Port 2869: Windows UPnP Event Listener — The Port IANA Forgot to Assign

What This Port Does

Port 2869 is where Windows listens for UPnP (Universal Plug and Play) event notifications over TCP. When a device on your local network — a printer, a smart TV, a NAS drive — wants to tell Windows that something has changed, it sends an event subscription or notification to port 2869.

It operates alongside port 1900 (UDP), which handles the initial SSDP discovery broadcasts. Think of them as a pair: 1900 is the shout into the room ("who's out there?"), 2869 is the return address Windows leaves so devices can write back.¹

Microsoft labels this service ICSLAP (Internet Connection Sharing/Firewall) and has used port 2869 since Windows XP Service Pack 2. It runs under the SSDP Discovery Service and Windows Event Notification components, and it's the same mechanism that powers Windows Media Player's library sharing, network printer discovery, and Xbox UPnP negotiation.²

The IANA Situation

IANA's official port registry lists port 2869 as unassigned in the registered range (1024–49151).³ Microsoft never formally registered it. This is not unusual — many widely-used ports were claimed informally and never submitted for official assignment. The port works on hundreds of millions of Windows machines regardless.

This matters if you're reading port documentation expecting the registry to tell the full story. It doesn't, here.

The Registered Port Range

Port 2869 sits in the registered port range (1024–49151). These ports are:

• Not restricted to privileged processes (unlike well-known ports below 1024)
• Officially tracked by IANA, though the registry has gaps and informal uses
• Commonly used by applications and services that need a consistent, known port

The registered range is where most application-layer protocols live. Some are formally registered (like 3306 for MySQL), some are informal conventions that stuck (like 2869 for Windows UPnP).

Security Considerations

Port 2869 should only be reachable on your local network. Windows Firewall, starting with XP SP2, restricts it to local subnet traffic. If you see port 2869 exposed to the Internet on a server, that's a misconfiguration worth investigating.

The UPnP protocol family has a long history of security issues — largely because it was designed for trusted home networks and often ends up in environments where that trust isn't warranted.⁴ Port 2869 itself is the event notification endpoint, not the initial discovery mechanism, so its exposure is narrower. But any UPnP service left open unnecessarily is an attack surface.

What's Listening on Your Machine

To check whether port 2869 is active on your system:

Windows:

netstat -ano | findstr :2869

The PID in the last column maps to a process in Task Manager. On most Windows machines, it will be svchost.exe running the SSDP Discovery service.

macOS / Linux:

lsof -i :2869

or:

ss -tlnp | grep 2869

If you see it listening and don't use UPnP device discovery, you can disable the SSDP Discovery service in Windows Services (services.msc). This also closes port 2869.

Related Ports

• 1900/UDP — SSDP multicast discovery (the other half of the UPnP pair)
• 5000/TCP — UPnP device description on some implementations
• 3074/TCP+UDP — Xbox network traffic, often appears alongside 2869 during UPnP negotiation