More often than not, making sure that everything works in Windows networking means going to the command line. Have you ever tried to configure or troubleshoot the network in Windows without using the graphical interface?
If so, you probably know Netsh, which is a real time saver. Today we'll show you some uses of the tool that you might not know yet.
Netsh has been available in Microsoft operating systems since Windows 2000. It allows system administrators and users to manage the network.
Here are some of the usage scenarios:
- IP configuration
- Network card management
- Firewall administration
- Wireless connection configuration
- Resetting the configuration
- Show network stats
- Troubleshooting with Netsh trace
In this post we’ll show a small list of commands, which we find useful and which you can use with Netsh. To make the article easier to read, the examples of using Netsh have been organized into several categories.
Netsh – Configuring network interfaces
The classic use, and the first thing I ever did with it when I started as an IT technician many years ago, was configuring the network via netsh.
All commands are to be executed in a Command Prompt or PowerShell console. You must have “admin” rights to modify the system configuration (as with the graphical interface).
Display network interfaces
To begin, let’s see how to list all the network interfaces available on your Windows machine. This can be useful to quickly identify active or inactive interfaces.
This command displays a list of IPv4 network interfaces with details such as status, type and index.
Here is an example:
netsh interface ipv4 show interfaces
Configure a static IP address
If you want to configure a static IP address for a network interface instead of using DHCP, you can do it with Netsh.
In this example, we assign the IP address 192.168.1.128 with a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.254. In addition to adapting the IP address and mask, replace Ethernet0 with the name of your network interface (the previous command can help you identify the name).
netsh interface ipv4 set address name="Ethernet0" static 192.168.1.128 255.255.255.0 192.168.1.254
This command does not return any output in the console when it runs successfully. The static keyword is important: it is the value of the option named source, so it could also be written source=static.
Configure DNS Servers
The previous command does not allow you to set the DNS server on the network interface. Therefore, we need to run an additional command to accomplish this task.
In this example, we configure the primary DNS server to 192.168.1.7 and add a secondary DNS server 8.8.8.8.
netsh interface ipv4 set dns name="Ethernet0" static 192.168.1.7
netsh interface ipv4 add dns name="Ethernet0" 8.8.8.8 index=2
Using these few commands, we have completed the entire IP configuration using Netsh.
At any time, you can switch back to DHCP configuration using these two commands:
netsh interface ipv4 set address name="Ethernet0" dhcp
netsh interface ipv4 set dns name="Ethernet0" dhcp
Display TCP/IP configuration
Following the TCP/IP configuration performed on the Ethernet0 network card using the previous commands, you can display the configuration using the following command:
netsh interface ip show config
This is equivalent to the ipconfig command but with a netsh twist.
Enable or disable a network interface
To enable or disable a network interface, use the following commands:
netsh interface set interface "Ethernet0" admin=enable
netsh interface set interface "Ethernet0" admin=disable
These commands are useful for quickly managing the status of network interfaces on the command line. The first command is used to enable the interface, while the second is used to disable the interface.
Netsh – Firewall Management
This second part of the article is dedicated to configuring the firewall with Netsh. This tool contains many options that meet this need and it allows you to go very far. It is quite capable of adding a new Windows firewall rule. All Netsh commands related to firewall management start with netsh advfirewall.
You can save the command into a txt file, which you can rename to .bat and execute.
Displaying firewall rules
To begin, we will consult the firewall rules currently configured on the local machine. Run the following command:
netsh advfirewall firewall show rule name=all
This command lists all firewall rules. Its output is not very usable since there are a large number of rules, so it is very verbose.
Adding a new firewall rule
To add a new rule allowing incoming traffic on a specific port, we must target the add rule option of Netsh.
In this example, we allow incoming traffic on port 23389 (Remote Desktop Protocol – RDP) with a rule named Allow Remote Desktop. This can be useful if you want to allow Remote Desktop access on a special port (other than the default / 3389).
netsh advfirewall firewall add rule name="Allow RDP (In-23389)" protocol=TCP dir=in localport=23389 action=allow
You can then use the Windows GUI to check that the new rule created with Netsh is present.
If your goal is to allow ping, it is also possible with some adaptations.
netsh advfirewall firewall add rule name="Allow Ping (In-ICMP)" protocol=icmpv4 dir=in action=allow
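The verbose output of show rule name=all becomes usable once it is parsed into objects. The PowerShell below is an added example, not part of the original article: it turns the rule listing into objects and reports enabled inbound allow rules that accept any remote address, which is what a rule created without remoteip does. It assumes English netsh output; the function names and the sample text are constructed for illustration.

```powershell
# Added example, not from the original article. Assumes English netsh output
# (field labels are localized); the sample text below is constructed.
function ConvertFrom-NetshRuleText {
    param([string[]]$Lines)
    $rule = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($null -ne $rule) { [pscustomobject]$rule }   # emit the previous rule
            $rule = [ordered]@{ Name = $Matches[1].Trim() }
        }
        elseif ($null -ne $rule -and $line -match '^([^:]+):\s*(.*)$') {
            $rule[$Matches[1].Trim()] = $Matches[2].Trim()   # e.g. RemoteIP -> Any
        }
    }
    if ($null -ne $rule) { [pscustomobject]$rule }           # emit the last rule
}

function Get-OpenInboundAllowRule {
    param([string[]]$Lines)
    ConvertFrom-NetshRuleText $Lines | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and
        $_.Action -eq 'Allow' -and $_.RemoteIP -eq 'Any'
    } | Select-Object Name, Protocol, LocalPort, Profiles
}

$sample = @'
Rule Name:                            Allow RDP (In-23389)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            23389
Action:                               Allow

Rule Name:                            Block suspicious IP address
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             192.168.1.200/32
Protocol:                             Any
Action:                               Block
'@ -split '\r?\n'

Get-OpenInboundAllowRule $sample
# Live: Get-OpenInboundAllowRule (netsh advfirewall firewall show rule name=all)
```

A rule reported here can be narrowed in place with netsh advfirewall firewall set rule name="..." new remoteip=, followed by the address range that should be allowed.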
Disable the firewall
Sometimes you need to temporarily disable the firewall, especially to diagnose an access problem. You can use the following command:
netsh advfirewall set allprofiles state off
Don’t forget to re-enable the firewall afterwards. Just replace off with on in the command:
netsh advfirewall set allprofiles state on
These commands, like many other commands executed via Netsh, simply return an Ok.
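To make sure the firewall is re-enabled even when the diagnostic fails or is interrupted, the two commands can be wrapped in try/finally. This PowerShell is an added example, not from the original article; the function name is hypothetical, and it assumes an elevated console and that all profiles were on beforehand.

```powershell
# Added example, not from the original article. Assumes an elevated console
# and that every profile was enabled before the test; the name is hypothetical.
function Invoke-WithFirewallOff {
    param([Parameter(Mandatory)][scriptblock]$Diagnostic)
    try {
        netsh advfirewall set allprofiles state off | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw 'Could not change the firewall state (console not elevated?).'
        }
        & $Diagnostic
    }
    finally {
        # Runs on success, on error and on Ctrl+C.
        netsh advfirewall set allprofiles state on | Out-Null
        # Confirm with the built-in NetSecurity cmdlet that no profile stayed off.
        $stillOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
        if ($stillOff) {
            Write-Warning ('Firewall still off for: ' + ($stillOff.Name -join ', '))
        }
    }
}

# The firewall stays off only while this prompt is waiting.
Invoke-WithFirewallOff { Read-Host 'Retry the failing connection, then press Enter' }
```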
Block an IP address
To block all incoming traffic from a specific (and suspicious) IP address, you can add a deny firewall rule. The example below creates a rule to block the IP address 192.168.1.200.
netsh advfirewall firewall add rule name="Block suspicious IP address" protocol=any dir=in interface=any action=block remoteip=192.168.1.200
This rule will also be visible in the Windows GUI.
Tip: If you want to save one of those commands as a CMD file, proceed as follows. Create a text file (in my case I named it rule.txt). Then paste @echo off on the first line. Then rename the file to rule.cmd.
You can now execute the file, and it adds the rule to the Windows Firewall automatically too.
Netsh – Wi-Fi Configuration
Netsh is very useful for working with Wi-Fi networks on a Windows machine, especially for displaying the current configuration, but not only that. It can export Wi-Fi profiles in XML format, and it can also do the opposite: import them.
Show available Wi-Fi networks
To list available wireless networks, use the following command:
netsh wlan show networks
This command displays a list of Wi-Fi networks in range, with details such as SSID and security type.
Note: If you are running this command on Windows 11, you must enable location services (Settings > Privacy & Security > Location), otherwise this command will not work properly.
Show known Wi-Fi networks
You can also list the Wi-Fi networks that your machine knows about, i.e. those that you have already connected to or that were pushed by the administrator (via a GPO or another system).
netsh wlan show profiles
You can even get specific information about a specific profile. Here, we are targeting the profile named Bbox-859DBE88.
netsh wlan show profiles name="Bbox-859DBE88"
By adding an additional parameter, you can even display the security key in plain text. For example:
netsh wlan show profile name="Bbox-859DBE88" key=clear
In addition, you can also display the configuration of your wireless network card:
netsh wlan show drivers
Connect to a Wi-Fi network and import/export
Now we're getting into it. To connect to a wireless network, use the following command:
netsh wlan connect name="MyWiFi"
Replace MyWiFi with the SSID of the network you want to connect to. It must already be known by your machine, i.e. be in the list of saved profiles.
If this is not the case, you must first export a configuration file from a machine that knows the network. The example below exports the connection information for the FLOBOX network. The output XML file will be stored in C:\WiFiExport and will contain the security key in clear text.
netsh wlan export profile name="Bbox-859DBE88" interface="Wi-fi 2" folder="C:\WiFiExport" key=clear
Then, import this file on the machine that needs to connect to it:
netsh wlan add profile filename="C:\ImportWiFi\Wi-Fi-2-Bbox-859DBE88.xml"
Then, it will be possible to establish a connection to the Wi-Fi network from the other machine. You can also use these commands to back up your network/Wi-Fi configurations and restore them, for example if you need to reinstall your system.
On Windows, Netsh is an essential tool when it comes to troubleshooting the network. It provides access to some very useful commands that act on the Windows network stack, especially commands that can reset the network components.
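Because key=clear writes the Wi-Fi key unencrypted into the XML file, it helps to know which exported files contain one. The PowerShell below is an added example, not from the original article: it scans a folder for WLAN profile exports whose sharedKey is marked as not protected. The function name is hypothetical, and the sample profile (with a placeholder key) is constructed.

```powershell
# Added example, not part of the original article. Function name is hypothetical;
# the sample profile below is constructed and its key is a placeholder.
function Get-ClearTextWlanExport {
    param([Parameter(Mandatory)][string]$Folder)
    # WLAN profile XML is namespaced, so the XPath matches on local-name().
    $xpKey  = "//*[local-name()='sharedKey'][*[local-name()='protected']='false']"
    $xpSsid = "//*[local-name()='SSID']/*[local-name()='name']"
    Get-ChildItem -Path $Folder -Filter *.xml | ForEach-Object {
        if (Select-Xml -Path $_.FullName -XPath $xpKey) {
            $ssid = Select-Xml -Path $_.FullName -XPath $xpSsid | Select-Object -First 1
            [pscustomobject]@{ File = $_.FullName; SSID = $ssid.Node.InnerText }
        }
    }
}

# Constructed sample of what key=clear writes (trimmed to the relevant elements).
$sample = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Bbox-859DBE88</name>
  <SSIDConfig><SSID><name>Bbox-859DBE88</name></SSID></SSIDConfig>
  <MSM><security><sharedKey>
    <keyType>passPhrase</keyType>
    <protected>false</protected>
    <keyMaterial>PLACEHOLDER-NOT-A-REAL-KEY</keyMaterial>
  </sharedKey></security></MSM>
</WLANProfile>
'@
$demo = Join-Path $env:TEMP 'WiFiExportDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'Wi-Fi-2-Bbox-859DBE88.xml') -Value $sample
Get-ClearTextWlanExport -Folder $demo
Remove-Item -Path $demo -Recurse -Force

# On a real export folder, limit access before exporting and delete the files
# once the import on the target machine is done:
#   icacls C:\WiFiExport /inheritance:r /grant:r "${env:USERNAME}:(OI)(CI)F"
#   Get-ClearTextWlanExport -Folder C:\WiFiExport | ForEach-Object { Remove-Item $_.File }
```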
Reset the TCP/IP stack
If you encounter network problems, resetting the TCP/IP stack can solve some of them, especially when you start going around in circles because your other repair attempts, driver updates and other fixes are not working. In this case, you can try using the following command:
netsh int ip reset
After running this command, restart your PC to apply the changes. It may solve your problems.
Final Words
We have seen many examples in this post concerning the netsh command tool. The list is not exhaustive, so if you want to explore more, you're more than welcome. This is a tool which is built into many (if not all) Windows client and server systems, so it is pretty useful to master it to some level. You never know when you'll need it for troubleshooting, monitoring or configuring.