8/14/2019 Windows Kernel Internal Overview
1/21
Microsoft Corporation 1
Windows Kernel Internals Overview
David B. Probert, Ph.D.
Windows Kernel Development
Microsoft Corporation

Contributors
Neill Clift
Adrian Marinescu
Nar Ganapathy
Jake Oshins
Andrew Ritz
Jonathan Schwartz
Mark Lucovsky
Samer Arafeh
Dan Lovinger
Landy Wang
David Solomon
Ben Leis
Brian Andrew
Jason Zions
Gerardo Bermudez
Dragos Sambotin
Arun Kishan
Adrian Oney

Windows History
Team formed in November 1988
Less than 20 people
Build from the ground up
Advanced Operating System
Designed for desktops and servers
Secure, scalable SMP design
All new code
Rigorous discipline: developers wrote very detailed design docs, reviewed/discussed each other's docs and wrote unit tests

Goals of the NT System
Reliability: Nothing should be able to crash the OS. Anything that crashes the OS is a bug and we won't ship until it is fixed
Security: Built into the design from day one
Portability: Support more than one processor, avoid assembler, abstract HW dependencies.
Extensibility: Ability to extend the OS over time
Compatibility: Apps must run
Performance: All of the above are more important than raw speed!

Windows Server 2003 Architecture
[Figure: layered architecture diagram; labels listed by layer]
User Mode
    System Processes: Service Controller, WinLogon, Session Manager
    Services: Alerter, RPC, Event Logger
    Applications: User Application, Subsystem DLLs
    Environment Subsystems: Interix, Win32
    NTDLL.DLL
Kernel Mode
    System Threads
    Executive API
    I/O Manager, Cache Manager, Device drivers, Filesystems, Virtual Memory, Processes & Threads, Security, PnP/Power Manager
    Object management / Executive RTL
    Kernel
    Hardware Abstraction Layer (HAL)
Hardware interfaces (read/write port, timers, clocks, DMA, cache control, etc.)

Windows Executive
Upper layers of the operating system
Provides generic operating system functions (services)
    Creating and deleting processes and threads
    Memory management
    I/O initiation and completion
    Interprocess communication
    Security
Almost completely portable C code
Runs in kernel (privileged, ring 0) mode
Many interfaces to executive services not documented

Windows Kernel
Lower layers of the operating system
    Implements processor-dependent functions (x86 vs. Alpha vs. etc.)
    Also implements many processor-independent functions that are closely associated with processor-dependent functions
Main services
    Thread waiting, scheduling & context switching
    Exception and interrupt dispatching
    Operating system synchronization primitives (different for MP vs. UP)
    A few of these are exposed to user mode
Not a classic microkernel: shares address space with rest of kernel components

HAL - Hardware Abstraction Layer
Subroutine library for the kernel & device drivers
    Isolates Kernel and Executive from platform-specific details
    Presents uniform model of I/O hardware interface to drivers
HAL abstracts:
    System timers, Cache coherency & flushing
    SMP support, Hardware interrupt priorities
HAL also implements some functions that appear to be in the Executive and Kernel

Kernel Mode Execution
Code is run in kernel mode for one of three reasons:
1. Requests from user mode (system calls)
    Via the system service dispatch mechanism
    Kernel-mode code runs in the context of the requesting thread
2. Interrupts from external devices
    Interrupts (like all traps) are handled in kernel mode
    NT-supplied interrupt dispatcher invokes the interrupt service routine
    ISR runs in the context of the interrupted thread (so-called arbitrary thread context)
    ISR often requests the execution of a DPC routine, which also runs in kernel mode
3. Dedicated kernel-mode threads
    Some threads in the system stay in kernel mode at all times (mostly in the System process)
    Scheduled, preempted, etc., like any other threads

Processes & Threads
[Figure: a Process Object with its Access Token, Virtual Address Space Descriptors (VAD, VAD, VAD), a Handle Table referencing objects, and Threads (Thread, Thread, Thread, ...) with an Access Token]

Each process has its own
Virtual address space (including program global storage, heap storage, threads' stacks)
    processes cannot corrupt each other's address space by mistake
Working set (physical memory owned by the process)
Access token (includes security identifiers)
Handle table for Win32 kernel objects
These are common to all threads in the process, but separate and protected between processes

Each thread has its own
Stack (automatic storage, call frames, etc.)
Instance of a top-level function
Scheduling state (Wait, Ready, Running, etc.) and priority
Current access mode (user mode or kernel mode)
Saved CPU state if it isn't Running
Access token (optional -- overrides process's if present)
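
The last item above, a thread's optional access token overriding the process token, is modelled below as an added example; it is not code from the original slides or from Windows. The struct and function names are hypothetical, the layouts are simplified, and the scenario (a service thread temporarily taking on a client's token) and the client SID are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified model: illustrative structs, not the real kernel layouts. */
#define MAX_SIDS 4

typedef struct { const char *sids[MAX_SIDS]; size_t count; } Token;
typedef struct { const Token *primary; } Process;   /* one token per process */
typedef struct { const Process *proc; const Token *imp; } Thread; /* imp: optional */

/* The thread's own token, if present, overrides the process token. */
const Token *effective_token(const Thread *t) {
    return t->imp ? t->imp : t->proc->primary;
}

/* Grant access only if the effective token carries a SID on the allow list. */
int access_allowed(const Thread *t, const char *const *allow, size_t n) {
    const Token *tok = effective_token(t);
    for (size_t i = 0; i < tok->count; i++)
        for (size_t j = 0; j < n; j++)
            if (strcmp(tok->sids[i], allow[j]) == 0) return 1;
    return 0;
}

/* Constructed sample data: a service process and a low-privileged client. */
static const Token service_tok = { { "S-1-5-18", "S-1-5-32-544" }, 2 }; /* LocalSystem, Administrators */
static const Token client_tok  = { { "S-1-5-21-1111-2222-3333-1001", "S-1-5-32-545" }, 2 }; /* user, Users */
static const Process service = { &service_tok };
static const char *const admin_only[] = { "S-1-5-32-544" };

/* Packs three checks into bits: before, during and after the override. */
int demo(void) {
    Thread worker = { &service, NULL };
    int before = access_allowed(&worker, admin_only, 1); /* process token used */
    worker.imp = &client_tok;   /* thread takes on the client's identity */
    int during = access_allowed(&worker, admin_only, 1); /* client token used */
    worker.imp = NULL;          /* revert to the process token */
    int after = access_allowed(&worker, admin_only, 1);
    return (before << 2) | (during << 1) | after;
}

int main(void) {
    printf("before/during/after bits = %d\n", demo());
    return 0;
}
```

The middle check fails even though the process runs as LocalSystem, because the access decision follows the thread's token while one is present.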

Windows Past, Present, Future
PAST: Personal computer, 16->32 bits, MSDOS, Windows 9x code base, desktop focus
    Features, usability, compatibility, platform
    Windows 98
PRESENT: Enterprise computing, 32/64 bits, NT code base, solid desktop, datacenter
    Reliability, performance, IT Features
    Windows XP, Windows Server 2003
FUTURE: Managed code (.NET Framework)
    Productivity, innovation, empowerment
    Longhorn

.Net: Making it Simple
Windows API
    HWND hwndMain = CreateWindowEx(
        0, "MainWClass", "Main Window",
        WS_OVERLAPPEDWINDOW | WS_HSCROLL | WS_VSCROLL,
        CW_USEDEFAULT, CW_USEDEFAULT,
        CW_USEDEFAULT, CW_USEDEFAULT,
        (HWND)NULL, (HMENU)NULL, hInstance, NULL);
    ShowWindow(hwndMain, SW_SHOWDEFAULT);
    UpdateWindow(hwndMain);
.Net Framework
    Window w = new Window();
    w.Text = "Main Window";
    w.Show();

.Net: Unify Programming Models
Windows API
.NET Framework
Consistent API availability regardless of language and programming model
ASP: Stateless, Code embedded in HTML pages
MFC/ATL: Subclassing, Power, Expressiveness
VB Forms: RAD, Composition, Delegation

.Net: API Organization
System: Globalization, Diagnostics, Configuration, Collections, Resources, Reflection, Net, IO, Threading, Text, ServiceProcess, Security, Runtime (InteropServices, Remoting, Serialization)
System.Data: Design, ADO, SQLTypes, SQL
System.Xml: XPath, XSLT, Serialization
System.Web: Configuration, SessionState, Caching, Security, Services (Description, Discovery, Protocols), UI (HtmlControls, WebControls)
System.Drawing: Imaging, Drawing2D, Text, Printing
System.Windows.Forms: Design, ComponentModel

.Net: Languages
The Managed Platform is Language Neutral
    All languages are first class players
    You can leverage your existing skills
Common Language Specification
    Set of features guaranteed to be in all languages
    C# enforcement: [assembly:CLSCompliant(true)]
We are providing
    VB, C++, C#, J#, JScript
Third-parties are building
    APL, COBOL, Pascal, Eiffel, Haskell, ML, Oberon, Perl, Python, Scheme, Smalltalk

Unmanaged vs. Managed
Unmanaged Code        Managed Code
Binary standard       Type standard
Type libraries        Assemblies
Immutable             Resilient bind
Reference counting    Garbage collection
Type unsafe           Type safe
Interface based       Object based
HRESULTs              Exceptions
GUIDs                 Strong names

University of Tokyo
Windows Kernel Internals Lectures
Object Manager
Virtual Memory
Thread Scheduling
Synchronization
I/O Manager
I/O Security
Power Management
NT File System
Registry
Lightweight Proc Calls
Windows Services
System Bootstrap
Traps / Ints / Exceptions
Processes
Adv. Virtual Memory
Cache Manager
User-mode heap
Win32k.sys
WoW64
Common Errors

University of Tokyo
Windows Kernel Internals Projects
Device Drivers and Registry Hooking
    Dragos Sambotin, Polytech. Inst. of Bucharest
Using LPC to build native client/server apps
    Adrian Marinescu, University of Bucharest
Threads and Fibers
    Arun Kishan, Stanford University
Doing virtual memory experiments from user-mode
    Arun Kishan, Stanford University
Discussion