operating systems 1 (4/12) - architectures (windows)
TRANSCRIPT
Operating Systems I PT / FF 2014
Example: Windows Operating System Family
• Since Windows XP (2001), every Windows kernel is a successor of the original NT development (the separate Windows 9x line ended with Windows ME)
• Requirements for the original NT project
• Provide a true 32-bit, preemptive, reentrant, virtual memory operating system
• Run on multiple hardware architectures and platforms
• Run and scale well on symmetric multiprocessing systems
• Be a great distributed computing platform (Client & Server)
• Run most existing 16-bit MS-DOS and Microsoft Windows 3.1 applications
• Meet government requirements for POSIX 1003.1 compliance
• Meet government and industry requirements for operating system security
• Be easily adaptable to the global market by supporting Unicode
2
Windows Operating System Family
• Extensibility: Code must be able to grow and change as market requirements change.
• Portability: The system must be able to run on multiple hardware architectures and must be able to move with relative ease to new ones as market demands dictate.
• Dependability: Protection against internal malfunction and external tampering.
• Applications should not be able to harm the OS or other running applications.
• Compatibility: User interface and APIs should be compatible with older versions of Windows as well as older operating systems such as MS-DOS.
• It should also interoperate well with UNIX, OS/2, and NetWare.
• Performance: Within the constraints of the other design goals, the system should be as fast and responsive as possible on each hardware platform.
3
Windows Versions
• Each Windows version comes in different flavors differing in ...
• ... number of physical processors being supported (not cores)
• ... amount of physical memory supported
• ... number of concurrent network connections supported
• ... support for TabletPC and/or Media Center Edition
• ... more than 100 configurable software licensing values (e.g. BitLocker, DVD burn)
• Example:
• Windows Server 2008 Standard Edition (x64): max. 4 physical processors, max. 32 GB RAM
• Windows Server 2008 Datacenter Edition (x64): max. 64 physical processors, max. 2048 GB RAM
• All flavors of one version are built from the same core components
4
Simplified Windows Architecture
5
[Figure: VMS and Windows - a bird's-eye view on architectures. Left panel, layered design of the VAX/VMS operating system: Program Development Tools, Layered Products (Apps), Utilities and Support Libraries in user mode; the Command Language Interpreter (CLI) in supervisor mode and the Record Management Service (RMS) in executive mode; the kernel with System Services, System-wide data structures, Memory Management, I/O Subsystem and Process and time management; on Alpha, the Platform-Adaptation Layer (PAL) beneath the kernel. Right panel, Windows high-level architecture: in user mode the environment subsystems (OS/2, Windows, POSIX), user applications, subsystem DLLs and the system and service processes; in kernel mode the Executive, the Kernel, device drivers, the Windows User/GDI device driver and the Hardware Abstraction Layer (HAL).]
Windows Portability
• Past and present instruction set architectures: x86 (initial), MIPS (initial), Alpha AXP (initial), PowerPC (NT 3.51), Itanium (Windows XP / Server 2003), x64 (Windows XP Professional x64 Edition / Server 2003, 2005), ARM (Windows 8)
• PowerPC and MIPS were dropped soon after the NT 4 release; Alpha AXP was dropped in 1999 (supported through NT 4 SP6)
• Layered design: architecture-specific functions are located in the kernel
• Windows kernel components are primarily written in C (executive, drivers)
• The UI and graphics subsystem are written in C++
• Hardware-specific and performance-sensitive parts are written in assembly language (e.g. interrupt trap handler, context switching)
• HAL (Hardware Abstraction Layer)
• Machine-specific functions are located in the HAL
• Became extensible in Windows 8 (HAL extensions), so that platform components such as the interrupt controller or timers can be supplied as separate modules
6
Windows Hardware Abstraction Layer (HAL)
• Responsible for a small part of the “hardware abstraction”: the motherboard components that are not handled by drivers
• System timers, cache coherency and flushing, SMP support, interrupt priorities (IRQLs)
• Subroutine library for the kernel and device drivers
• Isolates the Kernel and Executive from platform-specific details
• Presents a uniform model of the I/O hardware interface to drivers
• The HAL also implements some functions that appear to be in the Executive and Kernel
• Up to Windows XP / Server 2003 the HAL image was selected at installation time and could be overridden at boot time with /HAL= in boot.ini
• Windows Vista and later detect the HAL to use automatically at startup; x64 systems ship a single HAL image (hal.dll)
• A special kit exists only for vendors that must write custom HALs (requires Microsoft approval)
7
Windows Hardware Abstraction Layer (HAL)
8
Selected HAL and kernel routines available to drivers (descriptions after geoffchappell.com):

HalBugCheckSystem - stops the system because of an uncorrectable hardware error
KeAcquireSpinLock - acquires a spin lock so the caller can synchronize access to shared data in a multiprocessor-safe way by raising the IRQL
HalAllocateHardwareCounters - allocates a set of hardware performance counters
HalProcessorIdle - enters the power-saving mode of the CPU hardware
HalQueryRealTimeClock - reads the hardware real-time clock (used to initialize the system time)
KeQueryPerformanceCounter - provides the finest-grained running count available in the system; may disable system-wide interrupts for a minimal interval
READ_PORT_UCHAR - returns the byte read from the specified I/O port address
Windows Kernel
• Lower layer of the operating system (in ntoskrnl.exe, together with the executive)
• Implements processor-dependent functions (x86 vs. Itanium etc.)
• Also implements many processor-independent functions that are closely associated with processor-dependent ones
• Main services
• Thread waiting, scheduling and context switching
• Exception and interrupt dispatching
• Operating system synchronization primitives (different implementations for MP vs. UP); a few of them are exposed to user mode
• Not a classic “microkernel”: it shares one address space with the executive and the kernel-mode drivers, so a fault in any of them compromises the whole kernel
10
Windows Device Drivers
• Device drivers (*.sys)
• Hardware device drivers translate user I/O function calls into I/O requests for a specific hardware device, building on kernel and HAL functions
• Concept of virtual devices: system volumes and network protocols are presented as devices as well
• Programming models over the years: Windows NT driver model, Windows Driver Model (WDM) since Windows 2000, Windows Driver Foundation (WDF) since Vista
• Windowing and graphics driver (Win32k.sys)
• Graphical user interface (GUI) functions (USER and GDI)
• Windows, user interface controls, and drawing
• The Hardware Abstraction Layer (Hal.dll) is itself loaded as a kernel-mode driver image
12
Windows Device Drivers
• Separate loadable modules (drivername.SYS)
• Linked like .EXE files
• Typically linked against NTOSKRNL.EXE and HAL.DLL
• Only one version of each driver binary for both uniprocessor (UP) and multiprocessor (MP) systems; the driver relies on the kernel's synchronization routines, which behave correctly on either
• Several types
• “ordinary”, file system drivers, NDIS mini-port drivers, SCSI mini-port drivers (linked against port drivers), bus drivers
• Use driverquery /v to list loaded drivers
• drivers.exe from the Resource Kit for older Windows versions
13
Kernel-Mode Device Drivers
• Separate loadable modules (drivername.SYS)
• Linked like .EXEs
• Typically linked against NTOSKRNL.EXE and HAL.DLL
• Only one version of each driver binary for both uniprocessor (UP) and multiprocessor (MP) systems ...
• ... but drivers call routines in the kernel that behave differently for UP vs. MP versions
• Defined in the registry
• Several types: “ordinary”, file system, NDIS miniport, SCSI miniport (linked against port drivers), bus drivers
• More information in the I/O subsystem section
• To view loaded drivers, run drivers.exe; also see the list at the end of the output from pstat.exe, which includes the load address of each driver
• To update and control: System Properties -> Hardware tab -> Device Manager; Computer Management -> Software Environment -> Drivers
[Figure: layered driver stack - a file system driver on top of port drivers, with a RAID driver beneath]
Windows Executive
• Upper layer of the kernel-mode operating system
• Process and thread manager: adds Windows process and thread semantics on top of the lower-level kernel objects
• Object manager: manages the representation of resources
• Configuration manager: implementation of the system registry
• Memory manager / cache manager: implementation of virtual memory and the file system cache
• Security reference monitor (SRM): policy enforcement, auditing, object protection
• I/O manager: device-independent I/O dispatching
• Power manager, Plug-and-Play manager, LPC (local procedure call) facility (ALPC since Vista)
• Almost completely portable C code, runs in kernel mode
• Most interfaces to executive services are not officially documented
15
Windows Subsystem
• Documented, callable Windows API functions
• Examples: CreateProcess, CreateFile, GetMessage
• Subsystem DLLs translate Windows API calls into NTOSKRNL.EXE and WIN32K.SYS system service calls
• Undocumented native functions, callable from user space (through NTDLL.DLL)
• Example: NtCreateProcess is used both by the Windows CreateProcess and by POSIX fork() (since Vista, CreateProcess uses NtCreateUserProcess)
• Prior to Windows NT 4.0, the window manager and graphics services were part of the user-mode Win32 subsystem process (CSRSS); moving them into kernel mode (Win32k.sys) improved performance but placed a large, complex code base in kernel mode, where a bug compromises the whole system
• Kernel support functions
• Callable only from kernel mode, such as ExAllocatePool for the Windows system heap (pool)
17
Calling Windows Kernel from User Mode
• Kernel-mode functions are invoked from user mode via a protected mechanism
• x86: INT 2E (as of XP: SYSENTER on x86, SYSCALL on x64 / AMD64)
• The last thing that happens in user mode is this “change mode to kernel” instruction
• It causes an exception or interrupt, handled by the system service dispatcher (KiSystemService; KiSystemCall64 on x64) in kernel mode
• Return to user mode is done by dismissing the interrupt or exception
• The desired system function is selected by the “system service number”
• Every Windows function exported to user mode has a unique number
• This number is stored in a register (EAX) just before the “change mode” instruction
• The number is an index into the system service dispatch table
• The table gives the kernel-mode entry point address and the argument list length for each function
18
Calling Windows Kernel from User Mode
• All validity checks are done after the user-to-kernel-mode transition
• KiSystemService: probes the argument list, copies it to the kernel-mode stack, calls the executive or kernel routine pointed to by the table
• The service-specific routine checks argument values, probes pointed-to buffers, etc.
• Once past that point, everything is “trusted”
• This is safe, because:
• The system service table is in kernel-protected memory
• The kernel-mode routines pointed to by the system service table are in kernel-protected memory
• User-mode code can't supply the code to be run in kernel mode, it can only select it (the service number is bounds-checked against the table)
• Arguments are copied to the kernel-mode stack before validation, so other threads in the process can't corrupt the arguments “out from under” the service (this protects the argument list itself; buffers the arguments point to must still be probed and captured by the service routine before use)
19
Calling Windows Kernel from User Mode
• Representation of Windows kernel functions in the NTDLL.DLL user-mode library
• User-mode stubs have the same function names and arguments as the kernel-mode routines they invoke
• Example: NtWriteFile in NTDLL.DLL invokes NtWriteFile in NTOSKRNL.EXE
• Some counterexamples exist (e.g. NtQuerySystemInformation)
• Used by the subsystem DLLs
• Other function families in NTDLL.DLL, identifiable by their name prefix
• Image loader (“Ldr”), debug infrastructure (“Dbg”), CSRSS support routines (“Csr”), run-time library routines (“Rtl”), tracing routines (“Etw”)
20
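The following PowerShell script is an added example, not part of the lecture slides, that makes slides 18 to 20 concrete: it resolves the NtWriteFile stub in NTDLL.DLL, reads the instruction bytes that load the system service number into EAX right before the mode-change instruction, and shows that the Nt and Zw exports of NTDLL.DLL are aliases of one stub. It assumes a Windows process on x86 or x64 (ARM64 stubs look different) and that no user-mode hook has patched the stub; on a hooked system the prologue check fails, which is a useful tamper signal in its own right. The type name Demo.Loader and the functions Get-NtdllExport, Get-SyscallNumber and Get-NtdllStubInfo are the example's own.

```powershell
# Added example (not from the lecture slides). Windows PowerShell 5.1 or PowerShell 7
# on Windows; x86 or x64 only.
Add-Type -Namespace Demo -Name Loader -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

function Get-NtdllExport([string]$Name) {
    # NTDLL.DLL is mapped into every process, so GetModuleHandle never has to load it.
    $ntdll = [Demo.Loader]::GetModuleHandle('ntdll.dll')
    $addr  = [Demo.Loader]::GetProcAddress($ntdll, $Name)
    if ($addr -eq [IntPtr]::Zero) { throw "ntdll!$Name is not exported on this build" }
    return $addr
}

function Get-SyscallNumber([string]$Name) {
    # Read the first bytes of the user-mode stub. On x64 the stub begins with
    #   4C 8B D1        mov r10, rcx
    #   B8 xx xx xx xx  mov eax, <system service number>
    # and 32-bit NTDLL begins with
    #   B8 xx xx xx xx  mov eax, <system service number>
    # followed, a few bytes later, by SYSCALL, SYSENTER or INT 2E.
    $addr  = Get-NtdllExport $Name
    $bytes = New-Object byte[] 8
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $bytes, 0, $bytes.Length)
    if ([IntPtr]::Size -eq 8) {
        $ok  = ($bytes[0] -eq 0x4C -and $bytes[1] -eq 0x8B -and $bytes[2] -eq 0xD1 -and $bytes[3] -eq 0xB8)
        $ssn = [BitConverter]::ToUInt32($bytes, 4)
    } else {
        $ok  = ($bytes[0] -eq 0xB8)
        $ssn = [BitConverter]::ToUInt32($bytes, 1)
    }
    if (-not $ok) {
        # A different prologue means this is not the stub NTDLL shipped with:
        # typically an inline hook (EDR or malware), or an unsupported architecture.
        $hex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
        throw "ntdll!$Name has an unexpected prologue ($hex): hooked, or unsupported CPU?"
    }
    return $ssn
}

function Get-NtdllStubInfo([string[]]$Functions) {
    foreach ($f in $Functions) {
        $nt = Get-NtdllExport "Nt$f"
        $zw = Get-NtdllExport "Zw$f"
        [pscustomobject]@{
            Function      = "Nt$f"
            StubAddress   = ('0x{0:X}' -f $nt.ToInt64())
            ZwIsSameStub  = ($nt -eq $zw)   # Nt* and Zw* exports point at the same stub in NTDLL
            ServiceNumber = Get-SyscallNumber "Nt$f"
        }
    }
}

# Service numbers differ between Windows builds, which is why no program should hard-code them.
Get-NtdllStubInfo @('WriteFile', 'ReadFile', 'CreateFile', 'QuerySystemInformation') | Format-Table -AutoSize
```

The numbers printed are the indices into the system service dispatch table described on slide 18; comparing them across two Windows builds shows why Microsoft only supports the documented Windows API and the NTDLL stubs, never the raw numbers.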
Windows Subsystem Call
21
Example: Invoking a Windows Kernel API (call diagram, flattened)
• Windows application: call WriteFile(…)
• WriteFile in Kernel32.dll (Windows-specific): call NtWriteFile; return to caller
• NtWriteFile in NtDll.dll (used by all subsystems): Int 2E or SYSCALL or SYSENTER (software interrupt) at the user/kernel (U/K) boundary; return to caller
• KiSystemService in NtosKrnl.exe: call NtWriteFile; dismiss interrupt
• NtWriteFile in NtosKrnl.exe: do the operation; return to caller
Windows Subsystem GDI Call
22
Invoking (most) User and GDI Services (call diagram, flattened)
• Application: call User or GDI service(…)
• Gdi32.dll or User32.dll (Windows-specific): Int 2E (software interrupt) at the user/kernel (U/K) boundary; return to caller
• KiSystemService in NtosKrnl.exe: call the Windows routine; dismiss interrupt
• Service entry point in Win32K.sys: do the operation; return to caller
Key Windows System Files
23
• Core components
• NTOSKRNL.EXE (executive and kernel)
• HAL.DLL (hardware abstraction layer)
• NTDLL.DLL (dispatch stubs to the executive system services)
• Core system processes
• SMSS.EXE (session manager process)
• WINLOGON.EXE (logon process)
• SERVICES.EXE (service controller process)
• LSASS.EXE (local security authority subsystem)
• Windows subsystem
• CSRSS.EXE (Windows subsystem process)
• WIN32K.SYS (User and GDI kernel components)
• KERNEL32.DLL, USER32.DLL, GDI32.DLL (Windows subsystem DLLs)
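The driver slides above point at driverquery /v, the HAL slide asks which HAL a machine runs, and this slide lists the key system files by name. As an added example, not part of the lecture, the following PowerShell script turns those lists into a check a defender would actually run: it enumerates the running kernel-mode drivers through the Win32_SystemDriver WMI class, verifies the Authenticode signature of each driver image and of the core system files named above, and reports which HAL variant hal.dll's version resource identifies. It assumes Windows 8 / Server 2012 or later and an elevated shell; Resolve-KernelPath, Get-ImageSignature, Get-RunningDriverSignatures and Get-CoreImageSignatures are names chosen for this example. Get-AuthenticodeSignature reports only the signature it can find for a file (embedded, or on current Windows versions via the system catalogs), so a NotSigned result on an in-box driver is a prompt for a catalog lookup, not proof of tampering.

```powershell
# Added example (not from the lecture slides). Run from an elevated PowerShell on
# Windows 8 / Server 2012 or later; all function names are this example's own.
#Requires -RunAsAdministrator

# Win32_SystemDriver.PathName reports kernel-style paths (\SystemRoot\..., \??\C:\...)
# or a path relative to the Windows directory; convert them to Win32 paths first.
function Resolve-KernelPath([string]$PathName) {
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ImageSignature([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Signer = ''; Version = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Version = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    }
}

function Get-RunningDriverSignatures {
    # Only drivers whose service is currently running, i.e. code that is in kernel mode right now.
    Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' | ForEach-Object {
        $path = Resolve-KernelPath $_.PathName
        $sig  = if ($path) { Get-ImageSignature $path } else { $null }
        [pscustomobject]@{
            Driver    = $_.Name
            StartMode = $_.StartMode
            Path      = $path
            Status    = if ($sig) { $sig.Status } else { 'NoPath' }
            Signer    = if ($sig) { $sig.Signer } else { '' }
        }
    }
}

function Get-CoreImageSignatures {
    # The key system files from the slide, plus the HAL variant that was installed.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $core  = 'ntoskrnl.exe', 'hal.dll', 'ntdll.dll', 'smss.exe', 'winlogon.exe', 'services.exe',
             'lsass.exe', 'csrss.exe', 'win32k.sys', 'kernel32.dll', 'user32.dll', 'gdi32.dll'
    foreach ($name in $core) {
        $info    = Get-ImageSignature (Join-Path $sys32 $name)
        $variant = ''
        if ($name -eq 'hal.dll' -and $info.Status -ne 'FileNotFound') {
            # The version resource names the HAL build that setup or boot selected,
            # e.g. halacpi.dll / halmacpi.dll on 32-bit systems, hal.dll on x64.
            $variant = (Get-Item -LiteralPath $info.Path).VersionInfo.OriginalFilename
        }
        $info | Add-Member -NotePropertyName HalVariant -NotePropertyValue $variant -PassThru
    }
}

# Anything that is not Valid and signed by Microsoft deserves a closer look.
Get-CoreImageSignatures | Format-Table Path, Status, Signer, Version, HalVariant -AutoSize
Get-RunningDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Status, Driver | Format-Table -AutoSize
```

Third-party drivers that passed WHQL testing show a Microsoft countersignature in the Signer column; a running driver with HashMismatch, or with a signer nobody in the organization recognizes, is the case to investigate first, since a loaded .sys file runs with full kernel privileges.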
Compatibility - Windows API
• Originally named the Win32 API to distinguish it from the 16-bit Windows (Win16) API
• Thousands of Windows subsystem functions
• Base services, component services, user interface services, graphics and multimedia services, messaging and collaboration, networking, web services
• Most internal text strings are stored and processed as 16-bit (UTF-16) Unicode strings
• Windows API string functions typically come in two versions
• Unicode (wide) version: L“This string uses 16-bit characters“
• ANSI (narrow) version: “This string uses 8-bit characters“
• Windows 95/98/ME implemented the Windows API but almost none of the Unicode (wide) variants
• A property that distinguishes Windows from UNIX systems, whose system interfaces use byte strings
24
Windows API
• System resources are kernel objects referenced by a handle
• handle vs. UNIX file descriptors & PIDs
• Kernel objects can be manipulated only via a subsystem API
• Objects have security attributes
• Files, processes, threads, IPC pipes, memory mappings, events
• Windows API is rich & flexible
• Convenience functions often combine common sequences of function calls
• Function names are long and descriptive (as in VMS)
• WaitForSingleObject(), WaitForMultipleObjects()
• Windows API offers numerous synchronization and communication mechanisms
25
Windows Security
• Foundational concepts: objects and handles
• Objects are placeholders for (protected) system resources that may be shared
• Process, thread, file and event objects seen from user space are mapped onto executive objects
• Object services offer read/write access to object attributes
• All security and protection is based on NT executive objects
• Discretionary access control: the object's DACL grants or denies specific access rights (read, write, execute, ...) to users and groups
• Privileged access: an administrator may take ownership of files (a privilege, not a DACL entry)
• Windows API functions take handles to system “objects” as parameters
• The handle table lives in kernel address space and is unique per process; each entry stores the access mask that was granted
• The security (access) check is performed only when the handle is created, i.e. at object open time; later operations are checked against the handle's granted access mask, so a handle stays usable even if the object's DACL is tightened afterwards
26
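The last bullet is the security-relevant point of this slide and is worth seeing in action. The PowerShell function below is an added example rather than part of the lecture: it opens a file for reading, then adds a Deny-everything ACE for the current user to the file's DACL, and shows that the existing handle keeps reading while a fresh open is refused. It assumes a Windows system with a writable $env:TEMP; because the owner of an object implicitly keeps READ_CONTROL and WRITE_DAC, the script can remove the deny ACE again to clean up. Test-HandleAccessCheckAtOpen is the example's own name.

```powershell
# Added example (not from the lecture slides). Demonstrates that the access check
# happens when a handle is created, not on every use of the handle.
function Test-HandleAccessCheckAtOpen {
    $path = Join-Path $env:TEMP ('handle-demo-{0}.txt' -f [guid]::NewGuid())
    [System.IO.File]::WriteAllText($path, 'secret')        # constructed sample file
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Deny')
    $acl  = Get-Acl -LiteralPath $path

    # 1. Open the file. The security reference monitor evaluates the DACL now and records
    #    the granted access mask (FILE_READ_DATA, ...) in the process's handle table entry.
    $stream = [System.IO.File]::Open($path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        # 2. Deny ourselves everything on the object. Existing handles are not re-checked.
        $acl.AddAccessRule($deny)
        Set-Acl -LiteralPath $path -AclObject $acl

        # 3. Reading through the already-open handle still succeeds: only the handle's
        #    granted access mask is consulted for this operation.
        $buf  = New-Object byte[] 6
        $read = $stream.Read($buf, 0, $buf.Length)
        $existingHandleWorks = ($read -eq 6 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq 'secret')

        # 4. A new open triggers a fresh access check against the tightened DACL and fails.
        $newOpenDenied = $false
        try {
            [System.IO.File]::OpenRead($path).Dispose()
        } catch {
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap the PowerShell method-invocation wrapper
            $newOpenDenied = ($ex -is [System.UnauthorizedAccessException])
        }
    } finally {
        $stream.Dispose()
        # The owner implicitly keeps READ_CONTROL and WRITE_DAC, so the deny ACE can be removed again.
        $acl.RemoveAccessRule($deny) | Out-Null
        Set-Acl -LiteralPath $path -AclObject $acl
        Remove-Item -LiteralPath $path -Force
    }
    [pscustomobject]@{
        ExistingHandleStillReads = $existingHandleWorks   # expected: True
        NewOpenDenied            = $newOpenDenied         # expected: True
    }
}

Test-HandleAccessCheckAtOpen
```

The practical consequence for defenders: revoking access in a DACL does not cut off a process that already holds a handle; to stop it you have to close the handle (or the process), which is also why tools such as Process Explorer list open handles per process.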
Windows Architecture
27
[Figure: Windows Architecture (original copyright by Microsoft Corporation, used by permission). User mode: system processes (Session Manager, WinLogon, Services.exe, Service Control Mgr., LSASS), services (SvcHost.exe, WinMgt.exe, SpoolSv.exe), applications (Task Manager, Explorer, user applications), the environment subsystems (OS/2, Windows, POSIX) with their subsystem DLLs and Windows DLLs, and NTDLL.DLL at the bottom of user mode. Kernel mode: the System Service Dispatcher (kernel-mode callable interfaces); the executive components I/O Mgr, File System Cache, Object Mgr., Plug and Play Mgr., Power Mgr., Security Reference Monitor, Virtual Memory, Processes & Threads, Configuration Mgr. (registry) and Local Procedure Call; device and file system drivers; Windows USER/GDI with the graphics drivers; the Kernel; system threads; and the Hardware Abstraction Layer (HAL) above the hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.).]
Demos for Windows
• Spending time in user mode vs. kernel mode - mouse and window movements
• Applications vs. processes in task manager and SysInternals process explorer
• Determine the utilized HAL with device manager
• Using dependency walker with ntoskrnl.exe
• List of open handles (Process Explorer)
• Stack trace checking (Process Explorer)
• Suspending notepad
• Killing the Windows subsystem (csrss.exe)
• Killing security (lsass.exe)
• Minimal process set: Killing first smss.exe and then winlogon.exe
28