By Eric Geier

Netsh is a powerful command-line tool that is installed by default on Windows 2000, XP, Vista, and recent Server editions. It lets you view and change TCP/IP, authentication, firewall, and other network settings. The beauty is that you can configure multiple computers by using a logon script or other means, such as a batch file.

Without this you have to bring up the GUIs for the network settings on each computer and manually modify them. Instead, you can write a script and run it from one PC to push the changes to all the others, or take a batch file around to each and make the changes with one click. This takes much less clicking, typing and time.

We’ll discover a few different things you can do with the Netsh commands. More specifically, we’ll review how to view and modify the IP settings for adapters and how to manage Windows Firewall. Let’s get started!

Viewing the Network Settings

Netsh lets you view the network (TCP/IP) settings and statistics. Before you make changes you may want to check the current settings. The statistics can also help when troubleshooting. Here are several commands you may want to check out:

netsh interface ip show addresses
Shows IP addressing method and IP addresses for each adapter.

netsh interface ip show config
Shows same information from above but includes DNS and WINS details.

netsh interface ip show dnsservers
Displays just the DNS server addresses.

netsh interface ip show ipstats
Displays overall IP statistics.

netsh interface ip show tcpconnections
Displays the TCP connections.

netsh interface ip show tcpstats
Shows only TCP statistics.

netsh interface ip show udpconnections
Displays the UDP connections.

netsh interface ip show udpstats
Shows only UDP statistics.

Changing the Network Configuration

With Netsh you change the TCP/IP properties of network connections: static or dynamic (DHCP) addressing, client IP address, gateway IP address, subnet mask, and DNS servers.

This is useful, for example, if you want to change the addressing of multiple computers to static, or back to dynamic. Additionally, you could change the assigned static IP addresses or change the DNS servers to a different address.

In the following examples, you can replace Local Area Connection with Wireless Network Connection to configure the Wi-Fi adapter instead of the wired Ethernet card. If the default names aren’t used on your PC, replace it with the correct name of the desired adapter. You can see the exact names on the Network Connections window in Windows or when viewing the network details at the command-line.

Here’s an example of how to assign a network connection with a static IP:

netsh interface ip set address "Local Area Connection" static

(The IP address order is: client IP, subnet mask, and gateway IP.)

If you also want to manually assign the IP addresses for DNS servers, or change them from their current IP, try this:

netsh interface ip add dns "Local Area Connection"

netsh interface ip add dns "Local Area Connection" index=2

(These IP addresses are for the OpenDNS servers; feel free to use different ones. The second line configures the secondary server address.)

Here’s how to change to dynamic addressing:

netsh interface ip set address "Local Area Connection" dhcp

You can also tell the adapter to receive the DNS addresses automatically:

netsh interface ip delete dnsserver "Local Area Connection" all

(You could replace all with one of the current addresses to remove only it.)

Viewing the Windows Firewall Configuration

The Netsh also lets you manage the built-in Windows Firewall. Before you start adding or removing firewall entries or changing settings, you may want to check the current configuration. Here are several commands you may want to try:

netsh firewall show allowedprogram
Displays the details of programs added to the exception/allowed list.

netsh firewall show portopening
Displays the details of port added to the exception/allowed list.

netsh firewall show config
Shows the status of the main settings.

netsh firewall show currentprofile
Shows current firewall profile.

netsh firewall show logging
Displays logging file location and other details.

Modifying the Windows Firewall Settings

Changing the firewall settings via the command-line is also beneficial. Maybe you installed a local server and need to add the port to Windows Firewall on all the PCs. Whatever the reason, we’ll discuss adding program- and port-based exceptions.

Here’s an example of adding a program to the exception list:

netsh firewall set allowedprogram C:MyAppMyApp.exe "My Application" ENABLE

(Replace the path and filename, plus the application’s name for easier identification in firewall settings. To block the application, use DISABLE instead.)

Here’s how you might add a port to the firewall:

set portopening TCP 80 "My Web Port" ENABLE

(Replace TCP with UDP as necessary and insert name for exception within the quotes. To block the port, use DISABLE instead.)

We Passed the Command Line

There’s one last tip to take away: from the Command Prompt you can type netsh to enter the tool itself, so you don’t have to keep typing netsh before the command. Plus you can move to contexts, such as by entering netsh firewall. Then you can, for example, simply enter show configset allowedprogram, or other netsh firewall commands directly, without preceding them with netsh firewall.

You should now be able to quickly review the networking and firewall settings at the command-line with Netsh. Plus you should be able to make simple configuration changes. Remember, there are many more commands to discover; we reviewed the basic ones.



Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi Hotspot Network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft(R) Windows Vista (Que 2007).