Audit your computer’s network settings

If you’ve ever tried to audit the speed and duplex settings of NICs in a windows environment, I’ll bet you’ve been frustrated by the fact that you can’t seem to find the answer to this anywhere in the registry or WMI, etc. etc. Yet you know it has to be recorded somewhere because the little icon at the bottom right of you screen displays it just fine.

You essentially have two choices:

1) look up the card settings in the registry – the specific settings will differ depending on what hardware you actually have installed. I’ll show you how to find out what settings to audit for your particular card and where they’re located in the registry.

2) Utilize WMI to query the current bandwidth usage of the card. This generally gives you a fairly accurate way of determining whether you’re operating at 10 or 100 Mbps, and whether you’re at full or half duplex. It’s a good thing to audit in tandem with the item above.


Auditing speed and duplex from the registry:

Part of the difficulty of determining this information is that each NIC vendor implements various settings differently. NICs operate at a low enough layer on the OSI model that a lot of things are hardware specific and are difficult to standardize without perhaps sharing too much information. If you have a network of a hundred nodes which all have the same hardware installed, then auditing all of them through the registry should be a snap. If you have multiple hardware configurations, it just gets more difficult because you have to audit them in subgroups based on their hardware configs – but it still beats going out manually and checking them all.

So, here’s what you do to find out what the Speed and Duplex settings are for your NIC

  • Open Network and Dial-up Connections and right-click and go to the properties of the target NIC
  • Note what appears in the ‘Device Name’ field for that NIC. On the particular computer I’m writing this from, mine is a ‘Realtek RTL8139/810x Family Fast Ethernet NIC’
  • Now, open up the registry, and Browse to the following key:

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}. So far, on every computer I’ve ever checked, this is always the key that all of the different network adapters’ settings are stored under. So I’m pretty sure this is a standard location and will be consistent on any Windows platform. Please let me know if anyone finds differently.

  • Underneath this key, you’ll have a numbered key (i.e. 0001, 0002, etc.) for each adapter installed in the system. These include such things as the WAN Miniport driver, and other weird stuff like that. Just go through each one until you find the one with the DriverDesc key set to the Device Name that you noted earlier.
  • Once you’re at the right adapter (let’s say it’s 0003), all of the subkeys there will be settings and/or information pertaining to your NIC. Now the trick is understanding what all of those settings mean. The best thing to do is to download the latest drivers for your NIC. You’ll need to go to the vendor’s website to find these – download them and unzip them somewhere on your computer. They should come with an .inf file. This file contains all of the possible settings for your NIC and what they mean. For example, my card is a Realtek RTL8139, so I downloaded the drivers from here, and it came with an .inf file, Netrtlx.inf. Down near the bottom of this .inf file (just opened with Notepad), I find the following information:


HKR,Ndi\params\DuplexMode, ParamDesc, 0, %SpeedDuplexMode%

HKR,Ndi\params\DuplexMode, type, 0, “enum”

HKR,Ndi\params\DuplexMode, default, 0, “1″

HKR,Ndi\params\DuplexMode\enum, 1, 0, %auto_nego%

HKR,Ndi\params\DuplexMode\enum, 2, 0, %sd10half%

HKR,Ndi\params\DuplexMode\enum, 3, 0, %sd10full%

HKR,Ndi\params\DuplexMode\enum, 4, 0, %sd100half%

HKR,Ndi\params\DuplexMode\enum, 5, 0, %sd100full%


From this, I can see that if the DuplexMode registry key is set to 1, then the card is set to auto negotiate. Understanding the .inf file can be a little tricky – but usually just by examining it you’ll be able to determine what everything means. Each one is vendor specific, so good luck. If you’re unable to understand the .inf file or you’re unable to even find it, then you can always just look at the registry and note what settings change and how as you make modifications to different settings within the properties of your network card via the Network Control Panel.

Now that you know where the correct key is for this type of NIC, you can do some scripting to query the value of several computers in your network. If they’re all in the same slot, then it’s easier and you can simply open a cmd prompt and use the ‘reg /query’ cmd (use reg /? for full usage summary and how to target a specific key) against each remote machine and append it to a file. See this article for tips about how to run the same command against multiple machines.

NOTE: if you’re lucky enough to have an HP server/machine, there is a utility (should be included as part of the Compaq Mgmt Agent install) called ‘cqniccmd’. You can run it on a box as ‘cqniccmd /s output.xml’ and you’ll get all of the NIC settings into a nicely formatted XML file.

Auditing the bandwidth via WMI:

If you want to know the actual speed that your NIC is operating at, you can check it via WMI. There are a couple of different ways that you can do this. The easiest way to gather it from several computers is via the command line (see article here on tips to do that). You have two choices for querying WMI from a command line, wmic (which is available with Windows XP and Windows 2003 and up systems), and CleWMI (works on Windows NT, 2000, XP, 2003, and up). I’m partial to CleWMI, so my example will utilize that. Here are the details of what you’re after:

Namespace: /root/CIMv2/

Class: win32_perfformatteddata_tcpip_networkinterface

Property: ‘CurrentBandwidth’;

Alternatively, you could query for:

Namespace: /root/WMI/

Class: msndis_linkspeed

Property: NdisLinkSpeed.

To obtain the information for either of the above using CleWMI, you’d do the following (the default namespace if none is specified is /root/CIMv2/):

  • C:\> clewmi.exe -c win32_perfformatteddata_tcpip_networkinterface -p currentbandwidth,name -s SERVERNAME -r Name~Realtek -o csv –nobanner

Where in the above, SERVERNAME gets replaced with the actual server name that you’re trying to query. And Realtek is a string contained in the name of the card (the -r flag is used to restrict the instances returned, based on the Property~Value pair following it. Using the ‘~’ symbol means to use the string Realtek as a regular expression match against the entire string, essentially like performing a SQL ‘WHERE Name LIKE ‘%Realtek%’ clause. The value is case insensitive. Try clewmi.exe –help for a full usage summary.

The other example would be:

  • C:\> clewmi.exe -n /root/wmi -c msndis_linkspeed -p ndislinkspeed,instancename -s SERVERNAME -r instancename~Realtek -o csv –nobanner

Have fun, and I hope you find this useful!