book

Windows® Internals, Sixth Edition, Part 1

Name: Windows® Internals, Sixth Edition, Part 1
Author: David A. Solomon Mark E. Russinovich and Alex Ionescu
ISBN: 9780735671294

by David A. Solomon Mark E. Russinovich and Alex Ionescu

March 2012

Intermediate to advanced

752 pages

31h 4m

English

Microsoft Press

Read now

Unlock full access

Windows® Internals, Sixth Edition, Part 1
Dedication
Introduction
Structure of the Book
History of the Book
Sixth Edition Changes
Hands-on Experiments
Topics Not Covered
A Warning and a Caveat
Acknowledgments

Errata & Book Support
We Want to Hear from You
Stay in Touch
1. Concepts and Tools
Windows Operating System Versions
Foundation Concepts and Terms
Windows APIServices, Functions, and RoutinesProcesses, Threads, and JobsVirtual MemoryKernel Mode vs. User ModeTerminal Services and Multiple SessionsObjects and HandlesSecurityRegistryUnicode
Digging into Windows Internals
Performance MonitorKernel DebuggingSymbols for Kernel DebuggingDebugging Tools for WindowsLiveKd ToolWindows Software Development KitWindows Driver KitSysinternals Tools
Conclusion
2. System Architecture
Requirements and Design Goals
Operating System Model
Architecture Overview
PortabilitySymmetric MultiprocessingScalabilityDifferences Between Client and Server VersionsChecked Build
Key System Components
Environment Subsystems and Subsystem DLLsSubsystem StartupWindows SubsystemSubsystem for Unix-based ApplicationsNtdll.dllExecutiveKernelKernel ObjectsKernel Processor Control Region and Control Block (KPCR and KPRCB)Hardware SupportHardware Abstraction LayerDevice DriversWindows Driver Model (WDM)Windows Driver FoundationSystem ProcessesSystem Idle ProcessSystem Process and System ThreadsSession Manager (Smss)Windows Initialization Process (Wininit.exe)Service Control Manager (SCM)Local Session Manager (Lsm.exe)Winlogon, LogonUI, and Userinit
Conclusion
3. System Mechanisms
Trap Dispatching
Interrupt DispatchingHardware Interrupt Processingx86 Interrupt Controllersx64 Interrupt ControllersIA64 Interrupt ControllersSoftware Interrupt Request Levels (IRQLs)Software InterruptsDispatch or Deferred Procedure Call (DPC) InterruptsAsynchronous Procedure Call InterruptsTimer ProcessingTimer ExpirationProcessor SelectionIntelligent Timer Tick DistributionTimer CoalescingException DispatchingUnhandled ExceptionsWindows Error ReportingSystem Service DispatchingSystem Service DispatchingService Descriptor Tables
Object Manager
Executive ObjectsObject StructureObject Headers and BodiesType ObjectsObject MethodsObject Handles and the Process Handle TableReserve ObjectsObject SecurityObject RetentionResource AccountingObject NamesObject DirectoriesSymbolic LinksSession NamespaceObject Filtering
Synchronization
High-IRQL SynchronizationInterlocked OperationsSpinlocksQueued SpinlocksInstack Queued SpinlocksExecutive Interlocked OperationsLow-IRQL SynchronizationKernel Dispatcher ObjectsWaiting for Dispatcher ObjectsWhat Signals an Object?Data StructuresKeyed EventsFast Mutexes and Guarded MutexesExecutive ResourcesPushlocksCritical SectionsUser-Mode ResourcesCondition VariablesSlim Reader-Writer LocksRun Once Initialization
System Worker Threads
Windows Global Flags
Advanced Local Procedure Call
Connection ModelMessage ModelAsynchronous OperationViews, Regions, and SectionsAttributesBlobs, Handles, and ResourcesSecurityPerformanceDebugging and Tracing
Kernel Event Tracing
Wow64
Wow64 Process Address Space LayoutSystem CallsException DispatchingUser APC DispatchingConsole SupportUser CallbacksFile System RedirectionRegistry RedirectionI/O Control Requests16-Bit Installer ApplicationsPrintingRestrictions
User-Mode Debugging
Kernel SupportNative SupportWindows Subsystem Support
Image Loader
Early Process InitializationDLL Name Resolution and RedirectionDLL Name RedirectionLoaded Module DatabaseImport ParsingPost-Import Process InitializationSwitchBackAPI Sets
Hypervisor (Hyper-V)
PartitionsParent PartitionParent Partition Operating SystemVirtual Machine Manager Service and Worker ProcessesVirtualization Service ProvidersVM Infrastructure Driver and Hypervisor API LibraryHypervisorChild PartitionsVirtualization Service ClientsEnlightenmentsHardware Emulation and SupportEmulated DevicesSynthetic DevicesVirtual ProcessorsMemory VirtualizationInterceptsLive Migration
Kernel Transaction Manager
Hotpatch Support
Kernel Patch Protection
Code Integrity
Conclusion
4. Management Mechanisms
The Registry
Viewing and Changing the RegistryRegistry UsageRegistry Data TypesRegistry Logical StructureHKEY_CURRENT_USERHKEY_USERSHKEY_CLASSES_ROOTHKEY_LOCAL_MACHINEHKEY_CURRENT_CONFIGHKEY_PERFORMANCE_DATATransactional Registry (TxR)Monitoring Registry ActivityProcess Monitor InternalsProcess Monitor Troubleshooting TechniquesLogging Activity in Unprivileged Accounts or During Logon/LogoffRegistry InternalsHivesHive Size LimitsRegistry Symbolic LinksHive StructureCell MapsThe Registry Namespace and OperationStable StorageRegistry FilteringRegistry Optimizations
Services
Service ApplicationsService AccountsThe Local System AccountThe Network Service AccountThe Local Service AccountRunning Services in Alternate AccountsRunning with Least PrivilegeService IsolationInteractive Services and Session 0 IsolationThe Service Control ManagerService StartupStartup ErrorsAccepting the Boot and Last Known GoodService FailuresService ShutdownShared Service ProcessesService Tags
Unified Background Process Manager
InitializationUBPM APIProvider RegistrationConsumer RegistrationTask HostService Control Programs
Windows Management Instrumentation
WMI ArchitectureProvidersThe Common Information Model and the Managed Object Format LanguageThe WMI NamespaceClass AssociationWMI ImplementationWMI Security
Windows Diagnostic Infrastructure
WDI InstrumentationDiagnostic Policy ServiceDiagnostic Functionality
Conclusion
5. Processes, Threads, and Jobs
Process Internals
Data Structures
Protected Processes
Flow of CreateProcess
Stage 1: Converting and Validating Parameters and FlagsStage 2: Opening the Image to Be ExecutedStage 3: Creating the Windows Executive Process Object (PspAllocateProcess)Stage 3A: Setting Up the EPROCESS ObjectStage 3B: Creating the Initial Process Address SpaceStage 3C: Creating the Kernel Process StructureStage 3D: Concluding the Setup of the Process Address SpaceStage 3E: Setting Up the PEBStage 3F: Completing the Setup of the Executive Process Object (PspInsertProcess)Stage 4: Creating the Initial Thread and Its Stack and ContextStage 5: Performing Windows Subsystem–Specific Post-InitializationStage 6: Starting Execution of the Initial ThreadStage 7: Performing Process Initialization in the Context of the New Process
Thread Internals
Data StructuresBirth of a Thread
Examining Thread Activity
Limitations on Protected Process Threads
Worker Factories (Thread Pools)
Thread Scheduling
Overview of Windows SchedulingPriority LevelsReal-Time PrioritiesInterrupt Levels vs. Priority LevelsUsing Tools to Interact with PriorityThread StatesDispatcher DatabaseQuantumQuantum AccountingControlling the QuantumVariable QuantumsQuantum Settings Registry ValuePriority BoostsBoosts Due to Scheduler/Dispatcher EventsUnwait BoostsLock Ownership BoostsPriority Boosting After I/O CompletionBoosts During Waiting on Executive ResourcesPriority Boosts for Foreground Threads After WaitsPriority Boosts After GUI Threads Wake UpPriority Boosts for CPU StarvationApplying BoostsRemoving BoostsPriority Boosts for Multimedia Applications and GamesContext SwitchingScheduling ScenariosVoluntary SwitchPreemptionQuantum EndTerminationIdle ThreadsThread SelectionIdle SchedulerMultiprocessor SystemsPackage Sets and SMT SetsNUMA SystemsProcessor Group AssignmentLogical Processors per GroupLogical Processor StateScheduler ScalabilityAffinityExtended Affinity MaskSystem Affinity MaskIdeal and Last ProcessorIdeal NodeThread Selection on Multiprocessor SystemsProcessor SelectionChoosing a Processor for a Thread When There Are Idle ProcessorsChoosing a Processor for a Thread When There Are No Idle Processors
Processor Share-Based Scheduling
Dynamic Fair Share SchedulingDFSS InitializationPer-Session CPU Quota BlocksCharging of Cycles to Throttled ThreadsCPU Throttling and Quota EnforcementResuming ExecutionDFSS Idle-Only Queue SchedulingSession Weight ConfigurationCPU Rate Limits
Dynamic Processor Addition and Replacement
Job Objects
Job LimitsJob Sets
Conclusion
6. Security
Security Ratings
Trusted Computer System Evaluation CriteriaThe Common Criteria
Security System Components
Protecting Objects
Access ChecksSecurity IdentifiersIntegrity LevelsTokensImpersonationRestricted TokensFiltered Admin TokenVirtual Service AccountsSecurity Descriptors and Access ControlACL AssignmentDetermining Access
The AuthZ API
Conditional ACEs
Account Rights and Privileges
Account RightsPrivilegesSuper Privileges
Access Tokens of Processes and Threads
Security Auditing
Object Access AuditingGlobal Audit PolicyAdvanced Audit Policy Settings
Logon
Winlogon InitializationUser Logon StepsAssured AuthenticationBiometric Framework for User Authentication
User Account Control and Virtualization
File System and Registry VirtualizationFile VirtualizationRegistry VirtualizationElevationRunning with Administrator RightsRequesting Administrative RightsAuto-ElevationControlling UAC Behavior
Application Identification (AppID)
AppLocker
Software Restriction Policies
Conclusion
7. Networking
Windows Networking Architecture
The OSI Reference ModelWindows Networking Components
Networking APIs
Windows SocketsWinsock Client OperationWinsock Server OperationWinsock ExtensionsExtending WinsockWinsock ImplementationWinsock KernelWSK ImplementationRemote Procedure CallRPC OperationRPC SecurityRPC ImplementationWeb Access APIsWinInetHTTPNamed Pipes and MailslotsNamed-Pipe OperationMailslot OperationNamed Pipe and Mailslot ImplementationNetBIOSNetBIOS NamesNetBIOS OperationNetBIOS API ImplementationOther Networking APIsBackground Intelligent Transfer ServicePeer-to-Peer InfrastructureDCOMMessage QueuingUPnP with PnP-X
Multiple Redirector Support
Multiple Provider RouterMultiple UNC ProviderSurrogate ProvidersRedirectorMini-RedirectorsServer Message Block and Sub-Redirectors
Distributed File System Namespace
Distributed File System Replication
Offline Files
Caching ModesOnlineOffline (Slow Connection)Offline (Working Offline)Offline (Not Connected)Offline (Need to Sync)GhostsData SecurityCache Structure
BranchCache
Caching ModesConfigurationBranchCache Optimized Application Retrieval: SMB SequenceBranchCache Optimized Application Retrieval: HTTP Sequence
Name Resolution
Domain Name SystemPeer Name Resolution ProtocolPNRP Resolution and Publication
Location and Topology
Network Location AwarenessNetwork Connectivity Status IndicatorPassive PollNetwork Change MonitoringRegistry Change MonitoringActive ProbeLink-Layer Topology Discovery
Protocol Drivers
Windows Filtering PlatformNetwork Address TranslationIP FilteringInternet Protocol Security
NDIS Drivers
Variations on the NDIS MiniportConnection-Oriented NDISRemote NDISQoS
Binding
Layered Network Services
Remote AccessActive DirectoryNetwork Load BalancingNetwork Access ProtectionDirect Access
Conclusion
A. About the Authors
B. More Resources for Developers
Microsoft Press® books
Visual StudioWeb Development.Net FrameworkData Access/DatabaseOther Topics
C. Find the Right Resource for You
Index
About the Authors
Copyright

Content preview from Windows® Internals, Sixth Edition, Part 1

Kernel Event Tracing

Various components of the Windows kernel and several core device drivers are instrumented to record trace data of their operations for use in system troubleshooting. They rely on a common infrastructure in the kernel that provides trace data to the user-mode Event Tracing for Windows (ETW) facility. An application that uses ETW falls into one or more of three categories:

Controller. A controller starts and stops logging sessions and manages buffer pools. Example controllers include Reliability and Performance Monitor (see the EXPERIMENT: Tracing TCP/IP Activity with the Kernel Logger section, later in this section) and XPerf from the Windows Performance Toolkit (see the EXPERIMENT: Monitoring Interrupt and DPC Activity section, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780735671294Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Windows® Internals, Sixth Edition, Part 1

by David A. Solomon Mark E. Russinovich and Alex Ionescu

Kernel Event Tracing

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.