Netsh http commands

Use netsh http to query and configure HTTP.sys settings and parameters.


If you are using Windows PowerShell on a computer running Windows Server or Windows 10, type netsh and press Enter. At the netsh prompt, type http and press Enter to get the netsh http prompt.

       netsh http>

The available netsh http commands are:

add iplisten

Adds a new IP address to the IP listen list, excluding the port number.


add iplisten [ ipaddress= ] IPAddress


Parameter Description Requirement
ipaddress The IPv4 or IPv6 address to be added to the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "" means any IPv4 address and "::" means any IPv6 address. Required


Following are four examples of the add iplisten command.

  • add iplisten ipaddress=fe80::1
  • add iplisten ipaddress=
  • add iplisten ipaddress=
  • add iplisten ipaddress=::

add sslcert

Adds a new SSL server certificate binding and corresponding client certificate policies for an IP address and port.


add sslcert [ ipport= ] IPAddress:port [ certhash= ] CertHash [ appid= ] GUID [ [ certstorename= ] CertStoreName [ verifyclientcertrevocation= ] enable | disable [ verifyrevocationwithcachedclientcertonly= ] enable | disable [ usagecheck= ] enable | disable [ revocationfreshnesstime= ] U-Int [ urlretrievaltimeout= ] U-Int [ sslctlidentifier= ] SslCtlIdentifier [ sslctlstorename= ] SslCtlStoreName [ dsmapperusage= ] enable | disable [ clientcertnegotiation= ] enable | disable ]


Parameter Description Requirement
ipport Specifies the IP address and port for the binding. A colon character (:) is used as a delimiter between the IP address and the port number. Required
certhash Specifies the SHA hash of the certificate. This hash is 20 bytes long and is specified as a hexadecimal string. Required
appid Specifies the GUID to identify the owning application. Required
certstorename Specifies the store name for the certificate. Defaults to MY. Certificate must be stored in the local machine context. Optional
verifyclientcertrevocation Turns on/off verification of revocation of client certificates. Optional
verifyrevocationwithcachedclientcertonly Specifies whether using only the cached client certificate for revocation checking is enabled or disabled. Optional
usagecheck Specifies whether the usage check is enabled or disabled. Default is enabled. Optional
revocationfreshnesstime Specifies the time interval, in seconds, to check for an updated certificate revocation list (CRL). If this value is zero, then the new CRL is updated only if the previous one expires. Optional
urlretrievaltimeout Specifies the timeout interval (in milliseconds) for the attempt to retrieve the certificate revocation list from the remote URL. Optional
sslctlidentifier Specifies the list of the certificate issuers that can be trusted. This list can be a subset of the certificate issuers that are trusted by the computer. Optional
sslctlstorename Specifies the certificate store name under LOCAL_MACHINE where SslCtlIdentifier is stored. Optional
dsmapperusage Specifies whether DS mappers are enabled or disabled. Default is disabled. Optional
clientcertnegotiation Specifies whether negotiation of the certificate is enabled or disabled. Default is disabled. Optional


Following is an example of the add sslcert command.

add sslcert ipport= certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

add timeout

Adds a global timeout to the service.


add timeout [ timeouttype= ] IdleConnectionTimeout | HeaderWaitTimeout [ value=] U-Short


Parameter Description
timeouttype Type of timeout to set.
value Value of the timeout (in seconds). If the value is in hexadecimal notation, then add the prefix 0x.


Following are two examples of the add timeout command.

  • add timeout timeouttype=idleconnectiontimeout value=120
  • add timeout timeouttype=headerwaittimeout value=0x40

add urlacl

Adds a Uniform Resource Locator (URL) reservation entry. This command reserves the URL for non-administrator users and accounts. The DACL can be specified by using an NT account name with the listen and delegate parameters or by using an SDDL string.


add urlacl [ url= ] URL [ [user=] User [ [ listen= ] yes | no [ delegate= ] yes | no ] | [ sddl= ] SDDL ]


Parameter Description Requirement
url Specifies the fully qualified Uniform Resource Locator (URL). Required
user Specifies the user or user-group name. Required
listen Specifies one of the following values: yes: Allow the user to register URLs. This is the default value. no: Deny the user from registering URLs. Optional
delegate Specifies one of the following values: yes: Allow the user to delegate URLs. no: Deny the user from delegating URLs. This is the default value. Optional
sddl Specifies an SDDL string that describes the DACL. Optional


Following are four examples of the add urlacl command.

delete cache

Deletes all the entries, or a specified entry, from the HTTP service kernel URI cache.


delete cache [ [ url= ] URL [ [ recursive= ] yes | no ] ]


Parameter Description Requirement
url Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete. Optional
recursive Specifies whether all entries under the url cache get removed. yes: remove all entries. no: do not remove all entries. Optional


Following are two examples of the delete cache command.

delete iplisten

Deletes an IP address from the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds.


delete iplisten [ ipaddress= ] IPAddress


Parameter Description Requirement
ipaddress The IPv4 or IPv6 address to be deleted from the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "" means any IPv4 address and "::" means any IPv6 address. This does not include the port number. Required


Following are four examples of the delete iplisten command.

  • delete iplisten ipaddress=fe80::1
  • delete iplisten ipaddress=
  • delete iplisten ipaddress=
  • delete iplisten ipaddress=::

delete sslcert

Deletes SSL server certificate bindings and corresponding client certificate policies for an IP address and port.


delete sslcert [ ipport= ] IPAddress:port


Parameter Description Requirement
ipport Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings get deleted. A colon character (:) is used as a delimiter between the IP address and the port number. Required


Following are three examples of the delete sslcert command.

  • delete sslcert ipport=
  • delete sslcert ipport=
  • delete sslcert ipport=[::]:443

delete timeout

Deletes a global timeout and makes the service revert to default values.


delete timeout [ timeouttype= ] idleconnectiontimeout | headerwaittimeout


Parameter Description Requirement
timeouttype Specifies the type of timeout setting. Required


Following are two examples of the delete timeout command.

  • delete timeout timeouttype=idleconnectiontimeout
  • delete timeout timeouttype=headerwaittimeout

delete urlacl

Deletes URL reservations.


delete urlacl [ url= ] URL


Parameter Description Requirement
url Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete. Required


Following are two examples of the delete urlacl command.

flush logbuffer

Flushes the internal buffers for the log files.


flush logbuffer

show cachestate

Lists cached URI resources and their associated properties. This command either lists all resources and associated properties cached in the HTTP response cache or displays a single resource and its associated properties.


show cachestate [ [url= ] URL]


Parameter Description Requirement
url Specifies the fully qualified URL that you want to display. If not specified, display all URLs. The URL could also be a prefix to registered URLs. Optional


Following are two examples of the show cachestate command:

show iplisten

Displays all IP addresses in the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "" means any IPv4 address and "::" means any IPv6 address.


show iplisten

show servicestate

Displays a snapshot of the HTTP service.


show servicestate [ [ view= ] session | requestq ] [ [ verbose= ] yes | no ]


Parameter Description Requirement
view Specifies whether to view a snapshot of the HTTP service state based on the server session or the request queues. Optional
verbose Specifies whether to display verbose information that also shows property information. Optional


Following are two examples of the show servicestate command.

  • show servicestate view="session"
  • show servicestate view="requestq"

show sslcert

Displays Secure Sockets Layer (SSL) server certificate bindings and corresponding client certificate policies for an IP address and port.


show sslcert [ ipport= ] IPAddress:port


Parameter Description Requirement
ipport Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings display. A colon character (:) is used as a delimiter between the IP address and the port number. If you do not specify ipport, all bindings are displayed. Required


Following are five examples of the show sslcert command.

  • show sslcert ipport=[fe80::1]:443
  • show sslcert ipport=
  • show sslcert ipport=
  • show sslcert ipport=[::]:443
  • show sslcert
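
An added example, not from the original page: a PowerShell sketch that parses show sslcert output and reports settings that differ from the defaults listed in the add sslcert parameter table, plus client-certificate negotiation without revocation checking. The helper names are hypothetical, the sample output is constructed, and the field labels assume English-locale netsh output.

```powershell
# Constructed sample of `netsh http show sslcert` output (English labels assumed).
# The hash and application ID are the placeholder values from the page's example.
$sample = @'
    IP:port                      : [::]:443
    Certificate Hash             : 0102030405060708090a0b0c0d0e0f1011121314
    Application ID               : {00112233-4455-6677-8899-AABBCCDDEEFF}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Disabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
'@ -split "`r?`n"

function ConvertFrom-NetshSslCert {           # hypothetical helper name
    param([string[]]$Lines)
    $b = $null
    foreach ($line in $Lines) {
        # Split at the first " : " so colons inside IP:port values survive.
        if ($line -notmatch '^\s+(?<k>.+?)\s+:\s(?<v>.*)$') { continue }
        if ($Matches.k -eq 'IP:port') {       # each binding starts with this field
            if ($null -ne $b) { [pscustomobject]$b }
            $b = [ordered]@{}
        }
        if ($null -ne $b) { $b[$Matches.k] = $Matches.v.Trim() }
    }
    if ($null -ne $b) { [pscustomobject]$b }
}

function Get-SslBindingFinding {              # hypothetical helper name
    param($Binding)
    if ($Binding.'Certificate Hash' -notmatch '^[0-9a-fA-F]{40}$') { 'certhash is not a 20-byte hex string' }
    if ($Binding.'Usage Check' -ne 'Enabled') { 'usagecheck differs from default (enabled)' }
    if ($Binding.'DS Mapper Usage' -ne 'Disabled') { 'dsmapperusage differs from default (disabled)' }
    if ($Binding.'Negotiate Client Certificate' -eq 'Enabled') {
        'clientcertnegotiation differs from default (disabled)'
        if ($Binding.'Verify Client Certificate Revocation' -ne 'Enabled') {
            'client certificates are requested but revocation is not verified'
        }
    }
}

foreach ($b in ConvertFrom-NetshSslCert -Lines $sample) {
    [pscustomobject]@{ Binding = $b.'IP:port'; Findings = @(Get-SslBindingFinding $b) -join '; ' }
}
```

On a live system, pass the output of netsh http show sslcert as -Lines in place of the sample.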

show timeout

Displays, in seconds, the timeout values of the HTTP service.


show timeout

show urlacl

Displays discretionary access control lists (DACLs) for the specified reserved URL or all reserved URLs.


show urlacl [ [url= ] URL]


Parameter Description Requirement
url Specifies the fully qualified URL that you want to display. If not specified, display all URLs. Optional
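
An added example, not part of the original page: because add urlacl reserves a URL for non-administrator accounts, this PowerShell sketch parses show urlacl output and lists reservations whose SDDL grants rights to broad groups. The function name, sample URLs and accounts are constructed; the English field labels and the reading of GX, GW and GA as listen, delegate and both are assumptions drawn from general HTTP.sys behaviour, not from this page.

```powershell
# Constructed sample of `netsh http show urlacl` output (English labels assumed).
$sample = @'
    Reserved URL            : http://+:8080/app/
        User: BUILTIN\Users
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;BU)

    Reserved URL            : https://+:8443/svc/
        User: NT AUTHORITY\NETWORK SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;NS)

    Reserved URL            : http://+:9000/shared/
        User: \Everyone
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;WD)
'@ -split "`r?`n"

function Get-BroadUrlReservation {            # hypothetical helper name
    param([string[]]$Lines)
    # SDDL aliases for groups that cover most or all local accounts.
    $broad  = @{ WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'; IU = 'INTERACTIVE' }
    # Generic rights as read in a URL reservation DACL (assumption, see lead-in).
    $rights = @{ GX = 'listen'; GW = 'delegate'; GA = 'listen+delegate' }
    # ACE layout: (type;flags;rights;object;inherit-object;trustee)
    $ace = '\((?<type>[^;]*);[^;]*;(?<mask>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    $url = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(?<url>\S+)') { $url = $Matches.url; continue }
        if ($line -notmatch '^\s*SDDL:\s*(?<sddl>\S+)') { continue }
        foreach ($m in [regex]::Matches($Matches.sddl, $ace)) {
            $sid  = $m.Groups['sid'].Value
            $mask = $m.Groups['mask'].Value
            # Report only allow ACEs (type A) whose trustee is a broad group.
            if ($m.Groups['type'].Value -ne 'A' -or -not $broad.ContainsKey($sid)) { continue }
            [pscustomobject]@{
                Url     = $url
                Trustee = $broad[$sid]
                Rights  = if ($rights.ContainsKey($mask)) { $rights[$mask] } else { $mask }
            }
        }
    }
}

Get-BroadUrlReservation -Lines $sample
```

Each reported row is a candidate for delete urlacl followed by add urlacl with a narrower user or sddl value.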


Following are three examples of the show urlacl command.