Inside the Windows Vista Kernel: Part 1


Windows administration

At a glance: Thread priority and scheduling; File-based symbolic links; Cancelling I/O operations

Inside the Windows Vista kernel: Part 1
Mark Russinovich
TechNet Magazine, April 2007

This is the first part of a series on what’s new in the Windows Vista kernel. In this issue, I’ll look at changes in the areas of processes and threads, and in I/O. Future instalments will cover memory management, startup and shutdown, reliability and recovery, and security.

The scope of this article comprises changes to the Windows Vista kernel only, specifically Ntoskrnl.exe and its closely associated components. Please remember that there are many other significant changes in Windows Vista that fall outside the kernel proper and therefore won’t be covered. This includes improvements to the shell (such as integrated desktop search), networking (like the new IPv6 stack and two-way firewall), and the next-generation graphics model (such as Aero™ Glass, Windows Presentation Foundation, the Desktop Window Manager, and the new graphics driver model). Also not covered are the new Windows User-Mode and Kernel-Mode Driver Frameworks (UMDF and KMDF), since these are back-level installable on earlier versions of Windows.

CPU cycle counting

Windows Vista includes a number of enhancements in the area of processes and threads, including use of the CPU cycle counter for fairer CPU allocation and the new Multimedia Class Scheduler Service (MMCSS) that helps media applications deliver glitch-free playback.

All versions of Windows NT® up to and including Windows Vista program an interval-timer interrupt routine to execute approximately every 10 or 15 ms (milliseconds), depending on the hardware platform. The routine looks at what thread it interrupted and updates the thread’s CPU usage statistics as if that thread had run for the entire interval, while in reality the thread might have started executing just before the interval’s end. Further, the thread might have been technically assigned the CPU, but didn’t get a chance to run because hardware and software interrupt routines executed instead.

While clock-based time accounting might be OK for diagnostic tools that report thread and process CPU usage, use of that method by the thread scheduler can cause unfair CPU allocation. By default, on client versions of Windows threads are permitted to run up to 2 clock ticks (6 if in the foreground). However, the thread might get virtually no time on the CPU or up to 6 ticks (18 if in the foreground), depending on its behaviour and other activity on the system.

Figure 1 shows the unfairness that can occur when two threads that have the same priority become ready to run at the same time. Thread A runs until the next time-slice interval expiration, when the scheduler assumes it has run for the entire interval and so decides that Thread A’s turn is finished. Furthermore, Thread A gets unfairly charged for the interrupt that occurred during its turn. At the next interval, the scheduler picks Thread B to take over and it runs for a full interval.

Figure 1 Unfair thread scheduling (timeline over five clock intervals: Threads A and B become ready to run; Thread A; Interrupt; Idle; Thread B; Idle)

In Windows Vista, the scheduler uses the cycle counter register of modern processors to track precisely how many CPU cycles a thread executes. By estimating how many cycles the CPU can execute in a clock interval, it can more accurately dole out turns on the CPU. In addition, the Windows Vista scheduler does not count interrupt execution against a thread’s turn. This means that on Windows Vista a thread will always get at least its turn on the CPU and never more than an extra clock interval of execution, resulting in greater fairness and more deterministic app behaviour. Figure 2 shows how Windows Vista responds to the scenario shown in Figure 1 by giving both threads at least one time slice interval of execution.

Figure 2 Windows Vista cycle-based scheduling (timeline over the same clock intervals: Threads A and B become ready to run; Thread A; Thread B; Interrupt)

The ‘Watching process CPU usage’ sidebar illustrates how you can monitor process CPU cycle usage for yourself using the Process Explorer utility.

Sidebar: Watching process CPU usage

You can see the inaccuracy of the Windows standard clock-based time accounting using the Process Explorer utility from Sysinternals (microsoft.com/technet/sysinternals). Run Process Explorer on a Windows Vista system and add the Cycles Delta column to the process view. Cycles Delta shows the number of cycles the threads of each process execute between Process Explorer updates. Because CPU time accounting is still based on the interval timer, if you also add the CPU Time column, you’ll see many processes that have threads consuming millions of CPU cycles and yet don’t have their CPU time updated and don’t show up in the CPU usage column.

Figure A Viewing CPU time and Cycles Delta in Process Explorer

Multimedia Class Scheduler Service

Users expect multimedia applications, including music and video players, to offer a seamless playback experience. However, demand for the CPU by other concurrently running applications, like antivirus, content indexing, or even the mail client, can result in unpleasant hiccups. To provide a better playback experience, Windows Vista introduces MMCSS to manage the CPU priorities of multimedia threads.

A multimedia app like Windows Media® Player 11 registers with MMCSS using new APIs that indicate its multimedia characteristics, which must match one of those listed by name under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Multimedia\SystemProfile\Tasks

The various task keys specify how much preference threads associated with different multimedia types get for CPU and graphics processor resources (though graphics processor resource management is not implemented in Windows Vista). Figure 3 shows the contents of one of the task registry keys after a clean Windows Vista installation, though third-party developers can add their own task definitions.

Figure 3 Multimedia Class Scheduler audio task definition

MMCSS, which is implemented in %SystemRoot%\System32\Mmcss.dll and runs in a Service Host (Svchost.exe) process, has a priority-management thread that runs at priority 27. (Thread priorities in Windows range from 0 to 31.) This thread boosts the priority of registered multimedia threads into the range associated with the Scheduling Category value of their task’s registry key, as listed in Figure 4. In Windows, thread priorities 16 and higher are in the real-time priority range and higher than all other threads on a system (with the exception of the kernel’s Memory Manager worker threads, which run at priorities 28 and 29). Only administrative accounts, like the Local System account in which MMCSS executes, have the Increase Priority privilege that’s required to set real-time thread priorities.

Figure 4 MMCSS thread priorities

Scheduling Category    Boosted thread priority
High                   23-26
Medium                 16-23

When you play an audio file, Windows Media Player registers Audio task threads, and when you play a video, it registers Playback task threads. The MMCSS service boosts all threads that have indicated that they are delivering a stream at the same time when they are running in the process that owns the foreground window and when they have the BackgroundOnly value set to True in their task’s definition key.

But while MMCSS wants to help multimedia threads get the CPU time they need, it also wants to ensure that other threads get at least some CPU time so that the system and other applications remain responsive. MMCSS therefore reserves a percentage of CPU time for other activity, specified in the following registry value:

HKLM\Software\Microsoft\Windows NT\Currentversion\Multimedia\SystemProfile\SystemResponsiveness

By default, this is 20 percent; MMCSS monitors CPU usage to ensure that multimedia threads aren’t boosted for more than 8 ms over a 10 ms period if other threads want the CPU. To get the multimedia threads out of the way for the remaining 2 ms, the scheduler drops their priorities into the 1-7 range.

You can see how MMCSS boosts thread priority by reading the ‘Watching MMCSS priority boosting’ sidebar.

Sidebar: Watching MMCSS priority boosting

You can witness the thread boosting that the MMCSS service applies to Windows Media Player threads by playing a video or audio clip, running the Performance Monitor, setting the graph scale to 31 (the highest Windows thread priority), and adding the Priority Current counter for all instances of the Windows Media Player (Wmplayer.exe) thread objects to the display. One or more threads will run at priority 21.

File-based symbolic links

The Windows Vista I/O-related changes include file-based symbolic links, more efficient I/O completion processing, comprehensive support for I/O cancellation and prioritised I/O.

A file system feature many have considered missing from NTFS, the symbolic file link (or, as it’s called in UNIX, the soft link) finally arrives in Windows Vista. The Windows 2000 version of NTFS introduced symbolic directory links, called directory junctions, which

To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine
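To make the Figure 1 / Figure 2 argument above concrete, here is an added simulation of the two accounting methods; it is not code from the article or from Windows, and the cycles-per-interval, ready offset and interrupt length are constructed values in a simplified model of what the text describes. It goes slightly beyond the figures by taking the quantum in ticks as a parameter (1 tick as drawn, 2 ticks as the client default the text quotes).

```python
"""Constructed model: clock-tick CPU accounting (pre-Vista) versus Windows
Vista's cycle-based accounting, replaying the Figure 1 / Figure 2 scenario.
Not Windows code; all numbers are invented for illustration."""
from dataclasses import dataclass

# Assumption: one clock interval (10 or 15 ms on real hardware) is 1000 cycles here.
CYCLES_PER_INTERVAL = 1_000


@dataclass
class Thread:
    name: str
    executed: int = 0   # cycles the thread really ran
    charged: int = 0    # cycles the scheduler believes the thread consumed


def run_turn(now, thread, quantum_ticks, interrupt_cycles, cycle_based):
    """Run `thread` from absolute cycle `now` until the scheduler ends its turn.

    cycle_based=False: at every clock tick the interrupted thread is charged a
    whole interval, and interrupt time lands on its bill as well.
    cycle_based=True: only cycles the thread itself executed count, and the
    turn ends at the first tick after the cycle target has been reached.
    Returns the absolute cycle at which the turn ends.
    """
    target = quantum_ticks * CYCLES_PER_INTERVAL
    ticks_charged = 0
    pending_interrupt = interrupt_cycles
    while True:
        next_tick = (now // CYCLES_PER_INTERVAL + 1) * CYCLES_PER_INTERVAL
        available = next_tick - now
        # An interrupt that fires during this turn steals CPU from the thread.
        stolen = min(pending_interrupt, available)
        pending_interrupt -= stolen
        thread.executed += available - stolen
        now = next_tick
        if cycle_based:
            thread.charged += available - stolen      # interrupt not charged
            if thread.charged >= target:
                return now
        else:
            thread.charged += CYCLES_PER_INTERVAL     # whole tick, regardless
            ticks_charged += 1
            if ticks_charged >= quantum_ticks:
                return now


def schedule(quantum_ticks=1, ready_offset=800, interrupt_cycles=100, cycle_based=False):
    """Threads A and B (equal priority) become ready `ready_offset` cycles into an
    interval; A is picked first and an interrupt hits during its turn.
    Returns {name: (executed, charged)} after each thread has had one turn."""
    a, b = Thread("A"), Thread("B")
    now = run_turn(ready_offset, a, quantum_ticks, interrupt_cycles, cycle_based)
    run_turn(now, b, quantum_ticks, 0, cycle_based)
    return {t.name: (t.executed, t.charged) for t in (a, b)}


def turn_is_fair(executed, quantum_ticks):
    """The article's guarantee: at least the full turn, at most one extra interval."""
    target = quantum_ticks * CYCLES_PER_INTERVAL
    return target <= executed < target + CYCLES_PER_INTERVAL


if __name__ == "__main__":
    for ticks in (1, 2):
        for cycle_based in (False, True):
            label = "cycle-based" if cycle_based else "clock-tick "
            print(f"quantum={ticks} tick(s) {label}:",
                  schedule(quantum_ticks=ticks, cycle_based=cycle_based))
```

With the defaults, clock-tick accounting bills Thread A a full interval for 100 cycles of real execution, while cycle-based accounting lets it run 1100 cycles before Thread B's turn.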
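A defender's companion to the MMCSS section above, as an added example that is not Microsoft's or the article's code: it audits the Tasks key and the SystemResponsiveness value named in the text against the Figure 4 priority ranges, since any task definition there decides which threads may be boosted into the real-time range. The baseline task list, the sample snapshot and the ‘ContosoCodec’ task are constructed, and ‘Background Only’ is assumed to be the on-disk spelling of the value the article calls BackgroundOnly.

```python
"""Audit of MMCSS task definitions (added example, not Microsoft code).
audit() works on a plain dict so it runs on any OS; read_live() is a thin
Windows-only wrapper around winreg."""

# HKLM-relative registry locations named in the article.
TASKS_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks"
PROFILE_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"

# Boosted priority range per Scheduling Category, from Figure 4 of the article.
BOOST_RANGE = {"High": (23, 26), "Medium": (16, 23)}
DEFAULT_RESPONSIVENESS = 20   # percent of CPU MMCSS reserves for other activity

# Constructed baseline: the task keys you expect after your own clean install
# (the article names Audio and Playback; record the full list from a reference machine).
BASELINE = {"Audio", "Playback"}

# Constructed snapshot shaped like the Tasks key, with one third-party addition.
# "Background Only" is assumed to be the on-disk name of the article's BackgroundOnly.
SAMPLE_TASKS = {
    "Audio":        {"Scheduling Category": "Medium", "Background Only": "True"},
    "Playback":     {"Scheduling Category": "High",   "Background Only": "False"},
    "ContosoCodec": {"Scheduling Category": "High",   "Background Only": "True"},
}
SAMPLE_RESPONSIVENESS = 10   # constructed: someone lowered the 20 percent default


def audit(tasks, responsiveness, baseline):
    """Return findings for a {task_name: {value_name: data}} snapshot.

    Registering under a task lets MMCSS lift a thread to the Figure 4 range
    (16 and above is real-time, otherwise gated by the Increase Priority
    privilege), so unexpected tasks and a changed reservation are both reported.
    """
    findings = []
    if responsiveness != DEFAULT_RESPONSIVENESS:
        findings.append(
            f"SystemResponsiveness={responsiveness} (default {DEFAULT_RESPONSIVENESS}): "
            "CPU share reserved for non-multimedia threads was changed")
    for name, values in sorted(tasks.items()):
        category = values.get("Scheduling Category")
        boost = BOOST_RANGE.get(category)
        background = values.get("Background Only", "False") == "True"
        if name not in baseline:
            where = f"priorities {boost[0]}-{boost[1]}" if boost else "unknown range"
            findings.append(
                f"{name}: task not in baseline (third-party definition); "
                f"category={category} -> {where}, Background Only={background}")
        if boost is None:
            findings.append(
                f"{name}: Scheduling Category {category!r} is not in the Figure 4 table")
    return findings


def read_live():
    """Windows only: snapshot the live Tasks key and SystemResponsiveness."""
    import winreg  # imported lazily so audit() itself runs anywhere
    tasks = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TASKS_KEY) as hk:
        for i in range(winreg.QueryInfoKey(hk)[0]):
            name = winreg.EnumKey(hk, i)
            values = {}
            with winreg.OpenKey(hk, name) as sub:
                for j in range(winreg.QueryInfoKey(sub)[1]):
                    vname, data, _vtype = winreg.EnumValue(sub, j)
                    values[vname] = data
            tasks[name] = values
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_KEY) as hk:
        responsiveness = winreg.QueryValueEx(hk, "SystemResponsiveness")[0]
    return tasks, responsiveness


if __name__ == "__main__":
    try:
        live_tasks, live_responsiveness = read_live()
    except (ImportError, OSError):          # not on Windows: use the sample data
        live_tasks, live_responsiveness = SAMPLE_TASKS, SAMPLE_RESPONSIVENESS
    for line in audit(live_tasks, live_responsiveness, BASELINE) or ["no findings"]:
        print(line)
```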