The joy of netsh


Ever notice there are REALLY useful tools that you totally overlook? Well, I do. All the time! One such mega-useful tool in Windows is netsh, a tool for getting and setting network settings on a box.


I found it a “Godsend” just recently when I had to troubleshoot a Windows XP SP 2 firewall problem. If you run these commands in a batch file:


netsh firewall show state > fw
netsh firewall show allowedprogram >> fw
netsh firewall show logging >> fw


You’ll see something like this:


Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable


Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
4500   UDP       Any      C:\WINDOWS\system32\lsass.exe
500    UDP       Any      C:\WINDOWS\system32\lsass.exe



Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe


Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   AcceptConnection / C:\Junk\AcceptConnection\Debug\AcceptConnection.exe
Enable   MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe



Log configuration:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 24096 KB
Dropped packets = Enable
Connections     = Disable


Note that you can use the tool to set settings as well as get them; it’s not just a query tool. There’s a good rundown of using netsh to diagnose firewall issues here: http://support.microsoft.com/default.aspx?scid=kb;en-us;875357
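An added example, not part of the original post: a small Python review of the fw file that the batch commands above produce. It flags open ports with no program listed, enabled exceptions outside expected directories, and disabled connection logging. The TRUSTED_ROOTS list and the wording of the findings are assumptions, and the sample text is trimmed from the output shown earlier.

```python
import re

# Constructed sample: trimmed from the dump shown above, separator lines omitted.
SAMPLE = r"""
Firewall status:
Operational mode                  = Enable
Remote admin mode                 = Disable
Ports currently open on all network interfaces:
Port   Protocol  Version  Program
3389   TCP       Any      (null)
4500   UDP       Any      C:\WINDOWS\system32\lsass.exe
Allowed programs configuration for Standard profile:
Mode     Name / Program
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   AcceptConnection / C:\Junk\AcceptConnection\Debug\AcceptConnection.exe
Log configuration:
Connections     = Disable
"""

# Assumption: executables under these roots are expected; adjust per site.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def audit(text):
    """Return review findings for a `netsh firewall show ...` dump."""
    findings, settings = [], {}
    for line in map(str.strip, text.splitlines()):
        port = re.match(r"(\d+)\s+(TCP|UDP)\s+\S+\s+(.+)$", line)
        prog = re.match(r"(Enable|Disable)\s+(.+?) / (.+)$", line)
        kv = re.match(r"([^=]+?)\s*=\s*(.+)$", line)
        if port:
            if port.group(3) == "(null)":  # no program listed for this open port
                findings.append(f"port {port.group(1)}/{port.group(2)} open, Program column is (null)")
        elif prog:
            path = prog.group(3)
            if prog.group(1) == "Enable" and not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(f"exception outside trusted roots: {path}")
        elif kv:
            settings[kv.group(1)] = kv.group(2)
    if settings.get("Operational mode") != "Enable":
        findings.append("firewall is not enabled")
    if settings.get("Remote admin mode") == "Enable":
        findings.append("remote administration exception is enabled")
    if settings.get("Connections") != "Enable":
        findings.append("successful connections are not logged")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("REVIEW:", finding)
```

To review a real dump, read the fw file and pass its contents to audit().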


Other useful things to spelunk include the IPv6 support:


This command installs IPv6 support:


netsh interface ipv6 install


And this command dumps all the IPv6 interface data; it’s more detailed than ipconfig.


netsh interface ipv6 show address


 

Comments (11)

  1. Al says:

    I use netsh for setting up IPSec on Windows Server 2003 all the time. I knew the firewall info was there with sp1 – just never looked at it.

    netsh firewall show portopening verbose=enable could come in handy in the future.

    Thanks!

  2. Michael says:

    Here’s a question for you Michael. Since you mention installing ipv6 support, is that something the average user would benefit from (either from a security perspective or otherwise)?

  3. michael_HOWARD says:

    I think for the average user, there is little to be gained right now – this may change over the years.

  4. If you’re struggling to get the balance right between the enhanced security gained by enabling the firewall…

  6. M says:

    Netsh is absolutely one of those infinitely useful, little-known tools. I recently scripted changing DNS settings on some 6,000 machines using ipconfig, netsh, and a little awk. It’s a bit buggy in certain instances, but it works wonders. I’ve often wondered though: the verbosity of netsh, much like ntdsutil, doesn’t really seem to jibe with other MS command line tools… Anyone know why the disjoin? Different developers? Purchased technologies?