Finding your way around IIS 7 configuration sections with AppCmd

The IIS 7 configuration system contains 50+ configuration sections (100+ if you count .NET Framework configuration), 477 attributes, and 57 collections. This can make it pretty challenging to figure out exactly what IIS 7 configuration section needs to be used to turn on some particular behavior, and then exactly syntax the configuration in that section should follow.

The IIS Manager tool removes some of this complexity by surfacing task-based UI to set IIS 7 configuration for many features, and can be used to do most common configuration tasks very easily. However, it sometimes isn't enough - it doesn't cover all configuration sections in IIS 7, and cant be used from a script to do automated deployment or configuration.

A lot of the time, I remember enough to write most IIS configuration from memory. But, what if you didn't spend the past 4 years developing IIS7? :)

Thankfully, there are a few things you can do to make this process a lot simpler:

1) Use AppCmd to dump all of the configuration sections you can set

NOTE: Be sure to run AppCmd.exe from a command line prompt running as Administrator, when logged in using an account with Administrative privileges

> %windir%\system32\inetsrv\appcmd set config /section:?

This dumps a list of all configuration sections you can set, and looks something like this:

system.webServer/security/authentication/basicAuthentication
modules
system.web/machineKey
moduleProviders
system.webServer/caching
system.webServer/management/authentication
administrators
system.web/sessionPageState
system.net/authenticationModules
system.web/deployment
system.web/httpRuntime
...

You can scan the list of sections to spot something that may look interesting to you. If you want to narrow it down, you can use an undocumented trick to search for sections using wildcard search expression (if you are not comfortable with findstr.exe or a haven't yet developed your own version of grep):

> %windir%\system32\inetsrv\appcmd set config "/section:?system.webServer/*" to find all sections that start with "system.webServer/" (runtime IIS configuration sections)

Yes, it's a dirty hack, but its damn useful when you are looking for stuff you know is there. Now, where was that tracing configuration? Search for *trac*:

> %windir%\system32\inetsrv\appcmd set config "/section:?*trac*"

system.webServer/httpTracing
system.web/trace
system.webServer/tracing/traceProviderDefinitions
system.webServer/tracing/traceFailedRequests

2) AHA! Found the section. Now, how do I set the damn settings?

Use AppCmd to dump all the attributes, elements, and collections you can set on the section:

> %windir%\system32\inetsrv\appcmd set config /section:system.webServer/httpErrors /?

-errorMode
-existingResponse
-defaultPath
-defaultResponseMode
-detailedMoreInformationLink
-[statusCode='unknown',subStatusCode='int'].statusCode
-[statusCode='unknown',subStatusCode='int'].subStatusCode
-[statusCode='unknown',subStatusCode='int'].prefixLanguageFilePath
-[statusCode='unknown',subStatusCode='int'].path
-[statusCode='unknown',subStatusCode='int'].responseMode

This shows you all you need to know to set configuration with AppCmd. The [] syntax indicates collections - you need to specify the collection keys inside the brackets to identify specific elements you want to touch, and the attributes you can set on those elements. For example, to add a new error code to that collection, we could do:

> %windir%\system32\inetsrv\appcmd set config /section:system.webServer/httpErrors /+[statusCode='505',subStatusCode='0',path='c:\503.html']

Likewise, to edit this element later:

> %windir%\system32\inetsrv\appcmd set config /section:system.webServer/httpErrors /[statusCode='505',subStatusCode='0'].path='c:\503_v2.html'

The cool thing is that you can use the same syntax to see what properties you can set on sites, applications, virtual directories and application pools. Just try:

> %windir%\system32\inetsrv\appcmd set site "Default Web Site" /?
> %windir%\system32\inetsrv\appcmd set app "Default Web Site/" /?
> %windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" /?
> %windir%\system32\inetsrv\appcmd set apppool "DefaultAppPool" /?

Now you should be able to poke around the configuration system on your own and figure out the syntax for setting configuration without getting completely confused. If you want more, you can dive deeper into the schema of configuration, by looking at the IIS configuration schema. These files are located in %windir%\system32\inetsrv\config\schema, and will tell you everything there is to know about IIS (and .NET Framework and ASP.NET v2.0) configuration sections:

Directory of C:\Windows\system32\inetsrv\config\schema
10/25/2007 12:30 PM    <DIR>          .
10/25/2007 12:30 PM    <DIR>          ..
09/17/2007 02:38 AM            38,786 ASPNET_schema.xml
09/17/2007 02:38 AM            26,971 FX_schema.xml
09/17/2007 02:38 AM            74,797 IIS_schema.xml
09/13/2007 01:13 PM             1,244 responsefilter_schema.xml
09/17/2007 02:38 AM             8,363 rscaext.xml
               5 File(s)        150,161 bytes
               2 Dir(s)   9,947,492,352 bytes free

Happy configuring,

Mike

Published 01 November 07 12:20 by Mike Volodarsky

Filed under: IIS7, AppCmd, Configuration

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# MVolo's Blog said on November 1, 2007 1:35 AM:

The IIS 7 configuration system contains 50+ configuration sections (100+ if you count .NET Framework

# Mike Volodarsky's WebLog said on November 1, 2007 1:37 AM:

The IIS 7 configuration system contains 50+ configuration sections (100+ if you count .NET Framework

# Noticias externas said on November 1, 2007 2:33 AM:

The IIS 7 configuration system contains 50+ configuration sections (100+ if you count .NET Framework

# Nathanael Jones said on November 6, 2007 5:00 PM:

Sorry to bug you, but have you heard anything on the "Failed to Execute URL" issue? http://forums.iis.net/p/1146755/1858820.aspx Thanks, Nathanael

# Mike Volodarsky said on December 8, 2007 12:44 PM:

Hi Nathanael,

One of our developers got back to you on the forum thread, let us know if you need any further help.

Thanks,

Mike

# David said on April 29, 2008 6:38 PM:

When navigating through the configurable sections I'm having trouble figuring out syntax, which is probably due to inexperience. How would I set Read access only for users to a specific FTP vdir. I got this far. C:\Windows\System32\inetsrv>appcmd set config "DefaultFTPSite/localuser/testsite/L ogFiles" /section:system.ftpServer/security/authorization /? ERROR ( message:-[,users='string',roles='string',permissions='flags'].accessType -[,users='string',roles='string',permissions='flags'].users -[,users='string',roles='string',permissions='flags'].roles -[,users='string',roles='string',permissions='flags'].permissions )

# Mike Volodarsky said on April 30, 2008 6:19 PM:

David,

Use the standard collection operations. For example, to add a permission entry to allow user Me:

appcmd set config "DefaultFTPSite/localuser/testsite/L ogFiles" /section:system.ftpServer/security/authorization /+[users='Me',permissions='Read',accessType='Allow']

For more info on editing collections, see http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/.

Thanks,

Mike

# Kevin Cornwell said on July 3, 2008 2:29 PM:

Why don't global changes reflect at lower levels?

Lets say I want a global script mapping change to inherit to all my sites. What is the easiest way to do so? Currently I have to go to each site and click "revert to inherited". This is terribly painful with a lot of sites. Why can't I force my global changes to replace child properties? Same issue for app pool defualt settings.

Please suggest a easy way to maintain global config for all sites.

# Mike Volodarsky said on July 4, 2008 12:02 PM:

Hi Kevin,

Most configuration by default inherits down to child levels. The only times when that doesnt happen are:

1) Global configuration, like site and apppool definitions

2) When the child explicitly overrides this configuration. The admin can lock the configuration they dont want changed to prevent this.

3) When configuration is set using a location tag that is marked to prevent inheritance (I've never seen this used)

If you add an entry to script maps globally, and no child levels "override it" by mapping something else to that extension, it should be available for all sites by default.

If you are using legacy metabase APIs on IIS 7.0, then you may be causing strange behavior with script maps due to differences in how ABO scriptmaps map into IIS 7.0 configuration.

Thanks,

Mike

Name (required)
Your URL (optional)
Comments (required)
Remember Me?
Enter the code you see below

About Mike Volodarsky

For the past 5 years, I was the core Program Manager for Microsoft ASP.NET 2.0 and IIS 7.0 products. I drove the design and development of the IIS 7.0 web server core, the IIS FastCGI support, the AppCmd command line tool, the ASP.NET Integrated pipeline, and other special projects around server security, performance, and scalability. Now, I am working on my own on cutting edge web server tech on top of the Microsoft IIS platform, and continue blogging about it here.

IIS 7.0 Server-Side

Finding your way around IIS 7 configuration sections with AppCmd

Comment Notification

Comments

Leave a Comment

About Mike Volodarsky

About me

Writings

Tools and Modules

Popular Posts

Tags

Search

This Blog

Navigation

Archives

Good IIS Blogs

Disclaimer

Syndication