From: http://spinlock.blog.51cto.com/607469/174696
Author: kevx
Although most people work, study, and entertain on windows every day, many people still do not know about its kernel structure. On the one hand, because of its kernelSource codeIt is not open-source. On the other hand, it is due to the shortage of relevant materials. I spent a semester studying and exploring the NT kernel in my sophomore year. Although I dare not say that I have a deep understanding of it, at least its basic structure is clear. However, after all, I have only limited learning skills, and there will certainly be some imperfections. Please kindly advise me.
Currently, all mainstream Microsoft operating systems are based on the NT kernel, such:
Windows 2000/XP/Server 2003 (based on nt5)
Windows Vista (based on nt6) Windows 7 (based on nt6.1, I have never installed Windows 7, But it is said that this is the case)
Although many people blame windows for many problems in some aspects, this is not a kernel error. In general, NT is a mature, stable, and advanced kernel, I think the NT kernel will remain the mainstream for a long period of time in the future, and there will be no major changes (of course, local upgrades are completely unquestionable)
In the early days, Microsoft wanted to make nt a pure microkernel structure. If you are not clear about the differences between the microkernel and the single kernel, you can search for it online. Later, in order to improve the performance of the graphic subsystem and avoid switching between a large number of kernel States and user States, Microsoft moved it into the kernel, make it a part of the kernel (similar to the later DirectX technology ). It can be seen that NT is not a complete microkernel, and it also has some features of a single kernel.
The NT kernel has the following features (taken from uninitialized ented Windows NT) portability (portability)
As you know, Windows NT can run on multiple platforms, such as Intel, MIPS, Power PC, and DEC Alpha. Many vendors have contributed to the portability of Windows NT. The most important factor may be the language used for its implementation. Windows NT is mostly written in C language, and some use C ++. Platform-related assembly languages are used only when necessary. The Windows NT team also isolates hardware-related parts of the operating system from other parts and separately places them into Hal. dll. In this way, the hardware-independent part of Windows NT Code It can be written in C and other advanced languages, so it can be easily transplanted to various platforms. Extensibility)
Windows NT has high scalability, but its scalability is rarely explored due to lack of documentation. The subsystem bears the brunt of the List of undisclosed features. The subsystem provides multiple operating system interfaces in the operating system. Just add a new subsystem Program New operating system interfaces can be extended for Windows NT. However, Microsoft has been focusing on the public requirements for the process of adding new subsystems.
Windows NT kernel is highly scalable because it can be dynamically loaded as a driver. For Windows NT, Microsoft provides enough documents to write hardware device drivers, such as hard drive, Nic drive, and tape drive. In Windows NT, you can also write drivers that do not control the device. Even file systems are loaded as drivers.
Another example of Windows NT scalability is the implementation of system call interfaces. To modify operating system behaviors, developers generally need to hook up or add system calls. The development team of Windows NT has a good system call interface to easily hook up and add system calls. However, Microsoft still does not disclose these mechanisms.
Compatibility (compatibility)
For a long time, downward compatibility has been a major feature of Intel processors and Microsoft operating systems, and is also the key to the success of these two giants. Windows NT must be able to run dos, Win16, and OS/2 programs. Compatibility is another reason why the Windows NT development team uses the subsystem concept. In addition to binary compatibility (executable files in different formats), Windows NT provides source code-level compatibility for POSIX-compliant programs. In addition to NTFS, Windows NT supports other file systems, such as dos fat and OS/2 HPFs.
Maintainability (maintainability)
Windows NT has a large amount of code and requires a great deal of effort to maintain some code. The NT development team achieved high maintainability through the use of object-oriented design. Moreover, dividing the functions of the operating system into various layers also improves maintainability. The top layer, that is, the operating system layer that the user sees, is the subsystem layer. The subsystem provides system calling interfaces to provide external application programming interfaces. At the system call interface layer, NT executive is established on the kernel, and the kernel depends on the hardware abstraction layer (HAL). The hardware abstraction layer communicates directly with the hardware.
NT development team selected Programming Language It is also related to the maintainability of Windows NT. As we mentioned earlier, the entire operating system is written in C and C ++, and the assembly language is used only a few places that do not need to be used.
Security)
Windows NT is a secure operating system because it has the following features: Users must log in before using the system. Resources in the system are regarded as objects, and each object is identified by a security descriptor. The security descriptor has a security list to indicate that users can access this object.
Despite this, the operating system cannot be safe without a secure file system. The fat file system in DOS does not foresee any security problems. As a single-user system, it does not have to prevent security problems.
To overcome this defect, the Windows NT team launched a new file system, which is based on the OS/2 file system HPFs. The new Windows NT file system is NTFS. It supports access control. You can specify access permissions for the files or directories created under NTFS. NTFS only allows processes with access permissions to access the files or directories.
Multiprocessing (multi-process)
Windows NT supports Symmetric Multi-processing. The Workstation version of Windows NT supports two processors and the server version supports up to four processors. To support multi-processing, the operating system requires a special synchronization mechanism. In a single processor system, code execution in the critical section is not interrupted by disabling interruption. This is required to maintain the integrity of the kernel data structure. In a multi-processor environment, interruption cannot be disabled on all processors. In a multi-processing environment, Windows NT uses a spin lock to protect the kernel data structure.
Note: Multiple processing can be divided into symmetric and asymmetric. In Asymmetric Multi-processing, one processor is the main processor, and all other processors are slave processors. Only the main processor runs in kernel mode, and other slave processors only run in the user thread. As long as the slave processor running in the user thread calls the system service, the master processor takes over the thread and executes the required kernel service. Scheduler, a kernel program that runs on the master processor. Therefore, the main processor acts as the dispatcher and assigns the user mode thread to the slave processor. Naturally, compared to Symmetric Multi-processing that all processors can run in kernel or user mode, the primary processor is heavily burdened and the system is not balanced.
International language support)
Today, many PC users use languages other than English. The key to good interaction with these users is to enable the operating system to support their languages. Windows NT achieves this goal by using the Unicode standard character set. The Unicode Standard specifies a 16-bit character set, while ASCII uses an 8-bit character set. The encoding of the first 256 characters of Unicode is the same as that of ASCII. This leaves plenty of room for non-Latin languages. Win32 API can accept Unicode and ASCII character sets, while Windows NT kernel can only use Unicode. Although application programmers do not know Unicode, drivers must be familiar with Unicode, because kernel interface functions only accept Unicode strings and the driver entry points use Unicode.
Windows NT borrowed the core system from the Mach operating system, which was developed at Carnegie Mellon University. The basic concept of Mach is to minimize the number of kernels by handing over complex operating system functions to user-level processes. This client-server operating system has another purpose: to allow the use of multiple APIs on the same operating system. You can achieve this by implementing APIs in the server process.
The kernel of the Mach operating system provides a very simple set of interface functions. The server process uses this set of interface functions to implement an API to provide a more complex set of interface functions. Windows NT borrowed this idea from mach. Server Processes in Windows NT are called subsystems. Both modular and structured programming are good software management principles. nt chooses to use the client-server architecture to demonstrate its obedience to this principle. Windows NT can implement the required APIs in the kernel, or add different layers on the kernel to implement different APIs. For the purpose of maintainability and scalability, the NT team chose a subsystem approach.
Windows NT has two seed systems: integral subsystems and environment subsystems. Integral subsystems, such as the security management subsystem, complete basic operating system tasks. Environment subsystems enables a Windows NT machine to use different types of APIs. Windows NT subsystems support the following APIs:
Win32 subsystem. The Win32 subsystem provides Win32 APIs. Applications using Win32 APIs can run on all platforms provided by Microsoft-
Wow subsystem. Windows on Windows (WOW) subsystem provides compatibility with 16-bit Windows applications so that Win16 applications can run on Windows NT. These applications can run as long as they do not use undisclosed functions not supported by Windows NT.
NTVDM subsystem. NT virtual DOS Machine (NTVDM) provides a text-based environment in which DOS programs can run.
OS/2 subsystem. The OS/2 subsystem can run OS/2 applications. Wow, NTVDM, and OS/2 can only be used on Intel platforms because they provide binary compatibility for applications. The executable or binary files used for one processor cannot be used on another processor, because the machine instruction formats between processors are different.
POSIX subsystem. The POSIX subsystem provides APIs that comply with the POSIX 1003.1 standard.
The application does not know that the called API is processed by the corresponding subsystem. This hiding is implemented through the client DLL of each subsystem. This dll converts an API call to a local Procedure Call (LPC ). Local Procedure calls are similar to Remote Procedure Calls (RPC) on networked UNIX ). With RPC, a client application can call a server process running on another machine on the network. The LPC optimizes the clients and servers running on the same computer.
The NT kernel mainly contains the following important files:
Ntoskrnl.exe( ntkrnlpa.exe)
Hal. dll
Ntdll. dll
The core of the win32k. sysnt kernel is NT executive. The corresponding file is ntoskrnl.exe. If the machine is a multi-processor, ntkrnlpa.exe is used. It is ridiculous that this file can be deleted directly. The consequence is that Windows cannot be started after the restart, or even the scroll bar cannot be seen. This file is only about 2 MB in size, but it can be said that although the sparrow is small, it is the most core part of the whole windows, providing a complex interface to the outside world. What complements the Hal. dll file, that is, the hardware abstraction layer of the hardware action layer. It directly deals with the hardware of the machine and hides the hardware difference from the layer above it. Windows NT is a highly portable operating system running on multiple platforms. The Code contained in Hal. dll hides the processor and machine-related details from the rest of the core. Therefore, there are only Hal. dll differences between platforms, and the core code for using the Hal interface is highly portable. Ntdll. dll module. Most native API functions are exported, and switching from user to kernel is provided. Anyone who has developed Windows platforms knows that Windows APIs are mainly composed of kernel32.dll, user32.dll, and gdi32.dll. In fact, the call to windowsapi will eventually be transferred to NTDLL. The so-called native API basically adds NT or ZW to the original API (for example, createfile becomes ntcreatefile ). The three files kernel32.dll, user32.dll, and gdi32.dll constitute the Win32 subsystem. They do not implement the API. The exported function is called the stub function (although the name looks confusing)
win32k. SYS module. The Graphic Processing Section of Windows is implemented. USER32 and GDI32 use the system call interface to call services in win32k. sys. Because of its work and kernel state, it has high performance, which also makes windows powerful graphics processing capabilities.