PowerShell Server 2016

Registry Keys

Configuration options for PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16. This registry key holds settings that are available for PowerShell Server globally. Additional registry keys are available for settings related directly to specific SSL Tunnels, SSH Reverse Tunnels, as well as various other settings.

The tree structure of these registry keys is described below:

The following values can be configured within the root HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16 registry key. Each value is listed below as Name (Type): Description.
AdminCommandRegex (String): Regular expression used to restrict the commands available to the SSH admin service. The default value is ^(Get-PSSConnections|Disconnect-PSSClient -ConnectionId \d+|Start-SSHDaemon|Stop-SSHDaemon|Restart-SSHDaemon|Stop-PowerShellServer|Exit)$

AdminServicePort (DWORD): Port to be used for administrative service connection. The default value is 8122.

AdminServiceUser (String): Username for administrative service connection. The default value is randomly generated during setup.

AdminServicePassword (String): Password for administrative service connection. The default value is randomly generated during setup.

AdminLocalOnly (DWORD): Restricts access to the SSH administration service to the local machine. The default is 1 (True). If set to 0 (False), connections are allowed from outside the local machine. The user must still authenticate using AdminServiceUser and AdminServicePassword. Refer to Sessions for more information.

AdminClientRetryCount (DWORD): Specifies the number of attempts to connect to the SSH administration service from the UI before failing. The default is 3. This should never need to be adjusted.

AdminClientRetryDelay (DWORD): The delay between retry attempts to connect to the SSH administration service from the UI. The value is in milliseconds and the default is 1000. This should never need to be adjusted.

AdminServiceEnabled (DWORD): This setting may be set to enable SSH administrative functions when running as a standalone application (not as a Windows service). By default the SSH administration service will only be enabled when running as a Windows service. Set this value to 1 (True) to enable the SSH administration service at all times (whether running as a Windows service or not). The benefit of enabling this is to allow administration of the server via command line parameters.

See the Sessions page for more details regarding the behavior of the Admin Service, and Running PowerShell Server for the available command line parameters when AdminServiceEnabled is 1.

AllowedClients (String): This setting defines a comma-separated list of host names or IPv4 addresses that may access the server. The wildcard character "*" is supported. The default value is "*" and all connections are accepted.

When a client connects, the client's address is checked against the list defined here. If there is no match, the client will be disconnected.

AuthMaxAttempts (DWORD): Specifies the maximum number of connection retries allowed from a client with invalid login credentials. By default this value is set to 3.

Banner (String): This is the value of the Login Banner message.

DeleteLogDays (DWORD): The number of days after which old log files will be deleted. This is only applicable when RotateLogDays is set to a positive value.

EnableCompression (DWORD): Can be used to enable use of the zlib compression algorithm on SSH connections.

0 - Off: No compression will be used (Default).

1 - On: Zlib compression will be enabled, if requested by the SSH client.

EnableSCP (DWORD): Can be used to enable SCP support.

0 - Off (default)

1 - On

EnableSessionManagement (DWORD): Can be used to enable session management.

0 - Off

1 - On (default)

EnableSexec (DWORD): Can be used to disable SExec connections.

0 - Off

1 - On (default)

EnableShell (DWORD): Can be used to disable Shell connections.

0 - Off

1 - On (default)

EnableSFTP (DWORD): Can be used to enable SFTP support.

0 - Off (default)

1 - On

EnableSSHReverseTunnel (DWORD): Can be used to enable SSH Reverse Tunnel support.

0 - Off (default)

1 - On

EnableSSHServer (DWORD): Can be used to disable all SSH server functionality. When disabled no SSH server will be started. This may be used in cases such as only wishing to enable SSL Tunnel functionality.

0 - Off

1 - On (default)

EnableSSHTunnel (DWORD): Can be used to enable SSH Tunnel support.

0 - Off (default)

1 - On

EnableWebServer (DWORD): Can be used to enable the PowerShellASP Web Server.

0 - Off (default)

1 - On

ExecShellId (String): The ID given to the PowerShell Host Shell for SExec sessions. By default this will be nsoftware.PSExec.

FirewallType (DWORD): The type of firewall for the SSH Tunnel to connect through. Applicable values include the following:

0 - No firewall (default setting)

1 - Connect through a tunneling proxy.

2 - Connect through a SOCKS4 proxy.

3 - Connect through a SOCKS5 proxy.

FirewallHost (String): The name or IP address of the firewall that the SSH Tunnel will connect through.

FirewallPort (DWORD): The TCP port for the FirewallHost.

FirewallUser (String): A user name if authentication is to be used when connecting through a firewall.

FirewallPassword (String): Password to be used if authentication is to be used when connecting through a firewall.

GSSAPIAuthEnabled (DWORD): Specifies if GSS-API authentication is accepted.

0 - Off

1 - On (default)

GSSAPIMechanisms (DWORD): Used to set the allowable GSS-API authentication mechanisms.

0 - All

1 - Kerberos

2 - NTLM (default)

IdleSessionTimeout (DWORD): The number of minutes after which an idle connection should be terminated.

InteractiveShellId (String): The ID given to the PowerShell Host Shell for interactive sessions. By default this will be nsoftware.PowerShell.

IsolatedSessions (DWORD): Controls whether isolated sessions will be used when PowerShell Server is running as a service.

0 - Off: PowerShell will impersonate the logged in user (if NoImpersonation is off).

1 - On: The PowerShell Runspace will run from the logged in user account (default).

Note that this is only applicable when PowerShell Server is running as a service.

KerberosSPN (String): The Service Principal Name for the Kerberos Domain Controller. If the Service Principal Name cannot be automatically determined, it should be set here. This will usually be in the form "host/fqdn.of.sshhost[@REALM]" where REALM is the fully qualified (DNS) name of the Kerberos realm (or Windows Active Directory domain name).

LocalHost (String): The local IP address of the interface to which the server will bind. By default the server will listen on the default interface for the system.

LogSSHPackets (DWORD): Specifies whether or not raw SSH packets are included in the log.

0 - Off (default)

1 - On

LogToFile (String): The full path to the log file.

MatchSSHPublicKeyToUsername (DWORD): Controls whether public keys are tied to a specified user name. This is only applicable when using file based public key authentication. Possible values are:

0 - Off: Public keys are not tied to a specific username (Default).

1 - On: Public keys are tied to a specific username.

By default when a user authenticates using public key authentication the server will check the key presented by the user against the list of keys in the specified file. If the key is found the authentication succeeds. This setting allows you to validate that the user presents both the expected key and username during authentication. If this setting is enabled the server will check the comment of the public key specified in the file and match it to the username provided during authentication. This check is not case sensitive. To specify a username to be associated with a specific key, include the username in place of the comments in the public key. For instance:

Unmodified public key: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Public key modified to be associated with a specific username: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= DOMAIN\Username
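
The comparison just described, as an added example that is not part of the PowerShell Server documentation or product code: it parses a key file in the "type base64 comment" form shown above, applies the case-insensitive comment-to-username match for MatchSSHPublicKeyToUsername set to 1, and lists the entries that still carry a generator comment and would therefore stop authenticating after the change. The function names, the sample key lines and the key data are all constructed for the example.

```powershell
# Added example, not part of the PowerShell Server documentation or product code.
# Reproduces the comparison described for MatchSSHPublicKeyToUsername so that a
# key file can be audited before the setting is turned on. The file format
# assumed is one "type base64 comment" line per key; all sample lines and key
# data below are constructed.

function Get-KeyFileEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        # At most three fields: key type, base64 key data, and the comment (if any)
        $parts = $line -split '\s+', 3
        $comment = if ($parts.Count -ge 3) { $parts[2] } else { '' }
        [pscustomobject]@{ KeyType = $parts[0]; KeyData = $parts[1]; Comment = $comment }
    }
}

function Test-KeyAcceptedForUser {
    param(
        [string[]]$Lines,            # contents of the SSHPublicKeyFileName file
        [string]$PresentedKeyData,   # base64 key data presented by the client
        [string]$Username,           # username supplied during authentication
        [int]$MatchToUsername        # value of MatchSSHPublicKeyToUsername (0 or 1)
    )
    foreach ($entry in Get-KeyFileEntries -Lines $Lines) {
        if ($entry.KeyData -ne $PresentedKeyData) { continue }
        # 0: any key found in the file is sufficient
        if ($MatchToUsername -eq 0) { return $true }
        # 1: the key's comment field must also equal the username, ignoring case
        if ($entry.Comment -ieq $Username) { return $true }
    }
    return $false
}

function Get-KeysWithoutUsername {
    # Entries whose comment is not in DOMAIN\Username form would stop authenticating
    # once MatchSSHPublicKeyToUsername is set to 1 (the backslash test is a heuristic)
    param([string[]]$Lines)
    Get-KeyFileEntries -Lines $Lines | Where-Object { $_.Comment -notmatch '\\' }
}

# Constructed key file: the first line keeps its generator comment, the second was
# rewritten to name the account it belongs to.
$sampleKeyFile = @(
    'ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822'
    'ssh-rsa AAAAB3NzaC1yc2EA...Q2xVt9Xm0= CORP\alice'
)

# Matching key and username, differing only in case
Test-KeyAcceptedForUser $sampleKeyFile 'AAAAB3NzaC1yc2EA...Q2xVt9Xm0=' 'corp\ALICE' 1
# Listed key presented by a different account: allowed at 0, refused at 1
Test-KeyAcceptedForUser $sampleKeyFile 'AAAAB3NzaC1yc2EA...rPFBe7Pnc=' 'CORP\bob' 0
Test-KeyAcceptedForUser $sampleKeyFile 'AAAAB3NzaC1yc2EA...rPFBe7Pnc=' 'CORP\bob' 1
# Entries to rewrite before enabling the setting
Get-KeysWithoutUsername $sampleKeyFile
```

Running Get-KeysWithoutUsername over the real file (Get-Content on the SSHPublicKeyFileName path) before flipping the value avoids locking out accounts whose keys still carry the default comment.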

MaxConnections (DWORD): Specifies the maximum number of connections that are allowed. By default the number of allowed connections is determined by the license that is installed. This setting may be specified to further restrict the number of connections. The server will restrict the number of connections to whichever is the lesser value between this setting and the number of allowed connections for the license.

MaxNumRowsInLog (DWORD): Controls how many lines will be shown in the Status window in the Service tab of the PowerShell Server User Interface. If this value is exceeded, the oldest lines will be removed as new lines are added. The default value is 1000.

NoImpersonation (DWORD): Can be used to disable impersonation of the username used in the connection.

0 - Off: Clients will be impersonated (Default).

1 - On: Clients will not be impersonated.

PasswordAuthEnabled (DWORD): May be set to disable password authentication. This is enabled by default.

0 - Off: Password authentication is not allowed.

1 - On: Password authentication is enabled (Default).

PreserveFileTime (DWORD): Determines if filetime preservation is supported. If a client requests filetime preservation (typically by setting a "-p" parameter) this setting controls whether or not it is respected.

0 - Off: Filetime preservation options are ignored.

1 - On: Filetime preservation is supported (Default).

PromptForRegPermissions (DWORD): When the server is running under an account that does not have write permissions to the registry location where these settings are stored the user will be prompted to change the permissions. If this value is set to 0 the user will not be prompted again. Possible values are:

0 - Off: The user will not be prompted to modify registry permissions.

1 - On: The user is prompted to modify registry permissions when needed (Default).

PSTraceLevel (DWORD): Controls the trace level of the logging from the application. Can be one of the following values:

0 - Off: Nothing is logged.

1 - Error: Only errors are logged.

2 - Warning: Errors and warnings are logged.

3 - Info: Errors, warnings and informational messages are logged (default value).

4 - Verbose: All messages, including those useful for debugging and troubleshooting are logged.

PubKeyAuthEnabled (DWORD): Controls if the server will allow clients to authenticate using Public Keys:

0 - Off: No public key authentication; clients can only connect using a password.

1 - On: Public key authentication requests will be accepted.

PubKeyAuthCertStoreType (DWORD): Specifies the type of certificate store where the allowed public keys can be found.

0 - User: Use the User certificate store.

1 - Machine: Use the Machine certificate store.

PubKeyAuthCertStore (String): Specifies the certificate store where the allowed public keys can be found.

ReverseTunnelPortMap (String): A map defining port ranges to be used by specific users when opening a reverse tunnel. By default, when this setting is unspecified, any user may request any port to be opened when opening a reverse tunnel. If this setting is specified the server will restrict the port ranges on a per-user basis to the ranges defined here. The value should be a semicolon-separated list of username and port range pairs in the format:

DOMAIN\user1=5000-5500;DOMAIN\user2=4444

The port range may either be a single port, or a range like "5000-5500". If no range is defined for a user the reverse tunnel request will be rejected.

RotateLogDays (DWORD): The number of days after which the log file will be rotated. Old log files will be renamed to the format "logname-yyyy-MM-dd". When set to a positive value DeleteLogDays is applicable.

RunAsAService (DWORD): Indicates if the server needs to be executed as a Windows service (1) or in-process inside the PowerShell User Interface (0).

RunProfiles (DWORD): Controls if the server will run profile scripts:

0 - Off: No profile scripts will execute.

1 - On: Any profile scripts found will be executed.

SCPDefaultDir (String): The absolute path to the default directory for SCP users. By default the SFTPRootDir will be used.

SecurityGroup (String): Name of the Windows group used to control access.

ServerSSHVersionString (String): This setting specifies the version string value that is sent to all connecting clients. This may be set to specify server specific information. When setting a custom value, it must contain "SSH-2.0-" as this is a standard format that specifies the supported SSH version.

SFTPHomeDirMap (String): A map defining user specific SFTP home directories. By default all users are placed into SFTPRootDir when logging on. This setting allows for a user to be assigned a specific directory. The value should be a semicolon-separated list of username and home directory pairs in the format:

DOMAIN\user1=C:\user1;DOMAIN\user2=C:\user2

The user value must include the domain or machine name as appropriate (DOMAIN\user1 or MACHINE\user1). If the directory specified does not exist the user will be placed into the default SFTPRootDir. If a user connects and no mapping is present for that user they will be placed into the default SFTPRootDir.
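
ReverseTunnelPortMap and SFTPHomeDirMap share the same "DOMAIN\user=value;DOMAIN\user=value" layout, so one parser serves both. The following is an added example, not part of the PowerShell Server documentation or product code: it parses a map value and applies the two rules stated above (a port request outside the user's range, or from a user with no entry, is rejected; an unmapped or non-existent home directory falls back to SFTPRootDir). The function names and sample values are constructed, and the example assumes user names compare case-insensitively, which the page does not specify.

```powershell
# Added example, not part of the PowerShell Server documentation or product code.
# Parses the "DOMAIN\user=value;DOMAIN\user=value" format shared by
# ReverseTunnelPortMap and SFTPHomeDirMap and applies the rules given for each:
# a reverse tunnel request outside the user's range (or from a user with no entry)
# is rejected, and an unmapped or missing home directory falls back to SFTPRootDir.
# Assumption: user names compare case-insensitively (the PowerShell hashtable
# default); the page does not say. All sample values are constructed.

function ConvertFrom-UserMap {
    param([string]$Map)
    $result = @{}
    foreach ($pair in ($Map -split ';')) {
        if ([string]::IsNullOrWhiteSpace($pair)) { continue }
        $idx = $pair.IndexOf('=')
        if ($idx -lt 1) { throw "Malformed entry '$pair': expected DOMAIN\user=value" }
        $result[$pair.Substring(0, $idx).Trim()] = $pair.Substring($idx + 1).Trim()
    }
    return $result
}

function Test-ReverseTunnelPortAllowed {
    param([string]$PortMap, [string]$User, [int]$RequestedPort)
    $range = (ConvertFrom-UserMap $PortMap)[$User]
    if (-not $range) { return $false }      # no range for this user: request is rejected
    if ($range -match '^(\d+)-(\d+)$') {    # a range such as "5000-5500"
        return ($RequestedPort -ge [int]$Matches[1]) -and ($RequestedPort -le [int]$Matches[2])
    }
    return $RequestedPort -eq [int]$range   # a single port such as "4444"
}

function Resolve-SftpHomeDir {
    param(
        [string]$HomeDirMap,
        [string]$User,
        [string]$SftpRootDir,
        # The directory check is injectable so the example runs without creating folders
        [scriptblock]$DirectoryExists = { param($p) Test-Path -LiteralPath $p -PathType Container }
    )
    $dir = (ConvertFrom-UserMap $HomeDirMap)[$User]
    # No mapping, or a mapped directory that does not exist: user lands in SFTPRootDir
    if (-not $dir -or -not (& $DirectoryExists $dir)) { return $SftpRootDir }
    return $dir
}

# Constructed registry values
$portMap = 'CORP\user1=5000-5500;CORP\user2=4444'
$homeMap = 'CORP\user1=C:\sftp\user1;CORP\user2=C:\sftp\user2'

Test-ReverseTunnelPortAllowed $portMap 'CORP\user1' 5250   # inside user1's range
Test-ReverseTunnelPortAllowed $portMap 'CORP\user2' 4445   # user2 is limited to 4444
Test-ReverseTunnelPortAllowed $portMap 'CORP\user3' 5000   # user3 has no entry

# Only C:\sftp\user1 "exists" in this constructed check; user2's mapped directory does not
$exists = { param($p) $p -eq 'C:\sftp\user1' }
Resolve-SftpHomeDir $homeMap 'CORP\user1' 'C:\sftp' -DirectoryExists $exists
Resolve-SftpHomeDir $homeMap 'CORP\user2' 'C:\sftp' -DirectoryExists $exists
Resolve-SftpHomeDir $homeMap 'CORP\user3' 'C:\sftp' -DirectoryExists $exists
```

Dropping the -DirectoryExists argument makes Resolve-SftpHomeDir consult the file system, which is how the value would be checked on the server itself.
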
SFTPRootDir (String): The absolute path to the root directory for SFTP users. By default the "windir" environment variable will be used to determine the root directory (typically "C:\").

The special value "$user" may be included in the path which will be resolved to the username of the authenticated user (without Domain or Machine information). When "$user" is included in the path if the directory does not exist it will be automatically created.

SSHCertSubject (String): Subject of the SSH certificate used by the server. Example: "CN=NEWTON".

SSHStoreType (DWORD): Indicates where to find the SSH certificate. Can be one of the following values:

0 - User store

1 - Machine Store

2 - PFX File

4 - PEM File

SSHStore (String): If SSHStoreType is either 0 or 1, the SSHStore value defines the specific store where the certificate can be found. Possible values include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

SSHStorePassword (String): The password for the specified certificate store.

SSHEncryptionAlgorithms (String): Specifies the allowed SSH encryption algorithms in a comma-delimited list. During the SSH handshake, this list will be used to negotiate the encryption algorithm to be used between the client and server. This list is used for both directions: client to server and server to client. When negotiating algorithms, each side sends a list of all algorithms it supports or allows. The algorithm chosen for each direction is the first algorithm to appear in the sender's list that the receiver supports, so it is important to list multiple algorithms in preferential order. If no algorithm can be agreed upon, the component will raise an error and the connection will be aborted. Valid values are:

aes256-ctr - 256-bit AES encryption in CTR mode
aes256-cbc - 256-bit AES encryption in CBC mode
aes192-ctr - 192-bit AES encryption in CTR mode
aes192-cbc - 192-bit AES encryption in CBC mode
aes128-ctr - 128-bit AES encryption in CTR mode
aes128-cbc - 128-bit AES encryption in CBC mode
3des-ctr - 192-bit (3-key) triple DES encryption in CTR mode
3des-cbc - 192-bit (3-key) triple DES encryption in CBC mode
cast128-cbc - CAST-128 encryption
blowfish-cbc - Blowfish encryption
arcfour - ARC4 encryption
arcfour128 - 128-bit ARC4 encryption
arcfour256 - 256-bit ARC4 encryption
aes256-gcm@openssh.com - 256-bit AES encryption in GCM mode
aes128-gcm@openssh.com - 128-bit AES encryption in GCM mode

The default is:

aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com
SSHMacAlgorithms (String): This may be used to specify an alternate list of supported MAC algorithms used during SSH negotiation. This also specifies the order in which the MAC algorithms are preferred. The value should contain a comma-separated list of algorithms. Supported algorithms are:

hmac-sha1

hmac-md5

hmac-sha1-96

hmac-md5-96

hmac-sha2-256

hmac-sha2-256-96

hmac-sha2-512

hmac-sha2-512-96

hmac-ripemd160

hmac-ripemd160-96

The default is:

hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160-96
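
The two list settings above are plain comma-delimited, preference-ordered strings, which makes them easy to validate and to reason about before they are written to the registry. The block below is an added example and not part of the PowerShell Server documentation or product code. It checks a value against the valid names documented for SSHEncryptionAlgorithms and SSHMacAlgorithms, derives a shorter list from the documented defaults by dropping names that match an example weak-algorithm pattern (that pattern is this example's policy, not a product default), and replays the negotiation rule as the page states it: the first name in the sender's list that the receiver also offers wins, and no common name means the connection is aborted. Function names and client lists are constructed.

```powershell
# Added example, not part of the PowerShell Server documentation or product code.
# 1. SSHEncryptionAlgorithms / SSHMacAlgorithms are comma-delimited, preference-
#    ordered subsets of the documented valid names, so a value can be validated
#    before it is written to the registry.
# 2. Negotiation takes the first name in the sender's list that the receiver
#    supports (as the page describes it), so order matters.
# The weak-algorithm patterns are an example hardening policy, not a product default.

$ValidCiphers = 'aes256-ctr','aes256-cbc','aes192-ctr','aes192-cbc','aes128-ctr','aes128-cbc',
                '3des-ctr','3des-cbc','cast128-cbc','blowfish-cbc','arcfour','arcfour128','arcfour256',
                'aes256-gcm@openssh.com','aes128-gcm@openssh.com'
$ValidMacs    = 'hmac-sha1','hmac-md5','hmac-sha1-96','hmac-md5-96','hmac-sha2-256','hmac-sha2-256-96',
                'hmac-sha2-512','hmac-sha2-512-96','hmac-ripemd160','hmac-ripemd160-96'

function Split-AlgorithmList {
    # Comma-delimited, order preserved, blanks ignored
    param([string]$Value)
    return @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-AlgorithmList {
    # Returns the names that are not among the documented valid values
    param([string]$Value, [string[]]$Valid)
    return @(Split-AlgorithmList $Value | Where-Object { $Valid -notcontains $_ })
}

function New-HardenedList {
    # Keeps the original order but drops invalid names and names matching the weak pattern
    param([string]$Value, [string[]]$Valid, [string]$WeakPattern)
    $kept = Split-AlgorithmList $Value | Where-Object { ($Valid -contains $_) -and ($_ -notmatch $WeakPattern) }
    return ($kept -join ',')
}

function Select-NegotiatedAlgorithm {
    # First entry of the sender's list that the receiver also offers, or $null if none
    param([string]$SenderList, [string]$ReceiverList)
    $receiver = Split-AlgorithmList $ReceiverList
    foreach ($name in Split-AlgorithmList $SenderList) {
        if ($receiver -contains $name) { return $name }
    }
    return $null
}

# Documented defaults
$defaultCiphers = 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
$defaultMacs    = 'hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160-96'

# Example policy: no RC4, Blowfish, CAST, 3DES or CBC ciphers; no MD5, RIPEMD, SHA-1 or truncated MACs
$hardCiphers = New-HardenedList $defaultCiphers $ValidCiphers 'arcfour|blowfish|cast128|3des|-cbc$'
$hardMacs    = New-HardenedList $defaultMacs    $ValidMacs    'md5|ripemd|sha1|-96$'

# A name the server does not document is reported before it reaches the registry
Test-AlgorithmList 'aes256-ctr,chacha20-poly1305@openssh.com' $ValidCiphers

# Constructed client preference lists: the sender's order decides
Select-NegotiatedAlgorithm 'aes128-cbc,aes256-ctr' $defaultCiphers   # against the documented default
Select-NegotiatedAlgorithm 'aes128-cbc,aes256-ctr' $hardCiphers      # against the hardened list
Select-NegotiatedAlgorithm 'arcfour,3des-cbc'      $hardCiphers      # no common name: connection aborted
```

The hardened strings ($hardCiphers, $hardMacs) are what would be written to SSHEncryptionAlgorithms and SSHMacAlgorithms; the negotiation calls show that removing a name from the server side is what actually stops a client from selecting it, since a client that prefers a CBC cipher still gets it against the default list.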

SSHPort (DWORD): The TCP port the server will listen on for connections.

SSHPublicKeyEnabled (DWORD): Controls if file based public key authentication is enabled or not. This depends on PubKeyAuthEnabled being set as well. The file to use is contained in the SSHPublicKeyFileName setting.

0 - Off: Windows store based public key authentication will be used. (default)

1 - On: File based public key authentication will be used.

SSHPublicKeyFileName (String): The key file to use for file based public key authentication. Note that the file path indicated may contain the %USERNAME% macro, which will resolve to the name of the user being authenticated.

SSLTunnelCertStore (String): The certificate store where the SSL certificate can be found.

If SSLTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk.

Possible values when SSLTunnelCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelCertStoreType (DWORD): Specifies the type of certificate store where the SSL certificate can be found. Can be one of the following values:

0 - User store

1 - Machine Store

2 - PFX File

4 - PEM File

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelCertStorePassword (String): The password for the certificate store defined in SSLTunnelCertStore, if required.

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelCertSubject (String): The subject of the certificate used during SSL negotiation. Example: "CN=NEWTON".

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelEnabledCipherSuites (String): The enabled cipher suites to be used in SSL negotiation.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the component will pick all of the supported cipher suites. If SSLTunnelEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons. For instance "CALG_AES_256;CALG_3DES". Possible values are:

  • CALG_3DES
  • CALG_3DES_112
  • CALG_AES
  • CALG_AES_128
  • CALG_AES_192
  • CALG_AES_256
  • CALG_AGREEDKEY_ANY
  • CALG_CYLINK_MEK
  • CALG_DES
  • CALG_DESX
  • CALG_DH_EPHEM
  • CALG_DH_SF
  • CALG_DSS_SIGN
  • CALG_ECDH
  • CALG_ECDH_EPHEM
  • CALG_ECDSA
  • CALG_ECMQV
  • CALG_HASH_REPLACE_OWF
  • CALG_HUGHES_MD5
  • CALG_HMAC
  • CALG_KEA_KEYX
  • CALG_MAC
  • CALG_MD2
  • CALG_MD4
  • CALG_MD5
  • CALG_NO_SIGN
  • CALG_OID_INFO_CNG_ONLY
  • CALG_OID_INFO_PARAMETERS
  • CALG_PCT1_MASTER
  • CALG_RC2
  • CALG_RC4
  • CALG_RC5
  • CALG_RSA_KEYX
  • CALG_RSA_SIGN
  • CALG_SCHANNEL_ENC_KEY
  • CALG_SCHANNEL_MAC_KEY
  • CALG_SCHANNEL_MASTER_HASH
  • CALG_SEAL
  • CALG_SHA
  • CALG_SHA1
  • CALG_SHA_256
  • CALG_SHA_384
  • CALG_SHA_512
  • CALG_SKIPJACK
  • CALG_SSL2_MASTER
  • CALG_SSL3_MASTER
  • CALG_SSL3_SHAMD5
  • CALG_TEK
  • CALG_TLS1_MASTER
  • CALG_TLS1PRF

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelCipherStrength (DWORD): The minimum cipher strength used for bulk encryption.

This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Please note that this setting contains the minimum cipher strength requested from the security library.

Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities.

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelEnabledProtocols (DWORD): Used to enable/disable the supported SSL/TLS versions.

Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:

TLS1.2 - 3072 (Hex C00) (Default)
TLS1.1 - 768 (Hex 300) (Default)
TLS1 - 192 (Hex C0) (Default)
SSL3 - 48 (Hex 30)
SSL2 - 12 (Hex 0C)

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelUseInternalSecurityAPI (DWORD): Indicates whether SSL Tunnels should use the system security libraries or an internal implementation.

By default, the tunnel will use the system security libraries to perform cryptographic functions. Setting this to 1 (True) tells the component to use the internal implementation instead of using the system's security API.

Note that this setting is static and will apply to all SSL Tunnels.

SSLTunnelProvider (String): The name of the security provider to use.

Change this setting to use security providers other than the system default.

Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application.

The special value "*" (default) picks the default SSL provider defined in the system.

The special value "Internal" picks the internal SSL implementation. This does not rely on any system libraries. This is equivalent to setting SSLTunnelUseInternalSecurityAPI to True.

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.

SSLTunnelSecurityFlags (DWORD): Flags that control certificate verification.

The following flags are defined (specified in hexadecimal notation). They can be or-ed together to exclude multiple conditions:

0x00000001 - Ignore time validity status of certificate.
0x00000002 - Ignore time validity status of CTL.
0x00000004 - Ignore non-nested certificate times.
0x00000010 - Allow unknown Certificate Authority.
0x00000020 - Ignore wrong certificate usage.
0x00000100 - Ignore unknown certificate revocation status.
0x00000200 - Ignore unknown CTL signer revocation status.
0x00000400 - Ignore unknown Certificate Authority revocation status.
0x00000800 - Ignore unknown Root revocation status.
0x00008000 - Allow test Root certificate.
0x00004000 - Trust test Root certificate.
0x80000000 - Ignore non-matching CN (certificate CN not matching server name).

Note that when set here, and not in the tunnel specific registry keys (as described on the SSL Tunnels page), the value for this setting will be used for all tunnels. The tunnel specific settings may be used to override this value.
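
SSLTunnelEnabledProtocols and SSLTunnelSecurityFlags are both bit fields, and a raw DWORD such as 4032 or 0x80000011 says little to whoever audits the key. The block below is an added example, not part of the PowerShell Server documentation or product code: it decodes each value into the names listed in the two tables above, builds a protocol mask from names (for instance TLS1.2 only), and handles the 0x80000000 flag, which comes back from the registry as a negative 32-bit integer. Function names and the input values are constructed.

```powershell
# Added example, not part of the PowerShell Server documentation or product code.
# Decodes the two bit-field DWORDs, SSLTunnelEnabledProtocols and
# SSLTunnelSecurityFlags, using the values documented for them, so an auditor
# can see which protocol versions are on and which certificate checks have been
# switched off. Input values passed in below are constructed.

$ProtocolBits = [ordered]@{
    'TLS1.2' = 0xC00   # 3072
    'TLS1.1' = 0x300   # 768
    'TLS1'   = 0xC0    # 192
    'SSL3'   = 0x30    # 48
    'SSL2'   = 0x0C    # 12
}

$SecurityFlagBits = [ordered]@{
    0x00000001 = 'Ignore time validity status of certificate'
    0x00000002 = 'Ignore time validity status of CTL'
    0x00000004 = 'Ignore non-nested certificate times'
    0x00000010 = 'Allow unknown Certificate Authority'
    0x00000020 = 'Ignore wrong certificate usage'
    0x00000100 = 'Ignore unknown certificate revocation status'
    0x00000200 = 'Ignore unknown CTL signer revocation status'
    0x00000400 = 'Ignore unknown Certificate Authority revocation status'
    0x00000800 = 'Ignore unknown Root revocation status'
    0x00008000 = 'Allow test Root certificate'
    0x00004000 = 'Trust test Root certificate'
    0x80000000 = 'Ignore non-matching CN'
}

function ConvertTo-UInt32 {
    # A REG_DWORD with the top bit set is read back as a negative Int32; mask it
    param([int64]$Value)
    return [uint32]($Value -band 0xFFFFFFFF)
}

function Get-EnabledProtocols {
    # Protocol names whose bit pattern is fully present in the value
    param([int64]$Value)
    $v = ConvertTo-UInt32 $Value
    return @($ProtocolBits.Keys | Where-Object { ($v -band $ProtocolBits[$_]) -eq $ProtocolBits[$_] })
}

function Get-DisabledCertificateChecks {
    # Descriptions of every verification check the flags switch off
    param([int64]$Value)
    $v = ConvertTo-UInt32 $Value
    return @($SecurityFlagBits.Keys | Where-Object { ($v -band $_) -ne 0 } | ForEach-Object { $SecurityFlagBits[$_] })
}

function New-ProtocolMask {
    # Builds the DWORD that enables exactly the named protocols
    param([string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $ProtocolBits.Contains($n)) { throw "Unknown protocol '$n'" }
        $mask = $mask -bor $ProtocolBits[$n]
    }
    return $mask
}

Get-EnabledProtocols 4032                         # the documented default value
Get-EnabledProtocols (New-ProtocolMask 'TLS1.2')  # a TLS 1.2-only mask (3072)
Get-EnabledProtocols 4092                         # constructed: default with the SSL3 and SSL2 bits added

Get-DisabledCertificateChecks 0                   # nothing ignored: full verification
Get-DisabledCertificateChecks 0x80000011          # constructed: three checks switched off
Get-DisabledCertificateChecks -2147483648         # how 0x80000000 looks when read as a signed DWORD
```

A non-empty result from Get-DisabledCertificateChecks on a production tunnel is worth a ticket on its own: each flag removes one of the checks that make the SSL certificate verification meaningful.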

SupportedTerminals (String): Maps client terminal identification strings to the type of interactive terminal offered by PowerShell Server (VT100, Dumb terminal). This should be a string with the following format:

"<idstring>=vt100|dummy,<idstring>=vt100|dummy...".

For example, to map any client with a terminal identification string beginning with VT to the VT100+ emulation, you can configure this as:

"vt*=vt100"

Any id string not found here will always get the "dumb" terminal by default. The default configuration for this option is:

"vt*=vt100,xterm=vt100"

SvcLogFile (String): If present, the trace information generated by the server will be written to the specified file.

SyslogDaemonHost (String): When running as a Windows service the SSH process will send log messages to the UI process. These are the messages which are logged in the Service tab. By default this communication happens on the loopback adapter of the system. If you wish to send these log messages to a different host instead of the UI process you may set this to the hostname or IP address of the destination to which the Syslog messages will be sent. Syslog facility 23 is used to identify messages from PowerShell Server and filter out any other syslog traffic.

SyslogDaemonPort (DWORD): When running as a Windows service the SSH process will send log messages to the UI process. These are the messages which are logged in the Service tab. By default this communication happens on the loopback adapter of the system on port 514. If this port is in use or you wish to use a different port you may specify this here. This specifies the port on which the UI process will listen for incoming log messages and also the port from which the log messages are sent from the SSH process.

UseFIPSCompliantAPI (DWORD): Determines if only FIPS compliant algorithms and API calls are made during SSH or SSL sessions. This is false by default. Possible values:

0 - Off: Non-FIPS compliant algorithms are allowed (default).

1 - On: Only FIPS compliant algorithms are allowed, and cryptographic calls are made only to FIPS compliant APIs.

UseIPv6 (DWORD): Controls whether IPv4 or IPv6 is used when listening. Connecting clients will need to connect using the appropriate IP version. Possible values are:

0 - Off: IPv4 is used (default).

1 - On: IPv6 is used.

UseInteractiveLogon (DWORD): Controls the type of logon performed by the application when attempting to authenticate users. Can be one of the following values:

0 - Off: Regular network logon is performed. More secure, but can't access remote network resources.

1 - On: Interactive logon is performed. Less secure, but allows access to remote network resources.

WireEncoding (String): Controls the encoding used by the server on the wire for text sent and received by the server. By default, the server will use ISO-8859-1 (Latin-1) encoding.
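
Because every setting on this page lives under one registry key, the whole surface can be reviewed with a single read of that key. The script below is an added example, not part of the PowerShell Server documentation or product code: it reads HKLM:\SOFTWARE\nsoftware\PowerShell\Server\16, treats a missing value as its documented default (and skips settings whose default the page does not give), and reports the values that widen exposure according to an example policy built only from settings described here (AdminLocalOnly, AllowedClients, AuthMaxAttempts, PasswordAuthEnabled, UseInteractiveLogon, LogSSHPackets, SSLTunnelEnabledProtocols, SSLTunnelSecurityFlags, SSHEncryptionAlgorithms, SSHMacAlgorithms). The function names, the rule thresholds and the sample hashtable are constructed.

```powershell
# Added example, not part of the PowerShell Server documentation or product code.
# Reads the root settings key named on this page and reports values that widen
# exposure, using only settings and defaults documented here. A value absent from
# the registry is judged by its documented default; settings whose default the page
# does not give are skipped when absent. The rule set is an example policy.

$PssRegistryPath = 'HKLM:\SOFTWARE\nsoftware\PowerShell\Server\16'

function Get-PssSettings {
    # Returns the key's values as a hashtable, without the provider's PS* metadata
    param([string]$Path = $PssRegistryPath)
    $noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $settings = @{}
    foreach ($p in (Get-ItemProperty -Path $Path -ErrorAction Stop).PSObject.Properties) {
        if ($noise -notcontains $p.Name) { $settings[$p.Name] = $p.Value }
    }
    return $settings
}

# Name, documented default ($null = none given on the page), condition that is a finding, note
$Rules = @(
    @{ Name = 'AdminLocalOnly'; Default = 1; Bad = { param($v) $v -eq 0 }
       Note = 'SSH administration service reachable from other hosts' }
    @{ Name = 'AllowedClients'; Default = '*'; Bad = { param($v) $v -eq '*' }
       Note = 'every client address is accepted' }
    @{ Name = 'AuthMaxAttempts'; Default = 3; Bad = { param($v) $v -gt 3 }
       Note = 'more failed logins allowed than the default of 3' }
    @{ Name = 'PasswordAuthEnabled'; Default = 1; Bad = { param($v) $v -eq 1 }
       Note = 'password authentication accepted (consider public key only)' }
    @{ Name = 'UseInteractiveLogon'; Default = $null; Bad = { param($v) $v -eq 1 }
       Note = 'interactive logon, described on this page as less secure' }
    @{ Name = 'LogSSHPackets'; Default = 0; Bad = { param($v) $v -eq 1 }
       Note = 'raw SSH packets written to the log' }
    @{ Name = 'SSLTunnelEnabledProtocols'; Default = 4032; Bad = { param($v) ($v -band 0x3C) -ne 0 }
       Note = 'SSL2 and/or SSL3 bits (0x0C, 0x30) are set' }
    @{ Name = 'SSLTunnelSecurityFlags'; Default = $null; Bad = { param($v) $v -ne 0 }
       Note = 'one or more certificate verification checks are ignored' }
    @{ Name = 'SSHEncryptionAlgorithms'
       Default = 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
       Bad = { param($v) $v -match 'arcfour|blowfish|cast128|3des|-cbc' }
       Note = 'RC4, Blowfish, CAST, 3DES or CBC ciphers offered' }
    @{ Name = 'SSHMacAlgorithms'
       Default = 'hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160-96'
       Bad = { param($v) $v -match 'md5|ripemd|-96' }
       Note = 'MD5, RIPEMD-160 or truncated MACs offered' }
)

function Invoke-PssAudit {
    param([hashtable]$Settings)
    foreach ($rule in $Rules) {
        $fromRegistry = $Settings.ContainsKey($rule.Name)
        $value = if ($fromRegistry) { $Settings[$rule.Name] } else { $rule.Default }
        if ($null -eq $value) { continue }   # absent and no documented default: nothing to judge
        if (& $rule.Bad $value) {
            $source = if ($fromRegistry) { 'registry' } else { 'default' }
            [pscustomobject]@{ Setting = $rule.Name; Value = $value; Source = $source; Finding = $rule.Note }
        }
    }
}

# Constructed sample of what Get-PssSettings returns on a partially hardened host
$sample = @{
    AdminLocalOnly            = 0
    AllowedClients            = '10.20.0.*,jump.corp.example'
    SSLTunnelEnabledProtocols = 4092
    SSHMacAlgorithms          = 'hmac-sha2-256,hmac-sha2-512'
}
Invoke-PssAudit -Settings $sample | Format-Table -AutoSize

# Against the live key (requires read access to HKLM):
# Invoke-PssAudit -Settings (Get-PssSettings) | Format-Table -AutoSize
```

The Source column matters when reading the report: a finding marked "default" means the value was never written and the server is running on the documented default, so the fix is to create the value rather than change it.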

Copyright (c) 2017 /n software inc. - All rights reserved.
PowerShell Server 2016 - Version 16.0 [Build 6335]