lecture 2 system architecture

计算机系•信息处理实验室

Lecture 2 System architecture

xlanchen@03/04/2005

xlanchen@03/04/2005 Understanding the Inside of Windows2000

2计算机系信息处理实验室

Review of last class

Win32 API and its functions

System service (int 2e)

Win32 services

Process and threads in windows 2000

Virtual memory (0G~2G~4G)

Kernel mode vs. user mode

Objects and handles



Contents of this lecture

Design goals

Operating system model

Key system components



Design Goals

True 32-bit, pre-emptive, re-entrant, virtual memory

Multiple hardware platforms

Symmetric multi-processor architecture

Support networked computing

Support 16-bit MS-DOS and Win3.x apps

POSIX 1003.1 compliance

TCSEC C2 certification

Support Unicode



Design Goals

Extensibility

Portability

Reliability and robustness

Compatibility

Performance



Windows 2000 VS. Consumer Windows

Consumer Windows

Windows 95, Windows 98, and Windows Millennium Edition

Both are part of the "Windows family of operating systems

Sharing a common subset API (Win32 and COM) and in some cases operating system code

And WDM (Windows Driver Model) except 95



Windows 2000 VS. Consumer Windows

Multiprocessor systems, security

True 32-bit

Fully reentrant

Address space for 16-bit Windows applications

Visibility of shared memory

Writable system pages from user mode

Fully compatibility with MS-DOS and Windows 3.1



Operating system model

Similar to most UNIX systems

Kernel mode VS. User mode

most of OS and device driver code shares the same kernel-mode protected memory space

Then, Windows 2000

Monolithic operating systemORMicrokernel-Based System



Kernel-mode components and OO

Not an strict OO system

Follows Basic OO design principles

Mostly C not C++

C doesn't directly support OO constructs, such as dynamic binding of data types, polymorphic functions, or class inheritance

What C brings?



Portability

Windows 2000 achieves portability across hardware architectures and platforms in two primary ways

Layered design

Language C



Multitasking vs. multiprocessing

Multitasking: sharing a single processor among multiple threads of execution

Multiprocessing

SMP vs. ASMP



Architecture Overview

Key system components




Four basic types of user-mode processes

System support processes

Service processes

User applications

Environment subsystems



User mode processes [1]

System support processes

not Windows 2000 services (not started by the service control manager)

Example:

Logon process

Session manager




Service processes

Windows 2000 services

Example:

Task scheduler

Spooler

…




User applications

One of five types

Win32

Windows 3.1

MS-DOS

POSIX

OS/2 1.2




Environment subsystems

Environment subsystems expose the native operating system services to user applications through a set of callable functions

Three environment subsystems

Win32, POSIX, and OS/2




Subsystem DLLs




Subsystem DLLs

User applications through one or more subsystem DLLs to call the native Windows 2000 operating system services indirectly

Role of the subsystem DLLs

Function appropriate internal 2K system service calls

Sometimes, sending a message to the appropriate environment subsystem process




Kernel mode component



Kernel mode component

Executive: Base OS services

memory management, process and thread management, security, I/O, and IPC

Kernel: low-level OS functions

thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization

Device drivers

HAL = hardware abstraction layer

Windowing and graphics system



Core Windows 2000 System Files

Ntoskrnl.exe

Executive and kernel

Ntkrnlpa.exe

Executive and kernel with support for PAE

Hal.dll

Different hardware platform has different HAL

Hal.dll

User mode

Kernel modeNtoskrnl.exe




Kernel32.dll

Win32 API functions

Advapi32.dll

Advance application interface

Ntdll.dll

Internal support functions

system service dispatch stubs

Core Win32 subsystem DLLs




Why kernel32/advapi32 + Ntdll?

Ntdll.dll

Ntoskrnl.exe

int 0x2eUser mode

Kernel mode

Kernel32.dll

Advapi32.dll




User32.dll

Gdi32.dll

Win32k.sys

a particular diver

Kernel-mode part of the Win32 subsystem

Win32k.sys

User mode

Kernel mode

User32.dll Gdi32.dll

int 0x2e

Core Win32 subsystem DLLs



Key System Components

Windows 2000 archtecture



Environment Subsystems and DLLs

Win32 subsystem

POSIX Subsystem

OS/2 Subsystem

See registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems



An example (your system may different)



Win32 subsystem [1]

Implemented in the Csrss.exe process

Supports basic text windows

Creating and deleting Win32 processes/threads

and in the kernel mode driver WIN32K.SYS

Parts of the Windows manager (“User”)

Parts of the GDI

And in subsystem DLLs mapping Win32 calls onto NT supervisor functions

Kernel32.dll, Advapi32.dll User32.dll, Gdi32.dll

And Graphics device drivers



Win32 subsystem [2]

E.g. App create windows by calling USER functions which call GDI functions which call graphic device drivers

Win32 (csrss.exe)

User32.dll, Kernel32.dll, Gdi32.dll

Ntdll.dll

Ntoskrnl.exe, win32k.sys

App

User mode

Kernel mode



Window manager and graphics

In win32 process or kernel

Prior to NT4.0

Required multiple thread and process context switches which consumed considerable CPU cycles and memory resources

In NT4.0

moving the windowing and graphics system into kernel mode



POSIX Subsystem

a portable operating system interface based on UNIX

Standard: POSIX 1

a mandatory goal for Windows 2000

Fairly limited in usefulness



OS/2 Subsystem

Supports only OS/2 1.2 16-bit character-based or video I/O (VIO) applications



Key components (cont.)

NTDLL.DLL:

Stubs to Executive entry points

NTCreateFile, NtSetEvent etc.

Support functions for subsystems




Executive (Ntoskrnl.exe), include

Functions

User mode callable or kernel mode callable

components

Such as configuration manager, process and thread manager, I/O manager, plug and play manager, power manager, virtual memory manager, and so on.

Support functions

Object manager, LPC, synchronisation primitives




Kernel (in Ntoskrnl.exe)

provide fundamental mechanisms used by the executive components

Kernel objects, thread scheduling, trap and exception handling, interrupt handling



Ntoskrnl.exe



Key components (cont.)Hardware Abstraction Layer (Hal.dll)

List of HalsHal.dll for Standard PCs

Halacpi.dll for ACPI PCs

Halapic.dll for APIC PCs

Halaacpi.dll for APIC ACPI PCs

Halmps.dll for Multiprocessor PCs

Halmacpi.dll for Multiprocessor ACPI PCs

Halborg.dll for Silicon Graphics Workstation (nolonger marketed)

Halsp.dll for Compaq SystemPro

Hal.dll

Hardware




EXPERIMENT: Determining Which HAL You're Running

Open \Winnt\Repair\Setup.log, search for Hal.dll

Or,

In Device Manager, look at the Computer device(My ComputerPropertiesHardwareDevice Manager)

ACPI= Advanced Configuration and Power Interface

APIC= Advanced Programmable Interrupt Controller




Device Drivers

loadable kernel-mode modules (mostly .sys)

run in kernel mode in one of three contexts

a user thread that initiated an I/O function

a kernel-mode system thread

an interrupt handling

I/O Manager

Drivers

HAL

Hardware



Device driversTypes of device drivers

Hardware device drivers

Handle different physical devices

File system drivers

Implement file abstraction

File system filter drivers

e.g. disk mirroring, encryption and so on

Network redirectors and servers

Transmit I/O requests across network

Protocol drivers

Kernel streaming filter drivers



EXPERIMENT Viewing the Installed Device Drivers

Run msinfo32

An example:



Undocumented functions

EXPERIMENT Listing Undocumented Functions

Depends.exe open system32\Ntoskrnel.exe

An example:



System processesSystem process (0) Idle process System (8) System process smss.exe (144) Session manager csrss.exe (172) Win32 subsystem process winlogon.exe (192) Logon process services.exe (220) Service control manager svchost.exe (384) Generic service host image spoolsv.exe (480) Spooler service regsvc.exe (636) Remote registry service mstask.exe (664) Task scheduler service lsass.exe (232) Local security authentication server



System Processes

Idle Process (ID 0)

System process

Always process ID 8

The home for kernel mode system threads

Session Manager (SMSS.EXE)

First user-mode process

Completes system initialization

Win32 subsystem (csrss.exe)

Logon (winlogon.exe)



Logon (winlogon.exe)

Handles interactive user logons and logoffs

SAS: Ctrl+Alt+Delete

Calls Userinit.exe to create user proc

performs some initialization

creates a process to run the system-defined shell (Explorer.exe)

Exit

Local Security Authentication Server (Lsass.exe)

Validates authentication data and creates access token



Service controller Manager (Services.exe)

Starts and stops NT services (e.g. event log)

EXPERIMENT Listing Installed Services

Administrative Tools Services

lecture 2 system architecture

Documents