• + Cover

  Page 0

  • Copyright page

    Page 00

• Contents at a Glance

  Page III

• Contents

  Page V

• + Introduction

  Page XV

  • Structure of the Book

    Page XV

  • History of the Book

    Page XVI

  • Sixth Edition Changes

    Page XVI

  • Hands-on Experiments

    Page XVI

  • Topics Not Covered

    Page XVII

  • A Warning and a Caveat

    Page XVII

  • Acknowledgments

    Page XVII

  • Errata & Book Support

    Page XX

  • We Want to Hear from You

    Page XX

  • Stay in Touch

    Page XX

• + Chapter 1: Concepts and Tools

  Page 1

  • + Windows Operating System Versions

    Page 1

    • Foundation Concepts and Terms

      Page 2

    • Windows API

      Page 2

    • Services, Functions, and Routines

      Page 4

    • Processes, Threads, and Jobs

      Page 5

    • Virtual Memory

      Page 15

    • Kernel Mode vs. User Mode

      Page 17

    • Terminal Services and Multiple Sessions

      Page 20

    • Objects and Handles

      Page 21

    • Security

      Page 22

    • Registry

      Page 23

    • + Unicode

      Page 24

      • Digging into Windows Internals

        Page 24

    • Performance Monitor

      Page 25

    • Kernel Debugging

      Page 26

    • Windows Software Development Kit

      Page 31

    • Windows Driver Kit

      Page 31

    • + Sysinternals Tools

      Page 32

      • Conclusion

        Page 32

• + Chapter 2: System Architecture

  Page 33

  • + Requirements and Design Goals

    Page 33

    • + Operating System Model

      Page 34

      • Architecture Overview

        Page 35

    • Portability

      Page 37

    • Symmetric Multiprocessing

      Page 38

    • Scalability

      Page 40

    • Differences Between Client and Server Versions

      Page 41

    • + Checked Build

      Page 45

      • Key System Components

        Page 46

    • Environment Subsystems and Subsystem DLLs

      Page 48

    • Ntdll.dll

      Page 53

    • Executive

      Page 54

    • Kernel

      Page 57

    • Hardware Abstraction Layer

      Page 60

    • Device Drivers

      Page 63

    • + System Processes

      Page 68

      • Conclusion

        Page 78

• + Chapter 3: System Mechanisms

  Page 79

  • + Trap Dispatching

    Page 79

    • Interrupt Dispatching

      Page 81

    • Timer Processing

      Page 112

    • Exception Dispatching

      Page 123

    • + System Service Dispatching

      Page 132

      • Object Manager

        Page 140

    • Executive Objects

      Page 143

    • + Object Structure

      Page 145

      • Synchronization

        Page 176

    • High-IRQL Synchronization

      Page 178

    • + Low-IRQL Synchronization

      Page 183

      • System Worker Threads

        Page 205

      • Windows Global Flags

        Page 207

      • Advanced Local Procedure Call

        Page 209

    • Connection Model

      Page 210

    • Message Model

      Page 211

    • Asynchronous Operation

      Page 213

    • Views, Regions, and Sections

      Page 214

    • Attributes

      Page 215

    • Blobs, Handles, and Resources

      Page 215

    • Security

      Page 216

    • Performance

      Page 217

    • + Debugging and Tracing

      Page 218

      • Kernel Event Tracing

        Page 220

      • Wow64

        Page 224

    • Wow64 Process Address Space Layout

      Page 224

    • System Calls

      Page 225

    • Exception Dispatching

      Page 225

    • User APC Dispatching

      Page 225

    • Console Support

      Page 225

    • User Callbacks

      Page 226

    • File System Redirection

      Page 226

    • Registry Redirection

      Page 227

    • I/O Control Requests

      Page 227

    • 16-Bit Installer Applications

      Page 228

    • Printing

      Page 228

    • + Restrictions

      Page 228

      • User-Mode Debugging

        Page 229

    • Kernel Support

      Page 229

    • Native Support

      Page 230

    • + Windows Subsystem Support

      Page 232

      • Image Loader

        Page 232

    • Early Process Initialization

      Page 234

    • DLL Name Resolution and Redirection

      Page 235

    • Loaded Module Database

      Page 238

    • Import Parsing

      Page 242

    • Post-Import Process Initialization

      Page 243

    • SwitchBack

      Page 244

    • + API Sets

      Page 245

      • Hypervisor (Hyper-V)

        Page 248

    • Partitions

      Page 249

    • Parent Partition

      Page 249

    • Child Partitions

      Page 251

    • + Hardware Emulation and Support

      Page 254

      • Kernel Transaction Manager

        Page 268

      • Hotpatch Support

        Page 270

      • Kernel Patch Protection

        Page 272

      • Code Integrity

        Page 274

      • Conclusion

        Page 276

• + Chapter 4: Management Mechanisms

  Page 277

  • + The Registry

    Page 277

    • Viewing and Changing the Registry

      Page 277

    • Registry Usage

      Page 278

    • Registry Data Types

      Page 279

    • Registry Logical Structure

      Page 280

    • Transactional Registry (TxR)

      Page 287

    • Monitoring Registry Activity

      Page 289

    • Process Monitor Internals

      Page 289

    • + Registry Internals

      Page 293

      • Services

        Page 305

    • Service Applications

      Page 305

    • The Service Control Manager

      Page 321

    • Service Startup

      Page 323

    • Startup Errors

      Page 327

    • Accepting the Boot and Last Known Good

      Page 328

    • Service Failures

      Page 330

    • Service Shutdown

      Page 331

    • Shared Service Processes

      Page 332

    • + Service Tags

      Page 335

      • Unified Background Process Manager

        Page 336

    • Initialization

      Page 337

    • UBPM API

      Page 338

    • Provider Registration

      Page 338

    • Consumer Registration

      Page 339

    • Task Host

      Page 341

    • + Service Control Programs

      Page 341

      • Windows Management Instrumentation

        Page 342

    • Providers

      Page 344

    • The Common Information Model and the Managed Object Format Language

      Page 345

    • Class Association

      Page 349

    • WMI Implementation

      Page 351

    • + WMI Security

      Page 353

      • Windows Diagnostic Infrastructure

        Page 354

    • WDI Instrumentation

      Page 354

    • Diagnostic Policy Service

      Page 354

    • + Diagnostic Functionality

      Page 356

      • Conclusion

        Page 357

• + Chapter 5: Processes, Threads, and Jobs

  Page 359

  • + Process Internals

    Page 359

    • + Data Structures

      Page 359

      • Protected Processes

        Page 368

      • Flow of CreateProcess

        Page 369

    • Stage 1: Converting and Validating Parameters and Flags

      Page 371

    • Stage 2: Opening the Image to Be Executed

      Page 373

    • Stage 3: Creating the Windows Executive Process Object (PspAllocateProcess)

      Page 376

    • Stage 4: Creating the Initial Thread and Its Stack and Context

      Page 381

    • Stage 5: Performing Windows Subsystem–Specific ­Post-Initialization

      Page 383

    • Stage 6: Starting Execution of the Initial Thread

      Page 385

    • + Stage 7: Performing Process Initialization in the Context of the New Process

      Page 386

      • Thread Internals

        Page 391

    • Data Structures

      Page 391

    • + Birth of a Thread

      Page 398

      • Examining Thread Activity

        Page 398

    • + Limitations on Protected Process Threads

      Page 401

      • Worker Factories (Thread Pools)

        Page 403

      • Thread Scheduling

        Page 408

    • Overview of Windows Scheduling

      Page 408

    • Priority Levels

      Page 410

    • Thread States

      Page 416

    • Dispatcher Database

      Page 421

    • Quantum

      Page 422

    • Priority Boosts

      Page 430

    • Context Switching

      Page 448

    • Scheduling Scenarios

      Page 449

    • Idle Threads

      Page 453

    • Thread Selection

      Page 456

    • Multiprocessor Systems

      Page 458

    • Thread Selection on Multiprocessor Systems

      Page 467

    • + Processor Selection

      Page 468

      • Processor Share-Based Scheduling

        Page 470

    • Distributed Fair Share Scheduling

      Page 471

    • + CPU Rate Limits

      Page 478

      • Dynamic Processor Addition and Replacement

        Page 479

      • Job Objects

        Page 480

    • Job Limits

      Page 481

    • + Job Sets

      Page 482

      • Conclusion

        Page 485

• + Chapter 6: Security

  Page 487

  • + Security Ratings

    Page 487

    • Trusted Computer System Evaluation Criteria

      Page 487

    • + The Common Criteria

      Page 489

      • Security System Components

        Page 490

      • Protecting Objects

        Page 494

    • Access Checks

      Page 495

    • Security Identifiers

      Page 497

    • Virtual Service Accounts

      Page 518

    • + Security Descriptors and Access Control

      Page 522

      • The AuthZ API

        Page 536

      • Account Rights and Privileges

        Page 538

    • Account Rights

      Page 540

    • Privileges

      Page 540

    • + Super Privileges

      Page 546

      • Access Tokens of Processes and Threads

        Page 547

      • Security Auditing

        Page 548

    • Object Access Auditing

      Page 549

    • Global Audit Policy

      Page 552

    • + Advanced Audit Policy Settings

      Page 554

      • Logon

        Page 555

    • Winlogon Initialization

      Page 556

    • User Logon Steps

      Page 558

    • Assured Authentication

      Page 562

    • + Biometric Framework for User Authentication

      Page 563

      • User Account Control and Virtualization

        Page 566

    • File System and Registry Virtualization

      Page 566

    • + Elevation

      Page 573

      • Application Identification (AppID)

        Page 581

      • AppLocker

        Page 583

      • Software Restriction Policies

        Page 589

      • Conclusion

        Page 590

• + Chapter 7: Networking

  Page 591

  • + Windows Networking Architecture

    Page 591

    • The OSI Reference Model

      Page 592

    • + Windows Networking Components

      Page 594

      • Networking APIs

        Page 597

    • Windows Sockets

      Page 597

    • Winsock Kernel

      Page 603

    • Remote Procedure Call

      Page 605

    • Web Access APIs

      Page 610

    • Named Pipes and Mailslots

      Page 612

    • NetBIOS

      Page 618

    • + Other Networking APIs

      Page 620

      • Multiple Redirector Support

        Page 627

    • Multiple Provider Router

      Page 627

    • Multiple UNC Provider

      Page 630

    • Surrogate Providers

      Page 632

    • Redirector

      Page 633

    • Mini-Redirectors

      Page 634

    • + Server Message Block and Sub-Redirectors

      Page 635

      • Distributed File System Namespace

        Page 637

      • Distributed File System Replication

        Page 638

      • Offline Files

        Page 639

    • Caching Modes

      Page 641

    • Ghosts

      Page 643

    • Data Security

      Page 643

    • + Cache Structure

      Page 643

      • BranchCache

        Page 645

    • Caching Modes

      Page 647

    • BranchCache Optimized Application Retrieval: SMB Sequence

      Page 651

    • + BranchCache Optimized Application Retrieval: HTTP Sequence

      Page 653

      • Name Resolution

        Page 655

    • Domain Name System

      Page 655

    • + Peer Name Resolution Protocol

      Page 656

      • Location and Topology

        Page 658

    • Network Location Awareness

      Page 658

    • Network Connectivity Status Indicator

      Page 659

    • + Link-Layer Topology Discovery

      Page 662

      • Protocol Drivers

        Page 663

    • + Windows Filtering Platform

      Page 667

      • NDIS Drivers

        Page 672

    • Variations on the NDIS Miniport

      Page 677

    • Connection-Oriented NDIS

      Page 677

    • Remote NDIS

      Page 680

    • + QoS

      Page 682

      • Binding

        Page 684

      • Layered Network Services

        Page 685

    • Remote Access

      Page 685

    • Active Directory

      Page 686

    • Network Load Balancing

      Page 688

    • Network Access Protection

      Page 689

    • + Direct Access

      Page 695

      • Conclusion

        Page 696

• Index

  Page 697

• About the Authors

  Page 727

• Survey

  Page 730

Delve inside Windows architecture and internals--and see how core components work behind the scenes. Led by three renowned internals experts, this classic guide is fully updated for Windows 7 and Windows Server 2008 R2--and now presents its coverage in two volumes.

As always, you get critical insider perspectives on how Windows operates. And through hands-on experiments, you'll experience its internal behavior firsthand--knowledge you can apply to improve application design, debugging, system performance, and support.

In Part 1, you will:

• Understand how core system and management mechanisms work--including the object manager, synchronization, Wow64, Hyper-V, and the registry

• Examine the data structures and activities behind processes, threads, and jobs

• Go inside the Windows security model to see how it manages access, auditing, and authorization

• Explore the Windows networking stack from top to bottom--including APIs, BranchCache, protocol and NDIS drivers, and layered services

• Dig into internals hands-on using the kernel debugger, performance monitor, and other tools