The joy of netsh - Michael Howard's Web Log - Site Home

Ever notice there are REALLY useful tools that you totally overlook? Well I do. All the time! One such mega-useful tool in Windows is netsh, a tool for getting and setting network settings on a box.

I found it a "Godsend" just recently when I had to troubleshoot a Windows XP SP 2 firewall problem. If you run these commands in a batch file:

netsh firewall show state > fw
netsh firewall show allowedprogram >> fw
netsh firewall show logging >> fw

You'll see something like this:

Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol Version Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
4500   UDP       Any      C:\WINDOWS\system32\lsass.exe
500    UDP       Any      C:\WINDOWS\system32\lsass.exe

Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   AcceptConnection / C:\Junk\AcceptConnection\Debug\AcceptConnection.exe
Enable   MSN Messenger 7.0 / C:\Program Files\MSN Messenger\msnmsgr.exe

Log configuration:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 24096 KB
Dropped packets = Enable
Connections     = Disable

Note, you can use the tool to set and get settings, it's not just a query tool. There's a good rundown of using netsh to diagnose firewall issues here http://support.microsoft.com/default.aspx?scid=kb;en-us;875357

Other useful things to spelunk include the IPv6 support:

The command installs IPv6 support:

netsh interface ipv6 install

And this command dumps all the IPv6 interface data, it's more detailed than ipconfig.

netsh interface ipv6 show address