Microsoft windows internals, Microsoft Windows Server 2003, Windows XP, and Windows 2000 / Mark E. Russinovich, David A. Solomon.

CONTENIDO
Table of Contents
Historical Perspective xix
Foreword xxiii
Acknowledgments xxv
Introduction xxvii
1 Concepts and Tools 1
Windows Operating System Versions 1
Foundation Concepts and Terms 3
Windows API 3
Services, Functions, and Routines 5
Processes, Threads, and Jobs 6
Virtual Memory 14
Kernel Mode vs. User Mode 16
Terminal Services and Multiple Sessions 21
Objects and Handles 22
Security 23
Registry 24
Unicode 25
Digging into Windows Internals 25
Performance Tool 27
Windows Support Tools 27
Windows Resource Kits 27
Kernel Debugging 28
Platform Software Development Kit (SDK) 33
Device Driver Kit (DDK) 34
Sysinternals Tools 34
Conclusion 34
System Architecture 35
Requirements and Design Goals 35
Operating System Model 36
Architecture Overview 37
Portability 40
Symmetric Multiprocessing 41
Scalability 46
Differences Between Client and Server Versions 47
Checked Build 49
Key System Components 51
Environment Subsystems and Subsystem DLLs 53
Ntdll.dll 63
Executive 63
Kernel 65
Hardware Abstraction Layer 67
Device Drivers 69
System Processes 75
Conclusion 84
System Mechanisms 85
Trap Dispatching 85
Interrupt Dispatching 87
Exception Dispatching 109
System Service Dispatching 119
Object Manager 124
Executive Objects 126
Object Structure 128
Synchronization 149
High-IRQL Synchronization 151
Low-IRQL Synchronization 155
System Worker Threads 166
Windows Global Flags 168
Local Procedure Calls (LPCs) 171
Kernel Event Tracing 175
Wow64 178
Wow64 Process Addrress Space Layout 179
System Calls 179
Exception Dispatching 179
User Callbacks 179
File System Redirection 180
Registry Redirection and Reflection 180
I/O Control Requests 181
16-bit Installer Applications 182
Printing 182
Restrictions 182
Conclusion 182
4 Management Mechanisms 183
The Registry 183
Viewing and Changing the Registry 183
Registry Usage 184
Registry Data Types 185
Registry Logical Structure 186
Troubleshooting Registry Problems 192
Registry Internals 197
Services 211
Service Applications 212
Service Accounts 217
The Service Control Manager 223
Service Startup 225
Startup Errors 229
Accepting the Boot and Last Known Good 230
Service Failures 231
Service Shutdown 232
Shared Service Processes 233
Service Control Programs 236
Windows Management Instrumentation 237
WMI Architecture 237
Providers 239
The Common Information Model and the Managed Object Format Language 240
The WMI Namespace 243
Class Association 244
WMI Implementation 247
WMI Security 248
Conclusion 249
Startup and Shutdown 251
Boot Process 251
x86 and x64 Preboot 251
The x86/x64 Boot Sector and Ntldr 255
The IA64 Boot Process 264
Initializing the Kernel and Executive Subsystems 266
Smss, Csrss, and Winlogon 269
Images that Start Automatically 273
Troubleshooting Boot and Startup Problems 274
Last Known Good 274
Safe Mode 274
Recovery Console 279
Solving Common Boot Problems 281
Shutdown 286
Conclusion 288
Processes, Threads, and Jobs 289
Process Internals 289
Data Structures 289
Kernel Variables 297
Performance Counters 297
Relevant Functions 298
Flow of CreateProcess 300
Stage 1: Opening the Image to Be Executed 302
Stage 2: Creating the Windows Executive Process Object 304
Stage 3: Creating the Initial Thread and Its Stack and Context 308
Stage 4: Notifying the Windows Subsystem about the New Process 309
Stage 5: Starting Execution of the Initial Thread 310
Stage 6: Performing Process Initialization in the Context of the New Process 310
Thread Internals 313
Data Structures 313
Kernel Variables 320
Performance Counters 321
Relevant Functions 322
Birth of a Thread 322
Examining Thread Activity 323
Thread Scheduling 325
Overview of Windows Scheduling 326
Priority Levels 327
Windows Scheduling APIs 330
Relevant Tools 331
Real-Time Priorities 333
Thread States 334
Dispatcher Database 338
Quantum 340
Scheduling Scenarios 345
Context Switching 347
Idle Thread 348
Priority Boosts 348
Multiprocessor Systems 357
Multiprocessor Thread-Scheduling Algorithms 366
Job Objects 368
Conclusion 373
7 Memory Management 375
Introduction to the Memory Manager 375
Memory Manager Components 376
Internal Synchronization 377
Configuring the Memory Manager 378
Examining Memory Usage 378
Services the Memory Manager Provides 382
Large and Small Pages 382
Reserving and Committing Pages 384
Locking Memory 385
Allocation Granularity 385
Shared Memory and Mapped Files 386
Protecting Memory 388
No Execute Page Protection 390
Copy-on-Write 392
Heap Manager 394
Address Windowing Extensions 399
System Memory Pools 401
Configuring Pools Sizes 401
Monitoring Pool Usage 404
Look-Aside Lists 408
Driver Verifier 409
Virtual Address Space Layouts 413
x86 User Address Space Layouts 415
x86 System Address Space Layout 417
x86 Session Space 418
System Page Table Entries 421
64-Bit Address Space Layouts 422
Address Translation 425
x86 Virtual Address Translation 438
Page Fault Handling 439
Invalid PTEs 440
Prototype PTEs 441
In-Paging I/O 443
Collided Page Faults 444
Page Files 444
Virtual Address Descriptors 448
Section Objects 450
Working Sets 457
Demand Paging 458
Logical Prefetcher 458
Placement Policy 462
Working Set Management 463
Balance Set Manager and Swapper 466
System Working Set 467
Page Frame Number Database 469
Page List Dynamics 472
Modified Page Writer 475
PFN Data Structures 476
Low and High Memory Notification 479
Conclusion 483
8 Security 485
Security System Components 488
Protecting Objects 492
Access Checks 493
Security Descriptors and Access Control 506
Account Rights and Privileges 516
Account Rights 517
Privileges 518
Super Privileges 523
Security Auditing 524
Logon 526
Winlogon Initialization 528
User Logon Steps 529
Software Restriction Policies 533
Conclusion 535
I/O System 537
I/O System Components 537
The I/O Manager 539
Typical I/O Processing 540
Device Drivers 541
Types of Device Drivers 541
Structure of a Driver 548
Driver Objects and Device Objects 550
Opening Devices 555
I/O Processing 561
Types of I/O 561
I/O Request Packets 564
I/O Request to a Single-Layered Driver 569
I/O Requests to Layered Drivers 577
I/O Completion Ports 585
Driver Verifier 589
The Plug and Play (PnP) Manager 590
Level of Plug and Play Support 594
Driver Installation 603
The Power Manager 607
Power Manager Operation 609
Driver Power Operation 610
Driver Control of Device Power 613
Conclusion 613
10 Storage Management 615
Storage Terminology 615
Disk Drivers 616
Ntldrx 616
Disk Class, Port, and Miniport Drivers 617
Disk Device Objects 620
Partition Manager 622
Volume Management 622
Basic Disks 624
Dynamic Disks 626
Multipartition Volume Management 632
The Volume Namespace 638
Volume I/O Operations 646
Virtual Disk Service 648
Volume Shadow Copy Service 649
Conclusion 654
11 Cache Manager 655
Key Features of the Cache Manager 655
Single, Centralized System Cache 656
The Memory Manager 656
Cache Coherency 656
Virtual Block Caching 658
Stream-Based Caching 658
Recoverable File System Support 658
Cache Virtual Memory Management 660
Cache Size 662
Large System Cache 662
Cache Virtual Size 663
Cache Working Set Size 665
Cache Physical Size 667
Cache Data Structures 668
Systemwide Cache Data Structures 669
Per-File Cache Data Structures 670
File System Interfaces 674
Copying to and from the Cache 676
Caching with the Mapping and Pinning Interfaces 677
Caching with the Direct Memory Access Interfaces 678
Fast I/O 679
Read Ahead and Write Behind 682
Intelligent Read-Ahead 682
Write-Back Caching and Lazy Writing 683
Write Throttling 686
System Threads 687
Conclusion 688
File Systems 689
Windows File System Formats 690
CDFS 690
UDF 691
FAT12, FAT16, and FAT32 691
NTFS 694
File System Driver Architecture 694
Local FSDs 695
Remote FSDs 696
File System Operation 700
File System Filter Drivers 705
Troubleshooting File System Problems 711
Filemon Basic vs. Advanced Modes 711
Filemon Troubleshooting Techniques 712
NTFS Design Goals and Features 717
High-End File System Requirements 717
Advanced Features of NTFS 719
NTFS File System Driver 729
NTFS On-Disk Structure 732
Volumes 732
Clusters 732
Master File Table 733
File Reference Numbers 739
File Records 740
Filenames 742
Resident and Nonresident Attributes 752
Indexing 753
Object IDs 754
Quota Tracking 759
Logging 761
Recovery 767
NTFS Bad-Cluster Recovery 784
Conclusion 785
13 Networking 787
Windows Networking Architecture 787
The OSI Reference Model 787
Windows Networking Components 789
Networking APIs 791
Windows Sockets 791
Remate Procedure Call 798
Web Access APIs 803
Named Pipes and Mailslots 804
NetBIOS 811
Other Networking APIs 813
Multiple Redirector Support 815
Multiple Provider Router 816
Multiple UNC Provider 818
Name Resolution 820
Domain Name System 820
Windows Internet Name Service 820
Protocol Drivers 821
TCP/IP Extensions 824
NDIS Drivers 828
Variations on the NDIS Miniport 832
Connection-Oriented NDIS 832
Remote NDIS 835
QOS 836
Binding 838
Layered Network Services 839
Remate Access 839
Active Directory 840
Network Load Balancing 841
File Replication Service 843
Distributed File System 843
Conclusion 844
Crash Dump Analysis 845
Why Does Windows Crash? 845
The Blue Screen 846
Crash Dump Files 849
Crash Dump Generation 852
Windows Error Reporting 853
Online Crash Analysis 854
Basic Crash Dump Analysis 855
Notmyfault 855
Basic Crash Dump Analysis 856
Verbose Analysis 858
Using Crash Troubleshooting Tools 860
Buffer Overrun and Special Pool 861
Code Overwrite and System Code Write Protection 863
Advanced Crash Dump Analysis 864
Stack Trashes 865
Hunng or Unresponsive Systems 866
When There is no Crash Dump 869