These notes are extracted from “Windows Internals Seventh Edition” by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, and David A. Solomon. Some concepts are definitely obsolete as of 2024

[23 July 2024]

Windows release names and version strings are not consistent with each other. As with Windows 10 (since version 20H2), mainstream builds of Windows 11 are labeled “YYHX”, where YY is the two-digit year and X is the half of the year in which release was planned; each release also carries a build number, e.g. 22631.

COM is a binary interface standard created to standardize the interfaces between components. COM servers are DLLs that implement COM objects (binary interfaces) conforming to the standard; basically any language that supports function pointers can implement a COM server.

A CLSID is a globally unique identifier that identifies a COM object (class). It references the “server” (a file on disk) that implements the requested class. COM objects and interfaces are registered in the Windows registry under the key HKEY_CLASSES_ROOT\CLSID\{GUID}.

Examples of APIs accessed through COM include DirectShow (obsolete), Windows Media Foundation, DirectX, DirectComposition, Windows Imaging Component (WIC), and the Background Intelligent Transfer Service (BITS)

Windows Runtime (WinRT) is a platform-agnostic component and application architecture first introduced in Windows 8. WinRT is not a runtime in the traditional sense but rather a language-independent application binary interface based on COM, which allows object-oriented APIs to be consumed from multiple languages.

The .NET Framework is a proprietary software framework that was the predominant implementation of the Common Language Infrastructure (CLI) until being superseded by the cross-platform .NET project.

The Common Language Runtime (CLR) is the run-time engine for .NET and includes a Just In Time (JIT) compiler that translates Common Intermediate Language (CIL) instructions to the underlying hardware CPU machine language, a garbage collector, type verification, code access security, and more. It’s implemented as a COM in-process server (DLL) and uses various facilities provided by the Windows API.

At the highest level of abstraction, a Windows process comprises the following:

  • A private virtual address space This is a set of virtual memory addresses that the process can use.
  • An executable program This defines initial code and data and is mapped into the process’s virtual address space.
  • A list of open handles These map to various system resources such as semaphores, synchronization objects, and files that are accessible to all threads in the process.
  • A security context This is an access token that identifies the user, security groups, privileges, attributes, claims, capabilities, User Account Control (UAC) virtualization state, session, and limited user account state associated with the process, as well as the AppContainer identifier and its related sandboxing information.
  • A process ID This is a unique identifier, which is internally part of an identifier called a client ID.
  • At least one thread of execution Although an “empty” process is possible, it is (mostly) not useful.

For processes that create a user interface, the Running status value means that the UI is responsive. In other words, the thread that created the window(s) is waiting for UI input (technically, on the message queue associated with the thread). A process is shown as Not Responding if the thread within the process that created the user interface has not checked its message queue for UI-related activity for at least 5 seconds.

Debugging Tools: tlist /t to see a list of processes and parents. Only one level of parent-child information is tracked.
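The following PowerShell is an added example, not from the book or from these notes, that rebuilds the parent/child tree that tlist /t prints from Win32_Process. It also shows why only one level of ancestry is reliable: each process records only its parent's PID, so when the parent has exited the link dangles, and the PID may even have been recycled by an unrelated newer process. The creation-time comparison is my own check for that case; the function names are mine.

```powershell
# Added example (not the book's code): a tlist /t style process tree built
# from Win32_Process, with dangling or recycled parent links called out.
function Get-ProcessTree {
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    # A parent link is trustworthy only if the parent still exists, is not the
    # process itself (PID 0 is its own parent), and was created no later than
    # the child; a parent "younger" than its child means the PID was reused.
    function Test-ParentLink([object]$proc) {
        $parent = $byPid[[int]$proc.ParentProcessId]
        if ($null -eq $parent) { return $false }
        if ($parent.ProcessId -eq $proc.ProcessId) { return $false }
        if ($null -eq $parent.CreationDate -or $null -eq $proc.CreationDate) { return $true }
        return $parent.CreationDate -le $proc.CreationDate
    }

    function Write-Node([object]$proc, [int]$depth) {
        ('  ' * $depth) + ('{0} (PID {1})' -f $proc.Name, $proc.ProcessId)
        foreach ($child in $all) {
            if ($child.ParentProcessId -eq $proc.ProcessId -and (Test-ParentLink $child)) {
                Write-Node $child ($depth + 1)
            }
        }
    }

    # Roots are processes whose parent link cannot be trusted; say why.
    foreach ($p in $all) {
        if (Test-ParentLink $p) { continue }
        $why = if ($byPid.ContainsKey([int]$p.ParentProcessId)) {
            'parent PID {0} was reused by a newer process'
        } else {
            'parent PID {0} has exited'
        }
        ('[root: ' + $why + ']') -f $p.ParentProcessId
        Write-Node $p 1
    }
}

# Usage: Get-ProcessTree | Out-String -Width 200
```

Processes whose parent has exited (most services started by a long-gone installer, or anything whose parent PID has since been handed to another process) appear as roots with the reason printed, which is the information tlist /t cannot give you.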

In computing, commit charge is a term used in Microsoft Windows operating systems to describe the total amount of virtual memory of all processes that must be backed by either physical memory or the page file. Through the process of paging, the contents of this virtual memory may move between physical memory and the page file, but it cannot exceed the sum of sizes of those two. As a percentage, commit charge is the utilization of this limit. Virtual memory not related to commit charge includes virtual memory backed by files and all-zero pages backed by nothing.
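As an added example (my own code, not the book's), the PowerShell below reads the system commit charge and commit limit from the Memory performance counters and lists the processes contributing the most private committed memory. It assumes the standard counter names \Memory\Committed Bytes and \Memory\Commit Limit, and uses the PrivateMemorySize64 property of Get-Process as the per-process private commit; the function name is mine.

```powershell
# Added example: commit charge versus commit limit (RAM plus page file),
# and the top consumers of private (committed) memory.
function Get-CommitCharge {
    $samples   = (Get-Counter -Counter '\Memory\Committed Bytes', '\Memory\Commit Limit').CounterSamples
    $committed = ($samples | Where-Object Path -like '*Committed Bytes').CookedValue
    $limit     = ($samples | Where-Object Path -like '*Commit Limit').CookedValue

    # Private Bytes is memory the process has committed for its own use; file-backed
    # mappings are not part of the commit charge and so do not appear here.
    $top = Get-Process |
        Sort-Object PrivateMemorySize64 -Descending |
        Select-Object -First 5 Name, Id,
            @{ n = 'PrivateMB'; e = { [math]::Round($_.PrivateMemorySize64 / 1MB) } }

    [pscustomobject]@{
        CommittedGB      = [math]::Round($committed / 1GB, 2)
        LimitGB          = [math]::Round($limit / 1GB, 2)
        PercentUsed      = [math]::Round(100 * $committed / $limit, 1)
        TopPrivateCommit = $top
    }
}

# Usage: Get-CommitCharge | Format-List
```

When PercentUsed approaches 100 the system is out of commit, and further allocations fail even if plenty of physical RAM is still free, because the limit is the sum of RAM and the page file rather than RAM alone.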

Debugging Tools for Windows is included in the Windows Driver Kit (WDK). To get the WDK, see Download the Windows Driver Kit (WDK).

You can configure symbols support in Process Explorer by adding the MS symbols server srv*c:\symbols*https://msdl.microsoft.com/download/symbols

The COM Surrogate is the “I don’t feel good about this code, so I’m going to ask COM to host it in another process”

Dllhost.exe is the system-provided surrogate that is used by a COM DLL (in-process) server to run in its own separate process.
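The following PowerShell is an added example (my own code, not from the book or these notes) covering both the CLSID registration described earlier and the surrogate: Resolve-ComClass maps a CLSID to the server file that implements it, and Get-ComSurrogate lists the running dllhost.exe instances with the AppID each was started for and the classes that can be loaded into it. It assumes the standard registry layout: the server path is the default value of the InprocServer32 or LocalServer32 subkey of the CLSID key, a class that runs in a surrogate carries an AppID value, and HKEY_CLASSES_ROOT\AppID\{AppID} holds the DllSurrogate value; the function names are mine.

```powershell
# Added example: resolve a CLSID to its server, and show what each running
# COM surrogate (dllhost.exe) is hosting.

function Resolve-ComClass {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
    # HKCR is a merged view: per-user registrations in HKCU\Software\Classes
    # take precedence over the machine-wide ones in HKLM\Software\Classes, so
    # check HKCU first and report which hive answered.
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $class = Get-ItemProperty -Path $key
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $sub = Join-Path $key $kind
            if (Test-Path $sub) {
                [pscustomobject]@{
                    Clsid  = $Clsid
                    Name   = $class.'(default)'
                    Kind   = $kind                 # InprocServer32 = DLL, LocalServer32 = EXE
                    Server = (Get-ItemProperty -Path $sub).'(default)'
                    AppId  = $class.AppID          # $null unless the class is tied to an AppID
                    Hive   = $root
                }
            }
        }
        return   # the first hive that defines the class is the one COM uses
    }
}

function Get-ComSurrogate {
    # Build the AppID -> CLSIDs map once; scanning HKCR\CLSID per surrogate is slow.
    $classesByAppId = @{}
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $appId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).AppID
        if ($appId) {
            $k = $appId.ToUpperInvariant()
            if (-not $classesByAppId.ContainsKey($k)) { $classesByAppId[$k] = @() }
            $classesByAppId[$k] += $_.PSChildName
        }
    }
    # A surrogate is started as "dllhost.exe /Processid:{AppID}". CommandLine of
    # other users' processes is only readable from an elevated shell.
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $appId = if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') {
            $Matches[1].ToUpperInvariant()
        } else { $null }
        $appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
        $app = if ($appId -and (Test-Path $appKey)) { Get-ItemProperty -Path $appKey } else { $null }
        [pscustomobject]@{
            Pid          = $_.ProcessId
            ParentPid    = $_.ParentProcessId
            AppId        = $appId
            AppName      = $app.'(default)'
            DllSurrogate = $app.DllSurrogate      # empty string means the default dllhost.exe
            Classes      = if ($appId) { $classesByAppId[$appId] } else { $null }
        }
    }
}

# Usage: Get-ComSurrogate | Format-List
#        Resolve-ComClass '{...}'   # any CLSID from the Classes column
```

The Hive column of Resolve-ComClass is the part worth looking at when a surrogate is hosting something unexpected: a class that resolves from HKCU rather than HKLM was registered for the current user only, and the Server path tells you which file actually gets loaded into dllhost.exe.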

A thread includes the following essential components:

  • The contents of a set of CPU registers representing the state of the processor
  • Two stacks—one for the thread to use while executing in kernel mode and one for executing in user mode
  • A private storage area called thread-local storage (TLS) for use by subsystems, run-time libraries, and DLLs
  • A unique identifier called a thread ID (part of an internal structure called a client ID; process IDs and thread IDs are generated out of the same namespace, so they never overlap)

Windows implements two mechanisms to reduce the cost of switching threads: fibers and user-mode scheduling (UMS).

In computing on Microsoft platforms, WoW64 is a subsystem of the Windows operating system capable of running 32-bit applications on 64-bit Windows.

Fibers allow an application to schedule its own threads of execution rather than rely on the priority-based scheduling mechanism built into Windows. Fibers are often called lightweight threads. In terms of scheduling, they’re invisible to the kernel because they’re implemented in user mode in Kernel32.dll.

User-mode scheduling (UMS) threads, which are available only on 64-bit versions of Windows, provide the same basic advantages as fibers—and only a few of the disadvantages. UMS threads have their own kernel thread state and are therefore visible to the kernel, which allows multiple UMS threads to issue blocking system calls and share and contend on resources.

In addition to a private address space and one or more threads, each process has a security context and a list of open handles to kernel objects such as files, shared memory sections, or synchronization objects such as mutexes, events, or semaphores.

The virtual address descriptors (VADs) are data structures that the memory manager uses to keep track of the virtual addresses the process is using.

Windows provides an extension to the process model called a job. A job object’s main function is to allow the management and manipulation of groups of processes as a unit.

By default, on 32-bit Windows, the lower half of the 4-GB virtual address space (addresses 0x00000000 through 0x7FFFFFFF) is allocated to processes for their unique private storage and the upper half (addresses 0x80000000 through 0xFFFFFFFF) for the OS’s own protected memory.

Virtual address space layouts (figures from the book, not reproduced here):

  • 32-bit
  • 64-bit

Kernel mode refers to a mode of execution in a processor that grants access to all system memory and all CPU instructions. Although each Windows process has its own private memory space, the kernel-mode OS and device-driver code share a single virtual address space.

Each page in virtual memory is tagged to indicate what access mode the processor must be in to read and/or write the page.


📚 References
  1. https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
  2. https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
  3. https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs