book

Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition

by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, David A. Solomon

May 2017

Intermediate to advanced

800 pages

29h 10m

English

Microsoft Press

Read now

Unlock full access

Title Page
Copyright Page
Dedication Page
Contents
Introduction
Chapter 1 Concepts and tools
Windows operating system versionsWindows 10 and future Windows versionsWindows 10 and OneCoreFoundation concepts and termsWindows APIServices, functions, and routinesProcessesThreadsJobsVirtual memoryKernel mode vs. user modeHypervisorFirmwareTerminal Services and multiple sessionsObjects and handlesSecurityRegistryUnicodeDigging into Windows internalsPerformance Monitor and Resource MonitorKernel debuggingWindows Software Development KitWindows Driver KitSysinternals toolsConclusion
Chapter 2 System architecture
Requirements and design goalsOperating system modelArchitecture overviewPortabilitySymmetric multiprocessingScalabilityDifferences between client and server versionsChecked buildVirtualization-based security architecture overviewKey system componentsEnvironment subsystems and subsystem DLLsOther subsystemsExecutiveKernelHardware abstraction layerDevice driversSystem processesConclusion
Chapter 3 Processes and jobs
Creating a processCreateProcess* functions argumentsCreating Windows modern processesCreating other kinds of processesProcess internalsProtected processesProtected Process Light (PPL)Third-party PPL supportMinimal and Pico processesMinimal processesPico processesTrustlets (secure processes)Trustlet structureTrustlet policy metadataTrustlet attributesSystem built-in TrustletsTrustlet identityIsolated user-mode servicesTrustlet-accessible system callsFlow of CreateProcessStage 1: Converting and validating parameters and flagsStage 2: Opening the image to be executedStage 3: Creating the Windows executive process objectStage 4: Creating the initial thread and its stack and contextStage 5: Performing Windows subsystem–specific initialization
Stage 6: Starting execution of the initial thread
Stage 7: Performing process initialization in the context of the new processTerminating a processImage loaderEarly process initializationDLL name resolution and redirectionLoaded module databaseImport parsingPost-import process initializationSwitchBackAPI SetsJobsJob limitsWorking with a jobNested jobsWindows containers (server silos)Conclusion
Chapter 4 Threads
Creating threadsThread internalsData structuresBirth of a threadExamining thread activityLimitations on protected process threadsThread schedulingOverview of Windows schedulingPriority levelsThread statesDispatcher databaseQuantumPriority boosts

Context switching
Scheduling scenariosIdle threadsThread suspension(Deep) freezeThread selectionMultiprocessor systemsThread selection on multiprocessor systemsProcessor selectionHeterogeneous scheduling (big.LITTLE)Group-based schedulingDynamic fair share schedulingCPU rate limitsDynamic processor addition and replacementWorker factories (thread pools)Worker factory creationConclusion
Chapter 5 Memory management
Introduction to the memory managerMemory manager componentsLarge and small pagesExamining memory usageInternal synchronizationServices provided by the memory managerPage states and memory allocationsCommit charge and commit limitLocking memoryAllocation granularityShared memory and mapped filesProtecting memoryData Execution PreventionCopy-on-writeAddress Windowing ExtensionsKernel-mode heaps (system memory pools)Pool sizesMonitoring pool usageLook-aside listsHeap managerProcess heapsHeap typesThe NT heapHeap synchronizationThe low-fragmentation heapThe segment heapHeap security featuresHeap debugging featuresPageheapFault-tolerant heapVirtual address space layoutsx86 address space layoutsx86 system address space layoutx86 session spaceSystem page table entriesARM address space layout64-bit address space layoutx64 virtual addressing limitations
Dynamic system virtual address space management
System virtual address space quotasUser address space layoutAddress translationx86 virtual address translationTranslation look-aside bufferx64 virtual address translationARM virtual address translationPage fault handlingInvalid PTEsPrototype PTEsIn-paging I/OCollided page faultsClustered page faultsPage filesCommit charge and the system commit limitCommit charge and page file sizeStacksUser stacksKernel stacksDPC stackVirtual address descriptorsProcess VADsRotate VADsNUMASection objectsWorking setsDemand pagingLogical prefetcher and ReadyBootPlacement policy
Working set management
Balance set manager and swapperSystem working setsMemory notification eventsPage frame number databasePage list dynamicsPage priorityModified page writer and mapped page writerPFN data structuresPage file reservationPhysical memory limitsWindows client memory limitsMemory compressionCompression illustrationCompression architectureMemory partitionsMemory combiningThe search phaseThe classification phaseThe page combining phaseFrom private to shared PTECombined pages releaseMemory enclavesProgrammatic interfaceMemory enclave initializationsEnclave constructionLoading data into an enclaveInitializing an enclaveProactive memory management (SuperFetch)ComponentsTracing and loggingScenariosPage priority and rebalancingRobust performanceReadyBoostReadyDriveProcess reflectionConclusion
Chapter 6 I/O system
I/O system componentsThe I/O managerTypical I/O processingInterrupt Request Levels and Deferred Procedure CallsInterrupt Request LevelsDeferred Procedure CallsDevice driversTypes of device driversStructure of a driverDriver objects and device objectsOpening devicesI/O processingTypes of I/OI/O request packetsI/O request to a single-layered hardware-based driverI/O requests to layered driversThread-agnostic I/OI/O cancellation
I/O completion ports
I/O prioritizationContainer notificationsDriver VerifierI/O-related verification optionsMemory-related verification optionsThe Plug and Play managerLevel of Plug and Play supportDevice enumerationDevice stacksDriver support for Plug and PlayPlug-and-play driver installationGeneral driver loading and installationDriver loadingDriver installationThe Windows Driver FoundationKernel-Mode Driver FrameworkUser-Mode Driver FrameworkThe power managerConnected Standby and Modern StandbyPower manager operationDriver power operationDriver and application control of device powerPower management frameworkPower availability requestsConclusion
Chapter 7 Security
Security ratingsTrusted Computer System Evaluation CriteriaThe Common CriteriaSecurity system componentsVirtualization-based securityCredential GuardDevice GuardProtecting objectsAccess checksSecurity identifiersVirtual service accountsSecurity descriptors and access controlDynamic Access ControlThe AuthZ APIConditional ACEsAccount rights and privilegesAccount rightsPrivilegesSuper privilegesAccess tokens of processes and threadsSecurity auditingObject access auditingGlobal audit policyAdvanced Audit Policy settingsAppContainersOverview of UWP apps
The AppContainer
LogonWinlogon initializationUser logon stepsAssured authenticationWindows Biometric FrameworkWindows HelloUser Account Control and virtualizationFile system and registry virtualizationElevationExploit mitigationsProcess-mitigation policiesControl Flow IntegritySecurity assertionsApplication IdentificationAppLockerSoftware Restriction PoliciesKernel Patch ProtectionPatchGuardHyperGuardConclusion
Index

Content preview from Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition

The AppContainer

We’ve seen the steps required to create processes back in Chapter 3; we’ve also seen some of the extra steps required to create UWP processes. The initiation of creation is performed by the DCOMLaunch service, because UWP packages support a set of protocols, one of which is the Launch protocol. The resulting process gets to run inside an AppContainer. Here are several characteristics of packaged processes running inside an AppContainer:

The process token integrity level is set to Low, which automatically restricts access to many objects and limits access to certain APIs or functionality for the process, as discussed earlier ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Understanding the Linux Kernel, 3rd Edition

Publisher Resources

ISBN: 9780133986471Purchase Link

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills