HTTP.sys (the kernel-mode HTTP listener for IIS) runs in kernel mode. It can accept connections and queue them before any user-mode process wakes up. When w3wp.exe (the IIS worker process, user mode) crashes, HTTP.sys keeps the port open and returns 503 to clients — which is why a crashed app pool doesn't require a full server restart, just a pool recycle. Understanding this boundary makes incident triage 10× faster.
What is Windows OS and Architecture
Understand how Windows is structured from the hardware abstraction layer up through the kernel to user-mode services — the foundation required before you can understand IIS, services, and production troubleshooting.
🧒 Simple Explanation (ELI5)
Think of Windows like a giant, organised office building. The bottom floor is the hardware — CPUs, RAM, disks. Windows is the building management system: it decides which program gets which office (memory), keeps everyone from fighting over the printer (CPU), and calls the fire alarm (blue screen) if something really goes wrong. You work in the upper floors without ever needing to touch the plumbing downstairs.
🔧 Why Do We Need It?
- IIS runs on Windows: IIS 10 only runs on Windows Server 2016/2019/2022. Every IIS failure ultimately lives at the OS layer — you cannot fix it without understanding the OS.
- Troubleshooting root causes: 500 errors, app pool crashes, and high CPU all depend on knowing whether the problem is in kernel mode, user mode, or a service dependency.
- Compliance and security: enterprise environments enforce server edition licensing, feature sets, and update baselines — knowing the architecture helps you know what is allowed where.
- Interview reality: every Windows/IIS support interview starts with: "Explain the difference between Windows Server editions" and "What is the Windows kernel?"
🌍 Real-world Analogy
Windows architecture is like an electrical distribution system: the kernel is the substation handling high-voltage raw power (hardware), device drivers are the transformers stepping it down safely, and your applications are the appliances plugged in at the end — they never touch the dangerous parts of the network directly.
⚙️ Technical Explanation
Windows NT architecture separates execution into two privilege levels. Kernel mode has unrestricted access to hardware. It contains the NT kernel (ntoskrnl.exe), the Hardware Abstraction Layer (HAL), the I/O Manager, and kernel-mode device drivers. A crash in kernel mode causes a blue screen (BSOD) because there is no safety net. User mode runs with restricted privileges. Subsystems (Win32, WoW64), the system service layer, and all user applications run here. A crash in user mode terminates only that process — the OS survives.
Windows Server editions add the roles and features layer on top. IIS, DHCP, DNS, and Active Directory Domain Services are all installed as optional server roles. Windows Server 2022 ships with Windows Defender, SMBv3, and HTTP/2 support out of the box. The Windows Service Control Manager (SCM) maintains the service database, handles dependency chains, and controls start/stop/restart for all Windows Services including IIS's W3SVC and WAS.
📊 Visual Representation
⌨️ Commands / Syntax
# Check Windows version and edition
winver
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# Check installed roles (PowerShell — Server only)
Get-WindowsFeature | Where-Object Installed -eq $true | Select-Object Name,DisplayName

# Check running services and their state
sc query state= all | findstr /R "SERVICE_NAME STATE"

# Check kernel mode drivers loaded
sc query type= driver state= running

# Check system uptime
net statistics server | findstr "since"
systeminfo | findstr /C:"Boot Time"

# Check system architecture
wmic os get osarchitecture
💼 Example (Real-world Use Case)
A financial institution's Windows Server 2019 IIS host starts returning 503 errors after a Patch Tuesday update. The L2 engineer checks the update history, sees that a driver update was applied, and notices a kernel-mode driver crash in Event Viewer under System events. Because the engineer understands the architecture boundary — specifically that HTTP.sys lives in kernel mode — they know to check whether the networking driver stack was affected rather than immediately blaming application code. The root cause turns out to be an incompatible NIC driver update. Rolling back the driver restores service without touching IIS configuration at all.
🧪 Hands-on
- Open a Command Prompt as Administrator and run systeminfo. Identify the OS name, version, build number, installed RAM, and system uptime.
- Run winver to confirm the build and update level. Note whether you are on an LTSC or SAC/GAC channel release.
- Open PowerShell as Administrator on a Windows Server and run Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName | Format-Table -AutoSize to list all installed roles and features.
- Run sc query type= driver state= running and find HTTP in the list — confirm HTTP.sys is loaded and in the RUNNING state. This proves the kernel-mode HTTP listener is active.
- Open Task Manager → Details tab and locate lsass.exe, services.exe, and svchost.exe. Confirm these are the core user-mode service host processes and note their session IDs.
For IIS hosting, use Windows Server Standard or Datacenter — never Desktop (Home/Pro) in production. Standard supports 2 virtual machines per license; Datacenter allows unlimited VMs. LTSC (Long-Term Servicing Channel) editions are preferred for stability because they receive only security updates for 10 years with no feature changes — critical for IIS hosts where change control matters.
🐛 Debugging Scenario
Failure: Server is online but users cannot reach the IIS website. IISRESET runs successfully but the site still returns errors. The junior engineer says "Windows is broken."
- Run sc query http — confirm the HTTP.sys kernel driver is running. If stopped, run sc start http.
- Run sc query w3svc — confirm the World Wide Web Publishing Service (W3SVC) is running. IISRESET controls this service.
- Run sc query was — confirm the Windows Process Activation Service (WAS) is running. WAS launches worker processes; without it no app pool starts.
- Check Event Viewer → System and Application logs for recent errors tagged with source IIS-W3SVC, WAS, or HttpEvent.
- The real issue: WAS was stopped due to a failed dependency (usually NetTcpPortSharing). Starting WAS manually restores the site.
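The steps above, scripted as a single triage pass. This is an added example written for this page, not code from the original, and it goes one step further than the list: it reads the DependOnService value that the SCM stores for WAS and W3SVC and checks every dependency, so a stopped dependency such as the one in the scenario shows up directly instead of being inferred. The ETW provider names in Get-IisRecentEvents are an assumption on my part (they are the providers behind the WAS, IIS-W3SVC and HttpEvent sources in Event Viewer); adjust them if your build names them differently.

```powershell
# Added example (not from the original page): one-pass triage of the IIS service chain.
# Order follows the debugging steps above: kernel-mode HTTP driver first, then WAS and
# W3SVC with every dependency recorded for them in the SCM registry database, then the
# recent IIS-related events. Run in an elevated PowerShell on the IIS host.
# Assumed (not stated on the page): the ETW provider names used in Get-IisRecentEvents.

function Get-ComponentState {
    # Services and kernel drivers live in different SCM tables: Get-Service covers Win32
    # services, Win32_SystemDriver covers drivers such as HTTP, so try both.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { return [string]$svc.Status }
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if ($drv) { return [string]$drv.State }
    return 'NOT FOUND'
}

function New-ChainRow {
    param([string]$Component, [string]$Name)
    $state = Get-ComponentState -Name $Name
    [pscustomobject]@{
        Component = $Component
        Service   = $Name
        State     = $state
        Healthy   = ($state -eq 'Running')
    }
}

function Get-IisServiceChain {
    New-ChainRow 'HTTP.sys kernel listener' 'HTTP'
    foreach ($name in 'WAS', 'W3SVC') {
        New-ChainRow "$name (user-mode service)" $name
        # DependOnService is the list the SCM evaluates before it will start the service.
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $deps = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
        foreach ($dep in (@($deps) | Where-Object { $_ })) {
            New-ChainRow "  dependency of $name" $dep
        }
    }
}

function Get-IisRecentEvents {
    param([int]$Minutes = 60)
    # Assumed provider names for the sources shown in Event Viewer as WAS, IIS-W3SVC, HttpEvent.
    $providers = 'Microsoft-Windows-WAS', 'Microsoft-Windows-IIS-W3SVC', 'Microsoft-Windows-HttpEvent'
    $since = (Get-Date).AddMinutes(-$Minutes)
    foreach ($log in 'System', 'Application') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; ProviderName = $providers; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                          @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Usage
$chain = Get-IisServiceChain
$chain | Format-Table -AutoSize
$chain | Where-Object { -not $_.Healthy } |
    ForEach-Object { Write-Warning "Not running: $($_.Component) [$($_.Service)] state=$($_.State)" }
Get-IisRecentEvents -Minutes 60 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Reading the dependency list from the registry rather than from IISRESET's output is the point: IISRESET only reports on W3SVC and WAS, while the SCM refuses to start WAS when any entry in DependOnService is not running, which is exactly the failure the scenario describes.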
🎯 Interview Questions
Beginner
Windows client editions (Home, Pro, Enterprise) are optimised for desktop use — single user, limited concurrent connections, and restricted to 20 inbound connections for file sharing. Windows Server editions (Standard, Datacenter) support server roles like IIS, Active Directory, DNS, DHCP, unlimited inbound connections, Remote Desktop licensing, and per-core/per-user licensing models designed for multi-user production workloads. IIS on a client OS lacks many production features and is not supported in enterprise environments.
The Windows NT kernel (ntoskrnl.exe) is the core of the OS running in privileged kernel mode. It manages CPU scheduling, memory allocation, hardware I/O, and security. It implements fundamental system services including the executive subsystems (Object Manager, I/O Manager, Process Manager, Security Reference Monitor). Nothing in the OS has higher privilege — a bug here causes a BSOD because there is no recovery layer above the kernel.
Kernel mode has unrestricted CPU access (Ring 0 in x86 terminology) and can directly access hardware, all memory, and privileged CPU instructions. User mode (Ring 3) runs application code with restricted privileges. Processes in user mode access hardware only via system calls into the kernel. This separation protects the OS: a crashed user-mode process (like w3wp.exe) is terminated by the kernel without affecting other processes or the OS itself.
The HAL is a thin software layer between the kernel and hardware that hides hardware-specific details. It means the same kernel binary (ntoskrnl.exe) can run on different hardware platforms without modification. The HAL handles access to interrupt controllers, timers, and DMA controllers. In virtual machine environments, the HAL talks to virtual hardware presented by the hypervisor (Hyper-V, VMware), making Windows virtualisation transparent to the kernel.
A role is a collection of software that delivers a specific server function. Roles are installed via Server Manager or PowerShell's Install-WindowsFeature. Key roles include: IIS (Web Server), Active Directory Domain Services, DNS Server, DHCP Server, File Services, and Remote Desktop Services. Each role may depend on other features being present. Roles are managed independently — you can install, remove, and configure them without rebuilding the OS.
Intermediate
Performance and reliability. Kernel-mode HTTP listening means incoming TCP connections are handled at the lowest OS level without context switches between user and kernel mode for every request. HTTP.sys caches responses and handles SSL offloading partly in kernel space. The reliability benefit: if a user-mode IIS worker process (w3wp.exe) crashes, HTTP.sys stays running and can return 503 responses or queue new requests while IIS restarts the app pool — the server port never closes.
The Service Control Manager (SCM, services.exe) is responsible for starting, stopping, and monitoring all Windows Services. It manages service configuration stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services. For IIS, SCM controls W3SVC (World Wide Web Publishing Service), WAS (Windows Process Activation Service), and their dependencies. When you run IISRESET, it is essentially stopping and starting W3SVC and WAS through SCM. If SCM is overloaded or a service fails its dependency check, IIS won't start correctly regardless of what IISRESET reports.
WoW64 (Windows on Windows 64-bit) is the compatibility subsystem that allows 32-bit processes to run on 64-bit Windows. For IIS, it matters when hosting 32-bit .NET applications on a 64-bit server. IIS application pools have an "Enable 32-bit Applications" setting. If a 32-bit DLL or COM component is referenced by an application deployed on a 64-bit app pool, you will get "Could not load file or assembly" errors. The fix is enabling the 32-bit flag on the pool or recompiling the component as AnyCPU or x64.
Server 2016 ships with IIS 10.0 and added HTTP/2 support. Server 2019 improved container support, added Windows Admin Center integration, and hardened TLS 1.2 defaults — TLS 1.0/1.1 are disabled by default. Server 2022 added TLS 1.3 support in IIS, improved HTTPS performance, and added Server Message Block (SMBv3) compression. For new IIS deployments, Server 2022 is recommended for its security defaults — TLS 1.3 and disabled older cipher suites reduce SSL hardening effort significantly.
The Registry is a hierarchical database storing OS and application configuration. Five root hives: HKLM (machine-wide, persistent), HKCU (current user profile), HKCR (file type associations), HKU (all user profiles), HKCC (hardware profile). For IIS: HKLM\SOFTWARE\Microsoft\InetStp stores IIS version and install path. HKLM\SYSTEM\CurrentControlSet\Services\W3SVC stores service configuration. HKLM\SOFTWARE\Microsoft\ASP.NET stores .NET registration. Corrupted or missing registry keys are a common root cause of IIS installation or .NET registration failures.
Scenario-based
Event ID 6008 is "The previous system shutdown was unexpected." Start in Event Viewer: check the System log for events in the 30 minutes before reboot — look for kernel-power, BugCheck (BSOD), disk errors, or hardware failure events. Check %SystemRoot%\Minidump for crash dump files and analyse them with WinDbg or the online symbol server to identify the faulting driver or process. If it was a planned update reboot that wasn't acknowledged, coordinate the maintenance window. If hardware-related, engage the hardware vendor with the dump analysis. Never assume "it just rebooted" without a root cause — unexplained reboots in a 24/7 IIS environment are P1 incidents.
On Server Core, all management is done via PowerShell or sconfig (the text menu). Install IIS with: Install-WindowsFeature -Name Web-Server -IncludeManagementTools -IncludeAllSubFeature. Manage IIS remotely using IIS Manager on another machine connected to the Core server, or use the WebAdministration PowerShell module: Import-Module WebAdministration. Server Core is the preferred deployment model in modern enterprises because it has a smaller attack surface (no Explorer, no desktop), lower memory footprint, and fewer patches to manage — all critical for a production IIS host.
Each IIS app pool runs as a separate w3wp.exe process. Open Task Manager → Details tab and sort by CPU — identify the high-CPU w3wp.exe PIDs. To map a PID to an app pool run: %windir%\system32\inetsrv\appcmd list wp. This shows all worker process PIDs and their pool names. Now you know exactly which pool (and therefore which site or application) is consuming CPU. Take a process dump with ProcDump: procdump -ma <PID> dump.dmp and analyse call stacks. In the meantime, consider recycling the offending pool or temporarily stopping the site to restore service to all other sites while you investigate.
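The PID-to-pool mapping described above, automated. This is an added example for this page, not code from the original or from IIS itself. It relies on the way WAS launches each worker (w3wp.exe -ap "<PoolName>" ...), which is an assumption about the launch syntax rather than something the page states, and it adds a second step the paragraph does not show: sampling cumulative CPU time twice so the result is the share of machine CPU each pool used during the window, which is what "high CPU" actually means in a ticket.

```powershell
# Added example (not from the original page): map every w3wp.exe to its app pool and
# measure its CPU share over a short window. WAS starts each worker as
#   w3wp.exe -ap "<PoolName>" ...
# so the pool name is read straight from the process command line (assumed stable
# launch syntax; no IIS module needed). Run elevated so Win32_Process exposes all PIDs.

function Get-W3wpWorkers {
    Get-CimInstance -ClassName Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
        $pool = if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '(unknown)' }
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue   # live counters
        [pscustomobject]@{
            ProcessId    = $_.ProcessId
            AppPool      = $pool
            CpuSeconds   = if ($proc) { $proc.CPU } else { $null }           # cumulative, all cores
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
            Started      = $_.CreationDate
        }
    }
}

function Measure-W3wpCpu {
    # Two samples of cumulative CPU time give the share of total machine CPU each
    # worker consumed during the window; a worker recycled mid-window is skipped.
    param([int]$Seconds = 5)
    $before = @{}
    foreach ($w in Get-W3wpWorkers) { $before[$w.ProcessId] = $w.CpuSeconds }
    Start-Sleep -Seconds $Seconds
    $cores = [Environment]::ProcessorCount
    foreach ($w in Get-W3wpWorkers) {
        $prev = $before[$w.ProcessId]
        if ($null -eq $prev -or $null -eq $w.CpuSeconds) { continue }
        $pct = ($w.CpuSeconds - $prev) / $Seconds / $cores * 100
        [pscustomobject]@{
            ProcessId    = $w.ProcessId
            AppPool      = $w.AppPool
            CpuPercent   = [math]::Round($pct, 1)
            WorkingSetMB = $w.WorkingSetMB
        }
    }
}

# Usage: the top row is the pool to dump with procdump, or to recycle, first.
Measure-W3wpCpu -Seconds 5 | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

The output gives you the PID for procdump and the pool name for a targeted recycle in one table; the cumulative CpuSeconds column from Get-W3wpWorkers alone would mislead on a worker that has simply been running for days.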
Datacenter is needed when you run many virtual machines per physical host (unlimited VMs per Datacenter license vs 2 for Standard) or when you require Storage Spaces Direct, Hyper-V shielded VMs, or Software Defined Networking. For IIS specifically: if you run 3+ IIS VMs on one physical host, Datacenter licensing is cheaper total. Standard is the right choice for physical servers or small VM deployments. Both editions have identical IIS feature sets — the decision is purely about licensing model and virtualisation density, not IIS capability.
HTTP 500.19 is a configuration error where IIS cannot read or parse ApplicationHost.config or Web.config. Causes: (1) Missing IIS modules — a handler or module referenced in web.config is not installed (run Get-WindowsFeature Web-* to verify). (2) NTFS permissions — the IIS_IUSRS group or NETWORK SERVICE lacks Read access to the web.config file or site root directory. (3) Schema mismatch — a custom module registration references a section not present in the applicationHost.config schema. (4) Corrupt or incomplete installation — re-run the IIS feature install. The error detail subcode (e.g., 0x80070005 = access denied, 0x80070021 = locked) tells you exactly which of these applies.
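Checks for the first two causes in the list above, as an added example written for this page rather than code from the original or from IIS. Test-IisConfigReadAccess inspects the NTFS ACL on the site root and its web.config for the identities the paragraph names; Get-UnregisteredHandlerModules reads the native modules each <handlers> entry refers to and compares them with what is registered on the server. The site root path and identity list are placeholders to adjust, and the second function assumes the WebAdministration module (Import-Module WebAdministration) is available.

```powershell
# Added example (not from the original page): checks for the two most common 500.19
# causes, without touching the configuration. Requires an elevated prompt and, for the
# module check, Import-Module WebAdministration.
# Assumed: site root path and identity list below are placeholders.

function Test-IisConfigReadAccess {
    param(
        [Parameter(Mandatory)][string]$SiteRoot,
        [string[]]$Identities = @('BUILTIN\IIS_IUSRS', 'NT AUTHORITY\NETWORK SERVICE')
    )
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
    $paths = @($SiteRoot, (Join-Path $SiteRoot 'web.config')) | Where-Object { Test-Path $_ }
    foreach ($path in $paths) {
        $acl = Get-Acl -Path $path
        foreach ($id in $Identities) {
            # Only explicit ACEs for this identity are examined; rights that arrive through
            # group membership (for example via Users) are not resolved here.
            $mine  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id }
            $allow = $mine | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $readBit) -eq $readBit) }
            $deny  = $mine | Where-Object { $_.AccessControlType -eq 'Deny'  -and (($_.FileSystemRights -band $readBit) -eq $readBit) }
            [pscustomobject]@{
                Path     = $path
                Identity = $id
                HasRead  = [bool]$allow -and -not [bool]$deny
                Rights   = ($mine | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

function Get-UnregisteredHandlerModules {
    # Each <handlers><add modules="..."> entry names native modules that must exist as
    # global modules; a handler that names a module IIS has never registered is a 500.19.
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $referenced = $cfg.SelectNodes('//system.webServer/handlers/add/@modules') |
        ForEach-Object { $_.Value -split ',' } | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $registered = (Get-WebGlobalModule).Name     # native modules installed on this server
    $referenced | Sort-Object -Unique | Where-Object { $registered -notcontains $_ }
}

# Usage (paths are placeholders)
Test-IisConfigReadAccess -SiteRoot 'C:\inetpub\wwwroot' | Format-Table -AutoSize
Import-Module WebAdministration
Get-UnregisteredHandlerModules -WebConfigPath 'C:\inetpub\wwwroot\web.config'
```

A HasRead of False for IIS_IUSRS on web.config lines up with subcode 0x80070005; a non-empty list from Get-UnregisteredHandlerModules points at the missing-feature cause, and Get-WindowsFeature Web-* then tells you which role service installs it.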
🌐 Real-world Usage
Every Windows Server administrator, IIS engineer, and .NET infrastructure team member needs this knowledge. It is the foundation for every role that manages web hosting on Microsoft platforms — from L1 helpdesk triaging "the website is down" tickets to senior engineers designing HA clusters using Network Load Balancing in front of multiple IIS nodes.
📝 Summary
Windows uses a two-layer privilege model — kernel mode for hardware access and OS integrity, user mode for applications and services. IIS bridges both: HTTP.sys in kernel mode handles connections while w3wp.exe in user mode runs application code. Understanding this boundary is the single most useful mental model for IIS troubleshooting.