User state
There are four types of components in the user state, all of which are in process form, that is to say, they all have their own process address space (which is actually a set of page tables).
1. System Support Processes
These are fixed processes, that is, processes built into the operating system.
For example, logon process (Winlogon.exe), Session Manager (Smss.exe).
Session Manager [smss.exe]
Local Session Manager [lsm.exe]
Service Control Manager [services.exe]
Local Security Authority [lsass.exe]
Winlogon [winlogon.exe]
Wininit [wininit.exe]
None of them is a service, because they are not started by the SCM (Service Control Manager).
2. Service Processes
Service processes are started by the SCM and are independent of user logon, because some services start before Winlogon.exe.
Both Task Scheduler and print spooler are services.
Service Host [svchost.exe]
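The distinction above (system support processes are never started by the SCM, service processes always are) can be turned into a parentage check over a process listing. The following is an added example, not part of the original page: the `Proc` record, the function names and the snapshot are constructed for illustration, and csrss.exe is taken from the Windows Subsystem section further down.

```python
from collections import namedtuple

# Hypothetical record shape for one row of a process listing (not a Windows API type).
Proc = namedtuple("Proc", "pid ppid name")

SCM = "services.exe"
SERVICE_HOST = "svchost.exe"
ENV_SUBSYSTEM = {"csrss.exe"}
# System support processes as listed on the page; none of them is started by the SCM.
SYSTEM_SUPPORT = {"smss.exe", "lsm.exe", "services.exe",
                  "lsass.exe", "winlogon.exe", "wininit.exe"}

def classify(snapshot):
    """Return {pid: (category, finding or None)} for every process in the snapshot."""
    by_pid = {p.pid: p for p in snapshot}
    out = {}
    for p in snapshot:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)  # None when the parent has already exited
        from_scm = parent is not None and parent.name.lower() == SCM
        finding = None
        if name in SYSTEM_SUPPORT:
            category = "system support"
            if from_scm:
                finding = "system support process name started by the SCM"
        elif name in ENV_SUBSYSTEM:
            category = "environment subsystem"
        elif name == SERVICE_HOST or from_scm:
            category = "service"
            if not from_scm:
                finding = "service host not started by the SCM"
        else:
            category = "user application"
        out[p.pid] = (category, finding)
    return out

def findings(snapshot):
    """Only the processes whose parentage contradicts their category."""
    return sorted((pid, f) for pid, (_, f) in classify(snapshot).items() if f)

# Constructed snapshot (pid, parent pid, image name); the last two rows are the anomalies.
SNAPSHOT = [
    Proc(300, 4, "smss.exe"), Proc(400, 390, "csrss.exe"),
    Proc(450, 390, "wininit.exe"), Proc(500, 450, "services.exe"),
    Proc(510, 450, "lsass.exe"), Proc(600, 500, "svchost.exe"),
    Proc(700, 500, "spoolsv.exe"), Proc(3000, 2900, "explorer.exe"),
    Proc(3100, 3000, "notepad.exe"),
    Proc(3200, 3000, "svchost.exe"), Proc(3300, 500, "lsass.exe"),
]

if __name__ == "__main__":
    for pid, why in findings(SNAPSHOT):
        print(pid, why)
```

Matching on image name alone is only a first-pass triage: a fuller check would also compare the image path and the process creation time, since a parent PID can be reused after the parent exits.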
3. User Applications
These are what are commonly called applications.
4. Environment Subsystem Server Processes
These are what is commonly called the "environment subsystem", namely the "Win32 subsystem".
Subsystem Dynamic Libraries
Consists of four DLLs:
Kernel32.dll
Advapi32.dll
User32.dll
Gdi32.dll
They are actually part of the service processes and user applications, loaded into their process address space as DLLs.
Their role is to provide the Win32 API to service processes and user applications.
Win32 API implementations fall into three categories:
1. Fully implemented within these four DLLs.
2. Called through these four DLLs into a lower-level implementation (kernel state, such as the kernel or a driver).
3. These four DLLs and the environment subsystem server process form a client/server communication model: the DLL, as the client, asks the Win32 subsystem server process (a user-state process) to provide the corresponding implementation.
Kernel State
Kernel-state components fall into the following categories:
1. Windows Executive
It can be understood as the kernel-state management layer; it is actually made up of a subsystem for each module, such as the memory management module, process and thread management module, security module, I/O module, network module, and interprocess communication module.
2. Windows Kernel
The kernel in the narrow sense provides core operations in the kernel state, such as thread scheduling and switching, distribution and processing of interrupts and exceptions, synchronization of multiple processes, and so on.
It is actually a set of functions.
3. Device Driver
Kernel-state driver.
4. HAL
Hardware Abstraction Layer
Used to hide platform-related details and provide a unified API interface upwards.
5. Windowing and Graphics System
The window and drawing system, used to provide GUI-related functions.
Most of these 5 components live in Ntoskrnl.exe, except for some third-party drivers.
Windows Subsystem
The Windows subsystem consists of two parts:
The environment subsystem server processes and the kernel-state Windowing and Graphics System, as described above.
User-state Win32 subsystem service process:
[csrss.exe]
Basesrv.dll
Winsrv.dll
Csrsrv.dll
Acting for its clients, the Win32 subsystem DLLs, it provides support for the following features:
1. Console windows (command-line windows, i.e. without GUI functionality; these do not involve Win32k.sys)
2. Creating and deleting processes and threads
3. Side-by-side (SxS) support
And so on.
Kernel-state driver Win32k.sys
It provides the following features:
1. The window manager, plus GUI-related input and the message passing mechanism.
2. The GDI drawing library.
3. DirectX support (implemented in another driver, Dxgkrnl.sys)
Ntdll
Executive Kernel HAL Device Driver Subsystem Processes