Have you been looking for a download of the IIS Administration cmdlets for PowerShell for Windows 7 or Windows Server 2012 R2?

For earlier versions of Windows the IIS PowerShell Snap-in was a download, but with Windows 7 and Windows Server 2012 R2 the IIS PowerShell Snap-in is built into the operating system.

To enable the IIS PowerShell Cmdlets on Windows 7, please follow these steps.


1. From the Start menu, type in Windows Features, and select Turn Windows features on or off.



2. In the Windows Features control panel, expand Internet Information Services, expand Web Management Tools, and place checks next to IIS Management Scripts and IIS Management Service.  Click OK to install.



3. When you need to use the IIS PowerShell Cmdlets, please follow these steps.

Open an Administrative PowerShell, and run the following commands.

Set-ExecutionPolicy Unrestricted -Force

Import-Module WebAdministration

Set-Location IIS:\


The output should resemble the PowerShell window below.


You are now ready to use the IIS PowerShell Cmdlets on Windows 7.

Note: On an IIS 7.5 Server you may only need to complete step number 3.

However, if you need to install the IIS Management Scripts and IIS Management Service on Windows Server 2012, the “Windows Features” step will take you into the Server Manager.

Once in the Server Manager, you should start by selecting Roles. Once there you need to determine if IIS is already installed.

In the Roles Summary section, if you see Web Server (IIS) then IIS is installed.

If IIS is already installed scroll down to find the Web Server (IIS) section and click Add Role Service.

From here you will need to install the IIS Management Scripts and IIS Management Service.

If IIS is not installed, click Add Role, select Web Server (IIS), and while selecting the role services ensure that you select IIS Management Scripts and IIS Management Service.

I recently encountered the error “The path is not of a legal form.” from the IIS 7.0 Manager, but was unable to find any documentation on the error.  Oddly this error didn’t log anything in the System Event Log either. 

The error sounds like a config issue so I focused on web.config and applicationHost.config.


When expanding a website in the IIS Manager we get the error below. This happens only for one specific web site; other sites on the server are fine. Additionally, the problematic site continues to serve out pages without error. The only real problem here is an inability to administer the web site.


Internet Information Services (IIS) Manager
The path is not of a legal form.




After inspecting applicationHost.config I noted that one application didn’t have a physical path specified.

<application path="/appdir" applicationPool="DefaultAppPool">
    <virtualDirectory path="/" physicalPath="" />
</application>


This is a situation that we should never find ourselves in, but unfortunately we did. The IIS Manager won't let us make this kind of configuration setting because the physicalPath is required. In our case we got here through a third-party application installation failure.

After noting the config error in the applicationHost.config we also determined that the problem was detectable in the IIS Manager itself by viewing the applications in the application pool.

View Applications

Once we were viewing the various applications in the application pool, it was obvious that there was one application which had its physical path set to blank.

Missing Physical Path 



All Applications must have a valid physical path.
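The same check can be run against the configuration file directly, which helps when IIS Manager itself refuses to open the site. The following is an added example, not part of the original post: the function name Find-EmptyPhysicalPath is hypothetical, and the XML is a constructed sample in the shape of the sites section of applicationHost.config.

```powershell
# Constructed sample: a trimmed <sites> section shaped like applicationHost.config.
$sample = @'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
        <application path="/appdir" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

# Hypothetical helper: reports every virtualDirectory with a missing or blank physicalPath.
function Find-EmptyPhysicalPath {
    param([Parameter(Mandatory=$true)][xml]$Config)
    foreach ($vdir in $Config.SelectNodes('//sites/site/application/virtualDirectory')) {
        # GetAttribute returns an empty string when the attribute is absent.
        $physical = $vdir.GetAttribute('physicalPath')
        if ([string]::IsNullOrEmpty($physical.Trim())) {
            $app = $vdir.ParentNode
            New-Object PSObject -Property @{
                Site        = $app.ParentNode.GetAttribute('name')
                Application = $app.GetAttribute('path')
                VirtualDir  = $vdir.GetAttribute('path')
                AppPool     = $app.GetAttribute('applicationPool')
            }
        }
    }
}

# Reports the /appdir application of "Default Web Site" in the sample above.
Find-EmptyPhysicalPath -Config ([xml]$sample) |
    Format-Table Site, Application, VirtualDir, AppPool -AutoSize

# On a server, from an elevated prompt, point it at the real file instead:
# $path = "$env:windir\System32\inetsrv\config\applicationHost.config"
# Find-EmptyPhysicalPath -Config ([xml](Get-Content $path))
```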

I have found that a classic ASP application that worked just fine on IIS 5.0 and IIS 6.0 may have some problems in IIS 7.0 if it is making use of the Session_OnEnd function in Global.asa.

Here is the setup: I have a very simple global.asa file which increments SessionCount in Session_OnStart and decrements SessionCount in Session_OnEnd:


Sub Session_OnStart    
End Sub

Sub Session_OnEnd
End Sub

and a very simple asp page which reports the value of SessionCount.

    response.write("Session Counter Equals:  ")

Seems simple enough, right?

Well it is, and on IIS 5.0 and IIS 6.0 this simple setup works just as expected. However, on IIS 7.0 the session count never decrements.

To allow Session_OnEnd to execute correctly we need to set RunOnEndAnonymously=False.  To set this value we just need to run this command:

appcmd set config /section:system.webServer/asp /runOnEndAnonymously:false

Once this change is made the applicationHost.config should have the following entry:

    <asp runOnEndAnonymously="false" />


After this the Session_OnEnd event should fire and run successfully. 

NOTE: We could also use adsutil.vbs to make the needed change. IIS 6.0 Management Compatibility Role Service will need to be installed.  Once it is installed we need to run this command to make the needed change:

cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/AspRunOnEndAnonymously false


Problem Description

When trying to configure an Application Pool for a web site or web Application you see <Invalid Application Pool> in the Application Pool field on the Home Directory tab of the properties of the Site or Virtual directory. There may be other application pools to select or there may not.


There are no errors in the system event log.


This problem occurs when the KeyType element is missing or contains an invalid string. A list of possible values for this element is available in MSDN.


Method #1

Use adsutil.vbs to identify the Application pool which does not show up in the MMC

Enumerate the application pools:

C:\Inetpub\AdminScripts>adsutil.vbs enum /p w3svc/apppools
[/w3svc/apppools/ASP.NET 1.1]
[/w3svc/apppools/ASP.NET 2.0]
[/w3svc/apppools/Broken App Pool]


Then get each app pool's keytype. We are looking for one which either returns "The Parameter 'keytype' is not set at this node" or returns a string which is NOT "IIsApplicationPool".

C:\Inetpub\AdminScripts>adsutil.vbs get "w3svc/apppools/Broken App Pool/keytype"

keytype             : (STRING) "IIsApplicationPoolNOT"


Once you have identified the invalid application pool you need to correct or add the value for keytype.

C:\Inetpub\AdminScripts>adsutil.vbs set "w3svc/apppools/Broken App Pool/keytype" IIsApplicationPool
keytype              : (STRING) "IIsApplicationPool"


Method #2

You can also use Metabase Explorer to correct this issue. Metabase Explorer is part of the IIS Resource Kit Tools.

  1. Open MB Explorer.
  2. Expand LM>W3SVC>AppPools.
  3. Look for the application pool which does not show up in the IIS MMC, or one whose KeyType is missing or has an invalid string value. The only valid value at this location is "IIsApplicationPool".
  4. Add a Record called "KeyType" with a value of "IIsApplicationPool".
  5. Close Metabase Explorer.
  6. Open the IIS MMC; you should now be able to change the application pool on the web site/virtual directory.

I get this call quite frequently. Three times this week.

The Scenario

There was some sort of catastrophe, a hard drive crashed, a power failure, something. After recovering the OS from this catastrophe IIS is not working - The IIS Admin and/or the World Wide Web Services simply will not start.

This failure to start is accompanied by various errors in the System Event Log, the most common I have seen is:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID:
The IIS Admin Service service terminated with service-specific error 2148073478

Some Explanation

Two things come into play here: MachineKeys and any encrypted keys in Metabase.XML. If IIS shut down abruptly, one or more encrypted keys may not have been written out correctly into the Metabase. If you went as far as reinstalling Windows, then the MachineKeys of the new installation will not be able to decrypt the encrypted keys in the old Metabase. In either case, when IIS tries to start, the IIS Admin Service uses a MachineKey under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys to decrypt the encrypted keys in the Metabase (usually passwords).

If this directory path is changed or the MachineKey itself changes, or if the encrypted data was not written out correctly in the Metabase during the previous shutdown, IIS will fail to start and will generate an error similar to the one listed above.

The specific MachineKey will look similar to the following:


Note: The first half of the MachineKey (up to the underscore "_") refers to the service, in this case IIS; the remainder of the MachineKey is a hash specific to the installation.

Possible Solution

To recover Site configurations:

  1. Rename old Metabase to SiteConfig.XML
  2. Delete all AdminACL keys and password keys from SiteConfig.XML.
  3. With a clean Metabase (reinstall IIS if necessary) verify that IIS Admin and W3SVC start & the Default (under construction) page is working.
  4. Open 'clean' Metabase.XML and copy the SessionKey value.
  5. Open SiteConfig.XML and Delete SessionKey value and paste in the value from 'clean' Metabase.XML.
  6. In IIS MMC use Create New Site (from file) wizard. Point the tool to SiteConfig.XML, click Read File, and select site to import.
  7. Repeat for all sites (Web, FTP, SMTP) and Application Pools.

Other Notes

This entire situation becomes much simpler if you regularly create *password* encrypted backups of the Metabase. The following KB article discusses how to use iisback.vbs to create backups (although it doesn't stress the importance of backing up with a password).  Password encrypted backups remove the dependency on the MachineKeys for decrypting the encrypted Metabase keys making the backup much more portable.

How To Create a Metabase Backup by Using IIS 6.0 in Windows Server 2003


Consider the following scenario. You have a Web site that is hosted on a server that is running Internet Information Services (IIS) 6.0. When users visit this Web site, the users receive the following error message:

HTTP Error 404 - File or directory not found.

In the IIS log file you see an entry like this:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-12-04 15:59:52
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-12-04 16:00:29 W3SVC1 GET /test.php - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 404 3 50


This problem occurs if the following conditions are true:

  • The file exists in the requested location.
  • The extension does not have an Application Mapping configured on the site.
  • The appropriate MIME type is not configured for the Web site or for the application. 


To resolve this problem, follow these steps:

  • Configure a handler mapping for the requested file name extension. To do this, follow these steps:
    • Click Start, Run.  In the Open field type inetmgr then OK.
    • In IIS Manager, expand the server, expand Web sites, and then right click the Web site that you want to modify and select Properties
    • On the Home Directory tab click Configuration and configure an appropriate Application Extension for the type of the file that results in the 404.3 error. 
  • Configure an appropriate MIME type for the Web site. To do this, follow these steps:
    • Click Start, Run.  In the Open field type inetmgr then OK.
    • In IIS Manager, expand the server, expand Web sites, and then right click the Web site that you want to modify and select Properties.
    • On the HTTP Headers tab click MIME Types.
    • In the MIME Type dialog click New.
    • Add the extension of the required file and the MIME type in the MIME Type dialog, and then click OK

Often users will make the request for a new certificate and then reinstall an older cert while waiting on the new one. This breaks the link that IIS keeps with the location of the private key. When installing the new cert, IIS (the certificate wizard) will report that it cannot find the private key. This relationship can be repaired by using CertUtil.exe.

To assign the existing private key to a new certificate, you must use the Microsoft Windows Server 2003 version of Certutil.exe. To do this, follow these steps:

1. Log on to the computer that issued the certificate request by using an account that has administrative permissions.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. Click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, click Computer account, and then click Next.
7. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
8. Click Close, and then click OK.
9. In the Certificates snap-in, expand Certificates, right-click the Personal folder, point to All Tasks, and then click Import.
10. On the Welcome to the Certificate Import Wizard page, click Next.
11. On the File to Import page, click Browse.
12. In the Open dialog box, click the new certificate, click Open, and then click Next.
13. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.
14. In the Select Certificate Store dialog box, click Personal, click OK, click Next, and then click Finish.
15. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
16. In the Certificate dialog box, click the Details tab.
17. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
18. Click Start, click Run, type cmd, and then click OK.
19. At the command prompt, type the following:
certutil -repairstore my "SerialNumber"

SerialNumber is the serial number that you wrote down in step 17.
20. In the Certificates snap-in, right-click Certificates, and then click Refresh.

The certificate now has an associated private key.
You can now use the IIS MMC to assign the recovered keyset (certificate) to the Web site that you want.


When browsing to IIS content in IE we see the following error message:

The data is invalid.

Reviewing the IIS web logs we see that IIS has sent an HTTP Status Code of 500 with a sub-status code of 19.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-31 16:49:56
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-10-31 16:49:56 W3SVC1 GET / - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 500 19 13
2006-10-31 16:50:07 W3SVC1 GET /test.asp - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 500 19 13

This can occur for both ASP and HTML content.
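Both this 500.19 case and the 404.3 case earlier on the page are found by reading sc-status together with sc-substatus in the W3C log. The following added example (not from the original posts) picks those requests out of a log and translates sc-win32-status into its system message; the function name Get-IisSubStatusHit is hypothetical, and the log lines are a constructed sample modelled on the entries shown on this page, with placeholder addresses.

```powershell
# Constructed sample in W3C extended format; the 192.0.2.x addresses are placeholders.
$log = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-12-04 16:00:29 W3SVC1 192.0.2.10 GET /test.php - 80 - 192.0.2.50 Mozilla/4.0 404 3 50
2007-12-04 16:00:31 W3SVC1 192.0.2.10 GET /index.htm - 80 - 192.0.2.50 Mozilla/4.0 200 0 0
2006-10-31 16:50:07 W3SVC1 192.0.2.10 GET /test.asp - 80 - 192.0.2.50 Mozilla/4.0 500 19 13
'@ -split '\r?\n'

# Hypothetical helper: returns one object per request whose status.substatus is watched.
function Get-IisSubStatusHit {
    param([string[]]$Line, [string[]]$Watch = @('404.3', '500.19'))
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order comes from the latest #Fields directive, not a fixed layout.
            $fields = @($l.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($l -like '#*' -or -not $l.Trim()) { continue }
        $values = @($l.Trim() -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated records
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $code = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
        if ($Watch -contains $code) {
            $win32 = [int]$row['sc-win32-status']
            New-Object PSObject -Property @{
                Time   = '{0} {1}' -f $row['date'], $row['time']
                Site   = $row['s-sitename']
                Uri    = $row['cs-uri-stem']
                Status = $code
                Win32  = $win32
                # System message for the Win32 code, e.g. 13 = ERROR_INVALID_DATA.
                Reason = (New-Object System.ComponentModel.Win32Exception $win32).Message
            }
        }
    }
}

Get-IisSubStatusHit -Line $log |
    Format-Table Time, Site, Uri, Status, Win32, Reason -AutoSize
```

On Windows the Reason column for Win32 code 13 is the same "The data is invalid." text that the browser shows for the 500.19 response.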


At least one section of the metabase is unreadable. This could mean there is invalid XML in the metabase, but more likely there is invalid data set for one or more metabase keys. The most common metabase key to contain this invalid data is the ScriptMaps.

The explanation given for the 500.19 error is that if we do not have valid metadata for a node, we cannot serve URLs from that node, even if the data is sufficient for a certain subset of the node.

If you receive a 500.19 after making any changes to the metabase, it is probable that the changes made to the metabase make it impossible to parse at least a section of the metabase.

This typically happens when Enable Direct Metabase Edit (EnableEditWhileRunning) is allowed.


Since this typically indicates a problem with the ScriptMaps you should focus there first. A typical script mapping should look similar to this:


Note: There are no spaces in a script map. If a space is present please remove it. Additionally, there should be no random strings of characters.

If all else fails, restoring a known good copy of the metabase should resolve the issue.

More Information

It is important to back up the metabase frequently. Please refer to the following KBs for more information:

324277 - How To Create a Metabase Backup by Using IIS 6.0 in Windows Server 2003

IIS 7.0 will also return 500.19 but the reasons are different. Please refer to the following KBs for more information:

