How to change TCP-IP interface IP in command line

Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh.exe also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh.exe can also save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh.exe is available on Windows 2000, Windows XP and Windows Server 2003.

You can use the Netsh.exe tool to perform the following tasks:

  • Configure interfaces
  • Configure routing protocols
  • Configure filters
  • Configure routes
  • Configure remote access behavior for Windows-based remote access routers that are running the Routing and Remote Access Server (RRAS) Service
  • Display the configuration of a currently running router on any computer
  • Use the scripting feature to run a collection of commands in batch mode against a specified router.

What can we do with Netsh.exe?

With Netsh.exe you can easily view your TCP/IP settings. Type the following command in a Command Prompt window (CMD.EXE):

netsh interface ip show config

With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related settings. For example:

The following command configures the interface named Local Area Connection with the static IP address, the subnet mask of, and a default gateway of

netsh interface ip set address name="Local Area Connection" static 1

(The above line is one long line, copy paste it as one line)

Netsh.exe can be also useful in certain scenarios such as when you have a portable computer that needs to be relocated between 2 or more office locations, while still maintaining a specific and static IP address configuration. With Netsh.exe, you can easily save and restore the appropriate network configuration.

First, connect your portable computer to location #1, and then manually configure the required settings (such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses).

Now, you need to export your current IP settings to a text file. Use the following command:

netsh -c interface dump > c:'location1.txt

When you reach location #2, do the same thing, only keep the new settings to a different file:

netsh -c interface dump > c:'location2.txt

You can go on with any other location you may need, but we'll keep it simple and only use 2 examples.

Now, whenever you need to quickly import your IP settings and change them between location #1 and location #2, just enter the following command in a Command Prompt window (CMD.EXE):

netsh -f c:'location1.txt


netsh -f c:'location2.txt

and so on.

You can also use the global EXEC switch instead of -F:

netsh exec c:'location2.txt

Netsh.exe can also be used to configure your NIC to automatically obtain an IP address from a DHCP server:

netsh interface ip set address "Local Area Connection" dhcp

Would you like to configure DNS and WINS addresses from the Command Prompt? You can. See this example for DNS:

netsh interface ip set dns "Local Area Connection" static

and this one for WINS:

netsh interface ip set wins "Local Area Connection" static

Or, if you want, you can configure your NIC to dynamically obtain it's DNS settings:

netsh interface ip set dns "Local Area Connection" dhcp
As you now see, Netsh.exe has many features you might find useful, and that goes beyond saying even without looking into the other valuable options that exist in the command

Backup with RSYNC

A more feature-rich command for doing backups is rsync. What makes rsync so unique is the rsync algorithm, which compares the local and remote files one small block at a time using checksums, and only transfers the blocks that are different. This algorithm is so efficient that it has been reused in many backup products.

The rsync command can work either on top of a remote shell (ssh), or by running an rsyncd daemon on the server end. The following example uses rsync over ssh to mirror a directory:

$ rsync -avz --delete chris@server1:/home/chris/pics/ chrispics/

The command just shown is intended to mirror the remote directory structure (/home/chris/pics/) on the local system. The -a says to run in archive mode (recursively copying all files from the remote directory), the -z option compresses the files, and -v makes the output verbose. The --delete tells rsync to delete any files on the local system that no longer exist on the remote system.

For ongoing backups, you can have rsync do seven-day incremental backups. Here’s an example:

# mkdir /var/backups
# rsync --delete --backup \
--backup-dir=/var/backups/backup-`date +%A` \
-avz chris@server1:/home/chris/Personal/ \

When the command just shown runs, all the files from /home/chris/Personal on the remote system server1 are copied to the local directory /var/backups/current-backup. All files modified today are copied to a directory named after today’s day of the week, such as /var/backups/backup-Monday. Over a week, seven directories will be created that reflect changes over each of the past seven days.

Another trick for rotated backups is to use hard links instead of multiple copies of the files.

This two-step process consists of rotating the files, then running rsync:
# rm -rf /var/backups/backup-old/
# mv /var/backups/backup-current/ /var/backups/backup-old/
# rsync --delete --link-dest=/var/backups/backup-old -avz \
chris@server1:/home/chris/Personal/ /var/backups/backup-current/

In the previous procedure, the existing backup-current directory replaces the backup-old directory, deleting the two-week-old full backup with last-week’s full backup. When the new full backup is run with rsync using the --link-dest option, if any of the files being backed up from the remote Personal directory on server1 existed during the previous backup (now in backup-old), a hard link is created between the file in the backup-current directory and backup-old directory.
You can save a lot of space by having hard links between files in your backup-old and backup-current directory. For example, if you had a file named file1.txt in both directories, you could check that both were the same physical file by listing the files’ inodes as follows:

$ ls -i /var/backups/backup*/file1.txt
260761 /var/backups/backup-current/file1.txt
260761 /var/backups/backup-old/file1.txt

W32.Downadup Removal

Discovered: November 21, 2008
Updated: November 24, 2008 9:37:07 AM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], [Kaspersky], WORM_DOWNAD.AP [Trend]
Type: Worm
Infection Length: 62,976 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
CVE References: CVE-2008-4250
Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain IP address of the compromised computer:
  • [http://]
  • [http://]
  • [http://]

Next, the worm downloads a file from the following URL and executes it:

The worm then creates a http server on the compromised computer on a random port, for example:

The worm then sends this URL as part of its payload to remote computers.

Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

Next, the worm connects to a UPnP router and opens the http port.

It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.

The worm then attempts to download a data file from the following URL:

The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Next, the worm attempts to contact the following sites to obtain the current date:

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary

What does the Conficker worm do?

If you’re worried about the Conficker worm striking on April 1st, don’t be.

On April 1st the Conficker worm will simply start taking more steps to protect itself. After that date, machines infected with the “C” variant of the worm may not be able to get security updates or patches from Microsoft and from many other vendors. The creators of the worm will also start using a communications system that is more difficult for security researchers to interrupt.

The Conficker worm, sometimes called Downadup or Kido has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. Current users of Symantec’s Norton security products are protected. Users who lack protection are invited to download a trial version of Norton AntiVirus 2009,Norton Internet Security 2009 or Norton 360. All of these products will detect and remove this worm. Symantec has a detailed technical analysis of the threat here.

What does the Conficker worm do?

We don’t know the purpose of the Conficker worm. Today the worm has created an infrastructure that the creators of the worm can use to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up to date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated system usually cannot get Microsoft updates and patches.

What to do if you are infected

  1. Use your Norton product to identify which variant of the worm is on your computer.
  2. Follow the detailed removal instructions for the specific version of the of the worm. These can be found here:

    W32.Downadup.A writeup
    W32.Downadup.B writeup
    W32.Downadup.C writeup

Advice to Stay Safe from the Downadup Worm:

  1. Run a good security suite (we are partial to Norton Internet Security and Norton 360).
  2. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
  3. Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
  4. Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
  5. Be smart with your passwords. This includes
  1. Change your passwords periodically
  2. Use complex passwords – no simple names or words, use special characters and numbers
  3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.
  1. Use a passwords management system such as Identity Safe (included in Norton Internet Security and Norton 360) to track your passwords and to fill out forms automatically.
  2. Run Norton Internet Security, Norton AntiVirus or Norton 360. You can also try Norton Security Scan.


Q: Am I safe if I don’t go to questionable web sites?

A: No. The Conficker worm seeks out computers on the same network. You can be in a coffee shop, an airport or in the office and the worm will quietly try to attach to your computer and run itself.

Q: How do I know if I am infected?

A: The best way to know if you are infected is to run a good antivirus product. One symptom that may indicate you are infected is finding that your computer is blocked from accessing the web sites of most security companies.

Q: Can’t I just run free antivirus software?

A: Yes, but free products often aren’t thorough or comprehensive. Worse, the internet is overflowing with fake free security scanners that actually infect your computer. Fake scanners such as “Antivirus 2008” are difficult to identify and have plagued hundreds of thousands of users around the world.