I know Microsoft created HTTP.SYS to increase the performance of IIS. My question though is does HTTP.SYS handle HTTP traffic for all apps? What about a JVM for instance, if its using Winsock to receive HTTP traffic, is HTTP.SYS transparently passing this data through the Winsock API? Or has Winsock been replaced by HTTP.SYS on newer kernels of Windows?
Microsoft is not clear about this in their docs, as far as I can tell.
Applications can choose to use http.sys. They can choose to implement their own HTTP protocol handlers.
It is strongly recommended that applications use http.sys for security reasons - the HTTP server implemented by http.sys is fairly well hardened and other HTTP servers may introduce security defects.
As far as I know, HTTP.SYS talks to the TCP stack, not NDIS (otherwise it would have to implement all of TCP internally and that doesn't make a lot of sense).
Winsock is socket level, below HTTP, so I would not think it goes through Http.Sys.
Internet Explorer uses Wininet for HTTP communication, which at up through Vista did not use Http.sys.
edit I think the book "Windows Internals" will answer your question.