Procedures for creating processes under Windows operating systems

Source: Internet
Author: User
Tags: exception handling, thread

A process is a running instance of a program, with some independent function, operating on a data set; it is the unit to which the system allocates resources and which the system schedules. A program by itself is only an ordered set of instructions: it has no run-time meaning and is a static entity. A process is different: it is that program executing on a data set, a dynamic entity. It comes into existence because it is created, runs because it is scheduled, enters a waiting state while it waits for a resource or an event, and is withdrawn when its task is complete; it embodies the whole dynamic course of a program running over a particular data set.

A thread is an entity within a process and is the basic unit that the CPU schedules and dispatches. A thread cannot execute on its own; it must belong to a process, and one process can provide the execution context for several threads. From the kernel's point of view the thread is the active object and the process is merely a container of static resources, so a process must own at least one active thread to keep running.

When an application calls a process-creation function such as CreateProcess, or a user launches a program (under Windows an ordinary program started by the user is in fact launched by Explorer.exe calling CreateProcess), the operating system carries out the creation in the following steps:

1. Open the image file that the process will execute.

2. Create the Windows executive process object.

3. Create the initial thread (its stack and context, and the executive thread object).

4. Notify the Windows subsystem that a new process has been created (the Windows subsystem is part of the operating system; its user-mode side, Csrss.exe, assists the kernel in managing Windows processes).

5. Start execution of the initial thread (unless the CREATE_SUSPENDED flag was specified at creation time, in which case the thread stays suspended and does not run).

6. Complete the initialization of the address space (for example, loading the required DLLs) in the context of the new process and thread, and then begin executing at the image entry point.

With that, the operating system has created the new process. What the operating system does in each of these steps is as follows:

1. Open the image file that the process will execute.

The operating system first locates the Windows image to be executed and creates a section object for it, so that the image can later be mapped into the address space of the new process.

2. Create the Windows executive process object.

The operating system then calls the internal system function NtCreateProcess to create a Windows executive process object. The specific steps are:

(1) Set up the EPROCESS block

* Allocate and initialize the EPROCESS structure

* Inherit the process affinity mask from the parent process

* Set the minimum and maximum working set sizes of the process (determined by the two kernel variables PsMinimumWorkingSet and PsMaximumWorkingSet)

* Set the quota block of the new process to the address of the parent's quota block, and increment the reference count of the parent's quota block

* Inherit the Windows device namespace

* Save the parent's process ID in the InheritedFromUniqueProcessId field of the new process object

* Create the primary access token of the process

* Initialize the process handle table

* Set the exit status of the new process to STATUS_PENDING

(2) Create the initial process address space

* Create page table entries in the appropriate page tables to map the initial pages

* Account for the initial working set size of the process against MmResidentAvailablePages

* Map the nonpaged portion of system space and the page table entries of the system cache into the process

(3) Initialize the kernel process block (KPROCESS)

(4) Finish setting up the process address space

(5) Set up the PEB (process environment block)

(6) Complete the creation of the executive process object

3. Create the initial thread (its stack and context, and the executive thread object).

At this point the Windows executive process object has been fully created but has no thread to run, so the system next calls NtCreateThread to create a new thread, initially suspended, which becomes the main thread of the process.

4. Notify the Windows subsystem that a new process has been created (the Windows subsystem is part of the operating system; its user-mode side, Csrss.exe, assists the kernel in managing Windows processes). The client-side DLL (Kernel32.dll) sends a message describing the newly created process and thread to the Windows subsystem (CSRSS), so that the subsystem can set up its own process and thread management blocks. When CSRSS receives the message it performs the following:

* Duplicate the process and thread handles

* Set the process priority

* Allocate a CSRSS process block

* Set the exception port of the new process to CSRSS, so that when an exception occurs in the process CSRSS receives an exception message

* Allocate and initialize a CSRSS thread block

* Insert the thread into the thread list of the process

* Insert the process into the CSRSS list of processes

* Display the process-startup cursor

5. Start execution of the initial thread (unless CREATE_SUSPENDED was specified at creation time, in which case the thread stays suspended and does not run). At this point the process environment has been built; the main thread created for the process is given the right to execute and begins to run.

6. Complete the initialization of the address space (for example, loading the required DLLs) in the context of the new process and thread, and then begin executing at the image entry point.

The essence of this step is to call LdrInitializeThunk, which initializes the loader, the heap manager, the NLS tables, the thread-local storage (TLS) array and the critical section structures, loads every DLL the image requires, and calls each DLL's entry point with DLL_PROCESS_ATTACH. When the loader initialization routine returns to the user-mode APC dispatcher, the process image begins executing in user mode and the thread start function is invoked.

Here the operating system has finished all of its creation work, and the program we wrote is then run under the operating system's control.
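As an added example (not part of the original article), the following PowerShell script walks the six-step procedure above from user mode. It calls CreateProcess with CREATE_SUSPENDED, so steps 1 to 5 complete but step 6 never runs; it then inspects what the kernel has already set up (the process ID, the parent ID saved in InheritedFromUniqueProcessId, the primary token, the suspended initial thread), and finally calls ResumeThread so that LdrInitializeThunk runs, the DLLs are loaded and the image entry point is reached. The P/Invoke declarations are the documented Win32 signatures; the target image (notepad.exe) and the 500 ms wait after resuming are assumptions.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1 or
# PowerShell 7 running on Windows. The target image is an assumption; any
# executable will do.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;

public static class NativeProc
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars;
        public int dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    public const uint CREATE_SUSPENDED = 0x00000004;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(
        string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
        bool bInheritHandles, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint ResumeThread(IntPtr hThread);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $nativeSource

$startInfo = [NativeProc+STARTUPINFO]::new()
$startInfo.cb = [Runtime.InteropServices.Marshal]::SizeOf($startInfo)
$procInfo = [NativeProc+PROCESS_INFORMATION]::new()

# Steps 1-5: open the image, build EPROCESS/KPROCESS/PEB, create the initial
# thread suspended, notify CSRSS. With CREATE_SUSPENDED the thread is not started.
$ok = [NativeProc]::CreateProcess("$env:SystemRoot\System32\notepad.exe", $null,
    [IntPtr]::Zero, [IntPtr]::Zero, $false, [NativeProc]::CREATE_SUSPENDED,
    [IntPtr]::Zero, $null, [ref]$startInfo, [ref]$procInfo)
if (-not $ok) {
    throw "CreateProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$newPid = $procInfo.dwProcessId

# The EPROCESS already exists: the PID is allocated, the parent PID stored in
# InheritedFromUniqueProcessId is what WMI reports as ParentProcessId, and the
# primary token created in step 2 already has an owner.
$cimProc = Get-CimInstance Win32_Process -Filter "ProcessId = $newPid"
"New PID $newPid, parent PID $($cimProc.ParentProcessId) (this shell is PID $PID)"
$owner = Invoke-CimMethod -InputObject $cimProc -MethodName GetOwner
"Primary token owner: $($owner.Domain)\$($owner.User)"

# The initial thread from step 3 exists but is suspended, because step 5 was skipped.
$mainThread = (Get-Process -Id $newPid).Threads | Where-Object Id -eq $procInfo.dwThreadId
$reason = if ($mainThread.ThreadState -eq 'Wait') { $mainThread.WaitReason } else { 'n/a' }
"Initial thread $($mainThread.Id): state $($mainThread.ThreadState), wait reason $reason"

# Step 6 has not run: the loader has not built the PEB module list yet, so
# enumerating modules either fails or shows only the image and ntdll.dll.
try {
    "Modules before resume: $((Get-Process -Id $newPid).Modules.Count)"
} catch {
    "Modules before resume: not enumerable yet ($($_.Exception.Message))"
}

# Let the thread run: the queued user-mode APC executes LdrInitializeThunk, loads
# the imported DLLs, calls their DLL_PROCESS_ATTACH entry points and then
# transfers control to the image entry point.
$previousSuspendCount = [NativeProc]::ResumeThread($procInfo.hThread)  # 1 for a CREATE_SUSPENDED thread
Start-Sleep -Milliseconds 500
"Suspend count before resume: $previousSuspendCount; modules after resume: $((Get-Process -Id $newPid).Modules.Count)"

[void][NativeProc]::CloseHandle($procInfo.hThread)
[void][NativeProc]::CloseHandle($procInfo.hProcess)
Stop-Process -Id $newPid -Force   # clean up the demonstration process
```

Note for detection work: everything that a process-creation event records (PID, parent PID, image path, command line, token owner) is already in place at the end of step 4, before a single instruction of the image has executed, which is why a process paused at this point is visible to CSRSS and to any tool reading the EPROCESS (a kernel debugger's dt nt!_EPROCESS shows InheritedFromUniqueProcessId and ExitStatus directly) even though its imports have not yet been resolved.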
