The joy of netsh

  • Article

Ever notice there are REALLY useful tools that you totally overlook? Well I do. All the time! One such mega-useful tool in Windows is netsh, a tool for getting and setting network settings on a box.

I found it a "Godsend" just recently when I had to troubleshoot a Windows XP SP 2 firewall problem. If you run these commands in a batch file:

netsh firewall show state > fw
netsh firewall show allowedprogram >> fw
netsh firewall show logging >> fw

You'll see something like this:

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable

Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
3389 TCP Any (null)
4500 UDP Any C:\WINDOWS\system32\lsass.exe
500 UDP Any C:\WINDOWS\system32\lsass.exe

Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe

Allowed programs configuration for Standard profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable AcceptConnection / C:\Junk\AcceptConnection\Debug\AcceptConnection.exe
Enable MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe

Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 24096 KB
Dropped packets = Enable
Connections = Disable

Note, you can use the tool to set and get settings, it's not just a query tool. There's a good rundown of using netsh to diagnose firewall issues here https://support.microsoft.com/default.aspx?scid=kb;en-us;875357

Other useful things to spelunk include the IPv6 support:

The command installs IPv6 support:

netsh interface ipv6 install

And this command dumps all the IPv6 interface data, it's more detailed than ipconfig.

netsh interface ipv6 show address