计算机系信息处理实验室 Lecture 7 Processes, Threads, and Jobs (1) xlanchen@04/01/2005

计算机系•信息处理实验室

Lecture 7 Processes, Threads, and Jobs (1)

xlanchen@04/01/2005

xlanchen@04/01/2005 Understanding the Inside of Windows2000

2计算机系信息处理实验室

Contents

The internal structures of process

How to create a process

The internal structures of thread

How to create a thread

Thread Scheduling

Job Objects



Process structures

Kernel data structures

KPROCESS (knl - per process)

EPROCESS (executive - per process)

KTHREAD (knl – per thread)

ETHREAD (executive – per thread)

WIN32K.SYS (knl – one struct per USER/GDI thread)

Subsystem data structures

CSRSS (Win32 subsystem – per user thread)

User mode data structures

Process Environment Block (one per process)

TEB (one per thread)



A simplified diagram



EPROCESS



EXPERIMENT

Displaying the Format of an EPROCESS Block



KPROCESS



PEB



EXPERIMENT

Examining the PEB



Kernel Variables Related to Process

PsActiveProcessHead

PsIdleProcess

PsInitialSystemProcess

PspCreateProcessNotifyRoutine

PspCreateProcessNotifyRoutineCount

PspLoadImageNotifyRoutine

PspLoadImageNotifyRoutineCount

PspCidTable



Performance Counters With these counters

track the processes running on your system;

retrieve these counters programmatically or view them with the Performance tool.

Process-Related Performance Counters

Privileged Time

Processor Time

User Time

Elapsed Time

ID Process

Creating Process ID

Thread Count

Handle Count



FunctionsCreateProcess /CreateProcessAsUser /CreateProcessWithLogonW

OpenProcess

ExitProcess /TerminateProcess

FlushInstructionCache

GetProcessTimes /GetExitCodeProcess /GetCommandLine

GetCurrentProcessId /GetProcessVersion

GetStartupInfo

GetEnvironmentStrings /GetEnvironmentVariable

Get/SetProcessShutdownParameters

GetGuiResources



EXPERIMENT

Viewing Process Information with Task Manager



EXPERIMENT

Viewing the Process Tree



EXPERIMENT

Viewing Thread Activity with QuickSlice



EXPERIMENT

Viewing Process Details with Process Viewer



EXPERIMENT

Using the Kernel Debugger !process Command



Creating a Win32 process

CreateProcess

CreateProcessAsUser

CreateProcessWithLogonW

Three parts of the OS are involved:

Kernel32.dll

Executive

Subsystem process (Csrss)

Csrss

executive

Kernel32.dll



Main stages of CreateProcessOpen the image file (.exe) to be executed inside the process.

Create the 2K executive process object.

Create the initial thread (stack, context, and 2K executive thread object).

Notify the Win32 subsystem of the new process so that it can set up for the new process and thread.

Start execution of the initial thread (unless the CREATE_SUSPENDED flag was specified).

In the context of the new process and thread, complete the initialization of the address space (such as load required DLLs) and begin execution of the program.



The main stages of process creation



Some notes

CreationFlags the priority class

Priority class

Normal (default)

Real-time

Below Normal

Idle

…

Desktop



Stage 1:

Opening the Image to Be Executed

The executable file the appropriate Win32 image

Mapped into a section object of the new process



Choosing a Win32 image



Decision Tree for Stage 1

If the image is a/anThis image will run

And this will happen

POSIX executable file Posix.exe

Restarts Stage 1

OS/2 1.x image Os2.exe

MS-DOS App. (*.exe, *.com, *.pif)

Ntvdm.exe

Win16 App. Ntvdm.exe

Command procedure MS-DOS App. (*.bat, *.cmd)

Cmd.exe



Stage 2

Creating the Windows 2000 Executive Process Object

NtCreateProcess

Setting up the EPROCESS block

Creating the initial process address space

Creating the kernel process block

Concluding the setup of the process address space

Setting up the PEB

Completing the setup of the executive process object



Stage 3:

KiInitializeContextThread

Creating the Initial Thread and Its Stack and Context

Stack

Size

Context

NtCreateThreadinitial thread

Suspended state



Stage 4:

Notifying the Win32 Subsystem About the New Process

Kernel32.dll sends a message to the Win32 subsystem

Process and thread handles

Entries in the creation flags

ID of the process's creator

Flag indicating whether the process belongs to a Win32 application (so that Csrss can determine whether or not to show the startup cursor)



Upon receiving the message, the Win32 subsystem

set up for the new process and thread

Allocate Csrss process/thread block



Stage 5:

Starting Execution of the Initial Thread

the initial thread is now resumed



Stage 6:

Performing Process Initialization in the Context of the New Process

KiThreadStartup

Documents

计算机系 信息处理实验室 Lecture 7 Processes, Threads, and Jobs (1) xlanchen@04/01/2005

计算机系信息处理实验室 Lecture 7 Processes, Threads, and Jobs (1) xlanchen@04/01/2005