{
	"id": "7664e3e1-4036-4a7a-b5ac-f6edb930b733",
	"created_at": "2026-04-06T00:06:34.926241Z",
	"updated_at": "2026-04-10T03:20:57.2459Z",
	"deleted_at": null,
	"sha1_hash": "342399a1454fcada9f3cd33781124745ea4b4933",
	"title": "ISAPI Filter Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39854,
	"plain_text": "ISAPI Filter Overview\r\nBy Archiveddocs\r\nArchived: 2026-04-05 23:21:33 UTC\r\nISAPI filters are DLL files that can be used to modify and enhance the functionality provided by IIS. ISAPI filters\r\nalways run on an IIS server, filtering every request until they find one they need to process. The ability to examine\r\nand modify both incoming and outgoing streams of data makes ISAPI filters powerful and flexible.\r\nFilters are registered at either the site level or the global level (that is, global filters apply to all sites on the IIS\r\nserver), and are initialized when the worker process is started. A filter listens to all requests to the site on which it\r\nis installed.\r\nBoth ISAPI filters and ISAPI extensions can only be developed using C/C++. Visual Studio comes with wizards\r\nthat make ISAPI development fast and easy.\r\nISAPI filters can be registered with IIS to modify the behavior of a server. For example, filters can perform the\r\nfollowing tasks:\r\nChange request data (URLs or headers) sent by the client\r\nControl which physical file gets mapped to the URL\r\nControl the user name and password used with anonymous or basic authentication\r\nModify or analyze a request after authentication is complete\r\nModify a response going back to the client\r\nRun custom processing on \"access denied\" responses\r\nRun processing when a request is complete\r\nRun processing when a connection with the client is closed\r\nPerform special logging or traffic analysis.\r\nPerform custom authentication.\r\nHandle encryption and compression.\r\nNote\r\nISAPI filter DLLs cannot be requested explicitly, like ISAPI extensions can.\r\nEvery ISAPI filter is contained in a separate DLL that must export two entry-point functions, GetFilterVersionand\r\nHttpFilterProc, and optionally export the TerminateFilter function. 
The metabase property, FilterLoadOrder,\r\ncontains a list of all filters that IIS loads when the Web service is started.\r\n1. When IIS initially loads an ISAPI filter, it also creates and partially populates an\r\nHTTP_FILTER_VERSION structure. It then calls the filter's GetFilterVersion function, passing a pointer\r\nto the new structure as a parameter.\r\n2. The ISAPI filter populates the HTTP_FILTER_VERSION structure with version information and\r\ndescriptive information. More importantly, the filter also uses HTTP_FILTER_VERSION to specify\r\nwhich event notifications it should receive, and to declare the general priority level for the filter. In\r\naddition, the filter also indicates whether it is interested in events from secure ports only, unsecure ports\r\nonly, or both.\r\n3. Each HTTP transaction between IIS and a client browser triggers several distinct events. Every time an\r\nevent occurs for which an ISAPI filter is registered, IIS calls the filter's HttpFilterProc entry-point\r\nfunction.\r\nIf more than one ISAPI filter is registered for a given event, IIS notifies the filters that the event occurred.\r\nThe filters, which are marked as high, medium, or low priority, are notified according to priority in\r\ndescending order. If more than one ISAPI filter is declared the same general priority level, IIS uses the\r\norder in which the filters appear in the FilterLoadOrder property to resolve the tie.\r\n4. The ISAPI filter uses the notification type information, passed by IIS as a parameter to HttpFilterProc, to\r\ndetermine which particular data structure is pointed to by the other HttpFilterProc parameter,\r\npvNotification. The ISAPI filter then uses the data contained in that data structure, as well as in the context\r\nstructure HTTP_FILTER_CONTEXT, to perform any custom processing.\r\n5. 
Once processing is complete, the filter returns one of the SF_STATUS status codes to IIS, and IIS\r\ncontinues processing the HTTP request or response until another event occurs for which ISAPI filters are\r\nregistered.\r\n6. When the Web service is stopped or unloaded, IIS calls TerminateFilter in all ISAPI filters as part of its\r\nshutdown sequence, for any filters that implemented and exported the function. TerminateFilter is\r\ntypically used to perform cleanup and de-allocation of allocated resources.\r\nGetFilterVersion is called exactly once, when the ISAPI filter is initially loaded. Any per-connection\r\ninitializations the developer wants to perform must be managed internally within the context of the\r\nHttpFilterProc function call.\r\nNote\r\nThe priority setting for ISAPI filters is per filter, not per notification. For example, a low priority rating cannot be\r\nassigned for one type of notification and a high priority rating for another type.\r\nSource: https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)"
	],
	"report_names": [
		"ms524610(v=vs.90)"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/342399a1454fcada9f3cd33781124745ea4b4933.pdf",
		"text": "https://archive.orkl.eu/342399a1454fcada9f3cd33781124745ea4b4933.txt",
		"img": "https://archive.orkl.eu/342399a1454fcada9f3cd33781124745ea4b4933.jpg"
	}
}