Windows operating system architecture

User state

There are four types of components in the user state, all of which are in process form, that is to say, they all have their own process address space (which is actually a set of page tables).

1. System Support Processes

These are the process of curing, that is, the process in which the operating system is combined.

For example, logon process (Winlogon.exe), Session Manager (Smss.exe).

?

1 2 3 4 5 6

Session Manager　　　　　　　　　　[smss.exe] Local Session Manager　　　　　　 [lsm.exe] Service Control Manager　　　　　[services.exe] Local Security Authority　　　 　[lsass.exe] Winlogon　　　　　　　　　　　　　　[winlogon.exe]Wininit　　　　　　　　　　　　　　 [wininit.exe]

　　

None of them belong to the service because they are not started by the SCM (Service Control Manager).

2. Service Processes

Service processes are initiated by the SCM and are independent of user logon because some of the service launches are earlier than Winlogon.exe.

Both Task Scheduler and print spooler are services.

?

1	Service Host    [svchost.exe]

　　

3. User Applications

Is the often-said application.

4. Environment Subsystem Server Processes

is often said "environment subsystem", namely "Win32 subsystem".

?

1	[csrss.exe]

　　

Subsystem Dynamic Libraries

Consists of four DLLs:

?

1 2 3 4

Kernel32.dll Advapi32.dll User32.dllGdi32.dll

They are actually part of the service processes and user applications, loaded into their process address space as DLLs.

Their role is to provide WIN32 API interfaces to service processes and user applications.

The Win32 API is implemented in three categories:

1. Fully implemented within these four DLLs.

2. Through these four DLLs, call the more underlying (kernel, such as kernel or driver) implementation.

3. These four DLLs and environment Subsystem server processes establish C/s communication model, DLL as client request WIN32 subsystem of the Server process (user-state process) to provide the corresponding implementation.

Kernel State

Kernel-state components fall into the following categories:

1. Windows Executive

A hypervisor that can be understood as a kernel state is actually a subsystem of each module.

such as memory management module, process and thread management module, security module, IO module, network module, and interprocess communication module.

2. Windows Kernel

The kernel in the narrow sense provides core operations in the kernel state, such as thread scheduling and switching, distribution and processing of interrupts and exceptions, synchronization of multiple processes, and so on.

It is actually a set of functions.

3. Device Driver

Kernel-state driver.

4. HAL

Hardware Abstract Layer

Used to hide platform-related details and provide a unified API interface upwards.

5. Windowing and Graphics System

window and drawing system. Used to provide GUI-related functions.

Most of these 5 components exist in a Ntoskrnl.exe, except for some third-party driver.

Windows Subsystem

The Windows subsystem consists of two parts:

The environment Subsystem Service Processes and kernel-state windowing and Graphics Systemas described above.

User-configured WIN32 Subsystem service process?

1 2 3) 4 5

[csrss.exe]   Basesrv.dll Winsrv.dllCsrsrv.dll

The client that represents the Win32 Subsystem DLL provides support for the following features:

1. Console Windows (Command-line windows, i.e. without GUI functionality, does not involve Win32k.sys)

2. Create and delete Process/thread

3. Side-by-side (SXS) support

Wait a minute.

Win32k.sys Driver for kernel state

The following features are available:

1. Window manager, and GUI-related input, message passing mechanism.

2. Provide the GDI drawing library.

3. DirectX support (implemented in another driver Dxgkrnl.sys)

Ntdll

Executive Kernel HAL Device Driver Subsystem Processes