Set Unspecified File Name Extensions to Run on a Web Server (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

If you are running IIS 7 in ISAPI mode, you can let files that have unspecified file name extensions, that is, all executable files, run on your Web server. This feature is not available if you are running IIS 7 in Integrated mode.


Allowing all unspecified extensions is a security risk, because your Web server could become susceptible to computer viruses or worms that exploit these technologies. To reduce this risk, you should let only those specific ISAPI extensions or CGI files that you have to run on your Web server.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see ISAPI and CGI Restrictions Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

To set unspecified file name extensions to run on a Web server

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to configure. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click ISAPI and CGI Restrictions.

  3. In the Actions pane, click Edit Feature Settings.

  4. Optionally, in the Edit ISAPI and CGI Restrictions Settings dialog box, check Allow unspecified CGI modules to allow unspecified CGI modules.

  5. Optionally, check Allow unspecified ISAPI modules to allow unspecified ISAPI modules.

  6. Click OK.

Command Line

To set unspecified file name extensions to run on a Web server, use the following syntax:

appcmd set config /section:isapiCgiRestriction /notListedCGIsAllowed: True | False /notlistedISAPIsAllowed: True | False

By default, IIS sets notListedCGIsAllowed and notlistedISAPIsAllowed to False, which means that only explicitly listed CGI and ISAPI modules can run. If you set the value for sets notListedCGIsAllowed and notlistedISAPIsAllowed to True, you implicitly enable CGI and ASAPI modules to run. For example, to disable unspecified file name extensions to run on a Web server, type the following at the command prompt, and then press ENTER:

appcmd set config /section:isapiCgiRestriction /notListedCGIsAllowed:False /notlistedISAPIsAllowed:False

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:


For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • IsapiCgiRestrictionSection.NotListedIsapisAllowed property

  • IsapiCgiRestrictionSection.NotListedCgisAllowed property

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Configuring ISAPI and CGI Restrictions in IIS 7