Managing Registry Keys
Network administrators can modify Ivanti Device and Application Control registry keys, so that Application Control and Device Control can operate more effectively or efficiently in unique network environments or according to specific enterprise network policies.
Registry keys can be used to adapt Application Control and Device Control according to enterprise-specific network environment policies and requirements. Registry keys that can be modified include:
- Application Server keys
- Client keys
- Management Console keys
The database connection registry key parameters allow you to define Application Server behavior during periods of database connectivity loss. The Application Server can run with intermittent database connectivity, ignoring the lack of database connection for specified periods. During these periods, the Application Server retries connecting to the database. After repeatedly attempting to establish database connectivity, the Application Server declines further connectivity requests from the client and console, until database connectivity is restored.
The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
DbConnectionCount | Shows the number of database connections in the connection pool. | 20 |
DbConnectionString | Shows the driver, server, database, and trusted connection or user name and password. | Provider=sqloledb; DataSource= ; InitialCatalog=sx; Trusted_Connection=yes |
DbInitializationDelay | Shows the period in seconds that the Application Server waits before contacting the SQL server. | 300 |
The registry key parameters for the Ivanti Device and Application Control Authorization Service tool are shown in the following table.
Key Name | Description | Default Values |
---|---|---|
CmdLineBlockParams | Allows the user to set up assignment mode, group name(s), and filters in the FileTool.exe command line parameters. | -a1 = Microsoft Update Files |
Log file name | Depends upon the Log to file value. | authSrvHlpr.log |
Log to file | Sends debug messages to the log file. yes = 1 | no = 0 |
OutputDirectory | Directory path where output XML reports are located. | C:\Program Files\Ivanti\Device and Application Control\Authorization Service\Logs\ |
SendMail | The service sends e-mail at the end of the scan, which includes the command line and attached XML report. | no = 0 |
SXSServer | Name or IP address of the Application Server. | Not applicable. |
VerboseReport | Report mode. no = normal report mode | yes = verbose report mode |
WSUSContentDirectory | Absolute directory path where WSUS files are located. | C:\ |
You can use the debugging registry key parameters to specify the behavior for debugging the Application Server.
The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Key Name | Description | Default Value |
---|---|---|
Debug | For the Application Server running as a service, a debugger will launch and attach to the server when the value is set to yes = 1. | no = 0 |
Log file name | Shows the name of the log file written when Log to file = yes. | sxs.log |
Log to console | Sends debug messages to the console when the value is set to yes = 1. | no = 0 |
Log to dbwin | Sends debug messages to the DBwin32 when the value is set to yes = 1. | no = 0 |
Log to file | Sends debug messages to the log file when the value is set to yes = 1. | no = 0 |
Log file size | Sets the maximum size of a log file (in bytes). When the file size is reached, a new log file with an incremented filename is created. The limit may be exceeded by a small amount. | 16777216 |
Log file count | Sets the maximum number of log files to retain. | 8 |
VerboseSyncLogging | The Application Server logs the important object attributes retrieved during domain synchronization. | no = 0 |
The general registry key parameters govern the general behavior of the Application Server.
The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
AdoVersion | Specifies a string representing the version of Active Directory objects used. | No value. |
Concurrency | Shows how many running threads are allowed for the input/output connection port (IOCP). Zero is equivalent to one thread per central processing unit (CPU). Maximum number equals MaxThreads. | 0=auto |
DataFileDirectory | Shows the name of the base directory where the Application Server stores data files. | C:\DataFileDirectory |
SysLogGenerateMsg | Determines what type of logs are sent to the SysLog server. 1 = Audit logs only; 2 = System logs only | 3 = Audit and system logs |
SysLogServerAddress | The SysLog server that the Application Server sends server and audit log events to. | Specified during initial client installation. |
SyncContinueOnError | When set to true, configures the Application Server to log duplicate user or machine SIDs (or other ACL errors), instead of aborting, during a directory synchronization. Errors are recorded to the Application Server log (default sxs.log). | No default value. Key must be manually created and set to true. |
The security registry key parameters govern the security configuration for the Application Server.
The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
CommVer | Specifies the client-server communication protocol that the Application Server uses as follows: 1 = Client versions 3.1 or 3.2; 2 = Client version 4.0 or higher; 3 = Client version 4.0 or higher with TLS enabled | 3 |
MaxSockets | Specifies the maximum number of TCP connections allowed at any time. | 5000 |
Port | Specifies the TCP port where the socket-based Application Server listens for new connections. Minimum value = 1; Maximum value = 65534 | 65129 |
RpcProtectionLevel | Specifies whether the RPC server requires RPC clients to authenticate. 0 = OS selects protection level; 1 = No protection; 2 = Client identity is verified when connecting to the Ivanti Device and Application Control Application Server; 3 = Examines client credentials for TCP connection; 4 = Examines client credentials for TCP connection, adds cryptographic signature to every packet; 5 = Examines client credentials for TCP connection, adds additional cryptographic signature to every packet; 6 = Examines client credentials for TCP connection, adds cryptographic signature to every packet, and encrypts data in both directions | 6 |
SecureInterSxs | Specifies that inter-Ivanti Device and Application Control Application Server communication use the TLS protocol. | no |
SndPort | Specifies the TCP port where the Ivanti Device and Application Control client listens for new connections. Minimum value = 1; Maximum value = 65534 | 33115 |
SxdConnectTimeoutMSec | Specifies the time in milliseconds that the Application Server waits to accept a TCP connection for the client. The value should be between 500 and 120000 ms. | 5000 |
SxdPort | Specifies the TCP port where the built-in client server listens for new connections. Minimum value = 1; Maximum value = 65534 | 33115 |
TLSMaxSockets | Specifies the maximum number of TCP connections allowed when using the TLS protocol. | 0 |
TLSPort | Specifies the TLS port where the socket-based Application Server listens for new connections. Minimum value = 1; Maximum value = 65534 | 65229 |
Configure MaxSockets
When certain security registry key parameters interact, some of the combinations formed are not valid as shown in the following table.
SecureInterSxs | CommVer | TLSMaxSockets | MaxSockets | Combined Result |
---|---|---|---|---|
No | <3 | 0 | 0 | Not valid |
No | <3 | 0 | >0 | Valid |
No | <3 | >0 | 0 | Not valid |
No | <3 | >0 | >0 | Valid |
No | 3 | 0 | 0 | Not valid |
No | 3 | 0 | >0 | Not valid |
No | 3 | >0 | 0 | Not valid |
No | 3 | >0 | >0 | Valid |
Yes | <3 | 0 | 0 | Not valid |
Yes | <3 | 0 | >0 | Not valid |
Yes | <3 | >0 | 0 | Valid |
Yes | <3 | >0 | >0 | Valid |
Yes | 3 | 0 | 0 | Not valid |
Yes | 3 | 0 | >0 | Not valid |
Yes | 3 | >0 | 0 | Valid |
Yes | 3 | >0 | >0 | Valid |
Configuring MaxSockets and TLSMaxSockets
The following table describes the parameters used for the MaxSockets and TLSMaxSockets configuration rules.
TLSMaxSockets and MaxSockets Values | Description |
---|---|
TLSMaxSockets>0 AND MaxSockets=0 | Only TLS connections are available for Application Server-client communication using the TLSPort port specification. |
TLSMaxSockets=0 AND MaxSockets>0 | Only non-TLS connections are available for Application Server-client communication using the Port port specification. |
TLSMaxSockets>0 AND MaxSockets>0 | Both TLS and non-TLS connections are available for Application Server-client communication using the TLSPort and Port port specifications. |
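
The combination table and the MaxSockets/TLSMaxSockets rules above can be checked mechanically before a change is rolled out. The PowerShell below is an added example, not Ivanti code: the function name `Test-SxsSocketConfig` and the sample values are made up for illustration, and the set of valid rows is copied from the table on this page.

```powershell
# Added example, not vendor code. Rows the combination table marks "Valid",
# written as SecureInterSxs|CommVer|TLSMaxSockets|MaxSockets.
$ValidRows = @(
    'No|<3|0|>0',  'No|<3|>0|>0',  'No|3|>0|>0',
    'Yes|<3|>0|0', 'Yes|<3|>0|>0', 'Yes|3|>0|0', 'Yes|3|>0|>0'
)

function Test-SxsSocketConfig {                         # hypothetical function name
    param([Parameter(Mandatory)] [hashtable] $Params)   # value name -> REG_SZ text

    foreach ($name in 'SecureInterSxs', 'CommVer', 'TLSMaxSockets', 'MaxSockets') {
        if (-not $Params.ContainsKey($name)) { throw "Missing value: $name" }
    }
    $secure = "$($Params.SecureInterSxs)".Trim().ToLowerInvariant()
    if ($secure -notin 'yes', 'no') { throw "SecureInterSxs must be yes or no, got '$secure'" }
    $commVer = [int]$Params.CommVer
    if ($commVer -lt 1 -or $commVer -gt 3) { throw "CommVer must be 1, 2 or 3, got $commVer" }
    $tls = [int]$Params.TLSMaxSockets
    $max = [int]$Params.MaxSockets
    if ($tls -lt 0 -or $max -lt 0) { throw 'Socket limits cannot be negative' }

    # Reduce the raw values to the categories the table uses.
    $row = @(
        if ($secure -eq 'yes') { 'Yes' } else { 'No' }
        if ($commVer -eq 3)    { '3' }   else { '<3' }
        if ($tls -gt 0)        { '>0' }  else { '0' }
        if ($max -gt 0)        { '>0' }  else { '0' }
    ) -join '|'

    # Listener availability, from the MaxSockets/TLSMaxSockets rules table.
    $listeners = if ($tls -gt 0 -and $max -gt 0) {
        'TLS on TLSPort and non-TLS on Port'
    } elseif ($tls -gt 0) {
        'TLS only, on TLSPort'
    } elseif ($max -gt 0) {
        'non-TLS only, on Port'
    } else { 'none' }

    [pscustomobject]@{ Row = $row; Valid = ($ValidRows -contains $row); Listeners = $listeners }
}

# Constructed sample values, not read from a real server.
$sample = @{ SecureInterSxs = 'no'; CommVer = '3'; TLSMaxSockets = '500'; MaxSockets = '5000' }
Test-SxsSocketConfig -Params $sample

# On an Application Server, build the hashtable from the documented key instead:
# $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\sxs\parameters'
# $live = @{}; $p.PSObject.Properties | ForEach-Object { $live[$_.Name] = $_.Value }
```
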
The registry key parameters for Ivanti Device and Application Control Command & Control (SCC) that govern the behavior for all communication between the server, the client(s), and the Certificate Authority (CA) server are shown in the following table.
The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scomc\parameters registry key parameters for the Ivanti Device and Application Control Command & Control module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Key Name | Description | Default Value |
---|---|---|
CertGeneration | Yes = Client is in automatic mode and requests CA certificate. No = Client is in manual mode and a user certificate must be generated manually. | Defined during client install. |
ImportDir | Shows the directory used to import the policies file. | C:\Program Files\Ivanti\Device and Application Control\\Import |
ListenPort | Shows a port number value set between 1025 and 65536 (port numbers 0 to 1024 are reserved for privileged services). | Port number 33115 is the default value. |
Log file name | Shows the name of the log file. | scomc.log |
Log to console | Yes = Sends debug messages to console. No = No debug messages sent to console. | No default value. |
Log to dbwin | Yes = Sends debug messages to dbwin. No = No debug messages sent to dbwin. | No |
Log to file | Yes = Sends debug messages to log file. No = No debug messages sent to log file. | No |
Log file size | Sets the maximum size of a log file (in bytes). When the file size is reached, a new log file with an incremented filename is created. The limit may be exceeded by a small amount. | 16777216 |
Log file count | Sets the maximum number of log files to retain. | 8 |
Servers | Shows a list of Application Server names by FQDN or IP address. | Defined during server install. |
SyncPeriod | Shows the time in milliseconds for synchronization periods between the Application Server and the client. | 3,600,000 ms (one hour) is the default value. |
TicketDir | Shows the directory where endpoint maintenance tickets are stored. | Cannot modify this key. |
UseTLS | Yes = TLS protocol used. No = TLS protocol not used. | Defined during server install. |
The client kernel parameter sub-entries are shown in the following table.
The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\parameters registry key parameters for the client kernel. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
EncryptionMode | Encryption mode in which SK runs, as one of the following masks: encLpc = 1; encFips = 2 | encDefault = 0 |
NDISInstallation | Specifies how SCOMC installs SK-NDIS. 1 = Uninstall only an existing SK-NDIS driver. 2 = Uninstall an existing SK-NDIS driver, then install a new SK-NDIS driver. | None |
The registry key parameters that govern the application software configuration are shown in the following table.
The following table describes the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC registry key parameters for the Management Console module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
EnableAuthEpResolution | Sets the RestrictRemoteClients functionality status for the RPC interface. Remote and anonymous RPC call is available only if: | 0 |
The Application Server registry key parameters allow you to define the default server and the number of servers connected to the database and console.
The following table describes the HKEY_CURRENT_USER\SOFTWARE\Lumension\Endpoint Security\Server registry key parameters for the Application Server module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
DefaultServer | Name of the last Application Server that the Management Console connected to. | None |
Server List | Lists the names of the Application Servers that the Management Console connected to. Server names are separated by commas. | None |
The Authorization Wizard registry key parameters allow you to define the behavior for communication between the Application Server and the wizard.
The following table describes the HKEY_CURRENT_USER\SOFTWARE\Lumension\Endpoint Security\SecureEXE\AuthWiz\Parameters registry key parameters for the Authorization Wizard module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.
Parameter Name | Description | Default Value |
---|---|---|
AutoAssign | Specifies whether the Application Server should assign the hashed files to a file group. | Yes |
DefaultServer | The Application Server that the Authorization Wizard sends a result to. The value is the Application Server IP address. | 127.0.0.1 |
DefaultTemDir | The file location where the Authorization Wizard stores results before uploading to an Application Server. | %TEMP% |
Conflicts may occur between drivers that exist on managed endpoints and the Ivanti Device and Application Control driver. In these cases, you can create registry entries to exclude the conflicting driver from protection by Ivanti Device and Application Control.
You can repeat this procedure to create multiple registry entries for each driver conflict.
- Open the Windows registry on the client computer.
- Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters.
- Select New > DWORD (32-bit) Value.
  A new entry is created.
- In the Name column for the new entry, type the file path to the driver that you want to exclude.
- Press Enter.
- Right-click the new registry entry.
- Select Modify.
- Enter 0 in the Value data field.
- Click OK.
The value for the new registry entry is set. The driver specified in the registry entry name will be excluded from protection by Ivanti Device and Application Control.
Installing Ivanti Device and Application Control on Windows 7 operating systems may trigger a security audit resulting in a false error message reporting invalid hashes. Adding a registry key will prevent the audit and the resulting error message from occurring.
- Open the Windows registry on the client computer.
- Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters.
- Select New > DWORD (32-bit) Value.
  A new entry is created.
- In the Name column for the new entry, type ExcludeProtectedProcesses.
- Press Enter.
- Right-click the new registry entry.
- Select Modify.
- Enter 1 in the Value data field.
- Click OK.
The value for the new registry entry is set.
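
Both procedures above add DWORD values under sk\Parameters that reduce what the client protects or audits, so the key is worth reviewing periodically. The PowerShell below is an added example, not Ivanti code: the function name, the allow-list parameter and the sample data are made up for illustration, and it assumes a driver exclusion can be recognised by a value name containing a backslash, since the name is the driver's file path.

```powershell
# Added example, not vendor code: list entries in sk\Parameters that match the
# two procedures above (driver exclusions and ExcludeProtectedProcesses).
function Get-SkProtectionOverride {                   # hypothetical function name
    param(
        [Parameter(Mandatory)] [hashtable] $Values,   # value name -> value data
        [string[]] $ApprovedDrivers = @()             # hypothetical allow-list
    )
    foreach ($name in ($Values.Keys | Sort-Object)) {
        $data    = $Values[$name]
        $isDword = $data -is [int] -or $data -is [uint32]

        # Assumption: an exclusion is a DWORD 0 whose name is a file path.
        if ($isDword -and $data -eq 0 -and $name.Contains('\')) {
            [pscustomobject]@{
                Setting  = 'Driver excluded from protection'
                Name     = $name
                Approved = $ApprovedDrivers -contains $name
            }
        } elseif ($name -eq 'ExcludeProtectedProcesses' -and $isDword -and $data -eq 1) {
            [pscustomobject]@{
                Setting  = 'Security audit suppressed'
                Name     = $name
                Approved = $null      # not a per-driver setting
            }
        }
    }
}

# Constructed sample data; the driver paths are placeholders.
$sample = @{
    'EncryptionMode'                           = '0'
    'ExcludeProtectedProcesses'                = 1
    'C:\Windows\System32\drivers\exampleA.sys' = 0
    'C:\Windows\System32\drivers\exampleB.sys' = 0
}
Get-SkProtectionOverride -Values $sample -ApprovedDrivers 'C:\Windows\System32\drivers\exampleA.sys'

# On a client, build the hashtable from the documented key instead:
# $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\sk\Parameters'
# $live = @{}; $p.PSObject.Properties | ForEach-Object { $live[$_.Name] = $_.Value }
```

Entries reported with `Approved` set to False are exclusions that are not on the allow-list passed in.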