Windows Internals: Covering Windows Server 2008 and Windows Vista - P1

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50



Document description

Windows Internals: Covering Windows Server 2008 and Windows Vista - P1: In this chapter, we'll introduce the key Microsoft Windows operating system concepts and terms we'll be using throughout this book, such as the Windows API, processes, threads, virtual memory, kernel mode and user mode, objects, handles, security, and the registry.


Text content: Windows Internals: Covering Windows Server 2008 and Windows Vista - P1

Table of Contents ... i
1. Concepts and Tools ... 1
  1.1 Windows Operating System Versions ... 1
  1.2 Foundation Concepts and Terms ... 2
    1.2.1 Windows API ... 2
    1.2.2 Services, Functions, and Routines ... 4
    1.2.3 Processes, Threads, and Jobs ... 4
    1.2.4 Virtual Memory ... 14
    1.2.5 Kernel Mode vs. User Mode ... 17
    1.2.6 Terminal Services and Multiple Sessions ... 20
    1.2.7 Objects and Handles ... 21
    1.2.8 Security ... 22
    1.2.9 Registry ... 23
    1.2.10 Unicode ... 24
  1.3 Digging into Windows Internals ... 24
    1.3.1 Reliability and Performance Monitor ... 25
    1.3.2 Kernel Debugging ... 27
    1.3.3 Windows Software Development Kit ... 32
    1.3.4 Windows Driver Kit ... 32
    1.3.5 Sysinternals Tools ... 32
  1.4 Conclusion ... 33
2. System Architecture ... 34
  2.1 Requirements and Design Goals ... 34
  2.2 Operating System Model ... 35
  2.3 Architecture Overview ... 36
    2.3.1 Portability ... 38
    2.3.2 Symmetric Multiprocessing ... 39
    2.3.3 Scalability ... 44
    2.3.4 Differences Between Client and Server Versions ... 44
    2.3.5 Checked Build ... 48
  2.4 Key System Components ... 50
    2.4.1 Environment Subsystems and Subsystem DLLs ... 51
    2.4.2 Ntdll.dll ... 57
    2.4.3 Executive ... 58
    2.4.4 Kernel ... 61
    2.4.5 Hardware Abstraction Layer ... 64
    2.4.6 Device Drivers ... 67
    2.4.7 System Processes ... 72
  2.5 Conclusion ... 83
3. System Mechanisms ... 84
  3.1 Trap Dispatching ... 84
    3.1.1 Interrupt Dispatching ... 86
    3.1.2 Exception Dispatching ... 113
    3.1.3 System Service Dispatching ... 123
  3.2 Object Manager ... 134
    3.2.1 Executive Objects ... 137
    3.2.2 Object Structure ... 138
  3.3 Synchronization ... 171
    3.3.1 High-IRQL Synchronization ... 172
    3.3.2 Low-IRQL Synchronization ... 177
  3.4 System Worker Threads ... 196
  3.5 Windows Global Flags ... 198
  3.6 Advanced Local Procedure Calls (ALPCs) ... 201
  3.7 Kernel Event Tracing ... 205
  3.8 Wow64 ... 210
    3.8.1 Wow64 Process Address Space Layout ... 211
    3.8.2 System Calls ... 211
    3.8.3 Exception Dispatching ... 212
    3.8.4 User Callbacks ... 212
    3.8.5 File System Redirection ... 212
    3.8.6 Registry Redirection and Reflection ... 213
    3.8.7 I/O Control Requests ... 214
    3.8.8 16-Bit Installer Applications ... 214
    3.8.9 Printing ... 214
    3.8.10 Restrictions ... 215
  3.9 User-Mode Debugging ... 215
    3.9.1 Kernel Support ... 215
    3.9.2 Native Support ... 217
    3.9.3 Windows Subsystem Support ... 218
  3.10 Image Loader ... 218
    3.10.1 Early Process Initialization ... 220
    3.10.2 Loaded Module Database ... 221
    3.10.3 Import Parsing ... 224
    3.10.4 Post Import Process Initialization ... 226
  3.11 Hypervisor (Hyper-V) ... 226
    3.11.1 Partitions ... 228
    3.11.2 Root Partition ... 228
    3.11.3 Child Partitions ... 230
    3.11.4 Hardware Emulation and Support ... 232
  3.12 Kernel Transaction Manager ... 237
  3.13 Hotpatch Support ... 239
  3.14 Kernel Patch Protection ... 241
  3.15 Code Integrity ... 244
  3.16 Conclusion ... 245
4. Management Mechanisms ... 246
  4.1 The Registry ... 246
    4.1.1 Viewing and Changing the Registry ... 246
    4.1.2 Registry Usage ... 246
    4.1.3 Registry Data Types ... 247
    4.1.4 Registry Logical Structure ... 248
    4.1.6 Monitoring Registry Activity ... 258
    4.1.7 Registry Internals ... 261
  4.2 Services ... 275
    4.2.1 Service Applications ... 276
    4.2.2 The Service Control Manager ... 291
    4.2.3 Service Startup ... 293
    4.2.4 Startup Errors ... 297
    4.2.5 Accepting the Boot and Last Known Good ... 298
    4.2.6 Service Failures ... 300
    4.2.7 Service Shutdown ... 300
    4.2.8 Shared Service Processes ... 302
    4.2.9 Service Tags ... 304
    4.2.10 Service Control Programs ... 305
  4.3 Windows Management Instrumentation ... 306
    4.3.1 Providers ... 308
    4.3.2 The Common Information Model and the Managed Object Format Language ... 309
    4.3.3 Class Association ... 311
    4.3.4 WMI Implementation ... 314
    4.3.5 WMI Security ... 315
  4.4 Windows Diagnostic Infrastructure ... 316
    4.4.1 WDI Instrumentation ... 316
    4.4.2 Diagnostic Policy Service ... 316
    4.4.3 Diagnostic Functionality ... 317
  4.5 Conclusion ... 319
5. Processes, Threads, and Jobs ... 320
  5.1 Process Internals ... 320
    5.1.1 Data Structures ... 320
    5.1.2 Kernel Variables ... 327
    5.1.3 Performance Counters ... 327
    5.1.4 Relevant Functions ... 328
  5.2 Protected Processes ... 330
  5.3 Flow of CreateProcess ... 332
    5.3.1 Stage 1: Converting and Validating Parameters and Flags ... 333
    5.3.2 Stage 2: Opening the Image to Be Executed ... 334
    5.3.3 Stage 3: Creating the Windows Executive Process Object (PspAllocateProcess) ... 337
    5.3.4 Stage 4: Creating the Initial Thread and Its Stack and Context ... 341
    5.3.5 Stage 5: Performing Windows Subsystem-Specific Post-Initialization ... 342
    5.3.6 Stage 6: Starting Execution of the Initial Thread ... 344
    5.3.7 Stage 7: Performing Process Initialization in the Context of the New Process ... 344
  5.4 Thread Internals ... 351
    5.4.1 Data Structures ... 351
    5.4.2 Kernel Variables ... 358
    5.4.3 Performance Counters ... 358
    5.4.4 Relevant Functions ... 359
    5.4.5 Birth of a Thread ... 359
  5.5 Examining Thread Activity ... 360
  5.6 Worker Factories (Thread Pools) ... 364
  5.7 Thread Scheduling ... 368
    5.7.1 Overview of Windows Scheduling ... 368
    5.7.2 Priority Levels ... 370
    5.7.3 Windows Scheduling APIs ... 372
    5.7.4 Relevant Tools ... 372
    5.7.5 Real-Time Priorities ... 374
    5.7.6 Thread States ... 375
    5.7.7 Dispatcher Database ... 378
    5.7.8 Quantum ... 379
    5.7.9 Scheduling Scenarios ... 386
    5.7.10 Context Switching ... 390
    5.7.11 Idle Thread ... 390
    5.7.12 Priority Boosts ... 391
    5.7.13 Multiprocessor Systems ... 404
    5.7.14 Multiprocessor Thread-Scheduling Algorithms ... 412
    5.7.15 CPU Rate Limits ... 413
  5.8 Job Objects ... 414
  5.9 Conclusion ... 419
6. Security ... 420
  6.1 Security Ratings ... 420
  6.2 Security System Components ... 422
  6.3 Protecting Objects ... 425
    6.3.1 Access Checks ... 426
    6.3.2 Security Descriptors and Access Control ... 448
  6.4 Account Rights and Privileges ... 462
    6.4.1 Account Rights ... 463
    6.4.2 Privileges ... 464
    6.4.3 Super Privileges ... 468
  6.5 Security Auditing ... 469
  6.6 Logon ... 471
    6.6.1 Winlogon Initialization ... 472
    6.6.2 User Logon Steps ... 474
  6.7 User Account Control ... 478
    6.7.1 Virtualization ... 478
    6.7.2 Elevation ... 484
  6.8 Software Restriction Policies ... 489
  6.9 Conclusion ... 490
7. I/O System ... 491
  7.1 I/O System Components ... 491
  7.2 Device Drivers ... 495
    7.2.1 Types of Device Drivers ... 495
    7.2.2 Structure of a Driver ... 501
    7.2.3 Driver Objects and Device Objects ... 503
    7.2.4 Opening Devices ... 508
  7.3 I/O Processing ... 514
    7.3.1 Types of I/O ... 514
    7.3.2 I/O Request to a Single-Layered Driver ... 523
    7.3.3 I/O Requests to Layered Drivers ... 529
    7.3.4 I/O Cancellation ... 537
    7.3.5 I/O Completion Ports ... 541
    7.3.6 I/O Prioritization ... 546
    7.3.7 Driver Verifier ... 551
  7.4 Kernel-Mode Driver Framework (KMDF) ... 553
    7.4.1 Structure and Operation of a KMDF Driver ... 553
    7.4.2 KMDF Data Model ... 555
    7.4.3 KMDF I/O Model ... 559
  7.5 User-Mode Driver Framework (UMDF) ... 562
  7.6 The Plug and Play (PnP) Manager ... 565
    7.6.1 Level of Plug and Play Support ... 566
    7.6.2 Driver Support for Plug and Play ... 567
    7.6.3 Driver Loading, Initialization, and Installation ... 569
    7.6.4 Driver Installation ... 578
  7.7 The Power Manager ... 582
    7.7.1 Power Manager Operation ... 584
    7.7.2 Driver Power Operation ... 585
    7.7.3 Driver and Application Control of Device Power ... 589
  7.8 Conclusion ... 589
8. Storage Management ... 591
  8.1 Storage Terminology ... 591
  8.2 Disk Drivers ... 592
    8.2.1 Winload ... 592
    8.2.2 Disk Class, Port, and Miniport Drivers ... 592
    8.2.3 Disk Device Objects ... 596
    8.2.4 Partition Manager ... 597
  8.3 Volume Management ... 598
    8.3.1 Basic Disks ... 598
    8.3.2 Dynamic Disks ... 600
    8.3.3 Multipartition Volume Management ... 605
    8.3.4 The Volume Namespace ... 615
    8.3.5 Volume I/O Operations ... 621
    8.3.6 Virtual Disk Service ... 623
  8.4 BitLocker Drive Encryption ... 625
    8.4.1 BitLocker Architecture ... 625
    8.4.2 Encryption Keys ... 626
    8.4.3 Trusted Platform Module (TPM) ... 628
    8.4.4 BitLocker Boot Process ... 630
    8.4.5 BitLocker Key Recovery ... 631
    8.4.6 Full Volume Encryption Driver ... 632
    8.4.7 BitLocker Management ... 633
  8.5 Volume Shadow Copy Service ... 633
    8.5.1 Shadow Copies ... 634
    8.5.2 VSS Architecture ... 634
    8.5.3 VSS Operation ... 635
    8.5.4 Uses in Windows ... 637
  8.6 Conclusion ... 642
9. Memory Management ... 643
  9.1 Introduction to the Memory Manager ... 643
  9.2 Services the Memory Manager Provides ... 647
    9.2.1 Large and Small Pages ... 648
    9.2.2 Reserving and Committing Pages ... 649
    9.2.3 Locking Memory ... 650
    9.2.4 Allocation Granularity ... 651
    9.2.5 Shared Memory and Mapped Files ... 651
    9.2.6 Protecting Memory ... 654
    9.2.7 No Execute Page Protection ... 655
    9.2.8 Copy-on-Write ... 659
    9.2.9 Address Windowing Extensions ... 661
  9.3 Kernel-Mode Heaps (System Memory Pools) ... 662
    9.3.1 Pool Sizes ... 663
    9.3.2 Monitoring Pool Usage ... 665
    9.3.3 Look-Aside Lists ... 668
  9.4 Heap Manager ... 669
    9.4.1 Types of Heaps ... 670
    9.4.2 Heap Manager Structure ... 670
    9.4.3 Heap Synchronization ... 671
    9.4.4 The Low Fragmentation Heap ... 672
    9.4.5 Heap Security Features ... 673
    9.4.6 Heap Debugging Features ... 674
    9.4.7 Pageheap ... 674
  9.5 Virtual Address Space Layouts ... 675
    9.5.1 x86 Address Space Layouts ... 676
    9.5.2 x86 System Address Space Layout ... 679
    9.5.3 x86 Session Space ... 679
    9.5.4 System Page Table Entries ... 682
    9.5.5 64-Bit Address Space Layouts ... 684
    9.5.6 64-Bit Virtual Addressing Limitations ... 686
    9.5.7 Dynamic System Virtual Address Space Management ... 689
    9.5.8 System Virtual Address Space Quotas ... 692
    9.5.9 User Address Space Layout ... 693
  9.6 Address Translation ... 697
    9.6.1 x86 Virtual Address Translation ... 697
    9.6.2 Translation Look-Aside Buffer ... 703
    9.6.3 Physical Address Extension (PAE) ... 704
    9.6.4 IA64 Virtual Address Translation ... 707
    9.6.5 x64 Virtual Address Translation ... 708
  9.7 Page Fault Handling ... 709
    9.7.1 Invalid PTEs ... 710
    9.7.2 Prototype PTEs ... 711
    9.7.3 In-Paging I/O ... 713
    9.7.4 Collided Page Faults ... 714
    9.7.5 Clustered Page Faults ... 714
    9.7.6 Page Files ... 715
  9.8 Stacks ... 719
  9.9 Virtual Address Descriptors ... 721
  9.10 NUMA ... 724
  9.11 Section Objects ... 725
  9.12 Driver Verifier ... 732
  9.13 Page Frame Number Database ... 736
    9.13.1 Page List Dynamics ... 739
    9.13.2 Page Priority ... 740
    9.13.3 Modified Page Writer ... 743
    9.13.4 PFN Data Structures ... 744
  9.14 Physical Memory Limits ... 748
  9.15 Working Sets ... 752
    9.15.1 Demand Paging ... 753
    9.15.2 Logical Prefetcher ... 753
    9.15.3 Placement Policy ... 757
    9.15.4 Working Set Management ... 757
    9.15.5 Balance Set Manager and Swapper ... 760
    9.15.6 System Working Set ... 761
    9.15.7 Memory Notification Events ... 762
  9.16 Proactive Memory Management (SuperFetch) ... 764
    9.16.1 Components ... 765
    9.16.2 Tracing and Logging ... 766
    9.16.3 Scenarios ... 767
    9.16.4 Page Priority and Rebalancing ... 768
    9.16.5 Robust Performance ... 770
    9.16.6 ReadyBoost ... 771
    9.16.7 ReadyDrive ... 772
  9.17 Conclusion ... 774
10. Cache Manager ... 775
  10.1 Key Features of the Cache Manager ... 775
  10.2 Cache Virtual Memory Management ... 779
  10.3 Cache Size ... 780
  10.4 Cache Data Structures ... 784
    10.4.1 Systemwide Cache Data Structures ... 784
    10.4.2 Per-File Cache Data Structures ... 786
  10.5 File System Interfaces ... 791
    10.5.1 Copying to and from the Cache ... 792
    10.5.2 Caching with the Mapping and Pinning Interfaces ... 793
    10.5.3 Caching with the Direct Memory Access Interfaces ... 795
  10.6 Fast I/O ... 796
  10.7 Read-Ahead and Write-Behind ... 798
    10.7.1 Intelligent Read-Ahead ... 798
    10.7.2 Write-Back Caching and Lazy Writing ... 799
    10.7.3 Write Throttling ... 805
    10.7.4 System Threads ... 807
  10.8 Conclusion ... 808
11. File Systems ... 809
  11.1 Windows File System Formats ... 810
  11.2 File System Driver Architecture ... 815
    11.2.1 Local FSDs ... 815
    11.2.2 Remote FSDs ... 816
    11.2.3 File System Operation ... 819
    11.2.4 File System Filter Drivers ... 824
  11.3 Troubleshooting File System Problems ... 825
  11.4 Common Log File System ... 827
  10. 11.5 NTFS Design goals and Features .............................................................834 11.5.1 High-End File System Requirements ............................................834 11.5.2 Advanced Features of NTFS ..........................................................835 11.6 NTFS File System Driver .......................................................................847 11.7 NTFS On-Disk Structure .......................................................................850 11.8 NTFS recovery Support............................................................................882 11.8.1 Design ...............................................................................................883 11.8.2 Metadata Logging ...........................................................................884 11.8.3 Recovery...........................................................................................888 11.8.4 NTFS Bad-Cluster Recovery..........................................................891 11.8.5 Self-Healing......................................................................................894 11.9 Encrypting File System Security..............................................................895 11.9.1 Encrypting a File for the First Time..............................................898 11.9.2 The Decryption Process ..................................................................902 11.9.3 Backing Up Encrypted Files...........................................................903 11.10 Conclusion................................................................................................904 12. Networking............................................................................. 
905 12.1 Windows Networking Architecture .........................................................905 12.1.1 The OSI Reference Model ..............................................................905 12.1.2 Windows Networking Components...............................................907 12.2 Networking APIs .......................................................................................909 12.2.1 Windows Sockets.............................................................................910 12.2.2 Winsock Kernel (WSK) ..................................................................915 12.2.3 Remote Procedure Call...................................................................917 12.2.4 Web Access APIs .............................................................................921 12.2.5 Named Pipes and Mailslots ............................................................923 12.2.6 NetBIOS ...........................................................................................928 12.2.7 Other Networking APIs ..................................................................930 12.3 Multiple redirector Support.....................................................................934 12.3.1 Multiple Provider Router...............................................................934 12.3.2 Multiple UNC Provider ..................................................................937 12.4 Name resolution ........................................................................................938 12.5 Location and Topology .............................................................................941 12.6 Protocol Drivers ........................................................................................943 12.7 NDiS Drivers..............................................................................................952 12.7.1 Variations on the NDIS Miniport ..................................................955 12.7.2 Connection-Oriented 
NDIS............................................................956 12.7.3 Remote NDIS...................................................................................958 12.7.4 QoS ...................................................................................................959 12.8 Binding .......................................................................................................961 12.9 Layered Network Services .......................................................................962 12.10 Conclusion .............................................................................................967 13. Startup and Shutdown .......................................................... 968 ix Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  11. 13.1 Boot Process...............................................................................................968 13.1.1 BIOS Preboot ..................................................................................968 13.1.2 The BIOS Boot Sector and Bootmgr .............................................970 13.1.3 The EFI Boot Process .....................................................................979 13.1.4 Initializing the Kernel and Executive Subsystems.......................980 13.1.5 Smss, Csrss, and Wininit ................................................................985 13.1.6 ReadyBoot........................................................................................990 13.1.7 Images That Start Automatically...................................................991 13.2 Troubleshooting Boot and Startup Problems .........................................992 13.3 Shutdown .................................................................................................1004 13.4 Conclusion ...............................................................................................1007 14. Crash Dump Analysis ......................................................... 
1008 14.1 Why Does Windows Crash?...................................................................1008 14.2 The Blue Screen.......................................................................................1009 14.3 Troubleshooting Crashes ........................................................................1012 14.4 Crash Dump Files ...................................................................................1014 14.5 Windows error reporting........................................................................1019 14.6 Online Crash analysis .............................................................................1020 14.7 Basic Crash Dump analysis....................................................................1021 14.8 Using Crash Troubleshooting Tools.......................................................1025 14.8.1 Buffer Overrun, Memory Corruptions, and Special Pool.........1026 14.8.2 Code Overwrite and System Code Write Protection .................1029 14.9 Advanced Crash Dump analysis ............................................................1030 14.9.1 Stack Trashes .................................................................................1031 14.9.2 Hung or Unresponsive Systems ...................................................1033 14.9.3 When There Is No Crash Dump ..................................................1036 14.10 Conclusion .............................................................................................1037 x Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
1. Concepts and Tools

In this chapter, we’ll introduce the key Microsoft Windows operating system concepts and terms we’ll be using throughout this book, such as the Windows API, processes, threads, virtual memory, kernel mode and user mode, objects, handles, security, and the registry. We’ll also introduce the tools that you can use to explore Windows internals, such as the kernel debugger, the Reliability and Performance Monitor, and key tools from Windows Sysinternals (www.microsoft.com/technet/sysinternals). In addition, we’ll explain how you can use the Windows Driver Kit (WDK) and the Windows Software Development Kit (SDK) as resources for finding further information on Windows internals. Be sure that you understand everything in this chapter—the remainder of the book is written assuming that you do.

1.1 Windows Operating System Versions

This book covers the two most recent versions of the Microsoft Windows operating system based on the Windows NT code base: Windows Vista (32-bit and 64-bit versions) and Windows Server 2008 (32-bit and 64-bit versions). Unless specifically stated, the text applies to all versions. As background information, Table 1-1 lists the releases of the Windows NT code base, their internal version number, and the external product name.
1.2 Foundation Concepts and Terms

In the course of this book, we’ll be referring to some structures and concepts that might be unfamiliar to some readers. In this section, we’ll define the terms we’ll be using throughout. You should become familiar with them before proceeding to subsequent chapters.

1.2.1 Windows API

The Windows application programming interface (API) is the system programming interface to the Windows operating system family. Prior to the introduction of 64-bit versions of Windows XP and Windows Server 2003, the programming interface to the 32-bit versions of the Windows operating systems was called the Win32 API, to distinguish it from the original 16-bit Windows API, which was the programming interface to the original 16-bit versions of Windows. In this book, the term Windows API refers to both the 32-bit and 64-bit programming interfaces to Windows Vista and Windows Server 2008.

Note: The Windows API is described in the Windows Software Development Kit (SDK) documentation. (See the section “Windows Software Development Kit” later in this chapter.) This documentation is available for free viewing online at www.msdn.microsoft.com. It is also included with all subscription levels to the Microsoft Developer Network (MSDN), Microsoft’s support program for developers. For more information, see www.msdn.microsoft.com. An excellent description of how to program the Windows base API is the book Windows via C/C++, Fifth Edition by Jeffrey Richter and Christophe Nasarre (Microsoft Press, 2007).

The Windows API consists of thousands of callable functions, which are divided into the following major categories:

■ Base Services
■ Component Services
■ User Interface Services
■ Graphics and Multimedia Services
■ Messaging and Collaboration
■ Networking
■ Web Services

This book focuses on the internals of the key base services, such as processes and threads, memory management, I/O, and security.

What About .NET?
The .NET Framework consists of a library of classes called the Framework Class Library (FCL) and a Common Language Runtime (CLR) that provides a managed code execution environment with features such as just-in-time compilation, type verification, garbage collection, and code access security. By offering these features, the CLR provides a development environment that improves programmer productivity and reduces common programming errors. For an excellent description of the .NET Framework and its core architecture, see CLR via C#, Second Edition by Jeffrey Richter (Microsoft Press, 2006).

The CLR is implemented as a classic COM server whose code resides in a standard user-mode Windows DLL. In fact, all components of the .NET Framework are implemented as standard user-mode Windows DLLs layered over unmanaged Windows API functions. (None of the .NET Framework runs in kernel mode.) Figure 1-1 illustrates the relationship between these components.

History of the Win32 API

Interestingly, Win32 wasn’t slated to be the original programming interface to Microsoft Windows NT. Because the Windows NT project started as a replacement for OS/2 version 2, the primary programming interface was the 32-bit OS/2 Presentation Manager API. A year into the project, however, Microsoft Windows 3.0 hit the market and took off. As a result, Microsoft changed direction and made Windows NT the future replacement for the Windows family of products as opposed to the replacement for OS/2. It was at this juncture that the need to specify the Windows API arose—before this, the Windows API existed only as a 16-bit interface.
Although the Windows API would introduce many new functions that hadn’t been available on Windows 3.1, Microsoft decided to make the new API compatible with the 16-bit Windows API function names, semantics, and use of data types whenever possible to ease the burden of porting existing 16-bit Windows applications to Windows NT. So those of you who are looking at the Windows API for the first time and wondering why many function names and interfaces seem inconsistent should keep in mind that one reason for the inconsistency was to ensure that the Windows API is compatible with the old 16-bit Windows API.

1.2.2 Services, Functions, and Routines

Several terms in the Windows user and programming documentation have different meanings in different contexts. For example, the word service can refer to a callable routine in the operating system, a device driver, or a server process. The following list describes what certain terms mean in this book:

■ Windows API functions  Documented, callable subroutines in the Windows API. Examples include CreateProcess, CreateFile, and GetMessage.
■ Native system services (or executive system services)  The undocumented, underlying services in the operating system that are callable from user mode. For example, NtCreateProcessEx is the internal system service the Windows CreateProcess function calls to create a new process. (For a definition of native functions, see the section “System Service Dispatching” in Chapter 3.)
■ Kernel support functions (or routines)  Subroutines inside the Windows operating system that can be called only from kernel mode (defined later in this chapter). For example, ExAllocatePoolWithTag is the routine that device drivers call to allocate memory from the Windows system heaps (called pools).
■ Windows services  Processes started by the Windows service control manager. (Although the registry defines Windows device drivers as “services,” we don’t refer to them as such in this book.) For example, the Task Scheduler service runs in a user-mode process that supports the at command (which is similar to the UNIX commands at or cron).
■ DLLs (dynamic-link libraries)  A set of callable subroutines linked together as a binary file that can be dynamically loaded by applications that use the subroutines. Examples include Msvcrt.dll (the C run-time library) and Kernel32.dll (one of the Windows API subsystem libraries). Windows user-mode components and applications use DLLs extensively. The advantage DLLs provide over static libraries is that applications can share DLLs, and Windows ensures that there is only one in-memory copy of a DLL’s code among the applications that are referencing it.

1.2.3 Processes, Threads, and Jobs
Although programs and processes appear similar on the surface, they are fundamentally different. A program is a static sequence of instructions, whereas a process is a container for a set of resources used when executing the instance of the program. At the highest level of abstraction, a Windows process comprises the following:

■ A private virtual address space, which is a set of virtual memory addresses that the process can use
■ An executable program, which defines initial code and data and is mapped into the process’s virtual address space
■ A list of open handles to various system resources, such as semaphores, communication ports, and files, that are accessible to all threads in the process
■ A security context called an access token that identifies the user, security groups, privileges, User Account Control (UAC) virtualization state, session, and limited user account state associated with the process
■ A unique identifier called a process ID (internally part of an identifier called a client ID)
■ At least one thread of execution (although an “empty” process is possible, it is not useful)

Each process also points to its parent or creator process. However, if the parent exits, this information is not updated. Therefore, it is possible for a process to point to a nonexistent parent, or to an unrelated process that has since been assigned the same process ID. This is not a problem, as nothing in Windows relies on this information being present. The following experiment illustrates this case.

EXPERIMENT: Viewing the Process Tree

One unique attribute about a process that most tools don’t display is the parent or creator process ID. You can retrieve this value with the Performance Monitor (or programmatically) by querying the Creating Process ID. The Tlist.exe tool (in the Debugging Tools for Windows) can show the process tree by using the /t switch. Here’s an example of output from tlist /t:

C:\>tlist /t
System Process (0)
System (4)
  smss.exe (480)
    csrss.exe (548)
    wininit.exe (612)
      services.exe (656)
        svchost.exe (848)
        svchost.exe (880)
        svchost.exe (924)
        svchost.exe (980)
          audiodg.exe (1040)
        svchost.exe (1108)
          dwm.exe (123)
        svchost.exe (96)
          taskeng.exe (604)
          tasking.exe (1532)
        SLsvc.exe (1814)
        svchost.exe (2988)
      lsass.exe (672)
      lsm.exe (680)
    csrss.exe (624)
    winlogon.exe (824)
explorer.exe (724) Program Manager
  WINWORD.EXE (3512) WinInt5E_Chapter01.doc [Compatibility Mode] - Microsoft Word
  cmd.exe (3936) Command Prompt - tlist /t
    tlist.exe (1344)

The list indents each process to show its parent/child relationship. Processes whose parents aren’t alive are left-justified (as is Explorer.exe in the preceding example) because even if a grandparent process exists, there’s no way to find that relationship. Windows maintains only the creator process ID, not a link back to the creator of the creator, and so forth. To demonstrate the fact that Windows doesn’t keep track of more than just the parent process ID, follow these steps:

1. Open a Command Prompt window.
2. Type start cmd (which starts a second command prompt).
3. Bring up Task Manager.
4. Switch to the second command prompt.
5. Type mspaint (which runs Microsoft Paint).
6. Click the intermediate (second) Command Prompt window.
7. Type exit. (Notice that Paint remains.)
8. Switch to Task Manager.
9. Click the Applications tab.
10. Right-click on the Command Prompt task, and select Go To Process.
11. Click on the Cmd.exe process highlighted in blue.
12. Right-click on this process, and select End Process Tree.
13. Click Yes in the Task Manager Warning message box.

The first Command Prompt window will disappear, but you should still see the Paint window because it was the grandchild of the command prompt process you terminated; and because the intermediate process (the parent of Paint) was terminated, there was no link between the parent and the grandchild.

A number of tools for viewing (and modifying) processes and process information are available.
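The following is an added example, written for this edit and not code from the book or from the Debugging Tools, that does in Python (3.9 or later) what tlist /t does with the creator process ID and what the End Process Tree steps above demonstrate: it builds the tree from (process ID, creator process ID) pairs and left-justifies any process whose creator is gone. Because a creator's PID can be handed to a new process after the creator exits, the example also compares creation times and flags a recorded "parent" that is younger than its child. The SAMPLE records are constructed for the example; on Windows, snapshot() reads live records through the documented kernel32 ToolHelp functions (CreateToolhelp32Snapshot, Process32FirstW/Process32NextW) and GetProcessTimes. The function and field names in the block are the example's own, not names from Windows or the book.

```python
"""Process tree from creator (parent) PIDs. Added example; not code from the book.
Windows records only the creating process ID and never updates it, so the tree
must cope with creators that have exited and with PIDs recycled afterwards.
SAMPLE is constructed data; snapshot() reads live records on Windows via kernel32."""
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int           # creator process ID: the only ancestry link Windows keeps
    name: str
    start: float = 0.0  # creation time; 0.0 means unknown (e.g. OpenProcess denied)

def parent_status(p: Proc, by_pid: dict[int, Proc]) -> str:
    """'alive', 'missing' (creator exited) or 'reused' (a younger process owns the PID)."""
    parent = by_pid.get(p.ppid)
    if parent is None or parent.pid == p.pid:
        return "missing"
    if p.start and parent.start and parent.start > p.start:
        return "reused"  # nothing can be older than the process that created it
    return "alive"

def broken_links(procs: list[Proc]) -> dict[int, str]:
    """pid -> reason for every process whose creator link cannot be followed."""
    by_pid = {p.pid: p for p in procs}
    return {p.pid: s for p in procs if (s := parent_status(p, by_pid)) != "alive"}

def build_tree(procs: list[Proc]) -> list[str]:
    """One line per process, indented two spaces per level of live ancestry;
    processes without a live creator are left-justified, as in tlist /t."""
    by_pid = {p.pid: p for p in procs}
    children: dict[int, list[Proc]] = {}
    roots: list[Proc] = []
    for p in procs:
        if parent_status(p, by_pid) == "alive":
            children.setdefault(p.ppid, []).append(p)
        else:
            roots.append(p)
    lines: list[str] = []
    def walk(p: Proc, depth: int) -> None:
        lines.append("  " * depth + f"{p.name} ({p.pid})")
        for child in children.get(p.pid, []):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

# Constructed sample, not a real capture: PID 900 (creator of explorer.exe) has
# exited, and PID 3000 was recycled by an svchost started after mspaint.exe.
SAMPLE = [
    Proc(4, 0, "System", 1.0),
    Proc(480, 4, "smss.exe", 2.0),
    Proc(612, 480, "wininit.exe", 3.0),
    Proc(656, 612, "services.exe", 4.0),
    Proc(724, 900, "explorer.exe", 10.0),
    Proc(3936, 724, "cmd.exe", 20.0),
    Proc(5000, 3000, "mspaint.exe", 30.0),
    Proc(3000, 656, "svchost.exe", 40.0),
]

def snapshot() -> list[Proc]:
    """Windows only: ToolHelp for pid/ppid/name, GetProcessTimes for creation time."""
    import ctypes
    from ctypes import wintypes
    class PROCESSENTRY32W(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", wintypes.WCHAR * 260)]
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    def start_time(pid: int) -> float:
        h = k32.OpenProcess(0x1000, False, pid)  # PROCESS_QUERY_LIMITED_INFORMATION
        if not h:
            return 0.0  # denied (e.g. protected process): reuse check is skipped
        ft = (wintypes.FILETIME * 4)()  # creation, exit, kernel, user
        ok = k32.GetProcessTimes(h, *(ctypes.byref(t) for t in ft))
        k32.CloseHandle(h)
        return float((ft[0].dwHighDateTime << 32) | ft[0].dwLowDateTime) if ok else 0.0
    snap = k32.CreateToolhelp32Snapshot(0x2, 0)  # TH32CS_SNAPPROCESS
    if not snap or snap == ctypes.c_void_p(-1).value:  # NULL or INVALID_HANDLE_VALUE
        return []
    entry = PROCESSENTRY32W()
    entry.dwSize = ctypes.sizeof(entry)
    procs: list[Proc] = []
    ok = k32.Process32FirstW(snap, ctypes.byref(entry))
    while ok:
        procs.append(Proc(entry.th32ProcessID, entry.th32ParentProcessID,
                          entry.szExeFile, start_time(entry.th32ProcessID)))
        ok = k32.Process32NextW(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return procs

if __name__ == "__main__":
    records = snapshot() if sys.platform == "win32" else SAMPLE
    print("\n".join(build_tree(records)), broken_links(records), sep="\n")
```

Run as a script on Windows it prints the live tree; elsewhere it renders SAMPLE, where explorer.exe and mspaint.exe come out left-justified for two different reasons (creator gone, creator PID reused). The creator-ID-only record that Windows keeps is also what most process telemetry reports, so when you chain parent PIDs during an investigation, pair each PID with its creation time: a recorded parent that started after its child means the PID was recycled, not that the child was created by that process.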
The following experiments illustrate the various views of process information you can obtain with some of these tools. These tools are included with Windows itself, with the Debugging Tools for Windows and the Windows SDK, or are available from Sysinternals. Many of these tools show overlapping subsets of the core process and thread information, sometimes identified by different names.

Probably the most widely used tool to examine process activity is Task Manager. (Interestingly, there is no such thing as a “task” in the Windows kernel, so Task Manager is really a tool to manage processes.) The following experiment shows the difference between what Task Manager lists as applications and processes.

EXPERIMENT: Viewing Process Information with Task Manager

The built-in Windows Task Manager provides a quick list of the processes running on the system. You can start Task Manager in one of three ways: (1) press Ctrl+Shift+Esc, (2) right-click on the taskbar and select Task Manager, or (3) press Ctrl+Alt+Delete and click the Task Manager button.

Once Task Manager has started, click the Processes tab to see the list of running processes. Notice that processes are identified by the name of the image of which they are an instance. Unlike some objects in Windows, processes can’t be given global names. To display additional details, choose Select Columns from the View menu and select additional columns to be added, as shown here:

Although what you see in the Task Manager Processes tab is clearly a list of processes, what the Applications tab displays isn’t as obvious. The Applications tab lists the top-level visible windows on all the desktops in the interactive window station. (By default, there are two desktop objects—you can create more by using the Windows CreateDesktop function.) The Status column indicates whether or not the thread that owns the window is in a Windows message wait state. “Running” means the thread is waiting for windowing input; “Not Responding” means the thread isn’t waiting for windowing input (for example, the thread might be running or waiting for I/O or some Windows synchronization object).

From the Applications tab, you can match a task to the process that owns the thread that owns the task window by right-clicking on the task name and choosing Go To Process.
Process Explorer, from Sysinternals, shows more details about processes and threads than any other available tool, which is why you will see it used in a number of experiments throughout the book. The following are some of the unique things that Process Explorer shows or enables:

■ Full path name for the image being executed
■ Process security token (list of groups and privileges, virtualization state, and session)
■ Highlighting to show changes in the process and thread list
■ List of services inside service-hosting processes, including display name and description
■ Processes that are part of a job and job details
■ Processes running .NET applications and .NET-specific details (such as the list of app domains and CLR performance counters)
■ Start time for processes and threads
■ Complete list of memory-mapped files (not just DLLs)
■ Ability to suspend a process
■ Ability to kill an individual thread
■ Easy identification of which processes were consuming the most CPU time over a period of time (The Reliability and Performance Monitor can display process CPU utilization for a given set of processes, but it won’t automatically show processes created after the performance monitoring session has started; only a manual trace in binary output format can do that.)

Process Explorer also provides easy access to information in one place, such as:

■ Process tree (with ability to collapse parts of the tree)
■ Open handles in a process (including unnamed handles) without prior setup (The Microsoft tools to show open handles require the setting of a systemwide flag and a reboot before they can be used.)
■ List of DLLs (and memory-mapped files) in a process
■ Thread activity within a process
■ User-mode thread stacks (including mapping of addresses to names using the debugging tools’ symbol engine)
■ Kernel-mode thread stacks for system threads (including mapping of addresses to names using the debugging tools’ symbol engine)
■ Context switch delta (a better representation of CPU activity, as explained in Chapter 5)
■ Time stamp counter (an even better representation of precise CPU activity, as explained in Chapter 5)
■ 64-bit vs. 32-bit image type
■ Integrity level