Contents
About the Tools
Setup for Support Tools Software
Tools Documented But Not Installed In This Release
Tools Not Documented
General Setup Instructions
Installing from the Command Prompt
Unattended Installation
Individual Tool Release Notes
Bitsadmin.exe (BITS Administration Tool)
Httpcfg.exe (HTTP Configuration Tool)
Ipseccmd.exe (IPSec Configuration Tool)
Dumpchk.exe (Dump Check Utility)
Rasdiag.exe (RAS Diagnostics Tool)
Activate.exe (Production Activation Tool)
Online Documents
Support Policy
If the Setup program finds an older version of Support Tools, it opens a dialog box
with Add/Remove and Remove all (default) options. If you select Remove all,
Setup automatically uninstalls Support Tools. If you select Add/Remove, you can
manually uninstall Support Tools.
1. Start Windows XP Professional, and then insert the Windows XP Professional CD
in your CD-ROM drive.
2. Follow the instructions that appear on your screen.
Note
In the unlikely event that your computer pauses for a few minutes during installation
while the Setup window is displaying "publishing product information," please be
patient. The Setup program will continue shortly and will finish installing the Support
Tools.
The Setup program installs Windows Support Tools files onto your hard disk. A typical
installation requires 4 megabytes (MB) of free space.
As it installs the Support Tools, Setup:
Creates a Windows Support Tools folder within the Program Files folder on the
Start menu, which contains a shortcut to the Windows Support Tools Help. From
there you can access the online documentation and launch tools.
Adds the \Program Files\Support Tools directory (or the directory name you choose
for installing the tools) to your computer's hard drive.
Appends the \Program Files\Support Tools directory to your computer's PATH
statement. This enables you to run an installed Support Tool from a command
prompt within any folder on the hard drive without specifying the path to the
Support Tools folder.
Some tools require separate or additional setup besides the steps described earlier. For
more information about each of these tools and others with additional requirements, as
well as a complete list of the tools, see the online Help file (Suptools.chm).
Note
On the Windows XP Professional CD, most tools are compressed into cabinet (.cab)
files. You cannot run executable files, call other binaries, or open documentation
directly from .cab files. Before you run a tool that you have not installed by using the
Support Tools Setup, you must first extract all executable files and dependencies for
a tool from the .cab file on the CD to your hard drive.
Be aware also that for some tools, the Support Tools Setup or the tool's own Setup
program performs other installation procedures, such as making changes in the
registry. You might not be able to run these tools even if you extract all their files
from the .cab; first install them with the Support Tools Setup or the tool's own Setup
program.
For example, to install Support Tools in the current directory, insert the Windows XP
Professional CD in your CD-ROM drive and type the following at the command prompt:
msiexec /i CDDriveLetter:\support\tools\suptools.msi
where:
CDDriveLetter: is the letter indicating the CD-ROM drive (for example, d:).
Unattended Installation
To perform an unattended installation of the Windows XP Professional Support Tools from
the CD, use the following syntax:
msiexec /i CDDriveLetter:\support\tools\suptools.msi /qb
Syntax
bitsadmin [/rawreturn] [{/wrap | /nowrap}] Parameter
Choose a Parameter from the Parameters section:
Parameters
{/help | /?}
Displays command line usage.
/list [/allusers] [/verbose]
Lists transfer jobs. The /allusers parameter lists jobs for all users on the
system. The /verbose parameter provides detailed information about jobs.
/monitor [/allusers] [/refresh Seconds]
Monitors the copy manager. The /allusers parameter monitors the copy
manager for all users on the system. The /refresh parameter reacquires
copy manager data in the specified time interval in seconds.
/reset [/allusers]
Deletes all jobs in the manager. If run by an administrator with the
/allusers parameter, all jobs are deleted. If run by a normal user, only
the jobs owned by the user are deleted.
/transfer Name [type][/priority Priority][/aclflags Flags] RemoteURL
LocalName
Transfers one or more files, which are each specified by Name. The type
can be /Download or /Upload. The default is /Download. The
/priority parameter, by means of the Priority variable, sets the priority for
the specified file transfer. The Priority can be FOREGROUND, HIGH,
NORMAL, or LOW. The /aclflags parameter, by means of the Flags
variable, sets the address control list (ACL) flags. The Flags variable can be
one or more of the values in the following table:
Value Description
O owner
G group
D DACL
S SACL
For example, /aclflags OGDS copies all ACL parts. RemoteURL specifies
the file's source location. LocalName specifies the file's name on the local
target computer. Multiple URL/file pairs can be specified.
/create [type] DisplayName
Creates a job and assigns DisplayName to it. The type can be
/Download, /Upload, or /Upload-Reply.
/info Job [/verbose]
Displays information about the specified Job. The /verbose parameter
provides detailed information about the job.
/addfile Job RemoteURL LocalName
Adds a file to the specified Job. RemoteURL specifies the file's source
location. LocalName specifies the file's name on the local target computer.
/addfileset Job TextFile
Adds multiple files to the specified Job. Each line of TextFile lists a file's
remote name and local name, separated by spaces. A line beginning with
'#' is treated as a comment. After the file set is read into memory, the
contents are added to the job.
/addfilewithranges Job RemoteURL LocalName RangeList
Similar to /addfile, but BITS reads only selected byte ranges of the URL.
RangeList is a comma-delimited series of length and offset pairs, for
example 0:100,2000:100,5000:eof instructs BITS to read 100 bytes
starting at offset zero, 100 bytes starting at offset 2000, and the remainder
of the URL starting at offset 5000.
/replaceremoteprefix Job OldPrefix NewPrefix
The prefixes of all files whose URLs begin with OldPrefix are changed to
NewPrefix.
/listfiles Job
Lists the files in the specified Job.
/suspend Job
Suspends the specified Job. The job will not be scheduled to run again until
the /resume parameter is run.
/resume Job
Queues the specified Job to the list of jobs enabled for transfer.
/cancel Job
Deletes the specified Job.
/complete Job
Completes the specified Job and makes the files available for the
destination directory. This is normally run after the job moves to the
transferred state.
/gettype Job
Retrieves the job type of the specified Job.
/getaclflags Job
Retrieves the ACL propagation flags for the specified Job.
/setaclflags Job ACLFlags
Sets the ACL propagation flags for the specified Job. ACLFlags is a string of
one or more of the following flags as shown in the following table:
Value Description
O owner
G group
D DACL
S SACL
For example, /setaclflags OGDS sets all the ACL propagation flags.
/getbytestotal Job
Retrieves the size of the specified Job.
/getbytestransferred Job
Retrieves the number of bytes transferred for the specified Job.
/getfilestotal Job
Retrieves the number of files in the specified Job.
/getfilestransferred Job
Retrieves the number of files transferred for the specified Job.
/getcreationtime Job
Retrieves the job creation time for the specified Job.
/getmodificationtime Job
Retrieves the job modification time for the specified Job.
/getcompletiontime Job
Retrieves the job completion time for the specified Job.
/getstate Job
Retrieves the job state for the specified Job.
/geterror Job
Retrieves detailed error information for the specified Job.
/getowner Job
Retrieves the job owner for the specified Job.
/getdisplayname Job
Retrieves the display name for the specified Job.
/setdisplayname Job DisplayName
Sets the DisplayName for the specified Job.
/getdescription Job
Retrieves the job description for the specified Job.
/setdescription Job Description
Sets the description for the specified Job.
/getpriority Job
Retrieves the priority of the specified Job.
/setpriority Job Priority
Sets the priority for the specified Job.
/getnotifyflags Job
Retrieves the notify flags for the specified Job.
/setnotifyflags Job NotifyFlags
Sets the notify flags for the specified Job.
/getnotifyinterface Job
Determines if notify interface is registered for the specified Job.
/getminretrydelay Job
Retrieves the retry delay, in seconds, for the specified Job.
/setminretrydelay Job RetryDelay
Sets the RetryDelay, in seconds, for the specified Job.
/getnoprogresstimeout Job
Retrieves the no progress time-out, in seconds, for the specified Job.
/setnoprogresstimeout Job Timeout
Sets the no progress Timeout, in seconds, for the specified Job.
/geterrorcount Job
Retrieves an error count for the specified Job.
/setproxysettings Job usage
Sets the proxy usage for the specified Job. The usage choices are shown
in the following table:
Value Description
OVERRIDE Must be followed by an explicit proxy list and a proxy bypass list.
NULL or "" can be used as an empty proxy bypass list.
/getproxyusage Job
Retrieves the proxy usage setting for the specified Job.
/getproxylist Job
Retrieves the proxy list for the specified Job.
/getproxybypasslist Job
Retrieves the proxy bypass list for the specified Job.
/takeownership Job
Takes ownership of the specified Job.
/setnotifycmdline Job ProgramName ProgramParameters
Sets a program to execute for notification of the specified Job.
ProgramName can be NULL. ProgramParameters are optional and can be
NULL.
/getnotifycmdline Job
Returns the command line for job notification of the specified Job.
/setcredentials Job Target Scheme Username Password
Adds credentials to the specified Job. The Target can be either SERVER or
PROXY. The Scheme can be BASIC, DIGEST, NTLM, NEGOTIATE, or
PASSPORT.
/removecredentials Job Target Scheme
Removes credentials from the specified Job. The Target can be either
SERVER or PROXY. The Scheme can be BASIC, DIGEST, NTLM,
NEGOTIATE, or PASSPORT.
/util [/setieproxy Account usage] [/conn ConnectionName]
Note: This option requires Administrator account status.
Sets the Internet Explorer proxy settings for the system Account of the
user. If ConnectionName is not specified, settings are applied to the default
network connection. The Account can be LOCALSYSTEM,
NETWORKSERVICE, or LOCALSERVICE. The usage choices are shown
in the following table:
Value Description
MANUAL_PROXY Use an explicit proxy list and bypass list. Must be followed by a
proxy list and a proxy bypass list (comma-delimited). NULL or
"" can be used as an empty proxy bypass list.
Remarks
· Windows Updates
BITS is often erroneously confused with Windows Update service because
Windows Update service uses Background Intelligent Transfer Service by
default.
· Network Throttling
BITS regulates the transfer rate to minimize impact on user interactivity,
such as a job sent to a network printer or Web pages viewed in Internet
Explorer.
· Customized APIs
BITS is exposed to programmers by a set of Application Program Interfaces
(APIs). For more information about using BITS programmatic interfaces,
see the Using Windows XP Background Intelligent Transfer Service (BITS)
with Visual Studio .NET topic on the MSDN Library Web site
(http://go.microsoft.com/fwlink/?linkid=8124).
Examples
DOWNLOAD
236
To find out how the number of bytes of the job have already been transferred,
type:
bitsadmin /getbytestransferred myjob
The following output is displayed:
BITSADMIN version 2.0 [ 5.1.2600.2096 ]
BITS administration utility.
(C) Copyright 2000-2003 Microsoft Corp.
106
To find out how many files have been transferred by a job, type:
bitsadmin /getfilestransferred myjob
The following output is displayed:
BITSADMIN version 2.0 [ 5.1.2600.2096 ]
BITS administration utility.
(C) Copyright 2000-2003 Microsoft Corp.
6/3/2003 10:49:02 AM
6/3/2003 10:49:02 AM
WORKING
The myjob job has not yet completed.
SUSPENDED
DOMAINMAIN\smithj
myjob
Note
· Using DisplayName as the argument for the job will work only if there is one
job in the queue with this display name. Otherwise, Bitsadmin will return an
error. If this happens, the GUID must be used.
Resume a Job
Job resumed
{A305C29C-2247-42A6-918E-C575280CE885} canceled.
{6F2D447C-712E-4674-9FAE-42DBFAD071A8} canceled.
{0B8068F6-2572-4932-AE12-CD58DA78912E} canceled.
3 out of 3 jobs canceled.
Job canceled
Job resumed.
bitsadmin /list
bitsadmin /list
bitsadmin /complete
Job completed.
bitsadmin /list
Listed 0 job(s).
PROXY USAGE: PRECONFIG PROXY LIST: NULL PROXY BYPASS LIST: NULL
DESCRIPTION:
JOB FILES:
Listed 1 job(s).
{134E18A6-FC4B-46AC-A7E9-B7A7D59C84BE} canceled.
XOX
Syntax
httpcfg {set | query | delete} {ssl | query | iplisten} [-i Ip:Port] [-h SSL
Hash] [-g "{GUID}"] [-c StoreName] [-m CheckMode] [-r RevocationFreshness]
[-x UrlRetrievalTimeout] [-t SslCtlIdentifier] [-n SslCtlStoreName] [-f Flags] [-u
{http://URL:Port/ | https://URL:Port/}] [-a ACL]
Parameters
Action commands are set, query, and delete. These commands are followed by a
set of arguments ssl, urlacl, and iplisten, which are known as store arguments.
Depending on the value of the action command and the store argument, different
parameters are then available. For example, the set ssl command can take a
different set of parameters from the query ssl command.
Action commands
set
Creates a configuration record that contains the values specified by the ssl,
urlacl, or iplisten argument. This record is then added to the HTTP API
configuration store. The call fails if a record with the specified values
already exists. To change a given configuration record, you must first
delete it, and then recreate it by using set with the updated value(s).
query
Retrieves one or more HTTP API configuration records.
delete
Deletes the specified information, such as IP addresses or SSL certificates,
from the HTTP API configuration store, one record at a time.
Store arguments
ssl
Depending on the action command used, adds (set), queries, or deletes
SSL certificate meta-information. Such meta-information is maintained by
the HTTP API in a metastore, and is used to locate certificates for certificate
exchange during HTTPS sessions.
urlacl
Depending on the action command used, adds (set), queries, or deletes
namespace reservations. The HTTP API allows administrators to reserve
URI namespaces and protect them with Access Control Lists (ACLs), so that
only specified HTTP API clients can use them.
iplisten
Depending on the action command used, adds (set), queries, or deletes
Internet Protocol (IP) addresses in the IP Listen List. If this list is present,
the HTTP API listens only to addresses on the list.
If you use the following action command and store argument combination:
httpcfg set ssl
you can use the following parameters:
-i Ip:Port
The -i parameter takes a string that specifies the IP-Address:port
combination. This serves as the record key identifying the SSL certificate
being added. When using set ssl, the -i parameter is required.
-h SSL Hash
The -h parameter takes a string of hexadecimal digits specifying the
Thumbprint hash of the certificate being added. This is not a required
parameter. However, the SSL connection will fail if the hash is invalid.
-g "{GUID}"
The -g parameter takes a string representing a Globally Unique Identifier
(GUID) that identifies the application that added the certificate. In the case
of Httpcfg, the GUID must be generated by the user. The enclosing
quotation marks and curly braces are required; the -g parameter will not
work without them. For more information about generating GUIDs, see
Generating Interface UUIDs (http://go.microsoft.com/fwlink/?LinkId=9682)
on the Microsoft Developer Network (MSDN).
-c StoreName
The -c parameter takes a string that specifies the name of the store where
the certificate being added resides. If no string is specified, the name "MY"
is used by default.
-m CheckMode
The -m parameter takes a string containing one or more numbers
representing flags that determine the default mode for checking the
certificate. The numbers can consist of one or more of the following flag
values:
· 1 - Client certificate will not be verified for revocation.
Remarks
For more information about how Httpcfg corresponds to the HTTP API, see
Using the HTTP API Configuration Tool on the MSDN Library Web site
(http://go.microsoft.com/fwlink/?LinkId=9550).
The httpcfg.exe commands return a standard WIN32 API error code. A return
value of 0 means that the command completed successfully. For more
information about WIN32 API error codes, see the Event Logging topic on the
MSDN Library Web site (http://go.microsoft.com/fwlink/?LinkId=9643).
Examples
This group of examples shows how to add, show, and delete a certificate in the SSL
store.
· Adding an SSL Certificate to the Store
In the following example, the user uses the httpcfg set ssl command with
the -i, -h, and -g parameters to specify the IP address, Thumbprint hash, and
GUID, respectively, for the certificate being added.
httpcfg set ssl -i 10.0.0.1:80 -h
2c8bfddf59a4a51a2a5b6186c22473108295624d -g "{2bb50d9c-7f6a-
4d6f-873d-5aee7fb43290}"
After running the command, Httpcfg displays the following text on the screen to
confirm the command completed without an error (error code of 0).
HttpSetServiceConfiguration completed with 0.
· Viewing Certificates in the SSL Store
In this example, the user first uses the httpcfg query ssl command with the
-i parameter, specifying an IP address in order to view the meta-information
for a particular certificate. After viewing the meta-information, the user uses
the httpcfg query ssl command without the -i parameter, to view all
certificates in the store.
httpcfg query ssl
IP : 10.0.0.13:80
Hash : 2c8bfddf59a4a51a2a5b6186c22473108295624d
Guid : {2bb50d9c-7f6a-4d6f-873d-5aee7fb43290}
CertStoreName : (null)
CertCheckMode : 0
RevocationFreshnessTime : 0
UrlRetrievalTimeout : 0
SslCtlIdentifier : (null)
SslCtlStoreName : (null)
Flags : 0
------------------------------------------------------------------------------
IP : 10.0.0.1:80
Hash : 2c8bfddf59a4a51a2a5b6186c22473108295624d
Guid : {2bb50d9c-7f6a-4d6f-873d-5aee7fb43290}
CertStoreName : (null)
CertCheckMode : 0
RevocationFreshnessTime : 0
UrlRetrievalTimeout : 0
SslCtlIdentifier : (null)
SslCtlStoreName : (null)
Flags : 0
------------------------------------------------------------------------------
· Deleting a Certificate from the SSL Store
In this example, the user types httpcfg delete ssl with the required -i
parameter to delete the associated certificate record from the SSL store.
httpcfg delete ssl -i 10.0.0.1:80
Httpcgf then displays the following text to the screen, verifying that the
command completed successfully (error code of 0).
HttpDeleteServiceConfiguration completed with 0.
This group of examples shows how to add, remove, and view URL ACL
combinations in the urlacl store.
· Adding a URL ACL Combination to the urlacl Store
httpcfg set urlacl -u http://woodgrovebank.com:443/ -a
"O:DAG:DAD:(A;;GRGX;;;DA)(A;;GA;;;BA)"
HttpSetServiceConfiguration completed with 0.
· Viewing All of the URLs that have been Assigned an ACL
httpcfg query urlacl
URL : http://woodgrovebank.com:443/
ACL : O:DAG:DAD:(A;;GXGR;;;DA)(A;;GA;;;BA)
------------------------------------------------------------------------------
URL : http://woodgrovebank.com:80/
ACL : O:DAG:DAD:(A;;CCDC;;;SY)(A;;CCDC;;;DA)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0d
e6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;6da8a4ff-0e52-11d0-a286-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa0
03049e2;;PO)(A;;;;;AU)S:(AU;SAFA;CCDCSWWPSDWDWO;;;WD)
------------------------------------------------------------------------------
· Deleting a URL ACL Combination from the urlacl Store
httpcfg delete urlacl -u http://woodgrovebank.com:80/
HttpDeleteServiceConfiguration completed with 0.
This group of examples show how to add, delete, and list IP address in the iplisten
store.
· Adding an IP Address to the iplisten Store
httpcfg set iplisten -i 10.0.0.1:80
HttpSetServiceConfiguration completed with 0.
· Viewing All of the IP Addresses on which the HTTP API is Listening
httpcfg query iplisten
IP : 10.0.0.1:80
------------------------------------------------------------------------------
IP : 10.0.0.13:80
------------------------------------------------------------------------------
· Shows the Result of Deleting a Record from the iplisten Store
httpcfg delete iplisten -i 10.0.0.1:80
HttpDeleteServiceConfiguration completed with 0.
XOX
Syntax
· To add a rule, use the following syntax:
ipseccmd [\\ComputerName] -f FilterList [-n NegotiationMethodList] [-t
TunnelAddr] [-a AuthMethodList] [-1s SecurityMethodList] [-1k
MMRekeyTime] [-1e SoftSAExpirationTime] [-soft] [-confirm] [{-dialup
| -lan}]
· To delete all dynamic policies, use the following syntax:
ipseccmd -u
Parameters
\\ComputerName
Specifies the computer name of a remote computer to which you want to
add a rule.
-f FilterList
Required for first syntax. Specifies one or more filter specifications,
separated by spaces, for quick mode security associations (SAs). Each filter
specification defines a set of network traffic affected by this rule.
-n NegotiationMethodList
Specifies one or more security methods, separated by spaces, for securing
traffic defined by the filter list.
-t TunnelAddr
Specifies the tunnel endpoint for tunnel mode as either an IP address or a
DNS domain name.
-a AuthMethodList
Specifies one or more authentication methods, separated by spaces.
-1s SecurityMethodList
Specifies one or more key exchange security methods, separated by
spaces.
-1k MMRekeyTime
Specifies main mode SA rekey settings.
-1e SoftSAExpirationTime
Specifies the expiration time for soft SAs in seconds.
-soft
Enables soft SAs.
-confirm
Specifies that a confirmation prompt appears before the rule or policy is
added.
{-dialup | -lan}
Specifies whether the rule applies only to remote access or dial-up
connections or whether the rule applies only to local area network (LAN)
connections.
-u
Required for the second syntax. Specifies that all dynamic rules are
deleted.
/?
Displays help at the command prompt.
Remarks
· Ipseccmd cannot configure rules on computers running Windows 2000.
· If you do not specify the \\ComputerName parameter, the rule is added to the
local computer.
· If you use the \\ComputerName parameter, you must use it before all the
other parameters, and you must have administrator permissions on the
computer to which you want to add the rule.
· For the -f parameter, a filter specification is one or more filters that are
separated by spaces and is defined by the following format:
SourceAddress/SourceMask:SourcePort=DestAddress/DestMask:DestPort:Protocol
o SourceMask, SourcePort, DestMask, and DestPort are optional. If you omit
them, the mask of 255.255.255.255 and all ports are used for the
filter.
o Protocol is optional. If you omit it, all protocols are used for the filter. If you
specify a protocol, you must specify the port or precede the
protocol with two colons (::). (See the first example for dynamic
mode.) The protocol must be the last item in the filter. You can use
the following protocol symbols: ICMP, UDP, RAW, or TCP.
o You can create mirrored filters by replacing the equals sign (=) with a plus sign
(+).
o You can replace SourceAddress/SourceMask or DestAddress/DestMask with
the values in the following table.
Value Description
0 My address or addresses
* Any address
DNSName DNS domain name. If the DNS name resolves to multiple addresses, it
is ignored. You can specify DNS, WINS, DHCP, or GATEWAY. The
security policy database (SPD) dynamically replaces these
specifications with the associated addresses set on the computer.
o You can enable the default response rule by specifying the filter specification of
default.
o You can specify a permit filter by surrounding the filter specification with
parentheses. You can specify a blocking filter by surrounding the
filter specification with brackets ([ ]).
o If you are using Internet address class-based subnet masks (the subnet masks
are defined along octet boundaries), you can use wildcard notation
to specify subnet masks. For example, 10.*.*.* is the same as
10.0.0.0/255.0.0.0 and 10.92.*.* is the same as
10.92.0.0/255.255.0.0.
Filter examples
To create mirrored filters to filter TCP traffic between Computer1 and
Computer2, type:
Computer1+Computer2::TCP
To create a filter for all TCP traffic from the subnet
172.31.0.0/255.255.0.0, port 80, to the subnet 10.0.0.0/255.0.0.0, port
80, type:
172.31.0.0/255.255.0.0:80=10.0.0.0/255.0.0.0:80::TCP
To create a mirrored filter that permits traffic between the local IP address
and the IP address 10.2.1.1, type:
(0+10.2.1.1)
· For the -n parameter, one or more negotiation policies are separated by spaces
and follow one of the following forms:
o esp[EncrypAlg,AuthAlg]RekeyPFS[Group]
o ah[HashAlg]RekeyPFS[Group]
o ah[HashAlg]+esp[EncrypAlg,AuthAlg]RekeyPFS[Group]
where EncrypAlg can be none, des, or 3des, AuthAlg can be none,
md5, or sha, and HashAlg can be md5 or sha.
o The configuration esp[none,none] is not supported.
o The sha parameter refers to the SHA1 hash algorithm.
o The Rekey parameter is optional, and it specifies the number of kilobytes
(indicated by placing a K after the number) or the number of
seconds (indicated by placing an S after the number) that precede
a rekeying of the quick mode SA. To specify both rekey parameters,
separate the two numbers with a slash (/). For example, to rekey
the quick mode SA every hour and after every 5 megabytes of
data, type:
3600S/5000K
o The PFS parameter is optional, and it enables session key perfect forward
secrecy. By default, session key perfect forward secrecy is disabled.
o The Group parameter is optional, and it specifies the Diffie-Hellman group for
session key perfect forward secrecy. For the Low(1) Diffie-Hellman
group, specify PFS1. For the Medium(2) Diffie-Hellman group,
specify PFS2. For the High(3) Diffie-Hellman group, specify PFS3.
By default, the group value for session key perfect forward secrecy
is taken from the current main mode settings.
o If you do not specify negotiation policies, the default negotiation policies are
the following:
§ esp[3des,sha]
§ esp[3des,md5]
§ esp[des,sha]
§ esp[des,md5]
· If you omit the -t parameter, IPSec transport mode is used.
Examples
To create a rule that uses the Authentication Header (AH) with MD5
hashing for all traffic to and from the local computer, type:
ipseccmd -f 0+* -n ah[md5]
To create a tunnel rule for traffic from 10.2.1.1 and 10.2.1.13 by using the
tunnel endpoint 10.2.1.13, with AH tunnel mode by using the SHA1 hash
algorithm, with master key perfect forward secrecy enabled, and with a
confirmation prompt for the rule before it is created, type:
ipseccmd -f 10.2.1.1=10.2.1.13 -t 10.2.1.13 -n ah[sha] -1p -c
To create a rule on the computer named corpsrv1 for all traffic between the
computers named corpsrv1 and corpsrv2, by using the combination of both
AH and Encapsulating Security Payload (ESP), with preshared key
authentication, type:
ipseccmd \\corpsrv1 -f corpsrv2+corpsrv1 -n
ah[md5]+esp[des,sha] -a p:"corpauth"
Creates named policies and named rules. You can also use static mode to
modify existing policies and rules, provided they were originally created
with Ipseccmd. The syntax for static mode combines the syntax for dynamic
mode with parameters that enable it to work at a policy level.
Syntax
ipseccmd DynamicModeParameters -w Location -p
PolicyName[:PollInterval] -r RuleName [{-x | -y}] [-o]
Parameters
DynamicModeParameters
Required. Specifies a set of dynamic mode parameters for an IPSec rule as
described earlier.
-w Location
Required. Specifies that the policies and rules are written to the local
registry, a remote computer's registry, or to persistent storage.
-p PolicyName[:PollInterval]
Required. Specifies the name of the policy and how often, in minutes, the
policy is checked for changes. If PolicyName contains any spaces, use
quotation marks around the text (that is, "Policy Name").
-r RuleName
Required. Specifies the name of the rule. If RuleName contains any spaces,
use quotation marks around the text (that is, "Rule Name").
[{-x | -y}]
Optional parameters. The -x parameter requires the -p option and specifies
that the local registry policy is assigned. The -y parameter specifies that
the local registry policy is unassigned.
-o
Specifies that the rule or policy should be deleted.
/?
Displays help at the command prompt.
Remarks
o For the -w parameter, the Location is either reg to specify the registry of the
local computer or a remote computer, or pers to specify persistent
storage. With reg, if you specified \\ComputerName, the policy is
written to the remote computer's registry.
o For the -p parameter, if a policy with this name already exists, the rule you
specify is added to the policy. Otherwise, a policy is created with
the name you specify. The PollInterval parameter is optional and
specifies when IPSec should check for policy updates, for example,
when there are changes to assigned DNS servers. If you specify an
integer for PollInterval, the polling interval for the policy is set to
that number of minutes. If you do not specify PollInterval, the
polling interval defaults to 480 minutes.
o For the -r parameter, if a rule with that name already exists, the rule is
modified to reflect the parameters you specify in the command. For
example, if you include the -f parameter for an existing rule, only
the filters of that rule are replaced. If no rule exists with the name
you specify, a rule with that name is created.
o For the -o parameter, all aspects of the specified policy are deleted. Do not use
this parameter if you have other policies that point to the objects in
the policy you want to delete.
o Static mode usage differs from dynamic mode usage in one respect. When you
use dynamic mode, you indicate permit and blocking filters in
FilterList, which you identify by using the -f parameter. When you
use static mode, you indicate permit and blocking filters in
NegotiationMethodList, which you identify by using the -n
parameter. In addition to the parameters described for
NegotiationMethodList under dynamic mode, you can also use the
block, pass, or inpass parameters in static mode. The following
table lists these parameters and descriptions of their behavior.
Parameter Description
block The rest of the policies in NegotiationMethodList are ignored, and all
of the filters become blocking filters.
pass The rest of the policies in NegotiationMethodList are ignored, and all
of the filters become permit filters.
Examples
To create a policy named Default Domain Policy with a 30-minute polling
interval in which policy changes are written to persistent storage, with a
rule named Secured Servers for traffic between the local computer and
computers named SecuredServer1 and SecuredServer2, and by using
Kerberos and preshared key authentication methods, type:
ipseccmd -f 0+SecuredServer1 0+SecuredServer2 -a k
p:"corpauth" -w pers -p "Default Domain Policy":30 -r "Secured
Servers"
To create and assign a local policy named Me to Anyone, with a rule
named Secure My Traffic, by using a mirrored filter for any traffic to the
local computer, and by using a preshared key as the authentication
method, type:
ipseccmd -f 0+* -a p:"localauth" -w reg -p "Me to Anyone" -r
"Secure My Traffic" -x
Syntax
ipseccmd [\\ComputerName] show {{[gpo] | [filters] | [policies] |
[auth] | [stats] | [sas]} | all}
Parameters
\\ComputerName
Specifies by name the remote computer for which you want to
display data.
show
Required. Specifies that Ipseccmd must run in show mode.
gpo
Displays static policy assignment information.
filters
Displays main mode and quick mode filters.
policies
Displays main mode and quick mode policies.
auth
Displays main mode authentication methods.
stats
Displays statistics about Internet Key Exchange (IKE) and IPSec.
sas
Displays main mode and quick mode security associations (SAs).
all
Displays data provided by all of the parameters except /?.
/?
Displays help at the command prompt.
Remarks
o Ipseccmd does not display IPSec data for computers running Windows 2000.
o If you do not use the \\ComputerName parameter, information about the local
computer is displayed.
o If you use the \\ComputerName parameter, you must use it before all the
other parameters, and you must have administrator permissions on
the computer for which you want to display information.
Examples
To display the main mode and quick mode filters and policies for the local
computer, type:
ipseccmd show filters policies
To display all IPSec information for the remote computer Server1, type the
following command:
ipseccmd \\Server1 show all
Syntax
ipseccmd [\\ComputerName] set [{logike | dontlogike}]
Parameters
\\ComputerName
Specifies by name the remote computer for which you want to have
configuration parameters set.
set
Required. Specifies that Ipseccmd must run in set mode.
logike
Turns on Internet Key Exchange (IKE) logging.
dontlogike
Turns off IKE logging.
/?
Displays help at the command prompt.
Examples
To turn off IKE logging on the local computer, type:
ipseccmd set dontlogike
To turn on IKE logging on the computer named server2, type:
ipseccmd \\server2 set logike
Syntax
ipseccmd [\\ComputerName] [{import | export}] Location FileName
Parameters
\\ComputerName
Specifies by name the remote computer from which you want to
import policy data, or to which you want to export policy data.
{import | export}
Required. Specifies that Ipseccmd must run in import or export
mode.
Location
Required. Specifies that the policy data is read from or written to
the local registry, a remote computer's registry, or to persistent
storage.
FileName
Required. Specifies the name of the file to import from or export to.
If an export file name does not specify the .ipsec extension, the
extension is automatically appended.
/?
Displays help at the command prompt.
Remarks
o The Location is either reg to specify the registry of the local computer or a
remote computer, or pers to specify persistent storage. If you use
reg and you specify \\ComputerName, the policy is read from or
written to the remote computer's registry.
Examples
To export policy data to persistent storage, type:
ipseccmd export pers persistent.ipsec
To import policy data from the file named server1.ipsec on the computer
named server1, type:
ipseccmd \\server1 import reg server1.ipsec
Online Documents
The following table describes major online documents available with the Windows
Support Tools for Microsoft Windows XP Professional
Document Description
Suptools.chm Documentation for Windows Support Tools for Microsoft Windows XP
Professional, describing the required files, syntax, and other usage
issues, along with examples for using these tools.
Support Policy
The SOFTWARE supplied in the Program Files\Support Tools directory is not supported
under any Microsoft standard support program or service. You can, however, report
issues and bugs by sending e-mail to stinput@microsoft.com. Microsoft will, at its sole
discretion, address issues and bugs reported in this manner, and responses are not
guaranteed.
The SOFTWARE (including instructions for its use and all printed and online
documentation) is provided AS IS without warranty of any kind. Microsoft further
disclaims all implied warranties including, without limitation, any implied warranties of
merchantability or of fitness for a particular purpose. The entire risk arising out of the
use or performance of the SOFTWARE and documentation remains with you.
In no event shall Microsoft, its authors, or anyone else involved in the creation,
production, or delivery of the SOFTWARE be liable for any damages whatsoever
(including, without limitation, damages for loss of business profits, business interruption,
loss of business information, or other pecuniary loss) arising out of the use of or inability
to use the SOFTWARE or documentation, even if Microsoft has been advised of the
possibility of such damages.
© Copyright 1985–2001 Microsoft Corporation. All rights reserved.