Windows NT® Internals. David Solomon, David Solomon Expert Seminars / Microsoft Corporation. Presentation transcript.

1 Windows NT® Internals. David Solomon, David Solomon Expert Seminars, Microsoft Corporation

2 Agenda
 Introduction
 Tools
 System Architecture
 Processes and Threads
 Memory Management

3 About The Speaker: David Solomon
 14 years at Digital, the last 10 as a developer in the VMS operating system development group
 Started a Windows NT developer training company in 1992
 Author of Inside Windows NT, 2nd edition (Microsoft Press) and Windows NT for OpenVMS Professionals (Digital Press)
 Regular speaker at industry conferences (WinDev, TechEd, Software Development, DECUS, ...)
 Recipient of a past Microsoft MVP award for MSWIN32 technical support

4 About The Company
 David Solomon Expert Seminars offers high-quality Windows developer training, taught by well-known industry experts and authors who develop and teach their own courses
 Instructors include: Doug Boling, Brian Catlin, Jamie Hanrahan, Jeff Prosise, Jeffrey Richter, and David Solomon
 Topics include: Windows CE; Windows NT Internals; Windows NT and WDM Device Drivers; Windows NT® Server Applications; Win32® Programming; Visual C++® and MFC; COM/ActiveX® Programming
 To be notified of new classes and other developments, join our interest list

5 Session Goals
 Goals
   - Explain the internal architecture and operation of core Windows NT components
   - Use various tools that demonstrate internal Windows NT behavior
 Audience assumptions
   - Familiar with basic 32-bit OS concepts
   - Familiar with the Win32 API (processes, threads, memory management)
 Acknowledgements
   - Jamie Hanrahan, co-author of the Windows NT internals seminar from which these slides were taken
   - Dave Cutler, Helen Custer, John Balciunas, Lou Perazzoli, Mark Lucovsky, Steve Wood, Tom Miller, Gary Kimura, and Landy Wang for their support and assistance in understanding Windows NT internals

6 Windows NT Architecture (block diagram; copyright by Microsoft Corporation, used by permission)
 User mode: user applications and subsystem DLLs; environment subsystems (Win32, POSIX, OS/2); system processes (Session Manager, WinLogon, Service Controller, RPC); services (Replicator, Alerter, Event Logger); NTDLL.DLL as the user-mode interface to the Executive API
 Kernel mode: Executive (I/O Manager, Cache Manager, Security, Processes & Threads, Virtual Memory, Win32 User/GDI, Object management, RTL); file systems and device drivers; system threads; Kernel; Hardware Abstraction Layer (HAL); hardware interfaces (buses, I/O, interrupts, timers, clocks, DMA, cache control, etc.)

7 Windows NT 5.0 Internal Changes
 In one sense, much is the same: the basic architecture of many components is unchanged (Win32 subsystem, memory manager, process model, thread scheduling, security model, file system)
 But lots of additions of major new functionality: Active Directory, distributed security, Kerberos, Microsoft Management Console, IntelliMirror™, NTFS extensions (content indexing, quotas, reparse points, sparse files, link tracking)

8 Windows NT 5.0 Internal Changes
 Kernel/core changes include:
   - I/O system (plug and play and power management)
   - 64-bit Very Large Memory support for Alpha
   - Job object
   - Integration of Terminal Server
 Comparable to the level of change from 3.51 to 4.0
 Also many incremental performance improvements: Object Manager, memory manager (e.g., working set management algorithms), SMP scalability, ...

10 Tools
Tool                    Executable        Origin
Performance Monitor     PerfMon           Windows NT
Registry Editor         RegEdt32          Windows NT
Windows NT Diagnostics  WinMSD            Windows NT
Kernel Debugger         i386kd, alphakd   Windows NT CD \support\debug
Pool Monitor            poolmon           Windows NT CD \support\debug
Global Flags            gflags            Windows NT Resource Kit
Open Handles            oh                Windows NT Resource Kit
QuickSlice              qslice            Windows NT Resource Kit
Process Viewer          pviewer           Windows NT Resource Kit
                        pview             Platform SDK, VC++
Process Exploder        pview             Windows NT Resource Kit 4.0
Process Status          pstat             Windows NT Resource Kit
Pmon                    pmon              Windows NT Resource Kit
Object Viewer           WinObj            Platform SDK
Process Walker          PWalk             Platform SDK
Page Fault Monitor      PFMon             Platform SDK
Spy++                   -                 Visual C++ Tools Preview

11 Windows NT Resource Kits
 Full "Windows NT 5.0 Resource Kit": 250+ utilities; combines what was in the 4.0 Server and Workstation resource kits
 Subset "Windows NT 5.0 Resource Kit Support Tools": 50 utilities; ships in \support\reskit on the Windows NT CD

12 Windows NT internals articles and tools
 Some generated using reverse engineering (i.e., without source access)
 Some examples:
   - winobj: view the object manager namespace and objects
   - nthandlex: show open handles by process
   - ntfilmon: log all file I/O operations
   - ntregmon: log all registry accesses
   - cpufrob: change the thread quantum
 Caveat: most include a device driver, so installing one adds "trusted code" that runs in kernel mode with full system privilege; no warranty on using these on your system!

13 GFLAGS (Global Flags)
 Changes system-wide or image-wide debugging flags
 Poolmon requires "enable pool tagging"
 Oh (open handles) requires "maintain a list of objects for each type"

14 Windows NT Kernel Debugger (1 of 4)
 Two versions:
   - Command line: I386KD.EXE, ALPHAKD, etc., shipped with Windows NT in NTcdrom:\support\debug\i386, ...\debug\alpha, etc. Select the directory to match the host system (where you will run the debugger executable); select the executable to match the target system (the system being debugged). Also needs many DLLs from this directory, plus symbol files from NTcdrom:\support\debug\targetarch\symbols\...
   - Extended via WinDbg, shipped with the Platform SDK (part of MSDN Professional): provides GUI, fully symbolic, source-level debugging; needs the same DLLs and symbol files

15 Windows NT Kernel Debugger (2 of 4)
 Documentation:
   - Windows NT Workstation Resource Guide (see "Windows NT Debugger")
   - Windows NT Device Driver Kit (DDK)
   - See i386kd -?
   - Help within the debugger: commands "?", "!?" and "!help"

16 Windows NT Kernel Debugger (3 of 4)
(Diagram: host and target machines joined by a serial "null modem" cable for the debugger)
 Two modes of operation:
   - Open a crash dump file:
       C:\> set _NT_SYMBOL_PATH=ntcdrom:\support\debug\i386\symbols
       C:\> i386kd -Z dumpfilename
   - Connect to a live system via null modem cable (the target system must be booted with /DEBUG /DEBUGPORT=COMn in boot.ini):
       C:\> set _NT_SYMBOL_PATH=ntcdrom:\support\debug\i386\symbols
       C:\> set _NT_DEBUG_PORT=COMn          (default COM1)
       C:\> set _NT_DEBUG_BAUD_RATE=nnnnn
       C:\> i386kd

17 Windows NT Kernel Debuggers (4 of 4)
 Third-party product: SoftICE for Windows NT (NuMega)
   - Runs on the same system, i.e., doesn't require a second system for live debugging
   - x86 only

18 Agenda
 Introduction
 Tools
 System Architecture
   - Kernel Mode Environment
   - Executive, Kernel, HAL, Drivers
   - Product Packaging
   - System Threads
   - Environment Subsystems
   - System Service Dispatching
   - Process-based Windows NT code
   - Summary
 Processes and Threads
 Memory Management

19 Kernel Mode Versus User Mode
 A processor state
   - Controls access to memory: each memory page is tagged to show the required mode for reading and for writing
   - Protects the system from the users
   - Protects the user (process) from itself
   - The system is not protected from the system
   - Code regions are tagged "no write in any mode"
   - Controls the ability to execute privileged instructions
 A Windows NT abstraction
   - Intel: Ring 0, Ring 3
   - PerfMon, Processor object: "Privileged Time" and "User Time"
 Associated with threads
   - Threads can change from user to kernel mode and back
   - Part of the saved context, along with registers, etc.
   - Does not affect scheduling

Component             Access mode
Applications          User
Subsystem processes   User
Executive             Kernel
Kernel                Kernel
Drivers               Kernel
HAL                   Kernel

20 Getting Into Kernel Mode
Code is run in kernel mode for one of three reasons:
1. Requests from user mode
   - Via the system service dispatch mechanism
   - Kernel-mode code runs in the context of the requesting thread
2. Interrupts from external devices
   - The Windows NT-supplied interrupt dispatcher invokes the interrupt service routine
   - The ISR runs in the context of the interrupted thread (so-called "arbitrary thread context")
   - The ISR often requests the execution of a "DPC routine," which also runs in kernel mode
   - Time is not charged to the interrupted thread
3. Dedicated kernel-mode system threads
   - Some threads in the system stay in kernel mode at all times (mostly in the "System" process)
   - Scheduled, preempted, etc., like any other threads

21 Interrupt Dispatching
(Flow diagram: an interrupt arrives while user- or kernel-mode code is running; everything below runs in kernel mode. Note: no thread or process context switch!)
Interrupt dispatch routine:
   - Disable interrupts
   - Record machine state (trap frame) to allow resume
   - Mask equal- and lower-IRQL interrupts
   - Find and call the appropriate ISR
Interrupt service routine:
   - Tell the device to stop interrupting
   - Interrogate device state, start the next operation on the device, etc.
   - Request a DPC
   - Return to caller
Interrupt dispatch routine, on return from the ISR:
   - Dismiss the interrupt
   - Restore machine state (including mode and enabled interrupts)

22 Interrupt Precedence Via IRQLs
(Diagram, highest IRQL at top: High; Power fail; Interprocessor Interrupt; Clock; Device n ... Device 1 (hardware interrupts); Dispatch/DPC; APC (deferrable software interrupts); Low (normal thread execution))
 IRQL = Interrupt Request Level
   - The "precedence" of the interrupt with respect to other interrupts
   - Different interrupt sources have different IRQLs
   - Not the same as IRQ
 IRQL is also a state of the processor
 Servicing an interrupt raises the processor IRQL to that interrupt's IRQL; this masks subsequent interrupts at equal and lower IRQLs
 User mode is limited to IRQL 0

23 Alpha IRQLs
(Diagram, highest at top: High; Interprocessor Interrupt; Clock; Device; Device; Dispatch/DPC; APC; Low)
 IRQL on Alpha is implemented in PAL code

24 DPCs (Deferred Procedure Calls)
(Diagram: a queue head linking DPC objects; each DPC object carries DfrdCtx, SysArg1 and SysArg2 and names a routine of the form XydriverDpcRtn(DpcObj, DfrdCtx, SysArg1, SysArg2) { ... })
 A list of "work requests"
   - One queue per processor (but processors can run each other's DPCs)
   - Implicitly ordered by time of request (FIFO)
 Used to defer processing from a higher (device) interrupt level to a lower (dispatch) level
   - Used heavily for driver "after interrupt" functions
   - Used for quantum end and timer expiration
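
As an added illustration (not part of the original seminar slides and not NT source code): a small C model of the IRQL rules and the per-processor DPC queue covered by the last three slides. The routine names copy the kernel API (KeRaiseIrql, KeLowerIrql, KeInsertQueueDpc, KDEFERRED_ROUTINE), but the bodies are a user-mode simulation; the value DEVICE_LEVEL = 5 and the KPRCB layout are assumptions. It shows what the slides leave implicit: a DPC queued by an ISR runs only once the processor's IRQL drops below DISPATCH_LEVEL, so a thread interrupted while already at IRQL 2 (for example while holding a spin lock) delays the driver's "after interrupt" work until it lowers IRQL, and a DPC object already in the queue is not inserted a second time.

```c
/* Added example: toy model of NT IRQL handling and the per-processor DPC queue.
 * Not NT code. DEVICE_LEVEL and the KPRCB fields are assumed for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned char KIRQL;
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2, DEVICE_LEVEL = 5 /* assumed */ };

struct _KDPC;
typedef void (*KDEFERRED_ROUTINE)(struct _KDPC *Dpc, void *DeferredContext,
                                  void *SystemArgument1, void *SystemArgument2);

typedef struct _KDPC {
    KDEFERRED_ROUTINE DeferredRoutine;
    void *DeferredContext;
    void *SystemArgument1;
    void *SystemArgument2;
    struct _KDPC *Next;   /* FIFO link within one processor's queue */
    bool Inserted;        /* a DPC object can be queued at most once at a time */
} KDPC;

typedef struct {          /* per-processor control block (subset, assumed layout) */
    KIRQL CurrentIrql;
    KDPC *DpcHead, *DpcTail;
} KPRCB;

static KPRCB Prcb0;

void KeInitializeDpc(KDPC *dpc, KDEFERRED_ROUTINE routine, void *ctx) {
    dpc->DeferredRoutine = routine; dpc->DeferredContext = ctx;
    dpc->SystemArgument1 = dpc->SystemArgument2 = NULL;
    dpc->Next = NULL; dpc->Inserted = false;
}

/* Append to the processor's queue; inserting an already-queued DPC is refused. */
bool KeInsertQueueDpc(KPRCB *prcb, KDPC *dpc, void *arg1, void *arg2) {
    if (dpc->Inserted) return false;
    dpc->SystemArgument1 = arg1; dpc->SystemArgument2 = arg2;
    dpc->Next = NULL; dpc->Inserted = true;
    if (prcb->DpcTail) prcb->DpcTail->Next = dpc; else prcb->DpcHead = dpc;
    prcb->DpcTail = dpc;
    return true;
}

/* Drain the queue in FIFO order at DISPATCH_LEVEL: no thread switch can interleave. */
static void KiRetireDpcList(KPRCB *prcb) {
    while (prcb->DpcHead) {
        KDPC *dpc = prcb->DpcHead;
        prcb->DpcHead = dpc->Next;
        if (!prcb->DpcHead) prcb->DpcTail = NULL;
        dpc->Inserted = false;   /* cleared before the call so the routine may requeue itself */
        dpc->DeferredRoutine(dpc, dpc->DeferredContext, dpc->SystemArgument1, dpc->SystemArgument2);
    }
}

KIRQL KeRaiseIrql(KPRCB *prcb, KIRQL newIrql) {
    if (newIrql < prcb->CurrentIrql) {   /* the real kernel bugchecks here */
        fprintf(stderr, "IRQL_NOT_GREATER_OR_EQUAL\n"); abort();
    }
    KIRQL old = prcb->CurrentIrql;
    prcb->CurrentIrql = newIrql;
    return old;
}

/* Dropping below DISPATCH_LEVEL is the moment queued DPCs become runnable. */
void KeLowerIrql(KPRCB *prcb, KIRQL newIrql) {
    if (newIrql < DISPATCH_LEVEL && prcb->DpcHead) {
        prcb->CurrentIrql = DISPATCH_LEVEL;
        KiRetireDpcList(prcb);
    }
    prcb->CurrentIrql = newIrql;
}

/* A device interrupt: dispatcher raises to the device IRQL, the ISR queues its DPC
 * (twice, modelling a device that interrupted again before the DPC ran), then the
 * interrupt is dismissed by lowering back to the interrupted IRQL. */
static void SimulateDeviceInterrupt(KPRCB *prcb, KDPC *dpc, bool *secondAccepted) {
    KIRQL saved = KeRaiseIrql(prcb, DEVICE_LEVEL);
    KeInsertQueueDpc(prcb, dpc, (void *)(uintptr_t)1, NULL);
    *secondAccepted = KeInsertQueueDpc(prcb, dpc, (void *)(uintptr_t)2, NULL);
    KeLowerIrql(prcb, saved);   /* DPC runs here only if the interrupted code was below IRQL 2 */
}

static void SampleDpcRoutine(KDPC *Dpc, void *DeferredContext, void *SystemArgument1, void *SystemArgument2) {
    (void)Dpc; (void)SystemArgument1; (void)SystemArgument2;
    ++*(int *)DeferredContext;           /* count executions of the "after interrupt" work */
}

typedef struct { int RunsAtDismiss; int RunsAfterLower; bool SecondInsertAccepted; } ScenarioResult;

/* Interrupt a thread running at threadIrql and report when its DPC actually executed. */
ScenarioResult RunInterruptScenario(KIRQL threadIrql) {
    ScenarioResult r = {0, 0, false};
    int runs = 0;
    KDPC dpc;
    Prcb0.CurrentIrql = PASSIVE_LEVEL; Prcb0.DpcHead = Prcb0.DpcTail = NULL;
    KeInitializeDpc(&dpc, SampleDpcRoutine, &runs);
    KIRQL saved = KeRaiseIrql(&Prcb0, threadIrql);   /* e.g. a thread holding a spin lock sits at DISPATCH_LEVEL */
    SimulateDeviceInterrupt(&Prcb0, &dpc, &r.SecondInsertAccepted);
    r.RunsAtDismiss = runs;
    KeLowerIrql(&Prcb0, saved);                       /* lock released, thread back at PASSIVE_LEVEL */
    r.RunsAfterLower = runs;
    return r;
}

int main(void) {
    ScenarioResult a = RunInterruptScenario(PASSIVE_LEVEL), b = RunInterruptScenario(DISPATCH_LEVEL);
    printf("interrupt at PASSIVE_LEVEL:  DPC runs at dismiss=%d, after lower=%d\n", a.RunsAtDismiss, a.RunsAfterLower);
    printf("interrupt at DISPATCH_LEVEL: DPC runs at dismiss=%d, after lower=%d\n", b.RunsAtDismiss, b.RunsAfterLower);
    return 0;
}
```

The second scenario is the one that matters for driver writers: code that spins at DISPATCH_LEVEL for too long does not just block other threads, it holds back every DPC queued on that processor, including the timer and quantum-end work the slide mentions.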

25 Accounting For Kernel-Mode Time
(Screen snapshot from Programs | Administrative Tools | Performance Monitor; click the "+" button, or select Edit | Add to chart...)
 "Processor Time" = total busy time of the processor (equal to elapsed real time minus idle time)
 "Processor Time" = "User Time" + "Privileged Time"
 "Privileged Time" = time spent in kernel mode
 "Privileged Time" includes Interrupt Time and DPC Time
 Again note: interrupts and DPCs are not charged to any process or thread

27 Windows NT Executive
 Upper layers of the operating system
 Provides "generic OS" services: processes, threads, memory management, I/O, interprocess communication, synchronization, security
 Almost completely portable C code
 Exports functions ("services") which may be invoked via user-mode APIs
   - Interface is NTDLL.DLL
   - E.g., Win32 ReadFile -> executive NtReadFile
 Most interfaces to executive services are not documented; used by subsystem writers

28 Windows NT Kernel
(Diagram: the kernel is built from machine-independent C, machine-dependent C, and assembler)
 Abstracts differences between processor architectures: x86 vs. Alpha vs. etc.
 Main services
   - Thread scheduling and context switching
   - Generic wait operations
   - Exception and interrupt dispatching
   - Operating system synchronization primitives (MP and UP)
 Not a classic "microkernel": shares the address space with the rest of the kernel-mode components

29 HAL - Hardware Abstraction Layer
 A separate loaded binary (c:\winnt\system32\hal.dll)
   - Several different versions for different motherboards, UP vs. MP, etc.
   - The installation procedure selects the appropriate HAL for the platform and copies it to Hal.Dll on the system disk
 Purpose:
   - Isolate (abstract) the Kernel and Executive from platform-specific details
   - Present a uniform model for ease of driver development
 HAL abstracts: I/O system specifics (bus interfaces, DMA, ...); system timers, cache coherency and flushing; SMP support, hardware interrupt priorities
 OEM Development Kit needed to build HALs
 HAL contains some Executive and Kernel subroutines
 Sample HAL routines: HalGetBusData, HalGetBusDataByOffset, HalAssignSlotResources, HalSetBusData, HalSetBusDataByOffset, HalTranslateBusAddress, HalGetInterruptVector, HalGetAdapter, READ_REGISTER_ULONG, WRITE_PORT_UCHAR

30 Kernel-Mode Device Drivers
 Separate loadable modules (drivername.SYS)
   - Linked like .EXEs
   - Linked against NTOSKRNL.EXE and HAL.DLL
 The only way to add "kernel extensions" or to access kernel-mode system routines
 Defined in the registry
   - Same area as Win32 services (t.b.d.)
   - Differentiated by the Type value
 View loaded drivers with pstat.exe, drivers.exe
 Several types:
   - "Ordinary" hardware drivers
   - File system
   - NDIS miniport, SCSI miniport (linked against port drivers)
   - Win32K.Sys, the windowing system

31 WDM (Win32 Driver Model)
 Extension to the Windows NT driver model to support Plug and Play and Power Management
 Allows source- and (x86) binary-compatible drivers across Windows 98 and Windows NT 5.0
 Non-trivial additions to existing drivers:
   - 3 new major IRP types
   - 36 new minor IRPs added
   - 6 new miniport driver types
   - Supporting WDM affects every area of a driver

32 WDM Drivers
 What's covered in WDM:
   - IEEE 1394 (FireWire)
   - Universal Serial Bus (USB)
   - Audio: speakers, microphone, CODEC
   - Human Interface Devices: mouse, keyboard, monitor controls, game devices
   - Still imaging: cameras, scanners
   - Video devices: video capture, DVD
   - Advanced Configuration and Power Interface (ACPI) BIOS support
 Not covered by WDM: network, storage, file system, video

34 NTOSKRNL.EXE
(The Windows NT architecture diagram from slide 6, with the kernel-mode Executive and Kernel components marked as the contents of NtosKrnl.Exe)

35 NTOSKRNL.EXE
 NTOSKRNL.EXE: Windows NT executive and kernel
 HAL.DLL: Hardware Abstraction Layer, the interface to the hardware platform
 BOOTVID.DLL: boot video driver

36 Naming Convention For Internal Windows NT Routines
 Two- or three-letter component code at the beginning of the function name
Executive:
   Ex-     General executive routine
   Exp-    Executive private (not exported)
   Cc-     Cache manager
   Mm-     Memory management
   Rtl-    Run-Time Library
   FsRtl-  File System Run-Time Library
   Ob-     Object management
   Io-     I/O subsystem
   Se-     Security
   Ps-     Process structure
   Lsa-    Security authentication
   Zw-     Kernel-mode entry points to system services (file access, etc.)
Kernel:
   Ke-     Kernel
   Ki-     Kernel internal (not available outside the kernel)
HAL:
   Hal-    Hardware Abstraction Layer
   READ_, WRITE_   I/O port and register access

37 Multiprocessor Support
 The code comprising NTOSKRNL is compiled twice: once for uniprocessor, once for multiprocessor; this avoids penalizing uniprocessor systems for the added MP complexity
 Two files on the Windows NT media: UP version NTOSKRNL.EXE, MP version NTKRNLMP.EXE; selected at installation time, but copied to NTOSKRNL.EXE
 All drivers, DLLs and EXEs are built to run on MP
 Upgrading from uniprocessor to multiprocessor: see uptomp.exe (in the Resource Kit)
   - 2 files replaced with different code: NTKRNLMP.EXE replaces NTOSKRNL.EXE; a new HAL replaces HAL.DLL
   - 4 files replaced with the same code but a modified image header: KERNEL32.DLL, NTDLL.DLL, WINSRV.DLL, WIN32K.SYS

38 Identifying Your NTOSKRNL
(Screen snapshot from Programs | Administrative Tools | Windows NT Diagnostics)
 Build numbers: incremented each time Windows NT is built from sources (i.e., different for beta releases)
 Service packs: replace .EXEs (usually including NTOSKRNL), .DLLs, etc.; do not change the Windows NT build number
 Free versus Checked build
   - Free = retail version; Checked = debug version, used primarily in driver testing
   - Build number is the same; it is a recompilation of the system with the DEBUG flag true, therefore a different NTOSKRNL.EXE
   - Note: MP only (NTOSKRNL.EXE and NTKRNLMP.EXE are identical)

39 Workstation Vs Server
 Core operating system executables are identical: NTOSKRNL.EXE, HAL.DLL, xxxDRIVER.SYS, etc. (t.b.d.)
 Windows NT Server is a superset of Workstation: domains, host-based RAID 5, NetWare gateway, DHCP server, WINS, DNS, full Internet Information Server, ...
   - Enterprise Server adds yet more functionality (Clusters, 3GB address space)
   - Terminal Server enables multi-user thin client support
 MP limits: Workstation: 2 CPUs, Server: 4 CPUs, Server Enterprise: 8 CPUs

40 Workstation Vs Server
 The registry indicates the system type: HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
   - ProductType: WinNT = Workstation, ServerNT = Server that is not a domain controller, LanManNT = Server that is a domain controller
   - ProductSuite: indicates Enterprise Edition, Terminal Server, ...
 Code in the operating system tests these values and behaves slightly differently in a few places
   - Licensing limits (number of processors, number of inbound network connections, etc.)
   - Boot-time calculations (memory manager)
   - Default length of time slice
   - See DDK: MmIsThisAnNtasSystem

42 System Threads
 Internal worker routines that need a thread context
 Drivers or the Executive can create system threads
   - Always run in kernel mode
   - Usually associated with the "System" process by default, but can be tied to any process
   - Preemptible (unless they raise IRQL to 2, DISPATCH_LEVEL, or above)
 Kernel-mode APIs: PsCreateSystemThread, PsTerminateSystemThread, KeSetBasePriorityThread, KeSetPriorityThread

43 Threads In The "System" Process
(Screen snapshot from Programs | Resource Kit | Diagnostics | Process Viewer, with the "System" process selected)
 Note CPU time is 100% kernel mode
 "Start address" is the address of the thread function. On Intel (at least):
   - Addresses 8xxxxxxx correspond to symbols in NtosKrnl.Exe
   - Addresses Axxxxxxx are routines in Win32K.Sys
   - Addresses Fxxxxxxx are routines in loaded device drivers

44 Threads In The "System" Process
 Memory management: Modified Page Writer for mapped files; Modified Page Writer for paging files; Balance Set Manager; Swapper (kernel stack, working sets); Zero page thread (thread 0, priority 0)
 Security Reference Monitor: Command Server Thread
 Network: Redirector and Server worker threads
 Threads created by drivers for their exclusive use (examples: floppy driver, parallel port driver)
 Pool of Executive worker threads: used by drivers, file systems, ...; accessed via ExQueueWorkItem

45 Threads In System Process (observed on Intel Windows NT Workstation 4.0)
Routine Name                  Priority  Notes
Phase1Initialization          0         First thread in the life of the system; becomes the zero page thread
ExpWorkerThread               9-16      Pool of worker threads
MiDereferenceSegmentThread    18        Dereferences segments; also expands the paging file
MiModifiedPageWriter          17        Writes modified pages to the paging file
KeBalanceSetManager           16        Reclaims memory from processes, with the aid of...
KeSwapProcessOrStack          23        Scheduled by the balance set manager
FsRtlWorkerThread             16, 17    Dedicated worker threads for FSDs
SepRmCommandServerThread      15        Security Reference Monitor Command Server
MiMappedPageWriter            17        Writes modified pages to mapped files
(Win32 threads)               16        Routines in Win32K.Sys (addresses 0xAxxxxxxx)
(driver threads)              various   Routines in *driver.Sys (addresses 0xFxxxxxxx)

47 Environment Subsystems
 Expose a "native API"
   - "Wrap" and extend Windows NT native functionality
   - Interfaces to write subsystems are not documented
 Two main components
   - Subsystem DLLs: convert the documented API to the native API
   - Environment Subsystem Process: maintains state of client processes; implements some subsystem APIs
 Three provided with Windows NT:
   - Win32
   - Posix: bare-minimum Posix standards, no optional components
   - OS/2: support for 1.x character-mode applications only

48 Subsystem Extensions
 OS/2: Microsoft sells an add-on to the OS/2 subsystem that supports 1.x Presentation Manager
 Posix: OpenNT from SoftWay, a more-featured replacement for the Posix subsystem

49 Environment Subsystems
 The subsystem for each .exe is specified in the image header
   - See winnt.h
   - See Explorer / QuickView (right-click on an .exe or .dll file)
   - Or \reskit\exetype image.exe
   IMAGE_SUBSYSTEM_UNKNOWN      0  // Unknown subsystem
   IMAGE_SUBSYSTEM_NATIVE       1  // Image doesn't require a subsystem
   IMAGE_SUBSYSTEM_WINDOWS_GUI  2  // Win32 subsystem (graphical app)
   IMAGE_SUBSYSTEM_WINDOWS_CUI  3  // Win32 subsystem (character cell)
   IMAGE_SUBSYSTEM_OS2_CUI      5  // OS/2 subsystem
   IMAGE_SUBSYSTEM_POSIX_CUI    7  // Posix subsystem
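
The header check that exetype and QuickView perform, as an added C example (not from the slides and not Microsoft code). It reads the Subsystem field at its winnt.h offset: e_lfanew at 0x3C, the 4-byte "PE\0\0" signature, the 20-byte IMAGE_FILE_HEADER, then the optional header whose Subsystem field sits at byte 68 for both PE32 and PE32+. Every offset is bounds-checked against the buffer length before it is read, so a truncated or deliberately corrupt header is rejected instead of being read out of bounds. BuildMinimalImage constructs a header-only test image; the subsystem names are the ones from the slide.

```c
/* Added example: read IMAGE_OPTIONAL_HEADER.Subsystem from a PE image safely.
 * Not code from the slides. BuildMinimalImage produces constructed test input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20b
#define IMAGE_FILE_MACHINE_I386        0x14c

enum { IMAGE_SUBSYSTEM_UNKNOWN = 0, IMAGE_SUBSYSTEM_NATIVE = 1, IMAGE_SUBSYSTEM_WINDOWS_GUI = 2,
       IMAGE_SUBSYSTEM_WINDOWS_CUI = 3, IMAGE_SUBSYSTEM_OS2_CUI = 5, IMAGE_SUBSYSTEM_POSIX_CUI = 7 };

/* Little-endian accessors: untrusted bytes are never cast to a struct. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 0 on success; a negative code says which header check failed. */
int GetImageSubsystem(const uint8_t *img, size_t len, uint16_t *subsystem) {
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t pe = rd32(img + 0x3C);                          /* IMAGE_DOS_HEADER.e_lfanew */
    if (pe > len || len - pe < 4 + 20) return -2;            /* e_lfanew points past the file */
    if (rd32(img + pe) != IMAGE_NT_SIGNATURE) return -3;
    const uint8_t *fh = img + pe + 4;                        /* IMAGE_FILE_HEADER */
    uint16_t optsize = rd16(fh + 16);                        /* SizeOfOptionalHeader */
    size_t optoff = (size_t)pe + 4 + 20;
    if (optsize < 70 || len - optoff < optsize) return -4;   /* too short to contain Subsystem */
    const uint8_t *opt = img + optoff;
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return -5;
    *subsystem = rd16(opt + 68);                             /* same offset in PE32 and PE32+ */
    return 0;
}

const char *SubsystemName(uint16_t s) {
    switch (s) {
    case IMAGE_SUBSYSTEM_NATIVE:      return "Image doesn't require a subsystem";
    case IMAGE_SUBSYSTEM_WINDOWS_GUI: return "Win32 subsystem (graphical app)";
    case IMAGE_SUBSYSTEM_WINDOWS_CUI: return "Win32 subsystem (character cell)";
    case IMAGE_SUBSYSTEM_OS2_CUI:     return "OS/2 subsystem";
    case IMAGE_SUBSYSTEM_POSIX_CUI:   return "Posix subsystem";
    default:                          return "Unknown subsystem";
    }
}

/* Constructed input: a header-only image (no sections) with the given magic and
 * subsystem. Returns the bytes written, or 0 if cap is too small. */
size_t BuildMinimalImage(uint8_t *buf, size_t cap, uint16_t magic, uint16_t subsystem) {
    const uint32_t pe = 0x80;
    const uint16_t optsize = (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) ? 240 : 224;
    size_t total = pe + 4 + 20 + optsize;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    uint8_t *fh = buf + pe + 4;
    wr16(fh, IMAGE_FILE_MACHINE_I386);
    wr16(fh + 16, optsize);
    uint8_t *opt = fh + 20;
    wr16(opt, magic);
    wr16(opt + 68, subsystem);
    return total;
}

/* exetype-style use: a file argument reports that file's subsystem; no argument
 * runs the check against the constructed image. */
int main(int argc, char **argv) {
    static uint8_t buf[1 << 16];
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        n = BuildMinimalImage(buf, sizeof buf, IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_SUBSYSTEM_WINDOWS_CUI);
    }
    uint16_t s;
    int rc = GetImageSubsystem(buf, n, &s);
    if (rc) { printf("not a usable PE image (code %d)\n", rc); return 1; }
    printf("subsystem %u: %s\n", s, SubsystemName(s));
    return 0;
}
```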

50 Showing .exe Type With QuickView
 In Explorer: right-click on an executable file or .DLL; a "context menu" appears; select Quick View

51 Environment Subsystems Loading
 Subsystems to load are specified in the registry: \SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
 Values:
   - Required: list of value names for subsystems to load at boot time
   - Optional: list of value names for subsystems to load when needed
   - Windows: value giving the filespec of the Win32 subsystem (csrss.exe)
   - Kmode: value giving the filespec of Win32K.Sys (the kernel-mode component of Win32)
   csrss.exe   Win32 APIs   required (Client Server Runtime SubSystem)
   os2ss.exe   OS/2 APIs    optional
   psxss.exe   Posix APIs   optional
 Some Win32 API DLLs are in the "known DLLs" registry entry: \SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

52 Environment Subsystems Components
(diagram: user mode holds the OS/2, Win32 and POSIX environment subsystems, the user application, the subsystem DLL, system and server processes and NTDLL.DLL; kernel mode holds the Executive, device drivers, the Kernel, Win32 User/GDI and the Hardware Abstraction Layer (HAL))
 Subsystem process
  For Win32: CSRSS.EXE
 API DLLs
  For Win32: Kernel32.DLL, Gdi32.DLL, User32.DLL, etc.
 Kernel-mode extension to executive
  Win32 only: Win32K.SYS

53 Windows NT Simplified Architecture (3.51 and earlier)
(diagram: two call paths from the user application's subsystem DLL - (1) most Win32 Kernel APIs go through NTDLL.DLL into the Executive; (2) all other Win32 APIs, including User and GDI APIs, go via LPC to the Win32 subsystem process; user mode holds the OS/2, Win32 and POSIX environment subsystems and the system and server processes, kernel mode holds the Executive, device drivers, Kernel and HAL)

54 Windows NT Simplified Architecture (4.0 and later)
(diagram: from the subsystem DLL, most Win32 Kernel APIs go through NTDLL.DLL into the Executive, most Win32 User and GDI APIs go into the kernel-mode Win32 User/GDI component, and a few Win32 APIs go via LPC to the Win32 subsystem process; kernel mode now holds the Executive, device drivers, Kernel, Win32 User/GDI and HAL)

55 (Reduced) Role Of Win32 Subsystem Process
 Process creation and deletion
 Thread creation and deletion
 Get temporary file name
 Drive letters
 Security checks for file system redirector
 Window management for console (character cell) applications
 Some 16-bit DOS support (NTVDM.EXE)

56 Agenda
 Introduction
 Tools
 System Architecture
  Kernel Mode Environment
  Executive, Kernel, HAL, Drivers
  Product Packaging
  System Threads
  Environment Subsystems
  System Service Dispatching
  Process-based Windows NT code
  Summary
 Processes and Threads
 Memory Management

57 Invoking System Functions From User Mode
 Kernel-mode functions (“services”) are invoked from user mode via a protected mechanism
  x86: INT 2E; Alpha: SYSCALL (PALcode)
  I.e., on a call to an OS service from user mode, the last thing that happens in user mode is this “change mode to kernel” instruction
  Causes an interrupt, handled by the system service dispatcher (KiSystemService) in kernel mode
  Return to user mode is done by dismissing the interrupt or exception
 The desired system function is selected by the “system service number”
  Every Windows NT function exported to user mode has a unique number
  Push this number on the stack just before the “change mode” instruction (after pushing the arguments to the service)
  This number is an index into the system service dispatch table
  Table gives kernel-mode entry point address and argument list length for each exported function

58 Invoking System Functions From User Mode
 All validity checks are done after the user to kernel transition
  KiSystemService probes argument list, copies it to kernel-mode stack, and calls the executive or kernel routine pointed to by the table
  Service-specific routine checks argument values, probes pointed-to buffers, etc.
  Once past that point, everything is “trusted”
 This is safe, because:
  The system service table is in kernel-protected memory; and
  The kernel mode routines pointed to by the system service table are in kernel-protected memory; therefore:
   User mode code can’t supply the code to be run in kernel mode; it can only select from among a predefined list
  Arguments are copied to the kernel mode stack before validation; therefore:
   Other threads in the process can’t corrupt the arguments “out from under” the service
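A model of the dispatch path described on the last two slides, added here and not taken from the deck or from Windows NT source: user mode supplies only a service number and the position of its argument list; the dispatcher range-checks the number against a kernel-resident table, probes and copies the argument bytes to a kernel-owned block, and only then calls the table's entry point. The table, the two services, the user-process structure and the status values are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status values for this model (chosen here; not Windows NT's NTSTATUS codes). */
#define STATUS_SUCCESS                 0
#define STATUS_INVALID_SYSTEM_SERVICE  (-1)
#define STATUS_ACCESS_VIOLATION        (-2)

/* A kernel-mode service routine works only on the argument copy it is handed. */
typedef int32_t (*service_fn)(const uint32_t *args);

/* One row of the system service dispatch table: entry point plus argument
 * list length, which is what the real table records for each exported service. */
typedef struct {
    service_fn entry;
    uint32_t   argbytes;
} service_entry;

/* Two hypothetical services standing in for real executive routines. */
static int32_t svc_add(const uint32_t *a)    { return (int32_t)(a[0] + a[1]); }
static int32_t svc_negate(const uint32_t *a) { return -(int32_t)a[0]; }

/* The table lives in kernel memory; user mode can only pick an index into it. */
static const service_entry service_table[] = {
    { svc_add,    8 },   /* service number 0: two 4-byte arguments */
    { svc_negate, 4 },   /* service number 1: one 4-byte argument  */
};
#define SERVICE_COUNT (sizeof service_table / sizeof service_table[0])
#define MAX_ARGBYTES  64

/* Model of a user process: a stack it owns, which its other threads may
 * overwrite at any time. */
typedef struct {
    uint8_t stack[256];
    size_t  stack_limit;   /* bytes of stack that are valid user memory */
} user_process;

/* Model of KiSystemService. Only the service number and the argument
 * position come from user mode. The number is range-checked against the
 * kernel-resident table, the argument bytes are probed and copied to a
 * kernel-owned block, and only then is the table's entry point called. */
int32_t ki_system_service(const user_process *p, uint32_t number,
                          size_t user_arg_offset, int32_t *result)
{
    if (number >= SERVICE_COUNT)
        return STATUS_INVALID_SYSTEM_SERVICE;   /* not in the predefined list */
    const service_entry *e = &service_table[number];
    /* Probe: the whole argument block must lie inside valid user memory. */
    if (user_arg_offset > p->stack_limit ||
        p->stack_limit - user_arg_offset < e->argbytes)
        return STATUS_ACCESS_VIOLATION;
    uint32_t kargs[MAX_ARGBYTES / 4] = {0};
    memcpy(kargs, p->stack + user_arg_offset, e->argbytes);   /* snapshot */
    /* From here on the service sees only the kernel copy, so another user
     * thread rewriting the stack cannot change what was validated. */
    *result = e->entry(kargs);
    return STATUS_SUCCESS;
}

int main(void)
{
    user_process p = { {0}, sizeof p.stack };
    uint32_t args[2] = { 40, 2 };               /* constructed user arguments */
    memcpy(p.stack + 16, args, sizeof args);    /* "pushed" at stack offset 16 */
    int32_t r = 0;
    int32_t st = ki_system_service(&p, 0, 16, &r);
    printf("service 0 -> status %d, result %d\n", st, r);
    printf("service 99 -> status %d\n", ki_system_service(&p, 99, 16, &r));
    printf("args past end of stack -> status %d\n", ki_system_service(&p, 0, 252, &r));
    return 0;
}
```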

59 NTDLL.DLL
 PUSH of service # and INT 2E are “wrapped” by small “jacket” procedures in NTDLL.DLL
  These user-mode routines have the same function names and arguments as the kernel mode routines they call
  E.g., NtWriteFile in NtDll.Dll invokes NtWriteFile in NtosKrnl.Exe
  Therefore exports of NTDLL are the “NT native API”
 Entry points in NtDll.Dll are not supported or documented for use from user mode apps
  A few are documented in the DDK for call from kernel mode
  A few images that come with Windows NT are written to the “native API” exposed by NtDll.Dll (“Windows NT native images”)
  See article on
 NTDLL also contains image loader and other support functions
 What about getting to USER and GDI functions in Win32K.SYS?
  System service wrapper exists in USER32.DLL, GDI32.DLL
  Does not go through NTDLL.DLL

60 Tracing An Example Win32 Call
(diagram of the call chain, user mode above the U/K line and kernel mode below; source: MSJ, August 1996, page 21, by Matt Pietrek)
Win32 application: call WriteFile(…)
WriteFile in Kernel32.Dll (Win32-specific): call NtWriteFile
NtWriteFile in NtDll.Dll (used by all subsystems): Int 2E (software interrupt)
KiSystemService in NtosKrnl.Exe: call NtWriteFile
NtWriteFile in NtosKrnl.Exe: do the operation; return to caller
KiSystemService: dismiss interrupt
NtWriteFile in NtDll.Dll: return to caller
WriteFile in Kernel32.Dll: return to caller

61 Tracing An Example Win32 Call
 Depends.Exe in Resource Kit and Platform SDK
 Allows viewing of image->DLL relationships, imports, and exports

62 Examining Symbols In Key Images
 Examine imports and exports of an .EXE down to the OS
  In Explorer, right mouse click on EXE or DLL, then “quick view” (built in) or “View Dependencies” (Dependency Walker tool in ResKit and Platform SDK)
  Or use LINK /DUMP /EXPORTS, /IMPORTS
1. Look at imports of \winnt\system32\notepad.exe
2. Look at exports and imports of kernel32.dll
  Most of the exports are documented Win32 calls
3. Look at exports and imports of ntdll.dll
  None of the exports are documented
  Some are the same as exports from ntoskrnl.exe, documented in DDK, with identical

63 Examining Symbols In Key Images
4. Look at exports and imports of ntoskrnl.exe
  About 1000 total exported symbols
  About 300 of the exported routine names are documented in DDK
  Callable only from kernel mode
5. Look at all global symbols in ntoskrnl.exe
  Defined in \support\symbols\xxx\debug\exe\ntoskrnl.dbg
  Quick viewer won’t display - use Kernel Debugger “x *” with just this .dbg file loaded
  About 4000 total symbols (includes executive data cells in addition to routines)
  Exports of ntoskrnl.exe are a subset of this list

64 Agenda
 Introduction
 Tools
 System Architecture
  Kernel Mode Environment
  Executive, Kernel, HAL, Drivers
  Product Packaging
  System Threads
  Environment Subsystems
  System Service Dispatching
  Process-based Windows NT code
  Summary
 Processes and Threads
 Memory Management

65 Process-Based Windows NT Code
 Pieces of Windows NT that run in separate executables (.exe’s), in separate processes
  Started by system
  Not tied to a user logon
 Have full process context
 Three types:
  Environment Subsystems (already described)
  Win32 Services
  System startup processes
  Note: “system startup processes” is not an official MS-defined name

66 Process Creation Hierarchy
 tlist.exe (from resource kit)
 tlist /t shows creation hierarchy
 Creating process can exit, leaving created process running - hence this display does not show all creators
  Explorer.exe is actually started by userinit.exe, which then exits

67 Process-Based Windows NT Code: Win32 services
 Win32 .EXEs (applications) that run independently of a logged on user
  Start at boot or logon time, survive logoff
  Defined by CreateService API - view through Control Panel
  See srvany.exe, sc.exe, srvinstw.exe, instsrv.exe in Resource Kit
  Typically do not interact with the desktop
  Get startup configuration parameters from Registry
  Log errors to Windows NT Event Log
  Use some form of IPC mechanism for client communication and control
  Services will likely make use of Windows NT security impersonation
  Remotely manageable (start, stop, user-defined codes)
  Server Manager allows remote control of services
  Code is the same to control services locally vs. remotely
 Examples of built-in Windows NT Services
  Schedule service (at command), Event Log, Remote Access Server, etc.

68 Life Of A Service
(diagram: the Setup Application calls CreateService into the Service Controller, which records the service in the Registry and starts the Service Processes; the Control Panel also talks to the Service Controller)
 Install time
  Setup application tells Service Controller about the service
 System boot / initialization
  SCM reads registry, starts services as directed
 Management / maintenance
  Control panel can start and stop services and change startup parameters

69 Where Are Services Defined?
 Maintained in Windows NT Registry:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  One key per installed service
 Mandatory information kept on each service:
  Type of service (Win32, Driver…)
  Imagename of service .EXE
  NOTE: Some service .EXEs contain more than one service
  Start type (automatic, manual, or disabled)
 Optional information:
  Display Name
  Dependencies
  Account and password to run under
 Can store application-specific configuration parameters
  “Parameters” under service key

70 Process-Based Windows NT Code: System startup processes
 Separate processes loaded or started at boot time (not as services or environment subsystems)
 Names of images are not in registry
  “Hardwired” in the source code
 Most are Win32 executables, one (smss) is a “native image”
(Idle) Process id 0
  Part of the loaded system image
  Home for idle thread(s) (not a real process nor real threads)
  Called “System Process” in many displays
(System) Process id 2
  Part of the loaded system image
  Home for kernel-defined threads (not a real process)
  Thread 0 (routine name Phase1Initialization) launches the first “real” process, running smss.exe…
  …and then becomes the zero page thread

71 Process-Based Windows NT Code: System startup processes
 smss.exe - Session Manager
  The first “created” process
  Takes parameters from \Registry\Machine\System\CurrentControlSet\Control\Session Manager
  Launches required subsystems (csrss) and winlogon
 winlogon.exe - Logon process
  Presents first login prompt
  Presents “enter username and password” dialog
  Launches services.exe, lsass.exe, and nddeagnt.exe
  When someone logs in, launches userinit.exe
 services.exe - Service Controller; also, home for many NT-supplied services
  Starts processes for services not part of services.exe (driven by \Registry\Machine\System\CurrentControlSet\Services)
 lsass.exe - Local Security Authentication Server
 userinit.exe - Started after logon; starts desktop (Explorer.Exe) and exits (hence does not show up in tlist output; Explorer appears to be an orphan)
 explorer.exe - and its children are the creators of all interactive apps

72 Agenda
 Introduction
 Tools
 System Architecture
  Kernel Mode Environment
  Executive, Kernel, HAL, Drivers
  Product Packaging
  System Threads
  Environment Subsystems
  System Service Dispatching
  Process-based Windows NT code
  Summary
 Processes and Threads
 Memory Management

73 Four Contexts For Executing Code
 Full process and thread context:
  User applications
  Win32 Services
  Environment subsystem processes
  System startup processes
 Have thread context but no “real” process:
  Threads in “System” process
 Routines called by other threads / processes:
  Subsystem DLLs
  Executive system services (NtReadFile, etc.)
  GDI routines in Win32K.Sys (and graphics drivers)
 No process or thread context (“Arbitrary thread context”)
  Interrupt dispatching
  Device drivers

74 Where Is The Code?
 Kernel32.Dll, Gdi32.Dll, User32.Dll
  Export Win32 entry points
 NtDll.Dll
  Provides user-mode access to system-space routines
  Also contains heap manager, image loader, thread startup routine
 Ntoskrnl.Exe (or Ntkrnlmp.exe)
  Executive and kernel
  Includes most routines that run as threads in “system” process
 Win32K.Sys
  The loadable module that includes the now-kernel-mode Win32 code (formerly in csrss.exe)
 Hal.Dll
  Hardware Abstraction Library
 drivername.Sys
  Loadable kernel drivers

75 Agenda  Introduction  Tools  System Architecture  Processes and Threads  Memory Management

76 Processes And Threads
(diagram: a per-process address space containing several threads, alongside the systemwide address space)
 What is a process?
  Represents an instance of a running program
  You create a process to run a program
  Starting an application creates a process
  Primary argument to CreateProcess is image file name (or command line)
 What is a thread?
  An execution context within a process
  Primary argument to CreateThread is a function entry point address
  All threads in a process share the same per-process address space
 Every process starts with one thread
  Running the program’s “main” function
  Can create other threads in the same process
  Can create additional processes

77 Tools To Examine Processes
 Task Manager
 Performance Monitor
 pviewer.exe (pview in Platform SDK): shows processes, threads within processes, memory details
 pview.exe (process explode): thread and process ACLs and tokens
 tlist.exe - tlist /t shows parent/child relationships
 QuickSlice
  qlice.exe
  CPU usage by process, and by thread within each process
 Pulist - process user list
 Vadump - dump virtual address space of a process

78 Tools To Examine Processes
 Page fault monitor (pfmon.exe)
  Shows page fault type and origin of subject application
  Can provide data to working set tuner (part of Platform SDK)
 Pstat
  pstat.exe (char mode, no icon)
  One-time snapshot of system
  Shows state of threads within all processes, with wait reasons
 Kernel debugger
  Shows various internal structures
  See Windows NT ® Workstation Resource Kit documentation
 oh.exe (ResKit), nthandleex (www.sysinternals.com) - show open handles
 Ntpmon (www.sysinternals.com)

79 Windows NT 5.0 Job Object
 New kernel object to collect a group of related processes
  CreateJobObject/OpenJobObject
 System enforces job quotas and security context
  Limits: Total and current CPU time, total and active processes, per-process and per-job CPU time, min and max working set, CPU affinity, priority class
  Security limits: No administrators token, only restricted token, only specific token, filter token, no accessing windows outside the job, no reading/writing the clipboard
 To examine: See new performance counters + new !job command in kernel debugger

80 Processes And Threads Internal Structures
(diagram: the process object links to its handle table, its access token, a chain of virtual address space descriptors (VAD objects) and its threads)
See kernel debugger commands: !processfields, !threadfields, !process, !thread, !tokenfields, !token, !handle, !object

81 !processfields
Pcb: 0x0   ExitStatus: 0x68   LockEvent: 0x6c
LockCount: 0x7c   CreateTime: 0x80   ExitTime: 0x88
LockOwner: 0x90   UniqueProcessId: 0x94   ActiveProcessLinks: 0x98
QuotaPeakPoolUsage[0]: 0xa0   QuotaPoolUsage[0]: 0xa8   PagefileUsage: 0xb0
CommitCharge: 0xb4   PeakPagefileUsage: 0xb8   PeakVirtualSize: 0xbc
VirtualSize: 0xc0   Vm: 0xc8   LastProtoPteFault: 0xf8
DebugPort: 0xfc   ExceptionPort: 0x100   ObjectTable: 0x104
Token: 0x108   WorkingSetLock: 0x10c   WorkingSetPage: 0x12c
ProcessOutswapEnabled: 0x130   ProcessOutswapped: 0x131   AddressSpaceInitialized: 0x132
AddressSpaceDeleted: 0x133   AddressCreationLock: 0x134   ForkInProgress: 0x158
VmOperation: 0x15c   VmOperationEvent: 0x160   PageDirectoryPte: 0x164
LastFaultCount: 0x168   VadRoot: 0x170   VadHint: 0x174
CloneRoot: 0x178   NumberOfPrivatePages: 0x17c   NumberOfLockedPages: 0x180
ForkWasSuccessful: 0x184   ExitProcessCalled: 0x186   CreateProcessReported: 0x187
SectionHandle: 0x188   Peb: 0x18c   SectionBaseAddress: 0x190
QuotaBlock: 0x194   LastThreadExitStatus: 0x198   WorkingSetWatch: 0x19c
LpcPort: 0x1a0   InheritedFromUniqueProcessId: 0x1a4   GrantedAccess: 0x1a8
DefaultHardErrorProcessing: 0x1ac   LdtInformation: 0x1b0   VadFreeHint: 0x1b4
VdmObjects: 0x1b8   ProcessMutant: 0x1bc   ImageFileName[0]: 0x1dc
VmTrimFaultValue: 0x1ec

82 !threadfields
Tcb: 0x0   CreateTime: 0x1b0   ExitTime: 0x1b8
ExitStatus: 0x1c0   PostBlockList: 0x1c4   TerminationPortList: 0x1cc
ActiveTimerListLock: 0x1d4   ActiveTimerListHead: 0x1d8   Cid: 0x1e0
LpcReplySemaphore: 0x1e8   LpcReplyMessage: 0x1fc   LpcReplyMessageId: 0x200
Client: 0x208   IrpList: 0x20c   TopLevelIrp: 0x214
ReadClusterSize: 0x21c   ForwardClusterOnly: 0x220   DisablePageFaultClustering: 0x221
DeadThread: 0x222   HasTerminated: 0x223   EventPair: 0x224
GrantedAccess: 0x228   ThreadsProcess: 0x22c   StartAddress: 0x230
Win32StartAddress: 0x234   LpcExitThreadCalled: 0x238   HardErrorsAreDisabled: 0x239

83 Looking At Waiting Threads
 pstat.exe (Resource Kit)
  Shows state of every thread in every process
  But for threads that are waiting, that’s all we know…

84 Looking At Waiting Threads  !thread command in kernel debugger shows what a thread is waiting on

85 Dispatcher Objects
(diagram: dispatcher object header - Size, Type, State, Wait list head - followed by object-type-specific data; see \ddk\inc\ntddk.h)
 Any kernel object you can wait for is a “dispatcher object”
  Some exclusively for synchronization
   E.g., events, mutexes (“mutants”), semaphores, queues, timers
  Others can be waited for as a side effect of their prime function
   E.g., processes, threads, file objects
  Non-waitable kernel objects are called “control objects”
 All dispatcher objects have a common header
 All dispatcher objects are in one of two states
  “Signalled” versus “nonsignalled”
  When signalled, a wait on the object is satisfied
  Different object types differ in terms of what changes their state
  Wait and unwait implementation is common to all types of dispatcher objects

86 Wait Blocks
(diagram: each wait block holds Key, Type, Next link, List entry, Object and Thread; a thread's WaitBlockList chains the wait blocks of its current wait call, and each dispatcher object's wait list head links the wait blocks of every thread waiting on it)
 Represent a thread’s reference to something it’s waiting for (one per handle passed to WaitFor…)
 All wait blocks from a given wait call are chained to the waiting thread
 Type indicates wait for “any” or “all”
 Key denotes argument list position for WaitForMultipleObjects
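A working model of the wait and unwait logic described on slides 85 and 86, added here and not taken from the deck or from Windows NT itself: a common dispatcher header with a wait list, per-thread wait blocks carrying Key and Type, wait-any versus wait-all satisfaction, and unlinking of all of a thread's wait blocks from every object when its wait completes. Objects use notification-event semantics (they stay signalled once set); all names are chosen for this example.

```c
#include <stddef.h>

#define MAX_WAIT_OBJECTS 8
#define WAIT_RESULT_ALL  0x100       /* wait_result of a completed wait-all */
enum { WAIT_ANY = 1, WAIT_ALL = 2 };

typedef struct wait_block wait_block;
typedef struct thread thread;

/* Common dispatcher header: every waitable object begins with this. */
typedef struct {
    const char *type;            /* "event", "mutant", ... (informational here) */
    int signalled;               /* 1 = signalled, 0 = nonsignalled */
    wait_block *wait_list;       /* wait blocks of threads blocked on this object */
} dispatcher_object;

struct wait_block {              /* one per handle passed to the wait call */
    dispatcher_object *object;
    thread *owner;
    int key;                     /* position in the WaitForMultipleObjects list */
    int wait_type;               /* WAIT_ANY or WAIT_ALL */
    wait_block *next_in_object;  /* link in the object's wait list */
};

struct thread {
    const char *name;
    int waiting;
    int wait_result;             /* key that satisfied the wait; -1 while blocked */
    int nblocks;
    wait_block blocks[MAX_WAIT_OBJECTS];   /* the thread's wait block list */
};

static void object_remove_block(dispatcher_object *o, wait_block *wb)
{
    wait_block **pp = &o->wait_list;
    while (*pp && *pp != wb) pp = &(*pp)->next_in_object;
    if (*pp) *pp = wb->next_in_object;
}

/* Unwait: detach every wait block of the thread from its object, then wake it. */
static void unwait_thread(thread *t, int result)
{
    for (int i = 0; i < t->nblocks; i++)
        object_remove_block(t->blocks[i].object, &t->blocks[i]);
    t->nblocks = 0; t->waiting = 0; t->wait_result = result;
}

static int all_signalled(const thread *t)
{
    for (int i = 0; i < t->nblocks; i++)
        if (!t->blocks[i].object->signalled) return 0;
    return 1;
}

/* KeWaitForMultipleObjects-style entry. Returns 1 if satisfied at once (see
 * t->wait_result), 0 if the thread is now blocked, -1 on bad input. Assumes
 * no object appears twice in objs. */
int wait_for_multiple(thread *t, dispatcher_object **objs, int n, int wait_type)
{
    if (n < 1 || n > MAX_WAIT_OBJECTS) return -1;
    int signalled = 0;
    for (int i = 0; i < n; i++) {
        if (!objs[i]->signalled) continue;
        if (wait_type == WAIT_ANY) {            /* first signalled object wins */
            t->waiting = 0; t->nblocks = 0; t->wait_result = i;
            return 1;
        }
        signalled++;
    }
    if (wait_type == WAIT_ALL && signalled == n) {
        t->waiting = 0; t->nblocks = 0; t->wait_result = WAIT_RESULT_ALL;
        return 1;
    }
    /* Not satisfied: one wait block per object, pushed onto that object's
     * wait list; all of them stay attached to this thread. */
    t->nblocks = n;
    for (int i = 0; i < n; i++) {
        wait_block *wb = &t->blocks[i];
        wb->object = objs[i]; wb->owner = t; wb->key = i; wb->wait_type = wait_type;
        wb->next_in_object = objs[i]->wait_list;
        objs[i]->wait_list = wb;
    }
    t->waiting = 1; t->wait_result = -1;
    return 0;
}

/* Signal an object (notification-event semantics: it stays signalled) and
 * satisfy every wait that this completes. */
void set_signalled(dispatcher_object *o)
{
    o->signalled = 1;
    for (wait_block *wb = o->wait_list, *next; wb; wb = next) {
        next = wb->next_in_object;              /* unwait unlinks wb */
        if (wb->wait_type == WAIT_ANY) unwait_thread(wb->owner, wb->key);
        else if (all_signalled(wb->owner)) unwait_thread(wb->owner, WAIT_RESULT_ALL);
    }
}
```

With two nonsignalled events, a wait-any thread and a wait-all thread both blocked on them, signalling the second event releases only the wait-any thread (with key 1); signalling the first then releases the wait-all thread and leaves both wait lists empty.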

87 Agenda
 Introduction
 Tools
 System Architecture
 Processes and Threads
 Memory Management
  Virtual Address Space Layout
  Process Memory Usage
  Global System Cache
  System Memory Usage

88 Virtual Address Space
(diagram: the per-process half holds .EXE code, globals, per-thread user mode stacks, process heaps and .DLL code; the system half holds the Exec, Kernel, HAL, drivers, per-thread kernel mode stacks, Win32K.Sys, the file system cache, paged pool, non-paged pool, and the process page tables and hyperspace; addresses run up to FFFFFFFF)
 2 GB per-process
  Address space of one process is not directly reachable from other processes
 2 GB systemwide
  The operating system is loaded here, and appears in every process’s address space
  There is no process for “the operating system” (though there are processes that do things for the OS, more or less in “background”)
Legend: per-process half - unique per process, accessible in user or kernel mode; system half - system wide, accessible only in kernel mode; page tables and hyperspace - per process, accessible only in kernel mode

89 System Space Layout
(diagram: side-by-side x86 and Alpha AXP system-space maps; most region boundary addresses were lost in extraction, only the labels C0C00000, DE000000, FDFEC000, FFBE0000 and FFC00000 survive)
Regions shown: System code (NTOSKRNL, HAL, boot drivers) and initial nonpaged pool; System Mapped Views (e.g. WIN32K.SYS) or session space (Terminal Server only); Additional System PTEs (& big cache); Process Page Tables and Page Directory; Hyperspace and process working set list; System Cache; Paged Pool; Non-Paged Pool expansion; System Working Set List; Unused / No Access; System PTEs; Crash dump information; HAL usage

90 3GB Process Space Option
(diagram: per-process space, unique per process and accessible in user or kernel mode, holds .EXE code, globals, per-thread user mode stacks, .DLL code and process heaps up to BFFFFFFF; the system space above it - Exec, kernel, HAL, drivers, etc. - is system wide and accessible only in kernel mode, ending at FFFFFFFF; process page tables and hyperspace remain per process, accessible only in kernel mode)
 Only available on x86 Server Enterprise Edition
  Boot with /3GB option in BOOT.INI
  Chief “loser” in system space is file system cache
 Expands per-process address space
  But image must be marked as “large address space aware”
 A stopgap while we wait for 64-bit Windows NT (Merced and Alpha; post-Windows NT 5.0)

91 Very Large Memory In Windows NT 5.0
(diagram: 64-bit address space showing the 2GB user (process) space and 2GB system space, the Large Memory Area reached by 64-bit pointers, and an invalid (inaccessible) region of about 1.8x10^19 bytes; not to scale)
 Alpha Windows NT Server Enterprise Edition only
 Referenced by 64-bit pointers
  Cannot be paged out - must be resident at all times
  Cannot be used for code, only data file mapping
  New APIs: VirtualAllocVlm, MapViewOfFileVlm, Read/WriteFileVlm, Read/WriteProcessMemoryVlm, etc.
  Yet another stopgap prior to 64-bit Windows NT

92 Application Startup Maps V.A.S. To Code On Disk
(diagram: regions of the process virtual address space backed by the .exe, by .dlls and by the paging file)
 See link /dump /header, or QuickView for .exe’s and .dll’s
 CreateFileMapping, MapViewOfFile simply make the mechanism available to application-level code
 All of these files may simultaneously be mapped by other processes

93 Process Virtual Address Layout
Screen snapshot from: Programs | SDK Tools | Process Walker, then Process | Load Process | notepad

94 Agenda
 Introduction
 Tools
 System Architecture
 Processes and Threads
 Memory Management
  Virtual Address Space Layout
  Process Memory Usage
  Global System Cache
  System Memory Usage

95 Process Memory Usage
 Working set: All the physical pages “owned” by a process
  Essentially, all the pages the process can reference without incurring a page fault
  Upper limit on size for each process
  When limit is reached, a page must be released for every page that’s brought in (“working set replacement”)
 Working set limit: The maximum pages the process can own
  Maximum is calculated as (available pages pages)
  Result stored in MmMaximumWorkingSetSize

96 Working Set List
 A FIFO list for each process
(diagram: the list runs from newer pages to older pages; its size is the PerfMon Process “Working Set” counter)

97 Working Set Replacement
(diagram: the working set list with newer pages entering and older pages leaving to the standby or modified page list; its size is the PerfMon Process “Working Set” counter)
 When working set “count” = working set size, must give up pages to make room for new pages
 Page replacement is “modified FIFO”
  MP x86 and Alpha: no regard to accessed bit
  Windows NT 5.0 on uniprocessor x86 takes into account age

98 Locking Pages
 Pages may be locked into the process working set
   - Locked pages are guaranteed in physical memory ("resident") when any thread in the process is executing
   - Win32: status = VirtualLock(baseAddress, size); status = VirtualUnlock(baseAddress, size);
 Number of lockable pages is a fraction of the maximum working set size
   - Changed by SetProcessWorkingSetSize
 Pages can be locked into physical memory (by drivers only)
   - Pages are then immune from outswapping as well as paging: MmProbeAndLockPages
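The practical reason an application locks pages is the one slide 98 implies: data that must not reach the paging file, such as key material, stays resident only while it is locked. The following is an added example, not code from the slides or from David Solomon Expert Seminars. It locks a constructed placeholder key with VirtualLock, and when the lock fails with ERROR_WORKING_SET_QUOTA (the lockable fraction of the working set is used up) it raises the working-set minimum with SetProcessWorkingSetSize and retries once. The headroom argument and the function names are this example's own. The Win32 calls are compiled only under _WIN32; the page arithmetic is portable and can be checked anywhere.

```c
/* Added example, not from the slides: keep a secret (here a constructed
 * placeholder key) out of the paging file by locking its pages into the
 * process working set with VirtualLock. If the lock fails because the
 * lockable fraction of the working set is exhausted, raise the working-set
 * minimum with SetProcessWorkingSetSize and retry once. The Win32 calls are
 * compiled only on Windows; the page arithmetic is portable. */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Round a byte count up to whole pages: VirtualLock locks pages, not bytes. */
size_t bytes_to_pages(size_t bytes, size_t page_size) {
    return (bytes + page_size - 1) / page_size;
}

/* Working-set minimum needed to hold the locked region plus headroom for the
 * rest of the process. The headroom is an assumed margin chosen by the caller;
 * the lockable count is only a fraction of the working-set limit (slide 98). */
size_t needed_min_pages(size_t secret_bytes, size_t page_size, size_t headroom_pages) {
    return bytes_to_pages(secret_bytes, page_size) + headroom_pages;
}

#ifdef _WIN32
/* Lock 'len' bytes at 'buf' into the working set. Returns 1 on success, 0 on failure. */
int lock_secret(void *buf, size_t len) {
    if (VirtualLock(buf, len)) return 1;
    if (GetLastError() != ERROR_WORKING_SET_QUOTA) return 0;

    SYSTEM_INFO si;
    GetSystemInfo(&si);
    SIZE_T cur_min = 0, cur_max = 0;
    if (!GetProcessWorkingSetSize(GetCurrentProcess(), &cur_min, &cur_max)) return 0;
    /* Grow both limits by the locked region so the maximum stays >= the minimum. */
    SIZE_T extra = needed_min_pages(len, si.dwPageSize, 0) * si.dwPageSize;
    if (!SetProcessWorkingSetSize(GetCurrentProcess(), cur_min + extra, cur_max + extra)) return 0;
    return VirtualLock(buf, len) ? 1 : 0;
}

/* Scrub before unlocking so a later page-out cannot carry the secret to disk. */
void release_secret(void *buf, size_t len) {
    SecureZeroMemory(buf, len);
    VirtualUnlock(buf, len);
}

int main(void) {
    const size_t len = 4096;
    /* VirtualAlloc gives page-aligned, committed memory to hold the secret. */
    unsigned char *key = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!key || !lock_secret(key, len)) return 1;
    memset(key, 0xA5, 32);   /* constructed placeholder key material, not a real key */
    /* ... use the key while it is locked ... */
    release_secret(key, len);
    VirtualFree(key, 0, MEM_RELEASE);
    return 0;
}
#endif
```

Lock before the secret is written, not after: pages that were already paged out before the lock leave a copy in the paging file that VirtualLock does nothing about. Zeroing before VirtualUnlock matters for the same reason.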

99 Memory Management Information: Task Manager Processes Tab
[Screen snapshot from: Task Manager | Processes tab]
 "Mem Usage" = physical memory used by the process (working set size, not working set limit)
 "VM Size" = private (not shared) committed virtual space in the process
 "Mem Usage" in the status bar is the total of the "VM Size" column / maximum allowed, i.e., the same as "commit charge" on the "Performance" tab (see next slide); not the same as the "Mem Usage" column here!

100 Memory Management Information: PerfMon Process Object
[Screen snapshot from: Performance Monitor counters from the Process object]
 "Working Set" = working set size (not limit)
 "Private Bytes" = same as "VM Size" in the Task Manager Processes list
 "Virtual Bytes" = committed virtual space, including shared pages

101 Memory Management Information: Task Manager Performance Tab
[Screen snapshot from: Task Manager | Performance tab]
 "Commit charge total" = total of private (not shared) committed virtual space in all processes (i.e., the total of "VM Size" from the Processes display)
 "Commit charge limit" = sum of available physical memory + free space in the paging file

102 Agenda
 Introduction
 Tools
 System Architecture
 Processes and Threads
 Memory Management
   - Virtual Address Space Layout
   - Process Memory Usage
   - Global System Cache
   - System Memory Usage

103 File System Virtual Block Cache
 Shared by all file systems (local or remote)
 Caches all files
   - Including file system metadata files
 Virtual block cache (not logical block)
   - Managed in terms of blocks within files, not blocks within a partition
   - Uses standard Windows NT virtual memory mechanisms
   - Coherency maintained between mapped files and read/write access
 Virtual size: mb (960MB if large cache size set)
   - In system virtual address space, so visible to all
   - Divided into 256kb "views"

104 Cached File Operations
[Diagram: a file mapped into a cache view in system address space, accessed from a process address space]
 Open a file:
   - Find an available view
   - Map the first 256kb of the file into the view
 Read from or write to a cached file:
   - Remap as necessary to map the referenced section of the file into the cache
   - Copy data between the application buffer and the cache's virtual address space
   - Actual I/O is due to paging

105 Fast I/O
[Diagram: I/O subsystem API (Ntxxx) -> I/O Manager (Ioxxx) -> file system drivers (e.g. NTFS) -> disk device driver -> HAL I/O access routines -> I/O ports and registers, with driver support routines (Io, Ex, Ke, Mm, Hal, FsRtl, ...) alongside; the fast I/O path goes from the API directly to the Cache Manager]
 Fast I/O path
   - Allows executive I/O APIs to access the cache directly
   - Bypasses the file system driver
   - Bypasses IRP generation, probe-and-lock of the user buffer, etc.

106 Cache Size
 Physical size: depends on available memory
   - Competes for physical memory with processes, paged pool, pageable system code
   - Part of the "system working set"
   - Automatically expanded / shrunk by the system
     - Normal working set adjustment mechanisms
     - Relies on the Memory Manager for global memory policy
   - Performance Monitor: Memory object | System Cache Resident Bytes shows the current physical space occupied by the cache
 See \SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache
   - Default is 0 for both Workstation and Server
   - 1 = favor system working set vs. process working set
     - also allows the cache to be >512MB virtual size
   - Can modify with Control Panel->Network->Services->Server properties

107 Cache Functions And Control
 Automatic asynchronous readahead
   - Done by a separate "Readahead" system thread
   - 64kb readaheads by default
   - Predicts the next read location based on the history of the last 3 reads
   - Readahead hints can be provided to CreateFile:
     - FILE_FLAG_SEQUENTIAL_SCAN does 192kb read ahead
     - FILE_FLAG_RANDOM_ACCESS disables read ahead
 Write-back, not write-through
   - Dirty page threshold forces writing
     - Small system: Physical Pages / 8; medium system: Physical Pages / 4
     - Large system: add the above 2 together
   - "Lazy writer" thread queues 1/4 of the dirty pages every second to a separate "Write Behind" system thread (note: does not flush mapped files)
   - Can override via CreateFile with FILE_FLAG_WRITE_THROUGH
   - Or explicitly call FlushFileBuffers when you care (does flush mapped files)

108 Cache Functions And Control
 Can disable the cache completely on a per-file basis
   - CreateFile with FILE_FLAG_NO_BUFFERING
   - Requires reads/writes to be done on sector boundaries
   - Buffers must be aligned in memory on sector boundaries
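Slides 107 and 108 describe two ways an application can override the write-back cache: write-through (FILE_FLAG_WRITE_THROUGH plus FlushFileBuffers) for data that must be on disk before the call returns, such as an audit record, and bypassing the cache entirely (FILE_FLAG_NO_BUFFERING), which shifts the sector-alignment burden onto the caller. The block below is an added example, not code from the slides or from David Solomon Expert Seminars. It obtains the volume sector size with GetDiskFreeSpace, rounds the request up to a sector multiple, reads into a page-aligned VirtualAlloc buffer through an unbuffered handle, and appends a record through a write-through handle. The function names and the "root" argument are this example's own. The Win32 calls compile only under _WIN32; the alignment arithmetic is portable and assumes the sector size is a power of two.

```c
/* Added example, not from the slides: read a file with the cache bypassed
 * (FILE_FLAG_NO_BUFFERING), which obliges the caller to use sector-aligned
 * offsets, lengths and buffer addresses; and append a record with
 * FILE_FLAG_WRITE_THROUGH so the data is on disk when WriteFile returns
 * instead of waiting for the lazy writer. Win32 calls compile only on
 * Windows; the alignment helpers are portable. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Round 'n' up to a multiple of 'sector' (assumed to be a power of two). */
size_t round_up_to_sector(size_t n, size_t sector) {
    return (n + sector - 1) & ~(sector - 1);
}

/* True if an address or file offset is a multiple of the sector size. */
int is_sector_aligned(uintptr_t value, size_t sector) {
    return (value & (sector - 1)) == 0;
}

#ifdef _WIN32
/* Sector size of the volume whose root is 'root', e.g. "C:\\"; 0 on failure. */
DWORD volume_sector_size(const char *root) {
    DWORD spc, bps, freec, totc;
    if (!GetDiskFreeSpaceA(root, &spc, &bps, &freec, &totc)) return 0;
    return bps;
}

/* Read up to 'want' bytes from the start of 'path' bypassing the cache.
 * Returns the number of bytes copied to 'out', or (DWORD)-1 on failure. */
DWORD read_unbuffered(const char *path, const char *root, void *out, size_t want) {
    DWORD sector = volume_sector_size(root);
    if (sector == 0) return (DWORD)-1;
    size_t len = round_up_to_sector(want, sector);
    /* VirtualAlloc returns page-aligned memory, which satisfies sector alignment. */
    void *buf = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!buf || !is_sector_aligned((uintptr_t)buf, sector)) return (DWORD)-1;
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                           FILE_FLAG_NO_BUFFERING, NULL);
    DWORD got = 0;
    if (h == INVALID_HANDLE_VALUE || !ReadFile(h, buf, (DWORD)len, &got, NULL)) {
        if (h != INVALID_HANDLE_VALUE) CloseHandle(h);
        VirtualFree(buf, 0, MEM_RELEASE);
        return (DWORD)-1;
    }
    if (got > want) got = (DWORD)want;   /* the read was rounded up; hand back only what was asked for */
    memcpy(out, buf, got);
    CloseHandle(h);
    VirtualFree(buf, 0, MEM_RELEASE);
    return got;
}

/* Append a record that must survive a crash: write-through plus an explicit
 * FlushFileBuffers, which also pushes out the file's metadata. Returns 1 on success. */
int write_durable(const char *path, const void *data, DWORD len) {
    HANDLE h = CreateFileA(path, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS,
                           FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    DWORD written = 0;
    int ok = WriteFile(h, data, len, &written, NULL) && written == len;
    ok = ok && FlushFileBuffers(h);
    CloseHandle(h);
    return ok;
}
#endif
```

The buffer is sized to the rounded-up length, not to `want`, because an unbuffered ReadFile of a partial sector fails with an invalid-parameter error rather than returning a short count; the rounding helpers are what the test exercises on non-Windows hosts.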

109 Agenda
 Introduction
 Tools
 System Architecture
 Processes and Threads
 Memory Management
   - Virtual Address Space Layout
   - Process Memory Usage
   - Global System Cache
   - System Memory Usage

110 System Paged Memory
 Just as processes have working sets, Windows NT's pageable system-space code and data lives in the "system working set"
   - The cache is one of 4 components of the "system working set"
 Pageable components of the system working set:
   - Paged pool
   - Pageable code and data in the executive
   - Pageable code and data in kernel-mode drivers, Win32K.Sys, graphics drivers, etc.
   - Global file system data cache
 To get the physical (resident) size of these with PerfMon, look at:
   - Memory | Pool Paged Resident Bytes
   - Memory | System Code Resident Bytes
   - Memory | System Driver Resident Bytes
   - Memory | System Cache Resident Bytes
   - The Memory | Cache Bytes counter is the total of these four "resident" (physical) counters (not just the cache); same as "File Cache" on the Task Manager Performance tab

111 Sessions
[Diagram: x86 system address space layout showing system code (NTOSKRNL, HAL, boot drivers) with the initial nonpaged pool, the per-session Win32k.sys (8MB), session working set lists, mapped views for the session, and paged pool for the session; addresses shown include A0C00000]
 New memory management object to support Windows NT® Server 5.0
 All processes in an interactive session share a:
   - Session-specific copy of Win32K.Sys
   - Instance of Winlogon
   - Session working set

112 System Nonpaged Memory
 Nonpageable components:
   - Nonpageable parts of NtosKrnl.Exe, drivers
   - Nonpaged pool (see PerfMon, Memory object: Pool Nonpaged Bytes)
 To get the size of nonpageable system code, run \ntreskit\pstat.exe and add columns 1 & 2
   [Screen snapshot of pstat output; columns: non-paged code, non-paged data, pageable code+data]
   - Output of "drivers" (\ntreskit\drivers.exe) is similar
   - Win32K.Sys is paged, even though it shows up as nonpaged

113 Monitoring Pool Usage
 Poolmon.exe in \support\debug
 Must first turn on pool tagging with gflags
 "p" to toggle between nonpaged, paged pool, or both
 Sorting:
   - "b" to sort by total # of bytes
   - "a" to sort by # of allocations
   - "t" to sort by structure tag

114 "Free" Memory
 System keeps unassigned physical pages (those not part of any working set) on five lists
   - Free page list
   - Modified page list
   - Standby page list
   - Zero page list
   - Bad page list: pages that failed the memory test at system startup

115 Managing Physical Pages
[Diagram: page transitions among process working sets and the standby, modified, free, zero and bad page lists. Pages read from disk and demand-zero page faults bring pages into working sets; working set replacement moves them to the standby or modified list; "soft" page faults bring them back; the modified page writer moves pages from the modified list to the standby list; the zero page thread moves pages from the free list to the zero list.]

116 Memory Management Information: Task Manager Performance Tab
[Screen snapshot from: Task Manager | Performance tab]
 "Available" memory = total of the free, zero, and standby lists (the majority are usually standby pages)
 "File cache" is really the total physical size of the pageable portions of: paged pool, NtosKrnl.Exe code and data, driver code and data, and the file system cache (same as the PerfMon "Cache Bytes" counter)
 "Kernel Memory Paged" is the resident size of paged pool
 "Kernel Memory Nonpaged" is the actual size of nonpaged pool

117 Summary: Accounting For Physical Memory Usage
 Process working sets
   - Perfmon: Process / Working Set
   - Note: shared resident pages are counted in the working set of every process that has faulted them in
   - Hence, the total of all of these may be greater than physical memory
 Nonpageable system code (NTOSKRNL + drivers, including win32k.sys & graphics drivers)
   - See the total displayed by the DRIVERS utility in the Windows NT Resource Kit
 Nonpageable pool
   - Perfmon: Memory / Pool Nonpaged Bytes
 Free, zero, and standby page lists
   - Perfmon: Memory / Available Bytes
   - Or: Task Manager / Performance tab: Physical Memory: Available
 Pageable, but currently resident, system-space memory
   - Perfmon: Memory / Pool Paged Resident Bytes
   - Perfmon: Memory / System Cache Resident Bytes
   - Perfmon: Memory / System Code Resident Bytes
   - Perfmon: Memory / System Driver Resident Bytes
   - The Memory / Cache Bytes counter is really the total of these four "resident" (physical) counters
 Modified and Bad page lists
   - Their size can only be seen with the !memusage command in the Kernel Debugger

118 Windows NT Internals Information Sources
 Books
   - Inside Windows NT (Solomon, MS Press)
   - Advanced Windows (Richter, MS Press)
   - Windows NT Workstation Resource Guide (MS Press)
 MSDN Library
   - Platform SDK API documentation
   - Windows NT Device Driver Kit (DDK) documentation
   - Win32 Knowledge Base - has some Windows NT internals articles
 Past Windows NT conferences audio/video tapes (www.mobiletape.com)
  - Windows NT internals articles and tools
  - hardware developers and driver writers
  - Installable File System Developers Kit
 comp.os.ms-windows.programmer.nt.kernel-mode - drivers newsgroup
  - Windows NT device driver FAQ
