Finding your way around IIS 7 configuration sections with AppCmd

The IIS 7 configuration system contains 50+ configuration sections (100+ if you count .NET Framework configuration), 477 attributes, and 57 collections.  This can make it pretty challenging to figure out exactly what IIS 7 configuration section needs to be used to turn on some particular behavior, and then exactly syntax the configuration in that section should follow.

The IIS Manager tool removes some of this complexity by surfacing task-based UI to set IIS 7 configuration for many features, and can be used to do most common configuration tasks very easily.  However, it sometimes isn't enough – it doesn't cover all configuration sections in IIS 7, and cant be used from a script to do automated deployment or configuration.

A lot of the time, I remember enough to write most IIS configuration from memory.  But, what if you didn't spend the past 4 years developing IIS7? 🙂

Thankfully, there are a few things you can do to make this process a lot simpler:

1) Use AppCmd to dump all of the configuration sections you can set

NOTE: Be sure to run AppCmd.exe from a command line prompt running as Administrator, when logged in using an account with Administrative privileges

> %windir%system32inetsrvappcmd set config /section:?

This dumps a list of all configuration sections you can set, and looks something like this:

system.webServer/security/authentication/basicAuthentication
modules
system.web/machineKey
moduleProviders
system.webServer/caching
system.webServer/management/authentication
administrators
system.web/sessionPageState
system.net/authenticationModules
system.web/deployment
system.web/httpRuntime

You can scan the list of sections to spot something that may look interesting to you.  If you want to narrow it down, you can use an undocumented trick to search for sections using wildcard search expression (if you are not comfortable with findstr.exe or a haven't yet developed your own version of grep):

> %windir%system32inetsrvappcmd set config "/section:?system.webServer/*to find all sections that start with "system.webServer/" (runtime IIS configuration sections)

Yes, it's a dirty hack, but its damn useful when you are looking for stuff you know is there.  Now, where was that tracing configuration? Search for *trac*:

> %windir%system32inetsrvappcmd set config "/section:?*trac*"

system.webServer/httpTracing
system.web/trace
system.webServer/tracing/traceProviderDefinitions
system.webServer/tracing/traceFailedRequests

2) AHA! Found the section.  Now, how do I set the damn settings?

Use AppCmd to dump all the attributes, elements, and collections you can set on the section:

> %windir%system32inetsrvappcmd set config /section:system.webServer/httpErrors /?

-errorMode
-existingResponse
-defaultPath
-defaultResponseMode
-detailedMoreInformationLink
-[statusCode='unknown',subStatusCode='int'].statusCode
-[statusCode='unknown',subStatusCode='int'].subStatusCode
-[statusCode='unknown',subStatusCode='int'].prefixLanguageFilePath
-[statusCode='unknown',subStatusCode='int'].path
-[statusCode='unknown',subStatusCode='int'].responseMode
 

This shows you all you need to know to set configuration with AppCmd.  The [] syntax indicates collections – you need to specify the collection keys inside the brackets to identify specific elements you want to touch, and the attributes you can set on those elements.  For example, to add a new error code to that collection, we could do:

> %windir%system32inetsrvappcmd set config /section:system.webServer/httpErrors /+[statusCode='505',subStatusCode='0',path='c:503.html']

Likewise, to edit this element later:

> %windir%system32inetsrvappcmd set config /section:system.webServer/httpErrors /[statusCode='505',subStatusCode='0'].path='c:503_v2.html'

The cool thing is that you can use the same syntax to see what properties you can set on sites, applications, virtual directories and application pools.  Just try:

> %windir%system32inetsrvappcmd set site "Default Web Site" /?
> %windir%system32inetsrvappcmd set app "Default Web Site/" /?
> %windir%system32inetsrvappcmd set vdir "Default Web Site/" /?
> %windir%system32inetsrvappcmd set apppool "DefaultAppPool" /?

Now you should be able to poke around the configuration system on your own and figure out the syntax for setting configuration without getting completely confused.  If you want more, you can dive deeper into the schema of configuration, by looking at the IIS configuration schema.  These files are located in %windir%system32inetsrvconfigschema, and will tell you everything there is to know about IIS (and .NET Framework and ASP.NET v2.0) configuration sections:

 Directory of C:Windowssystem32inetsrvconfigschema

10/25/2007  12:30 PM    <DIR>          .
10/25/2007  12:30 PM    <DIR>          ..
09/17/2007  02:38 AM            38,786 ASPNET_schema.xml
09/17/2007  02:38 AM            26,971 FX_schema.xml
09/17/2007  02:38 AM            74,797 IIS_schema.xml
09/13/2007  01:13 PM             1,244 responsefilter_schema.xml
09/17/2007  02:38 AM             8,363 rscaext.xml
               5 File(s)        150,161 bytes
               2 Dir(s)   9,947,492,352 bytes free

Related resources for you:
Creating IIS7 sites, applications, and virtual directories
Anatomy of an IIS7 configuration path
IISSCHEMA.EXE – A tool to register IIS7 configuration sections
IIS.NET – Article – Getting Started with AppCmd.exe
IIS.NET – Article – Deep Dive into IIS7 Configuration

Happy configuring,

Mike

 

21 Comments

  1. Mike Volodarsky

    Hi Nathanael,

    One of our developers got back to you on the forum thread, let us know if you need any further help.

    Thanks,

    Mike

  2. Anonymous

    When navigating through the configurable sections I’m having trouble figuring out syntax, which is probably due to inexperience. How would I set Read access only for users to a specific FTP vdir. I got this far.

    C:WindowsSystem32inetsrv>appcmd set config “DefaultFTPSite/localuser/testsite/L
    ogFiles” /section:system.ftpServer/security/authorization /?
    ERROR ( message:-[,users=’string’,roles=’string’,permissions=’flags’].accessType

    -[,users=’string’,roles=’string’,permissions=’flags’].users
    -[,users=’string’,roles=’string’,permissions=’flags’].roles
    -[,users=’string’,roles=’string’,permissions=’flags’].permissions
    )

  3. Anonymous

    Why don't global changes reflect at lower levels?

    Lets say I want a global script mapping change to inherit to all my sites.  What is the easiest way to do so?  Currently I have to go to each site and click "revert to inherited".  This is terribly painful with a lot of sites.  Why can't I force my global changes to replace child properties?  Same issue for app pool defualt settings.  

    Please suggest a easy way to maintain global config for all sites.  

  4. Mike Volodarsky

    Hi Kevin,

    Most configuration by default inherits down to child levels. The only times when that doesnt happen are:
    1) Global configuration, like site and apppool definitions
    2) When the child explicitly overrides this configuration. The admin can lock the configuration they dont want changed to prevent this.
    3) When configuration is set using a location tag that is marked to prevent inheritance (I’ve never seen this used)

    If you add an entry to script maps globally, and no child levels “override it” by mapping something else to that extension, it should be available for all sites by default.

    If you are using legacy metabase APIs on IIS 7.0, then you may be causing strange behavior with script maps due to differences in how ABO scriptmaps map into IIS 7.0 configuration.

    Thanks,

    Mike

  5. Anonymous

    Mike,
    I have an HttpHandler added at the Global level. It is correctly being inherited by my website. I then use the IIS Manager to remove it from that website. I look in applicationHost.config and see that a location tag now exists for that website which contains a remove tag that “removes” the previously inherited mapping from that website. All this is fine. But then I wish to use AppCmd.exe to remove the remove tags so that my website will once again inherit the global mapping.
    Do you know if this is possible?

    Thanks for any assistance you can provide.

  6. Anonymous

    How would I go about setting the AspAllowOutOfProcComponents = True in IIS 7.0

    I know that it’s been depreciated according to MS. But I need the ability for a Com object to be called from one of my .asp pages.

  7. Mike Volodarsky

    Jerry,

    According to http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ded67ecb-4b9e-438b-bcfa-b5f3bbc2787c.mspx?mfr=true, this setting has no effect in IIS 6.0. It is entirely removed in IIS 7.0 and has no equivalent in ASP configuration.

    You dont need this property to access COM objects from ASP pages. You should also be able to instantiate out of process COM objects, assuming the script execution identity has the permissions to launch the COM server process and create ithe COM object in question.

    Thanks,

    Mike

    • Me again. You can definitely get Google Webmaster Tools to geatrnee your sitemap for you with Blogger and it doesn”t seem to do so by default (at least it doesn”t show in GWT). I found an easy way to do it is from Statistics –> Subscriber Stats then add one. Not sure what difference if any that will make but hopefully it will remove the annoying message that I haven”t geatrneed a sitemap for the Blog yet.

  8. Anonymous

    When I run the sample command as above:

    %windir%system32inetsrvappcmd set config /section:system.webServer/httpError /?

    I get the following output:

    C:WindowsSystem32inetsrv>%windir%system32inetsrvappcmd set config /section
    :system.webServer/httpErrors /?
    ERROR ( message:-errorMode
    -existingResponse
    -defaultPath
    -defaultResponseMode

    Why an I mgetting this error?

  9. Mike Volodarsky

    Alan,

    This is the way that it returns the properties that can be set. I know it’s confusing because it says “ERROR” – a bug that the team decided not to fix when the product shipped …

    Thanks,
    Mike

  10. Anonymous

    Hi Mike,

    All the “add” examples that I’ve seen simply add an addElement.

    So, how do we add a “removeElement”?

    Please consider this (in web.config), for default document:

    This is necessary, in case index.foo is already defined at the server level.

    Does appcmd have ability to add “removeElement”s?

    I’ve opened a discussion at forums.iis.net: http://forums.iis.net/p/1176511/1975248.aspx

    Thanks!,
    -Aaron Neff

  11. Hello
    I used your methods to list the availabe sections in the web.config.
    I have a custom section created in my web.config but i cant see it in the list.
    Please help me in this.

  12. A simple fix, thank you kilndy!Of the 4 development servers I have, 1 decided not to register .NET with IIS 7.5. I was given the grand tour of the Microsoft campus, again, courtesy of the MSDN web site. All I wanted was a simple answer for a simple question and wound up clicking one link after another on MSDN. Should”ve googled it out of the gate . . . but nooooo,!I”ve bookmarked your site and will gladly recommend you to all! Thanks againDavid

Leave a Reply

Your email address will not be published. Required fields are marked *