On a test Web server, I recently discovered an open TCP port that I couldn't link directly to a service running on the server. If I had made that discovery on a production Web server, I would have assumed that an intruder had planted an executable on the system and was using the port as a back door into the Web server. I don't know of a tool that can map every open TCP and UDP port to an executable running on the system. Do you know of such a tool?
Take a look at the fport.exe TCP/IP port-to-process mapper. Fport.exe is freeware that you can download from the Foundstone Web site at http://www.foundstone.com/knowledge/free_tools.html. Fport comes bundled with a set of other security tools. You can sort the tool's output several ways. Specifically, use the /p switch to sort by port, the /a switch to sort by application, the /ap switch to sort by application path, or the /I switch to sort by process identifier (PID).
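Once you have a port-to-process listing, the useful step is comparing it against what the server is supposed to be running. The following is an added example, not part of the original answer or of Foundstone's tool: it parses text laid out in fport's columns (Pid, Process, Port, Proto, Path) and reports any listener missing from a baseline. The sample output, the baseline, and the function names are constructed for illustration.

```python
import re

# Constructed sample, modeled on fport's column layout; not captured from a real host.
SAMPLE_FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
420   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
1044  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1312  updsvc         ->  3052  TCP   C:\Program Files\Temp Files\updsvc.exe
8     System         ->  137   UDP
"""

# Hypothetical baseline for this server: (protocol, port, lower-cased image path).
# Kernel-owned listeners (the System process) carry no path, so theirs is "".
BASELINE = {
    ("TCP", 135, r"c:\winnt\system32\svchost.exe"),
    ("TCP", 445, ""),
    ("TCP", 80, r"c:\winnt\system32\inetsrv\inetinfo.exe"),
    ("UDP", 137, ""),
}

# pid, process name, "->", port, protocol, then an optional path that may contain spaces.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Return one dict per listener row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        rows.append({"pid": int(pid), "process": process, "port": int(port),
                     "proto": proto, "path": path.strip()})
    return rows

def unexpected_listeners(rows, baseline):
    """Listeners whose (protocol, port, path) is not in the baseline.

    Matching on the path as well as the port means a different executable
    bound to an expected port is still reported.
    """
    return [r for r in rows
            if (r["proto"], r["port"], r["path"].lower()) not in baseline]

if __name__ == "__main__":
    for r in unexpected_listeners(parse_fport(SAMPLE_FPORT_OUTPUT), BASELINE):
        print(f'{r["proto"]}/{r["port"]} pid={r["pid"]} {r["process"]} {r["path"]}')
```

Build the baseline from a listing taken when the server is in a known-good state, and review each reported row by PID and path before deciding whether it is a legitimate service.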