
WINDOWS FUNDAMENTALS

Contents

Windows Kernel Architecture
  Modes
  Components of Kernel
  Executive Services
Windows Booting Process
Windows Safe Boot Options
Windows File System
  FAT
    - Contiguous Memory Allocation
    - Linked Method
    - Indexed Method
  NTFS
    - NTFS Architecture
Windows Device Management
  Device Drivers
  Plug n Play Manager
  Power Manager
Windows Process Management
  Process
  Threads
Windows Memory Management
  Virtual Address Space
  Memory Pool
  File Mapping
  Page Faults

Copyright 2009 Appnomic Systems Pvt. Ltd. I Confidential | www.appnomic.com

Versions of Windows

Workstation Version:
  MS-DOS
  Windows 2.0
  Windows 3.0
  Windows 3.11
  Windows 95
  Windows 98
  Windows 98 2nd edition
  Windows ME
  Windows 2000
  Windows XP
  Windows Vista
  Windows 7

Server Version:
  Windows 3.51
  Windows NT-4
  Windows 2000 server
  Windows 2003 server
  Windows 2008 server
  Windows 2008 server R2


Windows Kernel Architecture


Windows Kernel Architecture


Windows NT Workstation is a 32-bit, multitasking operating system.
It uses an object model to provide user access to local and network resources such as files, directories, and printers.
To support interoperability with Microsoft, Novell, TCP/IP (Unix), and other types of networks, Windows NT is built on a modular design in which various objects or components perform specific tasks within the operating system environment.

Windows Kernel Architecture


Modes:
  User Mode
  Kernel Mode

User Mode:
  User Mode is defined as the applications and the subsystems which support the applications.
  In User Mode, processes run at a lower priority and are not allowed direct access to hardware.

Kernel Mode:
  Kernel Mode is defined as the protected area where the NT operating system runs.
  Processes running in this mode are high priority and have access to all of the computer's hardware and memory resources.

Components of Kernel:
  Microkernel
  The Hardware Abstraction Layer (HAL)
  Executive Services

Windows Kernel Architecture


Microkernel:
  The core of the operating system.
  It accesses hardware both directly and through the HAL, a layer of software that abstracts hardware-specific details such as I/O interfaces and interrupt controllers.
  Applications and device drivers make calls to HAL routines to determine hardware-specific information.

Hardware Abstraction Layer:
  The layer between the physical hardware of the computer and the rest of the operating system.
  The HAL includes hardware-specific code that controls I/O interfaces, interrupt controllers and multiple processors.

Windows Kernel Architecture


Executive Services:
  Executive Services coordinates the activities of the operating system, such as providing access to the local hard disk, memory, and printers, as well as to network resources.
  Each specific function is carried out by a software module called a Manager.

Functions of Executive Services:

  Service: NTOSKRNL.EXE
  Example: the Virtual Memory Manager maps virtual memory addresses used by applications into physical memory.

Windows Kernel Architecture


Object Types:
  Kernel Objects
  Executive Objects

Kernel Objects:
  Kernel objects manage resources such as physical devices, or services such as synchronization, which are required to implement any other type of OS service.

Executive Objects:
  Executive objects encapsulate one or more kernel objects and expose

Windows Kernel Architecture


Cache Controller:
  Co-ordinates with the Memory Manager, I/O Manager and I/O drivers to provide a common cache for regular file I/O.
  The Windows Cache Manager operates on file blocks.

Configuration Manager:
  Responsible for implementing the Windows Registry.

Input / Output Manager:
  It controls all input and output to the operating system, including application requests for local and network resources.

Components of I/O Manager:
  Multiple Universal Naming Convention (UNC) Provider (MUP)
  File System Drivers and Redirectors
  Transport Driver Interface (TDI)
  Transport Protocols
  Network Device Interface Specification (NDIS)
  Network Interface Card Drivers

Windows Kernel Architecture


Local Procedure Call (LPC):
  Provides inter-process communication ports with connection semantics.
  LPC ports are used by user-mode subsystems to communicate with their clients.

Memory Manager:
  Manages virtual memory, controlling memory protection and the paging of memory in and out of physical memory to secondary storage, and implements a general-purpose allocator of physical memory.

Process Structure:
  Handles process and thread creation and termination.
  It implements the concept of a Job, a group of processes that can be terminated as a whole, or be placed under shared restrictions.

PnP Manager:
  Handles Plug and Play.
  Supports device detection and installation at boot time.

Windows Kernel Architecture


Security Reference Monitor (SRM):
  The primary authority for enforcing the security rules of the security integral subsystem.
  It determines whether an object or resource can be accessed, via the use of access control lists (ACLs).

GDI (Graphics Device Interface):
  Responsible for tasks such as drawing lines and curves, rendering fonts and handling palettes.

Windows Fundamentals (Shell)

The Windows UI provides users with access to a wide variety of objects necessary for running applications and managing the operating system.
The Shell organizes the objects into a hierarchical namespace and provides users and applications with a consistent and efficient way to access and manage objects.

Logical Components of Windows Shell:

Section: Description
  Shell Classes: Describes select Windows Shell classes.
  Shell Interfaces: Describes the Windows Shell Component Object Model (COM) interfaces.
  Shell Functions: Describes the Windows Shell functions.
  Shell Callback Functions: Describes the Windows Shell callback function templates.
  Shell Constants, Enumerations, and Flags: Describes the Windows Shell constants, enumerations, and flags used in the Shell APIs.
  Shell Lightweight Utility Functions: Describes the Windows Shell lightweight utility functions provided in Shlwapi.dll.
  Shell Macros: Describes the Windows Shell utility macros.
  Shell Messages and Notifications: Describes the messages and notifications sent by elements of the Windows Shell.
  Shell Objects for Scripting and Microsoft Visual Basic: Describes the Windows objects implemented by the Shell for use in scripting and Microsoft Visual Basic.
  Shell Objects for C++: Describes the C++ Windows objects implemented by the Shell.
  Shell Properties: Describes the individual properties that can be set on files and folders in the Windows Shell.
  Shell Schemas: Describes library, property, and transfer manifest schemas used by the Windows Shell.
  Shell Structures: Describes the Windows Shell structures used in the Shell APIs.

Booting Process


Windows Boot Process


Windows Safe Boot Options

Safe Mode (SAFEBOOT_OPTION=Minimal):
  This option uses a minimal set of device drivers and services to start Windows.
Safe Mode with Networking (SAFEBOOT_OPTION=Network):
  This option uses a minimal set of device drivers and services to start Windows, together with the drivers that you must have to load networking.
Safe Mode with Command Prompt (SAFEBOOT_OPTION=Minimal(Alternate Shell)):
  This option is the same as Safe Mode, except that Cmd.exe starts instead of Windows Explorer.
  Safe Mode and Safe Mode with Networking load the Vga.sys driver instead.
Last Known Good Configuration:
  This option starts Windows by using the previous good configuration.
Directory Service Restore Mode:
  This mode is valid only for Windows-based domain controllers. This mode performs a directory service repair.

Windows Safe Boot Options

Enable Boot Logging:
  This option turns on logging when the computer is started with any of the Safe Boot options except Last Known Good Configuration. The boot logging text is recorded in the Ntbtlog.txt file in the %SystemRoot% folder.
Start Windows Normally:
  This option starts Windows in its normal mode.
Reboot:
  This option restarts the computer.
Return to OS Choices Menu:
  On a computer that is configured to start more than one operating system, this option returns to the Boot menu.

Windows File System

File System
  A file system is a method of storing and organizing computer files and the data they contain, to make it easy to find and access them.

Types of File System:
  FAT
  NTFS

FAT (File Allocation Table)
  A disk formatted with FAT is allocated in clusters, whose size is determined by the size of the volume.
  When a file is created, an entry is created in the directory and the first cluster number containing data is established.
  This entry in the FAT table either indicates that this is the last cluster of the file, or points to the next cluster.

Windows File System (FAT)

Open / Read Operations

Windows File System

Disk Allocation Methods

Contiguous allocation
  Each file occupies a set of consecutive addresses on disk.
  Each directory entry contains:
    File name
    Starting address of the first block
      Block address = sector id (e.g., block = 4K)
    Length in blocks
  Usual dynamic storage allocation problem:
    Use first fit, best fit, or worst fit algorithms to manage storage.
  If the file can increase in size, either:
    Leave no extra space, and copy the file elsewhere if it expands, or
    Leave extra space.

Windows File System

Linked allocation
  Each data block contains the block address of the next block in the file.
  Each directory entry contains:
    File name
    Block address: pointer to the first block
    A pointer to the last block
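The cluster-chain rule described under FAT and under linked allocation, as an added C example that is not part of the deck: it walks a small constructed FAT16 table, stops at the end-of-chain marker, and refuses to follow a circular, free or out-of-range link, which a recovery or forensic tool must do because the table itself can be corrupt. The FAT16 marker values are the standard ones; the sample table and the function names are constructed for this example.

```c
/* FAT16 cluster-chain walker over a constructed allocation table. Added
 * example, not code from the deck. A FAT16 entry holds one of:
 *   0x0000           free cluster
 *   0x0002..0xFFEF   number of the next cluster of the file
 *   0xFFF7           bad cluster
 *   0xFFF8..0xFFFF   end of chain: this is the file's last cluster */
#include <stddef.h>
#include <stdint.h>

#define FAT16_FREE     0x0000
#define FAT16_BAD      0xFFF7
#define FAT16_RESERVED 0xFFF0   /* 0xFFF0..0xFFF6 are reserved values */
#define FAT16_EOC_MIN  0xFFF8

enum fat_walk_status {
    FAT_OK = 0,        /* chain ended with an end-of-chain marker */
    FAT_BAD_START,     /* first cluster is reserved (0 or 1) or beyond the table */
    FAT_FREE_LINK,     /* chain runs into a free cluster: cross-linked or corrupt */
    FAT_BAD_CLUSTER,   /* chain runs into a bad-cluster marker */
    FAT_OUT_OF_RANGE,  /* next-cluster value is reserved or beyond the table */
    FAT_LOOP,          /* a cluster was seen twice: the chain is circular */
    FAT_TRUNCATED      /* caller's buffer filled before the chain ended */
};

/* Follows the chain starting at 'first' through 'fat' (n entries), storing up
 * to 'cap' cluster numbers in 'out' and the number stored in *count. A naive
 * walker spins forever on a circular chain, so visited clusters are tracked
 * in a bitmap sized for the largest possible FAT16 table (65536 entries). */
enum fat_walk_status fat16_walk_chain(const uint16_t *fat, size_t n, uint16_t first,
                                      uint16_t *out, size_t cap, size_t *count) {
    uint8_t visited[65536 / 8] = {0};
    uint16_t cur = first;
    *count = 0;
    if (first < 2 || first >= n) return FAT_BAD_START;
    for (;;) {
        if (visited[cur >> 3] & (1u << (cur & 7))) return FAT_LOOP;
        visited[cur >> 3] |= (uint8_t)(1u << (cur & 7));
        if (*count == cap) return FAT_TRUNCATED;
        out[(*count)++] = cur;
        uint16_t next = fat[cur];
        if (next >= FAT16_EOC_MIN) return FAT_OK;
        if (next == FAT16_BAD) return FAT_BAD_CLUSTER;
        if (next >= FAT16_RESERVED) return FAT_OUT_OF_RANGE;
        if (next == FAT16_FREE) return FAT_FREE_LINK;
        if (next < 2 || next >= n) return FAT_OUT_OF_RANGE;
        cur = next;
    }
}

/* Constructed 16-entry table: one file occupies clusters 2 -> 3 -> 5 (end),
 * while a corrupted entry makes cluster 7 point back at cluster 6. */
static const uint16_t SAMPLE_FAT[16] = {
    0xFFF8, 0xFFFF,                                   /* entries 0 and 1 are reserved */
    0x0003, 0x0005, 0x0000, 0xFFFF, 0x0007, 0x0006,
    0, 0, 0, 0, 0, 0, 0, 0
};
/* Walks the healthy file's chain from cluster 2; returns its last cluster (5)
 * or 0 if the walk did not end cleanly with exactly three clusters. */
uint16_t demo_last_cluster(void) {
    uint16_t out[8]; size_t count;
    if (fat16_walk_chain(SAMPLE_FAT, 16, 2, out, 8, &count) != FAT_OK) return 0;
    return count == 3 ? out[count - 1] : 0;
}
/* Walks the corrupted chain from cluster 6; returns 1 if the loop was caught. */
int demo_loop_detected(void) {
    uint16_t out[8]; size_t count;
    return fat16_walk_chain(SAMPLE_FAT, 16, 6, out, 8, &count) == FAT_LOOP;
}
```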

Windows File System (NTFS Architecture)

Component: Description
  Hard disk: Contains one or more partitions.
  Boot sector: Bootable partition that stores information about the layout of the volume and the file system structures, as well as the boot code that loads Ntldr.
  Master Boot Record: Contains executable code that the system BIOS loads into memory. The code scans the MBR to find the partition table to determine which partition is the active, or bootable, partition.
  Ntldr: Switches the CPU to protected mode, starts the file system, and then reads the contents of the Boot.ini file. This information determines the startup options and initial boot menu selections.
  Ntfs.sys: System file driver for NTFS.
  Ntoskrnl.exe: Extracts information about which system device drivers to load and the load order.
  Kernel mode: The processing mode that allows code to have direct access to all hardware and memory in the system.
  User mode: The processing mode in which applications run.

Windows File System

NTFS (New Technology File System)

Boot Sector:
  The boot sector consists of two sections and occupies the first sixteen sectors.
  The first section holds the BIOS parameter block, containing information on the layout of the volume and the structure of the file system, similar to what is laid out above for FAT.
  The boot code to load Windows resides in the second section.
Master File Table:
  The MFT consists of a series of 1KB records, one for each file in the partition.
  The first sixteen entries are reserved for the NTFS system files.

Windows File System

Master File Table:
  Record 0 is the MFT itself.
  The next ten include a change log file for system recovery, information about the volume, the index of the root folder and a bitmap showing cluster allocation information.
  The final five files are reserved for future use.
NTFS Attributes:
  Used to describe the records.

Resident Attributes:
  Contains 4 attributes

Windows File System

Resident Attributes:

Non-resident attributes are ones too large to fit in the MFT record.

Comparison of File Systems

1. FAT: Supported by DOS, OS/2, Windows 95, and Windows NT
   NTFS: Only supported under the NT OS
2. FAT: No local security available
   NTFS: Local security is available
3. FAT: Does not support NT file compression
   NTFS: Supports NT file compression
4. FAT: Can be converted to NTFS at any time
   NTFS: NTFS can never be converted to FAT. The only way to go from NTFS to FAT is to back up the data, reformat the partition as FAT, and then restore the data to the new FAT partition
5. FAT: Maximum partition size of 4GB
   NTFS: Maximum partition size of 16EB
6. FAT: Disk quotas are not possible
   NTFS: Disk quotas are possible

Windows Device Management

Device Drivers: Types
  Virtual Device Drivers
  Windows Subsystem printer drivers
  File system Drivers
  Plug n Play drivers
  Non-plug & Play drivers

Plug & Play Manager
  Recognizes Plug n Play devices
  Allocates hardware resources
  Loads appropriate drivers
  Detects hardware configuration changes

Windows Device Management

Power Manager
System Power State Definitions

State: Power Consumption | Software Resumption | Hardware Latency
  S0 (fully on): Maximum | Not applicable | None
  S1 (sleeping): Less than S0, more than S2 | System resumes where it left off (returns to S0) | Less than 2 seconds
  S2 (sleeping): Less than S1, more than S3 | System resumes where it left off (returns to S0) | 2 or more seconds
  S3 (sleeping): Less than S2; processor is off | System resumes where it left off (returns to S0) | Same as S2
  S4 (hibernating): Trickle current to power button and wake circuitry | System restarts from saved hibernate file and resumes where it left off prior to hibernation (returns to S0) | Long and undefined
  S5 (fully off): Trickle current to power button | System boot | Long and undefined

Windows Process Management

A process contains its own independent virtual address space with both code and data, protected from other processes.
A process contains one or more threads.
By creating and managing processes, applications can have multiple, concurrent tasks processing files, performing computations, or communicating with other networked systems.

Windows Processes and Threads:
  A Windows thread is the basic executable unit.
  Factors which govern the threads: availability of resources such as CPUs and physical memory, and priority.

Components of Windows Processes:
  One or more threads.
  A virtual address space that is distinct from other processes' address spaces.

Management Mechanisms - Registry

It is the repository for both system-wide and per-user settings.
Tools for Editing the Registry:
  Regedit.exe
  Regedt32.exe (not in Windows 2003)

HKEY_CURRENT_USER
  The HKCU root key contains data regarding the preferences and software configuration of the locally logged-on user.
HKEY_USERS
  HKU contains a subkey for each loaded user profile and user class registration database on the system. It also contains a subkey named
HKEY_CLASSES_ROOT
  HKCR consists of two types of information: file extension associations and COM class registrations.

Management Mechanisms - Registry

HKEY_LOCAL_MACHINE
  HKLM is the root key that contains all the system-wide configuration subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM.
  HKEY_CURRENT_CONFIG is just a link to the current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware
HKEY_CLASSES_ROOT
HKEY_PERFORMANCE_DATA
  The registry is the mechanism to access performance counter values on Windows, whether those are from operating system components or server applications.

Management Mechanisms - WMI

The APIs developed for Windows do not have a process for event or performance monitoring.
WMI is an implementation of Web-Based Enterprise Management (WBEM), a standard that the Distributed Management Task Force (DMTF, an industry consortium) defines.

Management Mechanisms - Services

Windows services consist of three components: a service application, a service control program (SCP), and the service control manager (SCM).

Service accounts and their group memberships:
  Local System: Everyone, Authenticated Users, Administrators
  Network Service: Service, Authenticated Users, Users, Local, Network Service
  Local Service: Everyone, Authenticated Users, Users, Local, Local Service, Service

Windows Memory Management

A process on 32-bit Microsoft Windows has its own virtual address space that enables addressing up to 4 gigabytes of memory.
On 64-bit Windows a process has a virtual address space of 8 terabytes. All threads of a process can access its virtual address space.

Virtual Address Space
  The virtual address space for a process is the set of virtual memory addresses that it can use.
  The address space for each process is private and cannot be accessed by other processes unless it is shared.

Memory Pools:
  The memory manager creates the following memory pools that the system uses to allocate memory.

Windows Memory Management

Memory pools are located in the region of the address space that is reserved for the system and mapped into the virtual address space of each process.
The nonpaged pool consists of virtual memory addresses that are guaranteed to reside in physical memory as long as the corresponding kernel objects are allocated.
The paged pool consists of virtual memory that can be paged in and out of the system.
The handles for kernel objects are stored in the paged pool, so the number of handles you can create is based on available memory.

Virtual Memory Functions:
  Reserve a range of a process's virtual address space. Reserving address space does not allocate any physical storage, but it prevents other allocation operations from using the specified range.
  Commit a range of reserved pages in a process's virtual address space so that physical storage (either in RAM or on disk) is accessible only to the allocating process.

Windows Memory Management

Virtual Memory Functions:
  Specify read/write, read-only, or no access for a range of committed pages.
  Free a range of reserved pages, making the range of virtual addresses available for subsequent allocation operations by the calling process.
  Decommit a range of committed pages, releasing their physical storage and making it available for subsequent allocation by any process.
  Lock one or more pages of committed memory into physical memory (RAM) so that the system cannot swap the pages out to the paging file.
  Obtain information about a range of pages in the virtual address space of the calling process or a specified process.
  Change the access protection for a specified range of committed pages in the virtual address space of the calling process or a specified process.
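The reserve, commit, protect, decommit and free operations listed on these two slides, as an added C example that is not from the deck. It uses the Win32 calls on Windows and, so that it also compiles and runs elsewhere, the equivalent mmap/mprotect/madvise/munmap steps on POSIX; the vm_* function names and the 0x5A marker byte are the example's own.

```c
/* Reserve -> commit -> protect -> decommit -> free: the lifecycle behind the
 * deck's "Virtual Memory Functions" list. Added example, not code from the deck.
 * Windows: VirtualAlloc / VirtualProtect / VirtualFree; POSIX: mmap / mprotect /
 * madvise / munmap, so the same block compiles and runs on either system. */
#define _DEFAULT_SOURCE
#ifdef _WIN32
#include <windows.h>
size_t vm_page_size(void) { SYSTEM_INFO si; GetSystemInfo(&si); return si.dwPageSize; }
#else
#include <sys/mman.h>
#include <unistd.h>
size_t vm_page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
#endif

/* Reserve address space only: nothing backs it yet, and touching it is the
 * "page that isn't committed" access violation from the page-fault table. */
void *vm_reserve(size_t len) {
#ifdef _WIN32
    return VirtualAlloc(NULL, len, MEM_RESERVE, PAGE_NOACCESS);
#else
    void *p = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}
/* Commit part of the reservation read/write; returns 0 on success. */
int vm_commit_rw(void *base, size_t off, size_t len) {
#ifdef _WIN32
    return VirtualAlloc((char *)base + off, len, MEM_COMMIT, PAGE_READWRITE) ? 0 : -1;
#else
    return mprotect((char *)base + off, len, PROT_READ | PROT_WRITE);
#endif
}
/* Make committed pages read-only: a later write would be an access violation. */
int vm_protect_ro(void *base, size_t off, size_t len) {
#ifdef _WIN32
    DWORD old; return VirtualProtect((char *)base + off, len, PAGE_READONLY, &old) ? 0 : -1;
#else
    return mprotect((char *)base + off, len, PROT_READ);
#endif
}
/* Decommit: release the physical storage but keep the address range reserved. */
int vm_decommit(void *base, size_t off, size_t len) {
#ifdef _WIN32
    return VirtualFree((char *)base + off, len, MEM_DECOMMIT) ? 0 : -1;
#else
    if (madvise((char *)base + off, len, MADV_DONTNEED) != 0) return -1;
    return mprotect((char *)base + off, len, PROT_NONE);
#endif
}
/* Free the whole reservation so the addresses can be allocated again. */
int vm_free(void *base, size_t len) {
#ifdef _WIN32
    (void)len; return VirtualFree(base, 0, MEM_RELEASE) ? 0 : -1;
#else
    return munmap(base, len);
#endif
}
/* Runs the lifecycle on a four-page reservation, committing only page 1;
 * returns the byte read back from it (0x5A) or -1 if any step failed. */
int vm_lifecycle_demo(void) {
    size_t pg = vm_page_size();
    unsigned char *base = vm_reserve(4 * pg);
    if (!base || vm_commit_rw(base, pg, pg) != 0) return -1;
    base[pg] = 0x5A;        /* page 0 is still only reserved: touching it would fault */
    if (vm_protect_ro(base, pg, pg) != 0) return -1;
    int seen = base[pg];    /* reading a read-only page is still allowed */
    if (vm_decommit(base, pg, pg) != 0 || vm_free(base, 4 * pg) != 0) return -1;
    return seen;
}
```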

Windows Memory Management

File Mapping
  It is the association of a file's contents with a portion of the virtual address space of a process.
  The system creates a file mapping object (also known as a section object) to maintain this association.
  A file view is the portion of virtual address space that a process uses to access the file's contents.
Advantages of File Mapping:
  File mapping allows the process to use both random input and output (I/O) and sequential I/O.
  It also allows the process to work efficiently with a large data file, such as a database, without having to map the whole file into memory.
  Multiple processes can also use memory-mapped files to share data.
  The use of file mapping improves efficiency because the file resides on disk, but the file view resides in memory.
  Processes can also manipulate the file view with the VirtualProtect function.

Windows Memory Management

File Mapping:

Windows Memory Management

The file on disk can be any file that we want to map into memory, or it can be the system page file.
The file mapping object can consist of all or only part of the file. It is backed by the file on disk.
When the system swaps out pages of the file mapping object, any changes made to the file mapping object are written to the file.
When the pages of the file mapping object are swapped back in, they are restored from the file.
A file view can consist of all or only part of the file mapping object.
A process manipulates the file through the file views. A process can create multiple views for a file mapping object.
The file views created by each process reside in the virtual address space of that process.
When the process needs data from a portion of the file other than what is in the current file view, it can unmap the current file view, then create a new file view.
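The file mapping object and file view described above, as an added C example that is not from the deck: it writes a constructed scratch file, edits it through a mapped view, and re-reads the file with ordinary I/O to show that a change made through the view reached the file on disk. It uses the Win32 calls on Windows and mmap/msync on POSIX; the scratch file name and the function names are the example's own.

```c
/* Editing a file through a mapped view and confirming the change reached the
 * file on disk. Added example, not code from the deck. Windows: CreateFile,
 * CreateFileMapping (the section object) and MapViewOfFile; POSIX: open,
 * mmap(MAP_SHARED) and msync, so the same block runs on either system. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>
#endif
#define VIEW_LEN 64   /* bytes of the file covered by the view */

/* Maps the first VIEW_LEN bytes of 'path' for writing, lets 'edit' change the
 * view, then flushes and unmaps it. Returns 0 on success, -1 on failure. */
int edit_through_view(const char *path, void (*edit)(char *view, size_t len)) {
    int rc = -1;
#ifdef _WIN32
    HANDLE f = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (f == INVALID_HANDLE_VALUE) return -1;
    HANDLE sec = CreateFileMappingA(f, NULL, PAGE_READWRITE, 0, VIEW_LEN, NULL);
    char *view = sec ? (char *)MapViewOfFile(sec, FILE_MAP_WRITE, 0, 0, VIEW_LEN) : NULL;
    if (view) {
        edit(view, VIEW_LEN);
        FlushViewOfFile(view, VIEW_LEN);   /* push the dirty view pages to the file now */
        UnmapViewOfFile(view);
        rc = 0;
    }
    if (sec) CloseHandle(sec);
    CloseHandle(f);
#else
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    char *view = mmap(NULL, VIEW_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (view != MAP_FAILED) {
        edit(view, VIEW_LEN);
        msync(view, VIEW_LEN, MS_SYNC);    /* push the dirty view pages to the file now */
        munmap(view, VIEW_LEN);
        rc = 0;
    }
    close(fd);
#endif
    return rc;
}
/* The edit applied through the view: upper-case the first word. */
void upcase_first_word(char *view, size_t len) {
    for (size_t i = 0; i < len && view[i] != ' ' && view[i] != '\0'; i++)
        if (view[i] >= 'a' && view[i] <= 'z') view[i] -= 'a' - 'A';
}
/* Writes a constructed scratch file, edits it through a view, re-reads it with
 * ordinary file I/O and deletes it. Returns 1 if the edit is in the file. */
int demo_view_write_reaches_file(void) {
    const char *path = "mapping_demo.tmp";   /* constructed scratch file in cwd */
    char buf[VIEW_LEN] = "hello section objects";
    FILE *fp = fopen(path, "wb");
    if (!fp) return 0;
    size_t n = fwrite(buf, 1, VIEW_LEN, fp);
    fclose(fp);
    int ok = n == VIEW_LEN && edit_through_view(path, upcase_first_word) == 0;
    fp = fopen(path, "rb");
    if (!fp) return 0;
    ok = ok && fread(buf, 1, VIEW_LEN, fp) == VIEW_LEN;
    fclose(fp);
    remove(path);
    return ok && strcmp(buf, "HELLO section objects") == 0;
}
```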

Page Fault
A reference to an invalid page is called a page fault.

Reasons for Access Fault

Reason for Fault: Result
  Accessing a page that isn't resident in memory but is on disk in a page file or a mapped file: Allocate a physical page, and read the desired page from disk and into the working set
  Accessing a page that is on the standby or modified list: Transition the page to the process or system working set
  Accessing a page that isn't committed (for example, reserved address space or address space that isn't allocated): Access violation
  Accessing a page from user mode that can be accessed only in kernel mode: Access violation
  Writing to a page that is read-only: Access violation

THANK YOU
