WLC402 Windows Vista: Kernel Changes Mark Russinovich Technical Fellow, Platform and Services Division Microsoft Corporation mark.russinovich@microsoft.com


Page 1

WLC402 Windows Vista: Kernel Changes

Mark Russinovich

Technical Fellow, Platform and Services Division

Microsoft Corporation

mark.russinovich@microsoft.com

Page 2

Mark Russinovich

Technical Fellow, Platform and Services

Co-founder and chief software architect of Winternals Software (www.winternals.com)

Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David Solomon

Author of tools on www.sysinternals.com

Home of blog and forums

Senior Contributing Editor to Windows IT Pro Magazine

Ph.D. in Computer Engineering

Page 3

Outline

Introduction

Processes & Threads

I/O and File System

Memory Management

Startup and Shutdown

Reliability & Recovery

Security

Page 4

Scope of Talk

This talk covers enhancements to the Windows Vista kernel and related core components

Many other significant improvements in other kernel areas not covered (e.g. Networking, Graphics, Window Manager, Installation, Management, & Monitoring)

Windows Server “Longhorn” will be a superset of Windows Vista

These changes will be merged back into Windows Vista kernel with SP1

Therefore, all Windows Vista kernel changes described in this talk apply to Windows Server “Longhorn”

But, server-specific changes not covered (e.g. NUMA enhancements, hot CPU add/replace, hot replace memory)

* Content of this talk was co-developed with Dave Solomon (www.solsem.com)

Page 5

Outline: Processes & Threads

Page 6

Time Accounting

Before, Windows accounted for CPU time based on the interval clock timer

10-15ms resolution

Thread quantum expiration was not always fair

A thread might get almost no turn or up to three turns

Threads also were charged for interrupts that occurred while they were running

[Figure: timeline of Idle, T1, T2; T1 & T2 come out of wait and T1 begins; time slice interval marked]

Page 7

Cycle Time Counter

Windows Vista reads Time Stamp Counter (TSC) at context switch

Actual CPU cycles consumed charged to thread

Interrupt time not charged

Allows for more accurate quantum accounting

Thread gets at least 1 turn and can get at most a turn + 1 tick

Also provides accurate time accounting for thread execution

[Figure: timeline of Idle, T1, T1, T2; time slice interval marked]
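As an added illustration (not from the slides), a small Python model of the two accounting schemes these two slides contrast: tick-based charging, which bills whole clock intervals to whichever thread is current at the tick (interrupts included), versus reading the TSC at each context switch. The trace, the 10 ms tick and the quantum lengths are constructed values.

```python
import math

# Constructed model of the two CPU-time accounting schemes contrasted on the
# Time Accounting and Cycle Time Counter slides. All numbers are illustrative.
TICK_MS = 10.0  # interval clock timer period (slide: 10-15 ms resolution)

# Constructed execution trace: (start_ms, end_ms, current_thread, kind).
# 'interrupt' segments are hardware interrupts serviced while that thread
# happened to be current; they are not the thread's own work.
TRACE = [
    (0.0, 9.9, "T1", "thread"),
    (9.9, 12.0, "T2", "thread"),
    (12.0, 16.0, "T2", "interrupt"),
    (16.0, 20.5, "T2", "thread"),
    (20.5, 30.2, "T1", "thread"),
    (30.2, 40.0, "T2", "thread"),
]


def charge_by_tick(trace, tick_ms=TICK_MS):
    """Pre-Vista scheme: at every clock tick the whole interval is charged to
    whichever thread is current at that instant, interrupt time included."""
    charged = {}
    end = max(seg[1] for seg in trace)
    for k in range(1, int(round(end / tick_ms)) + 1):
        t = k * tick_ms
        for start, stop, thread, _kind in trace:
            if start < t <= stop:  # the segment containing the tick owns it
                charged[thread] = charged.get(thread, 0.0) + tick_ms
                break
    return {th: round(ms, 3) for th, ms in charged.items()}


def charge_by_cycles(trace):
    """Vista scheme: the TSC is read at each context switch, so a thread is
    charged exactly the time its own code ran; interrupt time is not charged."""
    charged = {}
    for start, stop, thread, kind in trace:
        if kind == "thread":
            charged[thread] = charged.get(thread, 0.0) + (stop - start)
    return {th: round(ms, 3) for th, ms in charged.items()}


def turn_length_tick(start_offset_ms, quantum_ticks, tick_ms=TICK_MS):
    """Length of a thread's turn when the quantum is decremented once per tick.
    start_offset_ms is how far into the current tick interval the thread was
    switched in: starting just before a tick costs almost a whole tick, so the
    turn can be far shorter than the nominal quantum."""
    return quantum_ticks * tick_ms - start_offset_ms


def turn_length_cycles(start_offset_ms, quantum_ticks, tick_ms=TICK_MS):
    """With cycle accounting the quantum is consumed by the thread's own cycles,
    but expiry is still only noticed at a tick, so a turn is at least the full
    quantum and at most the quantum plus one tick (as the slide states)."""
    used_up_at = start_offset_ms + quantum_ticks * tick_ms
    expiry = math.ceil(used_up_at / tick_ms) * tick_ms
    return expiry - start_offset_ms


if __name__ == "__main__":
    print("tick accounting :", charge_by_tick(TRACE))
    print("cycle accounting:", charge_by_cycles(TRACE))
    for offset in (0.0, 5.0, 9.9):
        print(f"switched in {offset:4.1f} ms after a tick, 1-tick quantum:",
              f"tick turn={turn_length_tick(offset, 1):.1f} ms,",
              f"cycle turn={turn_length_cycles(offset, 1):.1f} ms")
```

In the constructed trace T1 actually ran 19.6 ms but is billed only 10 ms under tick accounting, while T2 is billed 30 ms for 16.4 ms of its own work plus 4 ms of interrupts.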

Page 8

Multimedia Class Scheduler Service

New service that boosts thread priorities of multimedia applications to support glitch-free audio and video streaming

Implemented in Mmcss.dll (runs in a Svchost)

Used by Windows Media Player 11

Threads declare themselves as multimedia:

Type of activity (AvSetMmThreadCharacteristics)

Relative importance (AvSetMmThreadPriority)

Threads boosted into real-time for 80% of a task’s clock rate

If they consume that time, they are lowered so others can run

80% can be reconfigured at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile

[Figure: timeline alternating Realtime boost and Other work]

Page 9

Outline: I/O and File System

Page 10

Symbolic File Links

Before, NTFS supported only symbolic directory links (called junctions)

In Windows Vista, NTFS supports symbolic file links

Like UNIX soft links (ln -s) for files

Built using NTFS reparse points (like junctions)

Create them with new CreateSymbolicLink API or Mklink.exe command

Requires “Create Symbolic Links” privilege (by default only assigned to Administrators)

Mklink can also create hard links

Symbolic links are processed on the client and so can span volumes and even machines

Page 11

I/O Completion Port Improvements

I/O completion ports allow threads to wait efficiently for completion of multiple I/O requests

Completed I/Os queue on the completion port

Before, each completion caused unnecessary context switch to the issuing thread

This might cause a delay since the thread might not run immediately to process this

Windows Vista defers I/O completion to when the thread pulls the I/O off the completion port

Avoids context switch, thus improving performance

Page 12

I/O Cancellation Support

Before, opens could not be cancelled

Example: you browse to an off-line network share in a File Save dialog and hang for the duration of the network timeout

In Windows Vista, opens and other synchronous I/O can be cancelled

CancelSynchronousIo cancels a pending synchronous I/O issued by another thread

CancelIoEx permits canceling all or individual I/Os from any thread (CancelIo could only cancel all I/Os issued by the calling thread)

Windows Vista common control file open/save dialogs all implement cancellation

Threads processing I/O can now be notified of process termination

Page 13

I/O Prioritization

Background I/O (e.g. AV scans, disk defragmenting) interferes with foreground interactive tasks (e.g. reading email)

Before, only way to prioritize work was based on thread CPU priority

Windows Vista introduces two types of I/O prioritization:

I/O priority

I/O bandwidth reservation

I/O prioritization implemented by ATAPI and USB storage drivers

Page 14

I/O Priorities

I/O priority is based on the priority of the issuing thread or the explicitly set I/O priority

Five levels: Critical, High, Normal, Low, Very Low

High not implemented

Critical only for use by memory manager

Stored in Flags field of I/O Request Packet (IRP)

At least one Low or Very Low I/O is processed every second

Processes and threads can lower their I/O priority with SetPriorityClass, SetThreadPriority

“Background mode”

Used by Windows Vista background tasks like indexing and Windows Defender scans
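An added Python model (not Microsoft's code) of the dispatch rule these two slides describe: the highest-priority queued IRP wins, except that a Low or Very Low I/O is serviced at least once per second so background work such as a Defender scan cannot be starved by foreground reads. The request names, costs and arrival times are constructed; the Critical request stands in for the memory manager's own I/O.

```python
from collections import deque

# I/O priority levels from the slide, highest first. "High" is listed but not
# implemented in Vista; "Critical" is reserved for the memory manager.
PRIORITY_ORDER = ("Critical", "High", "Normal", "Low", "Very Low")
BACKGROUND = ("Low", "Very Low")
STARVATION_GUARD_MS = 1000  # slide: at least one Low/Very Low I/O every second


class IoRequest:
    """One IRP; the priority would normally come from the issuing thread or
    an explicit SetPriorityClass/SetThreadPriority 'background mode' setting."""

    def __init__(self, name, priority, arrival_ms, cost_ms):
        assert priority in PRIORITY_ORDER, priority
        self.name, self.priority = name, priority
        self.arrival_ms, self.cost_ms = arrival_ms, cost_ms


class PriorityIoScheduler:
    """Constructed model of a storage driver queue that honours IRP priority
    but guarantees forward progress for background I/O."""

    def __init__(self, starvation_guard_ms=STARVATION_GUARD_MS):
        self.queues = {p: deque() for p in PRIORITY_ORDER}
        self.guard_ms = starvation_guard_ms  # None disables the guarantee
        self.last_background_ms = 0

    def enqueue(self, req):
        self.queues[req.priority].append(req)

    def pending(self):
        return any(self.queues[p] for p in PRIORITY_ORDER)

    def _pop_background(self, now_ms):
        for p in BACKGROUND:
            if self.queues[p]:
                self.last_background_ms = now_ms
                return self.queues[p].popleft()
        return None

    def pick(self, now_ms):
        # Anti-starvation rule first: once a full guard interval has passed
        # without background I/O, service one even though foreground is queued.
        if self.guard_ms is not None and now_ms - self.last_background_ms >= self.guard_ms:
            req = self._pop_background(now_ms)
            if req is not None:
                return req
        for p in PRIORITY_ORDER:
            if self.queues[p]:
                if p in BACKGROUND:
                    self.last_background_ms = now_ms
                return self.queues[p].popleft()
        return None


def simulate(requests, starvation_guard_ms=STARVATION_GUARD_MS):
    """Drive the requests through the scheduler on a single disk that serves
    one request at a time; returns {request name: start time in ms}."""
    sched = PriorityIoScheduler(starvation_guard_ms)
    waiting = sorted(requests, key=lambda r: r.arrival_ms)
    started, now = {}, 0
    while waiting or sched.pending():
        while waiting and waiting[0].arrival_ms <= now:
            sched.enqueue(waiting.pop(0))
        req = sched.pick(now)
        if req is None:  # disk idle: jump to the next arrival
            now = waiting[0].arrival_ms
            continue
        started[req.name] = now
        now += req.cost_ms
    return started


def build_scenario():
    """Constructed workload: 30 foreground reads (mail client), two Very Low
    reads from a background scanner, and one Critical memory-manager write."""
    reqs = [IoRequest(f"mail-{i}", "Normal", 0, 100) for i in range(30)]
    reqs += [IoRequest("scan-0", "Very Low", 0, 100),
             IoRequest("scan-1", "Very Low", 0, 100)]
    reqs.append(IoRequest("mm-pagefile", "Critical", 550, 100))
    return reqs


if __name__ == "__main__":
    with_guard = simulate(build_scenario())
    no_guard = simulate(build_scenario(), starvation_guard_ms=None)
    for name in ("mm-pagefile", "scan-0", "scan-1", "mail-29"):
        print(f"{name:12s} starts at {with_guard[name]:5d} ms with guard,"
              f" {no_guard[name]:5d} ms without")
```

With the guard the scanner's reads start at 1000 ms and 2000 ms; without it they wait behind all 30 foreground reads, while the Critical write is served at the next dispatch either way.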

Page 15

Bandwidth Reservation

Streaming applications (e.g. Windows Media Player - WMP) can request I/O bandwidth guarantees

Specified on individual files

I/O system reports back to application

Optimal transfer size

Number of outstanding I/Os they should maintain

[Figure: WMP reserved I/O interleaved with walk-in I/O]

Page 16

Outline: Memory Management

Page 17

Dynamic System Address Space

Before, system virtual address space divided into fixed regions

Reason for limits on nonpaged, paged pool, system page table entries

In 32-bit Windows Vista, virtual memory assigned as needed

Permits larger paged, nonpaged, and session pools

Supports larger terminal servers, larger desktop heap, etc.

Components still cannot exceed 2 GB on 32-bit systems

On 64-bit systems, address space regions are configured at their maximum for all memory sizes

Page 18

SuperFetch™

Before:

Memory was not proactively populated

Memory often did not contain optimal content

Windows XP improved population with the logical prefetcher, but only prefetched a single process at process startup

Page 19

SuperFetch

In Windows Vista, SuperFetch prefetches across a set of applications

Takes into account frequency of page usage, usage of page in context of other pages in memory

Adapts to memory usage patterns, including complex usage scenarios (e.g. the “after lunch” usage)

Scenarios SuperFetch improves include:

Application launch

Resume from hibernate and suspend

Performance after infrequent or low priority tasks execute

Page 20

SuperFetch Implementation

SuperFetch includes kernel and user-mode components

Page usage data collected in kernel mode

SuperFetch service (Sysmain.dll) implements storage and prefetch algorithms

Stores scenario files in \Windows\Prefetch\Ag*.db

Calls kernel to retrieve paging histories and pre-populate page lists

Also prefetches private virtual memory (Windows XP prefetcher only did file and image data)

Uses low-priority I/O for pre-fetching and pre-population

Uses memory priorities (0-7) to prioritize prefetched data

Page 21

ReadyBoost

RAM is ideal for caching, but it's expensive and difficult to add

External flash is cheaper and is up to 10x faster to random access (not as fast as a disk for sequential I/O)

ReadyBoost uses flash to create a write-through cache between disk and RAM

Supported devices include USB keys, SD cards, Compact Flash, and internal PCI express cards

Data is compressed (typical 2x compression ratio)

File is encrypted with random per-boot session key

Implemented by ReadyBoost service and Ecache.sys volume filter driver

You can look at device statistics under HKLM\Software\Microsoft\Windows NT\CurrentVersion\EmdMgmt

Page 22

ReadyBoot

• On systems with more than 700 MB of RAM, boot prefetch is done by ReadyBoot instead of XP-style prefetch

• ReadyBoot is implemented by the same driver and services as ReadyBoost

• Service analyzes last 5 boots and derives boot plan that it stores in HKLM\System\CurrentControlSet\Services\Ecache\Parameters

• At boot, the driver implements RAM cache

• Cache is populated as the system boots by ReadyBoost service

• Cache does not update to reflect disk writes

• Cache is torn down 90 seconds after boot

• Performs optimized just-in-time prefetch

• Typically 20% improvement over XP-style boot prefetch

Page 23

ReadyDrive and Hybrid Hard Drives

Hybrid Hard Drives (H-HDD) include a nonvolatile cache (NV Cache)

Cached data can be read and written when disk is spun down

Data remains in cache even when disk is powered down

Cache is 50 MB - 2 TB (typically 256 MB)

Host OS support required to use

Cache may contain: Superfetch data, boot data, (part of) hibernate file

OEM can pin data

On battery, used as a write cache

[Figure: OS and NV Cache]

Page 24

Outline: Startup and Shutdown

Page 25

Boot Configuration Database (BCD)

Before, boot mechanism was platform specific (e.g. BIOS, EFI)

Windows Vista unifies the boot mechanism to be platform independent

Boot.ini is replaced by the Boot Configuration Database (BCD)

Abstracts firmware

Unified across different OS installations

Uses Unicode strings for internationalization

BCD is stored in the Registry

Binary format

Hive is stored in \Boot\BCD

Loads into HKLM\BCD00000000

Registry key security protects entries

Page 26

BCD Management

BCDEdit is the command-line management interface

Uses WMI to interface to BCD

BCD objects are documented in the SDK

Therefore, developers can code BCD WMI scripts/applications

[Figure: BCD System Store holding a Boot Manager object (Timeout, Default, Display Order), a Boot Loader object (App. Path, NX Settings, PAE Enabled) and a Legacy Boot Loader object (NTLDR/BOOT.INI)]

Page 27

Pre-Boot Executables

Windows boot manager

\Bootmgr (no extension)

Launched by boot sector code

Replaces first half of NTLDR (reading Boot.ini)

Launches other Windows pre-boot applications

Supports UEFI on Longhorn Server

OS loader

\Systemroot\System32\Winload.exe

Replaces 2nd half of NTLDR (loading OS image, boot drivers, and System registry hive)

One per OS installation

Page 28

Other Pre-Boot Executables

Windows memory diagnostic

\Boot\Memtest.exe

Third-parties can add boot executables

Winboot can run other executables:

Resume loader

\Systemroot\System32\Winresume.exe

Used to be implemented in Ntldr

Page 29

Startup Processes on XP

Session Manager (SMSS) created Winlogon and Csrss for each session

Session creation was done serially

Was bottleneck for Terminal Services

Winlogon, the interactive logon manager, created:

Local Security Authority (Lsass.exe)

Service Control Manager (Services.exe)

Page 30

Startup Processes on Vista

In Windows Vista:

Initial Smss.exe creates an instance of itself to initialize each session

Permits parallel session creation:

Minimum parallel session startups is 4

Maximum is number of processors

Session 0 Smss runs Wininit.exe (new)

Wininit starts what Winlogon used to start: Services, Lsass

Also starts a new process, Local Session Manager (Lsm.exe)

Session 1-n Smss’s create and initialize interactive sessions

Session-specific instance of Csrss.exe and Winlogon.exe

Page 31

Session 0 Isolation

Before, the console user ran in session 0

Names created by console user could collide with service and system object names

Services that presented windows on the console could open the door for privilege elevation (“shatter” attacks)

[Figure: Session 0 holds Service A, Service B, Service C and Application A, Application B, Application C; Session 1 holds Application D, Application E, Application F]

Page 32

Session 0 Isolation

In Windows Vista, the console user starts in session 1 and cannot connect to session 0

Eliminates name collisions

Poorly written services can’t display windows to the user

[Figure: Session 0 holds Service A, Service B, Service C; Session 1 holds Application A, Application B, Application C; Session 2 holds Application D, Application E, Application F]

Page 33

Interactive Logon Architecture

Credential Providers replace GINAs

Plug into Logonui.exe

Easier to write than GINAs

Multiple concurrent providers are supported

User selected or event driven

Used to capture elevation credentials

Inbox Credential providers:

Password

Smartcard

[Figure: WinLogon hosts LogonUI, which loads Credential Provider 1, Credential Provider 2 and Credential Provider 3]

Page 34

Delayed Auto Start Services

Before, autostart services could severely impact login performance

In Windows Vista, services can request delayed autostart

Set by new ChangeServiceConfig2 API

Stores new DelayedAutoStart value in service Registry key

Service Control Manager (SCM) starts these services after the automatic start services

I/O priority set to Very Low during startup

Services configured this way include BITS, Windows Update client, Ehome…

Page 35

Clean Service Shutdown

Before, services had no way to extend the time allowed for shutdown

After a fixed timeout (default 20 seconds), SCM was killed and system halted (while services were running)

This was a problem for services that needed to flush data

In Windows Vista, services can request preshutdown notification and take as long as they want to shut down

If the service stops responding the system gives up on it after 3 minutes

After pre-shutdown services stop, the system performs Windows XP-style shutdown for other services

Page 36

Service Shutdown Ordering

Before, there was no way for services to specify the order in which they receive shutdown notification

Some services have shutdown dependencies

Had to implement ad-hoc solutions

In Windows Vista, services can specify shutdown order

Must request pre-shutdown notification

Must include their name in HKLM\System\CurrentControlSet\Control\PreShutdownOrder

Page 37

Reliable Sleep Transitions

Before, application or driver could block standby or hibernate

Often caused by bug or overly aggressive power policy

User might not know and system power drain causes data loss

Windows Vista does not query processes when entering sleep states

User-mode notification (PBT_APMSUSPEND) timeout reduced from 20 seconds to 2 seconds

Drivers can’t veto sleep transitions

Page 38

Outline: Reliability & Recovery

Page 39:

Kernel Transaction Manager (KTM)

Before, applications had to work hard to recover from errors during modification of files and Registry keys

Windows Vista implements a generalized transaction manager

Provide all or nothing transaction semantics

Extensible through third-party resource managers

Kernel Transaction Manager coordinates between transaction clients (applications) and Resource Managers

Registry and NTFS enhanced to provide transaction semantics across Registry and file system operations

Common Log File System (Clfs.sys) introduced in Windows Server 2003 R2 provides efficient transaction logging facilities

Transactions can span modifications across one or many Registry keys, files, and volumes

Page 40:

Transaction APIs

Third parties can write user-mode or kernel-mode Resource Managers

Using DTC and Longhorn Server, transactions can coordinate changes across files, registry, SQL Server, Oracle, MSMQ

Transactions are used by Windows Update and System Protection

Page 41:

Volume Shadow Copy

Before:

No way to undo file overwrites or accidental deletes

System Restore only protected against changes to system files that it knew about

Windows Vista uses Volume Shadow Copy for System Restore and Previous Versions

Creates point-in-time copy-on-write snapshots of live volumes

Introduced in Windows XP

Solved open file and consistent backup problems

Used by Windows Backup

Previous Versions tab introduced as Server 2003 Shadow Copies for Shared Folder feature

Unified data/system protection

Used by System Restore

Page 42:

Windows Error Reporting

Before, unhandled exception handling was executed in context of thread incurring exception

Relied on thread stack being valid

Corrupt thread stacks resulted in "silent process death"

In Windows Vista, unhandled exceptions send a message to the Windows Error Reporting (WER) service

WER launches Werfault.exe

Replaces Dwwin.exe

Permits WER to be invoked for threads whose stack is too corrupted to invoke unhandled exception filter


Page 44:

BitLocker™ Drive Encryption

Before, physical access to a system could compromise even domain accounts

3rd-party utilities allow access to all unencrypted data

Domain credential verifiers cached in Registry

In Windows Vista, entire OS volume can be encrypted with BitLocker

BitLocker requirements:

Trusted Platform Module (TPM) v1.2 or USB device and USB-capable BIOS

1.5 GB unencrypted system volume

Page 45:

BitLocker™ Architecture

Several supported modes for storing decryption key:

TPM locked with signature of boot files

And optionally user-specified PIN

And optionally key on USB

On external USB flash device

Components:

Tpm.sys for accessing TPM

Fvevol.sys filter driver transparently encrypts/decrypts

[Diagram: an Application in user mode issues I/O that passes, in kernel mode, through the File System Driver, the Fvevol.sys filter and the Volume Manager]

Page 46:

Code Integrity Verification

The OS loader and kernel perform code signature checks

On 64-bit x64 platforms:

All kernel mode code must be signed in order to load

Identity of all kernel mode binaries is verified

System audit events for integrity check failures

On 32-bit platforms:

Load-time checks done on all kernel mode binaries, unsigned code allowed to load

But to play protected hi-def content, all loaded kernel mode drivers must be signed

Event log logging of driver loads

Page 47:

Protected Processes

Protected Processes prevent unauthorized access to media content

Can only be created through new Protected Media Path APIs (part of Media Foundation)

Used to enforce a secure path to output devices

Only signed images can be mapped into a secure process

Images must be signed by Microsoft

3rd Party codecs loaded into a Protected Process must be signed with Windows Media DRM certificate

Can query integrity of kernel-mode

Standard processes have limited access to protected processes (even with SeDebugPrivilege)

Page 48:

Address Space Load Randomization (ASLR)

Prior to Windows Vista

Executables and DLLs load at fixed locations

Buffer overflows commonly relied on known system function addresses to cause specific code to execute

The Windows Vista loader bases modules at one of 256 random points in the address space

OS images now include relocation information

Relocation performed once per image and shared across processes

User stack locations are also randomized

[Diagram: load addresses of Kernel32, NTDLL, User32 and the Exe in two XP processes (XP1, XP2) and two Vista processes (Vista1, Vista2)]

Page 49:

Service Security Improvements

Before, service bugs allowed for privilege elevation attacks

In Windows Vista, services apply principle of least-privilege to limit system exposure in case of compromise

Service-specific SIDs permit a service's access to objects to be limited

Only required objects give SID access

Firewall policy can be applied to service SID (and many Windows Vista services have this specified)

Write-restricted service processes further limit write access

Can only modify objects allowing WRITE for service SIDs

Page 50:

Service Security Improvements

Service can specify which privileges (e.g. shutdown, audit, etc.) they require

Limits power of service processes

Specified in MULTI_SZ registry value under service key called RequiredPrivileges

On service start, SCM computes union of all required privileges for service(s) inside service process

If process token does not contain one, service start fails

Privileges not explicitly specified are removed from token

If no required privileges specified, assumes all privileges in process token are needed
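As an added example, not from the deck, the following Python models the two rules on the service security slides: the per-service SID (assumed here to follow the S-1-5-80 plus SHA-1-of-the-upper-cased-UTF-16LE-name derivation, which the slides do not give) and the SCM's RequiredPrivileges union check for a shared service process. Service names, the token and the privilege lists are constructed.

```python
"""Added example (not from the deck): models two Vista service-hardening rules,
the per-service SID and the SCM's RequiredPrivileges handling."""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"  # NT SERVICE\<name> SIDs live under this prefix


def service_sid(service_name: str) -> str:
    """Derive the SID for NT SERVICE\\<service_name>.

    Assumption: five 32-bit sub-authorities taken from SHA-1 over the
    upper-cased UTF-16LE service name. The slide only says per-service SIDs
    exist; it does not state the derivation.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauthorities = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in subauthorities)


def compute_service_token_privileges(token_privileges, services):
    """Apply the RequiredPrivileges rules from the slide to one service process.

    token_privileges: privileges present in the process token.
    services: {service name: list from its RequiredPrivileges value, or None
               when the value is absent}; several services may share a process.
    Returns (started, remaining_privileges, failing_service, missing).
    """
    token = set(token_privileges)
    union = set()
    keep_all = False
    for name, required in services.items():
        if required is None:
            # No RequiredPrivileges value: every token privilege is assumed needed.
            keep_all = True
            continue
        missing = set(required) - token
        if missing:
            # A required privilege is not in the token: the start fails.
            return False, set(), name, missing
        union |= set(required)
    # Privileges nobody in the process asked for are dropped from the token.
    remaining = token if keep_all else token & union
    return True, remaining, None, set()


if __name__ == "__main__":
    # Constructed sample: a token with four privileges hosting two services.
    token = ["SeChangeNotifyPrivilege", "SeImpersonatePrivilege",
             "SeAuditPrivilege", "SeShutdownPrivilege"]
    host = {"SvcA": ["SeChangeNotifyPrivilege", "SeImpersonatePrivilege"],
            "SvcB": ["SeAuditPrivilege"]}
    print(service_sid("SvcA"))
    # SeShutdownPrivilege is dropped because neither service requires it.
    print(compute_service_token_privileges(token, host))
```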

Page 51:

User Account Control (UAC)

Goal: Have users run as standard user

Problem: Users run as administrators

Some applications only run as administrator

Solution: Make previously admin operations non-admin e.g. setting the timezone

Badly-behaved non-admin apps get private virtualized views of portions of the file system and Registry

Administrators run as normal users

Convenient to access administrative rights

Page 52:

UAC Virtualization

Images that don't opt out (in their manifest) are virtualized

Virtualization implemented in the kernel:

File system: file system filter driver (luafv.sys)

Registry: built-in

Redirected file system locations:

\Program Files, \Windows, \Windows\System32

Exceptions: System Write Protected Exe's and DLLs

Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)

Redirected Registry locations:

HKLM\Software

Exceptions: Many subkeys under Microsoft

Page 53:

UAC Virtualization

Writes: redirect to per-user area

\Users\<Username>\AppData\Local\VirtualStore

HKCU\Software\Classes\VirtualStore

Reads: unless an exception applies, per-user area is attempted first and then global location
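As an added example, not from the deck, this Python models the write redirection and read lookup rules of the two UAC Virtualization slides. The write-protected file set, the whole-subtree Microsoft exception and the MACHINE\SOFTWARE sub-path under the Registry VirtualStore are assumptions, and the sample paths are constructed.

```python
"""Added example (not from the deck): models UAC file and Registry
virtualization as described on the two UAC Virtualization slides."""
import ntpath

# Redirected file system roots (below the system drive) and the executable
# extensions that are never virtualized, both as listed on the slide.
REDIRECTED_DIRS = ("\\program files", "\\windows", "\\windows\\system32")
EXECUTABLE_EXTS = {".exe", ".bat", ".vbs", ".scr"}
# Assumption: a constructed stand-in for the "System Write Protected" set.
WRITE_PROTECTED = {"c:\\windows\\system32\\ntdll.dll"}
# Assumption: the slide says "many subkeys under Microsoft" are exceptions;
# the whole subtree is excepted here as a simplification.
REGISTRY_EXCEPTIONS = ("hklm\\software\\microsoft",)
# Assumption: below the slide's HKCU\Software\Classes\VirtualStore the
# machine hive is mirrored as MACHINE\SOFTWARE.
REG_VIRTUAL_STORE = "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE"


def _under(path, roots):
    return any(path == r or path.startswith(r + "\\") for r in roots)


def virtualized_file_path(path, username, opts_out=False, system_drive="C:"):
    """Where a write to `path` is redirected, or None when it is not
    virtualized (the write then hits the real location and its ACL)."""
    if opts_out:                      # image opted out in its manifest
        return None
    norm = path.lower()
    if norm in WRITE_PROTECTED or ntpath.splitext(norm)[1] in EXECUTABLE_EXTS:
        return None
    if not _under(ntpath.splitdrive(norm)[1], REDIRECTED_DIRS):
        return None
    tail = ntpath.splitdrive(path)[1].lstrip("\\")   # keep original casing
    return ntpath.join(system_drive + "\\Users", username,
                       "AppData", "Local", "VirtualStore", tail)


def virtualized_registry_key(key, opts_out=False):
    """Where a write to an HKLM\\Software key is redirected, or None."""
    if opts_out:
        return None
    norm = key.lower()
    if not _under(norm, ("hklm\\software",)) or _under(norm, REGISTRY_EXCEPTIONS):
        return None
    tail = key[len("HKLM\\Software"):].lstrip("\\")
    return REG_VIRTUAL_STORE + ("\\" + tail if tail else "")


def resolve_read(path, username, existing_paths, opts_out=False):
    """Reads try the per-user VirtualStore copy first, then the global file."""
    redirected = virtualized_file_path(path, username, opts_out)
    existing = {p.lower() for p in existing_paths}
    if redirected is not None and redirected.lower() in existing:
        return redirected
    return path


if __name__ == "__main__":
    # Constructed sample: a legacy app writing its config under Program Files.
    cfg = "C:\\Program Files\\Vendor\\app.ini"
    store_copy = virtualized_file_path(cfg, "alice")
    print(store_copy)
    print(virtualized_file_path("C:\\Program Files\\Vendor\\helper.exe", "alice"))
    print(virtualized_registry_key("HKLM\\Software\\Vendor\\App"))
    print(resolve_read(cfg, "alice", [store_copy]))
```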

Page 54:

UAC Elevation

An executable can be marked for elevation in four ways:

In its manifest file

In the system's application compatibility database

Heuristic installer detection

User explicitly asks for elevation

Page 55:

Elevation Consent

Two types of elevation:

Admin Approval Mode: Continue/cancel

At logon LSASS creates admin and Limited User Account (LUA) version of admin token

Winlogon creates first process (e.g. Userinit) with LUA token

Over the Shoulder: prompt for admin credentials

User is running in a standard user account

Consent.exe presents consent/password dialog on secure desktop

Child of AppInfo service (in a Service Host)

Page 56:

Process Integrity Levels

Specified as new Mandatory Integrity Level (IL) SIDs in process token

Low: Protected-mode IE

Medium: LUA processes

High: Elevated processes

System: System processes

Page 57:

Object Integrity Levels

Object ILs stored as IL ACE in SACL

Processes, threads and tokens always have an IL ACE

Files and Registry keys without an IL ACE have an implicit level of Medium

Objects created by medium or higher processes are marked as medium IL

Objects created by low IL processes (e.g. Protected-mode IE) are marked as low IL

Page 58:

IL Access Checks

IL checked before DACL

A thread can only open an object for write access if its IL is equal to or higher than that of the object

A thread can open any object for read access if:

It's a non-process object

If a process, thread IL must be equal or higher than process IL (prevents sensitive information leakage via memory reads)

The Windows subsystem also honors integrity levels: User Interface Privilege Isolation (UIPI)

Only query messages can be sent to the windows of elevated processes from LUA processes

Prevents "shatter" attacks
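As an added example, not from the deck, this Python models the mandatory integrity checks on the Object Integrity Levels and IL Access Checks slides, including the UIPI message rule. The IL RID constants are the known S-1-16 values (not on the slide), the DACL result is passed in as a flag, and the sample objects are constructed.

```python
"""Added example (not from the deck): models the mandatory integrity checks
from the Object Integrity Levels and IL Access Checks slides, plus UIPI."""
from dataclasses import dataclass
from typing import Optional

# Integrity levels, ascending. These are the known S-1-16-<RID> values for
# Low, Medium, High and System; the slide names the levels but not the RIDs.
IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
ALWAYS_LABELLED = ("process", "thread", "token")   # always carry an IL ACE


@dataclass
class SecurableObject:
    kind: str                    # "process", "thread", "token", "file", "key"
    il_ace: Optional[int]        # IL ACE from the SACL, None when absent
    dacl_allows: bool = True     # stand-in for the separate DACL evaluation

    def effective_il(self) -> int:
        """Files and Registry keys without an IL ACE are implicitly Medium."""
        if self.il_ace is None:
            if self.kind in ALWAYS_LABELLED:
                raise ValueError(f"a {self.kind} always has an IL ACE")
            return IL_MEDIUM
        return self.il_ace


def new_object_il(creator_il: int) -> int:
    """Label for a freshly created object: Low creators produce Low objects,
    Medium or higher creators produce Medium objects (never High/System)."""
    return IL_LOW if creator_il < IL_MEDIUM else IL_MEDIUM


def access_check(subject_il: int, obj: SecurableObject,
                 want_write: bool = False, want_read: bool = False) -> bool:
    """IL check first; the DACL is consulted only if the IL check passes."""
    obj_il = obj.effective_il()
    if want_write and subject_il < obj_il:
        return False   # write needs subject IL >= object IL
    if want_read and obj.kind == "process" and subject_il < obj_il:
        return False   # reading a process (e.g. its memory) needs IL >= its IL
    # Reads of non-process objects pass the IL check at any level.
    return obj.dacl_allows


def uipi_allows_message(sender_il: int, window_il: int, is_query: bool) -> bool:
    """UIPI: a lower-IL process may only send query messages to a higher-IL
    window; other messages are blocked (the "shatter" attack case)."""
    return sender_il >= window_il or is_query


if __name__ == "__main__":
    # Constructed sample: Protected-mode IE (Low) against a user's document
    # (no IL ACE, so Medium) and an elevated (High) process.
    doc = SecurableObject("file", None)
    elevated = SecurableObject("process", IL_HIGH)
    print(access_check(IL_LOW, doc, want_write=True))               # False
    print(access_check(IL_LOW, doc, want_read=True))                # True
    print(access_check(IL_MEDIUM, elevated, want_read=True))        # False
    print(uipi_allows_message(IL_MEDIUM, IL_HIGH, is_query=False))  # False
```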

Page 59:

Miscellaneous Changes

• Changes that I didn’t have time to cover:

• New synchronization primitives:

• Initialize-once

• Shared reader/writer locks

• New thread pooling infrastructure

• Service thread tagging

• Support for large-sector disks

• On-line NTFS chkdsk and NTFS volume resizing

• New kernel Advanced Local Procedure Call IPC mechanism

• See my two-part “Vista Kernel Changes” article to appear in the February and March issues of TechNet Magazine

Page 60:

Summary

Lots of exciting changes in Windows Vista kernel in the areas of performance, scalability, reliability, and security

For more information:

Kernel Enhancements for Windows Vista and Windows Server "Longhorn"

http://www.microsoft.com/whdc/system/vista/kernel-en.mspx

MSDN Vista developer resources

http://msdn.microsoft.com/windowsvista/

Driver developer resources

Windows Hardware Developer Central

http://www.microsoft.com/whdc/default.mspx

WinHEC 2006 presentations

http://www.microsoft.com/whdc/winhec/

Page 63:

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.