Analysis of the development principle and implementation of Windows Task Manager

Source: Internet
Author: User
Tags: log, memory usage, thread, win32, cpu usage

Everyone is surely familiar with the Task Manager (TASKMGR) that ships with Windows 2000/XP. Compared with the 2000 version, the XP version is more powerful and returns more detailed information, but don't you feel there is still a lot of information you would like that it does not show? Don't you find the tools in Windows's system management toolbox too scattered? Let's look at the principles behind their development and implement a real task manager of our own. For now we call the Win32 API to implement these functions; everyone says Microsoft hides too many details, so later we will talk more about the Windows kernel.

Perhaps the most familiar function of Task Manager is process management: when we suspect a virus or Trojan, we usually open Task Manager to look for an unusual process, so the process viewer is a very important function. Besides the name of a process, what else do we have? Its process identifier (process ID), user information (user name), CPU time, memory usage and base priority. The CPU and memory figures help us analyze how a process is running, and the priority tells us how it is favored when the CPU allocates processor time. These are the common items; let's look at other information. The parent process ID, the creation time, the program name and so on are in many cases what we care about. Then there is process-related performance information. Windows runs code in two modes, kernel mode (ring 0) and user mode (ring 3), and a process switches back and forth between them, so we can obtain the time a process has spent in each mode separately. There is also process memory information: the working set, paged pool, non-paged pool and page file usage. Process I/O is divided into read, write and other operations, and for each we can get both the number of operations and the number of bytes transferred.
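To make the performance part concrete, here is an added example (my own code, not from the original article) of how a task manager turns the kernel-mode and user-mode times into the "CPU" percentage column. It assumes the times arrive as Win32 FILETIME values in 100-nanosecond units, as GetProcessTimes returns them, and that the wall clock between two samples is measured in the same unit; the two samples below are constructed, not measured.

```c
#include <stdint.h>
#include <stdio.h>

/* On Windows this comes from <windows.h>; declared here so the arithmetic
 * compiles anywhere. Layout matches the Win32 FILETIME: two 32-bit halves
 * of a 64-bit count of 100-nanosecond intervals. */
#ifndef _WIN32
typedef struct { uint32_t dwLowDateTime; uint32_t dwHighDateTime; } FILETIME;
#endif

uint64_t filetime_pair_to_100ns(uint32_t low, uint32_t high) {
    return ((uint64_t)high << 32) | low;
}

uint64_t filetime_to_100ns(const FILETIME *ft) {
    return filetime_pair_to_100ns(ft->dwLowDateTime, ft->dwHighDateTime);
}

/* One sample of a process: cumulative kernel and user time (GetProcessTimes)
 * and the wall clock at the moment of sampling, all in 100-ns units. */
typedef struct { uint64_t kernel, user, wall; } cpu_sample;

/* Constructed samples two seconds apart: 0.25 s in kernel mode, 0.75 s in user mode. */
static const cpu_sample SAMPLE_BEFORE = { 0, 0, 0 };
static const cpu_sample SAMPLE_AFTER  = { 2500000, 7500000, 20000000 };

/* Task Manager's CPU column: busy time over the interval divided by the
 * capacity of all processors. Returns -1.0 on nonsense input (no processors,
 * clock not advancing, or cumulative counters going backwards). */
double cpu_usage_percent(const cpu_sample *before, const cpu_sample *after, unsigned nprocs) {
    if (nprocs == 0 || after->wall <= before->wall) return -1.0;
    if (after->kernel < before->kernel || after->user < before->user) return -1.0;
    uint64_t busy = (after->kernel - before->kernel) + (after->user - before->user);
    uint64_t capacity = (after->wall - before->wall) * nprocs;
    double pct = 100.0 * (double)busy / (double)capacity;
    return pct > 100.0 ? 100.0 : pct;   /* timer granularity can push it slightly over */
}

/* Share of the process's busy time spent in kernel mode (ring 0), in percent;
 * -1.0 if the counters are inconsistent or the process did not run at all. */
double kernel_share_percent(const cpu_sample *before, const cpu_sample *after) {
    if (after->kernel < before->kernel || after->user < before->user) return -1.0;
    uint64_t k = after->kernel - before->kernel, u = after->user - before->user;
    if (k + u == 0) return -1.0;
    return 100.0 * (double)k / (double)(k + u);
}

int main(void) {
    printf("CPU on 2 processors: %.1f%%\n", cpu_usage_percent(&SAMPLE_BEFORE, &SAMPLE_AFTER, 2));
    printf("kernel-mode share:   %.1f%%\n", kernel_share_percent(&SAMPLE_BEFORE, &SAMPLE_AFTER));
    return 0;
}
```

On Windows the samples would be filled from GetProcessTimes (kernel and user FILETIMEs) and GetSystemTimeAsFileTime (wall clock), with the processor count from GetSystemInfo; the same arithmetic applied to GetSystemTimes gives the system-wide figure. The clamp matters because the kernel charges CPU time in scheduler-tick units, so a short interval can report slightly more busy time than wall time.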

If you suspect a process is a Trojan, what information do you want? The bare process name is certainly not enough! We want the path to the actual program image of the process, which tells us exactly which program is running. Last time we looked at how processes hide themselves; one of the techniques is "creating a remote thread", where the injected code usually takes the form of a dynamic-link library (DLL), so we want to see all the modules (usually DLLs) a given process has loaded. "Thread" is a familiar name: in Windows the thread is the unit of execution and the process is the environment a thread runs in. How many threads has a process actually created? We can enumerate all the threads within a process too. Once you find a Trojan process, the next step may be to analyze how it works (if that interests you), but eventually you will terminate it. Under Windows 2000 many system-critical processes cannot be ended from taskmgr, but now you don't have to worry about that. Do be careful, though: terminating a genuinely critical system process such as csrss.exe or winlogon.exe crashes the system, which is why Task Manager refuses to do it. So our process operations will of course include ending a process. If you have used the Chinese edition of XP, you have probably met the "frozen" taskbar: the computer is not hung, but the taskbar does not respond. In the same way we can suspend any process; whatever you do to it (short of ending it), it will not react. Having suspended a process, we can also resume it from the suspended state.

The desktop window is the interface we interact with most. Do you want the title of each window? Of course, and we can also get the process and thread associated with a window and the properties of the window handle. If you are familiar with VC, you know the Spy++ tool, which shows desktop window, process and thread details, but now you don't have to open this tool and that tool: everything is in one place!

System performance is a topic every user cares about. It includes the number of handles, processes and threads currently created in the whole system, the total and used physical memory, the system cache size, the commit charge (total, limit and peak) and of course the kernel memory (paged and non-paged pool) usage. That covers most of the storage-management information on a Windows system.

Although hard drives are already very cheap, I am still using my little 6.4 GB drive, so I often run into "low disk space"! We frequently need to look at disk usage, but opening My Computer every time is a nuisance. Now we can see the capacity and current usage of all disks at once, along with their file system type (FAT, NTFS, CDFS and so on) and volume labels.

The environment block is perhaps less familiar. It holds the environment variables; each variable has a name and one or more strings as its value. You can set them from Control Panel under System/Advanced, including adding new environment variables and deleting or editing system environment variables.
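The environment block described above has a simple memory layout: one "NAME=value" string after another, each NUL-terminated, with an extra NUL closing the block. That is the form GetEnvironmentStrings returns and the form a process's PEB points at. The parser below is an added example of mine, not code from the article, and the block it parses is constructed. It also shows a detail anyone reading another process's environment should know: Win32 keeps hidden entries whose name begins with "=" (such as "=C:=C:\Users\me", the per-drive current directory), so the "=" separating name from value is searched from the second character, and names are compared case-insensitively as Windows does.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const char *name;   /* not NUL-terminated: use name_len */
    size_t name_len;
    const char *value;  /* NUL-terminated, points into the block */
} env_var;

/* Constructed sample in the Win32 layout (ANSI variant): strings separated by
 * NUL, block closed by an empty string. The literal's own terminator supplies
 * the second NUL. */
static const char SAMPLE_BLOCK[] =
    "=C:=C:\\Users\\me\0"
    "Path=C:\\Windows\\system32;C:\\Windows\0"
    "TEMP=C:\\Temp\0";

/* Splits a block into name/value pairs. Never reads past max_len bytes and
 * returns -1 if the closing empty string is not found inside that bound, so a
 * truncated block cannot run the parser off the end of the buffer. Returns the
 * number of entries found (at most max_out are written to out). */
int parse_env_block(const char *block, size_t max_len, env_var *out, size_t max_out) {
    size_t i = 0;
    int n = 0;
    while (i < max_len) {
        const char *s = block + i;
        if (*s == '\0') return n;                  /* empty string terminates the block */
        size_t len = 0;
        while (i + len < max_len && s[len] != '\0') len++;
        if (i + len >= max_len) return -1;         /* string not terminated within bounds */
        if ((size_t)n < max_out) {
            size_t skip = (s[0] == '=') ? 1 : 0;   /* hidden "=X:" entries start with '=' */
            const char *eq = memchr(s + skip, '=', len - skip);
            out[n].name = s;
            out[n].name_len = eq ? (size_t)(eq - s) : len;
            out[n].value = eq ? eq + 1 : s + len;  /* no '=': empty value */
        }
        n++;
        i += len + 1;
    }
    return -1;                                     /* ran off the end, no closing NUL */
}

/* ASCII case-insensitive compare of a length-delimited name against a C string. */
static int name_ieq(const char *a, size_t alen, const char *b) {
    for (size_t i = 0; i < alen; i++) {
        unsigned char ca = (unsigned char)a[i], cb = (unsigned char)b[i];
        if (cb == '\0') return 0;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return b[alen] == '\0';
}

/* First entry whose name matches (Windows treats variable names case-insensitively). */
const char *env_lookup(const env_var *vars, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (name_ieq(vars[i].name, vars[i].name_len, name)) return vars[i].value;
    return NULL;
}

/* Helpers over the constructed sample. */
int sample_count(void) {
    env_var vars[8];
    return parse_env_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, vars, 8);
}
const char *sample_lookup(const char *name) {
    env_var vars[8];
    int n = parse_env_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, vars, 8);
    return n < 0 ? NULL : env_lookup(vars, n, name);
}
size_t sample_first_name_len(void) {
    env_var vars[8];
    parse_env_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, vars, 8);
    return vars[0].name_len;
}

int main(void) {
    env_var vars[8];
    int n = parse_env_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, vars, 8);
    for (int i = 0; i < n; i++)
        printf("%.*s = %s\n", (int)vars[i].name_len, vars[i].name, vars[i].value);
    return 0;
}
```

The bound on max_len is the important part when the block comes from another process (read with ReadProcessMemory from its PEB) rather than from your own: a block that was copied out short, or deliberately left without its closing NUL, must fail cleanly instead of being read past its end.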

Event logging is a great help in analyzing how the system is used. Events are recorded in three logs: Application, System and Security. The events in each log fall into several types: Information, Warning and Error, plus Audit Success and Audit Failure in the Security log. Each record includes the record number, the event type, the event identifier (event ID), the source, the time generated, the user name and the descriptive text (description), as well as other event log information. If you have time, look through the event information; every network administrator should be very familiar with it. Note that reading the Security log requires the "Manage auditing and security log" privilege, so a program running as an ordinary user will be denied.
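Those fields are exactly what a program reads out of the EVENTLOGRECORD structures that ReadEventLog hands back, so here is an added parser for that format (my own code, not from the article). It builds a constructed record in memory, source "MyService" with raw EventID 0x40001B7C, then parses it back, checking the declared length and offsets before trusting them, as any parser of records read from a file should. The raw EventID illustrates a point that confuses many people: the field carries severity and facility bits in its high word, and Event Viewer shows only the low 16 bits, here 7036.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Win32 EVENTLOGRECORD: a 56-byte little-endian header followed by SourceName
 * and Computername (NUL-terminated UTF-16), the user SID, NumStrings insertion
 * strings, binary data, padding to a DWORD boundary and a trailing copy of Length. */
#define EVT_HDR_LEN 56
#define EVT_MAGIC   0x654C664CU   /* the Reserved field always holds "LfLe" */

enum { EVT_ERROR = 1, EVT_WARNING = 2, EVT_INFO = 4, EVT_AUDIT_OK = 8, EVT_AUDIT_FAIL = 16 };

typedef struct {
    uint32_t record_number, time_generated, event_id_raw;
    uint16_t event_type, num_strings;
    uint16_t event_id_display;            /* what Event Viewer shows: the low 16 bits */
    char source[64], computer[64], first_string[128];
} event_rec;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Write s as NUL-terminated UTF-16LE (ASCII input); returns bytes written. */
static size_t put_wstr(uint8_t *p, const char *s) {
    size_t n = 0;
    do { put16(p + n, (uint16_t)(unsigned char)*s); n += 2; } while (*s++);
    return n;
}

/* Read a NUL-terminated UTF-16LE string that must end before `end`; returns
 * bytes consumed including the terminator, or 0 if no terminator is found. */
static size_t rd_wstr(const uint8_t *p, const uint8_t *end, char *out, size_t cap) {
    size_t i = 0, n = 0;
    while (p + i + 1 < end) {
        uint16_t c = rd16(p + i);
        i += 2;
        if (c == 0) { out[n] = '\0'; return i; }
        if (n + 1 < cap) out[n++] = c < 0x80 ? (char)c : '?';
    }
    return 0;
}

const char *event_type_name(uint16_t t) {
    switch (t) {
    case EVT_ERROR: return "Error";            case EVT_WARNING: return "Warning";
    case EVT_INFO: return "Information";       case EVT_AUDIT_OK: return "Audit Success";
    case EVT_AUDIT_FAIL: return "Audit Failure";
    default: return "Unknown";
    }
}

/* 0 on success, -1 if the bytes are not a well-formed record. Length is checked
 * against the buffer and every offset against Length before anything is read. */
int parse_event_record(const uint8_t *buf, size_t len, event_rec *out) {
    if (len < EVT_HDR_LEN + 4) return -1;
    uint32_t rec_len = rd32(buf);
    if (rec_len < EVT_HDR_LEN + 4 || rec_len > len || (rec_len & 3)) return -1;
    if (rd32(buf + 4) != EVT_MAGIC) return -1;
    if (rd32(buf + rec_len - 4) != rec_len) return -1;   /* trailing Length must agree */
    const uint8_t *end = buf + rec_len - 4;
    memset(out, 0, sizeof *out);
    out->record_number    = rd32(buf + 8);
    out->time_generated   = rd32(buf + 12);              /* seconds since 1970, UTC */
    out->event_id_raw     = rd32(buf + 20);
    out->event_id_display = (uint16_t)(out->event_id_raw & 0xFFFF);
    out->event_type       = rd16(buf + 24);
    out->num_strings      = rd16(buf + 26);
    uint32_t str_off      = rd32(buf + 36);
    size_t used = rd_wstr(buf + EVT_HDR_LEN, end, out->source, sizeof out->source);
    if (used == 0) return -1;
    if (rd_wstr(buf + EVT_HDR_LEN + used, end, out->computer, sizeof out->computer) == 0) return -1;
    if (out->num_strings) {
        if (str_off < EVT_HDR_LEN || str_off >= rec_len - 4 || (str_off & 1)) return -1;
        if (rd_wstr(buf + str_off, end, out->first_string, sizeof out->first_string) == 0) return -1;
    }
    return 0;
}

/* Constructed record (not captured from a real log): source "MyService", one
 * insertion string, no SID and no binary data. Returns the record length. */
size_t build_sample_record(uint8_t *buf, size_t cap) {
    if (cap < 256) return 0;
    memset(buf, 0, cap);
    size_t off = EVT_HDR_LEN;
    off += put_wstr(buf + off, "MyService");
    off += put_wstr(buf + off, "WORKSTATION1");
    uint32_t str_off = (uint32_t)off;
    off += put_wstr(buf + off, "The Service started");
    while (off % 4) off++;                                   /* pad to a DWORD boundary */
    uint32_t rec_len = (uint32_t)off + 4;
    put32(buf + 0, rec_len);      put32(buf + 4, EVT_MAGIC);
    put32(buf + 8, 1234);         put32(buf + 12, 1041379200); put32(buf + 16, 1041379200);
    put32(buf + 20, 0x40001B7C);  /* severity/facility in the high word, 7036 in the low word */
    put16(buf + 24, EVT_INFO);    put16(buf + 26, 1);
    put32(buf + 36, str_off);     put32(buf + 44, str_off);  /* UserSidOffset, UserSidLength 0 */
    put32(buf + 52, (uint32_t)off);                          /* DataOffset, DataLength 0 */
    put32(buf + off, rec_len);
    return rec_len;
}

const event_rec *sample_event(void) {
    static uint8_t buf[256];
    static event_rec rec;
    static int status = 1;                                   /* 1 = not parsed yet */
    if (status == 1) status = parse_event_record(buf, build_sample_record(buf, sizeof buf), &rec);
    return status == 0 ? &rec : NULL;
}

/* A Length field larger than the bytes actually available must be rejected. */
int truncated_record_rejected(void) {
    uint8_t buf[256]; event_rec r;
    size_t n = build_sample_record(buf, sizeof buf);
    return parse_event_record(buf, n - 8, &r) == -1;
}

int main(void) {
    const event_rec *e = sample_event();
    if (!e) return 1;
    printf("#%u %s src=%s host=%s id=%u (raw 0x%08X): %s\n", e->record_number,
           event_type_name(e->event_type), e->source, e->computer,
           e->event_id_display, e->event_id_raw, e->first_string);
    return 0;
}
```

With a real log, ReadEventLog fills a buffer with several consecutive records, so the caller advances by each record's Length and calls parse_event_record again; the checks above are what keep a corrupt Length from walking the loop past the buffer.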

I use "ipconfig /all" very often under Windows, because we use DHCP and I like to check whether my IP address has changed. It shows detailed network adapter information: adapter name, description, hardware address and type, IP address with its subnet mask, gateway and DHCP server address and so on. But are you also interested in network traffic? We can get the number of broadcast and non-broadcast datagrams the host has received and sent, how many errors occurred and how many bytes were received and sent. This is useful information for every user.

Network shares are often a point of attention: how many shares you have, what their file paths are and what type each share is. When a share is no longer needed, don't forget to delete it, so that confidential information is not disclosed.

Windows NT is a multi-user system that allows several kinds of users. We would like to know the password expiry status of each account (remember to change your password before it expires), the user name and group ID, and the account type: different types have different permissions, and we naturally hope to have the highest privileges! It is also helpful to see whether the system limits an account's disk space usage (max storage), its logon count (number of logons) and its logon hours.

Information about Win32 services and device drivers is also important: we want to know the specific path, status, type and startup mode of each service or driver. We also want to control services: stop, start and delete them. See "Analysis of WINDOWS2000/XP services and backdoor technology" for more about Win32 services.

Shutdown need not be so monotonous: you can log off, and if you are stepping away you should lock the workstation. Recently people dislike shutting down, since it is too much trouble, and are used to hibernating; the system saves the current state for us. Power-management shutdown and hibernation are also supported. Windows 2000 users note that we can also use the XP feature of recording a reason message on shutdown and restart.

The system version information is relatively fixed: the operating system fingerprint, the registered organization and user, the host name, the system directories and the like.

Having said so much, we should also talk about how to achieve it.
