Windows XP: An Overview
Brett O’Neill
CSE 8343 – Group A6

Overview
Programs, Processes, Jobs and Threads
Registry and Memory
File System Architecture and Management
Inter-Process Communication
Questions?
References

Processes & Threads
Windows XP process architecture is the same as Windows 2000 process architecture.
There are 4 units of work – Processes, Threads, Jobs and Programs. Simple definitions:
Program – A static set of instructions
Process – A container for a set of threads that execute an instance of a program
Job – A group of processes that can be manipulated as a single unit
Thread – A container for the set of instructions to be executed and the contents of machine registers that define processor state

Processes & Threads
Each process includes a private virtual address space, an executable program, a list of open handles to various system resources, a security context, a unique identifier, and at least one thread.

Processes & Threads
Fields in a Windows XP Executive Process (EPROCESS) Block: (figure)

Processes & Threads
Each thread contains a set of instructions to execute, the contents of machine registers that define the processor state while the thread is running, and two stacks – one for User mode and one for Kernel mode.

Processes & Threads
Fields in a Windows XP Executive Thread (ETHREAD) Block: (figure)

Thread Scheduling
Priority-driven, preemptive scheduling is used.
Priority levels are determined by both the process and the thread.
Processes have 4 priority levels:
Idle – Screen savers & other display updates
Normal – The default priority class
High – Receive most of the CPU’s time
Real Time – Kernel processes

Thread Scheduling
The process’s priority class sets a range of priority values for its threads. For example, Real Time processes will always have a value from 16-31.
Process Priority Classes with Relative Thread Priorities: (figure)

Thread Scheduling
Threads run for a length of time known as a quantum.
Quantum values vary from thread to thread.
Threads do not necessarily finish their quantum, because the system is preemptive. If another thread with a higher priority becomes ready, it will run.
However, if all threads are the same priority, they will run in a round-robin fashion.

Thread Scheduling
Thread scheduling code is distributed throughout the kernel. It is collectively known as the dispatcher.
The dispatcher can be triggered by:
A thread becoming ready to execute
A thread leaving the running state
A thread’s priority changing
Thread granularity: Processes are disregarded when scheduling threads – if Process A has 20 threads and Process B has 1 thread, each receives 1/21st of CPU time.
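The scheduling rules on slides 8 through 11 (priority-driven, preemptive, round-robin among equal priorities, dispatcher triggers, thread granularity) can be checked with a small tick-based simulation. The code below is an added example, not part of the original presentation and not Windows code: the `Thread` fields, the tick model, the priority value 8 used for a "normal" thread, and the rule that a preempted thread gets a fresh quantum when resumed are all assumptions of the model; the 16-31 Real Time range and the 20-thread versus 1-thread example come from the slides.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Thread:
    name: str
    process: str
    priority: int        # 0-31, higher runs first; Real Time threads use 16-31 (slide 9)
    quantum: int         # ticks a thread may run before the dispatcher reconsiders
    work: int = 10**9    # ticks the thread needs before it exits (default: effectively never)
    arrives: int = 0     # tick at which the thread becomes ready
    ran: int = 0         # ticks actually received


def simulate(threads, ticks):
    """Tick-based model of the slides' rules: priority-driven, preemptive,
    round-robin among equal priorities, and scheduled per thread, not per process.
    Simplification (assumption): a preempted thread gets a fresh quantum when resumed."""
    pending = sorted(threads, key=lambda t: t.arrives)   # stable sort keeps list order
    ready = {}                                           # priority -> deque of ready threads
    running, remaining = None, 0
    timeline = []

    def enqueue(t, front=False):
        q = ready.setdefault(t.priority, deque())
        q.appendleft(t) if front else q.append(t)

    for now in range(ticks):
        # Dispatcher trigger: a thread becoming ready to execute.
        while pending and pending[0].arrives <= now:
            enqueue(pending.pop(0))
        if running is not None:
            if running.ran >= running.work:          # trigger: thread leaves the running state
                running = None
            elif remaining == 0:                     # quantum used up: back of its own queue
                enqueue(running)
                running = None
            elif ready and max(ready) > running.priority:
                enqueue(running, front=True)         # preempted mid-quantum; resumes first
                running = None
        if running is None:
            if not ready:
                timeline.append(None)                # idle tick
                continue
            top = max(ready)                         # highest-priority ready thread wins
            running = ready[top].popleft()
            if not ready[top]:
                del ready[top]
            remaining = running.quantum
        running.ran += 1
        remaining -= 1
        timeline.append(running.name)
    return timeline


def share_of_cpu(threads, process, ticks):
    """Fraction of simulated CPU time the named process received."""
    return sum(t.ran for t in threads if t.process == process) / ticks


def thread_granularity_demo():
    """Slide 11: Process A with 20 threads and Process B with 1, all at the same priority."""
    threads = [Thread(f"A{i}", "A", 8, quantum=2) for i in range(20)]
    threads.append(Thread("B0", "B", 8, quantum=2))
    simulate(threads, 420)
    return share_of_cpu(threads, "B", 420)   # 1/21: the dispatcher never looks at processes


def preemption_demo():
    """A priority-8 thread (assumed Normal-class value) is interrupted mid-quantum
    when a Real Time thread (priority 24) becomes ready at tick 2."""
    normal = Thread("N", "P1", 8, quantum=6)
    realtime = Thread("RT", "P2", 24, quantum=3, work=3, arrives=2)
    return simulate([normal, realtime], 8)


if __name__ == "__main__":
    print("Process B share:", thread_granularity_demo())
    print("Timeline:", preemption_demo())
```

`preemption_demo` shows the thread "N" losing the CPU at tick 2 even though its quantum is not used up, and getting it back only when "RT" exits; `thread_granularity_demo` reproduces the 1/21 figure from slide 11.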

Registry and Memory
Boot time improvements:
Simple Boot Flag (SBF) is a 3-bit flag in CMOS BIOS. The 3 bits indicate if the system is Plug and Play, if the last boot was successful, and if diagnostics need to run.
The boot loader uses parallel pre-fetching of drivers, boot code and Registry items.
Driver loading is prioritized during startup.

Registry and Memory
Boot time improvements (cont.):
The first time Windows XP boots, it monitors drivers, startup applications, Registry entries and shell code being loaded and saves the information.
On the 2nd boot, Windows XP pre-loads drivers and code asynchronously in parallel into memory in anticipation of their use. Therefore, when the boot execution path attempts to load a driver, the driver is already in memory.
The previous 8 boots are analyzed heuristically to determine what drivers to pre-fetch. Drivers which aren’t being used drop off the pre-fetch list.

Registry and Memory
Physical memory can be page pooled or non-page pooled.
Non-Page Pooled: Time-critical memory, such as the Virtual Memory Manager
Page-Pooled: Memory mapped to disk
Pool memory is managed by descriptors called Page Table Entries (PTEs) that hold memory page frame numbers that point to physical memory pages.

Registry and Memory
PTEs also hold several bits to indicate the current status of the page: in use, dirty, clean, or unused.
Several algorithms are used to avoid interfering with actively used memory and to avoid excessive paging to disk.
1.3 GB of memory can be mapped to PTEs, so more memory can be actively tracked.
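To make slides 14 and 15 concrete, here is a decoder for the 32-bit x86 (non-PAE) page table entry format, which is what the PTEs described above look like on a 32-bit Windows XP system without PAE. It is an added example, not code from the presentation or from Windows: the bit positions decoded are the hardware-defined ones (present, write, user, accessed, dirty, global, page frame number in bits 12-31); the OS-defined bits of a not-present PTE are deliberately left undecoded. The sample page table is constructed inline, and the "status" labels follow the slide's wording (in use dirty or clean, unused).

```python
import struct

# Hardware-defined bits of a 32-bit x86 page table entry (non-PAE).
PTE_PRESENT  = 1 << 0   # "valid": the page is in physical memory
PTE_WRITE    = 1 << 1   # writable
PTE_USER     = 1 << 2   # accessible from user mode (0 = kernel only)
PTE_ACCESSED = 1 << 5   # referenced since the bit was last cleared
PTE_DIRTY    = 1 << 6   # written since the bit was last cleared
PTE_GLOBAL   = 1 << 8   # not flushed from the TLB on an address-space switch
PFN_SHIFT    = 12       # bits 12..31: page frame number of the physical page
PAGE_SIZE    = 1 << PFN_SHIFT


def decode_pte(pte: int) -> dict:
    """Classify a PTE the way slide 15 does (in use dirty/clean, unused) and pull out its fields."""
    if not 0 <= pte < (1 << 32):
        raise ValueError("not a 32-bit PTE")
    present = bool(pte & PTE_PRESENT)
    if pte == 0:
        status = "unused"
    elif not present:
        # Paged out or in transition: the remaining bits carry OS-defined meaning,
        # which this example does not decode.
        status = "not valid"
    elif pte & PTE_DIRTY:
        status = "dirty"
    else:
        status = "clean"
    return {
        "status": status,
        "present": present,
        "pfn": (pte >> PFN_SHIFT) if present else None,
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "accessed": bool(pte & PTE_ACCESSED),
        "global": bool(pte & PTE_GLOBAL),
    }


def translate(pte: int, virtual_address: int):
    """Physical address for a virtual address mapped by `pte`, or None if the page is not present."""
    if not pte & PTE_PRESENT:
        return None
    return (pte >> PFN_SHIFT) * PAGE_SIZE + (virtual_address & (PAGE_SIZE - 1))


def make_pte(pfn, present=True, writable=False, user=False, dirty=False, accessed=False):
    """Assemble a PTE value; used here only to build constructed sample data."""
    v = pfn << PFN_SHIFT
    for flag, bit in ((present, PTE_PRESENT), (writable, PTE_WRITE), (user, PTE_USER),
                      (dirty, PTE_DIRTY), (accessed, PTE_ACCESSED)):
        if flag:
            v |= bit
    return v


def dump_page_table(raw: bytes, table_base_va: int):
    """Decode a raw page table (up to 1024 x 4-byte little-endian PTEs) into
    (virtual address, fields) for every entry that is not unused."""
    n = len(raw) // 4
    rows = []
    for i, pte in enumerate(struct.unpack("<%dI" % n, raw[:n * 4])):
        if pte:
            rows.append((table_base_va + i * PAGE_SIZE, decode_pte(pte)))
    return rows


# Constructed sample: one page table mapping the 4 MB range starting at 0x00400000.
SAMPLE_TABLE = bytearray(4096)
struct.pack_into("<I", SAMPLE_TABLE, 0,
                 make_pte(0x1A2B, writable=True, user=True, dirty=True, accessed=True))
struct.pack_into("<I", SAMPLE_TABLE, 4, make_pte(0x1A2C, user=True, accessed=True))  # clean
struct.pack_into("<I", SAMPLE_TABLE, 8, 0x00002468)  # present bit clear: page not in memory

if __name__ == "__main__":
    for va, fields in dump_page_table(bytes(SAMPLE_TABLE), 0x00400000):
        print(hex(va), fields)
```

One page table of 1024 entries covers 4 MB of virtual space; the walk above reports only the three constructed entries and leaves the rest as "unused".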

Registry and Memory
Previous versions of Windows allowed drivers to run “necessary” memory routines. Drivers demanded the O/S allocate memory, even if not enough memory was available.
Windows XP has eliminated these drivers. 3rd-party drivers are not “signed drivers” if they don’t eliminate this code.
I/O Throttling: When there is no memory left to allocate, Windows XP “throttles down” its processing of memory to a page at a time, using only the memory it can. This slows the system, but prevents a crash.

Registry and Memory
In previous versions of Windows, system performance suffered as the Registry grew. This was primarily due to Registry fragmentation – new Registry keys were placed in the first available Registry space. When applications needed to find these keys, an excessive number of memory pages were loaded from disk.

Registry and Memory
In Windows XP, when a Registry key needs to be stored, the kernel searches for a space large enough to contain all related data. Registry keys are physically adjacent, so fewer page faults result: (figure)

Registry and Memory
Programmers often use Registry keys as flags. Therefore there are many empty Registry key trees that applications need to search through at run time. This slows performance noticeably. Windows XP caches both empty and non-empty Registry keys to solve this problem.
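Slides 17 through 19 describe two effects that are easy to measure in a toy model: how many hive pages must be loaded to read one key when its cells are scattered first-fit versus placed in one contiguous run, and how caching negative lookups stops repeated searches for an absent "flag" key from touching the hive at all. The model below is an added example, not the presentation's or Windows' code: the hive layout (uniform 512-byte cells, 4 KB pages), the rule that a contiguous allocation grows the hive when no run is free, the churn pattern, and the cost of deciding that a key is absent (reading its parent's cells) are all assumptions chosen to illustrate the slides' argument.

```python
PAGE = 4096   # a hive page: the unit the memory manager loads from disk
CELL = 512    # assumed uniform cell size so the model stays small (8 cells per page)


class Hive:
    """Toy hive: a list of cell slots, each free (None) or owned by a key name."""

    def __init__(self, pages):
        self.slots = [None] * (pages * PAGE // CELL)

    def alloc_first_fit(self, key, cells):
        """Pre-XP placement as slide 17 describes it: every cell goes into the
        first free slot, so a key's data lands wherever holes happen to be."""
        for _ in range(cells):
            self.slots[self.slots.index(None)] = key

    def alloc_contiguous(self, key, cells):
        """XP placement (slide 18): one free run large enough for all related data.
        Assumption for the model: if no such run exists the hive grows at the end."""
        run = 0
        for i, owner in enumerate(self.slots):
            run = run + 1 if owner is None else 0
            if run == cells:
                self.slots[i - cells + 1:i + 1] = [key] * cells
                return
        self.slots.extend([key] * cells)

    def free(self, key):
        self.slots = [None if o == key else o for o in self.slots]

    def pages_of(self, key):
        """Hive pages that must be loaded to read every cell of `key`."""
        return {i * CELL // PAGE for i, o in enumerate(self.slots) if o == key}


def churned_hive():
    """8 full pages of 1-cell keys, then every 4th key deleted: holes on every page."""
    h = Hive(pages=8)
    for i in range(64):
        h.alloc_first_fit("tmp%d" % i, 1)
    for i in range(0, 64, 4):
        h.free("tmp%d" % i)
    return h


def page_loads_for_new_key(strategy, cells=16):
    """Pages touched when reading a 16-cell key stored with the named allocation strategy."""
    h = churned_hive()
    getattr(h, strategy)("Software\\SampleApp", cells)
    return len(h.pages_of("Software\\SampleApp"))


class KeyCache:
    """Slide 19: remember lookups of both existing and empty keys, so a flag key
    that was never created is not searched for on every call."""

    def __init__(self, hive, existing, use_cache=True):
        self.hive, self.existing, self.use_cache = hive, existing, use_cache
        self.cache, self.page_loads = {}, 0

    def lookup(self, key):
        if self.use_cache and key in self.cache:
            return self.cache[key]
        if key in self.existing:
            self.page_loads += len(self.hive.pages_of(key))
            found = True
        else:
            # Deciding that a key is absent still means reading its parent's cells.
            parent = key.rsplit("\\", 1)[0]
            self.page_loads += len(self.hive.pages_of(parent))
            found = False
        self.cache[key] = found      # negative results are cached too
        return found


def empty_key_demo(lookups=100, use_cache=True):
    """Page loads caused by `lookups` searches for a flag key that does not exist."""
    h = Hive(pages=8)
    h.alloc_contiguous("Software", 8)            # parent key fills exactly one page
    reg = KeyCache(h, existing={"Software"}, use_cache=use_cache)
    for _ in range(lookups):
        reg.lookup("Software\\FirstRunFlag")     # never created: an "empty" key
    return reg.page_loads


if __name__ == "__main__":
    print("first-fit pages:", page_loads_for_new_key("alloc_first_fit"))
    print("contiguous pages:", page_loads_for_new_key("alloc_contiguous"))
    print("page loads, 100 misses, no cache:", empty_key_demo(use_cache=False))
    print("page loads, 100 misses, cached:", empty_key_demo())
```

In this model the scattered key costs 8 page loads against 2 for the contiguous one, and the negative cache cuts 100 page loads for a missing flag key to 1.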

Registry and Memory (figure)

File System Architecture and Management
Windows XP supports FAT16, FAT32 and NTFS file systems.

File System Architecture and Management
FAT16 – Compatible with most operating systems, including Linux, UNIX, and OS/2.
Disadvantages:
Fixed number of clusters per partition
File names limited to 8 characters
Lack of support for compression, security and encryption

File System Architecture and Management
FAT32 – File names can be longer, greater number of clusters per partition.
Disadvantages:
Clusters are still too large
Not compatible with many operating systems
Lack of support for compression, security and encryption

File System Architecture and Management
NTFS
Capability for security, compression, file names of 255 characters, large volume sizes
Architecture:
The first block of information on an NTFS volume is the Volume Boot Sector. It holds 2 primary structures:
BIOS Parameter Block – Contains fundamental information about the volume.
Volume Boot Code – A small block of code that tells the system how to load the operating system. This code has often been the target of virus writers. Windows XP retains tight control over disk access routines to prevent boot code viruses from spreading.

File System Architecture and Management
Architecture (cont.):
Metadata files contain internal data about the files stored on a volume. They are automatically created when the volume is formatted, placed at the beginning of the volume, and hidden from users.
The most important metadata file is the Master File Table (MFT). It works like a relational database, storing information about every file and directory stored on a volume.

File System Architecture and Management
Master File Table Resident Attributes: (figure)

File System Architecture and Management
Architecture (cont.):
Windows XP initially reserves 12.5% of a volume’s space for the MFT. It is crucial to keep the MFT in contiguous physical space – known as the “MFT Zone”.
If the MFT Zone becomes full, more space is reserved elsewhere on the volume.

File System Architecture and Management
Architecture (cont.):
NTFS partitions can be very large – 2^64 or 18 billion gigabytes per volume.
Individual 512-byte sectors are not managed individually – instead they are grouped into clusters.
NTFS allows very small clusters, increasing performance.
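The Volume Boot Sector from slide 24 and the sector-to-cluster grouping from slides 27 and 28 can both be seen by parsing the BIOS Parameter Block of a real NTFS boot sector. The parser below is an added example, not code from the presentation or from Windows: it decodes the standard NTFS BPB layout (bytes per sector, sectors per cluster, total sectors, starting clusters of $MFT and $MFTMirr, and the clusters-per-file-record field, which is a power-of-two byte size when negative) and derives cluster size, volume size and the byte offset of the MFT. Because the Volume Boot Code is the part of the sector that boot-sector viruses overwrite, the example also hashes that region so it can be compared against a known-good digest; the sample sector, its serial number and its placeholder boot code bytes are constructed here and are not from any real volume.

```python
import hashlib
import struct

SECTOR = 512
BPB = struct.Struct("<HBH3xHBHHHIIIQQQb3xb3xQI")   # BIOS Parameter Block, starts at byte 0x0B
BOOT_CODE = slice(0x54, 0x1FE)                    # Volume Boot Code: after the BPB, before 0x55AA


def _record_bytes(n: int, cluster_bytes: int) -> int:
    """Clusters-per-record fields: positive = cluster count, negative = 2**|n| bytes."""
    return (1 << -n) if n < 0 else n * cluster_bytes


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block of an NTFS Volume Boot Sector."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing")
    (bytes_per_sector, sectors_per_cluster, reserved, _u1, media, _u2,
     sectors_per_track, heads, hidden, _u3, _u4, total_sectors,
     mft_cluster, mftmirr_cluster, clusters_per_frs, clusters_per_index,
     serial, checksum) = BPB.unpack_from(sector, 0x0B)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("zero sector or cluster size")
    cluster_bytes = bytes_per_sector * sectors_per_cluster   # sectors are grouped into clusters
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "total_sectors": total_sectors,
        "total_clusters": total_sectors // sectors_per_cluster,
        "volume_bytes": total_sectors * bytes_per_sector,
        "hidden_sectors": hidden,
        "media_descriptor": media,
        "mft_offset": mft_cluster * cluster_bytes,            # byte offset of $MFT
        "mft_mirror_offset": mftmirr_cluster * cluster_bytes,
        "file_record_bytes": _record_bytes(clusters_per_frs, cluster_bytes),
        "index_buffer_bytes": _record_bytes(clusters_per_index, cluster_bytes),
        "volume_serial": "%016X" % serial,
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the Volume Boot Code region, for comparison against a known-good value."""
    return hashlib.sha256(sector[BOOT_CODE]).hexdigest()


def verify_boot_code(sector: bytes, known_good_digest: str) -> bool:
    """True if the boot code region still matches the digest recorded when the volume was trusted."""
    return boot_code_digest(sector) == known_good_digest


def build_sample_boot_sector() -> bytes:
    """Constructed boot sector for a 1 GiB volume with 4 KB clusters (sample input only)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"            # jump over the BPB into the boot code
    s[3:11] = b"NTFS    "
    BPB.pack_into(s, 0x0B,
                  512, 8, 0, 0, 0xF8, 0, 63, 255, 2048, 0, 0x80008000,
                  2097151,            # total sectors (the last sector holds the backup boot sector)
                  87381, 2,           # $MFT and $MFTMirr starting clusters (constructed values)
                  -10, 1,             # file record = 2**10 bytes, index buffer = 1 cluster
                  0x1234567890ABCDEF, 0)
    s[BOOT_CODE] = b"\x90" * (0x1FE - 0x54)   # placeholder bytes standing in for boot code
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    sample = build_sample_boot_sector()
    for k, v in parse_ntfs_boot_sector(sample).items():
        print("%-20s %s" % (k, v))
    print("boot code sha256:", boot_code_digest(sample))
```

On a real system the same parser would be fed the first 512 bytes of the volume (read with a raw-device open), and the digest recorded from a known-clean image gives a simple integrity check for the boot code region.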

Inter-Process Communication
Inter-Process Communication (IPC) is a set of programming interfaces that allow programmers to create and manage individual processes that can run concurrently.
Windows XP supports several IPC interfaces.

Inter-Process Communication
DDE – Dynamic Data Exchange
Windows XP uses a message-based architecture. Therefore message-passing is a good way for applications to exchange data.
DDE defines how to pass large pieces of data by means of global atoms. A global atom is a reference to a character string. It identifies the applications exchanging information, the nature of the data, and the data itself.
DDE is most appropriate for data exchanges that do not require ongoing user interaction. Generally a link is established between 2 applications, then continues with no input from the user.

Inter-Process Communication
OLE – Object Linking and Embedding
Windows XP supports OLE 1.0 and OLE 2.0.
OLE is used to enhance the creation and management of compound documents. Embedded or linked objects can be placed inside a document, retaining formatting information.
The core of OLE is the Component Object Model (COM). COM provides an architecture for any 3rd-party vendor to deliver a component at any time and have the component become instantly available to applications on the system.

Inter-Process Communication
NetBIOS
Network Basic Input/Output System is an interface that allows applications on different computers to communicate over a LAN.
NetBIOS frees applications from needing to know the details of the network on which they are located.
NetBIOS provides session and transport services, but does not provide standard frames or a data format for submission. To use a standard frame format, the NetBIOS Extended User Interface (NetBEUI) is needed.

Inter-Process Communication
Named Pipes
A pipe is a section of shared memory where different applications leave messages for each other. It is similar to a post office slot.
The first process writes to the pipe, the second process reads from the other end.
Pipes do not have formal standards to govern how data is passed. This makes pipes easier and more flexible than other IPCs, but limits them to programs that recognize each other and know how to parse the information they exchange.
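Because a pipe carries raw bytes with no standard format, the two programs must agree on a framing convention and the reader must validate it, which is where a careless parser on one end becomes a problem. The example below is added here and is not code from the presentation or from Windows: it uses a POSIX anonymous pipe (`os.pipe`) as a portable stand-in for a Windows named pipe, and the framing convention (a 4-byte tag, a 4-byte little-endian length, then the payload, with a 4 KB maximum) is an assumption of the example. The reader refuses a bad tag, an oversized declared length and a truncated frame instead of trying to make sense of them.

```python
import os
import struct

MAGIC = b"DEMO"                    # constructed 4-byte tag both ends agree on
MAX_PAYLOAD = 4096                 # the format is ours, so the reader bounds what it accepts
HEADER = struct.Struct("<4sI")     # tag, payload length


def encode(payload: bytes) -> bytes:
    """Writer side: one frame = header + payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    return HEADER.pack(MAGIC, len(payload)) + payload


def read_exact(fd: int, n: int) -> bytes:
    """Read exactly n bytes, or fewer only if the writer closed its end."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_frame(fd: int):
    """Reader side: return one payload, None at end of stream; raise on a malformed frame."""
    hdr = read_exact(fd, HEADER.size)
    if not hdr:
        return None
    if len(hdr) < HEADER.size:
        raise ValueError("truncated header")
    magic, length = HEADER.unpack(hdr)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if length > MAX_PAYLOAD:
        raise ValueError("declared length exceeds limit")   # never allocate what the peer asks for
    body = read_exact(fd, length)
    if len(body) != length:
        raise ValueError("truncated payload")
    return body


def _drain(read_fd: int):
    """Read frames until end of stream; return (frames, error message or None)."""
    frames, err = [], None
    try:
        while (frame := read_frame(read_fd)) is not None:
            frames.append(frame)
    except ValueError as e:
        err = str(e)
    finally:
        os.close(read_fd)
    return frames, err


def exchange(messages):
    """Writer puts frames into one end of the pipe, reader takes them out of the other."""
    r, w = os.pipe()
    for m in messages:          # small messages: they fit in the pipe buffer before any read
        os.write(w, encode(m))
    os.close(w)
    frames, err = _drain(r)
    if err:
        raise ValueError(err)
    return frames


def exchange_raw(raw: bytes):
    """Feed arbitrary bytes to the reader, showing how the parser rejects junk."""
    r, w = os.pipe()
    os.write(w, raw)
    os.close(w)
    return _drain(r)


if __name__ == "__main__":
    print(exchange([b"hello", b"", b"world"]))
    print(exchange_raw(b"garbage!"))
    print(exchange_raw(encode(b"ok") + HEADER.pack(MAGIC, 10**6)))
```

The same length-prefix-and-validate pattern applies to a mailslot or a socket: whatever the transport, the parser on the receiving end decides what it will accept before it allocates or acts on anything.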

Inter-Process Communication
Windows Sockets
WinSock is a network programming interface based on Berkeley’s Sockets API. It is the standard for accessing datagram and session services over TCP/IP, NWLink, IPX/SPX, NetBIOS, and AppleTalk.

Inter-Process Communication
Mailslots
A mailslot is similar to a pipe, but allows only one-way communication. It is most commonly used for broadcasting messages across a network.
Mailslots do not need to conform to any particular specification and take less than 64K of memory.

Inter-Process Communication
RPC – Remote Procedure Calls
Provides the opportunity to invoke functions residing on remote machines.

Questions?

References
Most of the information in this report came directly from Microsoft Developer Network (MSDN) documentation. Additionally, the following papers were used:
Kozierok, Charles M., “New Technology File System”, The PC Guide, 4/17/01.
Munro, Jay, “Windows XP Kernel Enhancements”, Extreme Tech, 6/8/01.
Open Systems Resources, Inc.