Windows Internals: Covering Windows Server 2008 and Windows Vista (Part 1)

Table of Contents
Table of Contents i
1. Concepts and Tools 1
1.1 Windows Operating System Versions 1
1.2 Foundation Concepts and Terms 2
1.2.1 Windows API 2
1.2.2 Services, Functions, and Routines 4
1.2.3 Processes, Threads, and Jobs 4
1.2.4 Virtual Memory 14
1.2.5 Kernel Mode vs. User Mode 17
1.2.6 Terminal Services and Multiple Sessions 20
1.2.7 Objects and Handles 21
1.2.8 Security 22
1.2.9 Registry 23
1.2.10 Unicode 24
1.3 Digging into Windows Internals 24
1.3.1 Reliability and Performance Monitor 25
1.3.2 Kernel Debugging 27
1.3.3 Windows Software Development Kit 32
1.3.4 Windows Driver Kit 32
1.3.5 Sysinternals Tools 32
1.4 Conclusion 33
2. System Architecture 34
2.1 Requirements and Design Goals 34
2.2 Operating System Model 35
2.3 Architecture Overview 36
2.3.1 Portability 38
2.3.2 Symmetric Multiprocessing 39
2.3.3 Scalability 44


2.3.4 Differences Between Client and Server Versions 44
2.3.5 Checked Build 48
2.4 Key System Components 50
2.4.1 Environment Subsystems and Subsystem DLLs 51
2.4.2 Ntdll.dll 57
2.4.3 Executive 58
2.4.4 Kernel 61
2.4.5 Hardware Abstraction Layer 64
2.4.6 Device Drivers 67
2.4.7 System Processes 72
2.5 Conclusion 83
3. System Mechanisms 84
3.1 Trap Dispatching 84
3.1.1 Interrupt Dispatching 86
3.1.2 Exception Dispatching 113
3.1.3 System Service Dispatching 123
3.2 Object Manager 134
3.2.1 Executive Objects 137
3.2.2 Object Structure 138
3.3 Synchronization 171
3.3.1 High-IRQL Synchronization 172
3.3.2 Low-IRQL Synchronization 177
3.4 System Worker Threads 196
3.5 Windows Global Flags 198
3.6 Advanced Local Procedure Calls (ALPCs) 201
3.7 Kernel Event Tracing 205
3.8 Wow64 210
3.8.1 Wow64 Process Address Space Layout 211

3.8.2 System Calls 211
3.8.3 Exception Dispatching 212
3.8.4 User Callbacks 212
3.8.5 File System Redirection 212
3.8.6 Registry Redirection and Reflection 213
3.8.7 I/O Control Requests 214
3.8.8 16-Bit Installer Applications 214
3.8.9 Printing 214
3.8.10 Restrictions 215
3.9 User-Mode Debugging 215
3.9.1 Kernel Support 215
3.9.2 Native Support 217
3.9.3 Windows Subsystem Support 218
3.10 Image Loader 218
3.10.1 Early Process Initialization 220
3.10.2 Loaded Module Database 221
3.10.3 Import Parsing 224
3.10.4 Post Import Process Initialization 226
3.11 Hypervisor (Hyper-V) 226
3.11.1 Partitions 228
3.11.2 Root Partition 228
3.11.3 Child Partitions 230
3.11.4 Hardware Emulation and Support 232
3.12 Kernel Transaction Manager 237
3.13 Hotpatch Support 239
3.14 Kernel Patch Protection 241
3.15 Code Integrity 244
3.16 Conclusion 245

4. Management Mechanisms 246
4.1 The Registry 246
4.1.1 Viewing and Changing the Registry 246
4.1.2 Registry Usage 246
4.1.3 Registry Data Types 247
4.1.4 Registry Logical Structure 248
4.1.6 Monitoring Registry Activity 258
4.1.7 Registry Internals 261
4.2 Services 275
4.2.1 Service Applications 276
4.2.2 The Service Control Manager 291
4.2.3 Service Startup 293
4.2.4 Startup Errors 297
4.2.5 Accepting the Boot and Last Known Good 298
4.2.6 Service Failures 300
4.2.7 Service Shutdown 300
4.2.8 Shared Service Processes 302
4.2.9 Service Tags 304
4.2.10 Service Control Programs 305
4.3 Windows Management Instrumentation 306
4.3.1 Providers 308
4.3.2 The Common Information Model and the Managed Object Format Language 309
4.3.3 Class Association 311
4.3.4 WMI Implementation 314
4.3.5 WMI Security 315
4.4 Windows Diagnostic Infrastructure 316
4.4.1 WDI Instrumentation 316
4.4.2 Diagnostic Policy Service 316
4.4.3 Diagnostic Functionality 317

4.5 Conclusion 319
5. Processes, Threads, and Jobs 320
5.1 Process Internals 320
5.1.1 Data Structures 320
5.1.2 Kernel Variables 327
5.1.3 Performance Counters 327
5.1.4 Relevant Functions 328
5.2 Protected Processes 330
5.3 Flow of CreateProcess 332
5.3.1 Stage 1: Converting and Validating Parameters and Flags 333
5.3.2 Stage 2: Opening the Image to Be Executed 334
5.3.3 Stage 3: Creating the Windows Executive Process Object (PspAllocateProcess) 337
5.3.4 Stage 4: Creating the Initial Thread and Its Stack and Context 341
5.3.5 Stage 5: Performing Windows Subsystem–Specific Post-Initialization 342
5.3.6 Stage 6: Starting Execution of the Initial Thread 344
5.3.7 Stage 7: Performing Process Initialization in the Context of the New Process 344

5.4 Thread Internals 351
5.4.1 Data Structures 351
5.4.2 Kernel Variables 358
5.4.3 Performance Counters 358
5.4.4 Relevant Functions 359
5.4.5 Birth of a Thread 359
5.5 Examining Thread Activity 360
5.6 Worker Factories (Thread Pools) 364

5.7 Thread Scheduling 368
5.7.1 Overview of Windows Scheduling 368
5.7.2 Priority Levels 370
5.7.3 Windows Scheduling APIs 372
5.7.4 Relevant Tools 372
5.7.5 Real-Time Priorities 374
5.7.6 Thread States 375
5.7.7 Dispatcher Database 378
5.7.8 Quantum 379
5.7.9 Scheduling Scenarios 386
5.7.10 Context Switching 390
5.7.11 Idle Thread 390
5.7.12 Priority Boosts 391
5.7.13 Multiprocessor Systems 404
5.7.14 Multiprocessor Thread-Scheduling Algorithms 412
5.7.15 CPU Rate Limits 413
5.8 Job Objects 414
5.9 Conclusion 419
6. Security 420
6.1 Security Ratings 420
6.2 Security System Components 422
6.3 Protecting Objects 425
6.3.1 Access Checks 426
6.3.2 Security Descriptors and Access Control 448
6.4 Account Rights and Privileges 462
6.4.1 Account Rights 463
6.4.2 Privileges 464
6.4.3 Super Privileges 468

6.5 Security Auditing 469
6.6 Logon 471
6.6.1 Winlogon Initialization 472
6.6.2 User Logon Steps 474
6.7 User Account Control 478
6.7.1 Virtualization 478
6.7.2 Elevation 484
6.8 Software Restriction Policies 489
6.9 Conclusion 490
7. I/O System 491
7.1 I/O System Components 491
7.2 Device Drivers 495
7.2.1 Types of Device Drivers 495
7.2.2 Structure of a Driver 501
7.2.3 Driver Objects and Device Objects 503
7.2.4 Opening Devices 508
7.3 I/O Processing 514
7.3.1 Types of I/O 514
7.3.2 I/O Request to a Single-Layered Driver 523
7.3.3 I/O Requests to Layered Drivers 529
7.3.4 I/O Cancellation 537
7.3.5 I/O Completion Ports 541
7.3.6 I/O Prioritization 546
7.3.7 Driver Verifier 551
7.4 Kernel-Mode Driver Framework (KMDF) 553
7.4.1 Structure and Operation of a KMDF Driver 553
7.4.2 KMDF Data Model 555
7.4.3 KMDF I/O Model 559
7.5 User-Mode Driver Framework (UMDF) 562
7.6 The Plug and Play (PnP) Manager 565

7.6.1 Level of Plug and Play Support 566
7.6.2 Driver Support for Plug and Play 567
7.6.3 Driver Loading, Initialization, and Installation 569
7.6.4 Driver Installation 578
7.7 The Power Manager 582
7.7.1 Power Manager Operation 584
7.7.2 Driver Power Operation 585
7.7.3 Driver and Application Control of Device Power 589
7.8 Conclusion 589
8. Storage Management 591
8.1 Storage Terminology 591
8.2 Disk Drivers 592
8.2.1 Winload 592
8.2.2 Disk Class, Port, and Miniport Drivers 592
8.2.3 Disk Device Objects 596
8.2.4 Partition Manager 597
8.3 Volume Management 598
8.3.1 Basic Disks 598
8.3.2 Dynamic Disks 600
8.3.3 Multipartition Volume Management 605
8.3.4 The Volume Namespace 615
8.3.5 Volume I/O Operations 621
8.3.6 Virtual Disk Service 623
8.4 BitLocker Drive Encryption 625
8.4.1 BitLocker Architecture 625
8.4.2 Encryption Keys 626
8.4.3 Trusted Platform Module (TPM) 628
8.4.4 BitLocker Boot Process 630

8.4.5 BitLocker Key Recovery 631
8.4.6 Full Volume Encryption Driver 632
8.4.7 BitLocker Management 633
8.5 Volume Shadow Copy Service 633
8.5.1 Shadow Copies 634
8.5.2 VSS Architecture 634
8.5.3 VSS Operation 635
8.5.4 Uses in Windows 637
8.6 Conclusion 642
9. Memory Management 643
9.1 Introduction to the Memory Manager 643
9.2 Services the Memory Manager Provides 647
9.2.1 Large and Small Pages 648
9.2.2 Reserving and Committing Pages 649
9.2.3 Locking Memory 650
9.2.4 Allocation Granularity 651
9.2.5 Shared Memory and Mapped Files 651
9.2.6 Protecting Memory 654
9.2.7 No Execute Page Protection 655
9.2.8 Copy-on-Write 659
9.2.9 Address Windowing Extensions 661
9.3 Kernel-Mode Heaps (System Memory Pools) 662
9.3.1 Pool Sizes 663
9.3.2 Monitoring Pool Usage 665
9.3.3 Look-Aside Lists 668
9.4 Heap Manager 669
9.4.1 Types of Heaps 670
9.4.2 Heap Manager Structure 670

9.4.3 Heap Synchronization 671
9.4.4 The Low Fragmentation Heap 672
9.4.5 Heap Security Features 673
9.4.6 Heap Debugging Features 674
9.4.7 Pageheap 674
9.5 Virtual Address Space Layouts 675
9.5.1 x86 Address Space Layouts 676
9.5.2 x86 System Address Space Layout 679
9.5.3 x86 Session Space 679
9.5.4 System Page Table Entries 682
9.5.5 64-Bit Address Space Layouts 684
9.5.6 64-Bit Virtual Addressing Limitations 686
9.5.7 Dynamic System Virtual Address Space Management 689
9.5.8 System Virtual Address Space Quotas 692
9.5.9 User Address Space Layout 693
9.6 Address Translation 697
9.6.1 x86 Virtual Address Translation 697
9.6.2 Translation Look-Aside Buffer 703
9.6.3 Physical Address Extension (PAE) 704
9.6.4 IA64 Virtual Address Translation 707
9.6.5 x64 Virtual Address Translation 708
9.7 Page Fault Handling 709
9.7.1 Invalid PTEs 710
9.7.2 Prototype PTEs 711
9.7.3 In-Paging I/O 713
9.7.4 Collided Page Faults 714
9.7.5 Clustered Page Faults 714
9.7.6 Page Files 715
9.8 Stacks 719
9.9 Virtual Address Descriptors 721

9.10 NUMA 724
9.11 Section Objects 725
9.12 Driver Verifier 732
9.13 Page Frame Number Database 736
9.13.1 Page List Dynamics 739
9.13.2 Page Priority 740
9.13.3 Modified Page Writer 743
9.13.4 PFN Data Structures 744
9.14 Physical Memory Limits 748
9.15 Working Sets 752
9.15.1 Demand Paging 753
9.15.2 Logical Prefetcher 753
9.15.3 Placement Policy 757
9.15.4 Working Set Management 757
9.15.5 Balance Set Manager and Swapper 760
9.15.6 System Working Set 761
9.15.7 Memory Notification Events 762
9.16 Proactive Memory Management (SuperFetch) 764
9.16.1 Components 765
9.16.2 Tracing and Logging 766
9.16.3 Scenarios 767
9.16.4 Page Priority and Rebalancing 768
9.16.5 Robust Performance 770
9.16.6 ReadyBoost 771
9.16.7 ReadyDrive 772
9.17 Conclusion 774
10. Cache Manager 775
10.1 Key Features of the Cache Manager 775

10.2 Cache Virtual Memory Management 779
10.3 Cache Size 780
10.4 Cache Data Structures 784
10.4.1 Systemwide Cache Data Structures 784
10.4.2 Per-File Cache Data Structures 786
10.5 File System Interfaces 791
10.5.1 Copying to and from the Cache 792
10.5.2 Caching with the Mapping and Pinning Interfaces 793
10.5.3 Caching with the Direct Memory Access Interfaces 795
10.6 Fast I/O 796
10.7 Read-Ahead and Write-Behind 798
10.7.1 Intelligent Read-Ahead 798
10.7.2 Write-Back Caching and Lazy Writing 799
10.7.3 Write Throttling 805
10.7.4 System Threads 807
10.8 Conclusion 808
11. File Systems 809
11.1 Windows File System Formats 810
11.2 File System Driver Architecture 815
11.2.1 Local FSDs 815
11.2.2 Remote FSDs 816
11.2.3 File System Operation 819
11.2.4 File System Filter Drivers 824
11.3 Troubleshooting File System Problems 825
11.4 Common Log File System 827
11.5 NTFS Design Goals and Features 834
11.5.1 High-End File System Requirements 834
11.5.2 Advanced Features of NTFS 835

11.6 NTFS File System Driver 847
11.7 NTFS On-Disk Structure 850
11.8 NTFS Recovery Support 882
11.8.1 Design 883
11.8.2 Metadata Logging 884
11.8.3 Recovery 888
11.8.4 NTFS Bad-Cluster Recovery 891
11.8.5 Self-Healing 894
11.9 Encrypting File System Security 895
11.9.1 Encrypting a File for the First Time 898
11.9.2 The Decryption Process 902
11.9.3 Backing Up Encrypted Files 903
11.10 Conclusion 904
12. Networking 905
12.1 Windows Networking Architecture 905
12.1.1 The OSI Reference Model 905
12.1.2 Windows Networking Components 907
12.2 Networking APIs 909
12.2.1 Windows Sockets 910
12.2.2 Winsock Kernel (WSK) 915
12.2.3 Remote Procedure Call 917
12.2.4 Web Access APIs 921
12.2.5 Named Pipes and Mailslots 923
12.2.6 NetBIOS 928
12.2.7 Other Networking APIs 930
12.3 Multiple Redirector Support 934
12.3.1 Multiple Provider Router 934
12.3.2 Multiple UNC Provider 937
12.4 Name Resolution 938
12.5 Location and Topology 941

12.6 Protocol Drivers 943
12.7 NDIS Drivers 952
12.7.1 Variations on the NDIS Miniport 955
12.7.2 Connection-Oriented NDIS 956
12.7.3 Remote NDIS 958
12.7.4 QoS 959
12.8 Binding 961
12.9 Layered Network Services 962
12.10 Conclusion 967
13. Startup and Shutdown 968
13.1 Boot Process 968
13.1.1 BIOS Preboot 968
13.1.2 The BIOS Boot Sector and Bootmgr 970
13.1.3 The EFI Boot Process 979
13.1.4 Initializing the Kernel and Executive Subsystems 980
13.1.5 Smss, Csrss, and Wininit 985
13.1.6 ReadyBoot 990
13.1.7 Images That Start Automatically 991
13.2 Troubleshooting Boot and Startup Problems 992
13.3 Shutdown 1004
13.4 Conclusion 1007
14. Crash Dump Analysis 1008
14.1 Why Does Windows Crash? 1008
14.2 The Blue Screen 1009
14.3 Troubleshooting Crashes 1012
14.4 Crash Dump Files 1014
14.5 Windows Error Reporting 1019
14.6 Online Crash Analysis 1020

14.7 Basic Crash Dump Analysis 1021
14.8 Using Crash Troubleshooting Tools 1025
14.8.1 Buffer Overrun, Memory Corruptions, and Special Pool 1026
14.8.2 Code Overwrite and System Code Write Protection 1029
14.9 Advanced Crash Dump Analysis 1030
14.9.1 Stack Trashes 1031
14.9.2 Hung or Unresponsive Systems 1033
14.9.3 When There Is No Crash Dump 1036
14.10 Conclusion 1037
1. Concepts and Tools
In this chapter, we’ll introduce the key Microsoft Windows operating system concepts and
terms we’ll be using throughout this book, such as the Windows API, processes, threads, virtual
memory, kernel mode and user mode, objects, handles, security, and the registry. We’ll also
introduce the tools that you can use to explore Windows internals, such as the kernel debugger, the
Reliability and Performance Monitor, and key tools from Windows Sysinternals
(www.microsoft.com/technet/sysinternals). In addition, we’ll explain how you can use the
Windows Driver Kit (WDK) and the Windows Software Development Kit (SDK) as resources for
finding further information on Windows internals.
Be sure that you understand everything in this chapter—the remainder of the book is written
assuming that you do.
1.1 Windows Operating System Versions
This book covers the two most recent versions of the Microsoft Windows operating system
based on the Windows NT code base: Windows Vista (32-bit and 64-bit versions) and Windows
Server 2008 (32-bit and 64-bit versions). Unless specifically stated, the text applies to all versions.
As background information, Table 1-1 lists the releases of the Windows NT code base, their
internal version number, and the external product name.

1.2 Foundation Concepts and Terms
In the course of this book, we’ll be referring to some structures and concepts that might be
unfamiliar to some readers. In this section, we’ll define the terms we’ll be using throughout
You should become familiar with them before proceeding to subsequent chapters.
1.2.1 Windows API
The Windows application programming interface (API) is the system programming interface
to the Windows operating system family. Prior to the introduction of 64-bit versions of Windows
XP and Windows Server 2003, the programming interface to the 32-bit versions of the Windows
operating systems was called the Win32 API, to distinguish it from the original 16-bit Windows
API, which was the programming interface to the original 16-bit versions of Windows. In this
book, the term Windows API refers to both the 32-bit and 64-bit programming interfaces to
Windows Vista and Windows Server 2008.
Note The Windows API is described in the Windows Software Development Kit (SDK)
documentation. (See the section “Windows Software Development Kit” later in this chapter.) This
documentation is available for free viewing online at www.msdn.microsoft.com. It is also
included with all subscription levels to the Microsoft Developer Network (MSDN), Microsoft’s
support program for developers. For more information, see www.msdn.microsoft.com. An
excellent description of how to program the Windows base API is the book Windows via C/C++,
Fifth Edition by Jeffrey Richter and Christophe Nasarre (Microsoft Press, 2007).
The Windows API consists of thousands of callable functions, which are divided into the
following major categories:
■ Base Services
■ Component Services
■ User Interface Services
■ Graphics and Multimedia Services
■ Messaging and Collaboration
■ Networking
■ Web Services
This book focuses on the internals of the key base services, such as processes and threads,
memory management, I/O, and security.
What about .NET?
The .NET Framework consists of a library of classes called the Framework Class Library
(FCL) and a Common Language Runtime (CLR) that provides a managed code execution
environment with features such as just-in-time compilation, type verification, garbage collection,
and code access security. By offering these features, the CLR provides a development
environment that improves programmer productivity and reduces common programming errors.
For an excellent description of the .NET Framework and its core architecture, see CLR via C#,
Second Edition by Jeffrey Richter (Microsoft Press, 2006).
The CLR is implemented as a classic COM server whose code resides in a standard user
mode Windows DLL. In fact, all components of the .NET Framework are implemented as
standard user-mode Windows DLLs layered over unmanaged Windows API functions. (None of
the .NET Framework runs in kernel mode.) Figure 1-1 illustrates the relationship between these
components:

History of the Win32 API
Interestingly, Win32 wasn’t slated to be the original programming interface to Microsoft
Windows NT. Because the Windows NT project started as a replacement for OS/2 version 2, the
primary programming interface was the 32-bit OS/2 Presentation Manager API. A year into the
project, however, Microsoft Windows 3.0 hit the market and took off. As a result, Microsoft
changed direction and made Windows NT the future replacement for the Windows family of
products as opposed to the replacement for OS/2. It was at this juncture that the need to specify
the Windows API arose—before this, the Windows API existed only as a 16-bit interface.
Although the Windows API would introduce many new functions that hadn’t been available
on Windows 3.1, Microsoft decided to make the new API compatible with the 16-bit Windows
API function names, semantics, and use of data types whenever possible to ease the burden of
porting existing 16-bit Windows applications to Windows NT. So those of you who are looking at
the Windows API for the first time and wondering why many function names and interfaces seem
inconsistent should keep in mind that one reason for the inconsistency was to ensure that the
Windows API is compatible with the old 16-bit Windows API.
1.2.2 Services, Functions, and Routines
Several terms in the Windows user and programming documentation have different meanings
in different contexts. For example, the word service can refer to a callable routine in the operating
system, a device driver, or a server process. The following list describes what certain terms mean
in this book:
■ Windows API functions Documented, callable subroutines in the Windows API. Examples
include CreateProcess, CreateFile, and GetMessage.
■ Native system services (or executive system services) The undocumented, underlying
services in the operating system that are callable from user mode. For example,
NtCreateProcessEx is the internal system service the Windows CreateProcess function calls to
create a new process. (For a definition of native functions, see the section “System Service
Dispatching” in Chapter 3.)
■ Kernel support functions (or routines) Subroutines inside the Windows operating system
that can be called only from kernel mode (defined later in this chapter). For example,
ExAllocatePoolWithTag is the routine that device drivers call to allocate memory from the
Windows system heaps (called pools).
■ Windows services Processes started by the Windows service control manager. (Although
the registry defines Windows device drivers as “services,” we don’t refer to them as such in this
book.) For example, the Task Scheduler service runs in a user-mode process that supports the at
command (which is similar to the UNIX commands at or cron).
■ DLLs (dynamic-link libraries) A set of callable subroutines linked together as a binary file
that can be dynamically loaded by applications that use the subroutines. Examples include
Msvcrt.dll (the C run-time library) and Kernel32.dll (one of the Windows API subsystem
libraries). Windows user-mode components and applications use DLLs extensively. The
advantage DLLs provide over static libraries is that applications can share DLLs, and Windows
ensures that there is only one in-memory copy of a DLL’s code among the applications that are
referencing it.
1.2.3 Processes, Threads, and Jobs
Although programs and processes appear similar on the surface, they are fundamentally
different. A program is a static sequence of instructions, whereas a process is a container for a set
of resources used when executing the instance of the program. At the highest level of abstraction,
a Windows process comprises the following:
■ A private virtual address space, which is a set of virtual memory addresses that the process
can use
■ An executable program, which defines initial code and data and is mapped into the
process’s virtual address space
■ A list of open handles to various system resources, such as semaphores, communication
ports, and files, that are accessible to all threads in the process
■ A security context called an access token that identifies the user, security groups, privileges,
User Account Control (UAC) virtualization state, session, and limited user account state associated
with the process
■ A unique identifier called a process ID (internally part of an identifier called a client ID)
■ At least one thread of execution (although an “empty” process is possible, it is not useful)
Each process also points to its parent or creator process. However, if the parent exits, this
information is not updated. Therefore, it is possible for a process to point to a nonexistent parent.
This is not a problem, as nothing relies on this information being present. The following
experiment illustrates this case.
EXPERIMENT: Viewing the Process Tree
One unique attribute about a process that most tools don’t display is the parent or creator
process ID. You can retrieve this value with the Performance Monitor (or programmatically) by
querying the Creating Process ID. The Tlist.exe tool (in the Debugging
Tools for Windows) can show the process tree by using the /t switch. Here’s an example of

output from tlist /t:
C:\>tlist /t
System Process (0)
System (4)
  smss.exe (480)
csrss.exe (548)
wininit.exe (612)
  services.exe (656)
    svchost.exe (848)
    svchost.exe (880)
    svchost.exe (924)
    svchost.exe (980)
      audiodg.exe (1040)
    svchost.exe (1108)
      dwm.exe (123)
    svchost.exe (96)
      taskeng.exe (604)
      tasking.exe (1532)
    SLsvc.exe (1814)
    svchost.exe (2988)
  lsass.exe (672)
  lsm.exe (680)
csrss.exe (624)
winlogon.exe (824)
explorer.exe (724) Program Manager
  WINWORD.EXE (3512) WinInt5E_Chapter01.doc [Compatibility Mode] - Microsoft Word
  cmd.exe (3936) Command Prompt - tlist /t
    tlist.exe (1344)
The list indents each process to show its parent/child relationship. Processes whose parents
aren’t alive are left-justified (as is Explorer.exe in the preceding example) because even if a
grandparent process exists, there’s no way to find that relationship. Windows maintains only the
creator process ID, not a link back to the creator of the creator, and so forth.
To demonstrate the fact that Windows doesn’t keep track of more than just the parent process
ID, follow these steps:
1. Open a Command Prompt window.
2. Type start cmd (which starts a second command prompt).
3. Bring up Task Manager.
4. Switch to the second command prompt.
5. Type mspaint (which runs Microsoft Paint).
6. Click the intermediate (second) Command Prompt window.
7. Type exit. (Notice that Paint remains.)
8. Switch to Task Manager.
9. Click the Applications tab.
10. Right-click on the Command Prompt task, and select Go To Process.
11. Click on the Cmd.exe process highlighted in blue.
12. Right-click on this process, and select End Process Tree.
13. Click Yes in the Task Manager Warning message box.
The first Command Prompt window will disappear, but you should still see the Paint window
because it was the grandchild of the command prompt process you terminated; and because the
intermediate process (the parent of Paint) was terminated, there was no link between the parent
and the grandchild.
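The tlist /t layout described above (indent a process under its creator, left-justify any process whose creator is gone) can be rebuilt from nothing more than the per-process creator ID the kernel keeps. The following Python is an added example, not code from the book or from the Debugging Tools; it works over a constructed snapshot (the PIDs, names and creation times are made up for illustration) and goes one step beyond the text by also treating a creator ID as stale when the PID has since been handed to a process younger than the child, which is the reuse case a process-tree view has to guard against. On a real system the same fields would come from a Toolhelp snapshot plus GetProcessTimes, or from the Win32_Process WMI class.

```python
"""Rebuild a tlist /t style process tree from a snapshot of (pid, creator pid)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcInfo:
    pid: int
    ppid: int      # creator process ID: the only ancestry link Windows records
    name: str
    created: int   # creation time; a monotonic integer stands in for a timestamp


# Constructed snapshot for illustration, not captured from a real machine.
SAMPLE_SNAPSHOT: List[ProcInfo] = [
    ProcInfo(0, 0, "System Process", 0),
    ProcInfo(4, 0, "System", 1),
    ProcInfo(480, 4, "smss.exe", 2),
    ProcInfo(612, 480, "wininit.exe", 3),
    ProcInfo(656, 612, "services.exe", 4),
    ProcInfo(848, 656, "svchost.exe", 5),
    ProcInfo(724, 9999, "explorer.exe", 6),   # creator (PID 9999) has exited
    ProcInfo(3936, 724, "cmd.exe", 7),
    ProcInfo(1344, 3936, "tlist.exe", 8),
    ProcInfo(2100, 3000, "mspaint.exe", 9),   # creator (old PID 3000) has exited...
    ProcInfo(3000, 724, "notepad.exe", 10),   # ...and PID 3000 was reused since
]


def resolve_parent(proc: ProcInfo, by_pid: Dict[int, ProcInfo]) -> Optional[ProcInfo]:
    """Return the live creator of proc, or None if the stored creator ID is stale.

    Windows never updates a process's creator ID when the creator exits, so the
    stored ppid may point at nothing, at the process itself, or at an unrelated
    process that later received the recycled PID. A real parent is always older
    than its child, so the creation-time check catches the recycled case.
    """
    parent = by_pid.get(proc.ppid)
    if parent is None or parent.pid == proc.pid:
        return None
    if parent.created >= proc.created:
        return None  # PID handed out again after the true creator exited
    return parent


def build_tree(snapshot: List[ProcInfo]) -> Tuple[List[ProcInfo], Dict[int, List[ProcInfo]]]:
    """Split the snapshot into root processes and a creator -> children map."""
    by_pid = {p.pid: p for p in snapshot}
    children: Dict[int, List[ProcInfo]] = defaultdict(list)
    roots: List[ProcInfo] = []
    for proc in snapshot:
        parent = resolve_parent(proc, by_pid)
        if parent is None:
            roots.append(proc)          # left-justified, like tlist /t
        else:
            children[parent.pid].append(proc)
    return roots, children


def dangling_parents(snapshot: List[ProcInfo]) -> Set[int]:
    """PIDs whose creator link points at no live, older process."""
    by_pid = {p.pid: p for p in snapshot}
    return {p.pid for p in snapshot if resolve_parent(p, by_pid) is None}


def render_tree(snapshot: List[ProcInfo], indent: str = "  ") -> List[str]:
    """Depth-first listing, one line per process, indented under its creator."""
    roots, children = build_tree(snapshot)
    lines: List[str] = []

    def walk(proc: ProcInfo, depth: int) -> None:
        lines.append(f"{indent * depth}{proc.name} ({proc.pid})")
        for child in children[proc.pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_SNAPSHOT)))
    print("stale creator links:", sorted(dangling_parents(SAMPLE_SNAPSHOT)))
```

In the constructed snapshot, explorer.exe and mspaint.exe come out left-justified for the two reasons the text describes and extends: one creator simply exited, the other exited and its PID was reassigned to notepad.exe, which is younger than mspaint.exe and therefore cannot be its parent. Without the creation-time comparison a tree view would silently hang mspaint.exe under an unrelated process.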
A number of tools for viewing (and modifying) processes and process information are
available. The following experiments illustrate the various views of process information you can
obtain with some of these tools. These tools are included within Windows itself and within the
Debugging Tools for Windows, the Windows SDK, and from Sysinternals. Many of these tools
show overlapping subsets of the core process and thread information, sometimes identified by
different names.
Probably the most widely used tool to examine process activity is Task Manager.
(Interestingly, there is no such thing as a “task” in the Windows kernel, so Task Manager is really
a tool to manage processes.) The following experiment shows the difference between what Task
Manager lists as applications and processes.
EXPERIMENT: Viewing Process Information with Task Manager
The built-in Windows Task Manager provides a quick list of the processes running on the
system. You can start Task Manager in one of three ways: (1) press Ctrl+Shift+Esc, (2) right-click
on the taskbar and select Task Manager, or (3) press Ctrl+Alt+Delete and click the Task Manager
button. Once Task Manager has started, click the Processes tab to see the list of running processes.
Notice that processes are identified by the name of the image of which they are an instance.
Unlike some objects in Windows, processes can’t be given global names. To display additional
details, choose Select Columns from the View menu and select additional columns to be added, as
shown here:
Although what you see in the Task Manager Processes tab is clearly a list of processes, what
the Applications tab displays isn’t as obvious. The Applications tab lists the top-level visible
windows on all the desktops in the interactive window station. (By default, there are two desktop
objects—you can create more by using the Windows CreateDesktop function.) The Status column
indicates whether or not the thread that owns the window is in a Windows message wait state.
“Running” means the thread is waiting for windowing input; “Not Responding” means the thread
isn’t waiting for windowing input (for example, the thread might be running or waiting for I/O or
some Windows synchronization object).
From the Applications tab, you can match a task to the process that owns the thread that owns
the task window by right-clicking on the task name and choosing Go To Process.

Process Explorer, from Sysinternals, shows more details about processes and threads than
any other available tool, which is why you will see it used in a number of experiments throughout
the book. The following are some of the unique things that Process Explorer shows or enables:
■ Full path name for the image being executed
■ Process security token (list of groups and privileges, virtualization state, and session)
■ Highlighting to show changes in the process and thread list
■ List of services inside service-hosting processes, including display name and description
■ Processes that are part of a job and job details
■ Processes running .NET applications and .NET-specific details (such as the list of app
domains and CLR performance counters)
■ Start time for processes and threads
■ Complete list of memory-mapped files (not just DLLs)
■ Ability to suspend a process
■ Ability to kill an individual thread
■ Easy identification of which processes were consuming the most CPU time over a period
of time (The Reliability and Performance Monitor can display process CPU utilization for a given
set of processes, but it won’t automatically show processes created after the performance
monitoring session has started–only a manual trace in binary output format can do that.)
Process Explorer also provides easy access to information in one place, such as:
■ Process tree (with ability to collapse parts of the tree)
■ Open handles in a process (including unnamed handles) without prior setup (The Microsoft
tools to show open handles require the setting of a systemwide flag and a reboot before they can
be used.)
■ List of DLLs (and memory-mapped files) in a process
■ Thread activity within a process
■ User-mode thread stacks (including mapping of addresses to names using the debugging
tools’ symbol engine)
■ Kernel-mode thread stacks for system threads (including mapping of addresses to names
using the debugging tools’ symbol engine)
■ Context switch delta (a better representation of CPU activity, as explained in Chapter 5)
■ Time stamp counter (an even better representation of precise CPU activity, as explained in
Chapter 5)
■ 64-bit vs. 32-bit image type
■ Integrity level
■ Virtualization state
■ Kernel memory (paged and nonpaged pool) limits (other tools show only current size)
An introductory experiment using Process Explorer follows.
EXPERIMENT: Viewing Process Details with Process Explorer
Download the latest version of Process Explorer from Sysinternals and run it. The first time
you run it, you will receive a message that symbols are not currently configured. If properly
configured, Process Explorer can access symbol information to display the symbolic name of the
thread start function and functions on its call stack (available by double-clicking on a process and
clicking on the Threads tab). This is useful for identifying what threads are doing within a process.
To access symbols, you must have the Debugging Tools for Windows installed (described later in
this chapter). Then click on Options, choose Configure Symbols, and fill in the appropriate
symbols path. For example:

In the preceding example, the on-demand symbol server is being used to access symbols and
a copy of the symbol files is being stored on the local machine in the c:\symbols folder. For more
information on configuring use of the symbol server, see
www.microsoft.com/whdc/devtools/debugging/debugstart.mspx.
When Process Explorer starts, it shows by default the process list on the top half and the open
handles for the currently selected process on the bottom half. It also shows tooltips for four kinds
of hosting processes:
■ The running services inside a service-hosting process (Svchost.exe) if you hover your
mouse over the name
■ The running COM object tasks part of a Taskeng.exe process
■ The target of a Rundll32.exe process (used for things such as Control Panel items)
■ The COM object being hosted inside a Dllhost.exe process
Here are a few steps to walk you through some basic capabilities of Process Explorer:
1. Turn off the lower pane by deselecting View, Show Lower Pane. (The lower pane can
show open handles or mapped DLLs and memory-mapped files—these are explored in Chapters 3
and 9.)
2. Notice that processes hosting services are highlighted by default in pink. Your own
processes are highlighted in blue. (These colors can be configured.)
3. Hover your mouse pointer over the image name for processes, and notice the full path
displayed by the tooltip.
4. Click on View, Select Columns, and add the image path.
5. Sort on the process column, and notice the tree view disappears. (You can either display
tree view or sort by any of the columns shown.) Click again to sort from Z to A. Then click again,
and the display returns to tree view.
6. Deselect View, Show Processes From All Users to show only your processes.
7. Go to Options, Difference Highlight Duration, and change the value to 5 seconds. Then
launch a new process (anything), and notice the new process highlighted in green for 5 seconds.
Exit this new process, and notice the process is highlighted in red for 5 seconds before
disappearing from the display. This can be useful to see processes being created and exiting on
your system.
8. Finally, double-click on a process and explore the various tabs available from the process
properties display. (These will be referenced in various experiments throughout the book where
the information being shown is being explained.)
A thread is the entity within a process that Windows schedules for execution. Without it, the
process’s program can’t run. A thread includes the following essential components:
■ The contents of a set of CPU registers representing the state of the processor.
■ Two stacks, one for the thread to use while executing in kernel mode and one for executing
in user mode.
■ A private storage area called thread-local storage (TLS) for use by subsystems, run-time
libraries, and DLLs.
■ A unique identifier called a thread ID (also internally called a client ID—process IDs and
thread IDs are generated out of the same namespace, so they never overlap).
■ Threads sometimes have their own security context that is often used by multithreaded
server applications that impersonate the security context of the clients that they serve.
The volatile registers, stacks, and private storage area are called the thread’s context. Because
this information is different for each machine architecture that Windows runs on, this structure, by
necessity, is architecture-specific. The Windows GetThreadContext function provides access to
this architecture-specific information (called the CONTEXT block).
Fibers vs. Threads
Fibers allow an application to schedule its own “threads” of execution rather than rely on the
priority-based scheduling mechanism built into Windows. Fibers are often called “lightweight”
threads, and in terms of scheduling, they’re invisible to the kernel because they’re implemented in
user mode in Kernel32.dll. To use fibers, a call is first made to the Windows
ConvertThreadToFiber function. This function converts the thread to a running fiber. Afterward,
the newly converted fiber can create additional fibers with the CreateFiber function. (Each fiber
can have its own set of fibers.) Unlike a thread, however, a fiber doesn’t begin execution until it’s
manually selected through a call to the SwitchToFiber function. The new fiber runs until it exits or
until it calls SwitchToFiber, again selecting another fiber to run. For more information, see the
Windows SDK documentation on fiber functions.
Although threads have their own execution context, every thread within a process shares the
process’s virtual address space (in addition to the rest of the resources belonging to the process),
meaning that all the threads in a process can write to and read from each other’s memory. Threads
cannot accidentally reference the address space of another process, however, unless the other
process makes available part of its private address space as a shared memory section (called a file
mapping object in the Windows API) or unless one process has the right to open another process
to use cross-process memory functions such as ReadProcessMemory and WriteProcessMemory.
In addition to a private address space and one or more threads, each process has a security
identification and a list of open handles to objects such as files, shared memory sections, or one of
the synchronization objects such as mutexes, events, or semaphores, as illustrated in Figure 1-2.
Every process has a security context that is stored in an object called an access token. The
process access token contains the security identification and credentials for the process. By default,
threads don’t have their own access token, but they can obtain one, thus allowing individual
threads to impersonate the security context of another process—including processes running on a
remote Windows system—without affecting other threads in the process. (See Chapter 6 for more
details on process and thread security.)
The virtual address descriptors (VADs) are data structures that the memory manager uses to
keep track of the virtual addresses the process is using. These data structures are described in more
depth in Chapter 9.
Windows provides an extension to the process model called a job. A job object’s main
function is to allow groups of processes to be managed and manipulated as a unit. A job object
allows control of certain attributes and provides limits for the process or processes associated with
the job. It also records basic accounting information for all processes associated with the job and
for all processes that were associated with the job but have since terminated. In some ways, the
job object compensates for the lack of a structured process tree in Windows—yet in many ways it
is more powerful than a UNIX-style process tree.
You’ll find out much more about the internal structure of jobs, processes and threads, the
mechanics of process and thread creation, and the thread-scheduling algorithms in Chapter 5.
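As an added example (not code from the book), the following Windows PowerShell script uses the job object described above to confine a child process: the job allows a single active process and terminates everything in it when the last job handle is closed. The Win32 calls are reached through P/Invoke; the structure layouts follow the Windows SDK definitions, and the script assumes Windows 8 or later if the PowerShell host is itself already inside a job, since earlier versions do not allow nested jobs.

```powershell
# Added example (not from the book): confine a child process in a job object that
# permits one active process and kills the whole job when its last handle is closed.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class JobApi {
    [StructLayout(LayoutKind.Sequential)] public struct IO_COUNTERS {
        public ulong ReadOperationCount, WriteOperationCount, OtherOperationCount,
                     ReadTransferCount, WriteTransferCount, OtherTransferCount; }
    [StructLayout(LayoutKind.Sequential)] public struct JOBOBJECT_BASIC_LIMIT_INFORMATION {
        public long PerProcessUserTimeLimit, PerJobUserTimeLimit; public uint LimitFlags;
        public UIntPtr MinimumWorkingSetSize, MaximumWorkingSetSize; public uint ActiveProcessLimit;
        public UIntPtr Affinity; public uint PriorityClass, SchedulingClass; }
    [StructLayout(LayoutKind.Sequential)] public struct JOBOBJECT_EXTENDED_LIMIT_INFORMATION {
        public JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation; public IO_COUNTERS IoInfo;
        public UIntPtr ProcessMemoryLimit, JobMemoryLimit, PeakProcessMemoryUsed, PeakJobMemoryUsed; }
    public const uint JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 0x8, JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE = 0x2000;
    public const int JobObjectExtendedLimitInformation = 9;
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_EXTENDED_LIMIT_INFORMATION info, int cbInfo);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
if (-not ('JobApi' -as [type])) { Add-Type -TypeDefinition $src }
$job = [JobApi]::CreateJobObject([IntPtr]::Zero, $null)
if ($job -eq [IntPtr]::Zero) { throw "CreateJobObject failed" }
# PowerShell copies nested value types on access, so fill the inner struct first.
$basic = New-Object JobApi+JOBOBJECT_BASIC_LIMIT_INFORMATION
$basic.LimitFlags = [JobApi]::JOB_OBJECT_LIMIT_ACTIVE_PROCESS -bor [JobApi]::JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE
$basic.ActiveProcessLimit = 1
$info = New-Object JobApi+JOBOBJECT_EXTENDED_LIMIT_INFORMATION
$info.BasicLimitInformation = $basic
$size = [System.Runtime.InteropServices.Marshal]::SizeOf($info)
if (-not [JobApi]::SetInformationJobObject($job, [JobApi]::JobObjectExtendedLimitInformation, [ref]$info, $size)) {
    throw "SetInformationJobObject failed" }
# The child sleeps first so it is inside the job before it tries to spawn notepad;
# that second process is refused because the job allows only one active process.
$child = Start-Process powershell.exe -PassThru -ArgumentList '-NoExit','-Command','Start-Sleep 3; notepad.exe'
if (-not [JobApi]::AssignProcessToJobObject($job, $child.Handle)) { throw "AssignProcessToJobObject failed" }
Read-Host "Watch the child window, then press Enter to close the job handle"
[JobApi]::CloseHandle($job) | Out-Null   # KILL_ON_JOB_CLOSE: the child dies with the last handle
```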
To a callable routine in the operating system, a device driver, or a server process. The
following list describes what certain terms mean in this book:
■ Windows API functions Documented, callable subroutines in the Windows API. Examples
include CreateProcess, CreateFile, and GetMessage.
■ Native system services (or executive system services) The undocumented, underlying
services in the operating system that are callable from user mode. For example,
NtCreateProcessEx is the internal system service the Windows CreateProcess function calls to
create a new process. (For a definition of native functions, see the section “System Service
Dispatching” in Chapter 3.)
■ Kernel support functions (or routines) Subroutines inside the Windows operating system
that can be called only from kernel mode (defined later in this chapter). For example,
ExAllocatePoolWithTag is the routine that device drivers call to allocate memory from the
Windows system heaps (called pools).
■ Windows services Processes started by the Windows service control manager. (Although
the registry defines Windows device drivers as “services,” we don’t refer to them as such in this
book.) For example, the Task Scheduler service runs in a user-mode process that supports the at
command (which is similar to the UNIX commands at or cron).
■ DLLs (dynamic-link libraries) A set of callable subroutines linked together as a binary file
that can be dynamically loaded by applications that use the subroutines. Examples include
Msvcrt.dll (the C run-time library) and Kernel32.dll (one of the Windows API subsystem
libraries). Windows user-mode components and applications use DLLs extensively. The
advantage DLLs provide over static libraries is that applications can share DLLs, and Windows
ensures that there is only one in-memory copy of a DLL’s code among the applications that are
referencing it.
1.2.4 Virtual Memory
Windows implements a virtual memory system based on a flat (linear) address space that
provides each process with the illusion of having its own large, private address space. Virtual
memory provides a logical view of memory that might not correspond to its physical layout. At
run time, the memory manager, with assistance from hardware, translates, or maps, the virtual
addresses into physical addresses, where the data is actually stored. By controlling the protection
and mapping, the operating system can ensure that individual processes don’t bump into one
another or overwrite operating system data. Figure 1-3 illustrates three virtually contiguous pages
mapped to three discontiguous pages in physical memory.