
Windows Internals, Seventh Edition, Part 1: System architecture, processes, threads, memory management, and more

Book Description

The definitive guide–fully updated for Windows 10 and Windows Server 2016

Delve inside Windows architecture and internals, and see how core components work behind the scenes. Led by a team of internals experts, this classic guide has been fully updated for Windows 10 and Windows Server 2016.

Whether you are a developer or an IT professional, you’ll get critical, insider perspectives on how Windows operates. And through hands-on experiments, you’ll experience its internal behavior firsthand–knowledge you can apply to improve application design, debugging, system performance, and support.

This book will help you:

  • Understand the Windows system architecture and its most important entities, such as processes and threads
  • Examine how processes manage resources and how threads are scheduled for execution inside processes
  • Observe how Windows manages virtual and physical memory
  • Dig into the Windows I/O system and see how device drivers work and integrate with the rest of the system
  • Go inside the Windows security model to see how it manages access, auditing, and authorization, and learn about the new mechanisms in Windows 10 and Server 2016

Table of Contents

  1. Title Page
  2. Copyright Page
  3. Dedication Page
  4. Contents
  5. Introduction
  6. Chapter 1 Concepts and tools
    1. Windows operating system versions
      1. Windows 10 and future Windows versions
      2. Windows 10 and OneCore
    2. Foundation concepts and terms
      1. Windows API
      2. Services, functions, and routines
      3. Processes
      4. Threads
      5. Jobs
      6. Virtual memory
      7. Kernel mode vs. user mode
      8. Hypervisor
      9. Firmware
      10. Terminal Services and multiple sessions
      11. Objects and handles
      12. Security
      13. Registry
      14. Unicode
    3. Digging into Windows internals
      1. Performance Monitor and Resource Monitor
      2. Kernel debugging
      3. Windows Software Development Kit
      4. Windows Driver Kit
      5. Sysinternals tools
    4. Conclusion
  7. Chapter 2 System architecture
    1. Requirements and design goals
    2. Operating system model
    3. Architecture overview
      1. Portability
      2. Symmetric multiprocessing
      3. Scalability
      4. Differences between client and server versions
      5. Checked build
    4. Virtualization-based security architecture overview
    5. Key system components
      1. Environment subsystems and subsystem DLLs
      2. Other subsystems
      3. Executive
      4. Kernel
      5. Hardware abstraction layer
      6. Device drivers
      7. System processes
    6. Conclusion
  8. Chapter 3 Processes and jobs
    1. Creating a process
      1. CreateProcess* functions arguments
      2. Creating Windows modern processes
      3. Creating other kinds of processes
    2. Process internals
    3. Protected processes
      1. Protected Process Light (PPL)
      2. Third-party PPL support
    4. Minimal and Pico processes
      1. Minimal processes
      2. Pico processes
    5. Trustlets (secure processes)
      1. Trustlet structure
      2. Trustlet policy metadata
      3. Trustlet attributes
      4. System built-in Trustlets
      5. Trustlet identity
      6. Isolated user-mode services
      7. Trustlet-accessible system calls
    6. Flow of CreateProcess
      1. Stage 1: Converting and validating parameters and flags
      2. Stage 2: Opening the image to be executed
      3. Stage 3: Creating the Windows executive process object
      4. Stage 4: Creating the initial thread and its stack and context
      5. Stage 5: Performing Windows subsystem–specific initialization
      6. Stage 6: Starting execution of the initial thread
      7. Stage 7: Performing process initialization in the context of the new process
    7. Terminating a process
    8. Image loader
      1. Early process initialization
      2. DLL name resolution and redirection
      3. Loaded module database
      4. Import parsing
      5. Post-import process initialization
      6. SwitchBack
      7. API Sets
    9. Jobs
      1. Job limits
      2. Working with a job
      3. Nested jobs
      4. Windows containers (server silos)
    10. Conclusion
  9. Chapter 4 Threads
    1. Creating threads
    2. Thread internals
      1. Data structures
      2. Birth of a thread
    3. Examining thread activity
      1. Limitations on protected process threads
    4. Thread scheduling
      1. Overview of Windows scheduling
      2. Priority levels
      3. Thread states
      4. Dispatcher database
      5. Quantum
      6. Priority boosts
      7. Context switching
      8. Scheduling scenarios
      9. Idle threads
      10. Thread suspension
      11. (Deep) freeze
      12. Thread selection
      13. Multiprocessor systems
      14. Thread selection on multiprocessor systems
      15. Processor selection
      16. Heterogeneous scheduling (big.LITTLE)
    5. Group-based scheduling
      1. Dynamic fair share scheduling
      2. CPU rate limits
      3. Dynamic processor addition and replacement
    6. Worker factories (thread pools)
      1. Worker factory creation
    7. Conclusion
  10. Chapter 5 Memory management
    1. Introduction to the memory manager
      1. Memory manager components
      2. Large and small pages
      3. Examining memory usage
      4. Internal synchronization
    2. Services provided by the memory manager
      1. Page states and memory allocations
      2. Commit charge and commit limit
      3. Locking memory
      4. Allocation granularity
      5. Shared memory and mapped files
      6. Protecting memory
      7. Data Execution Prevention
      8. Copy-on-write
      9. Address Windowing Extensions
    3. Kernel-mode heaps (system memory pools)
      1. Pool sizes
      2. Monitoring pool usage
      3. Look-aside lists
    4. Heap manager
      1. Process heaps
      2. Heap types
      3. The NT heap
      4. Heap synchronization
      5. The low-fragmentation heap
      6. The segment heap
      7. Heap security features
      8. Heap debugging features
      9. Pageheap
      10. Fault-tolerant heap
    5. Virtual address space layouts
      1. x86 address space layouts
      2. x86 system address space layout
      3. x86 session space
      4. System page table entries
      5. ARM address space layout
      6. 64-bit address space layout
      7. x64 virtual addressing limitations
      8. Dynamic system virtual address space management
      9. System virtual address space quotas
      10. User address space layout
    6. Address translation
      1. x86 virtual address translation
      2. Translation look-aside buffer
      3. x64 virtual address translation
      4. ARM virtual address translation
    7. Page fault handling
      1. Invalid PTEs
      2. Prototype PTEs
      3. In-paging I/O
      4. Collided page faults
      5. Clustered page faults
      6. Page files
      7. Commit charge and the system commit limit
      8. Commit charge and page file size
    8. Stacks
      1. User stacks
      2. Kernel stacks
      3. DPC stack
    9. Virtual address descriptors
      1. Process VADs
      2. Rotate VADs
    10. NUMA
    11. Section objects
    12. Working sets
      1. Demand paging
      2. Logical prefetcher and ReadyBoot
      3. Placement policy
      4. Working set management
      5. Balance set manager and swapper
      6. System working sets
      7. Memory notification events
    13. Page frame number database
      1. Page list dynamics
      2. Page priority
      3. Modified page writer and mapped page writer
      4. PFN data structures
      5. Page file reservation
    14. Physical memory limits
      1. Windows client memory limits
    15. Memory compression
      1. Compression illustration
      2. Compression architecture
    16. Memory partitions
    17. Memory combining
      1. The search phase
      2. The classification phase
      3. The page combining phase
      4. From private to shared PTE
      5. Combined pages release
    18. Memory enclaves
      1. Programmatic interface
      2. Memory enclave initializations
      3. Enclave construction
      4. Loading data into an enclave
      5. Initializing an enclave
    19. Proactive memory management (SuperFetch)
      1. Components
      2. Tracing and logging
      3. Scenarios
      4. Page priority and rebalancing
      5. Robust performance
      6. ReadyBoost
      7. ReadyDrive
      8. Process reflection
    20. Conclusion
  11. Chapter 6 I/O system
    1. I/O system components
      1. The I/O manager
      2. Typical I/O processing
    2. Interrupt Request Levels and Deferred Procedure Calls
      1. Interrupt Request Levels
      2. Deferred Procedure Calls
    3. Device drivers
      1. Types of device drivers
      2. Structure of a driver
      3. Driver objects and device objects
      4. Opening devices
    4. I/O processing
      1. Types of I/O
      2. I/O request packets
      3. I/O request to a single-layered hardware-based driver
      4. I/O requests to layered drivers
      5. Thread-agnostic I/O
      6. I/O cancellation
      7. I/O completion ports
      8. I/O prioritization
      9. Container notifications
    5. Driver Verifier
      1. I/O-related verification options
      2. Memory-related verification options
    6. The Plug and Play manager
      1. Level of Plug and Play support
      2. Device enumeration
      3. Device stacks
      4. Driver support for Plug and Play
      5. Plug-and-play driver installation
    7. General driver loading and installation
      1. Driver loading
      2. Driver installation
    8. The Windows Driver Foundation
      1. Kernel-Mode Driver Framework
      2. User-Mode Driver Framework
    9. The power manager
      1. Connected Standby and Modern Standby
      2. Power manager operation
      3. Driver power operation
      4. Driver and application control of device power
      5. Power management framework
      6. Power availability requests
    10. Conclusion
  12. Chapter 7 Security
    1. Security ratings
      1. Trusted Computer System Evaluation Criteria
      2. The Common Criteria
    2. Security system components
    3. Virtualization-based security
      1. Credential Guard
      2. Device Guard
    4. Protecting objects
      1. Access checks
      2. Security identifiers
      3. Virtual service accounts
      4. Security descriptors and access control
      5. Dynamic Access Control
    5. The AuthZ API
      1. Conditional ACEs
    6. Account rights and privileges
      1. Account rights
      2. Privileges
      3. Super privileges
    7. Access tokens of processes and threads
    8. Security auditing
      1. Object access auditing
      2. Global audit policy
      3. Advanced Audit Policy settings
    9. AppContainers
      1. Overview of UWP apps
      2. The AppContainer
    10. Logon
      1. Winlogon initialization
      2. User logon steps
      3. Assured authentication
      4. Windows Biometric Framework
      5. Windows Hello
    11. User Account Control and virtualization
      1. File system and registry virtualization
      2. Elevation
    12. Exploit mitigations
      1. Process-mitigation policies
      2. Control Flow Integrity
      3. Security assertions
    13. Application Identification
    14. AppLocker
    15. Software Restriction Policies
    16. Kernel Patch Protection
    17. PatchGuard
    18. HyperGuard
    19. Conclusion
  13. Index