计算机系信息处理实验室 Lecture 6 Management Mechanisms xlanchen@03/25/2005

计算机系•信息处理实验室

Lecture 6 Management Mechanisms

xlanchen@03/25/2005

xlanchen@03/25/2005 Understanding the Inside of Windows2000

2计算机系信息处理实验室

Contents

The Registry

Services

Windows Management Instrumentation

计算机系•信息处理实验室

1. The Registry



Registry

The repository for systemwide and per-user settings

Used to configure and control 2K systems

For a complete reference to the contents of the 2K registry, please refer “Technical Reference to the Windows 2000 Registry” help file.



The focus

Registry structure

Data types

Key information in the registry

…



Registry Data Types

Registry is a database(compare with the file system)

Key: value (directory: file)

Subkey (subdirectory)

Root key (Root directory)

Naming convention

Registry Editor utilities:

Regedit

Regedit32 (for example)



Registry Data Types

11 typesREG_NONE No value type

REG_SZ Fixed-length Unicode NULL-terminated string

REG_EXPAND_SZ Variable-length, that can have embedded environment variables

REG_BINARY Arbitrary-length binary data

REG_DWORD 32-bit number

REG_DWORD_LITTLE_ENDIAN 32-bit number, low byte first.

REG_DWORD_BIG_ENDIAN 32-bit number, high byte first

REG_LINK Unicode symbolic link

REG_MULTI_SZq Array of Unicode NULL-terminated strings

REG_RESOURCE_LIST Hardware resource description

REG_FULL_RESOURCE_DESCRIPTOR Hardware resource description



Registry Logical Structure

Six root keys

HKEY_CURRENT_USER

HKEY_USERS

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA



Demo



HKEY_CURRENT_USER

Contains data regarding the preferences and software configuration of the locally logged-on user

\Documents and Settings\<username>\Ntuser.dat

Link to a subkey of HKER_USER



HKEY_USERS

contains a subkey for each loaded user profile and user class registration database on the system



HKEY_CLASSES_ROOT

consists of two types of information: file extension associations and COM class registrations



HKEY_LOCAL_MACHINE

contains all the systemwide configuration subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM



HKEY_CURRENT_CONFIG

link to current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.



HKEY_PERFORMANCE_DATA

You can access the registry performance counter information directly by opening a special key named HKEY_PERFORMANCE_DATA and querying values beneath it



EXPERIMENT

Watching Registry Activity

Regmon.exe



Registry internals

Configuration manager

Manages the registry recoverably

The registry is a set of discrete files called hives

Registry tree



HKEY_LOCAL_MACHINE\SYSTEM \Winnt\System32\Config\System

HKEY_LOCAL_MACHINE\SAM \Winnt\System32\Config\Sam

HKEY_LOCAL_MACHINE\SECURITY \Winnt\System32\Config\Security

HKEY_LOCAL_MACHINE\SOFTWARE \Winnt\System32\Config\Software

HKEY_LOCAL_MACHINE\HARDWARE Volatile hive

HKEY_LOCAL_MACHINE\SYSTEM\Clone Volatile hive

HKEY_USERS\<security ID of username>

\Documents and Settings\<username>\Ntuser.dat

HKEY_USERS\<security ID of username>_Classes

\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat

HKEY_USERS\.DEFAULT \Winnt\System32\Config\Default



EXPERIMENT

Looking at Hive Handles

Handleex.exe





Hive Structure

Registry block (4KB)

Base block, includes global information about the hive

Signature: regf

Updated sequence numbers

Time stamp

Hive format version number

Checksum

Internal filename



Cell

To organize the registry data

A cell can hold a key, a value, a security descriptor, a list of subkeys, or a list of key values.

Head of a cell: Size

Data of a cell

Data type

Key cell, value cell, subkey-list cell, value-list cell, security-descriptor cell



Bin

To minimize some management chores

When a cell joins a hive and the hive must expand to contain the cell, the system creates an allocation unit called a bin

Bin head + bin offset + bin size



Cell index

Cell indexes: the links that create the structure of a hive

A cell index is the offset of a cell into the hive file



Internal structure of a registry hive



Cell map

The hive is buffered in the kernel’s address space (paged pool)

When hive grows, the system must allocate paged pool memory to store the new bins

The paged pool that keeps the registry data in memory isn't necessarily contiguous

Cell map: similar to virtual memory physical memory



Structure of a cell index



EXPERIMENT

Viewing Hive Paged Pool Usage



The Registry Namespace

Registry : key object

\Registry

Name parsing

\Registry : configure manager

the rest of the name configuration manager



Key object and key control block

APP

Handle table

Key obj

APP

Handle table

Key obj

Key control block



Flow of control

App: open an existed key

Obj Manager: parse \Registry

Configure Manager: parse the rest of the name

If opened: reference +1

Else: new key control block

Then: new key obj

Obj Manager: return handle

App: OK



Services

Also called Win32 services

Similar to UNIX daemon processes

Win32 services consist of three components

a service application,

a service control program (SCP),

the service control manager (SCM).



Service Applications

Consist of at least one executable

A user wanting to start, stop, or configure a service uses an SCP

Service applications are simply Win32 executables (GUI or console) with additional code

To receive commands from the SCM

To communicate the application's status back to the SCM.



Service Applications (cont.)When installing, setup program must register the service with the system (CreateService )

Usually: auto-start service

The function StartService can be used to start the service

Service characteristics

the service's type

the location of the service's executable image file,

an optional display name,

an optional account name and password

a start type

an error code

And optional information



Registry key for service

Characteristics: key value



Inside a service process



Service Accounts

The Local System Account

Alternate Accounts

Interactive Services



The Service Control Manager The SCM's executable file is \Winnt\System32\Services.exe

SvcCtrlMain

ScCreateServiceDB

This is the function that builds the SCM's internal service database



Service Startup

ScAutoStartService for auto-start services

The services are started in a certain order

HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List



Startup Errors

If an error is reported, ErrorControl determines the reflection

If SERVICE_ERROR_IGNORE (0) or not specified

The error is ignored

If SERVICE_ERROR_NORMAL (1), an event is written to the system Event Log

“The <service name> service failed to start due to the following error:”



example



WMI

An implementation of Web-Based Enterprise Management (WBEM)

WBEM: a standard defined DMTF



WMI Architecture



The WMI Namespace

Hierarchical organization

Root (dir): subnamespaces

CIMV2

Default

Security

WMI

WMI uses object properties that it defines as keys to identify the objects.

Documents

计算机系 信息处理实验室 Lecture 6 Management Mechanisms xlanchen@03/25/2005

计算机系信息处理实验室 Lecture 6 Management Mechanisms xlanchen@03/25/2005