netsh communication networking

Upload: obertly

Post on 18-Nov-2014

Page 1: Netsh Communication Networking

Network Netsh Communication Networking 1


Contents

Netsh Overview ... 3
Network communications technologies that provide netsh functionality ... 4
Features and other network communications technologies ... 4
Netsh Commands for All Contexts ... 7
Netsh Commands for Windows Firewall with Advanced Security ... 9
Netsh Commands for Network Bridge ... 13
Netsh Commands for Dynamic Host Configuration Protocol client ... 14
Netsh Commands for Windows Firewall ... 15
Netsh Commands for Hypertext Transfer Protocol (HTTP) ... 30
Netsh Commands for Interface (IPv4 and IPv6) ... 38
Netsh Commands for Interface 6to4 ... 42
Netsh Commands for Interface Internet Protocol version 4 (IPv4) ... 46
Netsh Commands for Interface Internet Protocol version 6 (IPv6) ... 67
Netsh Commands for Interface ISATAP ... 95
Netsh Commands for Interface Portproxy ... 96
Netsh Commands for Interface Transmission Control Protocol ... 105
Netsh Commands for Interface Teredo ... 110
Netsh Commands for Internet Protocol security (IPsec) ... 111
Netsh Commands for Wired Local Area Network (LAN) ... 147
Netsh Commands for NAP Client ... 152
Netsh Commands for Network Input Output (NETIO) ... 162
Netsh Commands for Peer-to-peer Networking (P2P) ... 164
Netsh Commands for Remote Access ... 174
Netsh Commands for Remote Procedure Call (RPC) ... 200
Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP) ... 212
Netsh Commands for Windows Sockets (WINSOCK) ... 215
Netsh Commands for Wireless Local Area Network (WLAN) ... 218


Netsh Overview

Network shell (netsh) is a command-line utility that allows you to configure and display the status of various network communications server roles and components after they are installed on computers running Windows Server® 2008.

Some client technologies, such as Network Access Protection (NAP) client, also provide netsh commands that allow you to configure client computers running Windows Vista®.

In most cases, netsh commands provide the same functionality that is available when using the Microsoft Management Console (MMC) snap-in for each server role or component. In addition, there are netsh commands for network functionality, such as for IPv6, network bridge, and remote procedure call (RPC), that are not available in the user interface as an MMC snap-in.

You can use netsh commands to configure and display the status of network components on the local computer and on remote computers.

In addition, netsh commands can be run manually by typing commands at the netsh prompt and they can be run in batch files and scripts.

Netsh commands are organized in a hierarchy of contexts. Each network technology with netsh command functionality has its own context. For example, the netsh context for remote access service is ras.


Network communications technologies that provide netsh functionality

Netsh functionality is provided for some server roles, role services, features, and technologies.

Server roles and role services

The following server roles provide netsh command functionality:

The Dynamic Host Configuration Protocol (DHCP) server role. After installing the DHCP server role, you can configure the DHCP server by using the commands in the netsh dhcp context.

The Network Policy and Access Services server role. This server role provides netsh functionality for the following role services after the role services are installed:

Health Registration Authority (HRA). The context for HRA is netsh nap hra.

Network Policy Server (NPS). The context for NPS is netsh nps.

Routing and Remote Access. The contexts for Routing and Remote Access are netsh routing and netsh ras.

Features and other network communications technologies

The following features provide netsh command functionality:

Windows Internet Name Service (WINS). The context for WINS is netsh wins.

The following network communications technologies provide netsh functionality:

DHCP client. The context for DHCP client is netsh dhcpclient.

Firewall. See Windows Firewall and Windows Firewall with Advanced Security.

Hypertext Transfer Protocol (HTTP). The context for HTTP is netsh http.

Internet Authentication Service. IAS is renamed to Network Policy Server (NPS), and the context for NPS is netsh nps.

Internet Protocol version 4 (IPv4). The context for IPv4 is netsh interface ipv4. The older context name netsh interface ip is still accepted as an alias.

Internet Protocol version 6 (IPv6). The context for IPv6 is netsh interface ipv6.

IPv4 and IPv6 network and application proxy. The context for the IPv4 and IPv6 network and application proxy is netsh interface portproxy.

Internet Protocol security (IPsec). The context for IPsec is netsh ipsec.

Local Area Network. See Wired Local Area Network.

Network Access Protection (NAP). The context for NAP client is netsh nap. In addition, NPS provides netsh commands at the netsh nps context that allow you to configure NPS as a NAP policy server.

Network Bridge. The context for network bridge is netsh bridge.


Network input output (netio). The context for netio is netsh netio.

Remote Procedure Call (RPC). The context for RPC is netsh rpc.

Windows Firewall. The context for Windows Firewall is netsh firewall.

Windows Firewall with Advanced Security. The context for Windows Firewall with Advanced Security is netsh advfirewall.

Windows HTTP. The context for Windows HTTP is netsh winhttp.

Windows Sockets (winsock). The context for Windows Sockets is netsh winsock.

Wired Local Area Network (LAN). The context for wired LAN is netsh lan.

Wireless LAN. The context for wireless LAN is netsh wlan.

The following sections provide information about the netsh commands and their use, including a comprehensive command reference with syntax and parameters for all commands.

You can use this procedure to start the network shell and enter a netsh context.

To enter a netsh context

1. Open a command prompt.

2. At the command prompt, type netsh, and then press ENTER.

3. Type one of the values from the following table, and then press ENTER.

Netsh contexts

Following are the values you can type to enter a netsh context.

Technology                                                        Value to type
Dynamic Host Configuration Protocol (DHCP) client                 dhcpclient
Dynamic Host Configuration Protocol (DHCP) server                 dhcp
Health Registration Authority (HRA)                               nap hra
Hypertext Transfer Protocol (HTTP)                                http
Interface (IPv4 and IPv6)                                         interface
Internet Authentication Service (IAS), renamed Network Policy Server   nps
Internet Protocol security (IPsec)                                ipsec
Network Access Protection (NAP) client                            nap
Network Bridge                                                    bridge
Network Input Output (NETIO)                                      netio
Network Policy Server (NPS)                                       nps
Remote Access                                                     ras
Routing                                                           routing
Remote Procedure Call (RPC)                                       rpc
Windows Firewall                                                  firewall
Windows Firewall with Advanced Security                           advfirewall
Windows Hypertext Transfer Protocol (WinHTTP)                     winhttp
Windows Internet Name Service (WINS)                              wins
Windows Sockets (WINSOCK)                                         winsock
Wired Local Area Network (LAN)                                    lan
Wireless Local Area Network (WLAN)                                wlan

Additional information

To enter a context, you can type only enough letters in the context name to allow netsh to uniquely identify the context. For example, to enter the winhttp context from the netsh prompt (that is, netsh>), you can type winh, and then press ENTER.

Some of these contexts are not available at the netsh prompt unless you have previously installed the server role, role service, feature, or other technology. For example, the DHCP server context netsh dhcp is not available at the netsh prompt until after you install the DHCP server role.

Many of the contexts listed above have one or more subcontexts. Subcontexts contain netsh commands that can be run only within the subcontext. For example, to run the add scope command, you must be within the server subcontext of the dhcp context:

netsh dhcp server add scope parameters

Where parameters are the properties of the scope that you can configure with the command.
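The procedure above is interactive. As an added example (not part of the original document), the following PowerShell function runs the same kind of command list non-interactively through a script file passed to netsh -f, which is how the batch and script use mentioned in the overview is normally done. It assumes netsh.exe is on the path; the function name and the temporary file name are this example's own. A context name on its own line enters that context and .. moves up one level, exactly as at the netsh> prompt, and this is also the format that netsh dump writes.

```powershell
# Added example, not from the original document. Runs a list of netsh
# commands non-interactively through a temporary script file ('netsh -f').
# Assumes netsh.exe is on the PATH and, for any command that changes
# settings, an elevated prompt. Function and file names are this example's own.

function Invoke-NetshScript {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # one netsh command per line
        [string]$RemoteComputer                   # optional: run against a remote computer with -r
    )
    $scriptPath = Join-Path $env:TEMP ('netsh-{0}.txt' -f [guid]::NewGuid())
    # netsh reads script files as plain text; write ASCII rather than UTF-16.
    Set-Content -Path $scriptPath -Value $Lines -Encoding Ascii
    try {
        $netshArgs = @()
        if ($RemoteComputer) {
            # -r runs under the caller's credentials unless -u/-p are also
            # given, and needs the Remote Registry service on the target.
            $netshArgs += @('-r', $RemoteComputer)
        }
        $netshArgs += @('-f', $scriptPath)
        $output = & netsh.exe @netshArgs 2>&1 | Out-String
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
    }
    finally {
        # Never leave the command file behind: it may contain addresses or
        # rule names you do not want lying in a temp folder.
        Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
    }
}

# Each line is exactly what you would type at the netsh> prompt. 'interface
# ipv4' enters that context, '..' moves up one level (twice, back to the
# root), then 'advfirewall' is entered so 'show currentprofile' runs there.
$commands = @(
    'interface ipv4'
    'show interfaces'
    '..'
    '..'
    'advfirewall'
    'show currentprofile'
)
$result = Invoke-NetshScript -Lines $commands
"netsh exited with code $($result.ExitCode)"
$result.Output
```

Both show commands in the sample list are read-only, so the sample runs from a non-elevated prompt; replace them with set or add commands and the same function applies the change, and the exit code tells a calling script whether netsh accepted it.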

Network Policy Server (NPS) was formerly known as Internet Authentication Service, and is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy, as well as a client health policy server for Network Access Protection (NAP).


Netsh Commands for All Contexts

Netsh uses the following standard commands in all contexts that you can run from a Netsh.exe command prompt (that is, netsh>).

Netsh standard commands

Following is the list of netsh commands that you can run in all netsh contexts.

add helper

Installs the helper dynamic-link library (DLL) in netsh.

Syntax

add helper DLLName

Parameters

DLLName

Required. Specifies the name of the helper DLL that you want to install.

/?

Displays help at the command prompt.
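A helper DLL installed with add helper is registered under HKLM\SOFTWARE\Microsoft\NetSh and is loaded by every later netsh invocation on the computer, so that key is where an unexpected helper shows up. The following PowerShell function, an added example and not part of the original document, lists the registered helpers and flags any whose file is missing, is not under System32, or is not Authenticode-signed. The path resolution and the Suspect heuristic are this example's own assumptions; compare its output with netsh show helper.

```powershell
# Added example, not from the original document. 'add helper' registers a
# DLL under HKLM\SOFTWARE\Microsoft\NetSh, and netsh loads every DLL listed
# there on each start. This lists the registered helpers and flags any that
# is missing, outside System32, or not Authenticode-signed. Path resolution
# and the 'Suspect' heuristic are this example's own assumptions.

function Get-NetshHelper {
    $key = 'HKLM:\SOFTWARE\Microsoft\NetSh'
    # Properties the registry provider adds to every item; not helper entries.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $system32 = Join-Path $env:SystemRoot 'System32'
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $dll = [string]$prop.Value
        # Registered values are normally bare file names; assume the loader
        # finds them in System32 unless a full path is given.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
        # Note: on older Windows versions catalog-signed system DLLs report
        # NotSigned here, so treat the path check as the primary signal there.
        $status = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else { 'FileMissing' }
        $inSystem32 = $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Helper    = $prop.Name
            Dll       = $dll
            Path      = $path
            Signature = $status
            Suspect   = (($status -ne 'Valid') -or (-not $inSystem32))
        }
    }
}

# Review every row with Suspect = True; cross-check with 'netsh show helper'.
Get-NetshHelper | Sort-Object Suspect -Descending | Format-Table -AutoSize
```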


alias

Adds an alias that consists of a user-defined character string, which netsh treats as equivalent to another character string. Used without parameters, alias displays all available aliases.

Syntax

alias [AliasName] [String1 [String2 ...]]

Parameters

alias [AliasName]

Displays the specified alias.

alias [AliasName] [String1 [String2 ...]]

Sets AliasName to the specified strings.

/?

Displays help at the command prompt.


Netsh Commands for Windows Firewall with Advanced Security

Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management. This can be useful in the following situations:

When deploying Windows Firewall with Advanced Security settings to computers on a wide area network (WAN), commands can be used interactively at the Netsh command prompt to provide better performance than graphical utilities when used across slow-speed network links.

When deploying Windows Firewall with Advanced Security settings to a large number of computers, commands can be used in batch mode at the Netsh command prompt to help script and automate recurring administrative tasks that must be performed.

You must have the required permissions to run the netsh advfirewall commands:

If you are a member of the Administrators group, and User Account Control is enabled on your computer, then run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

If you are a member of the Network Operators group, then you can run the commands from any command prompt.

If you are a not a member of Administrators or Network Operators, and have not been delegated any other permissions to run this command, then you can run only those commands that display, but do not change settings.

Netsh AdvFirewall context

The following commands are available at the netsh advfirewall> prompt.

To start the advfirewall context at an elevated command prompt, type netsh, press ENTER, then type advfirewall and press ENTER.

Each command and its syntax is described below.

dump

This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error. When the dump command is used from the root context, no Windows Firewall or IPsec configuration information is included in the output, so a netsh dump script is not a backup of the firewall configuration; use the export command for that.

export

Exports the Windows Firewall with Advanced Security configuration in the current store to a file. This file can be used with the import command to restore the Windows Firewall with Advanced Security service configuration to a store on the same or to a different computer. The Windows Firewall with Advanced Security configuration on which the export command works is determined by the set store command. This command is the equivalent to the Export Policy command in the Windows Firewall with Advanced Security MMC snap-in.

Syntax

export [Path]FileName


Parameters

[Path]FileName

Required. Specifies, by name, the file where the Windows Firewall with Advanced Security configuration will be written. If the path, file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.

Examples

In the following example, the command exports the complete Windows Firewall with Advanced Security service configuration to the file C:\temp\wfas.wfw.

export c:\temp\wfas.wfw

import

Imports a Windows Firewall with Advanced Security service configuration from a file to the local service. The configuration file is created by using export command. This command is equivalent to the Import Policy command in the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.

Syntax

import [Path]FileName

Parameters

[Path]FileName

Required. Specifies, by name, the file from which the Windows Firewall with Advanced Security configuration will be imported. If the path, the file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command looks in the current folder for the file.

Examples

In the following example, the command imports the complete Windows Firewall with Advanced Security service configuration from the file c:\temp\wfas.wfw.

import c:\temp\wfas.wfw

reset

Restores Windows Firewall with Advanced Security to all of its default settings and rules. Optionally, it first backs up the current settings by using the export command to a configuration file. This command is equivalent to the Restore Defaults command in the Windows Firewall with Advanced Security MMC snap-in.

If the current focus of your commands is the local computer object, then the default settings and rules immediately take effect on the computer.

If the current focus of your commands is a GPO, then this command resets all policy settings in that object to Not Configured, and deletes all connection security and firewall rules from the object. Changes do not take place until that policy is refreshed on those computers to which the policy applies. To use the Netsh tool to modify a GPO rather than the local computer's configuration store, use the set store command.

Syntax

reset [export [Path]FileName]

Parameters

[export [Path]FileName]


Specifies that the current configuration is backed up to the specified file before Windows Firewall with Advanced Security is reset to all default configuration settings and rules. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.

Examples

In the following example, the command exports the complete Windows Firewall with Advanced Security configuration to the file c:\Temp\wfas.wfw, and then resets the Windows Firewall with Advanced Security configuration to its default configuration settings and rules.

reset export c:\Temp\wfas.wfw

set

Configures settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.

The Set commands available at the netsh advfirewall> prompt are:

set {ProfileType}

Configures options for the profile associated with the specified network location type. Windows only uses one profile at a time, regardless of the number and types of networks to which you are connected. To see which profile is currently active on your computer, use the netsh advfirewall show currentprofile command. The set {ProfileType} command is equivalent to using the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles.

When your computer is connected to multiple networks, the profile type that Windows Firewall with Advanced Security uses is the one that is expected to be more protective of your computer. For example, if your computer is connected to both a Public network and a Domain network, then Windows Firewall with Advanced Security will use the profile associated with the Public network location type, because it is expected to contain more restrictive and protective settings than the Domain profile. The list of network location types in order of expected increasing restrictiveness is domain, private, and then public. We recommend that you maintain that expected order when you modify the profiles so that you do not unexpectedly use a less protective profile when you are connected to a less secure network location type.

Syntax

set ProfileType Parameter Value

Parameters

ProfileType

Required. Can be any one of the following:

• allprofiles

• currentprofile

• domainprofile

• privateprofile

• publicprofile
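The export, import, reset and set commands above are usually combined into one change procedure: back up the store, apply per-profile settings, verify on the profile Windows actually selected, and restore the backup if anything fails. The following PowerShell script is an added example and not part of the original document. It assumes an elevated prompt on Windows Vista or Windows Server 2008 or later; the set parameters it uses (state, firewallpolicy, logging droppedconnections) are standard netsh advfirewall set parameters whose reference entries fall outside this extract, and the function names are this example's own.

```powershell
# Added example, not from the original document. Backs up the active store
# with 'export', applies a per-profile baseline with 'set', verifies it with
# 'show currentprofile', and restores the backup with 'import' if any step
# fails. Assumes an elevated prompt. The set parameters used here (state,
# firewallpolicy, logging droppedconnections) are standard netsh advfirewall
# parameters not listed in this extract of the document.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Netsh {
    # Runs one netsh command and throws on a non-zero exit code, so a failing
    # step stops the run instead of leaving the policy half applied.
    param([Parameter(Mandatory)][string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed:`n$out" }
    $out
}

function Set-FirewallBaseline {
    param([string]$BackupPath = (Join-Path $env:TEMP 'wfas-backup.wfw'))
    if (-not (Test-IsElevated)) {
        throw 'Run from an elevated prompt: set commands need Administrators rights.'
    }
    # 1. Export the current configuration first (what 'reset export' also does).
    Invoke-Netsh -NetshArgs @('advfirewall', 'export', $BackupPath) | Out-Null
    try {
        # 2. Firewall on, inbound blocked by default, in every profile. The same
        #    value is applied to all profiles so the domain/private/public
        #    ordering the section recommends is preserved.
        Invoke-Netsh -NetshArgs @('advfirewall', 'set', 'allprofiles', 'state', 'on') | Out-Null
        Invoke-Netsh -NetshArgs @('advfirewall', 'set', 'allprofiles', 'firewallpolicy',
                                  'blockinbound,allowoutbound') | Out-Null
        # 3. Log dropped connections so denied traffic can be reviewed later.
        Invoke-Netsh -NetshArgs @('advfirewall', 'set', 'allprofiles', 'logging',
                                  'droppedconnections', 'enable') | Out-Null
        # 4. Verify on the profile Windows selected for this host, not on the
        #    one you assumed; 'show currentprofile' prints 'State   ON'.
        $current = Invoke-Netsh -NetshArgs @('advfirewall', 'show', 'currentprofile')
        if ($current -notmatch '(?m)^State\s+ON') {
            throw "Verification failed, current profile reports:`n$current"
        }
        $current
    }
    catch {
        # Roll back to the exported file, then re-raise the original error.
        Invoke-Netsh -NetshArgs @('advfirewall', 'import', $BackupPath) | Out-Null
        throw
    }
}

Set-FirewallBaseline
```

If the store has been pointed at a GPO with set store, the same sequence edits the GPO instead of the local computer, and the verification step is then only meaningful on a computer that has refreshed the policy.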


Netsh Commands for Network Bridge

You can run these commands from the command prompt on a computer running Microsoft® Windows Vista® or Windows Server® 2008 from the netsh bridge context. To successfully run these commands at the command prompt on a computer running Windows Server 2008, you must type netsh bridge before typing the commands and parameters as they appear in this topic.

Netsh commands for Network Bridge

show adapter

Displays adapter identification, adapter names, and the state of the Layer 3 compatibility mode of adapters that are part of Network Bridge.

show adapter 2

This command lists the adapter ID, friendly name, and the state of the Layer 3 compatibility mode information for adapter 2.

set adapter

This command modifies the configuration of a specified adapter that is part of Network Bridge by setting the state of the adapter to either enable or disable network layer (Layer 3) compatibility mode.

set adapter 2 forcecompatmode=enable

This command is used to force adapter 2 to run in Layer 3 compatibility mode.

Page 14: Netsh Communication Networking

Network Netsh Communication Networking 14

Netsh Commands for Dynamic Host Configuration Protocol client

The Netsh commands for Dynamic Host Configuration Protocol (DHCP) client offer a command-line tool that helps with the administration of DHCP clients.

Netsh commands for DHCP client

You can run these commands from the command prompt for the Netsh DHCP client context. For these commands to work at the command prompt, you must type netsh dhcpclient before typing commands and parameters as they appear in the syntax below.

Netsh DHCP client

The following commands are available at the dhcpclient> prompt, which is rooted within the netsh environment.

trace

Specifies whether logging, which is also called tracing, is enabled or disabled for the DHCP client on the local computer.

Syntax

trace { enable | disable }

Parameters

enable

Specifies that logging is enabled for the DHCP client service on the local computer. If the DHCP Network Access Protection (NAP) Enforcement Client is enabled, NAP events are also logged.

disable

Specifies that logging is disabled for the DHCP client service on the local computer. If the DHCP NAP Enforcement Client is enabled, logging of NAP events is also disabled.

Example

The following example enables tracing for the DHCP client service and the DHCP NAP Enforcement Client:

netsh dhcpclient trace enable

Page 15: Netsh Communication Networking

Network Netsh Communication Networking 15

Netsh Commands for Windows Firewall

The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings.

The firewall context of the netsh command-line tool is provided only for backwards-compatibility with earlier versions of Windows. The firewall context works on computers that are running Microsoft® Windows Vista® and Windows Server® 2008, but it does not allow you to manage or interact with any of the firewall features that are new to Windows Vista or Windows Server 2008. This context does not allow you to work remotely on a computer to directly configure its firewall.

Microsoft recommends that you use the advfirewall context unless you are using this tool in a mixed environment and must maintain backwards-compatibility with earlier versions of Windows. To use the new firewall features included with Windows Vista and Windows Server 2008, you must use the advfirewall context instead.

We recommend that you do not use this context on a computer that is running Windows Vista or Windows Server 2008, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista or Windows Server 2008, standard maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.

You can run these commands from within the netsh tool at the netsh firewall> prompt.

For these commands to work at a standard Windows command prompt, you must preface each command with netsh firewall, followed by the specific command and parameters as they appear in the syntax below.

Netsh firewall

The following sections describe each command and its syntax.

add allowedprogram

Adds a program-based exception to the firewall.

Syntax

add allowedprogram [ program = ] PathAndFileName [ name = ] ProgramName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ program = ] PathAndFileName

Required. The path and file name of the program to be added to the firewall exception list. If the path or file name includes spaces, then you must use quotation marks around the path and file name.

[ name = ] ProgramName

Required. Friendly name of the program to be added to the list. This value is displayed in the Firewall control panel exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer. The default value is enable.


[ [ scope = ] { all | subnet | custom } ]

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter. The default value is all.

[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.

Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The firewall profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to the domain and private (standard) profiles; the public profile can be reached only through current, as described below.

You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

add allowedprogram "C:\My App\MyApp.exe" "My Application" enable


add allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,12AB:0000:0000:CD30::/60,localsubnet
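The addresses parameter is where exceptions most often end up wider than intended, and netsh only reports a bad entry after it has parsed the whole command. The following PowerShell code, an added example that is not part of the original document, checks a scope=custom list against the rules stated above (single address, start-end range, subnet/mask, subnet/prefix or localsubnet; no unspecified, loopback or multicast address) before anything is passed to netsh, then builds the legacy netsh firewall add allowedprogram line together with the netsh advfirewall firewall add rule equivalent that this section recommends on Windows Vista and Windows Server 2008. The parsing uses System.Net.IPAddress and the function names are this example's own; the sample addresses reuse the document's own example values.

```powershell
# Added example, not from the original document. Validates a scope=custom
# address list before it reaches netsh, then emits the legacy
# 'netsh firewall add allowedprogram' line and the advfirewall equivalent.
# Function names are this example's own; prefix notation is used for subnets.

function Test-ForbiddenAddress {
    # True for the addresses the addresses= parameter must not contain.
    param([Parameter(Mandatory)][System.Net.IPAddress]$Ip)
    if ($Ip.Equals([System.Net.IPAddress]::Any) -or
        $Ip.Equals([System.Net.IPAddress]::IPv6Any)) { return $true }   # unspecified
    if ([System.Net.IPAddress]::IsLoopback($Ip)) { return $true }        # 127/8, ::1
    if ($Ip.AddressFamily -eq 'InterNetwork') {
        $first = $Ip.GetAddressBytes()[0]
        return ($first -ge 224 -and $first -le 239)                      # 224.0.0.0/4
    }
    return $Ip.IsIPv6Multicast                                           # ff00::/8
}

function Test-ScopeEntry {
    # Returns $true if one comma-separated entry is well formed and allowed.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -eq 'localsubnet') { return $true }
    $addr = $null
    if ($Entry -match '^([^-/]+)-([^-/]+)$') {                       # IPRange
        foreach ($end in $Matches[1], $Matches[2]) {
            if (-not [System.Net.IPAddress]::TryParse($end, [ref]$addr)) { return $false }
            if (Test-ForbiddenAddress $addr) { return $false }
        }
        return $true
    }
    if ($Entry -match '^([^/]+)/([^/]+)$') {                         # Subnet: mask or prefix
        if (-not [System.Net.IPAddress]::TryParse($Matches[1], [ref]$addr)) { return $false }
        if (Test-ForbiddenAddress $addr) { return $false }
        $suffix = $Matches[2]
        if ($suffix -match '^\d+$') {
            $max = if ($addr.AddressFamily -eq 'InterNetwork') { 32 } else { 128 }
            return ([int]$suffix -le $max)
        }
        $mask = $null
        return [System.Net.IPAddress]::TryParse($suffix, [ref]$mask)  # dotted mask
    }
    if (-not [System.Net.IPAddress]::TryParse($Entry, [ref]$addr)) { return $false }
    return -not (Test-ForbiddenAddress $addr)
}

function New-AllowedProgramCommand {
    param(
        [Parameter(Mandatory)][string]$Program,
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Addresses                       # empty means scope=all
    )
    if ($Addresses) {
        $bad = @($Addresses | Where-Object { -not (Test-ScopeEntry $_) })
        if ($bad.Count) { throw "Rejected address entries: $($bad -join ', ')" }
        $legacyScope = "scope=custom addresses=$($Addresses -join ',')"
        $remoteIp    = $Addresses -join ','
    }
    else {
        $legacyScope = 'scope=all'
        $remoteIp    = 'any'
    }
    [pscustomobject]@{
        # Legacy context: reaches only the domain and private (standard) profiles.
        Legacy      = "netsh firewall add allowedprogram program=`"$Program`" name=`"$Name`" mode=enable $legacyScope profile=all"
        # Same exception as an advfirewall rule; remoteip= takes the same entry forms.
        Advfirewall = "netsh advfirewall firewall add rule name=`"$Name`" dir=in action=allow program=`"$Program`" enable=yes profile=domain,private remoteip=$remoteIp"
    }
}

# Constructed input; the addresses reuse the document's own example values.
$params = @{
    Program   = 'C:\My App\MyApp.exe'
    Name      = 'My Application'
    Addresses = @('157.60.0.1', '172.16.0.0/16', '12AB:0000:0000:CD30::/60', 'localsubnet')
}
$cmd = New-AllowedProgramCommand @params
$cmd.Legacy
$cmd.Advfirewall

# A loopback entry is refused before anything is passed to netsh.
try { New-AllowedProgramCommand -Program 'C:\x.exe' -Name 'x' -Addresses '127.0.0.1' }
catch { "Rejected: $($_.Exception.Message)" }
```

The two emitted lines are printed rather than executed so they can be reviewed; run them from an elevated prompt, and prefer the advfirewall form on Windows Vista or Windows Server 2008 for the reasons given at the start of this section.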

set allowedprogram

Modifies the settings of an existing program-based exception.

Syntax

set allowedprogram [ program = ] PathAndFileName [ [ name = ] ProgramName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ program = ] PathAndFileName

Required. The path and file name of the program whose exception you want to modify. If the path or file name includes spaces, then you must use quotation marks around the path and file name.

[ [ name = ] ProgramName ]

New friendly name for the program. This value is displayed in the Firewall control panel exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer.

[ [ scope = ] { all | subnet | custom } ]

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.

[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.

Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to the domain and private (standard) profiles; the public profile can be reached only through current.

The default value is current.

You must specify at least one parameter other than program.

You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set allowedprogram "C:\My App\MyApp.exe" "My Application" enable

set allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

set allowedprogram program="C:\My App\MyApp.exe" name=MyApp mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

delete allowedprogram

Deletes an existing program-based exception.

Syntax

delete allowedprogram [ program = ] PathAndFileName [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ program = ] PathAndFileName

Required. The path and file name of the program to be deleted from the firewall exception list.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to the domain and private (standard) profiles; the public profile can be reached only through current.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

delete allowedprogram C:\MyApp\MyApp.exe

delete allowedprogram program = C:\MyApp\MyApp.exe profile=all

set icmpsetting

Specifies the types of ICMP traffic that are permitted through the firewall.

Syntax

set icmpsetting [ type = ] { 2-5 | 8-9 | 11-13 | 17 | all } [ [ mode = ] { enable | disable} ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ type = ] { 2-5 | 8-9 | 11-13 | 17 | all }

Required. The type of ICMP traffic to allow. The value must be one of the following ICMP message types:

• 2 - Outbound packet too big.

• 3 - Outbound destination unreachable.

• 4 - Outbound source quench.

• 5 - Redirect.

• 8 - Inbound echo request (ping).

• 9 - Inbound router request.

• 11 - Outbound time exceeded.

• 12 - Outbound parameter problem.

• 13 - Inbound timestamp request.

• 17 - Inbound mask request.

• all - All of the above types.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer. The default value is enable.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set icmpsetting 8 enable all

set icmpsetting type=all mode=disable

set multicastbroadcastresponse

Specifies whether or not responses to a multicast or broadcast request are allowed through the firewall.

Syntax

set multicastbroadcastresponse [ mode = ] { enable | disable } [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ mode = ] { enable | disable }

Required. Specifies whether to enable or disable responses to multicast or broadcast traffic. The default value is enable.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set multicastbroadcastresponse enable

set multicastbroadcastresponse mode=enable profile=all

set notifications

Specifies whether the firewall displays a pop-up notification to the user when a program attempts to listen on a port.

Syntax

set notifications [ mode = ] { enable | disable } [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ mode = ] { enable | disable }

Required. Specifies whether to enable or disable the pop-up notification that is displayed when a program attempts to listen on a port.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set notifications enable

set notifications disable

set notifications mode=enable profile=current

set logging

Specifies whether the firewall writes information to a log file, and what details are included. This command only affects the currently active profile.

Syntax

set logging [ [ filelocation = ] PathAndFileName ] [ [ maxfilesize = ] Integer ] [ [ droppedpackets = ] { enable | disable } ] [ [ connections = ] { enable | disable } ]

Parameters

[ [ filelocation = ] PathAndFileName ]

Specifies the path and file name of the file to which the firewall writes its log. The default value is %windir%\pfirewall.log.

[ [ maxfilesize = ] Integer ]

Specifies the maximum file size in kilobytes. Must be an integer value from 1 to 32767. The default value is 4096.

[ [ droppedpackets = ] { enable | disable } ]

Specifies whether to include an entry for each packet dropped by the firewall. The default value is disable.

[ [ connections = ] { enable | disable } ]

Specifies whether to include an entry for each successful connection. The default value is disable.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set logging enable enable

set logging 4096 enable disable

set logging c:\mylogs\mylog.log 4096 enable enable

set opmode

Specifies the operating mode of Windows Firewall.

Syntax

set opmode [ mode = ] { enable | disable } [ [ exceptions = ] { enable | disable } ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ mode = ] { enable | disable }

Required. Specifies whether to turn the firewall on or off.

[ [ exceptions = ] { enable | disable } ]

Specifies whether the firewall uses any currently defined port and program exceptions that are enabled. If exceptions=disable, then all enabled port and program exceptions are ignored. Default is enable.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set opmode enable

set opmode mode=enable exceptions=enable

add portopening

Creates a port-based exception.

Syntax

add portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ name = ] ExceptionName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] addresses ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ protocol = ] { tcp | udp | all }

Required. Specifies whether the port number refers to TCP, UDP, or both.

[ port = ] Integer

Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535. Only a single value can be specified and port ranges are not supported.

[ name = ] ExceptionName

Required. Specifies the name of the exception. This value is displayed in the Firewall control panel exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer.

[ scope = ] { all | subnet | custom }

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter. The default value is all.

[ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.

Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ profile = ] { current | domain | standard | all }

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

add portopening tcp 80 MyWebPort

add portopening udp 500 "IKE Exception" enable all

add portopening all 53 DNS enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

set portopening

Modifies the settings of an existing port-based exception.

Syntax

set portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ name = ] ExceptionName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] addresses ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ protocol = ] { tcp | udp | all }

Required. Specifies whether the port number refers to TCP, UDP, or both.

[ port = ] Integer

Required. Specifies the port number of the exception to be modified. Must be an integer value from 1 to 65535. Only a single value can be specified and port ranges are not supported.

[ [ name = ] ExceptionName ]

Specifies the name of the exception. This value is displayed in the Firewall control panel exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer.

[ scope = ] { all | subnet | custom }

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.

[ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.

Multiple entry types can be combined on a command line by separating them with commas:

172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ profile = ] { current | domain | standard | all }

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set portopening tcp 80 "My Web Port"

set portopening udp 500 "IKE Exception" enable all

set portopening all 53 "DNS Exception" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

delete portopening

Deletes an existing port-based exception.

Syntax

delete portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ protocol = ] { tcp | udp | all }

Required. Specifies whether the port number refers to TCP, UDP, or both.

[ port = ] Integer

Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535.

[ profile = ] { current | domain | standard | all }

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

delete portopening tcp 80

delete portopening protocol=all port=25

set service

Enables or disables the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.

Syntax

set service [ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all } [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]

Parameters

[ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all }

Required. Specifies the service whose pre-defined rules are enabled or disabled. The value must be one of the following:

• fileandprint. The file and printer sharing service.

• remoteadmin. The ability to remotely administer a computer running Windows.

• remotedesktop. The ability to use a Terminal Services client such as Remote Desktop.

• upnp. Universal Plug-and-Play protocol for networked devices.

• all. All of the above services.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer. The default value is enable.

[ [ scope = ] { all | subnet | custom } ]

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.

[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.

Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples

Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.

set service fileandprint

set service remoteadmin enable subnet

set service type=remotedesktop mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
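As an added example that is not part of the netsh reference, the following Python validates the scope= and addresses= values documented above for add portopening, set portopening and set service (set allowedprogram uses the same list format), and assembles the command line with named parameters. netsh is not invoked; the exposure check is this example's own addition, and the command string it returns is only what the reference's syntax implies.

```python
import ipaddress

# Added example, not part of the netsh reference. It validates the scope= and
# addresses= values used by add portopening, set portopening, set service and
# set allowedprogram, and assembles the command line without running netsh.

LOCALSUBNET = "localsubnet"


def parse_scope_entry(entry):
    """Classify one entry of a scope=custom address list.

    Returns (kind, value) with kind in {"localsubnet", "address", "range",
    "subnet"}. Raises ValueError for anything outside the documented forms.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty address entry")
    if entry.lower() == LOCALSUBNET:
        return (LOCALSUBNET, LOCALSUBNET)
    if "-" in entry:                               # IPRange: start-end
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError("range mixes IPv4 and IPv6: " + entry)
        if int(start) > int(end):
            raise ValueError("range start is after its end: " + entry)
        return ("range", (start, end))
    if "/" in entry:                               # Subnet: addr/mask or addr/prefix
        # ip_network accepts both 10.0.0.0/255.0.0.0 and 10.1.0.0/16;
        # strict=True rejects an entry whose host bits are set.
        return ("subnet", ipaddress.ip_network(entry, strict=True))
    return ("address", ipaddress.ip_address(entry))  # single IPv4/IPv6 address


def parse_scope_addresses(addresses):
    """Split a comma-separated addresses= value into parsed entries."""
    return [parse_scope_entry(e) for e in addresses.split(",")]


def is_valid_scope_entry(entry):
    try:
        parse_scope_entry(entry)
        return True
    except ValueError:
        return False


def exposure_warnings(scope, addresses=None):
    """Describe how far an exception with this scope reaches."""
    warnings = []
    if scope == "all":
        warnings.append("scope=all admits traffic from any address, including the Internet")
    elif scope == "custom" and addresses:
        for kind, value in parse_scope_addresses(addresses):
            if kind == "subnet" and value.prefixlen == 0:
                warnings.append(f"entry {value} matches every address; same effect as scope=all")
    return warnings


def build_portopening(verb, protocol, port, name, mode="enable",
                      scope="all", addresses=None, profile="current"):
    """Assemble 'netsh firewall {add|set} portopening ...' with named parameters."""
    if verb not in ("add", "set"):
        raise ValueError("verb must be add or set")
    if protocol not in ("tcp", "udp", "all"):
        raise ValueError("protocol must be tcp, udp or all")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port must be one integer from 1 to 65535; ranges are not supported")
    if mode not in ("enable", "disable"):
        raise ValueError("mode must be enable or disable")
    if scope not in ("all", "subnet", "custom"):
        raise ValueError("scope must be all, subnet or custom")
    if profile not in ("current", "domain", "standard", "all"):
        raise ValueError("profile must be current, domain, standard or all")
    parts = [f"netsh firewall {verb} portopening", f"protocol={protocol}",
             f"port={port}", f'name="{name}"' if " " in name else f"name={name}",
             f"mode={mode}", f"scope={scope}"]
    if scope == "custom":
        if not addresses:
            raise ValueError("scope=custom requires addresses=")
        parse_scope_addresses(addresses)           # raises on a malformed entry
        # netsh splits parameters on whitespace, so entries are rejoined
        # with bare commas even if the input had spaces after them.
        parts.append("addresses=" + ",".join(e.strip() for e in addresses.split(",")))
    elif addresses:
        raise ValueError("addresses= is only used with scope=custom")
    parts.append(f"profile={profile}")
    return " ".join(parts)
```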

show commands

The following show commands are used to display the current configuration:

show allowedprogram [ [ verbose = ] { enable | disable } ]

Displays the current list of program exceptions for the domain and standard profiles. Use the parameter verbose=enable to see additional details.

show config [ [ verbose = ] { enable | disable } ]

Displays the local configuration information for the domain and standard profiles, including the output of all other show commands. Use parameter verbose=enable to see additional details.

show currentprofile

Displays the current profile in use for the network location type.

show icmpsetting [ [ verbose = ] { enable | disable } ]

Displays the ICMP settings. Use parameter verbose=enable to see additional details.

show logging

Displays the current logging settings.

show multicastbroadcastresponse

Displays multicast/broadcast response settings for each profile.

show notifications

Displays whether the firewall displays pop-up notifications for each profile.

show opmode

Displays the operational mode for the firewall for each profile.

show portopening [ [ verbose = ] { enable | disable } ]

Displays the current list of port exceptions for each profile. Use parameter verbose=enable to see additional details.

show service [ [ verbose = ] { enable | disable } ]

Displays the service configuration for each profile. Use parameter verbose=enable to see additional details.

show state [ [ verbose = ] { enable | disable } ]

Displays the current state information for the firewall. Use parameter verbose=enable to see additional details.

reset

Resets the configuration of Windows Firewall to default settings. All manually configured changes are lost. There are no parameters for the reset command.

Netsh Commands for Hypertext Transfer Protocol (HTTP)

You can use commands in the netsh http context to configure properties of the HTTP service. The Netsh commands for HTTP can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh http context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then http to enter the netsh http context, you must type:

netsh http command

Where command is the command that you want to run, including all of the required parameters for the command.

Netsh http commands

The following entries provide details for each command.

add iplisten

Adds a new IP address to the IP listen list. This does not include the port number.

Syntax

add iplisten [ ipaddress= ] IPAddress

Parameters

ipaddress

Required. The IPv4 or IPv6 address to be added to the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6 address.

Examples

Following are four examples of the add iplisten command.

add iplisten ipaddress=fe80::1

add iplisten ipaddress=1.1.1.1

add iplisten ipaddress=0.0.0.0

add iplisten ipaddress=::

add sslcert

Adds a new SSL server certificate binding and corresponding client certificate policies for an IP address and port.

Syntax

add sslcert [ ipport= ] IPAddress:port [ certhash= ] CertHash [ appid= ] GUID [ [ certstorename= ] CertStoreName [ verifyclientcertrevocation= ] enable | disable [ verifyrevocationwithcachedclientcertonly= ] enable | disable [ usagecheck= ] enable | disable [ revocationfreshnesstime= ] U-Int [ urlretrievaltimeout= ] U-Int [ sslctlidentifier= ] SSLCTIdentifier [ sslctlstorename= ] SSLCtStoreName [ dsmapperusage= ] enable | disable [ clientcertnegotiation= ] enable | disable ] ]

Parameters

ipport

Required. Specifies the IP address and port for the binding. A colon character (:) is used as a delimiter between the IP address and the port number.

certhash

Required. Specifies the SHA hash of the certificate. This hash is 20 bytes long and is specified as a hexadecimal string.

appid

Required. Specifies the GUID to identify the owning application.

certstorename

Optional. Specifies the store name for the certificate. Defaults to MY. The certificate must be stored in the local machine context.

verifyclientcertrevocation

Optional. Turns on or off verification of revocation of client certificates.

verifyrevocationwithcachedclientcertonly

Optional. Specifies whether the use of only a cached client certificate for revocation checking is enabled or disabled.

usagecheck

Optional. Specifies whether the usage check is enabled or disabled. Default is enabled.

revocationfreshnesstime

Optional. Specifies the time interval, in seconds, to check for an updated certificate revocation list (CRL). If this value is zero, then the new CRL is updated only if the previous one expires.

urlretrievaltimeout

Optional. Specifies the timeout interval (in milliseconds) after the attempt to retrieve the certificate revocation list for the remote URL.

sslctlidentifier

Optional. Specifies the list of the certificate issuers that can be trusted. This list can be a subset of the certificate issuers that are trusted by the computer.

sslctlstorename

Optional. Specifies the certificate store name under LOCAL_MACHINE where SslCtlIdentifier is stored.

dsmapperusage

Optional. Specifies whether the DS mapper is enabled or disabled. Default is disabled.

clientcertnegotiation

Examples

Following is an example of the add sslcert command.

add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
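An added example, not part of the netsh reference: Python that checks the three required add sslcert parameters (ipport, certhash, appid) and assembles the command line without running netsh. The ipport forms it accepts are the ones this reference shows for add, delete and show sslcert; the wildcard-binding note and the hex/GUID normalization are this example's own checks.

```python
import ipaddress
import re
import uuid

# Added example, not part of the netsh reference. It checks the required
# parameters of "netsh http add sslcert" (ipport, certhash, appid) and builds
# the command line without running netsh. ipport forms handled are the ones
# the reference shows: 1.1.1.1:443, 0.0.0.0:443, [::]:443, [fe80::1]:443.


def parse_ipport(ipport):
    """Return (address, port) from an IPAddress:port string.

    IPv6 addresses must be bracketed so the port delimiter is unambiguous.
    """
    ipport = ipport.strip()
    if ipport.startswith("["):
        close = ipport.find("]")
        if close < 0 or not ipport[close + 1:].startswith(":"):
            raise ValueError("bracketed address must be followed by :port: " + ipport)
        host, port_s = ipport[1:close], ipport[close + 2:]
        if ipaddress.ip_address(host).version != 6:
            raise ValueError("only IPv6 addresses are bracketed: " + ipport)
    else:
        host, sep, port_s = ipport.rpartition(":")
        if not sep or ":" in host:
            raise ValueError("IPv6 address must be written as [addr]:port: " + ipport)
    addr = ipaddress.ip_address(host)
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError("port must be an integer from 1 to 65535: " + ipport)
    return str(addr), int(port_s)


def is_valid_ipport(ipport):
    try:
        parse_ipport(ipport)
        return True
    except ValueError:
        return False


def binding_scope(ipport):
    """Say which addresses a binding on this ipport listens on."""
    addr, _ = parse_ipport(ipport)
    if addr == "0.0.0.0":
        return "any IPv4 address"
    if addr == "::":
        return "any IPv6 address"
    return "one address"


def normalize_certhash(certhash):
    """Return the 20-byte SHA hash as 40 upper-case hex characters.

    Whitespace is dropped because thumbprints copied from certificate
    viewers are often space-separated. Anything else is rejected.
    """
    hexstr = re.sub(r"\s+", "", certhash).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("certhash must be 20 bytes (40 hex digits)")
    return hexstr


def normalize_appid(appid):
    """Return the owning application's GUID in {XXXXXXXX-...} form."""
    return "{" + str(uuid.UUID(appid.strip())).upper() + "}"


def build_add_sslcert(ipport, certhash, appid, certstorename=None):
    """Assemble 'netsh http add sslcert ...' from validated parameters."""
    addr, port = parse_ipport(ipport)
    host = f"[{addr}]" if ":" in addr else addr
    parts = ["netsh http add sslcert", f"ipport={host}:{port}",
             f"certhash={normalize_certhash(certhash)}",
             f"appid={normalize_appid(appid)}"]
    if certstorename:
        parts.append(f"certstorename={certstorename}")
    return " ".join(parts)
```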

add timeout

Adds a global timeout to the service.

Syntax

add timeout [ timeouttype= ] IdleConnectionTimeout | HeaderWaitTimeout [ value= ] U-Short

Parameters

timeouttype

Required. Specifies the type of timeout to set.

value

Value of the timeout (in seconds). If value is in hexadecimal notation, then add the prefix 0x.

Examples

Following are two examples of the add timeout command.

add timeout timeouttype=idleconnectiontimeout value=120

add timeout timeouttype=headerwaittimeout value=0x40

add urlacl

Adds a Uniform Resource Locator (URL) reservation entry. This command reserves the URL for non-administrator users and accounts. The DACL can be specified by using an NT account name with the listen and delegate parameters or by using an SDDL string.

Syntax

add urlacl [ url= ] URL [ [user=] User [ [ listen= ] yes | no [ delegate= ] yes | no ] | [ sddl= ] SDDL ]

Parameters

url

Required. Specifies the fully qualified Uniform Resource Locator (URL).

user

Required. Specifies the user or user-group name.

listen

Optional. Specifies one of the following values:

• yes: Allow the user to register URLs. This is the default value.

• no: Deny the user from registering URLs.

delegate

Optional. Specifies one of the following values:

• yes: Allow the user to delegate URLs.

• no: Deny the user from delegating URLs. This is the default value.

sddl

Optional. Specifies an SDDL string that describes the DACL.

Examples

Following are four examples of the add urlacl command.

add urlacl url=http://+:80/MyUri user=DOMAIN\user

add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user listen=yes

add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user delegate=no

add urlacl url=http://+:80/MyUri sddl=...

delete cache

Deletes all entries or the specified entry from the HTTP service kernel URI cache.

Syntax

delete cache [ [ url= ] URL [ [ recursive= ] yes | no ] ]

Parameters

url

Optional. Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete.

recursive

Optional. Specifies whether all entries under the specified URL cache are removed. yes: all entries are removed. no: all entries are not removed.

Examples

Following are two examples of the delete cache command.

delete cache url=http://www.contoso.com:80/myresource/ recursive=yes

delete cache

delete iplisten

Deletes an IP address from the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds.

Syntax

delete iplisten [ ipaddress= ] IPAddress

Parameters

ipaddress

Required. The IPv4 or IPv6 address to be deleted from the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6 address. This does not include the port number.

Examples

Following are four examples of the delete iplisten command.

delete iplisten ipaddress=fe80::1

delete iplisten ipaddress=1.1.1.1

delete iplisten ipaddress=0.0.0.0

delete iplisten ipaddress=::

delete sslcert

Deletes SSL server certificate bindings and corresponding client certificate policies for an IP address and port.

Syntax

delete sslcert [ ipport= ] IPAddress:port

Parameters

ipport

Required. Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be deleted. A colon character (:) is used as a delimiter between the IP address and the port number.

Examples

Following are three examples of the delete sslcert command.

delete sslcert ipport=1.1.1.1:443

delete sslcert ipport=0.0.0.0:443

delete sslcert ipport=[::]:443

delete timeout

Deletes a global timeout and makes the service revert to default values.

Syntax

delete timeout [ timeouttype= ] idleconnectiontimeout | headerwaittimeout

Parameters

timeouttype

Required. Specifies the type of timeout to delete.

Examples

Following are two examples of the delete timeout command.

delete timeout timeouttype=idleconnectiontimeout

delete timeout timeouttype=headerwaittimeout

delete urlacl

Deletes a URL reservation.

Syntax

delete urlacl [ url= ] URL

Parameters

url

Required. Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete.

Examples

Following are two examples of the delete urlacl command.

delete urlacl url=http://+:80/MyUri

delete urlacl url=http://www.contoso.com:80/MyUri

flush logbuffer

Flushes the internal buffers for the logfiles.

Syntax

flush logbuffer

show cachestate

Lists cached URI resources and their associated properties. This command lists all resources and their associated properties that are cached in HTTP response cache or displays a single resource and its associated properties.

Syntax

show cachestate [ [ url= ] URL ]

Parameters

url

Optional. Specifies the fully qualified URL that you want to display. If unspecified, displays all URLs.

The URL could also be a prefix to registered URLs.

Examples

Following are two examples of the show cachestate command.

show cachestate url=http://www.contoso.com:80/myresource

show cachestate

show iplisten

Displays all IP addresses in the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6 address.

Syntax

show iplisten

show servicestate

Displays a snapshot of the HTTP service.

Syntax

show servicestate [ [ view= ] session | requestq ] [ [ verbose= ] yes | no ]

Parameters

view

Optional. Specifies whether to view a snapshot of the HTTP service state based on the server session or on the request queues.

verbose

Optional. Specifies whether to display verbose information that also shows property information.

Examples

Following are two examples of the show servicestate command.

show servicestate view="session"

show servicestate view="requestq"

show sslcert

Displays Secure Sockets Layer (SSL) server certificate bindings and corresponding client certificate policies for an IP address and port.

Syntax

show sslcert [ ipport= ] IPAddress:port

Parameters

ipport

Required. Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be displayed. A colon character (:) is used as a delimiter between the IP address and the port number. If you do not specify ipport, all bindings are displayed.

Examples

Following are five examples of the show sslcert command.

show sslcert ipport=[fe80::1]:443

show sslcert ipport=1.1.1.1:443

show sslcert ipport=0.0.0.0:443

show sslcert ipport=[::]:443

show sslcert

show timeout

Displays, in seconds, the timeout values of the HTTP service.

Syntax

show timeout

show urlacl

Displays discretionary access control lists (DACLs) for the specified reserved URL or all reserved URLs.

Syntax

show urlacl [ [ url= ] URL ]

Parameters

url

Optional. Specifies the fully qualified URL that you want to display. If unspecified, displays all URLs.

Examples

Following are three examples of the show urlacl command.

show urlacl url=http://+:80/MyUri

show urlacl url=http://www.contoso.com:80/MyUri

show urlacl

Netsh Commands for Interface (IPv4 and IPv6)

You can use commands in the Netsh Interface context and subcontexts to configure the TCP/IP version 4 protocol (including addresses, default gateways, Domain Name System (DNS) and WINS servers) and to display configuration and statistical information for IPv4.

In addition, you can use commands in this context and related subcontexts (6to4, isatap, portproxy, and teredo) to configure Internet Protocol version 6 (IPv6).

To run these commands from the command prompt, you must either enter the netsh interface context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then interface to enter the netsh interface context, you must type:

netsh interface command

Where command is the command that you want to run, including all of the required parameters for the command.

The Netsh Interface context also includes several subcontexts.

Subcontexts of Netsh Interface

This context provides the following subcontexts:

Subcontext name Result

6to4 Changes to the netsh interface 6to4 context.

ipv4 Changes to the netsh interface ipv4 context.

ipv6 Changes to the netsh interface ipv6 context.

isatap Changes to the netsh interface isatap context.

portproxy Changes to the netsh interface portproxy context.

tcp Changes to the netsh interface tcp context.

teredo Changes to the netsh interface teredo context.

Netsh Interface command reference

Following are the details for the commands in the Netsh Interface context.

add

Adds an interface to the router. For full interfaces, a phone book entry with the same name must already exist on the system.

Syntax

add [name=] Name [[type=]full]


Parameters

name

Required. Specifies the name of the interface to be added.

type

Optional. Specifies that a demand-dial interface is created when full is designated.

Examples

Following is an example of the add interface command that creates a demand dial interface.

add name="Demand-Dial Interface" type=full

delete

Deletes an interface from the router.

Syntax

delete [ name= ] Name

Parameters

name

Required. Specifies the name of the interface to be deleted.

Examples

The following example command deletes a demand-dial interface at the router.

delete name="Demand-Dial Interface"

reset

Deletes all of the interfaces that can be added through this context.

Syntax

reset

set credentials

Specifies the credentials that are used to connect to or add an interface.

Syntax

set credentials [name=] InterfaceName [user=] UserName [[domain=] Domain [password=] Password]

Parameters

InterfaceName

Required. Specifies the name of the interface that you want to add.

UserName

Required. Specifies the user account name that has the required permissions to add an interface.


Domain

Optional. Specifies the domain where the user account is located.

Password

Optional. Specifies the password of the user account.

Examples

Following are two examples of the set credentials command.

set credentials name="Demand-Dial Interface" user=guest

set credentials name="Demand-Dial Interface" user=admin domain=mydomain password=mypassword

set interface

Changes the parameters for an existing interface.

Syntax

set interface [name=] IfName [[admin=] ENABLED|DISABLED] [[connect=] CONNECTED|DISCONNECTED] [[newname=] NewName]

Parameters

IfName

Required. Specifies the name of the interface that you want to modify.

admin

Optional. Specifies whether the interface should be enabled or disabled.

connect

Optional. Specifies whether or not to enable and connect the interface (non-LAN only).

newname

Optional. Specifies a new name for the interface (LAN only).

show credentials

Displays the credentials that are used to connect to an interface.

Syntax

show credentials [name = ] IfName

Parameters

IfName

Required. Specifies the name of the interface whose credentials you want to display.


show interface

Displays a list of the configured interfaces, including their current Name, Admin State, State, and Type.

Syntax

show interface [[name=] Name]

Parameters

Name

Optional. Specifies the name of the interface that you want to display. If Name is not specified, all interfaces are displayed.

Examples

Following is an example of the show interface command.

show interface name="Local Area Connection"


Netsh commands for Interface 6to4

Interface 6to4 commands

The following entries provide details for each command.

add

Adds an interface to the router. For full interfaces, a phone book entry with the same name must already exist on the system.

Syntax

add [name=] Name [[type=]full]

Parameters

name

Required. Specifies the name of the interface to be added.

type

Optional. Specifies that a demand dial interface is created when full is designated.

Examples

Following is an example of the add command that creates a demand-dial interface.

add name="Demand-Dial Interface" type=full

delete

Deletes an interface from the router.

Syntax

delete [ name= ] Name

Parameters

name

Required. Specifies the name of the interface to be deleted.

Examples

The following example command deletes a demand-dial interface at the router.

delete name="Demand-Dial Interface"

reset

Deletes all of the interfaces that can be added through this context.

Syntax

reset


set interface

Sets 6to4 interface configuration information.

Syntax

set interface [ name= ] Name [ [ routing= ]( enabled | disabled | default )]

Parameters

name

Required. Specifies the interface name.

routing

Optional. Specifies whether to act as a router.

Examples

Following is an example of the set interface command.

set interface "Private" enabled

set relay

Sets 6to4 relay information.

Syntax

set relay [ [ name= ]( Name | default )] [ [ state= ] ( enabled | disabled | automatic | default ) ] [[ interval= ] Integer ]

Parameters

name

Optional. Specifies the name of the 6to4 relay.

state

Optional. Specifies whether relay name resolution is enabled or disabled.

interval

Optional. Specifies an integer that is the resolution interval (in minutes).

Examples

Following is an example of the set relay command.

set relay 6to4.ipv6.org. enabled 1440

set routing

Sets 6to4 routing information.

Syntax

set routing [ [ routing= ]( enabled | disabled | automatic | default ) ] [ [ sitelocals= ] (enabled | disabled | default ) ]


Parameters

routing

Optional. Specifies the state of 6to4 routing.

sitelocals

Optional. Specifies whether to use site-local addresses.

Examples

Following are two examples of the set routing command.

set routing default default

set routing routing=enabled sitelocals=enabled

set state

Sets the 6to4 configuration state.

Syntax

set state [ [ state= ] ( enabled |disabled | automatic | default ) ] [ [ undoonstop= ] ( enabled | disabled | default ) ]

Parameters

state

Optional. Specifies whether 6to4 is enabled.

undoonstop

Optional. Specifies whether 6to4 is disabled on service stop.

Examples

Following are two examples of the set state command.

set state default default

set state state=enabled undoonstop=disabled

show interface

Displays the 6to4 interface configuration information.

Syntax

show interface

show relay

Displays the 6to4 relay information.

Syntax

show relay

show routing

Displays the 6to4 routing state.


Syntax

show routing

show state

Displays the 6to4 state.

Syntax

show state


Netsh commands for Interface Internet Protocol version 4 (IPv4)

You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information.

You can run these commands at the command prompt for the netsh interface ip context. For these commands to work at the command prompt, you must type netsh interface ip before typing commands and parameters as they appear in the syntax below.

add address

Adds an IP address and a default gateway on a specified interface configured with a static IP address.

Syntax

add address [name=]InterfaceName [addr=]IPAddress [mask=]SubnetMask [[gateway=]DefaultGateway [gwmetric=]GatewayMetric]

Parameters

[name=] InterfaceName

Required. Specifies the name of the interface for which you want to add address and gateway information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[addr=] IPAddress [mask=] SubnetMask

Required. Specifies the IP address to add and the subnet mask for that IP address.

[gateway=] DefaultGateway [gwmetric=] GatewayMetric

Specifies the IP address of the default gateway to add and the metric for that default gateway.

/?

Displays help at the command prompt.

add dnsserver

Adds a DNS server to a list of DNS servers for a specified interface.

Syntax

add dnsserver [name=]InterfaceName [addr=]DNSAddress [[index=]DNSIndex]

Parameters

[name=] InterfaceName

Required. Specifies the name of the interface for which you want to add DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[addr=] DNSAddress

Required. Specifies the IP address of the DNS server to add.

[index=] DNSIndex

Specifies the position of the added DNS server in the list of DNS servers for the interface.


/?

Displays help at the command prompt.

add neighbors

Specifies an entry in the neighbor cache.

Syntax

add neighbors [interface=]<string> [address=]<IPv4Address> [neighbor=]<string> [[subinterface=]<string>] [[store=]active|persistent]

Parameters

[interface=]<string>

Specifies an interface name or index.

[address=]<IPv4Address>

Specifies the address of the neighbor.

[neighbor=]<string>

Specifies the link layer address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Entry will disappear on next boot.

• persistent (default): Entry will be persistent.

Examples

This example command adds an entry to the neighbor cache on the interface named "Private."

add neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"

add route

Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax

add route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]

Parameters

[prefix=] IPv4Address/Integer

Required. Specifies the prefix for which to add a route. Integer specifies the prefix length.

[[interface=] String]

Specifies an interface name or index.

[[nexthop=] IPv4Address]

Specifies the gateway address, if the prefix is not on-link.


[[siteprefixlength=] Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[metric=] Integer]

Specifies the route metric.

[[validlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.

[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command adds a route on the interface named "Internet".

add route 10.2.0.0/16 "Internet" 10.0.0.1

add winsserver

Adds a WINS server to a list of WINS servers for a specified interface.

Syntax

add winsserver [name=]InterfaceName [addr=]WINSAddress [[index=]WINSIndex]

Parameters

[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to add WINS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[addr=] WINSAddress

Required. Specifies the IP address of the WINS server to add.

[index=] WINSIndex

Specifies the position of the added WINS server in the WINS server list for that interface.

/?

Displays help at the command prompt.

delete address

Deletes an IP address or a default gateway on a statically configured interface.

Syntax

delete address [name=]InterfaceName [addr=] IPAddress [[gateway=]{DefaultGateway | all}]

Parameters

[ name=] InterfaceName


Required. Specifies the name of the interface for which you want to delete address and gateway information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[addr=] IPAddress

Required. Specifies the IP address to delete.

[gateway=]{DefaultGateway | all}

Specifies whether to delete one default gateway or all default gateways. If only one default gateway should be deleted, DefaultGateway specifies the IP address of the default gateway to be deleted.

/?

Displays help at the command prompt.

delete arpcache

Removes the entries in the Address Resolution Protocol (ARP) cache for a specified interface. Used without parameters, delete arpcache removes the entries in the ARP caches of all interfaces.

Syntax

delete arpcache [[name=]InterfaceName]

Parameters

[name=]<InterfaceName>

Specifies the name of the interface for which you want to remove the ARP cache entries. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.

delete destinationcache

Clears the destination cache. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that destination cache entry.

Syntax

delete destinationcache [[interface=]String] [[address=]IPv4Address]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv4Address]

Specifies the address of the destination.

Examples

This example command deletes the destination cache for the interface named "Private."


delete destinationcache "Private"

delete dnsserver

Deletes a DNS server or all DNS servers from a list of DNS servers for a specified interface or for all interfaces.

Syntax

delete dnsserver [name=]InterfaceName [addr=]{DNSAddress | all}

Parameters

[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to delete DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[addr=]{DNSAddress | all}

Required. Specifies whether to delete the address of one DNS server or all servers for all interfaces. If only one DNS server should be deleted, DNSAddress specifies the IP address of the DNS server to delete.

/?

Displays help at the command prompt.

delete neighbors

Specifies that all entries in the neighbor cache are deleted. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that neighbor cache entry.

Syntax

delete neighbors [[interface=]String] [[address=]IPv4Address]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[address=] IPv4Address]

Specifies the address of the neighbor.

Examples

This example command removes all entries from the neighbor cache on the interface named "Private."

delete neighbors "Private"

delete route

Deletes an IPv4 route.

Syntax

delete route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address] [[store=]{active | persistent}]


Parameters

[ prefix=] IPv4Address/Integer

Required. Specifies the prefix of the route to delete.

[[interface=] String]

Specifies an interface name or index.

[[ nexthop=] IPv4Address]

Specifies the gateway address, if the prefix is not on-link.

[[store=]{active | persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command deletes a route from the interface named "Internet."

delete route 10.2/16 "Internet" 10.0.0.1

delete winsserver

Deletes a WINS server or servers from a list of WINS servers for a specified interface or all interfaces.

Syntax

delete winsserver [name=]InterfaceName [addr=]{WINSAddress | all}

Parameters

[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to delete a WINS server or servers. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[addr=]{WINSAddress | all}

Required. Specifies whether to delete only one server for an interface or all servers for all interfaces. If only one server should be deleted, WINSAddress specifies the IP address of the WINS server to delete.

/?

Displays help at the command prompt.

dump

Displays the current configuration as a series of Netsh Interface IP commands.

Syntax

dump

Parameters

none
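Because dump emits the configuration as replayable netsh commands, two captures taken at different times can be diffed line by line to spot changed addresses, DNS servers, routes or static neighbor entries. The following PowerShell function is an added example, not part of this reference; the dump layout it assumes (commands such as add address, add dnsservers and add route between pushd interface ipv4 and popd, with # comment lines) and the two sample captures are constructed for the demonstration.

```powershell
# Added example (not from the netsh reference): detect IPv4 configuration drift by diffing
# two captures of "netsh interface ipv4 dump". Assumed dump layout: netsh commands such as
# "add address ...", "add dnsservers ...", "add route ..." between "pushd interface ipv4"
# and "popd", plus "#" comment lines. Both samples below are constructed.

function Compare-NetshIpv4Dump {
    param([string[]]$Baseline, [string[]]$Current)

    # Keep only configuration commands; drop comments, blanks and the pushd/reset/popd wrapper.
    $clean = { param([string[]]$lines)
        $lines | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -notmatch '^#' -and $_ -notmatch '^(pushd|popd|reset)\b' } }
    $before = @(& $clean $Baseline)
    $after  = @(& $clean $Current)

    Compare-Object -ReferenceObject $before -DifferenceObject $after | ForEach-Object {
        $item = $_
        $cmd  = $item.InputObject
        # Classify by the netsh verb/noun so DNS and route changes stand out from the rest.
        $category = switch -Regex ($cmd) {
            '^(add|set|delete) address'    { 'address';  break }
            '^(add|set|delete) dnsserver'  { 'dns';      break }
            '^(add|set|delete) route'      { 'route';    break }
            '^(add|set|delete) neighbors'  { 'neighbor'; break }
            '^(add|set|delete) winsserver' { 'wins';     break }
            default                        { 'other' }
        }
        $change = if ($item.SideIndicator -eq '=>') { 'added' } else { 'removed' }
        [pscustomobject]@{ Change = $change; Category = $category; Command = $cmd }
    }
}

# Constructed baseline capture.
$baseline = @'
# Interface IP Configuration
pushd interface ipv4
reset
set interface interface="Ethernet" forwarding=disabled metric=10
add address name="Ethernet" address=10.0.0.5 mask=255.255.255.0
add route prefix=0.0.0.0/0 interface="Ethernet" nexthop=10.0.0.1 metric=1
add dnsservers name="Ethernet" address=10.0.0.1 index=1
popd
'@ -split "`r?`n"

# Constructed later capture with a changed DNS server, a new route, a new static
# neighbor entry and forwarding switched on.
$current = @'
pushd interface ipv4
reset
set interface interface="Ethernet" forwarding=enabled metric=10
add address name="Ethernet" address=10.0.0.5 mask=255.255.255.0
add route prefix=0.0.0.0/0 interface="Ethernet" nexthop=10.0.0.1 metric=1
add route prefix=192.0.2.0/24 interface="Ethernet" nexthop=10.0.0.254 metric=5
add dnsservers name="Ethernet" address=198.51.100.53 index=1
add neighbors interface="Ethernet" address=10.0.0.1 neighbor=00-11-22-33-44-55
popd
'@ -split "`r?`n"

Compare-NetshIpv4Dump -Baseline $baseline -Current $current |
    Sort-Object Category, Change | Format-Table -AutoSize
# Reports: dns 10.0.0.1 removed and 198.51.100.53 added, the new 192.0.2.0/24 route,
# the new static neighbor entry, and the forwarding change on "Ethernet".

# Live use: capture once with   netsh interface ipv4 dump | Set-Content baseline.txt
# and later run   Compare-NetshIpv4Dump -Baseline (Get-Content baseline.txt) -Current (netsh interface ipv4 dump)
```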


install

Installs the IPv4 protocol. A reboot is required for the installation to take effect.

Syntax

install

reset

Resets the IPv4 configuration state. A reboot is required for changes to take effect.

Syntax

reset

set address

Configures an IP address and a default gateway on a specified interface.

Syntax

set address [name=]InterfaceName [source=]{dhcp | static [addr=]IPAddress [mask=]SubnetMask [gateway=]{none | DefaultGateway [[gwmetric=]GatewayMetric]}}

Parameters

[ name =] InterfaceName

Required. Specifies the name of the interface for which you want to configure address and gateway information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[source=]{dhcp | static [addr=] IPAddress [mask=] SubnetMask [gateway=]{none | DefaultGateway [[gwmetric=] GatewayMetric]}}

Required. Specifies whether the IP address to configure originates from a Dynamic Host Configuration Protocol (DHCP) server or is static. If the address is static, IPAddress specifies the address to configure, and SubnetMask specifies the subnet mask for the IP address being configured. If the address is static, you must also specify whether you want to leave the current default gateway (if any) in place or configure one for the address. If you configure a default gateway, DefaultGateway specifies the IP address of the default gateway to be configured, and GatewayMetric specifies the metric for the default gateway to be configured.

/?

Displays help at the command prompt.

set compartment

Modifies compartment configuration parameters.

Syntax

set compartment [compartment=]<integer> [[defaultcurhoplimit=]<integer>] [[store=]active|persistent]

Parameters

[compartment=]<integer>

Specifies the compartment identifier.

[[defaultcurhoplimit=]<integer>]

Specifies the default hop limit of packets sent.

[[store=]active|persistent]

One of the following values:

• active: Setting will disappear on next boot.

• persistent (default): Setting will be persistent.

Example

set compartment compartment=1 defaultcurhoplimit=255 store=active

set dnsserver

Configures a DNS server address for a specified interface.

Syntax

set dnsserver [name=]InterfaceName [source=]{dhcp | static } [addr=]{IP Address | none} [register=]{none | primary | both}

Parameters

[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to set DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[source=]{dhcp | static}

Required. Specifies whether the IP address of the DNS server is configured by DHCP or is static.

[addr=]{IP Address | none}

If the IP address is static, IP Address specifies the IP address of the DNS server to configure, and none specifies that the DNS configuration should be removed.

[register=]{none | primary | both}

Specifies whether to disable dynamic update (none), register the computer name under the primary DNS suffix only (primary), or register the computer name under both the primary DNS suffix and the connection-specific suffix (both).

/?

Displays help at the command prompt.

Examples

set dnsserver name="Local Area Connection" source=dhcp

set dnsserver "Local Area Connection" static 10.0.0.1 primary

set dynamicportrange

Modifies the range of ports used for dynamic port assignment. Dynamic port assignment is also known as wildcard port assignment.


Syntax

set dynamicportrange [[protocol=]tcp|udp] [startport=]<integer> [numberofports=]<integer> [[store=]active|persistent]

Parameters

[[protocol=]tcp|udp]

One of the following values:

• tcp: Modify the dynamic port range for TCP.

• udp: Modify the dynamic port range for UDP.

[startport=]<integer>

Specifies the starting port for dynamic port assignment.

[numberofports=]<integer>

Specifies the number of ports available for dynamic port assignment.

[[store=]active|persistent]

One of the following values:

• active: Setting will disappear on next boot.

• persistent (default): Setting will be persistent.

Example

set dynamicportrange protocol=tcp startport=10000 numberofports=20000

set global

Modifies global configuration parameters.

Syntax

set global [[defaultcurhoplimit=]Integer] [[neighborcachelimit=]Integer] [[routecachelimit=]Integer] [[reassemblylimit=]Integer] [[store=]{active | persistent}]

Parameters

[[defaultcurhoplimit=] Integer]

Specifies the default hop limit of packets sent.

[[neighborcachelimit=] Integer]

Specifies the maximum number of neighbor cache entries.

[[routecachelimit=] Integer]

Specifies the maximum number of route cache entries.

[[reassemblylimit=] Integer]

Specifies the maximum size of the reassembly buffer.

[[store=]{active | persistent}]


Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets global parameters for all IPv4-enabled interfaces on the computer. The default hop limit is set to 32, the maximum number of neighbor cache entries is set to 100, and the maximum number of route cache entries is set to 100,000.

set global 32 100 100000

set interface

Modifies interface configuration parameters.

Syntax

set interface [[interface=]String] [[forwarding=]{enabled | disabled}] [[advertise=]{enabled | disabled}] [[mtu=]Integer] [[siteid=]Integer] [[metric=]Integer] [[firewall=]{enabled | disabled}] [[siteprefixlength=]Integer] [[store=]{active | persistent}]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[ forwarding=]{ enabled| disabled}]

Specifies whether packets arriving on this interface can be forwarded to other interfaces. The default selection is disabled.

[[advertise=]{enabled | disabled}]

Specifies whether Router Advertisements are sent on this interface. The default selection is disabled.

[[mtu=] Integer]

Specifies the Maximum Transfer Unit (MTU) of this interface. The default MTU is the natural MTU of the link.

[[ siteid=] Integer]

Specifies the site scope zone identifier.

[[metric=] Integer]

Specifies the interface metric, which is added to route metrics for all routes over the interface.

[[firewall=]{enabled | disabled}]

Specifies whether to operate in firewall mode.

[[siteprefixlength=] Integer]

Specifies the default length of the global prefix for the entire site.

[[ store=]{ active| persistent}]


Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets the interface with the name "Private," with a siteid of two and a metric of two. All other parameter values are left at the default values.

set interface "Private" siteid=2 metric=2

set neighbors

Sets an entry in the neighbor cache.

Syntax

set neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string> [[subinterface=]<string>][[store=]active|persistent]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[address=] IPv4Address]

Specifies the address of the neighbor.

[neighbor=]<string>

Specifies the link layer address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Entry will disappear on next boot.

• persistent (default): Entry will be persistent.

Examples

This example command sets an entry to the neighbor cache on the interface named "Private."

set neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"

set route

Modifies route parameters. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax

set route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]


Parameters

[prefix=] IPv4Address/Integer

Required. Specifies the prefix (IPv4Address) and prefix length (Integer) of the route to modify.

[[interface=] String]

Specifies an interface name or index.

[[nexthop=] IPv4Address]

Specifies the gateway address, if the prefix is not on-link.

[[siteprefixlength=] Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[metric=] Integer]

Specifies the route metric.

[[publish=]{no | yes | immortal}]

Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or not advertised (no) in Router Advertisements. The default selection is no.

[[validlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.

[[preferredlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets a route on the interface named "Internet."

set route 10.2.0.0/16 "Internet" 10.0.0.1 0 2 yes 5000 5000 store=active

set subinterface

Modifies subinterface configuration parameters.

Syntax

set subinterface [interface=]<string> [[mtu=]<integer>] [[subinterface=]<string>] [[store=]active|persistent]

Parameters

[interface=]<string>

Specifies an interface name or index.

[[mtu=]<integer>]

Specifies the MTU of this subinterface. The default is the natural MTU of the link.

[[subinterface=]<string>]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]active|persistent]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is active.

Example

set subinterface "1" mtu=1500 store=active

set winsserver

Sets WINS server configuration to either DHCP or static mode for a specified interface.

Syntax

set winsserver [name=]InterfaceName [source=]{dhcp | static [addr=]{WINSAddress | none }}

Parameters

[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to set WINS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[source=]{dhcp | static [addr=]{WINSAddress | none}}

Required. Specifies whether the IP address of the WINS server to configure should be assigned by DHCP or is static. If the IP address is static, WINSAddress specifies the IP address of the WINS server to configure, and none specifies that the WINS configuration should be removed.

/?

Displays help at the command prompt.

show address

Displays information about static IP addresses and default gateways on a specified interface. Used without parameters, show address displays address information for all interfaces.

Syntax

show address [[name=]InterfaceName]

Parameters

[ name=] InterfaceName

Specifies the name of the interface for which you want to display address information. The InterfaceName must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.


show compartments

Displays information about all compartments, or about a given compartment if one is specified.

Syntax

show compartments [[compartment=]<integer>] [[level=]normal|verbose] [[store=]active|persistent]

Parameters

[[compartment=]<integer>]

Specifies the compartment identifier.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per compartment (default when no compartment is specified).

• verbose: Display extra information about each compartment (default when a compartment is specified).

[[store=]active|persistent]

One of the following values:

• active: Display active information, which will disappear on next boot.

• persistent (default): Display persistent information.

Example

show compartments

show config

Displays IP address and other configuration information for a specified interface. Used without parameters, show config displays configuration information for all interfaces.

Syntax

show config [[name=]InterfaceName]

Parameters

[ name=] InterfaceName

Specifies the name of the interface for which you want to display configuration information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.

show destinationcache

Displays destination cache entries. If an interface is specified, displays the cache only on that interface. If an address is also specified, displays only that destination cache entry.


Syntax

show destinationcache [[interface=]String] [[address=]IPv4Address]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[address=]IPv4Address]

Specifies the address of the destination.

show dnsservers

Displays the DNS configuration of a specified interface. Used without parameters, show dnsservers displays the DNS configurations of all interfaces.

Syntax

show dnsservers [[name=]InterfaceName]

Parameters

[name=]InterfaceName

Specifies the name of the interface whose DNS configuration you want to display. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.
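As an added example that is not part of the netsh reference, the following PowerShell script parses the text layout that show dnsservers prints and flags any interface whose DNS servers are not on an approved list, a quick check for resolver settings that have been changed without authorisation. The sample output, the approved resolver addresses and the function names are constructed for this example.

```powershell
# Added example, not part of the netsh reference. Parses the layout that
# "netsh interface ipv4 show dnsservers" prints and flags DNS servers that are
# not on an approved list. Sample output and approved addresses are constructed.

$ApprovedDns = @('10.0.0.53', '10.0.1.53')   # assumption: the organisation's resolvers

# Constructed sample of the command's output (one static block, one DHCP block).
$SampleOutput = @'
Configuration for interface "Ethernet"
    Statically Configured DNS Servers:    10.0.0.53
                                          198.51.100.7
    Register with which suffix:           Primary only

Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  10.0.1.53
    Register with which suffix:           Primary only
'@ -split "`r?`n"

function Get-NetshDnsServers {
    # Turns the text output into one object per (interface, server) pair.
    param([string[]]$Lines)
    $iface  = $null
    $source = $null
    foreach ($line in $Lines) {
        if ($line -match '^Configuration for interface "(.+)"') {
            $iface = $Matches[1]
            continue
        }
        # First server of a block: the label says whether it is static or DHCP.
        if ($line -match '^\s+(Statically Configured DNS Servers|DNS servers configured through DHCP):\s+(\S+)\s*$') {
            $source = if ($Matches[1] -like 'Statically*') { 'static' } else { 'dhcp' }
            [pscustomobject]@{ Interface = $iface; Source = $source; Server = $Matches[2] }
            continue
        }
        # Continuation line: a further server listed under the same label.
        if ($iface -and $source -and $line -match '^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            [pscustomobject]@{ Interface = $iface; Source = $source; Server = $Matches[1] }
        }
    }
}

function Test-DnsServerPolicy {
    # Emits one finding per server that is not on the approved list.
    param([object[]]$Entries, [string[]]$Approved)
    foreach ($e in $Entries) {
        if ($e.Server -notin $Approved) {
            '{0}: unapproved DNS server {1} ({2})' -f $e.Interface, $e.Server, $e.Source
        }
    }
}

$entries = Get-NetshDnsServers -Lines $SampleOutput
# On a live host, feed the command output instead of the sample:
#   $entries = Get-NetshDnsServers -Lines (netsh interface ipv4 show dnsservers)
Test-DnsServerPolicy -Entries $entries -Approved $ApprovedDns
```

The same parser works for the IPv6 context (netsh interface ipv6 show dnsservers) once the continuation-line pattern is widened to accept IPv6 literals.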

show dynamicportrange

Displays dynamic port range configuration parameters.

Syntax

show dynamicportrange [[protocol=]tcp|udp] [[store=]active|persistent]

Parameters

[[protocol=]tcp|udp]

One of the following values:

• TCP: Show the dynamic port range for TCP.

• UDP: Show the dynamic port range for UDP.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.


Example

show dynamicportrange

show global

Displays global configuration parameters.

Syntax

show global [[store=]{active | persistent}]

Parameters

[[store=]{active | persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.

show icmpstats

Displays ICMP statistics. Used without parameters, show icmp displays the statistics only once.

Syntax

show icmpstats [[rr=]RefreshRate]

Parameters

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show interfaces

Displays statistics for a specified interface. Used without parameters, show interfaces displays statistics for all interfaces only once.

Syntax

show interfaces [[index=]InterfaceIndex] [[rr=]RefreshRate]

Parameters

[index=]InterfaceIndex

Specifies the interface index, an integer that identifies the interface.

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show ipaddresses

Displays information for a specified IP address. Used without parameters, show ipaddresses displays information for all IP addresses on all interfaces once.


Syntax

show ipaddresses [[index=]IPAddress] [[rr=]RefreshRate]

Parameters

[index=]IPAddress

Specifies an IP address of an interface.

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show ipnettomedia

Displays the contents of the Address Resolution Protocol (ARP) cache, which contains the hardware addresses of resolved next-hop IP addresses. Used without parameters, show ipnettomedia displays the information once.

Syntax

show ipnettomedia [[rr=]RefreshRate]

Parameters

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show ipstats

Displays IP statistics. Used without parameters, show ipstats displays the statistics once.

Syntax

show ipstats [[rr=]RefreshRate]

Parameters

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show joins

Displays IP multicast groups that have been joined for the specified IP address. Used without parameters, show joins displays information for all IP addresses.

Syntax

show joins [[index=]IPAddress]


Parameters

[index=]IPAddress

Specifies an IP address of an interface.

/?

Displays help at the command prompt.

show neighbors

Displays neighbor cache entries. If an interface is specified, the command displays the cache only on that interface. If a subinterface is also specified, the command shows only the cache for that subinterface. If an address is specified as well, the command displays only that specific neighbor cache entry.

Syntax

show neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string> [[subinterface=]<string>][[store=]active|persistent] [[level=]normal|verbose]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv4Address]

Specifies the address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per subinterface (default when no subinterface is specified).

• verbose: Display extra information on each subinterface (default when a subinterface is specified).

Example

show neighbors

show offload

Displays the tasks that can be performed by the network adapter for the specified interface corresponding to installed network hardware. Used without parameters, show offload displays offload information for all interfaces corresponding to installed network hardware.


Syntax

show offload [[name=]InterfaceName]

Parameters

[name=]InterfaceName

Specifies the name of the interface for which you want to display offload information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.

show route

Displays route table entries.

Syntax

show route [[level=]normal | verbose] [[store=]active | persistent]

Parameters

[[level=]normal | verbose]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.

[[store=]active | persistent]

Specifies whether active (active) or persistent (persistent) routes are displayed. The default selection is active.

show subinterfaces

Displays information about all subinterfaces, or about all subinterfaces on a given interface if one is specified.

Syntax

show subinterfaces [interface=]<string> [[level=]normal|verbose] [[subinterface=]<string>] [[store=]active|persistent]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[level=]normal|verbose]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.

[[subinterface=]<string>]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]active|persistent]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.


Example

show subinterfaces

show tcpconnections

Displays information on a specified TCP connection. Used without parameters, show tcpconnections displays information for all TCP connections once.

Syntax

show tcpconnections [[index=]{LocalIPAddress | LocalPort | RemoteIPAddress | RemotePort}] [[rr=]RefreshRate]

Parameters

[index=]{LocalIPAddress | LocalPort | RemoteIPAddress | RemotePort}

Specifies the connection about which to display information. The LocalIPAddress parameter specifies an IP address of an interface. The LocalPort parameter specifies a TCP port for a local process. The RemoteIPAddress parameter specifies an IP address of a remote host. The RemotePort parameter specifies a TCP port for a remote process.

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the information).

/?

Displays help at the command prompt.

show tcpstats

Displays TCP statistics. Used without parameters, show tcpstats displays the statistics once.

Syntax

show tcpstats [[rr=]RefreshRate]

Parameters

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show udpconnections

Displays information about the User Datagram Protocol (UDP) ports used for each IP address. Used without parameters, show udpconnections displays UDP port information for all IP addresses once.

Syntax

show udpconnections [[index=]{LocalIPAddress | LocalPort}] [[rr=]RefreshRate]

Parameters

[index=]{LocalIPAddress | LocalPort}

Specifies the connection about which to display information. The LocalIPAddress parameter specifies an IP address of an interface. The LocalPort parameter specifies a UDP port for a local process.


[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show udpstats

Displays UDP statistics. Used without parameters, show udpstats displays the statistics once.

Syntax

show udpstats [[rr=]RefreshRate]

Parameters

[rr=]RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show winsservers

Displays the WINS configuration for a specified interface. Used without parameters, show winsservers displays the WINS configuration for all interfaces.

Syntax

show winsservers [[name=]InterfaceName]

Parameters

[name=]InterfaceName

Specifies the name of the interface whose WINS information you want to display. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.


Netsh commands for Interface Internet Protocol version 6 (IPv6)

The Netsh commands for Interface IPv6 provide a command-line tool that you can use to query and configure IPv6 interfaces, addresses, caches, and routes.

In addition, the Interface IPv6 context of netsh has a subcontext for 6to4. You can use the commands in the netsh interface IPv6 6to4 context to configure or display the configuration of the 6to4 service on either a 6to4 host or a 6to4 router.

You can run these commands at the command prompt for the netsh interface ipv6 context. For these commands to work at the command prompt, you must type netsh interface ipv6 before typing the commands and parameters as they appear in the syntax below. To view help for a command at the command prompt, type CommandName /?, where CommandName is the name of the command.

6to4

Specifies that the 6to4 context of netsh interface IPv6 6to4 is used.

Syntax

6to4

add 6over4tunnel

Creates a 6over4 interface by using the specified IPv4 address.

Syntax

add 6over4tunnel [[interface=]String] [localaddress=]IPv4Address [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[localaddress=]IPv4Address

Required. Specifies the IPv4 address that is encapsulated.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command creates a 6over4 interface by using the IPv4 address 10.1.1.1 on the interface named "Private."

add 6over4tunnel "Private" 10.1.1.1

add address

Adds an IPv6 address to a specified interface. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.


Syntax

add address [[interface=]String] [address=]IPv6Address [[type=]{unicast | anycast}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[address=]IPv6Address

Required. Specifies the IPv6 address to add.

[[type=]{unicast | anycast}]

Specifies whether a unicast address (unicast) or an anycast address (anycast) is added. The default selection is unicast.

[[validlifetime=]{Integer | infinite}]

Specifies the lifetime over which the address is valid. The default value is infinite.

[[preferredlifetime=]{Integer | infinite}]

Specifies the lifetime over which the address is preferred. The default value is infinite.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command adds the IPv6 address FE80::2 to the interface named "Private."

add address "Private" FE80::2

add dnsserver

Adds a new DNS server IP address to the statically-configured list of DNS servers for the specified interface.

Syntax

add dnsserver [interface=]String [address=]IPAddress [[index=]Integer]

Parameters

[interface=]String

Required. Specifies, by name, which interface will have a DNS server IP address added to its list of DNS server IP addresses.

[address=]IPAddress

Required. Specifies the IPv6 address of the DNS server to add to the list.

[[index=]Integer]

Specifies the position on the statically-configured list in which to place the DNS server IP address specified in address. By default, the DNS server IP address is added to the end of the list.


Remarks

If an index is specified, the Domain Name System (DNS) server is placed in that position in the list.

Examples

In the first example command, a DNS server with the IPv6 address FEC0:0:0:FFFF::1 is added to the list of DNS server IP addresses for the interface named "Local Area Connection." In the second

example, a DNS server with the IPv6 address FEC0:0:0:FFFF::2 is added at index 2 as the second server on the list of servers for the interface named "Local Area Connection."

add dnsserver "Local Area Connection" FEC0:0:0:FFFF::1

add dnsserver "Local Area Connection" FEC0:0:0:FFFF::2 index=2

add neighbors

Specifies an entry in the neighbor cache.

Syntax

add neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string> [[subinterface=]<string>]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv4Address]

Specifies the address of the neighbor.

[neighbor=]<string>

Specifies the link layer address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Examples

This example command adds an entry to the neighbor cache on the interface named "Private."

add neighbors "Private" "3f::2" "12-34-56-78-9a-bc"

add potentialrouter

Adds a potential router to a given interface.

Syntax

add potentialrouter [interface=]<string> [[address=]<IPv6 address>]


Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv6Address]

Specifies the address of the potential router.

add prefixpolicy

Adds a source and destination address selection policy for a specified prefix.

Syntax

add prefixpolicy [prefix=]IPv6Address/Integer [precedence=]Integer [label=]Integer [[store=]{active | persistent}]

Parameters

[prefix=]IPv6Address/Integer

Required. Specifies the prefix for which to add a policy in the policy table. Integer specifies the prefix length.

[precedence=]Integer

Required. Specifies the precedence value used for sorting destination addresses in the policy table.

[label=]Integer

Required. Specifies the label value that allows for policies that require a specific source address prefix for use with a destination address prefix.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command adds a prefix policy for prefix ::/96, with a precedence value of three and a label value of four.

add prefixpolicy ::/96 3 4

add route

Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax

add route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]

Parameters

[ prefix=] IPv6Address/Integer

Required. Specifies the prefix for which to add a route. Integer specifies the prefix length.


[[interface=]String]

Specifies an interface name or index.

[[nexthop=]IPv6Address]

Specifies the gateway address, if the prefix is not on-link.

[[siteprefixlength=]Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[metric=]Integer]

Specifies the route metric.

[[publish=]{no | yes | immortal}]

Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or not advertised (no) in Route Advertisements. The default selection is no.

[[validlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.

[[preferredlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command adds a route on the interface named "Internet" with a prefix of 3FFE:: and a prefix length of 16 bits (3FFE::/16). The nexthop value is FE80::1.

add route 3FFE::/16 "Internet" FE80::1

add v6v4tunnel

Creates an IPv6-in-IPv4 tunnel.

Syntax

add v6v4tunnel [[interface=]String] [localaddress=]IPv4Address [remoteaddress=]IPv4Address [[neighbordiscovery=]{enabled | disabled}] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[localaddress=]IPv4Address

Required. Specifies the IPv4 address of the local tunnel endpoint.

[remoteaddress=]IPv4Address


Required. Specifies the IPv4 address of the remote tunnel endpoint.

[[neighbordiscovery=]{enabled | disabled}]

Specifies whether Neighbor Discovery is enabled (enabled) or disabled (disabled) on the interface. The default selection is disabled.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command creates an IPv6-in-IPv4 tunnel between the local address 10.0.0.1 and the remote address 192.168.1.1 on the interface "Private."

add v6v4tunnel "Private" 10.0.0.1 192.168.1.1

delete address

Deletes an IPv6 address from a specified interface.

Syntax

delete address [[interface=]String] [address=]IPv6Address [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[address=]IPv6Address

Required. Specifies the IPv6 address to delete.

[[store=]{active | persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command deletes the address FE80::2 from the interface named "Private."

delete address "Private" FE80::2

delete destinationcache

Clears the destination cache. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that destination cache entry.

Syntax

delete destinationcache [[interface=]String] [[address=]IPv6Address]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv6Address]


Specifies the address of the destination.

Examples

This example command deletes the destination cache for the interface named "Private."

delete destinationcache "Private"

delete dnsserver

Deletes statically configured DNS server IPv6 addresses for a specific interface.

Syntax

delete dnsserver [interface=]String [[address=]{IPv6Address | all}]

Parameters

[interface=]String

Required. Specifies the interface, by name, for which you want to remove a DNS server from the list of DNS servers.

[[address=]{IPv6Address | all}]

Specifies the DNS server IPv6 address to delete. If all is specified, all DNS server IPv6 addresses on the list for the interface are deleted.

Examples

In the first example command, the DNS server IPv6 address FEC0:0:0:FFFF::1 is deleted from the list of addresses for the connection named "Local Area Connection." In the second example command, all DNS server IPv6 addresses are deleted for the connection named "Local Area Connection."

delete dnsserver "Local Area Connection" FEC0:0:0:FFFF::1

delete dnsserver "Local Area Connection" all

delete interface

Deletes a specified interface from the IPv6 stack.

Syntax

delete interface [[interface=]String] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[store=]{active | persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command deletes the interface named "Private."

delete interface "Private"


delete neighbors

Specifies that all entries in the neighbor cache are deleted. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that neighbor cache entry.

Syntax

delete neighbors [[interface=]String] [[address=]IPv6Address]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv6Address]

Specifies the address of the neighbor.

Examples

This example command removes all entries from the neighbor cache on the interface named "Private."

delete neighbors "Private"

delete potentialrouter

Delete a potential router from a given interface.

Syntax

delete potentialrouter [interface=]<string> [[address=]<IPv6 address>]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv6Address]

Specifies the address of the potential router.

delete prefixpolicy

Deletes the source and destination address selection policy for a specified prefix.

Syntax

delete prefixpolicy [prefix=]IPv6Address/Integer [[store=]{active | persistent}]

Parameters

[prefix=]IPv6Address/Integer

Required. Specifies the prefix (IPv6Address) and prefix length (Integer) to delete from the policy table.

[[store=]{active | persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command deletes the prefix ::/96 from the policy table.


delete prefixpolicy ::/96

delete route

Deletes an IPv6 route.

Syntax

delete route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address] [[store=]{active | persistent}]

Parameters

[prefix=]IPv6Address/Integer

Required. Specifies the prefix of the route to delete.

[[interface=]String]

Specifies an interface name or index.

[[nexthop=]IPv6Address]

Specifies the gateway address, if the prefix is not on-link.

[[store=]{active | persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command deletes the route with the prefix 3FFE::/16 and the gateway FE80::1 from the interface named "Internet."

delete route 3FFE::/16 "Internet" FE80::1

dump

Dumps the network adapter IPv6 configuration to the command prompt window when run within the netsh context. When used in a batch file or script, output can be saved in a text file.

Syntax

netsh interface ipv6 dump > [PathAndFileName]

Parameters

[ PathAndFileName]

Specifies both the location where the file is saved and the name of the destination file to which the configuration is saved.

Examples

In the first example, the command is run manually at the netsh interface ipv6 context of a command prompt. The IPv6 configuration is displayed in the command prompt window, and can be copied and pasted into a text file. In the second example, the dump command is run in a batch file, and the configuration is saved to a text file named Ipv6_conf.txt at the location C:\Temp.

dump

netsh interface ipv6 dump > C:\temp\ipv6_conf.txt
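As an added example that is not part of the netsh reference, the following PowerShell script runs netsh interface ipv6 dump the way the batch-file usage above describes, keeps the result beside a saved baseline, and reports configuration lines that were added or removed since the baseline, so unexpected changes to addresses, routes or tunnels stand out. The file paths under C:\Temp and the function names are assumptions for this example.

```powershell
# Added example, not part of the netsh reference: baseline and drift check
# for the output of "netsh interface ipv6 dump". Paths are assumptions.

$BaselinePath = 'C:\Temp\ipv6_baseline.txt'
$CurrentPath  = 'C:\Temp\ipv6_conf_{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss')

function Get-NetshDumpLines {
    # Runs the dump and drops blank and comment lines (netsh prefixes its
    # banner lines with '#'), so only configuration statements are compared.
    netsh interface ipv6 dump |
        Where-Object { $_ -and $_ -notmatch '^\s*#' }
}

function Compare-NetshDump {
    # Compare-Object reports '=>' for lines only in the current dump (added)
    # and '<=' for lines only in the baseline (removed).
    param([string[]]$Baseline, [string[]]$Current)
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current |
        ForEach-Object {
            $kind = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8} {1}' -f $kind, $_.InputObject
        }
}

$current = @(Get-NetshDumpLines)
# Keep a dated copy of every run, as the batch-file example above does.
$current | Set-Content -Path $CurrentPath -Encoding UTF8

if (-not (Test-Path -Path $BaselinePath)) {
    # First run on this host: the current configuration becomes the baseline.
    $current | Set-Content -Path $BaselinePath -Encoding UTF8
    "No baseline existed; saved current configuration as baseline: $BaselinePath"
} else {
    $baseline = @(Get-Content -Path $BaselinePath)
    $drift = @(Compare-NetshDump -Baseline $baseline -Current $current)
    if ($drift.Count -gt 0) {
        'IPv6 configuration drift since baseline:'
        $drift
    } else {
        'No IPv6 configuration drift since baseline.'
    }
}
```

Refresh the baseline deliberately (delete or overwrite ipv6_baseline.txt) after an approved change, so that the next run does not keep reporting it.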


isatap

Specifies that the isatap context of netsh interface IPv6 isatap is used.

Syntax

isatap

reset

Resets the IPv6 configuration state.

Syntax

reset

set address

Modifies an IPv6 address on a specified interface. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax

set address [[interface=]String] [address=]IPv6Address [[type=]{unicast | anycast}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[address=]IPv6Address

Required. Specifies the IPv6 address to modify.

[[type=]{unicast | anycast}]

Specifies whether the address is marked as a unicast address (unicast) or as an anycast address (anycast). The default selection is unicast.

[[validlifetime=]{Integer | infinite}]

Specifies the lifetime over which the address is valid. The default value is infinite.

[[preferredlifetime=]{Integer | infinite}]

Specifies the lifetime over which the address is preferred. The default value is infinite.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets the address FE80::2 on the interface named "Private" as an anycast address.

set address "Private" FE80::2 anycast

set compartment

Modifies compartment configuration parameters.


Syntax

set compartment [compartment=]<integer> [defaultcurhoplimit=]<integer> [[store=]active|persistent]

Parameters

[compartment=]<integer>

Specifies an interface name or index.

[defaultcurhoplimit=]<integer>

Specifies the default hop limit of packets sent.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example

set compartment compartment=1 defaultcurhoplimit=255 store=active

set dnsserver

Configures a DNS server address for a specified interface.

Syntax

set dnsserver [name=]InterfaceName [source=]{dhcp | static } [addr=]{IP Address | none} [register=]{none | primary | both}

Parameters

[name=]InterfaceName

Required. Specifies the name of the interface for which you want to set DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

[source=]{dhcp | static}

Required. Specifies whether the IP address of the DNS server is configured by DHCP or is static.

[addr=]{IP Address | none}

If the IP address is static, IP Address specifies the IP address of the DNS server to configure, and none specifies that the DNS configuration should be removed.

[register=]{none | primary | both}

none disables dynamic update. primary registers the computer name under the primary DNS suffix only. both registers the computer name under both the primary DNS suffix and the connection-specific suffix.

/?

Displays help at the command prompt.


Examples

set dnsserver name="Local Area Connection" source=dhcp

set dnsserver "Local Area Connection" static fec0:0:0:ffff::1 primary

set dynamicportrange

Modifies the range of ports used for dynamic port assignment. Dynamic port assignment is also known as wildcard port assignment.

Syntax

set dynamicportrange [[protocol=]tcp|udp][startport=]<integer> [numberofports=]<integer>[[store=]active|persistent]

Parameters

[[protocol=]tcp|udp]

One of the following values:

• TCP: Display the dynamic port range for TCP.

• UDP: Display the dynamic port range for UDP.

[startport=]<integer>

Specifies the starting port for dynamic port assignment.

[numberofports=]<integer>

Specifies the number of ports available for dynamic port assignment.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example

set dynamicportrange protocol=tcp startport=10000 numberofports=20000
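The ephemeral range set here is what outbound connections and any reply-direction firewall rules depend on, so it is worth verifying after a change. As an added example that is not part of the netsh reference, the following PowerShell script parses the output layout of show dynamicportrange (described in the IPv4 section above) and reports a range that differs from the expected one or that overlaps ports reserved for listening services. The sample output, the expected range and the reserved ports are constructed assumptions for this example.

```powershell
# Added example, not part of the netsh reference. Parses the output of
# "netsh interface ipv4 show dynamicportrange protocol=tcp" (the ipv6 context
# prints the same layout) and checks the range against policy. The sample
# output below is constructed; it mirrors the range set in the example above.

$SampleOutput = @'
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 10000
Number of Ports : 20000
'@ -split "`r?`n"

function Get-DynamicPortRange {
    # Extracts Start Port and Number of Ports and derives the inclusive end port.
    param([string[]]$Lines)
    $start = $null
    $count = $null
    foreach ($line in $Lines) {
        if ($line -match '^Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] }
        if ($line -match '^Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    }
    if ($null -eq $start -or $null -eq $count) {
        throw 'Could not parse a dynamic port range from the supplied output'
    }
    [pscustomobject]@{ Start = $start; Count = $count; End = $start + $count - 1 }
}

function Test-DynamicPortRange {
    # Emits one finding per policy violation; an empty result means the
    # range matches expectations and touches no reserved service port.
    param(
        [pscustomobject]$Range,
        [int]$ExpectedStart,
        [int]$ExpectedEnd,
        [int[]]$ReservedPorts
    )
    if ($Range.Start -ne $ExpectedStart -or $Range.End -ne $ExpectedEnd) {
        'Ephemeral range is {0}-{1}; expected {2}-{3}' -f $Range.Start, $Range.End, $ExpectedStart, $ExpectedEnd
    }
    foreach ($port in $ReservedPorts) {
        if ($port -ge $Range.Start -and $port -le $Range.End) {
            "Reserved service port $port falls inside the ephemeral range"
        }
    }
}

$range = Get-DynamicPortRange -Lines $SampleOutput
# On a live host, feed the command output instead of the sample:
#   $range = Get-DynamicPortRange -Lines (netsh interface ipv4 show dynamicportrange protocol=tcp)
# Expected range and reserved ports are assumptions: adjust to local policy.
Test-DynamicPortRange -Range $range -ExpectedStart 49152 -ExpectedEnd 65535 -ReservedPorts 10050, 15000
```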

set global

Modifies global configuration parameters.

Syntax

set global [[defaultcurhoplimit=]Integer] [neighborcachelimit=]Integer [[routecachelimit=]Integer] [[reassemblylimit=]Integer] [[store=]{active | persistent}]

Parameters

[[defaultcurhoplimit=]Integer]

Specifies the default hop limit of packets sent.

[neighborcachelimit=]Integer

Required. Specifies the maximum number of neighbor cache entries.

[[routecachelimit=]Integer]

Specifies the maximum number of route cache entries.

[[reassemblylimit=]Integer]

Specifies the maximum size of the reassembly buffer.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets global parameters for all IPv6-enabled interfaces on the computer. The default hop limit is set to 32, the maximum number of neighbor cache entries is set to 100, and the maximum number of route cache entries is 100,000.

set global 32 100 100000

set interface

Modifies interface configuration parameters.

Syntax

set interface [[interface=]String] [[forwarding=]{enabled | disabled}] [[advertise=]{enabled | disabled}] [[mtu=]Integer] [[siteid=]Integer] [[metric=]Integer] [[firewall=]{enabled | disabled}] [[siteprefixlength=]Integer] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[forwarding=]{enabled | disabled}]

Specifies whether packets arriving on this interface can be forwarded to other interfaces. The default selection is disabled.

[[advertise=]{enabled | disabled}]

Specifies whether Router Advertisements are sent on this interface. The default selection is disabled.

[[mtu=]Integer]

Specifies the Maximum Transfer Unit (MTU) of this interface. The default MTU is the natural MTU of the link.

[[siteid=]Integer]

Specifies the site scope zone identifier.

[[metric=]Integer]

Specifies the interface metric, which is added to route metrics for all routes over the interface.

[[ firewall=]{ enabled| disabled}]

The Firewall can no longer be configured from Netsh. The value specified is ignored.


[[siteprefixlength=]Integer]

Specifies the default length of the global prefix for the entire site.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets the interface with the name "Private," with a siteid of two and a metric of two. All other parameter values are left at the default values.

set interface "Private" siteid=2 metric=2

set neighbors

Sets an entry in the neighbor cache.

Syntax

set neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]String [[subinterface=]String] [[store=]{active | persistent}]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the neighbor.

[neighbor=]String

Specifies the link layer address of the neighbor.

[[subinterface=]String]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]{active | persistent}]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Examples

This example command sets an entry to the neighbor cache on the interface named "Private."

set neighbors "Private" "fec0::2" "12-34-56-78-9a-bc"

set prefixpolicy

Modifies a source and destination address selection policy for a specified prefix.


Syntax

set prefixpolicy [prefix=]IPv6Address/Integer [precedence=]Integer [label=]Integer [[store=]{active | persistent}]

Parameters

[prefix=]IPv6Address/Integer

Required. Specifies the prefix for which to add a policy in the policy table. Integer specifies the prefix length.

[precedence=]Integer

Required. Specifies the precedence value used for sorting destination addresses in the policy table.

[label=]Integer

Required. Specifies the label value that allows for policies that require a specific source address prefix for use with a destination address prefix.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets a policy in the policy table for the prefix ::/96, with a precedence value of three and a label value of four.

set prefixpolicy ::/96 3 4

set privacy

Modifies parameters related to temporary address generation. If randomtime= is specified, maxrandomtime= is not used. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax

set privacy [[state=]{enabled | disabled}] [[maxdadattempts=]Integer] [[maxvalidlifetime=]Integer] [[maxpreferredlifetime=]Integer] [[regeneratetime=]Integer] [[maxrandomtime=]Integer] [[randomtime=]Integer] [[store=]{active | persistent}]

Parameters

[[state=]{enabled | disabled}]

Specifies whether temporary addresses are enabled.

[[maxdadattempts=]Integer]

Specifies the number of duplicate address detection attempts made. The default value is five.

[[maxvalidlifetime=]Integer]

Specifies the maximum lifetime over which a temporary address is valid. The default value is 7d (seven days).

[[ maxpreferredlifetime=] Integer]

Specifies the maximum lifetime over which a temporary address is preferred. The default value is 1d (one day).


[[regeneratetime=]Integer]

Specifies the duration of time that elapses when a new address is generated prior to deprecating a temporary address. The default value is 5s (five seconds).

[[maxrandomtime=]Integer]

Specifies the upper limit to use when computing a random delay at boot. The default value is 10m (10 minutes).

[[randomtime=]Integer]

Specifies a time value to use, instead of a value generated at boot.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

set route

Modifies route parameters. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax

set route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]

Parameters

[ prefix=] IPv6Address/Integer

Required. Specifies the prefix (IPv6Address) and prefix length (Integer) of the route to modify.

[[ interface=] String]

Specifies an interface name or index.

[[nexthop=]IPv6Address]

Specifies the gateway address, if the prefix is not on-link.

[[siteprefixlength=]Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[metric=]Integer]

Specifies the route metric.

[[publish=]{no | yes | immortal}]

Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or not advertised (no) in Router Advertisements. The default selection is no.

[[validlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.


[[preferredlifetime=]{Integer | infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[store=]{active | persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.

Examples

This example command sets a route on the interface named "Internet." The route prefix is 3FFE::, and has a length of 16 bits. The gateway address, defined by the nexthop= parameter, is FE80::1.

set route 3FFE::/16 "Internet" FE80::1
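The time-value notation shared by set privacy and set route (days, hours, minutes and seconds, plus infinite for the route lifetimes) is easy to get wrong in a script that builds these commands. The following Python helper is an added example, not part of this documentation: it converts those values to seconds and checks the lifetime ordering that temporary addresses and routes rely on (a preferred lifetime no longer than the valid lifetime, and address regeneration earlier than deprecation). The defaults are the documented ones; the ordering checks and the treatment of a bare integer as seconds are assumptions, not statements from the page.

```python
"""Parse netsh time values ('2d', '10m', '5s', 'infinite') and sanity-check lifetimes.

Added example, not part of the netsh documentation.
"""
import re
from typing import List, Optional

# Seconds per unit suffix, as documented: d, h, m, s.
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TIME_RE = re.compile(r"^(\d+)([dhms])?$")


def parse_time_value(value: str) -> Optional[int]:
    """Return the number of seconds for a netsh time value.

    'infinite' (valid for the set route lifetimes) returns None.  A bare
    integer is taken to mean seconds; that fallback is an assumption.
    """
    text = value.strip().lower()
    if text == "infinite":
        return None
    match = _TIME_RE.match(text)
    if not match:
        raise ValueError("not a netsh time value: %r" % value)
    number, unit = match.groups()
    return int(number) * UNIT_SECONDS[unit or "s"]


def check_privacy_lifetimes(maxvalidlifetime: str = "7d",
                            maxpreferredlifetime: str = "1d",
                            regeneratetime: str = "5s") -> List[str]:
    """Check set privacy lifetimes before issuing the command.

    Defaults are the documented ones.  The ordering rules (preferred no
    longer than valid, regeneration earlier than deprecation) follow from
    how a temporary address ages; they are an assumption, not text from
    the documentation.
    """
    valid = parse_time_value(maxvalidlifetime)
    preferred = parse_time_value(maxpreferredlifetime)
    regen = parse_time_value(regeneratetime)
    if None in (valid, preferred, regen):
        raise ValueError("set privacy lifetimes must be finite")
    problems = []
    if preferred > valid:
        problems.append("maxpreferredlifetime exceeds maxvalidlifetime")
    if regen >= preferred:
        problems.append("regeneratetime is not shorter than maxpreferredlifetime")
    return problems


def check_route_lifetimes(validlifetime: str = "infinite",
                          preferredlifetime: str = "infinite") -> List[str]:
    """Same ordering rule for set route, where either value may be 'infinite'."""
    valid = parse_time_value(validlifetime)
    preferred = parse_time_value(preferredlifetime)
    if valid is None:
        return []          # an always-valid route may be preferred for any time
    if preferred is None or preferred > valid:
        return ["preferredlifetime exceeds validlifetime"]
    return []


if __name__ == "__main__":
    print(parse_time_value("2d"), "seconds in 2d")
    print("privacy defaults:", check_privacy_lifetimes() or "ok")
    print("route 1d/infinite:", check_route_lifetimes("1d", "infinite"))
```

Run the checks on the values you intend to pass, and only then emit the set privacy or set route line; a rejected combination is cheaper to catch here than after the change has been stored persistently.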

set state

Enables or disables IPv4 compatibility. The default value for all parameters is disabled.

Syntax

set state [[6over4=]{enabled | disabled | default}] [[v4compat=]{enabled | disabled | default}]

Parameters

[[6over4=]{enabled | disabled | default}]

Specifies whether 6over4 interfaces are created. To both disable and delete 6over4 compatible interfaces, specify default. To disable 6over4 compatible interfaces without deleting them, specify disabled.

[[v4compat=]{enabled | disabled | default}]

Specifies whether IPv4 compatible interfaces are created. To both disable and delete IPv4 compatible interfaces, specify default. To disable IPv4 compatible interfaces without deleting them, specify disabled.

Examples

In the first example command, IPv4-compatible addresses are disabled, and any previously existing interfaces are deleted. In the second example command, IPv4-compatible addresses are enabled.

set state default

set state 6over4=disabled v4compat=enabled

set subinterface

Modifies subinterface configuration parameters.

Syntax

set subinterface [interface=]<string> [[mtu=]<integer>] [[subinterface=]<string>] [[store=]active|persistent]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[mtu=]Integer]


Specifies the MTU of this subinterface. The default is the natural MTU of the link.

[[subinterface=]String]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]{active | persistent}]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.

Example

set subinterface "1" mtu=1500 store=active

set teredo

Sets the Teredo state. A 'default' argument to a parameter sets it to the system default.

Syntax

set teredo [[type=]{disabled | client | enterpriseclient | default}] [[servername=]{HostName | IPv4Address | default}] [[refreshinterval=]{Integer | default}] [[clientport=]{Integer | default}] [[supernode=]{HostName | IPv4Address | default}]

Parameters

[[type=]{disabled | client | enterpriseclient | default}]

One of the following values:

• Disabled: Disables the Teredo service.

• Client: Enables the Teredo client.

• Enterpriseclient: Skip managed network detection.

[[servername=]{HostName | IPv4Address | default}]

Specifies the name or IPv4 address of the Teredo server.

[[refreshinterval=]{Integer | default}]

Specifies the client refresh interval (in seconds).

[[clientport=]{Integer | default}]

Specifies the client's UDP port (otherwise chosen by the system).

[[supernode=]{HostName | IPv4Address | default}]

Specifies the super-node to use when behind a firewall.

Examples

set teredo disabled

set teredo client teredo.ipv6.microsoft.com 60 34567

show address

Displays all IPv6 addresses, or all addresses on a specified interface.


Syntax

show address [[interface=]String] [[level=]{normal | verbose}] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[level=]{normal | verbose}]

Specifies whether one line per interface is displayed (normal) or additional information is displayed for each interface (verbose). When no interface is specified, the default selection is normal. When an interface is specified, the default selection is verbose.

[[store=]{active | persistent}]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.

show compartments

Displays information about all compartments, or about a given compartment if one is specified.

Syntax

show compartments [[compartment=]Integer] [[level=]{normal | verbose}] [[store=]{active | persistent}]

Parameters

[[compartment=]Integer]

Specifies an interface name or index.

[[level=]{normal | verbose}]

One of the following values:

• normal: Display one line per compartment (default when no compartment is specified).

• verbose: Display extra information about each compartment (default when a compartment is specified).

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example

show compartments

show destinationcache

Displays destination cache entries. If an interface is specified, displays the cache only on that interface. If an address is also specified, displays only that destination cache entry.


Syntax

show destinationcache [[interface=]String] [[address=]IPv6Address]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the destination.

show dnsservers

Displays the DNS server configuration for a specific interface or interfaces.

Syntax

show dnsservers [[interface=]String]

Parameters

[[ interface=] String]

Specifies the interface, by name, for which you want to display configured DNS server IPv6 addresses. If no interface is specified, servers for all interfaces are displayed.

Examples

In this example command, DNS server IPv6 addresses configured on the "Local Area Connection" interface are displayed.

show dnsservers "Local Area Connection"

show dynamicportrange

Displays dynamic port range configuration parameters.

Syntax

show dynamicportrange [[protocol=]tcp|udp] [[store=]active|persistent]

Parameters

[[protocol=]{tcp | udp}]

One of the following values:

• TCP: Show the dynamic port range for TCP.

• UDP: Show the dynamic port range for UDP.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example

show dynamicportrange


show global

Displays global configuration parameters.

Syntax

show global [[store=]{active | persistent}]

Parameters

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.

show interfaces

Displays information about all interfaces, or about a specified interface.

Syntax

show interfaces [[interfaces=]String] [[level=]{normal | verbose}] [[store=]{active | persistent}]

Parameters

[[interfaces=]String]

Specifies an interface name or index.

[[level=]{normal | verbose}]

Specifies whether one line per interface is displayed (normal) or additional information is displayed for each interface (verbose). When no interface is specified, the default selection is normal. When an interface is specified, the default selection is verbose.

[[store=]{active | persistent}]

Specifies whether active (active) or persistent (persistent) interfaces are displayed. The default selection is active.

show ipstats

Displays IP statistics. Used without parameters, show ipstats displays the statistics once.

Syntax

show ipstats [[rr=]RefreshRate]

Parameters

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show joins

Displays all IPv6 multicast addresses, or all multicast addresses on a specified interface.

Syntax

show joins [[interface=]String] [[level=]{normal | verbose}]


Parameters

[[interface=]String]

Specifies an interface name or index.

[[level=]{normal | verbose}]

Specifies whether one line per interface is displayed (normal) or additional information is displayed for each interface (verbose). When no interface is specified, the default selection is normal. When an interface is specified, the default selection is verbose.

show neighbors

Displays neighbor cache entries. If an interface is specified, the command displays the cache only on that interface. If a subinterface is also specified, the command shows only the cache for that subinterface. If an address is specified as well, the command displays only that specific neighbor cache entry.

Syntax

show neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]String [[subinterface=]String] [[store=]{active | persistent}] [[level=]{normal | verbose}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[address=]IPv6Address]

Specifies the address of the neighbor.

[[subinterface=]String]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]{active | persistent}]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per subinterface (default when no subinterface is specified).

• verbose: Display extra information on each subinterface (default when a subinterface is specified).

Example

show neighbors


show offload

Displays the tasks that can be performed by the network adapter for the specified interface corresponding to installed network hardware. Used without parameters, show offload displays offload information for all interfaces corresponding to installed network hardware.

Syntax

show offload [[name=]InterfaceName]

Parameters

[ name=] InterfaceName

Specifies the name of the interface for which you want to display offload information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").

/?

Displays help at the command prompt.

show potentialrouters

Displays all potential routers, or all potential routers on a given interface if one is specified.

Syntax

show potentialrouters [[interface=]String] [[level=]{normal | verbose}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[level=]{normal | verbose}]

One of the following values:

• normal: Display one line per subinterface (default when no subinterface is specified).

• verbose: Display extra information on each subinterface (default when a subinterface is specified).

show prefixpolicies

Displays prefix policy table entries used in source and destination address selection.

Syntax

show prefixpolicies [[store=]{active | persistent}]

Parameters

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.

show privacy

Displays privacy configuration parameters.


Syntax

show privacy [[store=]{active | persistent}]

Parameters

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.

show route

Displays route table entries.

Syntax

show route [[level=]{normal | verbose}] [[store=]{active | persistent}]

Parameters

[[ level=]{ normal| verbose}]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) routes are displayed. The default selection is active.

show siteprefixes

Displays the site prefix table.

Syntax

show siteprefixes

show subinterfaces

Displays information about all subinterfaces, or about all subinterfaces on a given interface if one is specified.

Syntax

show subinterfaces [[interface=]String] [[level=]{normal | verbose}] [[subinterface=]String] [[store=]{active | persistent}]

Parameters

[[interface=]String]

Specifies an interface name or index.

[[level=]{normal | verbose}]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.

[[subinterface=]String]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]{active | persistent}]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.


Example

show subinterfaces

show tcpstats

Displays TCP statistics. Used without parameters, show tcpstats displays the statistics once.

Syntax

show tcpstats [[rr=]RefreshRate]

Parameters

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

show teredo

Shows the Teredo state.

Syntax

show teredo

Examples

show teredo

show udpstats

Displays UDP statistics. Used without parameters, show udpstats displays the statistics once.

Syntax

show udpstats [[rr=]RefreshRate]

Parameters

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

Netsh interface IPv6 6to4

You can use the following commands in the netsh interface IPv6 6to4 context to display the configuration of or configure the 6to4 service on either a 6to4 host or a 6to4 router.

set interface

Configures the 6to4 service on an interface.

Syntax

set interface [name=] InterfaceName [[routing=] {enabled | disabled | default}]

Parameters

[ name=] InterfaceName


Required. Specifies the name of the interface for which you want to set 6to4 service configuration. InterfaceName must match the name of the interface specified in Network Connections. If InterfaceName contains any spaces, it must be enclosed in quotes.

[[routing=]{enabled | disabled | default}]

Specifies whether the forwarding of 6to4 packets received on the interface is enabled, disabled, or set to its default value.

show interface

Displays the 6to4 service routing configuration on all interfaces, or on a specified interface.

Syntax

show interface [[name=] InterfaceName]

Parameters

[[ name=] InterfaceName]

Specifies the name of the interface for which you want to display the 6to4 service configuration. InterfaceName must match the name of the interface specified in Network Connections. If InterfaceName contains any spaces, it must be enclosed in quotes.

set relay

Configures the name of the 6to4 relay router for the 6to4 service. Additionally, specifies how often the name is resolved and the state of the relay component for the 6to4 service.

Syntax

set relay [[name=] {RelayDNSName | default}] [[state=] {enabled | disabled | automatic | default}] [[interval=] {ResInterval | default}]

Parameters

[[name=]{RelayDNSName | default}]

Specifies either the fully qualified domain name (FQDN) of a 6to4 relay router on the IPv4 Internet (RelayDNSName), or sets the relay name to its default value of 6to4.ipv6.microsoft.com (default).

[[state=]{enabled | disabled | automatic | default}]

Specifies whether the state of the relay component for the 6to4 service is enabled, disabled, automatically enabled if a public IPv4 address is configured, or set to its default value.

[[interval=]{ResInterval | default}]

Specifies how often the name of the relay router is resolved in minutes (ResInterval) or sets the resolution interval to its default value of 1440 minutes (default).

show relay

Displays the relay router configuration for the 6to4 service.

Syntax

show relay

set routing

Sets both the state of routing and the inclusion of site-local address prefixes in Router Advertisements that are sent by the 6to4 router.


Syntax

set routing [[routing=] {enabled | disabled | automatic | default}] [[sitelocals=] {enabled | disabled | default}]

Parameters

[[routing=]{enabled | disabled | automatic | default}]

Specifies whether the state of routing on a 6to4 router is enabled, disabled, automatically enabled if Internet Connection Sharing (ICS) is enabled, or set to its default value.

[[sitelocals=]{enabled | disabled | default}]

Specifies whether the advertising of site-local address prefixes, in addition to 6to4 address prefixes, is enabled, disabled, or set to its default value.

show routing

Displays the routing configuration of the 6to4 service.

Syntax

show routing

set state

Configures the state of the 6to4 service.

Syntax

set state [[state=] {enabled | disabled | default}] [[undoonstop=] {enabled | disabled | default}] [[6over4=] {enabled | disabled | default}]

Parameters

[[ state=] { enabled| disabled| default}]

Specifies whether the state of the 6to4 service is enabled, disabled, or set to its default value.

[[ undoonstop=] { enabled| disabled| default}]

Specifies whether the reversal, when the service stops, of all automatic configuration performed by the 6to4 service is enabled, disabled, or set to its default value.

show state

Displays the state of the 6to4 service.

Syntax

show state

Netsh interface ipv6 isatap

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and tunneling mechanism for communication between IPv6/IPv4 nodes within an IPv4 site. It is described in the Internet draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)" (draft-ietf-ngtrans-isatap-00.txt). You can use the following commands to configure the ISATAP router.

set router

Specifies the Intra-Site Automatic Tunneling Address Protocol (ISATAP) router information, including router name, state, and resolution interval.


Syntax

set router [[name=]{String | default}] [[state=]{Enabled | Disabled | Default}] [[interval=]Integer]

Parameters

[[name=]{String | default}]

Specifies whether the router is named with a string. If default is specified, the system reverts to using the default name.

[[state=]{Enabled | Disabled | Default}]

Specifies whether the ISATAP router relays packets between subnets.

[[interval=]Integer]

Specifies the router resolution interval, in minutes. The default interval is 1440 (24 hours).

Examples

The following example command sets the router name to isatap, enables the router, and sets the resolution interval to 120 minutes:

set router isatap enabled 120

set state

Enables or disables IPv4 compatibility. The default value for all parameters is disabled.

Syntax

set state [[state=]{enabled | disabled | default}]

Parameters

[[state=]{enabled| disabled| default}]

Specifies whether isatap interfaces are created. To both disable and delete isatap compatible interfaces, specify default. To disable isatap compatible interfaces without deleting them, specify disabled.

Examples

In this example command, IPv6-compatible addresses are disabled, and any previously existing interfaces are deleted.

set state default

show router

Displays configuration information for the ISATAP router.

Syntax

show router

show state

Displays the ISATAP state.

Syntax

show state


Netsh commands for Interface ISATAP

The following entries provide details for each command.

set router

Sets Intra-site Automatic Tunnel Address Protocol ISATAP router information.

Syntax

set router [[name=]{Name | default}] [[state=]{enabled | disabled | default}] [[interval=]Interval]

Parameters

name

Optional. Specifies the name of the ISATAP router.

state

Optional. Specifies the state of router name resolution.

interval

Optional. Specifies an integer that is the resolution interval (in minutes).

Examples

Following is an example of the set router command.

set router isatap enabled 1440

set state

Sets the ISATAP state.

Syntax

set state [state=]{enabled | disabled | default}

Parameters

state

Optional. Specifies whether ISATAP is enabled.

show router

Shows the ISATAP router information.

Syntax

show router

show state

Shows the ISATAP state.

Syntax

show state


Netsh commands for Interface Portproxy

The Netsh Interface Portproxy commands provide a command-line tool for use in administering servers that act as proxies between IPv4 and IPv6 networks and applications. You can use these commands to establish proxy service in the following ways:

• IPv4-configured computer and application messages sent to other IPv4-configured computers and applications.

• IPv4-configured computer and application messages sent to IPv6-configured computers and applications.

• IPv6-configured computer and application messages sent to IPv4-configured computers and applications.

• IPv6-configured computer and application messages sent to other IPv6-configured computers and applications.

When writing batch files or scripts using these commands, each command must be preceded by netsh interface portproxy. For example, when using the delete v4tov6 command to specify that the portproxy server delete an IPv4 port and address from the list of IPv4 addresses for which the server listens, the batch file or script must use the following syntax:

netsh interface portproxy delete v4tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

You can run these commands at the command prompt in a Windows Server® 2008 operating system or at the command prompt for the netsh interface portproxy context. For these commands to work at the command prompt in Windows Server 2008, you must type netsh interface portproxy before typing commands and parameters as they appear in the syntax below.
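Portproxy rules silently relay inbound connections to another port or host, so on a server that is not meant to act as a proxy every rule in the listing deserves a look. The following Python script is an added example, not part of this documentation: it parses a constructed sample of the netsh interface portproxy show all listing (the column layout is an assumption modelled on that command's tabular output), flags rules that listen on every address or forward to a remote host, and builds the matching delete command in the syntax documented on this page. It assumes delete v6tov4 and delete v6tov6 take the same form as the delete v4tov4 and delete v4tov6 commands shown here.

```python
"""Audit portproxy rules from the "netsh interface portproxy show all" listing.

Added example; the sample listing below is constructed and its column
layout is an assumption modelled on the real command's tabular output.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample (assumption: shape of the "show all" listing).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        10.0.0.5        3389
127.0.0.1       8080        127.0.0.1       80

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
::              9000        192.0.2.10      9000
"""


@dataclass(frozen=True)
class PortProxyRule:
    mode: str            # v4tov4, v4tov6, v6tov4 or v6tov6 (the netsh subcommand names)
    listen_address: str
    listen_port: int
    connect_address: str
    connect_port: int


def parse_portproxy(text: str) -> List[PortProxyRule]:
    """Turn the tabular listing into PortProxyRule records."""
    rules = []
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Listen on "):
            # "Listen on ipv4:   Connect to ipv6:" -> mode "v4tov6"
            words = line.replace(":", "").split()
            mode = words[2][2:] + "to" + words[5][2:]
            continue
        if line.startswith("Address") or line.startswith("---"):
            continue                      # column header / separator
        fields = line.split()
        if mode is None or len(fields) != 4:
            continue                      # not a rule line
        listen_addr, listen_port, connect_addr, connect_port = fields
        rules.append(PortProxyRule(mode, listen_addr, int(listen_port),
                                   connect_addr, int(connect_port)))
    return rules


def _is_wildcard(addr: str) -> bool:
    """0.0.0.0 or :: means the proxy accepts connections on every address."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False                      # a host name is never a wildcard


def _is_local(addr: str) -> bool:
    """Loopback targets keep the relayed traffic on this machine."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                      # host names are treated as remote


def audit(rules: List[PortProxyRule]) -> List[Tuple[PortProxyRule, List[str]]]:
    """Return the rules worth investigating, each with its reasons."""
    findings = []
    for rule in rules:
        reasons = []
        if _is_wildcard(rule.listen_address):
            reasons.append("listens on all addresses")
        if not _is_local(rule.connect_address):
            reasons.append("forwards to another host")
        if reasons:
            findings.append((rule, reasons))
    return findings


def delete_command(rule: PortProxyRule) -> str:
    """Build the netsh command that removes the rule (syntax as documented)."""
    return ("netsh interface portproxy delete {mode} listenport={port} "
            "listenaddress={addr} protocol=tcp").format(
                mode=rule.mode, port=rule.listen_port, addr=rule.listen_address)


if __name__ == "__main__":
    for rule, reasons in audit(parse_portproxy(SAMPLE_OUTPUT)):
        print(f"{rule.listen_address}:{rule.listen_port} -> "
              f"{rule.connect_address}:{rule.connect_port}: {', '.join(reasons)}")
        print("  remove with:", delete_command(rule))
```

In practice you would capture the listing on the host (netsh interface portproxy show all, redirected to a file), feed that text to parse_portproxy, and compare the flagged rules against whatever change record justifies a proxy on that machine; a rule nobody can account for is removed with the generated delete command.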

add v4tov4

Specifies that the portproxy server listen for messages sent to a specific port and IPv4 address, and maps a port and IPv4 address to which to send the messages received after establishing a separate TCP connection.

Syntax

add v4tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.


listenaddress

Specifies the IPv4 address for which to listen. Acceptable values are IP address, computer NetBIOS name, or computer Domain Name System (DNS) name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently, only Transmission Control Protocol (TCP) is supported.

/?

Displays help at the command prompt.

add v4tov6

Specifies that the portproxy server listen for messages sent to a specific port and IPv4 address, and maps a port and IPv6 address to which to send the messages received after establishing a separate TCP connection.

Syntax

add v4tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

add v6tov4

Specifies that the portproxy server listen for messages sent to a specific port and IPv6 address, and maps a port and IPv4 address to which to send the messages received after establishing a separate TCP connection.


Syntax

add v6tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen. connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

add v6tov6

Specifies that the portproxy server listen for messages sent to a specific port and IPv6 address, and maps a port and IPv6 address to which to send the messages received after establishing a separate TCP connection.

Syntax

add v6tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v4tov4

Specifies that the portproxy server delete an IPv4 address from the list of IPv4 ports and addresses for which the server listens.

Syntax

delete v4tov4 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv4 port to delete.

listenaddress

Specifies the IPv4 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v4tov6

Specifies that the portproxy server delete an IPv4 port and address from the list of IPv4 addresses for which the server listens.

Syntax

delete v4tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv4 port to delete.

listenaddress

Specifies the IPv4 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v6tov4

Specifies that the portproxy server delete an IPv6 port and address from the list of IPv6 addresses for which the server listens.

Syntax

delete v6tov4 listenport= {Integer | ServiceName} [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port to delete.

listenaddress

Specifies the IPv6 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v6tov6

Specifies that the portproxy server delete an IPv6 address from the list of IPv6 addresses for which the server listens.

Syntax

delete v6tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port to delete.

listenaddress

Specifies the IPv6 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

reset

Resets the IPv6 configuration state.

Syntax

reset

set v4tov4

Modifies the parameter values of an existing entry on the portproxy server created with the add v4tov4 command, or adds a new entry to the list that maps port/address pairs.

Syntax

set v4tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently, only Transmission Control Protocol (TCP) is supported.

/?

Displays help at the command prompt.

set v4tov6

Modifies the parameter values of an existing entry on the portproxy server created with the add v4tov6 command, or adds a new entry to the list that maps port/address pairs.

Syntax

set v4tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

set v6tov4

Modifies the parameter values of an existing entry on the portproxy server created with the add v6tov4 command, or adds a new entry to the list that maps port/address pairs.

Syntax

set v6tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

set v6tov6

Modifies the parameter values of an existing entry on the portproxy server created with the add v6tov6 command, or adds a new entry to the list that maps port/address pairs.

Syntax

set v6tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If you do not specify an address, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

show all

Displays all portproxy parameters, including port/address pairs for v4tov4, v4tov6, v6tov4, and v6tov6.

Syntax

show all

show v4tov4

Displays v4tov4 portproxy parameters.

Syntax

show v4tov4

show v4tov6

Displays v4tov6 portproxy parameters.

Syntax

show v4tov6

show v6tov4

Displays v6tov4 portproxy parameters.

Syntax

show v6tov4

show v6tov6

Displays v6tov6 portproxy parameters.

Syntax

show v6tov6
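Because a portproxy entry silently relays traffic arriving on the listen address, a defender auditing a host should review the table that show all prints rather than assume it is empty. The following Python script is an added example, not part of this reference: it parses the show all listing (the sample below is constructed to follow that layout; the addresses and ports are made up), flags entries that listen on every interface, and builds the matching delete command from the syntax documented above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of the text `netsh interface portproxy show all` prints.
# The layout follows the real command; the addresses and ports are made up.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         3390        10.20.30.40     3389
127.0.0.1       8080        127.0.0.1       80

Listen on ipv4:             Connect to ipv6:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               443         2001:db8::10    443
"""

# Listen addresses that expose the proxy on every interface of the host.
# "*" is what the listing shows when no listenaddress was given.
WILDCARD_LISTEN = {"*", "0.0.0.0", "::"}

SECTION_RE = re.compile(r"Listen on ip(v[46]):\s+Connect to ip(v[46]):")
ENTRY_RE = re.compile(r"^(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})$")


@dataclass(frozen=True)
class PortProxyEntry:
    mapping: str        # v4tov4, v4tov6, v6tov4 or v6tov6, as in the netsh subcommands
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int


def parse_portproxy(text: str) -> List[PortProxyEntry]:
    """Turn the `show all` listing into structured entries."""
    entries: List[PortProxyEntry] = []
    mapping = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            # "Listen on ipv4: Connect to ipv6:" becomes the v4tov6 table
            mapping = f"{sec.group(1)}to{sec.group(2)}"
            continue
        row = ENTRY_RE.match(line)
        if row and mapping:
            entries.append(PortProxyEntry(mapping, row.group(1), int(row.group(2)),
                                          row.group(3), int(row.group(4))))
    return entries


def exposed_entries(entries: List[PortProxyEntry]) -> List[PortProxyEntry]:
    """Entries reachable from any network the host is attached to."""
    return [e for e in entries if e.listen_addr in WILDCARD_LISTEN]


def delete_command(entry: PortProxyEntry) -> str:
    """Build the netsh delete command (syntax from this reference) that removes an entry.
    An entry shown with "*" was added without listenaddress, so the delete omits it too."""
    addr = "" if entry.listen_addr == "*" else f" listenaddress={entry.listen_addr}"
    return (f"netsh interface portproxy delete {entry.mapping} "
            f"listenport={entry.listen_port}{addr} protocol=tcp")


if __name__ == "__main__":
    for e in exposed_entries(parse_portproxy(SAMPLE_OUTPUT)):
        print(f"{e.mapping}: {e.listen_addr}:{e.listen_port} -> {e.connect_addr}:{e.connect_port}")
        print("  remove with:", delete_command(e))
```

On a live host, feed the real listing in with `netsh interface portproxy show all | python audit.py` and compare the parsed entries against the proxies the host is expected to run.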

Netsh commands for Interface Transmission Control Protocol

The following sections provide details for each command.

add chimneyapplication

Sets the Transmission Control Protocol (TCP) chimney state for a particular application.

Syntax

add chimneyapplication [ state= ] disabled | enabled [ application= ] PathName

Parameters

state

Required. Specifies one of the following values:

disabled: Disables TCP chimney offload for the application.

enabled: Enables TCP chimney offload for the application. Applies to new connections only.

application

Required. Specifies the application name and path.

Examples

Following are two examples of the add chimneyapplication command.

add chimneyapplication disabled c:\path\database.exe

add chimneyapplication state=disabled application=c:\path\database.exe

add chimneyport

Sets the TCP chimney state for a source port, destination port pair.

Syntax

add chimneyport [ state= ] disabled | enabled [ localport= ] *| Integer [ remoteport= ] *| Integer

Parameters

state

Required. Specifies one of the following values:

disabled: Disables TCP chimney offload for the local port, remote port pair.

enabled: Enables TCP chimney offload for the local port, remote port pair. Applies to new connections only.

localport

Required. Specifies the source port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.

remoteport

Required. Specifies the destination port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.

Examples

Following are two examples of the add chimneyport command.

add chimneyport disabled 10000 *

add chimneyport state=disabled localport=10000 remoteport=*

delete chimneyapplication

Deletes the application from the TCP chimney offload selection table.

Syntax

delete chimneyapplication [application=] ApplicationName

Parameters

application

Required. Specifies the application name and path.

Examples

Following are two examples of the delete chimneyapplication command.

delete chimneyapplication c:\path\database.exe

delete chimneyapplication application=c:\path\database.exe

delete chimneyport

Deletes the port entry from the TCP chimney offload selection table.

Syntax

delete chimneyport [ localport= ] *| Integer [ remoteport= ] *| Integer

Parameters

localport

Required. Specifies the source port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.

remoteport

Required. Specifies the destination port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.

Examples

Following are two examples of the delete chimneyport command.

delete chimneyport 80 *

delete chimneyport localport=80 remoteport=*

reset

Removes all user configured settings and resets all TCP parameters to their default values.

Syntax

reset

set global

Sets TCP parameters that affect all connections.

Syntax

set global [ [ rss= ] disabled | enabled |default ] [ [ chimney= ] disabled | enabled | default ] [ [ autotuninglevel= ] disabled | highlyrestricted | restricted | normal |experimental ] [ [ congestionprovider= ] none |ctcp |default ] [ [ ecncapability= ] disabled | enabled | default ] [ [ timestamps= ] disabled | enabled | default ]

Parameters

rss

Optional. Specifies one of the following values:

disabled: Disable receive-side scaling.

enabled: Enable receive-side scaling.

default: Restore receive-side scaling state to the system default.

chimney

Optional. Specifies one of the following values:

disabled: Disable Chimney offload.

enabled: Enable Chimney offload.

default: Restore Chimney offload state to the system default.

autotuninglevel

Optional. Specifies one of the following values:

disabled: Fix the receive window at its default value.

highlyrestricted: Allow the receive window to grow beyond its default value, but do so very conservatively.

restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.

normal: Allow the receive window to grow to accommodate almost all scenarios.

experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.

congestionprovider

Optional. Specifies one of the following values:

none: Use the built-in standard congestion control algorithm.

ctcp: Use the add-on Compound TCP congestion control algorithm.

default: Restore the selected provider to the system default.

ecncapability

Optional. Specifies one of the following values:

disabled: Disable ECN Capability.

enabled: Enable ECN Capability.

default: Restore ECN Capability state to the system default.

timestamps

Optional. Specifies one of the following values:

disabled: Disable RFC 1323 timestamps.

enabled: Enable RFC 1323 timestamps.

default: Restore RFC 1323 timestamps state to the system default.

Examples

Following are two examples of the set global command.

set global enabled enabled normal

set global rss=enabled chimney=enabled autotuninglevel=normal

show chimneyapplications

Shows TCP Chimney application filters.

Syntax

show chimneyapplications [ [ level= ] normal | verbose ]

Parameters

level

Optional. Specifies one of the following values:

normal: Display the TCP connect IPv4 filters in the TCP chimney offload table. This is the default value.

verbose: Display filters for all events in the TCP chimney offload table.

show chimneyports

Shows TCP Chimney port filters.

Syntax

show chimneyports [ [ level= ] normal | verbose ]

Parameters

level

Optional. Specifies one of the following values:

normal: Display the TCP connect IPv4 filters in the TCP chimney offload table. This is the default value.

verbose: Display filters for all events in the TCP chimney offload table.

show global

Shows TCP parameters that affect all connections.

Syntax

show global [ [ store= ] active | persistent ]

Parameters

store

Optional. Specifies one of the following values:

active: Show information in the stack (default).

persistent: Show persistent information.

Netsh commands for Interface Teredo

This section contains the following commands:

set state

show state

Interface Teredo commands

The following entries provide details for each command.

set state

Sets the Teredo state. A default argument to a parameter sets it to the system default.

Syntax

set state [ [ type= ] disabled | client | enterpriseclient | default ] [ [ servername= ] HostName | IPv4Address | default ] [ [ refreshinterval= ] Integer | default ] [ [ clientport= ] Integer | default ] [ [ supernode= ] HostName | IPv4Address | default ]

Parameters

type

Optional. Specifies one of the following values:

disabled: Disable the Teredo service.

client: Enable the Teredo client.

enterpriseclient: Skip managed network detection.

servername

Optional. Specifies the host name or IPv4 address of the Teredo server.

refreshinterval

Optional. Specifies an integer value for the client refresh interval (in seconds).

clientport

Optional. Specifies an integer that is the client's UDP port. If default is specified, the value is chosen by the system.

supernode

Optional. Specifies the Super-Node to use when behind a firewall.

Examples

Following are two examples of the set state command.

set state disable

set state client teredo.ipv6.microsoft.com 60 34567

show state

Shows the Teredo state.

Syntax

show state

Netsh Commands for Internet Protocol Security (IPsec)

The Netsh commands for Internet Protocol security (IPsec) provide an alternative to the console-based management and diagnostic capabilities provided by the IP Security Policy Management and IP Security Monitor snap-ins available for the Microsoft Management Console (MMC). By using the Netsh commands for IPsec, you can configure and view static or dynamic IPsec Main Mode settings, Quick Mode settings, rules, currently established security associations, and configuration parameters.

Administering IPsec from the command line is especially useful when you want to:

Script IPsec configuration.

Extend the security and manageability of IPsec by configuring the following features, which are not available in the IP Security Policy Management snap-in: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.

You can run these commands from within the netsh tool at the netsh ipsec> prompt.

For these commands to work at a standard Windows command prompt, you must preface each command with netsh firewall, followed by the specific command and parameters as they appear in the syntax below.

Netsh IPsec static-mode commands

You can use the netsh ipsec static commands to perform the same management and monitoring tasks that you can perform by using the IP Security Policy Management console. By using these commands, you can create and modify IPsec policies without immediately affecting the configuration of the active IPsec policy. Policies affect the operational state of the computer when you use the assign=Yes parameter on an add policy or set policy command. If you make changes to an assigned policy, they will take effect immediately. A Group Policy assigned to the computer will override a local policy, even when the assign=yes option is part of the local policy command.

Netsh IPsec dynamic-mode commands

You can use the netsh ipsec dynamic commands to display the active state of IPsec and to immediately affect the configuration of the active IPsec policy. These commands directly configure the security policy database (SPD). Changes that you make to an IPsec policy while using these commands take effect only while the IPsec service is running. If the IPsec service is stopped, the dynamic policy settings are discarded. Although most of these commands take effect immediately, several configuration commands still require you to restart the IPsec service or restart the computer before they take effect. For more information about these commands, see the syntax descriptions for the netsh ipsec dynamic set config commands.

Netsh IPsec

The following commands are available at the IPsec> prompt, which is rooted within the netsh environment.

While the netsh ipsec dynamic commands modify the currently active configuration without storing the change anywhere, the netsh ipsec static commands modify a store which contains an IPsec configuration which allows the changes to persist, be saved, and recalled later.

static

Switches to the IPsec static context. In static mode you configure an IPsec policy which can be assigned to a computer at a later time. Changes made in this mode do not immediately affect the current IPsec state of the computer on which they are made, unless the policy being modified has the assign=yes property currently set and a Group Policy assigned IPsec policy is not currently overriding the local policy.

Syntax

static

Parameters

none

dynamic

Switches to the IPsec dynamic context. In dynamic mode, you are making changes to the active IPsec state of the computer on which you run the command. The changes are not saved to a policy that can then be deployed to another computer.

Syntax

dynamic

Parameters

none

Netsh IPsec static

The following commands are available at the ipsec static> prompt, which is rooted within the netsh environment.

add filter

Adds a filter to the specified filter list.

Syntax

add filter [ filterlist = ] FilterListName [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ [ description = ] string ] [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ] [ [ mirrored = ] { yes | no } ] [ [ srcmask = ] { Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ]

Parameters

[ filterlist = ] FilterListName

Required. Specifies the name of the filter list to which the filter is added. Each filter defines a set of inbound or outbound network traffic to be secured.

[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }

Required. Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, Domain Name System (DNS) name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers providing those services. The me keyword matches the IP address(es) assigned to the local computer, even when they change. Any matches any IP address.

[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers providing those services. The me keyword matches the IP address(es) assigned to the local computer, even when they change. Any matches any IP address.

[ [ description = ] String ]

Provides information about the filter.

[ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]

Specifies the IP protocol if, in addition to addressing information, you want to filter a specific IP protocol. The default value is any.

[ [ mirrored= ] { yes | no } ]

Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter settings: one for traffic to the destination and one for traffic from the destination. Both source and destination addresses and ports are mirrored. The default value is yes.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ srcport = ] Port ]

Specifies the source port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is any.

[ [ dstport = ] Port ]

Specifies the destination port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default is any.

add filteraction

Creates a filter action with the specified Quick Mode security methods.

Syntax

add filteraction [ name = ] FilterActionName [ [ description = ] string ] [ [ qmpfs = ] { yes | no }] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ] [ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]

Parameters

[ name = ] FilterActionName

Required. Specifies the name of the filter action to be created.

[ [ description = ] string ]

Provides information about the filter action.

[ [ qmpfs = ] { yes | no } ]

Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new master key material is renegotiated each time a new session key is required. The default value is no.

[ [ inpass = ] { yes | no } ]

Specifies whether to allow an incoming packet that matches the configured filter list to be unsecured, but require IPsec-secured communication when replying. The default value is no.

[ [ soft = ] { yes | no } ]

Specifies whether to fall back to unsecured communication with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is no.

[ [ action = ] { permit | block | negotiate } ]

Specifies the action to take on the traffic that matches the rule containing this filter action. If permit is specified, traffic is transmitted or received without requiring IPsec protection. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used with the specified list of security methods. The default value is negotiate.

[ [ qmsecmethods = ] "SecMethodsString" ]

Specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 or SHA1.

numk

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100000 kilobytes.

nums

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

add filterlist

Creates an empty filter list with the specified name.

Syntax

add filterlist [ name = ] FilterListName [ [ description = ] string ]

Parameters

[ name = ] FilterListName

Required. Specifies the name of the filter list to be created.

[ [ description = ] string ]

Provides information about the filter list.

add policy

Creates an IPsec policy with the specified name.

Syntax

add policy [ name = ] PolicyName [ [ description = ] string ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ mmsecmethods = ] "KeyExchMethods" ]

Parameters

[ name = ] PolicyName

Required. Specifies the name of the IPsec policy to be created.

[ [ description = ] string ]

Provides information about the IPsec policy.

[ [ mmpfs = ] { yes | no } ]

Specifies whether to enable master key perfect forward secrecy (PFS). If yes is specified, Main Mode security SAs are reauthenticated and new master key keying material is negotiated each time session key material for a Quick Mode SA is required. The default value is no.

[ [ qmpermm = ] Integer ]

Specifies the number of times that master keying material can be used to derive the session key. The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.

[ [ mmlifetime = ] Integer ]

Specifies the number of minutes after which a new master key will be generated. The default value is 480 minutes.

[ [ activatedefaultrule = ] { yes | no } ]

Specifies whether to activate the default response rule for this IPsec policy. The default value is no. This setting is not valid on Windows Vista or Windows Server 2008. When set through a Group Policy that is shared with earlier versions of Windows, computers running Windows Vista or Windows Server 2008 ignore the value. If you are running the command locally on a computer running Windows Vista or Windows Server 2008, it generates an error.

[ [ pollinginterval = ] Integer ]

Specifies how often IPsec polls for changes to this policy. The default value is 180 minutes.

[ [ assign = ] { yes | no } ]

Specifies whether to assign this IPsec policy (only one IPsec policy can be assigned). The default value is no.

[ [ mmsecmethods = ] "KeyExchMethods" ]

Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

EncAlg-HashAlg-GroupNum

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.

HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.

GroupNum

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits).
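The qmsecmethods string (add filteraction) and the mmsecmethods string (add policy) are easy to get wrong by hand, and the option lists above include choices (single DES, MD5, no integrity, DH group 1) that a security review would question today. The following Python script is an added example, not part of this reference: it parses both strings against the formats documented above and reports those choices. It assumes algorithm names are compared case-insensitively; the list of what counts as weak is the reviewer's judgement, not something the reference states.

```python
import re
from typing import Dict, List

# Permitted values per slot, taken from the add filteraction and add policy
# syntax in this reference (compared case-insensitively).
QM_ENC, QM_AUTH, QM_HASH = {"DES", "3DES", "NONE"}, {"MD5", "SHA1", "NONE"}, {"MD5", "SHA1"}
MM_ENC, MM_HASH = {"DES", "3DES"}, {"MD5", "SHA1"}
MM_GROUP_BITS = {1: 768, 2: 1024, 3: 2048}   # Diffie-Hellman groups listed for mmsecmethods
DEFAULT_KB, DEFAULT_SECS = 100000, 3600        # qmsecmethods lifetime defaults from the reference


def parse_qm_method(token: str) -> Dict:
    """Parse one Quick Mode method: ESP[Enc,Auth], AH[Hash] or AH[Hash]+ESP[Enc,Auth],
    each optionally followed by :<kb>k/<secs>s."""
    body, _, lifetime = token.partition(":")
    kb, secs = DEFAULT_KB, DEFAULT_SECS
    if lifetime:
        m = re.fullmatch(r"(\d+)k/(\d+)s", lifetime, re.IGNORECASE)
        if not m:
            raise ValueError(f"bad lifetime in {token!r}")
        kb, secs = int(m.group(1)), int(m.group(2))
    method = {"ah": None, "esp": None, "kb": kb, "secs": secs}
    for part in body.split("+"):
        m = re.fullmatch(r"AH\[\s*(\w+)\s*\]", part, re.IGNORECASE)
        if m and m.group(1).upper() in QM_HASH:
            method["ah"] = m.group(1).upper()
            continue
        m = re.fullmatch(r"ESP\[\s*(\w+)\s*,\s*(\w+)\s*\]", part, re.IGNORECASE)
        if m and m.group(1).upper() in QM_ENC and m.group(2).upper() in QM_AUTH:
            method["esp"] = (m.group(1).upper(), m.group(2).upper())
            continue
        raise ValueError(f"unrecognized or unsupported method part {part!r}")
    return method


def parse_qmsecmethods(value: str) -> List[Dict]:
    """Parse the space-separated SecMethodsString passed as qmsecmethods."""
    return [parse_qm_method(tok) for tok in value.split()]


def parse_mmsecmethods(value: str) -> List[Dict]:
    """Parse the space-separated KeyExchMethods string (EncAlg-HashAlg-GroupNum)."""
    methods = []
    for tok in value.split():
        fields = tok.split("-")
        if len(fields) != 3:
            raise ValueError(f"expected EncAlg-HashAlg-GroupNum, got {tok!r}")
        enc, hsh, grp = fields[0].upper(), fields[1].upper(), fields[2]
        if enc not in MM_ENC or hsh not in MM_HASH or not grp.isdigit() \
                or int(grp) not in MM_GROUP_BITS:
            raise ValueError(f"unsupported Main Mode method {tok!r}")
        methods.append({"enc": enc, "hash": hsh, "group": int(grp), "bits": MM_GROUP_BITS[int(grp)]})
    return methods


def review_methods(qm: List[Dict], mm: List[Dict]) -> List[str]:
    """Return one finding per choice a security review would question."""
    findings = []
    for i, m in enumerate(qm):
        if m["esp"]:
            enc, auth = m["esp"]
            if enc == "NONE":
                findings.append(f"qm[{i}]: ESP without encryption")
            elif enc == "DES":
                findings.append(f"qm[{i}]: single DES encryption")
            if auth == "NONE" and m["ah"] is None:
                findings.append(f"qm[{i}]: no integrity protection")
            if auth == "MD5":
                findings.append(f"qm[{i}]: MD5 integrity")
        if m["ah"] == "MD5":
            findings.append(f"qm[{i}]: AH with MD5")
    for i, m in enumerate(mm):
        if m["enc"] == "DES":
            findings.append(f"mm[{i}]: single DES encryption")
        if m["hash"] == "MD5":
            findings.append(f"mm[{i}]: MD5 hashing")
        if m["group"] == 1:
            findings.append(f"mm[{i}]: DH group 1 (768-bit)")
    return findings


if __name__ == "__main__":
    qm = parse_qmsecmethods("ESP[3DES,SHA1]:100000k/3600s AH[MD5]+ESP[DES,none]")
    mm = parse_mmsecmethods("3DES-SHA1-2 DES-MD5-1")
    for finding in review_methods(qm, mm):
        print(finding)
```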

add rule

Creates a rule that links a specified IPsec policy, filter list, and filter action with specified authentication methods.

Syntax

add rule [ name = ] RuleName [ policy = ] PolicyName [ filterlist = ] FilterListName [ filteraction = ] FilterActionName [ [ tunnel = ] { IPAddress | DNSName } ] [ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ] [ [ description = ] string ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters

[ name = ] RuleName

Required. Specifies the name of the IPsec rule to be created.

[ policy = ] PolicyName

Required. Specifies the name of the IPsec policy that contains this rule.

[ filterlist = ] FilterListName

Required. Specifies the name of the IP filter list for this rule.

[ filteraction = ] FilterActionName

Required. Specifies the name of the filter action for this rule.

[ [ tunnel = ] { IPAddress | DNSName } ]

Specifies the IP address (IPv4 or IPv6) or DNS name of the tunnel endpoint for tunnel mode. By default, this option is not specified and transport mode is used.

[ [ conntype = ] { lan | dialup | all } ]

Specifies whether the rule applies only to dial-up connections, only to local area network (LAN) connections, or to all connections. The default value is all.

[ [ activate = ] { yes | no } ]

Specifies whether to enable this rule in the specified IPsec policy. The default value is yes.

[ [ description = ] string ]

Provides information about the rule.

[ [ kerberos = ] { yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.

[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]

Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

CertName

Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

delete all

Deletes all IPsec policies, filter lists, and filter actions.

Syntax

delete all

Parameters

None.

delete filter

Deletes a filter from a filter list that matches the specified parameters.

Syntax

delete filter [ filterlist = ] FilterListName [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ] [ [ srcmask = ] { Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ] [ [ mirrored = ] { yes | no } ]

Parameters

[ filterlist = ] FilterListName

Required. Specifies the name of the filter list to which the filter was added.

[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }

Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }

Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]

Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A value of any matches filters with a protocol setting of any.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255, equivalent to the prefix value of 32.

[ [ dstmask = ] {Mask|Prefix} ]

Specifies the destination address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255, equivalent to the prefix value of 32.

[ [ srcport = ] Port ]

Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets. The default is to match any port number.

[ [ dstport = ] Port ]

Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets. The default is to match any port number.

[ [ mirrored = ] { yes | no } ]

Specifies whether a mirrored filter was created.
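As an added example (not part of this reference or of netsh), the following Python models how the srcaddr/dstaddr, srcmask/dstmask, protocol, srcport/dstport and mirrored parameters described above select packets, so a filter can be checked against constructed traffic before it is added or deleted. It assumes a constructed local address for me, leaves out the ServerType values, and applies the documented defaults (mask 255.255.255.255, any port).

```python
"""Model the packet-selection parameters of a netsh ipsec static filter and
test constructed packets against it."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Keywords accepted by the protocol parameter; anything else is an IP protocol number.
PROTOCOL_KEYWORDS = {"any": None, "icmp": 1, "tcp": 6, "udp": 17, "raw": 255}
PORTED_PROTOCOLS = {6, 17}  # srcport/dstport only apply when filtering TCP or UDP

# Constructed for this example: the addresses "me" stands for on this host.
# netsh resolves "me" to the local computer's own addresses at run time.
LOCAL_ADDRESSES = ["192.0.2.10"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    srcport: int = 0
    dstport: int = 0


@dataclass(frozen=True)
class IpsecFilter:
    srcaddr: str                  # me | any | IPAddr | IPAddr-IPAddr
    dstaddr: str
    protocol: str = "any"         # any | icmp | tcp | udp | raw | Integer
    srcmask: Optional[str] = None  # dotted mask or prefix length; None = /32
    dstmask: Optional[str] = None
    srcport: int = 0              # 0 matches any port (the netsh default)
    dstport: int = 0
    mirrored: bool = True         # also match with source and destination swapped


def _networks(addr: str, mask: Optional[str]) -> Optional[list]:
    """Expand an address parameter into the networks it covers; None means any.
    ServerType values (WINS, DNS, DHCP, gateway) are not modelled here."""
    if addr == "any":
        return None
    if addr == "me":
        return [ipaddress.ip_network(a) for a in LOCAL_ADDRESSES]
    if "-" in addr:  # IPAddr-IPAddr range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in addr.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    # Single address: the default mask 255.255.255.255 is prefix length 32.
    spec = f"{addr}/{mask}" if mask is not None else addr
    return [ipaddress.ip_network(spec, strict=False)]


def _protocol_number(protocol: str) -> Optional[int]:
    key = protocol.lower()
    return PROTOCOL_KEYWORDS[key] if key in PROTOCOL_KEYWORDS else int(key)


def _matches_one_way(f: IpsecFilter, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for nets, addr in ((_networks(f.srcaddr, f.srcmask), src),
                       (_networks(f.dstaddr, f.dstmask), dst)):
        if nets is not None and not any(addr in n for n in nets):
            return False
    proto = _protocol_number(f.protocol)
    if proto is not None and proto != pkt.protocol:
        return False
    if proto in PORTED_PROTOCOLS:  # ports are only meaningful for TCP/UDP filters
        if f.srcport and f.srcport != pkt.srcport:
            return False
        if f.dstport and f.dstport != pkt.dstport:
            return False
    return True


def matches(f: IpsecFilter, pkt: Packet) -> bool:
    """True if the filter selects the packet. A mirrored filter also matches the
    reverse direction, which is what lets one filter cover the reply traffic."""
    if _matches_one_way(f, pkt):
        return True
    if f.mirrored:
        reverse = Packet(pkt.dst, pkt.src, pkt.protocol, pkt.dstport, pkt.srcport)
        return _matches_one_way(f, reverse)
    return False


if __name__ == "__main__":
    # Constructed filter: this host to TCP port 445 anywhere in 10.1.0.0/16.
    smb = IpsecFilter("me", "10.1.0.0", protocol="tcp", dstmask="16", dstport=445)
    print(matches(smb, Packet("192.0.2.10", "10.1.5.7", 6, 51000, 445)))  # outbound
    print(matches(smb, Packet("10.1.5.7", "192.0.2.10", 6, 445, 51000)))  # mirrored reply
```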

delete filteraction

Deletes the specified filter action, or all filter actions.

Syntax

delete filteraction { [ name = ] FilterActionName | all }

Parameters

{ [ name = ] FilterActionName | all }

Required. Specifies the name of the filter action to delete. Or, if all is specified, all filter actions are deleted.

delete filterlist

Deletes the specified filter list, or all filter lists.

Syntax

delete filterlist { [ name = ] FilterListName | all }

Parameters

{ [ name = ] FilterListName | all }

Required. Specifies the name of the filter list to delete. Or, if all is specified, all filter lists are deleted.

delete policy

Deletes the specified IPsec policy and all associated rules, or all IPsec policies.

Syntax

delete policy { [ name = ] PolicyName | all }

Parameters

{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec policy to delete. Or, if all is specified, all IPsec policies are deleted.

delete rule

Deletes a specified rule, or all rules from the specified IPsec policy.

Syntax

delete rule { [ name = ] RuleName | [ ID = ] Integer | all } [ policy = ] PolicyName

Parameters

{ [ name = ] RuleName | [ ID = ] Integer | all }

Required. Specifies the rule to delete. If either the rule name or the rule ID (the number identifying the position of the rule in the policy rule list) is specified, the corresponding rule is deleted. If all is specified, all rules are deleted.

[ policy = ] PolicyName

Required. Specifies the name of the policy from which one or more rules are deleted.

exportpolicy

Exports IPsec policy information to the specified file. You can export all policies, or a specified policy.

Syntax

exportpolicy [ file = ] FilePathAndName [ [ name = ] PolicyName ]

Parameters

[ file = ] FilePathAndName

Required. Specifies the folder path and name of the file into which the IPsec policy information is exported.

[ [ name = ] PolicyName ]

Specifies the policy to export. If no value is provided, then all policies are exported.

importpolicy

Imports IPsec policy information from the specified IPsec file.

Syntax

importpolicy [ file = ] FilePathAndName

Parameters

[ file = ] FilePathAndName

Required. Specifies the folder path and name of the file from which the IPsec policy information is imported.

set batch

Sets batch mode. When batch mode is enabled, netsh caches information used during the processing of commands. When other commands reference that same information, the command can typically be processed much more quickly since it is in the cache memory. This can significantly improve performance of scripts that run a sequence of netsh commands.

Syntax

set batch [ mode = ] { enable | disable }

Parameters

[ mode = ] { enable | disable }

Required. Turns batch mode with its associated caching of information on or off. Use enable to turn it on before running a sequence of commands.

set defaultrule

Modifies the default response rule for the specified policy. This option is only applicable to computers running Windows XP or Windows Server 2003, and does not apply to Windows Vista or Windows Server 2008.

Syntax

set defaultrule [ policy = ] PolicyName [ [ qmpfs = ] { yes | no } ] [ [ activate = ] { yes | no } ] [ [ qmsecmethods = ] "SecMethodsString" ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }"]

Parameters

[ policy = ] PolicyName

Required. Specifies the name of the IPsec policy for which the default response rule is to be modified.

[ [ qmpfs = ] { yes | no } ]

Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new master key material is renegotiated each time a new session key is required. The default value is no.

[ [ activate = ] { yes | no } ]

Specifies whether to activate this rule for the specified IPsec policy. The default value is yes.

[ [ qmsecmethods = ] "SecMethodsString" ]

Specifies one or more security methods, separated by spaces and defined by the following format:

{ ESP[EncAlg,AuthAlg]:k/s | AH[HashAlg]:k/s | AH[HashAlg]+ESP[EncAlg,AuthAlg]:k/s }

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES (Data Encryption Standard), 3DES, or none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.

k

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.

s

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

[ [ kerberos = ] { yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.

[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]

Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

String

Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

set filteraction

Modifies a filter action.

Syntax

set filteraction { [ name = ] FilterActionName | [ guid = ] FilterActionGUID } [ [ newname = ] NewFilterActionName ] [ [ description = ] String ] [ [ qmpfs = ] { yes | no } ] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ] [ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]

Parameters

{ [ name = ] FilterActionName | [ guid = ] FilterActionGUID }

Required. Specifies the name or globally unique identifier (GUID) of the filter action to modify.

[ [ newname = ] NewFilterActionName ]

Changes the name of the filter action to the specified value. If a value is not specified, then the name is not changed.

[ [ description = ] String ]

Changes the information about the filter action. If a value is not specified, then description is not changed.

[ [ qmpfs = ] { yes | no } ]

Changes the value that specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new master key material is renegotiated each time a new session key is required. If a value is not specified, then qmpfs is not changed.

[ [ inpass = ] { yes | no } ]

Changes the value that specifies whether to allow an incoming packet that matches the configured filter list to be unsecured, but require IPsec-secured communication when replying. If a value is not specified, then inpass is not changed.

[ [ soft = ] { yes | no } ]

Changes the value that specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. If a value is not specified, then soft is not changed.

[ [ action = ] { permit | block | negotiate } ]

Changes the value that specifies whether to permit traffic without negotiating IPsec. If permit is specified, traffic is transmitted or received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the specified list of security methods. If a value is not specified, then action is not changed.

[ [ qmsecmethods = ] "SecMethodsString" ]

Changes the string that specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 or SHA1.

numk

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100000 kilobytes.

nums

Specifies the session key lifetime in seconds. The default value is 3600 seconds. If a value is not specified, then qmsecmethods is not changed.

set filterlist

Modifies a filter list.

Syntax

set filterlist { [ name = ] FilterListName | [ guid = ] FilterListGUID } [ [ newname = ] NewFilterListName ] [ [ description = ] String ]

Parameters

{ [ name = ] FilterListName | [ guid = ] FilterListGUID }

Required. Specifies the name or globally unique identifier (GUID) of the filter list to modify.

[ [ newname = ] NewFilterListName ]

Changes the name of the filter list to the specified value. If a value is not specified, then the name is not changed.

[ [ description = ] String ]

Changes the information about the filter list. If a value is not specified, then description is not changed.

set policy

Modifies an IPsec policy.

Syntax

set policy { [ name = ] PolicyName | [ guid = ] PolicyGUID } [ [ newname = ] NewPolicyName ] [ [ description = ] String ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ gponame = ] NameOfGPO ] [ [ mmsecmethods = ] "KeyExchMethods" ]

Parameters

{ [ name = ] PolicyName | [ guid = ] PolicyGUID }

Required. Specifies the name or GUID of the IPsec policy to modify.

[ [ newname = ] NewPolicyName ]

Changes the name of the IPsec policy to the specified value. If a value is not specified, then the name is not changed.

[ [ description = ] String ]

Changes the information about the IPsec policy. If a value is not specified, then description is not changed.

[ [ mmpfs = ] { yes | no } ]

Changes the value that specifies whether to enable master key perfect forward secrecy (PFS). If yes is specified, Main Mode security SAs are reauthenticated and new master key keying material is negotiated each time session key material for a Quick Mode SA is required. If a value is not specified, then mmpfs is not changed.

[ [ qmpermm = ] Integer ]

Changes the value that specifies the number of times that master keying material can be used to derive the session key. If a value is not specified, then qmpermm is not changed.

[ [ mmlifetime = ] Integer ]

Changes the value that specifies the number of minutes after which a new master key will be generated. If a value is not specified, then mmlifetime is not changed.

[ [ activatedefaultrule = ] { yes | no } ]

Changes the value that specifies whether to activate the default response rule for this IPsec policy. This setting is not valid on Windows Vista or Windows Server 2008. When set through a Group Policy that is shared with earlier versions of Windows, computers running Windows Vista or Windows Server 2008 ignore the value. If you are running the command locally on a computer running Windows Vista or Windows Server 2008, it generates an error. If a value is not specified, then activatedefaultrule is not changed.

[ [ pollinginterval = ] Integer ]

Changes the value that specifies how often IPsec polls for changes to this policy. If a value is not specified, then pollinginterval is not changed.

[ [ assign = ] { yes | no } ]

Changes the value that specifies whether to assign this IPsec policy (only one IPsec policy can be assigned). If a value is not specified, then assign is not changed.

[ [ gponame = ] NameOfGPO ]

Changes the value that specifies the name of the Group Policy object to which the IPsec policy is assigned. This parameter is only applicable if you are configuring policy for a computer that is an Active Directory domain member. If a value is not specified, then gponame is not changed.

[ [ mmsecmethods = ] "KeyExchMethods" ]

Changes the string that specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

EncAlg-HashAlg-GroupNum

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.

HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.

GroupNum

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits). If a value is not specified, then mmsecmethods is not changed.

set rule

Modifies a rule in an IPsec policy.

Syntax

set rule { [ name = ] RuleName | [ ID = ] Integer } [ policy = ] PolicyName [ [ newname = ] NewRuleName ] [ [ description = ] String ] [ [ filterlist = ] FilterListName ] [ [ filteraction = ] FilterActionName ] [ [ tunnel = ] { IPAddress | DNSName } ] [ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters

{ [ name = ] RuleName | [ ID = ] Integer }

Required. Specifies the name or ID (the number identifying the position of the rule in the policy rule list) of the rule to modify.

[ policy = ] PolicyName

Required. Specifies the name of the IPsec policy that contains the rule to modify.

[ [ newname = ] NewRuleName ]

Changes the name of the rule to the specified value. If a value is not specified, then the name is not changed.

[ [ description = ] String ]

Changes the information about the rule. If a value is not specified, then description is not changed.

[ [ filterlist = ] FilterListName ]

Changes the IP filter list associated with this rule. If a value is not specified, then filterlist is not changed.

[ [ filteraction = ] FilterActionName ]

Changes the filter action associated with this rule. If a value is not specified, then filteraction is not changed.

[ [ tunnel = ] { IPAddress | DNSName } ]

Changes the value that specifies the IP address or DNS name of the tunnel endpoint for tunnel mode. If a value is not specified, then tunnel is not changed.

[ [ conntype = ] { lan | dialup | all } ]

Changes the value that specifies whether the rule applies only to dial-up connections, only to local area network (LAN) connections, or to all connections. If a value is not specified, then conntype is not changed.

[ [ activate = ] { yes | no } ]

Changes the value that specifies whether to enable this rule for the specified IPsec policy. If a value is not specified, then activate is not changed.

[ [ kerberos = ] { yes | no } ]

Changes the value that specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Changes the string of characters to use for the preshared key, if a preshared key is used as an authentication method. If a value is not specified, then psk is not changed.

[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no } "]

Changes the value that specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

String

Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted. If a value is not specified, then rootca is not changed.

set store

Sets the current IPsec policy storage location.

Syntax

set store [ location = ] { local | domain } [ [ domain = ] DomainName ]

Parameters

[ location = ] { local | domain }

Required. Specifies the storage location for the IPsec policy.

[ [ domain = ] DomainName ]

Specifies the name of the domain where the IPsec policy is stored, if the policy is stored in Active Directory (when location=domain is specified).

show all

Displays configuration information for all IPsec policies, rules, filter lists, and filter actions.

Syntax

show all [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

show filteraction

Displays configuration information for one or more filter actions.

Syntax

show filteraction { [ name = ] FilterActionName | [ rule = ] RuleName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

{ [ name = ] FilterActionName | [ rule = ] RuleName | all }

Required. Specifies one or more filter actions for which configuration information is to be displayed.

• If name is specified, then the filter action with the specified name is displayed.

• If rule is specified, then the filter action associated with the specified rule is displayed.

• If all is specified, all filter actions are displayed.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, information about the security methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled is displayed, in addition to basic filter action information. The default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

show filterlist

Displays configuration information for one or more filter lists.

Syntax

show filterlist { [ name = ] FilterListName | [ rule = ] RuleName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ resolvedns = ] { yes | no } ] [ [ wide = ] { yes | no } ]

Parameters

{ [ name = ] FilterListName | [ rule = ] RuleName | all }

Required. Specifies one or more filter lists to display. If name is specified, the filter list with the specified name is displayed. If rule is specified, all filter lists associated with the specified rule are displayed. If all is specified, all filter lists are displayed.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, information about the security methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled is displayed, in addition to basic filter action information. The default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the DNS or NetBIOS computer name associated with an IP address when displaying sources or destinations. If yes is specified, level must also be set to verbose, or the DNS names are not displayed. The default value is no.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

show gpoassignedpolicy

Displays configuration information for the active IPsec policy assigned to the specified Group Policy object.

Syntax

show gpoassignedpolicy [ [ name = ] GPOName ]

Parameters

[ [ name = ] GPOName ]

Specifies the name of the Group Policy object to which the active IPsec policy is assigned. If no name is specified, the local IPsec policy is displayed.

show policy

Displays configuration information for the specified IPsec policy, or for all IPsec policies.

Syntax

show policy { [ name = ] PolicyName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec policy to display or, if all is specified, that all IPsec policies are displayed.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, the security methods and authentication method are displayed, in addition to information about filter actions and rules. The default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

show rule

Displays configuration information for a rule for a specified policy, or for all rules for a specified policy.

Syntax

show rule { [ name = ] RuleName | [ id = ] Integer | all | default } [ policy = ] PolicyName [ [ type = ] { transport | tunnel } ] [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters

{ [ name = ] RuleName | [ id = ] Integer | all | default }

Required. Specifies one or more rules to display. If either the rule name or the rule ID (the number identifying the position of the rule in the policy rule list) is specified, the corresponding rule is displayed. If all is specified, all rules for the specified policy are displayed. If default is specified, the default response rule is displayed.

[ policy = ] PolicyName

Required. Specifies the name of the policy for which the specified rule, or all rules, are displayed.

[ [ type = ] { transport | tunnel } ]

Specifies whether to display all transport rules or all tunnel rules. The default value is to display all rules.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, the security methods and authentication method are displayed, in addition to information about filter actions and rules. The default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.

show store

Displays the current IPsec policy storage location. Commands that you enter to change the state of the IPsec configuration apply to the displayed location unless you use the set store command to change the location first.

Syntax

show store

Netsh IPsec dynamic

The following commands are available at the ipsec dynamic > prompt, which is rooted within the netsh environment.

add mmpolicy

Creates an IPsec Main Mode policy with the specified name and adds it to the security policy database (SPD).

Syntax

add mmpolicy name = PolicyName [ qmpermm = Integer ] [ mmlifetime = Integer ] [ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]

Parameters

name = PolicyName

Required. Specifies the name of the IPsec policy to be created.

[ qmpermm = Integer ]

Specifies the number of times that master keying material can be used to derive the session key. The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.

[ mmlifetime = Integer ]

Specifies the number of minutes after which a new master key is generated. If a new master key is generated sooner because of the qmpermm parameter, then this timer is reset and begins counting again. A value of 0 specifies that the master key is never regenerated because of time. The default value is 480 minutes.

[ softsaexpirationtime = Integer ]

Specifies the number of minutes after which an unprotected security association (a soft SA) expires. A value of 0 specifies that soft SAs do not expire. The default value is 480 minutes.

[ mmsecmethods = "KeyExchMethods" ]

Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

EncAlg-HashAlg-GroupNum

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.

HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.

GroupNum

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits).

add qmpolicy

Creates an IPsec Quick Mode policy with the specified name and adds it to the SPD.

Syntax

add qmpolicy name = PolicyName [ soft = { yes | no } ] [ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ] [ qmsecmethods = "SecMethodsString" ]

Parameters

name = PolicyName

Required. Specifies the name of the IPsec Quick Mode policy to be created.

[ soft = { yes | no } ]

Specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is no.

[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]

Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low, with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is used. If grpmm is specified, the group value is taken from the current Main Mode settings. The default value is nopfs, meaning session key PFS is disabled.

[ qmsecmethods = "SecMethodsString" ]

Specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES (Data Encryption Standard), 3DES, or none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.

k

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.

s

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

add rule

Creates an IPsec rule with the specified Main Mode policy and Quick Mode policy and adds it to the security policy database.

Syntax

add rule [ srcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ dstaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ mmpolicy = ] MMPolicyName [ [ qmpolicy = ] QMPolicyName ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ mirrored = ] { yes | no } ] [ [ conntype = ]{ lan | dialup | all } ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ] { permit | block | negotiate } ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ]{ IPAddress | DNSName } ] [ [ kerberos = ]{ yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters

[ srcaddr = ] { Me | Any | IPAddress | IPRange | ServerType }

Required. Specifies the source IPv4 or IPv6 address, an IP address range, a DNS name, or a server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ dstaddr = ] { Me | Any | IPAddress | IPRange | ServerType }

Required. Specifies the destination IPv4 or IPv6 address, an IP address range, a DNS name, or a server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ mmpolicy = ] MMPolicyName

Required. Specifies the name of the Main Mode policy.

[ [ qmpolicy = ] QMPolicyName ]

Specifies the name of the Quick Mode policy. Required if actioninbound=negotiate or actionoutbound=negotiate is specified.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies the IP protocol if, in addition to address information, you want to filter a specific IP protocol. The default value is ANY, meaning the filter matches all protocols.

[ [ srcport = ] Integer ]

Specifies the source port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is 0.

[ [ dstport = ] Integer ]

Specifies the destination port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default is 0.

[ [ mirrored = ] { yes | no } ]

Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter settings, one for traffic to the destination and one for traffic from the destination. The default value is yes.

[ [ conntype = ] { lan | dialup | all } ]

Specifies whether the rule applies only to remote access/dial-up connections, to local area network (LAN) connections, or to all connections. The default value is all.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used, with the list of security methods specified in the Main Mode and Quick Mode policies. The default value is negotiate.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used, with the list of security methods specified in the Main Mode and Quick Mode policies. The default value is negotiate.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ tunneldstaddress = ] { IPAddress | DNSName } ]

Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel). The default is to not create a tunnel, but to use IPsec in transport mode.

[ [ kerberos = ] { yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method. A preshared key is stored in plain text in the policy and is visible on the command line; use it for testing only and prefer Kerberos or certificate authentication in production.

[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]

Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

CertName

Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
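Example (added here as an illustration; it is not part of the original reference). The add qmpolicy and add rule commands above are used together with a Main Mode policy from the add mmpolicy command of the same context. The sequence below builds a dynamic policy that negotiates ESP for Remote Desktop (TCP 3389) between this computer and one peer, choosing the strongest options this context offers (3DES, SHA1, Diffie-Hellman group 3, PFS, no fallback to clear text), then verifies and removes it. The policy names MMStrong and QMStrong, the peer address 192.0.2.20 and the choice of service port are assumptions for the example. Run the commands from an elevated prompt; they work unchanged in cmd.exe.

```powershell
# Added example, not from the original reference. Assumed names and
# addresses: MMStrong, QMStrong, peer 192.0.2.20, service TCP/3389.

# 1. Main Mode policy: 3DES for encryption, SHA1 for hashing, DH group 3
#    (2048 bits) for the base keying material; DES, MD5 and group 1 are
#    deliberately avoided. Master key regenerated every 480 minutes.
netsh ipsec dynamic add mmpolicy name=MMStrong mmlifetime=480 mmsecmethods="3DES-SHA1-3"

# 2. Quick Mode policy: ESP with 3DES and SHA1, rekey after 100,000 KB or
#    3600 s. soft=no refuses to fall back to clear text when negotiation
#    fails; pfsgroup=grp3 runs a fresh group-3 DH exchange per session key.
netsh ipsec dynamic add qmpolicy name=QMStrong soft=no pfsgroup=grp3 qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# 3. Rule: require negotiation for RDP from the peer to this computer,
#    authenticated with Kerberos. srcport=0 matches any source port;
#    mirrored=yes creates the filter for the return direction as well.
netsh ipsec dynamic add rule srcaddr=192.0.2.20 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes conntype=all mmpolicy=MMStrong qmpolicy=QMStrong actioninbound=negotiate actionoutbound=negotiate kerberos=yes

# 4. Verify what was written to the SPD, then watch the SAs appear after
#    the first RDP connection from the peer.
netsh ipsec dynamic show mmpolicy name=MMStrong
netsh ipsec dynamic show qmpolicy name=QMStrong
netsh ipsec dynamic show rule srcaddr=192.0.2.20 dstaddr=me
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all

# 5. Cleanup: delete the rule first, since it references both policies.
#    delete rule needs the full filter tuple to identify the rule.
netsh ipsec dynamic delete rule srcaddr=192.0.2.20 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes conntype=all
netsh ipsec dynamic delete qmpolicy name=QMStrong
netsh ipsec dynamic delete mmpolicy name=MMStrong
```

Policies and rules added in the dynamic context are written straight to the runtime SPD and take effect immediately; they do not survive a restart of the IPsec service, so this form suits testing and incident response rather than standing configuration. If the peer does not present a valid Kerberos identity, step 3 blocks the RDP traffic rather than letting it through, which is the intended failure mode of soft=no.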

delete all

Deletes all IPsec policies, filters, and authentication methods, if possible, from the Security Policy Database (SPD).

Syntax

delete all

Parameters

None.

delete mmpolicy

Deletes the specified IPsec Main Mode policy, or all IPsec Main Mode policies, from the SPD.

Syntax

delete mmpolicy [ name = ]{ MMPolicyName | all }

Parameters

[ name = ] { MMPolicyName | all }

Required. Specifies the name of the IPsec Main Mode policy to delete. Or, if all is specified, all IPsec Main Mode policies are deleted.

delete qmpolicy

Deletes the specified IPsec Quick Mode policy, or all IPsec Quick Mode policies, from the SPD.

Syntax

delete qmpolicy [ name = ]{ QMPolicyName | all }

Parameters

[ name = ] { QMPolicyName | all }

Required. Specifies the name of the IPsec Quick Mode policy to delete. Or, if all is specified, all IPsec Quick Mode policies are deleted.

delete rule

Deletes an IPsec rule from the security policy database.

Syntax

delete rule [ srcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ dstaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integer [ dstport = ] Integer [ mirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all } [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ]{ IPAddress | DNSName } ]

Parameters

[ srcaddr = ] { Me | Any | IPAddress | IPRange | ServerType }

Required. Specifies the source IP address, DNS name, or server type for the IP traffic. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ dstaddr = ] { Me | Any | IPAddress | IPRange | ServerType }

Required. Specifies the destination IP address, DNS name, or server type for the IP traffic. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer }

Required. Specifies the IP protocol used for the filter.

[ srcport = ] Integer

Required. Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.

[ dstport = ] Integer

Required. Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.

[ mirrored = ] { yes | no }

Required. Specifies whether the rule was created with mirrored filters.

[ conntype = ] { lan | dialup | all }

Required. Specifies whether the rule to be deleted applies only to remote access/dial-up connections, to local area network (LAN) connections, or to all connections.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ tunneldstaddress = ] { IPAddress | DNSName } ]

Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel). The values given must match the rule as it was created, or no rule is deleted.

delete sa

Deletes Main Mode security associations.

Syntax

delete sa [ [ srcaddr = ]{ IPv4Address } ] [ [ dstaddr = ]{ IPv4Address } ]

Parameters

[ [ srcaddr = ] { IPv4Address } ]

Specifies the source IPv4 address to match against existing SAs.

[ [ dstaddr = ] { IPv4Address } ]

Specifies the destination IPv4 address to match against existing SAs.

set config

Creates or modifies the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.

Syntax

set config [ property = ]{ PropertyToSet } [ value = ] ValueToAssign

Parameters

The property must be specified, and can be any of the options shown here:

IPsecdiagnostics { 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 }

Specifies whether to enable IPsec diagnostic logging and, if so, which level of logging to provide. The default value is 0, meaning that logging is disabled. If you change the value for this setting, you must restart the computer for the new value to take effect. You can specify other values as follows, to enable different levels of logging:

• 1: Bad SPI packets (the total number of packets for which the Security Parameters Index or SPI was incorrect), IKE negotiation failures, IPsec processing failures, packets received with packet syntax that is not valid, and other errors are recorded in the System log. Unauthenticated hashes (with the exception of the "Clear text received when should have been secured" event) are logged as well.

• 2: Inbound per-packet drop events are recorded in the System log.

• 3: Level 1 and level 2 logging are performed. In addition, unexpected clear text events (packets that are sent or received in plaintext) are also recorded.

• 4: Outbound per-packet drop events are recorded in the System log.

• 5: Level 1 and level 4 logging are performed.

• 6: Level 2 and level 4 logging are performed.

• 7: All levels of logging are performed.

ikelogging { 0 | 1 }

Specifies whether to enable IKE (Oakley) logging, to generate details about the SA establishment process. The default value is 0, meaning that IKE logging is disabled.

strongcrlcheck { 0 | 1 | 2 }

Specifies the level of CRL checking to use. The default value is 1.

• 0: CRL checking is disabled.

• 1: Standard CRL checking is used, and certificate validation fails only if the certificate is determined to be revoked.

• 2: Strong CRL checking is used, and certificate validation fails if any CRL check error occurs, including a CRL that cannot be retrieved.

IPsecloginterval { Integer }

Specifies the interval, in seconds, after which IPsec event logs are sent to the System log. For Integer, valid values range from 60 through 86400. The default value is 3600. If you change the value for this setting, you must restart the computer for the new value to take effect.

IPsecexempt { 0 | 1 | 2 | 3 }

Specifies whether to modify the default IPsec traffic exemption (traffic that is not matched against IPsec filters but is still permitted). The default value is 3. If you change the value for this setting, you must restart the computer for the new value to take effect. You can specify other values as follows:

• 0: Multicast, broadcast, RSVP, Kerberos, and IKE traffic is exempted from IPsec filtering.

• 1: Only multicast, broadcast, and IKE traffic is exempted from IPsec filtering (Kerberos and RSVP traffic is not exempted).

• 2: Only RSVP, Kerberos, and IKE traffic is exempted from IPsec filtering (multicast and broadcast traffic is not exempted).

• 3: Only IKE traffic is exempted.

bootmode { stateful | block | permit }

Specifies the action that IPsec is required to take when the computer starts.

• stateful: Only the following traffic is permitted during computer startup: outbound traffic initiated by the computer during startup, inbound traffic that is sent in response to the outbound traffic, and DHCP traffic.

• block: All inbound and outbound traffic is blocked until a local IPsec policy or a domain-based IPsec policy is applied.

• permit: All traffic is transmitted and received.

The default value is stateful. If you use either of the values stateful or block, you can use the bootexemptions parameter to specify traffic types that you want to exempt from IPsec filtering during computer startup. If you change the value for this setting, you must restart the computer for the new value to take effect.

bootexemptions { none | "Exempt1 Exempt2 …" }

Specifies one or more IPsec traffic exemptions from startup security, separated by spaces and defined by the following format for TCP and UDP traffic:

protocol:srcport:dstport:direction

and the following format for non-TCP/UDP traffic:

protocol:direction

where:

protocol = { ICMP | TCP | UDP | RAW | Integer }

Specifies the IP protocol type to exempt from IPsec filtering during computer startup.

srcport = Port

Specifies the source port number of the packets to exempt from IPsec filtering during computer startup. A value of 0 means that any source port is exempted.

dstport = Port

Specifies the destination port number of the packets to exempt from IPsec filtering during computer startup. A value of 0 means that any destination port is exempted.

direction = { inbound | outbound }

Specifies the direction of the traffic to exempt from IPsec filtering during computer startup.
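Example (added here as an illustration; it is not part of the original reference). The set config properties above are usually tightened together: startup traffic is blocked rather than permitted, only the traffic the host needs before policy is applied is exempted, CRL checking is made strict, and diagnostics are raised while troubleshooting. The exemption list below assumes a host that must obtain a DHCP lease and resolve DNS names during startup; adjust it for the host's real startup dependencies, because with bootmode=block anything not listed is dropped until policy is applied. Run from an elevated prompt; the lines marked (restart) take effect only after a reboot, as stated in the parameter descriptions.

```powershell
# Added example, not from the original reference. The exemptions assume a
# DHCP client that needs DNS during startup; they are not a general default.

# Block all startup traffic until the IPsec policy is applied, instead of
# the default stateful mode (restart).
netsh ipsec dynamic set config property=bootmode value=block

# Exempt only what startup needs. TCP/UDP entries use
# protocol:srcport:dstport:direction, others use protocol:direction:
#   DHCP client  -> UDP 68 to 67 outbound, 67 to 68 inbound
#   DNS          -> any source port to 53 outbound, 53 to any port inbound
#   ICMP         -> both directions, for path MTU and reachability
netsh ipsec dynamic set config property=bootexemptions value="UDP:68:67:outbound UDP:67:68:inbound UDP:0:53:outbound UDP:53:0:inbound ICMP:inbound ICMP:outbound"

# Once policy is running, exempt only IKE from filtering (value 3, the
# default); 0 would also let Kerberos, RSVP, multicast and broadcast bypass
# the filters (restart).
netsh ipsec dynamic set config property=ipsecexempt value=3

# Fail certificate validation on any CRL error, not only on a confirmed
# revocation.
netsh ipsec dynamic set config property=strongcrlcheck value=2

# Troubleshooting: log IKE negotiations and all IPsec diagnostic levels
# (bad SPI, negotiation failures, inbound/outbound drops, unexpected clear
# text). Set ipsecdiagnostics back to 0 when done (restart).
netsh ipsec dynamic set config property=ikelogging value=1
netsh ipsec dynamic set config property=ipsecdiagnostics value=7

# Confirm the resulting configuration.
netsh ipsec dynamic show config
```

The bootexemptions list is the part to review most carefully: it is the only traffic a block-mode host can send or receive until the Policy Agent has applied policy, so a domain-joined machine that needs Kerberos or LDAP during startup would need further entries, while a host with a static address can drop the DHCP ones.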

set mmpolicy

Modifies an IPsec Main Mode policy and writes the changes to the security policy database.

Syntax

set mmpolicy name = PolicyName [ qmpermm = Integer ] [ mmlifetime = Integer ] [ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]

Parameters

name = PolicyName

Required. Specifies the name of the IPsec Main Mode policy to modify.

[ qmpermm = Integer ]

Specifies the number of times that master keying material is used to derive the session key. A value of 0 means that an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.

[ mmlifetime = Integer ]

Specifies the number of minutes after which a new master key is generated.

[ softsaexpirationtime = Integer ]

Specifies the number of minutes after which an unprotected security association expires.

[ mmsecmethods = "KeyExchMethods" ]

Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:

EncAlg-HashAlg-GroupNum

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.

HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.

GroupNum

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits).

set qmpolicy

Modifies an IPsec Quick Mode policy and writes the changes to the SPD.

Syntax

set qmpolicy name = PolicyName [ soft = { yes | no } ] [ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ] [ qmsecmethods = "SecMethodsString" ]

Parameters

name = PolicyName

Required. Specifies the name of the IPsec Quick Mode policy to modify.

[ soft = { yes | no } ]

Specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail.

[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]

Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low, with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is used. If grpmm is specified, the group value is taken from the current Main Mode settings. If nopfs is specified, session key PFS is disabled.

[ qmsecmethods = "SecMethodsString" ]

Changes the string that specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 or SHA1.

k

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.

s

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

set rule

Modifies an IPsec rule that defines a set of filters and writes the changes to the SPD.

Syntax

set rule [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integer [ dstport = ] Integer [ mirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all } [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ] { IPAddress | DNSName } ] [ [ mmpolicy = ] MainModePolicyName ] [ [ qmpolicy = ] QuickModePolicyName ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ kerberos = ]{ yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters

[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }

Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }

Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer }

Required. Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A value of ANY matches filters with a protocol setting of any.

[ srcport = ] Integer

Required. Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.

[ dstport = ] Integer

Required. Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.

[ mirrored = ] { yes | no }

Required. Specifies whether the rule was created with mirrored filters.

[ conntype = ] { lan | dialup | all }

Required. Specifies whether the rule applies only to remote access or dial-up connections, to local area network (LAN) connections, or to all connections.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ tunneldstaddress = ] { IPAddress | DNSName } ]

Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel).

[ [ mmpolicy = ] MainModePolicyName ]

Specifies the name of the Main Mode policy.

[ [ qmpolicy = ] QuickModePolicyName ]

Specifies the name of the Quick Mode policy.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies.

[ [ kerberos = ] { yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.

[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]

Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:

String

Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.

show all

Displays configuration information for all IPsec policies, filters, statistics, and security associations in the security policy database.

Syntax

show all [ [ resolvedns = ]{ yes | no } ]

Parameters

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations.

show config

Displays values for the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.

Syntax

show config

show mmfilter

Displays configuration information for the specified IPsec Main Mode filter, or for all IPsec Main Mode filters, in the SPD.

Syntax

show mmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ resolvedns = ]{ yes | no } ]

Parameters

{ [ name = ] FilterName | all }

Required. Specifies the name of the IPsec Main Mode filter to display. If all is specified, all IPsec Main Mode filters are displayed.

[ [ type = ] { generic | specific } ]

Specifies whether to display generic or specific Main Mode filters. The default value is generic.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

show mmpolicy

Displays configuration information for the specified IPsec Main Mode policy, or for all IPsec Main Mode policies, in the SPD.

Syntax

show mmpolicy { [ name = ] PolicyName | all }

Parameters

{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec Main Mode policy to display. Or, if all is specified, all IPsec Main Mode policies are displayed.

show mmsas

Displays the IPsec Main Mode security associations for the specified source and destination addresses, or all IPsec Main Mode security associations, in the SPD.

Syntax

show mmsas [ all ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ format = ]{ list | table } ] [ [ resolvedns = ]{ yes | no } ]

Parameters

[ all ]

Specifies that all Main Mode security associations are displayed. This is the default option if no other parameters are specified.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

show qmfilter

Displays configuration information for the specified Quick Mode filter, or for all Quick Mode filters, in the SPD.

Syntax

show qmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns = ]{ yes | no } ]

Parameters

{ [ name = ] FilterName | all }

Required. Specifies the name of the IPsec Quick Mode filter to display. If all is specified, all IPsec Quick Mode filters are displayed.

[ [ type = ] { generic | specific } ]

Specifies whether to display generic or specific Quick Mode filters. The default value is generic.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies that only filters matching the specified source IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies that only filters matching the destination IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies that only filters that match the IP protocol are displayed.

[ [ srcport = ] Integer ]

Specifies that only filters that match the source port number are displayed.

[ [ dstport = ] Integer ]

Specifies that only filters that match the destination port number are displayed.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies that only filters matching the inbound action are displayed.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies that only filters matching the outbound action are displayed.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

show qmpolicy

Displays configuration information for the specified IPsec Quick Mode policy, or for all IPsec Quick Mode policies, in the SPD.

Syntax

show qmpolicy { [ name = ] PolicyName | all }

Parameters

{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec Quick Mode policy to display. If all is specified, all IPsec Quick Mode policies are displayed.

show qmsas

Displays the IPsec Quick Mode security associations for the specified source and destination addresses, or all IPsec Quick Mode security associations, in the SPD.

Syntax

show qmsas [ all ] [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ format = ] { list | table } ] [ [ resolvedns = ] { yes | no } ]

Parameters

[ all ]

Specifies that all IPsec Quick Mode security associations are displayed. This is the default option if no other parameters are specified.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies that only SAs that match the source IPv4 or IPv6 address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies that only SAs that match the destination IPv4 or IPv6 address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies that only SAs for the given IP protocol are displayed, when the security association covers a specific IP protocol in addition to addressing information.

[ [ format = ] { list | table } ]

Specifies whether to display the results in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

show rule

Displays configuration information for one or more IPsec rules in the SPD.

Syntax

show rule [ [ type = ] { transport | tunnel } ] [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ srcmask = ] { Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ actioninbound = ] { permit | block | negotiate } ] [ [ actionoutbound = ] { permit | block | negotiate } ] [ [ resolvedns = ] { yes | no } ]

Parameters

[ [ type = ] { transport | tunnel } ]

Specifies whether to display transport rules or tunnel rules. By default, all rules are displayed.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies that only rules matching the source IP address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]

Specifies that only rules matching the destination IP address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies that only rules matching the source address subnet mask or prefix of the packets are displayed. You can specify a prefix value in the range of 1 through 32.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies that only rules matching the destination address subnet mask or prefix of the packets are displayed. You can specify a prefix value in the range of 1 through 32.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies that only rules that match the IP protocol are displayed.

[ [ srcport = ] Integer ]

Specifies that only rules that match the source port number are displayed.

[ [ dstport = ] Integer ]

Specifies that only rules that match the destination port number are displayed.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies that only rules matching the inbound action are displayed.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies that only rules matching the outbound action are displayed.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.

show stats

Displays Main Mode and Quick Mode statistics for IPsec.

Syntax

show stats [ [ type = ] { all | ike | ipsec } ]

Parameters

[ [ type = ] { all | ike | ipsec } ]

Specifies the IPsec statistics to display. If all is specified, IPsec Main Mode and Quick Mode statistics are displayed. If ike is specified, only IPsec Main Mode statistics are displayed. If ipsec is specified, only IPsec Quick Mode statistics are displayed.

Netsh Commands for Wired Local Area Network (LAN)

The Netsh commands for wired local area network (LAN) provide methods to configure connectivity and security settings for computers running Windows Vista® and Windows Server® 2008. You can use the Netsh LAN commands to configure the local computer or to configure multiple computers by using a logon script. You can also use the netsh LAN commands to view wired 802.1X Group Policy and to administer user wired 802.1X settings.

Netsh LAN commands

add profile

Adds a LAN profile to the specified interface on the computer.

Syntax

add profile filename=PathAndProfileName [[interface=]InterfaceName]

Parameters

Filename

Required. Specifies the path and name of the XML file containing the profile data.

Interface

Optional. Specifies the name of the interface on which the profile will be set (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

Example command

add profile filename=C:\Users\WiredUser\Documents\profile1.xml interface="Local Area Connection"

delete profile

Removes a LAN profile from one or multiple interfaces.

Syntax

delete profile interface=InterfaceName

Parameters

Interface

Required. Specifies the name of the interface on which the profile is to be deleted (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

Example commands

delete profile interface="Local Area Connection"

delete profile interface=L*

export profile

Saves LAN profiles as XML files to a specified location.

Syntax

export profile folder=FolderPath [[interface=]InterfaceName]

Parameters

Folder

Required. Specifies the path of the folder in which the exported profile XML file is saved, as in the examples below.

Interface

Optional. Specifies the name of the interface on which the profile is configured (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

Example commands

export profile folder=c:\Users\user\Documents\ interface="Local Area Connection"

export profile folder=c:\Users\user\Documents\

reconnect

Attempts to reauthenticate to a wired network by using the specified interface.

Syntax

reconnect [[interface=]InterfaceName]

Parameters

Interface

Optional. Specifies the interface that is used for the connection attempt (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

Example command

reconnect interface="Local Area Connection"

set autoconfig

Enables or disables Wired AutoConfig Service on an interface.

Syntax

set autoconfig enabled={yes|no} interface=InterfaceName

Parameters

Enabled

Required. Specifies whether to set Wired AutoConfig Service to enabled or disabled.

Interface

Required. Specifies the name of the interface on which the service is enabled or disabled (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

Example command

set autoconfig enabled=yes interface="Local Area Connection"

set profileparameter

Sets parameters in a wired network profile.

Syntax

set profileparameter name=ProfileName [[interface=]InterfaceName] [[authMode=]{machineOrUser|machineOnly|userOnly|guest}] [[ssoMode=]{preLogon|postLogon|none}] [[maxDelay=]1-120] [[allowDialog=]{yes|no}] [[userVLAN=]{yes|no}]

Parameters

Name

Required. Specifies the name of the profile to set (where ProfileName is the name of the profile, as rendered by the netsh lan show profiles command).

Interface

Optional. Specifies the name of the interface on which the profile is set (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

AuthMode

Optional [conditional, see "Remarks"]. Specifies the type of credentials to be used for authentication.

SSOMode

Optional [conditional, see "Remarks"]. Specifies the type of single sign-on (SSO) to be attempted, if any.

MaxDelay

Optional [conditional, see "Remarks"]. Specifies the timeout value allowed to establish the single sign-on connection.

AllowDialog

Optional [conditional, see "Remarks"]. Specifies whether to allow or disallow a dialog to be shown for preLogon.

UserVLAN

Optional [conditional, see "Remarks"]. Specifies whether the network switches to a different VLAN on user authentication.

Example commands

set profileparameter name="Profile 1" authMode=userOnly ssoMode=preLogon

set profileparameter name=Profile2 interface="Local Area Connection" ssoMode=none

set tracing

Enables or disables wired tracing.

Syntax

set tracing [mode=]{yes|no|persistent}

Parameters

Mode

Required. Specifies whether wired tracing is disabled (no), enabled and nonpersistent (yes), or enabled and persistent (persistent). See "Remarks" for additional information.

Example command

set tracing mode=persistent

show interfaces

Displays a list of the current wired interfaces on the computer.

Syntax

show interfaces

Parameters

There are no parameters for this command.

Example command

show interfaces

show profiles

Displays a list of wired profiles that are configured on the computer.

Syntax

show profiles [[interface=]InterfaceName]

Parameters

Interface

Optional. Specifies the name of the interface which has this profile configured (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).

Example commands

show profiles interface="Local Area Connection"

show profiles

show settings

Displays the current global settings of the wired LAN.

Syntax

show settings

Parameters

There are no parameters for this command.

Example command

show settings

show tracing

Displays whether wired tracing is enabled or disabled.

Syntax

show tracing

Parameters

There are no parameters for this command.

Example command

show tracing

Netsh Commands for NAP Client

NAP client commands

The following entries provide details for each command.

add server

Adds the uniform resource locator (URL) of a Health Registration Authority (HRA) server to a trusted server group.

Syntax

add server [ group = ] group [ url = ] url [ [ processingorder = ] processingorder ]

Parameters

group

Required. Specifies the name of the trusted server group to which you want to add an HRA server.

url

Required. Specifies the URL of an HRA server that you want to add to the trusted server group. If the trusted server group requires server verification (https:), then the URL must contain the https:// prefix.

processingorder

Optional. Designates the processing order of the HRA URL in the list of URLs in the trusted server group. If you do not specify the processing order, the URL is added to the end of the list and is processed last.

Example

add server group = "group1" url = "url1" processingorder = "1"

add trustedservergroup

Adds a trusted server group.

Syntax

add trustedservergroup [ name = ] name [ [ requirehttps = ] ENABLE | DISABLE ]

Parameters

name

Required. Specifies the name of the trusted server group that you want to add to the NAP client configuration.

requirehttps

Optional. Specifies whether server verification (https:) is required for all servers in this group. If not specified, https: is enabled by default.

Example

add trustedservergroup name = "group1" requirehttps = "ENABLE"

delete server

Deletes the URL of an HRA server from the specified trusted server group.

Syntax

delete server [ group = ] group [ url = ] url

Parameters

group

Required. Specifies the name of the trusted server group from which you want to remove an HRA server.

url

Required. Specifies the URL of the HRA server that you want to remove from the trusted server group.

Example

delete server group = "group1" url = "url1"

delete trustedservergroup

Deletes a trusted server group.

Syntax

delete trustedservergroup [ name = ] name

Parameters

name

Required. Specifies the name of the trusted server group that you want to remove from the NAP client configuration.

Example

delete trustedservergroup name = "group1"

dump

Creates a script that contains the current NAP client configuration.

Syntax

dump

export

Exports an *.xml file that contains the current configuration settings for the NAP client.

Syntax

export [ filename = ] filename

Parameters

Filename

Required. Specifies the file name and folder location where you want to save the *.xml file.

Example

export filename = "c:\config.xml"

help

Displays a list of commands that are available at the netsh context where the command is run, and those inherited from the parent context.

Syntax

help

import

Imports an .xml file that contains configuration settings for the Network Access Protection (NAP) client.

Syntax

import [ filename = ] filename

Parameters

Filename

Required. Specifies the file name and folder location from which you want to import the *.xml file.

Example

import filename = "c:\config.xml"

rename server

Renames the HRA URL of an existing trusted server in the specified trusted server group.

Syntax

rename server [ group = ] group [ url = ] url [ newurl = ] newurl

Parameters

Group

Required. Specifies the name of the trusted server group that contains the HRA server URL that you want to change.

url

Required. Specifies the existing HRA server URL.

Newurl

Required. Specifies the new HRA server URL. If no value is supplied for newurl, the HRA server URL is not changed.

Example

rename server group = "group1" url = "url1" newurl = "url2"

rename trustedservergroup

Renames an existing trusted server group.

Syntax

rename trustedservergroup [ name = ] name [ newname = ] newname

Parameters

Name

Required. Specifies the name of the trusted server group that you want to rename.

Newname

Required. Specifies the new name of the trusted server group.

Example

rename trustedservergroup name = "group1" newname = "group2"

reset configuration

Restores the NAP client configuration to the default settings.

Syntax

reset configuration

reset csp

Sets the cryptographic service provider (CSP) Request Policy to Microsoft Enhanced Cryptographic Provider v1.0.

Syntax

reset csp

reset enforcement

Sets the enforcement client parameter to DISABLED.

Syntax

reset enforcement

reset hash

Sets the hash algorithm Request Policy to sha1RSA (1.3.14.3.2.29).

Syntax

reset hash

reset server

Deletes all URLs in a specified trusted server group.

Syntax

reset server [ group = ] group

Parameters

Group

Required. Specifies the name of the trusted server group.

Example

reset server group = "group1"

reset tracing

Sets the tracing parameter to DISABLE.

Syntax

reset tracing

reset trustedservergroup

Deletes all trusted server groups and the list of all health registration authority servers (by URL) contained in each trusted server group.

Syntax

reset trustedservergroup

reset userinterface

Deletes all user interface settings in the NAP client configuration.

Syntax

reset userinterface

set csp

Changes the cryptographic service provider (CSP) in the NAP client configuration. You can display the names of the currently available CSPs with the show csps command.

Syntax

set csp [ name = ] name [ [ keylength = ] keylength ]

Parameters

name

Required. Specifies the name of the cryptographic service provider (CSP).

keylength

Optional. Specifies the length of the asymmetric key. The default key length is 2048.

Example

set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

set enforcement

Enables or disables NAP enforcement clients in the NAP client configuration. When NAP enforcement clients are enabled, NAP clients can connect to a network with the same type of enforcement server. For example, if a NAP client has the DHCP enforcement client enabled, the NAP client can connect to your network with a DHCP NAP enforcement server. You must specify one or more enforcement clients. By default, all enforcement clients are disabled.

Syntax

set enforcement [ ID = ] ID [ ADMIN = ] ENABLE | DISABLE

Parameters

ID

Required. Specifies the identifier of an installed enforcement client to be enabled or disabled. You can view a list of available enforcement clients and their associated IDs with the show configuration command.

ADMIN

Required. Specifies the administrative state of the specified enforcement client. You must specify ENABLE in order for a NAP client to connect to a network using the type of NAP enforcement method specified by the ID parameter.

Example

set enforcement ID = 79619 ADMIN = "ENABLE"

set hash

Sets the hash algorithm that will be used on the target computer. You can obtain the object identifier (OID) from the "show hashes" command.

Syntax

set hash [ oid = ] oid

Parameters

oid

Required. Specifies the OID of the hash algorithm. You can specify only one OID.

Example

set hash oid = "1.2.840.113549.1.1.5"

The OID in this example is sha1RSA (see the show hashes output later in this section). Because SHA-1 is deprecated for signatures, prefer a SHA-2 OID from that list, such as sha256RSA (1.2.840.113549.1.1.11), wherever the HRA and certification authority support it.

set server

Sets the URL and processing order of an HRA server within an existing trusted server group.

Syntax

set server [ group = ] group [ url = ] url [ processingorder = ] processingorder

Parameters

group

Required. Specifies the name of an existing trusted server group that contains the HRA server that you want to add or modify.

url

Required. Specifies the HRA server URL. If the trusted server group requires server verification (https:), then the URL must use the https:// prefix. If the URL is not found in the specified trusted server group, it will be added.

processingorder

Required. Designates the processing order of the HRA URL in the list of URLs in the trusted server group.

Example

set server group = "group1" url = "url1" processingorder = "1"

set tracing

Specifies whether tracing is enabled and the amount of information that is logged by NAP client. Although both parameters are optional, you must specify at least one parameter.

Syntax

set tracing [ [ state = ] ENABLE | DISABLE ] [ [ level = ] BASIC | ADVANCED | VERBOSE ]

Parameters

state

Optional. Specifies whether tracing is enabled or disabled. If you specify ENABLE, NAP client creates a trace log file. If you specify DISABLE, NAP client does not create a trace log file. The default is DISABLE. If you enable tracing but do not specify a value for level, NAP client uses the default level value of BASIC.

level

Optional. Specifies the amount of information that is logged by NAP client and that appears in the tracing log file. If you specify BASIC, the least amount of information is logged in the trace log file. If you specify ADVANCED, a greater amount of information is logged in the trace log file. If you specify VERBOSE, all information is logged in the trace log file. The default is BASIC. If you do not specify a value for state, NAP client uses the default state value of DISABLE.

Example

set tracing state = "ENABLE" level = "ADVANCED"

set userinterface

Specifies the NAP client user interface settings. Although all parameters are optional, you must specify at least one parameter.

Syntax

set userinterface [ [ title = ] title ] [ [ text = ] text ] [ [ image = ] image ]

Parameters

title

Optional. Specifies the title that appears in the NAP client user interface.

text

Optional. Specifies the description that appears in the NAP client user interface.

image

Optional. Specifies the image that appears in the NAP client user interface.

Example

set userinterface title = "My company" text = "Protecting your computer" image = "c:\Logo.jpg"

show configuration

Displays configuration settings and state information for NAP client, including CSP, enforcement client, tracing, and trusted server group configurations.

Syntax

show configuration

show csps

Displays all available cryptographic service providers (CSPs) on the target system. Use this command to obtain the names that you can use in the set csp command.

Syntax

show csps

show grouppolicy

Displays Group Policy configuration settings and state information for NAP client.

Syntax

show grouppolicy

show hashes

Displays all available hash algorithms on the target system. Use this command to obtain the OIDs that you can use in the set hash command.

Syntax

show hashes

Example

Following is an example of the information displayed when you run the show hashes command at the netsh nap client prompt.

Hash OID

sha1RSA 1.2.840.113549.1.1.5

md5RSA 1.2.840.113549.1.1.4

sha1DSA 1.2.840.10040.4.3

sha1RSA 1.3.14.3.2.29

shaRSA 1.3.14.3.2.15

md5RSA 1.3.14.3.2.3

md2RSA 1.2.840.113549.1.1.2

md4RSA 1.2.840.113549.1.1.3

md4RSA 1.3.14.3.2.2

md4RSA 1.3.14.3.2.4

md2RSA 1.3.14.7.2.3.1

sha1DSA 1.3.14.3.2.13

dsaSHA1 1.3.14.3.2.27

mosaicUpdatedSig 2.16.840.1.101.2.1.1.19

sha1NoSign 1.3.14.3.2.26

md5NoSign 1.2.840.113549.2.5

sha256NoSign 2.16.840.1.101.3.4.2.1

sha384NoSign 2.16.840.1.101.3.4.2.2

sha512NoSign 2.16.840.1.101.3.4.2.3

sha256RSA 1.2.840.113549.1.1.11

sha384RSA 1.2.840.113549.1.1.12

sha512RSA 1.2.840.113549.1.1.13

RSASSA-PSS 1.2.840.113549.1.1.10

sha1ECDSA 1.2.840.10045.4.1

sha256ECDSA 1.2.840.10045.4.3.2

sha384ECDSA 1.2.840.10045.4.3.3

sha512ECDSA 1.2.840.10045.4.3.4

specifiedECDSA 1.2.840.10045.4.3
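
The list above shows that the NAP client still offers MD2, MD4, MD5 and SHA-1 based algorithms alongside SHA-2. The following Python script is an added example, not part of the netsh documentation or of any Microsoft tool: it parses text in the two-column format printed by show hashes (the sample embedded in it is constructed from the table above, not captured from a live client), classifies each OID by digest strength using rules defined in the script itself, and picks the OID to hand to set hash. Paste the real output of netsh nap client show hashes into the same functions to audit a machine.

```python
"""Audit the hash algorithms listed by 'netsh nap client show hashes'.

Added example, not part of the netsh documentation. The sample output below
is constructed from the documented table, not captured from a live system;
run 'netsh nap client show hashes' to get the real list.
"""
import re

# Constructed sample: a subset of the documented 'show hashes' table.
SAMPLE_SHOW_HASHES = """\
Hash OID
sha1RSA 1.2.840.113549.1.1.5
md5RSA 1.2.840.113549.1.1.4
sha1RSA 1.3.14.3.2.29
md2RSA 1.2.840.113549.1.1.2
md4RSA 1.2.840.113549.1.1.3
sha1NoSign 1.3.14.3.2.26
sha256NoSign 2.16.840.1.101.3.4.2.1
sha256RSA 1.2.840.113549.1.1.11
sha384RSA 1.2.840.113549.1.1.12
sha512RSA 1.2.840.113549.1.1.13
sha256ECDSA 1.2.840.10045.4.3.2
"""

# One "<name> <dotted OID>" pair per line; the "Hash OID" header does not match.
_ROW = re.compile(r"^\s*(\S+)\s+(\d+(?:\.\d+)+)\s*$")


def parse_show_hashes(text):
    """Return [(algorithm name, OID), ...] in the order netsh printed them."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def classify(name):
    """Classify an algorithm name by the strength of its digest (rules are this script's own).

    'weak'        - MD2/MD4/MD5 or SHA-1 based; do not use for new request policies
    'digest-only' - a bare hash with no signature scheme (the *NoSign entries)
    'ok'          - SHA-2 based (sha256/sha384/sha512)
    'unknown'     - anything these rules do not cover (e.g. RSASSA-PSS)
    """
    n = name.lower()
    if n.startswith(("md2", "md4", "md5")) or "sha1" in n or n == "sharsa":
        return "weak"
    if "nosign" in n:
        return "digest-only"
    if n.startswith(("sha256", "sha384", "sha512")):
        return "ok"
    return "unknown"


def audit_hashes(text):
    """Map each listed OID to its classification."""
    return {oid: classify(name) for name, oid in parse_show_hashes(text)}


def recommended_oid(text, preferred=("sha256RSA", "sha384RSA", "sha512RSA")):
    """Pick the first preferred SHA-2 RSA algorithm the client actually offers.

    Returns the OID to pass to 'netsh nap client set hash oid=...', or None
    if the machine lists no SHA-2 RSA algorithm.
    """
    by_name = {}
    for name, oid in parse_show_hashes(text):
        by_name.setdefault(name, oid)
    for name in preferred:
        if name in by_name:
            return by_name[name]
    return None


if __name__ == "__main__":
    for oid, verdict in audit_hashes(SAMPLE_SHOW_HASHES).items():
        print(f"{oid:28} {verdict}")
    print("recommended:", recommended_oid(SAMPLE_SHOW_HASHES))
```

On the sample, both sha1RSA OIDs (1.2.840.113549.1.1.5 and 1.3.14.3.2.29, the value reset hash falls back to) come out as weak, and the script recommends 1.2.840.113549.1.1.11 (sha256RSA) for set hash. Confirm that the HRA and issuing CA accept the chosen algorithm before changing it.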

show state

Displays state information, including client access restriction state, the state of installed enforcement clients and system health agents, and the client compliance and remediation results.

Syntax

show state

show trustedservergroup

Displays all trusted server groups and the HRA server URLs in each group.

Syntax

show trustedservergroup

Example

Following is an example of the information displayed when you run the show trustedservergroup command at the netsh nap client prompt.

Setting Value

Group Trusted server group 1

Require Https Enabled

URL https://www.example.com

Processing order 1

Group Trusted server group 2

Require Https Enabled

URL https://www.contoso.com

Processing order 1

Group Trusted server group 2

Require Https Enabled

URL https://www.example.com

Processing order 2
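
The HRA list is where a NAP client learns which servers it will trust with health statements, so it is worth checking mechanically that every group requires server verification and that every URL actually uses https://. The following Python script is an added example, not part of the netsh documentation or of any Microsoft tool. It parses the exact format shown above (PAGE_OUTPUT is the documented sample; LAB_GROUP is a constructed, deliberately misconfigured group added here to show what a finding looks like, and neither was captured from a live system) and reports groups without Require Https, non-https URLs, and duplicate processing orders inside a group.

```python
"""Audit the output of 'netsh nap client show trustedservergroup'.

Added example, not part of the netsh documentation. PAGE_OUTPUT is the
sample printed in the documentation; LAB_GROUP is a constructed,
deliberately misconfigured group that shows what a finding looks like.
Neither was captured from a live system.
"""

PAGE_OUTPUT = """\
Setting Value
Group Trusted server group 1
Require Https Enabled
URL https://www.example.com
Processing order 1
Group Trusted server group 2
Require Https Enabled
URL https://www.contoso.com
Processing order 1
Group Trusted server group 2
Require Https Enabled
URL https://www.example.com
Processing order 2
"""

# Constructed: a group that does not require https and lists a plain-http HRA.
LAB_GROUP = """\
Group Lab group
Require Https Disabled
URL http://hra.lab.example
Processing order 1
"""

# netsh prints one "Group" line per HRA URL, so every run of these four
# settings describes a single (group, URL) entry.
FIELDS = ("Group", "Require Https", "URL", "Processing order")


def parse_trusted_server_groups(text):
    """Return a list of {setting: value} dicts, one per listed HRA URL."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        for field in FIELDS:
            if line.startswith(field + " "):
                value = line[len(field):].strip()
                if field == "Group":
                    current = {"Group": value}
                    entries.append(current)
                elif current is not None:
                    current[field] = value
                break
    return entries


def audit_trusted_server_groups(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    https_reported = set()   # report the group-level setting once per group
    seen_orders = {}         # (group, processing order) -> first URL seen
    for e in parse_trusted_server_groups(text):
        group, url = e["Group"], e.get("URL", "")
        if e.get("Require Https", "").lower() != "enabled" and group not in https_reported:
            findings.append(f"{group}: server verification (https) is not required")
            https_reported.add(group)
        if not url.lower().startswith("https://"):
            findings.append(f"{group}: {url} is not an https:// URL")
        key = (group, e.get("Processing order"))
        if key in seen_orders:
            findings.append(f"{group}: processing order {key[1]} is used by both {seen_orders[key]} and {url}")
        seen_orders.setdefault(key, url)
    return findings


if __name__ == "__main__":
    for finding in audit_trusted_server_groups(PAGE_OUTPUT + LAB_GROUP):
        print(finding)
```

The two documented groups produce no findings; the constructed Lab group produces two (no server verification, plain-http URL). Run the real command, save its output to a file, and pass the file contents to audit_trusted_server_groups to check a deployed client.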

Netsh Commands for Network Input Output (NETIO)

You can use commands in the Netsh netio context to configure binding filters. The Netsh commands for netio can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh netio context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then netio to enter the netsh netio context, you must type:

netsh netio command

Where command is the command that you want to run, including all of the required parameters for the command.

add bindingfilter

Adds a binding filter.

Syntax

add bindingfilter [npi=]NPI [client=] client [provider=] provider [[type=]block|singleclient] [[store=]active|persistent]

Parameters

npi

Required. Specifies the network programming interface (NPI) GUID or name as a string value.

client

Required. Specifies the client name or GUID as a string value.

provider

Required. Specifies the provider name or GUID as a string value.

type

Optional. Specifies either block or singleclient. Singleclient is the default. If you specify block, the specified client cannot bind to the provider. If you specify singleclient, only the specified client can bind to the provider.

store

Optional. Specifies whether the binding filter is active or persistent. Persistent is the default. If you specify active, the filter is applied only until the computer is restarted; after the restart the binding filter is no longer applied. If you specify persistent, the filter is applied permanently and survives restarts.

Examples

The following example disables IPv4 loopback by installing an NMR filter to prevent the binding.

netsh netio add bindingfilter framing ipv4 fl4l block persistent

The following example disables IPv6 loopback by installing an NMR filter to prevent the binding.

netsh netio add bindingfilter framing ipv6 fl6l block persistent

Both examples use the persistent store, so the filters remain in force after a restart, and any local service that communicates over the loopback interface stops working until the filter is removed with delete bindingfilter. Verify the result with show bindingfilters before and after the change.

delete bindingfilter

Deletes a binding filter.

Syntax

delete bindingfilter [npi=]NPI [client=] client [provider=] provider [[store=]active|persistent]

Parameters

npi

Required. Specifies the network programming interface (NPI) GUID or name as a string value.

client

Required. Specifies the client name or GUID as a string value.

provider

Required. Specifies the provider name or GUID as a string value.

store

Optional. Specifies whether the binding filter is deleted from the active store or from the persistent store. Persistent is the default. If you specify active, the filter is removed only until the computer is restarted; after the restart the binding filter is applied again. If you specify persistent, the filter is permanently deleted.

show bindingfilters

Displays all binding filters.

Syntax

show bindingfilters [[store=]active|persistent]

Netsh Commands for Peer-to-Peer Networking (P2P)

Peer-to-peer (P2P) technologies are used to facilitate real-time communication and collaboration across distributed networks. In the peer-to-peer model, without using Internet servers, each computer user can do the following:

Exchange data

Share resources

Locate other users

Communicate

Collaborate directly in real time

By using peer-to-peer technologies, applications that coordinate the use of computer CPU cycles and storage can share resources among large or small groups of computers connected to the Internet. P2P is configured and administered by using Netsh commands.

You can run these commands from the command prompt for the Netsh P2P context. For these commands to work at the command prompt, you must type netsh p2p before typing commands and parameters as they appear in the syntax below.

Netsh P2P

The following commands are available at the p2p> prompt, which is rooted within the netsh environment.

collab

Changes to the netsh p2p collab context.

dump

Creates a script that contains the current configuration. If saved to a file, this script can be used to restore altered configuration settings.

group

Changes to the netsh p2p group context.

idmgr

Changes to the netsh p2p idmgr context.

pnrp

Changes to the netsh p2p pnrp context.

Netsh P2P collab

The following commands are available at the p2p collab> prompt, which is rooted within the netsh environment.

contact

Changes to the netsh p2p collab contact context.

Netsh P2P collab contact

The following commands are available at the p2p collab contact> prompt, which is rooted within the netsh environment.

delete

Deletes a contact from the contact store.

Syntax

delete <peer name>

export

Exports the Me contact to a file. The file can later be copied to another computer and imported there.

Syntax

export <file name>

import

Imports a contact from a file to the contact store.

Syntax

import <file name>

set

Sets the properties of a contact.

Syntax

set [Id=]<Peer Name> [[FriendlyName=]<friendly name>] [[Watch=]{true | false}] [[WatchPerm=]{allow | block}]

show contacts

Displays all contacts.

Syntax

show contacts

show xml

Displays the contents of the contact XML file.

Syntax

show xml <file name>

Netsh P2P group

The following commands are available at the p2p group> prompt, which is rooted within the netsh environment.

database

Changes to the netsh p2p group database context.

resolve

Resolves a participant in the group and lists its address.

Syntax

resolve {ANY | REMOTE} <group P2PID> [<cloud name>]

show acl

Lists access control list (ACL) information.

Syntax

show acl { identity <identity P2PID> | db <identity P2PID> <group P2PID>| <File path> }

show address

Resolves a participant in the current node and lists its address.

Syntax

show address <group P2PID> [ <cloud name> ]

Netsh P2P group database

The following commands are available at the p2p group database> prompt, which is rooted within the netsh environment.

show statistics

Lists database statistics for the given identity and group.

Syntax

show statistics <identity P2PID> <group P2PID>

Netsh P2P idmgr

The following commands are available at the p2p idmgr> prompt, which is rooted within the netsh environment.

delete group

Deletes groups from identities.

Syntax

delete group <identity P2PID> { <group P2PID> | ALL | EXPIRED }

delete identity

Deletes identities.

Syntax

delete identity { <identity P2PID> | ALL } [ QUIET ]

show groups

Displays identity and related group information.

Syntax

show groups { <identity P2PID> | ALL } [ EXPIRED ]

show identities

Displays identity information.

Syntax

show identities { ALL | <identity P2PID> }

show statistics

Displays a count of identities and associated groups.

Syntax

show statistics

Netsh P2P pnrp

The following commands are available at the p2p pnrp> prompt, which is rooted within the netsh environment.

cloud

Changes to the netsh p2p pnrp cloud context.

diagnostics

Changes to the netsh p2p pnrp diagnostics context.

peer

Changes to the netsh p2p pnrp peer context.

Netsh P2P pnrp cloud

The following commands are available at the p2p pnrp cloud> prompt, which is rooted within the netsh environment.

flush

Deletes all cache entries.

Syntax

flush [cloud=]<cloud name>

Example

flush Global_

repair

Detects and repairs Peer Name Resolution Protocol (PNRP) cloud fragmentation.

Syntax

repair [cloud=]<cloud name>

Example

repair Global_

show initialization

Displays cloud bootstrap configuration and status.

Syntax

show initialization [[cloud=]{ * | <cloud name>}]

Examples

show initialization cloud=Global_

show initialization *

show list

Displays a list of clouds.

Syntax

show list [[cloud=] <cloud name>]

Examples

show list Global_

show list

show names

Displays all names registered on the local machine.

Syntax

show names [[cloud=]{ * | <cloud name>}]

Examples

show names cloud=Global_

show names

show pnrpmode

Displays PNRP mode configuration parameters.

Syntax

show pnrpmode [[cloud=]<cloud name>]

Example

show pnrpmode Global_

show seed

Displays PNRP seed server configuration parameters.

Syntax

show seed [cloud=]<cloud name>

Example

show seed Global_

show statistics

Displays cloud statistics.

Syntax

show statistics [[cloud=]{ * | <cloud name>}]

Examples

show statistics cloud=Global_

show statistics *

start

Bootstraps a cloud.

Syntax

start [cloud=]<cloud name>

Example

start Global_

synchronize host

Queries a specified host for the addresses of other members of the cloud.

Syntax

synchronize host [host=]<host name> [cloud=]<cloud name>

Example

synchronize host host1 Global_

synchronize seed

Queries the seed server for the addresses of other members of the cloud.

Syntax

synchronize seed [cloud=]<cloud name>

Example

synchronize seed Global_

Netsh P2P pnrp diagnostics

The following commands are available at the p2p pnrp diagnostics> prompt, which is rooted within the netsh environment.

ping host

Tests PNRP connectivity to a node by specifying an address or a host name.

Syntax

ping host [host=]{<ip address> | <host name>} [cloud=]<cloud name>

Example

ping host myhost Global_

ping seed

Tests PNRP connectivity to the configured seed server.

Syntax

ping seed [cloud=]<cloud name>

Example

ping seed Global_

Netsh P2P pnrp peer

The following commands are available at the p2p pnrp peer> prompt, which is rooted within the netsh environment.

add registration

Registers a peer name. (Note that the registration will only last as long as the Netsh instance.)


Syntax

add registration [peername=]<peer name> [cloud=]<cloud name>

[[comment=]<comment>]

Parameters

Peer name

<canonical pnrp name>|<dns encoded pnrp name>

Cloud

The cloud where the name should be registered. Default is all clouds.

Comment

The comment that should be registered for the name.

Examples

add registration peername=0.0

add registration 0.0 Global_

delete registration

Unregisters a peer name.

Syntax

delete registration [peername=]{ * | <peer name>} [cloud=]<cloud name>

Parameters

Peername

<canonical pnrp name>|<dns-encoded pnrp name>

Cloud

The cloud from which the name should be unregistered. Default is all Clouds.

Examples

delete registration *

delete registration peername=0.0 cloud=Global_

enumerate

Search for multiple registrations of a peer name in the specified cloud.

Syntax

enumerate [peername=]<peer name> [cloud=]<cloud name>

[[maxresults=]<number>]

Parameters

Peername

<canonical pnrp name>|<dns-encoded pnrp name>


Cloud

The cloud where the enumeration should happen.

Maxresults

Should be a number between one and 500. Default is 50.

Examples

enumerate 0.0 cloud=Global_ maxresults=2

enumerate peername=0.0 cloud=Global_

resolve

Resolves a peer name.

Syntax

resolve [peername=]<peer name> [[cloud=]<cloud name>]

Parameters

Peername

<canonical pnrp name>|<dns-encoded pnrp name>

Examples

resolve peername=0.0 cloud=Global_

resolve 0.anyname

set file

Copies the console output to a file.

Syntax

set file [ mode= ] { open [ name= ] <filename> | append [ name = ]<filename> | close }

Parameters

Mode

One of the following values:

Open: Creates a new file or overwrites an existing file and streams the console output to the file.

Append: Opens an existing file and streams the console output to the end of the existing file.

Close: Stops streaming and closes a file.

Name

Name of the file (full path optional)

Examples

set file open c:\logfiles\logfile.txt

The above command creates a file and logs all output to it.


set machinename

Configure the PNRP Machine Name Publication Service.

Syntax

set machinename [[name=]<PeerName>] [[publish=]Start|Stop] [[autopublish=]enable|disable]

Parameters

Name

The name to use as the machine name. If the value is null, a secured name is automatically generated.

Publish

If set to 'start', causes the name to start being published immediately. If set to 'stop', stops the publication of the name.

Autopublish

Sets whether or not automatic publication is enabled. When autopublish is enabled, the machine automatically begins publishing the name at boot.

Examples

set machinename publish=start autopublish=enable

set mode

Sets the current mode to online or offline.

Syntax

set mode [ mode= ] { online | offline }

Parameters

Mode

One of the following values:

online: Commit changes immediately

offline: Delay commit until explicitly requested

Example

set mode online

show convertedname

Converts standard peer names to DNS encoded peer names and vice versa.

Syntax

show convertedname [peername=]<peer name>

Example

show convertedname 0.anyname

show machinename

Display the PNRP Machine Name Publication Service configuration.


Syntax

show machinename

Example

show machinename

show registration

List peer names registered by this instance of netsh.

Syntax

show registration [[cloud=]<cloud name>]

Example

show registration cloud=Global_

traceroute

Resolves a peer name with path tracing.

Syntax

traceroute [peername =]<peer name> [cloud=]<cloud name>

Examples

traceroute peername=0.0 Global_

traceroute 0.anyname Global_


Netsh Commands for Remote Access

You can use commands in the Netsh ras context to configure all aspects of remote access. The Netsh commands for remote access provide the same functionality as the Routing and Remote Access console, and the commands can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh ras context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then ras to enter the netsh ras context, you must type:

netsh ras command

Netsh RAS Commands

The following commands are specific to the ras context within the Netsh environment.

show activeservers

Displays a list of remote access server (RAS) advertisements.

Syntax

show activeservers

show client

Lists remote access clients connected to this server.

Syntax

show client

[[name=] Name]

Parameters

[[name=] Name]

Shows the status of a given client connected to the server. If this parameter is "*", show client enumerates the status of all clients. If no name is specified, show client shows which, if any, remote access clients are connected to the server.

set client

Resets the user statistics and disconnects a remote access client.

Syntax

set client

[name=] Name

[state=] {disconnect | resetstats}

Parameters

[name=] Name

Required. Specifies the user name of the client to disconnect or reset statistics.

[state=] {disconnect | resetstats}


Required. Specifies the action to perform. The parameter disconnect disconnects the specified user. The parameter resetstats resets the statistics for the specified user.

dump

Displays the configuration of the remote access server in script form.

Syntax

dump

Example

The following command saves the current configuration as a script in the rascfg.dmp file.

dump > rascfg.dmp

show tracing

Shows whether tracing is enabled for the specified component. To see a list of all installed components and whether tracing is enabled for each, use the show tracing command without parameters.

Syntax

show tracing [component]

Parameters

component

Specifies the component for which to display information. If no component is specified, show tracing shows the state of all installed components.

set tracing

Enables or disables tracing for the specified component.

Syntax

set tracing component {enabled | disabled}

Parameters

Component

Required. Specifies the component for which you want to enable or disable tracing. Use "*" to specify all components.

{enabled | disabled}

Required. Specifies whether to enable or disable tracing for the specified component.

Example

To set tracing for the PPP component, type:

set tracing ppp enabled

show authmode

Shows whether dial-up clients using certain types of devices should be authenticated.

Syntax

show authmode


set authmode

Specifies whether dial-up clients using certain types of devices should be authenticated.

Syntax

set authmode {standard | nodcc | bypass}

Parameters

{standard | nodcc | bypass}

Required. Specifies whether dial-up clients using certain types of devices should be authenticated. The parameter standard specifies that clients using any type of device should be authenticated. The parameter nodcc specifies that clients using any type of device except a direct-connect device should be authenticated. The parameter bypass specifies that no clients should be authenticated.

add authtype

Adds an authentication type to the list of types through which the remote access server should attempt to negotiate authentication.

Syntax

add authtype {pap | md5chap | mschap | mschapv2 | eap}

Parameters

{pap | md5chap | mschap | mschapv2 | eap}

Required. Specifies which authentication type to add to the list of types through which the remote access server should attempt to negotiate authentication. The pap parameter specifies that the remote access server should use the Password Authentication Protocol (plaintext). The md5chap parameter specifies that the remote access server should use the Challenge Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The mschap parameter specifies that the remote access server should use the Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access server should use version 2 of MSCHAP. The eap parameter specifies that the remote access server should use Extensible Authentication Protocol.

delete authtype

Deletes an authentication type from the list of types through which the remote access server should attempt to negotiate authentication.

Syntax

delete authtype {pap | md5chap | mschap | mschapv2 | eap}

Parameters

{pap | md5chap | mschap | mschapv2 | eap}

Required. Specifies which authentication type to delete from the list of types through which the remote access server should attempt to negotiate authentication. The pap parameter specifies that the remote access server should not use the Password Authentication Protocol (plaintext). The md5chap parameter specifies that the remote access server should not use the Challenge Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The mschap parameter specifies that the remote access server should not use the Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access server should not use version 2 of MSCHAP. The eap parameter specifies that the remote access server should not use Extensible Authentication Protocol.

show authtype

Lists the authentication type (or types) that the remote access server uses to attempt to negotiate authentication.


Syntax

show authtype

add link

Adds a link property to the list of link properties PPP will negotiate.

Syntax

add link {swc | lcp}

Parameters

{swc | lcp}

Required. Specifies which link property to add to the list of link properties PPP will negotiate. The parameter swc specifies that software compression (MPPC) should be added. The parameter lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be added.

delete link

Deletes a link property from the list of link properties PPP will negotiate.

Syntax

delete link {swc | lcp}

Parameters

{swc | lcp}

Required. Specifies which link property to delete from the list of link properties PPP will negotiate. The parameter swc specifies that software compression (MPPC) should be deleted. The parameter lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be deleted.

show link

Displays the link properties PPP will negotiate.

Syntax

show link

add multilink

Adds a multilink type to the list of multilink types PPP will negotiate.

Syntax

add multilink {multi | bacp}

Parameters

{multi | bacp}

Required. Specifies which multilink type to add to the list of multilink types PPP will negotiate. The parameter multi specifies that multilink PPP sessions should be added. The parameter bacp specifies that Bandwidth Allocation Control Protocol should be added.

delete multilink

Deletes a multilink type from the list of multilink types PPP will negotiate.

Syntax

delete multilink {multi | bacp}


Parameters

{multi | bacp}

Required. Specifies which multilink type to delete from the list of multilink types PPP will negotiate. The parameter multi specifies that multilink PPP sessions should be deleted. The parameter bacp specifies that Bandwidth Allocation Control Protocol should be deleted.

show multilink

Shows the multilink types PPP will negotiate.

Syntax

show multilink

add registeredserver

Registers the specified server as a remote access server in the specified Active Directory® domain. Used without parameters, add registeredserver registers the computer from which you type the command in its primary domain.

Syntax

add registeredserver

[[domain=] DomainName]

[[server=] ServerName]

Parameters

[[domain=] DomainName]

Specifies, by domain name, the domain in which to register the server. If you do not specify a domain, the server is registered in its primary domain.

[[server=] ServerName]

Specifies, by Domain Name System (DNS) name or IP address, the server to register. If you do not specify a server, the computer from which you type the command is registered.

delete registeredserver

Deletes the registration of the specified server as a remote access server from the specified Active Directory domain. Used without parameters, delete registeredserver deletes the registration of the computer from which you type the command from its primary domain.

Syntax

delete registeredserver

[[domain=] DomainName]

[[server=] ServerName]

Parameters

[[domain=] DomainName]

Specifies, by domain name, the domain from which to remove the registration. If you do not specify a domain, the registration is removed from the primary domain of the computer from which you type the command.

[[server=] ServerName]


Specifies, by IP address or DNS name, the server whose registration you want to remove. If you do not specify a server, the registration is removed for the computer from which you type the command.

show registeredserver

Displays status information about the specified server registered as a remote access server in the specified Active Directory domain. Used without parameters, the computer and primary domain from which the command is issued is assumed.

Syntax

show registeredserver

[[domain=] DomainName]

[[server=] ServerName]

Parameters

[[domain=] DomainName]

Specifies, by domain name, the domain in which the server about which you want to display information is registered. If you do not specify a domain, the primary domain of the computer from which the command is issued is assumed.

[[server=] ServerName]

Specifies, by IP address or DNS name, the server about which you want to display information. If you do not specify a server, the computer from which the command is issued is assumed.

show user

Displays the properties of a specified remote access user or users. Used without parameters, show user displays the properties of all remote access users.

Syntax

show user

[name=] UserName

[[mode=] {permit | report}]

Parameters

[name=] UserName

Specifies, by logon name, the user whose properties you want to display. If you do not specify a user, the properties of all users are displayed.

[[mode=] {permit | report}]

Specifies whether to show properties for all users or only those whose dial-up permission is set to permit. The permit parameter specifies that properties should be displayed only for users whose dial-up permission is permit. The report parameter specifies that properties should be displayed for all users.

set user

Sets the properties of the specified remote access user.

Syntax

set user


[name=] UserName

[dialin=] {permit | deny | policy}

[cbpolicy=] {none | caller | admin [cbnumber=] CallbackNumber}

Parameters

[name=] UserName

Required. Specifies, by logon name, the user for which you want to set properties.

[dialin=] {permit | deny | policy}

Required. Specifies under what circumstances the user should be allowed to connect. The permit parameter specifies that the user should always be allowed to connect. The deny parameter specifies that the user should never be allowed to connect. The policy parameter specifies that remote access policies should determine whether the user is allowed to connect.

[cbpolicy=] {none | caller | admin [cbnumber=] CallbackNumber}

Required. Specifies the callback policy for the user. The callback feature saves the user the cost of the phone call used to connect to a remote access server. The none parameter specifies that the user should not be called back. The caller parameter specifies that the user should be called back at a number specified by the user at connection time. The admin parameter specifies that the user should be called back at the number specified by the CallbackNumber parameter.

Example

To allow GuestUser to connect and be called back at (425) 555-0110, type:

set user guestuser permit admin 4255550110

show status

Shows the status of the server running Routing and Remote Access.

Syntax

show status

show conf

Shows the remote access configuration state of the server.

Syntax

show conf

set conf

Sets the remote access configuration state of the server.

Syntax

set conf

[confstate=] {enabled | disabled}

Parameters

[confstate=] {enabled | disabled}


Required. Specifies the remote access configuration state. The enabled parameter enables the server configuration. The disabled parameter disables the server configuration and removes the server from the list of remote access servers.

show portstatus

Shows the current status of RAS ports.

Syntax

show portstatus

[[name=] PortName]

[[state=] State]

Parameters

[[name=] PortName]

Specifies the port for which to display status.

[[state=] State]

Displays ports with the specified state. One of the following values:

nonoperational: Non-operational ports

disconnected: Disconnected ports

callingback: Ports calling back

listening: Ports listening

authenticating: Ports authenticating

connected: Authenticated and connected ports

initializing: Ports initializing

Examples

The following examples show the port status using the name and state parameters.

show portstatus name=VPN0-127

show portstatus state=connected


set portstatus

Resets the RAS ports statistics.

Syntax

set portstatus

[[name=] PortName]

Parameters

[[name=] PortName]

Specifies the name of the port. If none is specified, resets statistics of all active ports.

show type

Shows the router and RAS properties.

Syntax

show type

set type

Specifies the router and RAS roles of the server.

Syntax

set type

[ipv4rtrtype=] {lanonly | lananddd | none}

[ipv6rtrtype=] {lanonly | lananddd | none}

[rastype=] {ipv4 | ipv6 | both | none}

Parameters

[ipv4rtrtype=] {lanonly | lananddd | none}

Specifies that the computer is configured as an IPv4 router. The lanonly parameter specifies that this computer is a LAN-only router and does not require demand-dial or VPN connections. The lananddd parameter specifies that this computer is a LAN and demand-dial router and supports VPN connections. The none parameter specifies that this computer is not enabled as an IPv4 router.

[ipv6rtrtype=] {lanonly | lananddd | none}

Specifies that the computer is configured as an IPv6 router. The lanonly parameter specifies that this computer is a LAN-only router and does not require demand-dial or VPN connections. The lananddd parameter specifies that this computer is a LAN and demand-dial router and supports VPN connections. The none parameter specifies that this computer is not enabled as an IPv6 router.

[rastype=] {ipv4 | ipv6 | both | none}

Specifies the computer is configured as a remote access server. The ipv4 parameter specifies the computer is configured for IPv4. The ipv6 parameter specifies the computer is configured for IPv6.

The both parameter specifies the computer is configured for IPv4 and IPv6. The none parameter specifies the computer is not configured as a remote access server.

Netsh RAS AAAA Context Commands

The following commands are specific to the ras AAAA context within the Netsh environment.


dump

Displays the AAAA configuration of a remote access server in script form.

Syntax

dump

You can dump the contents of the current configuration to a file that can be used to restore altered configuration settings.

Example

The following is the command to save the current configuration as a script in the rasaaaacfg.dmp file.

dump > rasaaaacfg.dmp

add acctserver

Specifies the IP address or the Domain Name System (DNS) name of a RADIUS server to use for accounting.

Syntax

add acctserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[messages=] {enabled | disabled}]

Parameters

[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port to which accounting requests should be sent.

[[timeout=] Seconds]

Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it should be marked unavailable.


[[messages=] {enabled | disabled}]

Specifies whether to send accounting on/off messages. The enabled parameter specifies that messages should be sent. The disabled parameter specifies that messages should not be sent.

delete acctserver

Deletes a RADIUS accounting server.

Syntax

delete acctserver

[name=] ServerID

Parameters

[name=] ServerID

Required. Specifies, by DNS name or IP address, which server to delete.

set acctserver

Provides the IP address or the DNS name of a RADIUS server to use for accounting.

Syntax

set acctserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[messages=] {enabled | disabled}]

Parameters

[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port on which to send the authentication requests.

[[timeout=] Seconds]

Specifies, in seconds, the amount of time that should elapse before the RADIUS server is marked unavailable.


[[messages=] {enabled | disabled}]

Specifies whether accounting on/off messages should be sent.

show acctserver

Displays detailed information about an accounting server. Used without parameters, show acctserver displays information about all configured accounting servers.

Syntax

show acctserver

[[name=] ServerID]

Parameters

[[name=] ServerID]

Specifies, by DNS name or IP address, the RADIUS server about which to display information.

add authserver

Provides the IP address or the DNS name of a RADIUS server to which authentication requests should be passed.

Syntax

add authserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[signature=] {enabled | disabled}]

Parameters

[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port to which authentication requests should be sent.

[[timeout=] Seconds]


Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it should be marked unavailable.

[[signature=] {enabled | disabled}]

Specifies whether to use digital signatures. The enabled parameter specifies that digital signatures should be used. The disabled parameter specifies that digital signatures should not be used.

delete authserver

Deletes a RADIUS authentication server.

Syntax

delete authserver

[name=]ServerID

Parameters

[name=] ServerID

Required. Specifies, by DNS name or IP address, which server to delete.

set authserver

Provides the IP address or the DNS name of a RADIUS server to which authentication requests should be passed.

Syntax

set authserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[signature=] {enabled | disabled}]

Parameters

[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port on which to send the authentication requests.

[[timeout=] Seconds]


Specifies the amount of time, in seconds, that should elapse before the RADIUS server is marked unavailable.

[[signature=] {enabled | disabled}]

Specifies whether digital signatures should be used.

show authserver

Displays detailed information about an authentication server. Used without parameters, show authserver displays information about all configured authentication servers.

Syntax

show authserver

[[name=] ServerID]

Parameters

[[name=] ServerID]

Specifies, by DNS name or IP address, the RADIUS server about which to display information.

set accounting

Specifies the accounting provider.

Syntax

set accounting {windows | radius | none}

Parameters

{windows | radius | none}

Required. Specifies whether accounting should be performed and by which server. The windows parameter specifies that Windows security should perform accounting. The radius parameter specifies that a RADIUS server should perform accounting. The none parameter specifies that no accounting should be performed.

show accounting

Displays the accounting provider.

Syntax

show accounting

set authentication

Specifies the authentication provider.

Syntax

set authentication {windows | radius}

Parameters

{windows | radius}

Required. Specifies which technology should perform authentication. The windows parameter specifies that Windows security should perform authentication. The radius parameter specifies that

a RADIUS server should perform authentication.


show authentication

Displays the authentication provider.

Syntax

show authentication
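The add authtype, delete authtype and set authmode commands earlier in this context, and the aaaa authserver, acctserver and provider commands above, are most useful as one scripted baseline. The following PowerShell script is an added example, not part of the netsh reference or of Windows: it assumes an elevated session on a server with Routing and Remote Access installed, and the RADIUS host name, init-score and timeout values are placeholders.

```powershell
# Added example; not part of the netsh reference. Applies a remote access
# authentication baseline with the netsh ras and netsh ras aaaa commands documented
# on this page. Assumes an elevated PowerShell session on a server with Routing and
# Remote Access installed; the RADIUS host name, priority and timeout are placeholders.
# netsh prints its own status text; this script checks only the exit code.

$ErrorActionPreference = 'Stop'
$radiusHost = 'radius.corp.example'   # placeholder, replace with your RADIUS server

function Invoke-Netsh {
    # Runs one netsh command in the given context and throws if netsh reports failure.
    param(
        [Parameter(Mandatory)][string[]]$Context,     # e.g. 'ras' or 'ras','aaaa'
        [Parameter(Mandatory)][string[]]$Arguments
    )
    $output = & netsh.exe @Context @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Context -join ' ') $($Arguments -join ' ') failed (exit code $LASTEXITCODE): $output"
    }
    return $output
}

# 1. Record both configurations as restorable netsh scripts before changing anything.
$stamp = '{0:yyyyMMdd-HHmmss}' -f (Get-Date)
Invoke-Netsh -Context 'ras' -Arguments 'dump' |
    Set-Content -Path (Join-Path $env:TEMP "rascfg-$stamp.dmp") -Encoding ASCII
Invoke-Netsh -Context 'ras', 'aaaa' -Arguments 'dump' |
    Set-Content -Path (Join-Path $env:TEMP "rasaaaacfg-$stamp.dmp") -Encoding ASCII

# 2. Drop the PPP authentication types that expose credentials: pap sends the
#    password in plaintext, md5chap and mschap are legacy challenge/response schemes.
#    netsh may report an error for a type that is already absent, so warn and continue.
foreach ($weak in 'pap', 'md5chap', 'mschap') {
    try {
        Invoke-Netsh -Context 'ras' -Arguments @('delete', 'authtype', $weak) | Out-Null
    } catch {
        Write-Warning "Could not remove ${weak}: $_"
    }
}

# 3. Negotiate only mschapv2 and eap, and require authentication for every device
#    type (authmode standard rather than nodcc or bypass).
foreach ($strong in 'mschapv2', 'eap') {
    Invoke-Netsh -Context 'ras' -Arguments @('add', 'authtype', $strong) | Out-Null
}
Invoke-Netsh -Context 'ras' -Arguments @('set', 'authmode', 'standard') | Out-Null

# 4. Hand authentication and accounting to RADIUS. The shared secret is typed in at
#    run time so it is stored neither in the script nor in the shell history.
$secure = Read-Host -Prompt "RADIUS shared secret for $radiusHost" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# signature=enabled turns on the digital signatures the reference describes, so a
# reply cannot be forged by a host that knows only the server's address.
Invoke-Netsh -Context 'ras', 'aaaa' -Arguments @(
    'add', 'authserver', "name=$radiusHost", "secret=$secret",
    'init-score=30', 'port=1812', 'timeout=5', 'signature=enabled') | Out-Null
# Accounting on the standard RADIUS accounting port, with on/off messages so the
# RADIUS side can distinguish a service restart from a gap in traffic.
Invoke-Netsh -Context 'ras', 'aaaa' -Arguments @(
    'add', 'acctserver', "name=$radiusHost", "secret=$secret",
    'init-score=30', 'port=1813', 'timeout=5', 'messages=enabled') | Out-Null
Remove-Variable secret

Invoke-Netsh -Context 'ras', 'aaaa' -Arguments @('set', 'authentication', 'radius') | Out-Null
Invoke-Netsh -Context 'ras', 'aaaa' -Arguments @('set', 'accounting', 'radius') | Out-Null

# 5. Print the resulting state for the change record.
Invoke-Netsh -Context 'ras' -Arguments @('show', 'authtype')
Invoke-Netsh -Context 'ras' -Arguments @('show', 'authmode')
Invoke-Netsh -Context 'ras', 'aaaa' -Arguments @('show', 'authserver')
Invoke-Netsh -Context 'ras', 'aaaa' -Arguments @('show', 'acctserver')
```

The secret still passes to netsh on its command line, as the secret= syntax requires, so run the script from a console rather than a transcript-logged session. The dump files written in step 1 are the netsh scripts to replay if the change has to be reverted.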

set ipsecpolicy

Sets the IPsec policy for the L2TP connection.

Syntax

set ipsecpolicy

[psk=] {enabled | disabled}

[secret=] SharedSecret

Parameters

[psk=] {enabled | disabled}

Required. Specifies whether an L2TP connection can use a custom IPsec policy. The enabled parameter specifies that the IPsec policy is set to a custom IPsec policy using a preshared key. The disabled parameter specifies that the IPsec policy is set to certificate.

[secret=] SharedSecret

Required when psk authentication is enabled. Specifies the preshared key to be used with the custom IPsec policy.

Example

The following sets the IPsec policy for the L2TP connection.

set ipsecpolicy psk=enabled secret="P@ssword"

show ipsecpolicy

Shows the IPsec policy for the L2TP connection.

Syntax

show ipsecpolicy

Netsh RAS Diagnostic Context Commands

The following commands are specific to the ras diagnostics context within the Netsh environment.

dump

Displays the configuration of Remote Access Diagnostics in script form.

Syntax

dump

Example

The following is the command to save the current configuration as a script in the rasdiag.dmp file.

dump > rasdiag.dmp


show installation

Creates a Remote Access Diagnostic Report that includes only diagnostics results for Information Files, Installation Check, Installed Networking Components, and Registry Check and delivers the report to a location you specify.

Syntax

show installation

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters

[type=] {file | email}

Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information is included.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, only minimal data is included.

Example

To save a diagnostic report to c:\mytemp\rasdiag.htm, type:

show installation type=file destination="c:\mytemp\rasdiag"

show loglevel

Shows the global logging level for Routing and Remote Access service.

Syntax

show loglevel

set loglevel

Sets the global logging level for Routing and Remote Access service.


Syntax

set loglevel

[state=] {error | warn | all | none}

Parameters

[state=] {error | warn | all | none}

Required. Specifies the level of global logging. The none parameter specifies that no events are logged. The error parameter specifies that only errors are logged. The warn parameter specifies that errors and warnings are logged. The all parameter specifies that all events are logged.

show logs

Creates a Remote Access Diagnostic Report that contains only diagnostics results for Tracing Logs, Modem Logs, Connection Manager Logs, IP Security Log, Remote Access Event Logs, and Security Event Logs and delivers the report to a location you specify.

Syntax

show logs

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters

[type=] {file | email}

Required. Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information will be included in the report.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, minimal data is included.

Example

To save a diagnostic report to c:\mytemp\rasdiag.htm, type:


show logs type=file destination="c:\mytemp\rasdiag"

show configuration

Creates a Remote Access Diagnostic Report that includes only diagnostics results for Installed Devices, Process Information, Command-line Utilities, and Phone Book Files and delivers the report to a location you specify.

Syntax

show configuration

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters

[type=] {file | email}

Required. Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information is included.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, minimal data is included.

Example

To save a diagnostic report to c:\mytemp\rasdiag.htm, type:

show configuration type=file destination="c:\mytemp\rasdiag"

show all

Creates a Remote Access Diagnostic Report for all remote access logs and delivers the report to a location you specify.

Syntax

show all

[type=] {file | email}


[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters

[type=] {file | email}

Required. Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information is included.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, minimal data is included.

Example

To save a diagnostic report to c:\mytemp\rasdiag.htm that includes all diagnostic information, type:

show all type=file destination="c:\mytemp\rasdiag"

show cmtracing

Shows whether information about Connection Manager connections is being logged.

Syntax

show cmtracing

set cmtracing

Enables or disables logging of information about all Connection Manager connections.

Syntax

set cmtracing {enabled | disabled}

Parameters

{enabled | disabled}

Required. Specifies whether you want information about Connection Manager connections to be logged. The enabled parameter specifies that you want information to be logged. The disabled parameter specifies that you do not want information to be logged.


show modemtracing

Shows whether modem tracing is enabled or disabled.

Syntax

show modemtracing

set modemtracing

Enables or disables modem tracing for all modems installed for the local computer.

Syntax

set modemtracing {enabled | disabled}

Parameters

{enabled | disabled}

Required. Specifies whether you want modem activity for each modem to be logged. The enabled parameter specifies that you want activity to be logged. The disabled parameter specifies that you do not want activity to be logged.

show rastracing

Shows whether tracing for the given component is enabled. If no component is specified, shows the state of all components.

Syntax

show rastracing [component=] Component

Parameters

[component=] Component

Specifies the component for which you want to determine whether tracing is enabled or disabled. If no component is specified, the state of all components is displayed.

set rastracing

Enables or disables tracing and logging of all activity for all remote access components or for a specific remote access component.

Syntax

set rastracing

[component=] {Component | *}

[state=] {enabled | disabled}

Parameters

[component=] {Component | *}

Required. Specifies whether you want to enable or disable tracing and logging for a component that you specify or for all components. The Component parameter specifies the component for which you want to enable or disable tracing and logging. Use '*' to denote all components.

[state=] {enabled | disabled}

Required. Specifies whether you want activity to be traced and logged. The enabled parameter specifies that you want activity to be traced and logged. The disabled parameter specifies that you do not want activity to be traced and logged.


show securityeventlog

Shows whether security events are being logged.

Syntax

show securityeventlog

set securityeventlog

Enables or disables logging of all security events.

Syntax

set securityeventlog {enabled | disabled}

Parameters

{enabled | disabled}

Required. Specifies whether you want security events to be logged. The enabled parameter specifies that you want security events to be logged. The disabled parameter specifies that you do not want security events to be logged.

show tracefacilities

Shows whether all activity for all remote access components or for a remote access component that you specify is being traced and logged.

Syntax

show tracefacilities

set tracefacilities

Enables or disables tracing and logging of all activity for all remote access components that are configured on the local computer.

Syntax

set tracefacilities

[state=] {enabled | disabled | clear}

Parameters

[state=] {enabled | disabled | clear}

Required. Specifies whether you want to enable tracing for all remote access components, to disable tracing, or to clear all logs generated by tracefacilities. The enabled parameter specifies that you want to enable tracing. The disabled parameter specifies that you want to disable tracing. The clear parameter specifies that you want to clear all logs.
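The report collection described in this section (enable component tracing, run show all with type=file, then switch tracing back off), as an added PowerShell example that is not part of this reference. It assumes the commands live in the netsh ras diagnostics context and uses the c:\mytemp\rasdiag destination from the examples above as a placeholder.

```powershell
# Added example (not Microsoft's code): collect a Remote Access Diagnostic Report
# with "netsh ras diagnostics show all", enabling rastracing for all components
# only for the duration of the collection. The destination path is a placeholder.

function Invoke-Netsh {
    # Runs netsh.exe with the given arguments and fails loudly on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed with exit code $($LASTEXITCODE): $output"
    }
    $output
}

function Get-RasDiagnosticReport {
    [CmdletBinding()]
    param(
        # Full path without extension; netsh writes <Destination>.htm (see "show installation").
        [Parameter(Mandatory)][string]$Destination,
        # The reference restricts hours= to an integer between 1 and 24.
        [ValidateRange(1, 24)][int]$Hours = 24,
        # Maps to verbose=enabled; named Detailed because -Verbose is a PowerShell common parameter.
        [switch]$Detailed,
        # Maps to compression=enabled (a .cab instead of the plain .htm report).
        [switch]$Compress,
        # Turn on tracing for all components first, then turn it off again afterwards.
        [switch]$WithTracing
    )

    # set commands change RRAS logging state, so an elevated prompt is required.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt (Run as administrator).'
    }

    $reportArgs = @(
        'ras', 'diagnostics', 'show', 'all',
        'type=file',
        "destination=$Destination",
        "hours=$Hours",
        "verbose=$(if ($Detailed) { 'enabled' } else { 'disabled' })",
        "compression=$(if ($Compress) { 'enabled' } else { 'disabled' })"
    )

    try {
        if ($WithTracing) {
            # set rastracing component=* state=enabled traces every remote access component.
            Invoke-Netsh @('ras', 'diagnostics', 'set', 'rastracing', 'component=*', 'state=enabled') | Out-Null
        }
        Invoke-Netsh $reportArgs | Out-Null
    }
    finally {
        if ($WithTracing) {
            # Always switch tracing back off, even if report generation threw.
            Invoke-Netsh @('ras', 'diagnostics', 'set', 'rastracing', 'component=*', 'state=disabled') | Out-Null
        }
    }

    # Unless the report was compressed into a .cab, the HTML report should now exist.
    $reportPath = "$Destination.htm"
    if (-not $Compress -and -not (Test-Path -LiteralPath $reportPath)) {
        throw "netsh reported success but $reportPath was not created."
    }
    $reportPath
}

# Placeholder destination from the reference examples; the directory must exist first.
New-Item -ItemType Directory -Path 'C:\mytemp' -Force | Out-Null
Get-RasDiagnosticReport -Destination 'C:\mytemp\rasdiag' -Hours 4 -Detailed -WithTracing
```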

Netsh RAS IP Context Commands

The following commands are specific to the ras IP context within the Netsh environment.

dump

Displays the IP configuration of a remote access server in script form.

Syntax

dump

Example

The following is the command to save the current configuration as a script in the rasipcfg.dmp file.


dump > rasipcfg.dmp

show config

Displays the current IP configuration of the remote access server.

Syntax

show config

set negotiation

Specifies whether the remote access server should allow IP to be configured for any client connections the server accepts.

Syntax

set negotiation

[mode=] {allow | deny}

Parameters

[mode=] {allow | deny}

Required. Specifies whether to permit IP over client connections. The allow parameter allows IP over client connections. The deny parameter prevents IP over client connections.

set access

Specifies whether IP network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.

Syntax

set access

[mode=] {all | serveronly}

Parameters

[mode=] {all | serveronly}

Required. Specifies whether clients should be able to reach the remote access server and any networks to which it is connected. The all parameter allows clients to reach networks through the server. The serveronly parameter allows clients to reach only the server.

set addrassign

Sets the method by which the remote access server should assign IP addresses to its clients.

Syntax

set addrassign

[method=] {auto | pool}

Parameters

[method=] {auto | pool}

Required. Specifies whether IP addresses should be assigned by using DHCP or from a pool of addresses held by the remote access server. The auto parameter specifies that addresses should be assigned by using DHCP. If no DHCP server is available, a random, private address is assigned. The pool parameter specifies that addresses should be assigned from a pool.


set addrreq

Specifies whether dial-in clients should be able to request their own IP addresses.

Syntax

set addrreq

[mode=] {allow | deny}

Parameters

[mode=] {allow | deny}

Required. Specifies whether clients should be able to request their own IP addresses. The allow parameter allows clients to request addresses. The deny parameter prevents clients from requesting addresses.

set broadcastnameresolution

Enables or disables broadcast name resolution using NetBIOS over TCP/IP.

Syntax

set broadcastnameresolution

[mode=] {enabled | disabled}

Parameters

[mode=] {enabled | disabled}

Required. Specifies whether to enable or disable broadcast name resolution using NetBIOS over TCP/IP. The enabled parameter enables broadcast name resolution using NetBIOS over TCP/IP.

The disabled parameter disables broadcast name resolution using NetBIOS over TCP/IP.

show broadcastnameresolution

Displays whether broadcast name resolution using NetBIOS over TCP/IP has been enabled or disabled for the remote access server.

Syntax

show broadcastnameresolution

add range

Adds a range of addresses to the pool of static IP addresses that the remote access server can assign to clients.

Syntax

add range

[from=] StartingIPAddress

[to=] EndingIPAddress

Parameters

[from=] StartingIPAddress [to=] EndingIPAddress

Required. Specifies the range of IP addresses to add. The StartingIPAddress parameter specifies the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the range.


Example

To add the range of IP addresses 10.2.2.10 to 10.2.2.20 to the static pool of IP addresses that the remote access server can assign, type:

add range from=10.2.2.10 to=10.2.2.20

delete range

Deletes a range of addresses from the pool of static IP addresses that the remote access server can assign to clients.

Syntax

delete range

[from=] StartingIPAddress

[to=] EndingIPAddress

Parameters

[from=] StartingIPAddress [to=] EndingIPAddress

Required. Specifies the range of IP addresses to delete. The StartingIPAddress parameter specifies the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the range.

Example

To delete the range of IP addresses 10.2.2.10 to 10.2.2.20 from the pool of static IP addresses that the remote access server can assign, type:

delete range from=10.2.2.10 to=10.2.2.20

delete pool

Deletes all addresses from the pool of static IP addresses that the remote access server can assign to clients.

Syntax

delete pool

set preferredadapter

Specifies the preferred adapter for Routing and Remote Access service.

Syntax

set preferredadapter

[name=] InterfaceName

Parameters

[name=] InterfaceName

Specifies the adapter to be used to obtain the IP addresses for allocation (if configured to use DHCP) and the IP addresses of the DHCP and WINS servers for assignment to remote access clients and demand-dial routers. If no interface is specified, the server randomly selects an adapter when the Routing and Remote Access service is started.

show preferredadapter

Displays the preferred adapter for Routing and Remote Access service.


Syntax

show preferredadapter

Netsh RAS IPv6 Context Commands

The following commands are specific to the ras IPv6 context within the Netsh environment.

dump

Displays the IPv6 configuration of a remote access server in script form.

Syntax

dump

You can dump the contents of the current configuration to a file that can be used to restore altered configuration settings.

Example

The following is the command to save the current configuration as a script in the rasipv6cfg.dmp file.

dump > rasipv6cfg.dmp

set negotiation

Specifies whether the remote access server should allow IPv6 to be configured for any client connections the server accepts.

Syntax

set negotiation

[mode=] {allow | deny}

Parameters

[mode=] {allow | deny}

Required. Specifies whether to permit IPv6 over client connections. The allow parameter allows IPv6 over client connections. The deny parameter prevents IPv6 over client connections.

set access

Specifies whether IPv6 network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.

Syntax

set access

[mode=] {all | serveronly}

Parameters

[mode=] {all | serveronly}

Required. Specifies whether clients should be able to reach the remote access server and any networks to which it is connected. The all parameter allows clients to reach networks through the server. The serveronly parameter allows clients to reach only the server.

set prefix

Sets the static IPv6 prefix that the remote access server uses to advertise to clients.


Syntax

set prefix

[prefix=] IPv6Prefix

Parameters

[prefix=] IPv6Prefix

Required. Specifies the IPv6 prefix in the form: 'x:x:x:x::'

Example

The following sets the IPv6 prefix to 3ffe:ffff:a:1.

set prefix prefix=3ffe:ffff:a:1::

show config

Displays the current IP configuration of the remote access server.

Syntax

show config


Netsh Commands for Remote Procedure Call (RPC)

netsh rpc is a command-line tool that you can use to create remote procedure call (RPC) Firewall Filters and the rules and conditions that are associated with the filters.

You can run the Netsh RPC commands from the command prompt for the netsh rpc context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh rpc before typing commands and parameters as they appear in the syntax.

You must have the required permissions to run the netsh rpc commands:

If you are a member of the Administrators group, and User Account Control is enabled on your computer, run the commands from a command prompt with elevated permissions. To open a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

If you are a member of the Network Operators group, you can run the commands from any command prompt.

If you are not a member of Administrators or Network Operators and you have not been delegated any other permissions to run this command, you can run only the commands that display the settings, not the commands that change the settings.

filter

This command changes the command-line context to the netsh rpc filter subcontext. This subcontext is for running commands that set rules and conditions for RPC Firewall filtering.

Parameters

add rule

Adds an RPC Firewall Filter rule.

add condition

Adds a condition to an existing RPC Firewall Filter rule.

add filter

Adds an RPC Firewall Filter.

show filter

Displays a list of active RPC Firewall Filters.

delete filter

Deletes all active RPC Firewall Filters and the rules and conditions that are associated with those filters.

delete rule

Deletes the existing RPC Firewall Filter rules.

/?

Displays help at the command prompt.


add rule

Adds a rule to specify an action when a given condition is met. Rules and conditions are combined to specify RPC Firewall Filters.

Use the following order when you add rules, conditions, and filters:

1. Add rule. The information in this "add rule" section provides details for step 1 (adding rules), including syntax, parameters, and allowed values.

2. Add conditions.

3. Add the filter that is created by the combination of rules and conditions that you enter.

Syntax

filter add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>] [[persistence=]volatile] [[audit=]enable]

Parameters

The following sections provide information about the Layer tag and the values of the parameters that are associated with the Layer tag.

Layer tag

RPC Firewall layers represent abstract connection types. Each layer applies to a different aspect of an RPC connection. RPC Firewall layers are not directly related to RPC architectural components, but they are used to specify an aspect or type of RPC connection.

Tag | Required | Default | Description | Allowed values

Layer | Yes | None | Specifies an RPC communications protocol layer. | Um, Epmap, Ep_add, Proxy_conn, Proxy_if

Actiontype | Yes | None | Describes the action to take for the specified layer: block the item, permit the item to invoke a function that executes in another process, or continue processing the rule. | Block, Permit, Continue

Filterkey | No | A randomly generated Universally Unique Identifier (UUID) | A 128-bit, unique identifier to uniquely identify this filter. | UUID

Persistence | No | Persistent | Persists or does not persist if the system is restarted. | Persistent, Volatile

Audit | No | Disabled | Allows auditing of the process or does not audit the process. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events where a rule would have been applied. | Enabled, Disabled


Allowed values for the Layer tag

Value | Name | Description

um | User Mode layer | An RPC communications protocol layer that is used for high-level policies, such as filtering on a user or application identity.

epmap | Endpoint Mapper layer | An RPC communications protocol layer that is used to write interface-specific rules.

ep_add | Endpoint Addition layer | A layer that allows dynamic or static endpoint ports to be added for each interface. These layers are not used for filtering. Instead, they are containers that specify an interface and an endpoint to add to the process hosting the interfaces.

proxy_conn | RPC Proxy Connect layer | An RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.

proxy_if | RPC Proxy Interface layer | An RPC communications protocol layer that is used to write interface-specific rules for an RPC proxy role.

Allowed values for the Actiontype tag

Value Description

Block Does not allow the specified item access over RPC.

Permit Allows the specified item access over RPC.

Continue Does not allow the specified item access over RPC until all rules in the filter are run. Access is based on the cumulative results of all the rules in the filter.

Allowed values for the Filterkey tag

Value Name Description

UUID Universally Unique Identifier A unique, 128-bit identifier that identifies this filter.

Allowed values for the Persistence tag

Value Description

Persistent The value is stored on the disk and persists through a system restart. This is the default value.


Volatile The value is not stored. If the system is restarted, the value is lost.

Allowed values for the Audit tag

Value Description

Enabled Specifies that the RPC filtering engine runs in Audit mode. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events when a rule would be applied. Auditing is not allowed for the ep_add layer.

Disabled Specifies that the RPC filtering engine does not run in Audit mode. Instead, the RPC filtering engine actively filters traffic and applies the filtering rules. This is the default value.

Examples

The following example adds a rule to block RPC traffic that matches the given condition. This rule applies to the user mode (um) layer. A specific filter key identifies the filter.

add rule layer=um actiontype=block

The following example is a rule to add an endpoint to an interface. The rule references a specific filterkey. This is the only rule that is necessary for adding a dynamic endpoint to an interface.

add rule layer=epmap actiontype=permit filterkey=11111111-2222-3333-4444-555555555555

add condition

Adds a condition that must be met so that a filtering rule can be applied. Conditions are combined with rules to specify RPC Firewall Filters.

Use the following order when you add rules, conditions, and filters:

1. Add rule.

2. Add conditions. The information in this "add condition" section provides details for step 2, including syntax, parameters, and allowed values.

3. Add the filter that is created by the combination of rules and conditions that you enter.

Syntax

filter add condition [field=]<string> [matchtype=]<string> [data=]<string>

Parameters

See the following tables for the add condition parameters and their values. The filtering engine checks that the condition you specify is met before the associated rule is run and the filtering is applied. An administrator can use the parameters and their values to fine-tune the filter so that it applies only to the specified RPC port, interface, or transport.

Tag | Required | Default | Description | Allowed Values

Field | Yes | None | Identifies the RPC field where the condition applies. The allowed values of the field tag vary, depending on the layer that is specified in the filtering rule. | See the tables in the section "Allowed values for the Field tag by Layer."

MatchType | Yes | None | Defines the type of comparison to perform on a given field. | See the table in the section "Allowed values for the MATCHTYPE tag."

Data | Yes | None | The data that is used for making comparisons to the value in the field to determine whether your condition is met or not met. The data is compared to the value using the comparison that is defined in the MatchType tag. | The value that is allowed for the Data tag varies for each field that is specified.

Allowed values for the Field tag by Layer

The allowed values for the Field tag depend on the RPC layer to which the rules apply. For each layer, there is a set of allowed Field values. The layer is specified in the add rule command. The following tables describe the allowed values for the Field tag by RPC layer.

Allowed values for the User Mode Layer

The following values for filtering are allowed for User Mode (UM) Layer conditions. There are no required fields for UM Layer conditions.

Allowed value Description

if_uuid The 128-bit interface UUID. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

if_version The version of the interface as defined in the RPC Interface Definition Language (IDL) file.

if_flag The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is described in the following table.

Flag Value Description

RPC_FW_IF_FLAG_DCOM 0x0001 This flag indicates that the condition applies to DCOM activations or calls to DCOM interfaces.

For example, to create a condition to block a DCOM activation, use the following command:

netsh rpc filter add condition field=if_flag matchtype=equal data=0x0001

dcom_app_id The UUID of the DCOM application where the condition is applied. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

image_name The name of the executable image. It is specified with an s preceding the name if the name is given in ASCII or with a w if the name is Unicode. For example, to apply this condition on Image.exe, use the following command:

netsh rpc filter add condition field=image_name matchtype=equal data=simage.exe

protocol The protocol over which to block. It must be one of the following strings:


NCACN_IP_TCP to indicate the TCP protocol

NCACN_NP to indicate the named pipes protocol

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

auth_type The authentication service type. The value is specified as a decimal number.

auth_level The authentication-level constant. This value represents authentication levels that are passed to various run-time functions. The value is specified as a decimal number in increasing order, starting with 0.

sec_encrypt_alg The certificate-based, security service provider interface (SSPI) encryption algorithm.

sec_key_size The certificate-based, SSPI encryption key size.

remote_user_token A data structure that contains authentication and authorization information for a remote user.

local_addr_v4 The local IP version 4 (IPv4) address over which to apply the condition. The data is in hexadecimal 0x notation.

local_addr_v6 The local IP version 6 (IPv6) address over which to apply the condition. The data is in standard colon notation.

remote_addr_v4 The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

remote_addr_v6 The remote IPv6 address over which to apply the condition. The data is in standard colon notation.

local_port The local port where the condition is applied. The port is a decimal number.

pipe The remote named pipe that provides communication between processes on different computers.

Allowed values for the Endpoint Mapper (EPMAP) Layer

The following values for filtering are allowed for EPMAP Layer conditions. Conditions for the EPMAP layer are used to create interface-specific rules. If_uuid and if_version are both required values. The if_uuid value must be the first value that is specified.

Value Description

if_uuid The 128-bit interface UUID. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The if_uuid field is a required value for the EPMAP Layer, and it must be the first value that is specified.

if_version The version of the interface as defined in the RPC IDL file. This is a decimal number. The if_version field is a required value for the EPMAP Layer, and it must be the second value that is specified.

protocol The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP, to indicate the TCP protocol

NCACN_NP, to indicate the named pipes protocol

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

auth_type The authentication service type. The value is specified as a decimal number.

auth_level The authentication-level constant. This represents authentication levels that are passed to various run-time functions. The value is specified as a decimal number in increasing order, starting with 0.

sec_encrypt_alg The certificate-based, SSPI encryption algorithm.

sec_key_size The certificate-based, SSPI encryption key size.

remote_user_token A data structure that contains authentication and authorization information for a remote user.

local_addr_v4 The local IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

local_addr_v6 The local IPv6 address over which to apply the condition. The data is in standard colon notation.

remote_addr_v4 The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

remote_addr_v6 The remote IPv6 address over which to apply the condition. The data is in standard colon notation.

local_port The local port on which to apply the condition. The port is a decimal number.

pipe The remote named pipe that provides communication between processes on different computers.

Allowed values for the Proxy Interface (PROXY_IF) layer

The following values for filtering are allowed for PROXY_IF Layer conditions. The proxy_if layer applies to interface-specific conditions and rules on an RPC proxy. The if_uuid value is required, and it must be the first value that is specified.


Value Description

if_uuid The 128-bit interface UUID. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The if_uuid value is required, and it must be the first value that is specified.

if_version The version of the interface as defined in the RPC IDL file. This is a decimal number.

server_name The name of the server that is the target for the condition. The name is specified as a string, preceded by s for ASCII or w for Unicode.

server_port The server port that is the target for the condition. The port is specified as a decimal value.

proxy_auth_type The RPC proxy authentication service type.

client_token A data structure that contains authentication and authorization information for the client when it is using an RPC proxy.

client_cert_oid The object identifier in the client certificate.

cert_key_length The SSL key length in the client certificate.

Allowed values for the Endpoint Addition (EP_ADD) layer

The following values for filtering are allowed for EP_ADD Layer conditions. The EP_ADD layer allows dynamic or static ports to be added to interfaces at run time, regardless of the application. The process_with_if_uuid value is required for the EP_ADD layer, and it must be the first value that is specified. The protocol value is required for the EP_ADD layer, and it must be the second value that is specified.

Value Description

process_with_if_uuid The UUID of the interface on which to add the dynamic endpoint port. This value is required, and it must be the first value that is specified.

protocol The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP, to indicate the TCP protocol.

NCACN_NP, to indicate the named pipes protocol.

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

The protocol value is a required value for the EP_ADD layer, and it must be the second value that is specified.

ep_value The port on which to add the endpoint. The value is specified as a decimal value. If it is not specified, a dynamic endpoint, rather than a static endpoint port, is added to the interface.


ep_flags The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is described in the following table.

Flag Value Description

RPC_FW_IF_FLAG_DCOM 0x0001 This flag indicates that the condition applies to DCOM activations or calls to DCOM interfaces.

For example, to create a condition to block a DCOM activation, use the following command:

netsh rpc filter add condition field=if_flag matchtype=equal data=0x0001

Allowed values for the Proxy Connect (PROXY_CONN) layer

The following values for filtering are allowed for PROXY_CONN Layer conditions. The PROXY_CONN layer is an RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.

Value Description

server_name The name of the target server that the condition applies to. This is specified as a string preceded with s for ASCII or w for Unicode.

server_port The target server port that the condition applies to. This is specified as a decimal value.

proxy_auth_type The RPC proxy authentication service type.

client_token The client user identity that is produced by the front-end authentication.

client_cert_key_name The client certificate key name.

client_cert_oid The object identifier in the client certificate.

Allowed values for the MATCHTYPE tag

The match type specifies the type of comparison to perform on a given value.

Value Description

Equal Tests whether the value is equal to the condition value.

Greater Tests whether the value is greater than the condition value.

Less Tests whether the value is less than the condition value.

Greater or equal Tests whether the value is greater than or equal to the condition value.

Less or equal Tests whether the value is less than or equal to the condition value.


Range Tests whether the value is within a given range of condition values.

All set Tests whether all flags are set.

Any set Tests whether any flags are set.

None set Tests whether no flags are set.

add filter

You can specify the rule and the conditions and then run the add filter command, which takes those rules and conditions and adds them as a filter to the firewall. You must already have added at least one rule and one condition.

Use the following order when you add rules, conditions, and filters:

Add rule.

Add conditions.

Add the filter that is created by the combination of the rule and conditions that you entered. This "add filter" section provides the syntax.

Syntax

filter add filter

Parameters

This command has no parameters. The command combines the rule and conditions to create an RPC Firewall Filter.

show filter

Lists the active RPC Firewall Filters.

filter show filter

Parameters

This command has no parameters. This command lists the currently active RPC filters.

delete filter

Deletes one active RPC Firewall Filter, identified by its filter key, or all of them.

Syntax

filter delete filter filterkey={all|<GUID>}

Parameters

Value Description

All Deletes all filters. Removes all filters and all rules and conditions that are associated with the filters.

<GUID>

Globally unique identifier (GUID). The 128-bit filter identifier. This value is specified in the filterkey tag when you use the add filter command or it is automatically generated. If it is not specified, you can find the filter key by running the show filter command. The identifier is specified in the following notation:


XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Example

The following example deletes all RPC Firewall Filters:

delete filter filterkey=all

The following example deletes the filter identified by filter key 11111111-2222-3333-4444-555555555555:

delete filter filterkey=11111111-2222-3333-4444-555555555555

delete rule

Deletes the current RPC Firewall Filter rule.

Syntax

filter delete rule

Parameters

This command has no parameters. This command deletes the current RPC Firewall Filter rule. The command deletes the firewall filter rule and associated conditions.

Examples of RPC Firewall Filter commands

The following examples demonstrate the use of RPC Firewall Filters in real-world situations.

To block all RPC connections over TCP:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP
netsh rpc filter add filter

To block RPC connections on port 12345:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=local_port matchtype=equal data=12345
netsh rpc filter add filter

To block RPC connections from the remote address 192.168.1.1 (specified as the hexadecimal form of the IPv4 address, 0xC0A80101):

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remote_addr_v4 matchtype=equal data=0xC0A80101
netsh rpc filter add filter

To add a dynamic endpoint for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:

netsh rpc filter add rule layer=ep_add actiontype=permit
netsh rpc filter add condition field=process_with_if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=protocol matchtype=equal data=ncacn_ip_tcp
netsh rpc filter add filter

To block RPC connections for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:


netsh rpc filter add rule layer=epmap actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=if_version matchtype=equal data=1
netsh rpc filter add filter

For an RPC proxy, it is possible to block RPC connections through the RPC proxy where the target server is named TargetServer:

netsh rpc filter add rule layer=proxy_conn actiontype=block
netsh rpc filter add condition field=server_name matchtype=equal data=sTargetServer
netsh rpc filter add filter
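The rule, condition, filter sequence above is stateful: the conditions attach to whatever rule was added last, and nothing is committed until add filter runs. The following PowerShell wrapper, an added example that is not part of the netsh reference, performs the whole sequence for one interface version and then confirms the new filter key in the show filter listing so it can be removed later. It assumes an elevated prompt and that the show filter output prints each key on a line beginning with "filterKey:"; the interface UUID is the placeholder from the text.

```powershell
# Added example, not part of the netsh reference: wraps the documented
# rule -> condition(s) -> filter sequence so that a block filter for one
# RPC interface is created in one go and then verified with "show filter".
# Assumptions: run from an elevated prompt (rpc filter needs admin), and
# the "show filter" listing prints each filter key on a "filterKey:" line.
# The interface UUID used at the bottom is the placeholder from the text.

function Invoke-Netsh {
    param([Parameter(Mandatory)][string[]]$NetshArgs)
    $out = (& netsh.exe @NetshArgs 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed (exit $LASTEXITCODE): $out"
    }
    $out
}

function Get-RpcFilterKeys {
    # Filter keys are the GUIDs that "delete filter filterkey=<GUID>" accepts.
    $listing = Invoke-Netsh 'rpc','filter','show','filter'
    [regex]::Matches($listing, '(?i)filterKey:\s*([0-9a-f-]{36})') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Add-RpcInterfaceBlockFilter {
    param(
        [Parameter(Mandatory)][guid]$InterfaceUuid,
        [Parameter(Mandatory)][int]$InterfaceVersion,
        [ValidateSet('um', 'epmap')][string]$Layer = 'epmap'
    )
    $before = @(Get-RpcFilterKeys)

    # 1. The rule: layer plus action. It becomes the "current" rule that the
    #    following conditions attach to, so do not interleave other rpc work.
    Invoke-Netsh 'rpc','filter','add','rule',"layer=$Layer",'actiontype=block' | Out-Null

    # 2. Conditions. Everything added before "add filter" is ANDed into the
    #    same filter; without the version condition every version is blocked.
    Invoke-Netsh 'rpc','filter','add','condition','field=if_uuid','matchtype=equal',"data=$InterfaceUuid" | Out-Null
    Invoke-Netsh 'rpc','filter','add','condition','field=if_version','matchtype=equal',"data=$InterfaceVersion" | Out-Null

    # 3. Commit rule + conditions as a single RPC Firewall Filter.
    Invoke-Netsh 'rpc','filter','add','filter' | Out-Null

    # Verify: exactly the new key(s) should have appeared in the listing.
    $new = @(Get-RpcFilterKeys) | Where-Object { $before -notcontains $_ }
    if (-not $new) { throw 'filter was not created; check "netsh rpc filter show filter"' }
    $new
}

function Remove-RpcFilter {
    param([Parameter(Mandatory)][guid]$FilterKey)
    Invoke-Netsh 'rpc','filter','delete','filter',"filterkey=$FilterKey" | Out-Null
}

# Usage (placeholder interface from the reference text, version 1):
$key = Add-RpcInterfaceBlockFilter -InterfaceUuid '11111111-1111-1111-1111-111111111111' -InterfaceVersion 1
"created filter $key"
# Roll back: Remove-RpcFilter -FilterKey $key
```

Keeping the key returned by the function is what makes the change reversible without delete filter filterkey=all, which would also remove filters that other tooling put in place.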


Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)

You can use commands in the netsh winhttp context to configure proxy and tracing settings for Windows HTTP. The Netsh commands for winhttp can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh winhttp context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then winhttp to enter the netsh winhttp context, you must type:

netsh winhttp command

Netsh winhttp commands

The following entries provide details for each command.

flush logbuffer

Flushes the internal buffers for the log files.

Syntax

flush logbuffer

import proxy

Imports the proxy settings from the Internet Explorer Web browser's Internet Options. Importing settings from IE is the only available source.

Syntax

import proxy source=ie

reset proxy

Resets the WinHTTP proxy setting to DIRECT.

Syntax

reset proxy

reset tracing

Resets the WinHTTP trace parameters to the default settings.

Syntax

reset tracing

The default settings are:

Parameter Default

Tracing State Disabled

Trace-file-prefix None

Output File

Level Default

Format Ansi

Max-trace-file-size 65535


set proxy

Configures the WinHTTP proxy setting.

Syntax

set proxy [proxy-server=] ProxyServerName [bypass-list=] <HostsList>

Parameters

Proxy-Server

Required. Specifies the proxy server to use for http, secure http (https), or both http and https protocols.

Bypass-list

Optional. Specifies a list of Web sites that should be visited without using the proxy server. Use "<local>" to bypass all short-name hosts.

Examples

Following are three examples of how to use the set proxy command.

set proxy myproxy

set proxy myproxy:80 "<local>bar"

set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.contoso.com"

set tracing

Configures the WinHTTP tracing parameters.

Syntax

set tracing [output=] file | debugger | both [trace-file-prefix=] FilePrefix [level=] default | verbose [format=] ansi | hex [max-trace-file-size=] FileSize [state=] enabled |disabled

Parameters:

Output

Optional. Specifies whether tracing data is exported to a file, a debugger, or both.

Trace-file-prefix

Optional. Specifies a string value that is a prefix for the log file. The file prefix can include a folder location/path. Type "*" to delete an existing prefix.

Level

Optional. Specifies the amount of information to log.

Format

Optional. Specifies the display format of network traffic (hexadecimal or ansi).

Max-trace-file-size

Optional. Specifies a numeric value that is the maximum size of the trace file in bytes.

State

Required. Specifies whether tracing is enabled or disabled.


Examples

Following are two examples of how to use the set tracing command.

set tracing trace-file-prefix="C:\Temp\Test3" level=verbose format=hex

set tracing output=debugger max-trace-file-size=512000 state=enabled

show proxy

Displays the current WinHTTP proxy setting.

Syntax

show proxy
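The WinHTTP proxy is machine-wide and is used by services rather than by the interactive browser, so a silently changed value redirects update and agent traffic through a host an attacker controls. The following PowerShell check, an added example that is not part of the netsh reference, parses show proxy, compares the result against an expected setting and optionally restores it with set proxy or reset proxy. It assumes the show proxy listing prints either "Direct access (no proxy server)." or the "Proxy Server(s) :" and "Bypass List :" lines as current Windows builds do; the proxy host and bypass entries are hypothetical placeholders.

```powershell
# Added example, not part of the netsh reference: checks the machine-wide
# WinHTTP proxy against an expected value and optionally corrects it.
# Assumes the "show proxy" listing prints "Direct access (no proxy server)."
# or the two lines "Proxy Server(s) :" and "Bypass List :" as current
# Windows builds do; proxy and bypass values are hypothetical placeholders.

function Get-WinHttpProxy {
    $text = (& netsh.exe winhttp show proxy 2>&1) -join "`n"
    if ($text -match 'Direct access') {
        return [pscustomobject]@{ Direct = $true; ProxyServer = ''; BypassList = @() }
    }
    $proxy  = if ($text -match 'Proxy Server\(s\)\s*:\s*(.+)') { $Matches[1].Trim() } else { '' }
    $bypass = if ($text -match 'Bypass List\s*:\s*(.+)')       { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        Direct      = $false
        ProxyServer = $proxy
        # netsh prints "(none)" for an empty bypass list.
        BypassList  = @($bypass -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne '(none)' })
    }
}

function Test-WinHttpProxy {
    param(
        # An empty ExpectedProxy means the host must be DIRECT (no proxy at all).
        [string]$ExpectedProxy = 'proxy.corp.example:8080',
        [string[]]$ExpectedBypass = @('<local>', '*.corp.example'),
        [switch]$Remediate
    )
    $cur = Get-WinHttpProxy
    $ok = if ($ExpectedProxy -eq '') {
        $cur.Direct
    } else {
        (-not $cur.Direct) -and
        ($cur.ProxyServer -eq $ExpectedProxy) -and
        ((($cur.BypassList | Sort-Object) -join ';') -eq (($ExpectedBypass | Sort-Object) -join ';'))
    }
    if ($ok) { return $true }

    Write-Warning ("WinHTTP proxy drift: direct={0} proxy='{1}' bypass='{2}'" -f $cur.Direct, $cur.ProxyServer, ($cur.BypassList -join ';'))
    if ($Remediate) {
        if ($ExpectedProxy -eq '') {
            & netsh.exe winhttp reset proxy | Out-Null   # back to DIRECT
        } else {
            # Same parameters as the documented "set proxy" syntax.
            & netsh.exe winhttp set proxy "proxy-server=$ExpectedProxy" "bypass-list=$($ExpectedBypass -join ';')" | Out-Null
        }
    }
    return $false
}

# Usage: Test-WinHttpProxy              # report only
#        Test-WinHttpProxy -Remediate   # enforce the expected setting
```

Run it from a scheduled task or an endpoint agent and alert on a false return; because set proxy and reset proxy need administrator rights, the remediation branch only works from an elevated context.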

show tracing

Displays the current WinHTTP tracing parameters.

Syntax

show tracing


Netsh Commands for Windows Sockets (WINSOCK)

You can use commands in the netsh winsock context to configure Windows Sockets. The Netsh commands for winsock can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh winsock context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then winsock to enter the netsh winsock context, you must type:

netsh winsock command

Netsh winsock command reference

The following entries provide details for each command.

audit trail

Shows the audit trail of Layered Service Providers (LSPs) that have been installed and uninstalled.

Syntax

audit trail

remove provider

Removes a Winsock Layered Service Provider (LSP) from the system.

Syntax

remove provider catalog_id

Parameters

catalog_id

Required. Specifies the catalog identifier of the Layered Service Provider (LSP) that you want to remove from the system.

reset

Restores the Winsock Catalog to a clean state and uninstalls all Winsock Layered Service Providers.

Syntax

reset

show catalog

Displays the contents of the Winsock Catalog.

Syntax

show catalog

Example output:

Winsock Catalog Provider Entry

Entry Type: Base Service Provider

Description: MSAFD Tcpip [UDP/IP]


Provider ID: {E7041AA0-AB8B-11CF-8CA3-00805F48A192}

Provider Path: %SystemRoot%\system32\mswsock.dll

Catalog Entry ID: 1002

Version: 2

Address Family: 2

Max Address Length: 16

Min Address Length: 16

Socket Type: 2

Protocol: 17

Protocol Chain Length: 1

Winsock Catalog Provider Entry

Entry Type: Base Service Provider

Description: MSAFD Tcpip [RAW/IP]

Provider ID: {E7041AA0-AB8B-11CF-8CA3-00805F48A192}

Provider Path: %SystemRoot%\system32\mswsock.dll

Catalog Entry ID: 1003

Version: 2

Address Family: 2

Max Address Length: 16

Min Address Length: 16

Socket Type: 3

Protocol: 0

Protocol Chain Length: 1

Winsock Catalog Provider Entry

Entry Type: Base Service Provider

Description: MSAFD Tcpip [TCP/IPv6]

Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}

Provider Path: %SystemRoot%\system32\mswsock.dll

Catalog Entry ID: 1004

Version: 2

Address Family: 23

Max Address Length: 28

Min Address Length: 28

Socket Type: 1

Protocol: 6

Protocol Chain Length: 1
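A Layered Service Provider sits in the path of every socket on the machine, which is why malware has used the catalog for persistence and interception and why the audit trail, remove provider and reset commands exist. The following PowerShell, an added example that is not part of the netsh reference, parses the show catalog listing in the format shown above into objects and flags entries whose DLL is outside System32, is not validly signed, or is layered over another provider (chain length greater than 1). It assumes the "Winsock Catalog Provider Entry" header and "Name: value" field layout shown above.

```powershell
# Added example, not part of the netsh reference: turns "netsh winsock show
# catalog" into objects and flags providers worth a closer look. Field names
# follow the sample listing in the text (Description, Provider Path,
# Catalog Entry ID, Protocol Chain Length); entries are delimited by the
# "Winsock Catalog Provider Entry" header line.

function Get-WinsockCatalog {
    param([string[]]$Listing = (& netsh.exe winsock show catalog 2>&1))
    $entries = @()
    $cur = $null
    foreach ($line in $Listing) {
        if ($line -match '^\s*Winsock Catalog Provider Entry') {
            if ($cur) { $entries += [pscustomobject]$cur }
            $cur = [ordered]@{}
            continue
        }
        # "Key: value" lines; the lazy key match stops at the first colon.
        if ($cur -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $cur[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($cur) { $entries += [pscustomobject]$cur }
    $entries
}

function Find-SuspiciousWinsockProvider {
    param([string[]]$Listing = (& netsh.exe winsock show catalog 2>&1))
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($e in Get-WinsockCatalog -Listing $Listing) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$e.'Provider Path')
        $reasons = @()
        # Microsoft's base providers (mswsock.dll and friends) live in System32.
        if (-not $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "outside $sys32"
        }
        # Chain length > 1 means this entry is layered on top of another
        # provider, which is exactly the LSP pattern.
        if ([int]$e.'Protocol Chain Length' -gt 1) { $reasons += 'layered (chain length > 1)' }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        } else {
            $reasons += 'file missing'
        }
        if ($reasons) {
            [pscustomobject]@{
                CatalogEntryId = $e.'Catalog Entry ID'
                Description    = $e.Description
                Path           = $path
                Reasons        = $reasons -join '; '
            }
        }
    }
}

# Usage: list the findings, then remove a single entry by its catalog ID with
#   netsh winsock remove provider <CatalogEntryId>
# or rebuild the whole catalog with "netsh winsock reset" (reboot required).
Find-SuspiciousWinsockProvider | Format-Table -AutoSize
```

Compare the findings with the output of audit trail, which records when each provider was installed; a layered provider that appeared without a corresponding software deployment is the case to investigate.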


Netsh Commands for Wireless Local Area Network (WLAN)

The Netsh commands for wireless local area network (WLAN) provide methods to configure 802.11 wireless connectivity and security settings for computers running Windows Vista® and Windows Server® 2008. You can use the Netsh WLAN commands to configure the local computer or to configure multiple computers by using a logon script. You can also use the netsh WLAN commands to view applied wireless Group Policy settings.

Wireless Network (IEEE 802.11) Policies profiles are read-only, and cannot be modified or deleted by using Netsh WLAN commands.

Running Netsh wlan commands on computers running Windows Server 2008

To run Netsh WLAN commands on computers running Windows Server 2008, you must first install the Wireless LAN Service.

Note:

On computers running Windows Server 2008, installing the Wireless LAN Service in Server Manager / Features adds and starts the WLAN AutoConfig service. WLAN AutoConfig is located in the Server Manager / Diagnostics / Services Microsoft Management Console (MMC). To remove the WLAN AutoConfig service from a computer running Windows Server 2008, you must remove (uninstall) the Wireless LAN Service from Server Manager / Features.

To install the Wireless LAN Service on computers running Windows Server 2008, do one of the following:

In Initial Configuration Tasks, in Customize This Server, click Add Features. The Add Features Wizard opens.

Click Start, and then click Server Manager. In the left pane of Server Manager, click Features, and in the details pane, in Features Summary, click Add Features. The Add Features Wizard opens.

In Select Features, in Features, scroll down the list, select Wireless LAN Service, and then click Next.

In Confirm installation selections, click Install.

In Installation Results, review your installation results, and then click Close.

Netsh WLAN commands

add filter

Adds a wireless network, by Service Set Identifier (SSID), to the wireless allowed or blocked list.

Syntax

add filter permission={allow|block|denyall} ssid=WirelessNetworkName networktype={infrastructure|adhoc}

Parameters

Permission

Required. Specifies the permission type of the filter.


SSID

Required [conditional, see "Remarks"]. SSID of the wireless network. Networktype

Required. Specifies the wireless network type.

Example commands

add filter permission=allow ssid=WiFiNetwork networktype=infrastructure

add filter permission=block ssid="Wireless Net" networktype=adhoc

add filter permission=denyall networktype=infrastructure
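The three permission values combine into an allowlist: allow entries name the SSIDs a computer may join, and a denyall entry of the same network type then blocks everything else. The following PowerShell, an added example that is not part of the netsh reference, applies such an allowlist in the right order (allow first, then denyall), optionally blocks ad hoc networks, and verifies the result with show filters; a second function removes the same entries again with delete filter. The SSIDs are hypothetical placeholders, and filters applied through Group Policy are read-only and unaffected.

```powershell
# Added example, not part of the netsh reference: enforces an SSID
# allowlist with the wlan filter commands and checks it with "show filters".
# "denyall" blocks every network of that type that is not explicitly
# allowed, so the allow entries are added first. SSIDs are placeholders.

function Invoke-NetshWlan {
    param([Parameter(Mandatory)][string[]]$NetshArgs)
    $out = (& netsh.exe wlan @NetshArgs 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "netsh wlan $($NetshArgs -join ' ') failed: $out" }
    $out
}

function Set-WlanSsidAllowlist {
    param(
        [Parameter(Mandatory)][string[]]$AllowedSsid,
        [switch]$BlockAdHoc
    )
    foreach ($ssid in $AllowedSsid) {
        # PowerShell quotes the argument itself when the SSID contains spaces,
        # so netsh receives ssid="Corp Guest" exactly as in the examples above.
        Invoke-NetshWlan 'add','filter','permission=allow',"ssid=$ssid",'networktype=infrastructure' | Out-Null
    }
    Invoke-NetshWlan 'add','filter','permission=denyall','networktype=infrastructure' | Out-Null
    if ($BlockAdHoc) {
        Invoke-NetshWlan 'add','filter','permission=denyall','networktype=adhoc' | Out-Null
    }
    # Keep blocked SSIDs visible so users can see why a nearby network refuses to connect.
    Invoke-NetshWlan 'set','blockednetworks','display=show' | Out-Null

    # Verify: every allowed SSID must now appear in the allow filter listing.
    $allow = Invoke-NetshWlan 'show','filters','permission=allow'
    $missing = @($AllowedSsid | Where-Object { $allow -notmatch [regex]::Escape($_) })
    if ($missing) { throw "allow filter missing for: $($missing -join ', ')" }
}

function Clear-WlanSsidAllowlist {
    param(
        [Parameter(Mandatory)][string[]]$AllowedSsid,
        [switch]$BlockAdHoc
    )
    Invoke-NetshWlan 'delete','filter','permission=denyall','networktype=infrastructure' | Out-Null
    if ($BlockAdHoc) {
        Invoke-NetshWlan 'delete','filter','permission=denyall','networktype=adhoc' | Out-Null
    }
    foreach ($ssid in $AllowedSsid) {
        Invoke-NetshWlan 'delete','filter','permission=allow',"ssid=$ssid",'networktype=infrastructure' | Out-Null
    }
}

# Usage:
Set-WlanSsidAllowlist -AllowedSsid 'Corp-WiFi', 'Corp Guest' -BlockAdHoc
# Roll back: Clear-WlanSsidAllowlist -AllowedSsid 'Corp-WiFi', 'Corp Guest' -BlockAdHoc
```

An SSID filter is a policy on names, not on access points: a rogue access point broadcasting an allowed SSID is still joinable, so pair the allowlist with 802.1X profiles that validate the server certificate.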

add profile

Adds a WLAN profile to the specified interface on the computer.

Syntax

add profile filename= PathAndFileName [[interface=]InterfaceName] [[user=]{all|current}]

Parameters

Filename

Required. Specifies both the path to, and the name of, the XML file that contains the profile data.

Interface

Optional. Specifies the name of the wireless interface on which to add the profile (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

User

Optional. Specifies whether the profile is applied only to the current user or to all users.

Example commands

add profile filename=C:\Users\WirelessUser\Documents\profile1.xml interface="Wireless Network Connection"

add profile filename="C:\Wireless Profiles\WiFi Profile.xml" interface=w*

connect

Connects to a wireless network by using the specified parameter.

Syntax

connect [[ssid=]WirelessNetworkName] name=ProfileName interface=InterfaceName

Parameters

SSID

Optional [conditional, see "Remarks"]. Specifies the SSID of the wireless network.


Name

Required. Specifies the name of the wireless profile to use for the connection attempt (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).

Interface

Required [conditional, see "Remarks"]. Specifies the wireless interface to use for the connection attempt, (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Examples

connect ssid=WiFiNetwork name=Profile1

connect ssid="Wireless Net" name=Profile2 interface="Wireless Network Connection"

delete filter

Removes a wireless network from the wireless allowed or blocked list.

Syntax

delete filter permission={allow|block|denyall} ssid=WirelessNetworkName networktype={infrastructure|adhoc}

Parameters

Permission

Required. Specifies the permission type of the filter.

SSID

Required [conditional, see "Remarks"]. Specifies the SSID of the wireless network. Networktype

Required. Specifies whether the wireless network type is adhoc or infrastructure.

Example commands

delete filter permission=allow ssid=WiFiNetwork networktype=infrastructure

delete filter permission=block ssid="Wireless Net" networktype=adhoc

delete filter permission=denyall networktype=adhoc

delete profile

Removes a WLAN profile from one or multiple interfaces.

Syntax

delete profile name=ProfileName [[interface=]InterfaceName]

Parameters

Name


Required. Specifies the name of the wireless profile to delete (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).

Interface

Optional. Specifies the name of the wireless interface from which to delete the profile (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Example commands

delete profile name="Profile 1" interface="Wireless Network Connection"

delete profile name=Profile2 interface=*

delete profile name="Profile 1" i=*

disconnect

Disconnects the specified interface from a wireless network.

Syntax

disconnect interface=InterfaceName

Parameters

Interface

Required [conditional, see "Remarks"]. Specifies which wireless interface is used for the disconnect attempt , (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Example commands

disconnect

disconnect interface="Wireless Network Connection"

export profile

Saves WLAN profiles as XML files to the specified location.

Syntax

export profile folder=PathAndFileName [[name=]ProfileName] [[interface=]InterfaceName]

Parameters

Folder

Optional. Specifies the path and file name where the profile XML file is to be saved.

Name

Optional. Specifies the name of the wireless profile to export (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).


Interface

Optional. Specifies the name of the wireless interface on which the profile is configured (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Example commands

export profile folder=c:\profiles name="Profile 1" interface="Wireless Network Connection"

export profile folder="c:\wifi profiles" name=Profile2 interface=*

set autoconfig

Enables or disables WLAN Auto Config Service on an interface.

Syntax

set autoconfig enabled={yes|no} interface=InterfaceName

Parameters

enabled

Required. Specifies whether to set the WLAN AutoConfig service to enabled or disabled.

Interface

Required. Specifies the name of the interface on which the service is enabled or disabled (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Example command

set autoconfig enabled=yes interface="Wireless Network Connection"

set blockednetworks

Shows or hides the blocked networks in the visible network list.

Syntax

set blockednetworks display={show|hide}

Parameters

Display

Required. Specifies whether to show or hide the blocked networks in the list of available wireless networks.

Example command

set blockednetworks display=show

The example command specifies that blocked networks are shown in the list of available networks.


set createalluserprofile

Specifies whether users are allowed to create all-user profiles, regardless of whether they are members of the Administrators group. Users who have membership in the Administrators group can create all-user profiles no matter whether “set createalluserprofile enabled=” is set to “yes” or “no.”

Syntax

set createalluserprofile enabled={yes|no}

Parameters

Enabled

Required. Specifies whether all computer users are allowed to create all user profiles.

Example command

set createalluserprofile enabled=yes

set profileorder

Sets the preference order of a wireless network profile on a wireless network interface.

Syntax

set profileorder name=ProfileName interface=InterfaceName priority=integer

Parameters

Name

Required. Specifies the name of the profile to set (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).

Interface

Required. Specifies the name of the interface that has this profile configured (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Priority

Required. Specifies the new priority number for the profile.

Example command

set profileorder name="profile 1" interface="Wireless Network Connection" priority=1

set profileparameter

Sets parameters in a wireless network profile.

Syntax

set profileparameter name=ProfileName [[interface=]InterfaceName] [[authMode=]{machineOrUser|machineOnly|userOnly|guest}] [[ssoMode=]{preLogon|postLogon|none}] [[maxDelay=]1-120] [[allowDialog=]{yes|no}] [[userVLAN=]{yes|no}] [[fips=]{yes|no}]


Parameters

Name

Required. Specifies the name of the profile to set (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).

Interface

Optional. Specifies the name of the interface on which the profile is set (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

AuthMode

Optional [conditional, see "Remarks"]. Specifies the type of credentials to use for authentication. SSOMode

Optional [conditional, see "Remarks"]. Specifies the type of single sign on to be attempted, if any. MaxDelay

Optional [conditional, see "Remarks"]. Specifies the timeout value to establish single sign-on connection. AllowDialog

Optional [conditional, see "Remarks"]. Specifies whether to allow or disallow a dialog to be shown for prelogon. UserVLAN

Optional [conditional, see "Remarks"]. Specifies if the network switches to a different VLAN upon user authentication. FIPS

Optional [conditional, see "Remarks"]. Specifies whether to enable or disable Federal Information Processing Standards Publications (FIPS) mode.

Example commands

set profileparameter name="Profile 1" authMode=userOnly ssoMode=preLogon

set profileparameter name=Profile2 ssoMode=none fips=yes

set tracing

Enables or disables WLAN tracing.

Syntax

set tracing mode={yes|no|persistent}

Parameters

Mode


Required. Specifies whether tracing is disabled, enabled and persistent, or enabled and nonpersistent. See "Remarks" for additional information.

Example command

set tracing mode=persistent

show all

Displays the entire collection of information about wireless network adapters, wireless profiles and wireless networks.

Syntax

show all

Parameters

There are no parameters for this command.

Example command

show all

show autoconfig

Displays whether the WLAN AutoConfig service is enabled or disabled.

Syntax

show autoconfig

Parameters

There are no parameters for this command.

The output shows whether the WLAN AutoConfig service is enabled or disabled on each wireless adapter interface.

Example command

show autoconfig

show blockednetworks

Displays the global setting that controls whether blocked networks are displayed or hidden in the visible network list.

Syntax

show blockednetworks

Parameters

There are no parameters for this command.

Example command

show blockednetworks

show drivers

Displays the properties of the wireless adapter drivers on the computer.


Syntax

show drivers [[interface=]InterfaceName]

Parameters

Interface

Optional. Specifies the name of the interface for which driver information is displayed (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Example command

show drivers interface="Wireless Network Connection"

show filters

Displays the current list of allowed and blocked wireless networks.

Syntax

show filters [[permission=]{allow|block}]

Parameters

Permission

Optional. Specifies whether to show only the list of allowed networks or only the list of blocked networks configured on the computer. If omitted, both lists are shown.

Example commands

show filters

show filters permission=allow

show filters permission=block

show interfaces

Displays a list of the current wireless interfaces on a computer.

Syntax

show interfaces

Parameters

There are no parameters for this command.

Example command

show interfaces

show networks

Displays a list of wireless networks that are visible on the computer.

Syntax

show networks [[interface=]InterfaceName] [[mode=]{ssid|bssid}]


Parameters

Interface

Optional. Specifies the interface for which the network information is returned (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Mode

Optional. Specifies whether to display information for Basic Service Set Identifier (BSSID), or Service Set Identifier (SSID).

Example commands

show networks interface="Wireless Network Connection"

show networks mode=bssid

show networks

show profiles

Displays a list of wireless profiles that are configured on the computer.

Syntax

show profiles [[name=]ProfileName] [[interface=]InterfaceName]

Parameters

Name

Optional. Specifies the name of the profile to display (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).

Interface

Optional. Specifies the name of the interface that has this profile configured (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).

Example commands

show profiles name="profile 1" interface="Wireless Network Connection"

show profiles name=profile2

show profiles

show settings

Displays the current global settings of the wireless LAN.

Syntax

show settings


Parameters

There are no parameters for this command.

Example command

show settings

show tracing

Displays whether wireless tracing is enabled or disabled.

Syntax

show tracing

Parameters

There are no parameters for this command.
