6 Process, Thread

Slide 2: Contents
1. Process
2. Thread
3. CreateProcess
4. Thread Activity

Slide 3: Simplified Windows Architecture
Executive: the base operating system services, such as memory management, process and thread management, security, I/O, networking, and interprocess communication.
Kernel: low-level operating system functions, such as thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization.
Ntoskrnl.exe = Executive + Kernel.

Slide 4: Windows Architecture
Environment subsystems (3): OS/2 (Windows 2000), POSIX (Windows XP), Windows.
Windows subsystem: keyboard, mouse, display, etc.
Subsystem DLLs: the interface between user applications and Windows system services, such as Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll.

Slide 5: Process
Each process is represented by an EPROCESS (executive process) block.
The Windows subsystem process (Csrss) maintains a parallel structure for each process that executes a Windows program.
The kernel-mode part of the Windows subsystem (Win32k.sys) has a per-process data structure.
The EPROCESS block lives in the system address space.
  EPROCESS -> PEB (Process Environment Block): lives in the process address space.
  EPROCESS -> KPROCESS block: used for thread scheduling.

Slide 6: Process (contd)
[Figure: EPROCESS block and KPROCESS block]

Slide 7: Process (contd)
PEB (Process Environment Block): the part of the process object that lives in the process address space; used by the image loader, the heap manager, and other Windows system DLLs (user mode).
Cf) EPROCESS, KPROCESS: kernel mode.

Slide 8: Process (contd)
Experiments: Displaying the Format of an EPROCESS Block; Using the Kernel Debugger !process Command; Examining the PEB.

Slide 9: Thread
Each thread is represented by an ETHREAD (executive thread) block.
The Windows subsystem process (Csrss) maintains a parallel structure for each thread created in a Windows process.
The kernel-mode part of the Windows subsystem (Win32k.sys) maintains a per-thread data structure.
The ETHREAD block lives in the system address space.
  ETHREAD -> TEB (Thread Environment Block): lives in the process address space.

Slide 10: Thread (contd)
[Figure: ETHREAD block (executive) and KTHREAD block (kernel)]

Slide 11: Thread (contd)
TEB (Thread Environment Block): stores context information for the image loader and various Windows DLLs (user mode).

Slide 12: Thread (contd)
Experiments: Displaying ETHREAD and KTHREAD Structures; Using the Kernel Debugger !thread Command; Examining the TEB.

Slide 13: CreateProcess
A Windows process is created with CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW, or CreateProcessWithLogonW.
Inside the OS, CreateProcess involves the Windows client-side library Kernel32.dll, the Windows executive, and the Windows subsystem process (Csrss).

Slide 14: CreateProcess (contd)
1. Open the image file (.exe).
2. Create the Windows executive process object.
3. Create the initial thread (stack, context, and Windows executive thread object).
4. Notify the Windows subsystem about the new process.
5. Start execution of the initial thread.
6. Complete the initialization of the address space and begin execution of the program.

Slide 15: CreateProcess (contd)
Stage 1: Open the image file (.exe)
If the file is a Windows .exe, it is opened directly; if it is not a Windows .exe, the Windows support image for that type of file is located and opened instead.
At the end of this stage, CreateProcess has opened a valid Windows executable file and created a section object to map it into the new process address space.

Slide 16: CreateProcess (contd)
Stage 2: Create the Windows executive process object
With the image to run opened in Stage 1, NtCreateProcess creates the executive process object in six sub-steps:
1. Setting up the EPROCESS block
2. Creating the initial process address space
3. Initializing the kernel process block (KPROCESS)
4. Concluding the setup of the process address space
5. Setting up the PEB
6. Completing the setup of the executive process object

Slide 17: CreateProcess (contd)
Stage 3: Create the initial thread (stack, context, and Windows executive thread object)
The thread's stack and context are set up; the initial thread's stack size is taken from the image.
NtCreateThread is called with the PEB as a parameter.
(This parameter will be used by the initialization code that runs in the context of this new thread, as described in Stage 6.)
The thread is created suspended; it is resumed in Stage 5.

Slide 18: CreateProcess (contd)
Stage 4: Notify the Windows subsystem about the new process.
At this point, all the necessary executive process and thread objects have been created. Kernel32.dll next sends a message to the Windows subsystem containing:
- Process and thread handles
- Entries in the creation flags
- ID of the process's creator
- Flag indicating whether the process belongs to a Windows application (so that Csrss can determine whether or not to show the startup cursor)

Slide 19: CreateProcess (contd)
Stage 4: Notify the Windows subsystem about the new process. (contd)
The Windows subsystem performs the following steps when it receives this message:
- CreateProcess duplicates a handle for the process and thread.
- The Csrss process block is allocated.
- The Csrss thread block is allocated and initialized.
- CreateProcess inserts the thread in the list of threads for the process.
- The count of processes in this session is incremented.
- The new process block is inserted into the list of Windows subsystem-wide processes.
- The per-process data structure used by the kernel-mode part of the Windows subsystem (W32PROCESS structure) is allocated and initialized.
- The application start cursor is displayed.

Slide 20: CreateProcess (contd)
Stage 5: Start execution of the initial thread.
At this point:
- the process environment has been determined (Stage 1),
- resources for its threads to use have been allocated (Stage 2),
- the process has a thread (Stage 3),
- the Windows subsystem knows about the new process (Stage 4).
The initial thread is now resumed so that it can start running and perform the remainder of the process initialization work.

Slide 21: CreateProcess (contd)
Stage 6: Complete the initialization of the address space and begin execution of the program.
The new thread begins life running the kernel-mode thread startup routine.
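Stage 1 above ends with CreateProcess holding a valid Windows executable before a section object is created for it. The check below is an added example, not code from these slides or from Windows itself: it walks the DOS header, PE signature, file header and optional header of a constructed, header-only image, bounds-checking every offset before reading it, and reports the machine type, the subsystem (GUI versus console) and whether the image is a DLL, which is a well-formed PE but not something CreateProcess can run. The names pe_validate, build_sample, pe_info_t and the scenario_* helpers are this example's own; the header offsets and flag values are the documented PE layout, and the sample images are constructed here, not real programs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of checking a candidate image before mapping it (Stage 1). */
typedef struct {
    int valid;           /* 1 if the buffer carries a well-formed PE header */
    uint16_t machine;    /* IMAGE_FILE_HEADER.Machine (0x14c = i386, 0x8664 = x64) */
    uint16_t subsystem;  /* IMAGE_OPTIONAL_HEADER.Subsystem (2 = GUI, 3 = console) */
    int is_dll;          /* IMAGE_FILE_DLL (0x2000) set: valid PE, but not runnable */
    int is_pe32plus;     /* optional-header magic 0x20b (PE32+) vs 0x10b (PE32) */
    const char *reason;  /* "ok" or why the image was rejected */
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate DOS header, PE signature, file header and optional header.
 * Every offset is bounds-checked first, so a truncated or corrupted file is
 * rejected rather than read past the end of the buffer. */
pe_info_t pe_validate(const uint8_t *buf, size_t len)
{
    pe_info_t r;
    memset(&r, 0, sizeof r);
    r.reason = "ok";
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') { r.reason = "no MZ header"; return r; }
    uint32_t pe_off = rd32(buf + 0x3C);                      /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20) { r.reason = "e_lfanew out of range"; return r; }
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) { r.reason = "no PE signature"; return r; }
    const uint8_t *fh = buf + pe_off + 4;                    /* IMAGE_FILE_HEADER */
    r.machine = rd16(fh + 0);
    uint16_t opt_size = rd16(fh + 16);                       /* SizeOfOptionalHeader */
    uint16_t chars = rd16(fh + 18);                          /* Characteristics */
    if (!(chars & 0x0002)) { r.reason = "IMAGE_FILE_EXECUTABLE_IMAGE not set"; return r; }
    r.is_dll = (chars & 0x2000) != 0;
    const uint8_t *oh = fh + 20;                             /* IMAGE_OPTIONAL_HEADER */
    if (opt_size < 70 || (size_t)(oh - buf) + opt_size > len) { r.reason = "optional header truncated"; return r; }
    uint16_t magic = rd16(oh);
    if (magic == 0x10b) r.is_pe32plus = 0;
    else if (magic == 0x20b) r.is_pe32plus = 1;
    else { r.reason = "unknown optional header magic"; return r; }
    r.subsystem = rd16(oh + 68);                             /* same offset in PE32 and PE32+ */
    r.valid = 1;
    return r;
}

/* Build a constructed, header-only sample image (not a real program) so the
 * example runs offline. Returns the number of bytes written, 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint16_t machine, uint16_t magic,
                    uint16_t subsystem, uint16_t characteristics)
{
    const uint32_t pe_off = 0x40;
    const uint16_t opt_size = (magic == 0x20b) ? 112 : 96;  /* without data directories */
    size_t total = pe_off + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3C, pe_off);
    memcpy(out + pe_off, "PE\0\0", 4);
    uint8_t *fh = out + pe_off + 4;
    wr16(fh + 0, machine);
    wr16(fh + 2, 1);                 /* NumberOfSections */
    wr16(fh + 16, opt_size);
    wr16(fh + 18, characteristics);
    wr16(fh + 20, magic);
    wr16(fh + 20 + 68, subsystem);
    return total;
}

/* Scenarios: each returns 1 when the validator behaves as Stage 1 requires. */
int scenario_x64_gui_exe(void) {
    uint8_t b[256]; size_t n = build_sample(b, sizeof b, 0x8664, 0x20b, 2, 0x0022);
    pe_info_t r = pe_validate(b, n);
    return r.valid && r.is_pe32plus && r.machine == 0x8664 && r.subsystem == 2 && !r.is_dll;
}
int scenario_x86_console_exe(void) {
    uint8_t b[256]; size_t n = build_sample(b, sizeof b, 0x14c, 0x10b, 3, 0x0102);
    pe_info_t r = pe_validate(b, n);
    return r.valid && !r.is_pe32plus && r.subsystem == 3 && !r.is_dll;
}
int scenario_dll_flagged(void) {           /* valid PE, but Characteristics says DLL */
    uint8_t b[256]; size_t n = build_sample(b, sizeof b, 0x14c, 0x10b, 2, 0x2102);
    pe_info_t r = pe_validate(b, n);
    return r.valid && r.is_dll;
}
int scenario_bad_lfanew_rejected(void) {   /* e_lfanew points past the end of the file */
    uint8_t b[256]; size_t n = build_sample(b, sizeof b, 0x14c, 0x10b, 2, 0x0102);
    wr32(b + 0x3C, 0xFFFFFF00u);
    return pe_validate(b, n).valid == 0;
}
int scenario_truncated_rejected(void) {    /* only 0x50 bytes of the file are available */
    uint8_t b[256]; build_sample(b, sizeof b, 0x14c, 0x10b, 2, 0x0102);
    return pe_validate(b, 0x50).valid == 0;
}

int main(void) {
    printf("x64 GUI exe: %d\nx86 console exe: %d\nDLL flagged: %d\nbad e_lfanew rejected: %d\ntruncated rejected: %d\n",
           scenario_x64_gui_exe(), scenario_x86_console_exe(), scenario_dll_flagged(),
           scenario_bad_lfanew_rejected(), scenario_truncated_rejected());
    return 0;
}
```

The point of the two rejection scenarios is that the file header is attacker-controlled input to the loader: e_lfanew and SizeOfOptionalHeader are read from the file and must be checked against the file length before anything behind them is dereferenced.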
(KiThreadStartup)
Loads any required DLLs and calls the DLL entry points with the DLL_PROCESS_ATTACH function code.
Finally, the image begins execution in user mode when the loader initialization returns to the user-mode APC dispatcher, which then calls the thread's start function that was pushed on the user stack.

Slide 22: CreateProcess (contd)

Slide 23: Thread Activity
Process Explorer?
Process Explorer: Refresh Time, Thread, Thread Stack.
Experiment: Process Explorer.

Slide 24: Glossary
Process Working Set: The subset of a process's virtual address space that is resident and owned by the running process.
System Working Set: The physical memory being used by the system cache, paged pool, pageable code in Ntoskrnl.exe, and pageable code in device drivers.
Process: The virtual address space and control information necessary for the execution of a set of thread objects.
Thread: An entity within a process that Windows schedules for execution. A thread includes the contents of a set of volatile registers representing the state of the processor; two stacks, one for the thread to use while executing in kernel mode and one for executing in user mode; a private storage area for use by subsystems, run-time libraries, and DLLs; and a unique identifier called a thread ID (also internally called a client ID).
Process Affinity: The set of processors a thread is permitted to run on.

Slide 25: Glossary (contd)
Section Object: An object that represents a block of memory that two or more processes can share. A section object can be mapped to the paging file or to another file on disk. The executive uses section objects to load executable images into memory, and the cache manager uses them to access data in a cached file. In the Windows subsystem, a section object is called a file-mapping object.
Page Table Entry (PTE): An entry in a process's page table that contains the address to which the virtual address is mapped. The page can be in physical memory or it can be on disk.
Page Table: A page of mapping information (made up of an array of page table entries) that the operating system constructs to describe the location of the virtual pages in a process address space. Because Windows provides a private address space for each process, each process has its own set of process page tables to map that private address space, because the mappings will be different for each process. The page tables that describe system space are shared among all processes.
Page Directory: A page the memory manager creates to map the location of all page tables for that process. Each process has a single page directory.

Slide 26: Glossary (contd)
Hyperspace: A special region used to map the process working set list and to temporarily map other physical pages for such operations as zeroing a page on the free list (when the zero list is empty and a zero page is needed), invalidating page table entries in other page tables (such as when a page is removed from the standby list), and, on process creation, setting up a new process's address space.
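The glossary entries for Page Table, Page Directory and PTE describe a two-level translation with one page directory per process and shared page tables for system space. The following is an added example, not code from these slides or from Windows: a C simulation of the x86 32-bit (non-PAE, 4 KB pages) two-level walk, in which a new process's directory is built by copying the system-space PDEs (0x80000000 and above, the default 2 GB/2 GB split, assumed here) from a system template so those page tables are shared, while user-space tables are created privately per process. Page tables come from a small constructed pool indexed by the PDE instead of real physical frames, and all flags other than the present bit are omitted; every name in the block is the example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define PAGE_MASK    0xFFFu
#define PTE_PRESENT  0x1u      /* bit 0: present/valid, as in the x86 PDE/PTE format */
#define NUM_TABLES   8         /* simulated frames available to hold page tables */
#define SYSTEM_PDI   512       /* first PDE of system space: 0x80000000 >> 22 (assumed split) */

typedef struct { uint32_t pde[1024]; } page_directory_t;   /* one per process */
typedef struct { uint32_t pte[1024]; } page_table_t;       /* maps 4 MB of virtual space */

/* Stand-in for physical memory: a PDE holds the pool index of a page table
 * (shifted like a frame number) instead of a real physical address. */
static page_table_t g_tables[NUM_TABLES];
static int g_next_table = 0;

uint32_t pdi(uint32_t va) { return va >> 22; }                      /* bits 31..22 */
uint32_t pti(uint32_t va) { return (va >> PAGE_SHIFT) & 0x3FFu; }   /* bits 21..12 */

static int alloc_table(void) {
    if (g_next_table >= NUM_TABLES) return -1;
    memset(&g_tables[g_next_table], 0, sizeof(page_table_t));
    return g_next_table++;
}

/* Map one 4 KB virtual page to a frame, creating the page table on demand. */
int map_page(page_directory_t *pd, uint32_t va, uint32_t pa) {
    uint32_t *pde = &pd->pde[pdi(va)];
    if (!(*pde & PTE_PRESENT)) {
        int t = alloc_table();
        if (t < 0) return -1;
        *pde = ((uint32_t)t << PAGE_SHIFT) | PTE_PRESENT;
    }
    g_tables[*pde >> PAGE_SHIFT].pte[pti(va)] = (pa & ~PAGE_MASK) | PTE_PRESENT;
    return 0;
}

/* Two-level walk: PDE -> page table -> PTE -> frame | offset.
 * Returns 0 on success, -1 where the hardware would raise a page fault. */
int translate(const page_directory_t *pd, uint32_t va, uint32_t *pa_out) {
    uint32_t pde = pd->pde[pdi(va)];
    if (!(pde & PTE_PRESENT)) return -1;
    uint32_t pte = g_tables[pde >> PAGE_SHIFT].pte[pti(va)];
    if (!(pte & PTE_PRESENT)) return -1;
    *pa_out = (pte & ~PAGE_MASK) | (va & PAGE_MASK);
    return 0;
}

/* A new process gets an empty, private user half, while the PDEs for system
 * space are copied from the system template: the same page tables are then
 * reachable from every process's directory. */
void init_process_directory(page_directory_t *pd, const page_directory_t *system_template) {
    memset(pd, 0, sizeof *pd);
    for (uint32_t i = SYSTEM_PDI; i < 1024; i++) pd->pde[i] = system_template->pde[i];
}

/* Returns 1 if user mappings are private per process while system-space
 * mappings, including one added after the processes were created, are shared. */
int scenario_private_user_shared_system(void) {
    static page_directory_t sys, a, b;      /* static: 12 KB, keep it off the stack */
    uint32_t pa; int ok = 1;
    g_next_table = 0;
    memset(&sys, 0, sizeof sys);
    ok &= map_page(&sys, 0x80401000u, 0x00123000u) == 0;   /* a system-space page */
    init_process_directory(&a, &sys);
    init_process_directory(&b, &sys);
    ok &= map_page(&a, 0x00400000u, 0x01000000u) == 0;     /* same VA, private frames */
    ok &= map_page(&b, 0x00400000u, 0x02000000u) == 0;
    ok &= map_page(&sys, 0x80402000u, 0x00124000u) == 0;   /* added later via the shared table */
    ok &= translate(&a, 0x00400ABCu, &pa) == 0 && pa == 0x01000ABCu;
    ok &= translate(&b, 0x00400ABCu, &pa) == 0 && pa == 0x02000ABCu;
    ok &= translate(&a, 0x80401123u, &pa) == 0 && pa == 0x00123123u;
    ok &= translate(&b, 0x80402010u, &pa) == 0 && pa == 0x00124010u;
    ok &= translate(&a, 0x00500000u, &pa) == -1;           /* never mapped: page fault */
    return ok;
}

int main(void) {
    printf("VA 0x80401123 -> PDI %u, PTI %u, offset 0x%03x\n",
           pdi(0x80401123u), pti(0x80401123u), 0x80401123u & PAGE_MASK);
    printf("private user / shared system check: %d\n", scenario_private_user_shared_system());
    return 0;
}
```

Copying the system-space PDEs, rather than the page tables behind them, is what makes a later kernel mapping visible to every process at once; it is also why the Page Directory entry above says each process has exactly one directory while the system-space page tables are shared.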