Register URL for Non-Admin Service User


To use HTTP.SYS as a non-administrator user, the user must be granted the right to do so. The rights are granted with the httpcfg tool (Support Tools for XP/2003). The tool needs two parameters to add a urlacl:


The parameter -u specifies the listen URI. It can use the http or the https scheme; a "+" as the hostname means all IP addresses.


The parameter -a specifies, as a DACL (part of SDDL), the rights for the specified URI.



The DACL starts with "D:", followed in parentheses by 6 tokens, separated by semicolons, which define one ACE (access control entry).




t1: ACE Type (A=Allowed/D=Denied)

t2: ACE Flags (can be empty)

t3: Permissions (GA=All; GW=Write; GX=Execute, which is necessary to start a listener)

t4: Object Type (can be empty)

t5: Inherited Object Type (can be empty)

t6: Trustee (contains the SID of a user or group, or a well-known SID, e.g. WD=Everyone)


Syntax SDDL





Create the right to open a listener for Everyone:

httpcfg set urlacl -u http://+:7777/ -a "D:(A;;GX;;;WD)"


Create the right to open a listener for a specified user:

httpcfg set urlacl -u http://+:7777/ -a "D:(A;;GX;;;S-3-5-21-1654004503-842923446-725354543-102)"


Show all urlacls on a system:

httpcfg query urlacl
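When reviewing existing reservations, it helps to split each DACL into the six tokens described above and to flag entries that let a very broad group start a listener. The following is an added example, not part of the original post or of httpcfg: the function names, the extra well-known aliases (AU, BU, AN) and the sample reservations with their placeholder SID are assumptions, and the DACL strings are expected to be supplied by hand.

```python
import re

# Field names follow the page's t1..t6 token list.
FIELDS = ("ace_type", "ace_flags", "permissions",
          "object_type", "inherited_object_type", "trustee")
# Well-known SID aliases that cover very large groups of accounts.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
                  "BU": "Built-in Users", "AN": "Anonymous"}
# GX is the right needed to start a listener; GA (all) includes it.
LISTEN_RIGHTS = {"GX", "GA"}


def parse_dacl(sddl):
    """Split 'D:(...)(...)' into one dict of six tokens per ACE."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl.strip())
    if not m:
        raise ValueError("not a DACL string: %r" % sddl)
    aces = []
    for raw in re.findall(r"\(([^()]*)\)", m.group(2)):
        tokens = raw.split(";")
        if len(tokens) != 6:
            raise ValueError("ACE needs 6 tokens, got %d: %r" % (len(tokens), raw))
        aces.append(dict(zip(FIELDS, tokens)))
    return aces


def rights(ace):
    """Split concatenated two-letter rights ('GXGW'); hex masks are not decoded."""
    p = ace["permissions"]
    return {p[i:i + 2] for i in range(0, len(p), 2)}


def audit(url, sddl):
    """Return findings for Allow ACEs that let a broad group open a listener."""
    findings = []
    for ace in parse_dacl(sddl):
        granted = rights(ace) & LISTEN_RIGHTS
        who = BROAD_TRUSTEES.get(ace["trustee"])
        if ace["ace_type"] == "A" and granted and who:
            findings.append("%s: %s may listen (%s)" % (url, who, ",".join(sorted(granted))))
    return findings


if __name__ == "__main__":
    # Constructed sample reservations; the SID is a made-up placeholder.
    sample = {"http://+:7777/": "D:(A;;GX;;;WD)",
              "http://+:8888/": "D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1001)"}
    for url, sddl in sample.items():
        print(audit(url, sddl) or "%s: ok" % url)
```

A reservation granted to a single service account SID produces no finding, while the Everyone (WD) form is reported.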


Delete a urlacl on a system:

httpcfg delete urlacl -u http://+:7777/


There is a GUI tool which can be used to create urlacl and SSL rules for HTTP.SYS.


Posted Aug 02 2006, 09:36 AM by Rolf Nebhuth