What is an Application Pool?

An Application Pool can contain one or more applications and allows us to configure a level of isolation
between different Web applications. For example, if you want to isolate all the Web applications running
in the same computer, you can do this by creating a separate application pool for every Web application
and placing them in their corresponding application pool. Because each application pool runs in its own
worker process, errors in one application pool will not affect the applications running in other application
pools. Deploying applications in application pools is a primary advantage of running IIS 6.0 in worker
process isolation mode because you can customize the application pools to achieve the degree of
application isolation that you need.

When you configure application pools for optimum availability, you also should consider how to configure
application pools for application security. For example, you might need to create separate application
pools for applications that require a high level of security, while allowing applications that require a lower
level of security to share the same application pool. In the later part of this article, we will see how to
configure identities at the application pool level.

Creating a new Application Pool

Creating a new application pool is a very simple process that is carried out by using the IIS manager.
When you create a new application pool, you have the following two options:

1. You can either create a new application pool from scratch or

2. You can create a new application by importing the configuration settings from an external XML
file
 Post a comment
 Email Article
 Print Article
To create a new application pool from scratch, right-click on the Application Pools node from the
tree view and select New->Application Pool from the context menu. You will be presented with the
following screen, where you need to enter a name for the application pool.

When creating a new application, you also have the option of inheriting the settings from an existing
application pool. For example, if you want your new application pool to inherit the settings from
the DefaultAppPool, you can do that by selecting the option Use existing application pool as
a template in the above screen. After you pick this option, the Application Pool name dropdown box
will be enabled from where you can select an existing application pool.
 After the pool is created, you can save the settings of the application pool to an external XML file any time
by right-clicking the application pool and selecting the option All Tasks->Save Configuration to
a File that is available from the context menu. This is an extremely useful feature that makes it possible
for you to easily recreate the same application pool on the same server or on a different server with
minimal effort.

Configuring Identity for ASP.NET Web Applications

Related Articles
 Secure Your ASP.NET Application from a SQL Injection Attack
 IIS 6.0 and ASP.NET, Part 1
 Managing Complex Layout and Nesting DataGrids in ASP.NET
In previous versions of IIS, worker processes ran as LocalSystem, a powerful account that has system
administrator privileges on the server. Because LocalSystem has access to almost all resources on the
operating system, this caused security implications. As mentioned previously, in IIS 6.0, you can set the
identity of the worker process at the application pool level. The identity of an application pool is the
account under which the application pool's worker process runs. By default, application pools operate
under the NetworkService account, which has low-level user access rights. The NetworkService account
has the following seven privileges:

 Adjust memory quotas for a process

 Generate security audits
 Log on as a service
 Replace process level token
 Impersonate a client after authentication
 Allow logon locally
 Access this computer from the network
By running the worker process using a very low-privileged account such as NetworkService, you can
reduce the security vulnerability. However, by using IIS manager, you can configure the application pool
to run as any of the following pre-defined accounts:

 NetworkService
 LocalSystem
 LocalService
To configure identity for an application pool, right-click the application pool and select Properties from
the context menu. In the Properties dialog box, select the Identity tab and you will see the following
screen.
In the above dialog box, when you select the Predefined option, you can select any of the pre-defined
accounts from the dropdown box. Instead of using a pre-defined account, if you want your application
pool to run under a different account, select the Configurable option and then set the User
name and Password in the textboxes. This approach is particularly useful especially when you are
running multiple applications or sites on one Web server. For example, if an ISP hosts two companies—
who may even be competitors—on one Web server, it has to guarantee that these two applications run in
isolation from each other. More importantly, the ISP has to make sure that a malicious administrator for
one application can't access the data of the other application. You can accomplish this level of isolation
by using the configurable worker process identity.

Configuring Identity for an Application Pool

To demonstrate how to configure the identity for an application pool and how ASP.NET uses that identity
information at the execution time, we will create a very simple ASP.NET application. We will start off by
creating a new ASP.NET application named IdentityExample by using the New Project dialog box in
Visual Studio.NET. After the project is created, if you open up IIS manager, you will find that the
IdentityExample project is created in the default application pool named DefaultAppPool.

Now, let us add the following lines of code to the Page_Load event of the default Web form
WebForm1.aspx.

private void Page_Load(object sender, System.EventArgs e)

{
 Response.Write(
"ASP.NET application executes using the
identity :: <b>" +
WindowsIdentity.GetCurrent().Name +
"</b><br>");
}

As you can see from the above code, we simply display the name of the account that the ASP.NET Web
application uses to process the service. If you execute thise code by navigating to the page from the
browser, you will see the following output.
 Post a comment
 Email Article
 Print Article

Click here for a larger image.

The above output just reinforces the fact that, by default, the Web application runs using
the NetworkService account. Let us change the identity of the DefaultAppPool and then look at the
output of our Web application. To do this, right-click the DefaultAppPool node from the IIS manager
and select Properties from the context menu. In the properties dialog box, navigate to
the Identity tab and select the Configurable option and specify a valid user name and password.
Once entered, the screen should look like the following.
Now if you execute your application, you will see the following output.

Click here for a larger image.

As expected, the output reflects the change that we made using the IIS manager.

Associating an ASP.NET Web Application with an Application Pool

Create a new Visual Studio.NET project named IISIntegration using the New Project dialog box as shown
in the following screen shot.

After creating the new project, if you open up IIS Manager, you will find that the IISIntegration project is
created under an application pool named DefaultAppPool. As the name suggests, by default, all the newly
created ASP.NET Web applications are created under this application pool. This is shown in the following
screen shot.
Click here for a larger image.

To associate the IISIntegration ASP.NET Web application with the application pool
named DemoAppPool, select the Web Sites node that is present under the Machine Name node in the
IIS manager. Then, select Default Web Site-&IISIntegration from the treeview and right-click it
to select Properties from the context menu.
In the Properties dialog box shown above, you can change the Application Pool using the Application
Pool dropdown option in the Directory tab. Because we want our Web application to run under
the DemoAppPool, select DemoAppPool from the list.

Recycling Worker Processes and Their Impact on Application State

Information
If a Web application contains code that causes problems, and you cannot easily rewrite the code, it might
be useful to limit the extent of the problems by periodically recycling the worker process that services the
application. You can accomplish this by using what is known as Worker Process Recycling. Worker
process recycling is the replacing of the instance of the application in memory. IIS 6.0 can automatically
recycle worker processes by restarting the worker process, or worker processes, that are assigned to an
application pool. This helps keep problematic applications running smoothly, and minimizes problems
such as memory leaks. You can trigger the recycling of the worker processes assigned to an application
pool by using worker process recycling methods that are based on elapsed time, the number of Hypertext
Transfer Protocol (HTTP) requests, a set time of day, and two kinds of memory consumption, in addition
to recycling on demand.

To configure all the above settings, go to the Properties window of the application pool in which your Web
application is running using the IIS manager. Using the Recycling, Performance, and Health tabs in the
Properties window, you can specify values for the above settings. Navigating to the Performancetab in
the Properties dialog box of the DemoAppPool results in the following output.
When you set the recycling of worker processes using IIS manager, you also need to take the state
management strategy of your ASP.NET application into consideration. Because every time the worker
process is recycled, the ASP.NET state information will be lost rendering the application in an invalid
state. One alternative to overcome this issue is to maintain state data external to the worker process,
such as in a database. However, moving data to an external database to allow recycling can affect server
performance in the following two ways:

 Performance is reduced because of the added data management that is needed to move the data
between the application and the database.
 Recycling flushes any in-process data caches, so the caches need to be rebuilt.
If you have an application pool with applications that depend on state data, you must decide whether or
not to recycle the worker processes that are assigned to that application pool. If you store state in the
same process as that of IIS, and you don't want the state information to be lost, you must not recycle a
worker process using the application pool configuration settings.

Conclusion
In this part, we looked at what application pools are and their role in increasing the reliability of your
ASP.NET Web applications. We also understood that by allowing different ASP.NET applications to run
under their own application pool, we can also set different identities, thereby controlling the security
permissions for different ASP.NET Web applications. In Part-3 of this article, we will discuss the new
XML-based Metabase storage and the security features of IIS 6.0.

What is w3wp.exe? Learn the

Basics About IIS Worker
Processes
Web applications running within Microsoft’s Internet Information Services (IIS) utilize
what is known as IIS worker processes. These worker processes run as w3wp.exe, and
there can be multiple per computer. It is possible to run IIS on a Windows desktop or
Windows server, although it is usually only seen on Microsoft Windows Servers
configured as web servers.

What is w3wp.exe / IIS Worker Process?

Web applications on Windows Servers are configured via command line or Internet
Information Systems (IIS) Manager. Within IIS you can set up websites and which
application pools they are assigned. Multiple websites can be assigned to a single IIS
application pool.
A defined IIS application pool is what becomes a w3wp.exe process when the
application starts up as an IIS worker process. They have two basic settings which are
related to the version of .NET being used.

An IIS Worker Process (w3wp.exe) handles the web requests sent to the IIS web
server for the configured IIS application pool.

IIS application pools also provide a bunch of advanced settings. These impact the
behavior of w3wp and your IIS worker process. Including things like what Windows user
account it runs as, auto restarting of the process, auto shutdown, and more. It is also
possible for one IIS application pool to create multiple IIS worker processes in what is
called a web garden.
How to View Running IIS Worker Processes (w3wp.exe)
Via the Windows Task Manager, you can see processes named w3wp.exe. Within the
IIS management console, you can view more details. Open IIS manager and on the left
side click on the name of your computer. You will then see a similar list of icons on the
right as shown in the screenshot below. Double click on “Worker Processes” and you
can get a list of which processes are currently running.
On the Worker Processes screen, you can see more details than you would be able to
see from Windows Task Manager. You can easily see the name of the IIS application
pool and the Process Id for the running w3wp.exe process.

If you want to go even a step further, you can double click on a worker process to see
which web requests are currently executing within your IIS worker process.

Warning About Running IIS Application Pools

There is one key thing you need to know about IIS application pools that are a little
confusing. Within the IIS management console, you can stop and start application
pools. But, just because an IIS application pool is started, there may not be an IIS
worker process (w3wp) running. IIS will not start the worker process until the first
web request is received.

How to Stop or Disable an IIS Worker Process

If you want to stop w3wp.exe from running, you will want to stop the IIS application pool
or disable IIS altogether.

If you want to shut down the IIS web server completely, you will want to stop the
Windows Service called “World Wide Web Publish Service.” Be sure to stop it and then
modify the “Startup type” to Disabled. If you do not disable it, it will start back up when
you restart Windows.
Instead of disabling IIS altogether, you can stop individual IIS application pools within
the IIS management console.
Monitoring IIS Worker Processes & ASP.NET Applications
If you have critical ASP.NET web applications running on your web server, it is
important to monitor your server, IIS, and applications. It is important to know if
w3wp.exe stops running, your server goes down, or if your application is running slow.

If you need help monitoring the performance of your ASP.NET applications, be sure to
check out our .NET application performance monitoring solution, Retrace. Retrace can
monitor key Windows performance counters and the performance of your application all
the way down to the code level. Including slow SQL queries, application errors, and
much more.
1. ) Manager. (Run->inetmgr)
2. In the left pane, expand the local computer and then select Application Pools.
3. Right-click the Application Pools node, clicks Add Application Pool, and then clicks Application Pool.
4. In the Add Application Pool dialog box, type “Pool Name” in the name text box. In figure Pool name
isBluechipplus. Select .NET Framework version. In figure, I select 4.0.30319. Select Managed pipeline
 mode. I select integrated mode. Selection of framework version and managed pipeline mode depends on
your application which you are going to hosted. Click OK to complete application pool creation.

5. Now select application pools. You will see newly created Bluechipplus application pool in the middle
panel.
Step 6: Configure application pool
1. Select newly created “Bluechipplus” application pool in the middle panel.

1. Click Advanced Settings in “Edit Application Pool” section in the right panel. A dialogue box will appear
named “Advanced Settings”
2. In Process Model section, select identity. Network service is default and recommended. If you find
problem, you should change. In figure Local service is selected.
3. In Process Model section, type maximum worker process. In figure 12 maximum worker processes
selected. Selecting worker process is actually depends on your server capability and memory.
4. In Recycling section, select private memory limit in KB. In figure 200000is selected. Consider your server
memory before considering memory limit.
5. Finally click OK to complete application pool settings.
Step 7: Select application pool for the application
1. Right click on application in IIS->Manage Application -> Advanced Settings

2. From advanced settings dialogue box -> Browse application pool -> Select application pool
3. Finally click OK after assigning application pool

Now you have completed web garden for your application.

What is Worker Process?

"The "Process" which is responsible for processing Asp.net application request and sending back
response to the client , is known as "Worker Process". All ASP.NET functionalities runs within the
scope of this process."

So finally I can write it...

"Process which is responsible for all asp.net requests and response cycle is known as worker
process."

What about Worker process in Web Farm?

A Web farm contains multiple ASP.NET worker processes.

Each server in the group of servers handles a separate ASP.NET worker process.

What about Worker process in Web Garden?

A Web garden contains multiple ASP.NET worker processes.

Each CPU in the SMP server handles a separate ASP.NET worker process.

Let's See the Worker Process

Running IIS 5.0: Aspnet_wp.ex

Running IIS 6.0: W3wp.exe

ISAPI

ISAPI is the first and highest performance entry point into IIS for custom Web Request handling

ISAPI (Internet Server Application Program Interface) is a set of Windows program (APIs (DLL))
calls that let you write a Web server application that will run faster than a common gateway interface
(CGI) application.

Let's technically see this...

When the first ASP.NET request comes in the DLL will spawn a new process in another EXE –
aspnet_wp.exe/w3wp.exe – and route processing to this spawned process. This process in turn
loads and hosts the .NET runtime. Every request that comes into the ISAPI DLL then routes to this
worker process via Named Pipe calls.

A request starts on the browser where the user types in a URL, clicks on a hyperlink or submits an
HTML form. Or a client application might make call against an ASP.NET based Web Service, which
is also serviced by ASP.NET. On the server side the Web Server IIS picks up the request. At the
lowest level ASP.NET interfaces with IIS through an ISAPI extension.

In IIS .aspx is mapped through an 'Application Extension' (aka. as a script map) that is mapped to
the ASP.NET ISAPI dll - aspnet_isapi.dll. Every request that fires ASP.NET must go through an
extension that is registered and points at aspnet_isapi.dll.
ISAPI is very low level it also is very fast, but fairly unmanageable for application level development.
So, ISAPI has been mainly relegated for some time to providing bridge interfaces to other application
or platforms. But ISAPI isn't dead by any means. In fact, ASP.NET on Microsoft platforms interfaces
with IIS through an ISAPI extension that hosts .NET and through it the ASP.NET runtime. ISAPI
provides the core interface from the Web Server and ASP.NET uses the unmanaged ISAPI code to
retrieve input and send output back to the client. The content that ISAPI provides is available via
common objects like HttpRequest and HttpResponse that expose the unmanaged data as managed
objects with a nice and accessible interface.

What Kind of HTTP Server Is Needed to Run ISAPI?

To host Web sites, you must have an Internet server that supports the Hypertext Transfer Protocol
(HTTP). If you have chosen an ISAPI-compliant Web server (for example, Microsoft Internet
Information Server), you can take advantage of server extension DLLs to create small, fast Internet
server applications.

A special kind of ISAPI DLL is called an ISAPI filter, which can be designated to receive control for
every HTTP request. You can create an ISAPI filter for encryption or decryption, for logging, for
request screening, or for other purposes.

ISAPI consists of two components: Extensions and Filters. These are the only two types of
application that can be developed using ISAPI.

Extensions

ISAPI Extensions are true applications that run on IIS. They have access to all of the functionality
provided by IIS. ISAPI extensions are implemented as DLLs that are loaded into a process that is
controlled by IIS. Clients can access ISAPI extensions in the same way they access a static HTML
page.

Filters

ISAPI filters are used to modify or enhance the functionality provided by IIS. They always run on an
IIS server and filter every request until they find one they need to process. Filters can be
programmed to examine and modify both incoming and outgoing streams of data.

Filters are implemented as DLL files and can be registered on an IIS server on a site level or a
global level (i.e., apply to all sites on an IIS server). Filters are initialized when the worker process is
started and listens to all requests to the site on which it is installed.

Common tasks performed by ISAPI filters include:

 Changing request data (URLs or headers) sent by the client

 Controlling which physical file gets mapped to the URL
 Controlling the user name and password used with anonymous or basic authentication
 Modifying or analyzing a request after authentication is complete
 Modifying a response going back to the client
 Running custom processing on "access denied" responses
 Running processing when a request is complete
 Run processing when a connection with the client is closed
 Performing special logging or traffic analysis.
 Performing custom authentication.
  Handling encryption and compression.

Example

Following are the main Server side scripting languages which support ISAPI.

 ASP
 ASP.NET
 Perl
 PHP