IIS Architecture: HTTP.sys, Worker Process, and Request Flow

HTTP.sys is the Windows kernel-mode driver that provides the HTTP/HTTPS protocol listener for IIS and other Windows applications. It runs in kernel mode for performance: handling TCP connections, HTTP parsing, and SSL negotiation at the kernel level avoids expensive user-mode to kernel-mode context switches that would occur on every request if a user-mode process like w3wp.exe owned the socket. HTTP.sys also maintains a kernel-mode HTTP response cache that can serve frequently accessed static responses without involving any user-mode process at all, reducing latency and CPU usage for cached content.

w3wp.exe is the IIS Worker Process — the user-mode executable that hosts the IIS request pipeline and runs web application code. There is one w3wp.exe per application pool (unless Web Garden mode creates multiple per pool). The name means "World Wide Web Worker Process." Each instance runs in its own isolated memory space under its own security identity (IIS AppPool\PoolName by default). W3SVC and WAS create and manage w3wp.exe processes — you should never start w3wp.exe manually. It appears in Task Manager as multiple instances when multiple app pools are running. When an application pool is recycled, the old w3wp.exe is replaced with a new one.

WAS (Windows Process Activation Service) creates and manages worker processes (w3wp.exe instances) for all application pools. It reads the IIS configuration from applicationHost.config, registers URL reservations with HTTP.sys, monitors worker process health, and enforces recycling conditions. W3SVC (World Wide Web Publishing Service) handles the HTTP-specific aspects — it manages the mapping between IIS sites and HTTP.sys listeners and coordinates the W3 service infrastructure. They are separate services so that WAS can also support non-HTTP activation protocols (Named Pipes, TCP WCF). W3SVC depends on WAS and cannot run without it. Stopping WAS stops all IIS activity even if W3SVC is still running.

An Application Pool is a configuration container that maps one or more IIS applications to a worker process instance. Each pool runs as a separate w3wp.exe with its own memory, security identity, and .NET runtime state. Process isolation means: (1) a crash in one pool does not kill other pools; (2) each pool has its own .NET CLR instance, so different .NET versions can coexist on the same server; (3) each pool runs as a different identity, separating security contexts; (4) pools can be recycled independently without affecting other sites. Best practice: one application per application pool — never share a pool between multiple applications if they have different criticality, release cadence, or security requirements.

IIS uses "overlapping recycle" (also called "graceful recycle"): when a recycle is triggered, WAS starts a new w3wp.exe process alongside the old one. The old process continues handling its in-flight requests. HTTP.sys begins routing new incoming requests to the new process. When the old process completes or the shutdown timeout (default 90 seconds) expires, the old w3wp.exe terminates. This means most recycling operations are invisible to end users — active requests complete on the old process, new requests go to the new process. Edge cases: session state stored in-process (in-memory) is lost when the old process terminates. If in-flight requests take longer than the shutdown time limit, they are forcibly terminated. Using out-of-process session state (SQL Server, Redis) eliminates session loss during recycles.

Rapid Fail Protection is an IIS safety mechanism that permanently disables an application pool if its worker process crashes too many times within a configured time window. Default: 5 failures in 5 minutes triggers pool disable. After disabling, the pool returns HTTP 503 for all requests until manually restarted. Purpose: prevent a buggy process from crashing in a tight loop, consuming CPU and flooding Event Viewer with error logs. Configuration: IIS Manager → App Pool → Advanced Settings → Rapid Fail Protection. In production: tune the thresholds based on the application (aggressive thresholds for critical APIs; more lenient for low-priority apps). Always alert on Event ID 5010 (pool disabled) in your monitoring — a silently disabled pool is invisible to basic HTTP health checks.

A Web Garden creates multiple worker processes for a single application pool (configured via Maximum Worker Processes > 1). Benefits: better CPU utilisation on multi-core servers when the application is not designed for multi-threading; the load is distributed across multiple processes. Drawbacks: each process has its own in-process state — static variables, in-memory caches, and in-process session state are NOT shared across processes. This causes cache inconsistency (each process warms up its cache independently) and session routing issues (requests for the same session must land on the same process, requiring ARR or a load balancer with sticky sessions). Recommendation: use out-of-process cache (Redis, Memcached) and external session state (SQL Server) before enabling Web Garden. In modern architectures, horizontal scaling across servers is preferred over Web Garden within one server.

The application pool request queue is maintained by HTTP.sys in kernel memory. It holds incoming HTTP requests that have been accepted at the network layer but not yet dequeued and processed by a w3wp.exe thread. Default queue length is 1000 requests (configurable via applicationHost.config appPool queueLength or the AppCmd command). When the queue is full, HTTP.sys returns 503 Service Unavailable immediately — the client connection is accepted (no TCP timeout) but gets a 503 response. Queue overflow indicates the application pool cannot process requests as fast as they arrive. Causes: insufficient threads, slow application code, slow downstream dependencies (DB, external APIs), or insufficient worker processes (Web Garden). Monitor with Performance Counter: Web Service(_Total)\Current ISAPI Extension Requests.

ANCM (ASP.NET Core Module) is a native IIS module installed by the .NET Core Hosting Bundle. It bridges IIS and the .NET Core runtime in two modes: Out-of-process: ANCM acts as a reverse proxy, forwarding HTTP requests from IIS to a separate Kestrel process. IIS handles SSL termination, logging, and auth before forwarding. The Kestrel process runs the Core app on a random loopback port. If Kestrel crashes, ANCM waits and retries, returning 502 in the interim. In-process: ANCM loads the CoreCLR directly into w3wp.exe memory (introduced in .NET Core 2.2). The Core app runs inside the IIS worker process. Better performance (no HTTP hop between IIS and Kestrel) but the app shares the worker process lifetime — a Core app crash takes down the worker process. Recommended for production unless architectural reasons require out-of-process isolation.

Recycle: WAS creates a new worker process alongside the current one, the new process starts, HTTP.sys routes new requests to it, and the old process shuts down after completing in-flight requests or hitting the shutdown timeout. Application state is re-initialised in the new process. Zero or minimal downtime via overlapping recycle. Restart: Instantly kills the current worker process and starts a fresh one. Causes brief downtime (the 503 window between death and start). Used when a clean kill is required — e.g., forceful recycle after an app is completely stuck. In IIS Manager: right-click pool → Recycle (graceful) vs. Stop then Start (hard restart). In appcmd: appcmd recycle apppool /apppool.name:X is a recycle; appcmd stop apppool /apppool.name:X then appcmd start apppool /apppool.name:X is a hard restart.

1. Check if it's all pools or one: appcmd list apppool /processModel.userName:* | findstr Stopped — are any pools in Stopped state? 2. Check Event Viewer → Application log Event ID 5010 (rapid fail protection disabled a pool). If yes: identify which pool and which app crashed repeatedly. 3. Run sc query was and sc query w3svc — if either service is stopped, start them: net start was; net start w3svc. 4. Check netsh http show servicestate — any request queue registrations? If none, HTTP.sys lost its registrations (service restart will reregister). 5. If pool is disabled: restart it manually appcmd start apppool /apppool.name:X, confirm site responds, and check logs to prevent recurrence. 6. Document every step for the post-incident review.

Configure the app pool's recycling settings in IIS Manager → App Pool → Recycling: set a Regular Time Interval recycle (minutes since last recycle) or a Specific Time recycle (e.g., 3:00 AM daily when traffic is lowest in the application's time zone). Enable Overlapping Recycle (default): the new process starts before the old one stops — zero downtime for most requests. Set Maximum Private Memory (KB) as a safety net: e.g., 2,000,000 KB (2 GB) — if memory exceeds this, WAS triggers an immediate recycle. Configure the overlap shutdown timeout to 90 seconds to give in-flight requests time to complete. Enable recycle event logging in IIS Manager → App Pool → Advanced Settings → Generate Recycle Event Log Entry for all reasons — this creates Event ID 1074 entries in the Application log, documenting every recycle for the post-mortem. Long-term action: profile the memory leak with a dump analysis tool and fix the root cause.

Risks of habitual iisreset: (1) drops all active connections to all sites simultaneously — a shopping cart or form submission in progress is lost. (2) On a server with 10+ sites, it resets sites that are working fine along with the problematic one. (3) Masks the root cause rather than fixing it — if an app leaks memory or deadlocks, iisreset makes it temporarily better but the issue returns. (4) On a production server serving thousands of users, a 30-second iisreset window at peak time causes measurable revenue loss. Correct approach: (a) identify which specific app pool is degraded via appcmd list wp and Task Manager; (b) recycle ONLY that pool (appcmd recycle apppool /apppool.name:X); (c) investigate the root cause; (d) apply a permanent fix. Never use iisreset during business hours on a production server hosting more than one site unless every site needs to be restarted simultaneously (e.g., after applicationHost.config schema changes).

1. DNS resolves shop.example.com to IP 10.0.1.100. 2. Browser initiates TCP 3-way handshake to 10.0.1.100:443. HTTP.sys kernel driver accepts the connection. 3. TLS handshake: HTTP.sys presents the SSL certificate configured in the IIS binding for shop.example.com port 443, negotiates cipher suite and TLS version. 4. Browser sends HTTP/1.1 or HTTP/2 GET request: GET /products HTTP/2 Host: shop.example.com. 5. HTTP.sys looks up the URL reservation and routing table → maps to "ShopPool" application pool. 6. If "ShopPool" has no w3wp.exe running: WAS creates a new w3wp.exe process. CLR loads and JIT-compiles ASP.NET application assemblies (cold start — can take 5-30 seconds for large apps). 7. HTTP.sys dequeues the request and signals w3wp.exe. 8. IIS pipeline runs through modules: Request Filtering → Anonymous Auth → URL Rewrite → ManagedEngine → ASP.NET MVC route → ProductsController.Index(). 9. Controller queries DB, builds response. 10. w3wp.exe calls HTTP.sys response API with 200 OK and body. 11. HTTP.sys sends response over the TLS session to the browser.

This command shows the current runtime state of the HTTP.sys kernel-mode server. Output sections: Server Session (HTTP server sessions created by applications): each IIS site creates a server session. URL Groups: each site binding (IP:port:hostname) is a URL group registered in HTTP.sys with the application pool queue reference. Request queues: currently pending requests in each pool's queue plus queue statistics (completed requests, rejected requests). SSL certificate bindings: SSL certs associated with each IP:port or SNI hostname. Use cases: (1) Confirm that URL registrations survived a service restart (sites that aren't showing in servicestate despite being configured in IIS Manager are a major clue). (2) Identify queue build-up in real time during a performance incident. (3) Verify SSL certificate is bound to the correct IP/hostname without browsing to the site. (4) Identify orphaned URL reservations from uninstalled applications that may conflict with IIS.