NETSH (Network Shell)

Configure Network Interfaces, Windows Firewall, Routing & remote access.

Syntax
      NETSH [Context] [sub-Context] command

Key
   The contexts and commands available vary by platform; the list below is for Windows Server 2016.
   Use interactive mode/help (described below) to check the commands available on your machine.

   abort           - Discard changes made while in offline mode.
   add             - Add a configuration entry to a list of entries.
      netsh add helper  - Install the specified helper DLL

   advfirewall    - Change to the 'netsh advfirewall' context.

      netsh advfirewall consec ?              - Display a list of commands.
      netsh advfirewall consec add            - Add a new connection security rule.
      netsh advfirewall consec delete         - Delete all matching connection security rules.
      netsh advfirewall consec dump           - Display a configuration script.
      netsh advfirewall consec set            - Set new values for properties of an existing rule.
      netsh advfirewall consec show           - Display a specified connection security rule.

      netsh advfirewall dump  - Create a script that contains the current configuration.
                                If saved to a file, this can be used to restore the configuration settings.

      netsh advfirewall export path\filename  - Export the current policy to the specified file.
      netsh advfirewall import path\filename  - Import policy from the specified file.

      netsh advfirewall firewall add          - Add a new inbound or outbound firewall rule.
      netsh advfirewall firewall delete       - Delete all matching inbound rules.
      netsh advfirewall firewall dump         - Display a configuration script.
      netsh advfirewall firewall set          - Set new values for properties of an existing rule.
      netsh advfirewall firewall show         - Display a specified firewall rule.
      netsh advfirewall firewall show rule name=all   - Show all firewall rules.

      netsh advfirewall monitor delete        - Delete all matching security associations.
      netsh advfirewall monitor dump          - Display a configuration script.
      netsh advfirewall monitor show          - Show all matching security associations.

      netsh advfirewall reset   - Reset to factory settings (Firewall=ON)

      netsh advfirewall set allprofiles    - Set properties in all profiles.
      netsh advfirewall set currentprofile - Set properties in the active profile.
      netsh advfirewall set domainprofile  - Set properties in the domain profile.
      netsh advfirewall set global         - Set the global properties.
      netsh advfirewall set privateprofile - Set properties in the private profile.
      netsh advfirewall set publicprofile  - Set properties in the public profile.

      netsh advfirewall show allprofiles    - Display firewall rules for all profiles.
      netsh advfirewall show currentprofile - Display firewall rules for the active profile.
      netsh advfirewall show domainprofile  - Display properties for the domain profile.
      netsh advfirewall show global         - Display the global firewall rules.
      netsh advfirewall show privateprofile - Display firewall rules for the private profile.
      netsh advfirewall show publicprofile  - Display firewall rules for the public profile.
      netsh advfirewall show store          - Display the policy store for the current interactive session.
  alias          - Add an alias.
  branchcache    - Change to the 'netsh branchcache' context.
  bridge         - Change to the 'netsh bridge' context.
      netsh bridge dump           - Display a configuration script.
      netsh bridge install        - Install the component corresponding to the current context.
      netsh bridge set            - Set configuration information.
      netsh bridge show           - Display information.
      netsh bridge uninstall      - Remove the component corresponding to the current context.
  bye            - Exit the program.
  commit         - Commit changes made while in offline mode.
  delete         - Delete a configuration entry from a list of entries.
      netsh delete helper - Remove the specified helper DLL from netsh.
      Note that after a helper is removed, it is no longer supported by netsh.
  dhcp           - Change to the 'DHCP' context.
  dhcpclient     - Change to the 'netsh dhcpclient' context.
      netsh dhcpclient list            - List all the commands available.
      netsh dhcpclient trace enable    - Enable tracing for DHCP client and DHCP QEC.
      netsh dhcpclient trace disable   - Disable tracing for DHCP client and DHCP QEC.
  dnsclient      - Change to the 'netsh dnsclient' context.
  dump           - Display a configuration script.
      netsh dump    - Create a script that contains the current configuration.
                      If saved to a file, this can be used to restore the configuration settings.

  exec           - Run a script file.
  exit           - Exits the program.

  firewall       - Change to the 'netsh firewall' context.
      netsh firewall add                - Add firewall configuration.
      netsh firewall delete             - Delete firewall configuration.
      netsh firewall dump               - Display a configuration script.
      netsh firewall reset              - Reset firewall configuration to default.
      netsh firewall set allowedprogram - Set firewall allowed program configuration.
      netsh firewall set icmpsetting    - Set firewall ICMP configuration.
      netsh firewall set logging        - Set firewall logging configuration.
      netsh firewall set multicastbroadcastresponse - Set firewall multicast/broadcast response configuration.
      netsh firewall set notifications  - Set firewall notification configuration.
      netsh firewall set opmode         - Set firewall operational configuration.
      netsh firewall set portopening    - Set firewall port configuration.
      netsh firewall set service        - Set firewall service configuration.
      netsh firewall show allowedprogram - Show firewall allowed program configuration.
      netsh firewall show config         - Show firewall configuration.
      netsh firewall show currentprofile - Show current firewall profile.
      netsh firewall show icmpsetting    - Show firewall ICMP configuration.
      netsh firewall show logging        - Show firewall logging configuration.
      netsh firewall show multicastbroadcastresponse - Show firewall multicast/broadcast response configuration.
      netsh firewall show notifications  - Show firewall notification configuration.
      netsh firewall show opmode         - Show firewall operational configuration.
      netsh firewall show portopening    - Show firewall port configuration.
      netsh firewall show service        - Show firewall service configuration.
      netsh firewall show state          - Show current firewall state.

  help           - Display a list of netsh commands.
      netsh help

  http           - Change to the 'netsh http' context.
      netsh http add            - Add a configuration entry to a table.
      netsh http delete         - Delete a configuration entry from a table.
      netsh http delete sslcert ipport=0.0.0.0:443  - Delete an expired SSL cert.
      netsh http delete sslcert hostnameport=localhost:443  - Delete an expired SSL cert.
      netsh http dump           - Display a configuration script.
      netsh http flush          - Flush internal data.
      netsh http show           - Display information.
      netsh http show cacheparam - Show the cache parameters of the HTTP service.
      netsh http show cachestate  - List cached URI resources and their associated properties.
      netsh http show iplisten    - Display all the IP addresses in the IP listen list.
      netsh http show servicestate - Show a snapshot of the HTTP service.
      netsh http show setting   - Show the setting values of the service.
      netsh http show sslcert   - Display SSL certificate bindings.
      netsh http show timeout   - Show the timeout values of the service.
      netsh http show urlacl    - Display URL namespace reservations.

  interface      - Change to the 'netsh interface' context.
      netsh interface 6to4           + Change to the 'netsh interface 6to4' context.
      netsh interface add            - Add a configuration entry to a table.
      netsh interface delete         - Delete a configuration entry from a table.
      netsh interface dump           - Display a configuration script.
      netsh interface ipv4           + Change to the 'netsh interface ipv4' context.
      netsh interface ipv6           + Change to the 'netsh interface ipv6' context.
      netsh interface isatap         + Change to the 'netsh interface isatap' context.
      netsh interface portproxy      + Change to the 'netsh interface portproxy' context.
      netsh interface reset          - Reset information.
      netsh interface set            - Set configuration information.
      netsh interface show interface - Display the network interface status.
      netsh interface ip show interfaces - Display
      netsh interface tcp            + Change to the 'netsh interface tcp' context.
      netsh interface teredo         + Change to the 'netsh interface teredo' context.

  ipsec          - Change to the 'netsh ipsec' context.
      netsh ipsec dump                  - Display a configuration script.
      netsh ipsec dynamic add           - Add policy, filter, and actions to SPD.
      netsh ipsec dynamic delete        - Delete policy, filter, and actions from SPD.
      netsh ipsec dynamic dump          - Display a configuration script.
      netsh ipsec dynamic set           - Modify policy, filter, and actions in SPD.
      netsh ipsec dynamic show          - Display policy, filter, and actions from SPD.
      netsh ipsec static add            - Create new policies and related information.
      netsh ipsec static delete         - Delete policies and related information.
      netsh ipsec static dump           - Display a configuration script.
      netsh ipsec static exportpolicy   - Export all the policies from the policy store.
      netsh ipsec static importpolicy   - Import the policies from a file to the policy store.
      netsh ipsec static set            - Modify existing policies and related information.
      netsh ipsec static show           - Display details of policies and related information.

  ipsecdosprotection - Change to the 'netsh ipsecdosprotection' context.
  lan            - Change to the 'netsh lan' context.
      netsh lan add            - Add a configuration entry to a table.
      netsh lan delete         - Delete a configuration entry from a table.
      netsh lan dump           - Display a configuration script.
      netsh lan export         - Save LAN profiles to XML files.
      netsh lan reconnect      - Reconnect on an interface.
      netsh lan set            - Configure settings on interfaces.
      netsh lan show           - Display information.

  mbn           - Change to the 'netsh mbn' context.
  namespace     - Change to the 'netsh namespace' context.

  netio          - Change to the 'netsh netio' context.
      netsh netio add          - Add a configuration entry to a table.
      netsh netio delete       - Delete a configuration entry from a table.
      netsh netio dump         - Display a configuration script.
      netsh netio show         - Display information.
  offline       - Set the current mode to offline.
  online        - Set the current mode to online.
  p2p           - Change to the 'netsh p2p' context.
  popd          - Pop a context from the stack.
  pushd         - Push current context on stack.
  quit          - Exit the program.
  ras            - Change to the 'netsh ras' context. (Remote Access Server)
      netsh ras aaaa           - Change to the 'netsh ras aaaa' context.
      netsh ras add            - Add items to a table.
      netsh ras delete         - Remove items from a table.
      netsh ras diagnostics    - Change to the 'netsh ras diagnostics' context.
      netsh ras dump           - Display a configuration script.
      netsh ras ip             - Change to the 'netsh ras ip' context.
      netsh ras ipv6           - Change to the 'netsh ras ipv6' context.
      netsh ras set            - Set configuration information.
      netsh ras show           - Display information.

  routing        - Change to the 'netsh routing' context.
  rpc            - Change to the 'netsh rpc' context. (RPC firewall filter)
      netsh rpc add            - Create an Add list of subnets.
      netsh rpc delete         - Create a Delete list of subnets.
      netsh rpc dump           - Display a configuration script.
      netsh rpc filter         - Change to the 'netsh rpc filter' context.
      netsh rpc reset          - Reset the selective binding settings to 'none' (listen on all interfaces).
      netsh rpc show           - Display the selective binding state for each subnet on the system.

   set            - Update configuration settings on a remote machine.
      netsh set machine [name=] [user=][[DomainName\]UserName] [pwd=][Password | *]

   If a machine name is not specified, the local machine is used.
   A username and password cannot be used to connect to the local machine.

   show           - Display information.
      netsh show alias   - List all defined aliases.
      netsh show helper  - List all the top-level helpers.

   trace         - Change to the 'netsh trace' context.
      netsh trace convert   - Convert a trace file to an HTML export.
      netsh trace correlate - Normalise or filter a trace file to a new output file.
      netsh trace diagnose  - Start a diagnose session.
      netsh trace dump    - Display a configuration script.
      netsh trace export  - Export a scenario to a WPR profile.
      netsh trace help    - Display help.
      netsh trace merge   - Merge trace files and add symbols metadata.
      netsh trace postreset - ?
      netsh trace start - Start tracing.
      netsh trace stop  - Stop tracing.

   unalias       - Delete an alias.
   wcn           - Change to the 'netsh wcn' context (Wireless config/connect).
   wfp           - Change to the 'netsh wfp' context, Windows Filtering Platform (WFP).
   winhttp       - Change to the 'netsh winhttp' context.
      netsh winhttp dump      - Display a configuration script.
      netsh winhttp import    - Import WinHTTP proxy settings.
      netsh winhttp reset     - Reset WinHTTP settings.
      netsh winhttp set       - Configure WinHTTP settings.
      netsh winhttp show      - Display current settings.

   winsock        - Change to the 'netsh winsock' context.
      netsh winsock audit     - Display a list of Winsock LSPs that have been installed and removed.
      netsh winsock dump      - Display a configuration script.
      netsh winsock remove    - Remove a Winsock LSP from the system.
      netsh winsock reset     - Reset the Winsock Catalog to a clean state.
      netsh winsock show      - Display information.

   wlan        - Change to the 'netsh wlan' context (wireless lan).
      netsh wlan add          - Add a configuration entry to a table.
      netsh wlan connect      - Connect to a wireless network.
      netsh wlan delete       - Delete a configuration entry from a table.
      netsh wlan disconnect   - Disconnect from a wireless network.
      netsh wlan dump         - Display a configuration script.
      netsh wlan export       - Save WLAN profile to an XML file.
      netsh wlan help  or ?   - Display a list of commands.
      netsh wlan IHV          - Commands for IHV logging.
      netsh wlan refresh      - Refresh hosted network settings.
      netsh wlan reportissues - Generate WLAN smart trace report.
      netsh wlan set          - Set configuration information.
      netsh wlan show         - Display information.
      netsh wlan start        - Start hosted network.
      netsh wlan stop         - Stop hosted network.

   netsh                      - Interactive mode

In interactive mode, switch context by typing any context name: advfirewall, bridge, firewall, http, interface, ipsec.. etc
Then list the available commands with ?
Exit interactive mode with Quit or Exit.
To view help for any command, type the command, followed by a space and ?

To run Netsh against a remote machine, both File and Printer sharing must be enabled and the Remote Registry service must be running on the remote machine.

The syntax above is based on Windows 2016. For backwards compatibility dns is an alias for dnsserver and ip is an alias for ipv4.

Most NETSH options require elevation.

Examples

Enable or Disable File and Printer Sharing:

C:\> netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
C:\> netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No

Install ipmontr.dll:

C:\> netsh add helper ipmontr.dll

Export the firewall policy:

C:\> netsh advfirewall export "c:\advfirewallpolicy.wfw"

Enable or Disable the LAN connection:

C:\> netsh interface set interface name="Local Area Connection" admin=DISABLED
C:\> netsh interface set interface name="Local Area Connection" admin=ENABLED

Show TCP/IP settings:

C:\> netsh interface ip show config
C:\> netsh interface ipv4 show config
C:\> netsh interface ipv6 show config

Set a static IP address (e.g. for a laptop):

C:\> netsh interface ip set address name="Local Area Connection" source=static addr=192.168.0.10 mask=255.255.255.0 gateway=192.168.0.1 gwmetric=1

Set a dynamic IP address with DHCP:

C:\> netsh interface ip set address name="Local Area Connection" source=dhcp

Add multiple DNS servers:

C:\> netsh interface ipv4 add dns "Local Area Connection" 10.0.0.1
C:\> netsh interface ipv4 add dns "Local Area Connection" 10.0.0.3 index=2

index=2 adds the IP as a secondary DNS server.

Set a static DNS server address:

C:\> netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.0.2 register=none

Working with foreign locales: you cannot rely on the interface name being English, e.g. in French the Local Area Network is called "Connexion au réseau local". To display the different interfaces with their index numbers:

C:\> netsh interface ip show interfaces

Knowing the index number (the main/active interface tends to be 13), we can set a static address/gateway using the index number:

C:\> netsh interface ip set address 13 static 192.168.0.10 255.255.255.0 192.168.0.1 1

Set a dynamic DNS server address with DHCP:

C:\> netsh interface ip set dns name="Local Area Connection" source=dhcp

Set a static address for the WINS server:

C:\> netsh interface ip set wins name="Local Area Connection" source=static addr=192.168.100.3

To configure WINS from DHCP:

C:\> netsh interface ip set wins name="Local Area Connection" source=dhcp

List general configuration state including DirectAccess and DNSSEC:

C:\> netsh dns show state

Disable IPv6 privacy extensions in the saved configuration (store=persistent) and in the running configuration (store=active):

C:\> netsh interface ipv6 set privacy state=disabled store=persistent
C:\> netsh interface ipv6 set privacy state=disabled store=active

Backup the local DHCP server configuration to a file:

C:\> netsh dump dhcp > C:\backupDHCPconfig.dat
You can use this backup file to recreate the DHCP server with Netsh.

Work against a remote machine:

C:\> netsh set machine server64

Run a network capture to the file c:\temp\ss64.etl

C:\> netsh trace start capture=yes tracefile=c:\temp\ss64.etl report=no maxsize=500mb
C:\> netsh trace stop

Run a network capture with the persistent=yes argument. This will survive a reboot and capture network traffic while Windows is starting:

C:\> netsh trace start persistent=yes capture=yes tracefile=c:\temp\ss64.etl report=no maxsize=500mb
C:\> netsh trace stop

Backup the current network interface configuration to a file:

C:\> netsh dump interface > c:\backupInterfaceConfig.dat

Restore network interface configuration from a file:

C:\> netsh exec c:\backupInterfaceConfig.dat

Run Netsh from PowerShell (returns a Text object you can manipulate):

PS C:\> $myFWstate=netsh firewall show state
PS C:\> $myFWstate -match "disable"
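
Added example (not from the original page): because netsh returns plain text, a firewall audit has to parse it. The PowerShell below turns the output of 'netsh advfirewall show allprofiles' into one object per profile and checks it against a small baseline. The function names, the baseline checks and the sample output are constructed for illustration, and the field labels assume an English-language Windows install (see the note on foreign locales above).

```powershell
# Added example, not part of the original page.
# Parse 'netsh advfirewall show allprofiles' text into one object per profile.
function ConvertFrom-NetshFirewallProfile {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            # A new profile section starts: emit the previous one, if any.
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ Profile = $Matches[1] }
        }
        elseif ($current -and $line -match '^(\S+(?: \S+)*)\s{2,}(\S.*)$') {
            # "Key<two or more spaces>Value" lines, e.g. "State    ON".
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { [pscustomobject]$current }
}

# Hypothetical baseline (an assumption, adjust to local policy):
# firewall on, inbound blocked by default, dropped connections logged.
function Test-FirewallBaseline {
    param([object[]]$Profiles)
    foreach ($p in $Profiles) {
        $findings = @()
        if ($p.State -ne 'ON') { $findings += 'firewall is off' }
        if ($p.'Firewall Policy' -notmatch '^BlockInbound') {
            $findings += 'inbound default is not Block'
        }
        if ($p.LogDroppedConnections -ne 'Enable') {
            $findings += 'dropped connections are not logged'
        }
        [pscustomobject]@{
            Profile   = $p.Profile
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample output (abbreviated) so the example runs offline.
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LogDroppedConnections                 Enable

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LogDroppedConnections                 Disable

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
LogDroppedConnections                 Disable
Ok.
'@ -split "`r?`n"

# On a live host, replace $sample with: (netsh advfirewall show allprofiles)
Test-FirewallBaseline (ConvertFrom-NetshFirewallProfile -Lines $sample) |
    Format-Table -AutoSize
```

With the constructed sample, Domain is reported as compliant, Private fails on logging only, and Public fails all three checks.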

Disable Network auto-tuning (certain routers and networking devices perform better with this off.):

PS C:\> netsh interface tcp set global autotuning=disabled

Enable Network auto-tuning (certain routers and networking devices perform better with this on.):

PS C:\> netsh interface tcp set global autotuning=normal

Remove a wireless network profile, (script to remove all insecure profiles):

PS C:\> netsh wlan delete profile name="CentralPerkCoffee"

"Once you eliminate your #1 problem, #2 gets a promotion" ~ Gerald Weinberg, "The Secrets of Consulting"

Related commands

Netsh command reference - Microsoft.com
Q242468 - How to Use the Netsh.exe Tool.
DNSCMD - Manage DNS servers.
NVSPBIND - Modify network bindings (Unsupported tool.)
NETSH - Change from Static IP Address to DHCP with NETSH.
ROUTE - Manipulate network routing tables.
PowerShell: New-NetEventSession
Equivalent bash command (Linux): ifconfig - Interface configurator


 
Copyright © 1999-2024 SS64.com
Some rights reserved