data export: CurrPorts wins with HTML, CSV, XML, and text export options
• Process details: CurrPorts shows more metadata per connection (module path, product name)
• Closing connections: both tools let you close TCP connections via right-click
• Developer trust: TCPView is from Microsoft; CurrPorts is from NirSoft (equally well-regarded)

Pro tip: Many IT professionals keep both tools on their USB drive. Use TCPView when you need to watch connections happening in real time, and switch to CurrPorts when you need to filter, sort, or export connection data for a report.

See everything TCPView can do on our features page.

Tcpvcon is a command-line version of TCPView that comes in the same ZIP download. It outputs the same connection data to the console or to a file, which makes it useful for scripting and automation.

While TCPView gives you a graphical interface, Tcpvcon prints the same endpoint information as text output. This is useful when you need to capture a snapshot of all connections on a server, pipe the output to a log file, or parse it with a script. The output format matches what you see in the TCPView GUI columns: process name, PID, protocol, local address, local port, remote address, remote port, and connection state. You can filter the output to show only TCP connections, only UDP endpoints, or only listening ports.

1. Open Command Prompt or PowerShell as Administrator
2. Navigate to the folder where you extracted TCPView
3. Run tcpvcon -a to display all endpoints (TCP and UDP)
4. Run tcpvcon -c to output in CSV format for easy parsing
5. Run tcpvcon -n to skip DNS name resolution (faster output)
6. Combine flags: tcpvcon -a -c -n > connections.csv to save all connections as CSV

Pro tip: Create a scheduled task that runs tcpvcon -a -c -n > C:logsconnections_%date%.csv every hour. This builds a log of all network connections over time, which is invaluable for post-incident forensics or tracking down intermittent network issues.

Learn the basics of both tools in our getting started guide.

Right-click any connection in TCPView to close it or to terminate the process that owns it. Closing a connection resets that specific TCP socket. Killing the process ends the entire application.

TCPView gives you two distinct options in the right-click context menu. “Close Connection” sends a TCP RST (reset) packet to terminate just that one socket without affecting the parent process. This is useful when an application has a stuck or hung connection but is otherwise working fine. “End Process” calls TerminateProcess on the PID that owns the connection, which kills the entire application immediately without giving it a chance to save data. There is also a “Process Properties” option that opens the file location of the executable. Use these with caution on production systems since closing a database connection or killing a service process can cause data loss.

1. Find the connection you want to act on in the TCPView list
2. Right-click on the row to open the context menu
3. Select “Close Connection” to reset only that TCP socket
4. Or select “End Process” to terminate the entire application
5. Use “Whois…” to look up the remote IP address if you need to identify where the connection goes

Pro tip: Before killing a process, use “Process Properties” from the right-click menu to verify which executable owns the connection. Sometimes system services like svchost.exe host multiple services, and killing it can crash other unrelated functionality.

For a complete walkthrough of TCPView’s interface, visit our getting started guide.

Yes, TCPView works completely offline. It monitors your system’s local TCP/IP stack directly and does not need internet access to function.

TCPView reads connection data from the Windows kernel’s networking tables, not from any external server. You can run it on an air-gapped machine, a server behind a firewall, or a laptop in airplane mode. The only feature that requires internet access is the Whois lookup, which queries external WHOIS servers to identify who owns a remote IP address. If you are offline, the Whois button simply will not return results. DNS name resolution (the Resolve Addresses toggle, toggled with Ctrl+R) also requires network access if the DNS server is remote, but on a domain-joined machine, cached DNS entries will still resolve. Everything else – process names, PIDs, protocols, ports, connection states, and traffic counters – works without any network connectivity.

• Core monitoring: works fully offline
• Whois lookup: requires internet access (optional feature)
• DNS resolution: works with cached entries; remote DNS needs connectivity
• Traffic statistics (sent/recv bytes): works offline
• No license activation or phone-home check required

Pro tip: When working on an isolated network, turn off address resolution by pressing Ctrl+R. This speeds up the display and prevents TCPView from trying to look up hostnames for every connection, which would time out and slow down the interface on air-gapped systems.

See the complete feature list on our features page.