Introduction

The Network Shell (Netsh) tool was first introduced with Windows 2000. It allows you
to configure, troubleshoot, and administer many different network components of
Windows via the command line both locally and remotely. More contexts and
commands have been added with Windows releases to support new and existing
network functions.

Wireless LAN (WLAN) Commands


One new feature of Windows 7 and Windows Server 2008 R2 is Wireless Hosted
Networks. It lets you create a virtual wireless access point (AP) with your wireless
adapter, even when connected to a wireless network. Once you enable Internet
Connection Sharing (ICS), others can connect to your virtual AP with the encryption
key and access the Internet.

You can create and manage Wireless Hosted Networks with Netsh:

• netsh wlan set hostednetwork: Define the settings for the Wireless Hosted
Network, using the following optional parameters:
- mode = { allow | disallow }
- ssid = WirelessNetworkName
- key = YourDesiredPassword
- keyUsage = { persistent | temporary }
• netsh wlan refresh hostednetwork: Set a new WPA2-PSK encryption key.
Enter the command followed by the new key.
• netsh wlan start hostednetwork: Enable and start broadcasting the Wireless
Hosted Network.
• netsh wlan stop hostednetwork: Disable and stop broadcasting the Wireless
Hosted Network.
• netsh wlan show hostednetwork: Print the settings of the Wireless Hosted
Network, including a list of connected users.
• netsh wlan export hostednetworkprofile: Save the Wireless Hosted Network
profile as an XML file, using the following parameters:
- Folder = PathandFileName
- Name = WirelessProfileName (as shown when using the netsh wlan show
profiles command)
Figure 1: Setting up and starting a Wireless Hosted Network.
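
A hosted network left in the allowed or started state is an extra access point on the machine, so it is worth checking for. The following PowerShell sketch is an added example, not part of the original article: it parses the output of netsh wlan show hostednetwork and flags that state. It assumes English-language netsh output; the function name, the sample text, and the SSID "ExampleAP" are constructed for illustration.

```powershell
# Added example, not from the original article.
# Assumption: English-language netsh output with these field labels.
function Get-HostedNetworkState {
    param(
        # Lines from "netsh wlan show hostednetwork"; queried live if omitted.
        [string[]]$NetshOutput
    )
    if (-not $NetshOutput) {
        $NetshOutput = & netsh wlan show hostednetwork
    }
    $state = @{ Mode = $null; SSID = $null; Status = $null; Clients = 0 }
    foreach ($line in $NetshOutput) {
        if     ($line -match '^\s*Mode\s*:\s*(.+?)\s*$')          { $state.Mode    = $Matches[1] }
        elseif ($line -match '^\s*SSID name\s*:\s*"?(.*?)"?\s*$') { $state.SSID    = $Matches[1] }
        elseif ($line -match '^\s*Status\s*:\s*(.+?)\s*$')        { $state.Status  = $Matches[1] }
        elseif ($line -match '^\s*Number of clients\s*:\s*(\d+)') { $state.Clients = [int]$Matches[1] }
    }
    New-Object PSObject -Property $state
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "ExampleAP"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    Number of clients      : 1
'@ -split "`r?`n"

$s = Get-HostedNetworkState -NetshOutput $sample
if ($s.Mode -eq 'Allowed' -or $s.Status -eq 'Started') {
    Write-Warning ("Hosted network: mode {0}, SSID '{1}', status {2}, {3} client(s)" -f `
        $s.Mode, $s.SSID, $s.Status, $s.Clients)
    # To turn the feature off with the commands listed above (elevated prompt):
    #   netsh wlan stop hostednetwork
    #   netsh wlan set hostednetwork mode=disallow
}
$s
```

Call Get-HostedNetworkState without arguments to query the local machine instead of the sample text.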

Here are some new WLAN commands to show or print the value of other settings:

• netsh wlan show allowexplicitcreds: Shows if the computer is allowed to use
stored user credentials for 802.1X authentication when a user isn’t logged on to
the computer.
• netsh wlan show createalluserprofile: Shows if users can create wireless
profiles for all users, rather than just for their own Windows account.
• netsh wlan show onlyusegpprofilesforallowednetworks: Displays if only the
wireless profiles of Group Policy are allowed when Group Policy is
implemented.

Here are a couple more new miscellaneous Netsh WLAN commands:

• netsh wlan set allowexplicitcreds: Specify if the computer is allowed to use
any stored user credentials for wireless 802.1X authentication when a user isn’t
logged in, using the following parameter:
- allow = { yes | no }
• netsh wlan set profiletype: Specify whether only the current user or all users
can use the given wireless network profile, using the following parameters:
- name = ProfileName
- profiletype = { all | current }
• netsh wlan set blockperiod: Specify the number of minutes (0 – 60) a user
must wait to retry after unsuccessfully connecting to a wireless network.
• netsh wlan reportissues: Create a report in the C:\Windows\Tracing directory
for troubleshooting wireless networking issues.

Local Area Network (LAN) Commands


There are only two new Netsh LAN commands, which are the wired versions of two of
the new Netsh WLAN commands:

• netsh lan set allowexplicitcreds: Specify if the computer is allowed to use any
stored user credentials for wired 802.1X authentication when a user isn’t logged
in, using the following parameter:
- allow = { yes | no }
• netsh lan set blockperiod: Specify the number of minutes (0 – 60) a user must
wait to retry after unsuccessfully connecting to a wired network.

Windows Filtering Platform (WFP) Commands


The Windows Filtering Platform (WFP) is a new architecture that debuted in Windows
Vista and Windows Server 2008. It gives software developers much more access and
control over the TCP/IP stack.

Microsoft added a diagnostic tool for the WFP in Windows 7 and Windows Server 2008
R2. It can help you troubleshoot issues with Windows Firewall and IPsec. It runs
diagnostic tests and creates a report in XML format. Here are the diagnostic capture
commands:

• netsh wfp capture start: Begins the capturing, and continues until you enter the
stop command, with the following optional parameters:
- cab = { on | off }: Specify if the two output files should be compressed into
a .cab file. When not specified, it is set to on.
- traceonly = { on | off }: State if only event tracing data should be captured,
reducing the output file size. When not specified, it is set to off.
- keywords = { none | bcast | mcast | bcast+mcast }: Set the type of network
traffic to capture. Unicast network traffic is always included, even when set to
none. bcast means broadcast traffic and mcast is multicast traffic.
- file = PathAndFilename: Specify the path and filename (without extension) to
write the output files.
• netsh wfp capture status: Shows if a capture session is currently active.
• netsh wfp capture stop: Stops the capturing session.

Figure 2: Starting and stopping the capturing.


Two persistent options for the diagnostic capturing can be set with the netsh wfp set
options command, using the following parameters:

• netevents = { on | off }: Specify if network events should be included in the
diagnostics output. The default value is on.
• keywords = { none | bcast | mcast | bcast+mcast }: Set the type of network
traffic to capture. Unicast network traffic is always included, even when set to
none. bcast means broadcast traffic and mcast is multicast traffic.

Information about the current WFP and firewall configuration, filters, and
network events that’s set when Windows first starts can be displayed with netsh
wfp show, using the following commands:

• netsh wfp show appid: Show the device-based application path for a file, using
the following parameter:
- file = PathAndFilename: Define the file path in the standard form, e.g.
C:\folder\subfolder.
• netsh wfp show boottimepolicy: Displays the WFP policy and filters
that are set when Windows first starts, before the Windows Firewall with
Advanced Security service is loaded, using the following optional parameter:
- file = PathAndFilename: Specify where to write the output. If not specified,
the filename is btpol.xml. If you enter a dash (-) for the file value, it is written
only to the console.
• netsh wfp show filters: Shows the currently active WFP filters. You can specify
the output file (or print to the console) and limit results with the following
parameters:
- file = PathAndFilename
- protocol = IPProtocolNumber
- localaddr = IPv4orIPv6Address
- remoteaddr = IPv4orIPv6Address
- localport = PortNumber
- remoteport = PortNumber
- appid = PathAndFileName
- userid = { SID | UserName }
- dir = { in | out }
- verbose = { on | off }
• netsh wfp show netevents: Displays the list of network traffic events. You can
specify the output file (or print to the console) and limit results with the
following parameters:
- file = PathAndFilename
- protocol = IPProtocolNumber
- localaddr = IPv4orIPv6Address
- remoteaddr = IPv4orIPv6Address
- localport = PortNumber
- remoteport = PortNumber
- appid = PathAndFileName
- userid = { SID | UserName }
- timewindow = secondsprevious
• netsh wfp show options: Shows the value of the netevents or keywords settings,
with the following parameter:
- optionsfor = { netevents | keywords }
• netsh wfp show security: Displays the security descriptor of a selected item,
using the following parameters:
- type = { callout | engine | filter | kesadb | ipsecsadb | layer | netevents |
provider | providercontext | sublayer }
- guid = GUID
• netsh wfp show state: Shows the current functioning state of the WFP and
IPsec, using the following optional parameter:
- file = PathAndFilename: Specify where to write the output. If not specified,
the filename is wfpstate.xml. If you enter a dash (-) for the file value, it is
written only to the console.
• netsh wfp show sysports: Displays the TCP and UDP ports currently used by
the TCP/IP protocol stack, and the remote procedure call (RPC) subsystem,
using the following optional parameter:
- file = PathAndFilename: Specify where to write the output. If not specified,
the filename is sysports.xml. If you enter a dash (-) for the file value, it is written
only to the console.

Network Trace Commands


Netsh in Windows 7 and Windows Server 2008 R2 features trace commands to help
you diagnose and trace network-related issues. Here are three commands you need to
know to use the diagnosis tool:

• netsh trace show scenarios: Lists the network components you can perform
traces and diagnosis on.
• netsh trace show scenario: Shows the information for the specified scenario,
including the attribute(s) you can use to perform the diagnosis, using the
required parameter:
- name = ScenarioName: Specify the name of the desired scenario.
• netsh trace diagnose: Starts a diagnostic session that tries to detect the root
cause and repair the issue, using the following parameters:
- scenario = ScenarioName (Required)
- namedAttribute = AttributeValue (Required)
- saveSessionTrace = { yes | no }
- report = { yes | no }
- capture = { yes | no }
Figure 3: Running a FileSharing diagnosis to see why the LAPTOP computer isn’t
accessible.

Here are the commands to perform network traces:

• netsh trace start: Begins a trace session, using the following optional
parameters:
- scenario = Scenario1,Scenario2
- globalKeywords = keywords
- globalLevel = level
- capture = { yes | no }
- report = { yes | no }
- persistent = { yes | no }
- traceFile = Path\Filename
- maxSize = MaxFileSizeInMB
- fileMode = { single | circular | append }
- overwrite = { yes | no }
- correlation = { yes | no | disabled }
- provider = ProviderIdOrName
- keywords = KeywordMaskOrSet
- level = level
- provider = Provider2IdOrName
- keywords = Keyword2MaskOrSet
• netsh trace stop: Stops the trace session.
Figure 4: Starting and stopping a trace on the WLAN.
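
The start and stop commands above can be wrapped so that a capture is bounded in size and time and is always stopped. This PowerShell function is an added example, not part of the original article; the function name, the C:\Traces folder, and the file name are hypothetical, and it assumes an elevated prompt and an output path without spaces.

```powershell
# Added example, not from the original article: a time-boxed network trace.
# Assumptions: elevated prompt; C:\Traces is a hypothetical output folder
# whose path contains no spaces; WLAN is the scenario named in Figure 4.
function Invoke-BoundedNetTrace {
    param(
        [string]$Scenario  = 'WLAN',
        [string]$TraceFile = 'C:\Traces\wlan-example.etl',
        [int]$MaxSizeMB    = 100,
        [int]$Seconds      = 30
    )

    $folder = Split-Path -Parent $TraceFile
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    $startArgs = @(
        'trace', 'start',
        "scenario=$Scenario",
        'capture=yes',          # include packet capture, not only trace events
        'report=no',
        'persistent=no',        # do not resume the trace after a reboot
        "traceFile=$TraceFile",
        "maxSize=$MaxSizeMB",   # cap the trace file size in MB
        'fileMode=circular',    # overwrite oldest data once the cap is reached
        'overwrite=yes'
    )
    & netsh $startArgs
    if ($LASTEXITCODE -ne 0) {
        # Treat a non-zero exit code as a failed start.
        throw "netsh trace start failed (exit code $LASTEXITCODE)"
    }

    try {
        Start-Sleep -Seconds $Seconds   # reproduce the problem in this window
    }
    finally {
        # Runs even if the wait fails or is interrupted, so no capture is left running.
        & netsh trace stop
    }
    & netsh trace show status           # confirm the session has ended
}

Invoke-BoundedNetTrace -Seconds 30
```

The resulting .etl file contains captured packets, so store and share it as sensitive data.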

The trace convert and trace correlate commands can help you manipulate the trace
files. The following commands display more information related to tracing and
diagnosis:

• netsh trace show CaptureFilterHelp
• netsh trace show globalKeywordsAndLevels
• netsh trace show helperclass
• netsh trace show interfaces
• netsh trace show provider
• netsh trace show providers
• netsh trace show status
