Windows: Enable SCHANNEL verbose logging to determine cipher suite


To determine which cipher suite a TLS connection uses you can enable SCHANNEL logging.

Enable logging and reboot the computer (the EventLogging value must be a REG_DWORD; 7 logs errors, warnings and informational events):

D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /t REG_DWORD /d 7 /f

After the reboot each connection is logged in detail to the System EventLog. For example:

A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.

   Protocol version: TLS 1.2
   CipherSuite: 0xC028
   Exchange strength: 384 bits
   Context handle: 0x2703f511720
   Target name:
   Local certificate subject name: 
   Remote certificate subject name: C=DE, S=Hetzles, O=my Company, CN=*

To translate the CipherSuite hex number into the cipher suite name use

PS D:\> [system.array](Get-TlsCipherSuite) | ?{ $_.CipherSuite -eq 0xC028 }
KeyType               : 0
Certificate           : RSA
MaximumExchangeLength : 65536
MinimumExchangeLength : 0
Exchange              : ECDH
HashLength            : 384
Hash                  : SHA384
CipherBlockLength     : 16
CipherLength          : 256
BaseCipherSuite       : 49192
CipherSuite           : 49192
Cipher                : AES
Name                  : TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Protocols             : {771, 65277}

To get all allowed CipherSuites use

PS D:\>  [system.array](Get-TlsCipherSuite) | Select-Object Name
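The two steps above (read the handshake events, translate the hex code with Get-TlsCipherSuite) can be combined into one audit script. The following PowerShell is an added example and not part of the original post. It assumes the events are written by the provider named 'Schannel' in the System log, that the message text has the "Protocol version:" and "CipherSuite: 0x...." lines shown above, and it caps the query at 5000 events; the weak-suite pattern at the end is a constructed heuristic, not a Windows setting.

```powershell
# Added example (not from the original post): summarise which cipher suites the
# Schannel handshake events in the System log actually negotiated.
# Assumes EventLogging is already enabled (see the reg add above) and that the
# message text matches the "CipherSuite: 0x...." format shown in the post.
# Provider name 'Schannel' and the -MaxEvents cap are assumptions for this example.

# Build a lookup table: numeric cipher suite code -> IANA name, from the local TLS stack
$suiteNames = @{}
foreach ($s in Get-TlsCipherSuite) {
    $suiteNames[[int]$s.CipherSuite] = $s.Name
}

# Pull the "handshake completed successfully" events written by Schannel
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'handshake completed successfully' }

$rows = foreach ($e in $events) {
    # Extract the hex cipher suite code first, because each -match overwrites $Matches
    if ($e.Message -match 'CipherSuite:\s*0x([0-9A-Fa-f]{4})') {
        $code = [Convert]::ToInt32($Matches[1], 16)

        $proto = 'unknown'
        if ($e.Message -match 'Protocol version:[ \t]*([^\r\n]+)') { $proto = $Matches[1].Trim() }

        # [ \t]* (not \s*) so an empty "Target name:" line does not swallow the next line
        $target = ''
        if ($e.Message -match 'Target name:[ \t]*([^\r\n]*)') { $target = $Matches[1].Trim() }

        $name = 'not in Get-TlsCipherSuite'
        if ($suiteNames.ContainsKey($code)) { $name = $suiteNames[$code] }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Protocol = $proto
            Code     = ('0x{0:X4}' -f $code)
            Name     = $name
            Target   = $target
        }
    }
}

# One line per protocol/suite combination, most frequent first
$rows | Group-Object Protocol, Name | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Defensive audit: list connections that negotiated CBC/legacy suites or old protocol versions
# (constructed heuristic for this example; adjust the pattern to your own policy)
$rows | Where-Object { $_.Name -match '_CBC_|3DES|RC4|_NULL_' -or $_.Protocol -match 'TLS 1\.[01]|SSL' } |
    Format-Table Time, Protocol, Name, Target -AutoSize
```

Run it in an elevated PowerShell after the reboot; the second table is the useful one when you are deciding which suites to remove from the cipher suite order, because it shows which targets still depend on them.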

The cipher suites can be restricted by a Group Policy:

Computer Configuration/Administrative Templates/Network/SSL Configuration Settings/SSL Cipher Suite Order

In the registry the list can be found at:


Explanation of the various cipher suites can be found here.

and here

