Unit OS2:
Unit OS2:
Operating System Principles Operating System Principles
2.3. 2.3. Windows on Windows - OS Personalities Windows on Windows - OS Personalities
Copyright Notice Copyright Notice
© 2000-2005 David A. Solomon and Mark Russinovich
© 2000-2005 David A. Solomon and Mark Russinovich
These materials are part of the
These materials are part of the Windows Operating Windows Operating System Internals Curriculum Development Kit,
System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E.
developed by David A. Solomon and Mark E.
Russinovich with Andreas Polze Russinovich with Andreas Polze
Microsoft has licensed these materials from David Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic academic organizations solely for use in academic environments (and not for commercial use)
environments (and not for commercial use)
Roadmap for Section 2.3.
Roadmap for Section 2.3.
Environment Subsystems Environment Subsystems
System Service Dispatching
System Service Dispatching
Windows on Windows - 16bit
Windows on Windows - 16bit
Windows on Windows - 64bit
Windows on Windows - 64bit
Multiple OS Personalities Multiple OS Personalities
OS/2 Windows POSIX
Environment Subsystems
User
Application
Subsystem DLL
Windows User/GDI
Device Driver
Executive
Device Drivers Kernel
Hardware Abstraction Layer (HAL) User
Mode Kernel Mode
System
& Service Processes
Windows
What about .NET and WinFX?
What about .NET and WinFX?
WinFX is the .NET Framework that will ship with Longhorn WinFX is the .NET Framework that will ship with Longhorn Both .NET and WinFX are built on standard Windows APIs Both .NET and WinFX are built on standard Windows APIs
They are not a subsystem They are not a subsystem
They do not call undocumented Windows system calls They do not call undocumented Windows system calls
.NET/WinFX Application
Windows API DLLs User
Mode
Windows Kernel
Kernel Mode
.NET/WinFX Framework
Environment Subsystems Environment Subsystems
Environment subsystems provide exposed, documented interface Environment subsystems provide exposed, documented interface between application and Windows native API
between application and Windows native API
Each subsystem defines a different set of APIs & semantics Each subsystem defines a different set of APIs & semantics Subsystems implement these by invoking native APIs
Subsystems implement these by invoking native APIs
i.e., subsystem “wraps” and extends Windows native API i.e., subsystem “wraps” and extends Windows native API
Example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile Example: Windows CreateFile in Kernel32.Dll calls native NtCreateFile
.exe’s and .dll’s you write are associated with a subsystem .exe’s and .dll’s you write are associated with a subsystem
Specified by LINK /SUBSYSTEM option
Specified by LINK /SUBSYSTEM option
Cannot mix calls between subsystems
Cannot mix calls between subsystems
Environment Subsystems Environment Subsystems
Three environment subsystems originally provided with NT:
Three environment subsystems originally provided with NT:
Windows –Windows API (originally 32-bit, now also 64-bit) Windows –Windows API (originally 32-bit, now also 64-bit) OS/2 - 1.x character-mode apps only
OS/2 - 1.x character-mode apps only
Removed in Windows 2000 Removed in Windows 2000
Posix - only Posix 1003.1 (bare minimum Unix services - no networking, windowing, Posix - only Posix 1003.1 (bare minimum Unix services - no networking, windowing, threads, etc.)
threads, etc.)
Removed in Windows XP/Server 2003 – enhanced version ships with Services For Unix Removed in Windows XP/Server 2003 – enhanced version ships with Services For Unix 3.03.0
Ships with Windows Server 2003 R2 Ships with Windows Server 2003 R2
Of the three, Windows provides access to the majority of OS native Of the three, Windows provides access to the majority of OS native
functions functions
Of the three, Windows is required to be running Of the three, Windows is required to be running
System crashes if Windows subsystem process exits System crashes if Windows subsystem process exits
POSIX and OS/2 subsystems are actually Windows applications POSIX and OS/2 subsystems are actually Windows applications POSIX & OS/2 start on demand (first time an app is run)
POSIX & OS/2 start on demand (first time an app is run)
Stay running until system shutdown Stay running until system shutdown
Subsystem Information in Registry Subsystem Information in Registry
Subsystems configuration and startup information is in:
Subsystems configuration and startup information is in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\Session Manager\SubSystems
\Session Manager\SubSystems Values:
Values:
Required
Required - list of value names for subsystems to load at boot time - list of value names for subsystems to load at boot time Optional
Optional - list of value names for subsystems to load when needed - list of value names for subsystems to load when needed Windows
Windows - value giving filespec of Windows subsystem (csrss.exe) - value giving filespec of Windows subsystem (csrss.exe) csrss.exe
csrss.exe Windows APIs Windows APIs required - always started when Windows boots required - always started when Windows boots Kmode
Kmode - value giving filespec of Win32K.Sys - value giving filespec of Win32K.Sys
(kernel-mode driver portion of Windows subsystem) (kernel-mode driver portion of Windows subsystem) Posix
Posix - file name of POSIX subsystem - file name of POSIX subsystem psxss.exe
psxss.exe Posix APIs Posix APIs optional optional - started when first Posix app is run - started when first Posix app is run
Some Windows API DLLs are in “known DLLs” registry entry:
Some Windows API DLLs are in “known DLLs” registry entry:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Files are opened as mapped files Files are opened as mapped files
Improves process creation/image startup time
Improves process creation/image startup time
OS/2 Windows POSIX
Environment Subsystems
User
Application Subsystem DLL
Windows User/GDI User
Mode
Executive
Device Drivers Kernel
Hardware Abstraction Layer (HAL) Kernel
Mode
System
& Service Processes
Subsystem Components Subsystem Components
API DLLs API DLLs
for Windows: Kernel32.DLL, Gdi32.DLL, User32.DLL, etc.
for Windows: Kernel32.DLL, Gdi32.DLL, User32.DLL, etc.
Subsystem process Subsystem process
for Windows: CSRSS.EXE (Client Server Runtime SubSystem) for Windows: CSRSS.EXE (Client Server Runtime SubSystem)
For Windows only: kernel-mode GDI code For Windows only: kernel-mode GDI code
Win32K.SYS - (this code was formerly part of CSRSS) Win32K.SYS - (this code was formerly part of CSRSS)
3 2
1 3
2
1
Role of Subsystem Components Role of Subsystem Components
API DLLs API DLLs
Export the APIs defined by the subsystem Export the APIs defined by the subsystem
Implement them by calling Windows “native” services, or by asking the subsystem process Implement them by calling Windows “native” services, or by asking the subsystem process to do the work
to do the work
Subsystem process Subsystem process
Maintains global state of subsystem Maintains global state of subsystem
Implements a few APIs that require subsystem-wide state changes Implements a few APIs that require subsystem-wide state changes
Processes and threads created under a subsystem Processes and threads created under a subsystem Drive letters
Drive letters
Window management for apps with no window code of their own (character-mode apps) Window management for apps with no window code of their own (character-mode apps) Handle and object tables for subsystem-specific objects
Handle and object tables for subsystem-specific objects
Win32K.Sys Win32K.Sys
Implements Windows User & GDI functions; calls routines in GDI drivers Implements Windows User & GDI functions; calls routines in GDI drivers Also used by Posix and OS/2 subsystems to access the display
Also used by Posix and OS/2 subsystems to access the display
3
2
1
NtDll.Dll
Simplified Architecture Simplified Architecture
(3.51 and earlier) (3.51 and earlier)
OS/2 Windows POSIX
Environment Subsystems
User Mode Kernel Mode
System
& Service Processes
Executive
Device Drivers Kernel
Hardware Abstraction Layer (HAL) KiSystemService
LPC User
Application
Subsystem DLL
1 2
most Windows Kernel APIs most Windows Kernel APIs
all other Windows APIs, including User and GDI APIs all other Windows APIs, including User and GDI APIs 2
1
NtDll.Dll
OS/2 Windows POSIX
Environment Subsystems
Windows User/GDI User
Mode
Executive
Device Drivers Kernel
Hardware Abstraction Layer (HAL) Kernel
Mode
System
& Service Processes
1 3 2
KiSystemService
User
Application
Subsystem DLL
LPC
Windows Simplified Architecture Windows Simplified Architecture
most Windows Kernel APIs most Windows Kernel APIs
most Windows User and GDI APIs (these were formerly part of CSRSS) most Windows User and GDI APIs (these were formerly part of CSRSS) a few Windows APIs
a few Windows APIs
3
2
1
Role of CSRSS.EXE Role of CSRSS.EXE
(Windows Subsystem Process) (Windows Subsystem Process)
A few Windows APIs are implemented in this separate process A few Windows APIs are implemented in this separate process
In 3.51 and earlier:
In 3.51 and earlier:
Nearly all User and GDI APIs were implemented in CSRSS Nearly all User and GDI APIs were implemented in CSRSS
CSRSS had a thread for every application thread that created a window CSRSS had a thread for every application thread that created a window GDI drivers (video, printer) were user mode, mapped into this process GDI drivers (video, printer) were user mode, mapped into this process This was done for protection, esp. to keep GDI drivers in user mode This was done for protection, esp. to keep GDI drivers in user mode
CSRSS in NT 4.0 and later: role is greatly diminished CSRSS in NT 4.0 and later: role is greatly diminished
Maintains system-wide state information for all Windows “client” processes Maintains system-wide state information for all Windows “client” processes Several Windows services LPC to CSRSS for “setup and teardown” functions Several Windows services LPC to CSRSS for “setup and teardown” functions
Process and thread creation and deletion Process and thread creation and deletion Get temporary file name
Get temporary file name Drive letters
Drive letters
Security checks for file system redirector Security checks for file system redirector
Window management for console (character cell) applications … Window management for console (character cell) applications …
… … including NTVDM.EXEincluding NTVDM.EXE
Header of Executable File Specifies Header of Executable File Specifies
Subsystem Type Subsystem Type
Subsystem for each .exe specified in image header Subsystem for each .exe specified in image header
see winnt.h (in Platform SDK) see winnt.h (in Platform SDK)
or exetype image.exe (2000 Resource Kit) or exetype image.exe (2000 Resource Kit)
IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem
IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Windows subsystem (graphical app) IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Windows subsystem (character cell) IMAGE_SUBSYSTEM_OS2_CUI 5 // OS/2 subsystem
IMAGE_SUBSYSTEM_POSIX_CUI 7 // Posix subsystem
Native Images Native Images
.EXEs not linked against any subsystem .EXEs not linked against any subsystem
Interface to Windows executive routines directly via Interface to Windows executive routines directly via NTDLL.DLL
NTDLL.DLL
Two examples:
Two examples:
smss.exe
smss.exe (Session Manager -- starts before (Session Manager -- starts before subsystems start)
subsystems start) csrss.exe
csrss.exe (Windows subsystem) (Windows subsystem)
Lab: Subsytems & Images Lab: Subsytems & Images
Look at subsystem startup information in registry Look at subsystem startup information in registry
Using EXETYPE, look at subsystem types for:
Using EXETYPE, look at subsystem types for:
\windows\system32\notepad.exe, cmd.exe,
\windows\system32\notepad.exe, cmd.exe, csrss.exe
csrss.exe
POSIX.1 Subsystem POSIX.1 Subsystem
Original POSIX subsystem implemented only POSIX.1 Original POSIX subsystem implemented only POSIX.1
ISO/IEC 9945-1:1990 or IEEE POSIX standard 1003.1-1990 ISO/IEC 9945-1:1990 or IEEE POSIX standard 1003.1-1990
POSIX.1 compliance as specified in Federal Information Processing Standard POSIX.1 compliance as specified in Federal Information Processing Standard (FIPS) 151-2 (NIST)
(FIPS) 151-2 (NIST)
POSIX Conformance Document in \HELP in Platform SDK POSIX Conformance Document in \HELP in Platform SDK Support for impl. of POSIX.1 subsystem was mandatory for NT Support for impl. of POSIX.1 subsystem was mandatory for NT
fork service in NT executive fork service in NT executive hard file links in NTFS
hard file links in NTFS Limited set of services Limited set of services
such as process control, IPC, simple character cell I/O such as process control, IPC, simple character cell I/O
POSIX subsystem alone is not a complete programming environment POSIX subsystem alone is not a complete programming environment POSIX.1 executable cannot
POSIX.1 executable cannot create a thread or a window create a thread or a window
use remote procedure calls (RPCs) or sockets
use remote procedure calls (RPCs) or sockets
Invoking (a few) Windows Services Invoking (a few) Windows Services
Application Process
CSRSS.EXE (Windows subsystem
process)
Subsystem DLL
Executive
Local
Procedure Call
LPC is an undocumented system service in
NtDll.Dll
(not exposed directly in Windows API)
U K
Some system calls still require communication with the Windows
subsystem process
System Call Dispatching System Call Dispatching
NTDLL.DLL provides interface for native system calls
NTDLL.DLL provides interface for native system calls
Example: Invoking a Windows Kernel Example: Invoking a Windows Kernel
API API
call WriteFile(…)
call NtWriteFile return to caller
do the operation
Int 2E or SYSCALL or SYSENTER
return to caller
call NtWriteFile dismiss interrupt
Windows application
WriteFile
in Kernel32.Dll
NtWriteFile in NtDll.Dll
KiSystemService in NtosKrnl.Exe NtWriteFile
Windows- specific
used by all subsystems software interrupt
U
K
Invoking System Functions from Invoking System Functions from
User Mode User Mode
Kernel-mode functions (“services”) are invoked from user mode via a protected Kernel-mode functions (“services”) are invoked from user mode via a protected mechanism
mechanism
x86: INT 2E (as of XP, faster instructions are used where available: SYSENTER on x86, x86: INT 2E (as of XP, faster instructions are used where available: SYSENTER on x86, SYSCALL on AMD)
SYSCALL on AMD)
i.e., on a call to an OS service from user mode, the last thing that happens in user mode is i.e., on a call to an OS service from user mode, the last thing that happens in user mode is this “change mode to kernel” instruction
this “change mode to kernel” instruction
Causes an exception or interrupt, handled by the system service dispatcher Causes an exception or interrupt, handled by the system service dispatcher (KiSystemService) in kernel mode
(KiSystemService) in kernel mode
Return to user mode is done by dismissing the interrupt or exception Return to user mode is done by dismissing the interrupt or exception
The desired system function is selected by the “system service number”
The desired system function is selected by the “system service number”
Every Windows function exported to user mode has a unique number Every Windows function exported to user mode has a unique number
This number is stored in a register just before the “change mode” instruction This number is stored in a register just before the “change mode” instruction (after pushing the arguments to the service)
(after pushing the arguments to the service)
This number is an index into the system service dispatch table This number is an index into the system service dispatch table
Table gives kernel-mode entry point address and argument list length for each exported Table gives kernel-mode entry point address and argument list length for each exported function
function
Invoking System Functions from Invoking System Functions from
User Mode User Mode
All validity checks are done after the user to kernel transition All validity checks are done after the user to kernel transition
KiSystemService probes argument list, copies it to kernel-mode stack, and calls the executive KiSystemService probes argument list, copies it to kernel-mode stack, and calls the executive or kernel routine pointed to by the table
or kernel routine pointed to by the table
Service-specific routine checks argument values, probes pointed-to buffers, etc.
Service-specific routine checks argument values, probes pointed-to buffers, etc.
Once past that point, everything is “trusted”
Once past that point, everything is “trusted”
This is safe, because This is safe, because : :
The system service table is in kernel-protected memory; and The system service table is in kernel-protected memory; and
The kernel mode routines pointed to by the system service table are in kernel-protected The kernel mode routines pointed to by the system service table are in kernel-protected memory; therefore:
memory; therefore:
User mode code can’t supply the code to be run in kernel mode; it can only select from among User mode code can’t supply the code to be run in kernel mode; it can only select from among a predefined list
a predefined list
Arguments are copied to the kernel mode stack before validation; therefore:
Arguments are copied to the kernel mode stack before validation; therefore:
Other threads in the process can’t corrupt the arguments “out from under” the service Other threads in the process can’t corrupt the arguments “out from under” the service
call write(…)
call NtWriteFile return to caller
do the operation return to caller
Int 2E
return to caller
call NtWriteFile dismiss interrupt
Posix application
write
in psxdll.dll
NtWriteFile in NtDll.Dll
KiSystemService in NtosKrnl.Exe
NtWriteFile
in NtosKrnl.Exe
Example: Invoking a Posix API Example: Invoking a Posix API
Posix- specific
used by all subsystems software interrupt
U
K
Ntdll.dll Ntdll.dll
Interface to Windows system calls (285 calls starting with “Nt”-some have Interface to Windows system calls (285 calls starting with “Nt”-some have
“Zw” aliases)
“Zw” aliases)
These user-mode routines have the same function names and arguments as the These user-mode routines have the same function names and arguments as the kernel mode routines they invoke
kernel mode routines they invoke
e.g. NtWriteFile in NtDll.Dll invokes NtWriteFile in NtosKrnl.Exe e.g. NtWriteFile in NtDll.Dll invokes NtWriteFile in NtosKrnl.Exe
Majority are not supported or documented Majority are not supported or documented
7 are (partially) documented in the Platform SDK:
7 are (partially) documented in the Platform SDK:
NtQuerySystemInformation, NtQuerySystemTime, NtQueryInformationProcess, NtQuerySystemInformation, NtQuerySystemTime, NtQueryInformationProcess, NtQueryInformationThread, NtCreateFile, NtOpenFile, NtWaitForSingleObject NtQueryInformationThread, NtCreateFile, NtOpenFile, NtWaitForSingleObject The DDK describes 25 of them as “Zw” routines (such as ZwReadFile)
The DDK describes 25 of them as “Zw” routines (such as ZwReadFile)
• These entry points call the corresponding “Nt” interface via the system call interfaceThese entry points call the corresponding “Nt” interface via the system call interface
• Thus, “previous mode” is kernel mode, which means no security checksThus, “previous mode” is kernel mode, which means no security checks
• Kernel mode code could also call NtReadFile directlyKernel mode code could also call NtReadFile directly
Other user-mode support routines Other user-mode support routines
Image loader (“Ldr”) Image loader (“Ldr”)
Debug infrastructure (“Dbg”) Debug infrastructure (“Dbg”) Csrss support routines (“Csr”) Csrss support routines (“Csr”) RTL routines (“Rtl”)
RTL routines (“Rtl”)
Tracing routines (“Etw”) [new as of Windows Server 2003]
Tracing routines (“Etw”) [new as of Windows Server 2003]
call NtWriteFile(…)
do the operation return to caller
Int 2E
return to caller
call NtWriteFile dismiss interrupt
native application (smss.exe, csrss.exe)
NtWriteFile in NtDll.Dll
KiSystemService in NtosKrnl.Exe
NtWriteFile
in NtosKrnl.Exe
Calling a “Native” API from User Calling a “Native” API from User Mode Mode
used by all subsystems software interrupt
U
K
call user or GDI service(…)
do the operation return to caller call Windows routine
dismiss interrupt
application
Gdi32.Dll or User32.Dll
KiSystemService in NtosKrnl.Exe
service entry point in Win32K.Sys
Invoking (most) User and GDI Invoking (most) User and GDI
Services Services
Windows- specific software interrupt
U K Int 2E
return to caller
16-bit Applications 16-bit Applications
on 32-bit Windows on 32-bit Windows
16-bit MS-DOS emulation MS-DOS application
16-bit
Virtual device drivers (COM, LPT, keyboard) 32-bit MS-DOS emulation
32-bit
640K 0
16MB
MS-DOS ext. memory
1MBWindows Subsystem DLLs
OS/2 Windows POSIX
Environment Subsystems
User
Application Subsystem DLL
Windows User
Mode
Executive
Kernel Mode
System
& Service Processes
Windows runs NTVDM.EXE Windows runs NTVDM.EXE (NT Virtual Dos Machine) (NT Virtual Dos Machine)
NTVDM is a Windows image NTVDM is a Windows image No “DOS subsystem” or No “DOS subsystem” or
“Win16 subsystem”
“Win16 subsystem”
7FFFFFFF
Windows runs NTVDM.EXE (NT Virtual DOS Machine) Windows runs NTVDM.EXE (NT Virtual DOS Machine)
See \System\CurrentControlSet\Control\WOW\cmdline See \System\CurrentControlSet\Control\WOW\cmdline Each DOS app has a separate process running NTVDM Each DOS app has a separate process running NTVDM
DOS & Windows 16-bit drivers not supported DOS & Windows 16-bit drivers not supported
Note: Windows “command prompt” is not a “DOS box”, despite icon; it’s a Windows console Note: Windows “command prompt” is not a “DOS box”, despite icon; it’s a Windows console application (CMD.EXE)
application (CMD.EXE)
DOS 16-bit Applications DOS 16-bit Applications
e.g. command.com, edit.com (NT4 had e.g. command.com, edit.com (NT4 had
qbasic.exe) qbasic.exe)
16-bit MS-DOS emulation MS-DOS application
16-bit
Virtual device drivers COM, LPT, keyboard
32-bit MS-DOS emulation 32-bit
Windows
Example:
three DOS apps
running in three NTVDM processes
640K 0
16MB
extended memory
1MBWindows 16-Bit Applications Windows 16-Bit Applications
e.g. sysedit.exe, winhelp.exe e.g. sysedit.exe, winhelp.exe
Windows also runs NTVDM.EXE Windows also runs NTVDM.EXE
See \CurrentControlSet\Control\WOW\wowcmdline See \CurrentControlSet\Control\WOW\wowcmdline NTVDM loads wowexec.exe
NTVDM loads wowexec.exe
WOW = “Windows on Windows”
WOW = “Windows on Windows”
Win16 calls are translated to Win32 (Windows API) Win16 calls are translated to Win32 (Windows API)
Windows
Win16 app Win16 app Win16 app
example:
three Win16 apps (and wowexec.ex e) running in one NTVDM
process Win16 API
Virtual Device Drivers
16-bit
32-bit
16MB 0
Windows 16-bit Windows 16-bit
Applications Applications
Multitasking Details Multitasking Details
By default:
By default:
Each Win16 app runs in Each Win16 app runs in
a separate thread in the common a separate thread in the common NTVDM process
NTVDM process
They cooperatively multitask They cooperatively multitask among themselves
among themselves (Win16 Yield API)...
(Win16 Yield API)...
…and the one (if any) that wants …and the one (if any) that wants to run, preemptively multitasks to run, preemptively multitasks with all other threads on Windows with all other threads on Windows necessary to meet serialization necessary to meet serialization assumptions of some Win16 apps assumptions of some Win16 apps
Option to run Win16 apps in separate VDMs Option to run Win16 apps in separate VDMs
“ “
Run in Separate Memory Space” = run in separate processRun in Separate Memory Space” = run in separate processdefault set by \CurrentControlSet\Control\WOW\DefaultSeparateVDM default set by \CurrentControlSet\Control\WOW\DefaultSeparateVDM
Win16 apps run this way preemptively multitask with all other threads, including the un-Yield’ed Win16 apps run this way preemptively multitask with all other threads, including the un-Yield’ed thread in a shared Win16 NTVDM (if any)
thread in a shared Win16 NTVDM (if any)
NT4 only:
Monitoring 16-bit Applications Monitoring 16-bit Applications
To most of Windows, an NTVDM process is just another process To most of Windows, an NTVDM process is just another process Task Manager
Task Manager
“ “ tasks” are simply the names of top-level windows - Win16 windows tasks” are simply the names of top-level windows - Win16 windows included
included
“ “ processes” display identifies Win16 apps within NTVDM processes processes” display identifies Win16 apps within NTVDM processes
by reading the NTVDM process’s private memory (undocumented by reading the NTVDM process’s private memory (undocumented interface)
interface)
does not identify the DOS apps within each NTVDM process does not identify the DOS apps within each NTVDM process
TLIST (resource kit) TLIST (resource kit)
does identify the DOS apps within each NTVDM process (by window does identify the DOS apps within each NTVDM process (by window
title) title)
but for a shared Win16 NTVDM process, only shows one window title but for a shared Win16 NTVDM process, only shows one window title
QuickView, exetype QuickView, exetype
identifies DOS, Win16, etc., application .exe’s
identifies DOS, Win16, etc., application .exe’s
Lab: 16-bit Applications Lab: 16-bit Applications
DOS applications:
DOS applications:
Run command.com and edit.com Run command.com and edit.com
look at process list in Task Manager Process tab - cannot differentiate look at process list in Task Manager Process tab - cannot differentiate which NTVDM.EXE is which
which NTVDM.EXE is which
From Applications tab, right click on window -> goto process (now can From Applications tab, right click on window -> goto process (now can map which NTVDM.EXE process is which)
map which NTVDM.EXE process is which)
Windows 3.1 applications:
Windows 3.1 applications:
Run winhelp.exe twice (do not check “run in separate memory Run winhelp.exe twice (do not check “run in separate memory space”)
space”)
Run winhelp.exe once and check “run in separate memory space”
Run winhelp.exe once and check “run in separate memory space”
Bring up Task Manager Process tab - make sure “Show 16-bit Tasks”
Bring up Task Manager Process tab - make sure “Show 16-bit Tasks”
is checked on the View menu is checked on the View menu
Look at Task Manager Process tab and see 16-bit applications Look at Task Manager Process tab and see 16-bit applications identified inside the two NTVDMs
identified inside the two NTVDMs
Wow64 Wow64
Allows execution of Win32 binaries on 64-bit Windows Allows execution of Win32 binaries on 64-bit Windows
Wow64 intercepts system calls from the 32-bit application Wow64 intercepts system calls from the 32-bit application
Converts 32-bit data structure into 64-bit aligned structures Converts 32-bit data structure into 64-bit aligned structures Issues the native 64-bit system call
Issues the native 64-bit system call
Returns any data from the 64-bit system call Returns any data from the 64-bit system call
IsWow64Process()
IsWow64Process() function can tell a 32-bit process if it is running function can tell a 32-bit process if it is running under Wow64
under Wow64 Performance Performance
On x64, instructions executed by hardware On x64, instructions executed by hardware On IA64, instructions have to be emulated On IA64, instructions have to be emulated
New Intel IA-32 EL (Execution Layer) does binary translation of Itanium to x86 New Intel IA-32 EL (Execution Layer) does binary translation of Itanium to x86 to speed performance
to speed performance
Downloadable now – bundled with Server 2003 SP1 Downloadable now – bundled with Server 2003 SP1
Wow64 Components Wow64 Components
64-bit ntdll.dll 64-bit ntdll.dll Wow64.dll
Wow64.dll Wow64win.dll Wow64win.dll Wow64cpu.dll
Wow64cpu.dll
Win32k.sys Win32k.sys Executive
Executive
Kernel Kernel User Mode User Mode
32-bit ntdll.dll 32-bit ntdll.dll 32-bit EXE, DLLs 32-bit EXE, DLLs Wow64.dll - provides core
Wow64.dll - provides core emulation infrastructure and emulation infrastructure and thunks for Ntoskrnl.exe entry- thunks for Ntoskrnl.exe entry- point functions; exception point functions; exception dispatching
dispatching
Wow64win.dll - provides thunks Wow64win.dll - provides thunks for Win32k.sys entry-point
for Win32k.sys entry-point functions
functions
Wow64cpu.dll – manages thread Wow64cpu.dll – manages thread contexts, supports mode-switch contexts, supports mode-switch instructions
instructions
Wow64 Limitations Wow64 Limitations
Wow64 Feature Support on 64-bit Windows Wow64 Feature Support on 64-bit Windows
Platforms Platforms
IA64 IA64 x64 x64
16-bit Virtual DOS Machine (VDM) support
16-bit Virtual DOS Machine (VDM) support N/A N/A N/A N/A Physical Address Extension (PAE) APIs
Physical Address Extension (PAE) APIs N/A N/A Yes Yes
GetWriteWatch() API
GetWriteWatch() API N/A N/A Yes Yes
Scatter/Gather I/O APIs
Scatter/Gather I/O APIs N/A N/A Yes Yes
Hardware accelerated with DirectX version 7,8 and 9
Hardware accelerated with DirectX version 7,8 and 9 Software- Software- Yes Yes
Cannot load 32-bit DLLs in 64-bit process and vice versa Cannot load 32-bit DLLs in 64-bit process and vice versa Does not support 32-bit kernel mode device drivers
Does not support 32-bit kernel mode device drivers
Drivers must be ported to 64-bits Drivers must be ported to 64-bits
Special support required to support 32-bit applications using Special support required to support 32-bit applications using DeviceIoControl to driver
DeviceIoControl to driver
Driver must convert 32-bit structures to 64-bit
Driver must convert 32-bit structures to 64-bit
Wow64 File Locations Wow64 File Locations
Location of system files Location of system files
64-bit system files are in \windows\system32 64-bit system files are in \windows\system32 32-bit system files are in \windows\syswow64 32-bit system files are in \windows\syswow64
32-bit applications live in “\Program Files (x86)”
32-bit applications live in “\Program Files (x86)”
64-bit applications live in “\Program Files”
64-bit applications live in “\Program Files”
File access to %windir%\system32 redirected to %windir File access to %windir%\system32 redirected to %windir
%\syswow64
%\syswow64
Two areas of the registry redirected (see next slide)
Two areas of the registry redirected (see next slide)
Wow64 Registry Redirection Wow64 Registry Redirection
Two registry keys have 32-bit Two registry keys have 32-bit sections:
sections:
HKEY_LOCAL_MACHINE\Software HKEY_LOCAL_MACHINE\Software HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
Everything else is shared Everything else is shared
32-bit data lives under 32-bit data lives under
\Wow6432Node
\Wow6432Node
When a Wow64 process When a Wow64 process
opens/creates a key, it is redirected opens/creates a key, it is redirected to be under Wow6432Node
to be under Wow6432Node
Example: Cmd.exe on 64-bit System Example: Cmd.exe on 64-bit System
32-bit Cmd.exe process:
32-bit Cmd.exe process:
64-bit Cmd.exe process:
64-bit Cmd.exe process:
Four Contexts for Executing Code Four Contexts for Executing Code
Full process and thread context:
Full process and thread context:
User applications User applications Windows Services Windows Services
Environment subsystem processes Environment subsystem processes System startup processes
System startup processes
Have thread context but no “real” process:
Have thread context but no “real” process:
Threads in “System” process Threads in “System” process
Routines called by other threads/processes:
Routines called by other threads/processes:
Subsystem DLLs Subsystem DLLs
Executive system services (NtReadFile, etc.) Executive system services (NtReadFile, etc.)
GDI32 and User32 APIs implemented in Win32K.Sys (and graphics drivers) GDI32 and User32 APIs implemented in Win32K.Sys (and graphics drivers)
No process or thread context No process or thread context
•
(“arbitrary thread context”)(“arbitrary thread context”)•
Interrupt dispatchingInterrupt dispatching•
Device driversDevice driversSystem Service Dispatcher
Task Manager Explorer SvcHost.Exe
WinMgt.Exe SpoolSv.Exe Service
Control Mgr.
LSASS
ObjectMgr.
Windows USER,
GDI
File System Cache
I/O Mgr
Environment Subsystems
User Application Subsystem DLLs
System Processes Services Applications
System Threads UserMode
Kernel Mode
NTDLL.DLL
Device &
File Sys.
Drivers
WinLogon
Session Manager Services.Exe POSIX
Windows DLLs
Plug andPlay Mgr. PowerMgr. SecurityReferenceMonitor VirtualMemory Processes&Threads LocalProcedureCall Graphics
Drivers
Kernel
Hardware Abstraction Layer (HAL) (kernel mode callable interfaces)
Windows Architecture Windows Architecture
Configura-tion Mgr(registry)
OS/2
Windows