It turns out that with the example code as is, starting a server at an HTTP or HTTPS address does not require the process to be run as an admin (elevated on Vista and Win7). No namespace needs to be reserved either. This is because the code uses localhost as host name, which will only match traffic sent to localhost (i.e. from a local client) and is considered safe. A practical scenario of this is building and running HTTP.SYS based application from Visual Studio without running as an admin. My experiments show that using the wildcards, machine name, or even the loopback addressing 127.0.0.1 requires admin token or namespace reservation. For XP, this behavior appears to be new in SP3.