Tools NetShell Lead image: © Kirsty Pargeterr,
© Kirsty Pargeterr,

Configuring Windows with NetShell

Windows networks can be configured from a graphical interface, but if you want to explore all the functions, try using NetShell at the command line to configure TCP/IP stack parameters and network services. By Eric Amberg

NetShell has been an integral part of every version of Windows since Windows 2000. It is based on a core program that can be extended with NetShell helpers. These helpers are libraries (DLL files) that can in turn be extended using the NetShell API. Among other tasks, NetShell lets you:

NetShell is available on both client and server variants of Windows. In some cases, if an additional network service, such as DHCP, is installed on a Windows Server, Windows provides a corresponding NetShell helper to let you control the service via NetShell.

A Question of Context

NetShell [1] can be used in two ways: On the one hand, you can call each NetShell command in a separate line. This method is useful in batch scripts, for example. Alternatively, NetShell offers an interactive environment in which you can enter commands. This variant provides comprehensive help to make sure that newcomers can find their way around. To enter this environment, type


at the command prompt. On Windows Vista and Windows 7, note that the command prompt must be launched with administrator privileges if you want to change the system configuration in NetShell.

NetShell is based on contexts that represent the individual NetShell helpers. Each context refers to a specific network functionality, such as IP, firewall, IPsec, or DHCP client configuration. Figure 1 shows the output of the Help function, which can be called at any time by typing a question mark (?).

Interactive NetShell provides a built-in help function.
Figure 1: Interactive NetShell provides a built-in help function.

In the interactive interface, you can switch between the various contexts. Help shows all the commands available in any context, as well as in your current context. The available sub-contexts are shown at the bottom of the help output. The list of commands also contains those commands that take you to a different context.

The NetShell prompt shows the respective context. If you type interface to switch to the Interface context, for example, the prompt changes to netsh interface. The levels are structured hierarchically. Within a context, you can change to the sub-context of a command. For example, the Interface context offers the ipv4 command. Again, the prompt shows you the level as netsh interface ipv4 when you switch to that context.

Entering two dots (..) takes you to the parent level of a sub-context. As with the Windows command prompt, you can navigate through the command history by using the up and down arrow keys.

How It Works

In addition to the general help, which shows you the available commands, NetShell also has detailed help output for each individual command. For example, if you are in the context netsh interface ipv4 and you type set ?, NetShell shows you other available commands (Figure 2).

The set commands in the context of an IPv4 interface.
Figure 2: The set commands in the context of an IPv4 interface.

A word of caution: set is not a separate sub-context under netsh but a command with further sub-commands and parameters. If you type set, the context remains the same. Instead, after studying the help output, you need to specify the command with the desired sub-command, for which you can again get help. Typing

set address ?

takes you to a detailed syntax description (as shown in Figure 3). Thankfully, the output also includes examples that illustrate the use of the respective NetShell command.

Commands available for setting an IPv4 address in NetShell.
Figure 3: Commands available for setting an IPv4 address in NetShell.

Hands On

Although some configuration tasks can be handled in a GUI via dialog boxes, NetShell is the only option for other tasks, such as editing various IPv6 or BranchCache settings. In particular, the show commands give you details the graphical interface hides.

To configure and edit the network interfaces on your system, enter the netsh interface ipv4 context and, when there, type

show config

for an initial overview. The IP address configuration looks like the ipconfig command output. If you want to modify the interface configuration, several commands are often necessary. The following example shows how to set some of the parameters for the standard Ethernet interface (IP address, subnet mask, default gateway, DNS server

To discover the name of the corresponding interface, you again need show config. Windows refers to the first Ethernet interface as the Local Area Connection. The IP address, subnet mask, and default gateway are set with:

netsh interface ipv4 set address "Local Area Connection" static

If the command is successful, NetShell says nothing; otherwise, you'll see a message that returns a reference to the error. To configure the DNS servers, you need to add the following command:

set dnsservers "Local Area Connection" static

Note that NetShell immediately checks the specified DNS server and displays a warning message if it is not reachable. Regardless, the entry is still made, as you can see later by entering the

ipconfig /all

command at a separate prompt. Incidentally, the changes are permanent.

Thus far, you could have easily made these changes in the graphical input mask for the IPv4 configuration of the interface. But NetShell lets you additionally set specific parameters that do not appear in the GUI, including tuning values for the TCP/IP stack and security settings. For example, you can use the command

set global icmpredirects=disabled

in the context netsh interface ipv4 to specify that the system should not respond to ICMP redirect messages that cause a change in the routing and are thus a major concern in terms of security. You can also add or delete values. If you want to add another DNS server, use:

add dnsservers "Local Area Connection" index=2

The index specifies the priority. If you got something wrong, you can delete the DNS server by typing:

delete dnsservers "Local Area Connection"

Then, check the results of the configuration steps with ipconfig /all.

NetShell also has limitations. For example, you can't change the DNS suffix with it. If you want to do so without the GUI, you need other tools, such as netdom or the Group Policy Manager. Both only work in Active Directory domain environments.

Customizing Windows Firewall

Configuring Windows Firewall is another task often performed in NetShell. Windows XP and Windows Server 2003 used the old Windows Firewall, whereas Windows Vista and Windows Server 2008 use "Windows Firewall with Advanced Security." The graphical Administrator Console has a separate snap-in for this (Figure 4), but for cases in which either a script-based or command-line approach is necessary, in the absence of a graphical interface (typically on Windows Server Core), NetShell can help.

The graphical administration snap-in for the new Windows Firewall.
Figure 4: The graphical administration snap-in for the new Windows Firewall.

Entering advfirewall takes you to the context for the advanced firewall. The

show currentprofile

command shows basic settings for the current network profile, which has distinguished between home, work, public, and domain since Windows Vista. As usual, you can call for help by typing show ?, which reveals that you can view each profile separately in this context, as well as access all of the profiles in the overview.

If you want to configure firewall rules, go to the firewall sub-context. The prompt now reads netsh advfirewall firewall>. Here, you can view, create, modify, and delete firewall rules. The difficulty is in identifying the appropriate rules or their names. Entering

show rule all

lets you view all the rules. This list will be rather long because it displays not only all the incoming and outgoing rules, but all the profiles as well (Figure 5).

Displaying rules. NetShell also manages firewalls.
Figure 5: Displaying rules. NetShell also manages firewalls.

In many cases, the required rule already exists but is disabled. For example, if you want enable the Windows Firewall Remote Management (RPC) rule, you can use the command:

set rule "Windows Firewall Remote Management (RPC)" new enable=yes

In this case, NetShell might even return a response, such as

2 rule(s) were updated. OK

indicating that the same rule has been deployed for two different profiles.

Many standard rules are organized in groups. By specifying the group, you can edit all the associated rules at the same time. The rule in the example here belongs to the group Windows Firewall Remote Management; thus, all related rules can be enabled at once:

Set rule group="Windows Firewall Remote Management" new enable=yes

If you want to create a new rule, you have to select from a plethora of parameters. Typing set rule ? lets you review the syntax and shows some basic examples. The following example shows how to create a rule that allows traffic from network on the local HTTP port 80/TCP and is effective for the domain profile:

add rule name="local web server" dir=in action=allow profile=domain localip=any remoteip= localport=80 remoteport=1024-65535 protocol=tcp

This sets the name of the rule to local web server and the direction of the rule (dir) to inbound (in). The remote port is in the range 1024 through 65535 as it relates to the regular ports used by client applications. More examples can be found in the help output for add rule.

Configuring IPv6

IPv6 introduces some new concepts and features that require special configuration. Although configuration dialogs for the network interfaces since Windows Vista have supported the basic configuration of IPv6, you might find it difficult to avoid customizing additional parameters with NetShell in real life. Moreover, various IPv6 statuses can only be viewed in NetShell (e.g., the routing table, which does not appear in older versions of Windows with netstat -nr or route print).

You can switch to the IPv6 context in a similar way to IPv4 by entering interface ipv6, putting you in the netsh interface ipv6 context. The show route command displays the IPv6 routing table. The show addresses command lists the IPv6 addresses for all of the interfaces. The output also includes special addresses that ipconfig /all does not display.

For a detailed configuration of IPv6, more advanced parameters are necessary. If you want to set a global unicast address for the interface Local Area Connection, use the command:

add address "Local Area Connection" 2001:db8:10::5

Because the border between the network and host in IPv6 addresses is always at 64 bits, you do not need to specify a subnet mask. Note that you can assign multiple IPv6 addresses to a single interface. To add an IPv6 anycast address of 2001:db8:aa:bb:cc::1, use the command:

add address 2001:db8:aa:bb:cc:1 type=anycast

One of the most important IPv6 features is auto-configuration, which allows an IPv6 system to assign itself a globally unique IPv6 address. In the original version, these addresses included the MAC address of the respective interface, allowing global traceability.

To prevent this, the Privacy Extensions [2] were introduced to generate temporary addresses automatically.

To discover whether these Privacy Extensions are enabled on your system, type:

show privacy

You can enable this feature with:

set privacy state=enabled

To switch Privacy Extensions off again, just type

set privacy state=disabled

and you're back to the original EUI 64 format.

Temporary addresses are only valid for a certain period of time, before they need to be renewed. If you want to adjust the parameters responsible for this, you can do so with set privacy; for help, again type the usual set privacy ? command. Here, you will find parameters such as maxvalidlifetime or maxpreferredlifetime that govern the behavior of the temporary address.

NetShell Server-Side

When you install certain services on a Windows Server, NetShell helpers are installed for the appropriate contexts to support management of the server component. For example, a context named dhcp is installed for the DHCP server.

Using NetShell to configure services on a server is a particularly useful option in the case of a slow WAN connection or a large number of servers that use scripts for a uniform and automated configuration process.

If you want to configure the DHCP server, for example, you must first authenticate against Active Directory. This process begins in the nethsh dhcp> context using the following command:

add server server1.windschief.local:

You need the fully qualified domain name and IP address of the server for this; then, you can specify a scope in which the DHCP server can assign its addresses. The following example shows how to create a scope named Test:

server add scope Test

Then, you can define the address range:

server scope add iprange

To define the scope of the network, you need the first and last IP addresses. The following command now sets up a default gateway. The corresponding option is 003:

server scope optionvalue 003 ipaddress

Finally, you still have to activate the scope:

server scope set state 1

If you check these settings in the management console on the DHCP server, you will see that the scope has been set up properly and is active (Figure 6).

The DHCP management console shows the results of configuring the DHCP server with NetShell.
Figure 6: The DHCP management console shows the results of configuring the DHCP server with NetShell.

Tips and Conclusions

NetShell uses contexts and works in a modular and hierarchical way. Because NetShell supports two modes, using the tool initially takes some getting used to, but you once you become familiar with it, you will find the options easy to navigate. If you enter all the commands in one line, as required for scripting, NetShell outputs help text documenting the correct call for the user.

In the interactive shell, it is much easier to work your way through the individual levels. Interestingly, Microsoft has adopted proven concepts here. The command-line interface in Cisco's Internet Operating System (IOS) acts as a role model: On the one hand, show commands are used for viewing the various configurations; on the other hand, it is not necessary to write out each command fully. Instead, you just need to type enough of the command for the results to be unique. For example,

netsh int ip show a

gives you the same result as:

netsh interface ipv4 show addresses

NetShell is a useful tool for network configuration. It lets you tune the network stack with options the graphical dialog box does not give you. However, the administrator must evaluate whether working with NetShell will add any real value on a case-by-case basis as bandwidth becomes increasingly available for remote administration. Almost all management snap-ins support connecting to other servers via RPC. In this case, bandwidth only plays a minor role, but working with NetShell can still be worthwhile because a well-founded understanding of its approach can help in cases where tuning and configuration via NetShell are necessary.