Read physical memory and others

Introduction

This page is an ever-expanding collection of NT information that I accumulate over time. You'll find practical tips as well as useless trivia, with new items added at the top of the page.

  • Named Pipe directory listings
  • NT's /dev/kmem
  • Hidden registry keys?
  • Fault Tolerance on workstation?
  • The native API
  • Idle trivia
  • Never-ending quantum?
  • NT's main
  • Tuning workstation for server-like loads
Named Pipe directory listings

Did you know that the device driver that implements named pipes is actually a file system driver? In fact, the driver's name is npfs.sys, for "Named Pipe File System". What you might also find surprising is that it's possible to obtain a directory listing of the named pipes defined on a system. This fact is not documented, nor is it possible to do this using the Win32 API directly. Using NtQueryDirectoryFile, the native function that the Win32 FindFile APIs rely on, makes it possible to list the pipes. The directory listing NPFS returns also indicates the maximum number of pipe instances set for each pipe and the number of active instances.

To demonstrate the listing of named pipes I've written a program called PipeList. PipeList displays the named pipes on your system, including the maximum number of instances and the number of active instances for each pipe. Full source code is included.

Download pipelist (25 KB)

Related tip: You can watch named pipe activity with Filemon by selecting the Drives|Named Pipes menu entry.

NT's "/dev/kmem"

UNIX aficionados like to point out that UNIX has a flexible file system namespace that allows non-file-system devices and pseudo-devices to be accessed through it. The most commonly offered example of this feature is the /dev/kmem file. When an application opens and reads or writes this file (assuming it has permission to do so) it is actually accessing the physical memory of the computer.

What most people don't know is that NT charges its Object Manager subsystem with providing a namespace (see my article on the Object Manager for more information), and the Object Manager allows virtually anything to be mapped as part of it, just like UNIX's file system namespace. And what even fewer people know is that NT has a mechanism that lets an application view (and even modify, with the proper security configuration) a system's physical memory. It's a section (memory mapping) object that is named \Device\PhysicalMemory in NT's namespace (you can verify its existence by using our WinObj tool). An application with sufficient access rights can open the section and map portions of it into its own address space. The result of such a mapping is the creation of a window onto physical memory in the application's virtual address map. By default administrators have read-only access to physical memory, but it is possible for an application running as administrator to modify the security attributes so that write access is enabled.

In order to demonstrate the ability to view physical memory, and to give you the opportunity to browse through your computer's RAM, I've written PhysMem. It is a Win32 console program that will open the physical memory section and dump the contents of regions (in hexadecimal and ASCII) that you specify in a simple command-line interface. Here is what the interface looks like:

    Physmem v1.0: physical memory viewer
    By Mark Russinovich
    Sysinternals - http://www.Sysinternals.com
    Enter values in hexadecimal. Enter 'q' to quit.
    Address: 1000
    Bytes: 100
    00001000: 4D 5A 90 00 03 00 00 00 -04 00 00 00 FF FF 00 00 MZ..............
    00001010: B8 00 00 00 00 00 00 00 -40 00 00 00 00 00 00 00 +...............
    00001020: 00 00 00 00 00 00 00 00 -00 00 00 00 00 00 00 00 ................
    00001030: 00 00 00 00 00 00 00 00 -00 00 00 00 80 00 00 00 ................
    00001040: 0E 1F BA 0E 00 B4 09 CD -21 B8 01 4C CD 21 54 68 ..¦....-.+.L-.Th
    00001050: 69 73 20 70 72 6F 67 72 -61 6D 20 63 61 6E 6E 6F is program canno
    00001060: 74 20 62 65 20 72 75 6E -20 69 6E 20 44 4F 53 20 t be run in DOS
    00001070: 6D 6F 64 65 2E 0D 0D 0A -24 00 00 00 00 00 00 00 mode............
    00001080: 50 45 00 00 4C 01 06 00 -53 3A 4D 33 00 00 00 00 PE..L...S.M3....
    ...

While you are browsing your memory, some places of interest you might want to take a look at are offset 0x1000, which is where NTLDR is located (you can see its header in the example output above, which states that it can't be run in DOS mode), and 0xF9000-0xFFFFF, which is where the ROM BIOS is mapped. You'll likely see strings belonging to the vendor of your computer and sometimes video adapter strings in the BIOS.

The source code for PhysMem is fairly self-explanatory. PhysMem uses the native API to open and map \Device\PhysicalMemory because that name is inaccessible via the Win32 API. It also uses the native APIs (all of which are documented in the Windows NT DDK) to map and unmap views of the section, though this could have been done using Win32.

Download physmem (28kb)

Hidden registry keys?

A subtle but significant difference between the Win32 API and the native API (see Inside the Native API for more information on this largely undocumented interface) is the way that names are described. In the Win32 API strings are interpreted as null-terminated ANSI (8-bit) or wide character (16-bit) strings. In the native API names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the native API, but that cannot be described using the Win32 API.

How is this possible? The answer is that a name which is a counted Unicode string can explicitly include null characters (0) as part of the name. For example, "key\0": to include the null at the end, the length of the Unicode string is specified as 4. There is absolutely no way to specify this name using the Win32 API, since if "key\0" is passed as a name, the API will determine that the name is "key" (3 characters in length) because the "\0" indicates the end of the name.

When a key (or any other object with a name, such as a named event, semaphore or mutex) is created with such a name, any application using the Win32 API will be unable to open the name, even though it might seem to see it. The program below, RegHide (source code is included), demonstrates this point. It creates a key called "HKEY_LOCAL_MACHINE\Software\Sysinternals\Can't touch me!\0" using the native API, and inside this key it creates a value. Then the program pauses to give you an opportunity to see if you can view the value using any Registry Editor you have handy (Regedit, Regedt32 or a third-party Registry Editor). Because Regedit and Regedt32 (and likely any third-party Registry Editor) use the Win32 API, they will see the key listed as a child of Sysinternals, but when you try to open the key you'll get an error. This is because the Registry Editor will try to open "Can't touch me!" without the trailing null (which is interpreted as the end of the string) and won't find this name. After you've verified this, exit the program and this special key will be deleted.

Download reghide (24kb)
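The counted-versus-terminated mismatch above is exactly what a defender would check for when auditing key names returned by the native API. The following is an added example, not RegHide's source: it models the native UNICODE_STRING layout (Length and MaximumLength in bytes, a buffer of 16-bit units) with portable types so it builds anywhere, and flags any name whose Win32 view (stopping at the first null) is shorter than its counted length. The struct stand-in and the make_name helper are assumptions for illustration; the sample name is constructed to match the key the page describes.

```c
/* Added example (not from the original page): detect counted Unicode
 * names that a null-terminated (Win32) caller cannot reproduce. The
 * UNICODE_STRING stand-in below mirrors the native layout using
 * portable types so it compiles outside Windows. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint16_t Length;        /* bytes in use, NOT counting any terminator */
    uint16_t MaximumLength; /* bytes allocated for Buffer */
    uint16_t *Buffer;       /* UTF-16 code units, no terminator required */
} UNICODE_STRING;

/* Code units the native API sees: simply the counted length. */
static size_t native_len(const UNICODE_STRING *s) {
    return s->Length / sizeof(uint16_t);
}

/* Code units a Win32 caller sees: it stops at the first null unit. */
static size_t win32_len(const UNICODE_STRING *s) {
    size_t n = native_len(s), i;
    for (i = 0; i < n; i++)
        if (s->Buffer[i] == 0) break;
    return i;
}

/* A name is unreachable from Win32 when the two views disagree,
 * i.e. when a null unit occurs before the counted end of the name. */
static int hidden_from_win32(const UNICODE_STRING *s) {
    return win32_len(s) != native_len(s);
}

/* Helper (assumed, for illustration): build a counted name from an
 * ASCII literal of exactly 'units' code units, so the caller can
 * include an explicit 0 unit inside the name. */
static void make_name(UNICODE_STRING *s, uint16_t *buf,
                      const char *ascii, size_t units) {
    for (size_t i = 0; i < units; i++)
        buf[i] = (uint16_t)(unsigned char)ascii[i];
    s->Buffer = buf;
    s->Length = (uint16_t)(units * sizeof(uint16_t));
    s->MaximumLength = s->Length;
}

/* Constructed sample: the key name RegHide creates, trailing null included. */
int main(void) {
    uint16_t buf[32];
    UNICODE_STRING name;
    make_name(&name, buf, "can't touch me!\0", 16); /* 15 chars + null */
    printf("native sees %zu units, Win32 sees %zu, hidden=%d\n",
           native_len(&name), win32_len(&name), hidden_from_win32(&name));
    return 0;
}
```

In a real audit the UNICODE_STRING would come from a native enumeration call such as NtEnumerateKey; the comparison logic is the same.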

Fault Tolerance on workstation?

One of the differences I highlighted in my November 1996 Windows NT Magazine article, "Inside the Difference Between Windows NT Workstation and Windows NT Server," was that fault-tolerant disk configurations are only available on Server. This is because the Windows NT Disk Administrator program, Windisk.exe, checks to see if it is running on a Workstation and, if so, does not display its Fault Tolerance menu, which contains the entries that are used to create mirrors and parity stripe sets.

It turns out that whoever wrote the Workstation Resource Kit program FtEdit was unaware of Microsoft's official policy on fault tolerance and Workstation: it appears you can use this utility to create mirrors and stripe sets with parity on Workstations.

Update: several people have complained that this doesn't work, which isn't surprising since I left out an important step: the fault-tolerant disk driver must be enabled. If you have an existing volume set then it already is, but if you don't, use a Registry Editor to set the value

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FtDisk\Start

to 0. The next time you boot your Workstation, the fault-tolerant drives you have created will be functional.

The native API

NT's native API is the set of core operating system services available to device drivers and user-mode applications. The Win32 subsystem relies heavily on this API, as do many of the Microsoft Windows NT Resource Kit utilities. There are over 200 system calls in NT's native API and only 21 of them are documented by Microsoft.

Idle trivia

Did you know that, unlike all the other threads in an NT system, the idle thread executes at an IRQL (interrupt request level) of DISPATCH_LEVEL (rather than PASSIVE_LEVEL)? See Advanced DPCs for more information.

On uniprocessor x86 systems the idle thread actually performs a HLT (halt) instruction, which effectively turns the CPU off to everything except hardware interrupts.

Never-ending quantum?

In NT, as with most time-sharing operating systems, threads run in turns called quantums. Normally, a thread executes until its quantum runs out; the next time it is scheduled it starts with a full quantum. However, in NT a thread also gets its quantum refreshed every time its thread or process priority is set. This means that a thread can reset its quantum by calling SetThreadPriority (without changing its priority) before its turn runs out. If it continues to do this it will effectively have an infinite quantum. Why does NT do this? It's not clear, but it appears to be a bug.

Ntoskrnl's main

Ntoskrnl.exe, the core file of the kernel-mode component of Windows NT, contains the Cache Manager, the Executive, the Kernel, the Security Reference Monitor, the Memory Manager, and the Scheduler, among other things, and is in charge of getting NT up and running. You may be surprised to know that it has a standard main() that is executed when it is loaded by the OS loader:

    //
    // NTOSKRNL main
    //
    int main( boot parameters )
    {
        //
        // Fire up NT!
        //
        KiSystemStartup();
        return 0;
    }

Tuning workstation for server-like loads

NT Workstation and NT Server have vastly different performance characteristics due to the internal tuning that the NT operating system, which is identical on both, performs. Most tuning parameters are inaccessible, but a few are located in the Registry. If you are running Server and you double-click on the Server entry of the Services tab in the Control Panel's Network applet, you will get a dialog that lets you determine what type of application you want the machine to be tuned for. The choices let you select between "Minimize memory used", "Balance", "Maximize usage for file sharing", and "Maximize usage for network applications". This dialog box is not presented on Workstation installations. The various selections actually change two Registry values:

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache

and

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Size

This table (which was derived from sessions with Regmon) presents the settings you should select on a Workstation to achieve the same effect you would get using the dialog box were your system a Server.

    Tuning target          LargeSystemCache   Size
    Minimize memory used   0                  1
    Balance                0                  2
    File sharing           1                  3
    Network applications   0                  3
