xtack Documentation

Last update: March 17th, 2018, 09:00 UTC

Welcome to xtack's Documentation

Please navigate through the following set of xtack topics to discover more and to make the most out of it.

Note that hovering with the mouse or tapping on each box header makes it to expand for contents. If you have any questions drop us an email.

What is xtack?

xtack is a free of charge, non-for-profit portable and modular web development stack* for Microsoft Windows® Vista through to Windows® 10 operating systems that integrates and orchestrates:

* xtack requires certain Microsoft Visual C++ Redistributable Packages to be previously installed on any system it runs on. Check the Installation Instructions section in this documentation for more details. xtack uses compression technology from the open source 7-Zip software.

What xtack ISN'T

xtack is not meant, in any way, for use on production systems, particularly those accessible via the Internet or any other kind of public IP network. Read the Security Notes section in this documentation for further details.

Please NEVER use xtack on production systems!

What can xtack be used for?

  • Web development on a local Windows® system, without the need to resort to any actual software installations nor virtualization layers.
  • PHP server-side application development, testing and debugging.
  • JavaScript server-side application development, testing and debugging, based on Node.js.
  • Easier testing of websites and web applications along different HTTP/database server and PHP combinations.
  • Cross-server, cross-database code verification.
  • Profiling, refactoring and improvement of existing websites and web applications.
  • Playing around with new web designs in several web browsers in parallel.
  • Etcetera.

xtack advantages over alternative solutions for Windows®

  • xtack is initially delivered just as a plain text Windows® batch script, accompanied by a small footprint runtime, that runs on any standard Windows® Command Prompt, allowing community development and maintenance, without the need for additional tools (e.g. compilers or packagers) beyond the brain and a text editor.
  • As such, it provides a great opportunity for people interested in learning and improving their Windows® batch scripting and AWK skills. We felt this is important.
  • xtack is implemented using a highly modular architecture, its initial download footprint is very low and the user can freely select any optional components to use.
  • In fact, since xtack is a fully portable web development stack, no software is actually installed on the system apart of the required Microsoft Visual C++ Redistributable Packages and you neither need to install any additional software like virtualizers, virtual machine management tools, huge VM images or even Git, thus reducing the total footprint, disk usage and machine lockdown, while keeping an excellent level of flexibility.
  • It has a convenient self-updating functionality, without needing to resort to a specific ad hoc installer program, which allows faster life cycle management and delivery of updates.
  • No data is written to the Windows® Registry as, again, xtack is a fully portable stack.
  • Includes Apache, Nginx, IIS Express and Node.js, compared to the typical dilemma of, for example, either having to choose an Apache stack versus a Nginx stack, or having to run them in parallel but separately managed and maintained.
  • Beyond MySQL, it also supports MariaDB and PostgreSQL out of the box for additional database choice, diversity and flexibility.
  • As mentioned above, xtack includes Node.js plus working MySQL and PostgreSQL database drivers for it.
  • It fully supports a wide spectrum of PHP versions, from the long-ago-legacy-yet-still-used PHP 5.2 to the latest PHP 7.2.
  • Thus, it covers quite a wide range of HTTP and database servers and PHP combinations, which should make matching live environments a bit easier (hopefully) for Windows® users.
  • xtack integrates and wraps up a range of essential and convenient modern web development tools like Xdebug, Composer, PHP_CodeSniffer, PHPUnit, npm, Bower, Phalcon Framework, phpMyAdmin, phpPgAdmin, PHP Mess Detector (PHPMD), etcetera.
  • It has an also very convenient ability to automatically launch up to six different browsers in parallel upon its startup. This can be configured by the user.

What are xtack's requirements?

  • Microsoft Windows® Vista, Windows® 2008 Server, Windows® 7, Windows® 8.0, Windows® 8.1, Windows® Server® 2012 R2 or Windows® 10 (either 32 or 64-bit versions are supported). Windows® XP is NOT and will NEVER be supported. Microsoft set Windows XP on End of Life status long ago.
  • If all xtack components are initially selected for installation, around 985 MB of free disk space to accommodate them all.
  • More disk space may be needed depending on your specific development needs e.g. web libraries and packages used, amount and size of project files, databases and log files, backups for previous software components, etc. If you have less space available, just make sure to select only the components you really need during installation.
  • For its initial installation, xtack.bat needs Windows® PowerShell (which is installed by default on all the supported Windows® versions) and a working Internet connection to download the different components.
  • Microsoft Visual C++ Redistributable Packages for VC9, VC11 (Visual Studio 2012), VC12 (Visual Studio 2013) and/or VC14 (Visual Studio 2015) need to also be previously installed on the local system. Otherwise, xtack will not be able to run at all or will expectedly run with severe errors, due to missing system key functionalities. On systems running 64-bit versions of Microsoft Windows®, Microsoft usually recommends installing both the 32-bit and 64-bit versions of these Microsoft Visual C++ Redistributable Packages.
  • xtack can take charge of installing any eventually missing required Microsoft Visual C++ Redistributable Packages if run from a Windows® Command Prompt with Administrator rights. If you instead prefer to manually install the packages, please read the Manual installation of required Microsoft Visual C++ Redistributable Packages section.
  • xtack is, by default, a portable application, meaning that it can be installed for instance on a flash drive, as long as the required Microsoft Visual C++ Redistributable Packages are installed on every target machine used. In order to preserve xtack's portability intact, it's important to be careful if modifying the default paths set up in xtack's configuration files.
  • If you run xtack from a flash drive or memory card, make sure that its read and write speeds are sufficient for xtack to run fluidly. The higher both speeds are, the quicker xtack will therefore run, and so the faster your workflow will be too.
  • Accordingly, if you find xtack lagging behind when run from such a memory card or flash drive, it might be a good idea to use a higher performing memory device. Note that cheaper devices are usually slower too.
  • If required, grant access/execution permissions to any xtack executable files or processes causing dialog boxes to pop up on your antivirus, firewall and/or security software, so xtack can be fully operational and thus execution delays can be avoided too. Check out the Security Notes section in this documentation for further details.

xtack Installation Instructions

  • Make sure you have a working Internet connection and a supported Windows® version. xtack.bat needs Windows® PowerShell (which should be installed by default on all the supported Windows® versions) for the initial download of 7-Zip's 7za engine and the xtack Runtime.
  • Please note that although we use the term "installation", xtack is a portable web development stack and so nothing is actually installed onto the system beyond the required Microsoft Visual C++ Redistributable Packages, nor any data is written on the Windows® Registry. "Installation" in this context then more accurately refers to the download and copy of xtack files on the specific folder layout required by xtack to run.
  • Download the main xtack.bat Windows® batch script from https://xtack.org and save it to the folder on your local system that you plan to use for xtack, for example C:\xtack:

    Download xtack.bat
  • Wait for the xtack.bat file download to complete:

    Wait for the xtack.bat file download to complete.
  • Open a Windows® Command Prompt window, preferably with Administrator rights (at least for the first time, so it can automatically download and install all the required Visual C++ Redistributable Packages), for example by typing "cmd" into the search box ("Win + S" keys). To open it as Administrator, type also "cmd" into the search box, and right-click and choose "Run as Administrator":

    Open a Command Prompt window for xtack.

    Open a Command Prompt window for xtack.
  • Depending on your user type, Windows® may show a Windows® User Account Control (UAC) popup. Just click on the "Yes" or "Accept" button:

    User Account Control (UAC) popup for xtack.
  • If you find problems to open the Command Prompt window, have a look at this article or watch this video for alternative ways of doing it.
  • If, instead, you DON'T want to grant xtack.bat Administrator rights, please perform a manual installation of all the required Microsoft Visual C++ Redistributable Packages FIRST and then return to the next step of these instructions.
  • In the Command Prompt window change directory (command "cd /d") to the xtack disk drive and folder that you previously chose, check that file xtack.bat is there (command "dir") and run command

    xtack install.
  • As mentioned above, for this initial installation, xtack uses Windows® PowerShell once (which should be installed by default along Windows®) to download the initial copies of 7-Zip's 7za engine and the xtack Runtime. xtack takes care of verifying the authenticity of these three initial installation components by checking out their SHA-512 hashes and OpenPGP file signatures:

    Run xtack install for xtack.bat to start setting everything up.
  • If asked, allow xtack.bat to download and install any missing Visual C++ Redistributable Packages. xtack may eventually ask one or more times, depending on the number of Visual C++ Redistributable Packages that your system had previously installed.
  • When prompted, select the range of components that you want to install. Note that components of types "Core" and "Required" will be automatically downloaded and installed for you, even if you don't select them, as they are necessary for xtack to properly function:

    Select xtack components range to install.
  • Both the SHA-512 checksum and the OpenPGP file signature will be verified also for all these components during the installation/update process, for increased security:

    xtack SHA-512 checksum and OpenPGP signature verification.
  • Allow xtack.bat time enough to setup everything. Keep in mind that it may need to initially download quite a lot of stuff, depending on how many components you selected. The quicker your Internet connection is, the sooner the installation process will obviously be completed.
  • xtack.bat will create a shortcut icon on your desktop to facilitate its later use. It will also inform you whenever everything's ready:

    Allow xtack.bat time to setup everything.

    xtack successful installation.
  • You can check that everything works fine by trying to start the xtack environment with a command like for example xtack start ngxp71m57. Grant execution permissions and network access to any xtack executable files or processes causing dialog boxes to pop up on your antivirus, firewall and/or security software, so xtack can be fully operational:

    Start the xtack environment up now to test it.
  • Additionally, if necessary, or for greater future convenience, create permanent "trusted application rules" or "exclusions" on your antivirus, firewall and/or security software to allow execution of all xtack processes, to grant them continued network and Internet access and to ensure that they all can interact with each other on IP and HTTP protocol levels. Please refer to the specific instructions applicable to your antivirus, firewall and/or security software or search around the Internet for recommendations.

    For a comprehensive list of xtack processes for which to eventually create trusted application rules or exclusions in your specific security software, check out the Security Notes section in this documentation.
  • If installation was successful, your system is now ready to fully run xtack. Congratulations, enjoy it!

    Congratulations, enjoy xtack!

Manual installation of required Visual C++ Redistributable Packages

If you prefer to manually download and install the Microsoft Visual C++ Redistributable Packages required by xtack before installing it, these are the corresponding download links:

On systems running 64-bit versions of Microsoft Windows®, Microsoft usually recommends installing both the 32-bit and 64-bit versions of these Microsoft Visual C++ Redistributable Packages.

IMPORTANT NOTE: Due to a known limitation on the implementation of the Microsoft Visual C++ 2015 (v14.0) Redistributable Package Update 3, its installation on Windows® 8.1 requires that both the additional, optional April 2014 KB2919355 Cumulative Update and the May 2014 KB2975061 servicing stack update for Windows 8.1 and Windows Server 2012 R2 are previously installed on the system.

Since KB2919355 has its own set of prerequisites and dependencies, in the end all the following updates need to also be previously installed on Windows® 8.1 systems, in the following specific order:

How to update xtack?

Very easy: If not done already, just open a new Microsoft Windows® Command Prompt window on xtack's installation directory, run command "xtack update", follow the instructions and select the range of components you want to update.

xtack Security Notes (IMPORTANT - READ CAREFULLY!)

Please READ CAREFULLY the following security information!

As mentioned before, xtack is not meant for production use but, instead, mainly for developers and designers in a controlled and confined development environment.

It is configured to be "as open as possible", allowing the developer to do anything he/she wants. For development environments this is great but on a production environment it could be fatal.

Here are a few security aspects to keep in mind when using xtack:

  • xtack doesn't include any firewall or security software protecting the whole xtack environment.
  • Apache, Nginx, Node.js, MySQL and PostgreSQL are all accessible via IP network.
  • MySQL's and PostgreSQL's user "root"  has a known default password: "root".
  • MySQL's and PostgreSQL's user "xtack"  has a known default password: "xtack123".
  • phpMyAdmin and phpPgAdmin are both accessible via IP network, too.
  • Although ModSecurity for Apache 2.4 is included within xtack, it is delivered inactive and non-configured by default, so it doesn't provide any protection unless you properly configure it to do so.

The most commonly used xtack binary executable files and processes are:
Apache.exe, httpd.exe, nginx.exe, node.exe, mysqld.exe, mysql.exe, mysqladmin.exe, postgres.exe, pg_ctl.exe, php.exe, php-cgi.exe, php-win.exe, phpdbg.exe, sendmail.exe, 7za.exe, fmt.exe, gawk.exe, gpg.exe, hidec.exe, isadmin.exe, nircmdc.exe, ps.exe, reg.exe, sigcheck.exe, wget.exe and wtee.exe.

Note that several of these process names are used in different versions of xtack's components, for example in PHP, and so you may need to grant access permissions to all the different versions of them.

If required, or for greater convenience, you may create permanent "trusted application rules" or "exclusions" on your antivirus, firewall and/or security software to allow execution of several or all these xtack processes, to grant them continued Internet access and to ensure that they all can interact with each other on IP and HTTP protocol levels:

Grant execution permissions to xtack processes in your security software.

Also, note that some antivirus and/or security programs quarantine (delete) any binary executable files that, for whatever reasons, they consider potentially dangerous. In that case, you may need to "unquarantine" any deleted xtack files. Please refer to the specific instructions applicable to your antivirus, firewall and/or security software.

All xtack downloadable component update packages are signed with an unique SHA-512 hash. We also provide OpenPGP file signatures for components, in order to provide xtack users with the ability to validate their authenticity and integrity.

See the xtack team's OpenPGP public key and Component Packages Signatures sections in this documentation for more details.

Again, please make sure to NEVER use xtack on production systems. The xtack team can't accept any liabilities resulting from using xtack on production systems.



xtack team's OpenPGP public key

This is the xtack team's OpenPGP public key (pub 4096R/0x5F625EC753E334C4):



You can also download it as a separate OpenPGP ASCII armored file directly from here.

How do we build our binary Component Packages?

Every time we prepare a new xtack binary component package, we follow the same procedure:

  • We download the original base source package from its official Internet site. We never use modified or second-hand binaries, just the original legitimate ones. You can check the repositories we use both in our Legal Information section, as well as in every package's xtack.json description file. This is respected 100% of the times.
  • After download, and if provided by the original project, we verify the source package's OpenPGP signature and/or checksum to confirm integrity and authenticity.
  • We selectively strip away some parts or specific files, like e.g. documentation, auxiliary binaries, setup scripts, header, PDB symbols or test files and other case-by-case items. This is done to minimize the overall component footprint. As a general rule of thumb, the original configuration files are provided intact, even in those cases in which we have tweaked and fine-tuned those used by xtack, which are handled, maintained and version-controlled separately.
  • A brief regression testing is then performed.
  • If everything goes OK till here, we add or update a xtack.json description file, containing meta information about the package, including back references to the original repository and the associated release note or any applicable piece of documentation.
  • We compress the package's files with 7-Zip using a highly efficient compression configuration.
  • The resulting .7z cabinet file is hashed using the SHA-512 algorithm and then its OpenPGP signature is calculated. This information is published both in the xtack binary Internet repository and in xtack's Change Log.
  • The component's .7z cabinet file is also uploaded to the xtack binary Internet repository and checked online for virus through the VirusTotal online multiengine virus scanning system. Links to all scans are always provided in the Change Log.
  • If everything's OK, the new component is released for global public access through xtack's master online update control file.
  • Moreover, xtack.bat implements mechanisms to verify integrity and authenticity of every component at download time, and prior to installation.
  • Of course, no tampering or malicious manipulation is ever performed by the xtack team on the original source binary executable files. Needless to say that absolutely NO malware is added to xtack's components.

xtack Component Packages Signatures

When we build xtack's downloadable component update package archives we digitally sign them with an unique SHA-512 hash and an OpenPGP file signature using GnuPG, in order to provide xtack users with the ability to validate their authenticity and integrity.

You can download xtack team's OpenPGP public key as a separate OpenPGP ASCII armored file directly from here.

If you already have GnuPG installed on your system, you can then import the key from the Windows® Command Prompt with the following commands:

cd /d C:\Program Files\<GnuPG installation directory>
gpg --import xtack_team_pubkey.pgp

xtack automatically takes care of verifying both the SHA-512 hash and the OpenPGP signature for each component package archive upon its download. Additionally, once our public key is imported, if you want to also manually check any OpenPGP signatures, you can use the following commands:

cd /d X:\<xtack installation directory>
cd swu
gpg --verify <component_filename.sig> <component_filename.7z>
gpg: Signature made 04/19/17 21:34:36
gpg: using RSA key 0x5F625EC753E334C4
gpg: Good signature from "The xtack Team (Visit us at: https://xtack.org) <info@xtack.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F6DF 1F17 12FA 3BD8 D5C8 9ADB 5F62 5EC7 53E3 34C4

If the signature is invalid, you will see a "BAD signature" message, and the package cannot be trusted (xtack should detect it anyway during the update process).

If the signature is valid, you should expect a "Good signature" message.

If you've not signed our key, you will see a "Good signature" message along with a warning about our key being untrusted (as in the example above).

If you trust our key, you can avoid GnuPG's warning output by signing it using your own key with command:

gpg --sign-key 0x5F625EC753E334C4

Note: To create your own private key, just run command:

gpg --gen-key

Known Issues and Limitations

As of the time of the last update of this documentation (see above), this is the list of xtack's known issues:

  • Although we have properly configured it, Microsoft Internet Information Services Express (IIS Express) 10.0 is not recognizing index.php files as www root default index files when omitted in the URL. Possible fixes for this issue are being investigated at the moment.

    However, since xtack.bat r415 we have implemented a workaround to add index.php and index.html file names to xtack common URLs if they are missing in xtack.ini.
  • During testing we have discovered that PHP 5.6.34, PHP 7.0.28, PHP 7.1.15 and PHP 7.2.3, published March 2nd, 2018, have issues impeding loading of Xdebug, Phalcon and producing other series of weird errors in xtack. So, as of March 17th, 2018 we have finally decided NOT to pack any of these specific PHP versions in xtack so far, stick to the previous ones and wait for future updates.
  • phpPgAdmin 5.1.1 seems to NOT be working (well) any longer with PostgreSQL 10. We're researching possible fixes by our own, provided that this package is not originally maintained at the moment.

Microsoft IIS Express Specifics

  • A specific configuration setting IisHttpPort (set by default to 80, the default well-known port for any HTTP server) is included in xtack.ini to define the HTTP protocol port that IIS Express should use upon startup.
  • Due to the way IIS Express is implemented, starting it up on HTTP port 80 requires that it is run with elevated administrator permissions. This will lead to a Windows® User Account Control (UAC) popup to be raised every time IIS Express is started up, switched over or shut down on such HTTP port 80.
  • It also means that, unless you reconfigure IIS Express to start up on another HTTP protocol, like e.g. 8080, you will need to explicitly approve such permissions elevation upon all and every IIS Express startups, switchovers and shutdowns, which can be a bit annoying but, as explained above, is required in connection to how IIS Express is implemented.
  • The UAC popup will request the hidec.exe executable to be approved before being elevated. This is expected and correct within xtack's IIS Express context.

How is xtack licensed?

xtack is licensed under the GPL-3.0 license. Accordingly, xtack is free software, so you can redistribute it and/or modify it under the terms of the mentioned GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. xtack is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

If you want to check the specific licensing conditions for any of the third party software components integrated by xtack, please refer to xtack's Legal Info page.

Windows® Command Prompt optimizations for xtack?

After xtack.bat has been installed and the corresponding shortcut icon has been created on your desktop during installation, you can configure it somewhat like this for an optimal xtack experience:

  • Right mouse click on the shortcut icon.
  • Select "Properties".
  • Select the "Font" tab and choose a visually easy to read font like e.g. "Lucida Console", of at least a size 11 or larger:

    Customizing Command Prompt settings for xtack.
  • Select the "Layout" tab and uncheck "Let system position window" and set Left = Right = 0 in the "Window position" section.
  • Set a wide enough "Window size", of at least 80 characters wide, horizontally. The wider and taller the Command Prompt window is (provided that it obviously fits in the screen), the better to optimally visualize all messages from xtack.
  • Optionally, set a larger-than-default "Screen buffer size Height" to allow more xtack commands and printouts to stay visible in the Command Prompt window (e.g. 6000 lines):

    Customizing Command Prompt settings for xtack.
  • To improve readability and contrast, you can also select the "Colors" tab and set "Screen text" to a full white (RGB 255, 255, 255). Or, if you have other preferred colours or readability settings, you can apply them instead:

    Customizing Command Prompt settings for xtack.

Note that xtack.bat doesn't touch these console visual configuration settings by default on purpose, so you can control all of them, as per your own specific needs.

Basic xtack Commands

Once xtack is installed, it can be operated via several commands. To run them, just open the desktop Windows® Command Prompt shortcut previously prepared and type xtack <command> <parameters>

Available basic commands are:

  • start: Starts xtack with the versions of the HTTP server, database server and PHP engine specified in the first parameter, the so called "Operating Mode". The "Operating Mode" can also be omitted, in which case xtack will read and use the default "Operating Mode" from its configuration file (xtack.ini).
    If a "-s"  switch is provided as second parameter, xtack will be (almost) silently started in what we call "silent mode" and browsers WON'T be launched as part of the start-up process. This silent mode is intended for shared Windows® environments or whenever minimal interaction with the user is required.

    Note that only one xtack instance can run in the system at the same time.

    Also, please note that when trying to start up IIS Express and if the IisHttpPort setting points to HTTP port 80, a Windows® User Account Control (UAC) popup will be raised in order for IIS Express to be able to run with elevated administrator permissions. In such case, please press the Accept button in the popup.

    See the What is xtack's "Operating Mode" section in this documentation for more details and examples.

    If a "-i"  switch is provided instead, xtack will attempt to start any PHP IDE ("Integrated Development Environment" that may eventually exist in the /ide subfolder.
  • silent: Same as the start command but directly in "silent mode". See the start command for further details.
  • stop: Stops xtack's HTTP and database server instances previously started with the start command, as well as any xtack PHP instances and browsers originally launched upon xtack start-up.
    If a "-s"  switch is provided as parameter, xtack will be silently stopped ("silent mode") and browsers WON'T be shut down.
  • switch: This command switches an already running xtack instance over to a different Operating Mode, provided that xtack is indeed running and that the current and the target Operating Modes are different.
    If a "-s"  switch is provided as second parameter, xtack will be silently switched over to the new Operating Mode ("silent mode"). In any case, browsers, if open, WON'T be affected nor refreshed.

    Note that when trying to start up IIS Express and if the IisHttpPort setting points to HTTP port 80, a Windows® User Account Control (UAC) popup will be raised in order for IIS Express to be able to run with elevated administrator permissions. In such case, please press the Accept button in the popup.

    See the What is xtack's "Operating Mode" section in this documentation for further information and examples.
  • status: Displays xtack's current execution status. If xtack is currently started up, this command also lists the xtack processes that are running, including browsers.
  • config: Shows the runtime configuration that xtack would use if it would be started now with the start command, as per the current configuration settings defined in xtack's configuration file (xtack.ini).
  • ver: Displays a dynamically generated list of software versions of HTTP and database servers, PHP engines, programs and tools integrated by xtack.
    If a "-l"  switch is provided as parameter, a little longer, more detailed printout with be shown.
    If, instead, a "-L"  switch is provided as parameter, a very long and very detailed printout will be displayed.
  • update: Checks if any xtack online updates are available. If so, it requests the user's permission to download and selectively install them.
    If a "-d"  switch is provided as parameter, xtack will also update any manuals and documents configured in xtack's configuration file (xtack.ini). See the docs command for details.
  • docs: Upon user's permission, automatically downloads and updates both the standard manuals (basically the PHP, PEAR, MySQL and PostgreSQL Manuals) and any other custom manuals and documents that the user may have defined in xtack.ini.
  • changelog: Opens xtack's Change Log in a new browser window.
  • help: Shows a help screen. If the user types a non-supported command by mistake, he/she will be redirected to this help page too.

What is the xtack "Operating Mode"?

When starting up or switching over xtack with the start or switch commands, an "Operating Mode"  has to be specified as parameter (or be read from xtack's configuration file, xtack.ini).

This Operating Mode is a text string representing the HTTP server, PHP engine and database server versions combination to use (in that specific order), according to the following syntax (which is case insensitive):



Remember that, as described above, if an Operating Mode isn't specified along these commands, xtack will try read the default one set in xtack.ini or, instead, use the default "root Operating Mode".

Other xtack Commands

There are a few other commands available in xtack:

  • composer: This is a wrapper command that allows to run Composer from within xtack.
  • phpcs: Wrapper command allowing to run PHP_CodeSniffer's "phpcs"  main script from within xtack.
  • phpcbf: Wrapper command to run PHP_CodeSniffer's "phpcbf"  (code beautifier and fixer script) from within xtack.
  • phpunit: Wrapper command to run PHPUnit from within xtack.
  • phpmd: Wrapper command to run PHP Mess Detector (PHPMD) from within xtack.
  • npm: Wrapper command to run npm from within xtack.
  • bower: Wrapper command to run Bower from within xtack.
  • clean: Removes any xtack variables and temporary files that could have been left over from a previous execution if, for whatever reasons, it was unexpectedly interrupted.
    Adding a "-l"  switch as parameter forces deletion of any leftover xtack lock files too, thus allowing brand new xtack start-ups.
    Providing a "-L"  switch does the same, plus also removes any previous backup copies of older xtack components under the /swu/backup subdirectory.
  • pgp: Displays details about xtack team's OpenPGP public key, which is used to automatically verify xtack's component archives during its download and installation.

Type "xtack help"  from xtack's Command Prompt window to get further details.

xtack Usage Examples

Some usage examples:

By mixing different HTTP and database servers you can better match your specific live hosting environment, check your website or application on different platforms or just simply try out other alternatives.

xtack Default Configuration Files and Databases

When xtack is installed for the first time, new default/initial configuration files are copied over from xtack's Runtime to the "/cfg"  subdirectory under xtack's main installation directory. These default configuration files are designed to optimize the initial xtack experience but, of course, you can modify and tweak them according to your own specific needs.

The same applies to the default/initial MySQL and PostgreSQL databases, which are installed to the "/dbs"  subdirectory.

When editing configuration files, please make sure that you understand the changes you are doing, particularly for the pre-configured internal paths, as the default settings are designed to ensure that the whole xtack environment runs smoothly and remains 100% portable.

We strongly recommend you to make backup copies of any configuration files you intend to modify, before you actually modify them, so you can later roll back any eventual errors introduced along the process, should they occur. Again, remember that xtack configuration files are stored in the "/cfg"  subdirectory.

During xtack's update process, and when new online MySQL/PostgreSQL database updates are available, you will be asked to confirm their replacement before the previous versions are overwritten. Please pay attention to the databases' update process, so you don't lose any eventually valuable changes you previously made. In case of doubt, it's better to cancel or avoid the database update altogether.

These are xtack's default configuration files:

The xtack.ini Configuration File

xtack has its own separate configuration file, which is independent from the configuration files for the HTTP and database servers, PHP engines and the rest of tools included. Its name is xtack.ini, it is created upon xtack's installation and is also stored in the "/cfg"  subdirectory under xtack's main installation directory.

In xtack.ini lines commented out start with a "#" sign.

Available configuration settings in xtack.ini are:

  • DebugMode: Controls whether xtack debugging messages should be shown or not. We recommend you to leave it ON.
  • DefaultOpMode: Sets the default xtack start-up Operating Mode, in case none is provided to xtack through the command line interface (CLI).
  • VerboseDbServer: If enabled, the chosen xtack database server will be set up to provide verbose console messages that can be used to troubleshoot any eventual problems preventing the database server to start up properly. It is recommended to leave it OFF by default.
  • KillExistingServers: If enabled and xtack is not running on the system, xtack will try to kill any HTTP server, PHP and database server instances that might be running before starting the whole xtack environment, thus trying to prevent potential xtack start-up problems. We recommend you to leave it ON by default.
  • KillExistingBrowsers: If enabled, any existing browser instances will be killed before starting new browser instances used by xtack during its start-up. We recommend you to leave it ON by default.
  • StartBrowser: Comma-separated list of browsers that xtack is meant to start up along the rest of the xtack environment. Thus, multiple browsers can be started simultaneously for greater convenience. If several browsers are launched, make sure that the contents of the BrowserURL (another xtack.ini configuration setting, see below) can be correctly interpreted by all those browsers. To completely disable browser start-up, set this setting to No. Supported browsers are Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, Microsoft Edge, Opera and Apple Safari for Windows®.
  • BrowserURL: URL(s) to load in the browser(s) started by xtack, provided that browser start-up isn't disabled via the StartBrowser setting. The URL(s) must be enclosed within double quotes to make them literal, and thus to avoid the risk of browsers misinterpreting the URL(s). Beware of the fact that if the URL(s) aren't enclosed within double quotes the setting will simply be ignored and NO browser(s) will be launched.
  • IisHttpPort: HTTP port on which IIS Express shall be launched. If this port is 80, a Windows® User Account Control (UAC) popup will be raised every time IIS Express is started up, switched over or shut down in order for IIS Express to be able to run with elevated administrator permissions. This is only due to the specific way in which IIS Express is implemented.

Please have a look to the default initial /cfg/xtack.ini file provided upon xtack's installation for a glimpse of additional details and inline comments.

Where should I store my project files in xtack?

By default, xtack is configured to use the "/www"  subdirectory under xtack's main installation directory as document root.

This means that, unless you change this default location in the HTTP server configuration files, that is the place where you should store your project files. We also find this location pretty convenient overall, and so we recommend you NOT to modify it unless strictly necessary.

Any PHP libraries and packages you install with xtack's Composer will be saved by default to the "/www/packages"  subdirectory under xtack's main installation directory.

Libraries and modules installed via npm or Bower will be stored by default under Node.js' "/bin/njs/node_modules"  subdirectory, which is also under xtack's main installation directory. Unfortunately, this CANNOT be changed.

The xtack Runtime

The xtack Runtime is a compilation of default configuration files, manual help pages and binary executable files required in different ways to run the environment.

The following executable files are bundled in the xtack Runtime:

  • 7za.exe: 7-Zip's compression engine (VirusTotal Component Scan).
  • fmt.exe: GNU's Coreutils fmt, used for certain text processing operations (VirusTotal Component Scan).
  • gawk.exe: GNU's Gawk processor, released by Klabaster.com (VirusTotal Component Scan).
  • gpg.exe: This executable is the GnuPG implementation of the OpenPGP standard and is used to validate SHA-512 hash and the OpenPGP file signatures (VirusTotal Component Scan).
  • hidec.exe: Hides a console window for a started program (VirusTotal Component Scan).
  • IsAdmin.exe: It is a freeware utility which is part of the Windows Admin Script Tools package and that is used in xtack with explicit consent from the author to check whether xtack is being run with elevated administrator permissions (VirusTotal Component Scan).
  • nircmdc.exe: NirCmd is a small command-line utility that allows xtack to do some useful tasks without displaying any user interface, for example showing informative balloons in Windows' tray notification area (VirusTotal Component Scan). Please beware that NirCmd is sometime flagged as a false positive by antivirus and security software, including a handful of antivirus engines included in VirusTotal. We are aware of this, yet nircmdc.exe is fully reliable and trustable.
  • ps.exe: Command-line process handling utility used in xtack in combination with WMIC to control specific xtack processes startup, shutdown, as well as to monitor xtack processes' status (VirusTotal Component Scan).
  • reg.exe: Microsoft console Registry tool, used in xtack to run queries on the Windows® Registry to verify miscellaneous software requirements for the computer system it runs on. Please note that xtack does NEVER write anything into the Windows® Registry (VirusTotal Component Scan).
  • Sigcheck.exe: Sigcheck is a command-line utility by Windows® Sysinternals that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file's status on VirusTotal, a site that performs automated file scanning against over many antivirus engines (VirusTotal Component Scan).
  • wget.exe: GNU Wget network utility (released by Eternallybored.org) in charge of downloading xtack files and components (VirusTotal Component Scan).
  • wtee.exe: Copies standard input to standard output and also to any files given as arguments. In xtack it is used to save information to log files (VirusTotal Component Scan).

xtack Versioning System

xtack follows a pretty simple and straightforward versioning system, based on one-track development "revisions".

Thus, all xtack specific/original deliveries have a sequential "r" revision number. This applies to:

  • xtack.bat.
  • The xtack Runtime.
  • The xtack documentation.
  • xtack's miscellaneous compilation components like the xtack Microsoft Visual C++ Redistributable Packages container file, xtack Icons and the xtack DLL Pack.
  • xtack's default databases for MySQL, MariaDB and PostgreSQL.

The overall xtack system status also uses the same "revision" concept. In fact, it can be seen somewhat as an overall system tag.

Historically, xtack.bat has the highest "r" revision number value of all xtack original deliveries, as it is where most of the development effort has been centered so far.

MySQL, MariaDB and PostgreSQL default xtack users/passwords?

There are two default, predefined MySQL, MariaDB and PostgreSQL username/password pairs preconfigured in xtack:

  • Username = "root" with password "root".
  • Username = "xtack" with password "xtack123".

The main difference between them is that while user "root" has full database privileges, user "xtack" can only execute SELECT, INSERT, UPDATE, DELETE, CREATE and DROP SQL statements.

We recommend you to generally test your databases and applications with the "xtack" user, since it's usually the most similar one, in terms of permissions, to the commonly limited setup that can be found throughout Internet hosting companies and service providers.

If you plan to use one of these predefined MySQL/MariaDB/PostgreSQL username/password pairs, please note that you will most likely need to modify the corresponding database connection configuration files in your components, packages and applications.

Of course, other new MySQL/MariaDB/PostgreSQL usernames/passwords can also be alternatively defined, for example via phpMyAdmin or phpPgAdmin.

Keep in mind that if you modify the default usernames/passwords or define new ones, you will also need to update the phpMyAdmin and phpPgAdmin configuration files in the "/cfg"  subdirectory under xtack's main installation directory, for them to continue working properly.

Can I use Apache, IIS Express and Nginx URL rewrite engines?

For sure, in the three of them. Apache, IIS Express and Nginx's URL rewrite engines are available and enabled by default in xtack's default configuration files, which are expanded from the xtack Runtime during initial installation time.

In Apache this is handled by mod_rewrite, which is activated by default in xtack. And in Nginx and IIS Express the rewrite engines are built in internally, and so nothing else needs to be done to enjoy the feature.

How can I profile PHP scripts?

xtack comes pre-configured by default to be able to profile PHP scripts out-of-the-box through Xdebug on a per-script basis, just by adding Xdebug's XDEBUG_PROFILE HTTP GET variable to whichever script URL you want to profile. See Xdebug's Profiler documentation for further details.

If, instead, you want to profile each and every PHP script in your staging application or website, just look in the corresponding /cfg/phpXX.ini file for Xdebug's xdebug.profiler_enable configuration setting and change it from its default "0" to "1".

Profiling files are saved as /prof/cachegrind.out.xxx.yyy by Xdebug and can then be open and analyzed using QCacheGrind.

ModSecurity for Apache 2.4 in xtack

xtack includes Apache Lounge's ModSecurity binaries for Apache 2.4.

Due to ModSecurity's increasingly powerful and sometimes complex options, we decided NOT to activate it by default in xtack, as doing so would most probably be far beyond the interest of the average web developer, and even conflict with custom-developed rules.

However, we felt it was anyway important to include ModSecurity in xtack, to give users the chance to experiment with it.

If you indeed want to activate it, please uncomment (that is, remove the leading "#" sign from) the following line in Apache 2.4's configuration file /cfg/apache24.conf:

#LoadModule security2_module "bin/a24/modules/mod_security2.so"

Then, at the end of the same configuration file, you should uncomment and add configuration options between the following two clauses:

      #<IfModule security2_module>

      # ...


Please refer to ModSecurity's sample recommended configuration file at:

Alternatively, you can also try OWASP's Core Rule Set.

Finally, you can also check ModSecurity's documentation to make sure that the desired ModSecurity configuration settings are properly set up in the Apache 2.4's configuration file (/cfg/apache24.conf) before starting testing any ModSecurity related functionality.

ModSecurity cannot be used with Nginx nor with IIS Express in xtack.

Reference documentation for xtack's components

A bit about the history of xtack

xtack derives from a previous, quite basic personal web development stack for Microsoft Windows® 2000 and Windows® XP that dates back to early 2006.

While some of the original design principles remain, xtack currently provides many modern functionalities that are required today for an efficient web development workflow.

xtack is implemented as a Windows® batch command file on purpose, in order to allow future community development and maintenance without the need for a separated compiler/linker.

After research, it was decided not to port it to any other Windows® scripting technologies, so to keep it accessible to everybody, since such other solutions are either proprietary or far too complicated.

That's for example particularly the case with Windows® PowerShell, which is a scripting language with a steep learning curve and that has gone through quite some big changes along versions and time, making it not that well suited to support such a wide variety of Windows® versions out-of-the-box.

For certain specific tasks and operations, xtack heavily relies on Gawk and the AWK scripting language, which is still today an extremely powerful language, at the same time that can be well integrated to complement Windows® batch scripts like xtack. It also punctually, but crucially, relies on specific WMIC (Windows Management Instrumentation Command) commands.

If you feel interested, just have a look at the code.


We would like to express our appreciation and special gratitude to the following people, organizations and resources, which have been, and still are, so really useful when blocked by a problem or when you're in need of finding a magic hack...

I like xtack, how can I support it?

If you like xtack and you would also like to donate to the project, please visit our donations page to find out how ;-)

Thank you!

How to report xtack bugs or request new features?

Please kindly report xtack bugs or request new features through our Github Issue Tracker.

All bug reports and feature requests will be confidentially treated on a "best effort" basis, but no guarantees can be given in advance, due to our limited time availability. Thanks for your understanding and patience!