book

Windows Internals, Fifth Edition

Name: Windows Internals, Fifth Edition
Author: David A. Solomon Mark E. Russinovich and Alex Ionescu
ISBN: 9780735625303

by David A. Solomon Mark E. Russinovich and Alex Ionescu

June 2009

Intermediate to advanced

1264 pages

55h

English

Microsoft Press

Read now

Unlock full access

Windows Internals, Fifth Edition
Dedication
Foreword
Acknowledgments
Introduction
Structure of the Book
History of the Book
Fifth Edition Changes
Hands-On Experiments
Topics Not Covered

A Warning and a Caveat
Find Additional Content Online
Support
From the AuthorsFrom Microsoft PressQuestions and Comments
1. Concepts and Tools
Windows Operating System Versions
Foundation Concepts and Terms
Windows APIServices, Functions, and RoutinesProcesses, Threads, and JobsVirtual MemoryKernel Mode vs. User ModeTerminal Services and Multiple SessionsObjects and HandlesSecurityRegistryUnicode
Digging into Windows Internals
Reliability and Performance MonitorKernel DebuggingSymbols for Kernel DebuggingDebugging Tools for WindowsLiveKd ToolWindows Software Development KitWindows Driver KitSysinternals Tools
Conclusion
2. System Architecture
Requirements and Design Goals
Operating System Model
Architecture Overview
PortabilitySymmetric MultiprocessingScalabilityDifferences Between Client and Server VersionsChecked Build
Key System Components
Environment Subsystems and Subsystem DLLsWindows SubsystemPOSIX SubsystemNtdll.dllExecutiveKernelKernel ObjectsKernel Processor Control Region and Control Block (KPCR and KPRCB)Hardware SupportHardware Abstraction LayerDevice DriversWindows Driver Model (WDM)Windows Driver FoundationSystem ProcessesIdle ProcessInterrupts and DPCsSystem Process and System ThreadsSession Manager (Smss)Winlogon, LogonUI, LSASS, and UserinitService Control Manager (SCM)
Conclusion
3. System Mechanisms
Trap Dispatching
Interrupt DispatchingHardware Interrupt Processingx86 Interrupt Controllersx64 Interrupt ControllersIA64 Interrupt ControllersSoftware Interrupt Request Levels (IRQLs)Software InterruptsException DispatchingUnhandled ExceptionsWindows Error ReportingSystem Service Dispatching32-Bit System Service Dispatching64-Bit System Service DispatchingKernel-Mode System Service DispatchingService Descriptor Tables
Object Manager
Executive ObjectsObject StructureObject Headers and BodiesType ObjectsObject MethodsObject Handles and the Process Handle TableObject SecurityObject RetentionResource AccountingObject NamesSession NamespaceObject Filtering
Synchronization
High-IRQL SynchronizationInterlocked OperationsSpinlocksQueued SpinlocksInstack Queued SpinlocksExecutive Interlocked OperationsLow-IRQL SynchronizationKernel Dispatcher ObjectsKeyed EventsFast Mutexes and Guarded MutexesExecutive ResourcesPushlocksCritical SectionsCondition VariablesSlim Reader Writer LocksRun Once Initialization
System Worker Threads
Windows Global Flags
Advanced Local Procedure Calls (ALPCs)
Kernel Event Tracing
Wow64
Wow64 Process Address Space LayoutSystem CallsException DispatchingUser CallbacksFile System RedirectionRegistry Redirection and ReflectionI/O Control Requests16-Bit Installer ApplicationsPrintingRestrictions
User-Mode Debugging
Kernel SupportNative SupportWindows Subsystem Support
Image Loader
Early Process InitializationLoaded Module DatabaseImport ParsingPost Import Process Initialization
Hypervisor (Hyper-V)
PartitionsRoot PartitionRoot Partition Operating SystemVM Service and Worker ProcessesVirtualization Service ProvidersVM Infrastructure Driver and Hypervisor API LibraryHypervisorChild PartitionsVirtualization Service ClientsEnlightenmentsHardware Emulation and SupportEmulated DevicesSynthetic DevicesVirtual ProcessorsMemory VirtualizationIntercepts
Kernel Transaction Manager
Hotpatch Support
Kernel Patch Protection
Code Integrity
Conclusion
4. Management Mechanisms
The Registry
Viewing and Changing the RegistryRegistry UsageRegistry Data TypesRegistry Logical StructureHKEY_CURRENT_USERHKEY_USERSHKEY_CLASSES_ROOTHKEY_LOCAL_MACHINEHKEY_CURRENT_CONFIGHKEY_PERFORMANCE_DATATransactional Registry (TxR)Monitoring Registry ActivityProcess Monitor InternalsProcess Monitor Troubleshooting TechniquesLogging Activity in Unprivileged Accounts or During Logon/LogoffRegistry InternalsHivesHive Size LimitsHive StructureCell MapsThe Registry Namespace and OperationStable StorageRegistry FilteringRegistry Optimizations
Services
Service ApplicationsService AccountsThe Local System AccountThe Network Service AccountThe Local Service AccountRunning Services in Alternate AccountsRunning with Least PrivilegeService IsolationInteractive Services and Session 0 IsolationThe Service Control ManagerService StartupStartup ErrorsAccepting the Boot and Last Known GoodService FailuresService ShutdownShared Service ProcessesService TagsService Control Programs
Windows Management Instrumentation
WMI ArchitectureProvidersThe Common Information Model and the Managed Object Format LanguageThe WMI NamespaceClass AssociationWMI ImplementationWMI Security
Windows Diagnostic Infrastructure
WDI InstrumentationDiagnostic Policy ServiceDiagnostic Functionality
Conclusion
5. Processes, Threads, and Jobs
Process Internals
Data StructuresKernel VariablesPerformance CountersRelevant Functions
Protected Processes
Flow of CreateProcess
Stage 1: Converting and Validating Parameters and FlagsStage 2: Opening the Image to Be ExecutedStage 3: Creating the Windows Executive Process Object (PspAllocateProcess)Stage 3A: Setting Up the EPROCESS BlockStage 3B: Creating the Initial Process Address SpaceStage 3C: Creating the Kernel Process BlockStage 3D: Concluding the Setup of the Process Address SpaceStage 3E: Setting Up the PEBStage 3F: Completing the Setup of the Executive Process Object (PspInsertProcess)Stage 4: Creating the Initial Thread and Its Stack and ContextStage 5: Performing Windows Subsystem–Specific Post-InitializationStage 6: Starting Execution of the Initial ThreadStage 7: Performing Process Initialization in the Context of the New Process
Thread Internals
Data StructuresKernel VariablesPerformance CountersRelevant FunctionsBirth of a Thread
Examining Thread Activity
Limitations on Protected Process Threads
Worker Factories (Thread Pools)
Thread Scheduling
Overview of Windows SchedulingPriority LevelsWindows Scheduling APIsRelevant ToolsReal-Time PrioritiesThread StatesDispatcher DatabaseQuantumQuantum AccountingControlling the QuantumQuantum BoostingQuantum Settings Registry ValueScheduling ScenariosVoluntary SwitchPreemptionQuantum EndTerminationContext SwitchingIdle ThreadPriority BoostsPriority Boosting after I/O CompletionBoosts After Waiting for Events and SemaphoresBoosts During Waiting on Executive ResourcesPriority Boosts for Foreground Threads After WaitsPriority Boosts After GUI Threads Wake UpPriority Boosts for CPU StarvationPriority Boosts for MultiMedia Applications and Games (MMCSS)Multiprocessor SystemsHyperthreaded and Multicore SystemsNUMA SystemsAffinityIdeal and Last ProcessorDynamic Processor Addition and ReplacementMultiprocessor Thread-Scheduling AlgorithmsChoosing a Processor for a Thread When There Are Idle ProcessorsChoosing a Processor for a Thread When There Are No Idle ProcessorsSelecting a Thread to Run on a Specific CPUCPU Rate Limits
Job Objects
Conclusion
6. Security
Security Ratings
Trusted Computer System Evaluation CriteriaThe Common Criteria
Security System Components
Protecting Objects
Access ChecksSecurity Identifiers (SIDs)Integrity LevelsTokensImpersonationRestricted TokensFiltered Admin TokenSecurity Descriptors and Access ControlACL AssignmentDetermining Access
Account Rights and Privileges
Account RightsPrivilegesSuper Privileges
Security Auditing
Logon
Winlogon InitializationUser Logon Steps
User Account Control
VirtualizationFile Vir tualizationRegistry VirtualizationElevationRunning with Administrator RightsRequesting Administrative Rights
Software Restriction Policies
Conclusion
7. I/O System
I/O System Components
The I/O ManagerTypical I/O Processing
Device Drivers
Types of Device DriversWDM DriversLayered DriversStructure of a DriverDriver Objects and Device ObjectsOpening Devices
I/O Processing
Types of I/OSynchronous and Asynchronous I/OFast I/OMapped File I/O and File CachingScatter/Gather I/OI/O Request PacketsIRP Stack LocationsIRP Buffer ManagementI/O Request to a Single-Layered DriverServicing an InterruptCompleting an I/O RequestSynchronizationI/O Requests to Layered DriversThread Agnostic I/OI/O CancellationUser-Initiated I/O CancellationI/O Cancellation for Thread TerminationI/O Completion PortsThe IoCompletion ObjectUsing Completion PortsI/O Completion Port OperationI/O PrioritizationI/O PrioritiesBandwidth Reservation (Scheduled File I/O)Driver Verifier
Kernel-Mode Driver Framework (KMDF)
Structure and Operation of a KMDF DriverKMDF Data ModelKMDF I/O Model
User-Mode Driver Framework (UMDF)
The Plug and Play (PnP) Manager
Level of Plug and Play SupportDriver Support for Plug and PlayDriver Loading, Initialization, and InstallationThe Start ValueDevice EnumerationDevnodesDevnode Driver LoadingDriver Installation
The Power Manager
Power Manager OperationDriver Power OperationDriver and Application Control of Device Power
Conclusion
8. Storage Management
Storage Terminology
Disk Drivers
WinloadDisk Class, Port, and Miniport DriversiSCSI DriversMultipath I/O (MPIO) DriversDisk Device ObjectsPartition Manager
Volume Management
Basic DisksMBR-Style PartitioningGUID Partition Table PartitioningBasic Disk Volume ManagerDynamic DisksThe LDM DatabaseLDM and GPT or MBR-Style PartitioningDynamic Disk Volume ManagerMultipartition Volume ManagementSpanned VolumesStriped VolumesMirrored VolumesRAID-5 VolumesThe Volume NamespaceThe Mount ManagerMount PointsVolume MountingVolume I/O OperationsVirtual Disk Service
BitLocker Drive Encryption
BitLocker ArchitectureEncryption KeysTrusted Platform Module (TPM)BitLocker Boot ProcessBitLocker Key RecoveryFull Volume Encryption DriverBitLocker Management
Volume Shadow Copy Service
Shadow CopiesClone Shadow CopiesCopy-on-Write Shadow CopiesVSS ArchitectureVSS OperationShadow Copy ProviderUses in WindowsBackupPrevious Versions and System RestoreShadow Copies for Shared Folders
Conclusion
9. Memory Management
Introduction to the Memory Manager
Memory Manager ComponentsInternal SynchronizationExamining Memory Usage
Services the Memory Manager Provides
Large and Small PagesReserving and Committing PagesLocking MemoryAllocation GranularityShared Memory and Mapped FilesProtecting MemoryNo Execute Page ProtectionSoftware Data Execution PreventionCopy-on-WriteAddress Windowing Extensions
Kernel-Mode Heaps (System Memory Pools)
Pool SizesMonitoring Pool UsageLook-Aside Lists
Heap Manager
Types of HeapsHeap Manager StructureHeap SynchronizationThe Low Fragmentation HeapHeap Security FeaturesHeap Debugging FeaturesPageheap
Virtual Address Space Layouts
x86 Address Space Layoutsx86 System Address Space Layoutx86 Session SpaceSystem Page Table Entries64-Bit Address Space Layouts64-Bit Virtual Addressing LimitationsDynamic System Virtual Address Space ManagementSystem Virtual Address Space Quotas
User Address Space Layout
Image RandomizationStack RandomizationHeap Randomization
Address Translation
x86 Virtual Address TranslationPage DirectoriesPage Tables and Page Table EntriesByte Within PageTranslation Look-Aside BufferPhysical Address Extension (PAE)IA64 Virtual Address Translationx64 Virtual Address Translation
Page Fault Handling
Invalid PTEsPrototype PTEsIn-Paging I/OCollided Page FaultsClustered Page FaultsPage Files
Stacks
User StacksKernel StacksDPC Stack
Virtual Address Descriptors
Process VADsRotate VADs
NUMA
Section Objects
Driver Verifier
Page Frame Number Database
Page List DynamicsPage PriorityModified Page WriterPFN Data Structures
Physical Memory Limits
Windows Client Memory Limits32-Bit Client Effective Memory Limits
Working Sets
Demand PagingLogical PrefetcherPlacement PolicyWorking Set ManagementBalance Set Manager and SwapperSystem Working SetMemory Notification Events
Proactive Memory Management (SuperFetch)
ComponentsTracing and LoggingScenariosPage Priority and RebalancingRobust PerformanceReadyBoostReadyDrive
Conclusion
10. Cache Manager
Key Features of the Cache Manager
Single, Centralized System CacheThe Memory ManagerCache CoherencyVirtual Block CachingStream-Based CachingRecoverable File System Support
Cache Virtual Memory Management
Cache Size
Cache Virtual SizeCache Working Set SizeCache Physical Size
Cache Data Structures
Systemwide Cache Data StructuresPer-File Cache Data Structures
File System Interfaces
Copying to and from the CacheCaching with the Mapping and Pinning InterfacesCaching with the Direct Memory Access Interfaces
Fast I/O
Read Ahead and Write Behind
Intelligent Read-AheadWrite-Back Caching and Lazy WritingDisabling Lazy Writing for a FileForcing the Cache to Write Through to DiskFlushing Mapped FilesWrite ThrottlingSystem Threads
Conclusion
11. File Systems
Windows File System Formats
CDFSUDFFAT12, FAT16, and FAT32exFATNTFS
File System Driver Architecture
Local FSDsRemote FSDsFile System OperationExplicit File I/OMemory Manager’s Modified and Mapped Page WriterCache Manager’s Lazy WriterCache Manager’s Read-Ahead ThreadMemory Manager’s Page Fault HandlerFile System Filter DriversProcess Monitor
Troubleshooting File System Problems
Process Monitor Basic vs. Advanced ModesProcess Monitor Troubleshooting Techniques
Common Log File System
MarshallingLog TypesLog LayoutLog Sequence NumbersLog BlocksOwner PagesTranslating Virtual LSNs to Physical LSNsManagement Policies
NTFS Design Goals and Features
High-End File System RequirementsRecoverabilitySecurityData Redundancy and Fault ToleranceAdvanced Features of NTFSMultiple Data StreamsUnicode-Based NamesGeneral Indexing FacilityDynamic Bad-Cluster RemappingHard LinksSymbolic (Soft) Links and JunctionsCompression and Sparse FilesChange LoggingPer-User Volume QuotasLink TrackingEncryptionPOSIX SupportDefragmentationDynamic Partitioning
NTFS File System Driver
NTFS On-Disk Structure
VolumesClustersMaster File TableFile Reference NumbersFile RecordsFile NamesResident and Nonresident AttributesData Compression and Sparse FilesCompressing Sparse DataCompressing Nonsparse DataSparse FilesThe Change Journal FileIndexingObject IDsQuota TrackingConsolidated SecurityReparse PointsTransaction SupportIsolationTransactional APIsResource ManagersOn-Disk ImplementationLogging ImplementationRecovery Implementation
NTFS Recovery Support
DesignMetadata LoggingLog File ServiceLog Record TypesRecoveryAnalysis PassRedo PassUndo PassNTFS Bad-Cluster RecoverySelf-Healing
Encrypting File System Security
Encrypting a File for the First TimeConstructing Key RingsEncrypting File DataEncryption Process SummaryThe Decryption ProcessDecrypted FEK CachingDecrypting File DataBacking Up Encrypted Files
Conclusion
12. Networking
Windows Networking Architecture
The OSI Reference ModelWindows Networking Components
Networking APIs
Windows SocketsWinsock Client OperationWinsock Server OperationWinsock ExtensionsExtending WinsockWinsock ImplementationWinsock Kernel (WSK)WSK ImplementationRemote Procedure CallRPC OperationRPC SecurityRPC ImplementationWeb Access APIsWinInetWinHTTPHTTPNamed Pipes and MailslotsNamed Pipe OperationMailslot OperationNamed Pipe and Mailslot ImplementationNetBIOSNetBIOS NamesNetBIOS OperationNetBIOS API ImplementationOther Networking APIsBITSPeer-to-Peer InfrastructureDCOMMessage QueuingUPnP with PnP-X
Multiple Redirector Support
Multiple Provider RouterMultiple UNC Provider
Name Resolution
Domain Name SystemWindows Internet Name ServicePeer Name Resolution ProtocolPNRP Resolution and Publication
Location and Topology
Network Location Awareness (NLA)Link-Layer Topology Discovery (LLTD)
Protocol Drivers
Windows Filtering Platform (WFP)Network Address TranslationIP FilteringInternet Protocol Security
NDIS Drivers
Variations on the NDIS MiniportConnection-Oriented NDISRemote NDISQoS
Binding
Layered Network Services
Remote AccessActive DirectoryNetwork Load BalancingDistributed File System and DFS Replication
Conclusion
13. Startup and Shutdown
Boot Process
BIOS PrebootThe BIOS Boot Sector and BootmgrThe EFI Boot ProcessInitializing the Kernel and Executive SubsystemsSmss, Csrss, and WininitReadyBootImages That Start Automatically
Troubleshooting Boot and Startup Problems
Last Known GoodSafe ModeDriver Loading in Safe ModeSafe-Mode-Aware User ProgramsBoot Logging in Safe ModeWindows Recovery Environment (WinRE)Solving Common Boot ProblemsMBR CorruptionBoot Sector CorruptionBCD MisconfigurationSystem File CorruptionSystem Hive CorruptionPost–Splash Screen Crash or Hang
Shutdown
Conclusion
14. Crash Dump Analysis
Why Does Windows Crash?
The Blue Screen
Troubleshooting Crashes
Crash Dump Files
Crash Dump Generation
Windows Error Reporting
Online Crash Analysis
Basic Crash Dump Analysis
NotmyfaultBasic Crash Dump AnalysisVerbose Analysis
Using Crash Troubleshooting Tools
Buffer Overrun, Memory Corruptions, and Special PoolCode Overwrite and System Code Write Protection
Advanced Crash Dump Analysis
Stack TrashesHung or Unresponsive SystemsWhen There Is No Crash Dump
Conclusion
Glossary
Index
About the Authors
Copyright

Content preview from Windows Internals, Fifth Edition

Code Integrity

Code integrity is a Windows mechanism that authenticates the integrity and source of executable images (such as applications, DLLs, or drivers) by validating a digital certificate contained within the image’s resources. This mechanism works in conjunction with system policies, defining how signing should be enforced. One of these policies is the Kernel Mode Code Signing (KMCS) policy, which requires that kernel-mode code be signed with a valid Authenticode certificate rooted by one of several recognized code signing authorities, such as Verisign or Thawte.

To address backward compatibility concerns, the KMCS policy is only fully enforced on 64-bit machines, as those drivers have to be recompiled recently in order to run on that Windows ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780735625303Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Windows Internals, Fifth Edition

by David A. Solomon Mark E. Russinovich and Alex Ionescu

Code Integrity

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Windows Internals, Part 2, 7th Edition

Windows System Programming, Fourth Edition

Windows Security Internals

Linux System Programming, 2nd Edition

Publisher Resources