Every Microsoft Windows 2000 process has a unique process identity which is used by the Windows 2000 object manager for various management tasks. Each process object contains an associated access token, which indicates the type of access rights the process has for secured resources. ISAPI extensions either run in the inetinfo process or in an isolated process. The process identity for applications running in the inetinfo process is SYSTEM. The default process identity for isolated applications is IWAM_machinename.
A very simple ISAPI extension will be able to respond to the request and immediately return the required information. More complex extensions, however, will rely on worker threads to accomplish their processing. By default, worker threads have the same identity as the process in which they are running. If your ISAPI extension accesses secured resources, it will need to pass the security context of the logged-on user to a thread. The security context is passed to the thread by obtaining an impersonation token from the process. The detailed steps for obtaining an impersonation token are described in the Process Execution section.
Note GetExtensionVersion is called under the system’s security context. In contrast, DllMain is called using the security token associated with the request that caused the ISAPI extension to be loaded.