
Operating Systems

Windows Kernel - I

Version: April 2013. Keywords: Windows, Kernel, Executive, Process, System, Threads

Copyright Notice
Copyright 2000-2005 David A. Solomon and Mark Russinovich

These materials are part of the Windows Operating System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. Russinovich with Andreas Polze. Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic environments (and not for commercial use).

Simplified OS Architecture

(Diagram.) User mode: system support processes, service processes, user applications and environment subsystems, all entering the OS through the subsystem DLLs. Kernel mode: the executive, the kernel, device drivers and the windowing and graphics component, layered over the Hardware Abstraction Layer (HAL).

OS Architecture
- Multiple-personality OS design
  - user applications don't call the native Windows operating system services directly
  - the role of the subsystem DLLs is to translate a documented function into the appropriate internal (and undocumented) Windows system service calls
- Environment subsystem processes
  - manage client processes in their world
  - impose semantics such as process model, security
- Originally three environment subsystems: Windows, POSIX, and OS/2
  - Windows 2000 only included Windows and POSIX; Windows XP only includes Windows
  - enhanced POSIX subsystem available with Services for Unix, included with Windows Server 2003 R2

Kernel-Mode Components: Core OS
- Executive
  - base operating system services: memory management, process and thread management, security, I/O, interprocess communication
- Kernel
  - low-level operating system functions: thread scheduling, interrupt and exception dispatching, multiprocessor synchronization
  - provides a set of routines and basic objects that the rest of the executive uses to implement higher-level constructs
- Both contained in the file Ntoskrnl.exe

Kernel-Mode Components: Drivers
- Device drivers (*.sys)
  - hardware device drivers translate user I/O function calls into specific hardware device I/O requests
  - virtual devices: system volumes and network protocols
- Windowing and graphics driver (Win32k.sys)
  - graphical user interface (GUI) functions (USER and GDI): windows, user interface controls, and drawing
- Hardware Abstraction Layer (Hal.dll)
  - isolates the kernel, device drivers, and executive from hardware
  - hides platform-specific hardware differences (motherboards)

Background System Processes
- Core system processes
  - logon process, the session manager, etc.
  - not started by the service control manager
- Service processes
  - host Windows services, e.g. the Task Scheduler and Spooler services
  - many Windows server applications, such as Microsoft SQL Server and Microsoft Exchange Server, also include components that run as services

Portability
- When Windows NT was designed, there was no dominant processor architecture
- Therefore it was designed to be portable
- How achieved?
  - most Windows OS code and device drivers are written in C
  - HAL and kernel contain some assembly language
  - some components are written in C++: the windowing/graphics subsystem driver, the volume manager
  - hardware-specific code is isolated in low-level layers of the OS (such as the kernel and the HAL), which provide a portable interface
- NT 4.0 had support for x86, MIPS, PowerPC, Digital Alpha AXP
  - PowerPC and MIPS dropped soon after the NT 4 release; Alpha AXP dropped in 1999 (supported through SP6)

Key Windows System Files

Core OS components:
  NTOSKRNL.EXE**             Executive and kernel
  HAL.DLL                    Hardware abstraction layer
  NTDLL.DLL                  Internal support functions and system service dispatch stubs to executive functions

Core system processes:
  SMSS.EXE                   Session manager process
  WINLOGON.EXE               Logon process
  SERVICES.EXE               Service controller process
  LSASS.EXE                  Local Security Authority Subsystem

Windowing subsystem:
  CSRSS.EXE*                 Windows subsystem process
  WIN32K.SYS                 USER and GDI kernel-mode components
  KERNEL32/USER32/GDI32.DLL  Windows subsystem DLLs

Key System Components

(Diagram.) User mode: a user application calls into its subsystem DLL; the environment subsystems (OS/2, Windows, POSIX) and the system and service processes run alongside it. Kernel mode: the executive and kernel, device drivers, the Windows USER/GDI device driver, and the Hardware Abstraction Layer (HAL).

Multiple OS Personalities
- Windows was designed to support multiple personalities, called environment subsystems
  - programming interface, file system syntax, process semantics
- Environment subsystems provide the exposed, documented interface between application and Windows native API
  - each subsystem defines a different set of APIs and semantics
  - subsystems implement these by invoking native APIs
  - example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile
- .exes and .dlls you write are associated with a subsystem
  - specified by the LINK /SUBSYSTEM option
  - cannot mix calls between subsystems

App calls Subsystem
1. Function is entirely implemented in user mode
   - no message sent to the environment subsystem process, no Windows executive system service called
   - examples: PtInRect(), IsRectEmpty()
2. Function requires one or more calls to the Windows executive
   - examples: Windows ReadFile() / WriteFile() implemented using the I/O system services NtReadFile() / NtWriteFile()
3. Function requires some work in the environment subsystem process (to maintain the state of the client app)
   - client/server request (message) to the environment subsystem (LPC facility)
   - subsystem DLL waits for the reply before returning to the caller
- Combinations of 2 and 3: CreateProcess() / CreateThread()

Windows Architecture

(Diagram.) User mode: system processes (Session Manager, WinLogon, LSASS, Service Control Manager / Services.Exe), service processes (SvcHost.Exe, WinMgt.Exe, SpoolSv.Exe), applications (Task Manager, Explorer, user applications) and the environment subsystems (Windows, POSIX, OS/2) with their subsystem DLLs, all calling into NTDLL.DLL. Kernel mode: the System Service Dispatcher (kernel-mode callable interfaces) fronting the executive components (I/O Manager, Configuration Manager (registry), Processes & Threads, Local Procedure Call, Security Reference Monitor, Plug and Play Manager, Virtual Memory, File System Cache, Object Manager, Power Manager, Windows USER/GDI), device and file system drivers, graphics drivers, system threads, the kernel, and the Hardware Abstraction Layer (HAL) over the hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.).
Original copyright by Microsoft Corporation. Used by permission.

Microkernel OS?
- Is Windows a microkernel-based OS?
  - No, not using the academic definition (OS components and drivers run in their own private address spaces, layered on a primitive microkernel)
  - All kernel components live in a common shared address space
  - Therefore no protection between OS and drivers
- Why not a pure microkernel?
  - Performance: separate address spaces would mean context switching to call basic OS services
  - Most other commercial OSs (Unix, Linux, VMS etc.) have the same design
- But it does have some attributes of a microkernel OS
  - OS personalities running in user space as separate processes
  - Kernel-mode components don't reach into one another's data structures; they use formal interfaces to pass parameters and access and/or modify data structures
- Therefore the term "modified microkernel"

Executive
- Upper layer of the operating system
- Provides generic operating system functions (services): Process Manager, Object Manager, Cache Manager, LPC (local procedure call) facility, Configuration Manager, Memory Manager, Security Reference Monitor, I/O Manager, Power Manager, Plug-and-Play Manager
- Almost completely portable C code
- Runs in kernel (privileged, ring 0) mode
- Most interfaces to executive services are not documented

Kernel
- Lower layers of the operating system
- Implements processor-dependent functions (x86 vs. Itanium etc.)
- Also implements many processor-independent functions that are closely associated with processor-dependent functions
- Main services
  - thread waiting, scheduling & context switching
  - exception and interrupt dispatching
  - operating system synchronization primitives (different for MP vs. UP)
  - a few of these are exposed to user mode
- Not a classic microkernel: shares the address space with the rest of the kernel-mode components

HAL - Hardware Abstraction Layer
- Responsible for a small part of hardware abstraction
  - components on the motherboard not handled by drivers
  - system timers, cache coherency and flushing, SMP support, hardware interrupt priorities
- Subroutine library for the kernel & device drivers
  - isolates the kernel and executive from platform-specific details
  - presents a uniform model of the I/O hardware interface to drivers
- Reduced role as of Windows 2000
  - bus support moved to bus drivers
  - majority of HALs are vendor-independent
- HAL also implements some functions that appear to be in the executive and kernel
- Selected at installation time
  - see \windows\repair\setup.log to find out which one
  - can select manually at boot time with /HAL= in boot.ini
- Sample HAL routines: HalGetInterruptVector, HalGetAdapter, WRITE_PORT_UCHAR
- HAL kit
  - special kit only for vendors that must write custom HALs (requires approval from Microsoft); see http://www.microsoft.com/whdc/ddk/HALkit/default.mspx

Kernel-Mode Device Drivers
- Separate loadable modules (drivername.SYS)
  - linked like .EXEs; typically linked against NTOSKRNL.EXE and HAL.DLL
  - only one version of each driver binary for both uniprocessor (UP) and multiprocessor (MP) systems, but drivers call routines in the kernel that behave differently for UP vs. MP versions
- Defined in the registry
  - same area as Windows services (to be discussed), differentiated by the Type value
- Several types: ordinary, file system, NDIS miniport, SCSI miniport (linked against port drivers), bus drivers
  - more information in the I/O subsystem section
- To view loaded drivers, run drivers.exe
  - also see the list at the end of the output from pstat.exe, which includes the addresses of each driver
- To update & control:
  - System Properties -> Hardware tab -> Device Manager
  - Computer Management -> Software Environment -> Drivers

System Threads
- Functions in the OS and some drivers that need to run as real threads
  - e.g., need to run concurrently with other system activity, wait on timers, perform background housekeeping work
  - always run in kernel mode
  - preemptible, unless they raise IRQL to DISPATCH_LEVEL (2) or above
  - for details, see the DDK documentation on PsCreateSystemThread
- What process do they appear in?
  - the System process (NT4: PID 2, W2K: PID 8, XP: PID 4)
  - in Windows 2000 & later, windowing system threads (from Win32k.sys) appear in csrss.exe (the Windows subsystem process)


Examples of System Threads
- Memory Manager
  - Modified Page Writer for mapped files
  - Modified Page Writer for paging files
  - Balance Set Manager
  - Swapper (kernel stack, working sets)
  - Zero page thread (thread 0, priority 0)
- Security Reference Monitor
  - Command Server Thread
- Network
  - Redirector and Server worker threads
- Threads created by drivers for their exclusive use
  - examples: floppy driver, parallel port driver
- Pool of executive worker threads
  - used by drivers, file systems, etc.
  - work is queued using ExQueueWorkItem
  - a system thread (ExpWorkerThreadBalanceManager) manages the pool

Identifying System Threads: Process Explorer
- With Process Explorer: double-click the System process, go to the Threads tab, sort by CPU time
  - as explained before, threads that run between clock ticks (or at high IRQL) are not charged CPU time and thus don't appear to run
  - sort by the context switch delta column instead


Process-Based Code
- OS components that run in separate executables (.exes), in their own processes
  - started by the system
  - not tied to a user logon
- Three types:
  - environment subsystems (already described)
  - system startup processes (note: "system startup processes" is not an official MS-defined name)
  - Windows services
- Let's examine the system process tree
  - use Tlist /T or Process Explorer

Process-Based Windows Code: System Startup Processes

The first two "processes" aren't real processes:
- not running a user-mode .EXE; no user-mode address space
- different utilities report them with different names
- data structures for these processes (and their initial threads) are pre-created in NtosKrnl.Exe and loaded along with the code

(Idle) - process id 0
- part of the loaded system image
- home for the idle thread(s) (not a real process nor real threads)
- called "System Process" in many displays

(System) - process id 2 (8 in Windows 2000; 4 in XP)
- part of the loaded system image
- home for kernel-defined threads (not a real process)
- thread 0 (routine name Phase1Initialization) launches the first real process, running smss.exe, and then becomes the zero page thread

Process-Based Windows Code: System Startup Processes (cont.)

smss.exe - Session Manager
- the first created process
- takes parameters from \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
- launches the required subsystems (csrss) and then winlogon

csrss.exe - Windows subsystem

winlogon.exe - Logon process
- launches services.exe & lsass.exe; presents the first login prompt
- when someone logs in, launches the apps listed in \Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Userinit

services.exe - Service Controller; also home for many Windows-supplied services
- starts processes for services not part of services.exe (driven by \Registry\Machine\System\CurrentControlSet\Services)

lsass.exe - Local Security Authentication Server

userinit.exe - started after logon; starts Explorer.exe (see \Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell) and exits (hence Explorer appears to be an orphan)

explorer.exe - it and its children are the creators of all interactive apps

Objects and Handles
- Many Windows APIs take arguments that are handles to system-defined data structures, or objects
  - app calls CreateXxx, which creates an object and returns a handle to it
  - app then uses the handle value in API calls that operate on that object
- Three types of Windows objects (and therefore handles):
  - Windows kernel objects (events, mutexes, files, processes, threads, etc.)
    - objects are managed by the Windows Object Manager, and represent data structures in system address space
    - handle values are private to each process
  - Windows GDI objects (pens, brushes, fonts, etc.)
    - objects are managed by the Windows subsystem
    - handle values are valid system-wide / session-wide
  - Windows User objects (windows, menus, etc.)
    - objects are managed by the Windows subsystem
    - handle values are valid system-wide / session-wide


Handles and Security
- Process handle table
  - is unique for each process
  - but is in system address space, hence cannot be modified from user mode
  - hence, is trusted
- Security checks are made when the handle table entry is created
  - i.e. at CreateXxx time
  - the handle table entry records the validated access rights to the object: Read, Write, Delete, Terminate, etc.
- APIs that take an already-opened handle look in the handle table entry before performing the function
  - for example: TerminateProcess checks whether the handle was opened for Terminate access
  - no need to check the file ACL, the process or thread access token, etc., on every write request; the checking is done at file handle creation, i.e. file open, time

Handles, Pointers, and Objects

(Diagram: an index into process A's handle table selects an entry that points at an event object in system space, shown with HandleCount = 1 and ReferenceCount = 1; process B has its own, separate handle table.)
- A handle to a kernel object is an index into the process handle table, and hence is invalid in any other process
- The handle table entry contains the system-space address (8xxxxxxx or above on 32-bit x86) of the data structure; this address is the same regardless of process context
- Although the handle table is per-process, it is actually in system address space (hence protected)


Object Manager
- Executive component for managing system-defined objects
  - objects are data structures with optional names
  - objects managed here include Windows kernel objects, but not Windows User or GDI objects
  - the object manager implements user-mode handles and the process handle table
- The object manager is not used for all Windows data structures
  - generally, only those types that need to be shared, named, or exported to user mode
  - some data structures are called objects but are not managed by the object manager (e.g. DPC objects)
- In part, a heap manager
  - allocates memory for the data structure from system-wide, kernel-space heaps (pageable or nonpageable)
- with a few extra functions:
  - assigns a name to the data structure (optional)
  - allows lookup by name
  - objects can be protected by ACL-based security
  - provides a uniform naming, sharing, and protection scheme; simplifies C2 security certification by centralizing all object protection in one place
- Maintains counts of handles and references (stored pointers in kernel space) to each object
  - an object cannot be freed back to the heap until all handles and references are gone
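The open-time check and the per-process handle index described under Handles and Security, together with the handle and reference counts just above, as an added example that is not part of the original slides: a C model of a handle table (not NT source) in which ob_open() is the only place rights are validated, ob_reference_by_handle() consults nothing but the entry, and an object is freed only when both its handle count and its reference count reach zero. The access-right names, the `allowed` masks that stand in for the ACL/token decision, and the process and object names are assumptions of the example.

```c
#include <stdio.h>

/* Model of the per-process handle table described above (added example, not NT
 * source). Each entry holds a system-space object pointer plus the access rights
 * validated when the handle was created; later calls consult only that entry. The
 * right names and the 'allowed' masks are stand-ins for the ACL/token evaluation. */

#define ACCESS_QUERY     0x0001u
#define ACCESS_TERMINATE 0x0004u
#define MAX_HANDLES      16
#define HANDLE_INVALID   (-1)

typedef struct {
    char name[32];
    int handle_count;     /* open handles, summed over all processes */
    int reference_count;  /* kernel pointer references; each handle holds one */
    int terminated, freed;
} Object;

typedef struct { Object *object; unsigned granted_access; } HandleEntry;
typedef struct { HandleEntry table[MAX_HANDLES]; } Process;  /* lives in system space */

/* Drop a kernel reference; the object is freed only when no handles or references remain. */
void ob_dereference(Object *o)
{
    if (--o->reference_count == 0 && o->handle_count == 0) o->freed = 1;
}

/* Open: the only point where the security check happens. 'allowed' stands for what
 * the ACL grants the caller's token. Returns an index into p's table. */
int ob_open(Process *p, Object *o, unsigned desired, unsigned allowed)
{
    if (desired & ~allowed) return HANDLE_INVALID;       /* access denied at open time */
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (p->table[i].object == NULL) {
            p->table[i].object = o;
            p->table[i].granted_access = desired;
            o->handle_count++;
            o->reference_count++;
            return i;
        }
    }
    return HANDLE_INVALID;                               /* table full */
}

/* Translate a handle in p's context; check only the rights recorded at open time. */
Object *ob_reference_by_handle(Process *p, int h, unsigned required)
{
    if (h < 0 || h >= MAX_HANDLES || p->table[h].object == NULL) return NULL;  /* invalid handle */
    if ((p->table[h].granted_access & required) != required) return NULL;      /* missing right */
    return p->table[h].object;
}

int ob_close(Process *p, int h)
{
    if (h < 0 || h >= MAX_HANDLES || p->table[h].object == NULL) return 0;
    Object *o = p->table[h].object;
    p->table[h].object = NULL;
    o->handle_count--;
    ob_dereference(o);
    return 1;
}

/* The TerminateProcess pattern: look in the handle entry before acting. */
int terminate_process(Process *caller, int h)
{
    Object *o = ob_reference_by_handle(caller, h, ACCESS_TERMINATE);
    if (o == NULL) return 0;
    o->terminated = 1;
    return 1;
}

/* Runs the scenario; returns 0 if every expectation holds, else the failing step. */
int run_scenario(void)
{
    Object victim = { "victim.exe", 0, 1, 0, 0 };  /* 1 = the process manager's own reference */
    Process a = {{{0}}}, b = {{{0}}};
    unsigned allowed_a = ACCESS_QUERY;                     /* A may only query the victim */
    unsigned allowed_b = ACCESS_QUERY | ACCESS_TERMINATE;  /* B may also terminate it */

    int ha = ob_open(&a, &victim, ACCESS_QUERY, allowed_a);
    if (ha != 0) return 1;
    if (ob_open(&a, &victim, ACCESS_TERMINATE, allowed_a) != HANDLE_INVALID) return 2;
    int hb = ob_open(&b, &victim, ACCESS_TERMINATE, allowed_b);
    if (hb != 0) return 3;                          /* same index as ha: tables are per-process */
    if (terminate_process(&a, ha) != 0) return 4;   /* A's entry was validated for QUERY only */
    if (terminate_process(&a, hb) != 0) return 5;   /* B's handle value means nothing in A */
    if (terminate_process(&b, hb) != 1) return 6;
    if (victim.handle_count != 2 || victim.reference_count != 3) return 7;
    ob_close(&a, ha);
    ob_close(&b, hb);
    if (victim.freed) return 8;                     /* a kernel reference is still outstanding */
    ob_dereference(&victim);
    return victim.freed ? 0 : 9;
}

int main(void)
{
    int step = run_scenario();
    puts(step == 0 ? "all expectations held" : "an expectation failed");
    return step;
}
```

Step 5 is the one to notice: B's handle value, used in A's context, silently selects A's own slot 0, which was validated for query only. That is why handle values cannot be passed between processes as plain integers, and why the rights fixed at open time are what govern every later call.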


Executive Objects

  Object type       Represents
  Object directory  Container object for other objects; implements the hierarchical namespace that stores other object types
  Symbolic link     Mechanism for referring to an object name indirectly
  Process           Virtual address space and control information necessary for the execution of thread objects
  Thread            Executable entity within a process
  Section           Region of shared memory (file mapping object in the Windows API)
  File              Instance of an opened file or I/O device
  Port              Mechanism to pass messages between processes
  Access token      Security profile (security ID, user rights) of a process or thread
  Event             Object with persistent state (signaled or not) usable for synchronization or notification
  Semaphore         Counter and resource gate for a critical section
  Mutant            Synchronization construct to serialize resource access
  Timer             Mechanism to notify a thread when a fixed period of time elapses
  Queue             Method for threads to enqueue/dequeue notifications of I/O completions (Windows I/O completion port)
  Key               Reference to registry data, visible in the object manager namespace
  Profile           Mechanism for measuring execution time for a process within an address range


Object Structure

Object header:
- Object name
- Object directory
- Security descriptor
- Quota charges
- Open handle count
- Open handles list (the processes holding handles: Process 1, Process 2, Process 3 in the figure)
- Object type (pointer to the type object)
- Reference count

Object body:
- Object-specific data

Type object:
- Type name
- Access types
- Synchronizable? (Y/N)
- Pageable? (Y/N)
- Methods: open, close, delete, parse, security, query name

The type object contains static, object-type-specific data: it is shared among all instances of an object type and links all instances together (for enumeration).

Object Methods

  Method      When the method is called
  Open        When an object handle is opened
  Close       When an object handle is closed
  Delete      Before the object manager deletes an object
  Query name  When a thread requests the name of an object, such as a file, that exists in a secondary object domain
  Parse       When the object manager is searching for an object name that exists in a secondary object domain
  Security    When a process reads or changes the protection of an object, such as a file, that exists in a secondary object domain

Example: a process opens a handle to the object \Device\Floppy0\docs\resume.doc. The object manager traverses the name tree until it reaches Floppy0, then calls the parse method of the Floppy0 object with the argument \docs\resume.doc.


Object Manager Namespace
- System- and session-wide internal namespace for all objects exported by the operating system
- View with Winobj from www.sysinternals.com
- Interesting object directories
  - in \ObjectTypes: the objects that define types of objects
  - in \BaseNamedObjects: these appear when Windows programs use CreateEvent, etc.
    - mutant (Windows mutex), queue (Windows I/O completion port), section (Windows file mapping object), event, semaphore
  - in \GLOBAL??: DOS device name mappings for the console session


Object Manager Namespace (cont.)
- Namespace:
  - hierarchical directory structure (based on the file system model)
  - system-wide (not per-process)
    - with Terminal Services, Windows objects are per-session by default
    - can override this with the Global\ prefix on object names; as of Server 2003, this requires SeCreateGlobalPrivilege
  - volatile (not preserved across boots)
- Namespace can be extended by secondary object managers (e.g. file systems)
  - hook mechanism to call an external parse routine (method)
- Supports case-sensitive or case-blind lookup
- Supports symbolic links (used to implement drive letters, etc.)
- Lookup is done on object creation or on access by name
  - not on access by handle
- Not all objects managed by the object manager are named
  - e.g. file objects are not named; unnamed objects are not visible in WinObj
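The parse-method hand-off in the Floppy0 example under Object Methods and the symbolic-link, case-blind lookup rules above, as one added example that is not taken from the original slides: a C model (not NT source) of name resolution that walks directories, splices a symbolic link's target in front of the remaining path and restarts from the root, and calls a device object's parse method with whatever is left. The namespace contents, the drive-letter link targets and the output format of device_parse() are constructed for the demo; resolve() is the entry point.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of object-manager name lookup (added example, not NT source): directories,
 * symbolic links spliced into the remaining path and re-resolved from the root, and
 * device objects whose parse method takes over once lookup leaves the object
 * manager's own tree. The names and device_parse() are constructed for the demo. */
typedef enum { OBJ_DIRECTORY, OBJ_SYMLINK, OBJ_DEVICE } ObjType;
#define MAX_PATH_LEN 256
typedef struct NsObject NsObject;
typedef int (*ParseMethod)(NsObject *self, const char *remaining, char *out, size_t outlen);
struct NsObject {
    ObjType     type;
    char        name[32];
    NsObject   *children[8];              /* OBJ_DIRECTORY */
    int         nchildren;
    const char *target;                   /* OBJ_SYMLINK: absolute target name */
    ParseMethod parse;                    /* OBJ_DEVICE: secondary object manager hook */
};

static NsObject *dir_find(NsObject *dir, const char *comp, size_t len, int case_blind)
{
    for (int i = 0; i < dir->nchildren; i++) {
        const char *n = dir->children[i]->name;
        if (strlen(n) == len && (case_blind ? strncasecmp(n, comp, len) : strncmp(n, comp, len)) == 0)
            return dir->children[i];
    }
    return NULL;
}

/* Stand-in for a file-system driver's parse routine: reports what it was handed. */
static int device_parse(NsObject *self, const char *remaining, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s parse(\"%s\")", self->name, remaining);
    return 1;
}

/* Resolve an absolute name; returns 1 and describes the final object in 'out', or 0. */
int ob_lookup(NsObject *root, const char *path, int case_blind, char *out, size_t outlen)
{
    char buf[MAX_PATH_LEN], spliced[MAX_PATH_LEN];
    int hops = 0;
    if (path[0] != '\\' || strlen(path) >= sizeof buf) return 0;
    strcpy(buf, path);
    NsObject *cur = root;
    for (const char *p = buf + 1; *p != '\0'; ) {
        const char *end = strchr(p, '\\');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *rest = p + len;                  /* "" or "\..." */
        NsObject *child = dir_find(cur, p, len, case_blind);
        if (child == NULL) return 0;
        if (child->type == OBJ_SYMLINK) {            /* splice target + rest, restart at root */
            if (++hops > 8 || snprintf(spliced, sizeof spliced, "%s%s", child->target, rest) >= (int)sizeof spliced)
                return 0;
            strcpy(buf, spliced);
            cur = root;
            p = buf + 1;
            continue;
        }
        if (child->type == OBJ_DEVICE)               /* hand the remainder to the parse method */
            return child->parse(child, rest, out, outlen);
        cur = child;
        p = end ? end + 1 : rest;
    }
    snprintf(out, outlen, "directory %s", cur->name);
    return 1;
}

/* Initialise one object (callers pass zeroed static storage) and link it into its parent. */
static NsObject *make(NsObject *o, ObjType t, const char *name, NsObject *parent)
{
    o->type = t;
    strncpy(o->name, name, sizeof o->name - 1);
    if (parent && parent->nchildren < 8) parent->children[parent->nchildren++] = o;
    return o;
}

/* A slice of the namespace from the slides: \Device and the \GLOBAL?? drive-letter links. */
NsObject *build_namespace(void)
{
    static NsObject root, dev, glb, floppy, hdv1, a_link, c_link;
    static int built = 0;
    if (built) return &root;
    built = 1;
    make(&root, OBJ_DIRECTORY, "\\", NULL);
    make(&dev, OBJ_DIRECTORY, "Device", &root);
    make(&glb, OBJ_DIRECTORY, "GLOBAL??", &root);
    make(&floppy, OBJ_DEVICE, "Floppy0", &dev)->parse = device_parse;
    make(&hdv1, OBJ_DEVICE, "HarddiskVolume1", &dev)->parse = device_parse;
    make(&a_link, OBJ_SYMLINK, "A:", &glb)->target = "\\Device\\Floppy0";
    make(&c_link, OBJ_SYMLINK, "C:", &glb)->target = "\\Device\\HarddiskVolume1";
    return &root;
}

/* Resolve against the demo namespace; static buffer so callers can compare directly. */
const char *resolve(const char *path, int case_blind)
{
    static char out[MAX_PATH_LEN];
    if (!ob_lookup(build_namespace(), path, case_blind, out, sizeof out))
        snprintf(out, sizeof out, "not found");
    return out;
}
```

resolve("\\Device\\Floppy0\\docs\\resume.doc", 1) yields Floppy0 parse("\docs\resume.doc"), which is exactly the hand-off in the slide's example. resolve("\\global??\\c:", 0) fails only because that lookup is case-sensitive; with case_blind set it returns HarddiskVolume1 parse("") because the link target is re-resolved from the root. The hop limit bounds a link that points back at itself, a loop any resolver has to cut off.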

Other References
Windows Academic Program: http://www.microsoft.com/education/faculty connection/articles/articledetails.aspx?cid= 2416 (27/05/2010)

OS 2009 - Faculty of Informatics, U.N.L.P.

