Process of creating a process in a Windows Operating System

Steps for creating a process in Windows:

A process is a running activity of a program with certain independent functions. It is an independent unit for the system to allocate and schedule resources. A program is an ordered set of commands. It does not have any running meaning, but is a static entity. The process is different. It is the execution of a program on a certain dataset and a dynamic entity. It is created and runs due to scheduling. It is in the waiting status due to waiting for resources or events and is revoked due to task completion, it reflects all the dynamic processes of a program running on a certain dataset.

A thread is an entity of a process and the basic unit of CPU scheduling and scheduling. The thread cannot be executed independently and must be dependent on the process. The process provides multiple thread execution control. From the kernel perspective, a thread is an active object, and a process is only a set of static objects. A process must have at least one active thread to maintain its operation. When an application calls a creation process, such as createprocess, and the user executes a program (in windows, the user executes a general program called CreateProcess by assumer.exe), the operating system divides the process into the following steps:

1. Open the image file to be executed in the process.
2. Create a Windows executor process object.
3. Create an initial thread (stack, heap execution environment initialization, and execution thread object ).
4. Notify windows sub-system that a new process has been created (the sub-system is part of the operating system. It is a specific sub-system process that assists the operating system kernel in managing user States/customers.

Csrss.exe ).
5. Start execution of the initial thread (if the create_suincluded state of the thread is specified during creation, the thread is temporarily suspended and not executed ).
6. initialize the address space in the new process and thread environment (such as loading required DLL and libraries), and then start to execute at the process entry.
Here, the operating system completes the creation of a new process.

Next, let's take a look at the specific work done by the operating system in each step:
1. Open the image file to be executed in the process.
First, the operating system finds the executed Windows Image and creates a memory area object so that it can be mapped to the new process address space.

2. Create a Windows executor process object.
Next, the operating system calls the internal system function ntcreateprocess to create a windwos execution body process object. The procedure is as follows:
(1) Create an eprocess
* Allocate and initialize eprocess structure Blocks
* Inherit from the parent process to obtain the affinity mask of the process.
* Maximum and minimum working unit feet of the allocated process (two parameters are used to determine psminimumworkingset psmaximumworkingset)
* Set the quota block of the new process to the parent process quota block address, and increase the reference count of the parent process quota block.
* Inherit the device namespace of Windows
* Save the parent process ID in the inheritedformuniqueprocessid of the new process object.
* Create a master access token for the process.
* Initialize the process handle table
* Set the exit status of the new process to status_pending.

(2) create an initial process address space
* Create a page table entry in the appropriate page table to map the initial Page
* Calculate the working set size of the process from mmresidentavailablepage.
* The non-page feed part of the system space and the page table cached by the system are mapped to the process.

(3) initialize the kernel process block kprocess
(4) end the process of creating the process address space
(5) Create peb
(6) complete the creation process of the execution body process object

3. Create an initial thread (stack, heap execution environment initialization, and execution thread object ).

At this time, the Windows execution body process object has been fully established, but it is not thread-ready, so it cannot be executed,

Next, the system calls ntcreatethread to create a new suspended thread, which is the main thread body of the process.

4. Notify windows sub-system that a new process has been created (the sub-system is part of the operating system. It is a specific process of csrss.exe to assist the operating system kernel in managing user States/customers ).

Next, the operating system sends a data message created by a new process thread to the Windows subsystem (CSRSS) through the client state (kernel32.dll), allowing the subsystem to establish its own process thread management block. When the CSRSS receives the message, perform the following processing:

* Copy the process and thread handle
* Set the process priority.
* Allocate CSRSS process Blocks
* Bind the exception handling port of the new process to CSRSS, so that when the process encounters an exception, CSRSS will receive the exception message.
* Allocate and initialize CSRSS thread blocks
* Insert a thread to the thread list of the process.
* Insert the process to the CSRSS thread list.
* Display the process startup cursor

5. Start execution of the initial thread (if the create_suincluded state of the thread is specified during creation, the thread is temporarily suspended and not executed ). Here, the process environment has been established and the main thread that starts to be created in the process obtains the execution right to start the execution thread.

6. initialize the address space in the new process and thread environment (such as loading required DLL and libraries), and then start to execute at the process entry. In this step, ldrinitializethunk is called to initialize the loader, the NLS table TLS array and the critical section structure of the heap manager, and any DLL entry points to be called by using the dll_process_attach function code, finally, when the loader initialization routine is returned to the APC distributor in user mode, the process image starts to be executed in user mode, and then it calls the thread to start the function.

Here, the operating system has completed all the creation work, and the program we write is called and run by the operating system.