My keepass-rpc suddenly wouldn’t launch, with a “forbidden socket connection” error. It turns out that the default 12546 port (for kee and keepass-rpc to join) had become RESERVED by Windows, and the AI-backed debugging steps below saved the day.
I’m putting it here in case someone else gets stuck on that.
The KeePass app had just been updated, along with lots of other Windows drivers, so I don’t know what triggered the “reserved ports” change exactly.
What the error actually means
The French line — “Une tentative d’accès à un socket de manière interdite par ses autorisations d’accès a été tentée” — is Windows error WSAEACCES (“an attempt was made to access a socket in a way forbidden by its access permissions”). This is not the same as “port already in use.” It means Windows is refusing the bind to port 12546, almost always because that port now falls inside a Windows-reserved (excluded) port range.
These exclusions are typically grabbed by Hyper-V / WinNAT — the networking stack used by WSL2, Docker Desktop, Windows Sandbox, virtualization features, and some VPN clients. If your app tries to bind to a port inside one of those excluded ranges, it fails with this socket permission error even when nothing is actually listening on the port — which is why netstat shows port 12546 as empty but the bind still fails.
Why it looks like “the KeePass update broke it”
The update is mostly coincidental. This commonly appears after installing or updating Docker, WSL 2, Hyper-V, VPN software, or Windows networking components, and the reserved ranges get reshuffled on every reboot and after Windows updates — they’re not the same set each time. Your KeePass update triggered a restart at the moment a freshly-shuffled range happened to swallow 12546. This exact error has hit KeePassRPC users before right after a Windows patch (there’s a 2020 bug report titled almost identically, “since a Win10 update”).
Diagnose it (30 seconds)
Open Command Prompt or PowerShell and run:
netsh interface ipv4 show excludedportrange protocol=tcp
Look at the Start/End columns. If 12546 falls inside any listed range, that’s your cause, confirmed.
Fixes, easiest first
1. Restart WinNAT (quick, sometimes enough). In an admin prompt:
net stop winnat
net start winnat
This reshuffles the exclusions and may free 12546. A plain reboot can do the same — but neither is guaranteed, since the new shuffle might re-grab it.
2. Pin port 12546 for yourself (permanent). Reserve it explicitly so the dynamic Hyper-V allocation stops claiming it. In an admin prompt:
net stop winnat
netsh int ipv4 add excludedportrange protocol=tcp startport=12546 numberofports=1
net start winnat
An explicitly administered exclusion like this reserves the port without blocking your own app from binding it — this is the documented fix for the identical “forbidden by its access permissions” bind error. Restart KeePass afterward.
3. Change the port instead. Move KeePassRPC off the contested range. In KeePass: Tools → KeePassRPC (Kee) options, or edit KeePass.config.xml (in %APPDATA%\KeePass\) and set KeePassRPC.webSocket.port to something outside the excluded range. Important: you must set the same new port in the Kee browser extension’s settings, or the two won’t reconnect.
4. Reset the dynamic range away from 12546 (cleaner long-term). This keeps reservations up in the high range:
netsh int ipv4 set dynamicport tcp start=49152 num=16384
After this, only ports 49152–65535 can be reserved, so the ~12000 area stays clear. Reboot after.
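
The diagnosis step above, as an added PowerShell example (not part of the original post): it parses the `netsh` excluded-range listing and reports which range contains port 12546 and whether that range is dynamic or an administered (`*`) exclusion. The function names and the sample listing are constructed for illustration; on the affected machine, feed it the live `netsh` output instead.

```powershell
# Added example: find the excluded TCP range (if any) that contains a port.
function Get-ExcludedPortRange {
    param(
        # Lines printed by: netsh interface ipv4 show excludedportrange protocol=tcp
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$NetshOutput
    )
    foreach ($line in $NetshOutput) {
        # Data rows are "<start> <end>" with an optional trailing "*".
        # Header and footer text (localized on non-English Windows) never matches.
        if ($line -match '^\s*(\d+)\s+(\d+)\s*(\*)?\s*$') {
            [pscustomobject]@{
                StartPort    = [int]$Matches[1]
                EndPort      = [int]$Matches[2]
                Administered = ($Matches[3] -eq '*')   # "*" = added explicitly by an admin
            }
        }
    }
}

function Test-PortExcluded {
    param([int]$Port, [object[]]$Ranges)
    # Return every range whose Start..End interval contains the port.
    $Ranges | Where-Object { $Port -ge $_.StartPort -and $Port -le $_.EndPort }
}

# Constructed sample listing (not captured from a real machine).
$sample = @'
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      5357        5357
     12500       12599
     50000       50059     *

* - Administered port exclusions.
'@ -split '\r?\n'

# On the affected machine, replace $sample with the live listing:
#   $output = netsh interface ipv4 show excludedportrange protocol=tcp
$output = $sample
$port   = 12546   # KeePassRPC default port, per the post

$hits = @(Test-PortExcluded -Port $port -Ranges (Get-ExcludedPortRange -NetshOutput $output))
if ($hits.Count -eq 0) { "Port $port is not inside any excluded TCP range." }
foreach ($r in $hits) {
    $kind = if ($r.Administered) { 'administered (explicitly added)' } else { 'dynamic (system-assigned)' }
    "Port $port is inside excluded range $($r.StartPort)-$($r.EndPort), $kind."
}
```

A dynamic hit corresponds to the failure described in the post; an administered hit is what the listing shows after fix 2 has been applied.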