Chapter 11: Windows Vista

This chapter is based on the Tanenbaum OS/3E book slides and also on the Chapter 21 slides of the book “Operating Systems (Third Edition)”, Deitel, Deitel and Choffnes, Prentice Hall, 2004.


• History
• Programming Windows Vista
• Operating System Structure
• Process and Thread Management
• Thread Scheduling
• Memory Management
• Input/Output in Vista
• NTFS
• Security
• Interprocess Communication

Figure 11-1. Major releases in the history of Microsoft operating systems for desktop PCs.

History (1)

History (2)

• 1976 Bill Gates and Paul Allen founded Microsoft
• 1981 MS-DOS 1.0 (Known as CP/M)
    • 16-bit addressing
    • 8 KB memory resident code
• 1985 Windows 1.0
    • First Microsoft GUI operating system
• 1990 Windows 3.1 and Windows for Workgroups 3.1
    • Added network support (LANs)
• 1992 Windows NT 3.1
    • NTFS
    • 32-bit addressing
• 1995 Windows 95
    • 32-bit addressing
    • DirectX
        • Simulates direct access to hardware through API

History (3)

• 1996 Windows NT 4.0
    • Moved graphics driver into kernel
• 1998 Windows 98
    • Bundled Internet Explorer into operating system
• 2000 Windows ME
    • Does not boot in DOS mode
• 2000 Windows 2000
    • Active Directory
        • Database of users, computers and services
• 2001 Windows XP
    • 64-bit support
• 2006 Windows Vista

2000s: NT-based Windows (1)

Figure 11-2. DEC Operating Systems developed by Dave Cutler

• NT was inspired by the VMS operating system
• DEC (Digital Equipment Company), a minicomputer maker, was sold in 1998 to Compaq, which was bought by HP
• NT was also jointly developed as OS/2 for IBM

2000s: NT-based Windows (2)

Figure 11-3. The Win32 API allows programs to run on almost all versions of Windows.

Figure 11-4. Split client and server releases of Windows.

2000s: NT-based Windows (3)

Figure 11-5. Comparison of lines of code for selected kernel-mode modules in Linux and Windows (from Mark Russinovich, co-author of Microsoft Windows Internals).

Windows Vista

Programming Windows Vista

Figure 11-6. The programming layers in Windows

• Beneath the applets and GUI layers we have the API
• These are dynamic link libraries (DLLs)
• NTOS is the kernel-mode program which provides the system call interface for Microsoft programmers (not open to the public)

Figure 11-8. Common categories of kernel-mode object types.

The Native NT Application Programming Interface (1)

Figure 11-9. Examples of native NT API calls that use handles to manipulate objects across process boundaries.

The Native NT Application Programming Interface (2)

The Win32 Application Programming Interface

• Win32 API – interface for developing applications
    • Fully documented and publicly disclosed
    • The API is a library of procedures that either wrap (use and call somehow) the native NT system calls or do the work themselves
• Two special execution environments are also provided
    • WOW32 (Windows-on-Windows), which is used on 32-bit x86 systems to run 16-bit Windows 3.x applications by mapping system calls and parameters between the 16-bit and 32-bit worlds
    • WOW64 does the same thing for 32-bit applications to work on x64 systems
    • Previously there were OS2 and POSIX environments but not anymore

Figure 11-10. Examples of Win32 API calls and the native NT API calls that they wrap.

The Win32 Application Programming Interface

The Windows Registry (1)

Figure 11-11. The registry hives in Windows Vista. HKLM is a short-hand for HKEY_LOCAL_MACHINE.

• The registry is a special file system to record the details of system configuration
• The registry is organized into separate volumes called hives
• When the system is booted the SYSTEM hive is loaded into memory

The Windows Registry (2)

Figure 11-12. Some of the Win32 API calls for using the registry

• Before the registry, older Windows versions kept configuration information in .ini (initialization) files scattered all around the disk
• Regedit is a program to inspect and modify the registry, but be careful

Figure 11-13. Windows kernel-mode organization.

Operating System Structure

Operating System Kernel

• The system library (ntdll.dll) executing at user-mode contains compiler run-time and low-level libraries
• NTOS kernel layer: thread scheduling, synchronization abstractions, trap handlers, interrupts etc.
• NTOS executive layer contains the services such as management services for virtual memory, cache, I/O etc.
• HAL (Hardware Abstraction Layer)
    • Interacts with hardware, drives device components on main board
    • Abstracts hardware specifics that differ between systems of the same architecture (such as different CPUs)
• Device drivers are used for any kernel-mode activities which are not a part of NTOS or HAL (such as file system, network protocols and antivirus software)

Booting Windows Vista

• On power on, BIOS loads a small bootstrap loader found at the beginning of the disk drive partitions
• Bootstrap loader loads BootMgr program from the root directory
• If hibernated or in stand-by mode WinResume.exe is loaded
• If not Winload.exe is loaded for a fresh boot. This program loads:
    • Ntoskrnl.exe
    • Hal.dll
    • SYSTEM hive
    • Win32k.sys (kernel-mode parts of Win32 subsystem)
    • Other boot drivers

Process and Thread Management

• Processes (containers for threads. PEB – Process Environment Block)
• Threads (Basic scheduling unit. Normally executes in user-mode. TEB – Thread Environment Block)
• Jobs
    • Group processes together as a unit
    • Manage resources consumed by these processes (e.g., CPU time, memory consumption, etc.)
    • Terminate all processes at once

Process and Thread Organization

• Fibers
    • Unit of execution (like a thread)
    • Scheduled by the thread that creates them, not the microkernel.
    • A thread must convert itself into a fiber to create fibers
    • Advantage is in switching: thread switching requires entry and exit to the kernel. A fiber switch saves and restores a few registers without changing modes at all
    • Used rarely

Process and Thread Organization

• Thread pools
    • Worker threads that sleep waiting for work items
    • Each process gets a thread pool
    • Useful in certain situations
        • Fulfilling client requests
        • Asynchronous I/O
        • Combining several threads that sleep most of the time
    • Memory overhead and less control for the programmer

Figure 11-24. The relationship between jobs, processes, threads and fibers. Jobs and fibers are optional; not all processes are in jobs or contain fibers.

Processes and Threads

Figure 11-25. Basic concepts used for CPU and resource management.

Thread Synchronization

• Dispatcher objects
    • Event object
        • Signaled when event occurs; unsignaled either when one thread awakens or all threads awaken (choice determined by event’s creator)
    • Mutex object
        • One owner
        • Acquire – unsignaled; release – signaled
    • Semaphore object
        • Counting semaphore
        • Signaled while count > 0; unsignaled when count = 0
        • Can be acquired multiple times by same thread

Thread Synchronization

• Dispatcher objects (cont.)
    • Waitable timer object
        • Signaled when time elapses
        • Manual reset vs. auto reset
        • Single user vs. periodic
    • Objects that can act as dispatcher objects: process, thread, console input

Thread Synchronization

• Kernel mode locks
    • Spin lock
    • Queued spin lock
        • More efficient than spin lock
        • Guarantees FIFO ordering of requests
    • Fast mutex
        • Like a mutex, but more efficient
        • Cannot specify maximum wait time
        • Reacquisition by owning thread causes deadlock
• Kernel mode locks (cont.)
    • Executive resource lock
        • One lock holder in exclusive mode
        • Many lock holders in shared mode
        • Good for readers and writers

Thread Synchronization

• Other synchronization tools
    • Critical section object
        • Like a mutex, but only for threads of the same process
        • Faster than a mutex
        • No maximum wait time
    • Timer-queue timer
        • Waitable timer objects combined with a thread pool
    • Interlocked variable access
        • Atomic operations on variables
    • Interlocked singly-linked lists
        • Atomic insertion and deletion

Figure 11-26. Some of the Win32 calls for managing processes, threads, and fibers.

Synchronization

Thread Scheduling (1)

• Thread States
    • Initialized
    • Ready
    • Standby
    • Running
    • Waiting
    • Transition
    • Terminated
    • Unknown

Thread Scheduling (2)

• Windows kernel does not have a central scheduling thread. Instead, when a thread cannot run any more, the thread enters kernel-mode and calls into the scheduler itself to see which thread to switch to

Thread Scheduling (3)

• The following conditions cause the currently running thread to execute the scheduler code:
    • The currently running thread blocks on a semaphore, mutex, event, I/O, etc.
    • The thread signals an object (e.g., does an up on a semaphore or causes an event to be signaled).
    • The quantum expires.
• The scheduler is also called under two other conditions:
    • An I/O operation completes.
    • A timed wait expires.

Figure 11-27. Mapping of Win32 priorities to Windows priorities.

Thread Scheduling (3)

Thread Scheduling (4)

Figure 11-28. Windows Vista supports 32 priorities for threads.

• Round-robin for highest-priority non-empty ready queue
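An added example, not taken from the slides: a small C model of the rule above (32 priority levels, round-robin within the highest-priority non-empty ready queue). The thread ids, the queue capacity and the scenario are constructed for illustration, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NPRIO 32   /* priorities 0..31 (Figure 11-28) */
#define QCAP  8    /* per-queue capacity; a limit of this model only */
#define STEPS 8    /* scheduling decisions in the constructed scenario */

/* One FIFO ready queue of thread ids per priority level. */
struct ready_queue { int tid[QCAP]; size_t head, count; };
struct sched { struct ready_queue q[NPRIO]; };

void sched_init(struct sched *s) { memset(s, 0, sizeof *s); }

/* Append a thread to the tail of the ready queue for its priority. */
int make_ready(struct sched *s, int tid, int prio)
{
    if (prio < 0 || prio >= NPRIO) return -1;
    struct ready_queue *rq = &s->q[prio];
    if (rq->count == QCAP) return -1;
    rq->tid[(rq->head + rq->count) % QCAP] = tid;
    rq->count++;
    return 0;
}

/* Take the head of the highest-priority non-empty queue; -1 if all are empty. */
int pick_next(struct sched *s, int *prio)
{
    for (int p = NPRIO - 1; p >= 0; p--) {
        struct ready_queue *rq = &s->q[p];
        if (rq->count == 0) continue;
        int tid = rq->tid[rq->head];
        rq->head = (rq->head + 1) % QCAP;
        rq->count--;
        *prio = p;
        return tid;
    }
    return -1;
}

/* Constructed scenario: threads 1 and 2 at priority 8, thread 3 at priority 4.
 * Thread 4 (priority 15) becomes ready before step 2, runs once and blocks.
 * Threads 1 and 2 use up their quantum each time until step 5, then block. */
void run_trace(int trace[STEPS])
{
    struct sched s;
    sched_init(&s);
    make_ready(&s, 1, 8);
    make_ready(&s, 2, 8);
    make_ready(&s, 3, 4);
    for (int step = 0; step < STEPS; step++) {
        int prio = 0;
        if (step == 2)
            make_ready(&s, 4, 15);          /* e.g. its I/O completed */
        int tid = pick_next(&s, &prio);
        trace[step] = tid;
        /* Quantum expiry: the thread goes to the tail of the same queue. */
        if ((tid == 1 || tid == 2) && step < 5)
            make_ready(&s, tid, prio);
        /* Otherwise the thread blocks and leaves the ready queues. */
    }
}

/* Thread id chosen at a given step of the scenario, or -1 if out of range. */
int trace_at(int step)
{
    int trace[STEPS];
    if (step < 0 || step >= STEPS) return -1;
    run_trace(trace);
    return trace[step];
}

int main(void)
{
    for (int i = 0; i < STEPS; i++)
        printf("step %d -> thread %d\n", i, trace_at(i));
    return 0;
}
```

Thread 3 is chosen only at the last step, after both priority-8 threads have blocked: a lower queue is served only while every higher queue is empty.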

Memory Management (1)

Figure 11-30. Virtual address space layout for three user processes on the x86. The white areas are private per process. The shaded areas are shared among all processes.

Memory Management (2)

• Bottom and top 64 KB are intentionally unmapped
• 64 KB – 2 GB: User’s private code and data
• 2 GB – 4 GB (less 64 KB): Operating system kernel virtual memory containing code, data, paged and nonpaged pools as well as process page table.
    • Kernel virtual memory is shared by all processes and is only accessible while running in kernel mode
• For x86 and x64 systems virtual address space is demand paged with 4 KB sized pages (No segmentation)

Figure 11-31. The principal Win32 API functions for managing virtual memory in Windows.

Memory Management System Calls

Figure 11-32. Mapped regions with their shadow pages on disk. The lib.dll file mapped into two address spaces at same time.

Implementation of Memory Management

Page Fault Handling (1)

Figure 11-33. A page table entry (PTE) for a mapped page on the (a) Intel x86 and (b) AMD x64 architectures.

• D and A bits are used to implement an LRU (Least Recently Used) style page replacement algorithm

Page Fault Handling (2)

Each page fault can be considered as being in one of five categories:

• The page referenced is not committed (program error – page has not been assigned to a process or in memory).
• Attempted access to a page in violation of the permissions (program error).
• A shared copy-on-write page was about to be modified.
• The stack needs to grow.
• The page referenced is committed but not currently mapped in (normal page fault in a paged system).

Page Replacement Algorithm (1)

• The working set concept is used
• Each process (not each thread) has a working set
• Each working set has two parameters:
    • A minimum size (initially 20 to 50 pages)
    • A maximum size (initially 45 to 345 pages)
• Every process starts with the same minimum and maximum but these bounds can change over time

Page Replacement Algorithm (2)

• Working sets only come into play when physical memory gets low
• Otherwise, processes can exceed the maximum of their working set
• The working set manager runs periodically based on a timer and does the following:
    • When lots of memory is available, it uses the access bits to compute an age for each page
    • When memory gets tight, the working set is fixed and oldest pages are replaced when a new page is needed
    • When memory is tight, the working sets are trimmed below their maximum by removing the oldest pages

Physical Memory Manager (1)

Figure 11-36. The various page lists and the transitions between them.

Physical Memory Manager (2)

1. Pages removed from a working set are put on either the modified page list or the standby page list (pages which are not modified)
2. The pages on these two lists are in memory, so if a page fault occurs and one of these pages is needed, they are put back to the working set with no disk I/O (a soft page fault)
3. When a process exits, all nonshared pages of the working set, modified pages and standby pages are returned to the free page list

Physical Memory Manager (3)

4. A modified page writer thread wakes up periodically and writes modified pages to disk and moves them to the standby list if there are not enough clean pages
5. When a page is not needed by a process, it goes to the free page list
6. At a page fault (hard fault) a free page is taken from the free page list
7. Whenever the CPU is idle, a lowest priority thread, the ZeroPage thread, resets free pages to zeros and puts them on the zeroed page list
8. When a zeroed page is needed for security reasons, pages are taken from the zeroed page list
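An added example, not part of the slides: a C model of steps 1, 2, 3, 7 and 8 above, showing that a page on the free list still holds its previous owner's data and that only the zeroed list is safe to hand to another process. The frame count, process ids and sample data are constructed; making the caller wait when the zeroed list is empty is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096
#define NFRAMES   4

enum page_list { WORKING_SET, MODIFIED, STANDBY, FREE_LIST, ZEROED };

struct frame {
    enum page_list where;
    int owner;                       /* owning process id, -1 if none */
    int dirty;                       /* D bit: written since it was mapped */
    unsigned char data[PAGE_SIZE];
};

static struct frame F[NFRAMES];      /* the model's physical memory */

void pmm_init(void)
{
    memset(F, 0, sizeof F);
    for (int i = 0; i < NFRAMES; i++) { F[i].where = ZEROED; F[i].owner = -1; }
}

/* Step 8: a page given to a process is taken from the zeroed list. */
int alloc_zeroed(int pid)
{
    for (int i = 0; i < NFRAMES; i++)
        if (F[i].where == ZEROED) {
            F[i].where = WORKING_SET; F[i].owner = pid; F[i].dirty = 0;
            return i;
        }
    return -1;   /* zeroed list empty: in this model the caller must wait */
}

/* Step 1: a trimmed page goes to the modified list if dirty, else to standby. */
void trim(int i)
{
    if (F[i].where == WORKING_SET) F[i].where = F[i].dirty ? MODIFIED : STANDBY;
}

/* Step 2: soft fault. The page is still in memory, so no disk I/O is needed. */
int soft_fault(int i)
{
    if (F[i].where != MODIFIED && F[i].where != STANDBY) return -1;
    F[i].where = WORKING_SET;
    return 0;
}

/* Step 3: on exit the process's pages go to the free list, contents untouched. */
void process_exit(int pid)
{
    for (int i = 0; i < NFRAMES; i++)
        if (F[i].owner == pid) { F[i].where = FREE_LIST; F[i].owner = -1; }
}

/* Step 7: the ZeroPage thread clears free pages and puts them on the zeroed list. */
void zero_page_thread(void)
{
    for (int i = 0; i < NFRAMES; i++)
        if (F[i].where == FREE_LIST) { memset(F[i].data, 0, PAGE_SIZE); F[i].where = ZEROED; }
}

size_t nonzero_bytes(int i)
{
    size_t n = 0;
    for (size_t k = 0; k < PAGE_SIZE; k++) n += F[i].data[k] != 0;
    return n;
}

static const char SECRET[] = "constructed-secret";   /* constructed sample data */

/* Process 1 writes SECRET to a page, the page is trimmed and soft-faulted back,
 * then the process exits. Returns how many bytes of its data remain in RAM. */
size_t stale_on_free_list(void)
{
    pmm_init();
    int i = alloc_zeroed(1);
    memcpy(F[i].data, SECRET, sizeof SECRET - 1);
    F[i].dirty = 1;
    trim(i);                          /* dirty, so it lands on the modified list */
    if (soft_fault(i) != 0) return (size_t)-1;
    process_exit(1);
    return nonzero_bytes(i);
}

/* Continue: the ZeroPage thread runs, then process 2 is given the same frame.
 * Returns how many bytes of process 1's data process 2 can read. */
size_t stale_seen_by_next_owner(void)
{
    stale_on_free_list();             /* leaves process 1's page on the free list */
    zero_page_thread();
    int j = alloc_zeroed(2);          /* frame 0 again, now via the zeroed list */
    return nonzero_bytes(j);
}

int main(void)
{
    printf("stale bytes on free list:  %zu\n", stale_on_free_list());
    printf("stale bytes seen by pid 2: %zu\n", stale_seen_by_next_owner());
    return 0;
}
```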

Input/Output in Vista

• The I/O system consists of
    • Plug-and-play services
    • The power manager
    • The Input/Output manager
    • Device drivers

Plug-and-Play Services

• Buses such as PCI, USB, EIDE, and SATA had been designed in such a way that the plug-and-play manager can send a request to each slot and ask the device there to identify itself
• After identification the PnP manager allocates hardware resources, such as interrupt levels, locates the appropriate drivers, and loads them into memory
• As each driver is loaded, a driver object is created

Power Manager

• The power manager adjusts the power state of the I/O devices to reduce system power consumption when devices are not in use
• This is very important when laptops are on battery power
• Two special modes of power saving:
    • Hibernation mode: all of the physical memory is copied to disk and power consumption is reduced to a minimum level
    • Standby mode: power is reduced to the lowest level enough to refresh the dynamic RAM

Input/Output Manager

• Handles I/O system calls and IRP (I/O Request Packet) based operations

Figure 11-37. Native NT API calls for performing I/O

Device Drivers

• All drivers must conform to the WDM (Windows Driver Model) standards for compatibility reasons with the older Windows versions
• Devices in Windows are represented by device objects, which are used to represent
    • Hardware, such as buses
    • Software abstractions like file systems, network protocol engines and kernel extensions, like antivirus filter drivers

Device Stacks

Figure 11-40. Windows allows drivers to be stacked to work with a specific instance of a device. The stacking is represented by device objects.

• A driver may do the work by itself, like a printer driver
• Some drivers are stacked, meaning that requests pass through a sequence of drivers

File Systems

• Three driver layers
    • Volume drivers
        • Low level drivers
        • Interact with data storage hardware devices
    • File system drivers
        • NTFS
        • FAT16 (16 bit disk addresses with disk partitions at the most 2 GB)
        • FAT32 (32 bit disk addresses and supports partitions up to 2 TB, not secure and used mainly for transportable media, such as flash disks, nowadays)
    • File system filter drivers
        • Perform high-level functions
        • Virus scanning
        • Encryption

File System Drivers

• Typical Disk I/O
    • User-mode thread passes file handle to object manager
    • Object manager passes file pointer to file system driver
    • File system driver passes request to device driver stack
    • Eventually request reaches disk
    • Disk performs requested I/O

NTFS

• NTFS overview
    • Windows NT file system
    • More secure than FAT
    • Scales well to large disks
        • Cluster size depends on disk size
        • 64-bit file pointers
        • Can address up to 16 exabytes of disk
    • Multiple data streams
    • Compression and encryption

Powers of 10 & 2 - Side Remark

Prefix  Symbol  Power of 10  Power of 2
Kilo    K       10^3         2^10
Mega    M       10^6         2^20
Giga    G       10^9         2^30
Tera    T       10^12        2^40
Peta    P       10^15        2^50
Exa     E       10^18        2^60
Zetta   Z       10^21        2^70
Yotta   Y       10^24        2^80

64 bits for addressing = 16 Exa bytes

File System Structure

• Each NTFS volume (e.g., disk partition) contains files, directories, bitmaps, and other data structures
• Each volume is organized as a linear sequence of blocks (called clusters), usually 4 KB in size (can be 512 bytes to 64 KB) and pointed to by 64-bit pointers
• The main data structure in each volume is the MFT (Master File Table), which is a linear sequence of 1 KB records

NTFS Master File Table (1)

• Each MFT record describes one file or directory and contains file attributes (file name, block addresses, timestamps etc.)
• The MFT is a file itself and can be placed anywhere within the volume, thus eliminating the problem of defective sectors in the first track
• MFT can grow dynamically up to a maximum size of 2^48 records
• The first 16 MFT records are reserved for NTFS metadata files, which contain volume-related system data to describe the volume

NTFS Master File Table (2)

Attributes Used in MFT Records

• Each record consists of a sequence of (attribute header – name & length, value) pairs
• If an attribute is small it is kept in the record; if it is long it is put in another block on disk and pointed to from here

MFT Record for A File

Figure 11-43. An MFT record for a three-run, nine-block stream.

- File fits in one MFT record
- Header (0,9): offset of the first block of the stream (0) and offset of the first block not covered by the record (9)


MFT Records for A File

Figure 11-44. A file that requires three MFT records to store all its runs.
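Added example, not from the slides or the textbooks they draw on: the block lookup that Figures 11-43 and 11-44 describe, using the slides' simplified (header, run list) model rather than the on-disk NTFS run encoding. The `MftRecord` class, the function names and every run value are constructed for illustration; the header check is the kind of consistency test a forensic parser would apply before trusting a record.

```python
from bisect import bisect_right
from dataclasses import dataclass

@dataclass
class MftRecord:
    """Simplified slide model of one MFT record's data attribute (hypothetical class)."""
    first_block: int      # header: first stream block this record covers
    next_uncovered: int   # header: first stream block NOT covered by this record
    runs: list            # (disk_start, length) pairs, in stream order

def build_extents(records):
    """Check each header against its runs; return (stream_start, disk_start, length) extents."""
    extents, expected = [], 0
    for rec in records:
        if rec.first_block != expected:
            raise ValueError(f"record starts at block {rec.first_block}, expected {expected}")
        pos = rec.first_block
        for disk_start, length in rec.runs:
            if disk_start < 0 or length <= 0:
                raise ValueError(f"invalid run ({disk_start}, {length})")
            extents.append((pos, disk_start, length))
            pos += length
        if pos != rec.next_uncovered:
            raise ValueError(f"runs end at block {pos}, header says {rec.next_uncovered}")
        expected = rec.next_uncovered
    return extents

def stream_to_disk(extents, block):
    """Translate a block offset within the stream into a disk block number."""
    i = bisect_right([start for start, _, _ in extents], block) - 1
    if i < 0 or block >= extents[i][0] + extents[i][2]:
        raise IndexError(f"stream block {block} is not covered by any run")
    start, disk_start, _ = extents[i]
    return disk_start + (block - start)

# Constructed sample values: one record holding a three-run, nine-block stream (header 0,9).
ONE_RECORD = [MftRecord(0, 9, [(20, 4), (64, 2), (80, 3)])]
# Constructed sample values: a fragmented file whose runs are spread over three records.
THREE_RECORDS = [
    MftRecord(0, 5, [(100, 3), (200, 2)]),
    MftRecord(5, 9, [(300, 4)]),
    MftRecord(9, 12, [(50, 1), (400, 2)]),
]

if __name__ == "__main__":
    for name, recs in (("one record", ONE_RECORD), ("three records", THREE_RECORDS)):
        ext = build_extents(recs)
        print(name, [stream_to_disk(ext, b) for b in range(recs[-1].next_uncovered)])
```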


An MFT Record for A Small Directory


An MFT Record for A Large Directory

- Large directories are arranged as B trees
- Multiple directory entries can point to the same file
- File deleted only when an attribute (hard_link) drops to zero


File Compression

- Transforms file to take less space on disk
- Lempel-Ziv Compression Algorithm
- Transparent
  - Applications access files using standard API calls
  - System compresses and decompresses files
  - Applications unaware if file compressed
- The compression algorithm considers 16 consecutive blocks
  - If the compressed form takes less than 16 blocks then the compression is applied else not
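Added example, not from the slides: the per-unit decision described above, with zlib's DEFLATE standing in for the Lempel-Ziv algorithm the slide names (it is not the codec NTFS itself uses). The 4 KB block size, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK_SIZE = 4096    # assumed block size; the slide does not give one
UNIT_BLOCKS = 16     # the slide's 16 consecutive blocks

def blocks_needed(nbytes):
    """Whole blocks required to hold nbytes."""
    return -(-nbytes // BLOCK_SIZE)

def store_unit(unit):
    """Return (stored_bytes, compressed_flag) for one unit of at most 16 blocks."""
    if not 0 < len(unit) <= UNIT_BLOCKS * BLOCK_SIZE:
        raise ValueError("a unit holds between 1 byte and 16 blocks")
    packed = zlib.compress(unit)   # stand-in Lempel-Ziv-family codec, not NTFS's own
    # Slide rule for a full unit: keep the compressed form only if it needs fewer
    # than 16 blocks. For a short final unit, compare with its own raw block count.
    if blocks_needed(len(packed)) < blocks_needed(len(unit)):
        return packed, True
    return unit, False

def load_unit(stored, compressed):
    """Transparent read path: the caller gets the original bytes either way."""
    return zlib.decompress(stored) if compressed else stored

def store_file(data):
    """Split data into units and report (compressed_flag, blocks_used) per unit."""
    size = UNIT_BLOCKS * BLOCK_SIZE
    layout = []
    for off in range(0, len(data), size):
        stored, flag = store_unit(data[off:off + size])
        layout.append((flag, blocks_needed(len(stored))))
    return layout

def pseudo_random(nbytes):
    """Deterministic incompressible bytes (constructed test input)."""
    chunks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(-(-nbytes // 32)))
    return b"".join(chunks)[:nbytes]

# Constructed sample file: one unit of log-like text, one unit of incompressible bytes.
TEXT_UNIT = (b"2008-01-01 00:00:00 INFO service started\n" * 1600)[:UNIT_BLOCKS * BLOCK_SIZE]
SAMPLE_FILE = TEXT_UNIT + pseudo_random(UNIT_BLOCKS * BLOCK_SIZE)

if __name__ == "__main__":
    print(store_file(SAMPLE_FILE))
```

The second unit is stored raw because its compressed form does not fit in fewer than 16 blocks, which is the "else not" branch of the slide's rule.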


File Encryption

- Protects files from illicit access
- Encryption performed in compression units
- Keys
  - Public key / private key encryption
  - Recovery key given to system administrator
    - In case user forgets password
  - Encrypted versions of keys stored on disk
  - Decrypted keys stored in non-paged pool

Security

- Security properties inherited from the original security design of NT:
  - Secure login with anti-spoofing measures (prevents the login screen from being imitated)
  - Discretionary access controls (owner has the rights)
  - Privileged access controls (superuser can override)
  - Address space protection per process
  - New pages must be zeroed before being mapped in
  - Security auditing (log of several security-related events)


Interprocess Communication

- Data oriented
  - Pipes
  - Mailslots (message queues)
  - Shared memory
- Procedure oriented / object oriented
  - Remote procedure calls
  - Microsoft COM (Component Object Model) objects
  - Clipboard
  - GUI drag-and-drop capability


Pipes

- Manipulated with file system calls
  - Read
  - Write
  - Open
- Pipe server
  - Process that creates pipe
- Pipe clients
  - Processes that connect to pipe
- Modes
  - Read: pipe server receives data from pipe clients
  - Write: pipe server sends data to pipe clients
  - Duplex: pipe server sends and receives data


Pipes

- Anonymous Pipes
  - Unidirectional
  - Between local processes
  - Synchronous
  - Pipe handles, usually passed through inheritance
- Named Pipes
  - Unidirectional or bidirectional
  - Between local or remote processes
  - Synchronous or asynchronous
  - Opened by name
  - Byte stream vs. message stream
  - Default mode vs. write-through mode


Mailslots

- Mailslot server: creates mailslot
- Mailslot clients: send messages to mailslot
- Communication
  - Unidirectional
  - No acknowledgement of receipt
  - Local or remote communication
  - Implemented as files
  - Two modes
    - Datagram: for small messages
    - Server Message Block (SMB): for large messages


Other Features

- Cookie management
- Certificates
- Trusted Internet Zones
- Automatic Update
  - Notifies users of security patches
  - Can download and install patches automatically