Windows Internals, Sixth Edition, Part 2

Total Page:16

File Type:pdf, Size:1020Kb

Windows Internals, Sixth Edition, Part 2 spine = 1.2” Part 2 About the Authors Mark Russinovich is a Technical Fellow in ® the Windows Azure™ group at Microsoft. Windows Internals He is coauthor of Windows Sysinternals SIXTH EDITION Administrator’s Reference, co-creator of the Sysinternals tools available from Microsoft Windows ® The definitive guide—fully updated for Windows 7 TechNet, and coauthor of the Windows Internals and Windows Server 2008 R2 book series. Delve inside Windows architecture and internals—and see how core David A. Solomon is coauthor of the Windows Internals book series and has taught components work behind the scenes. Led by a team of internationally his Windows internals class to thousands of renowned internals experts, this classic guide has been fully updated Windows developers and IT professionals worldwide, SIXTH for Windows 7 and Windows Server® 2008 R2—and now presents its including Microsoft staff. He is a regular speaker 6EDITION coverage in two volumes. at Microsoft conferences, including TechNet As always, you get critical, insider perspectives on how Windows and PDC. operates. And through hands-on experiments, you’ll experience its Alex Ionescu is a chief software architect and internal behavior firsthand—knowledge you can apply to improve consultant expert in low-level system software, application design, debugging, system performance, and support. kernel development, security training, and Internals reverse engineering. He teaches Windows internals courses with David Solomon, and is ® In Part 2, you will: active in the security research community. Internals • Understand how core system and management mechanisms Part 2 work—including object manager, synchronization, Wow64, Hyper-V®, and the registry DEVELOPER ROADMAP • Examine the data structures and activities behind processes, Start Here! threads, and jobs • Beginner-level instruction • Go inside the Windows security model to see how it manages • Easy to follow explanations and examples access, auditing, and authorization • Exercises to build your first projects • Explore the Windows networking stack from top to bottom— including APIs, BranchCache, protocol and NDIS drivers, and Step by Step layered services • For experienced developers learning a • Dig into internals hands-on using the kernel debugger, new topic performance monitor, and other tools • Focus on fundamental techniques and tools • Hands-on tutorial with practice files plus 6 EDITION eBook SIXTH NOTE Developer Reference • Professional developers; intermediate to Part 2 available Fall 2012 advanced See Table of Contents inside • Expertly covers essential topics and PART 2 techniques • Features extensive, adaptable code examples Russinovich Focused Topics Solomon • For programmers who develop complex or advanced solutions Ionescu microsoft.com/mspress • Specialized topics; narrow focus; deep coverage • Features extensive, adaptable code examples ISBN: 978-0-7356-4873-9 U.S.A. $39.99 See inside cover Canada $41.99 Mark Russinovich [Recommended] David A. Solomon Operating Systems/ Windows Alex Ionescu Cyan Magenta Yellow Black PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2012 by David Solomon and Mark Russinovich All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Library of Congress Control Number: 2012933511 ISBN: 978-0-7356-6587-3 Printed and bound in the United States of America. Third Printing: December 2014 Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/ Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fi ctitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the authors’ views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book. Acquisitions Editor: Devon Musgrave Developmental Editor: Devon Musgrave Project Editor: Carol Dillingham Editorial Production: Curtis Philips Technical Reviewer: Christophe Nasarre; Technical Review services provided by Content Master, a member of CM Group, Ltd. Copyeditor: John Pierce Indexer: Jan Wright Cover: Twist Creative • Seattle To our parents, who guided and inspired us to follow our dreams Contents at a Glance Windows Internals, Sixth Edition, Part 1 (available separately) CHAPTER 1 Concepts and Tools CHAPTER 2 System Architecture CHAPTER 3 System Mechanisms CHAPTER 4 Management Mechanisms CHAPTER 5 Processes, Threads, and Jobs CHAPTER 6 Security CHAPTER 7 Networking Windows Internals, Sixth Edition, Part 2 CHAPTER 8 I/O System 1 CHAPTER 9 Storage Management 125 CHAPTER 10 Memory Management 187 CHAPTER 11 Cache Manager 355 CHAPTER 12 File Systems 391 CHAPTER 13 Startup and Shutdown 499 CHAPTER 14 Crash Dump Analysis 547 Contents Windows Internals, Sixth Edition, Part 1 (See appendix for Part 1’s table of contents) Windows Internals, Sixth Edition, Part 2 Introduction .....................................................xv Chapter 8 I/O System 1 I/O System Components ...........................................1 The I/O Manager ............................................3 Typical I/O Processing ........................................4 Device Drivers ....................................................5 Types of Device Drivers .......................................5 Structure of a Driver ........................................12 Driver Objects and Device Objects ............................14 Opening Devices ...........................................19 I/O Processing. 25 Types of I/O ................................................25 I/O Request to a Single-Layered Driver ........................33 I/O Requests to Layered Drivers ..............................40 I/O Cancellation ............................................48 I/O Completion Ports .......................................53 I/O Prioritization ............................................58 Container Notifications. .65 Driver Verifier ..............................................65 Kernel-Mode Driver Framework (KMDF) ............................68 Structure and Operation of a KMDF Driver. 68 KMDF Data Model ..........................................70 KMDF I/O Model ...........................................74 What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey vii User-Mode Driver Framework (UMDF) ..............................78 The Plug and Play (PnP) Manager ..................................81 Level of Plug and Play Support ...............................82 Driver Support for Plug and Play .............................82 Driver Loading, Initialization, and Installation ..................84 Driver Installation. 94 The Power Manager ..............................................98 Power Manager Operation. .100 Driver Power Operation ....................................101 Driver and Application Control of Device Power. 105 Power Availability Requests .................................105 Processor Power Management (PPM) ........................108 Conclusion .....................................................123 Chapter 9 Storage Management 125 Storage Terminology ............................................125 Disk Devices ....................................................126 Rotating Magnetic Disks ....................................126 Solid State Disks ...........................................128 Disk Drivers ....................................................131 Winload ..................................................132 Disk Class, Port, and Miniport Drivers ........................132 Disk Device Objects ........................................136 Partition Manager .........................................138 Volume Management ............................................138 Basic Disks ................................................139 Dynamic Disks .............................................141 Multipartition Volume Management .........................147 The Volume Namespace ....................................153 Volume I/O Operations. 159 Virtual Disk Service ........................................160 Virtual Hard Disk Support ........................................162 Attaching VHDs ...........................................163 Nested File Systems ........................................163 BitLocker Drive Encryption .......................................163 Encryption Keys ...........................................165 Trusted Platform Module (TPM) .............................168
Recommended publications
  • The Linux Kernel Module Programming Guide
    The Linux Kernel Module Programming Guide Peter Jay Salzman Michael Burian Ori Pomerantz Copyright © 2001 Peter Jay Salzman 2007−05−18 ver 2.6.4 The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the Open Software License, version 1.1. You can obtain a copy of this license at http://opensource.org/licenses/osl.php. This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose. The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the Open Software License. In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic. Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact. If you have contributed new material to this book, you must make the material and source code available for your revisions. Please make revisions and updates available directly to the document maintainer, Peter Jay Salzman <[email protected]>. This will allow for the merging of updates and provide consistent revisions to the Linux community. If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the Linux Documentation Project (LDP).
    [Show full text]
  • Microsoft Update Blue Screen Error Fixing BSOD
    kyoceradocumentsolutions.us Microsoft Update Blue Screen Error Fixing BSOD March 2021 Microsoft Update Blue Screen Error What is causing the Blue Screen error when I print using the KX Driver? Kyocera as well as many other companies began getting reports of Blue Screen of Death (BSOD) incidents when printing. Microsoft released 2 updates this week, KB5000802 and KB5000808. The updates caused the crash. What has Microsoft done since this was reported? Microsoft has removed both updates from the automatic pushed update list. If your PC has not yet downloaded the update it will not install them. If you manually update your system from within Windows Update the 2 problem updates are still there and can be manually selected and installed. Do not do that until a complete fix is released if your PC is used for printing. Microsoft has left them up for manual install for users that have systems not used for printing. How do we fix a PC that has already been updated? The best solution is to uninstall the 2 Updates. Follow the directions below and remember to reboot when done. 1. Open a Command Prompt with Administrator rights. Click on the Start button and type cmd. The following will be displayed. 2 Microsoft Update Blue Screen Error 2. Click Run as Administrator on the right to open the Command Prompt Window. Accept the prompt to open with elevated rights and make changes to the computer. 3. In the Command Prompt enter the following command and press enter. – wusa /uninstall /kb:5000802 4. The Stand alone install will launch and remove the Update.
    [Show full text]
  • TK Backman, Jason Yang, SW Development at MS
    T.K. Backman Jason Yang [email protected] [email protected] Principal Development Lead Principal Development Lead Debugging and Tools Group Analysis Technologies Team Windows Engineering Desktop Windows Engineering Desktop Microsoft Corporation Microsoft Corporationnnn Code on a massive scale Developers on a massive scale Tight constraints on schedules University of Washington 3/2/2011 2 ◦ Company structure Why the world is not just about developers ☺ ◦ Innovation strategy How we actually improve software over time ◦ Dynamic tension When people are involved, everything changes ◦ Development cycles How we build software products in cycles ◦ Program analysis How we push quality upstream ◦ Windows engineering system How we build large-scale products University of Washington 3/2/2011 3 ◦ Total size: ~89,000 employees ◦ Windows & Office – “perfect org structure” PM – program managers Dev – software developers Test – software developers in test ◦ Around 1000 PM+Dev+Test feature teams on 100s of products University of Washington 3/2/2011 4 ◦ Team size: ~10,000 employees ◦ Sales & marketing ◦ Project managers / product managers ◦ 30 feature teams 1500 Devs 1500 Testers 1000 PMs ◦ Customer support engineers ◦ Build engineers University of Washington 3/2/2011 5 “I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning
    [Show full text]
  • Acceleration of Applications with FPGA-Based Computing Machines: Code Restructuring
    FACULDADE DE ENGENHARIA DA UNIVERSIDADE DO PORTO Acceleration of Applications with FPGA-Based Computing Machines: Code Restructuring Tiago Lascasas dos Santos Mestrado Integrado em Engenharia Informática e Computação Supervisor: João M. P. Cardoso, PhD Co-supervisor: João Bispo, PhD July 31, 2020 c Tiago Santos, 2020 Acceleration of Applications with FPGA-Based Computing Machines: Code Restructuring Tiago Lascasas dos Santos Mestrado Integrado em Engenharia Informática e Computação Approved in oral examination by the committee: Chair: Prof. João Paulo de Castro Canas Ferreira, PhD External Examiner: Dr. José Gabriel de Figueiredo Coutinho, PhD Supervisor: Prof. João Manuel Paiva Cardoso, PhD July 31, 2020 Abstract Field-programmable gate arrays (FPGAs) can be used to accelerate performance-critical programs from a wide range of fields and still providing energy-efficient solutions. Programs written in high level languages, such as C and C++, can be compiled to FPGAs through High-level Synthesis (HLS). Although FPGAs benefit the most from parallel and data-streaming applications, efficient compilation to FPGAs is a problem for both tools and developers. Most applications do not follow these patterns, and extensive code restructuring and the use of HLS directives need to be applied to a program in order to take advantage of FPGAs. Code restructuring and the use of HLS directives often needs to be manually performed by an experienced developer, and as such there is a need to automate this process. This dissertation proposes a framework that automatically optimizes C code via directives, using a source-to-source compiler on a stage prior to HLS. This optimization is primarily applied by strategies that select, configure and insert directives on the code to be input to an HLS tool, e.g., Vivado HLS, in order to synthesize more efficient hardware accelerators.
    [Show full text]
  • Microsoft Security Update for January 2020 Fixes 49 Security Vulnerabilities
    Microsoft Security Update for January 2020 Fixes 49 Security Vulnerabilities Overview Microsoft released the January security update on Tuesday, fixing 49 security issues ranging from simple spoofing attacks to remote code execution, discovered in products like .NET Framework, Apps, ASP.NET, Common Log File System Driver, Microsoft Dynamics, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows, Microsoft Windows Search Component, Windows Hyper-V, Windows Media, Windows RDP, Windows Subsystem for Linux, and Windows Update Stack. Of the vulnerabilities fixed by Microsoft's this monthly update, a total of eight critical vulnerabilities exist in the .NET Framework, ASP.NET, Microsoft Scripting Engine, and Windows RDP. In addition, there are 41 important vulnerabilities. Critical Vulnerabilities The following are eight critical vulnerabilities covered in this update. @NSFOUS 2020 http://www.nsfocus.com Windows RDP CVE-2020-0609、CVE-2020-0610 These two remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway) could be exploited by unauthenticated attackers. If the two vulnerabilities are exploited successfully, arbitrary code may be executed on the target system, allowing the attacker to install the program, view, change or delete data, or create a new account with full user rights. To exploit this vulnerability, an attacker needs to send a specially crafted request to the RD gateway of the target system via RDP. This update addresses these issues by correcting the way the RD gateway handles connection requests. For more details about the vulnerabilities and download updates, please refer to Microsoft's official security advisories: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610 CVE-2020-0611 This is a remote code execution vulnerability in Windows Remote Desktop clients.
    [Show full text]
  • Scheduling, Thread Context, and IRQL
    Scheduling, Thread Context, and IRQL December 31, 2020 Abstract This paper presents information about how thread scheduling, thread context, and a processor’s current interrupt request level (IRQL) affect the operation of kernel- mode drivers for the Microsoft® Windows® family of operating systems. It is intended to provide driver writers with a greater understanding of the environment in which their code runs. A companion paper, “Locks, Deadlocks, and Synchronization” at http://www.microsoft.com/whdc/hwdev/driver/LOCKS.mspx, builds on these fundamental concepts to address synchronization issues in drivers. Contents Introduction ....................................................................................................................... 3 Thread Scheduling ............................................................................................................ 3 Thread Context and Driver Routines .................................................................................. 4 Driver Threads .................................................................................................................. 5 Interrupt Request Levels .................................................................................................... 6 Processor-Specific and Thread-Specific IRQLs .............................................................. 8 IRQL PASSIVE_LEVEL ............................................................................................ 8 IRQL PASSIVE_LEVEL, in a critical region ..............................................................
    [Show full text]
  • How to Fix a Frozen Windows PC
    How to Fix a Frozen Windows PC Mashka/Shutterstock.com Windows PCs freeze for a variety of reasons. One instance might be a fluke, but repeated freezes suggest a problem you’ll want to fix. Here’s how to unfreeze and recover a stuck PC—and stop it from freezing again. How to Speed Up a Slow PC Volume 0% How to Unfreeze a Frozen Windows PC There are several ways you can recover your frozen PC, depending on what caused the problem. Sometimes, all you have to do is wait a few seconds—the PC might get hung up while doing some work and unfreeze itself a few seconds later. If a full-screen application, like a game, freezes and prevents you from leaving it, press Alt+F4. This closes the application if the game is just experiencing graphical problems, but it won’t work if the application has frozen completely. To see if the computer is still responding, press Ctrl+Alt+Delete. From this screen, you can open the Task Manager (and close any running applications), or log out of or restart your PC. If this screen doesn’t appear, you might not be able to recover your PC without rebooting it. If you can open the Task Manager, you might be able to recover from the freeze. (You can also press Ctrl+Shift+Esc to open the Task Manager.) Select the “Processes” tab—if you don’t see it, click “More Details.” Locate any processes using a lot of CPU—you can click the “CPU” column header to sort by CPU usage and see the most demanding processes at the top of the list.
    [Show full text]
  • Rootkit- Rootkits.For.Dummies 2007.Pdf
    01_917106 ffirs.qxp 12/21/06 12:04 AM Page i Rootkits FOR DUMmIES‰ 01_917106 ffirs.qxp 12/21/06 12:04 AM Page ii 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iii Rootkits FOR DUMmIES‰ by Larry Stevenson and Nancy Altholz 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iv Rootkits For Dummies® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit- ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission.
    [Show full text]
  • Run-Commands-Windows-10.Pdf
    Run Commands Windows 10 by Bettertechtips.com Command Action Command Action documents Open Documents Folder devicepairingwizard Device Pairing Wizard videos Open Videos Folder msdt Diagnostics Troubleshooting Wizard downloads Open Downloads Folder tabcal Digitizer Calibration Tool favorites Open Favorites Folder dxdiag DirectX Diagnostic Tool recent Open Recent Folder cleanmgr Disk Cleanup pictures Open Pictures Folder dfrgui Optimie Drive devicepairingwizard Add a new Device diskmgmt.msc Disk Management winver About Windows dialog dpiscaling Display Setting hdwwiz Add Hardware Wizard dccw Display Color Calibration netplwiz User Accounts verifier Driver Verifier Manager azman.msc Authorization Manager utilman Ease of Access Center sdclt Backup and Restore rekeywiz Encryption File System Wizard fsquirt fsquirt eventvwr.msc Event Viewer calc Calculator fxscover Fax Cover Page Editor certmgr.msc Certificates sigverif File Signature Verification systempropertiesperformance Performance Options joy.cpl Game Controllers printui Printer User Interface iexpress IExpress Wizard charmap Character Map iexplore Internet Explorer cttune ClearType text Tuner inetcpl.cpl Internet Properties colorcpl Color Management iscsicpl iSCSI Initiator Configuration Tool cmd Command Prompt lpksetup Language Pack Installer comexp.msc Component Services gpedit.msc Local Group Policy Editor compmgmt.msc Computer Management secpol.msc Local Security Policy: displayswitch Connect to a Projector lusrmgr.msc Local Users and Groups control Control Panel magnify Magnifier
    [Show full text]
  • Introduction to Linux Kernel Driver Programming
    IntroductionIntroduction toto LinuxLinux kernelkernel driverdriver programmingprogramming Introduction to Linux kernel driver programming The Linux kernel device model Authors and license ● Authors – Michael Opdenacker ([email protected]) Founder of Bootlin, kernel and embedded Linux engineering company https://bootlin.com/company/staff/michael-opdenacker ● License – Creative Commons Attribution – Share Alike 4.0 https://creativecommons.org/licenses/by-sa/4.0/ – Document sources: https://github.com/e-ale/Slides Need for a device model ● For the same device, need to use the same device driver on multiple CPU architectures (x86, ARM…), even though the hardware controllers are different. ● Need for a single driver to support multiple devices of the same kind. ● This requires a clean organization of the code, with the device drivers separated from the controller drivers, the hardware description separated from the drivers themselves, etc. Driver: between bus infrastructure and framework In Linux, a driver is always interfacing with: ● a framework that allows the driver to expose the hardware features in a generic way. ● a bus infrastructure, part of the device model, to detect/communicate with the hardware. Let’s focus on the bus infrastructure for now Device model data structures The device model is organized around three main data structures: ● The struct bus_type structure, which represent one type of bus (USB, PCI, I2C, etc.) ● The struct device_driver structure, which represents one driver capable of handling certain devices on a certain bus. ● The struct device structure, which represents one device connected to a bus The kernel uses inheritance to create more specialized versions of struct device_driver and struct device for each bus subsystem.
    [Show full text]
  • Guidelines for Designing Embedded Systems with Windows 10 Iot Enterprise
    Guidelines for Designing Embedded Systems with Windows 10 IoT Enterprise Version 2.0 Published July 15, 2016 Guidelines for designing embedded systems 1 CONFIDENTIAL Contents Overview .................................................................................................................................................................................................... 4 Building a task-specific experience ............................................................................................................................................ 4 General Group Policy settings ....................................................................................................................................................... 4 Application control ................................................................................................................................................................................ 5 Application boot options ................................................................................................................................................................. 5 Auto-boot Universal Windows apps ...................................................................................................................................... 5 Auto-boot Classic Windows apps ........................................................................................................................................... 5 Limit application access with AppLocker ...............................................................................................................................
    [Show full text]
  • Acronis True Image for Western Digital
    Acronis True Image for Western Digital USER GUIDE Table of contents 1 Introduction ....................................................................................................................5 1.1 What is Acronis True Image for Western Digital? ..................................................................... 5 1.2 Backups created in Acronis True Image ..................................................................................... 5 1.3 System requirements and supported media ............................................................................. 6 1.3.1 Minimum system requirements .................................................................................................................... 6 1.3.2 Supported operating systems ........................................................................................................................ 7 1.3.3 Backing up all data on your PC ....................................................................................................................... 7 1.3.4 Supported file systems .................................................................................................................................... 8 1.3.5 Supported storage media ............................................................................................................................... 8 1.4 Installing Acronis True Image for Western Digital ..................................................................... 9 1.5 Activating Acronis True Image for Western Digital .................................................................10
    [Show full text]