How do I set up SSH port forwarding as a service or scheduled task in Windows 10?
I have a private key on my local computer and the corresponding public key on the terminal server (asd-pc-00).
I successfully created a port forwarding using the following command in a bat file:
ssh -i "C:\windows\ccmsetup\id_test2" -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -N -f -T -R 33890:localhost:3389 test2@asd-pc-00
However, when trying to create a Windows service using the command:
sc.exe create "SSH-Tunnel-Service" binPath= "C:\Windows\System32\OpenSSH\ssh.exe -i `"C:\windows\ccmsetup\id_test2`" -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -N -f -T -R 33890:localhost:3389 test2@asd-pc-00"
I get error 1053: “The service did not respond to the start or control request in a timely fashion.”
I also tried using Task Scheduler to run the script from a bat file or just the command directly. The task shows as running, but the tunnel doesn’t get established.
Ultimately, I want to deploy this SSH tunnel via SCCM. What am I doing wrong?
Setting Up SSH Port Forwarding as a Service in Windows 10
There are several proven methods for configuring SSH port forwarding as a service or scheduled task in Windows 10. Let’s break down the problem and provide effective solutions.
The main reason your sc.exe command doesn’t work is that Windows services run in a special non-interactive context where the necessary SSH security settings and authentication are missing. Here’s how to properly configure an SSH tunnel as a service.
Table of Contents
- Problem with Running SSH as a Windows Service
- Solution Using NSSM (Non-Sucking Service Manager)
- Alternative Configuration Methods
- Setup via Task Scheduler
- Preparation for SCCM Deployment
- Testing and Debugging
- Conclusion
Problem with Running SSH as a Windows Service
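Error 1053 occurs because Windows services run in a special context that differs from a standard interactive session, and because ssh.exe is an ordinary console program rather than a service binary: it never answers the Service Control Manager's start request, so the request times out. The main issues are: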
- Lack of interactive session: The SSH client requires certain conditions to work that are not provided by the service environment
- Authentication problems: The non-interactive service context may not properly handle private keys
- Permission restrictions: The service account may not have the necessary rights to access the private key file
Your approach with sc.exe is technically possible but requires proper environment configuration and parameters.
Solution Using NSSM (Non-Sucking Service Manager)
NSSM is the most recommended tool for solving your task, as indicated in several sources.
Step 1: Install NSSM
- Download NSSM from the official site: https://nssm.cc/download
- Extract the archive to a convenient location, such as C:\Program Files\nssm
- Add the NSSM path to your system PATH variable or use the full path to nssm.exe
Step 2: Create a Service with NSSM
Use the following command to create the service:
nssm install "SSH-Tunnel-Service" "C:\Windows\System32\OpenSSH\ssh.exe"
Step 3: Configure Service Parameters
After installing the service, open the NSSM configuration window:
nssm edit "SSH-Tunnel-Service"
Or configure parameters via command line:
# -f is left out: NSSM has to supervise ssh as a foreground process
nssm set "SSH-Tunnel-Service" AppParameters "-i `"C:\windows\ccmsetup\id_test2`" -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -N -T -R 33890:localhost:3389 test2@asd-pc-00"
nssm set "SSH-Tunnel-Service" AppDirectory "C:\Windows\System32\OpenSSH"
nssm set "SSH-Tunnel-Service" DisplayName "SSH Tunnel Service"
nssm set "SSH-Tunnel-Service" Description "SSH Port Forwarding Tunnel"
Step 4: Configure Service Account
Important: Specify an account that has access to the private key file:
nssm set "SSH-Tunnel-Service" ObjectName "LocalSystem"
# For a named account, the password is given as the second value of ObjectName:
# nssm set "SSH-Tunnel-Service" ObjectName "<account>" "<password>"
Step 5: Start the Service
nssm start "SSH-Tunnel-Service"
Check the service status:
nssm status "SSH-Tunnel-Service"
Important: As noted in the sources, NSSM is the preferred solution for running SSH tunnels as services because it properly handles the execution context and parameters.
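The parameters in Step 3 switch off host key verification (StrictHostKeyChecking=no with UserKnownHostsFile=NUL), so the service authenticates with its private key to whichever machine answers as asd-pc-00. A hardened variant of Steps 3 and 4 follows as an added PowerShell example, not part of the original answer; the known_hosts path is an assumed location and nssm is assumed to be on PATH as in Step 1.

```powershell
# Added example. $knownHosts is an assumed path; the other values are the page's.
$svc        = 'SSH-Tunnel-Service'
$ssh        = "$env:SystemRoot\System32\OpenSSH"
$key        = 'C:\windows\ccmsetup\id_test2'
$knownHosts = 'C:\ProgramData\ssh\tunnel_known_hosts'
$server     = 'asd-pc-00'

# 1. Record the server's host keys once, then print their fingerprints.
#    Compare them with the fingerprints read on asd-pc-00 itself before
#    continuing: ssh-keyscan trusts whatever answered on the network.
New-Item -ItemType Directory -Path (Split-Path $knownHosts) -Force | Out-Null
& "$ssh\ssh-keyscan.exe" $server 2>$null |
    Set-Content -Path $knownHosts -Encoding ascii
& "$ssh\ssh-keygen.exe" -l -f $knownHosts

# 2. Strip inherited ACEs from the private key and leave it accessible only to
#    LocalSystem (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
icacls $key /inheritance:r /grant:r '*S-1-5-18:(R)' /grant:r '*S-1-5-32-544:(F)'

# 3. Service arguments: verify the pinned host key, never prompt, exit when the
#    remote forward cannot be set up, and notice a dead link so that NSSM
#    restarts ssh. No -f: NSSM has to supervise a foreground process.
$sshArgs = @(
    '-i', $key
    '-o', 'StrictHostKeyChecking=yes'
    '-o', "UserKnownHostsFile=$knownHosts"
    '-o', 'BatchMode=yes'
    '-o', 'ExitOnForwardFailure=yes'
    '-o', 'ServerAliveInterval=30'
    '-o', 'ServerAliveCountMax=3'
    '-N', '-T'
    '-R', '33890:localhost:3389'
    "test2@$server"
) -join ' '

& nssm set $svc AppParameters $sshArgs
& nssm set $svc ObjectName LocalSystem
& nssm restart $svc
```

If the server's host key later changes, ssh exits instead of connecting and the service stops forwarding until the pinned file is updated deliberately.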
Alternative Configuration Methods
Method 1: Using Plink from PuTTY
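If you prefer to use PuTTY, you can configure it through Plink. Plink reads private keys in PuTTY's .ppk format, so convert the OpenSSH key with PuTTYgen and pass the converted file to -i: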
nssm install "SSH-Tunnel-Service-Plink" "C:\Path\To\putty\plink.exe"
nssm set "SSH-Tunnel-Service-Plink" AppParameters "-i `"C:\windows\ccmsetup\id_test2`" -ssh -N -R 33890:localhost:3389 test2@asd-pc-00"
Method 2: Using AutoSSH for Reliable Connections
For automatic connection recovery, use AutoSSH:
nssm install "SSH-Tunnel-Service-AutoSSH" "C:\Path\To\autossh\autossh.exe"
nssm set "SSH-Tunnel-Service-AutoSSH" AppParameters "-M 20000 -i `"C:\windows\ccmsetup\id_test2`" -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -N -T -R 33890:localhost:3389 test2@asd-pc-00"
Method 3: Using a Batch File with Delay
Create a bat file with a startup delay for SSH:
@echo off
timeout /t 10 /nobreak >nul
ssh -i "C:\windows\ccmsetup\id_test2" -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -N -T -R 33890:localhost:3389 test2@asd-pc-00
Configure NSSM to run this bat file instead of the direct SSH command. The -f option is left out so that ssh stays in the foreground, where NSSM can supervise it.
Setup via Task Scheduler
If you prefer to use Task Scheduler, configure it properly:
Step 1: Create a Task
- Open Task Scheduler
- Create a new task
- On the “General” tab:
  - Name: “SSH Tunnel Service”
  - Run with highest privileges: Enabled
  - Run whether user is logged on or not: Disabled
Step 2: Configure Trigger
- Action: At system startup
- Delayed start: 1 minute
Step 3: Configure Action
- Action: Start a program
- Program/script: cmd.exe
- Arguments: /C "C:\Path\To\your\tunnel.bat"
Step 4: Configure Conditions
- Stop the task if the computer switches to battery power
- If the computer enters an idle state, wait until it comes out of idle
Note: As indicated in research, Task Scheduler may show that the task is running but not establish the tunnel due to execution context issues.
Preparation for SCCM Deployment
For deployment via SCCM, prepare the package as follows:
Package Structure:
SSH-Tunnel-Package/
├── Install.bat
├── Uninstall.bat
├── nssm.exe
├── ssh_tunnel_config.xml
└── Readme.txt
Install.bat:
@echo off
echo Installing SSH Tunnel Service...
REM Copy NSSM to system directory
copy "%~dp0nssm.exe" "%SystemRoot%\System32\"
REM Install the service
nssm install "SSH-Tunnel-Service" "C:\Windows\System32\OpenSSH\ssh.exe"
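REM The key path has no spaces, so it needs no inner quotes (the backtick escape is PowerShell syntax and is literal in a bat file).
REM -f is left out: NSSM has to supervise ssh as a foreground process.
nssm set "SSH-Tunnel-Service" AppParameters "-i C:\windows\ccmsetup\id_test2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL -N -T -R 33890:localhost:3389 test2@asd-pc-00"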
nssm set "SSH-Tunnel-Service" AppDirectory "C:\Windows\System32\OpenSSH"
nssm set "SSH-Tunnel-Service" ObjectName "LocalSystem"
REM Start the service
nssm start "SSH-Tunnel-Service"
echo Installation completed successfully
Uninstall.bat:
@echo off
echo Uninstalling SSH Tunnel Service...
REM Stop and remove the service
nssm stop "SSH-Tunnel-Service"
nssm remove "SSH-Tunnel-Service" confirm
echo Uninstallation completed successfully
SCCM Configuration:
- Create an application with two deployment types:
  - Installation: Install.bat
  - Uninstallation: Uninstall.bat
- Configure deployment conditions
- Specify user and computer parameters
Testing and Debugging
Check Service Status:
sc query "SSH-Tunnel-Service"
nssm status "SSH-Tunnel-Service"
Logging for Debugging:
Capture the output of the SSH command through NSSM. A shell redirection placed inside AppParameters is handed to ssh.exe as literal arguments, because NSSM starts the program directly rather than through a shell:
nssm set "SSH-Tunnel-Service" AppStdout "C:\logs\ssh_tunnel.log"
nssm set "SSH-Tunnel-Service" AppStderr "C:\logs\ssh_tunnel.log"
Check Access Rights:
Ensure the service account has access to the private key file:
icacls "C:\windows\ccmsetup\id_test2"
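icacls shows that the service account can read the key; for a key that logs in to asd-pc-00 as test2, the second half of the check is that nobody else can, including through permissions inherited from the parent folder. The following added PowerShell example (not part of the original answer; the function name is hypothetical) lists every allow rule on the key file that belongs to a principal outside an allowed set:

```powershell
# Added example. Get-UnexpectedKeyAccess is a hypothetical helper name.
function Get-UnexpectedKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Allowed by default: LocalSystem and BUILTIN\Administrators.
        # Add the service account's SID when the service runs as a named account.
        [string[]]$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs so the
    # check does not depend on localized account names.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($AllowedSids -contains $sid) { continue }
        try {
            $ntType = [System.Security.Principal.NTAccount]
            $name = $rule.IdentityReference.Translate($ntType).Value
        } catch {
            $name = $sid   # orphaned SID with no account behind it
        }
        [pscustomobject]@{
            Identity  = $name
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = @(Get-UnexpectedKeyAccess -Path 'C:\windows\ccmsetup\id_test2')
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'The private key is accessible to principals other than the service account.'
} else {
    'Only the expected principals can access the key.'
}
```

Rows with Inherited set to True come from the parent folder's ACL and are removed by disabling inheritance on the key file.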
Conclusion
For configuring SSH port forwarding as a service in Windows 10, it’s recommended to use NSSM (Non-Sucking Service Manager), which specializes in properly launching applications in the Windows service context. The main steps are:
- Install NSSM and configure it to create the service
- Correctly specify SSH command parameters including the private key path
- Configure the service account with necessary permissions
- Use logging for troubleshooting problems
- Prepare a package for SCCM with installation and uninstallation scripts
Directly running SSH via sc.exe or Task Scheduler often doesn’t work due to Windows service execution context limitations. NSSM solves this problem by properly handling parameters and environment for launching SSH tunnels.
For deployment via SCCM, prepare a package with NSSM and installation/uninstallation scripts, which will allow centralized management of SSH tunnels across the network.
Sources
- NSSM - the Non-Sucking Service Manager
- Persistent SSH tunnel for Windows - Technicus
- How can I make a SSH tunnel command into a service on Windows 10? - Stack Overflow
- r/sysadmin on Reddit: What is the best SSH tunneling setup for Windows?
- Configure SSH Tunnel (Port Forwarding) on Windows | Windows OS Hub