{
	"id": "dfe64ba7-3d25-48fa-a5fa-19980f3c6d57",
	"created_at": "2026-04-06T00:09:57.841469Z",
	"updated_at": "2026-04-10T03:20:42.961425Z",
	"deleted_at": null,
	"sha1_hash": "9374aeef194ac014aa5d4492408408f328b6c334",
	"title": "ISAPI Extension Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53627,
	"plain_text": "ISAPI Extension Overview\r\nBy Archiveddocs\r\nArchived: 2026-04-05 18:48:36 UTC\r\nISAPI extensions are true applications that run on IIS and have access to all of the functionality provided by IIS.\r\nAs an example of how powerful ISAPI extensions can be, ASP pages are processed through an ISAPI extension\r\ncalled ASP.dll. In general, clients can access ISAPI extensions the same way they access a static HTML file or\r\ndynamic ASP file.\r\nISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Like ASP and\r\nHTML pages, IIS uses the virtual location of the DLL file in the file system to map the ISAPI extension into the\r\nURL namespace that is served by IIS.\r\nExtensions and filters are the two types of applications that can be developed using ISAPI. An ISAPI extension\r\nruns when requested just like any other static HTML file or dynamic ASP file. Since ISAPI applications are\r\ncompiled code, they are processed much faster than ASP files or files that call COM+ components.\r\nBoth ISAPI filters and ISAPI extensions can only be developed using C or C++. Visual Studio includes wizards\r\nthat speed ISAPI development.\r\nApplication Mappings\r\nApplication mappings (or script mappings) are the Web server equivalent of file associations in Windows. For\r\nexample, in Windows, when you open a file that ends in \".txt\", the file usually opens in Notepad, because TXT\r\nfiles are mapped to Windows Notepad.exe.\r\nIn IIS, ASP functionality is contained in an ISAPI extension called ASP.dll. Any file that is requested from the IIS\r\nserver that ends in \".asp\" is mapped to ASP.dll which is assigned to process the file before displaying its output in\r\nthe client's window.\r\nA client requests an ISAPI extension in the following way:\r\nhttp://Server_name/ISAPI_name.dll/Parameter\r\nTo request an ASP file, a client can request a URL like https://Server_name/ASP.dll/File_name.asp because ASP\r\nfiles are processed by the ISAPI extension named %windir%\\system32\\inetsrv\\ASP.dll. However, to simplify ASP\r\nrequests, IIS uses a script mapping that associates \".asp\" file name extensions with ASP.dll. When a request such\r\nas https://Server_name/File_name.asp is received, IIS runs the ASP.dll ISAPI extension to service the request and\r\nhttps://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)\r\nPage 1 of 3\n\nload that file for processing. Many applications that run on IIS are actually ISAPI extensions that are script-mapped to process files with specific file name extensions.\r\nISAPI Extension Processing Sequence\r\nThe following events occur when IIS receives a request that maps to an ISAPI extension:\r\n1. IIS loads the DLL, if it is not already in memory. When the DLL is loaded, Windows automatically calls\r\nthe optional DLL entry/exit function (usually DllMain). IIS then calls the extension's GetExtensionVersion\r\nentry-point function.\r\n2. IIS performs minor preprocessing on the incoming request.\r\n3. IIS creates and populates an EXTENSION_CONTROL_BLOCK structure to pass request data and\r\ncallback function pointers to the extension.\r\n4. IIS calls the ISAPI extension's HttpExtensionProc function, passing a pointer to the\r\nEXTENSION_CONTROL_BLOCK structure created for this request.\r\n5. The ISAPI extension carries out the actions it was designed to perform: for example, reading more data\r\nfrom the client (as in a POST operation), or writing headers and data back to the client.\r\n6. The extension informs IIS that it is finished processing the request by exiting the HttpExtensionProc\r\nfunction. For synchronous operations, the function returns the HSE_STATUS_SUCCESS return code; for\r\nasynchronous operations, the return code is HSE_STATUS_PENDING. For more information about\r\nasynchronous operations, see Asynchronous I/O Processing.\r\n7. IIS performs cleanup on the connection used for the request, after which it closes the connection if Keep-Alive functionality is not enabled.\r\n8. Once the ISAPI extension is no longer needed, IIS calls the TerminateExtension function, if the extension\r\nprovides one. If IIS is configured to cache ISAPI extensions, TerminateExtension is not called until the IIS\r\nWeb server is shut down or restarted.\r\nNote\r\nGetExtensionVersion is not called for every request. In contrast, HttpExtensionProc is called exactly once for\r\nevery request for the ISAPI extension. Additionally, one EXTENSION_CONTROL_BLOCK structure is used for\r\neach incoming request.\r\nISAPI Compared to CGI\r\nThe Internet Server Application Programming Interface (ISAPI) model was developed as a faster alternative to the\r\nCommon Gateway Interface (CGI). ISAPI provides a number of advantages over CGI, including lower overhead,\r\nfaster loading, and better scalability. The chief difference between the CGI and ISAPI programming models is\r\nhow processing is handled.\r\nhttps://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)\r\nPage 2 of 3\n\nWith CGI, the system creates a unique process for every request. Each time an HTTP server receives a request, it\r\ninitiates a new process. Because the operating system must maintain all these processes, CGI requires many of\r\nresources. This inherent limitation makes it difficult to develop responsive Internet applications with CGI.\r\nWith ISAPI, requests do not require a separate process. Threads are used to isolate and synchronize work items,\r\nresulting in a more efficient use of system resources. For more information, see ISAPI and Web Application\r\nArchitecture.\r\nAn ISAPI extension differs from a CGI executable file in several other ways. An ISAPI extension does the\r\nfollowing:\r\nReceives most of its data through the lpbData member of the EXTENSION_CONTROL_BLOCK\r\nstructure, instead of reading the data from the standard input (STDIN) handle for the process. For any\r\nadditional data, the extension uses the ReadClient callback function.\r\nSends data back to the client using the WriteClient callback function, instead of writing to the standard\r\noutput (STDOUT) handle for the process.\r\nAccesses common CGI variables through the EXTENSION_CONTROL_BLOCK structure. For other\r\nvariables, the extension calls the GetServerVariable function. In a CGI executable file, these variables are\r\nretrieved from the environment table by using getenv.\r\nSpecifies completion status by either sending the header directly using the WriteClient callback function, or\r\nby calling the HSE_REQ_SEND_RESPONSE_HEADER_EXServerSupportFunction, instead of writing\r\nthe header to STDOUT.\r\nRedirects requests with a Location: or URL: header. If the URL is local, the extension uses the\r\nHSE_REQ_SEND_URL structure instead of writing the header to STDOUT. If the URL is remote or\r\nunknown, the extension uses HSE_REQ_SEND_URL_REDIRECT_RESP in the ServerSupportFunction\r\ncallback function. When IIS receives a request for a particular extension, it loads the DLL into memory,\r\nwhere it services other requests. When IIS unloads the extension, it calls the extension's\r\nTerminateExtension function if it is present. Use of TerminateExtension is recommended to free any\r\nresources that the extension may have locked or allocated during its initial Load.Keep-Alive connections.\r\nSource: https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)\r\nhttps://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)"
	],
	"report_names": [
		"ms525172(v=vs.90)"
	],
	"threat_actors": [],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9374aeef194ac014aa5d4492408408f328b6c334.pdf",
		"text": "https://archive.orkl.eu/9374aeef194ac014aa5d4492408408f328b6c334.txt",
		"img": "https://archive.orkl.eu/9374aeef194ac014aa5d4492408408f328b6c334.jpg"
	}
}