Microsoft® Windows® Internals: Microsoft Windows Server™ 2003, Windows XP, and Windows 2000, 4th Edition

Book Description

The premier guide to the Windows kernel now covers Windows Server 2003, Windows XP, and Windows 2000, including 64-bit extensions. Get the architectural perspectives and insider insights needed to unlock the power of Windows.

Table of Contents

  1. Microsoft® Windows® Internals, Fourth Edition: Microsoft Windows Server™ 2003, Windows XP, and Windows 2000
  2. Historical Perspective
  3. Foreword
  4. Acknowledgments
  5. Introduction
    1. Structure of the Book
    2. History of the Book
    3. Fourth Edition Changes
    4. Hands-On Experiments
    5. Topics Not Covered
    6. A Warning and Caveat
    7. Support
      1. From the Authors
      2. From Microsoft Press
  6. About the Authors
    1. David Solomon
    2. Mark Russinovich
  7. 1. Concepts and Tools
    1. Windows Operating System Versions
    2. Foundation Concepts and Terms
      1. Windows API
      2. Services, Functions, and Routines
      3. Processes, Threads, and Jobs
      4. Virtual Memory
      5. Kernel Mode vs. User Mode
      6. Terminal Services and Multiple Sessions
      7. Objects and Handles
      8. Security
      9. Registry
      10. Unicode
    3. Digging into Windows Internals
      1. Performance Tool
      2. Windows Support Tools
      3. Windows Resource Kits
      4. Kernel Debugging
        1. Symbols for Kernel Debugging
        2. Windows Debugging Tools
        3. LiveKd Tool
        4. SoftICE
      5. Platform Software Development Kit (SDK)
      6. Device Driver Kit (DDK)
      7. Sysinternals Tools
    4. Conclusion
  8. 2. System Architecture
    1. Requirements and Design Goals
    2. Operating System Model
    3. Architecture Overview
      1. Portability
      2. Symmetric Multiprocessing
      3. Scalability
      4. Differences Between Client and Server Versions
      5. Checked Build
    4. Key System Components
      1. Environment Subsystems and Subsystem DLLs
        1. Windows Subsystem
        2. POSIX Subsystem
        3. OS/2 Subsystem
      2. Ntdll.dll
      3. Executive
      4. Kernel
        1. Kernel Objects
        2. Hardware Support
      5. Hardware Abstraction Layer
      6. Device Drivers
        1. Windows Driver Model (WDM)
      7. System Processes
        1. Idle Process
        2. Interrupts and DPCs
        3. System Process and System Threads
        4. Session Manager (Smss)
        5. Winlogon, LSASS and Userinit
        6. Service Control Manager (SCM)
    5. Conclusion
  9. 3. System Mechanisms
    1. Trap Dispatching
      1. Interrupt Dispatching
        1. Hardware Interrupt Processing
        2. x86 Interrupt Controllers
        3. x64 Interrupt Controllers
        4. IA64 Interrupt Controllers
        5. Software Interrupt Request Levels (IRQLs)
        6. Software Interrupts
      2. Exception Dispatching
        1. Unhandled Exceptions
        2. Windows Error Reporting
      3. System Service Dispatching
        1. 32-Bit System Service Dispatching
        2. 64-Bit System Service Dispatching
        3. Kernel-Mode System Service Dispatching
        4. Service Descriptor Tables
    2. Object Manager
      1. Executive Objects
      2. Object Structure
        1. Object Headers and Bodies
        2. Type Objects
        3. Object Methods
        4. Object Handles and the Process Handle Table
        5. Object Security
        6. Object Retention
        7. Resource Accounting
        8. Object Names
        9. Session Namespace
    3. Synchronization
      1. High-IRQL Synchronization
        1. Interlocked Operations
        2. Spinlocks
        3. Queued Spinlocks
        4. Instack Queued Spinlocks
        5. Executive Interlocked Operations
      2. Low-IRQL Synchronization
        1. Kernel Dispatcher Objects
        2. Fast Mutexes and Guarded Mutexes
        3. Executive Resources
        4. Push Locks
    4. System Worker Threads
    5. Windows Global Flags
    6. Local Procedure Calls (LPCs)
    7. Kernel Event Tracing
    8. Wow64
      1. Wow64 Process Address Space Layout
      2. System Calls
      3. Exception Dispatching
      4. User Callbacks
      5. File System Redirection
      6. Registry Redirection and Reflection
      7. I/O Control Requests
      8. 16-bit Installer Applications
      9. Printing
      10. Restrictions
    9. Conclusion
  10. 4. Management Mechanisms
    1. The Registry
      1. Viewing and Changing the Registry
      2. Registry Usage
      3. Registry Data Types
      4. Registry Logical Structure
        1. HKEY_CURRENT_USER
        2. HKEY_USERS
        3. HKEY_CLASSES_ROOT
        4. HKEY_LOCAL_MACHINE
        5. HKEY_CURRENT_CONFIG
        6. HKEY_PERFORMANCE_DATA
      5. Troubleshooting Registry Problems
        1. Regmon Internals
        2. Regmon Troubleshooting Techniques
        3. Logging Activity in Unprivileged Accounts or During Logon/Logoff
      6. Registry Internals
        1. Hives
        2. Hive Size Limits
        3. Hive Structure
        4. Cell Maps
        5. The Registry Namespace and Operation
        6. Stable Storage
        7. Registry Optimizations
    2. Services
      1. Service Applications
      2. Service Accounts
        1. The Local System Account
        2. The Network Service Account
        3. The Local Service Account
        4. Running Services in Alternate Accounts
        5. Interactive Services
      3. The Service Control Manager
      4. Service Startup
      5. Startup Errors
      6. Accepting the Boot and Last Known Good
      7. Service Failures
      8. Service Shutdown
      9. Shared Service Processes
      10. Service Control Programs
    3. Windows Management Instrumentation
      1. WMI Architecture
      2. Providers
      3. The Common Information Model and the Managed Object Format Language
      4. The WMI Namespace
      5. Class Association
      6. WMI Implementation
      7. WMI Security
    4. Conclusion
  11. 5. Startup and Shutdown
    1. Boot Process
      1. x86 and x64 Preboot
      2. The x86/x64 Boot Sector and Ntldr
      3. The IA64 Boot Process
      4. Initializing the Kernel and Executive Subsystems
      5. Smss, Csrss, and Winlogon
      6. Images that Start Automatically
    2. Troubleshooting Boot and Startup Problems
      1. Last Known Good
      2. Safe Mode
        1. Driver Loading in Safe Mode
        2. Safe-Mode-Aware User Programs
        3. Boot Logging in Safe Mode
      3. Recovery Console
      4. Solving Common Boot Problems
        1. MBR Corruption
        2. Boot Sector Corruption
        3. Boot.ini Misconfiguration
        4. System File Corruption
        5. System Hive Corruption
        6. Post–Splash Screen Crash or Hang
    3. Shutdown
    4. Conclusion
  12. 6. Processes, Threads, and Jobs
    1. Process Internals
      1. Data Structures
      2. Kernel Variables
      3. Performance Counters
      4. Relevant Functions
    2. Flow of CreateProcess
      1. Stage 1: Opening the Image to Be Executed
      2. Stage 2: Creating the Windows Executive Process Object
        1. Stage 2A: Setting Up the EPROCESS Block
        2. Stage 2B: Creating the Initial Process Address Space
        3. Stage 2C: Creating the Kernel Process Block
        4. Stage 2D: Concluding the Setup of the Process Address Space
        5. Stage 2E: Setting Up the PEB
        6. Stage 2F: Completing the Setup of the Executive Process Object
      3. Stage 3: Creating the Initial Thread and Its Stack and Context
      4. Stage 4: Notifying the Windows Subsystem about the New Process
      5. Stage 5: Starting Execution of the Initial Thread
      6. Stage 6: Performing Process Initialization in the Context of the New Process
    3. Thread Internals
      1. Data Structures
      2. Kernel Variables
      3. Performance Counters
      4. Relevant Functions
      5. Birth of a Thread
    4. Examining Thread Activity
    5. Thread Scheduling
      1. Overview of Windows Scheduling
      2. Priority Levels
      3. Windows Scheduling APIs
      4. Relevant Tools
      5. Real-Time Priorities
      6. Thread States
      7. Dispatcher Database
      8. Quantum
        1. Quantum Accounting
        2. Controlling the Quantum
        3. Quantum Boosting
        4. Quantum Settings Registry Value
      9. Scheduling Scenarios
        1. Voluntary Switch
        2. Preemption
        3. Quantum End
        4. Termination
      10. Context Switching
      11. Idle Thread
      12. Priority Boosts
        1. Priority Boosting after I/O Completion
        2. Boosts after Waiting for Events and Semaphores
        3. Priority Boosts for Foreground Threads after Waits
        4. Priority Boosts after GUI Threads Wake Up
        5. Priority Boosts for CPU Starvation
      13. Multiprocessor Systems
        1. Multiprocessor Dispatcher Database
        2. Hyperthreaded Systems
        3. NUMA Systems
        4. Affinity
        5. Ideal and Last Processor
      14. Multiprocessor Thread-Scheduling Algorithms
        1. Choosing a Processor for a Thread When There Are Idle Processors
        2. Choosing a Processor for a Thread When There Are No Idle Processors
        3. Selecting a Thread to Run on a Specific CPU (Windows 2000 and Windows XP)
        4. Selecting a Thread to Run on a Specific CPU (Windows Server 2003)
    6. Job Objects
    7. Conclusion
  13. 7. Memory Management
    1. Introduction to the Memory Manager
      1. Memory Manager Components
      2. Internal Synchronization
      3. Configuring the Memory Manager
      4. Examining Memory Usage
    2. Services the Memory Manager Provides
      1. Large and Small Pages
      2. Reserving and Committing Pages
      3. Locking Memory
      4. Allocation Granularity
      5. Shared Memory and Mapped Files
      6. Protecting Memory
      7. No Execute Page Protection
      8. Copy-on-Write
      9. Heap Manager
        1. Types of Heaps
        2. Heap Manager Structure
        3. Heap Synchronization
        4. Look-Aside Lists
        5. The Low Fragmentation Heap
        6. Heap Debugging Features
        7. Pageheap
      10. Address Windowing Extensions
    3. System Memory Pools
      1. Configuring Pool Sizes
      2. Monitoring Pool Usage
      3. Look-Aside Lists
      4. Driver Verifier
        1. Driver Verifier Configuration and Initialization
    4. Virtual Address Space Layouts
      1. x86 User Address Space Layouts
      2. x86 System Address Space Layout
      3. x86 Session Space
      4. System Page Table Entries
      5. 64-Bit Address Space Layouts
    5. Address Translation
      1. x86 Virtual Address Translation
        1. Page Directories
        2. Page Tables and Page Table Entries
        3. Byte Within Page
      2. Translation Look-Aside Buffer
      3. Physical Address Extension (PAE)
      4. IA-64 Virtual Address Translation
      5. x64 Virtual Address Translation
    6. Page Fault Handling
      1. Invalid PTEs
      2. Prototype PTEs
      3. In-Paging I/O
      4. Collided Page Faults
      5. Page Files
    7. Virtual Address Descriptors
    8. Section Objects
    9. Working Sets
      1. Demand Paging
    10. Logical Prefetcher
      1. Placement Policy
      2. Working Set Management
      3. Balance Set Manager and Swapper
      4. System Working Set
    11. Page Frame Number Database
      1. Page List Dynamics
      2. Modified Page Writer
      3. PFN Data Structures
      4. Low and High Memory Notification
    12. Conclusion
  14. 8. Security
    1. Security Ratings
    2. Trusted Computer System Evaluation Criteria
    3. The Common Criteria
    4. Security System Components
    5. Protecting Objects
      1. Access Checks
        1. Security Identifiers (SIDs)
        2. Tokens
        3. Impersonation
        4. Restricted Tokens
      2. Security Descriptors and Access Control
        1. ACL Assignment
        2. Determining Access
    6. Account Rights and Privileges
      1. Account Rights
      2. Privileges
      3. Super Privileges
    7. Security Auditing
    8. Logon
      1. Winlogon Initialization
      2. User Logon Steps
    9. Software Restriction Policies
    10. Conclusion
  15. 9. I/O System
    1. I/O System Components
      1. The I/O Manager
      2. Typical I/O Processing
    2. Device Drivers
      1. Types of Device Drivers
        1. WDM Drivers
        2. Layered Drivers
      2. Structure of a Driver
      3. Driver Objects and Device Objects
      4. Opening Devices
    3. I/O Processing
      1. Types of I/O
      2. Synchronous I/O and Asynchronous I/O
        1. Fast I/O
        2. Mapped File I/O and File Caching
        3. Scatter/Gather I/O
      3. I/O Request Packets
        1. IRP Stack Locations
        2. IRP Buffer Management
      4. I/O Request to a Single-Layered Driver
        1. Servicing an Interrupt
        2. Completing an I/O Request
        3. Synchronization
      5. I/O Requests to Layered Drivers
      6. I/O Completion Ports
        1. The IoCompletion Object
        2. Using Completion Ports
        3. I/O Completion Port Operation
      7. Driver Verifier
    4. The Plug and Play (PnP) Manager
      1. Level of Plug and Play Support
      2. Driver Support for Plug and Play
      3. Driver Loading, Initialization, and Installation
        1. The Start Value
        2. Device Enumeration
        3. Devnodes
        4. Devnode Driver Loading
      4. Driver Installation
    5. The Power Manager
      1. Power Manager Operation
      2. Driver Power Operation
      3. Driver Control of Device Power
    6. Conclusion
  16. 10. Storage Management
    1. Storage Terminology
    2. Disk Drivers
      1. Ntldr
      2. Disk Class, Port, and Miniport Drivers
        1. iSCSI Drivers
        2. Multipath I/O (MPIO) Drivers
      3. Disk Device Objects
      4. Partition Manager
    3. Volume Management
      1. Basic Disks
        1. MBR-Style Partitioning
        2. GUID Partition Table Partitioning
        3. Basic Disk Volume Manager
      2. Dynamic Disks
        1. The LDM Database
        2. LDM and GPT or MBR-Style Partitioning
        3. Dynamic Disk Volume Manager
      3. Multipartition Volume Management
        1. Spanned Volumes
        2. Striped Volumes
        3. Mirrored Volumes
        4. RAID-5 Volumes
      4. The Volume Namespace
        1. The Mount Manager
        2. Mount Points
        3. Volume Mounting
      5. Volume I/O Operations
      6. Virtual Disk Service
      7. Volume Shadow Copy Service
    4. Conclusion
  17. 11. Cache Manager
    1. Key Features of the Cache Manager
      1. Single, Centralized System Cache
      2. The Memory Manager
      3. Cache Coherency
      4. Virtual Block Caching
      5. Stream-Based Caching
      6. Recoverable File System Support
    2. Cache Virtual Memory Management
    3. Cache Size
      1. LargeSystemCache
      2. Cache Virtual Size
      3. Cache Working Set Size
      4. Cache Physical Size
    4. Cache Data Structures
      1. Systemwide Cache Data Structures
      2. Per-File Cache Data Structures
    5. File System Interfaces
      1. Copying to and from the Cache
      2. Caching with the Mapping and Pinning Interfaces
      3. Caching with the Direct Memory Access Interfaces
    6. Fast I/O
    7. Read Ahead and Write Behind
      1. Intelligent Read-Ahead
      2. Write-Back Caching and Lazy Writing
        1. Disabling Lazy Writing for a File
        2. Forcing the Cache to Write Through to Disk
        3. Flushing Mapped Files
      3. Write Throttling
      4. System Threads
    8. Conclusion
  18. 12. File Systems
    1. Windows File System Formats
      1. CDFS
      2. UDF
      3. FAT12, FAT16, and FAT32
      4. NTFS
    2. File System Driver Architecture
      1. Local FSDs
      2. Remote FSDs
      3. File System Operation
        1. Explicit File I/O
        2. Memory Manager's Modified and Mapped Page Writer
        3. Cache Manager's Lazy Writer
        4. Cache Manager's Read-Ahead Thread
        5. Memory Manager's Page Fault Handler
      4. File System Filter Drivers
        1. Filemon
        2. System Restore
    3. Troubleshooting File System Problems
      1. Filemon Basic vs. Advanced Modes
      2. Filemon Troubleshooting Techniques
    4. NTFS Design Goals and Features
      1. High-End File System Requirements
        1. Recoverability
        2. Security
        3. Data Redundancy and Fault Tolerance
      2. Advanced Features of NTFS
        1. Multiple Data Streams
        2. Unicode-Based Names
        3. General Indexing Facility
        4. Dynamic Bad-Cluster Remapping
        5. Hard Links and Junctions
        6. Compression and Sparse Files
        7. Change Logging
        8. Per-User Volume Quotas
        9. Link Tracking
        10. Encryption
        11. POSIX Support
        12. Defragmentation
        13. Read-Only Support
    5. NTFS File System Driver
    6. NTFS On-Disk Structure
      1. Volumes
      2. Clusters
      3. Master File Table
      4. File Reference Numbers
      5. File Records
      6. Filenames
      7. Resident and Nonresident Attributes
      8. Data Compression and Sparse Files
        1. Compressing Sparse Data
        2. Compressing Nonsparse Data
        3. Sparse Files
      9. The Change Journal File
      10. Indexing
      11. Object IDs
      12. Quota Tracking
      13. Consolidated Security
      14. Reparse Points
    7. NTFS Recovery Support
      1. Evolution of File System Design
        1. Careful Write File Systems
        2. Lazy Write File Systems
        3. Recoverable File Systems
      2. Logging
        1. Log File Service (LFS)
        2. Log Record Types
      3. Recovery
        1. Analysis Pass
        2. Redo Pass
        3. Undo Pass
      4. NTFS Bad-Cluster Recovery
    8. Encrypting File System Security
      1. Encrypting a File for the First Time
        1. Constructing Key Rings
        2. Encrypting File Data
        3. Encryption Process Summary
      2. The Decryption Process
        1. Decrypted FEK Caching
        2. Decrypting File Data
      3. Backing Up Encrypted Files
    9. Conclusion
  19. 13. Networking
    1. Windows Networking Architecture
      1. The OSI Reference Model
      2. Windows Networking Components
    2. Networking APIs
      1. Windows Sockets
        1. Winsock Client Operation
        2. Winsock Server Operation
        3. Winsock Extensions
        4. Extending Winsock
        5. Winsock Implementation
        6. Windows Sockets Direct
      2. Remote Procedure Call
        1. RPC Operation
        2. RPC Security
        3. RPC Implementation
      3. Web Access APIs
        1. WinInet
        2. WinHTTP
        3. HTTP
      4. Named Pipes and Mailslots
        1. Named Pipe Operation
        2. Mailslot Operation
        3. Named Pipe and Mailslot Implementation
      5. NetBIOS
        1. NetBIOS Names
        2. NetBIOS Operation
        3. NetBIOS API Implementation
      6. Other Networking APIs
        1. Real-Time Communications (RTC)
        2. DCOM
        3. Message Queuing
        4. UPnP
    3. Multiple Redirector Support
      1. Multiple Provider Router
      2. Multiple UNC Provider
    4. Name Resolution
      1. Domain Name System
      2. Windows Internet Name Service
    5. Protocol Drivers
      1. TCP/IP Extensions
        1. Network Address Translation
        2. IP Filtering
        3. IP Filter and Filter Hook
        4. Internet Protocol Security
    6. NDIS Drivers
      1. Variations on the NDIS Miniport
      2. Connection-Oriented NDIS
      3. Remote NDIS
      4. QOS
    7. Binding
    8. Layered Network Services
      1. Remote Access
      2. Active Directory
      3. Network Load Balancing
      4. File Replication Service
      5. Distributed File System
    9. Conclusion
  20. 14. Crash Dump Analysis
    1. Why Does Windows Crash?
    2. The Blue Screen
    3. Crash Dump Files
      1. Crash Dump Generation
    4. Windows Error Reporting
    5. Online Crash Analysis
    6. Basic Crash Dump Analysis
      1. Notmyfault
      2. Basic Crash Dump Analysis
      3. Verbose Analysis
    7. Using Crash Troubleshooting Tools
      1. Buffer Overrun and Special Pool
      2. Code Overwrite and System Code Write Protection
    8. Advanced Crash Dump Analysis
      1. Stack Trashes
      2. Hung or Unresponsive Systems
      3. When There Is No Crash Dump
  21. Glossary
  22. Index
  23. About the Authors
  24. Copyright