Regkey of the Month: October

Visually classify your environment

How to Configure a Custom Banner in Veeam Backup & Replication Console

Have you ever logged into a critical system and wished there was an immediate, unmistakable visual indicator of the environment's security level or purpose? For system administrators managing multiple Veeam environments—such as production, test, HQ, branch-office, and highly classified systems—a simple, consistent warning or label can be a lifesaver.

This post walks you through implementing the Classified Stripe feature in Veeam Backup & Replication (VBR), allowing you to display a custom text banner prominently across all connected consoles.

The use case: The Need for Immediate Context ⚠️

In environments where multiple VBR servers exist for different purposes (e.g., development/test, federal compliance, or critical production), administrative mistakes can happen. Accidentally performing a destructive action on a production server when you thought you were on a test box is a nightmare scenario.

The Veeam Classified Stripe (described in KB4458) is a powerful, yet simple, security feature designed to solve this by providing a persistent, configurable text banner at the top of the VBR console. This banner acts as an immediate visual cue, helping administrators identify the security level or nature of the Veeam Backup Server they are connected to, thus reducing the risk of administrative errors.

The Solution: The Classified Stripe Feature

The solution is to enable a specific set of registry values on the Veeam Backup Server. Once enabled, this banner will appear not only on the server's local console (in Windows based deployments) but also on every remote Veeam Backup & Replication Console that connects to it.

 

The feature requires configuring three main registry values: one to enable the stripe, one to set the text message, and an optional one to define the background color.

How to Implement the Banner 💻

The following steps and registry details must be applied on the Veeam Backup Server itself.

The first mandatory step is to activate the banner. Herefore, create a key named UIClassifiedMode and set the value to 1.

• Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\ 
• Name: UIClassifiedMode (DWORD 32 Bit)  
• Default Value: 1 (decimal)

With only this key, the default message "CONFIDENTIAL" is shown in a banner which had a default dark red background.

To set your own message in the banner, you should create a second key.

• Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\ 
• Name: UIClassifiedStripeText (String Value (REG_SZ)
• Value: THIS IS MY TEXT FOR THE BANNER

 

Optional you can set the background color. Default, the stripe uses a dark red background. You can customize the color using a hexadecimal color code (the preceding hash sign must be included in the value)

You can find an easy to use ColorWheel to hex-value here.

• Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\ 
• Name: UIClassifiedStripeBackgroundColor (String Value (REG_SZ)
• Value: #008000 (this value represents dark green)

Example:

To create a banner that says "DEV/TEST - DO NOT USE FOR PROD" with a light yellow/orange background (#FFCC00), you could run the following three PowerShell commands on the Veeam Backup Server:

# 1. Enable the stripe
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'UIClassifiedMode' -Value "1" -PropertyType DWORD -Force

# 2. Set the custom text
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'UIClassifiedStripeText' -Value "DEV/TEST - DO NOT USE FOR PROD" -PropertyType String -Force

# 3. Set the background color to light yellow/orange
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'UIClassifiedStripeBackgroundColor' -Value "#FFCC00" -PropertyType String -Force

Hey regkey-man, how do we do this on JeOS based VBR deployments ?

The new appliance based VBR deployments are using JeOS (Just Enough OS) which is based on Rocky Linux with some specific tweaking and further hardening. So there is no such thing as a registry.

Don't be afraid, all your registry tweaks are not gone. They're just located in config files.

 

Applying Custom Settings in Veeam Software Appliance (VSA)

Custom settings (like the banner settings discussed above) are applied by editing configuration files within the VSA environment. These configuration files correspond directly to the Windows Registry keys used in Veeam Backup & Replication (VBR) on a Windows server.

To access and modify these files, you must use the Veeam Host Management Console Web UI. Within the console, you navigate to Logs and Services and then select Host Configuration. This interface allows you to search for and manage the configuration files.

The recommended process for implementing a custom setting is:

•     Export the existing configuration file
•     Modify the exported file by adding the necessary settings under the correct section.
•     Import the modified configuration file back into the VSA.

Important remarks:

I always use Notepad++ to edit this type of files since the LF and CR/LF may vary between Linux and Windows environments.

If the Security Officer role is enabled, importing an updated configuration file will require approval from the Security Officer before the changes take effect. If no security officer role is defined during the setup, the changes are applied immediately.

Configuration File Structure

The VSA configuration files use a structure with sections denoted in square brackets (e.g., [root]). A section header corresponds to a specific subkey within the original Windows Registry path. 

For example, in the /etc/veeam/veeam_backup_and_replication.conf file:

The section header [root] is the equivalent of the primary registry key: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\.

A section header like [API] corresponds to the subkey HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\API\.

To apply the custom banner settings (e.g., UIClassifiedMode, UIClassifiedStripeText, UIClassifiedStripeBackgroundColor), you would add the corresponding values directly under the [root] section of the primary configuration file.

Registry Key to Configuration File Overview

The list below provides an overview of common Windows Registry keys and their corresponding configuration files in the Veeam Software Appliance.

Windows Registry Key                                                                    Veeam Software Appliance Configuration File 

HKLM\SOFTWARE\Veeam\Veeam Backup and Replication          /etc/veeam/veeam_backup_and_replication.conf
HKLM\SOFTWARE\Veeam\Veeam Mount Service                         /etc/veeam/veeam_mount_service.conf
HKLM\SOFTWARE\Veeam\Veeam Backup Catalog                       /etc/veeam/veeam_backup_catalog.conf
HKLM\SOFTWARE\Veeam\Veeam Threat Hunter\                         /etc/veeam/veeam_threat_hunter.conf

Final Thoughts 💭

While the Classified Stripe feature is simple to implement, its value in a large or complex IT infrastructure is significant. This small, persistent visual element adds a crucial layer of operational safety and compliance:
Minimizing Errors: It forces administrators to confirm the context of the server, especially when juggling multiple remote console connections.

Compliance: For environments requiring strict classification markings (e.g., government, finance), the stripe helps meet internal policy requirements by clearly labeling the system's data sensitivity.
 

Organizational Clarity: You can use it to display maintenance warnings, security classifications ("NIS2 compliancy," "PCI DATA"), or just simple reminders ("DR SITE").

Implement this feature today to enhance security, reduce administrative mistakes, and bring operational clarity to your Veeam infrastructure!

Regkey of the Month: September

Fine-Tuning Performance for On-Prem Object Storage

Beyond the GUI: The Art of Veeam Fine-Tuning

While Veeam Backup & Replication (VBR) is renowned for its robust and intuitive graphical user interface (GUI), true mastery of the platform goes beyond the standard configuration wizards. 

The difference between a functional Veeam deployment and a truly optimized one frequently lies in the judicious application of advanced settings, many of which are only accessible via the Windows registry. 

One such area of critical importance in modern data protection is the use of Scale-Out Backup Repositories (SOBR) with a Capacity Tier for offloading backup data to low-cost object storage. 
The SOBR architecture is a cornerstone of Veeam's strategy for efficient, long-term data retention, offering a seamless way to leverage both on-premises performance storage and external cloudstorage solutiuon and/or local object storage. However, the performance dynamics of this feature are not uniform across all environments. Public cloud providers, such as Amazon S3, are engineered for massive parallelism and can handle thousands of concurrent connections. In contrast, on-premises S3-compatible appliances, while powerful, operate on finite hardware resources. We've experienced this ourselves with experimenting and tuning devices who offer local S3 compatible storage.

The default Veeam configuration is optimized to take full advantage of the public cloud's scalability, but this can inadvertently overwhelm certain on-prem systems, leading to performance bottlenecks and job failures.

 

A registry key that is vital for stabilizing and optimizing VBR in these hybrid environments: S3ConcurrentTaskLimit. 

This key provides an essential mechanism to throttle S3 interactions, ensuring that the backup infrastructure remains performant and stable, even when interfacing with systems that have different resource limitations than those found in the public cloud.

Demystifying the S3ConcurrentTaskLimit Registry Key

The S3ConcurrentTaskLimit is a powerful, but not widely documented, configuration parameter within Veeam Backup & Replication. Its function is to control the maximum number of simultaneous S3 connections that a single Veeam worker process can open to an object storage repository. This is not a global setting for the entire Veeam server but a specific throttle that governs the behavior of each individual task.

 

The key is a DWORD (32-bit) value located in the primary Veeam registry path on the backup server: 

• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication  
• Name: S3ConcurrentTaskLimit (DWORD)  
• Default Value: 64 (decimal) 

It is crucial to understand that this key is designed as a control mechanism to reduce performance in specific scenarios, not to blindly increase it. The default value of 64 is a high-water mark, a reflection of the architecture's design to leverage the near-infinite scalability of public cloud providers. 

 

This key's purpose is to prevent a backup infrastructure from overpowering an object storage device that cannot handle the default level of parallel load. 

 

A common misunderstanding arises from the name of the key itself. A user might assume that S3ConcurrentTaskLimit limits the number of offload tasks, but its effect is multiplicative. 

The total number of parallel S3 operations is a product of two variables: the number of available repository task slots and the value of this registry key. 

 

The calculation is expressed as:

 

AvailableRepositoryTaskSlots × S3ConcurrentTaskLimi t= Max used S3 operations in parallel

 

For example, with a default value of 64, an offload job with eight available repository tasks could theoretically initiate up to 512 parallel S3 connections (8 x 64 = 512). 

 

This is a high level of parallelism that public cloud services are built to handle, but it can be a recipe for disaster for on-premises systems with limited CPU and I/O resources.

 

Using the key to overcome On-Prem Object Storage Bottlenecks

The most compelling use case for the S3ConcurrentTaskLimit registry key is in environments where a Veeam SOBR with a Capacity Tier is configured to use an on-premises S3-compatible storage appliance. The problem often manifests when an administrator attempts to offload a large volume of data, such as a major synthetic full backup or a new, extensive backup chain.

When a Veeam offload job initiates, it attempts to use as many concurrent S3 connections as the default S3ConcurrentTaskLimit allows, multiplied by the number of available repository tasks. 

In an on-premises scenario, this sudden, high-intensity workload can quickly exhaust the storage appliance's processing capacity. The appliance's CPU utilization may spike to 95% or more, leading to a cascading failure of symptoms: offload jobs run at a fraction of their expected speed, data transfer rates plummet, and in some cases, the jobs may time out and fail entirely. We had this experience on QNAP QuObjects that drowned the complete system altough an AMD Ryzen CPU was present in the NAS.

The role of the S3ConcurrentTaskLimit is to prevent this overload. By reducing the value from the default 64 to a more conservative number, such as 8 or 16, the administrator can effectively cap the number of concurrent S3 connections per worker process. 

This change throttles the offload operation, allowing the on-premises storage appliance to process data at a stable and predictable pace without becoming overwhelmed. By providing this parameter, Veeam acknowledges the diversity of IT infrastructures and offers a tailored solution to a specific and common pain point.

Remarks

Reboot the machine after setting the registry key to another value.

Use for On-Premises Object Storage: This registry key is a vital asset when using an S3-compatible storage appliance on-premises that exhibits high CPU utilization, connection timeouts, or degraded performance during large-scale offload or restore operations.

 

Do Not Use for Public Cloud Storage: Public cloud providers like AWS S3 or Azure Blob are engineered for high concurrency and massive parallelism. Applying this key in such environments would unnecessarily limit performance and could degrade offload and restore speeds without providing any stability benefits.

Always Verify: After making any registry changes, it is essential to monitor job logs and performance metrics on both the Veeam server and the storage appliance to confirm that the changes have had the desired effect. The *.gate.log files are an invaluable resource for this verification process.

To verify the change, you can checks the .gate.log file associated with the SOBR offload job, located at %programdata%/Veeam/Backup/SOBR_Offload_name-of-sobr/VMname/*.gate.log and confirm that the new S3ConcurrentTaskLimit value is reflected in the logs

 

 

Regkey of the Month: August

Controlling the SQL Log Backup Temp Folder

By default, Veeam picks the local disk with the most free space (often C:) and uses a folder like \Veeam\Backup\SqlLogBackup or C:\ProgramData\Veeam\Endpoint\SqlLogBackup to store the native log backup files before copying them to the backup repository

These files are Veeam’s own “.BAK” format (not native SQL .BAK) and are deleted after shipping. However, on heavily-loaded SQL servers this can quickly fill the drive. To prevent this, Veeam provides a registry setting named SqlTempLogPath that lets administrators manually specify an alternate folder for the log backups. 

Understanding and using this key ensures log backups don’t crash your SQL server due to a full disk.

The SqlTempLogPath registry value (a REG_SZ string) tells Veeam where to stage SQL transaction log backups on the SQL Server itself. 

Its behavior varies by scenario:

Image-level (VM) backup by Veeam B&R

On the first run of a transaction log child job, Veeam scans all volumes on the SQL VM, picks the one with most free space, and writes that path into the SqlTempLogPath value. To override this default, create or update the registry entry on the SQL host

• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication  
• Name: SqlTempLogPath (String)  
• Value: <full desired folder path>  (no trailing “\”) 

For example, to point logs to D:\SqlLogs you could run (as Administrator) the following PowerShell command:

        New-ItemProperty -Path "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" `
        -Name "SqlTempLogPath" -Value "D:\SqlLogs" -PropertyType String

Veeam Agent (Standalone or managed) backups

For machine-level backups using Veeam Agent on Windows, the default temp folder is %ProgramData%\Veeam\Endpoint\SqlLogBackup\. You can override this by setting:

• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam EndPoint Backup  
• Name: SqlTempLogPath (String)  
• Value: <desired folder path>  (no trailing backslash)

This registry key goes on the SQL server (the machine running the Agent backup job). (If the job is managed by VBR, the VBR-style path under HKLM\SOFTWARE\Veeam\Veeam Backup and Replication is also acceptable.) 

If the SqlTempLogPath is set under the Endpoint Backup key and later becomes invalid, the log backup will fail with an error like “Cannot create folder… Invalid folder path” and the missing intervals will be flagged. 

Unlike the VM case, Veeam Agent does not automatically re-pick a drive in that situation; you must correct or remove the key and restart the job.

Cluster-aware backups

For SQL Server on a failover cluster managed by Veeam Agent (VBR-managed AG/FCI), Veeam first checks if the HKLM\SOFTWARE\Veeam\Veeam Backup and Replication key exists. 

If it does not, Veeam uses a fixed default folder (C:\ProgramData\Veeam\Backup\SqlLogBackup) on whichever node is active. 

If the key exists but SqlTempLogPath is missing or invalid, Veeam picks the largest drive and then records it in SqlTempLogPath for that node. 

To manually set a cluster node’s path, create SqlTempLogPath under HKLM\SOFTWARE\Veeam\Veeam Backup and Replication on each node (no trailing slashes). 

Note that if you point the path to a cluster disk, a failover might render it invalid: Veeam will then choose a new path and update the registry.

Important

Restart the job 

After creating or changing SqlTempLogPath, disable and re-enable (or restart) the SQL backup job. This forces Veeam’s log-shipping process to reload the new setting.

Disk space sizing

Plan ahead – you need enough space to hold the largest log backup between full backups. If you do frequent log backups, the needed temp space is roughly the size of one full backup cycle’s worth of logs (for example, if you back up every 20 minutes and keep a weekly full, you might need tens of GB). The more frequent log jobs = smaller native log chunks

Permissions

Ensure the chosen path is writable by the Veeam services (usually the local System or VeeamService account). Otherwise Veeam will fail to write the logs.

Conclusion

The SqlTempLogPath registry key is a powerful knob for Veeam administrators who need to control where SQL transaction log backups are staged. By default, Veeam chooses the largest local volume, which can be problematic on busy SQL servers. Manually setting SqlTempLogPath lets you relocate the temp files to any local drive or folder with adequate space.