Many sysadmins transitioning from Windows XP/2003 to modern Windows versions face confusion when the classic netsh firewall show state
command reports "No ports are currently open" despite active services. This occurs because:
- Windows Vista+ uses Advanced Security Firewall (WFAS)
- The old netsh firewall context is deprecated
- Ports may be dynamically opened by applications
Method 1: Using netsh advfirewall
To view all firewall rules with port information:
netsh advfirewall firewall show rule name=all | find "LocalPort"
For more detailed output including protocol and direction:
netsh advfirewall firewall show rule name=all verbose
Method 2: PowerShell Commands
Get all enabled inbound rules with local ports:
Get-NetFirewallRule | Where-Object { $_.Enabled -eq $true -and $_.Direction -eq "Inbound" } |
Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort | Format-Table -AutoSize
To see active listening ports (regardless of firewall rules):
netstat -ano | findstr LISTENING
To specifically check Remote Desktop port configuration:
# Check firewall rule
Get-NetFirewallRule -DisplayName "Remote Desktop*" |
Get-NetFirewallPortFilter | Select Protocol, LocalPort
# Verify actual listening port
Test-NetConnection -ComputerName localhost -Port 3389
For real-time port monitoring with PowerShell:
# Requires admin privileges
# Collect the distinct local ports that have a TCP listener; the hashtable keys de-duplicate them
$ports = @{}
Get-NetTCPConnection -State Listen | ForEach-Object {
    $ports[$_.LocalPort] = $true
}
# Print the unique listening ports in ascending order
$ports.Keys | Sort-Object
To export all firewall rules to CSV for analysis:
Get-NetFirewallRule | Export-Csv -Path "firewall_rules.csv" -NoTypeInformation
- If ports appear open but aren't accessible, check network profile (Domain/Private/Public)
- Remember that some Windows features (like Hyper-V) use dynamic ports
- For precise auditing, combine firewall rules with netstat -ano output
For those transitioning from Windows XP/Server 2003 to newer systems, you'll notice the netsh firewall command is now deprecated. Microsoft replaced it with the Advanced Firewall (netsh advfirewall) system starting with Windows Vista and Server 2008. While the old command might still work, it won't show you the complete picture of modern firewall configurations.
To get the actual open ports that are actively allowing traffic, use this PowerShell command:
Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"} | Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort | Format-Table
For a more firewall-specific view showing allowed inbound ports:
netsh advfirewall firewall show rule name=all dir=in | findstr "LocalPort"
For a complete dump of all firewall rules including their port configurations:
netsh advfirewall firewall show rule name=all verbose
To filter only enabled inbound rules with port information:
netsh advfirewall firewall show rule name=all dir=in status=enabled | findstr "Rule Name LocalPort"
1. Checking if Remote Desktop (3389) is allowed:
netsh advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)"
2. Verifying Hyper-V management ports:
netsh advfirewall firewall show rule name=all | findstr "Hyper-V"
For GUI users, you can check via:
wf.msc
For network administrators needing remote checks:
powershell -Command "Get-NetFirewallRule | Where-Object {$_.Enabled -eq $true} | Get-NetFirewallPortFilter | Where-Object {$_.LocalPort -ne $null} | Select-Object Protocol, LocalPort"
Remember that Windows Firewall shows configured rules, while netstat shows actual listening ports. For complete security analysis, always cross-reference both:
netstat -ano | findstr LISTENING
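Both answers end with the same advice: compare what the firewall allows with what is actually listening. The script below is an added example, not code from either answer, that performs that cross-reference in one pass. It uses only the cmdlets already mentioned above (Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetTCPConnection) plus Get-NetUDPEndpoint and Get-Process from the standard Windows modules; the Test-PortCovered helper and the report column names are this example's own inventions.

```powershell
# Added example (not from the original answers): cross-reference bound ports against
# enabled inbound Allow rules in Windows Firewall with Advanced Security.
# Assumes Windows 8 / Server 2012 or later (NetSecurity and NetTCPIP modules) and an
# elevated prompt so that OwningProcess resolves for every listener.

# 1. Collect every enabled inbound Allow rule together with its port filter.
$allowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        [PSCustomObject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile      # Domain / Private / Public / Any
            Protocol  = $pf.Protocol       # TCP / UDP / Any / ICMPv4 ...
            LocalPort = $pf.LocalPort      # port, range "a-b", "Any", keyword, or an array
        }
    }

# Helper (this example's own): does a rule's LocalPort filter cover a given port number?
function Test-PortCovered {
    param([object]$Filter, [int]$Port)
    foreach ($entry in @($Filter)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) {
            return $true
        }
        # Keywords such as RPC, RPC-EPMap or Teredo are resolved dynamically by the
        # firewall; they are deliberately treated as "not matched" here.
    }
    return $false
}

# 2. Collect what is actually bound: TCP listeners and UDP endpoints.
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
$listeners = @($tcp) + @($udp)

# 3. For each bound port, list the Allow rules whose protocol and port filter cover it.
$report = foreach ($l in $listeners) {
    $matching = $allowRules | Where-Object {
        ($_.Protocol -eq $l.Protocol -or $_.Protocol -eq 'Any') -and
        (Test-PortCovered -Filter $_.LocalPort -Port $l.LocalPort)
    }
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Protocol  = $l.Protocol
        Address   = $l.LocalAddress
        Port      = $l.LocalPort
        Process   = if ($proc) { $proc.ProcessName } else { "PID $($l.OwningProcess)" }
        AllowedBy = ($matching.Name | Select-Object -Unique) -join '; '
        Profiles  = ($matching.Profile | Select-Object -Unique) -join ','
    }
}

# An empty AllowedBy column means the port is bound but no enabled inbound Allow rule
# covers it, so the firewall will drop unsolicited traffic to it on a profile whose
# default inbound action is Block.
$report | Sort-Object Protocol, Port | Format-Table -AutoSize
```

Read the AllowedBy column as "candidate rules", not as proof of reachability: a rule can still be limited by a program or service filter, a remote address scope, or an interface type (Get-NetFirewallApplicationFilter, Get-NetFirewallAddressFilter and Get-NetFirewallInterfaceTypeFilter show those), and the Profiles column only matters for the profile the adapter is currently on. The per-rule Get-NetFirewallPortFilter call is slow on hosts with hundreds of rules; for a faster version, fetch all port filters once with Get-NetFirewallPortFilter -All and join them to the rules on InstanceID.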