Unit OS2: Unit OS2: Operating System Principles Operating System Principles

(1)

Unit OS2:

Operating System Principles Operating System Principles

2.3. 2.3. Windows on Windows - OS Personalities Windows on Windows - OS Personalities

(2)

Copyright Notice Copyright Notice

© 2000-2005 David A. Solomon and Mark Russinovich

These materials are part of the

These materials are part of the Windows Operating Windows Operating System Internals Curriculum Development Kit,

System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E.

developed by David A. Solomon and Mark E.

Russinovich with Andreas Polze Russinovich with Andreas Polze

Microsoft has licensed these materials from David Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic academic organizations solely for use in academic environments (and not for commercial use)

environments (and not for commercial use)

(3)

Roadmap for Section 2.3.

Environment Subsystems Environment Subsystems

System Service Dispatching

Windows on Windows - 16bit

Windows on Windows - 64bit

(4)

Multiple OS Personalities Multiple OS Personalities

OS/2 Windows POSIX

Environment Subsystems

User

Application

Subsystem DLL

Windows User/GDI

Device Driver

Executive

Device Drivers Kernel

Hardware Abstraction Layer (HAL) User

Mode Kernel Mode

System

& Service Processes

Windows

(5)

What about .NET and WinFX?

WinFX is the .NET Framework that will ship with Longhorn WinFX is the .NET Framework that will ship with Longhorn Both .NET and WinFX are built on standard Windows APIs Both .NET and WinFX are built on standard Windows APIs

They are not a subsystem They are not a subsystem

They do not call undocumented Windows system calls They do not call undocumented Windows system calls

.NET/WinFX Application

Windows API DLLs User

Mode

Windows Kernel

Kernel Mode

.NET/WinFX Framework

(6)

Environment Subsystems Environment Subsystems

Environment subsystems provide exposed, documented interface Environment subsystems provide exposed, documented interface between application and Windows native API

between application and Windows native API

Each subsystem defines a different set of APIs & semantics Each subsystem defines a different set of APIs & semantics Subsystems implement these by invoking native APIs

Subsystems implement these by invoking native APIs

i.e., subsystem “wraps” and extends Windows native API i.e., subsystem “wraps” and extends Windows native API

Example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile Example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile

.exe’s and .dll’s you write are associated with a subsystem .exe’s and .dll’s you write are associated with a subsystem

Specified by LINK /SUBSYSTEM option

Cannot mix calls between subsystems

(7)

Environment Subsystems Environment Subsystems

Three environment subsystems originally provided with NT:

Windows –Windows API (originally 32-bit, now also 64-bit) Windows –Windows API (originally 32-bit, now also 64-bit) OS/2 - 1.x character-mode apps only

OS/2 - 1.x character-mode apps only

Removed in Windows 2000 Removed in Windows 2000

Posix - only Posix 1003.1 (bare minimum Unix services - no networking, windowing, Posix - only Posix 1003.1 (bare minimum Unix services - no networking, windowing, threads, etc.)

threads, etc.)

Removed in Windows XP/Server 2003 – enhanced version ships with Services For Unix Removed in Windows XP/Server 2003 – enhanced version ships with Services For Unix 3.03.0

Ships with Windows Server 2003 R2 Ships with Windows Server 2003 R2

Of the three, Windows provides access to the majority of OS native Of the three, Windows provides access to the majority of OS native

functions functions

Of the three, Windows is required to be running Of the three, Windows is required to be running

System crashes if Windows subsystem process exits System crashes if Windows subsystem process exits

POSIX and OS/2 subsystems are actually Windows applications POSIX and OS/2 subsystems are actually Windows applications POSIX & OS/2 start on demand (first time an app is run)

POSIX & OS/2 start on demand (first time an app is run)

Stay running until system shutdown Stay running until system shutdown

(8)

Subsystem Information in Registry Subsystem Information in Registry

Subsystems configuration and startup information is in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

\Session Manager\SubSystems

\Session Manager\SubSystems Values:

Values:

Required

Required - list of value names for subsystems to load at boot time - list of value names for subsystems to load at boot time Optional

Optional - list of value names for subsystems to load when needed - list of value names for subsystems to load when needed Windows

Windows - value giving filespec of Windows subsystem (csrss.exe) - value giving filespec of Windows subsystem (csrss.exe) csrss.exe

csrss.exe Windows APIs Windows APIs required - always started when Windows boots required - always started when Windows boots Kmode

Kmode - value giving filespec of Win32K.Sys - value giving filespec of Win32K.Sys

(kernel-mode driver portion of Windows subsystem) (kernel-mode driver portion of Windows subsystem) Posix

Posix - file name of POSIX subsystem - file name of POSIX subsystem psxss.exe

psxss.exe Posix APIs Posix APIs optional optional - started when first Posix app is run - started when first Posix app is run

Some Windows API DLLs are in “known DLLs” registry entry:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Files are opened as mapped files Files are opened as mapped files

Improves process creation/image startup time

(9)

OS/2 Windows POSIX

Environment Subsystems

User

Application Subsystem DLL

Windows User/GDI User

Mode

Executive

Device Drivers Kernel

Hardware Abstraction Layer (HAL) Kernel

Mode

System

& Service Processes

Subsystem Components Subsystem Components

API DLLs API DLLs

for Windows: Kernel32.DLL, Gdi32.DLL, User32.DLL, etc.

Subsystem process Subsystem process

for Windows: CSRSS.EXE (Client Server Runtime SubSystem) for Windows: CSRSS.EXE (Client Server Runtime SubSystem)

For Windows only: kernel-mode GDI code For Windows only: kernel-mode GDI code

Win32K.SYS - (this code was formerly part of CSRSS) Win32K.SYS - (this code was formerly part of CSRSS)

3 2

1 3

2

1

(10)

Role of Subsystem Components Role of Subsystem Components

API DLLs API DLLs

Export the APIs defined by the subsystem Export the APIs defined by the subsystem

Implement them by calling Windows “native” services, or by asking the subsystem process Implement them by calling Windows “native” services, or by asking the subsystem process to do the work

to do the work

Subsystem process Subsystem process

Maintains global state of subsystem Maintains global state of subsystem

Implements a few APIs that require subsystem-wide state changes Implements a few APIs that require subsystem-wide state changes

Processes and threads created under a subsystem Processes and threads created under a subsystem Drive letters

Drive letters

Window management for apps with no window code of their own (character-mode apps) Window management for apps with no window code of their own (character-mode apps) Handle and object tables for subsystem-specific objects

Handle and object tables for subsystem-specific objects

Win32K.Sys Win32K.Sys

Implements Windows User & GDI functions; calls routines in GDI drivers Implements Windows User & GDI functions; calls routines in GDI drivers Also used by Posix and OS/2 subsystems to access the display

Also used by Posix and OS/2 subsystems to access the display

3

2

1

(11)

NtDll.Dll

Simplified Architecture Simplified Architecture

(3.51 and earlier) (3.51 and earlier)

OS/2 Windows POSIX

Environment Subsystems

User Mode Kernel Mode

System

& Service Processes

Executive

Device Drivers Kernel

Hardware Abstraction Layer (HAL) KiSystemService

LPC User

Application

Subsystem DLL

1 2

most Windows Kernel APIs most Windows Kernel APIs

all other Windows APIs, including User and GDI APIs all other Windows APIs, including User and GDI APIs 2

1

(12)

NtDll.Dll

OS/2 Windows POSIX

Environment Subsystems

Windows User/GDI User

Mode

Executive

Device Drivers Kernel

Hardware Abstraction Layer (HAL) Kernel

Mode

System

& Service Processes

1 3 2

KiSystemService

User

Application

Subsystem DLL

LPC

Windows Simplified Architecture Windows Simplified Architecture

most Windows Kernel APIs most Windows Kernel APIs

most Windows User and GDI APIs (these were formerly part of CSRSS) most Windows User and GDI APIs (these were formerly part of CSRSS) a few Windows APIs

a few Windows APIs

3

2

1

(13)

Role of CSRSS.EXE Role of CSRSS.EXE

(Windows Subsystem Process) (Windows Subsystem Process)

A few Windows APIs are implemented in this separate process A few Windows APIs are implemented in this separate process

In 3.51 and earlier:

Nearly all User and GDI APIs were implemented in CSRSS Nearly all User and GDI APIs were implemented in CSRSS

CSRSS had a thread for every application thread that created a window CSRSS had a thread for every application thread that created a window GDI drivers (video, printer) were user mode, mapped into this process GDI drivers (video, printer) were user mode, mapped into this process This was done for protection, esp. to keep GDI drivers in user mode This was done for protection, esp. to keep GDI drivers in user mode

CSRSS in NT 4.0 and later: role is greatly diminished CSRSS in NT 4.0 and later: role is greatly diminished

Maintains system-wide state information for all Windows “client” processes Maintains system-wide state information for all Windows “client” processes Several Windows services LPC to CSRSS for “setup and teardown” functions Several Windows services LPC to CSRSS for “setup and teardown” functions

Process and thread creation and deletion Process and thread creation and deletion Get temporary file name

Get temporary file name Drive letters

Drive letters

Security checks for file system redirector Security checks for file system redirector

Window management for console (character cell) applications … Window management for console (character cell) applications …

… … including NTVDM.EXEincluding NTVDM.EXE

(14)

Header of Executable File Specifies Header of Executable File Specifies

Subsystem Type Subsystem Type

Subsystem for each .exe specified in image header Subsystem for each .exe specified in image header

see winnt.h (in Platform SDK) see winnt.h (in Platform SDK)

or exetype image.exe (2000 Resource Kit) or exetype image.exe (2000 Resource Kit)

IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem

IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Windows subsystem (graphical app) IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Windows subsystem (character cell) IMAGE_SUBSYSTEM_OS2_CUI 5 // OS/2 subsystem

IMAGE_SUBSYSTEM_POSIX_CUI 7 // Posix subsystem

(15)

Native Images Native Images

.EXEs not linked against any subsystem .EXEs not linked against any subsystem

Interface to Windows executive routines directly via Interface to Windows executive routines directly via NTDLL.DLL

NTDLL.DLL

Two examples:

smss.exe

smss.exe (Session Manager -- starts before (Session Manager -- starts before subsystems start)

subsystems start) csrss.exe

csrss.exe (Windows subsystem) (Windows subsystem)

(16)

Lab: Subsytems & Images Lab: Subsytems & Images

Look at subsystem startup information in registry Look at subsystem startup information in registry

Using EXETYPE, look at subsystem types for:

\windows\system32\notepad.exe, cmd.exe,

\windows\system32\notepad.exe, cmd.exe, csrss.exe

csrss.exe

(17)

POSIX.1 Subsystem POSIX.1 Subsystem

Original POSIX subsystem implemented only POSIX.1 Original POSIX subsystem implemented only POSIX.1

ISO/IEC 9945-1:1990 or IEEE POSIX standard 1003.1-1990 ISO/IEC 9945-1:1990 or IEEE POSIX standard 1003.1-1990

POSIX.1 compliance as specified in Federal Information Processing Standard POSIX.1 compliance as specified in Federal Information Processing Standard (FIPS) 151-2 (NIST)

(FIPS) 151-2 (NIST)

POSIX Conformance Document in \HELP in Platform SDK POSIX Conformance Document in \HELP in Platform SDK Support for impl. of POSIX.1 subsystem was mandatory for NT Support for impl. of POSIX.1 subsystem was mandatory for NT

fork service in NT executive fork service in NT executive hard file links in NTFS

hard file links in NTFS Limited set of services Limited set of services

such as process control, IPC, simple character cell I/O such as process control, IPC, simple character cell I/O

POSIX subsystem alone is not a complete programming environment POSIX subsystem alone is not a complete programming environment POSIX.1 executable cannot

POSIX.1 executable cannot create a thread or a window create a thread or a window

use remote procedure calls (RPCs) or sockets

(18)

Invoking (a few) Windows Services Invoking (a few) Windows Services

Application Process

CSRSS.EXE (Windows subsystem

process)

Subsystem DLL

Executive

Local

Procedure Call

LPC is an undocumented system service in

NtDll.Dll

(not exposed directly in Windows API)

U K



Some system calls still require communication with the Windows

subsystem process

(19)

System Call Dispatching System Call Dispatching

NTDLL.DLL provides interface for native system calls

(20)

Example: Invoking a Windows Kernel Example: Invoking a Windows Kernel

API API

call WriteFile(…)

call NtWriteFile return to caller

do the operation

Int 2E or SYSCALL or SYSENTER

return to caller

call NtWriteFile dismiss interrupt

Windows application

WriteFile

in Kernel32.Dll

NtWriteFile in NtDll.Dll

KiSystemService in NtosKrnl.Exe NtWriteFile

Windows- specific

used by all subsystems software interrupt

U

K

(21)

Invoking System Functions from Invoking System Functions from

User Mode User Mode

Kernel-mode functions (“services”) are invoked from user mode via a protected Kernel-mode functions (“services”) are invoked from user mode via a protected mechanism

mechanism

x86: INT 2E (as of XP, faster instructions are used where available: SYSENTER on x86, x86: INT 2E (as of XP, faster instructions are used where available: SYSENTER on x86, SYSCALL on AMD)

SYSCALL on AMD)

i.e., on a call to an OS service from user mode, the last thing that happens in user mode is i.e., on a call to an OS service from user mode, the last thing that happens in user mode is this “change mode to kernel” instruction

this “change mode to kernel” instruction

Causes an exception or interrupt, handled by the system service dispatcher Causes an exception or interrupt, handled by the system service dispatcher (KiSystemService) in kernel mode

(KiSystemService) in kernel mode

Return to user mode is done by dismissing the interrupt or exception Return to user mode is done by dismissing the interrupt or exception

The desired system function is selected by the “system service number”

Every Windows function exported to user mode has a unique number Every Windows function exported to user mode has a unique number

This number is stored in a register just before the “change mode” instruction This number is stored in a register just before the “change mode” instruction (after pushing the arguments to the service)

(after pushing the arguments to the service)

This number is an index into the system service dispatch table This number is an index into the system service dispatch table

Table gives kernel-mode entry point address and argument list length for each exported Table gives kernel-mode entry point address and argument list length for each exported function

function

(22)

Invoking System Functions from Invoking System Functions from

User Mode User Mode

All validity checks are done after the user to kernel transition All validity checks are done after the user to kernel transition

KiSystemService probes argument list, copies it to kernel-mode stack, and calls the executive KiSystemService probes argument list, copies it to kernel-mode stack, and calls the executive or kernel routine pointed to by the table

or kernel routine pointed to by the table

Service-specific routine checks argument values, probes pointed-to buffers, etc.

Once past that point, everything is “trusted”

This is safe, because This is safe, because : :

The system service table is in kernel-protected memory; and The system service table is in kernel-protected memory; and

The kernel mode routines pointed to by the system service table are in kernel-protected The kernel mode routines pointed to by the system service table are in kernel-protected memory; therefore:

memory; therefore:

User mode code can’t supply the code to be run in kernel mode; it can only select from among User mode code can’t supply the code to be run in kernel mode; it can only select from among a predefined list

a predefined list

Arguments are copied to the kernel mode stack before validation; therefore:

Other threads in the process can’t corrupt the arguments “out from under” the service Other threads in the process can’t corrupt the arguments “out from under” the service

(23)

call write(…)

call NtWriteFile return to caller

do the operation return to caller

Int 2E

return to caller

call NtWriteFile dismiss interrupt

Posix application

write

in psxdll.dll

NtWriteFile in NtDll.Dll

KiSystemService in NtosKrnl.Exe

NtWriteFile

in NtosKrnl.Exe

Example: Invoking a Posix API Example: Invoking a Posix API

Posix- specific

used by all subsystems software interrupt

U

K

(24)

Ntdll.dll Ntdll.dll

Interface to Windows system calls (285 calls starting with “Nt”-some have Interface to Windows system calls (285 calls starting with “Nt”-some have

“Zw” aliases)

These user-mode routines have the same function names and arguments as the These user-mode routines have the same function names and arguments as the kernel mode routines they invoke

kernel mode routines they invoke

e.g. NtWriteFile in NtDll.Dll invokes NtWriteFile in NtosKrnl.Exe e.g. NtWriteFile in NtDll.Dll invokes NtWriteFile in NtosKrnl.Exe

Majority are not supported or documented Majority are not supported or documented

7 are (partially) documented in the Platform SDK:

NtQuerySystemInformation, NtQuerySystemTime, NtQueryInformationProcess, NtQuerySystemInformation, NtQuerySystemTime, NtQueryInformationProcess, NtQueryInformationThread, NtCreateFile, NtOpenFile, NtWaitForSingleObject NtQueryInformationThread, NtCreateFile, NtOpenFile, NtWaitForSingleObject The DDK describes 25 of them as “Zw” routines (such as ZwReadFile)

The DDK describes 25 of them as “Zw” routines (such as ZwReadFile)

• These entry points call the corresponding “Nt” interface via the system call interfaceThese entry points call the corresponding “Nt” interface via the system call interface

• Thus, “previous mode” is kernel mode, which means no security checksThus, “previous mode” is kernel mode, which means no security checks

• Kernel mode code could also call NtReadFile directlyKernel mode code could also call NtReadFile directly

Other user-mode support routines Other user-mode support routines

Image loader (“Ldr”) Image loader (“Ldr”)

Debug infrastructure (“Dbg”) Debug infrastructure (“Dbg”) Csrss support routines (“Csr”) Csrss support routines (“Csr”) RTL routines (“Rtl”)

RTL routines (“Rtl”)

Tracing routines (“Etw”) [new as of Windows Server 2003]

(25)

call NtWriteFile(…)

do the operation return to caller

Int 2E

return to caller

call NtWriteFile dismiss interrupt

native application (smss.exe, csrss.exe)

NtWriteFile in NtDll.Dll

KiSystemService in NtosKrnl.Exe

NtWriteFile

in NtosKrnl.Exe

Calling a “Native” API from User Calling a “Native” API from User Mode Mode

used by all subsystems software interrupt

U

K

(26)

call user or GDI service(…)

do the operation return to caller call Windows routine

dismiss interrupt

application

Gdi32.Dll or User32.Dll

KiSystemService in NtosKrnl.Exe

service entry point in Win32K.Sys

Invoking (most) User and GDI Invoking (most) User and GDI

Services Services

Windows- specific software interrupt

U K Int 2E

return to caller

(27)

16-bit Applications 16-bit Applications

on 32-bit Windows on 32-bit Windows

16-bit MS-DOS emulation MS-DOS application

16-bit

Virtual device drivers (COM, LPT, keyboard) 32-bit MS-DOS emulation

32-bit

640K 0

16MB

MS-DOS ext. memory

1MB

Windows Subsystem DLLs

OS/2 Windows POSIX

Environment Subsystems

User

Application Subsystem DLL

Windows User

Mode

Executive

Kernel Mode

System

& Service Processes

Windows runs NTVDM.EXE Windows runs NTVDM.EXE (NT Virtual Dos Machine) (NT Virtual Dos Machine)

NTVDM is a Windows image NTVDM is a Windows image No “DOS subsystem” or No “DOS subsystem” or

“Win16 subsystem”

7FFFFFFF

(28)

Windows runs NTVDM.EXE (NT Virtual DOS Machine) Windows runs NTVDM.EXE (NT Virtual DOS Machine)

See \System\CurrentControlSet\Control\WOW\cmdline See \System\CurrentControlSet\Control\WOW\cmdline Each DOS app has a separate process running NTVDM Each DOS app has a separate process running NTVDM

DOS & Windows 16-bit drivers not supported DOS & Windows 16-bit drivers not supported

Note: Windows “command prompt” is not a “DOS box”, despite icon; it’s a Windows console Note: Windows “command prompt” is not a “DOS box”, despite icon; it’s a Windows console application (CMD.EXE)

application (CMD.EXE)

DOS 16-bit Applications DOS 16-bit Applications

e.g. command.com, edit.com (NT4 had e.g. command.com, edit.com (NT4 had

qbasic.exe) qbasic.exe)

16-bit MS-DOS emulation MS-DOS application

16-bit

Virtual device drivers COM, LPT, keyboard

32-bit MS-DOS emulation 32-bit

Windows

Example:

three DOS apps

running in three NTVDM processes

640K 0

16MB

extended memory

1MB

(29)

Windows 16-Bit Applications Windows 16-Bit Applications

e.g. sysedit.exe, winhelp.exe e.g. sysedit.exe, winhelp.exe

Windows also runs NTVDM.EXE Windows also runs NTVDM.EXE

See \CurrentControlSet\Control\WOW\wowcmdline See \CurrentControlSet\Control\WOW\wowcmdline NTVDM loads wowexec.exe

NTVDM loads wowexec.exe

WOW = “Windows on Windows”

Win16 calls are translated to Win32 (Windows API) Win16 calls are translated to Win32 (Windows API)

Windows

Win16 app Win16 app Win16 app

example:

three Win16 apps (and wowexec.ex e) running in one NTVDM

process Win16 API

Virtual Device Drivers

16-bit

32-bit

16MB 0

(30)

Windows 16-bit Windows 16-bit

Applications Applications

Multitasking Details Multitasking Details

By default:

Each Win16 app runs in Each Win16 app runs in

a separate thread in the common a separate thread in the common NTVDM process

NTVDM process

They cooperatively multitask They cooperatively multitask among themselves

among themselves (Win16 Yield API)...

(Win16 Yield API)...

…and the one (if any) that wants …and the one (if any) that wants to run, preemptively multitasks to run, preemptively multitasks with all other threads on Windows with all other threads on Windows necessary to meet serialization necessary to meet serialization assumptions of some Win16 apps assumptions of some Win16 apps

Option to run Win16 apps in separate VDMs Option to run Win16 apps in separate VDMs

“ “

Run in Separate Memory Space” = run in separate processRun in Separate Memory Space” = run in separate process

default set by \CurrentControlSet\Control\WOW\DefaultSeparateVDM default set by \CurrentControlSet\Control\WOW\DefaultSeparateVDM

Win16 apps run this way preemptively multitask with all other threads, including the un-Yield’ed Win16 apps run this way preemptively multitask with all other threads, including the un-Yield’ed thread in a shared Win16 NTVDM (if any)

thread in a shared Win16 NTVDM (if any)

NT4 only:

(31)

Monitoring 16-bit Applications Monitoring 16-bit Applications

To most of Windows, an NTVDM process is just another process To most of Windows, an NTVDM process is just another process Task Manager

Task Manager

“ “ tasks” are simply the names of top-level windows - Win16 windows tasks” are simply the names of top-level windows - Win16 windows included

included

“ “ processes” display identifies Win16 apps within NTVDM processes processes” display identifies Win16 apps within NTVDM processes

by reading the NTVDM process’s private memory (undocumented by reading the NTVDM process’s private memory (undocumented interface)

interface)

does not identify the DOS apps within each NTVDM process does not identify the DOS apps within each NTVDM process

TLIST (resource kit) TLIST (resource kit)

does identify the DOS apps within each NTVDM process (by window does identify the DOS apps within each NTVDM process (by window

title) title)

but for a shared Win16 NTVDM process, only shows one window title but for a shared Win16 NTVDM process, only shows one window title

QuickView, exetype QuickView, exetype

identifies DOS, Win16, etc., application .exe’s

(32)

Lab: 16-bit Applications Lab: 16-bit Applications

DOS applications:

Run command.com and edit.com Run command.com and edit.com

look at process list in Task Manager Process tab - cannot differentiate look at process list in Task Manager Process tab - cannot differentiate which NTVDM.EXE is which

which NTVDM.EXE is which

From Applications tab, right click on window -> goto process (now can From Applications tab, right click on window -> goto process (now can map which NTVDM.EXE process is which)

map which NTVDM.EXE process is which)

Windows 3.1 applications:

Run winhelp.exe twice (do not check “run in separate memory Run winhelp.exe twice (do not check “run in separate memory space”)

space”)

Run winhelp.exe once and check “run in separate memory space”

Bring up Task Manager Process tab - make sure “Show 16-bit Tasks”

is checked on the View menu is checked on the View menu

Look at Task Manager Process tab and see 16-bit applications Look at Task Manager Process tab and see 16-bit applications identified inside the two NTVDMs

identified inside the two NTVDMs

(33)

Wow64 Wow64

Allows execution of Win32 binaries on 64-bit Windows Allows execution of Win32 binaries on 64-bit Windows

Wow64 intercepts system calls from the 32-bit application Wow64 intercepts system calls from the 32-bit application

Converts 32-bit data structure into 64-bit aligned structures Converts 32-bit data structure into 64-bit aligned structures Issues the native 64-bit system call

Issues the native 64-bit system call

Returns any data from the 64-bit system call Returns any data from the 64-bit system call

IsWow64Process()

IsWow64Process() function can tell a 32-bit process if it is running function can tell a 32-bit process if it is running under Wow64

under Wow64 Performance Performance

On x64, instructions executed by hardware On x64, instructions executed by hardware On IA64, instructions have to be emulated On IA64, instructions have to be emulated

New Intel IA-32 EL (Execution Layer) does binary translation of Itanium to x86 New Intel IA-32 EL (Execution Layer) does binary translation of Itanium to x86 to speed performance

to speed performance

Downloadable now – bundled with Server 2003 SP1 Downloadable now – bundled with Server 2003 SP1

(34)

Wow64 Components Wow64 Components

64-bit ntdll.dll 64-bit ntdll.dll Wow64.dll

Wow64.dll Wow64win.dll Wow64win.dll Wow64cpu.dll

Wow64cpu.dll

Win32k.sys Win32k.sys Executive

Executive

Kernel Kernel User Mode User Mode

32-bit ntdll.dll 32-bit ntdll.dll 32-bit EXE, DLLs 32-bit EXE, DLLs Wow64.dll - provides core

Wow64.dll - provides core emulation infrastructure and emulation infrastructure and thunks for Ntoskrnl.exe entry- thunks for Ntoskrnl.exe entry- point functions; exception point functions; exception dispatching

dispatching

Wow64win.dll - provides thunks Wow64win.dll - provides thunks for Win32k.sys entry-point

for Win32k.sys entry-point functions

functions

Wow64cpu.dll – manages thread Wow64cpu.dll – manages thread contexts, supports mode-switch contexts, supports mode-switch instructions

instructions

(35)

Wow64 Limitations Wow64 Limitations

Wow64 Feature Support on 64-bit Windows Wow64 Feature Support on 64-bit Windows

Platforms Platforms

IA64 IA64 x64 x64

16-bit Virtual DOS Machine (VDM) support

16-bit Virtual DOS Machine (VDM) support N/A N/A N/A N/A Physical Address Extension (PAE) APIs

Physical Address Extension (PAE) APIs N/A N/A Yes Yes

GetWriteWatch() API

GetWriteWatch() API N/A N/A Yes Yes

Scatter/Gather I/O APIs

Scatter/Gather I/O APIs N/A N/A Yes Yes

Hardware accelerated with DirectX version 7,8 and 9

Hardware accelerated with DirectX version 7,8 and 9 Software- Software- Yes Yes

Cannot load 32-bit DLLs in 64-bit process and vice versa Cannot load 32-bit DLLs in 64-bit process and vice versa Does not support 32-bit kernel mode device drivers

Does not support 32-bit kernel mode device drivers

Drivers must be ported to 64-bits Drivers must be ported to 64-bits

Special support required to support 32-bit applications using Special support required to support 32-bit applications using DeviceIoControl to driver

DeviceIoControl to driver

Driver must convert 32-bit structures to 64-bit

(36)

Wow64 File Locations Wow64 File Locations

Location of system files Location of system files

64-bit system files are in \windows\system32 64-bit system files are in \windows\system32 32-bit system files are in \windows\syswow64 32-bit system files are in \windows\syswow64

32-bit applications live in “\Program Files (x86)”

64-bit applications live in “\Program Files”

File access to %windir%\system32 redirected to %windir File access to %windir%\system32 redirected to %windir

%\syswow64

Two areas of the registry redirected (see next slide)

(37)

Wow64 Registry Redirection Wow64 Registry Redirection

Two registry keys have 32-bit Two registry keys have 32-bit sections:

sections:

HKEY_LOCAL_MACHINE\Software HKEY_LOCAL_MACHINE\Software HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

Everything else is shared Everything else is shared

32-bit data lives under 32-bit data lives under

\Wow6432Node

When a Wow64 process When a Wow64 process

opens/creates a key, it is redirected opens/creates a key, it is redirected to be under Wow6432Node

to be under Wow6432Node

(38)

Example: Cmd.exe on 64-bit System Example: Cmd.exe on 64-bit System

32-bit Cmd.exe process:

64-bit Cmd.exe process:

(39)

Four Contexts for Executing Code Four Contexts for Executing Code

Full process and thread context:

User applications User applications Windows Services Windows Services

Environment subsystem processes Environment subsystem processes System startup processes

System startup processes

Have thread context but no “real” process:

Threads in “System” process Threads in “System” process

Routines called by other threads/processes:

Subsystem DLLs Subsystem DLLs

Executive system services (NtReadFile, etc.) Executive system services (NtReadFile, etc.)

GDI32 and User32 APIs implemented in Win32K.Sys (and graphics drivers) GDI32 and User32 APIs implemented in Win32K.Sys (and graphics drivers)

No process or thread context No process or thread context

•

(“arbitrary thread context”)(“arbitrary thread context”)

•

Interrupt dispatchingInterrupt dispatching

•

Device driversDevice drivers

(40)

System Service Dispatcher

Task Manager Explorer SvcHost.Exe

WinMgt.Exe SpoolSv.Exe Service

Control Mgr.

LSASS

ObjectMgr.

Windows USER,

GDI

File System Cache

I/O Mgr

Environment Subsystems

User Application Subsystem DLLs

System Processes Services Applications

System Threads UserMode

Kernel Mode

NTDLL.DLL

Device &

File Sys.

Drivers

WinLogon

Session Manager Services.Exe POSIX

Windows DLLs

Plug andPlay Mgr. PowerMgr. SecurityReferenceMonitor VirtualMemory Processes&Threads LocalProcedureCall Graphics

Drivers

Kernel

Hardware Abstraction Layer (HAL) (kernel mode callable interfaces)

Windows Architecture Windows Architecture

Configura-tion Mgr(registry)

OS/2

Windows

(41)