Windows - Part I
Operating systems history
•Windows 3.11
•Windows 9x
•Windows NT
•Windows 2000
•Windows 2003
Windows 2000 Key requirements
•32 Bit OS
•Demand Paged virtual memory
•Multiple hardware architectures
•Multiprocessor systems
•Networking
•Reliability and robustness
•POSIX
•Security
Fundamental concepts
What is a Process?
An instance of a running program
Fundamental concepts
What is a Thread ?
A unit of execution
Fundamental concepts
Threads
Share the process address space
Fundamental concepts
Why have multiple threads ?
Perceived user responsiveness
Fundamental concepts
4GB Address space
•2GB process space
•2GB system space
Kernel mode (ring 0)
The privileged mode of operation in which
code has direct access to all hardware and
all memory addresses.
•Can access hardware directly.
•Can access all of the memory on the
computer.
•Cannot be moved to the virtual memory
page file on the hard disk.
•Is processed at a higher priority than user
mode processes.
User Mode (ring 3)
A less privileged processor mode than
kernel mode and has no direct access
to hardware.
•Code running in user mode can run
only in its own address space.
•It uses the Windows APIs to request
system services.
•User mode processes have no direct
access to hardware.
Fundamental concepts
•No process can corrupt another process's
memory
•No process can corrupt system memory
•Threads change from user to kernel mode
on system calls
Architecture overview
Architecture overview
Mapping or translation of the documented (exposed) functions
of the operating system to the internal functions of the
operating system, for example:
Windows NT CreateFile function -> NtCreateFile()
Architecture overview
Process & thread services
I/O subsystem
Inter process communication
Undocumented – accessed through subsystem
DLLs
Architecture overview
Lowest level component of core OS
Provides thread scheduling, interrupt
dispatching, exception dispatching.
Both executive and kernel are contained in
ntoskrnl.exe
Architecture overview
Access to hardware devices.
Translate user I/O functions to hardware-
specific I/O requests.
Virtual device drivers – file system, network
protocol.
Architecture overview
Window management and graphics
operations
Win32k.sys
Drawing, UI controls
Prior to NT4 this ran in user mode
Architecture overview
Hardware abstraction layer
Built for different hardware platforms.
“Device driver for the motherboard”
Architecture overview
Always on processes
Idle process – fake process to account for idle cpu cycles
System process – home for kernel mode system threads
Smss.exe – session manager subsystem
Csrss.exe – win32 subsystem
Winlogon.exe – logon process
Services.exe – service control manager
Lsass.exe – local security authentication
Architecture overview
System process – home for kernel mode system threads
•Pieces of OS or driver code that run as
independent threads
•Memory manager, swapper, file server driver
•Created at boot time
Architecture overview
Task scheduler
Spooler
Web server…
Architecture overview
•All kernel components share a common
address space.
•Other 32-bit OSes have a similar design
•Most of the OS and drivers are written in a
portable language (C)
•Kernel components use formal interfaces
to interact with each other.
Symmetric multiprocessing
•Everything is the same – no master/slave
•Processors share one memory space
•A processor can reschedule what the other
is doing
Environment subsystems
Subsystems DLLs
•Translate documented system calls to
internal undocumented NT system calls
•Expose operating system calls
•POSIX, OS/2, Win32
•Ntdll.dll – interface to native system calls
•Win32 is the primary subsystem
NT native API mapping of Win32: www.sysinternals.com
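To make the layering concrete, the following added example (not code from the original slides) asks the Win32 loader where the documented CreateFileW and the native NtCreateFile stub are exported from; the `Demo.Loader` P/Invoke wrapper and `Find-Export` helper are names chosen here, not part of Windows.

```powershell
# Added example: locate a documented Win32 API and its native counterpart in the
# DLLs that every Win32 process has mapped (kernel32.dll and ntdll.dll).
Add-Type -Namespace Demo -Name Loader -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string moduleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string procName);
'@

function Find-Export {
    param([string]$Module, [string]$Function)
    # Both DLLs are already loaded in this process, so GetModuleHandle is enough.
    $handle = [Demo.Loader]::GetModuleHandle($Module)
    if ($handle -eq [IntPtr]::Zero) { return $null }
    $address = [Demo.Loader]::GetProcAddress($handle, $Function)
    if ($address -eq [IntPtr]::Zero) { $null } else { '0x{0:X}' -f $address.ToInt64() }
}

$pairs = @(
    @{ Module = 'kernel32.dll'; Function = 'CreateFileW'  }   # documented Win32 API
    @{ Module = 'ntdll.dll';    Function = 'NtCreateFile' }   # native system call stub
    @{ Module = 'ntdll.dll';    Function = 'CreateFileW'  }   # not exported here
    @{ Module = 'kernel32.dll'; Function = 'NtCreateFile' }   # not exported here
)

# The subsystem DLL (kernel32) exports the documented name; ntdll exports the
# native one. Only the first two rows resolve to an address.
$pairs | ForEach-Object {
    [pscustomobject]@{
        Module   = $_.Module
        Function = $_.Function
        Exported = [bool](Find-Export @_)
        Address  = Find-Export @_
    }
} | Format-Table -AutoSize
```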
Kernel mode components
Contained in ntoskrnl.exe
Six variants of ntoskrnl.exe
Kernel mode components
Key executive subsystem components:
•Process & thread manager
•Memory manager
•Security manager
•I/O manager
•Plug and play manager
•Power manager
•Cache manager
Accessed through subsystem DLLs
Kernel mode components
Key kernel subsystem components:
•CPU abstraction
•Context switching
•Exception and interrupt dispatch
Management mechanisms
•Registry
•Win32 services
•WMI
Management mechanisms
Registry
•Windows configuration database
•Controls driver loading and process startup
•System wide application settings
•Per user settings
•A window into in-memory system state
•Remotely accessible
Management mechanisms
Registry
Read at:
•Boot time
•Logon time
•Application startup
Changed at:
•When you install software
•System setting change
Regedt32, regedit
Management mechanisms
Win32 services
A service is
•A process created by the service control
manager
•Starts independently of user logon
•Configured to start at boot time
•No user interface
Management mechanisms
Windows Management Instrumentation
Works locally and remotely
Bi-directional
Extensible
Natively scriptable
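The three mechanisms above fit together in one script: WMI reports the service control manager's view, the registry holds the configuration the SCM reads at boot. The following is an added example, not material from the original slides; `Get-ServiceInventory` is a name chosen here, and it assumes the Win32_Service class and the HKLM\SYSTEM\CurrentControlSet\Services key, both of which exist on Windows.

```powershell
# Added example: cross-check the SCM's view of each service (via WMI) against the
# registry key that configures it.
function Get-ServiceInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Registry Start values (0..4) and the StartMode strings Win32_Service reports.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
    $regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # WMI is natively scriptable and remote-capable: the same query runs against
    # another host by name. The registry read below is always local to this machine.
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName

    foreach ($svc in $services) {
        $key = Get-ItemProperty -Path (Join-Path $regRoot $svc.Name) -ErrorAction SilentlyContinue
        $regMode = if ($null -ne $key.Start) { $startNames[[int]$key.Start] } else { 'n/a' }
        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode     # Auto/Boot/System start before any user logs on
            Account    = $svc.StartName     # security context the SCM starts it under
            ImagePath  = $key.ImagePath     # the executable the SCM launches
            RegStart   = $regMode
            Consistent = ($regMode -eq $svc.StartMode)
        }
    }
}

# Services that start without a logon but are not running are worth a second look,
# as is any row where the registry and the SCM disagree.
$inventory = Get-ServiceInventory
$inventory |
    Where-Object { ($_.StartMode -eq 'Auto' -and $_.State -ne 'Running') -or -not $_.Consistent } |
    Format-Table Name, State, StartMode, RegStart, Account, ImagePath -AutoSize
```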
Processes and threads
Components of process
•Private address space
•Executable image
•DLLs
•Private storage
•Working set – subset of virtual image
•Access token
•Table of open objects
Processes and threads
Components of thread
•Execution context (hardware state)
•Two stacks – (user and kernel)
•Scheduling state
•Current and base priority
•Current access mode
•Thread access token
Processes and threads
Job object
•Apply quotas and restrictions to a group of
processes.
•Also useful to control a single process
Processes and threads
Controls available on jobs
•Total CPU time
•Total active processes
•Maximum priority for job
•Which processors to run on
•Security restrictions
•Scheduling class
Processes exit and crashes
When does a process exit?
•Call to ExitProcess()
•Last thread exits
Task manager demo
Processes and threads
•Threads run, not processes
•Most tools report current, not base priority
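The two points above can be seen directly: priority belongs to threads, and the current value can sit above the base value while a boost is in effect. This is an added example, not code from the original slides; `Get-ThreadPriorityReport` is a name chosen here, and it relies on the .NET Process and ProcessThread properties that Get-Process exposes.

```powershell
# Added example: compare base and current priority for every thread of a process.
function Get-ThreadPriorityReport {
    param([int]$ProcessId = $PID)   # default: the PowerShell process running this script
    $proc = Get-Process -Id $ProcessId
    foreach ($t in $proc.Threads) {
        [pscustomobject]@{
            ProcessName     = $proc.ProcessName
            PriorityClass   = $proc.PriorityClass   # process-level class the threads derive from
            ThreadId        = $t.Id
            BasePriority    = $t.BasePriority       # value the scheduler starts from
            CurrentPriority = $t.CurrentPriority    # value after temporary boosts (what tools show)
            Boosted         = ($t.CurrentPriority -ne $t.BasePriority)
            State           = $t.ThreadState
        }
    }
}

$report = @(Get-ThreadPriorityReport)
$report | Format-Table -AutoSize
'{0} of {1} threads currently hold a boosted priority' -f `
    @($report | Where-Object Boosted).Count, $report.Count
```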
Processes and threads
Thread scheduling
•No attempt to share processor(s) among
processes
•No guaranteed execution period before
preemption.
•If a thread's priority is higher than the running thread's, it runs right away
•If it is the same or lower, it waits its turn to run
•Threads at the same priority each get a turn.
Processes and threads
Quantum – length of time a thread runs
before another thread at the same
priority gets a turn.
Length of quantum on server
•12 clock intervals
•120 ms if the clock interval is 10 ms
Memory management
Memory manager features
•Demand paged virtual memory
•Supports up to 64 GB physical memory
•Provides 4GB flat virtual address space
•3 states – committed, free, reserved
•Shared memory
•Mapped files
•File mapping objects (in win32 API)
•Bytes in file mapped to virtual address
space
Memory management
Process address space (user accessible)
•Contains executable image (EXE) and
dynamically linked libraries (DLLs)
•Private storage
System address space (kernel mode)
•Operating system image (ntoskrnl.exe)
•HAL
•Driver files
•Kernel mode stacks
•File system cache
Memory management
Virtual memory concepts
•Applications reference “virtual address”
•Page tables – hardware and software
translators to physical address
•Unit of protection and usage is called a page
•x86 uses 4096-byte pages
Memory management
Methods for processes to share
memory
•Local procedure calls
•Threads share address space
Processes share memory sections
•Called file mapping objects
•Full NT security
Windows automatically shares
sharable pages – code pages in .EXE
All Win32 programs use a common set of
libraries (DLLs)
Memory management
Copy-on-write pages
•Pages are originally set up as shared read
only
•Gives process a private copy upon write
request
•Saves physical memory, eliminates
unnecessary copies.
How windows executes code
The Windows operating system uses two modes to maintain
operating system efficiency and integrity:
user mode and kernel mode.
The architecture of 80386 and higher processors defines four
privilege levels, called rings, to protect system code and data from
being overwritten inadvertently or maliciously by less privileged
code. This is called the Intel Protection model.
How windows executes code
Kernel mode (ring 0) is the privileged mode of operation in which code has
direct access to all hardware and all memory addresses. Software that runs in
kernel mode has the following attributes:
It can access hardware directly.
It can access all of the memory on the computer.
It cannot be moved to the virtual memory page file on the hard disk.
It is processed at a higher priority than user mode processes.
User mode (ring 3) is a less privileged processor mode than kernel mode and
has no direct access to hardware. Code running in user mode can run only in its
own address space. It uses the Windows APIs to request system services.
User mode processes:
Have no direct access to hardware.
Multitasking
•Multitasking is the ability of an operating
system to run more than one program, or
task, at the same time. Multitasking
contrasts with single-tasking, where one
process must be completed before
another can begin. MS-DOS is a single-tasking environment, while Windows 95
and Windows NT are both multitasking
environments.
Memory Management