In-depth analysis of Windows operating system Reading Notes (1)

Source: Internet
Author: User

 Chapter 1

Differences between Windows NT series and Windows 95 series:

  • Windows NT supports multiprocessor systems; Windows 95 does not.
  • The Windows NT file system supports security (for example, discretionary access control), but Windows 95 does not.
  • Windows NT is completely 32-bit, while Windows 95 inherits a lot of 16-bit code from Windows 3.1 and MS-DOS.
  • Windows NT is completely reentrant, while some parts of Windows 95 are not reentrant.
  • Windows NT allows 16-bit applications to run in their own address space, while Windows 95 always runs 16-bit Windows applications in a shared address space. In that shared address space the programs affect each other, and one program can even corrupt (or hang) other programs.
  • Memory shared by Windows NT processes is visible only to the processes that have mapped the shared memory. On Windows 95, all shared memory is visible to and writable by every process, so any process can overwrite or corrupt shared memory used by other cooperating processes.
  • In Windows 95, some key operating system pages are writable in user mode, which allows a user program to corrupt the system or crash the system.

     

    Windows API: the Windows application programming interface is the system programming interface for the Microsoft Windows operating system family. Each operating system implements a different subset of the Windows API.

    Windows APIs can be divided into the following categories:

    • Basic services
    • Component Service
    • User Interface Service
    • Graphics and multimedia services
    • Messages and collaboration
    • Network
    • Web Services

     

    Relationship between a program and a process: a program is a static sequence of instructions, while a process is a container for the resources used when a specific instance of the program executes.

    A Windows process consists of the following elements:

    • A private virtual address space
    • An executable program
    • A list of open handles to various system resources
    • A security context called an access token, which identifies the user, security groups, and privileges associated with the process
    • A unique identifier called a process ID
    • At least one execution thread

     

    Each process also points to its parent or creator process. However, if the parent process exits, the parent information in the child process is not updated. Therefore, a process may point to a parent process that no longer exists.
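
The stale parent reference described above matters whenever a process tree is rebuilt from parent PIDs. The following is an added example, not code from the original notes: it classifies each process in a constructed snapshot, and goes one step beyond the text by also catching the case where the exited parent's PID has since been reused by an unrelated process. The `Proc` type, `classify_parents` function and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int          # parent PID recorded at creation, never updated afterwards
    name: str
    created: datetime

def classify_parents(snapshot):
    """Map each PID to 'ok', 'parent-gone' or 'pid-reused'."""
    by_pid = {p.pid: p for p in snapshot}
    verdicts = {}
    for p in snapshot:
        parent = by_pid.get(p.ppid)
        if parent is None:
            # The recorded parent has exited; the reference is dangling.
            verdicts[p.pid] = "parent-gone"
        elif parent.created > p.created:
            # The process now holding that PID started after the child,
            # so it cannot be the creator: the PID was recycled.
            verdicts[p.pid] = "pid-reused"
        else:
            verdicts[p.pid] = "ok"
    return verdicts

def at(hhmmss):
    return datetime.fromisoformat(f"2024-01-01T{hhmmss}")

# Constructed snapshot (not real telemetry).
SNAPSHOT = [
    Proc(1000, 900, "shell.exe", at("10:00:05")),     # creator 900 already exited
    Proc(2000, 1000, "editor.exe", at("10:05:00")),
    Proc(3000, 2500, "worker.exe", at("10:06:00")),   # creator 2500 exited...
    Proc(2500, 1000, "browser.exe", at("10:30:00")),  # ...and its PID was handed out again
]

if __name__ == "__main__":
    for pid, verdict in classify_parents(SNAPSHOT).items():
        print(pid, verdict)
```

Tooling that draws process trees should join on PID plus creation time rather than PID alone, otherwise `worker.exe` above would be shown as a child of `browser.exe`.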

     

    A thread is the entity within a process that Windows schedules for execution. Without a thread, the process's program cannot run.

    A thread includes the following:

    • The contents of a set of CPU registers representing the state of the processor
    • Two stacks: one used while the thread executes in kernel mode and one used while it executes in user mode
    • A private storage area called thread-local storage (TLS), which is used by subsystems, run-time libraries, and DLLs
    • A unique identifier called a thread ID
    • Sometimes threads have their own security context. A multi-threaded server application that needs to impersonate the security context of its clients typically uses the thread security context to do so.

    The registers, stacks, and private storage area are together called the thread's context.

     

    Fibers and threads: fibers let an application schedule its own "threads" of execution rather than rely on the priority-based scheduling mechanism built into Windows. Fibers are often called lightweight threads. From a scheduling point of view they are invisible to the kernel, because they are implemented in user mode.

     

    Any thread in a process can read or write the memory of another thread in the same process. However, threads in one process cannot directly reference the address space of another process.

     

    VADs (Virtual Address Descriptors) are data structures the memory manager uses to keep track of the virtual addresses a process is using.

     

    Windows implements a virtual memory system based on a linear address space. Each process sees what appears to be its own large, private address space. Virtual memory provides a logical view of memory that may not correspond to its physical layout. At run time, the memory manager, with hardware support, translates or maps virtual addresses to the physical addresses where the data is actually stored. By controlling this layer of protection and mapping, the operating system can ensure that a process does not intrude on another process or overwrite operating system data.

     

    To prevent user applications from accessing or modifying critical operating system data, Windows uses two processor access modes: user mode and kernel mode. User application code runs in user mode, while operating system code runs in kernel mode. Kernel mode allows access to all system memory and all CPU instructions. By giving operating system software a higher privilege level than application software, the processor provides operating system designers with a layer of protection that ensures a misbehaving application cannot undermine the stability of the system as a whole.

     

    The Intel x86 processor architecture defines four privilege levels. Windows uses privilege level 0 (ring 0) for kernel mode and privilege level 3 (ring 3) for user mode.

     

    Every page in virtual memory is tagged with the access mode the processor must be in to read and/or write the page. Pages in system space can be accessed only in kernel mode, all pages in the user address space can be accessed in user mode, and read-only pages cannot be written in any mode.

     

    Switching from user mode to kernel mode does not affect thread scheduling: a mode transition is not a context switch. It is therefore normal for a user thread to spend part of its time executing in user mode and part of its time executing in kernel mode.

     

    Terminal Services is the Windows capability that supports multiple interactive user sessions on a single system. Using Windows Terminal Services, a remote user can establish a session on another machine, log in, and run applications on the server. The server sends the graphical interface to the client, and the client sends user input back to the server.

     

    In Windows, an object is a single run-time instance of a statically defined object type. An object type comprises a system-defined data type, functions that operate on instances of that data type, and a set of object attributes. In Windows, every process is an instance of the process object type.

    An object attribute is a data field in an object. Each object attribute defines a part of the object state.

     

    The most fundamental difference between an object and an ordinary data structure is that the internal structure of an object is hidden: an object service must be called to get data out of the object or to put data into it. This separates the underlying implementation of the object from code that merely uses it.

     

    Windows core security features include

    • Discretionary protection for all shareable objects
    • Security auditing
    • Password authentication at logon
    • After a user releases a resource, another user cannot read the not-yet-reinitialized resource to see what the previous user left in it.

     

    Windows provides two access control mechanisms

    • Discretionary access control. The owner of an object grants or denies others access to it. When users log on to the system, they are given a set of security credentials, or a security context. When they attempt to access an object, the system compares their security context with the access control list on that object to determine whether they are permitted to perform the requested operation.
    • Privileged access control. Even when the owner of an object is not available, someone can still get access to the protected object.
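
The comparison of a security context against an access control list, and the privileged override, can be made concrete with a small model. This is an added example, not code from the original notes and not the Windows implementation: it models only ordered allow/deny entries, the owner's implicit rights, and `SeTakeOwnershipPrivilege` as one instance of privileged access control. The class and function names are hypothetical and the user SIDs are constructed.

```python
from dataclasses import dataclass, field

# Access-mask bits, values as in the Windows SDK headers.
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x20000, 0x40000, 0x80000

@dataclass
class Token:                       # the caller's security context
    sids: set                      # user SID plus group SIDs
    privileges: set = field(default_factory=set)

@dataclass
class Ace:
    allow: bool                    # True: access-allowed entry, False: access-denied entry
    sid: str
    mask: int

@dataclass
class Descriptor:
    owner: str
    dacl: list                     # entries in evaluation order

def access_check(token, sd, desired):
    """Simplified model: True only if every requested bit is granted."""
    remaining = desired
    # Privileged access control: this privilege yields WRITE_OWNER regardless of the list.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        remaining &= ~WRITE_OWNER
    # The owner may always read the descriptor and rewrite the access control list.
    if sd.owner in token.sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:            # discretionary access control: walk entries in order
        if remaining == 0:
            break
        if ace.sid not in token.sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False           # a deny entry hit a bit that is still needed
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0

# Constructed SIDs and descriptor for illustration.
ALICE, BOB, USERS = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002", "S-1-5-32-545"
SD = Descriptor(owner=ALICE, dacl=[Ace(False, BOB, FILE_WRITE_DATA),
                                   Ace(True, USERS, FILE_READ_DATA | FILE_WRITE_DATA)])
alice, bob = Token({ALICE, USERS}), Token({BOB, USERS})
admin = Token({"S-1-5-21-1-2-3-1003"}, {"SeTakeOwnershipPrivilege"})
```

In this model `admin` can obtain `WRITE_OWNER` on `SD` but is still refused `FILE_READ_DATA`: the privilege lets someone take over the object when the owner is unavailable, it does not bypass the list for ordinary access.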

     

    One difference between Windows and most other operating systems is that most of its internal text strings are stored and processed as 16-bit-wide Unicode characters. Windows functions that accept string parameters generally have two entry points: a Unicode version and an ANSI version. If you call the narrow-character (ANSI) version, input string parameters are converted to Unicode before the system processes them, and output parameters are converted from Unicode back to ANSI strings before they are returned to the application.

     
