Windows – Key User Mode Components
Overview
• Organization
• Model
• Components
• CPU Modes
• System processes
• Services processes
• User processes
• Subsystem processes
• System services
www.winitor.com – dec. 2012
OS Organization
• Applications are not allowed direct access to hardware
• Access to hardware is made via system services
[Figure: layered model, top to bottom: Applications, Virtual machine, Real machine]
OS Model
• Applications access the OS via one defined Application Program Interface (API)
[Figure: Application, above API, above OS]
OS Contexts
[Figure: Applications run while the CPU is in user mode; the OS runs while the CPU is in kernel mode]
CPU Modes
• Protect critical system data from user applications
• User mode
• Kernel mode
[Figure: privilege rings 3, 2, 1, 0; user mode runs at ring 3, kernel mode at ring 0]
CPU Modes - mechanism
• User programs typically run in both modes
• A CPU mode switch is not a CPU context switch
[Figure: mode plotted against time]
CPU Modes - scenarios
[Figure: scenarios of transitions between user mode and kernel mode]
TCB
• Context
  • No CPU restriction in kernel
  • No memory restriction in kernel
  • No security check in kernel
• Definition
  • Portions of the system trusted to enforce the security
• Components
  • All kernel code
  • Most hardware
  • Some user code (SeTcbPrivilege)
  • Administrators
[Figure: layers labelled administrators, applications, kernel, drivers, hardware]
Memory Layout
• Each application occupies 4 GB of address space
• All applications share the system memory space
[Figure: 32-bit address space layout]
  0x00000000 to 0x7FFFFFFF: unprivileged memory, private to each application (Application A, Application B, Application C, ... Application Z)
  above 0x7FFFFFFF up to 0xFFFFFFFF: privileged memory, the shared system space
OS Major Components
[Figure: layered view of the OS, top to bottom]
User mode:
  • System processes: Session manager, Logon manager, Security manager, Services manager, ...
  • Services processes: alerter, ...
  • User processes: pinball, explorer, ...
  • Environment subsystem processes: POSIX, Win32
  • System services (the boundary between user mode and kernel mode)
Kernel mode:
  • Executive
  • Hardware Abstraction Layer
Hardware
Environment Subsystems
• Definition
• Role
• Types
[Figure: applications and their subsystems: Win32 applications run on the Win32 subsystem; Posix applications run on the Posix subsystem; Win16 applications run through WOW inside an NTVDM; DOS applications run inside an NTVDM]
Environment Subsystems - interfaces
• Subsystem
  • Process runs in a private address space
• Application
  • Sends messages to the subsystem
  • Unaware of the messages
  • Implicitly linked with the subsystem's interfaces (image = code + metadata)
[Figure: application.exe makes function calls into the Win32 API (Kernel32.dll, Gdi32.dll, User32.dll, ...), which in turn calls the Native API (Ntdll.dll)]
Environment Subsystems - strategy
[Figure, built up over three slides: an application calls the Win32 API, which is implemented by the subsystem DLLs; a call is then served either by the Executive through the Native API (a CPU mode switch) or by a message sent to the subsystem process (a CPU context switch)]
Environment Subsystems - strategy
Service implementation   CPU mode switching   CPU context switching   Message sent
User process             No                   No                      No
Executive                Yes                  No                      No
Server (subsystem)       Yes                  Yes                     Yes
(performance: best at the top of the table, worst at the bottom)
Win16 Support
• MS-DOS applications: one-to-one relation
• Win16 applications: many-to-one relation
[Figure: before NT, Windows ran on top of MS-DOS; under NT, MS-DOS runs on top of Windows]
System processes
• Are started by the system
• Are running on every system
• Cannot be stopped
Session Manager Subsystem
• Definition
• Role
• Particularities
  • Part of the TCB
  • Native user application
Logon Manager
• Definition
• Role
  • Interactive logon request management
  • Authentication
  • User interface management
  • User profile initialization
  • Shell creation
  • TASKMGR management
[Figure: who you are (identification); what you know (authentication); what you are (authentication)]
Local Security Authority Subsystem
• Definition
• Role
Service Control Manager
• Definition
• Role
User Processes - creation
[Figure: process creation tree]
System
  └ Smss
      ├ Winlogon (permanent)
      │   └ Userinit (volatile, interactive)
      │       └ Shell (volatile, interactive)
      │           └ ...
      ├ Csrss (permanent)
      ├ Services (permanent)
      └ Lsass (permanent)
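The creation tree above gives a defender a baseline: each system process has exactly one legitimate parent, and the permanent ones must always be present. The following script is an added example, not code from the deck or from winitor; it encodes the slide's tree as an expected-parent table and runs it over a constructed process snapshot. The shell is assumed to be explorer.exe (the slide only says "Shell"), and the image names, PIDs and the deliberately wrong entry in the snapshot are made up.

```python
"""Check a process snapshot against the creation tree drawn on the slide.

Added example, not code from the deck or from winitor. The expected
parent of each system process comes from the 'User Processes - creation'
slide (Smss starts Winlogon, Csrss, Services and Lsass; Winlogon starts
Userinit, which starts the shell). The snapshot below is constructed.
"""
from dataclasses import dataclass

# Expected parents, keyed by lower-case image name. The shell is assumed
# to be explorer.exe (the deck only says "Shell").
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "winlogon.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"},
    "services.exe": {"smss.exe"},
    "lsass.exe": {"smss.exe"},
    "userinit.exe": {"winlogon.exe"},
    "explorer.exe": {"userinit.exe"},
}
# Slide labels: these stay for the life of the system ...
PERMANENT = {"smss.exe", "winlogon.exe", "csrss.exe", "services.exe", "lsass.exe"}
# ... while these are volatile: userinit.exe exits once the shell is up,
# so the shell's parent PID normally points at a process that no longer exists.
VOLATILE = {"userinit.exe", "explorer.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


def check_tree(procs):
    """Return findings as (pid, name, reason) tuples, in snapshot order.

    Two checks: every process whose name is in EXPECTED_PARENT has a parent
    the slide allows, and every permanent process is present.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            if name in VOLATILE:
                continue  # parent already exited; expected for the shell chain
            findings.append((p.pid, p.name, "parent process missing"))
            continue
        parent_name = parent.name.lower()
        if parent_name not in EXPECTED_PARENT[name]:
            findings.append((p.pid, p.name, f"unexpected parent {parent_name}"))
    present = {p.name.lower() for p in procs}
    for name in sorted(PERMANENT - present):
        findings.append((0, name, "permanent process not running"))
    return findings


# Constructed snapshot: the normal tree from the slide, plus one
# deliberately wrong entry (an lsass.exe whose parent is the shell).
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(300, 4, "smss.exe"),
    Proc(400, 300, "csrss.exe"),
    Proc(420, 300, "winlogon.exe"),
    Proc(500, 300, "services.exe"),
    Proc(520, 300, "lsass.exe"),
    Proc(700, 420, "userinit.exe"),
    Proc(800, 700, "explorer.exe"),
    Proc(900, 800, "lsass.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in check_tree(SAMPLE_SNAPSHOT):
        print(f"pid {pid} {name}: {reason}")
```

The table reflects the tree as this deck draws it. On Windows Vista and later the layout differs (smss.exe starts wininit.exe, which becomes the parent of services.exe and lsass.exe, and csrss.exe and winlogon.exe exist per session), so EXPECTED_PARENT must be taken from the version actually being monitored rather than copied from the slide.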
Thanks!