netsh command in Windows

netsh (Network Shell) is a command-line scripting utility built into Windows that lets you configure and inspect virtually every aspect of networking from a terminal — no GUI required. It operates through a context hierarchy: you enter a context like interface or http, then run subcommands within it. Everything from IP address assignment to Windows Firewall rules to IIS URL reservations is reachable through the same tool.

PowerShell has absorbed many of these functions, but netsh remains irreplaceable in three situations: Server Core installations where some PowerShell network cmdlets behave differently, legacy batch scripts that need to run unchanged across a wide range of Windows versions, and contexts where a single self-contained command needs to do in one line what PowerShell would spread across five. Knowing both is the practical position.

This article covers the full usable surface of netsh — interface configuration, WLAN profile management, winhttp proxy, Windows Firewall, and the http context that IIS administrators use to manage URL reservations and SSL certificate bindings. Each section shows real-world scenarios with expected output and explains what can go wrong.

Applies to: Windows Server 2016 / 2019 / 2022 / 2025


Quick answer

Show the IP configuration of all network interfaces:

netsh interface ip show config

Set a static IP address on an interface named Ethernet:

netsh interface ip set address "Ethernet" static 192.168.1.50 255.255.255.0 192.168.1.1

Switch it back to DHCP:

netsh interface ip set address "Ethernet" dhcp

Warning: All netsh commands that change network configuration require an elevated prompt. Run CMD or PowerShell as Administrator. Commands that only read state (show, dump) work without elevation.

What netsh does

netsh exposes the Windows networking stack through a context-based CLI. Each context maps to a subsystem: interface for adapters and IP configuration, wlan for wireless profiles, winhttp for system-wide proxy settings, advfirewall for Windows Firewall rules, http for HTTP.sys reservations and SSL bindings used by IIS and other HTTP listeners, and trace for packet-level network captures.

Basic syntax:

netsh [context] [subcontext] [command] [parameters]

The table below maps the main contexts, their most-used subcommands, and what each does:

| Context | Subcommand | What it does |
|---|---|---|
| interface ip | show config | Display IP address, subnet, gateway, DNS for all adapters |
| interface ip | set address | Set static IP or switch to DHCP |
| interface ip | set dns | Configure DNS servers on an adapter |
| interface ip | add address | Add a secondary IP to an existing adapter |
| interface portproxy | add v4tov4 | Forward a local port to another host/port |
| interface portproxy | show all | List all active port-forwarding rules |
| wlan | show profiles | List all saved wireless profiles |
| wlan | export profile | Export a WLAN profile to XML (optionally with key) |
| wlan | add profile | Import a WLAN profile from XML |
| wlan | show drivers | Display wireless adapter capabilities and driver version |
| winhttp | set proxy | Set system-wide proxy for WinHTTP clients (Windows Update, WSUS, etc.) |
| winhttp | show proxy | Display current WinHTTP proxy configuration |
| winhttp | reset proxy | Remove WinHTTP proxy and restore direct connection |
| winhttp | import proxy source=ie | Copy proxy settings from Internet Explorer/WinInet to WinHTTP |
| advfirewall firewall | show rule | List firewall rules, filterable by name or profile |
| advfirewall firewall | add rule | Create an inbound or outbound firewall rule |
| advfirewall firewall | delete rule | Remove a firewall rule by name |
| advfirewall | set allprofiles state | Enable or disable the firewall across all profiles at once |
| http | show urlacl | List HTTP.sys URL reservations (used by IIS, WCF, and any HTTP listener) |
| http | add urlacl | Reserve a URL prefix so a non-admin process can listen on it |
| http | delete urlacl | Remove a URL reservation |
| http | show sslcert | List SSL certificate bindings registered with HTTP.sys |
| http | add sslcert | Bind a certificate (by thumbprint) to an IP:port for HTTPS |
| http | delete sslcert | Remove an SSL certificate binding |
| http | show iplisten | Show which IP addresses HTTP.sys is listening on |
| int ip | reset | Reset the TCP/IP stack to default state (requires reboot) |
| trace | start / stop | Capture network packets to an ETL file without installing Wireshark |

Practical examples

Show full interface configuration

The problem: You are on a Server Core machine via remote console and need to see what IP, gateway, and DNS servers are currently configured on every adapter — without ipconfig giving you the detail level you need.

The solution: netsh interface ip show config lists all adapters with their full configuration in a readable block format, including DHCP vs static state.

rem Shows IP, subnet, gateway, DNS and DHCP state for every adapter
netsh interface ip show config

Expected output (abbreviated):

Configuration for interface "Ethernet"
    DHCP enabled:                         No
    IP Address:                           10.10.1.50
    Subnet Prefix:                        10.10.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.10.1.1
    Gateway Metric:                       0
    InterfaceMetric:                      10
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only
    DNS servers:
         10.10.1.10
         10.10.1.11

Note: Use netsh interface show interface to see adapter state (connected/disconnected) and link speed. show config only covers IP-layer settings, not physical link state.

Set a static IP address

The problem: You are deploying a Windows Server and need to assign a static IP during OS setup — before the GUI is available or before a remote management tool has connectivity to the machine.

The solution: netsh interface ip set address sets the IP, mask, and gateway in one command. Follow it immediately with set dns or the adapter has no name resolution.

rem Set static IP — adapter name must match exactly as shown in show config
rem Use quotes if the adapter name contains spaces
netsh interface ip set address "Ethernet" static 10.10.1.50 255.255.255.0 10.10.1.1

rem Set primary DNS — static keyword means replace, not append
netsh interface ip set dns "Ethernet" static 10.10.1.10

rem Add secondary DNS — add keyword appends to the list
netsh interface ip add dns "Ethernet" 10.10.1.11 index=2

Warning: The adapter name in the command must match exactly what Windows reports, including case and spacing. To get the correct name, run netsh interface show interface first. A mismatch silently fails or throws a generic error.

To revert to DHCP:

rem Revert to DHCP — this also clears the static DNS entries
netsh interface ip set address "Ethernet" dhcp
netsh interface ip set dns "Ethernet" dhcp

Configure a WinHTTP system proxy

The problem: A server behind a corporate proxy is failing Windows Update, WSUS sync, or certificate revocation checks — because these components use WinHTTP, not the user-level IE/browser proxy settings. The two proxy stacks are completely separate in Windows.

The solution: netsh winhttp set proxy configures the system-wide WinHTTP proxy that Windows Update, SCCM client, Azure Arc agent, and other system services use.

rem Set system proxy — applies to WinHTTP clients system-wide, not browser sessions
rem bypass-list: semicolon-separated list of hosts that bypass the proxy
netsh winhttp set proxy proxy-server="http://proxy.corp.local:8080" bypass-list="*.corp.local;10.*;localhost"

rem Verify what is currently configured
netsh winhttp show proxy

rem Copy proxy from IE/WinInet settings — useful when the user has already configured it in IE
netsh winhttp import proxy source=ie

rem Remove the proxy and restore direct connection
netsh winhttp reset proxy

Expected output from show proxy after configuration:

Current WinHTTP proxy settings:

    Proxy Server(s) :  http://proxy.corp.local:8080
    Bypass List     :  *.corp.local;10.*;localhost

Note: Browser proxy settings (configured in Settings or via IE Options) use WinInet and are user-specific. WinHTTP is a separate system-level stack. Configuring one does not affect the other. Services running as SYSTEM use WinHTTP. User-session applications typically use WinInet.

Export and import WLAN profiles

The problem: You need to migrate Wi-Fi profiles — including pre-shared keys — from one machine to another without manually re-entering credentials. This comes up when reimaging laptops or provisioning a batch of machines for the same wireless network.

The solution: netsh wlan export profile with the key=clear flag writes the profile to XML including the plaintext PSK. Import it on the target machine with add profile.

rem List all saved WLAN profiles on this machine
netsh wlan show profiles

rem Export a specific profile — key=clear includes the password in plaintext in the XML
rem Without key=clear, the key is exported encrypted and only usable on the same machine
netsh wlan export profile name="CorpWifi" key=clear folder="C:\bat\"

rem Export all profiles at once to the same folder
netsh wlan export profile key=clear folder="C:\bat\"

rem Import the profile on the target machine (all users = available at login screen)
netsh wlan add profile filename="C:\bat\Wi-Fi-CorpWifi.xml" user=all

Warning: XML files exported with key=clear contain the Wi-Fi password in plaintext. Treat them like credentials: delete after import or store in a secured location. Do not leave them in shared folders.
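
A cleanup check for the warning above, as an added example that is not part of the original article: it scans a folder for exported WLAN profiles whose sharedKey is stored unprotected and reports them without printing the key. The function names, the temp folder and both sample profiles are constructed for illustration.

```powershell
# Added example. Function names, folder, SSIDs and key material are constructed.
$WlanNs = @{ w = 'http://www.microsoft.com/networking/WLAN/profile/v1' }

function Get-WlanXmlText {
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $hit = Select-Xml -Xml $Node -Namespace $WlanNs -XPath $XPath | Select-Object -First 1
    if ($hit) { $hit.Node.InnerText.Trim() }
}

function Find-CleartextWlanProfile {
    param([Parameter(Mandatory)][string]$Folder)

    foreach ($file in Get-ChildItem -LiteralPath $Folder -Filter '*.xml' -File) {
        try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
        catch { Write-Warning "Skipping $($file.Name): not well-formed XML"; continue }
        if ($null -eq $xml) { continue }                  # empty file

        foreach ($hit in Select-Xml -Xml $xml -Namespace $WlanNs -XPath '//w:sharedKey') {
            $protected = Get-WlanXmlText $hit.Node 'w:protected'
            $material  = Get-WlanXmlText $hit.Node 'w:keyMaterial'
            # protected=false means keyMaterial holds the passphrase itself
            if ($protected -eq 'false' -and $material) {
                [pscustomobject]@{
                    Profile   = Get-WlanXmlText $xml '/w:WLANProfile/w:name'
                    Auth      = Get-WlanXmlText $xml '//w:authEncryption/w:authentication'
                    KeyLength = $material.Length          # report the length, never the key
                    Exported  = $file.LastWriteTime
                    File      = $file.FullName
                }
            }
        }
    }
}

# --- Demo on two constructed export files in a temp folder ---
$demo = Join-Path ([IO.Path]::GetTempPath()) "wlan-export-demo-$PID"
New-Item -ItemType Directory -Path $demo -Force | Out-Null

$template = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{0}</name>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>{1}</protected><keyMaterial>{2}</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
'@

# Exported with key=clear: protected=false, passphrase readable
Set-Content -LiteralPath (Join-Path $demo 'Wi-Fi-CorpWifi.xml') `
    -Value ($template -f 'CorpWifi', 'false', 'Constructed-Passphrase-1')
# Exported without key=clear: protected=true, keyMaterial is an opaque blob
Set-Content -LiteralPath (Join-Path $demo 'Wi-Fi-GuestWifi.xml') `
    -Value ($template -f 'GuestWifi', 'true', '01000000D08C9DDF0115D1118C7A00C0')

# Only CorpWifi is reported
Find-CleartextWlanProfile -Folder $demo | Format-Table Profile, Auth, KeyLength, File -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Point -Folder at the export location (C:\bat\ in the commands above) after an import run to confirm no cleartext profile was left behind.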

Windows Firewall rules

The problem: After deploying an application on SRV-PROD-01, it is unreachable on its port. You need to check whether a firewall rule exists, add one if it does not, and verify it without opening the MMC snap-in.

The solution: netsh advfirewall firewall lets you query, add, and delete rules from the command line across all Windows versions.

rem Show all rules — output is long; pipe through findstr to filter by name or port
netsh advfirewall firewall show rule name=all

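rem List rule names that contain "Tomcat". name= accepts an exact rule name or all,
rem so filter the full listing with findstr instead of a wildcard
netsh advfirewall firewall show rule name=all | findstr /i "Tomcat"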

rem Add an inbound rule to allow TCP port 8080 (Tomcat default HTTP port)
rem dir=in — inbound traffic; action=allow; profile=any — applies to Domain, Private, Public
netsh advfirewall firewall add rule name="Tomcat HTTP" dir=in action=allow protocol=TCP localport=8080 profile=any

rem Add an inbound rule restricted to the Domain profile only — tighter scope for production
netsh advfirewall firewall add rule name="AppService 9090" dir=in action=allow protocol=TCP localport=9090 profile=domain

rem Delete a rule by exact name
netsh advfirewall firewall delete rule name="Tomcat HTTP"

rem Check the overall firewall state across all three profiles
netsh advfirewall show allprofiles state

Note: Keep rule names unique. netsh does not enforce this: if you add a rule with a name that already exists, Windows creates a duplicate instead of overwriting the existing rule. Always check with show rule name="exact name" before adding. If duplicates exist, delete by name removes all of them at once.

netsh http — URL reservations and SSL bindings for IIS admins

The netsh http context operates at the HTTP.sys level — the kernel-mode HTTP listener that sits beneath IIS, WCF services, and any application that uses the Windows HTTP server API. This is where URL namespace reservations and SSL certificate bindings live. IIS Manager creates and removes these automatically during site configuration, but they frequently need manual intervention when things go wrong: access denied errors on a custom port, SSL bindings pointing to a wrong certificate after renewal, or a decommissioned site leaving a reservation that blocks a new deployment.

Show and manage URL reservations (urlacl)

The problem: A .NET or WCF service on SRV-PROD-01 fails to start with “Access is denied” when trying to listen on http://+:8443/. The service account does not have permission to register that URL prefix with HTTP.sys.

The solution: Add a URL reservation (urlacl) granting the service account permission to bind that prefix. HTTP.sys will then allow the process to listen without requiring it to run as Administrator.

rem List all current URL reservations on the machine
rem This shows every prefix registered with HTTP.sys and who has permission to use it
netsh http show urlacl

rem Show a specific URL reservation
netsh http show urlacl url=http://+:8080/

Expected output from show urlacl:

Reserved URL            : http://+:80/
    User: \Everyone
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;WD)

Reserved URL            : http://+:8443/myapp/
    User: CORP\svc-myapp
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;S-1-5-21-...)

To add or remove a reservation:

rem Add a URL reservation for a service account
rem url= must match exactly what the application tries to bind — including trailing slash
rem user= accepts domain accounts, local accounts, or built-in groups
netsh http add urlacl url=http://+:8443/ user="CORP\svc-myapp"

rem Add a reservation for a local service account
netsh http add urlacl url=http://+:9090/api/ user="NT SERVICE\MyWindowsService"

rem Add a reservation using a wildcard that covers all subpaths under /reports/
netsh http add urlacl url=http://+:80/reports/ user="CORP\svc-reporting"

rem Remove a URL reservation that is no longer needed
rem Leftover reservations from decommissioned services can block new deployments
netsh http delete urlacl url=http://+:8443/

Warning: The URL in the urlacl command must match exactly what the application registers, including the trailing slash, the port, and the path. A reservation for http://+:8080/ does not cover http://+:8080/api/. If in doubt, use http://+:PORT/ (root with no path) which covers everything on that port.

Show and manage SSL certificate bindings (sslcert)

The problem: An HTTPS site on IIS stops serving requests with an SSL error after a certificate renewal. The new certificate is in the store, but HTTP.sys still has the old thumbprint bound to the IP:port. IIS Manager shows the new cert selected in Site Bindings, but the binding at the HTTP.sys level was not updated correctly.

The solution: Delete the stale HTTP.sys binding and add a new one pointing to the correct certificate thumbprint.

rem Show all SSL bindings registered with HTTP.sys
rem This is the ground truth — IIS Manager reads from here
netsh http show sslcert

rem Show binding for a specific IP:port
netsh http show sslcert ipport=0.0.0.0:443

Expected output from show sslcert:

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : a3f5c2d1e8b04793621def45a67890bc1234ef56
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

To replace the binding:

rem Delete the stale SSL binding before adding the new one
rem ipport must match exactly — 0.0.0.0:443 is the binding for "All Unassigned" in IIS
netsh http delete sslcert ipport=0.0.0.0:443

rem Add the new binding with the renewed certificate thumbprint
rem certhash= is the SHA1 thumbprint of the cert from the Local Machine\MY store (no spaces)
rem appid= is a GUID identifying the application — copy from the old binding or generate a new one
netsh http add sslcert ipport=0.0.0.0:443 certhash=NEWTHUMBPRINTHERE appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"

rem For SNI-based bindings (multiple certs on the same port, different hostnames)
rem hostnameport replaces ipport
netsh http add sslcert hostnameport=app.corp.local:443 certhash=NEWTHUMBPRINTHERE appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}" certstorename=MY

Note: The certificate thumbprint must come from the Local Machine > Personal (MY) store. Copy it from the Certificate MMC snap-in or retrieve it with PowerShell: Get-ChildItem Cert:\LocalMachine\My | Select Subject, Thumbprint. Remove any spaces from the thumbprint string before pasting it into the netsh command; spaces cause a silent parse failure.
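
One way to spot the stale-binding case described in this section, as an added example rather than code from the article: parse the netsh http show sslcert text and compare each bound hash with the certificates in the store. The function names, the second binding and the certificate list are constructed, and English netsh output is assumed.

```powershell
# Added example. Function names and all sample data below are constructed.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        $sep = "$line".IndexOf(' : ')        # "IP:port" has no spaces around its colon
        if ($sep -lt 0) { continue }
        $key   = $line.Substring(0, $sep).Trim()
        $value = $line.Substring($sep + 3).Trim()
        if ($key -in 'IP:port', 'Hostname:port') {
            if ($null -ne $current) { [pscustomobject]$current }   # emit previous binding
            $current = [ordered]@{ Binding = $value }
        } elseif ($null -ne $current) {
            $current[$key] = $value
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

function Test-SslBinding {
    param($Bindings, $Certificates, [datetime]$Now = (Get-Date))
    $byThumb = @{}                           # string keys compare case-insensitively
    foreach ($c in $Certificates) { $byThumb[$c.Thumbprint] = $c }

    foreach ($b in $Bindings) {
        # Drop spaces and invisible characters that ride along with copied thumbprints
        $hash  = "$($b.'Certificate Hash')" -replace '[^0-9A-Fa-f]', ''
        $cert  = if ($hash) { $byThumb[$hash] } else { $null }
        $newer = $null
        if ($cert) {
            # A renewed certificate has the same subject and a later expiry
            $newer = $Certificates |
                Where-Object { $_.Subject -eq $cert.Subject -and $_.NotAfter -gt $cert.NotAfter } |
                Sort-Object NotAfter -Descending |
                Select-Object -First 1
        }
        $status = if (-not $cert) {
            'NotInStore'
        } elseif ($newer) {
            'StaleThumbprint'
        } elseif ($cert.NotAfter -lt $Now) {
            'Expired'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Binding     = $b.Binding
            BoundHash   = $hash
            Status      = $status
            Replacement = if ($newer) { $newer.Thumbprint }
        }
    }
}

# Constructed netsh output: the first binding mirrors the article, the second is invented
$sampleOutput = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : a3f5c2d1e8b04793621def45a67890bc1234ef56
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    Hostname:port                : app.corp.local:443
    Certificate Hash             : 0000000000000000000000000000000000000001
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
'@ -split "`r?`n"

# Constructed store contents: the old certificate and its renewal
$sampleStore = @(
    [pscustomobject]@{ Thumbprint = 'A3F5C2D1E8B04793621DEF45A67890BC1234EF56'
                       Subject = 'CN=www.corp.local'; NotAfter = [datetime]'2025-01-31' }
    [pscustomobject]@{ Thumbprint = 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
                       Subject = 'CN=www.corp.local'; NotAfter = [datetime]'2026-01-31' }
)

# 0.0.0.0:443 -> StaleThumbprint (replacement BBBB...), app.corp.local:443 -> NotInStore
$bindings = ConvertFrom-NetshSslCert -Lines $sampleOutput
Test-SslBinding -Bindings $bindings -Certificates $sampleStore -Now ([datetime]'2025-06-01') |
    Format-Table -AutoSize

# On a live server:
#   $bindings = ConvertFrom-NetshSslCert -Lines (netsh http show sslcert)
#   Test-SslBinding -Bindings $bindings -Certificates (Get-ChildItem Cert:\LocalMachine\My)
```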

Show and manage IP listen list (iplisten)

The problem: HTTP.sys is only listening on one IP address instead of all adapters. New site bindings in IIS do not respond on the server’s other NIC. The iplisten list restricts which IPs HTTP.sys binds to at the kernel level.

The solution: Check the iplisten list. If it contains explicit IP entries, HTTP.sys will only listen on those. An empty list means “listen on all interfaces.”

rem Show the current IP listen list
rem Empty output = HTTP.sys listens on all interfaces (correct default)
netsh http show iplisten

rem If a stale IP is listed that no longer exists on the machine, remove it
netsh http delete iplisten ipaddress=10.10.1.50

rem Add a specific IP to restrict HTTP.sys to one interface only
rem Use this deliberately — leaving it empty is the right default for most servers
netsh http add iplisten ipaddress=10.10.2.100

Warning: Adding an explicit IP to the iplisten list is rarely the right fix. An empty list means HTTP.sys listens everywhere, which is what most servers need. Only add entries if you are intentionally restricting HTTP.sys to a specific NIC. A wrong entry here silently breaks all IIS sites on the excluded interfaces.

Reset the TCP/IP stack

The problem: A server has persistent TCP/IP issues — connections drop randomly, socket exhaustion errors appear in the event log, or network adapters report errors that driver reinstallation does not resolve. The problem is in the stack itself, not the hardware.

The solution: netsh int ip reset rewrites the TCP/IP registry keys to their clean default state. It requires a reboot to take effect and should be logged before running.

rem Reset TCP/IP stack — writes a log of changes made to C:\logs\tcpip-reset.log
rem Requires reboot — do not run on a machine you cannot reboot immediately
netsh int ip reset C:\logs\tcpip-reset.log

rem Also reset Winsock catalog (common to do both together)
netsh winsock reset

rem Reboot is required for the reset to take effect
shutdown /r /t 60 /c "TCP/IP stack reset — scheduled reboot"

Common mistake: Running netsh int ip reset on a machine configured with static IP will clear those settings. After reboot the adapter may fall back to DHCP or have no IP at all. Always note your static IP configuration before running this command so you can restore it after the reboot.

Hidden gems

netsh trace — built-in packet capture without Wireshark

Most administrators reach for Wireshark when they need a packet capture. On servers where you cannot install software — or where installing a third-party tool requires a change request — netsh trace is already there. It captures to an ETL file that you can open in Microsoft Network Monitor or convert to PCAP format using etl2pcapng.

rem Start a capture — maxsize in MB, stops automatically when reached
rem capture=yes includes the actual packet bytes, not just metadata
netsh trace start capture=yes maxsize=500 tracefile=C:\logs\capture.etl

rem Run the scenario that reproduces the problem, then stop
netsh trace stop

Note: The ETL file can be opened directly in Windows Performance Analyzer or Microsoft Message Analyzer. To convert to PCAP for Wireshark, use etl2pcapng, a Microsoft tool available on GitHub. No third-party drivers or kernel components are installed by netsh trace.

Port forwarding with interface portproxy

netsh interface portproxy sets up persistent TCP port forwarding at the OS level — without third-party tools, without touching the firewall, and without a reboot. It survives restarts because it is stored in the registry and the iphlpsvc service applies it at startup.

rem Forward all TCP traffic arriving on local port 8080 to an internal server
rem Useful for exposing a backend service through a bastion or relay host
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=10.10.2.20

rem View all active port-forwarding rules
netsh interface portproxy show all

rem Remove a specific rule
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0

Warning: Port proxy rules forward TCP only. UDP is not supported. Also, the forwarding rule does not automatically create a firewall exception; you still need to add a firewall rule to allow inbound traffic on the listen port, otherwise the connection is blocked before it reaches the proxy.
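
An inventory check for the forwarding rules discussed here, as an added example that is not from the original article: it parses netsh interface portproxy show all and notes which rules listen on every local address and which have no inbound allow for their listen port. The function names, the sample output and the allowed-port list are constructed, and English netsh output is assumed.

```powershell
# Added example. Function names, sample output and the allowed-port list are constructed.
function ConvertFrom-NetshPortProxy {
    param([string[]]$Lines)
    $listen = $connect = ''
    foreach ($line in $Lines) {
        if ($line -match '^Listen on (\S+):\s+Connect to (\S+):') {
            # Section header, e.g. "Listen on ipv4:   Connect to ipv4:"
            $listen, $connect = $Matches[1], $Matches[2]
        } elseif ($line -match '^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            # Data row: listen address, listen port, connect address, connect port
            [pscustomobject]@{
                Type           = ('{0}to{1}' -f $listen, $connect) -replace 'ip', ''
                ListenAddress  = $Matches[1]
                ListenPort     = [int]$Matches[2]
                ConnectAddress = $Matches[3]
                ConnectPort    = [int]$Matches[4]
            }
        }
    }
}

function Test-PortProxyRule {
    param($Rules, [int[]]$AllowedInboundPorts = @())
    foreach ($r in $Rules) {
        $findings = @()
        if ($r.ListenAddress -in '0.0.0.0', '*', '::') {
            $findings += 'listens on every local address'
        }
        if ($r.ListenPort -notin $AllowedInboundPorts) {
            $findings += 'no inbound allow rule for the listen port'
        }
        [pscustomobject]@{
            Type     = $r.Type
            Rule     = '{0}:{1} -> {2}:{3}' -f $r.ListenAddress, $r.ListenPort, $r.ConnectAddress, $r.ConnectPort
            Findings = $findings -join '; '
        }
    }
}

# Constructed output: the first row is the rule from the article, the second is invented
$sampleOutput = @'

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.10.2.20      80
10.10.1.50      8443        10.10.2.21      443

'@ -split "`r?`n"

# Constructed assumption: the firewall has an inbound allow rule for TCP 8443 only
$allowedPorts = @(8443)

# Row 1 gets both findings, row 2 gets none
$rules = ConvertFrom-NetshPortProxy -Lines $sampleOutput
Test-PortProxyRule -Rules $rules -AllowedInboundPorts $allowedPorts | Format-Table -AutoSize -Wrap

# On a live server:
#   $rules = ConvertFrom-NetshPortProxy -Lines (netsh interface portproxy show all)
```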

Dump current configuration as a reproducible script

netsh dump outputs the entire current network configuration as a sequence of netsh commands that can be saved to a file and replayed on another machine. This is a fast way to document a working configuration or prepare a baseline script before making changes.

rem Export full netsh configuration to a script — can be replayed with netsh exec
netsh dump > C:\bat\netsh-baseline.txt

rem Restore configuration from the saved script
netsh exec C:\bat\netsh-baseline.txt

WLAN driver capabilities

netsh wlan show drivers reveals the wireless adapter’s supported authentication and cipher types, radio frequencies, and hosted network support — detail that Device Manager does not expose. Useful when diagnosing why a laptop refuses to connect to a WPA3 or 802.1X network.

rem Show wireless adapter driver capabilities — authentication modes, cipher types, radio bands
netsh wlan show drivers

PowerShell equivalents

Most netsh functions have PowerShell equivalents introduced in Windows Server 2012 R2 and later. The PowerShell versions are more scriptable and return structured objects rather than formatted text, but netsh works on every Windows version without module dependencies.

| netsh command | PowerShell equivalent |
|---|---|
| netsh interface ip show config | Get-NetIPConfiguration |
| netsh interface ip set address ... static | New-NetIPAddress |
| netsh interface ip set address ... dhcp | Set-NetIPInterface -Dhcp Enabled |
| netsh interface ip set dns | Set-DnsClientServerAddress |
| netsh advfirewall firewall add rule | New-NetFirewallRule |
| netsh advfirewall firewall show rule | Get-NetFirewallRule |
| netsh wlan show profiles | Get-NetConnectionProfile (limited) |
| netsh http show urlacl | No direct equivalent (netsh http only) |
| netsh http show sslcert | No direct equivalent (netsh http only) |
| netsh winsock reset | No direct equivalent |

For static IP configuration in PowerShell:

# Get the interface index first
Get-NetAdapter | Select Name, InterfaceIndex

# Set static IP — InterfaceIndex from the command above
New-NetIPAddress -InterfaceIndex 3 -IPAddress 10.10.1.50 -PrefixLength 24 -DefaultGateway 10.10.1.1

# Set DNS servers
Set-DnsClientServerAddress -InterfaceIndex 3 -ServerAddresses ("10.10.1.10","10.10.1.11")

Where this matters

Server Core deployments. Server Core has no Control Panel, no Network and Sharing Center, and limited GUI tools. netsh is the primary way to configure IP, DNS, and firewall settings during and after initial setup.

OS deployment and unattended setup. Batch scripts that run during Windows deployment (MDT, SCCM task sequences, sysprep first-run scripts) use netsh to assign static IPs before the machine is reachable enough for remote management tools to connect.

IIS certificate renewal failures. When a certificate is renewed and the SSL binding in HTTP.sys does not update cleanly, the site continues serving the expired certificate even though IIS Manager shows the new one. Manual netsh http delete sslcert followed by add sslcert with the new thumbprint resolves it immediately without an IIS restart.

Windows Update failures behind a proxy. When Windows Update, WSUS, or Azure Arc connectivity fails on a proxied server, the first diagnostic step is netsh winhttp show proxy. The system proxy is often misconfigured or missing entirely while the browser works fine.

Service “access denied” on custom ports. Any .NET, Java, or WCF service that tries to listen on an HTTP or HTTPS port without a URL reservation will fail with access denied — even running as a domain service account with local admin rights. A urlacl entry is the correct fix, not elevating the service account to Local System.

Packet capture on locked-down servers. On production servers where installing Wireshark requires a formal change request, netsh trace captures network traffic immediately using built-in Windows components — no installation, no drivers, no change request needed.


Tips and limitations

  • Elevation is required for all write operations. Read commands (show, dump) work without elevation. Any command that changes configuration requires Administrator. On UAC-enabled systems, right-click CMD and choose “Run as administrator”.
  • Adapter names with spaces must be quoted. Interface names like “Local Area Connection” or “Ethernet 2” must appear in double quotes in every netsh interface command. Without quotes, netsh interprets the space as a delimiter and parses the command incorrectly — often with no error message.
  • TCP/IP stack reset clears static IP settings. After running netsh int ip reset, adapters with static IP may come up as DHCP or unconfigured after reboot. Document your IP configuration before running this command.
  • Port proxy rules survive reboot but require the IP Helper service. netsh interface portproxy rules depend on the IP Helper service (iphlpsvc). If that service is disabled, port forwarding will not work after reboot even though the rules appear in the registry.
  • netsh http operates on HTTP.sys, not IIS directly. IIS reads its binding configuration from applicationHost.config, but the actual kernel-level bindings are in HTTP.sys. When they get out of sync — which can happen after manual edits, failed deployments, or certificate tool issues — netsh http shows what HTTP.sys actually has, which may differ from what IIS Manager displays.
  • Certificate thumbprints must have no spaces. When adding an SSL cert binding with netsh http add sslcert certhash=, copy the thumbprint from PowerShell (Get-ChildItem Cert:\LocalMachine\My) and remove all spaces. A thumbprint copied from the Certificate MMC UI often includes invisible leading spaces.
  • WinHTTP and WinInet are separate proxy stacks. Configuring a proxy in browser settings, IE, or wininet does not affect winhttp. Windows Update, SCCM, Azure Arc, and most system services use winhttp. Use netsh winhttp import proxy source=ie to synchronize them.
  • netsh is not deprecated, but Microsoft recommends PowerShell cmdlets for new automation. For interactive use and batch scripts, netsh is fully supported on Windows Server 2016 through 2025. The netsh http context has no PowerShell equivalent for urlacl and sslcert management — it remains the only tool for those tasks.
