Netsh Communication Networking

books

Uploaded by

obertly
Copyright
© Attribution Non-Commercial (BY-NC)

Network 1 Netsh Communication Networking

Contents

Netsh Overview
Network Communications technologies that provide netsh functionality
Features and other network Communications technologies
Netsh Commands for All Contexts
Netsh Commands for Windows Firewall with Advanced Security
Netsh Commands for Network Bridge
Netsh Commands for Dynamic Host Configuration Protocol client
Netsh Commands for Windows Firewall
Netsh Commands for Hypertext Transfer Protocol (HTTP)
Netsh Commands for Interface (IPv4 and IPv6)
Netsh Commands for Interface 6to4
Netsh Commands for Interface Internet Protocol version 4 (IPv4)
Netsh Commands for Interface Internet Protocol version 6 (IPv6)
Netsh Commands for Interface ISATAP
Netsh Commands for Interface Portproxy
Netsh Commands for Interface Transmission Control Protocol
Netsh Commands for Interface Teredo
Netsh Commands for Internet Protocol Security (IPSec)
Netsh Commands for Wired Local Area Network (LAN)
Netsh Commands for NAP Client
Netsh Commands for Network Input Output (NETIO)
Netsh Commands for Peer-to-peer Networking (P2P)
Netsh Commands for Remote Access
Netsh Commands for Remote Procedure Call (RPC)
Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)
Netsh Commands for Windows Sockets (WINSOCK)
Netsh Commands for Wireless Local Area Network (WLAN)

Netsh Overview
Network shell (netsh) is a command-line utility that allows you to configure and display the status of
various network communications server roles and components after they are installed on computers
running Windows Server® 2008.

Some client technologies, such as Network Access Protection (NAP) client, also provide netsh
commands that allow you to configure client computers running Windows Vista®.

In most cases, netsh commands provide the same functionality that is available when using the
Microsoft Management Console (MMC) snap-in for each server role or component. In addition, there
are netsh commands for network functionality, such as for IPv6, network bridge, and remote
procedure call (RPC), that are not available in the user interface as an MMC snap-in.

You can use netsh commands to configure and display the status of network components on the
local computer and on remote computers.

In addition, netsh commands can be run manually by typing commands at the netsh prompt and
they can be run in batch files and scripts.

Netsh commands are organized in a hierarchy of contexts. Each network technology with netsh
command functionality has its own context. For example, the netsh context for remote access
service is ras.

Network communications technologies that provide netsh functionality
Netsh functionality is provided for some server roles, role services, features, and technologies.

Server roles and role services


The following server roles provide netsh command functionality:

The Dynamic Host Configuration Protocol (DHCP) server role. After installing the DHCP server role,
you can configure the DHCP server by using the commands at the netsh dhcp context. The context
for DHCP is netsh dhcp.

The Network Policy and Access Services server role. This server role provides netsh functionality for
the following role services after the role services are installed:

Health Registration Authority (HRA). The context for HRA is netsh nap hra.

Network Policy Server (NPS). The context for NPS is netsh nps.

Routing and Remote Access. The contexts for Routing and Remote Access are netsh routing and
netsh ras.

Features and other network communications technologies


The following features provide netsh command functionality:

Windows Internet Name Service (WINS). The context for WINS is netsh wins.

The following network communications technologies provide netsh functionality:

DHCP client. The context for DHCP client is netsh dhcpclient.

Firewall. See Windows Firewall and Windows Firewall with Advanced Security.

Hypertext Transfer Protocol (HTTP). The context for HTTP is netsh http.

Internet Authentication Service. IAS is renamed to Network Policy Server (NPS), and the context for
NPS is netsh nps.

Internet Protocol version 4 (IPv4). The context for IPv4 is netsh interface ip.

Internet Protocol version 6 (IPv6). The context for IPv6 is netsh interface ipv6.

IPv4 and IPv6 network and application proxy. The context for the IPv4 and IPv6 network and
application proxy is netsh interface portproxy.

Internet Protocol security (IPsec). The context for IPsec is netsh ipsec.

Local Area Network. See Wired Local Area Network.

Network Access Protection (NAP). The context for NAP client is netsh nap. In addition, NPS provides
netsh commands at the netsh nps context that allow you to configure NPS as a NAP policy server.

Network Bridge. The context for network bridge is netsh bridge.

Network input output (netio). The context for netio is netsh netio.

Remote Procedure Call (RPC). The context for RPC is netsh rpc.

Windows Firewall. The context for Windows Firewall is netsh firewall.

Windows Firewall with Advanced Security. The context for Windows Firewall with Advanced Security
is netsh advfirewall.

Windows HTTP. The context for Windows HTTP is netsh winhttp.

Windows Sockets (winsock). The context for Windows Sockets is netsh winsock.

Wired Local Area Network (LAN). The context for wired LAN is netsh lan.

Wireless LAN. The context for wireless LAN is netsh wlan.

The following sections provide information about the netsh commands and their use, including a
comprehensive command reference with syntax and parameters for all commands.

You can use this procedure to start the network shell and enter a netsh context.

To enter a netsh context


Open command prompt.

At the command prompt, type netsh, and then press ENTER.

Type one of the values from the following table, and then press ENTER.

Netsh contexts
Following are the values you can type to enter a netsh context.

Value         Technology
dhcpclient    Dynamic Host Configuration Protocol (DHCP) client
dhcp          Dynamic Host Configuration Protocol (DHCP) server
nap hra       Health Registration Authority (HRA)
http          Hypertext Transfer Protocol (HTTP)
interface     Interface (IPv4 and IPv6)
nps           Internet Authentication Service (IAS). IAS is renamed to Network Policy Server.
ipsec         Internet Protocol security
nap           Network Access Protection (NAP) client
bridge        Network Bridge
netio         Network Input Output (NETIO)
nps           Network Policy Server (NPS)
ras           Remote Access
routing       Routing
rpc           Remote Procedure Call (RPC)
firewall      Windows Firewall
advfirewall   Windows Firewall with Advanced Security
winhttp       Windows Hypertext Transfer Protocol (WinHTTP)
wins          Windows Internet Name Service (WINS)
winsock       Windows Sockets (WINSOCK)
lan           Wired Local Area Network (LAN)
wlan          Wireless Local Area Network (WLAN)

Additional information

To enter a context, you can type only enough letters in the context name to allow netsh to uniquely
identify the context. For example, to enter the winhttp context from the netsh prompt (that is,
netsh>), you can type winh, and then press ENTER.
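
Because a context can be typed in shortened form, a script review or log search keyed on the full context name can miss the same command written with an abbreviation. The following is an added example, not part of the original document: it resolves a typed token against the context table above and expands it to the full name. It assumes the same abbreviation rule applies when the context follows netsh on a command line, and that an exact name takes precedence over longer names that start with it; the sample command lines are constructed.

```python
import re

# Top-level context names copied from the "Netsh contexts" table on this page.
CONTEXTS = ("advfirewall", "bridge", "dhcp", "dhcpclient", "firewall", "http",
            "interface", "ipsec", "lan", "nap", "netio", "nps", "ras", "routing",
            "rpc", "winhttp", "wins", "winsock", "wlan")

# "netsh" (or "netsh.exe"), then the token that names the context, then the rest.
NETSH_RE = re.compile(r"^(\s*netsh(?:\.exe)?\s+)(\S+)(.*)$", re.IGNORECASE | re.DOTALL)


def resolve_context(token):
    """Return every context the typed token could mean (one item = unique)."""
    token = token.lower()
    if token in CONTEXTS:
        # Assumption of this example: an exact name wins over longer names
        # sharing the prefix (dhcp vs dhcpclient, wins vs winsock).
        return [token]
    return [c for c in CONTEXTS if token and c.startswith(token)]


def normalize_command(line):
    """Expand an abbreviated context to its full name.

    Lines that are not netsh commands, or whose context token is unknown or
    ambiguous, are returned unchanged so they can be reviewed separately.
    """
    match = NETSH_RE.match(line)
    if not match:
        return line
    candidates = resolve_context(match.group(2))
    if len(candidates) != 1:
        return line
    return match.group(1) + candidates[0] + match.group(3)


# Constructed sample command lines (not taken from a real system).
SAMPLE_LINES = [
    r"netsh advf export c:\temp\wfas.wfw",
    r"netsh winh show proxy",
    r"netsh dhcp server add scope parameters",
    r"netsh w show",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(f"{sample!r:45} -> {normalize_command(sample)!r}")
```
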

Some of these contexts are not available at the netsh prompt unless you have previously installed
the server role, role service, feature, or other technology. For example, the DHCP server context
netsh dhcp is not available at the netsh prompt until after you install the DHCP server role.

Many of the contexts listed above have one or more subcontexts. Subcontexts contain netsh
commands that can be run only within the subcontext. For example, to run the add scope command,
you must be within the server subcontext of the dhcp context:

netsh dhcp server add scope parameters

Where parameters are the properties of the scope that you can configure with the command.

Network Policy Server (NPS) was formerly known as Internet Authentication Service, and is the
Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and
proxy, as well as a client health policy server for Network Access Protection (NAP).

Netsh Commands for All Contexts
Netsh uses the following standard commands in all contexts that you can run from a Netsh.exe
command prompt (that is, netsh>).

Netsh standard commands


Following is the list of netsh commands that you can run in all netsh contexts:

add helper
Installs the helper dynamic-link library (DLL) in netsh.

Syntax
add helper DLLName

Parameters
DLLName

Required. Specifies the name of the helper DLL that you want to install.

/?

Displays help at the command prompt.

alias
Adds an alias that consists of a user-defined character string, which netsh treats as equivalent to
another character string. Used without parameters, alias displays all available aliases.

Syntax
alias [AliasName] [String1 [String2 ...]]

Parameters
alias [AliasName]

Displays the specified alias.

alias [AliasName] [String1 [String2 ...]]

Sets AliasName to the specified strings.

/?

Displays help at the command prompt.

Netsh Commands for Windows Firewall with Advanced Security
Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps
with the creation, administration, and monitoring of Windows Firewall and IPsec settings and
provides an alternative to console-based management. This can be useful in the following
situations:

When deploying Windows Firewall with Advanced Security settings to computers on a wide area
network (WAN), commands can be used interactively at the Netsh command prompt to provide
better performance than graphical utilities when used across slow-speed network links.

When deploying Windows Firewall with Advanced Security settings to a large number of computers,
commands can be used in batch mode at the Netsh command prompt to help script and automate
recurring administrative tasks that must be performed.

You must have the required permissions to run the netsh advfirewall commands:

If you are a member of the Administrators group, and User Account Control is enabled on your
computer, then run the commands from a command prompt with elevated permissions. To start a
command prompt with elevated permissions, find the icon or Start menu entry that you use to start
a command prompt session, right-click it, and then click Run as administrator.

If you are a member of the Network Operators group then you can run the commands from any
command prompt.

If you are not a member of Administrators or Network Operators, and have not been delegated any
other permissions to run this command, then you can run only those commands that display, but do
not change settings.

Netsh AdvFirewall context


The following commands are available at the netsh advfirewall> prompt.

To start the advfirewall context at an elevated command prompt, type netsh, press ENTER, then
type advfirewall and press ENTER.

dump
This command is available for some netsh contexts, but is not implemented for the netsh
advfirewall context or any of its three subcontexts. It produces no output, but also generates no
error. When the dump command is used from the root context, no Windows Firewall or IPsec
configuration information is included in the output.

export
Exports the Windows Firewall with Advanced Security configuration in the current store to a file.
This file can be used with the import command to restore the Windows Firewall with Advanced
Security service configuration to a store on the same or to a different computer. The Windows
Firewall with Advanced Security configuration on which the export command works is determined by
the set store command. This command is the equivalent to the Export Policy command in the
Windows Firewall with Advanced Security MMC snap-in.

Syntax
export [Path]FileName

Parameters
[Path]FileName

Required. Specifies, by name, the file where the Windows Firewall with Advanced Security
configuration will be written. If the path, file name, or both contain spaces, quotation marks must
be used. If you do not specify Path then the command places the file in your current folder. The
recommended file name extension is .wfw.

Examples

In the following example, the command exports the complete Windows Firewall with Advanced
Security service configuration to the file C:\temp\wfas.wfw.

export c:\temp\wfas.wfw

import
Imports a Windows Firewall with Advanced Security service configuration from a file to the local
service. The configuration file is created by using the export command. This command is equivalent to
the Import Policy command in the Windows Firewall with Advanced Security Microsoft
Management Console (MMC) snap-in.

Syntax
import [Path]FileName

Parameters
[Path]FileName

Required. Specifies, by name, the file from which the Windows Firewall with Advanced Security
configuration will be imported. If the path, the file name, or both contain spaces, quotation marks
must be used. If you do not specify Path, then the command looks in the current folder for the file.

Examples
In the following example, the command imports the complete Windows Firewall with Advanced
Security service configuration from the file c:\temp\wfas.wfw.

import c:\temp\wfas.wfw

reset
Restores Windows Firewall with Advanced Security to all of its default settings and rules. Optionally,
it first backs up the current settings by using the export command to a configuration file. This
command is equivalent to the Restore Defaults command in the Windows Firewall with Advanced
Security MMC snap-in.

If the current focus of your commands is the local computer object, then the default settings and
rules immediately take effect on the computer.

If the current focus of your commands is a GPO, then this command resets all policy settings in that
object to Not Configured, and deletes all connection security and firewall rules from the object.
Changes do not take place until that policy is refreshed on those computers to which the policy
applies. To use the Netsh tool to modify a GPO rather than the local computer's configuration store.

Syntax
reset [export [Path]FileName]

Parameters
[Export [Path]FileName]

Specifies that the current configuration is backed up to the specified file before Windows Firewall
with Advanced Security is reset to all default configuration settings and rules. If you do not specify Path,
then the command places the file in your current folder. The recommended file name extension is
.wfw.

Examples

In the following example, the command exports the complete Windows Firewall with Advanced
Security configuration to the file c:\Temp\wfas.wfw, and then resets the Windows Firewall with
Advanced Security configuration to its default configuration settings and rules.

reset export c:\Temp\wfas.wfw

set
Configures settings that apply globally, or to the per-profile configurations of Windows Firewall with
Advanced Security.

The Set commands available at the netsh advfirewall> prompt are:

set {ProfileType}
Configures options for the profile associated with the specified network location type. Windows only
uses one profile at a time, regardless of the number and types of networks to which you are
connected. To see which profile is currently active on your computer, use the netsh advfirewall
show currentprofile command. The set {ProfileType} command is equivalent to using the
Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and
Public profiles.

When your computer is connected to multiple networks, the profile type that Windows Firewall with
Advanced Security uses is the one that is expected to be more protective of your computer. For
example, if your computer is connected to both a Public network and a Domain network, then
Windows Firewall with Advanced Security will use the profile associated with the Public network
location type, because it is expected to contain more restrictive and protective settings than the
Domain profile. The list of network location types in order of expected increasing restrictiveness is
domain, private, and then public. We recommend that you maintain that expected order when you
modify the profiles so that you do not unexpectedly use a less protective profile when you are
connected to a less secure network location type.

Syntax
set ProfileType Parameter Value

Parameters
ProfileType

Required. Can be any one of the following:

• allprofiles

• currentprofile

• domainprofile

• privateprofile

• publicprofile

Netsh Commands for Network Bridge
You can run these commands from the command prompt on a computer running Microsoft®
Windows Vista® or Windows Server® 2008 from the netsh bridge context. To successfully run
these commands at the command prompt on a computer running Windows Server 2008, you must
type netsh bridge before typing the commands and parameters as they appear in this topic.

Netsh commands for Network Bridge

show adapter
Displays adapter identification, adapter names, and the state of the Layer 3 compatibility mode of
adapters that are part of Network Bridge.

show adapter 2

This command lists the adapter ID, friendly name, and the state of the Layer 3 compatibility mode
information for adapter 2.

set adapter
This command modifies the configuration of a specified adapter that is part of Network Bridge by
setting the state of the adapter to either enable or disable network layer (Layer 3) compatibility
mode.

set adapter 2 forcecompatmode=enable

This command is used to force adapter 2 to run in Layer 3 compatibility mode.

Netsh Commands for Dynamic Host Configuration Protocol client
The Netsh commands for Dynamic Host Configuration Protocol (DHCP) client offer a command-line
tool that helps with the administration of DHCP clients.

Netsh commands for DHCP client


You can run these commands from the command prompt for the Netsh DHCP client context. For these
commands to work at the command prompt, you must type netsh dhcpclient before typing commands
and parameters as they appear in the syntax below.

Netsh DHCP client


The following commands are available at the dhcpclient> prompt, which is rooted within the netsh
environment.

trace
Specifies whether logging, which is also called tracing, is enabled or disabled for the DHCP client on
the local computer.

Syntax
trace { enable | disable }

Parameters
Enable

Optional. Specifies that logging is enabled for the DHCP client service on the local computer. If the
DHCP Network Access Protection (NAP) Enforcement Client is enabled, NAP events are also logged.

Disable

Optional. Specifies that logging is disabled for the DHCP client service on the local computer. If the
DHCP NAP Enforcement Client is enabled, logging of NAP events is also disabled.

Example
The following example enables tracing for the DHCP client service and the DHCP NAP Enforcement
Client:

netsh dhcpclient trace enable

Netsh Commands for Windows Firewall
The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of
the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure
and view Windows Firewall exceptions and configuration settings.

The firewall context of the netsh command-line tool is provided only for backwards-compatibility with
earlier versions of Windows. The firewall context works on computers that are running Microsoft®
Windows Vista® and Windows Server® 2008, but it does not allow you to manage or interact with any of
the firewall features that are new to Windows Vista or Windows Server 2008. This context does not allow
you to work remotely on a computer to directly configure its firewall.

Microsoft recommends that you use the advfirewall context unless you are using this tool in a mixed
environment and must maintain backwards-compatibility with earlier versions of Windows. To use the new
firewall features included with Windows Vista and Windows Server 2008, you must use the advfirewall
context instead.

We recommend that you do not use this context on a computer that is running Windows Vista or Windows
Server 2008, because by using it you can create and modify firewall rules only for the domain and private
profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista or
Windows Server 2008, standard maps to the private profile and domain continues to map to the domain
profile. Rules for the public profile can only be manipulated when the computer is actually attached to a
public network and the command is run against the "current" profile.

You can run these commands from within the netsh tool at the netsh firewall> prompt.

For these commands to work at a standard Windows command prompt, you must preface each
command with netsh firewall, followed by the specific command and parameters as they appear in
the syntax below.

Netsh firewall
The following sections describe each command and its syntax.

add allowedprogram
Adds a program-based exception to the firewall.

Syntax
add allowedprogram [ program = ] PathAndFileName [ name = ] ProgramName [ [ mode = ] {
enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress |
IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]

Parameters
[ program = ] PathAndFileName

Required. The path and file name of the program to be added to the firewall exception list. If the
path or file name includes spaces, then you must use quotation marks around the path and file
name.

[ name = ] ProgramName

Required. Friendly name of the program to be added to the list. This value is displayed in the
Firewall control panel exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer. The default
value is enable.

[ [ scope = ] { all | subnet | custom } ]

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is
allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed
from computers on the local computer's subnet only. custom indicates that traffic is allowed from
only those computers whose IP address matches the addresses parameter. The default value is
all.

[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example,
192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example,
192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For
example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's
current subnet.

Multiple entry types can be combined on a command line by separating them with commas:
172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The firewall profile is
determined by the detected network location types accessible through the computer's
network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

• You must specify scope=custom to specify addresses. If scope=custom is used, then
addresses cannot be blank.

• To specify the profile associated with the public network location type, you must specify
profile=current when the computer is attached to a public network.

• The addresses parameter cannot contain an unspecified IPv6 address, a loopback address,
or a multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

add allowedprogram "C:\My App\MyApp.exe" "My Application" enable

add allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom
157.60.0.1,172.16.0.0/16,12AB:0000:0000:CD30::/60,localsubnet

set allowedprogram
Modifies the settings of an existing program-based exception.

Syntax
set allowedprogram [ program = ] PathAndFileName [ [ name = ] ProgramName ] [ [ mode
= ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] {
IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain |
standard | all } ]

Parameters
[ program = ] PathAndFileName

Required. The path and file name of the program whose exception you want to modify. If the path
or file name includes spaces, then you must use quotation marks around the path and file name.

[ [ name = ] ProgramName ]

Friendly name of the program to be added to the list. This value is displayed in the Firewall control
panel exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer.

[ [ scope = ] { all | subnet | custom } ]

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is
allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed
from computers on the local computer's subnet only. custom indicates that traffic is allowed from
only those computers whose IP address matches the addresses parameter.

[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example,
192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example,
192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For
example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's
current subnet.

Multiple entry types can be combined on a command line by separating them with commas:
172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

You must specify at least one parameter other than program.

You must specify scope=custom to specify addresses. If scope=custom is used, then addresses
cannot be blank.

To specify the profile associated with the public network location type, you must specify
profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a
multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set allowedprogram "C:\My App\MyApp.exe" "My Application" enable

set allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom
157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

set allowedprogram program="C:\My App\MyApp.exe" name=MyApp mode=enable
scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
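
The scope and addresses rules given for add allowedprogram and set allowedprogram can be checked offline before a deployment script is run. The following is an added example, not part of the original document or of netsh: it parses both the positional and the tagged command forms shown above, validates each addresses entry against the listed entry types and restrictions, and reports exceptions left open to any computer. The parsing is a simplified model of the syntax line, the range-order check and the use of a subnet's network address for the restriction checks are assumptions of this example, and the sample script is constructed.

```python
import ipaddress
import re

# Parameter order taken from the syntax line on this page.
TAGS = ("program", "name", "mode", "scope", "addresses", "profile")
TAG_RE = re.compile(r"\b(%s)\s*=\s*" % "|".join(TAGS), re.IGNORECASE)
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # words, with "quoted parts" kept together


def parse_allowedprogram(line):
    """Return (verb, params) for an add/set allowedprogram line, else None."""
    # Collapse 'tag = value' to 'tag=value' (simplification: also applies inside quotes).
    line = TAG_RE.sub(lambda m: m.group(1).lower() + "=", line)
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(line)]
    lowered = [t.lower() for t in tokens]
    if "allowedprogram" not in lowered:
        return None
    i = lowered.index("allowedprogram")
    verb = lowered[i - 1] if i else ""
    if verb not in ("add", "set"):
        return None
    params = {}
    for tok in tokens[i + 1:]:
        tag, sep, value = tok.partition("=")
        if sep and tag in TAGS:
            params[tag] = value
        else:
            # Untagged value: fill the next free slot in syntax order.
            slot = next((t for t in TAGS if t not in params), None)
            if slot is not None:
                params[slot] = tok
    return verb, params


def check_address_entry(entry):
    """Return None if the entry is acceptable, otherwise a reason string."""
    if entry.lower() == "localsubnet":
        return None
    try:
        if "/" in entry:   # subnet with mask or prefix; its network address is checked
            endpoints = [ipaddress.ip_network(entry, strict=False).network_address]
        elif "-" in entry:  # range: start-end
            start, end = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            if start.version != end.version or start > end:  # added sanity check
                return "range endpoints are inconsistent"
            endpoints = [start, end]
        else:
            endpoints = [ipaddress.ip_address(entry)]
    except ValueError:
        return "not an address, range, subnet or localsubnet"
    for ip in endpoints:
        if ip.is_loopback:
            return "loopback address"
        if ip.is_multicast:
            return "multicast address"
        if ip.version == 6 and ip.is_unspecified:
            return "unspecified IPv6 address"
    return None


def audit(line):
    """Return the findings for one command line (empty list = nothing to report)."""
    parsed = parse_allowedprogram(line)
    if parsed is None:
        return []
    verb, params = parsed
    # 'add' defaults to scope=all; 'set' leaves an unspecified scope unchanged.
    scope = params.get("scope", "all" if verb == "add" else "").lower()
    addresses = params.get("addresses", "")
    findings = []
    if scope == "all":
        findings.append("scope=all: traffic allowed from any computer, including the Internet")
    if scope == "custom" and not addresses:
        findings.append("scope=custom requires a non-empty addresses list")
    if addresses and scope != "custom":
        findings.append("addresses is only valid with scope=custom")
    for entry in addresses.split(",") if addresses else []:
        reason = check_address_entry(entry)
        if reason:
            findings.append(f"addresses entry {entry!r}: {reason}")
    return findings


def audit_script(text):
    """Return {line_number: findings} for the lines that produced findings."""
    numbered = enumerate(text.strip().splitlines(), start=1)
    return {n: f for n, f in ((n, audit(line)) for n, line in numbered) if f}


# Constructed sample script: lines 1-2 follow the page's examples, 3-4 contain mistakes.
SAMPLE = r'''
netsh firewall add allowedprogram "C:\My App\MyApp.exe" "My Application" enable
netsh firewall add allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,12AB:0000:0000:CD30::/60,localsubnet
netsh firewall set allowedprogram program="C:\My App\MyApp.exe" name=MyApp mode=enable scope=custom addresses=157.60.0.1,127.0.0.1,224.0.0.5,::
netsh firewall set allowedprogram program = C:\MyApp\MyApp.exe scope = subnet addresses=10.1.0.0/16
'''

if __name__ == "__main__":
    for number, findings in audit_script(SAMPLE).items():
        print(number, findings)
```
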

delete allowedprogram
Deletes an existing program-based exception.

Syntax
delete allowedprogram [ program = ] PathAndFileName [ [ profile = ] { current | domain |
standard | all } ]

Parameters
[ program = ] PathAndFileName

Required. The path and file name of the program to be deleted from the firewall exception list.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

delete allowedprogram C:\MyApp\MyApp.exe

delete allowedprogram program = C:\MyApp\MyApp.exe profile=all

set icmpsetting
Specifies the types of ICMP traffic that are permitted through the firewall.

Syntax
set icmpsetting [ type = ] { 2-5 | 8-9 | 11-13 | 17 | all } [ [ mode = ] { enable | disable} ] [
[ profile = ] { current | domain | standard | all } ]

Parameters
[ type = ] { 2-5 | 8-9 | 11-13 | 17 | all }

Required. The type of ICMP traffic to allow. The value must be one of the following ICMP message
types:

• 2 - Outbound packet too big.

• 3 - Outbound destination unreachable.

• 4 - Outbound source quench.

• 5 - Redirect.

• 8 - Inbound echo request (ping).

• 9 - Inbound router request.

• 11 - Outbound time exceeded.

• 12 - Outbound parameter problem.

• 13 - Inbound timestamp request.

• 17 - Inbound mask request.

• all - All of the above types.

[ [ mode = ] { enable | disable} ]

Specifies whether this exception is currently applied and active on the local computer. The default
value is enable.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set icmpsetting 8 enable all

set icmpsetting type=all mode=disable

set multicastbroadcastresponse
Specifies whether or not responses to a multicast or broadcast request are allowed through the
firewall.

Syntax
set multicastbroadcastresponse [ mode = ] { enable | disable} [ [ profile = ] { current |
domain | standard | all } ]

Parameters
[ mode = ] { enable | disable}

Required. Specifies whether to enable or disable responses to multicast or broadcast traffic. The
default value is enable.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set multicastbroadcastresponse enable

set multicastbroadcastresponse mode=enable profile=all

set notifications
Specifies whether the firewall displays a pop-up notification to the user when a program attempts to
listen on a port.

Syntax
set notifications [ mode = ] { enable | disable} [ [ profile = ] { current | domain | standard
| all } ]

Parameters
[ mode = ] { enable | disable}

Required. Specifies whether to enable or disable responses to multicast or broadcast traffic.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set notifications enable

set notifications disable

set notifications mode=enable profile=current

set logging
Specifies whether the firewall writes information to a log file, and what details are included. This
command only affects the currently active profile.

Syntax
set logging [ [ filelocation = ] PathAndFileName ] [ [ maxfilesize = ] Integer ] [ [
droppedpackets = ] { enable | disable } ] [ [ connections = ] { enable | disable } ]

Parameters
[ [ filelocation = ] PathAndFileName ]

Specifies the path and file name of the file to which the firewall writes its log. The default value is
%windir%\pfirewall.log.

[ [ maxfilesize = ] Integer ]

Specifies the maximum file size in kilobytes. Must be an integer value from 1 to 32767. The default
value is 4096.

[ [ droppedpackets = ] { enable | disable } ]

Specifies whether to include an entry for each packet dropped by the firewall. The default value is
disable.

[ [ connections = ] { enable | disable } ]

Specifies whether to include an entry for each successful connection. The default value is disable.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set logging enable enable

set logging 4096 enable disable

set logging c:\mylogs\mylog.log 4096 enable enable

set opmode
Specifies the operating mode of Windows Firewall.

Syntax
set opmode [ mode = ] { enable | disable } [ [ exceptions = ] { enable | disable } ] [ [
profile = ] { current | domain | standard | all } ]

Parameters
[ mode = ] { enable | disable}

Required. Specifies whether to turn the firewall on or off.

[ [ exceptions = ] { enable | disable } ]

Specifies whether the firewall uses any currently defined port and program exceptions that are
enabled. If exceptions=disable, then all enabled port and program exceptions are ignored.
Default is enable.

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set opmode enable

set opmode mode=enable exceptions=enable

add portopening
Creates a port-based exception.

Syntax
add portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ name = ]
ExceptionName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [
addresses = ] addresses ] [ [ profile = ] { current | domain | standard | all } ]

Parameters
[ protocol = ] { tcp | udp | all }

Required. Specifies whether the port number refers to TCP, UDP, or both.

[ port = ] Integer

Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535.
Only a single value can be specified and port ranges are not supported.

[ name = ] ExceptionName

Required. Specifies the name of the exception. This value is displayed in the Firewall control panel
exception list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer.

[ scope = ] { all | subnet | custom }

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is
allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed
from computers on the local computer's subnet only. custom indicates that traffic is allowed from
only those computers whose IP address matches the addresses parameter. The default value is
all.

[ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example,
192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example,
192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For
example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's
current subnet.

Multiple entry types can be combined on a command line by separating them with commas:
172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ profile = ] { current | domain | standard | all }

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

add portopening tcp 80 MyWebPort

add portopening udp 500 "IKE Exception" enable all

add portopening all 53 DNS enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
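The scope and addresses parameters decide which remote computers an exception admits, so it is worth checking what a list actually covers before applying it. The following is an added example, not part of the original reference: it parses each entry form listed above and reports how many addresses the entry covers and whether any of them fall outside internal ranges. The function names, the INTERNAL list and the choice to reject subnets with host bits set are assumptions of this sketch, not netsh behavior.

```python
import ipaddress

# Ranges this script treats as internal: its own policy list, not a netsh setting.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private IPv4
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local
)]


def parse_entry(entry):
    """Return (kind, first, last) for one addresses= entry, or raise ValueError."""
    text = entry.strip()
    if text.lower() == "localsubnet":
        return ("localsubnet", None, None)  # resolved by the firewall at run time
    if "/" in text:
        # Handles both subnet forms: 10.1.0.0/16 and 192.168.0.0/255.255.255.0.
        # strict=True rejects host bits; that is this script's choice, to catch typos.
        net = ipaddress.ip_network(text, strict=True)
        return ("subnet", net.network_address, net.broadcast_address)
    if "-" in text:
        start_text, end_text = text.split("-", 1)
        start = ipaddress.ip_address(start_text.strip())
        end = ipaddress.ip_address(end_text.strip())
        if start.version != end.version:
            raise ValueError(f"mixed IPv4/IPv6 range: {text}")
        if start > end:
            raise ValueError(f"range start is after range end: {text}")
        return ("range", start, end)
    addr = ipaddress.ip_address(text)
    return ("address", addr, addr)


def covers_external_space(first, last):
    """True if any address from first to last lies outside the INTERNAL ranges."""
    for block in ipaddress.summarize_address_range(first, last):
        inside = any(block.version == net.version and block.subnet_of(net)
                     for net in INTERNAL)
        if not inside:
            return True
    return False


def audit_scope(scope, addresses=""):
    """Return one finding per source admitted by a scope/addresses pair."""
    scope = scope.strip().lower()
    if scope == "all":
        # scope=all admits any computer, including those on the Internet.
        return [{"entry": "all", "kind": "any", "count": None, "external": True}]
    if scope == "subnet":
        return [{"entry": "subnet", "kind": "localsubnet",
                 "count": None, "external": None}]
    if scope != "custom":
        raise ValueError(f"unknown scope: {scope}")
    if not addresses.strip():
        raise ValueError("scope=custom needs an addresses list")
    findings = []
    for entry in addresses.split(","):
        kind, first, last = parse_entry(entry)
        if kind == "localsubnet":
            # Size and exposure depend on the network the host is attached to.
            findings.append({"entry": "localsubnet", "kind": kind,
                             "count": None, "external": None})
            continue
        findings.append({
            "entry": entry.strip(),
            "kind": kind,
            "count": int(last) - int(first) + 1,
            "external": covers_external_space(first, last),
        })
    return findings


if __name__ == "__main__":
    # The addresses list used in the portopening example above.
    sample = "157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet"
    for finding in audit_scope("custom", sample):
        print(finding)
```

An entry reported with external set to True, or a scope of all, is the one to justify before the exception is enabled.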

set portopening
Modifies the settings of an existing port-based exception.

Syntax
set portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ name = ]
ExceptionName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [
[ addresses = ] addresses ] [ [ profile = ] { current | domain | standard | all } ]

Parameters
[ protocol = ] { tcp | udp | all }

Required. Specifies whether the port number refers to TCP, UDP, or both.

[ port = ] Integer

Required. Specifies the port number of the exception to be modified. Must be an integer value from
1 to 65535. Only a single value can be specified and port ranges are not supported.

[ [ name = ] ExceptionName ]

Specifies the name of the exception. This value is displayed in the Firewall control panel exception
list.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer.

[ scope = ] { all | subnet | custom }

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is
allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed
from computers on the local computer's subnet only. custom indicates that traffic is allowed from
only those computers whose IP address matches the addresses parameter.

[ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example,
192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example,
192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For
example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's
current subnet.

Multiple entry types can be combined on a command line by separating them with commas:
172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ profile = ] { current | domain | standard | all }

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set portopening tcp 80 "My Web Port"

set portopening udp 500 "IKE Exception" enable all

set portopening all 53 "DNS Exception" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

delete portopening
Deletes an existing port-based exception.

Syntax
delete portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ profile = ] {
current | domain | standard | all } ]

Parameters
[ protocol = ] { tcp | udp | all }

Required. Specifies whether the port number refers to TCP, UDP, or both.

[ port = ] Integer

Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535.

[ profile = ] { current | domain | standard | all }

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

delete portopening tcp 80

delete portopening protocol=all port=25

set service
Enables or disables the pre-defined file and printer sharing, remote administration, remote desktop,
and UPnP exceptions.

Syntax
set service [ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all } [ [ mode
= ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] {
IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain |
standard | all } ]

Parameters
[ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all }

Required. Specifies the service whose pre-defined rules are enabled or disabled. The value must be
one of the following:

• fileandprint. The file and printer sharing service.

• remoteadmin. The ability to remotely administer a computer running Windows.

• remotedesktop. The ability to use a Terminal Services client such as Remote Desktop.

• upnp. Universal Plug-and-Play protocol for networked devices.

• all. All of the above services.

[ [ mode = ] { enable | disable } ]

Specifies whether this exception is currently applied and active on the local computer. The default
value is enable.

[ [ scope = ] { all | subnet | custom } ]

Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is
allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed
from computers on the local computer's subnet only. custom indicates that traffic is allowed from
only those computers whose IP address matches the addresses parameter.

[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]

Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:

• An IPv4 or IPv6 address. For example, 192.168.0.15.

• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example,
192.168.0.1-192.168.0.50.

• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example,
192.168.0.0/255.255.255.0.

• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For
example, 10.1.0.0/16.

• The keyword localsubnet, which includes all addresses that are on the local computer's
current subnet.

Multiple entry types can be combined on a command line by separating them with commas:
172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet

[ [ profile = ] { current | domain | standard | all } ]

Specifies the firewall profile to which the command applies. The profile is determined by the
detected network location types accessible through the computer's network adapters.

• current specifies that the command applies to the profile that is currently active on the
computer.

• domain specifies that the command applies only to the domain profile.

• standard specifies that the command applies only to the private profile.

• all specifies that the command applies to all profiles except the private profile.

The default value is current.

Examples
Each example must be entered as a single command line. The examples may be displayed on
multiple lines below for space reasons.

set service fileandprint

set service remoteadmin enable subnet

set service type=remotedesktop mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet

show commands
The following show commands are used to display the current configuration:

• show allowedprogram [ [ verbose = ] { enable | disable } ]

Displays the current list of program exceptions for the domain and standard profiles. Use the
parameter verbose=enable to see additional details.

• show config [ [ verbose = ] { enable | disable } ]

Displays the local configuration information for the domain and standard profiles, including the output
of all other show commands. Use parameter verbose=enable to see additional details.

• show currentprofile

Displays the current profile in use for the network location type.

• show icmpsetting [ [ verbose = ] { enable | disable } ]

Displays the ICMP settings. Use parameter verbose=enable to see additional details.

• show logging

Displays the current logging settings.


• show multicastbroadcastresponse

Displays multicast/broadcast response settings for each profile.

• show notifications

Displays whether the firewall displays pop-up notifications for each profile.

• show opmode

Displays the operational mode for the firewall for each profile.

• show portopening

Displays the current list of port exceptions for each profile. Use parameter
verbose=enable to see additional details.

• show service

Displays the service configuration for each profile. Use parameter verbose=enable to see
additional details.

• show state

Displays the current state information for the firewall. Use parameter verbose=enable to
see additional details.

reset
Resets the configuration of Windows Firewall to default settings. All manually configured changes
are lost. There are no parameters for the reset command.

Netsh Commands for Hypertext Transfer Protocol (HTTP)
You can use commands in the netsh http context to configure properties of the HTTP service. The
Netsh commands for HTTP can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh http context
or prepend the context to the command. For example, if you are at the command prompt but have
not typed netsh and then http to enter the netsh http context, you must type:

netsh http command

Where command is the command that you want to run, including all of the required parameters for
the command.

Netsh http commands

The following entries provide details for each command.

add iplisten
Adds a new IP address to the IP listen list. This does not include the port number.

Syntax

add iplisten [ ipaddress= ] IPAddress

Parameters

ipaddress

Required. The IPv4 or IPv6 address to be added to the IP listen list. The IP listen list is used to
scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and
"::" means any IPv6 address.

Examples

Following are four examples of the add iplisten command.

add iplisten ipaddress=fe80::1

add iplisten ipaddress=1.1.1.1

add iplisten ipaddress=0.0.0.0

add iplisten ipaddress=::

add sslcert
Adds a new SSL server certificate binding and corresponding client certificate policies for an IP
address and port.

Syntax

add sslcert [ ipport= ] IPAddress:port [ certhash= ] CertHash [ appid= ] GUID [ [
certstorename= ] CertStoreName [ verifyclientcertrevocation= ] enable | disable [
verifyrevocationwithcachedclientcertonly= ] enable | disable [ usagecheck= ] enable |
disable [ revocationfreshnesstime= ] U-Int [ urlretrievaltimeout= ] U-Int [ sslctlidentifier=
] SSLCTIdentifier [ sslctlstorename= ] SSLCtStoreName [ dsmapperusage= ] enable | disable
[ clientcertnegotiation= ] enable | disable ]

Parameters

ipport

Required. Specifies the IP address and port for the binding. A colon character (:) is used as a
delimiter between the IP address and the port number.

certhash

Required. Specifies the SHA hash of the certificate. This hash is 20 bytes long and is specified as a
hexadecimal string.

appid

Required. Specifies the GUID to identify the owning application.

certstorename

Optional. Specifies the store name for the certificate. Defaults to MY. Certificate must be stored in
the local machine context.

verifyclientcertrevocation

Optional. Turns on or off verification of revocation of client certificates.

verifyrevocationwithcachedclientcertonly

Optional. Specifies whether the usage of only cached client certificate for revocation checking is
enabled or disabled.

usagecheck

Optional. Specifies whether the usage check is enabled or disabled. Default is enabled.

revocationfreshnesstime

Optional. Specifies the time interval, in seconds, to check for an updated certificate revocation list
(CRL). If this value is zero, then the new CRL is updated only if the previous one expires.

urlretrievaltimeout

Optional. Specifies the timeout interval (in milliseconds) after the attempt to retrieve the certificate
revocation list for the remote URL.

sslctlidentifier

Optional. Specifies the list of the certificate issuers that can be trusted. This list can be a subset of
the certificate issuers that are trusted by the computer.

sslctlstorename

Optional. Specifies the certificate store name under LOCAL_MACHINE where SslCtlIdentifier is
stored.

dsmapperusage

Optional. Specifies whether DS mappers is enabled or disabled. Default is disabled.

clientcertnegotiation

Examples

Following is an example of the add sslcert command.

add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
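The three required add sslcert parameters each have a fixed shape (IPAddress:port with IPv6 in brackets, a 20-byte hexadecimal hash, a GUID), and a malformed value is easier to catch before the command is run than after. The following is an added example, not part of the original reference: it validates and normalizes the three values and returns the argument list for the command. The function names are hypothetical, and treating brackets as IPv6-only and stripping separators from a pasted hash are choices of this sketch.

```python
import ipaddress
import re
import uuid


def parse_ipport(value):
    """Split an ipport value into (address, port); IPv6 must be bracketed."""
    bracketed = re.fullmatch(r"\[([^\]]+)\]:(\d{1,5})", value)
    plain = re.fullmatch(r"([0-9.]+):(\d{1,5})", value)
    if bracketed:
        addr = ipaddress.ip_address(bracketed.group(1))
        if addr.version != 6:
            # This script's rule: the page brackets IPv6 addresses only.
            raise ValueError("brackets are used for IPv6 addresses only")
        port = int(bracketed.group(2))
    elif plain:
        addr = ipaddress.ip_address(plain.group(1))
        port = int(plain.group(2))
    else:
        raise ValueError(f"expected IPv4:port or [IPv6]:port, got {value!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return addr, port


def normalize_certhash(value):
    """Return the hash as 40 upper-case hex digits (20 bytes), or raise ValueError."""
    # Hashes pasted from GUI tools may carry spaces, colons or invisible
    # formatting characters; drop everything that is not a letter or digit.
    cleaned = "".join(ch for ch in value if ch.isalnum())
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError("certhash must be 20 bytes given as 40 hexadecimal digits")
    return cleaned.upper()


def normalize_appid(value):
    """Return the GUID in {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} form."""
    # uuid.UUID accepts the value with or without braces and raises
    # ValueError for anything that is not a GUID.
    return "{" + str(uuid.UUID(value.strip())).upper() + "}"


def build_add_sslcert(ipport, certhash, appid):
    """Return (argument list, notes) for netsh http add sslcert."""
    addr, port = parse_ipport(ipport)
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    args = [
        "netsh", "http", "add", "sslcert",
        f"ipport={host}:{port}",
        f"certhash={normalize_certhash(certhash)}",
        f"appid={normalize_appid(appid)}",
    ]
    notes = []
    if addr.is_unspecified:
        # 0.0.0.0 and :: are the "any address" forms shown in the page's examples.
        notes.append(f"{host}:{port} is a wildcard address, not a single interface")
    return args, notes


if __name__ == "__main__":
    # Values from the add sslcert example above.
    args, notes = build_add_sslcert(
        "1.1.1.1:443",
        "0102030405060708090A0B0C0D0E0F1011121314",
        "{00112233-4455-6677-8899-AABBCCDDEEFF}",
    )
    print(" ".join(args))
    for note in notes:
        print("note:", note)
```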

add timeout
Adds a global timeout to the service.

Syntax

add timeout [ timeouttype= ] IdleConnectionTimeout | HeaderWaitTimeout [ value= ] U-Short

Parameters

Timeouttype

Type of timeout for setting.

Value

Value of the timeout (in seconds). If value is in hexadecimal notation, then add the prefix 0x.

Examples

Following are two examples of the add timeout command.

add timeout timeouttype=idleconnectiontimeout value=120

add timeout timeouttype=headerwaittimeout value=0x40

add urlacl
Adds a Uniform Resource Locator (URL) reservation entry. This command reserves the URL for non-
administrator users and accounts. The DACL can be specified by using an NT account name with the
listen and delegate parameters or by using an SDDL string.

Syntax

add urlacl [ url= ] URL [ [user=] User [ [ listen= ] yes | no [ delegate= ] yes | no ] | [ sddl=
] SDDL ]

Parameters

url

Required. Specifies the fully qualified Uniform Resource Locator (URL).

user

Required. Specifies the user or user-group name.

listen

Optional. Specifies one of the following values: yes: Allow the user to register URLs. This is the
default value. no: Deny the user from registering URLs.

delegate

Optional. Specifies one of the following values: yes: Allow the user to delegate URLs. no: Deny the
user from delegating URLs. This is the default value.

sddl

Optional. Specifies an SDDL string that describes the DACL.

Examples

Following are four examples of the add urlacl command.

add urlacl url=http://+:80/MyUri user=DOMAIN\user

add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user listen=yes

add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user delegate=no

add urlacl url=http://+:80/MyUri sddl=...

delete cache
Deletes all entries or the specified entry from the HTTP service kernel URI cache.

Syntax

delete cache [ [ url= ] URL [ [ recursive= ] yes | no ] ]

Parameters

url

Optional. Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete.

recursive

Optional. Specifies whether all entries under the specified url cache are removed. yes: all entries
are removed. no: all entries are not removed.

Examples

Following are two examples of the delete cache command.

delete cache url=http://www.contoso.com:80/myresource/ recursive=yes

delete cache

delete iplisten
Deletes an IP address from the IP listen list. The IP listen list is used to scope the list of addresses
to which the HTTP service binds.

Syntax

delete iplisten [ ipaddress= ] IPAddress

Parameters

ipaddress

Required. The IPv4 or IPv6 address to be deleted from the IP listen list. The IP listen list is used to
scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and
"::" means any IPv6 address. This does not include the port number.

Examples

Following are four examples of the delete iplisten command.

delete iplisten ipaddress=fe80::1

delete iplisten ipaddress=1.1.1.1

delete iplisten ipaddress=0.0.0.0

delete iplisten ipaddress=::

delete sslcert
Deletes SSL server certificate bindings and corresponding client certificate policies for an IP address
and port.

Syntax

delete sslcert [ ipport= ] IPAddress:port

Parameters

ipport

Required. Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will
be deleted. A colon character (:) is used as a delimiter between the IP address and the port
number.

Examples

Following are three examples of the delete sslcert command.

delete sslcert ipport=1.1.1.1:443

delete sslcert ipport=0.0.0.0:443

delete sslcert ipport=[::]:443

delete timeout
Deletes a global timeout and makes the service revert to default values.

Syntax

delete timeout [ timeouttype= ] idleconnectiontimeout | headerwaittimeout

Parameters

timeouttype

Required. Specifies the type of timeout for setting.

Examples

Following are two examples of the delete timeout command.

delete timeout timeouttype=idleconnectiontimeout

delete timeout timeouttype=headerwaittimeout

delete urlacl
Deletes a URL reservation.

Syntax

delete urlacl [ url= ] URL

Parameters

url

Required. Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete.

Examples

Following are two examples of the delete urlacl command.

delete urlacl url=http://+:80/MyUri

delete urlacl url=http://www.contoso.com:80/MyUri

flush logbuffer

Flushes the internal buffers for the logfiles.

Syntax

flush logbuffer

show cachestate
Lists cached URI resources and their associated properties. This command lists all resources and
their associated properties that are cached in HTTP response cache or displays a single resource and
its associated properties.

Syntax

show cachestate [ [url= ] URL]

Parameters

url

Optional. Specifies the fully qualified URL that you want to display. If unspecified, displays all URLs.
The URL could also be a prefix to registered URLs.

Examples

Following are two examples of the show cachestate command.

show cachestate url=http://www.contoso.com:80/myresource

show cachestate

show iplisten
Displays all IP addresses in the IP listen list. The IP listen list is used to scope the list of addresses
to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6
address.

Syntax

show iplisten

show servicestate
Displays a snapshot of the HTTP service.

Syntax

show servicestate [ [ view= ] session | requestq ] [ [ verbose= ] yes | no ]

Parameters

View

Optional. Specifies whether to view a snapshot of the HTTP service state based on the server
session or on the request queues.

Verbose

Optional. Specifies whether to display verbose information that also shows property information.

Examples

Following are two examples of the show servicestate command.

show servicestate view="session"

show servicestate view="requestq"

show sslcert
Displays Secure Sockets Layer (SSL) server certificate bindings and corresponding client certificate
policies for an IP address and port.

Syntax

show sslcert [ ipport= ] IPAddress:port

Parameters

Ipport

Required. Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be
displayed. A colon character (:) is used as a delimiter between the IP address and the port number.
If you do not specify ipport, all bindings are displayed.

Examples

Following are five examples of the show sslcert command.

show sslcert ipport=[fe80::1]:443

show sslcert ipport=1.1.1.1:443

show sslcert ipport=0.0.0.0:443

show sslcert ipport=[::]:443

show sslcert

show timeout
Displays, in seconds, the timeout values of the HTTP service.

Syntax

show timeout

show urlacl
Displays discretionary access control lists (DACLs) for the specified reserved URL or all reserved
URLs.

Syntax

show urlacl [ [url= ] URL]

Parameters

url

Optional. Specifies the fully qualified URL that you want to display. If unspecified, displays all URLs.

Examples

Following are three examples of the show urlacl command.

show urlacl url=http://+:80/MyUri

show urlacl url=http://www.contoso.com:80/MyUri

show urlacl

Netsh Commands for Interface (IPv4 and IPv6)
You can use commands in the Netsh Interface context and subcontexts to configure the TCP/IP
version 4 protocol (including addresses, default gateways, Domain Name System (DNS) and WINS
servers) and to display configuration and statistical information for IPv4.

In addition, you can use commands in this context and related subcontexts (6to4, isatap, portproxy,
and teredo) to configure Internet Protocol version 6 (IPv6).

To run these commands from the command prompt, you must either enter the netsh interface
context or prepend the context to the command. For example, if you are at the command prompt
but have not typed netsh and then interface to enter the netsh interface context, you must
type:

netsh interface command

Where command is the command that you want to run, including all of the required parameters for
the command.

The Netsh Interface context also includes several subcontexts.

Subcontexts of Netsh Interface


This context provides the following subcontexts:

Subcontext name    Result

6to4               Changes to the netsh interface 6to4 context.
ipv4               Changes to the netsh interface ipv4 context.
ipv6               Changes to the netsh interface ipv6 context.
isatap             Changes to the netsh interface isatap context.
portproxy          Changes to the netsh interface portproxy context.
tcp                Changes to the netsh interface tcp context.
teredo             Changes to the netsh interface teredo context.

Netsh Interface command reference


Following are the details for the commands in the Netsh Interface context.

add
Adds an interface to the router. For full interfaces, a phone book entry with the same name must
already exist on the system.

Syntax

add [name=] Name [[type=]full]

Parameters

name

Required. Specifies the name of the interface to be added.


type

Optional. Specifies that a demand dial interface is created when full is designated.

Examples

Following is an example of the add interface command that creates a demand dial interface.

add name="Demand-Dial Interface" type=full

delete
Deletes an interface from the router.

Syntax

delete [ name= ] Name

Parameters

name

Required. Specifies the name of the interface to be deleted.

Examples:

The following example command deletes a demand dial interface at the router.

delete name="Demand-Dial Interface"

reset
Deletes all of the interfaces that can be added through this context.

Syntax

reset

set credentials
Specifies the credentials that are used to connect to or add an interface.

Syntax

set credentials [ name= ] InterfaceName [ user= ] UserName [[ domain= ] Domain [ password= ] Password ]

Parameters

InterfaceName

Required. Specifies the name of the interface that you want to add.

UserName

Required. Specifies the user account name that has the required permissions to add an interface.

Domain

Optional. Specifies the domain where the user account is located.

Password

Optional. Specifies the password of the user account.

Examples

Following are two examples of the set credentials command.

set credentials name="Demand-Dial Interface" user=guest

set credentials name="Demand-Dial Interface" user=admin domain=mydomain password=mypassword

set interface
Changes the parameters for an existing interface.

Syntax

set interface [name = ] IfName [ [admin = ] ENABLED|DISABLED [connect = ]
CONNECTED|DISCONNECTED [newname = ] NewName ]

Parameters

IfName

Required. Specifies the name of the interface that you want to modify.

admin

Optional. Specifies whether the interface should be enabled or disabled.

connect

Optional. Specifies whether or not to enable and connect the interface (non-LAN only).

newname

Optional. Specifies a new name for the interface (LAN only).

show credentials
Displays the credentials that are used to connect to an interface.

Syntax

show credentials [name = ] IfName

Parameters

IfName

Required. Specifies the name of the interface whose credentials you want to display.

show interface
Displays a list of the configured interfaces, including their current Name, Admin State, State, and
Type.

Syntax

show interface [[name=] Name]

Parameters

Name

Optional. Specifies the name of the interface that you want to display. If Name is not specified, all
interfaces are displayed.

Examples

Following is an example of the show interface command.

show interface name="Local Area Connection"

Netsh commands for Interface 6to4

Interface 6to4 commands

The following entries provide details for each command.

add
Adds an interface to the router. For full interfaces, a phone book entry with the same name must
already exist on the system.

Syntax

add [name=] Name [[type=]full]

Parameters

name

Required. Specifies the name of the interface to be added.

type

Optional. Specifies that a demand dial interface is created when full is designated.

Examples

Following is an example of the add command that creates a demand-dial interface.

add name="Demand-Dial Interface" type=full

delete
Deletes an interface from the router.

Syntax

delete [ name= ] Name

Parameters

name

Required. Specifies the name of the interface to be deleted.

Examples:

The following example command deletes a demand-dial interface at the router.

delete name="Demand-Dial Interface"

reset
Deletes all of the interfaces that can be added through this context.

Syntax

reset

set interface
Sets 6to4 interface configuration information.

Syntax

set interface [ name= ] Name [ [ routing= ]( enabled | disabled | default )]

Parameters

name

Required. Specifies the interface name.

routing

Optional. Specifies whether to act as a router.

Examples

Following is an example of the set interface command.

set interface "Private" enabled

set relay
Sets 6to4 relay information.

Syntax

set relay [ [ name= ]( Name | default )] [ [ state= ] ( enabled | disabled | automatic |
default ) ] [[ interval= ] Integer ]

Parameters

name

Optional. Specifies the name of the 6to4 relay.

state

Optional. Specifies whether relay name resolution is enabled or disabled.

interval

Optional. Specifies an integer that is the resolution interval (in minutes).

Examples

Following is an example of the set relay command.

set relay 6to4.ipv6.org. enabled 1440

set routing
Sets 6to4 routing information.

Syntax

set routing [ [ routing= ]( enabled | disabled | automatic | default ) ] [ [ sitelocals= ]
(enabled | disabled | default ) ]

Parameters

routing

Optional. Specifies the state of 6to4 routing.


sitelocals

Optional. Specifies whether to use Site-Local addresses.

Examples

Following are two examples of the set routing command.

set routing default default

set routing routing=enabled sitelocals=enabled

set state
Sets the 6to4 configuration state.

Syntax

set state [ [ state= ] ( enabled | disabled | automatic | default ) ] [ [ undoonstop= ] (
enabled | disabled | default ) ]

Parameters

state

Optional. Specifies whether 6to4 is enabled.


undoonstop

Optional. Specifies whether 6to4 is disabled on service stop.

Examples

Following are two examples of the set state command.

set state default default

set state state=enabled undoonstop=disabled

show interface
Displays the 6to4 interface configuration information.

Syntax

show interface

show relay
Displays the 6to4 relay information.

Syntax

show relay

show routing
Displays the 6to4 routing state.

Syntax

show routing

show state
Displays the 6to4 state.

Syntax

show state

Netsh commands for Interface Internet Protocol version 4 (IPv4)
You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including
addresses, default gateways, DNS servers, and WINS servers) and to display configuration and
statistical information.

You can run these commands at the command prompt for the netsh interface ip context. For
these commands to work at the command prompt, you must type netsh interface ip before typing
commands and parameters as they appear in the syntax below.

add address
Adds an IP address and a default gateway on a specified interface configured with a static IP
address.

Syntax
add address [name=]InterfaceName [addr=]IPAddress [mask=]SubnetMask
[[gateway=]DefaultGateway [gwmetric=]GatewayMetric]

Parameters
[name=] InterfaceName

Required. Specifies the name of the interface for which you want to add address and gateway
information. The InterfaceName parameter must match the name of the interface as specified in
Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for
example, "Interface Name").
[ addr=] IPAddress[ mask=] SubnetMask

Required. Specifies the IP address to add and the subnet mask for that IP address.
[ gateway=] DefaultGateway[ gwmetric=] GatewayMetric

Specifies the IP address of the default gateway to add and the metric for that default gateway.
/?

Displays help at the command prompt.

add dnsserver
Adds a DNS server to a list of DNS servers for a specified interface.

Syntax
add dnsserver [name=]InterfaceName [addr=] DNSAddress [[index=]DNSIndex]

Parameters
[name=] InterfaceName

Required. Specifies the name of the interface for which you want to add DNS information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").
[addr=] DNSAddress

Required. Specifies the IP address of the DNS server to add.


[index=] DNSIndex

Specifies the position of the added DNS server in the list of DNS servers for the interface.

/?

Displays help at the command prompt.

add neighbors
Specifies an entry in the neighbor cache.

Syntax
add neighbors [interface=]<string>[address=]<IPv4Address> [neighbor=]<string>
[subinterface=]<string>[[store=]active|persistent]

Parameters
[interface=]<string>

Specifies an interface name or index.


[address=]<IPv4Address>

Specifies the address of the neighbor.


[neighbor=]<string>

Specifies the link layer address of the neighbor.


[subinterface=]<string>

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Examples
This example command adds an entry to the neighbor cache on the interface named "Private."

add neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"

add route
Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h), minutes
(m), and seconds (s). For example, 2d represents two days.

Syntax
add route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address]
[[siteprefixlength=]Integer] [[metric=]Integer] [[validlifetime=]{Integer | infinite}]
[[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]

Parameters
[ prefix=] IPv4Address/Integer

Required. Specifies the prefix for which to add a route. Integer specifies the prefix length.
[[ interface=] String]

Specifies an interface name or index.


[[ nexthop=] IPv4Address]

Specifies the gateway address, if the prefix is not on-link.

[[ siteprefixlength=] Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.
[[ metric=] Integer]

Specifies the route metric.


[[ validlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.
[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.
[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command adds a route on the interface named "Internet".

add route 10.2.0.0/16 "Internet" 10.0.0.1

add winsserver
Adds a WINS server to a list of WINS servers for a specified interface.

Syntax
add winsserver [name=]InterfaceName [addr=] WINSAddress [[index=]WINSIndex]

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to add WINS information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

[ addr=] WINSAddress

Required. Specifies the IP address of the WINS server to add.

[ index=] WINSIndex

Specifies the position of the added WINS server in the WINS server list for that interface.

/?

Displays help at the command prompt.

delete address
Deletes an IP address or a default gateway on a statically configured interface.

Syntax
delete address [name=]InterfaceName [addr=] IPAddress [[gateway=]{DefaultGateway | all}]

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to delete address and gateway
information. The InterfaceName parameter must match the name of the interface as specified in
Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for
example, "Interface Name").

[ addr=] IPAddress

Required. Specifies the IP address to delete.

[ gateway=]{ DefaultGateway| all}

Specifies whether to delete one default gateway or all default gateways. If only one default gateway
should be deleted, DefaultGateway specifies the IP address of the default gateway to be deleted.

/?

Displays help at the command prompt.

delete arpcache
Removes the entries in the Address Resolution Protocol (ARP) cache for a specified interface. Used
without parameters, delete arpcache removes the entries in the ARP caches of all interfaces.

Syntax
delete arpcache [name=]<InterfaceName>

Parameters
[name=]<InterfaceName>

Specifies the name of the interface for which you want to remove the ARP cache entries. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

delete destinationcache
Clears the destination cache. If an interface is specified, clears the cache only on that interface. If
an address is also specified, deletes only that destination cache entry.

Syntax
delete destinationcache [[interface=]String] [[address=]IPv4Address]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv4Address]

Specifies the address of the destination.

Examples
This example command deletes the destination cache for the interface named "Private."

delete destinationcache "Private"

delete dnsserver
Deletes a DNS server or all DNS servers from a list of DNS servers for a specified interface or for all
interfaces.

Syntax
delete dnsserver [name=]InterfaceName [addr=]{DNSAddress | all}

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to delete DNS information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

[ addr=]{ DNSAddress| all}

Required. Specifies whether to delete the address of one DNS server or all servers for all interfaces.
If only one DNS server should be deleted, DNSAddress specifies the IP address of the DNS server to
delete.

/?

Displays help at the command prompt.

delete neighbors
Specifies that all entries in the neighbor cache are deleted. If an interface is specified, clears the
cache only on that interface. If an address is also specified, deletes only that neighbor cache entry.

Syntax
delete neighbors [[interface=]String] [[address=]IPv4Address]

Parameters

[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv4Address]

Specifies the address of the neighbor.

Examples
This example command removes all entries from the neighbor cache on the interface named
"Private."

delete neighbors "Private"

delete route
Deletes an IPv4 route.

Syntax
delete route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address]
[[store=]{active | persistent}]

Parameters

[ prefix=] IPv4Address/Integer

Required. Specifies the prefix of the route to delete.

[[ interface=] String]

Specifies an interface name or index.

[[ nexthop=] IPv4Address]

Specifies the gateway address, if the prefix is not on-link.

[[ store=]{ active| persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command deletes a route from the interface named "Internet."

delete route 10.2/16 "Internet" 10.0.0.1

delete winsserver
Deletes a WINS server or servers from a list of WINS servers for a specified interface or all
interfaces.

Syntax
delete winsserver [name=]InterfaceName [addr=]{WINSAddress | all}

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to delete a WINS server or
servers. The InterfaceName parameter must match the name of the interface as specified in
Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for
example, "Interface Name").

[ addr=]{ WINSAddress| all}

Required. Specifies whether to delete only one server for an interface or all servers for all
interfaces. If only one server should be deleted, WINSAddress specifies the IP address of the WINS
server to delete.

/?

Displays help at the command prompt.

dump
Displays the current configuration as a series of Netsh Interface IP commands.

Syntax
dump

Parameters
none

install
Installs the IPv4 protocol. A reboot is required for the installation to take effect.

Syntax
install

reset
Resets the IPv4 configuration state. A reboot is required for changes to take effect.

Syntax
reset

set address
Configures an IP address and a default gateway on a specified interface.

Syntax
set address [name=]InterfaceName [source=]{dhcp | static
[addr=]IPAddress [mask=]SubnetMask [gateway=]{none | DefaultGateway
[[gwmetric=]GatewayMetric]}}

Parameters
[ name =] InterfaceName

Required. Specifies the name of the interface for which you want to configure address and gateway
information. The InterfaceName parameter must match the name of the interface as specified in
Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for
example, "Interface Name").

[ source=]{ dhcp| static[ addr=] IPAddress[ mask=] SubnetMask[ gateway=]{ none|
DefaultGateway[[ gwmetric=] GatewayMetric]}}

Required. Specifies whether the IP address to configure originates from a Dynamic Host
Configuration Protocol (DHCP) server or is static. If the address is static, IPAddress specifies the
address to configure, and SubnetMask specifies the subnet mask for the IP address being
configured. If the address is static, you must also specify whether you want to leave the current
default gateway (if any) in place or configure one for the address. If you configure a default
gateway, DefaultGateway specifies the IP address of the default gateway to be configured, and
GatewayMetric specifies the metric for the default gateway to be configured.

/?

Displays help at the command prompt.

set compartment
Modifies compartment configuration parameters.

Syntax
set compartment [compartment=]<integer>
[defaultcurhoplimit=]<integer> [store=]active|persistent

Parameters
[compartment=]<integer>

Specifies an interface name or index.

[defaultcurhoplimit=]<integer>

Specifies the address of the neighbor.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example
set compartment compartment=1 defaultcurhoplimit=255 store=active

set dnsserver
Configures a DNS server address for a specified interface.

Syntax
set dnsserver [name=]InterfaceName [source=]{dhcp | static } [addr=]{IP Address | none}
[register=]{none | primary | both}

Parameters

[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to set DNS information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

[ source=]{ dhcp| static }

Required. Specifies whether the IP address of the DNS server is configured by DHCP or is static.

[ addr=]{ IP Address| none }

If the IP address is static, IP Address specifies the IP address of the DNS server to configure, and
none specifies that the DNS configuration should be removed.

[ register=]{ none| primary| both }

None specifies that dynamic update is disabled. Primary registers the computer name under
the primary DNS suffix only. Both registers the computer name under both the primary DNS suffix
and the connection-specific suffix.

/?

Displays help at the command prompt.

Examples
set dnsserver name="Local Area Connection" source=dhcp

set dnsserver "Local Area Connection" static 10.0.0.1 primary

set dynamicportrange
Modifies the range of ports used for dynamic port assignment. Dynamic port assignment is also
known as wildcard port assignment.

Syntax
set dynamicportrange [[protocol=]tcp|udp][startport=]<integer>
[numberofports=]<integer>[[store=]active|persistent]

Parameters
[[protocol=]tcp|udp]

One of the following values:

• TCP: Display the dynamic port range for TCP.

• UDP: Display the dynamic port range for UDP.

[startport=]<integer>

Specifies the starting port for dynamic port assignment.

[numberofports=]<integer>

Specifies the number of ports available for dynamic port assignment.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

Example
set dynamicportrange protocol=tcp startport=10000 numberofports=20000

set global

Modifies global configuration parameters.

Syntax
set global [[defaultcurhoplimit=]Integer]
[[neighborcachelimit=]Integer][[routecachelimit=]Integer] [[reassemblylimit=]Integer]
[[store=]{active | persistent}]

Parameters
[[defaultcurhoplimit=] Integer]

Specifies the default hop limit of packets sent.

[[neighborcachelimit=] Integer]

Required. Specifies the maximum number of neighbor cache entries.

[[routecachelimit=] Integer]

Specifies the maximum number of route cache entries.


[[reassemblylimit=] Integer]

Specifies the maximum size of the reassembly buffer.


[[store=]active|persistent]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets global parameters for all IPv6-enabled interfaces on the computer. The
default hop limit is set to 32, the maximum number of neighbor cache entries is set to 100, and the
maximum number of route cache entries is 100,000.

set global 32 100 100000

set interface
Modifies interface configuration parameters.

Syntax

set interface [[interface=]String] [[forwarding=]{enabled | disabled}]
[[advertise=]{enabled | disabled}] [[mtu=]Integer] [[siteid=]Integer] [[metric=]Integer]
[[firewall=]{enabled | disabled}] [[siteprefixlength=]Integer] [[store=]{active |
persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ forwarding=]{ enabled| disabled}]

Specifies whether packets arriving on this interface can be forwarded to other interfaces. The
default selection is disabled.

[[ advertise=]{ enabled| disabled}]

Specifies whether Router Advertisements are sent on this interface. The default selection is
disabled.

[[ mtu=] Integer]

Specifies the Maximum Transfer Unit (MTU) of this interface. The default MTU is the natural MTU of
the link.

[[ siteid=] Integer]

Specifies the site scope zone identifier.

[[ metric=] Integer]

Specifies the interface metric, which is added to route metrics for all routes over the interface.

[[ firewall=]{ enabled| disabled}]

Specifies whether to operate in firewall mode.

[[ siteprefixlength=] Integer]

Specifies the default length of the global prefix for the entire site.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets the interface with the name "Private," with a siteid of two and a metric
of two. All other parameter values are left at the default values.

set interface "Private" siteid=2 metric=2

set neighbors
Sets an entry in the neighbor cache.

Syntax
set neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string>
[[subinterface=]<string>][[store=]active|persistent]

Parameters
[[ interface=] String]

Specifies an interface name or index.


[[ address=] IPv4Address]

Specifies the address of the neighbor.

[neighbor=]<string>

Specifies the link layer address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Examples

This example command sets an entry to the neighbor cache on the interface named "Private."

set neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"

set route
Modifies route parameters. Time values can be expressed in days (d), hours (h), minutes (m), and
seconds (s). For example, 2d represents two days.

Syntax
set route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address]
[[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}]
[[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}]
[[store=]{active | persistent}]

Parameters
[ prefix=] IPv4Address/Integer

Required. Specifies the prefix (IPv4Address) and prefix length (Integer) of the route to modify.

[[ interface=] String]

Specifies an interface name or index.

[[ nexthop=] IPv4Address]

Specifies the gateway address, if the prefix is not on-link.

[[ siteprefixlength=] Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[ metric=] Integer]

Specifies the route metric.

[[ publish=]{ no| yes| immortal}]

Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or
not advertised (no) in Route Advertisements. The default selection is no.

[[ validlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.

[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets a route on the interface named "Internet."

set route 10.2.0.0/16 "Internet" 10.0.0.1 0 2 yes 5000 5000 store=active
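
The add and set examples above pass parameters both as tag=value pairs and by position, which makes a saved command list hard to review by eye. The following Python script is an added example, not part of the original reference: it resolves both forms against the Syntax lines above and reports settings worth reviewing. The names approved_dns and approved_gateways, the finding labels and the sample lines are assumptions of the example.

```python
import ipaddress
import shlex

# Parameter order copied from the Syntax lines on this page; a value given
# without a tag is matched to one of these names by position.
ROUTE = ["prefix", "interface", "nexthop", "siteprefixlength", "metric",
         "validlifetime", "preferredlifetime", "store"]
NEIGHBOR = ["interface", "address", "neighbor", "subinterface", "store"]
SYNTAX = {
    ("add", "route"): ROUTE,
    ("set", "route"): ROUTE[:5] + ["publish"] + ROUTE[5:],
    ("add", "neighbors"): NEIGHBOR,
    ("set", "neighbors"): NEIGHBOR,
    ("add", "dnsserver"): ["name", "addr", "index"],
    ("set", "dnsserver"): ["name", "source", "addr", "register"],
    ("set", "interface"): ["interface", "forwarding", "advertise", "mtu", "siteid",
                           "metric", "firewall", "siteprefixlength", "store"],
}
CONTEXTS = (["netsh", "interface", "ipv4"], ["netsh", "interface", "ip"])


def parse_command(line):
    """Return ((verb, noun), params) for a command in SYNTAX, else None."""
    tokens = shlex.split(line)  # also strips quotation marks around names
    if [t.lower() for t in tokens[:3]] in CONTEXTS:
        tokens = tokens[3:]  # the context was prepended to the command
    command = tuple(t.lower() for t in tokens[:2])
    order = SYNTAX.get(command)
    if order is None:
        return None
    params, slot = {}, 0
    for token in tokens[2:]:
        tag, sep, value = token.partition("=")
        if sep and tag.lower() in order:  # tag=value form
            params[tag.lower()] = value
            continue
        # Assumption of this example: an untagged value fills the next
        # parameter, in syntax order, that has not been set yet.
        while slot < len(order) and order[slot] in params:
            slot += 1
        if slot == len(order):
            raise ValueError(f"too many arguments: {line!r}")
        params[order[slot]] = token
        slot += 1
    return command, params


def is_approved(address, approved):
    """True if address parses and equals one of the approved addresses."""
    try:
        return ipaddress.ip_address(address) in map(ipaddress.ip_address, approved)
    except ValueError:
        return False


def audit(lines, approved_dns=(), approved_gateways=()):
    """Return (line number, finding, detail) tuples for settings to review."""
    findings = []
    for number, line in enumerate(lines, start=1):
        parsed = None if line.lstrip().startswith("#") else parse_command(line)
        if parsed is None:
            continue
        (_, noun), p = parsed
        if noun == "interface":
            # Both settings default to disabled, so "enabled" is a change.
            for knob in ("forwarding", "advertise"):
                if p.get(knob, "").lower() == "enabled":
                    findings.append((number, f"{knob}-enabled", p.get("interface", "?")))
        elif noun == "neighbors":
            # A static entry pins an IP address to a link-layer address.
            store = p.get("store", "persistent").lower()  # documented default
            findings.append((number, f"static-neighbor-{store}",
                             f"{p.get('address')} -> {p.get('neighbor')}"))
        elif noun == "route":
            hop = p.get("nexthop")
            if hop and not is_approved(hop, approved_gateways):
                findings.append((number, "unapproved-nexthop",
                                 f"{p.get('prefix')} via {hop}"))
        elif noun == "dnsserver":
            addr = p.get("addr")
            if addr and addr.lower() != "none" and not is_approved(addr, approved_dns):
                findings.append((number, "unapproved-dns", addr))
    return findings


# Constructed sample input, written in the syntax shown on this page.
SAMPLE = [
    'set interface "Private" forwarding=enabled',
    'add neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"',
    'add route 10.2.0.0/16 "Internet" 10.0.0.1',
    'set route 10.3.0.0/16 "Internet" 10.0.0.99 0 2 yes 5000 5000 store=active',
    'set dnsserver name="Local Area Connection" source=dhcp',
    'netsh interface ipv4 set dnsserver "Local Area Connection" static 10.0.0.53 primary',
]

if __name__ == "__main__":
    print(*audit(SAMPLE, ["10.0.0.1"], ["10.0.0.1"]), sep="\n")
```

Each finding carries the 1-based line number of the command in the reviewed list, so it can be traced back to the script or saved configuration it came from.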

set subinterface
Modifies subinterface configuration parameters.

Syntax
set subinterface [interface=]<string> [[mtu=]<integer>] [[subinterface=]<string>]
[[store=]active|persistent]

[[ interface=] String]

Specifies an interface name or index.

[[mtu=]<integer>]

Specifies the MTU of this subinterface. The default is the natural MTU of the link.

[[subinterface=]<string>]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]active|persistent]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default
selection is active.

Example
set subinterface "1" mtu=1500 store=active

set winsserver
Sets WINS server configuration to either DHCP or static mode for a specified interface.

Syntax
set winsserver [name=]InterfaceName [source=]{dhcp | static [addr=]{WINSAddress | none
}}

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to set WINS information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

[ source=]{ dhcp| static[ addr=]{ WINSAddress| none}}

Required. Specifies whether the IP address of the WINS server to configure should be assigned by
DHCP or is static. If the IP address is static, WINSAddress specifies the IP address of the WINS
server to configure, and none specifies that the WINS configuration should be removed.

/?

Displays help at the command prompt.

show address
Displays information about static IP addresses and default gateways on a specified interface. Used
without parameters, show address displays address information for all interfaces.

Syntax
show address [[name=]InterfaceName]

Parameters
[ name=] InterfaceName

Specifies the name of the interface for which you want to display address information. The
InterfaceName must match the name of the interface as specified in Network Connections. If
InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

show compartments
Displays information about all compartments, or about a given compartment if one is specified.

Syntax
show compartments [compartment=]<integer> [[level=]normal|verbose]
[store=]active|persistent

Parameters
[compartment=]<integer>

Specifies an interface name or index.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per compartment (default when no compartment is specified).

• verbose: Display extra information about each compartment (default when a compartment
is specified).

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example
show compartments

show config
Displays IP address and other configuration information for a specified interface. Used without
parameters, show config displays configuration information for all interfaces.

Syntax
show config [[name=]InterfaceName]

Parameters
[ name=] InterfaceName

Specifies the name of the interface for which you want to display configuration information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

show destinationcache
Displays destination cache entries. If an interface is specified, displays the cache only on that
interface. If an address is also specified, displays only that destination cache entry.

Syntax
show destinationcache [[interface=]String] [[address=]IPv4Address]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv4Address]

Specifies the address of the destination.

show dnsservers
Displays the DNS configuration of a specified interface. Used without parameters, show
dnsservers displays the DNS configurations of all interfaces.

Syntax
show dnsservers [[name=]InterfaceName]

Parameters

[ name=] InterfaceName

Specifies the name of the interface whose DNS configuration you want to display. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

show dynamicportrange
Displays dynamic port range configuration parameters.

Syntax
show dynamicportrange [[protocol=]tcp|udp] [[store=]active|persistent]

Parameters
[[protocol=]tcp|udp]

One of the following values:

• TCP: Show the dynamic port range for TCP.

• UDP: Show the dynamic port range for UDP.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example
show dynamicportrange

show global
Displays global configuration parameters.

Syntax
show global [[store=]{active | persistent}]

Parameters
[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default
selection is active.

show icmpstats
Displays ICMP statistics. Used without parameters, show icmpstats displays the statistics only once.

Syntax
show icmpstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show interfaces
Displays statistics for a specified interface. Used without parameters, show interfaces displays
statistics for all interfaces only once.

Syntax
show interfaces [[index=]InterfaceIndex] [[rr=]RefreshRate]

Parameters
[ index=] InterfaceIndex

Specifies the interface index, an integer that identifies the interface.

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show ipaddresses
Displays information for a specified IP address. Used without parameters, show ipaddresses
displays information for all IP addresses on all interfaces once.

Syntax
show ipaddresses [[index=]IPAddress] [[rr=]RefreshRate]

Parameters
[ index=] IPAddress

Specifies an IP address of an interface.

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show ipnettomedia
Displays the contents of the Address Resolution Protocol (ARP) cache, which contains the hardware
addresses of resolved next-hop IP addresses. Used without parameters, show ipnettomedia
displays the information once.

Syntax
show ipnettomedia [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show ipstats
Displays IP statistics. Used without parameters, show ipstats displays the statistics once.

Syntax
show ipstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show joins
Displays IP multicast groups that have been joined for the specified IP address. Used without
parameters, show joins displays information for all IP addresses.

Syntax
show joins [[index=]IPAddress]

Parameters
[ index=] IPAddress

Specifies an IP address of an interface.

/?

Displays help at the command prompt.

show neighbors
Displays neighbor cache entries. If an interface is specified, the command displays the cache only
on that interface. If a subinterface is also specified, the command shows only the cache for that
subinterface. If an address is specified as well, the command displays only that specific neighbor
cache entry.

Syntax
show neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string>
[[subinterface=]<string>][[store=]active|persistent] [[level=]normal|verbose]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv4Address]

Specifies the address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per subinterface (default when no subinterface is specified).

• verbose: Display extra information on each subinterface (default when a subinterface is specified).

Example
show neighbors

show offload
Displays the tasks that can be performed by the network adapter for the specified interface
corresponding to installed network hardware. Used without parameters, show offload displays
offload information for all interfaces corresponding to installed network hardware.

Syntax
show offload [[name=]InterfaceName ]

Parameters
[ name=] InterfaceName

Specifies the name of the interface for which you want to display offload information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

show route
Displays route table entries.

Syntax
show route [[level=]normal | verbose] [[store=]active | persistent]

Parameters
[[ level=] normal| verbose]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are
displayed. The default selection is normal.

[[ store=]active| persistent]

Specifies whether active (active) or persistent (persistent) routes are displayed. The default
selection is active.

show subinterfaces
Displays information about all subinterfaces, or about all subinterfaces on a given interface if one is
specified.

Syntax
show subinterfaces [interface=]<string> [[ level=]normal| verbose]
[[subinterface=]<string>] [[store=]active|persistent]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ level=]normal|verbose]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are
displayed. The default selection is normal.

[[subinterface=]<string>]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[ store=]active|persistent]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default
selection is active.

Example
show subinterfaces

show tcpconnections
Displays information on a specified TCP connection. Used without parameters, show
tcpconnections displays information for all TCP connections once.

Syntax
show tcpconnections [[index=]{LocalIPAddress | LocalPort | RemoteIPAddress | RemotePort}]
[[rr=]RefreshRate]

Parameters
[ index=]{ LocalIPAddress| LocalPort| RemoteIPAddress| RemotePort}

Specifies the connection about which to display information. The LocalIPAddress parameter specifies
an IP address of an interface. The LocalPort parameter specifies a TCP port for a local process. The
RemoteIPAddress parameter specifies an IP address of a remote host. The RemotePort parameter
specifies a TCP port for a remote process.

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the
information).

/?

Displays help at the command prompt.

show tcpstats
Displays TCP statistics. Used without parameters, show tcpstats displays the statistics once.

Syntax
show tcpstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show udpconnections
Displays information about the User Datagram Protocol (UDP) ports used for each IP address. Used
without parameters, show udpconnections displays UDP port information for all IP addresses
once.

Syntax
show udpconnections [[index=]{LocalIPAddress | LocalPort}] [[rr=]RefreshRate]

Parameters
[ index=]{ LocalIPAddress| LocalPort}

Specifies the connection about which to display information. The LocalIPAddress parameter specifies
an IP address of an interface. The LocalPort parameter specifies a UDP port for a local process.

[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show udpstats
Displays UDP statistics. Used without parameters, show udpstats displays the statistics once.

Syntax
show udpstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show winsservers
Displays the WINS configuration for a specified interface. Used without parameters, show
winsservers displays the WINS configuration for all interfaces.

Syntax
show winsservers [[name=]InterfaceName]

Parameters

[ name=] InterfaceName

Specifies the name of the interface whose WINS information you want to display. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

Netsh commands for Interface Internet Protocol version 6 (IPv6)

The Netsh commands for Interface IPv6 provide a command-line tool that you can use to query and
configure IPv6 interfaces, addresses, caches, and routes.

In addition, the Interface IPv6 context of netsh has a subcontext for 6to4. You can use the
commands in the netsh interface IPv6 6to4 context to configure or display the configuration of
the 6to4 service on either a 6to4 host or a 6to4 router.

You can run these commands at the command prompt for the netsh interface ipv6 context. For
these commands to work at the command prompt, you must type netsh interface ipv6 before typing
commands and parameters as they appear in the syntax below. To view help for a command at the
command prompt, type CommandName /?, where CommandName is the name of the command.

6to4
Specifies that the 6to4 context of netsh interface IPv6 6to4 is used.

Syntax
6to4

add 6over4tunnel
Creates a 6over4 interface by using the specified IPv4 address.

Syntax
add 6over4tunnel [[interface=]String] [localaddress=]IPv4Address [[store=]{active |
persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[ localaddress=] IPv4Address

Required. Specifies the IPv4 address that is encapsulated.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command creates a 6over4 interface by using the IPv4 address 10.1.1.1 on the
interface named "Private."

add 6over4tunnel "Private" 10.1.1.1

add address
Adds an IPv6 address to a specified interface. Time values can be expressed in days (d), hours (h),
minutes (m), and seconds (s). For example, 2d represents two days.

Syntax
add address [[interface=]String] [address=]IPv6Address [[type=]{unicast | anycast}]
[[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}]
[[store=]{active | persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[ address=] IPv6Address

Required. Specifies the IPv6 address to add.


[[ type=]{ unicast| anycast}]

Specifies whether a unicast address (unicast) or an anycast address (anycast) is added. The
default selection is unicast.

[[ validlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the address is valid. The default value is infinite.

[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the address is preferred. The default value is infinite.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command adds the IPv6 address FE80::2 to the interface named "Private."

add address "Private" FE80::2

add dnsserver
Adds a new DNS server IP address to the statically-configured list of DNS servers for the specified
interface.

Syntax
add dnsserver [interface=]String [address=]IPAddress [[index=]Integer]

Parameters
[ interface=] String

Required. Specifies, by name, which interface will have a DNS server IP address added to its list of
DNS server IP addresses.

[ address=] IPAddress

Required. Specifies the IPv6 address of the DNS server to add to the list.

[[ index=] Integer]

Specifies the position on the statically-configured list in which to place the DNS server IP address
specified in address. By default, the DNS server IP address is added to the end of the list.

Remarks
If an index is specified, the Domain Name System (DNS) server is placed in that position in the list.

Examples
In the first example command, a DNS server with the IPv6 address FEC0:0:0:FFFF::1 is added to
the list of DNS server IP addresses for the interface named "Local Area Connection." In the second
example, a DNS server with the IPv6 address FEC0:0:0:FFFF::2 is added at index 2 as the second
server on the list of servers for the interface named "Local Area Connection."

add dnsserver "Local Area Connection" FEC0:0:0:FFFF::1

add dnsserver "Local Area Connection" FEC0:0:0:FFFF::2 index=2

add neighbors
Specifies an entry in the neighbor cache.

Syntax
add neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]<string>
[[subinterface=]<string>] [[store=]active|persistent]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the neighbor.

[neighbor=]<string>

Specifies the link layer address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Examples

This example command adds an entry to the neighbor cache on the interface named "Private."

add neighbors "Private" "3f::2" "12-34-56-78-9a-bc"

add potentialrouter
Adds a potential router to a given interface.

Syntax
add potentialrouter [interface=]<string> [[address=]<IPv6 address>]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the potential router.

add prefixpolicy
Adds a source and destination address selection policy for a specified prefix.

Syntax
add prefixpolicy [prefix=]IPv6Address/Integer [precedence=]Integer [label=]Integer
[[store=]{active | persistent}]

Parameters
[ prefix=] IPv6Address/Integer

Required. Specifies the prefix for which to add a policy in the policy table. Integer specifies the
prefix length.

[ precedence=] Integer

Required. Specifies the precedence value used for sorting destination addresses in the policy table.

[ label=] Integer

Required. Specifies the label value that allows for policies that require a specific source address
prefix for use with a destination address prefix.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command adds a prefix policy for prefix ::/96, with a precedence value of three and a
label value of four.

add prefixpolicy ::/96 3 4

add route
Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h), minutes
(m), and seconds (s). For example, 2d represents two days.

Syntax
add route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address]
[[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}]
[[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}]
[[store=]{active | persistent}]

Parameters
[ prefix=] IPv6Address/Integer

Required. Specifies the prefix for which to add a route. Integer specifies the prefix length.

[[ interface=] String]

Specifies an interface name or index.

[[ nexthop=] IPv6Address]

Specifies the gateway address, if the prefix is not on-link.

[[ siteprefixlength=] Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[ metric=] Integer]

Specifies the route metric.

[[ publish=]{ no| yes| immortal}]

Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or
not advertised (no) in Route Advertisements. The default selection is no.

[[ validlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.

[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command adds a route on the interface named "Internet" with a prefix of 3FFE:: and
a prefix length of 16 bits (3FFE::/16). The nexthop value is FE80::1.

add route 3FFE::/16 "Internet" FE80::1

add v6v4tunnel
Creates an IPv6-in-IPv4 tunnel.

Syntax
add v6v4tunnel [[interface=]String] [localaddress=]IPv4Address
[remoteaddress=]IPv4Address [[neighbordiscovery=]{enabled | disabled}]
[[store=]{active | persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[ localaddress=] IPv4Address

Required. Specifies the IPv4 address of the local tunnel endpoint.

[ remoteaddress=] IPv4Address

Required. Specifies the IPv4 address of the remote tunnel endpoint.

[[ neighbordiscovery=]{ enabled| disabled}]

Specifies whether Neighbor Discovery is enabled (enabled) or disabled (disabled) on the interface.
The default selection is disabled.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command creates an IPv6-in-IPv4 tunnel between the local address 10.0.0.1 and the
remote address 192.168.1.1 on the interface "Private."

add v6v4tunnel "Private" 10.0.0.1 192.168.1.1

delete address
Deletes an IPv6 address from a specified interface.

Syntax
delete address [[interface=]String] [address=]IPv6Address [[store=]{active | persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[ address=] IPv6Address

Required. Specifies the IPv6 address to delete.

[[ store=]{ active| persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command deletes the address FE80::2 from the interface named "Private."

delete address "Private" FE80::2

delete destinationcache
Clears the destination cache. If an interface is specified, clears the cache only on that interface. If
an address is also specified, deletes only that destination cache entry.

Syntax
delete destinationcache [[interface=]String] [[address=]IPv6Address]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the destination.

Examples
This example command deletes the destination cache for the interface named "Private."

delete destinationcache "Private"

delete dnsserver
Deletes statically configured DNS server IPv6 addresses for a specific interface.

Syntax
delete dnsserver [interface=]String [[address=]{IPv6Address | all}]

Parameters
[ interface=] String

Required. Specifies the interface, by name, for which you want to remove a DNS server from the list
of DNS servers.

[[ address=]{ IPv6Address| all}]

Specifies the DNS server IPv6 address to delete. If all is specified, all DNS server IPv6 addresses on
the list for the interface are deleted.

Examples
In the first example command, the DNS server IPv6 address FEC0:0:0:FFFF::1 is deleted from the
list of addresses for the connection named "Local Area Connection." In the second example
command, all DNS server IPv6 addresses are deleted for the connection named "Local Area
Connection."

delete dnsserver "Local Area Connection" FEC0:0:0:FFFF::1

delete dnsserver "Local Area Connection" all

delete interface
Deletes a specified interface from the IPv6 stack.

Syntax
delete interface [[interface=]String] [[store=]{active | persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ store=]{ active| persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command deletes the interface named "Private."

delete interface "Private"

delete neighbors
Specifies that all entries in the neighbor cache are deleted. If an interface is specified, clears the
cache only on that interface. If an address is also specified, deletes only that neighbor cache entry.

Syntax
delete neighbors [[interface=]String] [[address=]IPv6Address]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the neighbor.

Examples
This example command removes all entries from the neighbor cache on the interface named
"Private."

delete neighbors "Private"

delete potentialrouter
Deletes a potential router from a given interface.

Syntax
delete potentialrouter [interface=]<string> [[address=]<IPv6 address>]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the potential router.

delete prefixpolicy
Deletes the source and destination address selection policy for a specified prefix.

Syntax
delete prefixpolicy [prefix=]IPv6Address/Integer [[store=]{active | persistent}]

Parameters
[ prefix=] IPv6Address/Integer

Required. Specifies the prefix (IPv6Address) and prefix length (Integer) to delete from the policy
table.

[[ store=]{ active| persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command deletes the prefix ::/96 from the policy table.

delete prefixpolicy ::/96

delete route
Deletes an IPv6 route.

Syntax
delete route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address]
[[store=]{active | persistent}]

Parameters
[ prefix=] IPv6Address/Integer

Required. Specifies the prefix of the route to delete.

[[ interface=] String]

Specifies an interface name or index.

[[ nexthop=] IPv6Address]

Specifies the gateway address, if the prefix is not on-link.

[[ store=]{ active| persistent}]

Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command deletes the route with the prefix 3FFE::/16 and the gateway FE80::1 from
the interface named "Internet."

delete route 3FFE::/16 "Internet" FE80::1

dump
Dumps the network adapter IPv6 configuration to the command prompt window when run within the
netsh context. When used in a batch file or script, output can be saved in a text file.

Syntax
netsh interface ipv6 dump > [PathAndFileName]

Parameters
[ PathAndFileName]

Specifies both the location where the file is saved and the name of the destination file to which
the configuration is saved.

Examples
In the first example, the command is run manually at the netsh interface ipv6 context of a
command prompt. The IPv6 configuration is displayed in the command prompt window, and can be
copied and pasted into a text file. In the second example, the dump command is run in a batch file,
and the configuration is saved to a text file named Ipv6_conf.txt at the location C:\Temp.

dump

netsh interface ipv6 dump > C:\temp\ipv6_conf.txt

isatap
Specifies that the isatap context of netsh interface IPv6 isatap is used.

Syntax
isatap

reset
Resets the IPv6 configuration state.

Syntax
reset

set address
Modifies an IPv6 address on a specified interface. Time values can be expressed in days (d), hours
(h), minutes (m), and seconds (s). For example, 2d represents two days.

Syntax
set address [[interface=]String] [address=]IPv6Address [[type=]{unicast | anycast}]
[[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}]
[[store=]{active | persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[ address=] IPv6Address

Required. Specifies the IPv6 address to modify.

[[ type=]{ unicast| anycast}]

Specifies whether the address is marked as a unicast address (unicast) or as an anycast address
(anycast). The default selection is unicast.

[[ validlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the address is valid. The default value is infinite.

[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the address is preferred. The default value is infinite.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets the address FE80::2 on the interface named "Private" as an anycast
address.

set address "Private" FE80::2 anycast

set compartment
Modifies compartment configuration parameters.

Syntax
set compartment [compartment=]<integer>
[defaultcurhoplimit=]<integer>[store=]active|persistent

Parameters
[compartment=]<integer>

Specifies an interface name or index.

[defaultcurhoplimit=]<integer>

Specifies the address of the neighbor.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example
set compartment compartment=1 defaultcurhoplimit=255 store=active

set dnsserver
Configures a DNS server address for a specified interface.

Syntax
set dnsserver [name=]InterfaceName [source=]{dhcp | static } [addr=]{IP Address | none}
[register=]{none | primary | both}

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to set DNS information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

[ source=]{ dhcp| static }

Required. Specifies whether the IP address of the DNS server is configured by DHCP or is static.

[ addr=]{ IP Address| none }

If the IP address is static, IP Address specifies the IP address of the DNS server to configure, and
none specifies that the DNS configuration should be removed.

[ register=]{ none| primary| both }

None specifies that dynamic update is disabled. Primary registers the computer name under
the primary DNS suffix only. Both registers the computer name under both the primary DNS suffix
and the connection-specific suffix.

/?

Displays help at the command prompt.

Examples
set dnsserver name="Local Area Connection" source=dhcp

set dnsserver "Local Area Connection" static fec0:0:0:ffff::1 primary

set dynamicportrange
Modifies the range of ports used for dynamic port assignment. Dynamic port assignment is also
known as wildcard port assignment.

Syntax
set dynamicportrange [[protocol=]tcp|udp] [startport=]<integer>
[numberofports=]<integer> [[store=]active|persistent]

Parameters
[[protocol=]tcp|udp]

One of the following values:

• TCP: Display the dynamic port range for TCP.

• UDP: Display the dynamic port range for UDP.

[startport=]<integer>

Specifies the starting port for dynamic port assignment.

[numberofports=]<integer>

Specifies the number of ports available for dynamic port assignment.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

Example
set dynamicportrange protocol=tcp startport=10000 numberofports=20000

set global
Modifies global configuration parameters.

Syntax
set global [[defaultcurhoplimit=]Integer] [neighborcachelimit=]Integer
[[routecachelimit=]Integer] [[reassemblylimit=]Integer] [[store=]{active | persistent}]

Parameters
[[ defaultcurhoplimit=] Integer]

Specifies the default hop limit of packets sent.

[ neighborcachelimit=] Integer

Required. Specifies the maximum number of neighbor cache entries.

[[ routecachelimit=] Integer]

Specifies the maximum number of route cache entries.

[[ reassemblylimit=] Integer]

Specifies the maximum size of the reassembly buffer.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets global parameters for all IPv6-enabled interfaces on the computer. The
default hop limit is set to 32, the maximum number of neighbor cache entries is set to 100, and the
maximum number of route cache entries is 100,000.

set global 32 100 100000

set interface
Modifies interface configuration parameters.

Syntax
set interface [[interface=]String] [[forwarding=]{enabled | disabled}]
[[advertise=]{enabled | disabled}] [[mtu=]Integer] [[siteid=]Integer] [[metric=]Integer]
[[firewall=]{enabled | disabled}] [[siteprefixlength=]Integer] [[store=]{active |
persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ forwarding=]{ enabled| disabled}]

Specifies whether packets arriving on this interface can be forwarded to other interfaces. The
default selection is disabled.

[[ advertise=]{ enabled| disabled}]

Specifies whether Router Advertisements are sent on this interface. The default selection is
disabled.

[[ mtu=] Integer]

Specifies the Maximum Transfer Unit (MTU) of this interface. The default MTU is the natural MTU of
the link.

[[ siteid=] Integer]

Specifies the site scope zone identifier.

[[ metric=] Integer]

Specifies the interface metric, which is added to route metrics for all routes over the interface.

[[ firewall=]{ enabled| disabled}]

The Firewall can no longer be configured from Netsh. The value specified is ignored.

[[ siteprefixlength=] Integer]

Specifies the default length of the global prefix for the entire site.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets the interface with the name "Private," with a siteid of two and a metric
of two. All other parameter values are left at the default values.

set interface "Private" siteid=2 metric=2
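
The set interface, add route, add v6v4tunnel and add dnsserver entries above decide whether a host forwards, advertises, tunnels or resolves over IPv6, so a saved configuration (for example the text file written by dump) is worth reviewing for them. The following Python sketch is an added example, not part of the original reference: it resolves tagged and positional parameters using the parameter order from the Syntax lines and lists those settings together with their store. The sample lines are constructed, and the rule that an untagged value fills the first parameter not yet set is an assumption drawn from the page's own examples.

```python
import shlex

# Parameter order per command, copied from the Syntax lines of the IPv6 context.
SYNTAX = {
    "set interface": ["interface", "forwarding", "advertise", "mtu", "siteid",
                      "metric", "firewall", "siteprefixlength", "store"],
    "set global": ["defaultcurhoplimit", "neighborcachelimit", "routecachelimit",
                   "reassemblylimit", "store"],
    "add route": ["prefix", "interface", "nexthop", "siteprefixlength", "metric",
                  "publish", "validlifetime", "preferredlifetime", "store"],
    "add v6v4tunnel": ["interface", "localaddress", "remoteaddress",
                       "neighbordiscovery", "store"],
    "add 6over4tunnel": ["interface", "localaddress", "store"],
    "add dnsserver": ["interface", "address", "index"],
}
CONTEXT = ["netsh", "interface", "ipv6"]

# Constructed sample input, not captured from a real host.
SAMPLE = """\
# constructed sample configuration
set interface "Private" siteid=2 metric=2
set interface interface="Internet" forwarding=enabled advertise=enabled store=active
add route 3FFE::/16 "Internet" FE80::1 publish=yes
add v6v4tunnel "Private" 10.0.0.1 192.168.1.1
add dnsserver "Local Area Connection" FEC0:0:0:FFFF::2 index=2
set global 32 100 100000
"""


def parse_command(line):
    """Return (command, {parameter: value}), or None for lines not modelled here."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    tokens = shlex.split(text)  # honours the quotation marks around interface names
    if [t.lower() for t in tokens[:3]] == CONTEXT:
        tokens = tokens[3:]     # same command typed from outside the context
    if len(tokens) < 2:
        return None
    command = " ".join(tokens[:2]).lower()
    order = SYNTAX.get(command)
    if order is None:
        return None
    params = {}
    for token in tokens[2:]:
        tag, sep, value = token.partition("=")
        if sep and tag.lower() in order:
            params[tag.lower()] = value      # tagged form: name=value
            continue
        # Assumption: an untagged value fills the first parameter not yet set.
        free = [name for name in order if name not in params]
        if not free:
            raise ValueError("too many parameters: " + text)
        params[free[0]] = token
    return command, params


def audit(lines):
    """Return (line_no, command, finding, store) for settings worth a review."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        parsed = parse_command(line)
        if parsed is None:
            continue
        command, p = parsed
        # The page gives persistent as the default store for these commands.
        if "store" in SYNTAX[command]:
            store = p.get("store", "persistent").lower()
        else:
            store = "n/a"
        iface = p.get("interface", "?")
        notes = []
        if command == "set interface":
            if p.get("forwarding", "disabled").lower() == "enabled":
                notes.append("forwarding enabled on " + iface)
            if p.get("advertise", "disabled").lower() == "enabled":
                notes.append("Router Advertisements sent on " + iface)
        elif command == "add route":
            if p.get("publish", "no").lower() in ("yes", "immortal"):
                notes.append("route %s advertised via %s" % (p.get("prefix", "?"), iface))
        elif command in ("add v6v4tunnel", "add 6over4tunnel"):
            note = "tunnel endpoint " + p.get("localaddress", "?")
            if "remoteaddress" in p:
                note += " -> " + p["remoteaddress"]
            notes.append(note)
        elif command == "add dnsserver":
            notes.append("static DNS server %s on %s" % (p.get("address", "?"), iface))
        findings.extend((line_no, command, note, store) for note in notes)
    return findings


if __name__ == "__main__":
    for line_no, command, note, store in audit(SAMPLE.splitlines()):
        print("line %d  %-16s %-45s store=%s" % (line_no, command, note, store))
```

A finding with store=active lasts only until the next boot, so it will not appear in a configuration captured after a restart.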

set neighbors
Sets an entry in the neighbor cache.

Syntax
set neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]<string>
[[subinterface=]<string>][[store=]active|persistent]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the neighbor.

[neighbor=]<string>

Specifies the link layer address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Examples
This example command sets an entry in the neighbor cache on the interface named "Private."

set neighbors "Private" "fec0::2" "12-34-56-78-9a-bc"

set prefixpolicy
Modifies a source and destination address selection policy for a specified prefix.

Syntax
set prefixpolicy [prefix=]IPv6Address/Integer [precedence=]Integer [label=]Integer
[[store=]{active | persistent}]

Parameters
[ prefix=] IPv6Address/Integer

Required. Specifies the prefix for which to add a policy in the policy table. Integer specifies the
prefix length.

[ precedence=] Integer

Required. Specifies the precedence value used for sorting destination addresses in the policy table.

[ label=] Integer

Required. Specifies the label value that allows for policies that require a specific source address
prefix for use with a destination address prefix.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets a policy in the policy table for the prefix ::/96, with a precedence value
of three and a label value of four.

set prefixpolicy ::/96 3 4

set privacy
Modifies parameters related to temporary address generation. If randomtime= is specified,
maxrandomtime= is not used. Time values can be expressed in days (d), hours (h), minutes (m),
and seconds (s). For example, 2d represents two days.

Syntax
set privacy [[state=]{enabled | disabled}] [[maxdadattempts=]Integer]
[[maxvalidlifetime=]Integer] [[maxpreferredlifetime=]Integer] [[regeneratetime=]Integer]
[[maxrandomtime=]Integer] [[randomtime=]Integer] [[store=]{active | persistent}]

Parameters
[[ state=]{ enabled| disabled}]

Specifies whether temporary addresses are enabled.

[[ maxdadattempts=] Integer]

Specifies the number of duplicate address detection attempts made. The default value is five.

[[ maxvalidlifetime=] Integer]

Specifies the maximum lifetime over which a temporary address is valid. The default value is 7d
(seven days).

[[ maxpreferredlifetime=] Integer]

Specifies the maximum lifetime over which a temporary address is preferred. The default value is 1d
(one day).

[[ regeneratetime=] Integer]

Specifies how long before a temporary address is deprecated a new address is generated. The
default value is 5s (five seconds).

[[ maxrandomtime=] Integer]

Specifies the upper limit to use when computing a random delay at boot. The default value is 10m
(10 minutes).

[[ randomtime=] Integer]

Specifies a time value to use, instead of a value generated at boot.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

set route
Modifies route parameters. Time values can be expressed in days (d), hours (h), minutes (m), and
seconds (s). For example, 2d represents two days.

Syntax
set route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address]
[[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}]
[[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}]
[[store=]{active | persistent}]

Parameters
[ prefix=] IPv6Address/Integer

Required. Specifies the prefix (IPv6Address) and prefix length (Integer) of the route to modify.

[[ interface=] String]

Specifies an interface name or index.

[[ nexthop=] IPv6Address]

Specifies the gateway address, if the prefix is not on-link.

[[ siteprefixlength=] Integer]

Specifies the prefix length for the entire site, if the prefix is not on-link.

[[ metric=] Integer]

Specifies the route metric.

[[ publish=]{ no| yes| immortal}]

Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or
not advertised (no) in Route Advertisements. The default selection is no.

[[ validlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is valid. The default value is infinite.

[[ preferredlifetime=]{ Integer| infinite}]

Specifies the lifetime over which the route is preferred. The default value is infinite.

[[ store=]{ active| persistent}]

Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.

Examples
This example command sets a route on the interface named "Internet." The route prefix is 3FFE::,
and has a length of 16 bits. The gateway address, defined by the nexthop= parameter, is FE80::1.

set route 3FFE::/16 "Internet" FE80::1

set state
Enables or disables IPv4 compatibility. The default value for all parameters is disabled.

Syntax
set state [[6over4=]{enabled | disabled | default}] [[v4compat=]{enabled | disabled |
default}]

Parameters
[[6over4=]{enabled| disabled| default}]

Specifies whether 6over4 interfaces are created. To both disable and delete 6over4 compatible
interfaces, specify default. To disable 6over4 compatible interfaces without deleting them, specify
disabled.

[[ v4compat=]{ enabled| disabled| default}]

Specifies whether IPv4 compatible interfaces are created. To both disable and delete IPv4
compatible interfaces, specify default. To disable IPv4 compatible interfaces without deleting them,
specify disabled.

Examples
In the first example command, IPv4-compatible addresses are disabled, and any previously existing
interfaces are deleted. In the second example command, IPv4-compatible addresses are enabled.

set state default

set state 6over4=disabled v4compat=enabled

set subinterface
Modifies subinterface configuration parameters.

Syntax
set subinterface [interface=]<string> [[mtu=]<integer>] [[subinterface=]<string>]
[[store=]active|persistent]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[mtu=]<integer>]

Specifies the MTU of this subinterface. The default is the natural MTU of the link.

[[subinterface=]<string>]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]active|persistent]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default
selection is active.

Example
set subinterface "1" mtu=1500 store=active

set teredo
Sets the Teredo state. A 'default' argument to a parameter sets it to the system default.

Syntax
set teredo [[type=]disabled|client|enterpriseclient|default]
[[servername=]<hostname>|<IPv4 address>|default]
[[refreshinterval=]<integer>|default] [[clientport=]<integer>|default]
[[supernode=]<hostname>|<IPv4 address>|default]

Parameters
[[type=]disabled|client|enterpriseclient|default]

One of the following values:

• disabled: Disables the Teredo service.

• client: Enables the Teredo client.

• enterpriseclient: Skips managed network detection.

[[servername=]<hostname>|<IPv4 address>|default]

Specifies the name or IPv4 address of the Teredo server.

[[refreshinterval=]<integer>|default]

Specifies the client refresh interval (in seconds).

[[clientport=]<integer>|default]

Specifies the client's UDP port (otherwise chosen by system).

[[supernode=]<hostname>|<IPv4 address>|default]

Specifies the super-node to use when behind a firewall.

Examples
set teredo disabled

set teredo client teredo.ipv6.microsoft.com 60 34567

show address
Displays all IPv6 addresses, or all addresses on a specified interface.

Syntax
show address [[interface=]String] [[level=]{normal | verbose}] [[store=]{active |
persistent}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ level=]{ normal| verbose}]

Specifies whether one line per interface is displayed (normal) or additional information is displayed
for each interface (verbose). When no interface is specified, the default selection is normal. When
an interface is specified, the default selection is verbose.

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default
selection is active.

show compartments
Displays information about all compartments, or about a given compartment if one is specified.

Syntax
show compartments [compartment=]<integer> [[level=]normal|verbose]
[store=]active|persistent

Parameters
[compartment=]<integer>

Specifies an interface name or index.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per compartment (default when no compartment is specified).

• verbose: Display extra information about each compartment (default when a compartment
is specified).

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example
show compartments

show destinationcache
Displays destination cache entries. If an interface is specified, displays the cache only on that
interface. If an address is also specified, displays only that destination cache entry.

Syntax
show destinationcache [[interface=]String] [[address=]IPv6Address]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the destination.

show dnsservers
Displays the DNS server configuration for a specific interface or interfaces.

Syntax
show dnsservers [[interface=]String]

Parameters
[[ interface=] String]

Specifies the interface, by name, for which you want to display configured DNS server IPv6
addresses. If no interface is specified, servers for all interfaces are displayed.

Examples
In this example command, DNS server IPv6 addresses configured on the "Local Area Connection"
interface are displayed.

show dnsservers "Local Area Connection"

show dynamicportrange
Displays dynamic port range configuration parameters.

Syntax
show dynamicportrange [[protocol=]tcp|udp] [[store=]active|persistent]

Parameters
[[protocol=]tcp|udp]

One of the following values:

• TCP: Show the dynamic port range for TCP.

• UDP: Show the dynamic port range for UDP.

[[store=]active|persistent]

One of the following values:

• Active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

Example
show dynamicportrange

show global
Displays global configuration parameters.

Syntax
show global [[store=]{active | persistent}]

Parameters
[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default
selection is active.

show interfaces
Displays information about all interfaces, or about a specified interface.

Syntax
show interfaces [[interfaces=]String] [[level=]{normal | verbose}] [[store=]{active |
persistent}]

Parameters
[[ interfaces=] String]

Specifies an interface name or index.

[[ level=]{ normal| verbose}]

Specifies whether one line per interface is displayed (normal) or additional information is displayed
for each interface (verbose). When no interface is specified, the default selection is normal. When
an interface is specified, the default selection is verbose.

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) interfaces are displayed. The default
selection is active.

show ipstats
Displays IP statistics. Used without parameters, show ipstats displays the statistics once.

Syntax
show ipstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

show joins
Displays all IPv6 multicast addresses, or all multicast addresses on a specified interface.

Syntax
show joins [[interface=]String] [[level=]{normal | verbose}]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ level=]{ normal| verbose}]

Specifies whether one line per interface is displayed (normal) or additional information is displayed
for each interface (verbose). When no interface is specified, the default selection is normal. When
an interface is specified, the default selection is verbose.

show neighbors
Displays neighbor cache entries. If an interface is specified, the command displays the cache only
on that interface. If a subinterface is also specified, the command shows only the cache for that
subinterface. If an address is specified as well, the command displays only that specific neighbor
cache entry.

Syntax
show neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]<string>
[[subinterface=]<string>][[store=]active|persistent] [[level=]normal|verbose]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ address=] IPv6Address]

Specifies the address of the neighbor.

[[subinterface=]<string>]

Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.

[[store=]active|persistent]

One of the following values:

• active: Address will disappear on next boot.

• Persistent (default): Address will be persistent.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per subinterface (default when no subinterface is specified).

• verbose: Display extra information on each subinterface (default when a subinterface is
specified).

Example
show neighbors

show offload
Displays the tasks that can be performed by the network adapter for the specified interface
corresponding to installed network hardware. Used without parameters, show offload displays
offload information for all interfaces corresponding to installed network hardware.

Syntax
show offload [[name=]InterfaceName ]

Parameters
[ name=] InterfaceName

Specifies the name of the interface for which you want to display offload information. The
InterfaceName parameter must match the name of the interface as specified in Network
Connections. If InterfaceName contains spaces, use quotation marks around the text (for example,
"Interface Name").

/?

Displays help at the command prompt.

show potentialrouters
Displays all potential routers, or all potential routers on a given interface if one is specified.

Syntax
show potentialrouters [interface=]<string> [[level=]normal|verbose]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[level=]normal|verbose]

One of the following values:

• normal: Display one line per subinterface (default when no subinterface is specified).

• verbose: Display extra information on each subinterface (default when a subinterface is
specified).

show prefixpolicies
Displays prefix policy table entries used in source and destination address selection.

Syntax
show prefixpolicies [[store=]{active | persistent}]

Parameters
[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default
selection is active.

show privacy
Displays privacy configuration parameters.

Syntax
show privacy [[store=]{active | persistent}]

Parameters
[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) information is displayed. The default
selection is active.

show route
Displays route table entries.

Syntax
show route [[level=]{normal | verbose}] [[store=]{active | persistent}]

Parameters
[[ level=]{ normal| verbose}]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are
displayed. The default selection is normal.

[[ store=]{ active| persistent}]

Specifies whether active (active) or persistent (persistent) routes are displayed. The default
selection is active.

show siteprefixes
Displays the site prefix table.

Syntax
show siteprefixes

show subinterfaces
Displays information about all subinterfaces, or about all subinterfaces on a given interface if one is
specified.

Syntax
show subinterfaces [interface=]<string> [[level=]normal|verbose]
[[subinterface=]<string>] [[store=]active|persistent]

Parameters
[[ interface=] String]

Specifies an interface name or index.

[[ level=]normal|verbose]

Specifies whether only normal routes (normal) or routes used for loopback (verbose) are
displayed. The default selection is normal.

[[subinterface=]<string>]

Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.

[[store=]active|persistent]

Specifies whether active (active) or persistent (persistent) addresses are displayed. The default
selection is active.

Example
show subinterfaces

show tcpstats
Displays TCP statistics. Used without parameters, show tcpstats displays the statistics once.

Syntax
show tcpstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

show teredo
Shows the Teredo state.

Syntax
show teredo

Examples
show teredo

show udpstats
Displays UDP statistics. Used without parameters, show udpstats displays the statistics once.

Syntax
show udpstats [[rr=]RefreshRate]

Parameters
[ rr=] RefreshRate

Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).

/?

Displays help at the command prompt.

Netsh interface IPv6 6to4


You can use the following commands in the netsh interface IPv6 6to4 context to display the
configuration of or configure the 6to4 service on either a 6to4 host or a 6to4 router.

set interface
Configures the 6to4 service on an interface.

Syntax
set interface [name=] InterfaceName [[routing=] {enabled | disabled | default}]

Parameters
[ name=] InterfaceName

Required. Specifies the name of the interface for which you want to set 6to4 service configuration.
InterfaceName must match the name of the interface specified in Network Connections. If
InterfaceName contains any spaces, it must be enclosed in quotes.

[[ routing=] { enabled| disabled| default}]

Specifies whether the forwarding of 6to4 packets received on the interface is enabled, disabled, or
set to its default value.

show interface
Displays the 6to4 service routing configuration on all interfaces, or on a specified interface.

Syntax
show interface [[name=] InterfaceName]

Parameters
[[ name=] InterfaceName]

Specifies the name of the interface for which you want to display the 6to4 service configuration.
InterfaceName must match the name of the interface specified in Network Connections. If
InterfaceName contains any spaces, it must be enclosed in quotes.

set relay
Configures the name of the 6to4 relay router for the 6to4 service. Additionally, specifies how often
the name is resolved and the state of the relay component for the 6to4 service.

Syntax
set relay [[name=] {RelayDNSName | default}] [[state=] {enabled | disabled | automatic |
default}] [[interval=] {ResInterval | default}]

Parameters
[[ name=] { RelayDNSName| default}]

Specifies either the fully qualified domain name (FQDN) of a 6to4 relay router on the IPv4 Internet
(RelayDNSName), or sets the relay name to its default value of 6to4.ipv6.microsoft.com (default).

[[ state=] { enabled| disabled| automatic| default}]

Specifies whether the state of the relay component for the 6to4 service is enabled, disabled,
automatically enabled if a public IPv4 address is configured, or set to its default value.

[[ interval=] { ResInterval| default}]

Specifies how often the name of the relay router is resolved in minutes (ResInterval) or sets the
resolution interval to its default value of 1440 minutes (default).

show relay
Displays the relay router configuration for the 6to4 service.

Syntax
show relay

set routing
Sets both the state of routing and the inclusion of site-local address prefixes in Router
Advertisements that are sent by the 6to4 router.

Syntax
set routing [[routing=] {enabled | disabled | automatic | default}] [[sitelocals=] {enabled
| disabled | default}]

Parameters
[[ routing=] { enabled| disabled| automatic| default}]

Specifies whether the state of routing on a 6to4 router is enabled, disabled, automatically enabled if
Internet Connection Sharing (ICS) is enabled, or set to its default value.

[[ sitelocals=] { enabled| disabled| default}]

Specifies whether the advertising of site-local address prefixes, in addition to 6to4 address prefixes,
is enabled, disabled, or set to its default value.

show routing
Displays the routing configuration of the 6to4 service.

Syntax
show routing

set state
Configures the state of the 6to4 service.

Syntax
set state [[state=] {enabled | disabled | default}] [[undoonstop=] {enabled | disabled |
default}] [[6over4=] {enabled | disabled | default}]

Parameters
[[ state=] { enabled| disabled| default}]

Specifies whether the state of the 6to4 service is enabled, disabled, or set to its default value.

[[ undoonstop=] { enabled| disabled| default}]

Specifies whether the reversal, when the service stops, of all automatic configuration performed by
the 6to4 service is enabled, disabled, or set to its default value.

show state
Displays the state of the 6to4 service.

Syntax
show state

Netsh interface ipv6 isatap

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and tunneling
mechanism for communication between IPv6/IPv4 nodes within an IPv4 site. It is described in the
Internet draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)"
(draft-ietf-ngtrans-isatap-00.txt). You can use the following commands to configure the ISATAP router.

set router
Specifies the Intra-Site Automatic Tunneling Address Protocol (ISATAP) router information, including
router name, state, and resolution interval.

Syntax
set router [[name=]{String | default}] [[state=]{Enabled | Disabled | Default}]
[[interval=]Integer]

Parameters
[[ name=]{ String| default}]

Specifies whether the router is named with a string. If default is specified, the system reverts to
using the default name.

[[ state=]{ Enabled| Disabled| Default}]

Specifies whether the ISATAP router relays packets between subnets.

[[ interval=] Integer]

Specifies the router resolution interval, in minutes. The default interval is 1440 (24 hours).

Examples
The following example command sets the router name to isatap, enables the router, and sets the
resolution interval to 120 minutes:

set router isatap enabled 120

set state
Enables or disables IPv4 compatibility. The default value for all parameters is disabled.

Syntax
set state [[state=]{enabled | disabled | default}]

Parameters
[[state=]{enabled| disabled| default}]

Specifies whether isatap interfaces are created. To both disable and delete isatap compatible
interfaces, specify default. To disable isatap compatible interfaces without deleting them, specify
disabled.

Examples
In this example command, IPv6-compatible addresses are disabled, and any previously existing
interfaces are deleted.

set state default

show router
Displays configuration information for the ISATAP router.

Syntax
show router

show state
Displays the ISATAP state.

Syntax
show state

Netsh commands for Interface ISATAP
The following entries provide details for each command.

set router
Sets Intra-site Automatic Tunnel Address Protocol (ISATAP) router information.

Syntax

set router [ [ name= ] ( Name | default ) ] [ [ state= ] ( enabled | disabled | default ) ]
[ [ interval= ] Interval ]

Parameters

name

Optional. Specifies the name of the ISATAP router.


state

Optional. Specifies the state of router name resolution.


interval

Optional. Specifies an integer that is the resolution interval (in minutes).


Examples

Following is an example of the set router command.

set router isatap enabled 1440

set state
Sets the ISATAP state.

Syntax

set state [ state= ] ( enabled | disabled | default)

Parameters

state

Optional. Specifies whether ISATAP is enabled.

show router
Shows the ISATAP router information.

Syntax

show router

show state
Shows the ISATAP state.

Syntax

show state

Netsh commands for Interface Portproxy
The Netsh Interface Portproxy commands provide a command-line tool for use in administering
servers that act as proxies between IPv4 and IPv6 networks and applications. You can use these
commands to establish proxy service in the following ways:

• IPv4-configured computer and application messages sent to other IPv4-configured computers and
applications.

• IPv4-configured computer and application messages sent to IPv6-configured computers and
applications.

• IPv6-configured computer and application messages sent to IPv4-configured computers and
applications.

• IPv6-configured computer and application messages sent to other IPv6-configured computers and
applications.

When writing batch files or scripts using these commands, each command must be preceded by
netsh interface portproxy. For example, when using the delete v4tov6 command to specify that
the portproxy server delete an IPv4 port and address from the list of IPv4 addresses for which the
server listens, the batch file or script must use the following syntax:

netsh interface portproxy delete v4tov6 listenport= {Integer | ServiceName}
[[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]

You can run these commands at the command prompt in a Windows Server® 2008 operating system
or at the command prompt for the netsh interface portproxy context. For these commands to
work at the command prompt in Windows Server 2008, you must type netsh interface portproxy
before typing commands and parameters as they appear in the syntax below.
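
A scripted round trip for the rule above, as an added PowerShell example that is not part of the original document: every call carries the full netsh interface portproxy prefix, the v4tov6 listener is bound to an explicit address instead of being left at its default, and the entry is listed and then removed. The function names, addresses and ports are assumptions chosen for illustration; show all is the portproxy context's listing command and is not described in this part of the reference.

```powershell
# Added example; not part of the original reference. Run from an elevated prompt.
# All addresses and ports below are constructed sample values.

function Invoke-PortProxy {
    param([Parameter(Mandatory)][string[]]$Arguments)

    # In a script, every command carries the full "interface portproxy" prefix.
    $output = & netsh.exe interface portproxy @Arguments | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "netsh interface portproxy $($Arguments -join ' ') failed: $output"
    }
    return $output.Trim()
}

function Add-V4ToV6Proxy {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$ListenPort,
        [Parameter(Mandatory)][ipaddress]$ListenAddress,
        [Parameter(Mandatory)][ipaddress]$ConnectAddress,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$ConnectPort
    )

    # v4tov6 listens on an IPv4 address and connects to an IPv6 address;
    # reject swapped or mistyped values before anything reaches netsh.
    if ($ListenAddress.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "listenaddress for v4tov6 must be an IPv4 address."
    }
    if ($ConnectAddress.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "connectaddress for v4tov6 must be an IPv6 address."
    }

    # Named parameters keep the command readable in change reviews and logs.
    Invoke-PortProxy -Arguments @(
        'add', 'v4tov6',
        "listenport=$ListenPort",
        "connectaddress=$ConnectAddress",
        "connectport=$ConnectPort",
        "listenaddress=$ListenAddress",
        'protocol=tcp'
    ) | Out-Null
}

function Remove-V4ToV6Proxy {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$ListenPort,
        [Parameter(Mandatory)][ipaddress]$ListenAddress
    )

    # delete v4tov6 identifies the entry by its listen port and listen address.
    Invoke-PortProxy -Arguments @(
        'delete', 'v4tov6',
        "listenport=$ListenPort",
        "listenaddress=$ListenAddress",
        'protocol=tcp'
    ) | Out-Null
}

# Listen on loopback only, so the proxy entry is not reachable from other hosts.
Add-V4ToV6Proxy -ListenPort 8080 -ListenAddress '127.0.0.1' `
                -ConnectAddress '2001:db8::10' -ConnectPort 80

# Review what is configured on this computer, then remove the sample entry.
Invoke-PortProxy -Arguments 'show', 'all'
Remove-V4ToV6Proxy -ListenPort 8080 -ListenAddress '127.0.0.1'
```

Running the show all step on its own is a quick way to review a server for proxy entries that nobody remembers adding.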

add v4tov4
Specifies that the portproxy server listen for messages sent to a specific port and IPv4 address, and
maps a port and IPv4 address to which to send the messages received after establishing a separate
TCP connection.

Syntax
add v4tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address for which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer Domain Name System (DNS) name. If an address is not specified, the default is
the local computer.

protocol

Specifies the protocol to use. Currently, only Transmission Control Protocol (TCP) is supported.

/?

Displays help at the command prompt.

add v4tov6
Specifies that the portproxy server listen for messages sent to a specific port and IPv4 address, and
maps a port and IPv6 address to which to send the messages received after establishing a separate
TCP connection.

Syntax
add v4tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

add v6tov4
Specifies that the portproxy server listen for messages sent to a specific port and IPv6 address, and
maps a port and IPv4 address to which to send the messages received after establishing a separate
TCP connection.

Syntax
add v6tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

add v6tov6
Specifies that the portproxy server listen for messages sent to a specific port and IPv6 address, and
maps a port and IPv6 address to which to send the messages received after establishing a separate
TCP connection.

Syntax
add v6tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v4tov4
Specifies that the portproxy server delete an IPv4 address from the list of IPv4 ports and addresses
for which the server listens.

Syntax
delete v4tov4 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv4 port to delete.


listenaddress

Specifies the IPv4 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v4tov6
Specifies that the portproxy server delete an IPv4 port and address from the list of IPv4 addresses
for which the server listens.

Syntax
delete v4tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv4 port to delete.

listenaddress

Specifies the IPv4 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v6tov4
Specifies that the portproxy server delete an IPv6 port and address from the list of IPv6 addresses
for which the server listens.

Syntax
delete v6tov4 listenport= {Integer | ServiceName} [[listenaddress=] {IPv6Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv6 port to delete.

listenaddress

Specifies the IPv6 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

delete v6tov6
Specifies that the portproxy server delete an IPv6 address from the list of IPv6 addresses for which
the server listens.

Syntax
delete v6tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv6Address|
HostName}] [[protocol=]tcp]

Parameters

listenport

Required. Specifies the IPv6 port to delete.

listenaddress

Specifies the IPv6 address to delete. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

reset
Resets the IPv6 configuration state.

Syntax
reset

set v4tov4
Modifies the parameter values of an existing entry on the portproxy server created with the add
v4tov4 command, or adds a new entry to the list that maps port/address pairs.

Syntax
set v4tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address for which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently, only Transmission Control Protocol (TCP) is supported.

/?

Displays help at the command prompt.

set v4tov6
Modifies the parameter values of an existing entry on the portproxy server created with the add
v4tov6 command, or adds a new entry to the list that maps port/address pairs.

Syntax
set v4tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv4 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

set v6tov4
Modifies the parameter values of an existing entry on the portproxy server created with the add
v6tov4 command, or adds a new entry to the list that maps port/address pairs.

Syntax
set v6tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If an address is not specified, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

set v6tov6
Modifies the parameter values of an existing entry on the portproxy server created with the add
v6tov6 command, or adds a new entry to the list that maps port/address pairs.

Syntax
set v6tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address |
HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address|
HostName}] [[protocol=]tcp]

Parameters
listenport

Required. Specifies the IPv6 port, by port number or service name, on which to listen.

connectaddress

Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer
NetBIOS name, or computer DNS name. If an address is not specified, the default is the local
computer.

connectport

Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not
specified, the default is the value of listenport on the local computer.

listenaddress

Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS
name, or computer DNS name. If you do not specify an address, the default is the local computer.

protocol

Specifies the protocol to use. Currently only TCP is supported.

/?

Displays help at the command prompt.

show all
Displays all portproxy parameters, including port/address pairs for v4tov4, v4tov6, v6tov4, and
v6tov6.

Syntax
show all

show v4tov4
Displays v4tov4 portproxy parameters.

Syntax
show v4tov4

show v4tov6
Displays v4tov6 portproxy parameters.

Syntax
show v4tov6

show v6tov4
Displays v6tov4 portproxy parameters.

Syntax
show v6tov4

show v6tov6
Displays v6tov6 portproxy parameters.

Syntax
show v6tov6
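
For auditing, the add, set and delete commands above can be replayed from recorded command lines to reconstruct which forwards are left in place. The following is an added example, not part of the original reference: the command lines are constructed samples, the handling of untagged values (filled in syntax order) is an assumption, and the two review criteria in findings() are this example's own.

```python
import shlex

# Parameter order as given in the Syntax lines for the set and delete commands.
SET_ORDER = ["listenport", "connectaddress", "connectport", "listenaddress", "protocol"]
DELETE_ORDER = ["listenport", "listenaddress", "protocol"]
MODES = {"v4tov4", "v4tov6", "v6tov4", "v6tov6"}
LOCAL = "(local computer)"  # stands in for the documented default address
LOOPBACK = {LOCAL, "127.0.0.1", "::1", "localhost"}


def parse_portproxy(command):
    """Return (verb, mode, params) for a portproxy add/set/delete line, else None."""
    tokens = shlex.split(command.lower(), posix=False)
    if "portproxy" not in tokens:
        return None
    rest = tokens[tokens.index("portproxy") + 1:]
    if len(rest) < 2 or rest[0] not in ("add", "set", "delete") or rest[1] not in MODES:
        return None
    verb, mode = rest[0], rest[1]
    order = DELETE_ORDER if verb == "delete" else SET_ORDER
    params = {}
    for arg in rest[2:]:
        name, sep, value = arg.partition("=")
        if sep:
            if name not in order:
                raise ValueError(f"unknown parameter {name!r}: {command!r}")
            params[name] = value
        else:
            # Untagged value: assumed to fill the next unset parameter in syntax order.
            unset = [p for p in order if p not in params]
            if not unset:
                raise ValueError(f"too many arguments: {command!r}")
            params[unset[0]] = arg
    if "listenport" not in params:
        raise ValueError(f"listenport is required: {command!r}")
    if params.setdefault("protocol", "tcp") != "tcp":
        raise ValueError(f"only tcp is supported: {command!r}")
    # Documented defaults: local computer for addresses, listenport for connectport.
    params.setdefault("listenaddress", LOCAL)
    if verb != "delete":
        params.setdefault("connectaddress", LOCAL)
        params.setdefault("connectport", params["listenport"])
    return verb, mode, params


def replay(commands):
    """Apply commands in order; return {(mode, listenaddress, listenport): (connectaddress, connectport)}."""
    table = {}
    for line in commands:
        parsed = parse_portproxy(line)
        if parsed is None:
            continue  # not a portproxy add/set/delete command
        verb, mode, p = parsed
        key = (mode, p["listenaddress"], p["listenport"])
        if verb == "delete":
            table.pop(key, None)
        else:
            # set modifies an existing entry or adds a new one, so it is handled like add.
            table[key] = (p["connectaddress"], p["connectport"])
    return table


def findings(table):
    """Return [(key, reasons)] for entries that do more than relay to the same local port."""
    hits = []
    for key, (caddr, cport) in sorted(table.items()):
        reasons = []
        if caddr not in LOOPBACK:
            reasons.append("connects to another host")
        if cport != key[2]:
            reasons.append(f"port changes from {key[2]} to {cport}")
        if reasons:
            hits.append((key, reasons))
    return hits


# Constructed sample command lines (documentation address ranges), not taken from a real host.
SAMPLE_COMMANDS = [
    "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=192.0.2.10 connectport=80",
    "netsh interface portproxy set v4tov4 listenport=8080 connectaddress=192.0.2.20 connectport=3389",
    "netsh interface portproxy add v6tov4 listenport=443 listenaddress=2001:db8::1 connectaddress=127.0.0.1",
    "netsh interface portproxy add v4tov4 listenport=9000 connectaddress=192.0.2.30",
    "netsh interface portproxy delete v4tov4 listenport=9000",
    "ipconfig /all",
]

if __name__ == "__main__":
    for key, reasons in findings(replay(SAMPLE_COMMANDS)):
        print(key, "; ".join(reasons))
```

Compare the reconstructed table with the output of show all on the host itself; an entry present there but absent from the recorded commands was created by some other path.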

Netsh commands for Interface Transmission Control Protocol
The following sections provide details for each command.

add chimneyapplication
Sets the Transmission Control Protocol (TCP) chimney state for a particular application.

Syntax

add chimneyapplication [ state= ] disabled | enabled [ application= ] PathName

Parameters

state

Required. Specifies one of the following values: disabled: Disables TCP chimney offload for
application. enabled: Enables TCP chimney offload for application. Applies to new connections only.

application

Required. Specifies the application name and path.


Examples

Following are two examples of the add chimneyapplication command.

add chimneyapplication disabled c:\path\database.exe

add chimneyapplication state=disabled application=c:\path\database.exe

add chimneyport
Sets the TCP chimney state for a source port, destination port pair.

Syntax

add chimneyport [ state= ] disabled | enabled [ localport= ] *| Integer [ remoteport= ] *| Integer

Parameters

state

Required. Specifies one of the following values: disabled: Disables TCP chimney offload for the
local port, remote port pair. enabled: Enables TCP chimney offload for the local port, remote port
pair. Applies to new connections only.

localport

Required. Specifies the source port. An asterisk (*) specifies all ports. To specify a specific port
number, provide a value for Integer.

remoteport

Required. Specifies the destination port. An asterisk (*) specifies all ports. To specify a specific port
number, provide a value for Integer.

Examples

Following are two examples of the add chimneyport command.

add chimneyport disabled 10000 *

add chimneyport state=disabled localport=10000 remoteport=*

delete chimneyapplication
Deletes the application from the TCP chimney offload selection table.

Syntax

delete chimneyapplication [application=] ApplicationName

Parameters

application

Required. Specifies the application name and path.


Examples

Following are two examples of the delete chimneyapplication command.

delete chimneyapplication c:\path\database.exe

delete chimneyapplication application=c:\path\database.exe

delete chimneyport
Deletes the port entry from the TCP chimney offload selection table.

Syntax

delete chimneyport [ localport= ] *| Integer [ remoteport= ] *| Integer

Parameters

localport

Required. Specifies the source port. An asterisk (*) specifies all ports. To specify a specific port
number, provide a value for Integer.

remoteport

Required. Specifies the destination port. An asterisk (*) specifies all ports. To specify a specific port
number, provide a value for Integer.

Examples

Following are two examples of the delete chimneyport command.

delete chimneyport 80 *

delete chimneyport localport=80 remoteport=*

reset
Removes all user configured settings and resets all TCP parameters to their default values.

Syntax

reset

set global
Sets TCP parameters that affect all connections.

Syntax

set global [ [ rss= ] disabled | enabled | default ] [ [ chimney= ] disabled | enabled |
default ] [ [ autotuninglevel= ] disabled | highlyrestricted | restricted | normal
| experimental ] [ [ congestionprovider= ] none | ctcp | default ] [ [ ecncapability= ]
disabled | enabled | default ] [ [ timestamps= ] disabled | enabled | default ]

Parameters

rss

Optional. Specifies one of the following values:

disabled: Disable receive-side scaling.

enabled: Enable receive-side scaling.

default: Restore receive-side scaling state to the system default.

chimney

Optional. Specifies one of the following values:

disabled: Disable Chimney offload.

enabled: Enable Chimney offload.

default: Restore Chimney offload state to the system default.


autotuninglevel

Optional. Specifies one of the following values:

disabled: Fix the receive window at its default value.

highlyrestricted: Allow the receive window to grow beyond its default value, but do so very
conservatively.

restricted: Allow the receive window to grow beyond its default value, but limit such growth in
some scenarios.

normal: Allow the receive window to grow to accommodate almost all scenarios.

experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING:
This can dramatically degrade performance in common scenarios and should only be used for
research purposes.

congestionprovider

Optional. Specifies one of the following values:

none: Use the built-in standard congestion control algorithm.

ctcp: Use the add-on Compound TCP congestion control algorithm.

default: Restore the selected provider to the system default.


ecncapability

Optional. Specifies one of the following values:

disabled: Disable ECN Capability.

enabled: Enable ECN Capability.

default: Restore ECN Capability state to the system default.


timestamps

Optional. Specifies one of the following values:

disabled: Disable RFC 1323 timestamps.

enabled: Enable RFC 1323 timestamps.

default: Restore RFC 1323 timestamps state to the system default.


Examples

Following are two examples of the set global command.

set global enabled enabled normal

set global rss=enabled chimney=enabled autotuninglevel=normal

show chimneyapplications
Shows TCP Chimney application filters.

Syntax

show chimneyapplications [ [ level= ] normal | verbose ]

Parameters

level

Optional. Specifies one of the following values:

normal: Display the TCP connect IPv4 filters in the TCP chimney offload table. This is the default
value.

verbose: Display filters for all events in the TCP chimney offload table.

show chimneyports
Shows TCP Chimney port filters.

Syntax

show chimneyports [ [ level= ] normal | verbose ]

Parameters

level

Optional. Specifies one of the following values:

normal: Display the TCP connect IPv4 filters in the TCP chimney offload table. This is the default
value.

verbose: Display filters for all events in the TCP chimney offload table.

show global
Shows TCP parameters that affect all connections.

Syntax

show global [ [ store= ] active | persistent ]

Parameters

store

Optional. Specifies one of the following values:

active: Show information in the stack (default).

persistent: Show persistent information.

Netsh commands for Interface Teredo
This section contains the following commands:

set state

show state

Interface Teredo commands


The following entries provide details for each command.

set state
Sets the Teredo state. A default argument to a parameter sets it to the system default.

Syntax

set state [ [ type= ] disabled | client | enterpriseclient | default ] [ [ servername= ]
HostName | IPv4Address | default ] [ [ refreshinterval= ] Integer | default ] [ [ clientport= ]
Integer | default ] [ [ supernode= ] HostName | IPv4Address | default ]

Parameters

type

Optional. Specifies one of the following values: disabled: Disable the Teredo service. client:
Enable the Teredo client. enterpriseclient: Skip managed network detection.

servername

Optional. Specifies the host name or IPv4 address of the Teredo server.

refreshinterval

Optional. Specifies an integer value for the client refresh interval (in seconds).

clientport

Optional. Specifies an integer that is the client's UDP port (if default is specified, this value is
chosen by the system).

supernode

Optional. Specifies the Super-Node to use when behind a firewall.


Examples

Following are two examples of the set state command.

set state disable

set state client teredo.ipv6.microsoft.com 60 34567

show state
Shows the Teredo state.

Syntax

show state

Netsh Commands for Internet Protocol Security (IPsec)
The Netsh commands for Internet Protocol security (IPsec) provide an alternative to the console-
based management and diagnostic capabilities provided by the IP Security Policy Management and
IP Security Monitor snap-ins available for the Microsoft Management Console (MMC). By using the
Netsh commands for IPsec, you can configure and view static or dynamic IPsec Main Mode settings,
Quick Mode settings, rules, currently established security associations, and configuration
parameters.

Administering IPsec from the command line is especially useful when you want to:

Script IPsec configuration.

Extend the security and manageability of IPsec by configuring the following features, which are not
available in the IP Security Policy Management snap-in: IPsec diagnostics, default traffic exemptions,
strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer
startup security, and computer startup traffic exemptions.

You can run these commands from within the netsh tool at the netsh ipsec> prompt.

For these commands to work at a standard Windows command prompt, you must preface each
command with netsh firewall, followed by the specific command and parameters as they appear in
the syntax below.

Netsh IPsec static-mode commands

You can use the netsh ipsec static commands to perform the same management and monitoring
tasks that you can perform by using the IP Security Policy Management console. By using these
commands, you can create and modify IPsec policies without immediately affecting the
configuration of the active IPsec policy. Policies affect the operational state of the computer when you
use the assign=Yes parameter on an add policy or set policy command. If you make changes to
an assigned policy, they will take effect immediately. A Group Policy assigned to the computer will
override a local policy, even when the assign=yes option is part of the local policy command.

Netsh IPsec dynamic-mode commands


You can use the netsh ipsec dynamic commands to display the active state of IPsec and to
immediately affect the configuration of the active IPsec policy. These commands directly configure
the security policy database (SPD). Changes that you make to an IPsec policy while using these
commands take effect only while the IPsec service is running. If the IPsec service is stopped, the
dynamic policy settings are discarded. Although most of these commands take effect immediately,
several configuration commands still require you to restart the IPsec service or restart the computer
before they take effect. For more information about these commands, see the syntax descriptions
for the netsh ipsec dynamic set config commands.

Netsh IPsec
The following commands are available at the IPsec> prompt, which is rooted within the netsh
environment.

While the netsh ipsec dynamic commands modify the currently active configuration without
storing the change anywhere, the netsh ipsec static commands modify a store that contains an
IPsec configuration, which allows the changes to persist, be saved, and be recalled later.

static
Switches to the IPsec static context. In static mode you configure an IPsec policy which can be
assigned to a computer at a later time. Changes made in this mode do not immediately affect the
current IPsec state of the computer on which they are made, unless the policy being modified has
the assign=yes property currently set and a Group Policy assigned IPsec policy is not currently
overriding the local policy.

Syntax
static

Parameters
none

dynamic
Switches to the IPsec dynamic context. In dynamic mode, you are making changes to the active IPsec
state of the computer on which you run the command. The changes are not saved to a policy that
can then be deployed to another computer.

Syntax
dynamic

Parameters
none

Netsh IPsec static


The following commands are available at the ipsec static> prompt, which is rooted within the
netsh environment.

add filter
Adds a filter to the specified filter list.

Syntax
add filter [ filterlist = ] FilterListName [ srcaddr = ] { me | any | IPAddr | IPAddr-
IPAddr | ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
[ [ description = ] string ] [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]
[ [ mirrored = ] { yes | no } ] [ [ srcmask = ] { Mask | Prefix } ]
[ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ]

Parameters
[ filterlist = ] FilterListName

Required. Specifies the name of the filter list to which the filter is added. Each filter defines a set of
inbound or outbound network traffic to be secured.

[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range,
Domain Name System (DNS) name, or server type for the IP traffic. For ServerType, you can use
wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers
providing those services. The me keyword matches the IP address(es) assigned to the local
computer, even when they change. Any matches any IP address.

[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address
range, DNS name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp,
or gateway to match the locally configured IP addresses of the computers providing those services.
The me keyword matches the IP address(es) assigned to the local computer, even when they
change. Any matches any IP address.

[ [ description = ] String ]

Provides information about the filter.

[ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]

Specifies the IP protocol if, in addition to addressing information, you want to filter a specific IP
protocol. The default value is any.

[ [ mirrored= ] { yes | no } ]

Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter
settings--one for traffic to the destination and one for traffic from the destination. Both source and
destination addresses and ports are mirrored. The default value is yes.

[ [ srcmask = ] {Mask|Prefix} ]

Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify
a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] {Mask|Prefix} ]

Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You
can specify a prefix value in the range of 1 through 32. The default value is the mask of
255.255.255.255.

[ [ srcport = ] Port ]

Specifies the source port number of the packets to be filtered. This option only applies if you are
filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is
any.

[ [ dstport = ] Port ]

Specifies the destination port number of the packets to be filtered. This option only applies if you
are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default
is any.

add filteraction
Creates a filter action with the specified Quick Mode security methods.

Syntax
add filteraction [ name = ] FilterActionName [ [ description = ] string ]
[ [ qmpfs = ] { yes | no }] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ]
[ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]

Parameters
[ name = ] FilterActionName

Required. Specifies the name of the filter action to be created.

[ [ description = ] string ]

Provides information about the filter action.

[ [ qmpfs = ] { yes | no } ]

Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new
master key material is renegotiated each time a new session key is required. The default value is
no.

[ [ inpass = ] { yes | no } ]

Specifies whether to allow an incoming packet that matches the configured filter list to be
unsecured, but require IPsec-secured communication when replying. The default value is no.

[ [ soft = ] { yes | no } ]

Specifies whether to fall back to unsecured communication with other computers that do not
support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is
no.

[ [ action = ] {permit | block | negotiate } ]

Specifies the action to take on the traffic that matches the rule containing this filter action. If
permit is specified, traffic is transmitted or received without requiring IPsec protection. If block is
specified, traffic is blocked. If negotiate is specified, IPsec is used with the specified list of security
methods. The default value is negotiate.

[ [ qmsecmethods = ] "SecMethodsString" ]

Specifies one or more security methods. Each method is described by one of the following formats,
separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:
EncAlg

Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.


AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.


HashAlg

Specifies the hash function. HashAlg can be MD5 or SHA1.


numk

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is
transferred, a new session key for the Quick Mode SA is generated. The default value is 100000
kilobytes.

nums

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

add filterlist
Creates an empty filter list with the specified name.

Syntax
add filterlist [ name = ] FilterListName [ [ description = ] string ]

Parameters
[ name = ] FilterListName

Required. Specifies the name of the filter list to be created.

[ [ description = ] string ]

Provides information about the filter list.

add policy
Creates an IPsec policy with the specified name.

Syntax
add policy [ name = ] PolicyName [ [ description = ] string ] [ [ mmpfs = ] { yes | no } ]
[ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ]
[ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ]
[ [ assign = ] { yes | no } ] [ [ mmsecmethods = ] "KeyExchMethods" ]

Parameters
[ name = ] PolicyName

Required. Specifies the name of the IPsec policy to be created.

[ [ description = ] string ]

Provides information about the IPsec policy.

[ [ mmpfs = ] { yes | no } ]

Specifies whether to enable master key perfect forward secrecy (PFS). If yes is specified, Main
Mode security SAs are reauthenticated and new master key keying material is negotiated each time
session key material for a Quick Mode SA is required. The default value is no.

[ [ qmpermm = ] Integer ]

Specifies the number of times that master keying material can be used to derive the session key.
The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the
Main Mode SA.

[ [ mmlifetime = ] Integer ]

Specifies the number of minutes after which a new master key will be generated. The default value
is 480 minutes.

[ [ activatedefaultrule = ] { yes | no } ]

Specifies whether to activate the default response rule for this IPsec policy. The default value is no.
This setting is not valid on Windows Vista or Windows Server 2008. When set through a Group
Policy that is shared with earlier versions of Windows, computers running Windows Vista or
Windows Server 2008 ignore the value. If you are running the command locally on a computer
running Windows Vista or Windows Server 2008, it generates an error.

[ [ pollinginterval = ] Integer ]

Specifies how often IPsec polls for changes to this policy. The default value is 180 minutes.

[ [ assign = ] { yes | no } ]

Specifies whether to assign this IPsec policy (only one IPsec policy can be assigned). The default
value is no.

[ [ mmsecmethods = ] "KeyExchMethods" ]

Specifies one or more key exchange security methods, separated by spaces. Each method is
described by a string of the following format:
EncAlg-HashAlg-GroupNumb
Where:
EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.


HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.


GroupNumb

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNumb can be: 1
(low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), and 3 (high,
protects with 2048 bits).
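
The qmsecmethods strings of add filteraction and the mmsecmethods strings of add policy can be checked before a policy is assigned. The following is an added example, not part of the original reference: it parses both formats as described above and reports the weaker choices. The command lines are constructed samples, name=value pairs are assumed to be written without spaces around the equals sign, and the decision about what to report is this example's own.

```python
import re
import shlex

# One Quick Mode method: AH[..], ESP[..,..] or AH[..]+ESP[..,..], with an optional
# :<n>k/<n>s lifetime (treated as optional here because defaults are documented for it).
QM_RE = re.compile(
    r"^(?:AH\[(?P<hash>\w+)\])?(?P<plus>\+)?"
    r"(?:ESP\[(?P<enc>\w+),(?P<auth>\w+)\])?"
    r"(?::(?P<kb>\d+)k/(?P<sec>\d+)s)?$",
    re.IGNORECASE,
)
# One Main Mode method: EncAlg-HashAlg-GroupNumb.
MM_RE = re.compile(r"^(?P<enc>\w+)-(?P<hash>\w+)-(?P<group>\d+)$")

# Values the reference lists as acceptable.
QM_ENC, QM_AUTH = {"DES", "3DES", "NONE"}, {"MD5", "SHA1", "NONE"}
HASHES, MM_ENC, GROUPS = {"MD5", "SHA1"}, {"DES", "3DES"}, {"1", "2", "3"}


def check_quick_mode(method):
    """Return the weaknesses of one qmsecmethods entry; raise ValueError if malformed."""
    m = QM_RE.match(method)
    both = bool(m and m["hash"] and m["enc"])
    if not m or not (m["hash"] or m["enc"]) or bool(m["plus"]) != both:
        raise ValueError(f"malformed Quick Mode method: {method!r}")
    issues = []
    if m["hash"]:
        if m["hash"].upper() not in HASHES:
            raise ValueError(f"unknown HashAlg in {method!r}")
        if m["hash"].upper() == "MD5":
            issues.append("AH uses MD5")
    if m["enc"]:
        enc, auth = m["enc"].upper(), m["auth"].upper()
        if enc not in QM_ENC or auth not in QM_AUTH:
            raise ValueError(f"unknown EncAlg or AuthAlg in {method!r}")
        if enc == "DES":
            issues.append("ESP encrypts with DES")
        if enc == "NONE":
            issues.append("ESP does not encrypt")
        if auth == "MD5":
            issues.append("ESP integrity uses MD5")
        if auth == "NONE" and not m["hash"]:
            issues.append("no integrity algorithm")
    return issues


def check_main_mode(method):
    """Return the weaknesses of one mmsecmethods entry; raise ValueError if malformed."""
    m = MM_RE.match(method)
    if not m or m["enc"].upper() not in MM_ENC or m["hash"].upper() not in HASHES \
            or m["group"] not in GROUPS:
        raise ValueError(f"malformed Main Mode method: {method!r}")
    issues = []
    if m["enc"].upper() == "DES":
        issues.append("key exchange encrypted with DES")
    if m["hash"].upper() == "MD5":
        issues.append("key exchange hashed with MD5")
    if m["group"] == "1":
        issues.append("Diffie-Hellman group 1 (768 bits)")
    return issues


def lint_command(command):
    """Check one 'add filteraction' or 'add policy' command line; return a list of findings."""
    pairs = (tok.split("=", 1) for tok in shlex.split(command) if "=" in tok)
    params = {name.lower(): value for name, value in pairs}
    issues = []
    for method in params.get("qmsecmethods", "").split():
        issues += [f"{method}: {text}" for text in check_quick_mode(method)]
    for method in params.get("mmsecmethods", "").split():
        issues += [f"{method}: {text}" for text in check_main_mode(method)]
    # soft and inpass both default to no; yes permits unsecured traffic.
    if params.get("soft", "no").lower() == "yes":
        issues.append("soft=yes: falls back to unsecured communication")
    if params.get("inpass", "no").lower() == "yes":
        issues.append("inpass=yes: accepts unsecured incoming packets")
    return issues


# Constructed sample command lines; the names are hypothetical.
SAMPLE = [
    'netsh ipsec static add filteraction name=RequireEsp action=negotiate soft=no '
    'qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"',
    'netsh ipsec static add filteraction name=Legacy soft=yes '
    'qmsecmethods="ESP[DES,MD5] AH[MD5]+ESP[none,none]"',
    'netsh ipsec static add policy name=Corp mmsecmethods="3DES-SHA1-2 DES-MD5-1"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", lint_command(line) or "no findings")
```

3DES and SHA1 are not reported because they are the strongest values this syntax offers.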

add rule
Creates a rule that links a specified IPsec policy, filter list, and filter action with specified
authentication methods.

Syntax
add rule [ name = ] RuleName [ policy = ] PolicyName [ filterlist = ] FilterListName
[ filteraction = ] FilterActionName [ [ tunnel = ] { IPAddress | DNSName } ]
[ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ]
[ [ description = ] string ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ]
[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters
[ name = ] RuleName

Required. Specifies the name of the IPsec rule to be created.

[ policy = ] PolicyName

Required. Specifies the name of the IPsec policy that contains this rule.

[ filterlist = ] FilterListName

Required. Specifies the name of the IP filter list for this rule.

[ filteraction = ] FilterActionName

Required. Specifies the name of the filter action for this rule.

[ [ tunnel = ] {IPAddress | DNSName} ]

Specifies the IP address (IPv4 or IPv6) or DNS name of the tunnel endpoint for tunnel mode. By
default, this option is not specified and transport mode is used.

[ [ conntype = ] { lan | dialup | all }]

Specifies whether the rule applies only to dial-up connections, only to local area network (LAN)
connections, or to all connections. The default value is all.

[ [ activate = ]{ yes | no } ]

Specifies whether to enable this rule in the specified IPsec policy. The default value is yes.

[ [ description = ] string]

Provides information about the rule.


[ [ kerberos = ]{ yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an
authentication method.

[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no } "]

Specifies certificate authentication options. The argument is a string in quotes that contains the
following elements:
CertName

Specifies the distinguished name of the certificate, if a certificate is used as an authentication
method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account
mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from
which a certificate is accepted.

delete all
Deletes all IPsec policies, filter lists, and filter actions.

Syntax
delete all

Parameters
None.

delete filter
Deletes a filter from a filter list that matches the specified parameters.

Syntax
delete filter [ filterlist = ] FilterListName [ srcaddr = ] { me | any | IPAddr | IPAddr-
IPAddr | ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
[ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ] [ [ srcmask = ] { Mask | Prefix } ]
[ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ]
[ [ mirrored = ] { yes | no } ]

Parameters
[ filterlist = ] FilterListName

Required. Specifies the name of the filter list to which the filter was added.

[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic
being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic
being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ [ protocol = ] {ANY|ICMP|TCP|UDP|RAW|Integer} ]

Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A
value of ANY matches filters with a protocol setting of any.

[ [ srcmask = ] {Mask|Prefix} ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify
a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255,
equivalent to the prefix value of 32.

[ [ dstmask = ] {Mask|Prefix} ]

Specifies the destination address subnet mask or the prefix of the packets being filtered. You can
specify a prefix value in the range of 0 through 32. The default value is the mask of
255.255.255.255, equivalent to the prefix value of 32.

[ [ srcport = ] Port ]

Specifies the source port number of the packets being filtered. This option only applies if you are
filtering TCP or UDP packets. The default is to match any port number.

[ [ dstport = ] Port ]

Specifies the destination port number of the packets being filtered. This option only applies if you
are filtering TCP or UDP packets. The default is to match any port number.

[ [ mirrored = ] { yes | no } ]

Specifies whether a mirrored filter was created.

delete filteraction
Deletes the specified filter action, or all filter actions.

Syntax
delete filteraction { [ name = ] FilterActionName | all }

Parameters
{ [ name = ] FilterActionName | all}

Required. Specifies the name of the filter action to delete. Or, if all is specified, all filter actions are
deleted.

delete filterlist
Deletes the specified filter list, or all filter lists.

Syntax
delete filterlist { [ name = ] FilterListName | all }

Parameters
{ [ name = ] FilterListName | all }

Required. Specifies the name of the filter list to delete. Or, if all is specified, all filter lists are
deleted.

delete policy
Deletes the specified IPsec policy and all associated rules, or all IPsec policies.

Syntax
delete policy { [ name = ] PolicyName | all }

Parameters
{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec policy to delete. Or, if all is specified, all IPsec policies
are deleted.

delete rule
Deletes a specified rule, or all rules from the specified IPsec policy.

Syntax
delete rule { [ name = ] RuleName | [ ID = ] Integer | all } [ policy = ] PolicyName

Parameters
{ [ name = ] RuleName | [ ID = ] Integer | all }

Required. Specifies the rule to delete. If either the rule name or the rule ID (the number
identifying the position of the rule in the policy rule list) is specified, the corresponding rule is
deleted. If all is specified, all rules are deleted.

[ policy = ] PolicyName

Required. Specifies the name of the policy from which one or more rules are deleted.

exportpolicy
Exports IPsec policy information to the specified file. You can export all policies, or a specified
policy.

Syntax
exportpolicy [ file = ] FilePathAndName [ [ name = ] PolicyName ]

Parameters
[ file = ] FilePathAndName

Required. Specifies the folder path and name of the file into which the IPsec policy information is
exported.

[ [ name = ] PolicyName ]

Specifies the policy to export. If no value is provided, then all policies are exported.

importpolicy
Imports IPsec policy information from the specified IPsec file.

Syntax
importpolicy [ file = ] FilePathAndName

Parameters
[ file = ] FilePathAndName

Required. Specifies the folder path and name of the file from which the IPsec policy information is
imported.

set batch
Sets batch mode. When batch mode is enabled, netsh caches information used during the
processing of commands. When other commands reference that same information, the command
can typically be processed much more quickly since it is in the cache memory. This can significantly
improve performance of scripts that run a sequence of netsh commands.

Syntax
set batch [ mode = ] { enable | disable }

Parameters
[ mode = ] { enable | disable }

Required. Turns batch mode with its associated caching of information on or off. Use enable to
turn it on before running a sequence of commands.

set defaultrule
Modifies the default response rule for the specified policy. This option is only applicable to
computers running Windows XP or Windows Server 2003, and does not apply to Windows Vista or
Windows Server 2008.

Syntax
set defaultrule [ policy = ] PolicyName [ [ qmpfs = ] { yes | no } ]
[ [ activate = ] { yes | no } ] [ [ qmsecmethods = ] "SecMethodsString" ]
[ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName
certmap:{ yes | no } excludecaname:{ yes | no }"]

Parameters
[ policy = ] PolicyName

Required. Specifies the name of the IPsec policy for which the default response rule is to be
modified.

[ [ qmpfs = ]{ yes | no } ]

Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new
master key material is renegotiated each time a new session key is required. The default value is
no.

[ [ activate = ]{ yes | no } ]

Specifies whether to activate this rule for the specified IPsec policy. The default value is yes.

[ [ qmsecmethods = ] "SecMethodsString" ]

Specifies one or more security methods, separated by spaces and defined by the following format:

{ ESP[EncAlg,AuthAlg]:k/s | AH[HashAlg]:k/s | AH[HashAlg]+ESP[EncAlg,AuthAlg]:k/s }

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES (Data Encryption Standard), 3DES, or
none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash
Algorithm 1), or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.

k

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is
transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000
kilobytes.

s

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

[ [ kerberos = ]{ yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an
authentication method.

[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname: { yes | no }"]

Specifies certificate authentication options. The argument is a string in quotes that contains the
following elements:
CertName

Specifies the distinguished name of the certificate, if a certificate is used as an authentication
method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account
mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from
which a certificate is accepted.

set filteraction
Modifies a filter action.

Syntax
set filteraction { [ name = ] FilterActionName | [ guid = ] FilterActionGUID }
[ [ newname = ] NewFilterActionName ] [ [ description = ] String ] [ [ qmpfs = ] { yes | no } ]
[ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ]
[ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]

Parameters
{ [ name = ] FilterActionName | [ guid = ] FilterActionGUID }

Required. Specifies the name or globally unique identifier (GUID) of the filter action to modify.

[ [ newname = ] NewFilterActionName ]

Changes the name of the filter action to the specified value. If a value is not specified, then the
name is not changed.

[ [ description = ] String ]

Changes the information about the filter action. If a value is not specified, then description is not
changed.

[ [ qmpfs = ] { yes | no } ]

Changes the value that specifies whether to enable session key perfect forward secrecy (PFS). If
yes is specified, new master key material is renegotiated each time a new session key is required.
If a value is not specified, then qmpfs is not changed.

[ [ inpass = ] { yes | no } ]

Changes the value that specifies whether to allow an incoming packet that matches the configured
filter list to be unsecured, but require IPsec-secured communication when replying. If a value is not
specified, then inpass is not changed.

[ [ soft = ] { yes | no } ]

Changes the value that specifies whether to fall back to unsecured communications with other
computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer
fail. If a value is not specified, then soft is not changed.

[ [ action = ] { permit | block | negotiate } ]

Changes the value that specifies whether to permit traffic without negotiating IPsec. If permit is
specified, traffic is transmitted or received without negotiating or applying IP security. If block is
specified, traffic is blocked. If negotiate is specified, IP security is used, with the specified list of
security methods. If a value is not specified, then action is not changed.

[ [ qmsecmethods = ] "SecMethodsString" ]

Changes the string that specifies one or more security methods. Each method is described by one of
the following formats, separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 or SHA1.

numk

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is
transferred, a new session key for the Quick Mode SA is generated. The default value is 100000
kilobytes.

nums

Specifies the session key lifetime in seconds. The default value is 3600 seconds.

If a value is not specified, then qmsecmethods is not changed.

set filterlist
Modifies a filter list.

Syntax
set filterlist { [ name = ] FilterListName | [ guid = ] FilterListGUID }
[ [ newname = ] NewFilterListName ] [ [ description = ] String ]

Parameters
{ [ name = ] FilterListName | [ guid = ] FilterListGUID }

Required. Specifies the name or globally unique identifier (GUID) of the filter list to modify.

[ [ newname = ] NewFilterListName ]

Changes the name of the filter list to the specified value. If a value is not specified, then the name
is not changed.

[ [ description = ] String ]

Changes the information about the filter list. If a value is not specified, then description is not
changed.

set policy
Modifies an IPsec policy.

Syntax
set policy { [ name = ] PolicyName | [ guid = ] PolicyGUID } [ [ newname = ] NewPolicyName ]
[ [ description = ] String ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ]
[ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ]
[ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ gponame = ] NameOfGPO ]
[ [ mmsecmethods = ] "KeyExchMethods" ]

Parameters
{ [ name = ] PolicyName | [ guid = ] PolicyGUID }

Required. Specifies the name or GUID of the IPsec policy to modify.

[ [ newname = ] NewPolicyName ]

Changes the name of the IPsec policy to the specified value. If a value is not specified, then the
name is not changed.

[ [ description = ] String ]

Changes the information about the IPsec policy. If a value is not specified, then description is not
changed.

[ [ mmpfs = ] { yes | no } ]

Changes the value that specifies whether to enable master key perfect forward secrecy (PFS). If
yes is specified, Main Mode security SAs are reauthenticated and new master key keying material is
negotiated each time session key material for a Quick Mode SA is required. If a value is not
specified, then mmpfs is not changed.

[ [ qmpermm = ] Integer ]

Changes the value that specifies the number of times that master keying material can be used to
derive the session key. If a value is not specified, then qmpermm is not changed.

[ [ mmlifetime = ] Integer ]

Changes the value that specifies the number of minutes after which a new master key will be
generated. If a value is not specified, then mmlifetime is not changed.

[ [ activatedefaultrule = ] { yes | no } ]

Changes the value that specifies whether to activate the default response rule for this IPsec policy.
This setting is not valid on Windows Vista or Windows Server 2008. When set through a Group
Policy that is shared with earlier versions of Windows, computers running Windows Vista or
Windows Server 2008 ignore the value. If you are running the command locally on a computer
running Windows Vista or Windows Server 2008, it generates an error. If a value is not specified,
then activatedefaultrule is not changed.

[ [ pollinginterval = ] Integer ]

Changes the value that specifies how often IPsec polls for changes to this policy. If a value is not
specified, then pollinginterval is not changed.

[ [ assign = ] { yes | no } ]

Changes the value that specifies whether to assign this IPsec policy (only one IPsec policy can be
assigned). If a value is not specified, then assign is not changed.

[ [ gponame = ] NameOfGPO ]

Changes the value that specifies the name of the Group Policy object to which the IPsec policy is
assigned. This parameter is only applicable if you are configuring policy for a computer that is an
Active Directory domain member. If a value is not specified, then gponame is not changed.

[ [ mmsecmethods = ] "KeyExchMethods" ]

Changes the string that specifies one or more key exchange security methods, separated by spaces.
Each method is described by a string of the following format:
EncAlg-HashAlg-GroupNum

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.

HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.

GroupNum

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be 1
(low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high,
protects with 2048 bits).

If a value is not specified, then mmsecmethods is not changed.

set rule
Modifies a rule in an IPsec policy.

Syntax
set rule { [ name = ] RuleName | [ ID = ] Integer } [ policy = ] PolicyName
[ [ newname = ] NewRuleName ] [ [ description = ] String ] [ [ filterlist = ] FilterListName ]
[ [ filteraction = ] FilterActionName ] [ [ tunnel = ] { IPAddress | DNSName } ]
[ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ]
[ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String
certmap:{ yes | no } excludecaname:{ yes | no }" ]

Parameters
{ [ name = ] RuleName | [ ID = ] Integer }

Required. Specifies the name or ID (the number identifying the position of the rule in the policy
rule list) of the rule to modify.

[ policy = ] PolicyName

Required. Specifies the name of the IPsec policy that contains the rule to modify.

[ [ newname = ] NewRuleName ]

Changes the name of the rule to the specified value. If a value is not specified, then the name is not
changed.

[ [ description = ] String ]

Changes the information about the rule. If a value is not specified, then description is not
changed.

[ [ filterlist = ] FilterListName ]

Changes the IP filter list associated with this rule. If a value is not specified, then filterlist is not
changed.

[ [ filteraction = ] FilterActionName ]

Changes the filter action associated with this rule. If a value is not specified, then filteraction is
not changed.

[ [ tunnel = ] {IPAddress|DNSName} ]

Changes the value that specifies the IP address or DNS name of the tunnel endpoint for tunnel
mode. If a value is not specified, then tunnel is not changed.

[ [ conntype = ] { lan | dialup | all }]

Changes the value that specifies whether the rule applies only to dial-up connections or to local area
network (LAN) connections, or to all connections. If a value is not specified, then conntype is not
changed.

[ [ activate = ] { yes | no } ]

Changes the value that specifies whether to enable this rule for the specified IPsec policy. If a value
is not specified, then activate is not changed.

[ [ kerberos = ] { yes | no } ]

Changes the value that specifies whether to use the Kerberos V5 protocol as an authentication
method.

[ [ psk = ] PreSharedKey]

Changes the string of characters to use for the preshared key, if a preshared key is used as an
authentication method. If a value is not specified, then psk is not changed.

[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no } "]

Changes the value that specifies certificate authentication options. The argument is a string in
quotes that contains the following elements:
String

Specifies the distinguished name of the certificate, if a certificate is used as an authentication
method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account
mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from
which a certificate is accepted.

If a value is not specified, then rootca is not changed.

set store
Sets the current IPsec policy storage location.

Syntax
set store [ location = ] { local | domain } [ [ domain = ] DomainName ]

Parameters
[ location = ] { local | domain }

Required. Specifies the storage location for the IPsec policy.

[ [ domain = ] DomainName ]

Specifies the name of the domain where the IPsec policy is stored, if the policy is stored in Active
Directory (when location=domain is specified).

show all
Displays configuration information for all IPsec policies, rules, filter lists, and filter actions.

Syntax
show all [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters
[ [ format = ] { list | table} ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The
default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width
of 80 characters. The default value is no, meaning that the display of configuration information is
limited to the screen width.

show filteraction
Displays configuration information for one or more filter actions.

Syntax
show filteraction { [ name = ] FilterActionName | [ rule = ] RuleName | all }
[ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters
{ [ name = ] FilterActionName | [ rule = ] RuleName | all }

Required. Specifies one or more filter actions for which configuration information is to be
displayed.

• If name is specified, then the filter action with the specified name is displayed.

• If rule is specified, then the filter action associated with the specified rule is displayed.

• If all is specified, all filter actions are displayed.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, information about the security
methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled
is displayed, in addition to basic filter action information. The default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The
default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width
of 80 characters. The default value is no, meaning that the display of configuration information is
limited to the screen width.

show filterlist
Displays configuration information for one or more filter lists.

Syntax
show filterlist { [ name = ] FilterListName | [ rule = ] RuleName | all }
[ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ]
[ [ resolvedns = ] { yes | no } ] [ [ wide = ] { yes | no } ]

Parameters
{ [ name = ] FilterListName | [ rule = ] RuleName | all }

Required. Specifies one or more filter lists to display. If name is specified, the filter list with the
specified name is displayed. If rule is specified, all filter lists associated with the specified rule are
displayed. If all is specified, all filter lists are displayed.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, information about the security
methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled
is displayed, in addition to basic filter action information. The default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The
default value is list, meaning that output is displayed in screen format.

[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the DNS or NetBIOS computer name associated with an IP address
when displaying sources or destinations. If yes is specified, level must also be set to verbose, or
the DNS names are not displayed. The default value is no.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width
of 80 characters. The default value is no, meaning that the display of configuration information is
limited to the screen width.

show gpoassignedpolicy
Displays configuration information for the active IPsec policy assigned to the specified Group Policy
object.

Syntax
show gpoassignedpolicy [ [ name = ] GPOName ]

Parameters
[ [ name = ] GPOName ]

Specifies the name of the Group Policy object to which the active IPsec policy is assigned. If no
name is specified, the local IPsec policy is displayed.

show policy
Displays configuration information for the specified IPsec policy, or for all IPsec policies.

Syntax
show policy { [ name = ] PolicyName | all } [ [ level = ] { verbose | normal } ]
[ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters
{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec policy to display or, if all is specified, that all IPsec
policies are displayed.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, the security methods and
authentication method are displayed, in addition to information about filter actions and rules. The
default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The
default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width
of 80 characters. The default value is no, meaning that the display of configuration information is
limited to the screen width.

show rule
Displays configuration information for a rule for a specified policy, or for all rules for a specified
policy.

Syntax
show rule { [ name = ] RuleName | [ id = ] Integer | all | default } [ policy = ] PolicyName
[ [ type = ] { transport | tunnel } ] [ [ level = ] { verbose | normal } ]
[ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]

Parameters
{ [ name = ] RuleName | [ id = ] Integer | all | default }

Required. Specifies one or more rules to display. If either the rule name or the rule ID (the number
identifying the position of the rule in the policy rule list) is specified, the corresponding rule is
displayed. If all is specified, all rules for the specified policy are displayed. If default is specified,
the default response rule is displayed.

[ policy = ] PolicyName

Required. Specifies the name of the policy for which the specified rule, or all rules, are displayed.

[ [ type = ] { transport | tunnel } ]

Specifies whether to display all transport rules or all tunnel rules. The default value is to display all
rules.

[ [ level = ] { verbose | normal } ]

Specifies the level of information to display. If verbose is specified, the security methods and
authentication method are displayed, in addition to information about filter actions and rules. The
default value is normal.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The
default value is list, meaning that output is displayed in screen format.

[ [ wide = ] { yes | no } ]

Specifies whether to allow the display of IPsec configuration information to exceed the screen width
of 80 characters. The default value is no, meaning that the display of configuration information is
limited to the screen width.

show store
Displays the current IPsec policy storage location. Commands that you enter to change the state of
the IPsec configuration apply to the displayed location unless you use the set store command to
change the location first.

Syntax
show store

Netsh IPsec dynamic

The following commands are available at the ipsec dynamic > prompt, which is rooted within the
netsh environment.

add mmpolicy
Creates an IPsec Main Mode policy with the specified name and adds it to the security policy
database (SPD).

Syntax
add mmpolicy name = PolicyName [ qmpermm = Integer ] [ mmlifetime = Integer ]
[ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]

Parameters
name = PolicyName

Required. Specifies the name of the IPsec policy to be created.

[ qmpermm = Integer ]

Specifies the number of times that master keying material can be used to derive the session key.
The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the
Main Mode SA.

[ mmlifetime=Integer ]

Specifies the number of minutes after which a new master key is generated. If a new master key is
generated sooner because of the qmpermm parameter, then this timer is reset and begins
counting again. A value of 0 specifies that the master key is never regenerated because of time.
The default value is 480 minutes.

[ softsaexpirationtime = Integer ]

Specifies the number of minutes after which an unprotected security association (a soft SA) expires.
A value of 0 specifies that soft SAs do not expire. The default value is 480 minutes.

[ mmsecmethods = "KeyExchMethods" ]

Specifies one or more key exchange security methods, separated by spaces. Each method is
described by a string of the following format:
EncAlg-HashAlg-GroupNum

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.

HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.

GroupNum

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be 1
(low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high,
protects with 2048 bits).

add qmpolicy
Creates an IPsec Quick Mode policy with the specified name and adds it to the SPD.

Syntax
add qmpolicy name = PolicyName [ soft = { yes | no } ]
[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]
[ qmsecmethods = "SecMethodsString" ]

Parameters
name = PolicyName

Required. Specifies the name of the IPsec Quick Mode policy to be created.

[ soft = { yes | no } ]

Specifies whether to fall back to unsecured communications with other computers that do not
support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is
no.

[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]

Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low,
with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of
keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is
used. If grpmm is specified, the group value is taken from the current Main Mode settings. The
default value is nopfs, meaning session key PFS is disabled.

[ qmsecmethods = "SecMethodsString" ]

Specifies one or more security methods. Each method is described by one of the following formats,
separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:

EncAlg

Specifies the encryption algorithm. EncAlg can be DES (Data Encryption Standard), 3DES, or
none.

AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash
Algorithm 1), or none.

HashAlg

Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.

numk

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is
transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000
kilobytes.

nums

Specifies the session key lifetime in seconds. The default value is 3600 seconds.
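The mmsecmethods and qmsecmethods strings described above for add mmpolicy and add qmpolicy (and for the static set policy and set filteraction commands) can be parsed and reviewed before they are applied. The following Python sketch is an added example, not part of the original reference or of netsh: the function names are hypothetical, the accepted values are only those listed on this page, and treating an omitted lifetime as the documented default is an assumption.

```python
import re

# Values exactly as listed on this page for the netsh ipsec contexts.
ENC_ALGS = {"DES", "3DES", "NONE"}
AUTH_ALGS = {"MD5", "SHA1", "NONE"}
HASH_ALGS = {"MD5", "SHA1"}
DH_BITS = {"1": 768, "2": 1024, "3": 2048}  # GroupNum -> bits of keying material

# One Quick Mode method once optional spaces are removed,
# e.g. AH[SHA1]+ESP[3DES,SHA1]:100000k/3600s
QM_METHOD = re.compile(
    r"(?:AH\[(?P<hash>\w+)\])?(?P<plus>\+)?"
    r"(?:ESP\[(?P<enc>\w+),(?P<auth>\w+)\])?"
    r"(?::(?P<kb>\d+)k/(?P<sec>\d+)s)?",
    re.IGNORECASE,
)


def split_methods(value):
    """Drop spaces inside a method, then split the space-separated list."""
    value = re.sub(r"\s*([\[,:+/-])\s*", r"\1", value.strip())
    value = re.sub(r"\s+\]", "]", value)  # keep the space that follows "]"
    return value.split()


def parse_qm_method(token):
    """Parse one ESP, AH or AH+ESP method; raise ValueError if it is malformed."""
    m = QM_METHOD.fullmatch(token)
    has_ah = bool(m and m["hash"])
    has_esp = bool(m and m["enc"])
    if not m or not (has_ah or has_esp) or bool(m["plus"]) != (has_ah and has_esp):
        raise ValueError(f"not a documented Quick Mode method: {token!r}")
    method = {
        "hash": m["hash"].upper() if has_ah else None,
        "enc": m["enc"].upper() if has_esp else None,
        "auth": m["auth"].upper() if has_esp else None,
        # Assumption: an omitted lifetime means the documented defaults.
        "kb": int(m["kb"] or 100000),
        "sec": int(m["sec"] or 3600),
    }
    if has_ah and method["hash"] not in HASH_ALGS:
        raise ValueError(f"unknown HashAlg in {token!r}")
    if has_esp and (method["enc"] not in ENC_ALGS or method["auth"] not in AUTH_ALGS):
        raise ValueError(f"unknown EncAlg or AuthAlg in {token!r}")
    return method


def audit_qm(value):
    """Return [(method, [issues])] for a qmsecmethods string."""
    findings = []
    for token in split_methods(value):
        m = parse_qm_method(token)
        issues = []
        if m["enc"] == "DES":
            issues.append("DES encryption")
        if m["enc"] in (None, "NONE"):
            issues.append("no encryption")       # AH only, or ESP with EncAlg none
        if "MD5" in (m["hash"], m["auth"]):
            issues.append("MD5 integrity")
        if m["auth"] == "NONE" and m["hash"] is None:
            issues.append("no integrity algorithm")
        findings.append((token, issues))
    return findings


def audit_mm(value):
    """Return [(method, [issues])] for an mmsecmethods string."""
    findings = []
    for token in split_methods(value):
        parts = token.upper().split("-")
        if (len(parts) != 3 or parts[0] not in ("DES", "3DES")
                or parts[1] not in HASH_ALGS or parts[2] not in DH_BITS):
            raise ValueError(f"not EncAlg-HashAlg-GroupNum: {token!r}")
        enc, hash_alg, group = parts
        issues = []
        if enc == "DES":
            issues.append("DES encryption")
        if hash_alg == "MD5":
            issues.append("MD5 hash")
        if group == "1":  # labelled "low" on this page
            issues.append(f"DH group 1 ({DH_BITS[group]} bits)")
        findings.append((token, issues))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the original page.
    for method, issues in audit_mm("3DES-SHA1-3 DES-MD5-1"):
        print("MM", method, issues or "ok")
    for method, issues in audit_qm("ESP[3DES,SHA1]:100000k/3600s AH [MD5]"):
        print("QM", method, issues or "ok")
```

The checks only rank choices among the options this page documents; they do not assess 3DES or SHA1 themselves.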

add rule
Creates an IPsec rule with the specified Main Mode policy and Quick Mode policy and adds it to the
security policy database.

Syntax
add rule [ srcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType }
[ dstaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ mmpolicy = ] MMPolicyName
[ [ qmpolicy = ] QMPolicyName ]
[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ]
[ [ dstport = ] Integer ] [ [ mirrored = ] { yes | no } ] [ [ conntype = ]{ lan | dialup | all } ]
[ [ actioninbound = ]{ permit | block | negotiate } ]
[ [ actionoutbound = ] { permit | block | negotiate } ] [ [ srcmask = ]{ Mask | Prefix } ]
[ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ]{ IPAddress | DNSName } ]
[ [ kerberos = ]{ yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName
certmap:{ yes | no } excludecaname:{ yes | no }"]

Parameters
[ srcaddr = ] { Me | Any | IPAddress | IPRange | dns | server }

Required. Specifies the source IPv4 or IPv6 address, an IP address range, a DNS name, or a server
type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ dstaddr = ] { Me | Any | IPAddress | IPRange | dns | server }

Required. Specifies the destination IPv4 or IPv6 address, an IP address range, a DNS name, or a
server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ mmpolicy = ] MMPolicyName

Required. Specifies the name of the Main Mode policy.

[ [ qmpolicy = ] QMPolicyName ]

Specifies the name of the Quick Mode policy. Required if actioninbound=negotiate or
actionoutbound=negotiate is specified.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies the IP protocol if, in addition to address information, you want to filter a specific IP
protocol. The default value is ANY, meaning all protocols are used for the filter.

[ [ srcport = ] Integer ]

Specifies the source port number of the packets to be filtered. This option only applies if you are
filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is
0.

[ [ dstport = ] Integer ]

Specifies the destination port number of the packets to be filtered. This option only applies if you
are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default
is 0.

[ [ mirrored = ]{ yes | no } ]

Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter
settings, one for traffic to the destination and one for traffic from the destination. The default value
is yes.

[ [ conntype = ] { lan | dialup | all } ]

Specifies whether the rule applies only to remote access/dial-up connections, to local area network
(LAN) connections, or to all connections. The default value is all.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is
received without negotiating or applying IP security. If block is specified, traffic is blocked. If
negotiate is specified, IPsec is used, with the list of security methods specified in the Main Mode
and Quick Mode policies. The default value is negotiate.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic
is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If
negotiate is specified, IP security is used, with the list of security methods specified in the Main
Mode and Quick Mode policies. The default value is negotiate.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify
a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You
can specify a prefix value in the range of 1 through 32. The default value is the mask of
255.255.255.255.

[ [ tunneldstaddress = ] { IPAddress | DNSName } ]

Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel
destination (the computer or gateway on the other side of the tunnel). The default is to not create a
tunnel, but to use IPsec in Transport mode.

[ [ kerberos = ] { yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an
authentication method.

[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no } "]

Specifies certificate authentication options. The argument is a string in quotes that contains the
following elements:
CertName

Specifies the distinguished name of the certificate, if a certificate is used as an authentication
method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account
mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from
which a certificate is accepted.

delete all
Deletes all IPsec policies, filters, and authentication methods, if possible, from the Security Policy
Database (SPD).

Syntax
delete all

Parameters
None.

delete mmpolicy
Deletes the specified IPsec Main Mode policy, or all IPsec Main Mode policies, from the SPD.

Syntax
delete mmpolicy [ name = ]{ MMPolicyName | all }

Parameters
[ name = ] { MMPolicyName | all }

Required. Specifies the name of the IPsec Main Mode policy to delete. Or, if all is specified, all IPsec
Main Mode policies are deleted.

delete qmpolicy
Deletes the specified IPsec Quick Mode policy, or all IPsec Quick Mode policies, from the SPD.

Syntax
delete qmpolicy [ name = ]{ QMPolicyName | all }

Parameters
[ name = ] { QMPolicyName | all }

Required. Specifies the name of the IPsec Quick Mode policy to delete. Or, if all is specified, all
IPsec Quick Mode policies are deleted.

delete rule
Deletes an IPsec rule from the security policy database.

Syntax
delete rule [ srcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType }
[ dstaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ protocol = ]{ ANY |
ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integer [ dstport = ] Integer
[ mirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all }
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ]
[ [ tunneldstaddress = ]{ IPAddress | DNSName } ]

Parameters
[ srcaddr = ] { Me | Any | IPAddress | IPRange | ServerType }

Required. Specifies the source IP address, DNS name, or server type for the IP traffic. You can use
WINS, DNS, DHCP, or gateway for ServerType.

[ dstaddr = ] { Me | Any | IPAddress | IPRange | ServerType }

Required. Specifies the destination IP address, DNS name, or server type for the IP traffic. You can
use WINS, DNS, DHCP, or gateway for ServerType.

[ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer }

Required. Specifies the IP protocol used for the filter.

[ srcport = ] Integer

Required. Specifies the source port number of the packets being filtered. This option only applies if
you are filtering TCP or UDP packets.

[ dstport = ] Integer

Required. Specifies the destination port number of the packets being filtered. This option only
applies if you are filtering TCP or UDP packets.

[ mirrored = ]{ yes | no }

Required. Specifies whether the rule was created with mirrored filters.

[ conntype = ] { lan | dialup | all }

Required. Specifies whether the rule to be deleted applies only to remote access/dial-up
connections, to local area network (LAN) connections, or to all connections.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify
a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets being filtered. You
can specify a prefix value in the range of 1 through 32. The default value is the mask of
255.255.255.255.

[ [ tunneldstaddress = ] { IPAddress | DNSName } ]

Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel
destination (the computer or gateway on the other side of the tunnel).

delete sa
Deletes Main Mode security associations.

Syntax
delete sa [ [ srcaddr = ]{ IPv4Address } ] [ [ dstaddr = ]{ IPv4Address } ]

Parameters
[ [ srcaddr = ] { IPv4Address } ]

Specifies the source IPv4 address to match against existing SAs.

[ [ dstaddr = ] { IPv4Address } ]

Specifies the destination IPv4 address to match against existing SAs.

set config
Creates or modifies the following IPsec settings: IPsec diagnostics, default traffic exemptions,
strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer
startup security, and computer startup traffic exemptions.

Syntax
set config [ property = ]{ PropertyToSet } [ value = ] ValueToAssign

Parameters
The property must be specified, and can be any of the options shown here:

IPsecdiagnostics { 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 }
Specifies whether to enable IPsec diagnostic logging and, if so, which level of logging to provide.
The default value is 0, meaning that logging is disabled. If you change the value for this setting,
you must restart the computer for the new value to take effect.
You can specify other values as follows, to enable different levels of logging:

• 1: Bad SPI packets (the total number of packets for which the Security Parameters Index or
SPI was incorrect), IKE negotiation failures, IPsec processing failures, packets received
with packet syntax that is not valid, and other errors are recorded in the System log.
Unauthenticated hashes (with the exception of the "Clear text received when should
have been secured" event) are logged as well.

• 2: Inbound per-packet drop events are recorded in the System log.

• 3: Level 1 and level 2 logging are performed. In addition, unexpected clear text events
(packets that are sent or received in plaintext) are also recorded.

• 4: Outbound per-packet drop events are recorded in the System log.

• 5: Level 1 and level 4 logging are performed.

• 6: Level 2 and level 4 logging are performed.

• 7: All levels of logging are performed.

ikelogging { 0 | 1 }

Specifies whether to enable IKE (Oakley) logging, to generate details about the SA establishment
process. The default value is 0, meaning that IKE logging is disabled.

strongcrlcheck { 0 | 1 | 2 }

Specifies the level of CRL checking to use. The default value is 1.

• 0: CRL checking is disabled.

• 1: Standard CRL checking is used, and certificate validation fails only if the certificate is
determined to be revoked.

• 2: Strong CRL checking is used, and certificate validation fails if any CRL check error
occurs.

IPsecloginterval {Integer}

Specifies the interval, in seconds, after which IPsec event logs are sent to the System log. For
Integer, valid values range from 60 through 86400. The default value is 3600. If you change the
value for this setting, you must restart the computer for the new value to take effect.

IPsecexempt { 0 | 1 | 2 | 3 }

Specifies whether to modify the default IPsec traffic exemption (traffic that is not matched against
IPsec filters but is still permitted). The default value is 3. If you change the value for this setting,
you must restart the computer for the new value to take effect.
You can specify other values as follows:

• 0: Multicast, broadcast, RSVP, Kerberos, and IKE traffic is exempted from IPsec filtering.

• 1: Only multicast, broadcast, and IKE traffic is exempted from IPsec filtering (Kerberos and
RSVP traffic is not exempted).

• 2: Only RSVP, Kerberos, and IKE is exempted from IPsec filtering (multicast and broadcast
traffic is not exempted).

• 3: Only IKE traffic is exempted.

bootmode { stateful | block | permit }


Specifies the action that IPsec is required to take when the computer starts.

• stateful: Only the following traffic is permitted during computer startup: outbound traffic
initiated by the computer during startup, inbound traffic that is sent in response to the
outbound traffic, and DHCP traffic.

• block: All inbound and outbound traffic is blocked until a local IPsec policy or a domain-
based IPsec policy is applied.

• permit: All traffic is transmitted and received.

The default value is stateful. If you use either of the values stateful or block, you can use the
bootexemptions parameter to specify traffic types that you want to exempt from IPsec filtering
during computer startup.
If you change the value for this setting, you must restart the computer for the new value to take
effect.

bootexemptions { none | "Exempt1 Exempt2 …" }

Specifies one or more IPsec traffic exemptions from startup security, separated by spaces and
defined by the following format for TCP and UDP traffic: protocol:srcport:dstport:direction and the
following format for non-TCP/UDP traffic: protocol:direction, where:

protocol = { ICMP | TCP | UDP | RAW | Integer }

Specifies the IP protocol type to exempt from IPsec filtering during computer startup.

srcport = Port

Specifies the source port number of the packets to exempt from IPsec filtering during computer
startup. A value of 0 means that any source port is exempted.

dstport = Port

Specifies the destination port number of the packets to exempt from IPsec filtering during computer
startup. A value of 0 means that any destination port is exempted.

direction = { inbound | outbound }

Specifies the direction of the traffic to exempt from IPsec filtering during computer startup.
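
The bootexemptions format described above, as an added Python example (not part of the netsh documentation) that validates a value before it is passed to set config and lists the inbound TCP/UDP exemptions that cover every destination port. The class and function names are the example's own, and it assumes that Integer protocols use the two-field form and range from 0 through 255.

```python
"""Validate a netsh IPsec bootexemptions value (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BootExemption:
    protocol: str                  # ICMP, TCP, UDP, RAW, or a protocol number as text
    direction: str                 # inbound or outbound
    srcport: Optional[int] = None  # None for non-TCP/UDP entries; 0 means any port
    dstport: Optional[int] = None


def _direction(text: str, token: str) -> str:
    if text.lower() not in ("inbound", "outbound"):
        raise ValueError(f"{token!r}: direction must be inbound or outbound")
    return text.lower()


def _port(text: str, token: str) -> int:
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"{token!r}: port must be 0 through 65535")
    return int(text)


def _protocol(text: str, token: str) -> str:
    if text in ("ICMP", "RAW"):
        return text
    # Assumption: Integer is an IP protocol number, 0 through 255.
    if text.isdigit() and int(text) <= 255:
        return text
    raise ValueError(f"{token!r}: unknown protocol")


def parse_bootexemptions(value: str) -> List[BootExemption]:
    """Parse 'none' or a space-separated list of exemptions; raise ValueError if malformed."""
    value = value.strip()
    if value.lower() == "none":
        return []
    if not value:
        raise ValueError("empty value; use 'none' for no exemptions")
    entries = []
    for token in value.split():
        fields = token.split(":")
        proto = fields[0].upper()
        if proto in ("TCP", "UDP"):
            # TCP and UDP use protocol:srcport:dstport:direction.
            if len(fields) != 4:
                raise ValueError(f"{token!r}: expected protocol:srcport:dstport:direction")
            entries.append(BootExemption(proto, _direction(fields[3], token),
                                         _port(fields[1], token), _port(fields[2], token)))
        else:
            # Every other protocol uses protocol:direction.
            if len(fields) != 2:
                raise ValueError(f"{token!r}: expected protocol:direction")
            entries.append(BootExemption(_protocol(proto, token), _direction(fields[1], token)))
    return entries


def any_port_inbound(entries: List[BootExemption]) -> List[BootExemption]:
    """Inbound TCP/UDP exemptions whose destination port is 0 (any port)."""
    return [e for e in entries if e.direction == "inbound" and e.dstport == 0]


if __name__ == "__main__":
    sample = "UDP:0:68:inbound ICMP:inbound TCP:0:0:inbound"  # constructed sample value
    parsed = parse_bootexemptions(sample)
    for entry in parsed:
        print(entry)
    print("review:", any_port_inbound(parsed))
```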

set mmpolicy
Modifies an IPsec Main Mode policy and writes the changes to the security policy database.

Syntax
set mmpolicy name = PolicyName [ qmperm = Integer ] [ mmlifetime = Integer ]
[ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]

Parameters
name = PolicyName

Required. Specifies the name of the IPsec Main Mode policy to modify.

[ qmperm = Integer ]

Specifies the number of times that master keying material is used to derive the session key. A value
of 0 means that an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.

[ mmlifetime = Integer ]

Specifies the number of minutes after which a new master key is generated.

[ softsaexpirationtime = Integer ]

Specifies the number of minutes after which an unprotected security association expires.

[ mmsecmethods = "KeyExchMethods" ]

Specifies one or more key exchange security methods, separated by spaces. Each method is
described by a string of the following format:
EncAlg-HashAlg-GroupNumb
Where:
EncAlg

Specifies the encryption algorithm. EncAlg can be DES or 3DES.


HashAlg

Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.


GroupNumb

Specifies the Diffie-Hellman group to be used for the base keying material. GroupNumb can be 1
(low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high,
protects with 2048 bits).

set qmpolicy
Modifies an IPsec Quick Mode policy and writes the changes to the SPD.

Syntax
set qmpolicy name = PolicyName [ soft = { yes | no } ]
[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]
[ qmsecmethods = "SecMethodsString" ]

Parameters
name = PolicyName

Required. Specifies the name of the IPsec Quick Mode policy to modify.

[ soft = { yes | no } ]

Specifies whether to fall back to unsecured communications with other computers that do not
support IPsec, or when IPsec negotiations with an IPsec-capable computer fail.

[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]

Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low,
with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of
keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is
used. If grpmm is specified, the group value is taken from the current Main Mode settings.

[ qmsecmethods = "SecMethodsString" ]

Changes the string that specifies one or more security methods. Each method is described by one of
the following formats, separated by spaces:

• ESP[EncAlg,AuthAlg]:numk/nums

• AH[HashAlg]:numk/nums

• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums

Where:
EncAlg

Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.


AuthAlg

Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.


HashAlg

Specifies the hash function. HashAlg can be MD5 or SHA1.


k

Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is
transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000
kilobytes.

s

Specifies the session key lifetime in seconds. The default value is 3600 seconds.
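
The two method-string formats above (mmsecmethods under set mmpolicy and qmsecmethods under set qmpolicy) can be checked before a policy is written to the SPD. The following Python code is an added example, not part of the netsh documentation: the function names and the choice of what to flag (DES, MD5, Diffie-Hellman group 1, missing encryption or integrity) are the example's own, and it assumes the :numk/nums lifetime suffix may be omitted, in which case the documented defaults apply.

```python
"""Audit netsh IPsec mmsecmethods / qmsecmethods strings (added example)."""
import re
from typing import Dict, List, Optional

# Defaults stated in the descriptions of k and s.
DEFAULT_KB, DEFAULT_SECONDS = 100000, 3600

MM_RE = re.compile(r"^(DES|3DES)-(MD5|SHA1)-([123])$", re.IGNORECASE)
QM_RE = re.compile(
    r"^(?:AH\[(?P<hash>MD5|SHA1)\])?(?P<plus>\+)?"
    r"(?:ESP\[(?P<enc>DES|3DES|NONE),(?P<auth>MD5|SHA1|NONE)\])?"
    r"(?::(?P<kb>\d+)k/(?P<sec>\d+)s)?$",
    re.IGNORECASE,
)


def audit_mmsecmethods(methods: str) -> List[str]:
    """Return findings for a space-separated list of EncAlg-HashAlg-GroupNumb strings."""
    findings = []
    for token in methods.split():
        m = MM_RE.match(token)
        if not m:
            findings.append(f"{token}: not in EncAlg-HashAlg-GroupNumb form")
            continue
        enc, hash_alg, group = m.group(1).upper(), m.group(2).upper(), m.group(3)
        if enc == "DES":
            findings.append(f"{token}: DES encryption")
        if hash_alg == "MD5":
            findings.append(f"{token}: MD5 hash")
        if group == "1":
            findings.append(f"{token}: Diffie-Hellman group 1 (768 bits)")
    return findings


def parse_qm_method(token: str) -> Optional[Dict[str, object]]:
    """Return the fields of one Quick Mode method, or None if it is malformed."""
    m = QM_RE.match(token)
    if not m:
        return None
    has_ah, has_esp = m["hash"] is not None, m["enc"] is not None
    # At least one protocol is needed, and "+" appears exactly when both are present.
    if not (has_ah or has_esp) or bool(m["plus"]) != (has_ah and has_esp):
        return None
    return {
        "ah_hash": m["hash"].upper() if has_ah else None,
        "esp_enc": m["enc"].upper() if has_esp else None,
        "esp_auth": m["auth"].upper() if has_esp else None,
        "kilobytes": int(m["kb"]) if m["kb"] else DEFAULT_KB,
        "seconds": int(m["sec"]) if m["sec"] else DEFAULT_SECONDS,
    }


def audit_qmsecmethods(methods: str) -> List[str]:
    """Return findings for a space-separated list of AH/ESP method strings."""
    findings = []
    for token in methods.split():
        fields = parse_qm_method(token)
        if fields is None:
            findings.append(f"{token}: not a valid AH/ESP method string")
            continue
        if fields["esp_enc"] == "DES":
            findings.append(f"{token}: DES encryption")
        if "MD5" in (fields["ah_hash"], fields["esp_auth"]):
            findings.append(f"{token}: MD5 integrity")
        if fields["esp_enc"] in (None, "NONE"):
            findings.append(f"{token}: no encryption, payload is sent in the clear")
        elif fields["esp_auth"] == "NONE" and fields["ah_hash"] is None:
            findings.append(f"{token}: encryption without an integrity algorithm")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real policy.
    for line in audit_mmsecmethods("3DES-SHA1-3 DES-MD5-1"):
        print("MM", line)
    for line in audit_qmsecmethods("ESP[3DES,SHA1]:100000k/3600s AH[MD5]:5000k/300s ESP[DES,none]"):
        print("QM", line)
```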

set rule
Modifies an IPsec rule that defines a set of filters and writes the changes to the SPD.

Syntax
set rule [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType }
[ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType }
[ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integer
[ dstport = ] Integer [ mirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all }
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ]
[ [ tunneldstaddress = ] { IPAddress | DNSName } ] [ [ mmpolicy = ] MainModePolicyName ]
[ [ qmpolicy = ] QuickModePolicyName ] [ [ actioninbound = ]{ permit | block | negotiate } ]
[ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ kerberos = ]{ yes | no } ]
[ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no }
excludecaname:{ yes | no }" ]

Parameters
[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic
being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType}

Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic
being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.

[ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer }

Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A
value of ANY matches filters with a protocol setting of any.

[ srcport = ] Integer

Required. Specifies the source port number of the packets being filtered. This option only applies if
you are filtering TCP or UDP packets.

[ dstport = ] Integer

Required. Specifies the destination port number of the packets being filtered. This option only
applies if you are filtering TCP or UDP packets.

[ mirrored = ] { yes | no }

Required. Specifies whether the rule was created with mirrored filters.

[ conntype = ] { lan | dialup | all }

Required. Specifies whether the rule applies only to remote access or dial-up connections or to local
area network (LAN) connections, or to all connections.

[ [ srcmask = ] {Mask|Prefix} ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify
a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] {Mask|Prefix} ]

Specifies the destination address subnet mask or the prefix value of the packets being filtered. You
can specify a prefix value in the range of 1 through 32. The default value is the mask of
255.255.255.255.

[ [ tunneldstaddress = ] { IPAddress | DNSName } ]

Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel
destination (the computer or gateway on the other side of the tunnel).

[ [ mmpolicy = ] MainModePolicyName ]

Specifies the name of the Main Mode policy.

[ [ qmpolicy = ] QuickModePolicyName ]

Specifies the name of the Quick Mode policy.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is
received without negotiating or applying IP security. If block is specified, traffic is blocked. If
negotiate is specified, IP security is used, with the list of security methods specified in the Main
Mode and Quick Mode policies.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic
is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If
negotiate is specified, IP security is used, with the list of security methods specified in the Main
Mode and Quick Mode policies.

[ [ kerberos = ]{ yes | no } ]

Specifies whether to use the Kerberos V5 protocol as an authentication method.

[ [ psk = ] PreSharedKey ]

Specifies the string of characters to use for the preshared key, if a preshared key is used as an
authentication method.

[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no } " ]

Specifies certificate authentication options. The argument is a string in quotes that contains the
following elements:
String

Specifies the distinguished name of the certificate, if a certificate is used as an authentication
method.

certmap:{ yes | no }

Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account
mapping to verify that the certificate is being used by a trusted computer.

excludecaname:{ yes | no }

Specifies whether to exclude from the certificate request the list of trusted root CA names from
which a certificate is accepted.

show all
Displays configuration information for all IPsec policies, filters, statistics, and security associations in
the security policy database.

Syntax
show all [ [ resolvedns = ]{ yes | no } ]

Parameters
[ [ resolvedns = ] { yes | no } ]

Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name
associated with an IP address when displaying sources or destinations.

show config
Displays values for the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong
certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup
security, and computer startup traffic exemptions.

Syntax
show config

show mmfilter
Displays configuration information for the specified IPsec Main Mode filter, or for all IPsec Main Mode
filters, in the SPD.

Syntax
show mmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ]
[ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ]
[ resolvedns = { yes | no } ]

Parameters
{ [ name = ] FilterName | all }

Required. Specifies the name of the IPsec Main Mode filter to display. If all is specified, all IPsec
Main Mode filters are displayed.

[ [ type = ] { generic| specific} ]

Specifies whether to display generic or specific Main Mode filters. The default value is generic.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name,
or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS
name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or
GATEWAY.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify
a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You
can specify a prefix value in the range of 1 through 32. The default value is the mask of
255.255.255.255.

[ resolvedns={ yes | no}]

Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name
associated with an IP address when displaying sources or destinations. The default value is no.

show mmpolicy
Displays configuration information for the specified IPsec Main Mode policy, or for all IPsec Main
Mode policies, in the SPD.

Syntax
show mmpolicy { [ name = ] PolicyName | all }

Parameters
{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec Main Mode policy to display. Or, if all is specified, all
IPsec Main Mode policies are displayed.

show mmsas
Displays the IPsec Main Mode security associations for the specified source and destination
addresses, or all IPsec Main Mode security associations, in the SPD.

Syntax
show mmsas [ all ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ format = ]{ list | table } ] [ [ resolvedns = ]{ yes | no} ]

Parameters
[ all ]

Specifies that all Main Mode security associations are displayed. This is the default option if no other
parameters are specified.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name,
or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS
name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or
GATEWAY.

[ [ format = ] { list | table } ]

Specifies whether to display IPsec configuration information in screen or tab-delimited format. The
default value is list, meaning that output is displayed in screen format.

[ [ resolvedns={ yes | no} ] ]

Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address
when displaying sources or destinations. The default value is no.

show qmfilter
Displays configuration information for the specified Quick Mode filter, or for all Quick Mode filters, in
the SPD.

Syntax
show qmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ]
[ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ]
[ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ]
[ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ]
[ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns={ yes | no} ] ]

Parameters
{ [ name = ] FilterName | all }

Required. Specifies the name of the IPsec Quick Mode filter to display. If all is specified then all
IPsec Quick Mode filters are displayed.

[ [ type = ] { generic | specific } ]

Specifies whether to display generic or specific Quick Mode filters. The default value is generic.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies that only filters matching the specified source IP address, DNS name, or server type are
displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies that only filters matching the destination IP address, DNS name, or server type are
displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify
a prefix value in the range of 1 through 32.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies the destination address subnet mask or the prefix value of the packets being filtered. You
can specify a prefix value in the range of 1 through 32.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies that only filters that match the IP protocol are displayed.

[ [ srcport = ] Integer ]

Specifies that only filters that match the source port number are displayed.

[ [ dstport = ] Integer ]

Specifies that only filters that match the destination port number are displayed.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies that only filters matching the action are displayed.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies that only filters matching the action are displayed.

show qmpolicy
Displays configuration information for the specified IPsec Quick Mode policy, or for all IPsec Quick
Mode policies, in the SPD.

Syntax
show qmpolicy { [ name = ] PolicyName | all }

Parameters
{ [ name = ] PolicyName | all }

Required. Specifies the name of the IPsec Quick Mode policy to display. If all is specified then all
IPsec Quick Mode policies are displayed.

show qmsas
Displays the IPsec Quick Mode security associations for the specified source and destination
addresses, or all IPsec Quick Mode security associations, in the SPD.

Syntax
show qmsas [ all ] [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]
[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ format = ] { list | table } ]
[ [ resolvedns={ yes | no} ] ]

Parameters
[ all]

Specifies that all IPsec Quick Mode security associations are displayed. This is the default option if
no other parameters are specified.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]

Specifies that only SAs that match the source IPv4 or IPv6 address, address range, DNS name, or
server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]

Specifies that only SAs that match the destination IPv4 or IPv6 address, address range, DNS name,
or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies that only SAs that match the IP protocol are displayed if, in addition to addressing
information, a specific IP protocol is being used for the security association.

[ [ format = ] { list | table } ]

Specifies whether to display the results in screen or tab-delimited format. The default value is list,
meaning that output is displayed in screen format.

[ [ resolvedns={ yes | no} ] ]

Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name
associated with an IP address when displaying sources or destinations. The default value is no.

show rule
Displays configuration information for one or more IPsec rules in the SPD.

Syntax
show rule [ [ type = ]{ transport | tunnel } ]
[ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ]
[ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ]
[ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ]
[ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns = ]{ yes | no} ]

Parameters
[ [ type = ] { transport | tunnel } ]

Specifies whether to display transport rules or tunnel rules. The default value is to display all rules.

[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies that only rules matching the source IP address, DNS name, or server type are displayed.
You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr |ServerType} ]

Specifies that only rules matching the destination IP address, DNS name, or server type are
displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.

[ [ srcmask = ] { Mask | Prefix } ]

Specifies that only rules matching the source address subnet mask or the prefix of the packets are
displayed. You can specify a prefix value in the range of 1 through 32.

[ [ dstmask = ] { Mask | Prefix } ]

Specifies that only rules matching the destination address subnet mask or the prefix of the packets are
displayed. You can specify a prefix value in the range of 1 through 32.

[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]

Specifies that only filters that match the IP protocol are displayed.

[ [ srcport = ] Integer ]

Specifies that only filters that match the source port number are displayed.

[ [ dstport = ] Integer ]

Specifies that only filters that match the destination port number are displayed.

[ [ actioninbound = ] { permit | block | negotiate } ]

Specifies that only filters matching the action are displayed.

[ [ actionoutbound = ] { permit | block | negotiate } ]

Specifies that only filters matching the action are displayed.

[ resolvedns={ yes | no}]

Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address
when displaying sources or destinations. The default value is no.

show stats
Displays Main Mode and Quick Mode statistics for IPsec.

Syntax
show stats [ [type = ]{ all | ike | ipsec } ]

Parameters
[ [type=] { all | ike | ipsec } ]

Specifies the IPsec statistics to display. If all is specified, IPsec Main Mode and Quick Mode statistics
are displayed. If ike is specified, only IPsec Main Mode statistics are displayed. If ipsec is specified,
only IPsec Quick Mode statistics are displayed.

Netsh Commands for Wired Local Area Network (LAN)
The Netsh commands for wired local area network (LAN) provide methods to configure connectivity
and security settings for computers running Windows Vista® and Windows Server® 2008. You can
use the Netsh LAN commands to configure the local computer or to configure multiple computers by
using a logon script. You can also use the netsh LAN commands to view wired 802.1X Group Policy
and to administer user wired 802.1X settings.

Netsh LAN commands

add profile
Adds a LAN profile to the specified interface on the computer.

Syntax
add profile filename= PathAndProfileName [[interface=]InterfaceName]

Parameters
Filename

Required. Specifies the path and name of the XML file containing the profile data.

Interface

Optional. Specifies the name of the interface on which the profile will be set (where InterfaceName
is the name of the interface as displayed in Network Connections or as rendered by the netsh
lan show interfaces command).

Example command

add profile filename=C:\Users\WiredUser\Documents\profile1.xml interface="Local Area Connection"

delete profile
Removes a LAN profile from one or multiple interfaces.

Syntax
delete profile interface= InterfaceName

Parameters
Interface

Required. Specifies the name of the interface on which the profile is to be deleted (where
InterfaceName is the name of the interface as displayed in Network Connections, or as rendered
by the netsh lan show interfaces command).

Example commands

delete profile interface="Local Area Connection"

delete profile interface=L*

export profile
Saves LAN profiles as XML files to a specified location.

Syntax
export profile folder= PathAndFileName [[interface=]InterfaceName]

Parameters
Folder

Required. Specifies the path and file name for the profile XML file.

Interface

Optional. Specifies the name of the interface on which the profile is configured (where
InterfaceName is the name of the interface as displayed in Network Connections, or as rendered
by the netsh lan show interfaces command).

Example commands

export profile folder=c:\Users\user\Documents\ interface="Local Area Connection"

export profile folder=c:\Users\user\Documents\

reconnect
Attempts to reauthenticate to a wired network by using the specified interface.

Syntax
reconnect [[interface=]InterfaceName]

Parameters
Interface

Optional. Specifies the interface that is used for the connection attempt (where InterfaceName is
the name of the interface as displayed in Network Connections, or as rendered by the netsh lan
show interfaces command).

Example command

reconnect interface="Local Area Connection"

set autoconfig
Enables or disables Wired AutoConfig Service on an interface.

Syntax
set autoconfig enabled={yes|no} interface=InterfaceName

Parameters
Enabled

Required. Specifies whether to set Wired AutoConfig Service to enabled or disabled.


Interface

Required. Specifies the name of the interface on which the service is enabled or disabled (where
InterfaceName is the name of the interface as displayed in Network Connections, or as rendered
by the netsh lan show interfaces command).

Example command

set autoconfig enabled=yes interface="Local Area Connection"

set profileparameter
Sets parameters in a wired network profile.

Syntax
set profileparameter name= ProfileName [[interface=]InterfaceName]
[[authMode=]{machineOrUser|machineOnly|userOnly|guest}]
[[ssoMode=]{preLogon|postLogon|none}] [[maxDelay=]1-120] [[allowDialog=]{yes|no}]
[[userVLAN=]{yes|no}]

Parameters
Name

Required. Specifies the name of the profile to set (where ProfileName is the name of the profile, as
rendered by the netsh lan show profile command).
Interface

Optional. Specifies the name of the interface on which the profile is set (where InterfaceName is the
name of the interface as displayed in Network Connections, or as rendered by the netsh lan
show interfaces command).
AuthMode

Optional [conditional, see "Remarks"]. Specifies the type of credentials to be used for
authentication.

SSOMode

Optional [conditional, see "Remarks"]. Specifies the type of single sign-on (SSO) to be attempted, if
any.

MaxDelay

Optional [conditional, see "Remarks"]. Specifies the timeout value allowed to establish the single
sign-on connection.

AllowDialog

Optional [conditional, see "Remarks"]. Specifies whether to allow or disallow a dialog to be shown for
preLogon.

UserVLAN

Optional [conditional, see "Remarks"]. Specifies whether the network switches to a different VLAN on user
authentication.

Example commands

set profileparameter name="Profile 1" authMode=userOnly ssoMode=preLogon

set profileparameter name=Profile2 interface="Local Area Connection" ssoMode=none

set tracing
Enables or disables wired tracing.

Syntax
set tracing [[mode=]{yes|no|persistent}]

Parameters

Mode

Required. Specifies whether wired tracing is disabled, enabled and persistent, or enabled and
nonpersistent. See "Remarks" for additional information.

Example command

set tracing mode=persistent

show interfaces
Displays a list of the current wired interfaces on the computer.

Syntax
show interfaces

Parameters
There are no parameters for this command.

Example command

show interfaces

show profiles
Displays a list of wired profiles that are configured on the computer.

Syntax
show profiles [[interface=]InterfaceName]

Parameters
Interface

Optional. Specifies the name of the interface which has this profile configured (where
InterfaceName is the name of the interface as displayed in Network Connections, or as rendered
by the netsh lan show interfaces command).

Example commands

show profiles interface="Local Area Connection"

show profiles

show settings
Displays the current global settings of the wired LAN.

Syntax
show settings

Parameters
There are no parameters for this command.

Example command

show settings

show tracing
Displays whether wired tracing is enabled or disabled.

Syntax
show tracing

Parameters
There are no parameters for this command.

Example command

show tracing

Netsh Commands for NAP Client

NAP client commands

The following entries provide details for each command.

add server
Adds the uniform resource locator (URL) of a Health Registration Authority (HRA) server to a trusted
server group.

Syntax
add server [ group = ] group [ url = ] url [ [ processingorder = ] processingorder ]

Parameters
group

Required. Specifies the name of the trusted server group to which you want to add an HRA server.
url

Required. Specifies the URL of an HRA server that you want to add to the trusted server group. If
the trusted server group requires server verification (https:), then the URL must contain the
https:// prefix.
processingorder

Optional. Designates the processing order of the HRA URL in the list of URLs in the trusted server
group. If you do not specify the processing order, the URL is added to the end of the list and is
processed last.

Example
add server group = "group1" url = "url1" processingorder = "1"

add trustedservergroup
Adds a trusted server group.

Syntax
add trustedservergroup [ name = ] name [ [ requirehttps = ] ENABLE | DISABLE ]

Parameters
name

Required. Specifies the name of the trusted server group that you want to add to the NAP client
configuration.
requirehttps

Optional. Specifies whether server verification (https:) is required for all servers in this group. If not
specified, https: is enabled by default.

Example
add trustedservergroup name = "group1" requirehttps = "ENABLE"

delete server
Deletes the URL of an HRA server from the specified trusted server group.

Syntax
delete server [ group = ] group [ url = ] url

Parameters

group

Required. Specifies the name of the trusted server group from which you want to remove an HRA
server.

url

Required. Specifies the URL of the HRA server that you want to remove from the trusted server
group.

Example
delete server group = "group1" url = "url1"

delete trustedservergroup
Deletes a trusted server group.

Syntax
delete trustedservergroup [ name = ] name

Parameters
name

Required. Specifies the name of the trusted server group that you want to remove from the NAP
client configuration.

Example
delete trustedservergroup name = "group1"

dump
Creates a script that contains the current NAP client configuration.

Syntax
dump

export
Exports an *.xml file that contains the current configuration settings for the NAP client.

Syntax
export [ filename = ] filename

Parameters
Filename

Required. Specifies the file name and folder location where you want to save the *.xml file.

Example
export filename = "c:\config.xml"

help
Displays a list of commands that are available at the netsh context where the command is run, and
those inherited from the parent context.

Syntax
help

import
Imports an .xml file that contains configuration settings for the Network Access Protection (NAP)
client.

Syntax
import [ filename = ] filename

Parameters
Filename

Required. Specifies the file name and folder location from which you want to import the *.xml file.

Example
import filename = "c:\config.xml"

rename server
Renames the HRA URL of an existing trusted server in the specified trusted server group.

Syntax
rename server [ group = ] group [ url = ] url [ newurl = ] newurl

Parameters
Group

Required. Specifies the name of the trusted server group that contains the HRA server URL that you
want to change.

url

Required. Specifies the existing HRA server URL.

Newurl

Required. Specifies the new HRA server URL. If no value is supplied for newurl, the HRA server URL
is not changed.

Example
rename server group = "group1" url = "url1" newurl = "url2"

rename trustedservergroup
Renames an existing trusted server group.

Syntax
rename trustedservergroup [ name = ] name [ newname = ] newname

Parameters
Name

Required. Specifies the name of the trusted server group that you want to rename.

Newname

Required. Specifies the new name of the trusted server group.

Example
rename trustedservergroup name = "group1" newname = "group2"

reset configuration
Restores the NAP client configuration to the default settings.

Syntax
reset configuration

reset csp
Sets the cryptographic service provider (CSP) Request Policy to Microsoft Enhanced
Cryptographic Provider v1.0.

Syntax
reset csp

reset enforcement
Sets the enforcement client parameter to DISABLED.

Syntax
reset enforcement

reset hash
Sets the hash algorithm Request Policy to sha1RSA (1.3.14.3.2.29).

Syntax
reset hash

reset server
Deletes all URLs in a specified trusted server group.

Syntax
reset server [ group = ] group

Parameters
Group

Required. Specifies the name of the trusted server group.

Example
reset server group = "group1"

reset tracing
Sets the tracing parameter to DISABLE.

Syntax
reset tracing

reset trustedservergroup
Deletes all trusted server groups and the list of all health registration authority servers (by URL)
contained in each trusted server group.

Syntax
reset trustedservergroup

reset userinterface
Deletes all user interface settings in the NAP client configuration.

Syntax
reset userinterface

set csp
Changes the cryptographic service provider (CSP) in the NAP client configuration. You can display
the names of the currently available CSPs with the show csps command.

Syntax
set csp [ name = ] name [ [ keylength = ] keylength ]

Parameters
name

Required. Specifies the name of the cryptographic service provider (CSP).

keylength

Optional. Specifies the length of the asymmetric key. The default key length is 2048.

Example
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

set enforcement
Enables or disables NAP enforcement clients in the NAP client configuration. When NAP enforcement
clients are enabled, NAP clients can connect to a network with the same type of enforcement server.
For example, if a NAP client has the DHCP enforcement client enabled, the NAP client can connect to
your network with a DHCP NAP enforcement server. You must specify one or more enforcement
clients. By default, all enforcement clients are disabled.

Syntax
set enforcement [ ID = ] ID [ ADMIN = ] ENABLE | DISABLE

Parameters
ID

Required. Specifies the identifier of an installed enforcement client to be enabled or disabled. You
can view a list of available enforcement clients and their associated IDs with the show
configuration command.

ADMIN

Required. Specifies the administrative state of the specified enforcement client. You must specify
ENABLE in order for a NAP client to connect to a network using the type of NAP enforcement
method specified by the ID parameter.

Example
set enforcement ID = 79619 ADMIN = "ENABLE"

set hash
Sets the hash algorithm that will be used on the target computer. You can obtain the object
identifier (OID) from the "show hashes" command.

Syntax
set hash [ oid = ] oid

Parameters
oid

Required. Specifies the OID of the hash algorithm. You can specify only one OID.

Example
set hash oid = "1.2.840.113549.1.1.5"

set server
Sets the URL and processing order of an HRA server within an existing trusted server group.

Syntax
set server [ group = ] group [ url = ] url [ processingorder = ] processingorder

Parameters
group

Required. Specifies the name of an existing trusted server group that contains the HRA server that
you want to add or modify.

url

Required. Specifies the HRA server URL. If the trusted server group requires server verification
(https:), then the URL must use the https:// prefix. If the URL is not found in the specified trusted
server group, it will be added.

processingorder

Required. Designates the processing order of the HRA URL in the list of URLs in the trusted server
group.

Example
set server group = "group1" url = "url1" processingorder = "1"

set tracing
Specifies whether tracing is enabled and the amount of information that is logged by NAP client.
Although both parameters are optional, you must specify at least one parameter.

Syntax
set tracing [ [ state = ] ENABLE | DISABLE [ level = ] BASIC | ADVANCED | VERBOSE ]

Parameters
state

Optional. Specifies whether tracing is enabled or disabled. If you specify ENABLE, NAP client
creates a trace log file. If you specify DISABLE, NAP client does not create a trace log file. The
default is DISABLE. If you enable tracing but do not specify a value for level, NAP client uses the
default level value of BASIC.

level

Optional. Specifies the amount of information that is logged by NAP client and that appears in the
tracing log file. If you specify BASIC, the least amount of information is logged in the trace log file.
If you specify ADVANCED, a greater amount of information is logged in the trace log file. If you
specify VERBOSE, all information is logged in the trace log file. The default is BASIC. If you do not
specify a value for state, NAP client uses the default state value of DISABLE.

Example
set tracing state = "ENABLE" level = "ADVANCED"

set userinterface
Specifies the NAP client user interface settings. Although all parameters are optional, you must
specify at least one parameter.

Syntax
set userinterface [ [ title = ] title [ text = ] text [ image = ] image ]

Parameters

title

Optional. Specifies the title that appears in the NAP client user interface.

text

Optional. Specifies the description that appears in the NAP client user interface.

Image

Optional. Specifies the image that appears in the NAP client user interface.

Example
set userinterface title = "My company" text = "Protecting your computer" image =
"c:\Logo.jpg"

show configuration
Displays configuration settings and state information for NAP client, including CSP, enforcement
client, tracing, and trusted server group configurations.

Syntax
show configuration

show csps
Displays all available cryptographic service providers (CSPs) on the target system. Use this
command to obtain the names that you can use in the add csp and delete csp commands.

Syntax
show csps

show grouppolicy
Displays Group Policy configuration settings and state information for NAP client.

Syntax
show grouppolicy

show hashes
Displays all available hash algorithms on the target system. Use this command to obtain the OIDs
that you can use in the add hash and delete hash commands.

Syntax
show hashes

Example
Following is an example of the information displayed when you run the show hashes command at
the netsh nap client prompt.

Hash              OID
sha1RSA           1.2.840.113549.1.1.5
md5RSA            1.2.840.113549.1.1.4
sha1DSA           1.2.840.10040.4.3
sha1RSA           1.3.14.3.2.29
shaRSA            1.3.14.3.2.15
md5RSA            1.3.14.3.2.3
md2RSA            1.2.840.113549.1.1.2
md4RSA            1.2.840.113549.1.1.3
md4RSA            1.3.14.3.2.2
md4RSA            1.3.14.3.2.4
md2RSA            1.3.14.7.2.3.1
sha1DSA           1.3.14.3.2.13
dsaSHA1           1.3.14.3.2.27
mosaicUpdatedSig  2.16.840.1.101.2.1.1.19
sha1NoSign        1.3.14.3.2.26
md5NoSign         1.2.840.113549.2.5
sha256NoSign      2.16.840.1.101.3.4.2.1
sha384NoSign      2.16.840.1.101.3.4.2.2
sha512NoSign      2.16.840.1.101.3.4.2.3
sha256RSA         1.2.840.113549.1.1.11
sha384RSA         1.2.840.113549.1.1.12
sha512RSA         1.2.840.113549.1.1.13
RSASSA-PSS        1.2.840.113549.1.1.10
sha1ECDSA         1.2.840.10045.4.1
sha256ECDSA       1.2.840.10045.4.3.2
sha384ECDSA       1.2.840.10045.4.3.3
sha512ECDSA       1.2.840.10045.4.3.4
specifiedECDSA    1.2.840.10045.4.3
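
The list above mixes MD2, MD4, MD5 and SHA-1 based algorithms with SHA-2 ones, and reset hash restores sha1RSA (1.3.14.3.2.29). The following added example (not part of the original reference) parses show hashes output, classifies each entry, and proposes a set hash command when the configured OID is weak. The function names, the weak/ok policy, the choice of an RSA replacement and the sample text are assumptions of this example.

```python
import re

# Constructed sample: a subset of the rows in the show hashes example above.
SAMPLE_OUTPUT = """\
Hash              OID
sha1RSA           1.2.840.113549.1.1.5
md5RSA            1.2.840.113549.1.1.4
sha1RSA           1.3.14.3.2.29
shaRSA            1.3.14.3.2.15
md4RSA            1.3.14.3.2.4
mosaicUpdatedSig  2.16.840.1.101.2.1.1.19
sha256NoSign      2.16.840.1.101.3.4.2.1
sha256RSA         1.2.840.113549.1.1.11
sha512RSA         1.2.840.113549.1.1.13
RSASSA-PSS        1.2.840.113549.1.1.10
sha256ECDSA       1.2.840.10045.4.3.2
specifiedECDSA    1.2.840.10045.4.3
"""

OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
# Digest named inside the algorithm name, e.g. "sha1" in sha1RSA or dsaSHA1.
DIGEST_RE = re.compile(r"md2|md4|md5|sha(?:1|256|384|512)?", re.IGNORECASE)
# Policy assumed by this example: MD2/MD4/MD5, SHA-1 and the unsuffixed legacy
# "sha" name are weak; SHA-256/384/512 are acceptable.
WEAK = {"md2", "md4", "md5", "sha", "sha1"}


def parse_hashes(text):
    """Return [(name, oid), ...]; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and OID_RE.match(parts[-1]):
            rows.append((" ".join(parts[:-1]), parts[-1]))
    return rows


def classify(name):
    """Return 'weak', 'ok', or 'review' when the name does not state a digest.

    RSASSA-PSS and specifiedECDSA fall under 'review' because the digest is
    carried in the algorithm parameters, not in the OID itself.
    """
    match = DIGEST_RE.search(name)
    if match is None:
        return "review"
    return "weak" if match.group(0).lower() in WEAK else "ok"


def weak_entries(text):
    """All weak algorithms the system offers, for an inventory report."""
    return [(n, o) for n, o in parse_hashes(text) if classify(n) == "weak"]


def audit(text, configured_oid):
    """Classify the configured OID; if weak, propose a set hash command.

    configured_oid is supplied by the caller (for example, read by hand from
    show configuration); this example does not parse that command's output.
    """
    table = {oid: name for name, oid in parse_hashes(text)}
    name = table.get(configured_oid)
    result = {"oid": configured_oid, "name": name,
              "status": "unknown-oid", "fix": None}
    if name is None:
        return result
    result["status"] = classify(name)
    if result["status"] == "weak":
        # Assumption: stay with an RSA signature algorithm, first SHA-2 listed.
        for oid, candidate in table.items():
            if classify(candidate) == "ok" and candidate.upper().endswith("RSA"):
                result["fix"] = f'netsh nap client set hash oid = "{oid}"'
                break
    return result


if __name__ == "__main__":
    for name, oid in weak_entries(SAMPLE_OUTPUT):
        print(f"weak algorithm available: {name} ({oid})")
    print(audit(SAMPLE_OUTPUT, "1.3.14.3.2.29"))
```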

show state
Displays state information, including client access restriction state, the state of installed
enforcement clients and system health agents, and the client compliance and remediation results.

Syntax
show state

show trustedservergroup
Displays all trusted server groups and the HRA server URLs in each group.

Syntax
show trustedservergroup

Example
Following is an example of the information displayed when you run the show trustedservergroup
command at the netsh nap client prompt.

Setting            Value
Group              Trusted server group 1
Require Https      Enabled
URL                https://www.example.com
Processing order   1
Group              Trusted server group 2
Require Https      Enabled
URL                https://www.contoso.com
Processing order   1
Group              Trusted server group 2
Require Https      Enabled
URL                https://www.example.com
Processing order   2
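
Because requirehttps controls whether server verification (https:) is required for every HRA server in a group, the show trustedservergroup listing is worth checking after any add server or set server change. The following added example (not part of the original reference) parses output in the Setting/Value layout shown above and reports groups without required HTTPS, non-https HRA URLs, and duplicate processing orders. The function names, the finding texts and "Trusted server group 3" in the sample are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the Setting/Value layout of the example above;
# "Trusted server group 3" is invented here to show the failing cases.
SAMPLE_OUTPUT = """\
Setting            Value
Group              Trusted server group 1
Require Https      Enabled
URL                https://www.example.com
Processing order   1
Group              Trusted server group 2
Require Https      Enabled
URL                https://www.contoso.com
Processing order   1
Group              Trusted server group 2
Require Https      Enabled
URL                https://www.example.com
Processing order   2
Group              Trusted server group 3
Require Https      Disabled
URL                http://www.example.com
Processing order   1
"""

LINE_RE = re.compile(
    r"^\s*(Group|Require Https|URL|Processing order)\s+(\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_groups(text):
    """Return {group name: {"require_https": bool|None, "servers": [...]}}.

    Each "Group" line starts a new server record; records that repeat a group
    name (as "Trusted server group 2" does above) are merged into one group.
    """
    groups = {}
    group = server = None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header row, blank line, or anything unrecognised
        key, value = match.group(1).lower(), match.group(2)
        if key == "group":
            group = groups.setdefault(
                value, {"require_https": None, "servers": []})
            server = {"url": None, "order": None}
            group["servers"].append(server)
        elif group is None:
            continue  # setting seen before any Group line
        elif key == "require https":
            group["require_https"] = value.lower() == "enabled"
        elif key == "url":
            server["url"] = value
        elif key == "processing order" and value.isdigit():
            server["order"] = int(value)
    return groups


def audit_groups(groups):
    """Return [(group name, finding), ...] in listing order."""
    findings = []
    for name, group in groups.items():
        if group["require_https"] is not True:
            findings.append(
                (name, "server verification (https:) is not required"))
        for server in group["servers"]:
            url = server["url"]
            if url and urlsplit(url).scheme.lower() != "https":
                findings.append((name, f"HRA URL is not https: {url}"))
        orders = [s["order"] for s in group["servers"]
                  if s["order"] is not None]
        if len(orders) != len(set(orders)):
            findings.append((name, "duplicate processing order"))
    return findings


if __name__ == "__main__":
    for group_name, finding in audit_groups(parse_groups(SAMPLE_OUTPUT)):
        print(f"{group_name}: {finding}")
```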

Netsh Commands for Network Input Output (NETIO)
You can use commands in the Netsh netio context to configure binding filters. The Netsh commands
for netio can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh netio context
or prepend the context to the command. For example, if you are at the command prompt but have
not typed netsh and then netio to enter the netsh netio context, you must type:

netsh netio command

Where command is the command that you want to run, including all of the required parameters for
the command.

add bindingfilter
Adds a binding filter.

Syntax

add bindingfilter [npi=]NPI [client=] client [provider=] provider [[type=]block|singleclient]
[[store=]active|persistent]

Parameters
npi

Required. Specifies the network programming interface GUID or name as a string value.

client

Required. Specifies the client name or GUID as a string value.


provider

Required. Specifies the client name or GUID as a string value.

type

Optional. Specifies either block or singleclient. Singleclient is the default. If you specify block,
the specified client cannot bind to the provider. If you specify singleclient, only the specified client
can bind to the provider.
store

Optional. Specifies that the binding filter is either active or persistent. Persistent is the default. If
you specify active, the filter is applied only until the computer is restarted; after it is restarted the
binding filter is not applied. If you specify persistent, the filter is permanently applied.

Examples

The following example disables IPv4 loopback by installing an NMR filter to prevent the binding.

netsh netio add bindingfilter framing ipv4 fl4l block persistent

The following example disables IPv6 loopback by installing an NMR filter to prevent the binding.

netsh netio add bindingfilter framing ipv6 fl6l block persistent

delete bindingfilter
Deletes a binding filter.

Syntax

delete bindingfilter [npi=]NPI [client=] client [provider=] provider
[[store=]active|persistent]

Parameters
npi

Required. Specifies the network programming interface GUID or name as a string value.

client

Required. Specifies the client name or GUID as a string value.

provider

Required. Specifies the client name or GUID as a string value.

store

Optional. Specifies that the deletion of the binding filter is either active or persistent. Persistent
is the default. If you specify active, the filter is deleted only until the computer is restarted; after it
is restarted the binding filter is applied again. If you specify persistent, the filter is permanently
deleted.

show bindingfilters
Displays all binding filters.

Syntax

show bindingfilters [[store=]active|persistent]

Netsh Commands for Peer-to-Peer Networking (P2P)
Peer-to-peer (P2P) technologies are used to facilitate real-time communication and collaboration
across distributed networks. In the peer-to-peer model, without using Internet servers, each
computer user can do the following:

Exchange data

Share resources

Locate other users

Communicate

Collaborate directly in real time

By using peer-to-peer technologies, applications that coordinate the use of computer CPU cycles
and storage can share resources among large or small groups of computers connected to the
Internet. P2P is configured and administered by using Netsh commands.

You can run these commands from the command prompt for the Netsh P2P context. For these
commands to work at the command prompt, you must type netsh p2p before typing commands
and parameters as they appear in the syntax below.

Netsh P2P
The following commands are available at the p2p> prompt, which is rooted within the netsh
environment.

collab
Changes to the netsh p2p collab context.

dump
Creates a script that contains the current configuration. If saved to a file, this script can be
used to restore altered configuration settings.

group
Changes to the netsh p2p group context.

idmgr
Changes to the netsh p2p idmgr context.

pnrp
Changes to the netsh p2p pnrp context.

Netsh P2P collab


The following commands are available at the p2p collab> prompt, which is rooted within the netsh
environment.

contact
Changes to the netsh p2p collab contact context.

Netsh P2P collab contact
The following commands are available at the p2p collab contact> prompt, which is rooted within
the netsh environment.

delete
Deletes a contact from the contact store.

Syntax
delete peer name

export
Exports the Me contact to a file. This file can later be copied to another machine and
imported there.

Syntax
export file name

import
Imports a contact from a file to the contact store.

Syntax
import file name

set
Sets the properties of a contact.

Syntax
set {Id=<Peer Name>]<FriendlyName=<friendly name>Watch=<true | false>
WatchPerm=<allow | block>}

show contacts
Displays all contacts.

Syntax
show contacts

show xml
Displays the contents of the contact XML file.

Syntax
show xml file name

Netsh P2P group

The following commands are available at the p2p group> prompt, which is rooted within the netsh
environment.

database
Changes to the netsh p2p group database context.

resolve
Resolves a participant in the group and lists its address.

Syntax
resolve {ANY | REMOTE} <group P2PID> [<cloud name>]

show acl
Lists access control list (ACL) information.

Syntax
show acl { identity <identity P2PID> | db <identity P2PID> <group P2PID>| <File path> }

show address
Resolves a participant in the current node and lists its address.

Syntax
show address <group P2PID> [ <cloud name> ]

Netsh P2P group database

The following commands are available at the p2p group database> prompt, which is rooted within
the netsh environment.

show statistics
Lists database statistics for the given <identity P2PID> <group P2PID>.

Syntax
show statistics <identity P2PID> <group P2PID>

Netsh P2P idmgr

The following commands are available at the p2p idmgr> prompt, which is rooted within the netsh
environment.

delete group
Deletes groups from identities.

Syntax
delete group <identity P2PID> { <group P2PID> | ALL | EXPIRED }

delete identity
Deletes identities.

Syntax
delete identity <identity P2PID> { <identity P2PID> | ALL | QUIET }

show groups
Displays identity and related group information.

Syntax
show groups { <identity P2PID> | ALL } [ EXPIRED ]

show identities
Displays identity information.

Syntax
show identities { ALL | <identity P2PID> }

show statistics
Displays a count of identities and associated groups.

Syntax
show statistics

Netsh P2P pnrp

The following commands are available at the p2p pnrp> prompt, which is rooted within the netsh
environment.

cloud
Changes to the netsh p2p pnrp cloud context.

diagnostics
Changes to the netsh p2p pnrp diagnostics context.

peer
Changes to the netsh p2p pnrp peer context.

Netsh P2P pnrp cloud

The following commands are available at the p2p pnrp> prompt, which is rooted within the netsh
environment.

flush
Deletes all cache entries.

Syntax
flush [cloud=]<cloud name>

Example
flush Global_

repair
Detects and repairs Peer Name Resolution Protocol (PNRP) cloud fragmentation.

Syntax
repair [cloud=]<cloud name>

Example
repair Global_

show initialization
Displays cloud bootstrap configuration and status.

Syntax
show initialization [[cloud=]{ * | <cloud name>}]

Examples
show initialization cloud=Global_

show initialization *

show list
Displays a list of clouds.

Syntax
show list [[cloud=] <cloud name>]

Examples
show list Global_

show list

show names
Displays all names registered on the local machine.

Syntax
show names [[cloud=]{ * | <cloud name>}]

Examples
show names cloud=Global_

show names

show pnrpmode
Displays PNRP mode configuration parameters.

Syntax
show pnrpmode [[cloud=]<cloud name>]

Example
show pnrpmode Global_

show seed
Displays PNRP seed server configuration parameters.

Syntax
show seed [cloud=]<cloud name>

Example
show seed Global_

show statistics
Displays cloud statistics.

Syntax
show statistics [[cloud=]{ * | <cloud name>}]

Examples
show statistics names cloud=Global_

show statistics names

start
Bootstraps a cloud.

Syntax
start [cloud=]<cloud name>

Example
start Global_

synchronize host
Queries a specified host for the addresses of other members of the cloud.

Syntax
synchronize host [host=]<host name> [cloud=]<cloud name>

Example
synchronize host host1 Global_

synchronize seed
Queries the seed server for the addresses of other members of the cloud.

Syntax
synchronize seed [cloud=]<cloud name>

Example
synchronize seed Global_

Netsh P2P pnrp diagnostics

The following commands are available at the p2p pnrp> prompt, which is rooted within the netsh
environment.

ping host
Tests PNRP connectivity to a node by specifying an address or a host name.

Syntax
ping host [host=]{<ip address> | <host name>} [cloud=]<cloud name>

Example
ping host myhost Global_

ping seed
Tests PNRP connectivity to the configured seed server.

Syntax
ping seed [cloud=]<cloud name>

Example
ping seed Global_

Netsh P2P pnrp peer

The following commands are available at the p2p pnrp> prompt, which is rooted within the netsh
environment.

add registration
Registers a peer name. (Note that the registration will only last as long as the Netsh instance.)

Syntax
add registration [peername=]<peer name> [cloud=]<cloud name>
[[comment=]<comment>]

Parameters
Peername

<canonical pnrp name>|<dns-encoded pnrp name>

Cloud

The cloud where the name should be registered. Default is all Clouds.

Comment

The comment that should be registered for the name.

Examples
add registration peername=0.0

add registration 0.0 Global_

delete registration
Unregisters a peer name.

Syntax
delete registration [peername=]{ * | <peer name>} [cloud=]<cloud name>

Parameters
Peername

<canonical pnrp name>|<dns-encoded pnrp name>

Cloud

The cloud from which the name should be unregistered. Default is all Clouds.

Examples
delete registration *

delete registration peername=0.0 cloud=Global_

enumerate
Searches for multiple registrations of a peer name in the specified cloud.

Syntax
enumerate [peername=]<peer name> [cloud=]<cloud name>
[[maxresults=]<number>]

Parameters
Peername

<canonical pnrp name>|<dns-encoded pnrp name>

Cloud

The cloud where the enumeration should happen.

Maxresults

Should be a number between one and 500. Default is 50.

Examples
enumerate 0.0 cloud=Global_ maxresults=2

enumerate peername=0.0 cloud=Global_

resolve
Resolves a peer name.

Syntax
resolve [peername=]<peer name> [[cloud=]<cloud name>]

Parameters
Peername

<canonical pnrp name>|<dns-encoded pnrp name>

Examples
resolve peername=0.0 cloud=Global_

resolve 0.anyname

set file
Copies the console output to a file.

Syntax
set file [ mode= ] { open [ name= ] <filename> | append [ name = ]<filename> | close }

Parameters
Mode

One of the following values:

Open: Creates a new file or overwrites an existing file and streams the console output to the file.

Append: Opens an existing file and streams the console output to the end of the existing file.

Close: Stops streaming and closes a file.

Name

Name of the file (full path optional)

Examples
set file open c:\logfiles\logfile.txt

The above command creates a file and logs all output to it.

set machinename
Configures the PNRP Machine Name Publication Service.

Syntax
set machinename [[name=]<PeerName>] [[publish=]Start|Stop]
[[autopublish=]enable|disable]

Parameters
Name

The name to use as the machine name. If value is null, a secured name is automatically generated.

Publish

If set to start, the name starts being published immediately. If set to stop, publication of
the name stops.

Autopublish

Sets whether or not automatic publication is enabled. When autopublish is enabled, the machine
automatically begins publishing the name at boot.

Examples
set machinename publish=start autopublish=enable

set mode
Sets the current mode to online or offline.

Syntax
set mode [ mode= ] { online | offline }

Parameters
Mode

One of the following values:

online: Commit changes immediately

offline: Delay commit until explicitly requested

Example
set mode online

show convertedname
Converts standard peer names to DNS-encoded peer names and vice versa.

Syntax
show convertedname [peername=]<peer name>

Example
show convertedname 0.anyname

show machinename
Displays the PNRP Machine Name Publication Service configuration.

Syntax
show machinename

Example
show machinename

show registration
Lists peer names registered by this instance of netsh.

Syntax
show registration [[cloud=]<cloud name>]

Example
show registration cloud=Global_

traceroute
Resolves a peer name with path tracing.

Syntax
traceroute [peername=]<peer name> [cloud=]<cloud name>

Examples
traceroute peername=0.0 Global_

traceroute 0.anyname Global_

Netsh Commands for Remote Access
You can use commands in the Netsh ras context to configure all aspects of remote access. The
Netsh commands for remote access provide the same functionality as the Routing and Remote
Access console, and the commands can be run manually at the netsh prompt or in scripts and batch
files.

To run these commands from the command prompt, you must either enter the netsh ras context
or prepend the context to the command. For example, if you are at the command prompt but have
not typed netsh and then ras to enter the netsh ras context, you must type:

netsh ras command

Netsh RAS Commands


The following commands are specific to the ras context within the Netsh environment.

show activeservers
Displays a list of remote access server (RAS) advertisements.

Syntax
show activeservers

show client
Lists remote access clients connected to this server.

Syntax
show client [[name=] Name]

Parameters
[[name=] Name]

Shows the status of a given client connected to the server. If this parameter is "*", show client
enumerates the status of all clients. If no name is specified, show client shows which, if any,
remote access clients are connected to the server.

set client
Resets the user statistics and disconnects a remote access client.

Syntax
set client [name=] Name [state=] {disconnect | resetstats}

Parameters
[name=] Name

Required. Specifies the user name of the client to disconnect or reset statistics.

[state=] {disconnect | resetstats}

Required. Specifies the action to perform. The parameter disconnect disconnects the specified
user. The parameter resetstats resets the statistics for the specified user.

dump
Displays the configuration of the remote access server in script form.

Syntax
dump

Example
The following command saves the current configuration as a script in the rascfg.dmp file.

dump > rascfg.dmp

show tracing
Shows whether tracing is enabled for the specified component. To see a list of all installed
components and whether tracing is enabled for each, use the show tracing command without
parameters.

Syntax
show tracing [component]

Parameters
component

Specifies the component for which to display information. If no component is specified, show
tracing shows the state of all installed components.

set tracing
Enables or disables tracing for the specified component.

Syntax
set tracing component {enabled | disabled}

Parameters
Component

Required. Specifies the component for which you want to enable or disable tracing. Use "*" to
specify all components.

{enabled | disabled}

Required. Specifies whether to enable or disable tracing for the specified component.

Example
To set tracing for the PPP component, type:

set tracing ppp enabled

show authmode
Shows whether dial-up clients using certain types of devices should be authenticated.

Syntax
show authmode

set authmode
Specifies whether dial-up clients using certain types of devices should be authenticated.

Syntax
set authmode {standard | nodcc | bypass}

Parameters
{standard | nodcc | bypass}

Required. Specifies whether dial-up clients using certain types of devices should be authenticated.
The parameter standard specifies that clients using any type of device should be authenticated.
The parameter nodcc specifies that clients using any type of device except a direct-connect device
should be authenticated. The parameter bypass specifies that no clients should be authenticated.

add authtype
Adds an authentication type to the list of types through which the remote access server should
attempt to negotiate authentication.

Syntax
add authtype {pap | md5chap | mschap | mschapv2 | eap}

Parameters
{pap | md5chap | mschap | mschapv2 | eap}

Required. Specifies which authentication type to add to the list of types through which the remote
access server should attempt to negotiate authentication. The pap parameter specifies that the
remote access server should use the Password Authentication Protocol (plaintext). The md5chap
parameter specifies that the remote access server should use the Challenge Handshake
Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The
mschap parameter specifies that the remote access server should use the Microsoft Challenge-
Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access
server should use version 2 of MSCHAP. The eap parameter specifies that the remote access server
should use Extensible Authentication Protocol.

delete authtype
Deletes an authentication type from the list of types through which the remote access server should
attempt to negotiate authentication.

Syntax
delete authtype {pap | md5chap | mschap | mschapv2 | eap}

Parameters
{pap | md5chap | mschap | mschapv2 | eap}

Required. Specifies which authentication type to delete from the list of types through which the
remote access server should attempt to negotiate authentication. The pap parameter specifies that
the remote access server should not use the Password Authentication Protocol (plaintext). The
md5chap parameter specifies that the remote access server should not use the Challenge
Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the
response). The mschap parameter specifies that the remote access server should not use the
Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that
the remote access server should not use version 2 of MSCHAP. The eap parameter specifies that
the remote access server should not use Extensible Authentication Protocol.

show authtype
Lists the authentication type (or types) that the remote access server uses to attempt to negotiate
authentication.

Syntax
show authtype

add link
Adds a link property to the list of link properties PPP will negotiate.

Syntax
add link {swc | lcp}

Parameters
{swc | lcp}

Required. Specifies which link property to add to the list of link properties PPP will negotiate. The
parameter swc specifies that software compression (MPPC) should be added. The parameter lcp
specifies that Link Control Protocol extensions from the PPP suite of protocols should be added.

delete link
Deletes a link property from the list of link properties PPP will negotiate.

Syntax
delete link {swc | lcp}

Parameters
{swc | lcp}

Required. Specifies which link property to delete from the list of link properties PPP will negotiate.
The parameter swc specifies that software compression (MPPC) should be deleted. The parameter
lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be deleted.

show link
Displays the link properties PPP will negotiate.

Syntax
show link

add multilink
Adds a multilink type to the list of multilink types PPP will negotiate.

Syntax
add multilink {multi | bacp}

Parameters
{multi | bacp}

Required. Specifies which multilink type to add to the list of multilink types PPP will negotiate. The
parameter multi specifies that multilink PPP sessions should be added. The parameter bacp
specifies that Bandwidth Allocation Control Protocol should be added.

delete multilink
Deletes a multilink type from the list of multilink types PPP will negotiate.

Syntax
delete multilink {multi | bacp}

Parameters
{multi | bacp}

Required. Specifies which multilink type to delete from the list of multilink types PPP will negotiate.
The parameter multi specifies that multilink PPP sessions should be deleted. The parameter bacp
specifies that Bandwidth Allocation Control Protocol should be deleted.

show multilink
Shows the multilink types PPP will negotiate.

Syntax
show multilink

add registeredserver
Registers the specified server as a remote access server in the specified Active Directory® domain.
Used without parameters, add registeredserver registers the computer from which you type the
command in its primary domain.

Syntax
add registeredserver

[[domain=] DomainName]

[[server=] ServerName]

Parameters
[[domain=] DomainName]

Specifies, by domain name, the domain in which to register the server. If you do not specify a
domain, the server is registered in its primary domain.

[[server=] ServerName]

Specifies, by Domain Name System (DNS) name or IP address, the server to register. If you do not
specify a server, the computer from which you type the command is registered.

delete registeredserver
Deletes the registration of the specified server as a remote access server from the specified Active
Directory domain. Used without parameters, delete registeredserver deletes the registration of
the computer from which you type the command from its primary domain.

Syntax
delete registeredserver

[[domain=] DomainName]

[[server=] ServerName]

Parameters
[[domain=] DomainName]

Specifies, by domain name, the domain from which to remove the registration. If you do not specify
a domain, the registration is removed from the primary domain of the computer from which you
type the command.

[[server=] ServerName]

Specifies, by IP address or DNS name, the server whose registration you want to remove. If you do
not specify a server, the registration is removed for the computer from which you type the
command.

show registeredserver
Displays status information about the specified server registered as a remote access server in the
specified Active Directory domain. Used without parameters, show registeredserver assumes the
computer from which the command is issued and that computer's primary domain.

Syntax
show registeredserver

[[domain=] DomainName]

[[server=] ServerName]

Parameters
[[domain=] DomainName]

Specifies, by domain name, the domain in which the server about which you want to display
information is registered. If you do not specify a domain, the primary domain of the computer from
which the command is issued is assumed.

[[server=] ServerName]

Specifies, by IP address or DNS name, the server about which you want to display information. If
you do not specify a server, the computer from which the command is issued is assumed.

show user
Displays the properties of a specified remote access user or users. Used without parameters, show
user displays the properties of all remote access users.

Syntax
show user

[[name=] UserName]

[[mode=] {permit | report}]

Parameters
[[name=] UserName]

Specifies, by logon name, the user whose properties you want to display. If you do not specify a
user, the properties of all users are displayed.

[[mode=] {permit | report}]

Specifies whether to show properties for all users or only those whose dial-up permission is set to
permit. The permit parameter specifies that properties should be displayed only for users whose
dial-up permission is permit. The report parameter specifies that properties should be displayed for
all users.

set user
Sets the properties of the specified remote access user.

Syntax
set user

[name=] UserName

[dialin=] {permit | deny | policy}

[cbpolicy=] {none | caller | admin [cbnumber=] CallbackNumber}

Parameters

[name=] UserName

Required. Specifies, by logon name, the user for which you want to set properties.

[dialin=] {permit | deny | policy}

Required. Specifies under what circumstances the user should be allowed to connect. The permit
parameter specifies that the user should always be allowed to connect. The deny parameter
specifies that the user should never be allowed to connect. The policy parameter specifies that
remote access policies should determine whether the user is allowed to connect.

[cbpolicy=] {none | caller | admin [cbnumber=] CallbackNumber}

Required. Specifies the callback policy for the user. The callback feature saves the user the cost of
the phone call used to connect to a remote access server. The none parameter specifies that the
user should not be called back. The caller parameter specifies that the user should be called back
at a number specified by the user at connection time. The admin parameter specifies that the user
should be called back at the number specified by the CallbackNumber parameter.

Example
To allow GuestUser to connect and be called back at (425) 555-0110, type:

set user guestuser permit admin 4255550110

show status
Shows the status of the server running Routing and Remote Access.

Syntax
show status

show conf
Shows the remote access configuration state of the server.

Syntax
show conf

set conf
Sets the remote access configuration state of the server.

Syntax
set conf

[confstate=] {enabled | disabled}

Parameters
[confstate=] {enabled | disabled}

Required. Specifies the remote access configuration state. The enabled parameter enables the
server configuration. The disabled parameter disables the server configuration and removes the
server from the list of remote access servers.

show portstatus
Shows the current status of RAS ports.

Syntax
show portstatus

[[name=] PortName]

[[state=] State]

Parameters

[[name=] PortName]

Specifies the port for which to display status.


[[state=] State]

Displays ports with the specified state.

nonoperational   Non-operational ports
disconnected     Disconnected ports
callingback      Ports calling back
listening        Ports listening
authenticating   Ports authenticating
connected        Authenticated and connected ports
initializing     Ports initializing

Examples
The following commands show the port status using the name and state parameters.

show portstatus name=VPN0-127

show portstatus state=connected

set portstatus
Resets the RAS ports statistics.

Syntax
set portstatus

[[name=] PortName]

Parameters
[[name=] PortName]

Specifies the name of the port. If none is specified, resets statistics of all active ports.

show type
Shows the router and RAS properties.

Syntax
show type

set type
Specifies the router and RAS roles of the server.

Syntax
set type

[ipv4rtrtype=] {lanonly | lananddd | none}

[ipv6rtrtype=] {lanonly | lananddd | none}

[rastype=] {ipv4 | ipv6 | both | none}

Parameters
[ipv4rtrtype=] {lanonly | lananddd | none}

Specifies whether the computer is configured as an IPv4 router. The lanonly parameter specifies that this
computer is a LAN-only router and does not require demand-dial or VPN connections. The
lananddd parameter specifies that this computer is a LAN and demand-dial router and supports
VPN connections. The none parameter specifies that this computer is not enabled as an IPv4 router.

[ipv6rtrtype=] {lanonly | lananddd | none}

Specifies whether the computer is configured as an IPv6 router. The lanonly parameter specifies that this
computer is a LAN-only router and does not require demand-dial or VPN connections. The
lananddd parameter specifies that this computer is a LAN and demand-dial router and supports
VPN connections. The none parameter specifies that this computer is not enabled as an IPv6 router.

[rastype=] {ipv4 | ipv6 | both | none}

Specifies whether the computer is configured as a remote access server. The ipv4 parameter specifies
that the computer is configured for IPv4. The ipv6 parameter specifies that the computer is configured
for IPv6. The both parameter specifies that the computer is configured for IPv4 and IPv6. The none
parameter specifies that the computer is not configured as a remote access server.

Netsh RAS AAAA Context Commands


The following commands are specific to the ras AAAA context within the Netsh environment.

dump
Displays the AAAA configuration of a remote access server in script form.

Syntax
dump

You can dump the contents of the current configuration to a file that can be used to restore altered
configuration settings.

Example
The following is the command to save the current configuration as a script in the rasaaaacfg.dmp
file.

dump > rasaaaacfg.dmp

add acctserver
Specifies the IP address or the Domain Name System (DNS) name of a RADIUS server to use for
accounting.

Syntax
add acctserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[messages=] {enabled | disabled}]

Parameters

[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port to which accounting requests should be sent.

[[timeout=] Seconds]

Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it
should be marked unavailable.

[[messages=] {enabled | disabled}]

Specifies whether to send accounting on/off messages. The enabled parameter specifies that
messages should be sent. The disabled parameter specifies that messages should not be sent.

delete acctserver
Deletes a RADIUS accounting server.

Syntax
delete acctserver

[name=] ServerID

Parameters
[name=] ServerID

Required. Specifies, by DNS name or IP address, which server to delete.

set acctserver
Provides the IP address or the DNS name of a RADIUS server to use for accounting.

Syntax
set acctserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[messages=] {enabled | disabled}]

Parameters
[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port on which to send the authentication requests.

[[timeout=] Seconds]

Specifies, in seconds, the amount of time that should elapse before the RADIUS server is marked
unavailable.

[[messages=] {enabled | disabled}]

Specifies whether accounting on/off messages should be sent.

show acctserver
Displays detailed information about an accounting server. Used without parameters, show
acctserver displays information about all configured accounting servers.

Syntax
show acctserver

[[name=] ServerID]

Parameters

[[name=] ServerID]

Specifies, by DNS name or IP address, the RADIUS server about which to display information.

add authserver
Provides the IP address or the DNS name of a RADIUS server to which authentication requests
should be passed.

Syntax
add authserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[signature=] {enabled | disabled}]

Parameters
[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.

[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port to which authentication requests should be sent.

[[timeout=] Seconds]

Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it
should be marked unavailable.

[[signature=] {enabled | disabled}]

Specifies whether to use digital signatures. The enabled parameter specifies that digital signatures
should be used. The disabled parameter specifies that digital signatures should not be used.

delete authserver
Deletes a RADIUS authentication server.

Syntax
delete authserver

[name=] ServerID

Parameters
[name=] ServerID

Required. Specifies, by DNS name or IP address, which server to delete.

set authserver
Provides the IP address or the DNS name of a RADIUS server to which authentication requests
should be passed.

Syntax
set authserver

[name=] ServerID

[[secret=] SharedSecret]

[[init-score=] ServerPriority]

[[port=] Port]

[[timeout=] Seconds]

[[signature=] {enabled | disabled}]

Parameters
[name=] ServerID

Required. Specifies, by IP address or DNS name, the RADIUS server.

[[secret=] SharedSecret]

Specifies the preshared key.


[[init-score=] ServerPriority]

Specifies the initial score (server priority).

[[port=] Port]

Specifies the port on which to send the authentication requests.

[[timeout=] Seconds]

Specifies the amount of time, in seconds, that should elapse before the RADIUS server is marked
unavailable.

[[signature=] {enabled | disabled}]

Specifies whether digital signatures should be used.

show authserver
Displays detailed information about an authentication server. Used without parameters, show
authserver displays information about all configured authentication servers.

Syntax
show authserver

[[name=] ServerID]

Parameters
[[name=] ServerID]

Specifies, by DNS name or IP address, the RADIUS server about which to display information.

set accounting
Specifies the accounting provider.

Syntax
set accounting {windows | radius | none}

Parameters
{windows | radius | none}

Required. Specifies whether accounting should be performed and by which server. The windows
parameter specifies that Windows security should perform accounting. The radius parameter
specifies that a RADIUS server should perform accounting. The none parameter specifies that no
accounting should be performed.

show accounting
Displays the accounting provider.

Syntax
show accounting

set authentication
Specifies the authentication provider.

Syntax
set authentication {windows | radius}

Parameters
{windows | radius}

Required. Specifies which technology should perform authentication. The windows parameter
specifies that Windows security should perform authentication. The radius parameter specifies that
a RADIUS server should perform authentication.

show authentication
Displays the authentication provider.

Syntax
show authentication

set ipsecpolicy
Sets the IPsec policy for the L2TP connection.

Syntax
set ipsecpolicy

[psk = ] {enabled | disabled}

[secret = ] SharedSecret

Parameters
[psk = ] {enabled | disabled}

Required. Specifies whether an L2TP connection can use a custom IPsec policy. The enabled
parameter specifies that the IPsec policy is set to a custom IPsec policy using a preshared key. The
disabled parameter specifies that the IPsec policy is set to certificate.

[secret = ] SharedSecret

Required when psk authentication is enabled. Specifies the preshared key to be used with the
custom IPsec policy.

Example
The following sets the IPsec policy for the L2TP connection.

set ipsecpolicy psk=enabled secret="P@ssword"

show ipsecpolicy
Shows the IPsec policy for the L2TP connection.

Syntax
show ipsecpolicy

Netsh RAS Diagnostic Context Commands


The following commands are specific to the ras diagnostics context within the Netsh environment.

dump
Displays the configuration of Remote Access Diagnostics in script form.

Syntax
dump

Example
The following is the command to save the current configuration as a script in the rasdiag.dmp file.

dump > rasdiag.dmp

show installation
Creates a Remote Access Diagnostic Report that includes only diagnostics results for Information
Files, Installation Check, Installed Networking Components, and Registry Check and delivers the
report to a location you specify.

Syntax
show installation

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters
[type=] {file | email}

Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail
address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the
report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be
an integer between 1 and 24. If you do not specify this parameter, all past information is included.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, only
minimal data is included.

Example
To save a diagnostic report to c:\mytemp\rasdiag.htm, type:

show installation type=file destination="c:\mytemp\rasdiag"

show loglevel
Shows the global logging level for Routing and Remote Access service.

Syntax
show loglevel

set loglevel
Sets the global logging level for Routing and Remote Access service.

Syntax
set loglevel

[state=] {error | warn | all | none}

Parameters
[state=] {error | warn | all | none}

Required. Specifies the level of global logging. The none parameter specifies that no events are
logged. The error parameter specifies that only errors are logged. The warn parameter specifies
that errors and warnings are logged. The all parameter specifies that all events are logged.

show logs
Creates a Remote Access Diagnostic Report that contains only diagnostics results for Tracing Logs,
Modem Logs, Connection Manager Logs, IP Security Log, Remote Access Event Logs, and Security
Event Logs and delivers the report to a location you specify.

Syntax
show logs

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters
[type=] {file | email}

Required. Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail
address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the
report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be
an integer between 1 and 24. If you do not specify this parameter, all past information will be
included in the report.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, minimal
data is included.

Example
To save a diagnostic report to c:\mytemp\rasdiag.htm, type:

show logs type=file destination="c:\mytemp\rasdiag"

show configuration
Creates a Remote Access Diagnostic Report that includes only diagnostics results for Installed
Devices, Process Information, Command-line Utilities, and Phone Book Files and delivers the report
to a location you specify.

Syntax
show configuration

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters
[type=] {file | email}

Required. Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail
address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the
report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be
an integer between 1 and 24. If you do not specify this parameter, all past information is included.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, minimal
data is included.

Example
To save a diagnostic report to c:\mytemp\rasdiag.htm, type:

show configuration type=file destination="c:\mytemp\rasdiag"

show all
Creates a Remote Access Diagnostic Report for all remote access logs and delivers the report to a
location you specify.

Syntax
show all

[type=] {file | email}

[destination=] {FileLocation | EmailAddress}

[[compression=] {enabled | disabled}]

[[hours=] NumberOfHours]

[[verbose=] {enabled | disabled}]

Parameters
[type=] {file | email}

Required. Specifies whether the report should be saved to a file or sent to an e-mail address.

[destination=] {FileLocation | EmailAddress}

Required. Specifies the full path and file name to which the report should be saved or the full e-mail
address to which the report should be sent.

[[compression=] {enabled | disabled}]

Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the
report is compressed if you send it to an e-mail address but not if you save it to a file.

[[hours=] NumberOfHours]

Specifies the number of past hours for which to show activity in the report. This parameter must be
an integer between 1 and 24. If you do not specify this parameter, all past information is included.

[[verbose=] {enabled | disabled}]

Specifies the amount of data to include in the report. If you do not specify this parameter, minimal
data is included.

Example
To save a diagnostic report to c:\mytemp\rasdiag.htm that includes all diagnostic information, type:

show all type=file destination="c:\mytemp\rasdiag"

show cmtracing
Shows whether information about Connection Manager connections is being logged.

Syntax
show cmtracing

set cmtracing
Enables or disables logging of information about all Connection Manager connections.

Syntax
set cmtracing {enabled | disabled}

Parameters
{enabled | disabled}

Required. Specifies whether you want information about Connection Manager connections to be
logged. The enabled parameter specifies that you want information to be logged. The disabled
parameter specifies that you do not want information to be logged.

show modemtracing
Shows whether modem tracing is enabled or disabled.

Syntax
show modemtracing

set modemtracing
Enables or disables modem tracing for all modems installed for the local computer.

Syntax
set modemtracing {enabled | disabled}

Parameters
{enabled | disabled}

Required. Specifies whether you want modem activity for each modem to be logged. The enabled
parameter specifies that you want activity to be logged. The disabled parameter specifies that you
do not want activity to be logged.

show rastracing
Shows whether tracing for the given component is enabled. If no component is specified, shows the
state of all components.

Syntax
show rastracing [component=] Component

Parameters
[component=] Component

Specifies the component for which you want to determine whether tracing is enabled or disabled. If
no component is specified, the state of all components is displayed.

set rastracing
Enables or disables tracing and logging of all activity for all remote access components or for a
specific remote access component.

Syntax
set rastracing

[component=] {Component | *}

[state=] {enabled | disabled}

Parameters
[component=] {Component | *}

Required. Specifies whether you want to enable or disable tracing and logging for a component that
you specify or for all components. The Component parameter specifies the component for which you
want to enable or disable tracing and logging. Use '*' to denote all components.

[state=] {enabled | disabled}

Required. Specifies whether you want activity to be traced and logged. The enabled parameter
specifies that you want activity to be traced and logged. The disabled parameter specifies that you
do not want activity to be traced and logged.

show securityeventlog
Shows whether security events are being logged.

Syntax
show securityeventlog

set securityeventlog
Enables or disables logging of all security events.

Syntax
set securityeventlog {enabled | disabled}

Parameters
{enabled | disabled}

Required. Specifies whether you want security events to be logged. The enabled parameter
specifies that you want security events to be logged. The disabled parameter specifies that you do
not want security events to be logged.

show tracefacilities
Shows whether all activity for all remote access components or for a remote access component that
you specify is being traced and logged.

Syntax
show tracefacilities

set tracefacilities
Enables or disables tracing and logging of all activity for all remote access components that are
configured on the local computer.

Syntax
set tracefacilities

[state=] {enabled | disabled | clear}

Parameters
[state=] {enabled | disabled | clear}

Required. Specifies whether you want to enable tracing for all remote access components, to disable
tracing, or to clear all logs generated by tracefacilities. The enabled parameter specifies that you
want to enable tracing. The disabled parameter specifies that you want to disable tracing. The
clear parameter specifies that you want to clear all logs.
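
The following is an added example, not part of the original reference: a Python check that reads a batch of netsh ras commands and flags the settings documented above that weaken authentication or logging (set authmode, add authtype, set accounting, add/set authserver, set ipsecpolicy, set securityeventlog, set loglevel). It assumes each line is written with the context prepended (netsh ras ..., netsh ras aaaa ..., netsh ras diagnostics ...); the sample script, the host name radius1.example.test and the rule names are constructed for illustration.

```python
import shlex

# pap is described on this page as plaintext; treating md5chap and mschap
# (MS-CHAP v1) as weak too is this example's policy choice.
WEAK_AUTHTYPES = {"pap", "md5chap", "mschap"}
CONTEXTS = {"aaaa", "diagnostics", "ip"}

# (context, noun, named parameter or None if positional, flagged values, message)
RULES = [
    ("", "authmode", None, {"bypass", "nodcc"},
     "some or all dial-up clients are not authenticated"),
    ("aaaa", "accounting", None, {"none"}, "no accounting is performed"),
    ("aaaa", "ipsecpolicy", "psk", {"enabled"},
     "L2TP uses a preshared key instead of a certificate"),
    ("aaaa", "authserver", "signature", {"disabled"},
     "digital signatures are not used"),
    ("diagnostics", "securityeventlog", None, {"disabled"},
     "security events are not logged"),
    ("diagnostics", "loglevel", "state", {"none"}, "no events are logged"),
]

# Constructed sample script, not output captured from a real server.
SAMPLE = '''\
rem constructed sample for the audit below
netsh ras set authmode bypass
netsh ras add authtype pap
netsh ras add authtype mschap
netsh ras delete authtype mschap
netsh ras add authtype mschapv2
netsh ras aaaa set accounting none
netsh ras aaaa add authserver name=radius1.example.test secret="S3cret" signature=disabled
netsh ras aaaa set ipsecpolicy psk=enabled secret="P@ssword"
netsh ras diagnostics set securityeventlog disabled
netsh ras diagnostics set loglevel state=error
'''


def _split_args(tokens):
    """Separate positional values from name=value pairs (names lowercased)."""
    positional, named = [], {}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        if sep:
            named[name.lower()] = value
        else:
            positional.append(tok.lower())
    return positional, named


def audit(script_text):
    """Return sorted (line, rule, message) findings for a netsh ras script."""
    findings, added = [], {}            # added: authtype -> line that added it
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue                    # blank line or batch-file comment
        try:
            tokens = shlex.split(line)  # also strips quotes around values
        except ValueError:              # unbalanced quote or stray backslash
            tokens = line.split()
        if tokens and tokens[0].lower() == "netsh":
            tokens = tokens[1:]
        if len(tokens) < 3 or tokens[0].lower() != "ras":
            continue
        ctx = tokens[1].lower() if tokens[1].lower() in CONTEXTS else ""
        rest = tokens[2:] if ctx else tokens[1:]
        if len(rest) < 2:
            continue
        verb, noun = rest[0].lower(), rest[1].lower()
        pos, named = _split_args(rest[2:])
        first = pos[0] if pos else ""

        # Track the net effect of add/delete authtype across the whole script.
        if ctx == "" and noun == "authtype" and first:
            if verb == "add":
                added[first] = lineno
            elif verb == "delete":
                added.pop(first, None)
        if verb in ("add", "set"):
            for r_ctx, r_noun, param, bad, message in RULES:
                value = (named.get(param, first) if param else first).lower()
                if (ctx, noun) == (r_ctx, r_noun) and value in bad:
                    findings.append((lineno, noun, f"{value}: {message}"))
            # Never echo the secret itself, only the fact that it is present.
            if ctx == "aaaa" and "secret" in named:
                findings.append((lineno, "secret",
                                 "shared secret stored in cleartext in the script"))
    for authtype, lineno in added.items():
        if authtype in WEAK_AUTHTYPES:
            findings.append((lineno, "authtype", f"{authtype} is left enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule, message in audit(SAMPLE):
        print(f"line {lineno}: [{rule}] {message}")
```

Because the check only sees what the script changes, pair it with show authtype, show authmode and show accounting on the server to confirm the resulting state.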

Netsh RAS IP Context Commands


The following commands are specific to the ras IP context within the Netsh environment.

dump
Displays the IP configuration of a remote access server in script form.

Syntax
dump

Example
Following is the command to save the current configuration as a script in the rasipcfg.dmp file.

dump > rasipcfg.dmp

show config
Displays the current IP configuration of the remote access server.

Syntax
show config

set negotiation
Specifies whether the remote access server should allow IP to be configured for any client
connections the server accepts.

Syntax
set negotiation

[mode=] {allow | deny}

Parameters
[mode=] {allow | deny}

Required. Specifies whether to permit IP over client connections. The allow parameter allows IP
over client connections. The deny parameter prevents IP over client connections.

set access
Specifies whether IP network traffic from any client should be forwarded to the network or networks
to which the remote access server is connected.

Syntax
set access

[mode=] {all | serveronly}

Parameters
[mode=] {all | serveronly}

Required. Specifies whether clients should be able to reach the remote access server and any
networks to which it is connected. The all parameter allows clients to reach networks through the
server. The serveronly parameter allows clients to reach only the server.

set addrassign
Sets the method by which the remote access server should assign IP addresses to its clients.

Syntax
set addrassign

[method=] {auto | pool}

Parameters
[method=] {auto | pool}

Required. Specifies whether IP addresses should be assigned by using DHCP or from a pool of
addresses held by the remote access server. The auto parameter specifies that addresses should be
assigned by using DHCP. If no DHCP server is available, a random, private address is assigned. The
pool parameter specifies that addresses should be assigned from a pool.

set addrreq
Specifies whether dial-in clients should be able to request their own IP addresses.

Syntax
set addrreq

[mode=] {allow | deny}

Parameters
[mode=] {allow | deny}

Required. Specifies whether clients should be able to request their own IP addresses. The allow
parameter allows clients to request addresses. The deny parameter prevents clients from
requesting addresses.

set broadcastnameresolution
Enables or disables broadcast name resolution using NetBIOS over TCP/IP.

Syntax
set broadcastnameresolution

[mode=] {enabled | disabled}

Parameters
[mode=] {enabled | disabled}

Required. Specifies whether to enable or disable broadcast name resolution using NetBIOS over
TCP/IP. The enabled parameter enables broadcast name resolution using NetBIOS over TCP/IP.
The disabled parameter disables broadcast name resolution using NetBIOS over TCP/IP.

show broadcastnameresolution
Displays whether broadcast name resolution using NetBIOS over TCP/IP has been enabled or
disabled for the remote access server.

Syntax
show broadcastnameresolution

add range
Adds a range of addresses to the pool of static IP addresses that the remote access server can
assign to clients.

Syntax
add range

[from=] StartingIPAddress

[to=] EndingIPAddress

Parameters
[from=] StartingIPAddress [to=] EndingIPAddress

Required. Specifies the range of IP addresses to add. The StartingIPAddress parameter specifies the
first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the
range.

Example
To add the range of IP addresses 10.2.2.10 to 10.2.2.20 to the static pool of IP addresses that the
remote access server can assign, type:

add range from=10.2.2.10 to=10.2.2.20

delete range
Deletes a range of addresses from the pool of static IP addresses that the remote access server can
assign to clients.

Syntax
delete range

[from=] StartingIPAddress

[to=] EndingIPAddress

Parameters
[from=] StartingIPAddress [to=] EndingIPAddress

Required. Specifies the range of IP addresses to delete. The StartingIPAddress parameter specifies
the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the
range.

Example
To delete the range of IP addresses 10.2.2.10 to 10.2.2.20 from the pool of static IP addresses that
the remote access server can assign, type:

delete range from=10.2.2.10 to=10.2.2.20

delete pool
Deletes all addresses from the pool of static IP addresses that the remote access server can assign
to clients.

Syntax
delete pool

set preferredadapter
Specifies the preferred adapter for Routing and Remote Access service.

Syntax
set preferredadapter

[name=] InterfaceName

Parameters
[name=] InterfaceName

Specifies the adapter to be used to obtain the IP addresses for allocation (if configured to use
DHCP) and the IP address of DHCP and WINS servers for assignment to remote access clients and
demand-dial routers. If no interface is specified, the server randomly selects an adapter when the
Routing and Remote Access service is started.

show preferredadapter
Displays the preferred adapter for Routing and Remote Access service.

Syntax
show preferredadapter

Netsh RAS IPv6 Context Commands


The following commands are specific to the ras IPv6 context within the Netsh environment.

dump
Displays the IPv6 configuration of a remote access server in script form.

Syntax
dump

You can dump the contents of the current configuration to a file that can be used to restore altered
configuration settings.

Example
The following is the command to save the current configuration as a script in the rasipv6cfg.dmp
file.

dump > rasipv6cfg.dmp

set negotiation
Specifies whether the remote access server should allow IPv6 to be configured for any client
connections the server accepts.

Syntax
set negotiation

[mode=] {allow | deny}

Parameters
[mode=] {allow | deny}

Required. Specifies whether to permit IPv6 over client connections. The allow parameter allows
IPv6 over client connections. The deny parameter prevents IPv6 over client connections.

set access
Specifies whether IPv6 network traffic from any client should be forwarded to the network or
networks to which the remote access server is connected.

Syntax
set access

[mode=] {all | serveronly}

Parameters
[mode=] {all | serveronly}

Required. Specifies whether clients should be able to reach the remote access server and any
networks to which it is connected. The all parameter allows clients to reach networks through the
server. The serveronly parameter allows clients to reach only the server.

set prefix
Sets the static IPv6 prefix that the remote access server uses to advertise to clients.

Syntax
set prefix

[prefix=] IPv6Prefix

Parameters
[prefix=] IPv6Prefix

Required. Specifies the IPv6 prefix in the form: 'x:x:x:x::'

Example
The following sets the IPv6 prefix to 3ffe:ffff:a:1.

set prefix prefix=3ffe:ffff:a:1::

show config
Displays the current IP configuration of the remote access server.

Syntax
show config

Netsh Commands for Remote Procedure Call (RPC)
netsh rpc is a command-line tool that you can use to create remote procedure call (RPC) Firewall
Filters and the rules and conditions that are associated with the filters.

You can run the Netsh RPC commands from the command prompt for the netsh rpc context. For
these commands to work at the Windows Server 2008 command prompt, you must type netsh rpc
before typing commands and parameters as they appear in the syntax.

You must have the required permissions to run the netsh rpc commands:

If you are a member of the Administrators group, and User Account Control is enabled on your
computer, run the commands from a command prompt with elevated permissions. To open a
command prompt with elevated permissions, find the icon or Start menu entry that you use to start
a command prompt session, right-click it, and then click Run as administrator.

If you are a member of the Network Operators group, you can run the commands from any
command prompt.

If you are not a member of Administrators or Network Operators and you have not been
delegated any other permissions to run this command, you can run only the commands that display
the settings, not the commands that change the settings.

filter
This command changes the command-line context to the netsh rpc filter subcontext. This
subcontext is for running commands that set rules and conditions for RPC Firewall filtering.

Parameters
add rule

Adds an RPC Firewall Filter rule.

add condition

Adds a condition to an existing RPC Firewall Filter rule.

add filter

Adds an RPC Firewall Filter.

show filter

Displays a list of active RPC Firewall Filters.

delete filter

Deletes all active RPC Firewall Filters and the rules and conditions that are associated with those
filters.

delete rule

Deletes the existing RPC Firewall Filter rules.

/?

Displays help at the command prompt.

add rule
Adds a rule to specify an action when a given condition is met. Rules and conditions are combined
to specify RPC Firewall Filters.

Use the following order when you add rules, conditions, and filters:

1. Add rule. The information in this "add rule" section provides details for step 1 (adding rules),
including syntax, parameters, and allowed values.

2. Add conditions.

3. Add the filter that is created by the combination of rules and conditions that you enter.

Syntax
filter add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>]
[[persistence=]volatile] [[audit=]enable]

Parameters
The following sections provide information about the Layer tag and the values of the parameters
that are associated with the Layer tag.

Layer tag
RPC Firewall layers represent abstract connection types. Each layer applies to a different aspect of
an RPC connection. RPC Firewall layers are not directly related to RPC architectural components, but
they are used to specify an aspect or type of RPC connection.

Layer

Required. Specifies an RPC communications protocol layer. Default: None. Allowed values: Um,
Epmap, Ep_add, Proxy_conn, Proxy_if.

Actiontype

Required. Describes the action to take for the specified layer: block the item, permit the item to
invoke a function that executes in another process, or continue processing the rule. Default: None.
Allowed values: Block, Permit, Continue.

Filterkey

Optional. A 128-bit, unique identifier to uniquely identify this filter. Default: a randomly
generated UUID. Allowed values: Universally Unique Identifier (UUID).

Persistence

Optional. Persists or does not persist if the system is restarted. Default: Persistent. Allowed
values: Persistent, Volatile.

Audit

Optional. Allows auditing of the process or does not audit the process. In Audit mode, rules are
not applied and traffic is not filtered. Instead, the RPC filtering engine logs events where a rule
would have been applied. Default: Disabled. Allowed values: Enabled, Disabled.

Allowed values for the Layer tag

um

User Mode layer. An RPC communications protocol layer that is used for high-level policies, such as
filtering on a user or application identity.

epmap

The Endpoint Mapper layer. An RPC communications protocol layer that is used to write
interface-specific rules.

ep_add

Endpoint Addition layer. A layer that allows dynamic or static endpoint ports to be added for each
interface. These layers are not used for filtering. Instead, they are containers that specify an
interface and an endpoint to add to the process hosting the interfaces.

proxy_conn

RPC Proxy Connect layer. An RPC communications protocol layer that is used to write
non-interface-specific rules for an RPC proxy role.

proxy_if

RPC Proxy Interface layer. An RPC communications protocol layer that is used to write
interface-specific rules for an RPC proxy role.

Allowed values for the Actiontype tag


Block

Does not allow the specified item access over RPC.

Permit

Allows the specified item access over RPC.

Continue

Does not allow the specified item access over RPC until all rules in the filter are run. Access is
based on the cumulative results of all the rules in the filter.

Allowed values for the Filterkey tag


UUID

Universally Unique Identifier. A unique, 128-bit identifier that identifies this filter.

Allowed values for the Persistence tag

Persistent

The value is stored on the disk and persists through a system restart. This is the default value.

Volatile

The value is not stored. If the system is restarted, the value is lost.

Allowed values for the Audit tag


Enabled

Specifies that the RPC filtering engine runs in Audit mode. In Audit mode, rules are not applied
and traffic is not filtered. Instead, the RPC filtering engine logs events when a rule would be
applied. Auditing is not allowed for the ep_add layer.

Disabled

Specifies that the RPC filtering engine does not run in Audit mode. Instead, the RPC filtering
engine actively filters traffic and applies the filtering rules. This is the default value.

Examples
The following example adds a rule to block RPC traffic that matches the given condition. This rule
applies to the user mode (um) layer. A specific filter key identifies the filter.

add rule layer=um actiontype=block

The following example is a rule to add an endpoint to an interface. The rule references a specific
filterkey. This is the only rule that is necessary for adding a dynamic endpoint to an interface.

add rule layer=epmap actiontype=permit filterkey=11111111-2222-3333-4444-555555555555

add condition
Adds a condition that must be met so that a filtering rule can be applied. Conditions are combined
with rules to specify RPC Firewall Filters.

Use the following order when you add rules, conditions, and filters:

1. Add rule.

2. Add conditions. The information in this "add condition" section provides details for step 2,
including syntax, parameters, and allowed values.

3. Add the filter that is created by the combination of rules and conditions that you enter.

Syntax
filter add condition [field=]<string> [matchtype=]<string> [data=]<string>

Parameters
See the following tables for the add condition parameters and their values. The filtering engine
checks that the condition you specify is met before the associated rule is run and the filtering is
applied. An administrator can use the parameters and their values to fine-tune the filter so that it
applies only to the specified RPC port, interface, or transport.

Field

Required. Identifies the RPC field where the condition applies. The allowed values of the field tag
vary, depending on the layer that is specified in the filtering rule. Default: None. Allowed
values: See the tables in the section "Allowed values for the Field tag by Layer."

MatchType

Required. Defines the type of comparison to perform on a given field. Default: None. Allowed
values: See the tables in the section "Allowed values for the MatchType tag."

Data

Required. The data that is used for making comparisons to the value in the field to determine
whether your condition is met or not met. The data is compared to the value using the comparison
that is defined in the MatchType tag. Default: None. Allowed values: The value that is allowed for
the Data tag varies for each field that is specified.

Allowed values for the Field tag by Layer


The allowed values for the Field tag depend on the RPC layer to which the rules apply. For each
layer, there is a set of allowed Field values. The layer is specified in the add rule command. The
following tables describe the allowed values for the Field tag by RPC layer.

Allowed values for the User Mode Layer


The following values for filtering are allowed for User Mode (UM) Layer conditions. There are no
required fields for UM Layer conditions.

if_uuid

The 128-bit interface UUID. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

if_version

The version of the interface as defined in the RPC Interface Definition Language (IDL) file.

if_flag

The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized
flag is RPC_FW_IF_FLAG_DCOM (value 0x0001). This flag indicates the condition applies to DCOM
activations or calls to DCOM interfaces.

For example, to create a condition to block a DCOM activation, use the following command:

netsh rpc filter add condition field=if_flag matchtype=equal data=0x0001

dcom_app_id

The UUID of the DCOM application where the condition is applied. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

image_name

The name of the executable image. It is specified with an s preceding the name if the name is given
in ASCII or with a w if the name is Unicode. For example, to apply this condition on Image.exe, use
the following command:

netsh rpc filter add condition field=image_name matchtype=equal data=simage.exe

protocol

The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP to indicate the TCP protocol

NCACN_NP to indicate the named pipes protocol

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

auth_type

The authentication service type. The value is specified as a decimal number.

auth_level

The authentication-level constant. This value represents authentication levels that are passed to
various run-time functions. The value is specified as a decimal number in increasing order,
starting with 0.

sec_encrypt_alg

The certificate-based, security service provider interface (SSPI) encryption algorithm.

sec_key_size

The certificate-based, SSPI encryption key size.

remote_user_token

A data structure that contains authentication and authorization information for a remote user.

local_addr_v4

The local IP version 4 (IPv4) address over which to apply the condition. The data is in hexadecimal
0x notation.

local_addr_v6

The local IP version 6 (IPv6) address over which to apply the condition. The data is in standard
colon notation.

remote_addr_v4

The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

remote_addr_v6

The remote IPv6 address over which to apply the condition. The data is in standard colon notation.

local_port

The local port where the condition is applied. The port is a decimal number.

pipe

The remote named pipe that provides communication between processes on different computers.

Allowed values for the Endpoint Mapper (EPMAP) Layer


The following values for filtering are allowed for EPMAP Layer conditions. Conditions for the EPMAP
layer are used to create interface-specific rules. If_uuid and if_version are both required values. The
if_uuid value must be the first value that is specified.

if_uuid

The 128-bit, interface UUID. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The if_uuid is a required value for the EPMAP Layer, and it must be the first value that is
specified.

if_version

The version of the interface as defined in the RPC IDL file. This is a decimal number. The
if_version field is a required value for the EPMAP Layer, and it must be the second value that is
specified.

protocol

The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP, to indicate the TCP protocol

NCACN_NP, to indicate the named pipes protocol

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

auth_type

The authentication service type. The value is specified as a decimal number.

auth_level

The authentication-level constant. This represents authentication levels that are passed to various
run-time functions. The value is specified as a decimal number in increasing order starting with 0.

sec_encrypt_alg

The certificate-based, SSPI encryption algorithm.

sec_key_size

The certificate-based, SSPI encryption key size.

remote_user_token

A data structure that contains authentication and authorization information for a remote user.

local_addr_v4

The local IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

local_addr_v6

The local IPv6 address over which to apply the condition. The data is in standard colon notation.

remote_addr_v4

The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

remote_addr_v6

The remote IPv6 address over which to apply the condition. The data is in standard colon notation.

local_port

The local port on which to apply the condition. The port is a decimal number.

pipe

The remote named pipe that provides communication between processes on different computers.

Allowed values for the Proxy Interface (PROXY_IF) layer


The following values for filtering are allowed for PROXY_IF Layer conditions. The proxy_if layer
applies to interface-specific conditions and rules on an RPC proxy. The if_uuid value is required, and
it must be the first value that is specified.

if_uuid

The 128-bit interface UUID. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The if_uuid value is required, and it must be the first value that is specified.

if_version

The version of the interface as defined in the RPC IDL file. This is a decimal number.

server_name

The name of the server that is the target for the condition. The name is specified as a string,
preceded by s for ASCII or w for Unicode.

server_port

The server port that is the target for the condition. The port is specified as a decimal value.

proxy_auth_type

The RPC proxy authentication service type.

client_token

A data structure that contains authentication and authorization information for the client when it
is using an RPC proxy.

client_cert_oid

The object identifier in the client certificate.

cert_key_length

The SSL key length in the client certificate.

Allowed values for the Endpoint Addition (EP_ADD) layer


The following values for filtering are allowed for EP_ADD Layer conditions. The EP_ADD layer allows
dynamic or static ports to be added to interfaces at run time, regardless of the application. The
process_with_if_uuid value is required for the EP_ADD layer, and it must be the first value that is
specified. The protocol value is required for the EP_ADD layer, and it must be the second value that
is specified.

process_with_if_uuid

The UUID of the interface on which to add the dynamic endpoint port. This value is required, and it
must be the first value that is specified.

protocol

The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP, to indicate the TCP protocol.

NCACN_NP, to indicate the named pipes protocol.

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

The protocol value is a required value for the EP_ADD layer, and it must be the second value that
is specified.

ep_value

The port on which to add the endpoint. The value is specified as a decimal value. If it is not
specified, a dynamic endpoint, rather than a static endpoint port, is added to the interface.

ep_flags

The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized
flag is RPC_FW_IF_FLAG_DCOM (value 0x0001). This flag indicates that the condition applies to DCOM
activations or calls to DCOM interfaces.

For example, to create a condition to block a DCOM activation, use the following command:

netsh rpc filter add condition field=if_flag matchtype=equal data=0x0001

Allowed values for the Proxy Connect (PROXY_CONN) layer


The following values for filtering are allowed for PROXY_CONN Layer conditions. The PROXY_CONN
layer is an RPC communications protocol layer that is used to write non-interface-specific rules for
an RPC proxy role.

server_name

The name of the target server that the condition applies to. This is specified as a string preceded
with s for ASCII or w for Unicode.

server_port

The target server port that the condition applies to. This is specified as a decimal value.

proxy_auth_type

The RPC proxy authentication service type.

client_token

The client user identity that is produced by the front-end authentication.

client_cert_key_name

The client certificate key name.

client_cert_oid

The object identifier in the client certificate.

Allowed values for the MATCHTYPE tag


The match type specifies the type of comparison to perform on a given value.

Equal

Tests whether the value is equal to the condition value.

Greater

Tests whether the value is greater than the condition value.

Less

Tests whether the value is less than the condition value.

Greater or equal

Tests whether the value is greater than or equal to the condition value.

Less or equal

Tests whether the value is less than or equal to the condition value.

Range

Tests whether the value is within a given range of condition values.

All set

Tests whether all flags are set.

Any set

Tests whether any flags are set.

None set

Tests whether no flags are set.

add filter
You can specify the rule and the conditions and run the add filter command, which takes those
rules and conditions and adds them as a filter to the firewall. You must already have added at least
one rule and one condition.

Use the following order when you add rules, conditions, and filters:

1. Add rule.

2. Add conditions.

3. Add the filter that is created by the combination of rules and conditions that you enter. This
"add filter" section provides the syntax.

Syntax
filter add filter

Parameters
This command has no parameters. The command combines the rule and conditions to create an RPC
Firewall Filter.

show filter
Lists the active RPC Firewall Filters.

Syntax
filter show filter

Parameters
This command has no parameters. This command lists the currently active RPC filters.

delete filter
Deletes all active RPC Firewall Filters.

Syntax
filter delete filter [filterkey=]<filter key>

Parameters
All

Deletes all filters. Removes all filters and all rules and conditions that are associated with the
filters.

<GUID>

Globally unique identifier (GUID). The 128-bit filter identifier. This value is specified in the
filterkey tag when you use the add filter command or it is automatically generated. If it is not
specified, you can find the filter key by running the show filter command. The identifier is
specified in the following notation:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Example
The following example deletes all RPC Firewall Filters:

delete filter filterkey=all

The following example deletes the filter identified by filter key
11111111-2222-3333-4444-555555555555:

delete filter filterkey=11111111-2222-3333-4444-555555555555

delete rule
Deletes the current RPC Firewall Filter rule.

Syntax
filter delete rule

Parameters
This command has no parameters. This command deletes the current RPC Firewall Filter rule. The
command deletes the firewall filter rule and associated conditions.

Examples of RPC Firewall Filter commands


The following examples demonstrate the use of RPC Firewall Filters in real-world situations.

To block all RPC connections over TCP:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP
netsh rpc filter add filter

To block RPC connections on port 12345:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=local_port matchtype=equal data=12345
netsh rpc filter add filter

To block RPC connections from server 192.168.1.1:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remote_addr_v4 matchtype=equal data=0xC0A80101
netsh rpc filter add filter

To add a dynamic endpoint for version 1 of the interface with UUID
11111111-1111-1111-1111-111111111111:

netsh rpc filter add rule layer=ep_add actiontype=permit
netsh rpc filter add condition field=process_with_if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=protocol matchtype=equal data=ncacn_ip_tcp
netsh rpc filter add filter

To block RPC connections for version 1 of the interface with UUID
11111111-1111-1111-1111-111111111111:

netsh rpc filter add rule layer=epmap actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=if_version matchtype=equal data=1
netsh rpc filter add filter

For an RPC proxy, it is possible to block RPC connections through the RPC proxy where the target
server is named TargetServer:

netsh rpc filter add rule layer=proxy_conn actiontype=block
netsh rpc filter add condition field=server_name matchtype=equal data=sTargetServer
netsh rpc filter add filter
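
The ordering of add rule, add condition and add filter, the per-layer field tables, the required leading fields and the 0x notation for IPv4 data described in this section can all be checked before a script is applied to a server. The following Python linter is an added example, not part of the original reference or of netsh; the names lint, ipv4_to_hex and hex_to_ipv4 and the sample script are constructed for illustration, and matchtype values are not validated.

```python
import ipaddress
import re

# Field names per layer, transcribed from the tables in this reference.
_COMMON = ("protocol auth_type auth_level sec_encrypt_alg sec_key_size remote_user_token "
           "local_addr_v4 local_addr_v6 remote_addr_v4 remote_addr_v6 local_port pipe").split()
FIELDS = {
    "um": ["if_uuid", "if_version", "if_flag", "dcom_app_id", "image_name"] + _COMMON,
    "epmap": ["if_uuid", "if_version"] + _COMMON,
    "ep_add": ["process_with_if_uuid", "protocol", "ep_value", "ep_flags"],
    "proxy_if": ["if_uuid", "if_version", "server_name", "server_port", "proxy_auth_type",
                 "client_token", "client_cert_oid", "cert_key_length"],
    "proxy_conn": ["server_name", "server_port", "proxy_auth_type", "client_token",
                   "client_cert_key_name", "client_cert_oid"],
}
# Conditions that must be given first, in this order, for each layer.
REQUIRED_FIRST = {"um": [], "epmap": ["if_uuid", "if_version"], "proxy_if": ["if_uuid"],
                  "ep_add": ["process_with_if_uuid", "protocol"], "proxy_conn": []}
ACTIONS = {"block", "permit", "continue"}
KEY_VALUE = re.compile(r"(\w+)\s*=\s*(\S+)")  # tolerates "field= value" spacing

def ipv4_to_hex(addr):
    """Dotted-quad IPv4 -> the 0x notation used by local_addr_v4 / remote_addr_v4."""
    return "0x%08X" % int(ipaddress.IPv4Address(addr))

def hex_to_ipv4(data):
    """0x notation -> dotted quad; raises ValueError for anything else."""
    if not data.lower().startswith("0x"):
        raise ValueError(f"IPv4 data {data!r} is not in 0x notation")
    return str(ipaddress.IPv4Address(int(data, 16)))

def lint(script):
    """Check a netsh rpc filter script given as text; return (filters, errors)."""
    filters, errors, pending = [], [], None
    for n, line in enumerate(script.splitlines(), 1):
        words = line.lower().split()
        if "add" not in words[:-1]:
            continue  # only add rule / add condition / add filter are checked
        what = words[words.index("add") + 1]
        args = {k.lower(): v for k, v in KEY_VALUE.findall(line)}
        if what == "rule":
            if pending:
                errors.append(f"line {pending['line']}: rule never committed with add filter")
            layer, action = args.get("layer", "").lower(), args.get("actiontype", "").lower()
            if layer not in FIELDS:
                errors.append(f"line {n}: unknown layer {layer!r}")
            if action not in ACTIONS:
                errors.append(f"line {n}: unknown actiontype {action!r}")
            if layer == "ep_add" and args.get("audit", "").lower().startswith("enable"):
                errors.append(f"line {n}: auditing is not allowed for the ep_add layer")
            pending = {"line": n, "layer": layer, "action": action, "conditions": []}
        elif what == "condition":
            if not pending:
                errors.append(f"line {n}: condition without a preceding add rule")
                continue
            field, data = args.get("field", "").lower(), args.get("data", "")
            if field not in FIELDS.get(pending["layer"], []):
                errors.append(f"line {n}: field {field!r} not valid for layer {pending['layer']!r}")
            elif field.endswith("_addr_v4"):
                try:
                    data = hex_to_ipv4(data)  # keep the decoded address for review
                except ValueError as exc:
                    errors.append(f"line {n}: {exc}")
            pending["conditions"].append((field, data))
        elif what == "filter":
            if not pending or not pending["conditions"]:
                errors.append(f"line {n}: add filter needs one rule and at least one condition")
            else:
                need = REQUIRED_FIRST.get(pending["layer"], [])
                got = [f for f, _ in pending["conditions"]][:len(need)]
                if got != need:
                    errors.append(f"line {n}: layer {pending['layer']!r} needs {need} first")
                filters.append(pending)
            pending = None
    if pending:
        errors.append(f"line {pending['line']}: rule never committed with add filter")
    return filters, errors

# Constructed sample: one valid filter, then four deliberate mistakes.
SAMPLE = """\
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remote_addr_v4 matchtype=equal data=0xC0A80101
netsh rpc filter add filter
netsh rpc filter add rule layer=epmap actiontype=block
netsh rpc filter add condition field=if_version matchtype=equal data=1
netsh rpc filter add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add filter
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remot_addr_v4 matchtype=equal data=0xC0A80101
netsh rpc filter add filter
netsh rpc filter add rule layer=ep_add actiontype=permit audit=enable
"""

if __name__ == "__main__":
    print(*lint(SAMPLE)[1], sep="\n")
```

Running the linter in Audit-mode rollouts as well as enforcing ones catches a misspelled field or a rule that was never committed before the server silently ends up with less filtering than intended.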

Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)
You can use commands in the netsh winhttp context to configure proxy and tracing settings for
Windows HTTP. The Netsh commands for winhttp can be run manually at the netsh prompt or in
scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh winhttp
context or prepend the context to the command. For example, if you are at the command prompt
but have not typed netsh and then winhttp to enter the netsh winhttp context, you must type:

netsh winhttp command

Netsh winhttp commands


The following entries provide details for each command.

flush logbuffer
Flushes the internal buffers for the log files.

Syntax
flush logbuffer

import proxy
Imports the proxy settings in the Internet Explorer Web browser's Internet Options. Importing
settings from IE is the only available option.

Syntax
import proxy source=ie

reset proxy
Resets the WinHTTP proxy setting to DIRECT.

Syntax
reset proxy

reset tracing
Resets the WinHTTP trace parameters to the default settings.

Syntax
reset tracing

Tracing State Disable

Trace-file-prefix None

Output File

Level Default

Format Ansi

Max-trace-file-size 65535

set proxy
Configures the WinHTTP proxy setting.

Syntax
set proxy [proxy-server=] ProxyServerName [bypass-list=] <HostsList>

Parameters
Proxy-Server

Required. Specifies the proxy server to use for http, secure http (https), or both http and https
protocols.

Bypass-list

Optional. Specifies a list of Web sites that should be visited without utilizing the proxy server. Use
"<local>" to bypass all short name hosts.

Examples
Following are three examples of how to use the set proxy command.

set proxy myproxy
set proxy myproxy:80 "<local>;bar"
set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.contoso.com"

set tracing
Configures the WinHTTP tracing parameters.

Syntax
set tracing [output=] file | debugger | both [trace-file-prefix=] FilePrefix [level=] default |
verbose [format=] ansi | hex [max-trace-file-size=] FileSize [state=] enabled | disabled

Parameters

Output

Optional. Specifies whether tracing data is exported to a file, a debugger, or both.

Trace-file-prefix

Optional. Specifies a string value that is a prefix for the log file. The file prefix can include a folder
location/path. Type "*" to delete an existing prefix.

Level

Optional. Specifies the amount of information to log.

Format

Optional. Specifies the display format of network traffic (hexadecimal or ansi).

Max-trace-file-size

Optional. Specifies a numeric value that is the maximum size of the trace file in bytes.

State

Required. Specifies whether tracing is enabled or disabled.

Examples

Following are two examples of how to use the set tracing command.

set tracing trace-file-prefix="C:\Temp\Test3" level=verbose format=hex


set tracing output=debugger max-trace-file-size=512000 state=enabled

show proxy
Displays the current WinHTTP proxy setting.

Syntax
show proxy

show tracing
Displays the current WinHTTP tracing parameters.

Syntax
show tracing

Netsh Commands for Windows Sockets (WINSOCK)
You can use commands in the netsh winsock context to configure Windows Sockets. The Netsh
commands for winsock can be run manually at the netsh prompt or in scripts and batch files.

To run these commands from the command prompt, you must either enter the netsh winsock
context or prepend the context to the command. For example, if you are at the command prompt
but have not typed netsh and then winsock to enter the netsh winsock context, you must type:

netsh winsock command

Netsh winsock command reference

The following entries provide details for each command.

audit trail
Shows the audit trail of Layered Service Providers (LSPs) that have been installed and uninstalled.

Syntax

audit trail

remove provider
Removes a Winsock Layered Service Provider (LSP) from the system.

Syntax

remove provider catalog_id

Parameters
catalog_id

Required. Specifies the catalog identifier of the Layered Service Provider (LSP) that you want to
remove from the system.

reset
Restores the Winsock Catalog to a clean state and uninstalls all Winsock Layered Service Providers.

Syntax

reset

show catalog
Displays the contents of the Winsock Catalog.

Syntax

show catalog

Winsock Catalog Provider Entry

Entry Type:             Base Service Provider
Description:            MSAFD Tcpip [UDP/IP]
Provider ID:            {E7041AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:          %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:       1002
Version:                2
Address Family:         2
Max Address Length:     16
Min Address Length:     16
Socket Type:            2
Protocol:               17
Protocol Chain Length:  1

Winsock Catalog Provider Entry

Entry Type:             Base Service Provider
Description:            MSAFD Tcpip [RAW/IP]
Provider ID:            {E7041AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:          %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:       1003
Version:                2
Address Family:         2
Max Address Length:     16
Min Address Length:     16
Socket Type:            3
Protocol:               0
Protocol Chain Length:  1

Winsock Catalog Provider Entry

Entry Type:             Base Service Provider
Description:            MSAFD Tcpip [TCP/IPv6]
Provider ID:            {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path:          %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:       1004
Version:                2
Address Family:         23
Max Address Length:     28
Min Address Length:     28
Socket Type:            1
Protocol:               6
Protocol Chain Length:  1
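
Because every Winsock call passes through the providers in this catalog, reviewing it for unexpected Layered Service Providers is a routine host check. The following Python sketch is an added example, not part of the original document: it parses text in the show catalog layout above and lists entries that are not base service providers or whose DLL is outside %SystemRoot%\system32. The sample input is constructed, and the trusted-path rule and function names are assumptions of this example.

```python
import re

# Constructed sample in the "show catalog" layout shown above. The second
# entry (a layered provider loaded from outside system32) is invented.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Entry Type:            Base Service Provider
Description:           MSAFD Tcpip [UDP/IP]
Provider ID:           {E7041AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:         %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:      1002

Winsock Catalog Provider Entry
Entry Type:            Layered Chain Entry
Description:           Example LSP over [TCP/IP]
Provider ID:           {00000000-0000-0000-0000-000000000001}
Provider Path:         C:\ProgramData\Example\lsp.dll
Catalog Entry ID:      1015
"""

HEADER = "Winsock Catalog Provider Entry"
FIELD = re.compile(r"^([^:]+):\s*(.*)$")
# Assumption: provider DLLs are expected under %SystemRoot%\system32 only.
TRUSTED_PREFIX = r"%systemroot%\system32" + "\\"


def parse_catalog(text):
    """Split catalog output into one dict of field -> value per entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            current = {}
            entries.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:  # split on the first colon only, so "C:\..." values survive
                current[m.group(1).strip()] = m.group(2).strip()
    return entries


def audit(entries):
    """Return (catalog_id, description, reasons) for entries worth reviewing."""
    findings = []
    for e in entries:
        reasons = []
        if e.get("Entry Type") != "Base Service Provider":
            reasons.append("layered entry, not a base service provider")
        path = e.get("Provider Path", "").lower()
        if not path.startswith(TRUSTED_PREFIX) or ".." in path:
            reasons.append("provider DLL outside %SystemRoot%\\system32")
        if reasons:
            findings.append((e.get("Catalog Entry ID"), e.get("Description"), reasons))
    return findings


if __name__ == "__main__":
    for cat_id, desc, reasons in audit(parse_catalog(SAMPLE_CATALOG)):
        print(f"catalog_id {cat_id} ({desc}): " + "; ".join(reasons))
```

The catalog identifier reported for a flagged entry is the catalog_id that the remove provider command takes; confirm what the provider belongs to before removing it.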

Netsh Commands for Wireless Local Area Network (WLAN)
The Netsh commands for wireless local area network (WLAN) provide methods to configure 802.11
wireless connectivity and security settings for computers running Windows Vista® and
Windows Server® 2008. You can use the Netsh WLAN commands to configure the local computer or
to configure multiple computers by using a logon script. You can also use the netsh WLAN
commands to view applied wireless Group Policy settings.

Wireless Network (IEEE 802.11) Policies profiles are read-only, and cannot be modified or deleted
by using Netsh WLAN commands.

Running Netsh WLAN commands on computers running Windows Server 2008
To run Netsh WLAN commands on computers running Windows Server 2008, you must first install
the Wireless LAN Service.

Note:

On computers running Windows Server 2008, installing the Wireless LAN Service in Server Manager /
Features adds and starts the WLAN AutoConfig service. WLAN AutoConfig is located in the Server
Manager/Diagnostics/Services Microsoft Management Console (MMC). To remove the WLAN AutoConfig
service from a computer running Windows Server 2008, you must remove (uninstall) the Wireless LAN
Service from Server Manager / Features.

To install Wireless LAN Service on computers running Windows Server 2008

1. Do one of the following:

   - In Initial Configuration Tasks, in Customize This Server, click Add Features. The Add
     Features Wizard opens.

   - Click Start, and then click Server Manager. In the left pane of Server Manager, click
     Features, and in the details pane, in Features Summary, click Add Features. The Add
     Features Wizard opens.

2. In Select Features, in Features, scroll down the list, select Wireless LAN Service, and then
   click Next.

3. In Confirm installation selections, click Install.

4. In Installation Results, review your installation results, and then click Close.

Netsh WLAN commands

add filter
Adds a wireless network, by Service Set Identifier (SSID), to the wireless allowed or blocked list.

Syntax
add filter permission={allow|block|denyall} ssid=WirelessNetworkName
networktype={infrastructure|adhoc}

Parameters
Permission

Required. Specifies the permission type of the filter.

SSID

Required [conditional, see "Remarks"]. SSID of the wireless network.

Networktype

Required. Specifies the wireless network type.

Example commands

add filter permission=allow ssid=WiFiNetwork networktype=infrastructure

add filter permission=block ssid="Wireless Net" networktype=adhoc

add filter permission=denyall networktype=infrastructure

add profile
Adds a WLAN profile to the specified interface on the computer.

Syntax
add profile filename=PathAndFileName [[interface=]InterfaceName] [[user=]{all|current}]

Parameters
Filename

Required. Specifies both the path to, and name of the XML file containing the profile data.

Interface

Optional. Specifies the name of the wireless interface on which to add the profile (where
InterfaceName is the name of the wireless interface, as listed in Network Connections, or as
rendered by the netsh wlan show interfaces command).

User

Optional. Specifies whether the profile is applied only to the current user or to all users.

Example commands

add profile filename=C:\Users\WirelessUser\Documents\profile1.xml interface="Wireless Network Connection"

add profile filename="C:\Wireless Profiles\WiFi Profile.xml" interface=w*

connect
Connects to a wireless network by using the specified parameter.

Syntax
connect [[ssid=]WirelessNetworkName] name=ProfileName interface=InterfaceName

Parameters
SSID

Optional [conditional, see "Remarks"]. Specifies the SSID of the wireless network.

Name

Required. Specifies the name of the wireless profile to use for the connection attempt, (where
ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as
rendered by the netsh wlan show profiles command).

Interface

Required [conditional, see "Remarks"]. Specifies the wireless interface to use for the connection
attempt, (where InterfaceName is the name of the wireless interface, as listed in Network
Connections, or as rendered by the netsh wlan show interfaces command).

Examples

connect ssid=WiFiNetwork name=Profile1

connect ssid="Wireless Net" name=Profile2 interface="Wireless Network Connection"

delete filter
Removes a wireless network from the wireless allowed or blocked list.

Syntax
delete filter permission={allow|block|denyall} ssid=WirelessNetworkName
networktype={infrastructure|adhoc}

Parameters
Permission

Required. Specifies the permission type of the filter.

SSID

Required [conditional, see "Remarks"]. Specifies the SSID of the wireless network.

Networktype

Required. Specifies whether the wireless network type is adhoc or infrastructure.

Example commands

delete filter permission=allow ssid=WiFiNetwork networktype=infrastructure

delete filter permission=block ssid="Wireless Net" networktype=adhoc

delete filter permission=denyall networktype=adhoc

delete profile
Removes a WLAN profile from one or multiple interfaces.

Syntax
delete profile name=ProfileName [[interface=]InterfaceName]

Parameters
Name

Required. Specifies the name of the wireless profile to delete, (where ProfileName is the name of
the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan
show profiles command).

Interface

Optional. Specifies the name of the wireless interface on which to delete the profile, (where
InterfaceName is the name of the wireless interface, as listed in Network Connections, or as
rendered by the netsh wlan show interfaces command).

Example commands

delete profile name="Profile 1" interface="Wireless Network Connection"

delete profile name=Profile2 interface=*

delete profile name="Profile 1" i=*

disconnect
Disconnects the specified interface from a wireless network.

Syntax
disconnect interface=InterfaceName

Parameters
Interface

Required [conditional, see "Remarks"]. Specifies which wireless interface is used for the disconnect
attempt (where InterfaceName is the name of the wireless interface, as listed in Network
Connections, or as rendered by the netsh wlan show interfaces command).

Example commands

disconnect

disconnect interface="Wireless Network Connection"

export profile
Saves WLAN profiles as XML files to the specified location.

Syntax
export profile folder=PathAndFileName [[name=]ProfileName] [[interface=]InterfaceName]

Parameters
Folder

Optional. Specifies the path and file where the profile XML file is to be saved, and the name to use
for the saved file.

Name

Optional. Specifies the name of the wireless profile to export (where ProfileName is the name of
the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan
show profiles command).

Interface

Optional. Specifies the name of the wireless interface on which the profile is configured, (where
InterfaceName is the name of the wireless interface, as listed in Network Connections, or as
rendered by the netsh wlan show interfaces command).

Example commands

export profile folder=c:\profiles name="Profile 1" interface="Wireless Network Connection"

export profile folder="c:\wifi profiles" name=Profile2 interface=*

set autoconfig
Enables or disables WLAN Auto Config Service on an interface.

Syntax
set autoconfig enabled={yes|no} interface=InterfaceName

Parameters
enabled

Required. Specifies whether to set WLAN Auto Config Service to enabled or disabled.

Interface

Required. Specifies the name of the interface on which the service has been enabled or disabled,
(where InterfaceName is the name of the wireless interface, as listed in Network Connections, or
as rendered by the netsh wlan show interfaces command).

Example command

set autoconfig enabled=yes interface="Wireless Network Connection"

set blockednetworks
Shows or hides the blocked networks in the visible network list.

Syntax
set blockednetworks display={show|hide}

Parameters
Display

Required. Specifies whether to show or hide the blocked networks in the list of available wireless
networks.

Example command

set blockednetworks display=show

The example command specifies that blocked networks are shown in the list of available networks.

set createalluserprofile
Specifies whether users are allowed to create all-user profiles, regardless of whether they are
members of the Administrators group. Users who have membership in the Administrators group can
create all-user profiles no matter whether “set createalluserprofile enabled=” is set to “yes” or “no.”

Syntax
set createalluserprofile enabled={yes|no}

Parameters
Enabled

Required. Specifies whether all computer users are allowed to create all user profiles.

Example command

set createalluserprofile enabled=yes

set profileorder
Sets the preference order of a wireless network profile on a wireless network interface.

Syntax
set profileorder name=ProfileName interface=InterfaceName priority=integer

Parameters
Name

Required. Specifies the name of the profile to set, (where ProfileName is the name of the wireless
profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show
profiles command).

Interface

Required. Specifies the name of the interface that has this profile configured, (where InterfaceName
is the name of the wireless interface, as listed in Network Connections, or as rendered by the
netsh wlan show interfaces command).

Priority

Required. Specifies the new priority number for the profile.

Example command

set profileorder name="profile 1" interface="Wireless Network Connection" priority=1

set profileparameter
Sets parameters in a wireless network profile.

Syntax
set profileparameter name=ProfileName [[interface=]InterfaceName]
[[authMode=]{machineOrUser|machineOnly|userOnly|guest}]
[[ssoMode=]{preLogon|postLogon|none}] [[maxDelay=]1-120] [[allowDialog=]{yes|no}]
[[userVLAN=]{yes|no}] [[fips=]{yes|no}]

Parameters
Name

Required. Specifies the name of the profile to set, (where ProfileName is the name of the wireless
profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show
profiles command).

Interface

Optional. Specifies the name of the interface on which the profile is set, (where InterfaceName is
the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh
wlan show interfaces command).

AuthMode

Optional [conditional, see "Remarks"]. Specifies the type of credentials to use for authentication.

SSOMode

Optional [conditional, see "Remarks"]. Specifies the type of single sign on to be attempted, if any.

MaxDelay

Optional [conditional, see "Remarks"]. Specifies the timeout value to establish single sign-on
connection.

AllowDialog

Optional [conditional, see "Remarks"]. Specifies whether to allow or disallow a dialog to be shown
for prelogon.

UserVLAN

Optional [conditional, see "Remarks"]. Specifies if the network switches to a different VLAN upon
user authentication.

FIPS

Optional [conditional, see "Remarks"]. Specifies whether to enable or disable Federal Information
Processing Standards Publications (FIPS) mode.

Example commands

set profileparameter name="Profile 1" authMode=userOnly ssoMode=preLogon

set profileparameter name=Profile2 ssoMode=none fips=yes

set tracing
Enables or disables WLAN tracing.

Syntax
set tracing mode={yes|no|persistent}

Parameters
Mode

Required. Specifies whether tracing is disabled, enabled and persistent, or enabled and
nonpersistent. See "Remarks" for additional information.

Example command

set tracing mode=persistent

show all
Displays the entire collection of information about wireless network adapters, wireless profiles and
wireless networks.

Syntax
show all

Parameters
There are no parameters for this command.

Example command

show all

show autoconfig
Displays whether WLAN AutoConfig service is enabled or disabled.

Syntax
show autoconfig

Parameters
There are no parameters for this command.

Displays whether WLAN AutoConfig service is enabled or disabled on each wireless adapter
interface.

Example command

show autoconfig

show blockednetworks
Displays the global setting that determines whether blocked networks are shown or hidden in the
visible network list.

Syntax
show blockednetworks

Parameters
There are no parameters for this command.

Example command

show blockednetworks

show drivers
Displays the properties of the wireless adapter drivers on the computer.

Syntax
show drivers [[interface=]InterfaceName]

Parameters
Interface

Optional. Specifies the name of the interface for which driver information is displayed, (where
InterfaceName is the name of the wireless interface, as listed in Network Connections, or as
rendered by the netsh wlan show interfaces command).

Example command

show drivers interface="Wireless Network Connection"

show filters
Displays the current list of allowed and blocked wireless networks.

Syntax
show filters [[permission=]{allow|block}]

Parameters
Permission

Optional. Specifies whether to show the list of allowed networks or the list of blocked networks
configured on the computer.

Example commands

show filters

show filters permission=allow

show filters permission=block

show interfaces
Displays a list of the current wireless interfaces on a computer.

Syntax
show interfaces

Parameters
There are no parameters for this command.

Example command

show interfaces

show networks
Displays a list of wireless networks that are visible on the computer.

Syntax
show networks [[interface=]InterfaceName] [[mode=]{ssid|bssid}]

Parameters
Interface

Optional. Specifies for which interface the network information is returned, (where InterfaceName is
the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh
wlan show interfaces command).

Mode

Optional. Specifies whether to display information for Basic Service Set Identifier (BSSID), or
Service Set Identifier (SSID).

Example commands

show networks interface="Wireless Network Connection"

show networks mode=bssid

show networks

show profiles
Displays a list of wireless profiles that are configured on the computer.

Syntax
show profiles [[name=]ProfileName] [[interface=]InterfaceName]

Parameters
Name

Optional. Specifies the name of the profile to display, (where ProfileName is the name of the
wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show
profiles command).

Interface

Optional. Specifies the name of the interface which has this profile configured, (where
InterfaceName is the name of the wireless interface, as listed in Network Connections, or as
rendered by the netsh wlan show interfaces command).

Example commands

show profiles name="profile 1" interface="Wireless Network Connection"

show profiles name=profile2

show profiles

show settings
Displays the current global settings of the wireless LAN.

Syntax
show settings

Parameters
There are no parameters for this command.

Example command

show settings

show tracing
Displays whether wireless tracing is enabled or disabled.

Syntax
show tracing

Parameters
There are no parameters for this command.
