Http.sys's HTTPERR and Timer_ConnectionIdle

For all those IIS6 or other http.sys users out there, you might have noticed the HTTPERR logs. If you haven’t it’s over in %SystemRoot%/system32/LogFiles/HTTPERR/httperr*.log. It’s a log of anything that http.sys does with connections and requests that user mode didn’t tell us directly to do. There is a nice KB article with a lot of information about the HTTPERR log. Here is what it looks like:

2002-07-05 18:45:09 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 – ConnLimit
2002-07-05 19:51:59 127.0.0.1 2780 127.0.0.1 80 HTTP/1.1 GET /ThisIsMyUrl.htm 400 – Hostname
2002-07-05 19:53:00 127.0.0.1 2894 127.0.0.1 80 HTTP/2.0 GET / 505 - Version_N/S
2002-07-05 20:06:01 172.31.77.6 64388 127.0.0.1 80 - - - - - Timer_MinBytesPerSecond

If you have a look at one running on a real life web server, it’s usually a lot of entries with the reason Timer_ConnectionIdle entries and a number of entries with the reason Url. The reason code Url entries are often from security software scanning for vulnerable hosts or worms that take advantage of sloppy Url parsing trying to spread. These requests just get rejected outright by http.sys’s pretty strict validation checks and we log that rejection here. The other reason code, Timer_ConnectionIdle, happens in normal HTTP protocol usage, where the client decides not to disconnect from the server because there is a good chance that it will have another request for the server either in the process of loading a page or because a client will probably click a link on a web page that will go back to the same server. By default the server will close the connection and reclaim those resources after 2 minutes of inactivity. This is nothing to worry about, it's just an informational type of entry.

posted on Thursday, July 15, 2004 2:27 PM

Source URL: http://blogs.msdn.com/webtransports/archive/2004/07/15/184336.aspx