WLC402: Windows Vista Kernel Changes
Mark Russinovich
Technical Fellow, Platform and Services Division
Microsoft Corporation
Mark Russinovich
Technical Fellow, Platform and Services
Co-founder and chief software architect of Winternals Software (www.winternals.com)
Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David Solomon
Author of tools on www.sysinternals.com
Home of blog and forums
Senior Contributing Editor to Windows IT Pro Magazine
Ph.D. in Computer Engineering
Outline
Introduction
Processes & Threads
I/O and File System
Memory Management
Startup and Shutdown
Reliability & Recovery
Security
Scope of Talk
This talk covers enhancements to the Windows Vista kernel and related core components
Many other significant improvements in other kernel areas are not covered (e.g. Networking, Graphics, Window Manager, Installation, Management, & Monitoring)
Windows Server “Longhorn” will be a superset of Windows Vista
These changes will be merged back into the Windows Vista kernel with SP1
Therefore, all Windows Vista kernel changes described in this talk apply to Windows Server “Longhorn”
But server-specific changes are not covered (e.g. NUMA enhancements, hot CPU add/replace, hot replace memory)
* Content of this talk was co-developed with Dave Solomon (www.solsem.com)
Outline (section: Processes & Threads)
Time Accounting
Before, Windows accounted for CPU time based on the interval clock timer
10-15ms resolution
Thread quantum expiration was not always fair
A thread might get almost no turn or up to three turns
Threads also were charged for interrupts that occurred while they were running
[Figure: timeline of Idle, T1, T2; T1 & T2 come out of wait and T1 begins; time slice interval marked]
Cycle Time Counter
Windows Vista reads the Time Stamp Counter (TSC) at context switch
Actual CPU cycles consumed are charged to the thread
Interrupt time is not charged
Allows for more accurate quantum accounting
Thread gets at least 1 turn and can get at most a turn + 1 tick
Also provides accurate time accounting for thread execution
[Figure: timeline of Idle, T1, T1, T2 with time slice interval marked]
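The two accounting schemes on these slides are easiest to compare on a concrete run trace. The following simulation is an added example, not code from the talk: it charges a constructed trace once the pre-Vista way (a whole tick of quantum to whichever thread is running when the interval timer fires, interrupts included) and once the Vista way (the cycles actually consumed between context switches, with interrupt time excluded). The tick length, quantum, thread names and the trace itself are constructed values.

```python
"""Simulating interval-timer vs cycle-counter CPU accounting.

Added example, not from the talk. Tick length, quantum and the run trace
below are constructed, not taken from the slides.
"""
from dataclasses import dataclass

TICK_MS = 15               # interval timer period (slides: 10-15 ms)
QUANTUM_MS = 2 * TICK_MS   # constructed: a two-tick quantum


@dataclass(frozen=True)
class Interval:
    who: str       # thread name, or "irq" for interrupt service time
    start_ms: int
    end_ms: int    # exclusive


# Constructed run trace: T1 wakes just before a tick and runs only 2 ms;
# T2 then runs 28 ms and is preempted by a 3 ms interrupt at 20 ms.
TRACE = [
    Interval("Idle", 0, 14),
    Interval("T1", 14, 16),
    Interval("T2", 16, 44),
    Interval("irq", 20, 23),
]


def running_at(trace, t_ms):
    """Thread whose slice contains t_ms; an interrupt is attributed to the thread it preempted."""
    for iv in trace:
        if iv.who != "irq" and iv.start_ms <= t_ms < iv.end_ms:
            return iv.who
    return None


def charge_by_ticks(trace, tick_ms=TICK_MS):
    """Pre-Vista: one full tick is charged to the thread running when the timer fires."""
    charged = {iv.who: 0 for iv in trace if iv.who != "irq"}
    last = max(iv.end_ms for iv in trace)
    t = tick_ms
    while t <= last:
        who = running_at(trace, t)
        if who is not None:
            charged[who] += tick_ms
        t += tick_ms
    return charged


def charge_by_cycles(trace):
    """Vista: actual run time per slice, minus interrupt time that landed inside it."""
    charged = {iv.who: 0 for iv in trace if iv.who != "irq"}
    irqs = [iv for iv in trace if iv.who == "irq"]
    for iv in trace:
        if iv.who == "irq":
            continue
        used = iv.end_ms - iv.start_ms
        for irq in irqs:
            overlap = min(iv.end_ms, irq.end_ms) - max(iv.start_ms, irq.start_ms)
            if overlap > 0:
                used -= overlap
        charged[iv.who] += used
    return charged


def quantum_left(charged, quantum_ms=QUANTUM_MS):
    """Remaining quantum per thread; a thread that exhausts it has to give up the CPU."""
    return {who: quantum_ms - used for who, used in charged.items()}


if __name__ == "__main__":
    for name, fn in (("tick-based", charge_by_ticks), ("cycle-based", charge_by_cycles)):
        used = fn(TRACE)
        print(name, used, "quantum left:", quantum_left(used))
```

On this trace, tick accounting charges T1 a full 15 ms for 2 ms of work (it happened to be running when the tick fired) and charges T2 only 15 ms for 28 ms of work, interrupt included; cycle accounting charges T1 2 ms and T2 25 ms, the 3 ms interrupt excluded. That is the unfairness the slide describes: under tick accounting a thread's remaining quantum depends on where it landed relative to the timer, not on what it consumed.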
Multimedia Class Scheduler Service
New service that boosts thread priorities of multimedia applications to support glitch-free audio and video streaming
Implemented in Mmcss.dll (runs in a Svchost)
Used by Windows Media Player 11
Threads declare themselves as multimedia:
Type of activity (AvSetMmThreadCharacteristics)
Relative importance (AvSetMmThreadPriority)
Threads boosted into real-time for 80% of a task’s clock rate
If they consume that time, they are lowered so others can run
80% can be reconfigured at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile
[Figure: alternating “Realtime boost” and “Other work” intervals]
Outline (section: I/O and File System)
Symbolic File Links
Before, NTFS supported only symbolic directory links (called junctions)
In Windows Vista, NTFS supports symbolic file links
Like UNIX soft links (ln -s) for files
Built using NTFS reparse points (like junctions)
Create them with the new CreateSymbolicLink API or the Mklink.exe command
Requires the “Create Symbolic Links” privilege (by default only assigned to Administrators)
Mklink can also create hard links
Symbolic links are processed on the client and so can span volumes and even machines
I/O Completion Port Improvements
I/O completion ports allow threads to wait efficiently for completion of multiple I/O requests
Completed I/Os queue on the completion port
Before, each completion caused an unnecessary context switch to the issuing thread
This might cause a delay since the thread might not run immediately to process it
Windows Vista defers I/O completion to when the thread pulls the I/O off the completion port
Avoids the context switch, thus improving performance
I/O Cancellation Support
Before, opens could not be cancelled
Example: you browse to an off-line network share in a File Save dialog and hang for the duration of the network timeout
In Windows Vista, opens and other synchronous I/O can be cancelled
CancelSynchronousIo cancels a pending synchronous I/O issued by another thread
CancelIoEx permits canceling all or individual I/Os from any thread (CancelIo could only cancel all I/Os issued by the calling thread)
Windows Vista common control file open/save dialogs all implement cancellation
Threads processing I/O can now be notified of process termination
I/O Prioritization
Background I/O (e.g. AV scans, disk defragmenting) interferes with foreground interactive tasks (e.g. reading email)
Before, the only way to prioritize work was based on thread CPU priority
Windows Vista introduces two types of I/O prioritization:
I/O priority
I/O bandwidth reservation
I/O prioritization is implemented by the ATAPI and USB storage drivers
I/O Priorities
I/O priority is based on the priority of the issuing thread or the explicitly set I/O priority
Five levels: Critical, High, Normal, Low, Very Low
High not implemented
Critical only for use by the memory manager
Stored in the Flags field of the I/O Request Packet (IRP)
At least one Low or Very Low I/O is processed every second
Processes and threads can lower their I/O priority with SetPriorityClass, SetThreadPriority
“Background mode”
Used by Windows Vista background tasks like indexing and Windows Defender scans
Bandwidth Reservation
Streaming applications (e.g. Windows Media Player - WMP) can request I/O bandwidth guarantees
Specified on individual files
I/O system reports back to the application:
Optimal transfer size
Number of outstanding I/Os they should maintain
[Figure: timeline of reserved WMP I/O slots interleaved with walk-in I/O]
Outline (section: Memory Management)
Dynamic System Address Space
Before, system virtual address space was divided into fixed regions
Reason for limits on nonpaged pool, paged pool, and system page table entries
In 32-bit Windows Vista, virtual memory is assigned as needed
Permits larger paged, nonpaged, and session pools
Supports larger terminal servers, larger desktop heap, etc.
Components still cannot exceed 2 GB on 32-bit systems
On 64-bit systems, address space regions are configured at their maximum for all memory sizes
SuperFetch™
Before:
Memory was not proactively populated
Memory often did not contain optimal content
Windows XP improved population with the logical prefetcher, but only prefetched a single process at process startup
SuperFetch
In Windows Vista, SuperFetch prefetches across a set of applications
Takes into account frequency of page usage, usage of page in context of other pages in memory
Adapts to memory usage patterns, including complex usage scenarios (e.g. the “after lunch” usage)
Scenarios SuperFetch improves include:
Application launch
Resume from hibernate and suspend
Performance after infrequent or low priority tasks execute
SuperFetch Implementation
SuperFetch includes kernel and user-mode components
Page usage data collected in kernel mode
SuperFetch service (Sysmain.dll) implements storage and prefetch algorithms
Stores scenario files in \Windows\Prefetch\Ag*.db
Calls kernel to retrieve paging histories and pre-populate page lists
Also prefetches private virtual memory (Windows XP prefetcher only did file and image data)
Uses low-priority I/O for pre-fetching and pre-population
Uses memory priorities (0-7) to prioritize prefetched data
ReadyBoost
RAM is ideal for caching, but it's expensive and difficult to add
External flash is cheaper and is up to 10x faster to random access (not as fast as a disk for sequential I/O)
ReadyBoost uses flash to create a write-through cache between disk and RAM
Supported devices include USB keys, SD cards, Compact Flash, and internal PCI express cards
Data is compressed (typical 2x compression ratio)
File is encrypted with random per-boot session key
Implemented by ReadyBoost service and Ecache.sys volume filter driver
You can look at device statistics under HKLM\Software\Microsoft\Windows NT\CurrentVersion\EmdMgmt
ReadyBoot
• On systems with more than 700 MB boot prefetch is done by ReadyBoot instead of XP-style prefetch
• ReadyBoot is implemented by the same driver and services as ReadyBoost
• Service analyzes last 5 boots and derives boot plan that it stores in HKLM\System\CurrentControlSet\Services\Ecache\Parameters
• At boot, the driver implements RAM cache
• Cache is populated as the system boots by ReadyBoost service
• Cache does not update to reflect disk writes
• Cache is torn down 90 seconds after boot
• Performs optimized just-in-time prefetch
• Typically 20% improvement over XP-style boot prefetch
ReadyDrive and Hybrid Hard Drives
Hybrid Hard Drives (H-HHD) include a nonvolatile cache (NV Cache)
Cached data can be read and written when the disk is spun down
Data remains in cache even when the disk is powered down
Cache is 50 MB - 2 TB (typically 256 MB)
Host OS support required to use
Cache may contain:
SuperFetch data, boot data, (part of) hibernate file
OEM can pin data
On battery, used as a write cache
[Figure: OS accessing the NV Cache in front of the disk]
Outline (section: Startup and Shutdown)
Boot Configuration Database (BCD)
Before, the boot mechanism was platform specific (e.g. BIOS, EFI)
Windows Vista unifies the boot mechanism to be platform independent
Boot.ini is replaced by the Boot Configuration Database (BCD)
Abstracts firmware
Unified across different OS installations
Uses Unicode strings for internationalization
BCD is stored in the Registry
Binary format
Hive is stored in \Boot\BCD
Loads into HKLM\BCD00000000
Registry key security protects entries
BCD Management
BCDEdit is the command-line management interface
Uses WMI to interface to the BCD
BCD objects are documented in the SDK
Therefore, developers can code BCD WMI scripts/applications
[Figure: BCD System Store containing Boot Manager (Timeout, Default, Display Order), Boot Loader (App. Path, NX Settings, PAE Enabled) and Legacy Boot Loader (NTLDR/BOOT.INI) objects]
Pre-Boot Executables
Windows boot manager
\Bootmgr (no extension)
Launched by boot sector code
Replaces first half of NTLDR (reading Boot.ini)
Launches other Windows pre-boot applications
Supports UEFI on Longhorn Server
OS loader
\Systemroot\System32\Winload.exe
Replaces 2nd half of NTLDR (loading OS image, boot drivers, and System registry hive)
One per OS installation
Other Pre-Boot Executables
Windows memory diagnostic
\Boot\Memtest.exe
Third parties can add boot executables
Winboot can run other executables:
Resume loader
\Systemroot\System32\Winresume.exe
Used to be implemented in Ntldr
Startup Processes on XP
Session Manager (SMSS) created Winlogon and Csrss for each session
Session creation was done serially
Was a bottleneck for Terminal Services
Winlogon, the interactive logon manager, created:
Local Security Authority (Lsass.exe)
Service Control Manager (Services.exe)
Startup Processes on Vista
In Windows Vista:
Initial Smss.exe creates an instance of itself to initialize each session
Permits parallel session creation:
Minimum parallel session startups is 4
Maximum is the number of processors
Session 0 Smss runs Wininit.exe (new)
Wininit starts what Winlogon used to start: Services, Lsass
Also starts a new process, Local Session Manager (Lsm.exe)
Session 1-n Smss’s create and initialize interactive sessions
Session-specific instance of Csrss.exe and Winlogon.exe
Session 0 Isolation
Before, the console user ran in session 0
Names created by the console user could collide with service and system object names
Services that presented windows on the console could open the door for privilege elevation (“shatter” attacks)
[Figure: Session 0 containing Service A, Service B, Service C, Application A, Application B, Application C; Session 1 containing Application D, Application E, Application F]
Session 0 Isolation
In Windows Vista, the console user starts in session 1 and cannot connect to session 0
Eliminates name collisions
Poorly written services can’t display windows to the user
[Figure: Session 0 containing Service A, Service B, Service C; Session 1 containing Application A, Application B, Application C; Session 2 containing Application D, Application E, Application F]
Interactive Logon Architecture
Credential Providers replace GINAs
Plug into Logonui.exe
Easier to write than GINAs
Multiple concurrent providers are supported
User selected or event driven
Used to capture elevation credentials
Inbox Credential providers:
Password
Smartcard
[Figure: WinLogon hosting LogonUI, which hosts Credential Provider 1, 2 and 3]
Delayed Auto Start Services
Before, autostart services could severely impact login performance
In Windows Vista, services can request delayed autostart
Set by the new ChangeServiceConfig2 API
Stores a new DelayedAutoStart value in the service Registry key
Service Control Manager (SCM) starts these services after the automatic start services
I/O priority set to Very Low during startup
Services configured this way include BITS, Windows Update client, Ehome…
Clean Service Shutdown
Before, services had no way to extend the time allowed for shutdown
After a fixed timeout (default 20 seconds), SCM was killed and the system halted (while services were running)
This was a problem for services that needed to flush data
In Windows Vista, services can request preshutdown notification and take as long as they want to shut down
If the service stops responding, the system gives up on it after 3 minutes
After pre-shutdown services stop, the system performs Windows XP-style shutdown for other services
Service Shutdown Ordering
Before, there was no way for services to specify the order in which they receive shutdown notification
Some services have shutdown dependencies
Had to implement ad-hoc solutions
In Windows Vista, services can specify shutdown order
Must request pre-shutdown notification
Must include their name in HKLM\System\CurrentControlSet\Control\PreShutdownOrder
Reliable Sleep Transitions
Before, an application or driver could block standby or hibernate
Often caused by a bug or overly aggressive power policy
User might not know, and system power drain causes data loss
Windows Vista does not query processes when entering sleep states
User-mode notification (PBT_APMSUSPEND) timeout reduced from 20 seconds to 2 seconds
Drivers can’t veto sleep transitions
Outline (section: Reliability & Recovery)
Kernel Transaction Manager (KTM)
Before, applications had to work hard to recover from errors during modification of files and Registry keys
Windows Vista implements a generalized transaction manager
Provides all-or-nothing transaction semantics
Extensible through third-party resource managers
Kernel Transaction Manager coordinates between transaction clients (applications) and Resource Managers
Registry and NTFS enhanced to provide transaction semantics across Registry and file system operations
Common Log File System (Clfs.sys), introduced in Windows Server 2003 R2, provides efficient transaction logging facilities
Transactions can span modifications across one or many Registry keys, files, and volumes
Transaction APIs
Third parties can write user-mode or kernel-mode Resource Managers
Using DTC and Longhorn Server, transactions can coordinate changes across files, registry, SQL Server, Oracle, MSMQ
Transactions are used by Windows Update and System Protection
Volume Shadow Copy
Before:
No way to undo file overwrites or accidental deletes
System Restore only protected against changes to system files that it knew about
Windows Vista uses Volume Shadow Copy for System Restore and Previous Versions
Creates point-in-time copy-on-write snapshots of live volumes
Introduced in Windows XP
Solved open file and consistent backup problems
Used by Windows Backup
Previous Versions tab introduced as Server 2003 Shadow Copies for Shared Folder feature
Unified data/system protection
Used by System Restore
Windows Error Reporting
Before, unhandled exception handling was executed in the context of the thread incurring the exception
Relied on the thread stack being valid
Corrupt thread stacks resulted in “silent process death”
In Windows Vista, unhandled exceptions send a message to the Windows Error Reporting (WER) service
WER launches Werfault.exe
Replaces Dwwin.exe
Permits WER to be invoked for threads whose stack is too corrupted to invoke the unhandled exception filter
Outline (section: Security)
BitLocker™ Drive Encryption
Before, physical access to a system could compromise even domain accounts
3rd-party utilities allow access to all unencrypted data
Domain credential verifiers are cached in the Registry
In Windows Vista, the entire OS volume can be encrypted with BitLocker
BitLocker requirements:
Trusted Platform Module (TPM) v1.2, or USB device and USB-capable BIOS
1.5 GB unencrypted system volume
BitLocker™ Architecture
Several supported modes for storing the decryption key:
TPM locked with signature of boot files
And optionally a user-specified PIN
And optionally a key on USB
On external USB flash device
Components:
Tpm.sys for accessing the TPM
Fvevol.sys filter driver transparently encrypts/decrypts
[Figure: Application (user mode) above File System Driver, Fvevol.sys and Volume Manager (kernel mode)]
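The "TPM locked with signature of boot files" mode works because the TPM will only release a sealed key when its Platform Configuration Registers hold the same values they held at sealing time, and those registers are filled by measuring each boot stage before it runs. The following is an added simulation, not code from the talk and not BitLocker's real key hierarchy: it models a TPM as a secret that never leaves the chip plus SHA-1 PCRs (TPM 1.2 sized), measures constructed stand-ins for bootmgr and winload.exe into a constructed PCR index, seals a stand-in volume key to that PCR (optionally together with a PIN), and shows that a later boot with a modified boot file, or a wrong PIN, does not get the key back. The wrapping construction (HMAC of the policy under the chip secret) is a simplification chosen for the example.

```python
"""Simplified model of TPM-sealed BitLocker key release.

Added example, not from the talk. Boot file contents, the PCR index and key
sizes are constructed; the wrapping scheme is a simplification.
"""
import hashlib
import hmac
import os

PCR_SIZE = 20          # TPM 1.2 PCRs hold a SHA-1 digest
PCR_COUNT = 24
BOOT_PCR = 4           # constructed choice of register for boot code measurements


class SimTpm:
    """Toy TPM: a secret that never leaves the chip, plus PCRs that reset on power-up."""

    def __init__(self):
        self._srk = os.urandom(32)   # stand-in for the storage root key
        self.reset()

    def reset(self):
        self.pcrs = [bytes(PCR_SIZE)] * PCR_COUNT

    def extend(self, index, data):
        """PCR[i] = SHA1(PCR[i] || SHA1(data)); the order of extends matters."""
        measurement = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def _policy(self, indices, pin):
        return b"".join(self.pcrs[i] for i in indices) + hashlib.sha256(pin).digest()

    def _wrapping_key(self, policy):
        # Derivable only inside this TPM, and only for this exact policy.
        return hmac.new(self._srk, policy, hashlib.sha256).digest()

    def seal(self, secret, indices, pin=b""):
        assert len(secret) == 32
        policy = self._policy(indices, pin)
        wrapped = bytes(a ^ b for a, b in zip(secret, self._wrapping_key(policy)))
        return {"indices": tuple(indices),
                "policy_digest": hashlib.sha256(policy).digest(),
                "wrapped": wrapped}

    def unseal(self, blob, pin=b""):
        policy = self._policy(blob["indices"], pin)
        if hashlib.sha256(policy).digest() != blob["policy_digest"]:
            raise PermissionError("PCRs/PIN differ from sealing time; key not released")
        return bytes(a ^ b for a, b in zip(blob["wrapped"], self._wrapping_key(policy)))


# Constructed stand-ins for the boot files measured before Windows starts.
BOOT_FILES = {"bootmgr": b"bootmgr image v1", "winload.exe": b"winload image v1"}


def measured_boot(tpm, files):
    """Each pre-OS stage is measured into the boot PCR before it is run."""
    tpm.reset()                              # a power cycle clears the PCRs
    for name in ("bootmgr", "winload.exe"):
        tpm.extend(BOOT_PCR, files[name])
    return tpm.pcrs[BOOT_PCR]


def provision(files, pin=b""):
    """First boot: measure, then seal the volume key to the resulting PCR value."""
    tpm = SimTpm()
    measured_boot(tpm, files)
    vmk = os.urandom(32)                     # stand-in for the volume master key
    return tpm, vmk, tpm.seal(vmk, [BOOT_PCR], pin)


def boot_and_unlock(tpm, blob, files, pin=b""):
    """Later boot: returns the key if boot files (and PIN) match, else None."""
    measured_boot(tpm, files)
    try:
        return tpm.unseal(blob, pin)
    except PermissionError:
        return None


if __name__ == "__main__":
    tpm, vmk, blob = provision(BOOT_FILES)
    print("unchanged boot files:", boot_and_unlock(tpm, blob, BOOT_FILES) == vmk)
    patched = dict(BOOT_FILES, **{"winload.exe": b"winload image v1 + patch"})
    print("modified winload.exe:", boot_and_unlock(tpm, blob, patched))
```

The defender-relevant property is in `measured_boot`: because every stage is hashed into the same register in sequence, a change to any one boot file (or to their order) yields a different PCR value, and the sealed blob on disk is useless without the TPM reproducing that value. Adding a PIN to the policy is what the "optionally user-specified PIN" mode does conceptually: the same PCR match is required, plus a factor the TPM cannot supply on its own.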
Code Integrity Verification
The OS loader and kernel perform code signature checks
On 64-bit x64 platforms:
All kernel mode code must be signed in order to load
Identity of all kernel mode binaries is verified
System audit events for integrity check failures
On 32-bit platforms:
Load-time checks done on all kernel mode binaries; unsigned code allowed to load
But to play protected hi-def content, all loaded kernel mode drivers must be signed
Event log logging of driver loads
Protected Processes
Protected Processes prevent unauthorized access to media content
Can only be created through the new Protected Media Path APIs (part of Media Foundation)
Used to enforce a secure path to output devices
Only signed images can be mapped into a secure process
Images must be signed by Microsoft
3rd party codecs loaded into a Protected Process must be signed with a Windows Media DRM certificate
Can query integrity of kernel mode
Standard processes have limited access to protected processes (even with SeDebugPrivilege)
Address Space Layout Randomization (ASLR)
Prior to Windows Vista
Executables and DLLs load at fixed locations
Buffer overflow exploits commonly relied on known system function addresses to cause specific code to execute
The Windows Vista loader bases modules at one of 256 random points in the address space
OS images now include relocation information
Relocation performed once per image and shared across processes
User stack locations are also randomized
[Diagram: Kernel32, NTDLL, User32 and Exe load at identical addresses on XP1 and XP2, but at different addresses on Vista1 and Vista2]
Service Security Improvements
Before, service bugs allowed for privilege elevation attacks
In Windows Vista, services apply principle of least privilege to limit system exposure in case of compromise
Service-specific SIDs permit a service's access to objects to be limited
Only required objects give the service SID access
Firewall policy can be applied to service SID (and many Windows Vista services have this specified)
Write-restricted service processes further limit write access
Can only modify objects allowing WRITE for service SIDs
Service Security Improvements
Services can specify which privileges (e.g. shutdown, audit, etc.) they require
Limits power of service processes
Specified in MULTI_SZ registry value under service key called RequiredPrivileges
On service start, SCM computes union of all required privileges for service(s) inside service process
If process token does not contain one, service start fails
Privileges not explicitly specified are removed from token
If no required privileges specified, assumes all privileges in process token are needed
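The RequiredPrivileges computation above, as an added example that is not part of the original deck or of the SCM's own code. It decodes a REG_MULTI_SZ value the way the registry stores it (UTF-16LE, NUL-separated, double-NUL terminated) and then applies the three rules from the slide: union across hosted services, fail the start on a missing privilege, and keep everything if any hosted service has no RequiredPrivileges value. The service names and the host token's privilege set are constructed sample data.

```python
from typing import Dict, Iterable, List, Optional, Set


class ServiceStartError(Exception):
    """A hosted service requires a privilege the process token does not hold."""


def parse_multi_sz(raw: bytes) -> List[str]:
    """Decode a REG_MULTI_SZ value: UTF-16LE strings separated by NUL,
    terminated by a double NUL. Empty strings are dropped."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\0") if s]


def compute_host_privileges(process_token_privs: Iterable[str],
                            services: Dict[str, Optional[List[str]]]) -> Set[str]:
    """Model of the SCM rule for a shared service process.

    process_token_privs: privileges the service account's token carries.
    services: service name -> decoded RequiredPrivileges list, or None when
              the service key has no RequiredPrivileges value.
    Returns the privilege set the host process keeps.
    """
    token = set(process_token_privs)
    required: Set[str] = set()
    keep_all = False
    for name, privs in services.items():
        if privs is None:
            # No RequiredPrivileges value: assume the service needs every
            # privilege in the token, so nothing may be trimmed.
            keep_all = True
            continue
        missing = set(privs) - token
        if missing:
            raise ServiceStartError(
                f"{name} requires {sorted(missing)}, not in process token")
        required |= set(privs)
    if keep_all:
        return token
    # Privileges no hosted service asked for are removed from the token.
    return token & required


# Constructed sample data (not real service definitions).
SAMPLE_TOKEN = {
    "SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeAuditPrivilege",
    "SeImpersonatePrivilege", "SeIncreaseQuotaPrivilege",
}
SAMPLE_SERVICES: Dict[str, Optional[List[str]]] = {
    "SvcA": parse_multi_sz(
        "SeChangeNotifyPrivilege\0SeAuditPrivilege\0\0".encode("utf-16-le")),
    "SvcB": ["SeChangeNotifyPrivilege", "SeShutdownPrivilege"],
}

if __name__ == "__main__":
    print(sorted(compute_host_privileges(SAMPLE_TOKEN, SAMPLE_SERVICES)))
    try:
        compute_host_privileges(SAMPLE_TOKEN, {"SvcX": ["SeTcbPrivilege"]})
    except ServiceStartError as e:
        print("start failed:", e)
```

Note the asymmetry: one legacy service without RequiredPrivileges in a shared svchost instance keeps the full token for every service in that process, which is why a least-privilege review should look at all services sharing a host, not just the one being audited.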
User Account Control (UAC)
Goal: Have users run as standard user
Problem: Users run as administrators
Some applications only run as administrator
Solution: Make previously admin operations non-admin, e.g. setting the time zone
Badly-behaved non-admin apps get private virtualized views of portions of the file system and Registry
Administrators run as normal users
Convenient to access administrative rights
UAC Virtualization
Images that don't opt out (in their manifest) are virtualized
Virtualization implemented in the kernel:
File system: file system filter driver (luafv.sys)
Registry: built-in
Redirected file system locations:
\Program Files, \Windows, \Windows\System32
Exceptions: System Write Protected Exe's and DLLs
Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)
Redirected Registry locations:
HKLM\Software
Exceptions: Many subkeys under Microsoft
UAC Virtualization
Writes: redirect to per-user area
\Users\<Username>\AppData\Local\VirtualStore
HKCU\Software\Classes\VirtualStore
Reads: unless an exception applies, per-user area is attempted first and then global location
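The redirection rules on the two UAC Virtualization slides, as an added example that is not part of the original deck or of luafv.sys. It maps a write under a protected root to the per-user VirtualStore, skips files with executable extensions and images that opted out, and resolves a read by trying the per-user copy first. Assumptions: the system drive is C:, the Windows directory is C:\Windows, the extension list is the four named on the slide (the real list is longer), the registry VirtualStore keeps the MACHINE\Software subkey layout, and the set of existing files is constructed.

```python
import ntpath
from typing import Iterable, Set

VIRTUAL_STORE = r"C:\Users\{user}\AppData\Local\VirtualStore"
# \Windows\System32 is covered by the \Windows root. Assumes C: system drive.
VIRTUALIZED_ROOTS = (r"C:\Program Files", r"C:\Windows")
# Slide lists these four; the real exception list is longer (assumption).
EXECUTABLE_EXTS = {".exe", ".bat", ".vbs", ".scr"}


def virtualize_write(path: str, user: str, image_virtualizable: bool = True) -> str:
    """Return the location a write to `path` actually lands in."""
    if not image_virtualizable:
        return path  # image opted out in its manifest: no redirection
    norm = ntpath.normpath(path)
    if ntpath.splitext(norm)[1].lower() in EXECUTABLE_EXTS:
        return path  # executable extensions are never virtualized
    for root in VIRTUALIZED_ROOTS:
        if norm.lower().startswith(root.lower() + "\\"):
            _drive, rest = ntpath.splitdrive(norm)
            return ntpath.join(VIRTUAL_STORE.format(user=user), rest.lstrip("\\"))
    return path  # outside the redirected roots: write goes where asked


def resolve_read(path: str, user: str, existing: Iterable[str],
                 image_virtualizable: bool = True) -> str:
    """Per-user copy first, then the global location (case-insensitive)."""
    have: Set[str] = {p.lower() for p in existing}
    redirected = virtualize_write(path, user, image_virtualizable)
    if redirected != path and redirected.lower() in have:
        return redirected
    return path


def virtualize_registry_write(key_path: str, exceptions: Iterable[str] = ()) -> str:
    """HKLM\\Software\\X -> HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\Software\\X.
    `exceptions` lists non-virtualized subkeys (the slide says many under
    Microsoft; none are hard-coded here)."""
    prefix = "HKLM\\Software\\"
    if not key_path.lower().startswith(prefix.lower()):
        return key_path
    for exc in exceptions:
        if key_path.lower().startswith(exc.lower()):
            return key_path
    return ("HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\Software\\"
            + key_path[len(prefix):])


if __name__ == "__main__":
    print(virtualize_write(r"C:\Program Files\Vendor\app.ini", "alice"))
    print(virtualize_write(r"C:\Program Files\Vendor\update.exe", "alice"))
    print(virtualize_registry_write(r"HKLM\Software\Vendor\Settings"))
```

The read path is the security-relevant part: once an attacker-controlled process at the same user's level has written a file into the user's VirtualStore, a virtualized legacy application will read that copy in preference to the real one under \Program Files.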
UAC Elevation
An executable can be marked for elevation in four ways:
In its manifest file
In the system's application compatibility database
Heuristic installer detection
User explicitly asks for elevation
Elevation Consent
Two types of elevation:
Admin Approval Mode: Continue/cancel
At logon LSASS creates admin and Limited User Account (LUA) version of admin token
Winlogon creates first process (e.g. Userinit) with LUA token
Over the Shoulder: prompt for admin credentials
User is running in a standard user account
Consent.exe presents consent/password dialog on secure desktop
Child of AppInfo service (in a Service Host)
Process Integrity Levels
Specified as new Mandatory Integrity Level (IL) SIDs in process token
Low: Protected-mode IE
Medium: LUA processes
High: Elevated processes
System: System processes
Object Integrity Levels
Object ILs stored as IL ACE in SACL
Processes, threads and tokens always have an IL ACE
Files and Registry keys without an IL ACE have an implicit level of Medium
Objects created by medium or higher processes are marked as medium IL
Objects created by low IL processes (e.g. Protected-mode IE) are marked as low IL
IL Access Checks
IL checked before DACL
A thread can only open an object for write access if its IL is equal to or higher than that of the object
A thread can open any object for read access if:
It's a non-process object
If a process, thread IL must be equal to or higher than process IL (prevents sensitive information leakage via memory reads)
The Windows subsystem also honors integrity levels: User Interface Privilege Isolation (UIPI)
Only query messages can be sent to the windows of elevated processes from LUA processes
Prevents "shatter" attacks
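The access-check ordering from the Object Integrity Levels and IL Access Checks slides, as an added example that is not part of the original deck or of the kernel's SeAccessCheck. The mandatory check runs first and can only deny; the DACL is consulted only when it passes. The IL constants are the mandatory-label RIDs Windows uses; the DACL evaluation is a minimal first-matching-ACE model, the SIDs and ACEs are constructed, and `uipi_allows` reduces UIPI to the query-vs-non-query distinction on the slide.

```python
from enum import IntEnum
from typing import Iterable, List, Optional, Set, Tuple


class IL(IntEnum):
    """Mandatory label RIDs (S-1-16-<rid>) for the four levels on the slide."""
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


READ, WRITE = "read", "write"
# (ace_type, sid, rights): evaluated in order, first matching ACE wins.
Ace = Tuple[str, str, Set[str]]


def effective_il(obj_il: Optional[IL]) -> IL:
    """Files and registry keys with no IL ACE are implicitly Medium."""
    return IL.MEDIUM if obj_il is None else obj_il


def label_for_new_object(creator_il: IL) -> IL:
    """Medium-or-higher creators label new objects Medium; Low creators label Low."""
    return creator_il if creator_il < IL.MEDIUM else IL.MEDIUM


def mandatory_check(thread_il: IL, obj_il: IL, access: str,
                    obj_is_process: bool = False) -> bool:
    """No write-up for any object; no read-up for process objects."""
    if access == WRITE:
        return thread_il >= obj_il
    if not obj_is_process:
        return True  # non-process objects may be read regardless of IL
    return thread_il >= obj_il  # blocks memory reads of higher-IL processes


def dacl_check(thread_sids: Iterable[str], dacl: List[Ace], access: str) -> bool:
    """First ACE naming one of the thread's SIDs and the requested right decides;
    no matching ACE means deny."""
    sids = set(thread_sids)
    for ace_type, sid, rights in dacl:
        if sid in sids and access in rights:
            return ace_type == "allow"
    return False


def access_check(thread_il: IL, thread_sids: Iterable[str], obj_il: Optional[IL],
                 dacl: List[Ace], access: str, obj_is_process: bool = False) -> bool:
    """IL check first; the DACL is only consulted when it passes."""
    if not mandatory_check(thread_il, effective_il(obj_il), access, obj_is_process):
        return False
    return dacl_check(thread_sids, dacl, access)


def uipi_allows(sender_il: IL, target_window_il: IL, is_query: bool) -> bool:
    """A lower-IL process may only send query messages to a higher-IL window."""
    return sender_il >= target_window_il or is_query


# Constructed sample: a file whose DACL grants Users full read/write.
USERS = "S-1-5-32-545"
FILE_DACL: List[Ace] = [("allow", USERS, {READ, WRITE})]

if __name__ == "__main__":
    # Protected-mode IE (Low) cannot write a Medium file even though the DACL allows it.
    print(access_check(IL.LOW, [USERS], None, FILE_DACL, WRITE))
    print(access_check(IL.LOW, [USERS], None, FILE_DACL, READ))
```

The point worth noticing is the order: a permissive DACL never rescues a write from a lower integrity level, but a restrictive DACL still applies after the IL check passes, so IL is a ceiling on top of discretionary access, not a replacement for it.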
Miscellaneous Changes
• Changes that I didn't have time to cover:
• New synchronization primitives:
• Initialize-once
• Shared reader/writer locks
• New thread pooling infrastructure
• Service thread tagging
• Support for large-sector disks
• On-line NTFS chkdsk and NTFS volume resizing
• New kernel Advanced Local Procedure Call IPC mechanism
• See my two-part “Vista Kernel Changes” article to appear in the February and March issues of TechNet Magazine
Summary
Lots of exciting changes in Windows Vista kernel in the areas of performance, scalability, reliability, and security
For more information:
Kernel Enhancements for Windows Vista and Windows Server "Longhorn"
http://www.microsoft.com/whdc/system/vista/kernel-en.mspx
MSDN Vista developer resources
http://msdn.microsoft.com/windowsvista/
Driver developer resources
Windows Hardware Developer Central
http://www.microsoft.com/whdc/default.mspx
WinHEC 2006 presentations
http://www.microsoft.com/whdc/winhec/
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.