Can I write an ISAPI Filter using Managed Code?



Is it possible to write an ISAPI filter equivalent (IHttpModule imlementation?) using managed code? I want my filter to get invoked for non .NET applications a well.



Unfortunately, you cannot [yet] write an ISAPI Filter equivalent using managed code. The closest you can get on existing technologies is IIS6+ASP.Net 2.0 configured as Wildcard Application Mapping, which allows managed code (either HttpModule or HttpHandler) to be invoked for any request type (.NET as well as non .NET) and optionally use the DefaultHttpHandler to pass the request handling back to IIS for further processing. For example, this allows .NET Forms Authentication to apply for ASP pages.

However, I do not consider this to be really “ISAPI Filter equivalent”, by which I mean invoking managed code throughout the request processing lifecycle. Managed code is only invoked in one place in the request pipeline, right before the request is processed and executed. Meanwhile, ISAPI Filter has over a dozen different events firing throughout the request lifecycle, one of which corresponds to “right before the request is processed and executed”.

Of course, you can always write an ISAPI DLL in native code which basically parses the request, launches the CLR inside an AppDomain, and passes requests into it for processing. This is how ASP.Net works today. Or you can write an ISAPI DLL which uses COM Interop to call into managed code components. You may even do a lot of work and write an ISAPI Filter DLL which triggers on all events and passes data into the AppDomain to “simulate” managed code running inside of ISAPI Filter events. But none of these are really “ISAPI Filter equivalent” with managed code.

In other words, it is not possible to use managed code to customize authentication events – IIS negotiates Basic/NTLM/Kerberos/Passport authentication prior to processing and executing the request, which also preceeds when the ASP.Net Wildcard Application Mapping is executed… thus it is not possible for managed code to participate in modifying the IIS authentication behavior. This is why you must configure IIS to be “Anonymous Only” in order to apply .NET Forms Authentication.

Now, IIS7 presents a different story. You will have ISAPI Filter equivalent extensibility of IIS7 using managed code, and it is using the familiar IHttpModule and IHttpHandler interfaces. What we did in IIS7 is refactor and componentize the IIS6 Web Server into a compact “IIS7 Server Core” which exposes a brand new native code extensibility interface, and we are providing 40+ “Functionality Modules” which are coded using the new native code extensibility interface. The 40+ “Functionality Modules” allow the “IIS7 Server Core” to provide the “IIS6 feature set” plus expose completely new features and functionality. One of them is extensibility of the IIS7 Server Core using managed code in an integrated fashion.

Finally, a word of caution when attempting to use managed code to “filter” requests, regardless of IIS version. Since only one CLR Version can be in a given process, if you configure managed code of one version to “filter” requests that are ultimately executed with another CLR Version, that will cause a conflict and prevent request execution.


Comments (10)

  1. Adam Tuliper says:

    What you can do however is write one in mixed code using managed c++. provide your exports, use #pragma unmanaged, and from OnPreprocHeaders you can call into your managed code, inside of the same library using #pragma managed

    This of course doesnt give you the same thing as its managed httpmodule counterpart, but gives you a way to use the advantages of both worlds now. I havent tested this extensively, just was playing around with an idea when I did that. It worked some of the time, at times on a second request would act up, other times it would be ok. I never followed up with debugging it further.

  2. David.Wang says:

    Adam – Unfortunately, mixed-mode C++ is a mixed-bag at best. Yes, it allows you to write managed code and yes it allows the C-style exports that make it valid ISAPI, but at the end of the day, you are still walking through a bunch of interop (either explicit COM-Interop or implicit #pragma), so are things any cleaner/easier?

    It brings in the CLR versioning issue into a process because ISAPI Filter DLL now pulls it in just on loading.

    CLR also has problems on IIS6 due to ISAPI DLLs loaded with \? for security reasons (unless you have some QFEs).


  3. Johan says:


    Official Interface Description:

    Unoficcial Interface Example:


    Johan Hernandez – thepumpkin1979 at

  4. David.Wang says:

    Johan – Thanks for the link, but unfortunately, it is not relevant. Even though the type name includes “ISAPI Runtime”, it is quite the misnomer. What you point to is the Managed Stub to ISAPI used by ASP.Net for its pipeline on IIS. However, it is still unable to extend IIS pipeline like an ISAPI Filter.

    Microsoft simply does not provide any way to extend IIS behavior with a managed code “ISAPI” interface. You will have to wait for IIS7 for the ability.


  5. Tiago Halm says:

    David – I’ve just started an open source project for this same purpose, ISAPI Filters in .NET 2.0 for IIS 5.x and IIS 6.0.

    The current version is for .NET 2.0, so all ASP.NET code will need to be the same version. Haven’t tried setting it up at web scope instead of global, but should work.

    It is a work in progress and version 0.9 (beta) is out. Comments are welcome.

  6. Adam Tuliper says:

    Hi David,

    I was just revisiting this and saw your response from some time ago:

    "Adam – Unfortunately, mixed-mode C++ is a mixed-bag at best. Yes, it allows you to write managed code and yes it allows the C-style exports that make it valid ISAPI, but at the end of the day, you are still walking through a bunch of interop (either explicit COM-Interop or implicit #pragma), so are things any cleaner/easier? "

    I would imagine it would be cleaner and easier, because the worker process (assuming iis6) be running in its own process – not in inetino where the isapi is loaded, and hence whatever version of the runtime that solution would provide. This is of course assuming people use isolated worker processes. in terms of walking through a  bunch of interop – thats how the runtime is launched anyway once inside the aspnet_isapi extension, is it not? This method at least isn’t through com interop (slow) but by the layer provided by the mixed mode c++.


  7. qflash says:

    hi Johan, this link can’t work now.

    can you tel me how to use ISAPIRuntime in my code?

  8. Owen says:

    Is there a way to do this now? In IIS7? On Windows Server 2008?