Lecture 2 System architecture
xlanchen@03/04/2005
Department of Computer Science • Information Processing Laboratory
Review of last class
Win32 API and its functions
System service (int 2e)
Win32 services
Processes and threads in Windows 2000
Virtual memory (0G~2G~4G)
Kernel mode vs. user mode
Objects and handles
Understanding the Inside of Windows 2000
Contents of this lecture
Design goals
Operating system model
Key system components
Design Goals
True 32-bit, pre-emptive, re-entrant, virtual
memory
Multiple hardware platforms
Symmetric multi-processor architecture
Support networked computing
Support 16-bit MS-DOS and Win3.x apps
POSIX 1003.1 compliance
TCSEC C2 certification
Support Unicode
Design Goals
Extensibility
Portability
Reliability and robustness
Compatibility
Performance
Windows 2000 VS. Consumer Windows
Consumer Windows
Windows 95, Windows 98, and Windows Millennium
Edition
Both are part of the "Windows family of operating systems"
Sharing a common subset API (Win32 and COM)
and in some cases operating system code
And WDM (Windows Driver Model) except 95
Windows 2000 VS. Consumer Windows
Multiprocessor systems, security
True 32-bit
Fully reentrant
Address space for 16-bit Windows applications
Visibility of shared memory
Writable system pages from user mode
Full compatibility with MS-DOS and Windows 3.1
Operating system model
Similar to most UNIX systems
Kernel mode VS. User mode
most of OS and device driver code shares the
same kernel-mode protected memory space
Then, Windows 2000
Monolithic operating system
OR
Microkernel-Based System
Kernel-mode components and OO
Not a strict OO system
Follows Basic OO design principles
Mostly C not C++
C doesn't directly support OO constructs, such as
dynamic binding of data types, polymorphic
functions, or class inheritance
What C brings?
Portability
Windows 2000 achieves portability across
hardware architectures and platforms in two
primary ways
Layered design
Language C
Multitasking vs. multiprocessing
Multitasking: sharing a single processor among
multiple threads of execution
Multiprocessing
SMP vs. ASMP
Architecture Overview
Key system components
Architecture Overview
Four basic types of user-mode processes
System support processes
Service processes
User applications
Environment subsystems
User mode processes [1]
System support processes
not Windows 2000 services (not started by the
service control manager)
Example:
Logon process
Session manager
User mode processes [2]
Service processes
Windows 2000 services
Example:
Task scheduler
Spooler
…
User mode processes [3]
User applications
One of five types
Win32
Windows 3.1
MS-DOS
POSIX
OS/2 1.2
User mode processes [4]
Environment subsystems
Environment subsystems expose the native
operating system services to user applications
through a set of callable functions
Three environment subsystems
Win32, POSIX, and OS/2
Architecture Overview
Subsystem DLLs
User applications call the native Windows 2000 operating system services indirectly, through one or more subsystem DLLs
Role of the subsystem DLLs
Function -> appropriate internal 2K system service calls
Sometimes, sending a message to the appropriate environment subsystem process
Architecture Overview
Kernel mode component
Kernel mode component
Executive: Base OS services
memory management,
process and thread management,
security, I/O, and IPC
Kernel: low-level OS functions
thread scheduling, interrupt and exception
dispatching, and multiprocessor synchronization
Device drivers
HAL = hardware abstraction layer
Windowing and graphics system
Core Windows 2000 System Files
Ntoskrnl.exe
Executive and kernel
Ntkrnlpa.exe
Executive and kernel with support for PAE
Hal.dll
Different hardware platforms have different HALs
[Diagram: user mode / kernel mode boundary, with Ntoskrnl.exe and Hal.dll in kernel mode]
Core Windows 2000 System Files
Core Win32 subsystem DLLs
Kernel32.dll
Win32 API functions
Advapi32.dll
Advanced application interface
Ntdll.dll
Internal support functions
system service dispatch stubs
Core Windows 2000 System Files
[Diagram: Advapi32.dll and Kernel32.dll above Ntdll.dll in user mode; int 0x2e crosses into Ntoskrnl.exe in kernel mode]
Why kernel32/advapi32 + Ntdll?
Core Windows 2000 System Files
User32.dll
Gdi32.dll
Core Win32 subsystem DLLs
Win32k.sys
a particular driver
Kernel-mode part of the Win32 subsystem
[Diagram: User32.dll and Gdi32.dll in user mode; int 0x2e crosses into Win32k.sys in kernel mode]
Key System Components
Windows 2000 architecture
Environment Subsystems and DLLs
Win32 subsystem
POSIX Subsystem
OS/2 Subsystem
See registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
An example (your system may differ)
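The values under the SubSystems key follow an `image option=value ...` layout; this added example (not from the original slides) parses a constructed sample and checks that each subsystem image is the expected file under %SystemRoot%\system32. The value names, the sample strings, and the psxss.exe and os2ss.exe file names are assumptions based on a typical Windows 2000 installation.

```python
import ntpath

# Constructed sample of the key's values (assumed layout, not data from the slides).
SAMPLE = {
    "Required": ["Debug", "Windows"],
    "Optional": ["Os2", "Posix"],
    "Debug": "",
    "Kmode": r"%SystemRoot%\system32\win32k.sys",
    "Os2": r"%SystemRoot%\system32\os2ss.exe",
    "Posix": r"%SystemRoot%\system32\psxss.exe",
    "Windows": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
               r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
               r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
               r"MaxRequestThreads=16",
}
# Expected image per value: csrss.exe and win32k.sys are named in the lecture;
# psxss.exe and os2ss.exe are assumed names for the POSIX and OS/2 subsystems.
EXPECTED = {"Windows": "csrss.exe", "Kmode": "win32k.sys",
            "Posix": "psxss.exe", "Os2": "os2ss.exe"}
SYSTEM_DIR = r"%systemroot%\system32"

def parse_command(value):
    """Split 'image key=val key=val ...' into (image, {key: [values]})."""
    parts = value.split()          # assumes the image path has no spaces
    options = {}
    for token in parts[1:]:
        key, _, val = token.partition("=")
        options.setdefault(key, []).append(val)   # ServerDll may repeat
    return (parts[0] if parts else ""), options

def audit(values):
    """Return [(value name, load class, findings)] for each expected value."""
    report = []
    for name, expected in EXPECTED.items():
        image, _ = parse_command(values.get(name, ""))
        findings = []
        if not image:
            findings.append("value missing or empty")
        elif ntpath.basename(image).lower() != expected:
            findings.append("unexpected image " + image)
        elif ntpath.dirname(image).lower() != SYSTEM_DIR:
            findings.append("image outside " + SYSTEM_DIR)
        load = ("required" if name in values.get("Required", []) else
                "optional" if name in values.get("Optional", []) else "other")
        report.append((name, load, findings))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a live system the same dictionary can be filled from an export of the key; an empty findings list for every row means each subsystem still points at its expected system32 image.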
Win32 subsystem [1]
Implemented in the Csrss.exe process
Supports basic text windows
Creating and deleting Win32 processes/threads
and in the kernel mode driver WIN32K.SYS
Parts of the Windows manager (“User”)
Parts of the GDI
And in subsystem DLLs mapping Win32 calls onto NT
supervisor functions
Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll
And Graphics device drivers
Win32 subsystem [2]
E.g. an app creates windows by calling USER functions, which call GDI functions, which call graphics device drivers
[Diagram: in user mode, the app and the Win32 subsystem process (csrss.exe) above User32.dll, Kernel32.dll and Gdi32.dll, which sit above Ntdll.dll; in kernel mode, Ntoskrnl.exe and win32k.sys]
Window manager and graphics
In win32 process or kernel
Prior to NT4.0
Required multiple thread and process context
switches which consumed considerable CPU cycles
and memory resources
In NT4.0
moving the windowing and graphics system into
kernel mode
POSIX Subsystem
a portable operating system interface based on
UNIX
Standard: POSIX 1
a mandatory goal for Windows 2000
Fairly limited in usefulness
OS/2 Subsystem
Supports only OS/2 1.2 16-bit character-based
or video I/O (VIO) applications
Key components (cont.)
NTDLL.DLL:
Stubs to Executive entry points
NtCreateFile, NtSetEvent, etc.
Support functions for subsystems
Key components (cont.)
Executive (Ntoskrnl.exe) includes
Functions
User mode callable or kernel mode callable
components
Such as configuration manager, process and thread
manager, I/O manager, plug and play manager, power
manager, virtual memory manager, and so on.
Support functions
Object manager, LPC, synchronisation primitives
Key components (cont.)
Kernel (in Ntoskrnl.exe)
provide fundamental mechanisms used by the
executive components
Kernel objects, thread scheduling, trap and
exception handling, interrupt handling
Ntoskrnl.exe
Key components (cont.)
Hardware Abstraction Layer (Hal.dll)
List of HALs
Hal.dll for Standard PCs
Halacpi.dll for ACPI PCs
Halapic.dll for APIC PCs
Halaacpi.dll for APIC ACPI PCs
Halmps.dll for Multiprocessor PCs
Halmacpi.dll for Multiprocessor ACPI PCs
Halborg.dll for Silicon Graphics Workstation (no longer marketed)
Halsp.dll for Compaq SystemPro
Key components (cont.)
EXPERIMENT:
Determining Which HAL You're Running
Open \Winnt\Repair\Setup.log, search for Hal.dll
Or,
In Device Manager, look at the Computer device
(My Computer -> Properties -> Hardware -> Device Manager)
ACPI = Advanced Configuration and Power Interface
APIC = Advanced Programmable Interrupt Controller
Key components (cont.)
Device Drivers
loadable kernel-mode modules (mostly .sys)
[Diagram: I/O Manager above Drivers above HAL above Hardware]
run in kernel mode in one of three contexts
a user thread that initiated an I/O function
a kernel-mode system thread
interrupt handling
Device drivers
Types of device drivers
Hardware device drivers
Handle different physical devices
File system drivers
Implement file abstraction
File system filter drivers
e.g. disk mirroring, encryption and so on
Network redirectors and servers
Transmit I/O requests across network
Protocol drivers
Kernel streaming filter drivers
EXPERIMENT
Viewing the Installed Device Drivers
Run msinfo32
An example:
Undocumented functions
EXPERIMENT
Listing Undocumented Functions
Open system32\Ntoskrnl.exe in Depends.exe
An example:
System processes
System process (0): Idle process
System (8): System process
smss.exe (144): Session manager
csrss.exe (172): Win32 subsystem process
winlogon.exe (192): Logon process
services.exe (220): Service control manager
svchost.exe (384): Generic service host image
spoolsv.exe (480): Spooler service
regsvc.exe (636): Remote registry service
mstask.exe (664): Task scheduler service
lsass.exe (232): Local security authentication server
System Processes
Idle Process (ID 0)
System process
Always process ID 8
The home for kernel mode system threads
Session Manager (SMSS.EXE)
First user-mode process
Completes system initialization
Win32 subsystem (csrss.exe)
Logon (winlogon.exe)
Logon (winlogon.exe)
Handles interactive user logons and logoffs
SAS: Ctrl+Alt+Delete
Calls Userinit.exe to create user proc
performs some initialization
creates a process to run the system-defined shell
(Explorer.exe)
Exit
Local Security Authentication Server (Lsass.exe)
Validates authentication data and creates access token
Service control manager (Services.exe)
Starts and stops NT services (e.g. event log)
EXPERIMENT
Listing Installed Services
Administrative Tools Services
xlanchen@03/04/2005
Understanding the Inside of
Windows2000
计算机系 51
信息处理实验室
Related documents