spine = 1.2” Part 2 About the Authors Mark Russinovich is a Technical Fellow in ® the Windows Azure™ group at Microsoft. Windows Internals He is coauthor of Windows Sysinternals SIXTH EDITION Administrator’s Reference, co-creator of the Sysinternals tools available from Microsoft Windows ® The definitive guide—fully updated for Windows 7 TechNet, and coauthor of the Windows Internals and Windows Server 2008 R2 book series. Delve inside Windows architecture and internals—and see how core David A. Solomon is coauthor of the Windows Internals book series and has taught components work behind the scenes. Led by a team of internationally his Windows internals class to thousands of renowned internals experts, this classic guide has been fully updated Windows developers and IT professionals worldwide, SIXTH for Windows 7 and Windows Server® 2008 R2—and now presents its including Microsoft staff. He is a regular speaker 6EDITION coverage in two volumes. at Microsoft conferences, including TechNet As always, you get critical, insider perspectives on how Windows and PDC. operates. And through hands-on experiments, you’ll experience its Alex Ionescu is a chief software architect and internal behavior firsthand—knowledge you can apply to improve consultant expert in low-level system software, application design, debugging, system performance, and support. kernel development, security training, and Internals reverse engineering. He teaches Windows internals courses with David Solomon, and is ® In Part 2, you will: active in the security research community. Internals • Understand how core system and management mechanisms Part 2 work—including object manager, synchronization, Wow64, Hyper-V®, and the registry DEVELOPER ROADMAP • Examine the data structures and activities behind processes, Start Here! threads, and jobs • Beginner-level instruction • Go inside the Windows security model to see how it manages • Easy to follow explanations and examples access, auditing, and authorization • Exercises to build your first projects • Explore the Windows networking stack from top to bottom— including APIs, BranchCache, protocol and NDIS drivers, and Step by Step layered services • For experienced developers learning a • Dig into internals hands-on using the kernel debugger, new topic performance monitor, and other tools • Focus on fundamental techniques and tools • Hands-on tutorial with practice files plus 6 EDITION eBook SIXTH NOTE Developer Reference • Professional developers; intermediate to Part 2 available Fall 2012 advanced See Table of Contents inside • Expertly covers essential topics and PART 2 techniques • Features extensive, adaptable code examples Russinovich Focused Topics Solomon • For programmers who develop complex or advanced solutions Ionescu microsoft.com/mspress • Specialized topics; narrow focus; deep coverage • Features extensive, adaptable code examples ISBN: 978-0-7356-4873-9 U.S.A. $39.99 See inside cover Canada $41.99 Mark Russinovich [Recommended] David A. Solomon Operating Systems/ Windows Alex Ionescu Cyan Magenta Yellow Black PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2012 by David Solomon and Mark Russinovich All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Library of Congress Control Number: 2012933511 ISBN: 978-0-7356-6587-3 Printed and bound in the United States of America. Third Printing: December 2014 Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/ Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fi ctitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the authors’ views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book. Acquisitions Editor: Devon Musgrave Developmental Editor: Devon Musgrave Project Editor: Carol Dillingham Editorial Production: Curtis Philips Technical Reviewer: Christophe Nasarre; Technical Review services provided by Content Master, a member of CM Group, Ltd. Copyeditor: John Pierce Indexer: Jan Wright Cover: Twist Creative • Seattle To our parents, who guided and inspired us to follow our dreams Contents at a Glance Windows Internals, Sixth Edition, Part 1 (available separately) CHAPTER 1 Concepts and Tools CHAPTER 2 System Architecture CHAPTER 3 System Mechanisms CHAPTER 4 Management Mechanisms CHAPTER 5 Processes, Threads, and Jobs CHAPTER 6 Security CHAPTER 7 Networking Windows Internals, Sixth Edition, Part 2 CHAPTER 8 I/O System 1 CHAPTER 9 Storage Management 125 CHAPTER 10 Memory Management 187 CHAPTER 11 Cache Manager 355 CHAPTER 12 File Systems 391 CHAPTER 13 Startup and Shutdown 499 CHAPTER 14 Crash Dump Analysis 547 Contents Windows Internals, Sixth Edition, Part 1 (See appendix for Part 1’s table of contents) Windows Internals, Sixth Edition, Part 2 Introduction .....................................................xv Chapter 8 I/O System 1 I/O System Components ...........................................1 The I/O Manager ............................................3 Typical I/O Processing ........................................4 Device Drivers ....................................................5 Types of Device Drivers .......................................5 Structure of a Driver ........................................12 Driver Objects and Device Objects ............................14 Opening Devices ...........................................19 I/O Processing. 25 Types of I/O ................................................25 I/O Request to a Single-Layered Driver ........................33 I/O Requests to Layered Drivers ..............................40 I/O Cancellation ............................................48 I/O Completion Ports .......................................53 I/O Prioritization ............................................58 Container Notifications. .65 Driver Verifier ..............................................65 Kernel-Mode Driver Framework (KMDF) ............................68 Structure and Operation of a KMDF Driver. 68 KMDF Data Model ..........................................70 KMDF I/O Model ...........................................74 What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey vii User-Mode Driver Framework (UMDF) ..............................78 The Plug and Play (PnP) Manager ..................................81 Level of Plug and Play Support ...............................82 Driver Support for Plug and Play .............................82 Driver Loading, Initialization, and Installation ..................84 Driver Installation. 94 The Power Manager ..............................................98 Power Manager Operation. .100 Driver Power Operation ....................................101 Driver and Application Control of Device Power. 105 Power Availability Requests .................................105 Processor Power Management (PPM) ........................108 Conclusion .....................................................123 Chapter 9 Storage Management 125 Storage Terminology ............................................125 Disk Devices ....................................................126 Rotating Magnetic Disks ....................................126 Solid State Disks ...........................................128 Disk Drivers ....................................................131 Winload ..................................................132 Disk Class, Port, and Miniport Drivers ........................132 Disk Device Objects ........................................136 Partition Manager .........................................138 Volume Management ............................................138 Basic Disks ................................................139 Dynamic Disks .............................................141 Multipartition Volume Management .........................147 The Volume Namespace ....................................153 Volume I/O Operations. 159 Virtual Disk Service ........................................160 Virtual Hard Disk Support ........................................162 Attaching VHDs ...........................................163 Nested File Systems ........................................163 BitLocker Drive Encryption .......................................163 Encryption Keys ...........................................165 Trusted Platform Module (TPM) .............................168