Job Object

Yen-Chin Chen965202011

OutlineJob Object IntroductionWindows functions to create and manipulate

job objectsCPU-related and memory-related limits you can

specify for a jobConclusionExperiment

OutlineJob Object IntroductionJob Object IntroductionWindows functions to create and manipulate



Job Object• A job object is a

– nameable, – securable, – shareable kernel object that allows control

of one or more processes as a group.

• A job object’s basic function is to allow groups of processes to be managed and manipulated as a unit.

• A process can be a member of only one job object.

In this slides,Job

ProcessThread

,this 3 colors will be used to enhance your reading

Job Object• By default,

• Its association with the job object can’t be broken

• All processes created by the process and its descendents are associated with the same job object as well.

• The job object also records basic accounting information for all processes associated with the job and for all processes that were associated with the job but have since terminated.

OutlineJob Object IntroductionWindows functions to create and Windows functions to create and

manipulate job objectsmanipulate job objectsCPU-related and memory-related limits you can


Windows functions to create and manipulate job objects.Function Description

CreateJobObject Creates a job object (with an optional name)

OpenJobObject Opens an existing job object by name

AssignProcessToJobObject Adds a process to a job

TerminateJobObject Terminates all processes in a jobSetInformationJobObject Sets

SetInformationJobObject Sets limits

QueryInformationJobObject Retrieves information about the job, such as CPU time, pagefault count, number of processes, list of process IDs, quotas orlimits, and security limits


job objectsCPU-related and memory-related limits you CPU-related and memory-related limits you

can specify for a jobcan specify for a jobConclusionExperiment

CPU-related and memory-related limits you can specify for a jobMaximum number of active processes

Limits the number of concurrently existing processes in the job.

Jobwide user-mode CPU time Limit Limits the maximum amount of user-

mode CPU time that the processes in the job can consume (including processes that have run and exited).

Once this limit is reached, by default all the processes in the job will be terminated with an error code and no new processes can be created in the job (unless the limit is reset).

The job object is signaled, so any threads waiting for the job will be released. You can change this default behavior with a call to EndOfJobTimeAction.

CPU-related and memory-related limits you can specify for a jobPer-process user-mode CPU time limit

Allows each process in the job to accumulate only a fixed maximum amount of user-mode CPU time. When the maximum is reached, the process terminates (with no chance to clean up).

Job scheduling class Sets the length of the time slice (or

quantum) for threads in processes in the job. This setting applies only to systems running with long, fixed quantums (the default for Windows Server systems). The value of the job-scheduling class determines the quantum as shown here

(Cont’) Job-scheduling classdetermines the quantumScheduling Class Quantum Units

0 6

1 12

2 18

3 24

4 30

5 36

6 42

7 48

8 54

9 Infinite if real-time; 60 otherwise

CPU-related and memory-related limits you can specify for a jobJob processor affinity (Multi-Processor)

Sets the processor affinity mask for each process in the job. (Individual threads can alter their affinity to any subset of the job affinity, but processes can’t alter their process affinity setting.)

Job process priority class Sets the priority class for each process in the

job. Threads can’t increase their priority relative to the class (as they normally can). Attempts to increase thread priority are ignored.

(No error is returned on calls to SetThreadPriority (winnt.h, winbase.h, page. 329 from book), but the increase doesn’t occur.)

SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);

CPU-related and memory-related limits you can specify for a jobDefault working set minimum and

maximum Defines the specified working set

minimum and maximum for each process in the job. (This setting isn’t jobwide—each process has its own working set with the same minimum and maximum values.)

Process and job committed virtual memory limit Defines the maximum amount of virtual

address space that can be committed by either a single process or the entire job.

CPU-related and memory-related limits you can specify for a job• Jobs can also be set to queue an entry to an

I/O completion port object, which other threads might be waiting for, with the Windows GetQueuedCompletionStatus function.

• You can also place security limits on processes in a job.

• You can set a job so that each process runs under the same jobwide access tokenaccess token. You can then create a job to restrict processes from impersonatingimpersonating(模仿 ) or creating processes that have access tokens that contain the local administrator’s group.

Access TokenAn access token is as an object encapsulating the

security descriptor of a processAttached to a process, a security descriptor

identifies the owner of the object (in this case, the process)

An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.

Ref : http://msdn.microsoft.com/en-us/library/aa374909.aspx

Impersonation TokenImpersonation is a security concept unique to

Windows NT, that allows a server application to temporarily "be" the client in terms of access to secure objects.

Impersonation has three possible levels: identification, letting the server inspect the client's identity, impersonation, letting the server act on behalf of the client, and delegation, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials).

Ref : http://en.wikipedia.org/wiki/Token_(Windows_NT_architecture)

If you want to get more details, please read

chapter 8 : security of Windows Internal

CPU-related and memory-related limits you can specify for a jobYou can also place user-interface limits on

processes in a job. Such limits include being able to Restrict

processes from opening handles to windows owned by threads outside the job, reading and/or writing to the clipboard, and changing the many user-interface system parameters via the Windows SystemParametersInfo function.

CPU-related and memory-related limits you can specify for a jobX-Windows 2000 Datacenter Server has a tool

called the Process Control Manager that allows an administrator to define job objects, the various quotas and limits that can be specified for a job, and which processes, if run, should be added to the job. A service component monitors process activity and adds the specified processes to the jobs. Note that this tool is no longer shipped with Windows Server 2003 Datacenter Edition, but will remain on the system if a Windows 2000 Datacenter Server is upgraded to Windows Server 2003 Datacenter Edition.

SetInformationJobObject FunctionBOOL WINAPI SetInformationJobObject ( __in HANDLE hJob, //retrun from

//CreateJobObject/OpenJobObject

__in JOBOBJECTINFOCLASS JobObjectInfoClass,

__in LPVOID lpJobObjectInfo, __in DWORD cbJobObjectInfoLength ); __in : Means Input

JOBOBJECTINFOCLASS JobObjectInfoClasstypedef enum _JOBOBJECTINFOCLASS

{ JobObjectBasicAccountingInformation = 1, JobObjectBasicLimitInformation,=>2JobObjectBasicProcessIdList, JobObjectBasicUIRestrictions, JobObjectSecurityLimitInformation, JobObjectEndOfJobTimeInformation, JobObjectAssociateCompletionPortInformation, JobObjectBasicAndIoAccountingInformation, JobObjectExtendedLimitInformation, JobObjectJobSetInformation, MaxJobObjectInfoClass } JOBOBJECTINFOCLASS;

LPVOID lpJobObjectInfoLPVOID lpJobObjectInfotypedef struct

_JOBOBJECT_BASIC_LIMIT_INFORMATION {LARGE_INTEGER PerProcessUserTimeLimit;LARGE_INTEGER PerJobUserTimeLimit;DWORD LimitFlags;SIZE_T MinimumWorkingSetSize;SIZE_T MaximumWorkingSetSize;DWORD ActiveProcessLimit;ULONG_PTR Affinity;DWORD PriorityClass;DWORD SchedulingClass; } JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION;

So, how to set the So, how to set the Affinity Mask? I Affinity Mask? I

introduce what is introduce what is ULONG_PTR type ULONG_PTR type

first.first.

ULONG_PTRA ULONG_PTR is an unsigned long type used

for pointer precision. It is used when casting a pointer to a long type to perform pointer arithmetic.

Note In a 64-bit environment (indicated below by a TRUE value for _WIN64), the ULONG_PTR MUST be defined as an unsigned __int64, not as a ULONG.

ULONG_PTR#ifdef _WIN64

typedef __int64 ULONG_PTR; #else typedef

ULONG ULONG_PTR;

#endifRef :

http://msdn.microsoft.com/en-us/library/cc230394.aspx

Processor Affinitypublic void SetProcessAffinityToPhysicalCPUForHyperthreadOnly(int processid){

int res;int hProcess;int ProcAffinityMask = 0, SysAffinityMask = 0;

hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, processid);

res = GetProcessAffinityMask(hProcess, ref ProcAffinityMask, ref SysAffinityMask);

if (SysAffinityMask == 3) // 1 proc, 2 logical CPUsres = SetProcessAffinityMask(hProcess, 1);

else if (SysAffinityMask == 15) //dual proc, 4 virtual CPUsres = SetProcessAffinityMask(hProcess, 3);

res = CloseHandle(hProcess);}Ref : http://msdn.microsoft.com/en-us/library/ms686223(VS.85).aspx

If not a Hyperthreding system setting, If not a Hyperthreding system setting, 32-bit : 0000000000000000000000000000011132-bit : 00000000000000000000000000000111, means CPU 0,1 and 2 threads could run on , means CPU 0,1 and 2 threads could run on

and alter between them. and alter between them. So just using ‘|’ , ’&’ , (or/and) bit-operator to So just using ‘|’ , ’&’ , (or/and) bit-operator to

set Affinity Mask.set Affinity Mask.

Processor AffinityBOOL WINAPI SetProcessAffinityMask( __in HANDLE hProcess, __in DWORD_PTR dwProcessAffinityMask );

dwProcessAffinityMask [in] The affinity mask for the threads of the process.

Processor AffinityDWORD_PTR WINAPI SetThreadAffinityMask( __in HANDLE hThread, __in DWORD_PTR dwThreadAffinityMask );dwThreadAffinityMask [in] The affinity mask for the

thread. A thread affinity mask is a bit vector in which each

bit represents the processors that a thread is allowed to run on.

A thread affinity mask must be a subset of the process affinity mask for the containing process of a thread.

A thread can only run on the processors its process can run on.



specify for a jobConclusionConclusionExperiment

Conclusion• In this chapter, we’ve examined the structure of

processes and threads and jobs, seen how they are created, and looked at how Windows decides which threads should run and for how long.

• Many references in this chapter are to topics related to memory management. Because threads run inside processes and processes in large part define an address space, the next logical topic is how Windows performs virtual and physical memory management—the subjects of Chapter 7.

Book : Windows InternalRef : Book page from 369~374



specify for a jobConclusionExperimentExperiment

EXPERIMENT:Viewing the Job Object using

Process ExplorerWindows Kernel Debugger

Process Explorer

If you want to create other processes in the same job, you need execute them in cmd process by runasrunas shown in next slide

Type this command to create a job and a cmd process in this job

/user:MachineName\Administrator Name

Process Explorer

Process Explorer Double Click cmd.exe row , then a dialog will jump out, and processes in the same job will show the same color.

Process Explorer

Windows Kernel Debugger

Before above, You must install Windows Windows SymbolsSymbols

from http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#d

Windows Kernel Debugger

To See all the To See all the Processes in Processes in

O.S.O.S.

Find out cmd Find out cmd process by process by

runas runas commandcommand

Then, search for Then, search for that cmd process, that cmd process, you’ll see handle you’ll see handle

of the of the job :82245cd0job :82245cd0

Thanks for your Thanks for your AttentionAttention

^_^^_^

Documents

Job Object