The joy of netsh

Ever notice there are REALLY useful tools that you totally overlook? Well, I do. All the time! One such mega-useful tool in Windows is netsh, a tool for getting and setting network settings on a box.

I found it a “Godsend” just recently when I had to troubleshoot a Windows XP SP 2 firewall problem. If you run these commands in a batch file:

netsh firewall show state > fw
netsh firewall show allowedprogram >> fw
netsh firewall show logging >> fw

You’ll see something like this:

Firewall status:
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
3389   TCP       Any      (null)
4500   UDP       Any      C:\WINDOWS\system32\lsass.exe
500    UDP       Any      C:\WINDOWS\system32\lsass.exe

Allowed programs configuration for Domain profile:
Mode     Name / Program
Enable   MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   AcceptConnection / C:\Junk\AcceptConnection\Debug\AcceptConnection.exe
Enable   MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe

Log configuration:
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 24096 KB
Dropped packets = Enable
Connections     = Disable

Note that you can use the tool to set settings as well as get them; it’s not just a query tool. There’s a good rundown of using netsh to diagnose firewall issues in Microsoft Knowledge Base article 875357.
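Once the report is in the fw file, it can be audited mechanically. The Python sketch below is an added example, not part of the original post: it parses the report format shown above and flags port exceptions with no owning program, enabled program exceptions outside expected install directories, and disabled logging. The trusted-directory list and the finding names are assumptions of this example.

```python
import re
from ntpath import normcase, normpath  # Windows path rules on any host OS

# Assumption of this example: directories treated as expected install roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample: a trimmed copy of the report shown above.
SAMPLE = r"""
Firewall status:
Operational mode                  = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
3389   TCP       Any      (null)
4500   UDP       Any      C:\WINDOWS\system32\lsass.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   AcceptConnection / C:\Junk\AcceptConnection\Debug\AcceptConnection.exe

Log configuration:
Dropped packets = Enable
Connections     = Disable
"""

def audit(report):
    """Return (kind, detail) findings from `netsh firewall show ...` output."""
    findings, profile = [], None
    for line in map(str.strip, report.splitlines()):
        m = re.match(r"Allowed programs configuration for (\w+) profile:", line)
        if m:
            profile = m.group(1)
        # Port exception with no owning program: open to whatever listens on it.
        m = re.match(r"(\d+)\s+(TCP|UDP)\s+\S+\s+\(null\)$", line)
        if m:
            findings.append(("port-without-program", f"{m.group(1)}/{m.group(2)}"))
        # Enabled program exception; normpath collapses ".." before the prefix test.
        m = re.match(r"Enable\s+(.+?) / (.+)$", line)
        if m and not normcase(normpath(m.group(2))).startswith(TRUSTED_ROOTS):
            findings.append(("program-outside-trusted-roots", f"{profile}: {m.group(2)}"))
        m = re.match(r"(Dropped packets|Connections)\s*=\s*Disable$", line)
        if m:
            findings.append(("logging-disabled", m.group(1)))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind:30} {detail}")
```

To audit a real capture, pass the contents of the fw file to audit() instead of SAMPLE.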

Other useful things to spelunk include the IPv6 support:

This command installs IPv6 support:

netsh interface ipv6 install

And this command dumps all the IPv6 interface data; it’s more detailed than ipconfig:

netsh interface ipv6 show address


Comments (11)

  1. Al says:

    I use netsh for setting up IPSec on Windows Server 2003 all the time. I knew the firewall info was there with sp1 – just never looked at it.

    netsh firewall show portopening verbose=enable could come in handy in the future.


  2. Michael says:

    Here’s a question for you Michael. Since you mention installing ipv6 support, is that something the average user would benefit from (either from a security perspective or otherwise)?

  3. michael_HOWARD says:

    I think for the average user, there is little to be gained right now – this may change over the years.

  4. If you’re struggling to get the balance right between the enhanced security gained by enabling the firewall…


  6. M says:

    Netsh is absolutely one of those infinitely useful, little-known tools. I recently scripted changing DNS settings on some 6,000 machines using ipconfig, netsh, and a little awk. It’s a bit buggy in certain instances, but it works wonders. I’ve often wondered though: the verbosity of netsh, much like ntdsutil, doesn’t really seem to jibe with other MS command line tools… Anyone know why the disjoin? Different developers? Purchased technologies?