Windows 10 WINNAT and why your programs can't listen on certain ports.

You're probably here because You've been having Error's like "The default port is occupied by another application" or "An attempt was made to access a socket in a way forbidden by its access permissions." and you've tried using netstat, TCPView, and others to find out what is using that port (For me port 1143 for ProtonMail Bridge) But their is nothing that either program can see using the port.

If you're anything like me you've been searching for hours but keep finding the same posts telling you to run netstat and TcpView to find out what's using the port, but that's very unhelpful when those methods can't see what is using the port.
After many hours of research I discovered the Wonders of Windows NAT Driver (WINNAT) and that in a Windows update in 2018 they snuck in a feature that allows WINNAT to reserve ports for Windows use (even if Windows 10 isn't actually using them) so that no other programs on your computer can use these ports.

Windows NAT (WinNAT) -- Capabilities and limitations
First published on TECHNET on May 25, 2016 Author: Jason Messer How many devices (e.g. laptops, smart phones, tablets, DVRs, etc.) do you have at home which connect to the internet? Each of these devices probably has an IP address assigned to it, but did you know that that the public internet a…

Now enough yabberying from me, here's how to work around this.
Open an Admin Powershell or Windows terminal instance and run the following:
net stop winnat
followed by:
netsh int ipv4 add excludedportrange protocol=tcp startport=1143 numberofports=1 Replace 1143 with whatever port you are trying to use and change tcp to udp as needed.
And then
net start winnat
And try starting your program again and it should suddenly be working again

My Thoughts

While I get why Microsoft added this feature to Windows, I also think they do a terrible job of explaining to people what is happening and why.
They also do a terrible job telling you how to do a 'workaround'


Luckily there are people on the internet that worked out how to do a REAL workaround for this problem using the commands I showed you above. All the sources for this info are Sources section below.


Solved - An attempt was made to access a socket in a way forbidden
If you’re seeing an error that says “An attempt was made to access a socket in a way forbidden by its access permissions.” this may fix it.
Unable to start Kestrel getting ‘An attempt was made to access a socket in a way forbidden by its access permissions’
While running my Kestrel application from Visual Studio 2017 (Windows 10), I’m getting this line in my command prompt: “Unable to bind to http://localhost:50067 on the IPv4 loopback interface: ’An
Docker error “Ports are not available” on Windows 10
How to see what is reserving ephemeral port ranges on Windows?
I have a Windows application that needs to use ports 50005 and 50006 but it is being blocked. I see the following when I run netsh int ip show excludedportrange protocol=tcp: Protocol tcp Port