Fundamental Windows v2.0.Beta

8/19/2019 Fundamental Windows v2.0.Beta

1/42

WINDOWS FUNDAMENTALS


2/42

© Copyright 2009 Appnomic Systems Pvt. Ltd. I Confidential | www.appnomic.com

Contents

• Windows Kernel Architecture

ModesComponents of KernelExecutive Services

• Windows Booting Process

• Windows Safe Boot Options

• Windows File SystemFAT

- Contiguous Memory Allocation- Linked Method- Indexed Method

NTFS- NTFS Architecture

• Windows Device ManagementDevice DriversPlug n Play Manager

Power Manager2

• Windows Process Management

ProcessThreads

• Windows Memory Management

Virtual Address SpaceMemory Pool

File MappingPage Faults


3/42


Versions of Windows

• MS-Dos• Windows 2.0• Windows 3.0• Windows 3.11• Windows 95• Windows 98• Windows 98 2 nd

edition

• Windows ME• Windows 2000• Windows XP• Windows Vista• Windows 7

• Windows 3.51• Windows NT-4• Windows 2000 server• Windows 2003 server• Windows 2008 server• Windows 2008 server

R2

Workstation Version Server Version


4/42


Windows Kernel Architecture


5/42


• Windows NT Workstation is a 32-bit, multitasking operatingsystem

• It uses an object model to provide user access to local andnetwork resources such as files, directories, and printers.

• To support inter operability with Microsoft, Novell, TCP/IP(Unix), and other types of networks, Windows NT is built on amodular design in which various objects or componentsperform specific tasks within the operating systemenvironment.



6/42


Modes :• User Mode

• Kernel ModeUser Mode :• User Mode is defined as the applications and the subsystems which support

the applications.

• In User Mode, processes run at a lower priority and are not allowed directaccess to hardware.Kernel Mode :• Kernel Mode is defined as the protected area where the NT operating system

runs.

• Processes running in this mode are high priority and have access to all of thecomputer's hardware and memory resources.Components of Kernel :• Microkernel,

• The Hardware Abstraction Layer (HAL)

• Executive Services6



7/42© Copyright 2009 Appnomic Systems Pvt. Ltd. I Confidential | www.appnomic.com

Micro Kernel :• Core of Operating System

• Access hardware both directly and through the HAL, which isa layer of software that abstracts hardware specific details

such as I/O interfaces and interrupt controllers• Applications and device drivers make calls to HAL routines to

determine hardware specific informationHardware Abstraction Layer :

• The layer between the physical hardware of the computerand the rest of the operating system

• The HAL includes hardware-specific code that controls I/Ointerfaces, interrupt controllers and multiple processors

7




Executive Services :

• Executive Services coordinates the activities of the operatingsystem, such as providing access to the local hard disk,memory, and printers, as well as to network resources

• Each specific function is carried out by a software module

called a Manager• Functions of Executive Services :

Service : NTOSKRNL.EXEExample : Virtual Memory Manager maps virtual memory

addresses used by applications into physical memory

8




Object Types :• Kernel Objects

• Executive ObjectsKernel Objects :

• Kernel objects manages resources such as physical devices, orservices such as synchronization, which are required toimplement any other type of OS service

Executive Objects :

• It encapsulate one or more kernel objects and exposes

9




Cache Controller• Co-ordinates with Memory Manager, I/O Manager and I/O drivers to

provide a common cache for regular file I/O• Windows Cache Manager operates on file blocksConfiguration Manger :• Responsible for implementing Windows Registry

Input / Output Manager :• It controls all input and output to the operating system, including

application requests for local and network resourcesComponents of I / O Manager :• Multiple Universal Naming Convention (UNC) Provider (MUP).• File System Drivers and Redirectors• Transport Driver Interface (TDI)• Transport Protocols• Network Device Interface Specification(NDIS)

• Network Interface Card Drivers10




Local Procedure Call (LPC)• Provides inter-process communication ports with connection semantics• LPC ports are used by user-mode subsystems to communicate with their

clientsMemory Manager• Manages virtual memory, controlling memory protection and the paging

of memory in and out of physical memory to secondary storage, andimplements a general-purpose allocator of physical memoryProcess Structure• Handles process and thread creation and termination• It implements the concept of Job, a group of processes that can be

terminated as a whole, or be placed under shared restrictionsPnP Manager• It handles Plug and Play• Supports device detection and installation at boot time

11




Security Reference Monitor (SRM)• The primary authority for enforcing the security rules of the

security integral subsystem

• It determines whether an object or resource can be accessed,via the use of access control lists (ACLs)

GDI (Graphics Device Interface )• Responsible for tasks such as drawing lines and curves,

rendering fonts and handling palettes.

12




Windows Fundamentals ( Shell )• The Windows UI provides users with access to a wide variety of objects

necessary for running applications and managing the operating system.

• The Shell organizes the objects into a hierarchical namespace andprovides users and applications with a consistent and efficient way toaccess and manage objects.

Logical Components of Windows Shell :

13

Section Description

Shell Classes Describes select Windows Shell classes.Shell Interfaces Describes the Windows Shell Component Object Model (COM) interfaces.

Shell Functions Describes the Windows Shell functions.

Shell Callback Functions Describes the Windows Shell callback functions templates.

Shell Constants, Enumerations, and Flags Describes the Windows Shell constants, enumerations, and flags used in the Shell APIs.

Shell Lightweight Util ity Functions Describes the Windows Shell lightweight uti li ty functions provided in Shlwapi.dll .

Shell Macros Describes the Windows Shell utility macros.

Shell Messages and Notifications Describes the messages and noti fications sent by elements of the Windows Shell .

Shell Objects for Scripting and Microsoft Visual Basic Describes the Windows objects implemented by the Shell for use in scripting and Microsoft Visual Basic.

Shell Objects for C++ Describes the C++ Windows objects implemented by the Shell.

Shell Properties Describes the individual properties that can be set on files and folders in the Windows Shell.

Shell Schemas Describes library, property, and transfer manifest schemas used by the Windows Shell.

Shell Structures Describes the Windows Shell structures used in the Shell APIs.



Booting Process



Windows Boot Process



Windows Safe boot Options

Safe Mode (SAFEBOOT_OPTION=Minimal):This option uses a minimal set of device drivers and services to start

Windows.Safe Mode with Networking (SAFEBOOT_OPTION=Network):

This option uses a minimal set of device drivers and services to startWindows together with the drivers that you must have to load networking.

Safe Mode with Command Prompt(SAFEBOOT_OPTION=Minimal(Alternate Shell)):This option is the same as Safe mode, except that Cmd.exe starts

instead of Windows Explorer.Safe mode and Safe mode with Networking load the Vga.sys driver

instead.

Last Known Good Configuration:This option starts Windows by using the previous good

configuration.Directory Service Restore Mode:

This mode is valid only for Windows-based domain controllers. Thismode performs a directory service repair.



Enable Boot Logging:This option turns on logging when the computer is startedwith any of the Safe Boot options except Last Known GoodConfiguration. The Boot Logging text is recorded in theNtbtlog.txt file in the %SystemRoot% folder.

Starts Windows Normally:This option starts Windows in its normal mode.

Reboot:This option restarts the computer.

Return to OS Choices Menu: On a computer that is configuredto starting to more than one operating system, this optionreturns to the Boot menu.

18

Windows Safe boot Options



Windows File System

File System

• A file system is a method of storing and organizing thecomputer files and the data they contain to make it easy tofind and access them.

Types of File system :

• FAT• NTFSFAT (File Allocation Table)• A disk formatted with FAT is allocated in clusters, whose size

are determined by the size of the volume.• When a file is created, an entry is created in the directory and

the first cluster number containing data is established.

• This entry in the FAT table either indicates that this is the last

cluster of the file, or points to the next cluster.19



Windows File System FAT

Open / Read Operations



Disk Allocation MethodsContiguous allocation• Each file occupies a set of consecutive addresses

on disk• Each directory entry contains:

– File name

– Starting address of the first block – Block address = sector id (e.g., block = 4K) – Length in blocks

• Usual dynamic storage allocation problem – Use first fit, best fit, or worst fit algorithms to

manage storage• If the file can increase in size, either

– Leave no extra space, and copy the fileelsewhere if it expands

– Leave extra space21

Windows File System



Linked allocation• Each data block contains the block address of the next block in the file• Each directory entry contains:

– File name – Block address : pointer to the first block – Have a pointer to the last block

22

Windows File System



Windows File System ( NTFS Architecture )

23

Component Component Description

Hard disk Contains one or more partitions.

Boot sector Bootable partition that stores information about thelayout of the volume and the file system structures, aswell as the boot code that loads Ntdlr.

Master BootRecord

Contains executable code that the system BIOS loadsinto memory. The code scans the MBR to find thepartition table to determine which partition is theactive, or bootable, partition.

Ntldlr.dll Switches the CPU to protected mode, starts the filesystem, and then reads the contents of the Boot.inifile. This information determines the startup optionsand initial boot menu selections.

Ntfs.sys System file driver for NTFS.

Ntoskrnl.exe Extracts information about which system devicedrivers to load and the load order.

Kernel mode The processing mode that allows code to have directaccess to all hardware and memory in the system.

User mode The processing mode in which applications run.


24/42

© Copyright 2009 Appnomic Systems Pvt. Ltd. I Confidential | www.appnomic.com 24

Windows File System

NTFS ( New Technology File System )

Boot Sector :• Boot sector consists of two sections and occupies the first sixteen sectors.• The first section holds the BIOS parameter block containing information onthe layout of the volume and the structure of the file system similar to what is

laid out above for FAT.• The boot code to load Windows resides in the second sectionMaster File Table :• The MFT consists of a series of 1KB records, one for each file in the partition.• The first sixteen entries are reserved for the NTFS system files.


25/42


Master File Table :• Record 0 is the MFT .• The next ten include a changes log file for system recovery, information

about the volume, the index of the root folder and a bitmap showingcluster allocation information.

• The final five files are reserved for future use.

NTFS ATTRIBUTES :• Used to describe the records

Resident Attributes :• Contains 4 Attributes

25

Windows File System


26/42

© Copyright 2009 Appnomic Systems Pvt. Ltd. I Confidential | www.appnomic.com 26

Windows File System

Resident Attributes :

• Non-resident attributes are ones too large to fit in the MFTrecord.


27/42


Comparison of File Systems - hide

S.No

FAT NTFS

1Support by DOS, OS/2,Windows 95, and

Windows NTOnly supported under the NT OS

2 No Local Security available Local Security is available

3 Does not support NT file compression Support NT file compression

4 Can be converted to NTFS at any time

NTFS can never be converted to FAT. The only way to gofrom NTFS to FAT is to backup the data, reformat the

partition as FAT, and then restore the data to the new FATpartition

5 Maximum partition size of 4GB Maximum partition size of 16EB

6 Disk Quotas were not Possible Disk Quotas were possible


28/42


Windows Device Management

Device Drivers: Types• Virtual Device Drivers

• Windows Subsystem printer drivers

• File system Drivers

• Plug n Play drivers• Non-plug & Play drivers

Plug & Play Manager

• Recognizes Plug n Play devices• Hardware resources allocation

• Loading appropriate drivers

• Detects hardware configuration changes

28


29/42


Power ManagerSystem Power State Definitions

29

Windows Device Management

State Power Consumption Software Resumption Hardware Latency

S0 (fully on) Maximum Not applicable None

S1 (sleeping) Less than S0, more thanS2

System resumes where itleft off (returns to S0)

Less than 2 seconds

S2 (sleeping) Less than S1, more thanS3 System resumes where itleft off (returns to S0) 2 or more seconds

S3 (sleeping) Less than S2; processor isoff

System resumes where itleft off (returns to S0)

Same as S2

S4 (hibernating) Trickle current to powerbutton and wake

circuitry

System restarts fromsaved hibernate file andresumes where it left off

prior to hibernation(returns to S0)

Long and undefined

S5 (fully off) Trickle current to powerbutton

System boot Long and undefined


30/42


Windows Process Management

• A process contains its own independent virtual address space with both

code and data, protected from other processes• Process contains more than one threads• By creating and managing processes, applications can have multiple,

concurrent tasks processing files, performing computations, orcommunicating with other networked systems

Windows Processes and Threads :• Windows thread is the basic executable unitFactors which govern the Threads :• Availability of resources such as CPUs and physical memory, priority

Components of Windows Processes :• One or more threads.• A virtual address space that is distinct from other processes address

spaces.

30


31/42


Management Mechanisms - Registry

• It is the repository for both system wide and per-user settings.

• Tools for Editing Registry – Regedit.exe – Regedt32.exe (Not in Windows 2003)

• Hkey_Current_User

The HKCU root key contains data regarding the preferences and softwareconfiguration of the locally logged-on user• Hkey_Users

HKU contains a subkey for each loaded user profile and user classregistration database on the system. It also contains a subkey named

• Hkey_Classes_RootHKCR consists of two types of information: file extension associations andCOM class registrations

31


32/42


Management Mechanisms - Registry

• Hkey_Local_Machine

HKLM is the root key that contains all the systemwide configurationsubkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM.

• HKEY_CURRENT_CONFIG is just a link to the current hardware profile,stored under HKLM\SYSTEM\CurrentControlSet\HardwareHkey_Classes_Root

• Hkey_Performance_DataThe registry is the mechanism to access performance counter values on

Windows, whether those are from operating system components orserver applications

32

h


33/42


Management Mechanisms - WMI

• The API’s developed for Windows do not have a process forevent or performance monitoring.

• WMI is an implementation of Web-Based EnterpriseManagement (WBEM), a standard that the DistributedManagement Task Force (DMTF —an industry consortium)

defines.

33

h


34/42


Management Mechanisms - Services

• Windows services consist of three components: a service application, a

service control program (SCP), and the service control manager (SCM).• Types of Services

34

Local System Network Service Local Service

Everyone Service Everyone

Authenticated Users Authenticated Users Authenticated Users

Administrators Users Users

Local Local

Network Service Local Service

Service Service

Wi d M M


35/42


Windows Memory Management

• A 32-bit Microsoft Windows has its own virtual address space that enablesaddressing up to 4 gigabytes of memory

• A 64-bit Windows has a virtual address space of 8 terabytes. All threads ofa process can access its virtual address space

Virtual Address Space• The virtual address space for a process is the set of virtual memory

addresses that it can use.• The address space for each process is private and cannot be accessed by

other processes unless it is shared.Memory Pools :• The memory manager creates the following memory pools that the

system uses to allocate memory

35

Wi d M M


36/42


• Memory pools are located in the region of the address space that isreserved for the system and mapped into the virtual address space of

each process• The non paged pool consists of virtual memory addresses that are

guaranteed to reside in physical memory as long as the correspondingkernel objects are allocated

• The paged pool consists of virtual memory that can be paged in and out of

the system• The handles for kernel objects are stored in the paged pool, so the

number of handles you can create is based on available memoryVirtual Memory Functions :• Reserve a range of a process's virtual address space. Reserving address

space does not allocate any physical storage, but it prevents otherallocation operations from using the specified range

• Commit a range of reserved pages in a process's virtual address space sothat physical storage (either in RAM or on disk) is accessible only to theallocating process

36


Wi d M M


37/42


Virtual Memory Functions :• Specify read/write, read-only, or no access for a range of committed

pages• Free a range of reserved pages, making the range of virtual addresses

available for subsequent allocation operations by the calling process• De commit a range of committed pages, releasing their physical storage

and making it available for subsequent allocation by any process• Lock one or more pages of committed memory into physical memory

(RAM) so that the system cannot swap the pages out to the paging file• Obtain information about a range of pages in the virtual address space of

the calling process or a specified process• Change the access protection for a specified range of committed pages in

the virtual address space of the calling process or a specified process

37


Wi d M M


38/42


File Mapping• It is the association of a file's contents with a portion of the virtual address

space of a process• The system creates a file mapping object (also known as a section object ) to

maintain this association• A file view is the portion of virtual address space that a process uses to

access the file's contentsAdvantages of File Mapping :• File mapping allows the process to use both random input and output (I/O)

and sequential I/O• It also allows the process to work efficiently with a large data file, such as a

database, without having to map the whole file into memory• Multiple processes can also use memory-mapped files to share data• The use of file mapping improves efficiency because the file resides on disk,

but the file view resides in memory• Processes can also manipulate the file view with the Virtual Protect function

38


Wi d M M t


39/42


File Mapping :

39


Wi d M M t


40/42


• The file on disk can be any file that we want to map into memory, or it can

be the system page file• The file mapping object can consist of all or only part of the file. It is

backed by the file on disk• When the system swaps out pages of the file mapping object, any changes

made to the file mapping object are written to the file

• When the pages of the file mapping object are swapped back in, they arerestored from the file

• A file view can consist of all or only part of the file mapping object• A process manipulates the file through the file views. A process can create

multiple views for a file mapping object• The file views created by each process reside in the virtual address space

of that process• When the process needs data from a portion of the file other than what is

in the current file view, it can un map the current file view, then create anew file view

40


P F lt


41/42


Page Fault

41

Reason for Fault Result

Accessing a page that isn't resident inmemory but is on disk in a page file or amapped file

Allocate a physical page, and read thedesired page from disk and into theworking set

Accessing a page that is on the standby ormodified list

Transition the page to the process orsystem working set

Accessing a page that isn't committed (forexample, reserved address space oraddress space that isn't allocated)

Access violation

Accessing a page from user mode that canbe accessed only in kernel mode Access violation

Writing to a page that is read-only Access violation

A reference to an invalid page is called a page fault.

Reasons for Access Fault


42/42

THANK YOU

Documents

Fundamental Windows v2.0.Beta