book

Windows® Internals, Sixth Edition, Part 2

Name: Windows® Internals, Sixth Edition, Part 2
Author: David A. Solomon Mark E. Russinovich and Alex Ionescu
ISBN: 9780735677265

by David A. Solomon Mark E. Russinovich and Alex Ionescu

September 2012

Intermediate to advanced

672 pages

25h 45m

English

Microsoft Press

Read now

Unlock full access

Windows® Internals, Sixth Edition, Part 2
Dedication
Introduction
Structure of the Book
History of the Book
Sixth Edition Changes
Hands-on Experiments
Topics Not Covered
A Warning and a Caveat
Acknowledgments

Errata & Book Support
We Want to Hear from You
Stay in Touch
8. I/O System
I/O System Components
The I/O ManagerTypical I/O Processing
Device Drivers
Types of Device DriversWDM DriversLayered DriversStructure of a DriverDriver Objects and Device ObjectsOpening Devices
I/O Processing
Types of I/OSynchronous and Asynchronous I/OFast I/OMapped File I/O and File CachingScatter/Gather I/OI/O Request PacketsIRP Stack LocationsIRP Buffer ManagementI/O Request to a Single-Layered DriverServicing an InterruptCompleting an I/O RequestSynchronizationI/O Requests to Layered DriversThread Agnostic I/OI/O CancellationUser-Initiated I/O CancellationI/O Cancellation for Thread TerminationI/O Completion PortsThe IoCompletion ObjectUsing Completion PortsI/O Completion Port OperationI/O PrioritizationI/O PrioritiesPrioritization StrategiesI/O Priority Inversion Avoidance (I/O Priority Inheritance)I/O Priority Boosts and BumpsBandwidth Reservation (Scheduled File I/O)Container NotificationsDriver Verifier
Kernel-Mode Driver Framework (KMDF)
Structure and Operation of a KMDF DriverKMDF Data ModelKMDF I/O Model
User-Mode Driver Framework (UMDF)
The Plug and Play (PnP) Manager
Level of Plug and Play SupportDriver Support for Plug and PlayDriver Loading, Initialization, and InstallationThe Start ValueDevice EnumerationDevice StacksDevice Stack Driver LoadingDriver Installation
The Power Manager
Power Manager OperationDriver Power OperationDriver and Application Control of Device PowerPower Availability RequestsProcessor Power Management (PPM)Core Parking PoliciesUtility FunctionAlgorithm OverridesIncrease/Decrease ActionsThresholds and Policy SettingsPerformance Check
Conclusion
9. Storage Management
Storage Terminology
Disk Devices
Rotating Magnetic DisksDisk Sector FormatSolid State DisksNAND-Type Flash MemoryFile Deletion and the Trim Command
Disk Drivers
WinloadDisk Class, Port, and Miniport DriversiSCSI DriversMultipath I/O (MPIO) DriversDisk Device ObjectsPartition Manager
Volume Management
Basic DisksMBR-Style PartitioningGUID Partition Table PartitioningBasic Disk Volume ManagerDynamic DisksThe LDM DatabaseLDM and GPT or MBR-Style PartitioningDynamic Disk Volume ManagerMultipartition Volume ManagementSpanned VolumesStriped VolumesMirrored VolumesRAID-5 VolumesThe Volume NamespaceThe Mount ManagerMount PointsVolume MountingVolume I/O OperationsVirtual Disk Service
Virtual Hard Disk Support
Attaching VHDsNested File Systems
BitLocker Drive Encryption
Encryption KeysTrusted Platform Module (TPM)BitLocker Boot ProcessBitLocker Key RecoveryFull-Volume Encryption DriverBitLocker ManagementBitLocker To Go
Volume Shadow Copy Service
Shadow CopiesClone Shadow CopiesCopy-on-Write Shadow CopiesVSS ArchitectureVSS OperationShadow Copy ProviderUses in WindowsBackupPrevious Versions and System Restore
Conclusion
10. Memory Management
Introduction to the Memory Manager
Memory Manager ComponentsInternal SynchronizationExamining Memory Usage
Services Provided by the Memory Manager
Large and Small PagesReserving and Committing PagesCommit LimitLocking MemoryAllocation GranularityShared Memory and Mapped FilesProtecting MemoryNo Execute Page ProtectionSoftware Data Execution PreventionCopy-on-WriteAddress Windowing Extensions
Kernel-Mode Heaps (System Memory Pools)
Pool SizesMonitoring Pool UsageLook-Aside Lists
Heap Manager
Types of HeapsHeap Manager StructureHeap SynchronizationThe Low Fragmentation HeapHeap Security FeaturesHeap Debugging FeaturesPageheapFault Tolerant Heap
Virtual Address Space Layouts
x86 Address Space Layoutsx86 System Address Space Layoutx86 Session SpaceSystem Page Table Entries64-Bit Address Space Layoutsx64 Virtual Addressing LimitationsWindows x64 16-TB LimitationDynamic System Virtual Address Space ManagementSystem Virtual Address Space QuotasUser Address Space LayoutImage RandomizationStack RandomizationHeap RandomizationASLR in Kernel Address SpaceControlling Security Mitigations
Address Translation
x86 Virtual Address TranslationPage DirectoriesPage Tables and Page Table EntriesHardware vs. Software Write Bits in Page Table EntriesByte Within PageTranslation Look-Aside BufferPhysical Address Extension (PAE)x64 Virtual Address TranslationIA64 Virtual Address Translation
Page Fault Handling
Invalid PTEsPrototype PTEsIn-Paging I/OCollided Page FaultsClustered Page FaultsPage FilesCommit Charge and the System Commit LimitCommit Charge and Page File Size
Stacks
User StacksKernel StacksDPC Stack
Virtual Address Descriptors
Process VADsRotate VADs
NUMA
Section Objects
Driver Verifier
Page Frame Number Database
Page List DynamicsPage PriorityModified Page WriterPFN Data Structures
Physical Memory Limits
Windows Client Memory Limits32-Bit Client Effective Memory Limits
Working Sets
Demand PagingLogical PrefetcherPlacement PolicyWorking Set ManagementBalance Set Manager and SwapperSystem Working SetsMemory Notification Events
Proactive Memory Management (Superfetch)
ComponentsTracing and LoggingScenariosPage Priority and RebalancingRobust PerformanceReadyBoostReadyDriveUnified CachingProcess Reflection
Conclusion
11. Cache Manager
Key Features of the Cache Manager
Single, Centralized System CacheThe Memory ManagerCache CoherencyVirtual Block CachingStream-Based CachingRecoverable File System Support
Cache Virtual Memory Management
Cache Size
Cache Virtual SizeCache Working Set SizeCache Physical Size
Cache Data Structures
Systemwide Cache Data StructuresPer-File Cache Data Structures
File System Interfaces
Copying to and from the CacheCaching with the Mapping and Pinning InterfacesCaching with the Direct Memory Access Interfaces
Fast I/O
Read-Ahead and Write-Behind
Intelligent Read-AheadWrite-Back Caching and Lazy WritingDisabling Lazy Writing for a FileForcing the Cache to Write Through to DiskFlushing Mapped FilesWrite ThrottlingSystem Threads
Conclusion
12. File Systems
Windows File System Formats
CDFSUDFFAT12, FAT16, and FAT32exFATNTFS
File System Driver Architecture
Local FSDsRemote FSDsLockingFile System OperationExplicit File I/OMemory Manager’s Modified and Mapped Page WriterCache Manager’s Lazy WriterCache Manager’s Read-Ahead ThreadMemory Manager’s Page Fault HandlerFile System Filter DriversProcess Monitor
Troubleshooting File System Problems
Process Monitor Basic vs. Advanced ModesProcess Monitor Troubleshooting Techniques
Common Log File System
MarshallingMarshallingLog TypesLog LayoutLog Sequence NumbersLog BlocksOwner PagesTranslating Virtual LSNs to Physical LSNsManagement Policies
NTFS Design Goals and Features
High-End File System RequirementsRecoverabilitySecurityData Redundancy and Fault ToleranceAdvanced Features of NTFSMultiple Data StreamsUnicode-Based NamesGeneral Indexing FacilityDynamic Bad-Cluster RemappingHard LinksSymbolic (Soft) Links and JunctionsCompression and Sparse FilesChange LoggingPer-User Volume QuotasLink TrackingEncryptionPOSIX SupportDefragmentationDynamic Partitioning
NTFS File System Driver
NTFS On-Disk Structure
VolumesClustersMaster File TableFile Record NumbersFile RecordsFile NamesResident and Nonresident AttributesData Compression and Sparse FilesCompressing Sparse DataCompressing Nonsparse DataSparse FilesThe Change Journal FileIndexingObject IDsQuota TrackingConsolidated SecurityReparse PointsTransaction SupportIsolationTransactional APIsResource ManagersOn-Disk ImplementationLogging ImplementationRecovery Implementation
NTFS Recovery Support
DesignMetadata LoggingLog File ServiceLog Record TypesRecoveryAnalysis PassRedo PassUndo PassNTFS Bad-Cluster RecoverySelf-Healing
Encrypting File System Security
Encrypting a File for the First TimeEncrypting File DataThe Decryption ProcessBacking Up Encrypted FilesCopying Encrypted Files
Conclusion
13. Startup and Shutdown
Boot Process
BIOS PrebootThe BIOS Boot Sector and BootmgrThe UEFI Boot ProcessBooting from iSCSIInitializing the Kernel and Executive SubsystemsSmss, Csrss, and WininitReadyBootImages That Start Automatically
Troubleshooting Boot and Startup Problems
Last Known GoodSafe ModeDriver Loading in Safe ModeSafe-Mode-Aware User ProgramsBoot Logging in Safe ModeWindows Recovery Environment (WinRE)Solving Common Boot ProblemsMBR CorruptionBoot Sector CorruptionBCD MisconfigurationSystem File CorruptionSystem Hive CorruptionPost–Splash Screen Crash or Hang
Shutdown
Conclusion
14. Crash Dump Analysis
Why Does Windows Crash?
The Blue Screen
Causes of Windows Crashes
Troubleshooting Crashes
Crash Dump Files
Crash Dump Generation
Windows Error Reporting
Online Crash Analysis
Basic Crash Dump Analysis
NotmyfaultBasic Crash Dump AnalysisVerbose Analysis
Using Crash Troubleshooting Tools
Buffer Overruns, Memory Corruption, and Special PoolCode Overwrite and System Code Write Protection
Advanced Crash Dump Analysis
Stack TrashesHung or Unresponsive SystemsWhen There Is No Crash Dump
Analysis of Common Stop Codes
0xD1 - DRIVER_IRQL_NOT_LESS_OR_EQUAL0x8E - KERNEL_MODE_EXCEPTION_NOT_HANDLED0x7F - UNEXPECTED_KERNEL_MODE_TRAP0xC5 - DRIVER_CORRUPTED_EXPOOLHardware Malfunctions
Conclusion
A. Contents of Windows Internals, Sixth Edition, Part 1
Index
About the Authors
Copyright

Content preview from Windows® Internals, Sixth Edition, Part 2

Encrypting File System Security

As covered in Chapter 9, BitLocker encrypts and protects volumes from offline attacks, but once a system is booted BitLocker’s job is done. The Encrypting File System (EFS) protects individual files and directories from other authenticated users on a system. When choosing how to protect your data, it is not an “either/or” choice between BitLocker and EFS; each provides protection from specific—and nonoverlapping—threats. Together BitLocker and EFS provide a “defense in depth” for the data on your system.

The paradigm used by EFS is to encrypt files and directories using symmetric encryption (a single key that is used for encrypting and decrypting the file). The symmetric encryption key is then encrypted using asymmetric ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780735677265Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Windows® Internals, Sixth Edition, Part 2

by David A. Solomon Mark E. Russinovich and Alex Ionescu

Encrypting File System Security

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.