Windows® Internals, Sixth Edition, Part 1

Book Description

Delve inside Windows architecture and internals—and see how core components work behind the scenes. Led by three renowned internals experts, this classic guide is fully updated for Windows 7 and Windows Server 2008 R2—and now presents its coverage in two volumes.

As always, you get critical insider perspectives on how Windows operates. And through hands-on experiments, you’ll experience its internal behavior firsthand—knowledge you can apply to improve application design, debugging, system performance, and support.

In Part 1, you will:

  • Understand how core system and management mechanisms work—including the object manager, synchronization, Wow64, Hyper-V, and the registry

  • Examine the data structures and activities behind processes, threads, and jobs

  • Go inside the Windows security model to see how it manages access, auditing, and authorization

  • Explore the Windows networking stack from top to bottom—including APIs, BranchCache, protocol and NDIS drivers, and layered services

  • Dig into internals hands-on using the kernel debugger, performance monitor, and other tools

Table of Contents

    1. Windows® Internals, Sixth Edition, Part 1
    2. Dedication
    3. Introduction
      1. Structure of the Book
      2. History of the Book
      3. Sixth Edition Changes
      4. Hands-on Experiments
      5. Topics Not Covered
      6. A Warning and a Caveat
      7. Acknowledgments
      8. Errata & Book Support
      9. We Want to Hear from You
      10. Stay in Touch
    4. 1. Concepts and Tools
      1. Windows Operating System Versions
      2. Foundation Concepts and Terms
        1. Windows API
        2. Services, Functions, and Routines
        3. Processes, Threads, and Jobs
        4. Virtual Memory
        5. Kernel Mode vs. User Mode
        6. Terminal Services and Multiple Sessions
        7. Objects and Handles
        8. Security
        9. Registry
        10. Unicode
      3. Digging into Windows Internals
        1. Performance Monitor
        2. Kernel Debugging
          1. Symbols for Kernel Debugging
          2. Debugging Tools for Windows
          3. LiveKd Tool
        3. Windows Software Development Kit
        4. Windows Driver Kit
        5. Sysinternals Tools
      4. Conclusion
    5. 2. System Architecture
      1. Requirements and Design Goals
      2. Operating System Model
      3. Architecture Overview
        1. Portability
        2. Symmetric Multiprocessing
        3. Scalability
        4. Differences Between Client and Server Versions
        5. Checked Build
      4. Key System Components
        1. Environment Subsystems and Subsystem DLLs
          1. Subsystem Startup
          2. Windows Subsystem
          3. Subsystem for Unix-based Applications
        2. Ntdll.dll
        3. Executive
        4. Kernel
          1. Kernel Objects
          2. Kernel Processor Control Region and Control Block (KPCR and KPRCB)
          3. Hardware Support
        5. Hardware Abstraction Layer
        6. Device Drivers
          1. Windows Driver Model (WDM)
          2. Windows Driver Foundation
        7. System Processes
          1. System Idle Process
          2. System Process and System Threads
          3. Session Manager (Smss)
          4. Windows Initialization Process (Wininit.exe)
          5. Service Control Manager (SCM)
          6. Local Session Manager (Lsm.exe)
          7. Winlogon, LogonUI, and Userinit
      5. Conclusion
    6. 3. System Mechanisms
      1. Trap Dispatching
        1. Interrupt Dispatching
          1. Hardware Interrupt Processing
          2. x86 Interrupt Controllers
          3. x64 Interrupt Controllers
          4. IA64 Interrupt Controllers
          5. Software Interrupt Request Levels (IRQLs)
          6. Software Interrupts
            1. Dispatch or Deferred Procedure Call (DPC) Interrupts
            2. Asynchronous Procedure Call Interrupts
        2. Timer Processing
          1. Timer Expiration
          2. Processor Selection
          3. Intelligent Timer Tick Distribution
          4. Timer Coalescing
        3. Exception Dispatching
          1. Unhandled Exceptions
          2. Windows Error Reporting
        4. System Service Dispatching
          1. System Service Dispatching
          2. Service Descriptor Tables
      2. Object Manager
        1. Executive Objects
        2. Object Structure
          1. Object Headers and Bodies
          2. Type Objects
          3. Object Methods
          4. Object Handles and the Process Handle Table
          5. Reserve Objects
          6. Object Security
          7. Object Retention
          8. Resource Accounting
          9. Object Names
          10. Object Directories
            1. Symbolic Links
          11. Session Namespace
          12. Object Filtering
      3. Synchronization
        1. High-IRQL Synchronization
          1. Interlocked Operations
          2. Spinlocks
          3. Queued Spinlocks
          4. Instack Queued Spinlocks
          5. Executive Interlocked Operations
        2. Low-IRQL Synchronization
          1. Kernel Dispatcher Objects
          2. Waiting for Dispatcher Objects
          3. What Signals an Object?
          4. Data Structures
          5. Keyed Events
          6. Fast Mutexes and Guarded Mutexes
          7. Executive Resources
          8. Pushlocks
          9. Critical Sections
          10. User-Mode Resources
          11. Condition Variables
          12. Slim Reader-Writer Locks
          13. Run Once Initialization
      4. System Worker Threads
      5. Windows Global Flags
      6. Advanced Local Procedure Call
        1. Connection Model
        2. Message Model
        3. Asynchronous Operation
        4. Views, Regions, and Sections
        5. Attributes
        6. Blobs, Handles, and Resources
        7. Security
        8. Performance
        9. Debugging and Tracing
      7. Kernel Event Tracing
      8. Wow64
        1. Wow64 Process Address Space Layout
        2. System Calls
        3. Exception Dispatching
        4. User APC Dispatching
        5. Console Support
        6. User Callbacks
        7. File System Redirection
        8. Registry Redirection
        9. I/O Control Requests
        10. 16-Bit Installer Applications
        11. Printing
        12. Restrictions
      9. User-Mode Debugging
        1. Kernel Support
        2. Native Support
        3. Windows Subsystem Support
      10. Image Loader
        1. Early Process Initialization
        2. DLL Name Resolution and Redirection
          1. DLL Name Redirection
        3. Loaded Module Database
        4. Import Parsing
        5. Post-Import Process Initialization
        6. SwitchBack
        7. API Sets
      11. Hypervisor (Hyper-V)
        1. Partitions
        2. Parent Partition
          1. Parent Partition Operating System
          2. Virtual Machine Manager Service and Worker Processes
          3. Virtualization Service Providers
          4. VM Infrastructure Driver and Hypervisor API Library
          5. Hypervisor
        3. Child Partitions
          1. Virtualization Service Clients
          2. Enlightenments
        4. Hardware Emulation and Support
          1. Emulated Devices
          2. Synthetic Devices
          3. Virtual Processors
          4. Memory Virtualization
          5. Intercepts
          6. Live Migration
      12. Kernel Transaction Manager
      13. Hotpatch Support
      14. Kernel Patch Protection
      15. Code Integrity
      16. Conclusion
    7. 4. Management Mechanisms
      1. The Registry
        1. Viewing and Changing the Registry
        2. Registry Usage
        3. Registry Data Types
        4. Registry Logical Structure
          1. HKEY_CURRENT_USER
          2. HKEY_USERS
          3. HKEY_CLASSES_ROOT
          4. HKEY_LOCAL_MACHINE
          5. HKEY_CURRENT_CONFIG
          6. HKEY_PERFORMANCE_DATA
        5. Transactional Registry (TxR)
        6. Monitoring Registry Activity
        7. Process Monitor Internals
          1. Process Monitor Troubleshooting Techniques
          2. Logging Activity in Unprivileged Accounts or During Logon/Logoff
        8. Registry Internals
          1. Hives
          2. Hive Size Limits
          3. Registry Symbolic Links
          4. Hive Structure
          5. Cell Maps
          6. The Registry Namespace and Operation
          7. Stable Storage
          8. Registry Filtering
          9. Registry Optimizations
      2. Services
        1. Service Applications
          1. Service Accounts
          2. The Local System Account
          3. The Network Service Account
          4. The Local Service Account
          5. Running Services in Alternate Accounts
          6. Running with Least Privilege
          7. Service Isolation
          8. Interactive Services and Session 0 Isolation
        2. The Service Control Manager
        3. Service Startup
        4. Startup Errors
        5. Accepting the Boot and Last Known Good
        6. Service Failures
        7. Service Shutdown
        8. Shared Service Processes
        9. Service Tags
      3. Unified Background Process Manager
        1. Initialization
        2. UBPM API
        3. Provider Registration
        4. Consumer Registration
        5. Task Host
        6. Service Control Programs
      4. Windows Management Instrumentation
        1. WMI Architecture
        2. Providers
        3. The Common Information Model and the Managed Object Format Language
          1. The WMI Namespace
        4. Class Association
        5. WMI Implementation
        6. WMI Security
      5. Windows Diagnostic Infrastructure
        1. WDI Instrumentation
        2. Diagnostic Policy Service
        3. Diagnostic Functionality
      6. Conclusion
    8. 5. Processes, Threads, and Jobs
      1. Process Internals
        1. Data Structures
      2. Protected Processes
      3. Flow of CreateProcess
        1. Stage 1: Converting and Validating Parameters and Flags
        2. Stage 2: Opening the Image to Be Executed
        3. Stage 3: Creating the Windows Executive Process Object (PspAllocateProcess)
          1. Stage 3A: Setting Up the EPROCESS Object
          2. Stage 3B: Creating the Initial Process Address Space
          3. Stage 3C: Creating the Kernel Process Structure
          4. Stage 3D: Concluding the Setup of the Process Address Space
          5. Stage 3E: Setting Up the PEB
          6. Stage 3F: Completing the Setup of the Executive Process Object (PspInsertProcess)
        4. Stage 4: Creating the Initial Thread and Its Stack and Context
        5. Stage 5: Performing Windows Subsystem–Specific Post-Initialization
        6. Stage 6: Starting Execution of the Initial Thread
        7. Stage 7: Performing Process Initialization in the Context of the New Process
      4. Thread Internals
        1. Data Structures
        2. Birth of a Thread
      5. Examining Thread Activity
        1. Limitations on Protected Process Threads
      6. Worker Factories (Thread Pools)
      7. Thread Scheduling
        1. Overview of Windows Scheduling
        2. Priority Levels
          1. Real-Time Priorities
          2. Interrupt Levels vs. Priority Levels
          3. Using Tools to Interact with Priority
        3. Thread States
        4. Dispatcher Database
        5. Quantum
          1. Quantum Accounting
          2. Controlling the Quantum
          3. Variable Quantums
          4. Quantum Settings Registry Value
        6. Priority Boosts
          1. Boosts Due to Scheduler/Dispatcher Events
          2. Unwait Boosts
          3. Lock Ownership Boosts
          4. Priority Boosting After I/O Completion
          5. Boosts During Waiting on Executive Resources
          6. Priority Boosts for Foreground Threads After Waits
          7. Priority Boosts After GUI Threads Wake Up
          8. Priority Boosts for CPU Starvation
          9. Applying Boosts
          10. Removing Boosts
          11. Priority Boosts for Multimedia Applications and Games
        7. Context Switching
        8. Scheduling Scenarios
          1. Voluntary Switch
          2. Preemption
          3. Quantum End
          4. Termination
        9. Idle Threads
        10. Thread Selection
          1. Idle Scheduler
        11. Multiprocessor Systems
          1. Package Sets and SMT Sets
          2. NUMA Systems
          3. Processor Group Assignment
          4. Logical Processors per Group
          5. Logical Processor State
          6. Scheduler Scalability
          7. Affinity
          8. Extended Affinity Mask
          9. System Affinity Mask
          10. Ideal and Last Processor
          11. Ideal Node
        12. Thread Selection on Multiprocessor Systems
        13. Processor Selection
          1. Choosing a Processor for a Thread When There Are Idle Processors
          2. Choosing a Processor for a Thread When There Are No Idle Processors
      8. Processor Share-Based Scheduling
        1. Dynamic Fair Share Scheduling
          1. DFSS Initialization
          2. Per-Session CPU Quota Blocks
          3. Charging of Cycles to Throttled Threads
          4. CPU Throttling and Quota Enforcement
          5. Resuming Execution
          6. DFSS Idle-Only Queue Scheduling
          7. Session Weight Configuration
        2. CPU Rate Limits
      9. Dynamic Processor Addition and Replacement
      10. Job Objects
        1. Job Limits
        2. Job Sets
      11. Conclusion
    9. 6. Security
      1. Security Ratings
        1. Trusted Computer System Evaluation Criteria
        2. The Common Criteria
      2. Security System Components
      3. Protecting Objects
        1. Access Checks
        2. Security Identifiers
          1. Integrity Levels
          2. Tokens
          3. Impersonation
          4. Restricted Tokens
          5. Filtered Admin Token
        3. Virtual Service Accounts
        4. Security Descriptors and Access Control
          1. ACL Assignment
          2. Determining Access
      4. The AuthZ API
        1. Conditional ACEs
      5. Account Rights and Privileges
        1. Account Rights
        2. Privileges
        3. Super Privileges
      6. Access Tokens of Processes and Threads
      7. Security Auditing
        1. Object Access Auditing
        2. Global Audit Policy
        3. Advanced Audit Policy Settings
      8. Logon
        1. Winlogon Initialization
        2. User Logon Steps
        3. Assured Authentication
        4. Biometric Framework for User Authentication
      9. User Account Control and Virtualization
        1. File System and Registry Virtualization
          1. File Virtualization
          2. Registry Virtualization
        2. Elevation
          1. Running with Administrator Rights
          2. Requesting Administrative Rights
          3. Auto-Elevation
          4. Controlling UAC Behavior
      10. Application Identification (AppID)
      11. AppLocker
      12. Software Restriction Policies
      13. Conclusion
    10. 7. Networking
      1. Windows Networking Architecture
        1. The OSI Reference Model
        2. Windows Networking Components
      2. Networking APIs
        1. Windows Sockets
          1. Winsock Client Operation
          2. Winsock Server Operation
          3. Winsock Extensions
          4. Extending Winsock
          5. Winsock Implementation
        2. Winsock Kernel
          1. WSK Implementation
        3. Remote Procedure Call
          1. RPC Operation
          2. RPC Security
          3. RPC Implementation
        4. Web Access APIs
          1. WinInet
          2. HTTP
        5. Named Pipes and Mailslots
          1. Named-Pipe Operation
          2. Mailslot Operation
          3. Named Pipe and Mailslot Implementation
        6. NetBIOS
          1. NetBIOS Names
          2. NetBIOS Operation
          3. NetBIOS API Implementation
        7. Other Networking APIs
          1. Background Intelligent Transfer Service
          2. Peer-to-Peer Infrastructure
          3. DCOM
          4. Message Queuing
          5. UPnP with PnP-X
      3. Multiple Redirector Support
        1. Multiple Provider Router
        2. Multiple UNC Provider
        3. Surrogate Providers
        4. Redirector
        5. Mini-Redirectors
        6. Server Message Block and Sub-Redirectors
      4. Distributed File System Namespace
      5. Distributed File System Replication
      6. Offline Files
        1. Caching Modes
          1. Online
          2. Offline (Slow Connection)
          3. Offline (Working Offline)
          4. Offline (Not Connected)
          5. Offline (Need to Sync)
        2. Ghosts
        3. Data Security
        4. Cache Structure
      7. BranchCache
        1. Caching Modes
          1. Configuration
        2. BranchCache Optimized Application Retrieval: SMB Sequence
        3. BranchCache Optimized Application Retrieval: HTTP Sequence
      8. Name Resolution
        1. Domain Name System
        2. Peer Name Resolution Protocol
          1. PNRP Resolution and Publication
      9. Location and Topology
        1. Network Location Awareness
        2. Network Connectivity Status Indicator
          1. Passive Poll
          2. Network Change Monitoring
          3. Registry Change Monitoring
          4. Active Probe
        3. Link-Layer Topology Discovery
      10. Protocol Drivers
        1. Windows Filtering Platform
          1. Network Address Translation
          2. IP Filtering
          3. Internet Protocol Security
      11. NDIS Drivers
        1. Variations on the NDIS Miniport
        2. Connection-Oriented NDIS
        3. Remote NDIS
        4. QoS
      12. Binding
      13. Layered Network Services
        1. Remote Access
        2. Active Directory
        3. Network Load Balancing
        4. Network Access Protection
        5. Direct Access
      14. Conclusion
    11. A. About the Authors
    12. B. More Resources for Developers
      1. Microsoft Press® books
        1. Visual Studio
        2. Web Development
        3. .Net Framework
        4. Data Access/Database
        5. Other Topics
    13. C. Find the Right Resource for You
    14. Index
    15. About the Authors
    16. Copyright