Внутреннее Устройство Microsoft Windows. 6-е Издание

., .
Microsoft Windows. 6- .
-
.

32.973.2-018.2
.
.
.
.
.
.
.
004.451
., .
89 Microsoft Windows. 6- . .: , 2013. 800 .:

. ( -).
ISBN 978-5-459-01730-4

Microsoft
Windows7, Windows Server 2008 R2. Windows, , ,
.
Windows,
: , ; .
,
, , Windows.
12+ ( 29 2010 . 436-.)
ISBN 978-0735648739 .
ISBN 978-5-459-01730-4

Microsoft Press, 2012

, 2013
,
, 2013
Microsoft Press. .
.
, , , . , , ,
.
, 192102, -, . (. ), . 3, , . 7.
005-93, 2; 95 3005 .
04.04.13. 70100/16. . . . 64,500. 1200.

. 142300, , , . , . , .1.

.............................................................................................................. 14
1. ..... 18
2. ................................................................... 54
3. ............................................................... 104
4. ............................................................. 332
5. , .................................................... 424
6. .................................................................................. 564
7. .................................................................................................... 681

............................................................................................................ 14
............................................................................................................................14
......................................................................................................................14
, .............................................................................15
.....................................................................................................15
.......................................................................................................................15
.....................................................................................15
.................................................................................................................................16
1. ............................... 18
Windows ................................................................................. 18
..................................................................................................... 19
Windows API....................................................................................................................................19
, ....................................................................20
, .....................................................................................................22
.....................................30
.....................................................................................................................32
...................................................34
..................................................39
..............................................................................................................40
....................................................................................................................................41
.................................................................................................................................................43
Unicode...............................................................................................................................................43
Windows ............................................ 44
.....................................................................................................................45
...................................................................................................................................47
........................................................................................................47
Windows...............................................................................................47
LiveKd.......................................................................................51
Windows Software Development Kit........................................................................................52
Windows Driver Kit.......................................................................................................................52
Sysinternals.............................................................................53
.......................................................................................................................................... 53
2. ............................................................................. 54
..................................................................................................... 54
...............................................................................................55
......................................................................................................56
................................................................................................................................58
.................................................................60
........................................................................................................................62
................................................63
........................................................................................................................67
..............................................................................................69
DLL- ....................................70
...........................................................................................................................72
Windows....................................................................................................................72
Unix-....................................................................75
Ntdll.dll...............................................................................................................................................76
.................................................................................................................77
.....................................................................................................................................................80
..................................................................................................................................80
...........................................................................................................83
.............................................................................................84
......................................................................................................................87
Windows (WDM).....................................................................................88
Windows Driver Foundation.......................................................................................................89
....................................................................................................................92
...........................................................................................................93
System .....................................................................................94
(Smss).............................................................................................................97
Windows (Wininit.exe)...............................................................98
(SCM).............................................................................99
(Lsm.exe)............................................................................101
Winlogon, LogonUI Userinit.................................................................................................102
........................................................................................................................................ 103
3. .......................................................................... 104
.........................................................................104
................................................................................................106
.....................................................................................107
x86...................................................................................................109
x64................................................................................................110
IA64.............................................................................................110
(IRQL)....................................................111
.......................................................................................................131
......................................................................................................................141
....................................................................................................144
........................................................................................................................147
...............................150
..............................................................................................................152
................................................................................................154
.................................................................................................158
Windows Error Reporting........................................................................................160
......................................................................................... 164
.....................................................................................164
.................................................................................................170
........................................................................................................................ 173
...........................................................................................176
.......................................................................................................................178
.......................................................................................................179
................................................................................................................................185
............................................................................................................................189
............................................192
......................................................................................................................199
.................................................................................................................200
..................................................................................................................202
................................................................................................................................206
............................................................................................................................207
.......................................................................................................................208
........................................................................................................212
.................................................................................................................215
................................................................................................................................. 216
IRQL-............................................................................217
...............................................................................................218
-.........................................................................................................................218
- ...............................................................................................221
- ................................................................222
................................................222
IRQL-...............................................................................223
.........................................................................................................224
.............................................................................................225
?..............................................................226
......................................................................................................................229
......................................................................................................................237
.................................................................239
............................................................................................241
-..........................................................................................................................243
.................................................................................................................245
.....................................................................................245
................................................................................................................246
- (Slim Reader-Writer Locks)................................247
...........................................................................................248
......................................................................................................... 250
Windows.....................................................................................................252
........................................................... 253
.................................................................................................................255
......................................................................................................................256
.............................................................................................................259
, ..............................................................................................260
.........................................................................................................................................261
, ..............................................................................................261
..................................................................................................................................262
...................................................................................................................263
..............................................................................................................264
...................................................................................................... 266
Wow64 .................................................................................................................................................. 270
Wow64..........................................................270
......................................................................................................................271
................................................................................................272
APC..........................................................................272
....................................................................................................................272
................................................................272
................................................................................272
....................................................................................................273
-...........................................................................274
16- ....................................................................................275
...........................................................................................................................275
..................................................................................................................................275
...................................................................................... 276
....................................................................................................276
...............................................................................................................278
Windows..........................................................................................279
........................................................................................................................... 280
...........................................................................282
DLL- .................................................283
DLL.................................................................................................284
......................................................................................287
............................................................................................................................291
..........................................................292
SwitchBack.............................................................................................................294
API-................................................................................................................295
(Hyper-V) ................................................................................................................... 297
............................................................................................................................................299
..................................................................................................................300
................................................................300
......................301
....................................................................................301
API-
.................................................................................................................................301
......................................................................................................................................302
........................................................................................................................302
..........................................................................................304
.................................................................................................................................304
................................................................................305
.....................................................................................................306
.......................................................................................................307
.........................................................................................................309
..............................................................................................................309
.......................................................................................................................................318
..........................................................................................................318
......................................................................................................... 321
............................................................................................. 324
...................................................................................................... 326
............................................................................................................................. 329
........................................................................................................................................ 331
4. ........................................................................ 332
................................................................................................................................................... 332
..............................................................................................332
..............................................................................................................333
.................................................................................................................334
................................................................................................335
HKEY_CURRENT_USER.......................................................................................................336
HKEY_USERS..............................................................................................................................337
HKEY_CLASSES_ROOT.........................................................................................................338
10
HKEY_LOCAL_MACHINE.....................................................................................................339
HKEY_CURRENT_CONFIG..................................................................................................343
HKEY_PERFORMANCE_DATA..........................................................................................343

Transactional Registry (TxR)..................................................................................................343
.......................................................................................346
Process Monitor.........................................................................346

Process Monitor..........................................................................................................................348

- ..............................349
................................................................................................. 350
................................................................................................................................................350
.....................................................................................................351
.............................................................................................352
...........................................................................................................................353
.....................................................................................................................357
...................................................................................359
........................................................................................361
....................................................................................................................363
.................................................................................................................363
................................................................................................................................................ 364
.....................................................................................................................365
...............................................................................................................371
.....................................................................................371
(Network Service)........................................................373
.....................................................................................374
.............................................................374
...............................................................................374
...........................................................................................................................376
(Session 0)............................380
..........................................................................................382
..............................................................................................................................386
, .....................................................................................390
...........................................391
.....................................................................................................................................393
.......................................................................................................................394
, ...........................................................................396
......................................................................................................................................399
..............................................................................400
............................................................................................................................400
API- UBPM..................................................................................................................402
..........................................................................................................402
.........................................................................................................404
Task Host.........................................................................................................................................405
.......................................................................................406
Windows Management Instrumentation................................................................................407
WMI.......................................................................................................................407
....................................................................................................................................409
Common Information Model Managed Object Format......................................410

11
WMI.........................................................................................................414
................................................................................................................................415
WMI.........................................................................................................................417
WMI......................................................................................................................419
Windows.............................................................................420
WDI...............................................................................................................420
..............................................................................................421
..........................................................................................................422
....................................................................................................................................423
5. , ................................................................. 424
............................................................................................ 424
......................................................................................................................424
................................................................................................................. 432
CreateProcess ............................................................................... 434
1. ............435
2. , ..................................439
3. Windows
(PspAllocateProcess).................................................................................................................442
3. EPROCESS..........................................................................443
3. .............................445
3. ....................................445
3. .........................446
3. PEB..........................................................................................................447
3.
(PspInsertProcess).....................................................................................................................447
4. , ........................448
5. ,
Windows.................................................................................451
6. ................................................................452
7. ......453
................................................................................................ 459
.......................................................................................................................459
..........................................................................................................................465
...................................................................................................... 466
, ............................469
( ) ............................................................................................ 471
.................................................................................................................. 475
Windows.................................................................475
......................................................................................................................478
......................................................................................................................484
............................................................................................................490
............................................................................................................................492
.............................................................................................................500
..........................................................................................................521
...........................................................................................................521
............................................................................................................................526
.................................................................................................................................530
...............................................................................................532
............................................................543
........................................................................................................................544
12
, ........................... 546
..................................................547
...................................555
.......................................................... 557
............................................................................................................................. 559
.................................................................................................................559
............................................................................................................................560
........................................................................................................................................ 563
6. ....................................................................................... 564
..................................................................................................................... 564
........................564
...........................................................................................................................566
.................................................................................... 567
.............................................................................................................................. 571
..............................................................................................................573
..............................................................................................576
....................................................................................597
......................................................601
AuthZ API .......................................................................................................................................... 618
...................................................................................................... 620
................................................................................................................622
....................................................................................................................................623
.........................................................................................................................629
.................................................................................. 631
........................................................................................................................ 632
...........................................................................................................633
...................................................................................................636
................................................................................................................................. 639
Winlogon........................................................................................................641
..................................................................................642
........................................................................................647
....................................... 649
.............................. 651
....................................................................652
............................................................................................................659
(AppID) ................................................................................... 670
AppLocker ........................................................................................................................................... 672
.......................................................... 678
........................................................................................................................................ 680
7. ..................................................................................................... 681
Windows ................................................................................................... 681
OSI................................................................................................................681
Windows...............................................................................................685
API ...................................................................................................................................... 688
Windows..........................................................................................................................688
Winsock.................................................................................................................................695
...................................................................................................697
API- -..................................................................................................703
............................................................................705

13
NetBIOS...........................................................................................................................................712
API....................................................................................................................714
..................................................................................... 722
(MPR)..............................................................722
UNC- (MUP)..............................................................................725
.........................................................................................................727
.....................................................................................................................................728
-.....................................................................................................................730
..........................731
................................................. 732
................................................................ 734
........................................................................................................................ 735
................................................................................................................737
.........................................................................................................................................739
..................................................................................................................740
............................................................................................................................740
BranchCache ....................................................................................................................................... 742
................................................................................................................744

BranchCache: SMB-...........................................................................750

BranchCache: HTTP........................................................................752
............................................................................................................................. 754
.................................................................................................................754
..............................................................755
.......................................................................................................... 757
...........................................................................757
..................................................................758
Link-Layer....................................................................................761
...................................................................................................................... 762
Windows Filtering Platform.....................................................767
NDIS- ................................................................................................................................ 773
NDIS- -...................................................................778
NDIS-, ...................................778
Remote NDIS.................................................................................................................................781
QoS....................................................................................................................................................782
............................................................................................................................................. 785
............................................................................................ 787
........................................................................................................................787
Active Directory............................................................................................................................787
Network Load Balancing.............................................................................................................789
...........................................................................................................790
Direct Access..................................................................................................................................796
........................................................................................................................................ 799

Windows
( ),
Microsoft Windows 7 Windows
Server 2008 R2. ,
,
Windows. .
,

. ,
Windows ,
.

Windows
.
,
, , , .
.
: , ; .

Microsoft Press 2012 :
-, , ,
.
.

.

, Inside Windows NT
(Microsoft Press, 1992) (Helen Custer)
Microsoft Windows NT 3.1. Inside Windows NT ,
Windows NT
. Inside Windows NT, Second Edition (Microsoft Press,
1998) (David Solomon). -
15
Windows NT 4.0
.
Inside Windows 2000, Third Edition (Microsoft Press, 2000)
(David Solomon) (Mark
Russinovich). , , , , . , Windows
2000, Windows Driver Model (WDM), Plug and Play,
, Windows Management Instrumentation (WMI), , . Windows Internals, Fourth
Edition , WindowsXP WindowsServer
2003, , IT- Windows,
Windows Sysinternals (www.microsoft.com/
technet/sysinternals) . Windows Internals,
Fifth Edition Windows Vista Windows Server 2008.
, Hyper-V.
,
, ,
Windows 7 Windows Server 2008 R2. , , .

Windows
Windows , Sysinternals Winsider Seminars & Solutions.

Windows, ,
,
. , ,
Windows ,
.

Windows .
, Windows, . , COM+,
- Windows,
Microsoft .NET Framework, .
16
, ,
, , ,
Windows.

Windows
(, ),
. ( ,
Windows API, .)
, , , ,
, .
,
Windows, . ,
, (, ) ,
Windows .
( Jamie Hanrahan)
(Brian Catlin) Azius, LLC ,
. , .
Azius Windows .
www.azius.com.
(Alex Ionescu),
.
.
(Eric Traut) ( Jon DeVaan) (David Solomon) Windows
,
Windows Internals.

: (Arun Kishan), (Landy
Wang) (Aaron Margosis) ! .

,
Microsoft Windows.
,
: Greg Cottingham; Joe Hamburg; Jeff Lambert; Pavel Lebedynskiy; Joseph
East; Adi Oltean; Alexey Pakhunov; Valerie See.
17

(Gianluigi Nusca) (Tom Jolly), ,
:
BranchCache ( )
( ), . ,
: Roopesh Battepati; Molly Brown; Greg
Cottingham; Dotan Elharrar; Eric Hanson; Tom Jolly; Manoj Kadam; Greg Kramer;
David Kruse; Jeff Lambert; Darene Lewis; Dan Lovinger; Gianluigi Nusca; Amos Ortal;
Ivan Pashov; Ganesh Prasad; Paul Swan; Shiva Kumar Thangapandi.
(Amos Ortal) (Dotan Elharrar)
NAP, (Shiva Kumar
Thangapandi) EAP.
, (Christophe Nasarre),
,
.
(Ilfak Guilfanov)
Hex-Rays (www.hex-rays.com) IDA Pro Advanced HexRays, (Alex Ionescu),
Windows.
, Microsoft
Press, .
,
(Ben Ryan), Microsoft Press,
, Windows !

,
comp@piter.com ( , ).
!
- http://www.piter.com.
1.

Microsoft Windows, . Windows
API, , , ,
, , , . , Windows, ,
Windows Sysinternals
(www.microsoft.com/technet/sysinternals). , Windows Driver Kit
(WDK) Windows Software
Development Kit (SDK) Windows.
,
.
Windows

Microsoft Windows: Windows 7 (32- 64- )
Windows Server 2008 R2 ( 64- ).
, . . 1.1
Windows,
.
1.1. Windows

Windows NT 3.1
3.1
1993 .
Windows NT 3.5
3.5
1994 .
Windows NT 3.51
3.51
1995 .
Windows NT 4.0
4.0
1996 .
Windows 2000
5.0
1999 .
Windows XP
5.1
2001 .
Windows Server 2003
5.2
2003 .
Windows Vista
6.0 ( 6000)
2007 .
Windows Server 2008
6.0 ( 6001)
2008 .
Windows 7
6.1 ( 7600)
2009 .
Windows Server 2008 R2
6.1 ( 7600)
2009 .
19
7 Windows 7
, . , , Windows7
6.1, .1.1.
, , Windows 7 ,
Windows Vista. , Windows 7, Server 2008
R2 ,
Windows.

, . , .
, .
Windows API
WindowsAPI (application program
ming interface) Windows.
64- Windows 32-
Windows Win32 API,
16- Windows API ( 16- Windows).
Windows API 32-, 64-
Windows.
Windows API Windows

Software Development Kit (SDK). (. Windows
Software Development Kit.) - www.
msdn.microsoft.com.
Microsoft Developer Network (MSDN), .
www.msdn.microsoft.
com.
Windows API Windows via C/C++, ,
(Jeffrey Richter)
(Christophe Nasarre) (Microsoft Press, 2007).
Windows API ,
:
(Base Services).
(Component Services).
(User Interface Services).
20 1.
(Graphics and Multimedia Services).

(Messaging and Collaboration).
(Networking).
- (Web Services).
: , , -
.
.NET?
Microsoft .NET Framework
Framework Class Library (FCL)
Common Language Runtime (CLR). CLR
, ,
. , CLR , .
.NET Framework
CLR via C#, ,
(Jeffrey Richter) (Microsoft Press, 2010).
CLR , COM-, Windows DLL-,
. .NET Framework
Windows DLL-
, Windows API. (
.NET Framework .) .1.1.
( )
( )
.NET-
( EXE-
)
Framework Class Library
( DLL-
)
DLL- CLR
(COM-)
DLL- Windows API
Windows
. 1.1. .NET Framework
,
Windows
. ,
21
,
.
, :
Windows API. ,
Windows API. , CreateProcess, CreateFile GetMessage.
( ).
,
. , NtCreateUserProcess , Windows CreateProcess
.
(. 3).
( ).
Windows, ( ). ,
ExAllocatePoolWithTag ,

Windows ( ).
Windows. , (Windows service control manager). ,
, , at ( UNIX- at cron).
(: Windows
, .)
DLL (dynamic-link libraries

). ,
, ,
.
Msvcrt.dll ( ,
C) Kernel32.dll ( Windows API).
DLL-
Windows, . ,
DLL- , ,
, Windows
DLL- , . , .NET-
DLL-, -
. CLR
.
Win32 API
, Win32
, Windows
NT. Windows NT OS/2
2, 32- OS/2 Presentation Manager API.
Microsoft Windows 3.0. -
22 1.
Microsoft Windows NT
Windows, OS/2.
Windows API , Windows 3.0, API 16- .
Windows API , Windows 3.1, Microsoft API, ,
,
16- Windows API, 16- Windows- Windows NT. , , ,
:
Windows API 16- Windows API.
,
,
. , , .
Windows- :
,
, ;
, , -
() -
, ,
;
, ,
, , , User Account Control (UAC),
;
, ,
process ID (
client ID);
( ).
. , . . ,
.
ProcessExplorer ,
. , .
23
:
,
, - (parent or creator process ID).
(Performance
Monitor) , Creating Process ID.
, Tlist.exe (
Windows Debugging Tools), /t. ,
tlist /t:
C:\>tlist/t
System Process (0)
System (4)
smss.exe (224)
csrss.exe (384)
csrss.exe (444)
conhost.exe (3076) OleMainThreadWndName
winlogon.exe (496)
wininit.exe (504)
services.exe (580)
svchost.exe (696)
svchost.exe (796)
svchost.exe (912)
svchost.exe (948)
svchost.exe (988)
svchost.exe (244)
WUDFHost.exe (1008)
dwm.exe (2912) DWM Notification Window
btwdins.exe (268)
svchost.exe (1104)
svchost.exe (1192)
svchost.exe (1368)
svchost.exe (1400)
spoolsv.exe (1560)
svchost.exe (1860)
svchost.exe (1936)
svchost.exe (1124)
svchost.exe (1440)
svchost.exe (2276)
taskhost.exe (2816) Task Host Window
svchost.exe (892)
lsass.exe (588)
lsm.exe (596)
explorer.exe (2968) Program Manager
cmd.exe (1832) Administrator: C:\Windows\system32\cmd.exe - "c:\tlist.exe"
tlist.exe (2448)
/t
, . ,
24 1.
, (
Explorer.exe ), , ,
. Windows -
..
, Windows
,
:
1. .
2. title Parent, Parent ().
3. start cmd (
).
4. title Child,
Child ().
5. .
6. mspaint (,
Microsoft Paint).
7. exit.
(, Paint .)
8. .
9. .
10. Parent
.
11. cmd.exe
.
12.
.
, - Paint, .
( Paint) , .
( ) . ,
.
Windows,
Debugging Tools for Windows Windows SDK, Sysinternals.
,
-.
,
1.
Windows , , ,
.
25
, ,
.
:

Windows
, .
: 1) Ctrl+Shift+Esc, 2)

, 3) Ctrl+Alt+Delete
, 4) Taskmgr.exe. ,
.
, ,
.
Windows, .
, , .
, ,
.

, . (
, ,
Windows CreateDesktop, Sysinternals Desktops.) ,
, ,
. , - , ,
(,
- - Windows).
26 1.
,
, .

,
tlist.
Process Explorer Sysinternals , , ,

. , Process Explorer
:
( , -
);
;
, ,
, ;
, .NET-
.NET- (
AppDomain, CLR);
;
( DLL-
);
;
;
, . (
(Performance Monitor)
,
, ,
.)
27
Process Explorer ,
. :
( );
( );
DLL- (
);
;
( Dbghelp.dll,
Debugging Tools Windows);
,
( 5
, , ,
);
;
, (peak commit charge), (kernel memory paged)
(nonpaged pool limits) .
Process
Explorer.
:
Process Explorer
Process Explorer Sysinternals . . Process Explorer

(
Threads ()). , .
Debugging Tools
Windows ( ).
Options ( ), Configure
Symbols ( ) Dbghelp.dll
Debugging Tools, . , 64- .
28 1.
c:\
symbols .

http://msdn.microsoft.com/en-us/windows/hardware/gg462988.aspx.
Process Explorer
. ,

DLL- , . ( 3 .) - (hosting processes):
yy -
(Svchost.exe) .
yy COM- Taskeng.exe
( (Task Scheduler)).
yy Rundll32.exe (
, (Control Panel)).
yy COM-, Dllhost.
exe.
yy Internet Explorer.
yy - .
Process Explorer
:
1. , - .
. ( -.)
2. , -
29
3.
4.
5.
6.
. , .
View (), Select Columns ( )
Process Image ( )
Image Path ( ).
, Process
(), , .
( , , .)
Z A.
, .
, View
() Show Processes From All Users (
).
Options ( ), Difference
Highlight Duration ( )
5 . () ,
5 . ,
5,
.
.
,
, . (
, ,
, .)
, Windows,
. , , .
:
,
, ,
, .
thread-local storage (TLS) ,

DLL-.
, thread
ID ( ,
clientID
, ).
,
(token), , .
, .
30 1.
, Windows, , ,
, . ,
, (
CONTEXT) Windows- GetThreadContext.
32- , 64-
Windows, 32-,
64- , Wow64 32-
64- .
CONTEXT-,
Windows API 64- .
Wow64GetThreadContext 32- context. Wow64 3.

, ,
. Windows
: user-mode scheduling (UMS).

, Windows .
, , , ,
Kernel32.dll.
, Windows-
ConvertThreadToFiber. . CreateFiber .
( .)
,
SwitchToFiber.
, , ,
SwitchToFiber, .
Windows SDK .
UMS-, 64- Windows,
, , ,
. UMS-
, , UMS-
,
.
UMS- ,
( ) :
31
. . UMS- ,
(, ),
( directed context switch).
UMS 5.
,
-
( , ). ,
.
,
1,
, , ReadProcessMemory WriteProcessMemory.
.1.2,
, , ,
,
.

(VAD)
VAD
VAD
VAD
...
. 1.2.
, (access token).
.
,
,
, Windows,
Windows API , .
32 1.
. (
6 .)
virtual address
descriptors (VAD) ,
, .
Windows ,
( job). ,

.
, .
, , ,
, .
Windows ,
,
UNIX-.
, ,

5.

Windows ()
,
, , .
,
.
, ,
. ,

. .1.3 - ,
.

. 1.3.
33
, ,
.
,
. , , .
- , ,
.
. 32- x86
, 4.
Windows ( 4-
0x00000000 0x7FFFFFFF)
(, 0x80000000
0xFFFFFFFF)
. ,
.
Windows 1, , 2, 3
( 1 ).
, ,
,
.
.1.4 ,
32- Windows. ( increaseuserva
2 3 .)

. 1.4. 32- Windows

increaseuserva Boot Configuration
Database.
2
.
1
34 1.
3 , 2 ,
() .
32- , Windows
Address Windowing Extension (AWE),
32- 64 , , , 2-
. AWE .

, ,
32- .
64- Windows : 7152 IA-64 8192 x64. .1.5
64- . ,
.
17 , 64-
. ,
64- Windows,
, 8192 (8).
x64
IA-64
8192 (8 T)
7152 (7 T)
8192
7152
. 1.5. 64- Windows

()
, Windows
( ,
Windows, ): .
, (,
) . ,
.
,
35
, , .
x86 x64 ( ) ,
. Windows
0 ( 0) , 3 (
3) . , Windows
, , , (, Compaq Alpha
Silicon Graphics MIPS), .
Windows-
, , .
, ,
() . ,

. , (, ,
), . ,
, , (no-execute memory protection), Windows , , ,
.
32- Windows
-, , . ,

Windows, .
Windows ,
, , ,
,
.

, , ,
.
Windows ,
(Plug and Play) , (,
, ).
Driver Verifier (, ),
.
36 1.
64- Windows
Kernel Mode Code Signing (KMCS) , 64-
( ) , .

, , :

F8 Disable
Driver Signature Enforcement ( ). digital
rights management (DRM).
2 ,
. , Windows-
ReadFile, ,
Windows, .
,
. ,
,
Ntoskrnl.exe Win32k.sys. , ,
. ,
.
( )

.
3.
,
, .
, -
, , , ,
. , , , Microsoft Paint Microsoft Chess Titans, ,
, ,
. 1.2. , Direct2D (compositing),

, ,
.
37
1.2. ,

:
: % (Processor: %
Privileged Time)

( )

: % (Processor: % User
Time)
( )
: % (Process: % Privileged
Time)

: % (Process: % User Time)
: % (Thread: % Privileged
Time)
: % (Thread: % User Time)

:

,
, (Performance Monitor).
:
1. (Performance Monitor),
(Start)
(All Programs Administrative Tools Performance
Monitor). (Performance)
(Monitoring Tools) (Performance Monitor).
2. (+),
.
3. (Processor),
% (% Privileged Time counter)
, Ctrl,
% (% User Time).
4. (Add), OK.
5. C , dir \\%computer
name%\c$ /s.
38 1.
6. .

(Task Manager). (Performance),
(View) (Show
Kernel Times).
, .
, (Performance Monitor),
, %
(% User Time) % (% Privileged Time) :
1. (Performance Monitor) ,
. ( , ,
(Remove All Counters.)
2. (+), .
3. (Process).
4. % (% User
Time) % (% Privileged Time).
5.
(Instance) (, mmc, csrss Idle).
6. (Add), OK.
39
7. .
8. (Highlight) Ctrl+H, .
.
9. ,
,
, ,
.
( (Instance) mmc),
,
,
, , Windows-,
. ,
csrss .
,
Windows,
, . (
2.) , Idle,
, , 100 %
, , ,
.
, Idle, Windows
, .

(Terminal Services)1 Windows .
, .
(
, ), . (
XWindow System, Windows ,
.)
, (session zero), , (
4 ).
,

(Mstsc.exe) , .
Windows , - , ( ,
Windows . . .
40 1.
, ).
Windows, Windows Media Center, Windows Media Center Extender.
Windows
( , , )
, .
,
,
.
(,
(Start) (Switch User)
(Shutdown)
Windows L
(Switch User button)), (, , , ,
) , .
, .
,
, Windows API ,
. ( Windows SDK
Remote Desktop Services API.)
2
, ,
, .
3

, ,
.

Windows , .
, (), .
Windows- , ,
( ).
,
Windows, process,
file ..
,
. ,
process , (process ID),
41
, , . ,
, . ,
open process , .
API
ObjectAttributes (
),
.

.
.
.
, .
.

:
-
.
.
, ,
,
.
Windows
. ,
, , (
) , . ,

, . (
) 3.
Windows

,
Common Criteria
for Information Technology Security Evaluation (CCITSE).
, ,
. ,
42 1.
.
Windows
:
, ( ), -
(,
, , ..);
( ,
, );
(
),
.
Windows .
(discretionary access control)
,
.
( )
.
, .
(access control list) ,
, ,
.
, (privileged access control).
, - . , , , .
Windows, , ,
.
, , , .
Internet Explorer, ,
, ,
, ,
, . ( User
Account Control, UAC, 6.)
Windows API.
Windows ,
. Windows Windows-
.
43
Windows .
, Windows
.
Windows 6.
Windows, , , .
Windows, ,
. ,
, , Windows, (, ).
, , ,
( , ..), Windows. ,
, .
,
, 4.
Windows (

.),
Windows,
, .
,
,
, , . , . ,
, ,
HKEY_LOCAL_MACHINE, HKLM.

4.
Unicode
Windows ,
16- Unicode. Unicode
, 16-
.
, 8-
() ANSI-, Windows-,
, : Unicode
44 1.
(, 16-) ANSI (, 8-). Windows- ,

Unicode, , ,
Unicode ANSI.
, Windows, ,
ANSI-, Windows
ANSI- Unicode. Windows : ,
: Unicode ANSI, .
, Windows
. , Windows
, ( ). Windows-,
, .
Unicode www.unicode.
org, MSDN.

Windows

Windows ,
. Windows
, Windows
, Windows.
.

Windows, , ,
Windows. ,
Windows, .
. 1.3 , , .
1.3.
Windows

Startup Programs Viewer (

, )
AUTORUNS
Sysinternals1
http://technet.microsoft.com/ru-RU/sysinternals. . .
Windows 45
Access Check (
)
ACCESSCHK
Sysinternals
Dependency Walker ( DEPENDS

)
www.dependencywalker.
com
Global Flags ( )
GFLAGS
Handle Viewer (

)
HANDLE
Sysinternals
Kernel debuggers (
)
WINDBG, KD
,
Windows SDK
Object Viewer (
)
WINOBJ
Sysinternals
Performance Monitor ( )
PERFMON.MSC
Windows
Pool Monitor ( )
POOLMON
Windows Driver Kit
Process Explorer ( )
PROCEXP
Sysinternals
Process Monitor ( - PROCMON

)
Sysinternals
Task (Process) List (

())
TLIST
Task Manager ( )
TASKMGR

Windows

(Performance Monitor),
(Control Panel), .
(Performance Monitor) (Resource Monitor). : ,
( ,

).
, .
. , ,
Windows.
.
, (Add Counters) (Show Description).
, , , Windows
46 1.
(
(Performance) (Task
Manager)), : , , .
, .
,
.
(CPU) , ,
.
,
, .
(CPU) ,
. , (-),
, .
Process Explorer, ( ) ,
, (, DLL-), . (Search
Handles) , .
(Memory) ,
,
.
, , , ,
.
(Disk), , - ,
.
.
(Networking)
, ,
. , .
TCP-,
, ,
, . ,
, , (
) .
.
, Windows
. HKEY_PERFORMANCE_DATA 4
,
Windows API.
Windows 47

() .
Windows,
, - , .
, ,
.

,
. - (linker)
. ,
. , . ,
,
, .
Windows (
, , ,
..) ,
, Ntoskrnl.exe. (

2.) , . ,
Windows Service Pack - , ,
.
Windows ,
.
Microsoft, , . ,

- c:\symbols:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols

- http://msdn.
microsoft.com/en-us/windows/hardware/gg462988.aspx.
Windows
Windows ,
48 1.
Windows.
Windows Software
Development Kit (SDK).
, . (.
.)
Debugging Tools for Windows Windows,

.
.

()
. :
yy (Invasive).
, Windows- DebugActiveProcess.
()
, . Windows
,
.
yy (Noninvasive). OpenProcess.
.
() ,
.

(. 3, , ).
:
(Kd.exe) , GUI (Windbg.exe).
, .
:
-, -
, -
( ,
).
. , , .
- , IEEE 1394
USB 2.0. -
Windows 49
( F8
(Debugging Mode),
, Bcdedit Msconfig.exe). ,
( , Hyper-V, Virtual
PC VMWare), .
Windows . .
WinDbg, File (), Kernel Debug ( ),
Local (), OK. .
.1.6.
(, .dump,
,
LiveKd).
. 1.6.
,
, , - ,

(, !).
.
Debugger.chm,
WinDbg.
.
dt (display type ) 1000
, Windows
, .
50 1.
:

, , dt nt!_*.
:
lkd>dtnt!_*
nt!_LIST_ENTRY
nt!_LIST_ENTRY
nt!_IMAGE_NT_HEADERS
nt!_IMAGE_FILE_HEADER
nt!_IMAGE_OPTIONAL_HEADER
nt!_IMAGE_NT_HEADERS
nt!_LARGE_INTEGER
dt
,
-. ,
interrupt, dt nt!_*interrupt*:
lkd>dtnt!_*interrupt*
nt!_KINTERRUPT
nt!_KINTERRUPT_MODE
nt!_KINTERRUPT_POLARITY
nt!_UNEXPECTED_INTERRUPT
, , dt
:
lkd>dtnt!_kinterrupt
nt!_KINTERRUPT
+0x000 Type
+0x002 Size
+0x008 InterruptListEntry
+0x018 ServiceRoutine
+0x020 MessageServiceRoutine
+0x028 MessageIndex
+0x030 ServiceContext
+0x038 SpinLock
+0x040 TickCount
+0x048 ActualLock
+0x050 DispatchAddress
+0x058 Vector
+0x05c Irql
+0x05d SynchronizeIrql
+0x05e FloatingSave
+0x05f Connected
+0x060 Number
+0x064 ShareVector
+0x065 Pad
+0x068 Mode
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
Int2B
Int2B
_LIST_ENTRY
Ptr64
unsigned char
Ptr64
unsigned char
Uint4B
Ptr64 Void
Uint8B
Uint4B
Ptr64 Uint8B
Ptr64
void
Uint4B
UChar
UChar
UChar
UChar
Uint4B
UChar
[3] Char
_KINTERRUPT_MODE
Windows 51
+0x06c
+0x070
+0x074
+0x078
+0x080
+0x088
+0x090
Polarity
ServiceCount
DispatchCount
Rsvd1
TrapFrame
Reserved
DispatchCode
:
:
:
:
:
:
:
_KINTERRUPT_POLARITY
Uint4B
Uint4B
Uint8B
Ptr64 _KTRAP_FRAME
Ptr64 Void
[4] Uint4B
, dt (
) .
r. ,
_LIST_ENTRY, InterruptListEntry:
lkd>dtnt!_kinterrupt-r
nt!_KINTERRUPT
+0x000 Type
+0x002 Size
+0x008 InterruptListEntry
+0x000 Flink
+0x000 Flink
+0x008 Blink
+0x008 Blink
+0x000 Flink
+0x008 Blink
:
:
:
:
:
:
:
:
:
Int2B
Int2B
_LIST_ENTRY
Ptr64 _LIST_ENTRY
Ptr64 _LIST_ENTRY
Ptr64 _LIST_ENTRY
Ptr64 _LIST_ENTRY
Ptr64 _LIST_ENTRY
Ptr64 _LIST_ENTRY
Debugging Tools for Windows , . ,

, Windows
Driver Kit.
LiveKd
LiveKd ,
Sysinternals.
Microsoft
. , ,
, ,
,
- .
LiveKd , WinDbg Kd,
, .
LiveKd , Kd. WinDbg, w.
, LiveKd, ?.
LiveKd ,
LiveKd , .
52 1.
LiveKd ,
, ,
, . . (snapshot), (
q), LiveKd .
, Ctrl+C . ,
Ctrl+Break, . LiveKd
.
Windows Software Development Kit

Windows Software Development Kit (SDK)
MSDN msdn.microsoft.com. Debugging
Tools, , C ,
Windows-. (
Microsoft VisualC++ , ,
Windows SDK,
Windows, , Visual C++,
, Visual C++.)
, Windows SDK Windows
API (\Program Files\Microsoft SDKs\Windows\v7.0A\Include).

, Windows SDK, MSDN Library.
Windows Driver Kit

Windows Driver Kit (WDK)
MSDN , Windows SDK,
. Windows Driver Kit MSDN.
WDK ,
Windows.
WDK Windows-
,
, .
WDK, , ( ,
ntddk.h, ntifs.h wdm.h),
, .
Windows, , ,
, (, ) .
WDK (,
, , , , ..).
53
-
, , WDK ( ,
Kernel-Mode Driver Architecture Design Guide,
). (Walter
Oney) Microsoft Windows Driver Model, (,
2007) (Penny Orwick) (Guy Smith) Windows
Driver Foundation. (BHV, 2008).
Sysinternals
, , ,
Sysinternals. (Mark Russinovich).
Process Explorer Process Monitor.
,
, , , ,
,

()
.
Sysinternals , -
, . Sysinternals
( RSS-).
, , (Mark Russinovich)
(Aaron Margosis) Windows Sysinternals Administrators
Reference (Microsoft Press, 2011).
, , Sysinternals.

Windows, .
, Windows.
,
.
2.
, Microsoft Windows.
,
, . Windows, , .

1989 Windows NT :
- , 32- ,
.
.

, , .
16-
MS-DOS Microsoft Windows 3.1.

POSIX 1003.1.
, .
Unicode.
,
,
:
.
. -
, , ,
.
.
, .
.
. Windows NT
,
API Windows
55
MS-DOS. , UNIX, OS/2 NetWare.

. , ,
.
Windows,
,
.
, Windows .

.
(
), ,
( ), ,
. , , , ,
. , ,
,
. Windows UNIX- , ,

, .
,
,
. Windows
, PatchGuard Kernel Mode Code Signing (. 3),
, , .
, ,
,
( ). Windows
, ,
.
Windows ,
, -,
.
Windows, , - . ,
56 2.
,
. ()
.

, Windows, , -
.
C .
- ,
, . Windows
C , - ,
.

Windows , . .2.1. ,
. (,

.)

DLL-

(HAL)
. 2.1. Windows
.2.1 ,
Windows, . , ,
, , , , ,
. 1, (
, ). ,
, ,
57
,
.
:
( )
,
Session Manager, Windows (
).
, Windows,
(Task Scheduler) (Print Spooler). , , .
Windows, Microsoft SQL Server Microsoft
Exchange Server, , .
, : 32- 64- Windows, 16-
Windows 3.1, 16- MS-DOS 32-
64- POSIX. , 16-
32- Windows.
, , . Windows NT
: Windows, POSIX OS/2. POSIX
OS/2 Windows 2000.
Windows Ultimate Enterprise,
POSIX,
Unix (Unix-based Applications, SUA).
DLL-, .2.1
. Windows
Windows ,
(dynamic-link libraries, DLL).
DLL- ( )
. ( ) , .
Windows , :
Windows
, , ,
, -, .
Windows ,
, .
,
.
58 2.
- -
, ,
.
(hardware abstraction layer, HAL), , , Windows
( ).
,
(graphical user interface,
GUI), Windows USER- GDI-,
, .
.2.1
Windows. ( ,
.) ,
.
2.1. Windows

Ntoskrnl.exe
Ntkrnlpa.exe (

32- ) Physical Address Extension (PAE),
32-
64

Hal.dll
Win32k.sys
Windows,
Ntdll.dll
Kernel32.dll, Advapi32.dll, Windows- DLL-

User32.dll, Gdi32.dll
,
Windows.
, Windows , .
Windows .
Windows NT x86 MIPS.
Alpha AXP Digital
Equipment Corporation ( Compaq, Hewlett-Packard). ( Alpha AXP
59
64-, Windows NT 32- . Windows 2000 Alpha AXP 64-

, .)
, Motorola PowerPC, Windows NT 3.51. -
Windows 2000 MIPS PowerPC .
Compaq Alpha AXP, Windows 2000 x86. Windows XP Windows Server 2003
64- : Intel Itanium
IA-64, AMD64 64- Intel Extension Technology (EM64T)
x86. ( AMD64, .)
64- ,
x64. Windows 32-
64- , 3.
Windows
:
Windows ,

, ,

. ,
, (
Ntoskrnl.exe) ( HAL,
Hal.dll).
. , (,
), . , (, ), HAL.
, ,
, ,
.
Windows C,
, C++.
,
(, )
,
(, ).
HAL-,
(, ,
,
), Windows,
, ,
Ntdll.dll ( , ).
60 2.

. ,
. , ,
,
.
, Windows
. Windows
(symmetric multiprocessing, SMP) .
,
. , .
(asymmetric
multiprocessing, ASMP), ,
.
.2.2.
Windows
: , (Hyper-Threading) NUMA (non-uniform memory architecture).
. ( ,
5 , .)
(Hyper-Threading) ,
Intel
. , - .
,
(, -
).
, ,
,
,
. 5.
NUMA- , . ,
-
. Windows NUMA- SMP-, ,
, ,
. ,
61
. 2.2.
.
, , .
, Windows , (
), SMP- Windows
,
(, ), .
Windows - , ,
Windows. Windows ( ,
, ) (
, affinity mask),
(32- 64-),
. - Windows
,
. ,
, Windows , . ,
, , ,
62 2.
, . ( 4)
.
, .
, Windows ( NUMA), 5.
, Windows. (.
.2.2.)
(\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Software
ProtectionPlatform\tokens.dat) KernelRegisteredProcessors. ,
,

, .
. SMP-
.
, , , .
. Windows
,
:
-
( -, -
-, 3)
,

.
, -,
, .
Windows . ,
Windows Server 2003
, . Windows 7 Windows Server 2008 R2
.

, . 3.
63

Windows , .
Windows 7:
Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional,
Windows 7 Ultimate, Windows 7 Enterprise Windows 7 Starter.
Windows Server 2008 R2:
Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Standard, Windows
Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Web
Server 2008 R2, Windows HPC Server 2008 R2 Windows Server 2008 R2 for
Itanium-Based Systems ( Windows Intel Itanium).
N-,
Windows Media Player. , Windows Server 2008 R2 Standard,
Enterprise Datacenter Hyper-V, Hyper-V. ( Hyper-V 3.)
:
( ,
);
(,
, );
(
,
10 .);
Media Center;
Multi-Touch, Aero (Desktop Compo
siting);
, BitLocker, VHD Booting, AppLocker, Windows
XP Compatibility Mode
;
, Windows Server
(,
).
Windows 7 Windows Server
2008 R2 . 2.2.
Windows Server 2008 R2 - www.microsoft.com/
windowsserver2008/en/us/r2-compare-specs.aspx.
Windows
,
, , Ntoskrnl.exe
( PAE- Ntkrnlpa.exe), HAL-,
DLL-.
Windows 7 Windows Server 2008 R2.
, Windows
, , ? ProductType ProductSuite, HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions .
ProductType ,
( ).
4
4
4
Windows 7
Professional
Windows 7 Enterprise 2
Windows 7 Ultimate
Windows Server 2008

R2 Foundation
Windows Web Server

2008 R2
Windows Server 2008

R2 Standard
Windows HPC
Server 2008 R2
Windows Server 2008

R2 Enterprise
Windows Server 2008

R2 Datacenter
Windows Server 2008

R2 for Itanium-Based
Systems
Windows 7 Home
Premium
Windows 7 Home
Basic
(32-. ),
Windows 7 Starter 1
(32-. )
64
64
(64-. )
2.2. Windows 7 Windows Server 2008 R2
2048
(Itanium),
2048
2048
128
32
32
192
192
192
16
(x64),
65
.
.2.3. GetVersionEx
RtlGetVersion.
2.3. ProductType,
Windows
ProductType
Windows client
WinNT
Windows server ( )
LanmanNT
Windows server ( )
ServerNT
, ProductPolicy, , tokens.dat,
Windows .
,
Windows , Windows- VerifyVersionInfo
(. SDK). RtlVerifyVersionInfo (. WDK).
, ,
, ? ,
, ,
( )
.
, -
. ,
, ( ),
- .
,
.
,
(. 5).
.
, , ,
, .
: ,

, Windows
, .
,
(
stock-keeping unit, SKU) ,
, BitLocker (
Windows, Windows Ultimate Enterprise).
, ,
66 2.
SlPolicy, - Winsider
Seminars & Solutions (www.winsiderss.com/tools/slpolicy.htm).
, , . Slpolicy.
exe f, ,
:
C:\>SlPolicy.exe -f
SlPolicy v1.05 - Show Software Licensing Policies
Copyright (C) 2008-2011 Winsider Seminars & Solutions Inc.
www.winsiderss.com
Software Licensing Facilities:
Kernel
Licensing and Activation
Core
DWM
SMB
IIS
.
.
.
, . , ,
,
Kernel. Windows 7
Ultimate :
C:\>SlPolicy.exe -f Kernel
SlPolicy v1.05 - Show Software Licensing Policies
Copyright (C) 2008-2011 Winsider Seminars & Solutions Inc.
www.winsiderss.com
Kernel
-----Processor Limit: 2
Maximum Memory Allowed (x86): 4096
Maximum Memory Allowed (x64): 196608
Maximum Memory Allowed (IA64): 196608
Maximum Physical Page: 4096
Addition of Physical Memory Allowed: No
Addition of Physical Memory Allowed, if virtualized: Yes
Product Information: 1
Dynamic Partitioning Supported: No
Virtual Dynamic Partitioning Supported: No
Memory Mirroring Supported: No
Native VHD Boot Supported: Yes
Bad Memory List Persistance Supported: No
Number of MUI Languages Allowed: 1000
List of Allowed Languages: EMPTY
List of Disallowed Languages: EMPTY
MUI Language SKU:
Expiration Date: 0
67

Windows, (checked build),
MSDN Operating Systems. Windows
DBG ( ). ,
, Windows,
. (. Debugging Performance-Optimized Code
Debugging Tools for Windows.)
,
,
. , ( - , )
, (, ),
, -
.
:
, ,
( ),
.
Debug Win32_OperatingSystem
Windows Management Instrumentation (WMI). Microsoft Visual Basic:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
("SELECT * FROM Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
Wscript.Echo ": " & objOperatingSystem.Caption
Wscript.Echo ": " & objOperatingSystem.Debug
Wscript.Echo ": " & objOperatingSystem.Version
Next
,
.
C:\>cscript osversion.vbs
:
Windows (Microsoft R) 5.8
(Microsoft Corp.), 1996-2001. .
: Microsoft Windows 7 Ultimate
:
: 6.1.7600
,
, False ().
68 2.

ASSERT ()
NT_ASSERT, WDK Wdm.h
WDK-. (,
), FALSE,
RtlAssert, , DbgPrintEx . ,
,
( , , ).
(
Boot Configuration Database, BCD)
, ASSERT
. ASSERT, , Checked Build
ASSERTs WDK-.

,
. (
Microsoft HOWTO: Enable Verbose Debug Tracing in
Various Drivers and Subsystems.)

DbgPrintEx. ( ), !dbgprint
,
Dbgview.exe Sysinternals (www.microsoft.com/technet/sysinternals).
. (Ntoskrnl.
exe) HAL- (Hal.dll). ,
,
. Installing Just the Checked
Operating System and HAL WDK-.
,
, ,
. ( ,
.)
. ,
(, , HAL),
,
.
69

Windows
, . .2.3

Windows
DLLs
Windows
DLLs

Windows DLLs
Windows DLLs
Windows DLLs
Winlogon
Windows
DLLs
DLL-
Windows
Wininit
Windows DLLs
Windows

DLL-
SUA
DLL-
Windows
DLL-
Windows
NTDLL.DLL
(HAL)
(, -, ,
, DMA, - . .)

. 2.3. Windows
Windows
USER,
GDI
plug and play
( )
70 2.
Windows,
.2.1. ,
( , ,
7 ).

. 3 , (, , ..). 4 , ,
Windows Management
Instrumentation. , ,
, , -,
, -, Windows (NTFS)
.

DLL-

Windows. , Windows. , , , ,
,
. , Windows
SUA- fork.
(.exe) . ,
. Microsoft Visual C++
/SUBSYSTEM link.
,
Windows.
DLL- . , ,
. , API- Windows DLL- Windows, , Kernel32.dll, Advapi32.
dll, User32.dll Gdi32.dll. API- SUA DLL-
SUA (Psxdll.dll).
:
Dependency
Walker (Depends.exe) ( www.dependencywalker.com). , Windows, Notepad.exe ( ) Cmd.exe (
Windows):
71
, Notepad () GUI-, Cmd

(console), . , GUI-
, Windows,
GUI- ,
GUI-.
, DLL- , :
DLL-
. ,
Windows . , . :
yy GetCurrentProcess ( 1, ,
, );
yy GetCurrentProcessId (ID , ID -,
).

Windows. , Windows- ReadFile WriteFile ( )
- Windows NtReadFile NtWriteFile.
. ( , , , .)
-
72 2.
. DLL-
, , .

. Windows- CreateProcess CreateThread.

Session Manager
(Smss.exe). , ,
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.
, , .2.4.
. 2.4. ,
Required ,
. : Windows Debug. Windows
Windows, Csrss.exe ( Client/
Server Run-Time Subsystem, - ).
Debug (
) . Optional , SUA. Kmode
Windows,
, Win32k.sys ( ).
.
Windows
Windows ,
-
, , , ,
73
. Windows ,
Windows -
Windows. , SUA - Windows.
Windows
Windows-,
. ( , -
, ).
Windows :
(Csrss.exe) DLL- (Basesrv.dll, Winsrv.dll Csrsrv.dll),
:
yy ;
yy , 16- DOS-
(VDM) ( 32- Windows);
yy Side-by-Side (SxS) (Fusion) ;
yy , GetTempFile, DefineDosDevice,
ExitWindowsEx .
(Win32k.sys), :
yy , ,
, ,
;
yy Graphics Device Interface (GDI), . ,
;
yy DirectX,
(Dxgkrnl.sys).
- console host process (Conhost.exe), () .
DLL- (, Kernel32.dll, Advapi32.dll, User32.dll
Gdi32.dll), Windows API
Ntoskrnl.exe Win32k.sys.
- , -.

, , USER.
GDI, ,
, .
-.
74 2.
, Windows-
MinWin, DLL- , ,
, API-, DLL-
.
3, .
GDI ,
,
. GDI-
,
. GDI-
.
.
. GDI ,
. , , GDI
, .
( , , Windows Driver Kit, Design Guide Display
(Adapters and Monitors).)
,
-, , Windows
Windows-: , . , Windows-
Windows (
).

Windows (Csrss.
exe) (, Cmd.exe, ),
Csrss. Windows , , console window
host (Conhost.exe). , . .
, Csrss, , Csrss
Conhost, Csrss
.
, Conhost Csrss
75
(
Csrss),
(Asynchronous Local Procedure Call, ALPC)
\RPC (. 3.) console-PIDlpc-handle, PID Conhost-.
PID ,
,
ALPC-.
Conhost,
. , BaseNamedObjects 0 ( ConsoleEvent-PID),
Conhost
. Conhost , ALPC- .
Conhost (
), ,
,
,
(User Interface Privilege Isolation). (UIPI 6 .) , ,
- ,
( ).
Conhost-
Csrss, , ( Conhost)
, DLL- .
Unix-
Unix Subsystem for UNIX-based
Applications (SUA)
76 2.
UNIX- Windows Windows

Enterprise Ultimate. SUA 2000 UNIX-
300 UNIX- . ( , SUA, http://technet.microsoft.com/en-us/library/
cc771470.aspx.) , Windows
SUA-, 5, CreateProcess.
POSIX
POSIX , a portable operating
system interface based on UNIX (
UNIX),
UNIX-.
POSIX , UNIX-,
,
.
Windows POSIX, POSIX.1, ISO/IEC 9945-1:1990
IEEE POSIX standard 1003.1-1990.
, 1980- . POSIX.1
Federal
Information Processing Standard (FIPS) 151-2,
National Institute of Standards and
Technology. Windows NT 3.5, 3.51 4
FIPS 151-2.
POSIX.1 Windows ,

, POSIX.1 ( fork, Windows,
Windows).
Ntdll.dll
Ntdll.dll , , , DLL- .
:
-,
Windows;
, , DLL .

Windows, .
400 , NtCreateFile,
NtSetEvent .. , ,
77
, Windows API.

.
Ntdll , . ,
( 3),

, Ntoskrnl.exe.
Ntdll , ( Ldr),
Windows ( Csr). Ntdll
(
Rtl), ( DbgUi) Windows (Event Tracing for Windows) ( Etw),

(APC). (APC- 3.) , Ntdll
C (CRT), ,
(
memcpy, strcpy, itoa ..).

Windows Ntoskrnl.exe.
( .) :
, .
Ntdll. Windows API

API- .
. ( ALPC , NtQueryInformationProcess, ,
NtCreatePagingFile ..).
, DeviceIo
Control, ,
.
, , WDK .
, , WDK (, , , Inbv).
, , . ,
Ntoskrnl, ,
78 2.
Iop ( -)
Mi ( ).
, , .
,
:
(. 4),
.
(. 5)
.
Windows;
.
(security reference monitor, SRM) (. 6) .
,
.
- - - .
plug and play (PnP) ,
, .

. PnP
, -,
(IRQ), DMA- .

( ) .
-, ,
.
. ,
.
Windows Windows Driver Model Windows Management Instrumentation routines (.
4) , WMI-
. WMI-
,
-,
, , ,
(
). , .
79
, -
, ,
,
. .
Superfetch ,
.

, . WDK, .
:
, Windows
,
, ,
, , .
3.
(ALPC, 3)
. , ALPC
(remote procedure call, RPC),
.
, , ,
.
,
( ), , : (resources),
(fast mutexes) - (pushlocks).
( ):
, -
KD, ,
( USB IEEE 1394)
WinDbg Kd.exe.
,
API-
, .
, , ,
(TxR) NTFS (TxF).
80 2.
, Hyper-V Windows Server 2008, -
, ,
( ).
,
.
Driver Verifier,
.
Event Tracing for Windows, .
Windows, .
Windows, .
, .
, Ntoskrnl.exe.
( ), , - (, ),
. C,
, , , C .
,
, WDK (
, Ke),
.

,
, .
.
,
, , .

. , ,
, .
81
, ,
, ,
. ,
, .
, , .
APC, deferred procedure call (DPC), ,
-, .
, -, ,
. - , (
), , , , .
, ,
. 3, 5.
, ,
(KPCR KPRCB)
, , ,
KPCR (Kernel Processor Control Region). KPCR , (interrupt
dispatch table, IDT), (task-state segment, TSS)
(global descriptor table, GDT).
,
, ACPI- HAL.
KPCR fs 32-
Windows gs Windows- x64. IA64
KPCR 0xe0000000ffff0000.
KPCR ,
(kernel processor control block, KPRCB). KPCR,
Windows, KPRCB
, , Ntoskrnl.exe. :
( , -
, );
( -
);
DPC-;

(, , , );
82 2.
NUMA ( , ..);
-;
( DPC ) .
KPRCB ,
-, , DPC . , KPRCB ,
, NUMA-. , , KPRCB.
: KPCR KPRCB
KPCR KPRCB , !pcr !prcb.
0; , (, !pcr 2).
, !pcr !prcb.
DPC-,
.
lkd> !pcr
KPCR for Processor 0 at 81d09800:
Major 1 Minor 1
NtTib.ExceptionList: 9b31ca3c
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80150000
NtTib.Version: 1c47209e
NtTib.UserPointer: 00000001
NtTib.SelfTib: 7ffde000
SelfPcr: 81d09800
Prcb: 81d09920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 82fb8400
GDT: 82fb8000
TSS: 80150000
CurrentThread: 86d317e8
NextThread: 00000000
IdleThread: 81d0d640
DpcQueue:
lkd> !prcb
PRCB for Processor 0 at 81d09920:
Current IRQL -- 0
83
Threads-- Current 86d317e8 Next 00000000 Idle 81d0d640
Number 0 SetMember 1
Interrupt Count -- 294ccce0
Times -- Dpc
0002a87f Interrupt 00010b87
Kernel 026270a1 User
00140e5e
_KPCR _KPRCB dt,

(
). , ,
MHz:
lkd> dt nt!_KPRCB 81d09920 MHz
+0x3c4 MHz : 0xbb4
lkd> ? bb4
Evaluate expression: 2996 = 00000bb4
3.

,
Windows.
, , .
, ,
.
.
, , .
-
, . , ,
, , , .
(. - 3)
HAL,
.
x86-,
MS-DOS. x86-
, ,
, - ;
. , x86-, ,
(GDT) (LDT),
x86.
, , -
84 2.
. - -
.
.
( ,
),
. ( ..),
.

,
Windows . hardware abstraction
layer (HAL) ,
. HAL (Hal.dll),
, Windows. , ,
-,
, , ,
.
,
Windows, ,
, , HAL-. HAL WDK. HAL WDK.
HAL- (.
.2.4), Windows ,
HAL- , , Windows Windows
.
2.4. HAL- x86
HAL-
Halacpi.dll

Advanced
Configuration and Power Interface (ACPI).
APIC (
HAL-, )
Halmacpi.dll
Advanced Programmable Interrupt

Controller (APIC), ACPI. APIC
SMP
85
x64- HAL- Hal.dll. x64- , ACPI APIC. , ACPI

PIC, .
: HAL-
, HAL- , WinDbg
. .reload , lm vm hal. , , ACPI HAL:
lkd> lm vm hal
start
end
module name
fffff800'0181b000 fffff800'01864000
hal
(deferred)
Loaded symbol image file: halmacpi.dll
Image path: halmacpi.dll
Image name: halmacpi.dll
Timestamp:
Mon Jul 13 21:27:36 2009 (4A5BDF08)
CheckSum:
0004BD36
ImageSize:
00049000
File version:
6.1.7600.16385
Product version: 6.1.7600.16385
File flags:
0 (Mask 3F)
File OS:
40004 NT Win32
File type:
2.0 Dll
File date:
00000000.00000000
Translations:
0409.04b0
CompanyName:
Microsoft Corporation
ProductName:
Microsoft Windows Operating System
InternalName:
halmacpi.dll
OriginalFilename: halmacpi.dll
ProductVersion:
6.1.7600.16385
FileVersion:
6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: Hardware Abstraction Layer DLL
LegalCopyright:
Microsoft Corporation. All rights reserved.
: NTOSKRNL HAL
HAL-
Dependency
Walker (Depends.exe). Dependency Walker
Open () File (),
.
,
Ntoskrnl .
86 2.
, Ntoskrnl HAL, , , Ntoskrnl. ( .) Ntoskrnl

:
yy Pshed.dll, Platform-Specific Hardware
Error Driver (PSHED), .
,
Windows
.
yy Bootvid.dll ( 32- ), . Bootvid VGA,
. x64
Kernel Patch
Protection (KPP) . ( KPP
PatchGuard 3.)
yy Kdcom.dll,
Kernel Debugger Protocol (KD) Communications Library.
yy Ci.dll, . (
3.)
yy Clfs.sys, , , , Transaction Manager
(KTM). ( KTM 3.)
, ,
Dependency Walker (Depends.hlp).
87

,
, .
(
.sys),
- . :
, -
;
( -
).
, Windows
,
HAL. C (
C++) , HAL ,
Windows,
.
:
, ( HAL)
. ,
,
..
, Windows,
-
-, .
,
, -
- .
, ,
- ,
, .
, , TCP/IP,
NetBEUI IPX/SPX.
,
, , .
,
88 2.
,
( WDK). , Sysinternals
Windows GUI , ,
Windows API .
Windows (WDM)
Windows 2000 Plug and Play,
Windows NT, Windows (WDM). Windows 2000
, Windows NT 4, ,
Plug and Play , ,
,
.
WDM, :
, , , -
, .
, Microsoft, , ;
( PCI, PCMCIA USB), ,
. , VMEbus, Multibus Futurebus.
,
.
, ( ,
- , SCSI PassThru).
, , , .
,
( )
- ( ,
).
,
. OEM (IHV).
WDM
: PnP
, ,
.
, ,
. ,
, 4 -,
89
16 -,
, PnP,
-.
, ,
- . ,
, , , .
3.
Windows Driver Foundation

Windows Driver Foundation (WDF)
Windows, : KernelMode Driver Framework (KMDF) User-Mode Driver Framework (UMDF).
KMDF Windows
2000 SP4 , UMDF Win
dowsXP .
KMDF WDM , --.
KMDF , , KMDF , ,
. (
.) 200
WDM KMDF.
UMDF ( USB ,
), , MP3-,
, ,
. UMDF
ALPC - ,
. UMDF- , , , ,
,
, . ,
UMDF- C++ COM-
, , .
:
Msinfo32.
( (Start),
Msinfo32 .) (System
Summary) (Software Environment) (System Drivers).
.
90 2.
,
Running () Stopped
(). , Windows : HKLM\SYSTEM\CurrentControlSet\Services.
, 1
. ( ,
, . 4.7 4.)
, System process Process Explorer DLL.

( Ntoskrnl.
exe, Hal.dll Ntdll.dll). ,
Windows, , . ,
, ,
.

,
Windows, .
, Ntdll.dll
, Windows DLL , ,
. Windows-,
Windows API. (. Inside the Native
API Sysinternals.)
, , DLL-
Windows ( Kernel32.dll Advapi32.dll)
Ntdll.
91
Ntoskrnl.exe.
, , Windows Driver Kit,
.
Ntoskrnl HAL; HAL, Ntoskrnl, .
. 2.5
.
i ( internal, ),
p ( private, ). ,
Ki , Psp
.
Windows.
:
<><><>
, , ,
, ,
.
, ExAllocatePoolWithTag
. KeInitializeThread ,
.
2.5.

Alpc
Cc
Cm
Dbgk
Em
Etw
Windows
Ex
FsRtl
Hvl
Io
Kd
Ke
Lsa
Mm
92 2.
2.5 ()

Nt
NT ( Windows-)
Ob
Pf
Prefetcher
Po
Pp
PnP
Ps
Rtl
Se
Sm
Tm
Vf
Wdi
Windows
Whea
Windows
Wmi
Windows
Zw
(
Nt), , , Nt
,

Windows (Idle
System , - ):
Idle ( -
);
System (
);
(Smss.exe);
(Lsm.exe);
Windows (Csrss.exe);
0 (Wininit.exe);
(Winlogon.exe);
(Services.exe) -
(,
- , Svchost.exe);
(Lsass.exe).
93
, , .
, . .2.5
,
, Process Monitor.
Process Monitor ,
( ).
. 2.5.
, .2.5, . .

.2.5 Idle.
5, .
( System) -
( \Windows System
Idle Process.exe). , - (- ). .2.6
, Idle ( 0). Idle
5.
94 2.
2.6. 0
Task Manager
System Idle Process
Process Status (Pstat.exe)
Idle Process
Process Explorer (Procexp.exe)
System Idle Process
Task List (Tasklist.exe)
System Idle Process
Tlist (Tlist.exe)
System Process

, .
System
System ( 4) , : .
, (, ,
..), ,
, ,
Ntoskrnl.exe .
, ,
.
PsCreateSystemThread (. WDK),
. Windows,

, : , - ,
, - . ,
,
,
..
(balance set manager), ,
.

. (Srv2.sys) - ,
.
. ( ,
, , .)
, .
95
System, . ,
Windows (Win32k.sys) Canonical Display Driver (Cdd.dll),
Windows (Csrss.exe),
, .
,
. ,
System , , . ,
, ,
System .
, System, , (, Performance Monitor). ( ) , (,
, , , ,
), (, , )
, , .
.
:

, System
, ( ,
). , , System,
, , .
. (
, Srv2.sys, -. ,
, 7.)
1. .
2. C,
. , COMPUTER1,
dir \\computer1\c$ /s ( /s
).
3. Process Explorer System.
4. Threads ().
5. CSwitch Delta ( ). ,
Srv2.sys, , , .
96 2.
, , Module (),
. Module () Srv2.sys, .
97
(Smss)
(%SystemRoot%\System32\Smss.exe) , .
, .
Smss
( Smss) ,
Smss . (
.)
Smss
( , , , ).

. ,
Smss .
Smss.exe.
Smss :
1. . (
, , - ,
Windows. 5.)
2. 11.
3. , , .
(
5.)
4. (pipes) (mailslots), Smss, Csrss Lsm ( ).
5. ALPC- .
6. , HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environ
ment.
7. , HKLM\
SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
\Global?? .
8. \Ses
sions.
9. , HKLM\SYSTEM\CurrentControlSet\
Control\Session Manager\BootExecute. ( Autochk.exe, .)
10. , HKLM\SYSTEM\
CurrentControlSet\Control\Session anager\PendingFileRenameOperations.
98 2.
11. () .
12. ( HKLM Software, SAM
Security).
13. , HKLM\SYSTEM\CurrentControlSet\
Control\Session Manager\SetupExecute.
14. DLL- (HKLM\SYSTEM\CurrentControlSet\
Control\Session Manager\KnownDLLs) ( ).
15. , .
16. Smss 0 ( ).
17. Smss 1 ( ).
, Smss
Csrss.exe .
Csrss , Csrss,
- .
Smss, , :
1. NtSetSystemInformation . , ,
MmSessionCreate,
,
, Windows, (Win32k.sys),
, .
2. () ( Csrss.exe
Windows).
3. Winlogon ( ) Wininit ( 0). .
Smss (
, , , Winlogon Wininit).
Windows (Wininit.exe)
Wininit.exe :
,
(
, );
;
%windir%\temp;
(Winsta0) (Winlogon Default)
, 0;
Services.exe ( Service
Control Manager SCM);
99
Lsass.exe (Local Security Authentication Subsystem Server
);
Lsm.exe ( );
.
(SCM)
, Windows
, . .
- UNIX VMS ,
,
. (,
Windows- StartService).
, , , (. 4).
, %SystemRoot%\System32\Services.exe,
, .
Windows-,
Windows-
, , , ,
. HKLM\SYSTEM\
CurrentControlSet\Services.
, : ,
, , . .
, .
Windows ,
, .
, , tlist /s tasklist /svc. ,
, . , , ,
.
Windows .
, ,
. 4.
:

(Control Panel) (Administrative Tools),
(Services).
, :
100 2.
,
(Properties). ,
( ).
, , . ,
,
.
101
(Lsm.exe)
( Lsm.exe )
. ALPC-
SmSsWinStationApiPort Smss (,
Csrss Winlogon), Explorer
(Switch User). Lsm
Winlogon Csrss ( RPC ).
Csrss , , ,
. Winlogon :
.
.
.
.
.
:
Process Explorer - . , Options

() Configure Colors ( ).
- ,
Services () , , , ,
, ( )
Svchost DLL-, . ,
Svchost.exe,
System, .
102 2.
Winlogon, LogonUI Userinit

Windows (Winlogon, %SystemRoot%\System32\Winlogon.exe)
.
Winlogon ,
secure attention sequence (SAS).
SAS Windows Ctrl+Alt+Delete.
SAS , (
, ).
DLL-,
(credential providers). Windows , Windows :
-.
Windows
- (,
). Winlogon
, ,
Winlogon LogonUI. Winlogon SAS, ,
.
,
LogonUI .
, Winlogon DLL-
(network providers),
.
, .
,
(%SystemRoot%\System32\Lsass.exe, .6) to be authenticated. LSASS ( DLL-)
, ,
Active Directory SAM ( ,
).
LSASS
(, NtCreateToken) ,
.
(User Account Control, UAC)

, LSASS , .
Winlogon
103
() . ()
Userinit, HKLM\SOFTWARE\
Microsoft\Windows NT\CurrentVersion\Winlogon. ( Userinit.exe,
.)
Userinit
(, ), Shell (
Winlogon) (
Explorer.exe). Userinit . Explorer.exe
, , 1, tlist
, .
( , Explorer
Winlogon.)
Winlogon , SAS . ,
Ctrl+Alt+Delete,
Windows, ,
, ..
Winlogon LogonUI.
6.
, LSASS (,
Lsa), Windows SDK.
Windows.
Windows .
,
, .
3.
Windows , , ,
.
:
, ,
(DPC), (APC), ;
;
, -, , , ,
( );
;
, Windows;
(ALPC);
(Kernel event tracing);
Wow64;
;
(image loader);
(Hyper-V);
(Kernel Transaction Manager, KTM);
(Kernel Patch Protection, KPP);
.

, , . ,
.
,
. Windows , ,
. .3.1
.
.
( ),
. , , -, ,
() (). ,
, , -
105
. ( , , - , .)

.
,
.
( ).

(
)
. 3.1.
,
. , , ,
, , , .
-,
( APC DPC ).

, ,
, .
, Windows
. Windows
,
. , ,
dt nt!_ktrap_frame (. 5).
, ,
, .
106 3.

,
, . , -
,
(Interrupt service routine,
ISR), ,
. - ,
, ,
.

. KeBugCheckEx,
, ,
, , .
,
.

-,
, . , ,
, -. -
, , . ,
. ,
, , ,
.
.
,
.
, , ,
. , , .
(ISR), , ,
.
ISR-, , .
,
, , ,
, , ( ,
), , , , .
107

, Windows,
- . , .
,
(Interrupt request, IRQ). IRQ
,
(Interrupt dispatch table, IDT)
.
Windows IDT ,
.
Windows IRQ- IDT
IDT
. , x86 x64 (, ,
, ) 0xe (14). , 0xe IDT
. ,
Windows, 256 IDT-,
IRQ-, , .
: IDT
IDT, , Windows
( IRQ-), ,
!idt. !idt ,
(
64- ).
, !idt:
lkd> !idt
Dumping IDT:
00: fffff80001a7ec40
01: fffff80001a7ed40
02: fffff80001a7ef00
03: fffff80001a7f280
04: fffff80001a7f380
05: fffff80001a7f480
06: fffff80001a7f580
07: fffff80001a7f7c0
08: fffff80001a7f880
09: fffff80001a7f940
0a: fffff80001a7fa00
0b: fffff80001a7fac0
0c: fffff80001a7fc00
0d: fffff80001a7fd40
nt!KiDivideErrorFault
nt!KiDebugTrapOrFault
nt!KiNmiInterrupt Stack = 0xFFFFF80001865000
nt!KiBreakpointTrap
nt!KiOverflowTrap
nt!KiBoundFault
nt!KiInvalidOpcodeFault
nt!KiNpxNotAvailableFault
nt!KiDoubleFaultAbort Stack = 0xFFFFF80001863000
nt!KiNpxSegmentOverrunAbort
nt!KiInvalidTssFault
nt!KiSegmentNotPresentFault
nt!KiStackFault
nt!KiGeneralProtectionFault
108 3.
0e: fffff80001a7fe80 nt!KiPageFault
10: fffff80001a80240 nt!KiFloatingErrorFault
11: fffff80001a803c0 nt!KiAlignmentFault
12: fffff80001a804c0 nt!KiMcheckAbort Stack = 0xFFFFF80001867000
13: fffff80001a80840 nt!KiXmmException
1f: fffff80001a5ec10 nt!KiApcInterrupt
2c: fffff80001a80a00 nt!KiRaiseAssertion
2d: fffff80001a80b00 nt!KiDebugServiceTrap
2f: fffff80001acd590 nt!KiDpcInterrupt
37: fffff8000201c090 hal!PicSpuriousService37 (KINTERRUPT fffff8000201c000)
3f: fffff8000201c130 hal!PicSpuriousService37 (KINTERRUPT fffff8000201c0a0)
51: fffffa80045babd0 dxgkrnl!DpiFdoLineInterruptRoutine (KINTERRUPT fffffa80045bab40)
52: fffffa80029f1390 USBPORT!USBPORT_InterruptService (KINTERRUPT fffffa80029f1300)
62: fffffa80029f15d0 USBPORT!USBPORT_InterruptService (KINTERRUPT fffffa80029f1540)
USBPORT!USBPORT_InterruptService (KINTERRUPT fffffa80029f1240)
72: fffffa80029f1e10 ataport!IdePortInterrupt (KINTERRUPT fffffa80029f1d80)
81: fffffa80045bae10 i8042prt!I8042KeyboardInterruptService (KINTERRUPT
fffffa80045bad80)
82: fffffa80029f1ed0 ataport!IdePortInterrupt (KINTERRUPT fffffa80029f1e40)
90: fffffa80045bad50 Vid+0x7918 (KINTERRUPT fffffa80045bacc0)
91: fffffa80045baed0 i8042prt!I8042MouseInterruptService (KINTERRUPT fffffa80045bae40)
a0: fffffa80045bac90 vmbus!XPartPncIsr (KINTERRUPT fffffa80045bac00)
a2: fffffa80029f1210 sdbus!SdbusInterrupt (KINTERRUPT fffffa80029f1180)
rimmpx64+0x9FFC (KINTERRUPT fffffa80029f10c0)
rimspx64+0x7A14 (KINTERRUPT fffffa80029f1000)
rixdpx64+0x9C50 (KINTERRUPT fffffa80045baf00)
a3: fffffa80029f1510 USBPORT!USBPORT_InterruptService (KINTERRUPT fffffa80029f1480)
HDAudBus!HdaController::Isr (KINTERRUPT fffffa80029f1c00)
a8: fffffa80029f1bd0 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1b40)
a9: fffffa80029f1b10 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1a80)
aa: fffffa80029f1a50 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f19c0)
ab: fffffa80029f1990 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1900)
ac: fffffa80029f18d0 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1840)
ad: fffffa80029f1810 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1780)
ae: fffffa80029f1750 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f16c0)
af: fffffa80029f1690 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1600)
b0: fffffa80029f1d50 NDIS!ndisMiniportMessageIsr (KINTERRUPT fffffa80029f1cc0)
b1: fffffa80029f1f90 ACPI!ACPIInterruptServiceRoutine (KINTERRUPT fffffa80029f1f00)
b3: fffffa80029f1450 USBPORT!USBPORT_InterruptService (KINTERRUPT fffffa80029f13c0)
c1: fffff8000201c3b0 hal!HalpBroadcastCallService (KINTERRUPT fffff8000201c320)
d1: fffff8000201c450 hal!HalpHpetClockInterrupt (KINTERRUPT fffff8000201c3c0)
d2: fffff8000201c4f0 hal!HalpHpetRolloverInterrupt (KINTERRUPT fffff8000201c460)
df: fffff8000201c310 hal!HalpApicRebootService (KINTERRUPT fffff8000201c280)
e1: fffff80001a8e1f0 nt!KiIpiInterrupt
e2: fffff8000201c270 hal!HalpDeferredRecoveryService (KINTERRUPT fffff8000201c1e0)
e3: fffff8000201c1d0 hal!HalpLocalApicErrorService (KINTERRUPT fffff8000201c140)
fd: fffff8000201c590 hal!HalpProfileInterrupt (KINTERRUPT fffff8000201c500)
fe: fffff8000201c630 hal!HalpPerfInterrupt (KINTERRUPT fffff8000201c5a0)
109
, , ISR (I8042prt.sys) 0x81. , , 0xe KiPageFault.
IDT-, , , ISR-. , ,
.

.
, .
x86
x86 (Programmable Interrupt Controller, PIC) i8259A,
(Advanced
Programmable Interrupt Controller, APIC) i82489.
APIC. PIC IBM
PC. PIC i8259A
8 . IBM PC PIC-, ,

PIC-. 15 (7
8 ,
). APIC- SAPIC- (Streamlined Advanced Programmable Interrupt
Controllers
), 256 . Intel Multiprocessor Specification (MP Specification),
x86,
APIC.
,
, APIC-
15
. APIC- .3.2.
APIC- : APIC
-, , APIC, APIC - , , i8259A , APIC- ,
PIC-.
APIC- -, , .
,
110 3.
,
,
.
APIC- -, , . Windows
APIC- .
APIC
APIC
APIC
i8259A
PIC
. 3.2. APIC- x86
x64
x64 x86, x64 , x86. , x64-
, APIC,
APIC.
IA64
IA64 Streamlined Advanced Programmable Interrupt
Controller (SAPIC), APIC.
, Windows , , .
: PIC APIC
PIC
APIC
!pic !apic. !pic 1.
, !pic , APIC HAL, .
111
lkd> !pic
----- IRQ Number -----000102030405060708090A0B0C0D0E0F
Physicallyinservice:................
Physicallymasked:...Y..YY..Y..Y..
Physicallyrequested:................
LevelTriggered:.....Y...Y.Y....
!apic, ,
APIC HAL. ,
APIC, , , , .

, APIC ,
~ () .
lkd> !apic
Apic @ fffe0000 ID:0 (50014) LogDesc:01000000 DestFmt:ffffffff TPR 20
TimeCnt: 00000000clk SpurVec:3f FaultVec:e3 error:0
Ipi Cmd: 01000000'0000002f Vec:2F FixedDel
Ph:01000000
edg high
Timer..: 00000000'000300fd Vec:FD FixedDel
Dest=Self
edg high
Linti0.: 00000000'0001003f Vec:3F FixedDel
Dest=Self
edg high
Linti1.: 00000000'000004ff Vec:FF NMI
Dest=Self
edg high
TMR: 51-52, 62, A3, B1, B3
IRR:
ISR::
m
m
, Vec, IDT,
. ,
0xFD APIC Timer, 0xE3
APIC.
, !idt, ,
0xFD HAL (
), 0xe3, ,
APIC HAL.
!ioapic, APIC- -,
, :
lkd> !ioapic
IoApic @ FEC00000
ID:0 (51)
Inti00.: 0000a951'0000a951
Arb:A951
Vec:51
LowestDl
Lg:0000a951
lvl low
(IRQL)
,
Windows ,
(IRQL). IRQL- 0 31 x86 0 15
x64 IA64,
. IRQL-, HAL -
112 3.
IRQL-. .3.3 IRQL-

x86, .3.4 IRQL- x64 IA64.
31
High
30
Power fail
29
Interprocessor interrupt
28
Clock
27
Profile/Synch
26
Device n
5 Corrected Machine Check Interrupt

4
Device 1
DPC/dispatch
APC
Passive/Low
. 3.3. (IRQL) x86

x64
IA64
15
High/Profile
High/Profile/Power
14
Interprocessor interrupt/Power
Interprocessor interrupt
13
Clock
Clock
12
Synch
Synch
11
Device n
Device n
Device 1
Device 1
Corrected Machine Check
Dispatch/DPC
Dispatch/DPC & Synch
APC
APC
Passive/Low
Passive/Low
. 3.4. (IRQL) x64 IA64
,
.

. , , IRQL
. IRQL- ,
113
, .
,
. IRQL, , . , .
IRQL , , ( 5). , IRQL
, . ,
IRQL,
.
IRQL ,
. IRQL-
.
, IRQL ,
KeRaiseIrql KeLowerIrql, , , ,
, , . .3.5, , IRQL,
, , , IRQL- ,
, IRQL.
IRQL
High

IRQL = Clock
Power fail
Inter-processor interrupt
Clock
Profile/Synch
Device n

CMCI
Device 1
DPC/dispatch
APC
Passive

IRQL = DPC/dispatch
,
. 3.5.
PIC , HAL, - IRQL-

(, PIC 32-
Advanced Configuration
114 3.
and Power Interface, ACPI), ,

IRQL (lazy IRQL) PIC.
IRQL HAL IRQL,
. ,
HAL ,
, (
) , IRQL .
, IRQL
, PIC HAL- .

IRQL APC-. IRQL APC,
- dispatch/DPC-,
APC- .
, APC IRQL, ,
.
IRQL , , , . ,
, (, ,
) IRQL IRQL, .
IRQL ( ), , , ,
. , , IRQL .
, ,
IRQL ( ).
, IRQL
.
: IRQL
IRQL
!irql. IRQL IRQL , ,
IRQL , :
kd>!irql
DebuggersavedIRQLforprocessor0x0--0(LOW_LEVEL)
, IRQL . , IRQL,
(processor control region, PCR), ,
(processor region control block, PRCB), IRQL DebuggerSaveIrql. PCR PRCB
, IRQL, IDT-,
115
, . HAL
,
. PCR PRCB
Ntddk.h,
Windows Driver Kit (WDK).
PCR
, !pcr. PCR
,
:
lkd> !pcr 0
KPCR for Processor 0 at fffff80001bfad00:
Major 1 Minor 1
NtTib.ExceptionList: fffff80001853000
NtTib.StackBase: fffff80001854080
NtTib.StackLimit: 000000000026ea28
NtTib.SubSystemTib: fffff80001bfad00
NtTib.Version: 0000000001bfae80
NtTib.UserPointer: fffff80001bfb4f0
NtTib.SelfTib: 000007fffffdb000
SelfPcr: 0000000000000000
Prcb: fffff80001bfae80
Irql: 0000000000000000
IRR: 0000000000000000
IDR: 0000000000000000
InterruptMode: 0000000000000000
IDT: 0000000000000000
GDT: 0000000000000000
TSS: 0000000000000000
CurrentThread: fffff80001c08c40
NextThread: 0000000000000000
IdleThread: fffff80001c08c40
DpcQueue:
IRQL , . , IRQL

. IRQL .
. ,
(Interprocessor interrupt, IPI), ,
-
(Translation look-aside buffer, TLB).
,
, .
,
.
116 3.
HAL
, .
.
( ) .
IRQL-
IRQL- (IRQ), , ,
Windows, IRQL .
Windows , IRQL ? HAL. Windows (PCI, USB ..)
, ,
, .
Plug and Play, ,
,
, . Plug and Play,
IRQL-. ( , ACPI, ,
ACPI- ACPI HAL .)
HAL, Windows,
. ACPI- ( x86, x64 IA64), HAL IRQL
,
IRQ 16. IRQ,
, . APIC , -
IRQ IRQL .
(. . 117) ,
.
IRQL-
IRQL,
.3.4, :
(high),
KeBugCheckEx .
( power fail)
Windows NT.
, IRQL .
(interprocessor interrupt)
, - TLB,
.
(clock) .
,
.
117
( , , -
APIC) (
) profile.

, , . ,
.

, Kernrate, Windows
Driver Kit (WDK).
, Kernrate.
IRQL (synchronization)
-.
IRQL-
.
IRQL- (device)
, . IRQL- .
(corrected machine check)
,
, Machine Check Error (MCE)
.
(DPC/dispatch)
(APC)
, .
DPC APC .
IRQL- ( passive)
; .
:
(Kernrate)
Kernel Profiler (Kernrate)
, ,
,
.
, () ,
(, ).
, .
Kernrate
(, Ntoskrnl, ..).
, Windows Driver Kit .
118 3.
1. .
2. cd C:\WinDDK\7600.16385.1\tools\other ( WDK Windows 7/Server 2008R2).
3. dir. .
4. , (
). , x86 i386\
kernrate.exe.
5. Kernrate -
. , Windows Media Player
- , , ,
-
.
6. Ctrl+C Kernrate. Kernrate
.
Kernrate ,
Windows Media Player, :
C:\WinDDK\7600.16385.1\tools\Other\i386>kernrate.exe
/==============================\
<
KERNRATE LOG
>
\==============================/
Date: 2011/03/09
Time: 16:44:24
Machine Name: TEST-LAPTOP
Number of Processors: 2
PROCESSOR_ARCHITECTURE: x86
PROCESSOR_LEVEL: 6
PROCESSOR_REVISION: 0f06
Physical Memory: 3310 MB
Pagefile Total: 7285 MB
Virtual Total: 2047 MB
PageFile1: \??\C:\pagefile.sys, 4100MB
OS Version: 6.1 Build 7601 Service-Pack: 1.0
WinDir: C:\Windows
Kernrate Executable Location: C:\WINDDK\7600.16385.1\TOOLS\OTHER\I386
Kernrate User-Specified Command Line:
kernrate.exe
Kernel Profile (PID = 0): Source= Time,
Using Kernrate Default Rate of 25000 events/hit
Starting to collect profile data
***> Press ctrl-c to finish collecting profile data
===> Finished Collecting Data, Starting to Process Results
------------Overall Summary:-------------P0
K 0:00:00.000 ( 0.0%) U 0:00:00.234 ( 4.7%) I 0:00:04.789 (95.3%)
DPC 0:00:00.000 ( 0.0%) Interrupt 0:00:00.000 ( 0.0%)
Interrupts= 9254, Interrupt Rate= 1842/sec.
P1
K 0:00:00.031 ( 0.6%) U 0:00:00.140 ( 2.8%) I 0:00:04.851 (96.6%)
DPC 0:00:00.000 ( 0.0%) Interrupt 0:00:00.000 ( 0.0%)
Interrupts= 7051, Interrupt Rate= 1404/sec.
TOTAL K 0:00:00.031 ( 0.3%) U 0:00:00.374 ( 3.7%) I 0:00:09.640 (96.0%)
119
DPC 0:00:00.000 ( 0.0%) Interrupt 0:00:00.000 ( 0.0%)
Total Interrupts= 16305, Total Interrupt Rate= 3246/sec.
Total Profile Time = 5023 msec
BytesStart
BytesStop
BytesDiff.
Available Physical Memory ,
1716359168,
1716195328,
-163840
Available Pagefile(s)
,
5973733376,
5972783104,
-950272
Available Virtual
,
2122145792,
2122145792,
0
Available Extended Virtual ,
0,
0,
0
Committed Memory Bytes
,
1665404928,
1666355200,
950272
Non Paged Pool Usage Bytes ,
66211840,
66211840,
0
Paged Pool Usage Bytes
,
189083648,
189087744,
4096
Paged Pool Available Bytes,
150593536,
150593536,
0
Free System PTEs
,
37322,
37322,
0
Total
Avg. Rate
Context Switches
,
30152,
6003/sec.
System Calls
,
110807,
22059/sec.
Page Faults
,
226,
45/sec.
I/O Read Operations ,
730,
145/sec.
I/O Write Operations ,
1038,
207/sec.
I/O Other Operations ,
858,
171/sec.
I/O Read Bytes
,
2013850,
2759/ I/O
I/O Write Bytes
,
28212,
27/ I/O
I/O Other Bytes
,
19902,
23/ I/O
----------------------------Results for Kernel Mode:
----------------------------OutputResults: KernelModuleCount = 167
Percentage in the following table is based on the Total Hits for the Kernel
Time
3814 hits, 25000 events per hit -------Module
Hits
msec %Total Events/Sec
NTKRNLPA
3768
5036
98 %
18705321
NVLDDMKM
12
5036
0 %
59571
HAL
12
5036
0 %
59571
WIN32K
10
5037
0 %
49632
DXGKRNL
9
5036
0 %
44678
NETW4V32
2
5036
0 %
9928
FLTMGR
1
5036
0 %
4964
================================= END OF RUN ==================================
============================== NORMAL END OF RUN ==============================
, 0,3 %
, 3,7 % , 96,0 % , 0,0 %
DPC 0,0 % .
Ntkrnlpa.exe,
(Physical Address Extension, PAE) NX. nvlddmkm.sys, ,
. ,
, , Windows Media Player, - .
120 3.
,
, . ,

( ):
C:\WinDDK\7600.16385.1\tools\Other\i386>kernrate.exe -z ntkrnlpa -z win32k
/==============================\
<
KERNRATE LOG
>
\==============================/
Date: 2011/03/09
Time: 16:49:56
Time
4191 hits, 25000 events per hit -------Module
Hits
NTKRNLPA
3623
WIN32K
303
INTELPPM
141
HAL
61
CDD
30
NVLDDMKM
13
msec
5695
5696
5696
5695
5696
5696
%Total
86 %
7 %
3 %
1 %
0 %
0 %
Events/Sec
15904302
1329880
618855
267778
131671
57057
--- Zoomed module WIN32K.SYS (Bucket size = 16 bytes, Rounding Down) -------Module
Hits
BltLnkReadPat
34
5696
10 %
149227
memmove
21
5696
6 %
92169
vSrcTranCopyS8D32
17
5696
5 %
74613
memcpy
12
5696
3 %
52668
RGNOBJ::bMerge
10
5696
3 %
43890
HANDLELOCK::vLockHandle
8
5696
2 %
35112
--- Zoomed module NTKRNLPA.EXE (Bucket size = 16 bytes, Rounding Down) -------Module
Hits
KiIdleLoop
3288
5695
87 %
14433713
READ_REGISTER_USHORT
95
5695
2 %
417032
READ_REGISTER_ULONG
93
5695
2 %
408252
RtlFillMemoryUlong
31
5695
0 %
136084
KiFastCallEntry
18
5695
0 %
79016
Win32k.sys,
.
Cdd.dll, ,
Aero 3D-. ,
. , Win32k.sys , ,
, GDI- ,
.
, ,
DPC/dispatch , , ,
, , -
121
DPC-.
, IRQL- DPC/dispatch
.
,
. -, ,
.
, , (, , idle,
), ,
, IRQL- DPC/dispatch . , -
APC_LEVEL, , ,
, - , APC
.
IRQL_NOT_LESS_OR_EQUAL
(IRQL ) DRIVER_IRQL_NOT_LESS_
OR_EQUAL (IRQL ).

. ,
, Windows Driver Verifier.

,
,
(ISR) .
, ,
ISR ,
ISR, IRQL-, , (IDT), ISR.

, ,
, KiInterruptTemplate.
.

, KiInterruptDispatch,
KiChainedDispatch, .
KiInterruptDispatch , ,
. KiChainedDispatch
, . ,
ISR, .
122 3.
IRQL, ,
KiInterruptDispatch KiChainedDispatch ISR
IRQL , ,
ISR, IRQL. ,
, ,
( - ) ,
.
, APIC .
Windows- x64 , , ,
, KiInterruptDispatchNoLock, ,
- ( , ISR-), KiInterruptDispatchNoEOI.
KiInterruptDispatchNoEOI , APIC Auto-End-ofInterrupt (Auto-EOI), EOI
, EOI. , (performance/profiling)
KiInterruptDispatchLBControl,
Last Branch Control MSR, .
; ,
,
. , ,
HAL, HAL
, HAL ISR.
KiFloatingDispatch
,
. , (MMX, SSE, 3DNow!), ,
ISR- (, ISR
, ).
FloatingSave TRUE,
, , (
). ,
32- .
.3.6 ,
.
123
JP
00 3
93 8N
8 F
JP
00 3
93 8N
8 F
0
2
3
-
APIC PIC
APIC
( IRQ#
)
ISR
-
IRQL

DPC
IRQL
KiInterruptDispatch
ISR-
. 3.6.
:
, ,
IRQL, ISR
. !idt ,
I8042KeyboardInterruptService, ISR-
PS2-:
81:
fffffa80045bae10 i8042prt!I8042KeyboardInterruptService (KINTERRUPT
fffffa80045bad80)
,
, dt nt!_kinterrupt , KINTERRUPT:
lkd> dt nt!_KINTERRUPT fffffa80045bad80
+0x000 Type
: 22
+0x002 Size
: 160
+0x008 InterruptListEntry : _LIST_ENTRY [ 0x00000000'00000000 - 0x0 ]
+0x018 ServiceRoutine
: 0xfffff880'0356ca04
unsigned char
i8042prt!I8042KeyboardInterruptService+0
+0x020 MessageServiceRoutine : (null)
+0x028 MessageIndex
: 0
+0x030 ServiceContext : 0xfffffa80'02c839f0
124 3.
+0x038
+0x040
+0x048
+0x050
+0x058
+0x05c
+0x05d
+0x05e
+0x05f
+0x060
+0x064
+0x065
+0x068
+0x06c
+0x070
+0x074
+0x078
+0x080
+0x088
+0x090
SpinLock
TickCount
ActualLock
DispatchAddress
Vector
Irql
SynchronizeIrql
FloatingSave
Connected
Number
ShareVector
Pad
Mode
Polarity
ServiceCount
DispatchCount
Rsvd1
TrapFrame
Reserved
DispatchCode
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
0
0
0xfffffa80'02c83b50 -> 0
0xfffff800'01a7db90
void nt!KiInterruptDispatch+0
0x81
0x8 ''
0x9 ''
0 ''
0x1 ''
0
0 ''
[3] ""
1 ( Latched )
0 ( InterruptPolarityUnknown )
0
0
0
0xfffff800'0185ab00 _KTRAP_FRAME
(null)
[4] 0x8d485550
IRQL, Windows , 8.
IRQ , Windows
.
(, ) (,
). IRQ-
( ACPI), ACPI IRQ- .
ACPI IRQ-
!apciirqarb:
lkd> !acpiirqarb
Processor 0 (0, 0):
Device Object: 0000000000000000
Current IDT Allocation:
...
0000000000000081 - 0000000000000081
A:0000000000000000 IRQ:0
...
fffffa80029b4c20
(i8042prt)
ACPI,
!arbiter4 ( 4 IRQ-):
lkd> !arbiter 4
DEVNODE fffffa80027c6d90 (HTREE\ROOT\0)
Interrupt Arbiter "RootIRQ" at fffff80001c82500
Allocated ranges:
0000000000000081 - 0000000000000081
Owner
fffffa80029b4c20 (i8042prt)
. !devobj,
125
i8042prt ( PS/2):
lkd> !devobj fffffa80029b4c20
Device object (fffffa80029b4c20) is for:
00000061 \Driver\ACPI DriverObject fffffa8002888e70
Current Irp 00000000 RefCount 1 Type 00000032 Flags 00003040
Dacl fffff9a100096a41 DevExt fffffa800299f740 DevObjExt fffffa80029b4d70 DevNode
fffffa80029b54b0
,
.
!devnode
6, :
lkd> !devnode fffffa80029b54b0 6
DevNode 0xfffffa80029b54b0 for PDO 0xfffffa80029b4c20
Parent 0xfffffa800299b390
Sibling 0xfffffa80029b5230
Child 0000000000
InstancePath is "ACPI\PNP0303\4&17aa870d&0"
ServiceName is "i8042prt"
...
CmResourceList at 0xfffff8a00185bf40 Version 1.1 Interface 0xf Bus #0
Entry 0 - Port (0x1) Device Exclusive (0x1)
Flags (0x11) - PORT_MEMORY PORT_IO 16_BIT_DECODE
Range starts at 0x60 for 0x1 bytes
Entry 4 - Interrupt (0x2) Device Exclusive (0x1)
Flags (0x01) - LATCHED
Level 0x1, Vector 0x1, Group 0, Affinity 0xffffffff
, , ,
IRQ 1. (
IRQ, .) IRQ 1 PC/AT
IRQ, PS/2, ,
. ( USB- .)
ACPI- ,
!acpiirqarb.
IRQ IDT:
Interrupt Controller (Inputs: 0x0-0x17 Dev: 0000000000000000):
(00)Cur:IDT-a1 Ref-1 edg hi
Pos:IDT-00 Ref-0 edg hi
(01)Cur:IDT-81 Ref-1 edg hi
126 3.
(09)Cur:IDT-b1 Ref-1 lev hi
(0a)Cur:IDT-00 Ref-0 edg hi
(0b)Cur:IDT-00 Ref-0 edg hi
(0c)Cur:IDT-91 Ref-1 edg hi
(0d)Cur:IDT-61 Ref-1 edg hi
(0e)Cur:IDT-82 Ref-1 edg hi
(0f)Cur:IDT-72 Ref-1 edg hi
(10)Cur:IDT-51 Ref-3 lev low
(11)Cur:IDT-b2 Ref-1 lev low
(12)Cur:IDT-a2 Ref-5 lev low
(15)Cur:IDT-a3 Ref-2 lev low
(16)Cur:IDT-b3 Ref-1 lev low

, IRQ 1 IDT- 0x81.

ISR- Service
Routine ( !idt ), , , DispatchCode
. , DispatchAddress
(KiInterruptDispatch ), .
Windows
, , .
(, )
, ,
, . (, ) ,
, - .
.

.
127
, - , - , .
Windows IRQ IRQL- , Windows
.
, Windows,
. ,
- .

ISR DPC . ,
. ,
DPC ISR
, .

(, ), Windows Embedded
Standard 7 .
Windows 7,
, . ,
Windows 7, , , .
, ,
Windows . , ,
HAL Windows
. , Windows,
,
.
ISR
, ISR IDT
. ,
IoConnectInterruptEx IoDisconnectInterruptEx,
ISR ISR,
.
ISR ,
( , ),
IDT.
,

.
.

ISR , IRS
.
128 3.
,
ISR- .
IDT, .
,
,
. , ISR-
, .
, , ,
IRQL, , ISR-,
. ,
, , , ;
, Plug and Play
, .
KiChainedDispatch,
ISR- ,
. !idt (: IDT,
. 107) 0xa2
. , , ,
- 7--1,
- Secure Digital (SD), Compact Flash
(CF), MultiMedia Card (MMC) ,
.
, .

,
, .

.
, - 7--1
, , ,
. IRQ-
IRQ-. ,
PCI- IRQ, -
IRQ-.
, IRQ, , IRQ-
(interrupt storms)
129
,
ISR- ,
. ,
, , EOI.
- - - ,
,
, . ,
. , , ,
Plug and Play, ,
.
, PCI 2.2 , (Message-signaled interrupts, MSI).
,
, MSI, Windows,
. MSI-
, . , Windows ISR () ,
.
( 32),
.

, IRQ-
( MSI-
, IRQ-), ISR- ,
, .
, , , ISR- .
, PCI 3.0 MSI- MSI-X 32- ( 16-) 2048 ( 32), ,
, (
)
MSI. MSI ,
,
,
(nonuniform memory
access, NUMA) ,
.
, NUMA-.
130 3.

, ACPI APIC, Windows
( , ) ( ,
, ,
). , IRQL. (affinity policy) ,
. 3.1,
InterruptPolicyValue Interrupt Management\Affinity
Policy , .
,
,
. Microsoft Interrupt Affinity policy Tool,
http://www.microsoft.com/whdc/system/sysperf/intpolicy.mspx.
3.1. IRQ
IrqPolicyMachineDefault
- . Windows ,
, (
)

IrqPolicyAllCloseProcessors NUMA- Plug and Play

,
( ). ,
NUMA-,
IrqPolicyAllProcessorsInMachine
IrqPolicyOneCloseProcessor NUMA- Plug and Play
, ( ). ,
NUMA-, ,

IrqPolicyAllProcessorsIn
Machine
IrqPolicySpecifiedProcessors ,
AssignmentSetOverride
IrqPolicySpreadMessages
AcrossAllProcessors
, ,

, , , NUMA. MSI-X

,
. 3.2.
131
, , Windows , IRQ , , IRQL,
, , Windows . IRQ ,

, .
3.2. IRQ
IrqPriorityUndefined
.
, (IrqPriorityNormal)
IrqPriorityLow
,
IRQL,
IrqPriorityNormal
. IRQL-,

IrqPriorityHigh
. IRQL,

,
Windows ,
:
;
;
;
;
-.
.

(Deferred Procedure Call, DPC).
, , - , -
, ,
. , ,
.
, , . DPC-
.
132 3.
IRQL DPC/dispatch ,
.
. , DPC/dispatch, ,
IRQL .
, ,
IRQL DPC/dispatch, -
. , IRQL DPC/dispatch, .
, ,
. Windows , .
IRQL
(DPC). DPC ,
, , .
(deferred), .

.
DPC-
( , )
,
( ). DPC . Windows
IRQL IRQL- . ISR-
,

,
DPC- IRQL- DPC/dispatch.
DPC- DPC-,
, , . , DPC-, ,
DPC-. DPC-, , , , .
DPC-. DPC
DPC-, DPC-.
DPC- DPC-
, DPC- (
, ISR-).
, DPC- (, ,
, ) DPC . DPC-,
, DPC. DPC
133
, DPC- ,
.
DPC-, IRQL- IRQL- DPC/dispatch
IRQL- (APC passive). Windows IRQL
DPC/dispatch DPC-
, ( ), DPC-. IRQL-
DPC/dispatch
. DPC .3.7.
DPC- .
DPC- DPC/dispatch. , DPC-
(, ISR-)
DPC (low). DPC , , DPC
DPC-,
, .
DPC

IRQL
2
IRQL-
DPC/dispatch,
DPC-.
DPC
3 DPC-

,
High
DPC-,
, Power failure
.

DPC/dispatch
APC
Passive

( ).
DPC
DPC -
4
DPC-
DPC-,
. ,
.
. 3.7. DPC-
DPC- , ,
ISR-, DPC (high)
(medium-high),
( IPI) DPC, .
, DPC/dispatch
DPC-, ,
. (idle)
DPC- , .
134 3.
, DPC-
,
DPC-. ,
DPC-, .3.3. , ,
, ,
. ,
, .
IRQL,
, DPC- . DPC- ,
, , DPC-,
, ,
. DPC- ,
,
( ).
, , , .
3.3. DPC-
DPC
DPC-
,
ISR-
DPC-

(Low)
DPC-
DPC DPC
DPC-
DPC-
DPC

(Medium)
DPC-
DPC

(Medium-High)
(High)
DPC- ,
. DPC
. IRQL- clock. (
IRQL- clock)
, .
, , , ,
, , IRQL- DPC/dispatch.
DPC- , , IRQL-
135
. DPC- , , ,
, DPC-.
DPC- , ( ),
, , ,

,
DPC-. DPC-
,
,
DPC- Windows DPC-.
DPC-, , DPC- (passive)
(priority 31). DPC-
(

). , DPC, APC-
.
: DPC
DPC
Process Explorer, System Information
( ) CPU ( ), DPC-,
Process Explorer ( ).
136 3.

, ( ):
1. . , Microsoft Windows Performance Toolkit (
c:\Program Files) 1:
xperf on PROC_THREAD+LOADER+DPC+INTERRUPT

2. , :
xperf d dpcisr.etl

3. , :
xperf dpcisr.etl
tracerpt \kernel.etl report dpcisr.html f html

- dpcisr.html.
4. report.html DPC/ISR.
DPC/ISR Breakdown , ,
ISR- DPC- . , .
ln , DPC ISR:
lkd> ln 0x806321C7
(806321c7)
ndis!ndisInterruptDpc
lkd> ln 0x820AED3F
(820aed3f)
nt!IopTimerDispatch
lkd> ln 0x82051312
(82051312)
nt!PpmPerfIdleDpc
DPC-, -
NDIS. DPC- -. DPC-,
(idle).

HTML, DPC- ISR-
Xperf Viewer, Xperf
DPC and/or ISR CPU Usage graphs ( , , Process Explorer
Process Monitor, , .
137
DPC ISR)
Summary Table ( ).
DPC ISR , , .
138 3.
DPC- ,
DWORD- HKEY_
LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\kernel\
ThreadDpcEnable. DPC- ,
, DPC-, , , . ,
IRQL-,
. , API KeAcquire/ReleaseSpinLockAtDpcLevel, , dispatch.
DPC- KeAcquire/ReleaseSpinLockForDpc,
IRQL.
. (Asynchronous procedure call, APC)
( , ).
APC-
IRQL-, DPC/
dispatch, ,
DPC. APC- (),
,
.
APC- , APC. APC-, ,
APC-. DPC, , APC
APC-. APC-
, , APC-.
, , APC- ,
, APC-.
APC-: . APC-
, APC-
. APC-
. APC- : . APC-
APC APC- APC-.
APC- passive
APC- ( ,
).
APC- IRQL APC- KeEnterGuardedRegion.
APC-, SpecialApcDisable
KTHREAD ( 5).
APC-
KeEnterCriticalRegion, KernelApcDisable
139
KTHREAD . .3.4 APC-
APC.
3.4. APC
APC
( )

APC-

APC-,
IRQL, ,
.
,
APC-
(-
)

APC (

APC-)
PASSIVE_LEVEL

APC-. ,
APC ( , ,
)
(- APC-
)
PASSIVE_LEVEL,
IRQL, ,
(
) ,
.
, APC- (
,
, )
( )
(PsExit
SpecialApc)

APC-
PASSIVE_LEVEL
,

.
, APC,
APC- ,
( ) . APC-, , ,
- .
APC- ,
, .
UNIX- APC-
UNIX- UNIX-.
APC- .
,
140 3.
APC , .
APC-
,
, ,
, .
APC- .
, -
, .
, -
- , -,
-
, .
- APC- ,
API- SetFileIoOverlappedRange
-,
, , .
APC- Windows
API-, ReadFileEx, WriteFileEx QueueUserAPC. ,
ReadFileEx WriteFileEx , -.
- APC-
, -.
APC- ,
APC-
, .

, (
Windows- WaitForMulti pleObjectsEx),
APC ( SleepEx).
, APC- ,
() , APC-, , APC- . APC , APC, APC-
passive.
APC ,
, , , .
APC- , APC- .
, , ,
. , APC-
, - ,
, ,
, ,
. , ,
.
141
,
- .

, Windows-, IRQL
(CLOCK_LEVEL). , . Windows
,
, , , , . Windows
, ,
,
.
Windows
, .
(Programmable Interrupt Timer, PIT), ,
, PC/AT, (Real Time Clock, RTC). PIT ,
NTSC ( CGA),
(HAL)
1 ,
1 15. RTC 32,768,
, 2, , 2.
APIC Multiprocessor HAL RTC
15,6, 64 .
Windows-, ,
. ,
1. Windows
API- , , (
, ). , ,
.
Windows .
Windows . (
) .
,
, , , Windows
(
, ).
142 3.
: ,

, - , , Windows Event Tracing for
Windows (ETW) ,
. .
, , ,
.
powercfg /energy
HTML- energy-report.html .
(Platform Timer Resolution) ,

,
, . , ,
20 000 2.
.
. EPROCESS ,
,
:
+0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0xfffffa80'05218fd8 - 0xfffffa80'059cd508 ]
+0x4b8 RequestedTimerResolution : 0
+0x4bc ActiveThreadsHighWatermark : 0x1d
+0x4c0 SmallestTimerResolution : 0x2710
+0x4c8 TimerResolutionStackRecord : 0xfffff8a0'0476ecd0 _PO_DIAG_STACK_RECORD
143
, : , - . ,
PowerPoint 2010,
, . EPROCESS- PowerPoint,
, ,
PO_DIAG_STACK_RECORD.
, TimerResolutionLink

ExpTimerResolutionListHead. !list ,
, powercfg :
lkd> !list "-e -x \"dt nt!_EPROCESS @$extret-@@(#FIELD_OFFSET(nt!_EPROCESS,
TimerResolutionLink))
ImageFileName SmallestTimerResolution RequestedTimerResolution\"
nt!ExpTimerResolutionListHead"
dt nt!_EPROCESS @$extret-@@(#FIELD_OFFSET(nt!_EPROCESS, TimerResolutionLink))
ImageFileName
SmallestTimerResolution RequestedTimerResolution
+0x2e0 ImageFileName
: [15] "audiodg.exe"
ImageFileName
: [15] "chrome.exe"
ImageFileName
: [15] "calc.exe"
ImageFileName
: [15] "devenv.exe"
144 3.
ImageFileName
: [15] "POWERPNT.EXE"
ImageFileName
: [15] "winvnc.exe"
+0x4b8 RequestedTimerResolution : 0x2710

, ISR-, , RTC PIT, ,
KeUpdateSystemTime.
, , ,
, API-,
GetTickCount, , ,
. KeUpdateRunTime. ,
KeUpdateRunTime , - .
Windows , , ,
,
. , ,

. , ,
( ).
13 19 ,
20 , , , ,
2 , , 2 .

, , .
,
64
( APIC HAL). Windows
,

145
. , ,
PRCB,
(.3.8). , ,
. ,
.
,
. ,
, . , , ,
, -
, .
255
255
31
31
. 3.8.
,
,
,
CLOCK_LEVEL, IRQL-.
, ISR- DPC,
, ISR- DPC, PRCB, DPC , -
146 3.
. ,
, ISR- ,
, DPC PRCB .
PRCB-,
,

. .3.5 ,
.
IRQL DPC
DISPATCH_LEVEL, .
3.5. KPRCB,
KPRCB
ReadySummary
(32)
DeferredReadyListHead
DispatcherReadyListHead 32 32
5 ,
.
. ,
( DPC-, PRCB
TimerExpiryDpc) . (
, , , , ,
, .)
:
(

).
. , . .
,
DPC-, .
. ( /
.) , DISPATCH_LEVEL, DPC,
.
147

, , IRQL- CLOCK_LEVEL
DISPATCH_LEVEL. .3.9
, ,
, .
. 3.9.

,
, ,
. DPC-,
(
5). ,
, . , - DPC-,
,
DPC, .
,
DPC, .
, DPC- ,
,
0. , , .
, DPC-
, .
, , Hyper-V,
.
, - DPC-, 0
148 3.
.

DPC- . ,
DPC-,
, , ,
. Hyper-V, 0 DPC, ,
.
,
.3.10, , ,
.
32-
, 64- .
KiDistributeTimers,
, .
- DistributeTimers, , SKU HKLM\
SYSTEM\CurrentControlSet\Control\Session Manager\kernel.
,
0
. 3.10. ,
:
,
, DPC-,
( ), .
.
[lkd> !timer
Dump system timers
Interrupt time: 61876995 000003df [ 4/ 5/2010 18:58:09.189]
List Timer
Interrupt Low/High
Fire Time
DPC/thread
PROCESSOR 0 (nt!_KTIMER_TABLE fffff80001bfd080)
5 fffffa8003099810
627684ac 000003df [ 4/ 5/2010 18:58:10.756]
NDIS!ndisMTimerObjectDpc (DPC @ fffffa8003099850)
149
13 fffffa8003027278 272dde78 000004cf [ 4/ 6/2010 23:34:30.510] NDIS!ndisMWakeUpDpcX
(DPC @ fffffa80030272b8)
fffffa8003029278 272e0588 000004cf [ 4/ 6/2010 23:34:30.511] NDIS!ndisMWakeUpDpcX
fffffa8003025278 272e0588 000004cf [ 4/ 6/2010 23:34:30.511] NDIS!ndisMWakeUpDpcX
fffffa8003023278 272e2c99 000004cf [ 4/ 6/2010 23:34:30.512] NDIS!ndisMWakeUpDpcX
16 fffffa8006096c20
6c1613a6 000003df [ 4/ 5/2010 18:58:26.901] thread
fffffa8006096b60
19 fffff80001c85c40
64f9aeb5 000003df [ 4/ 5/2010 18:58:14.971]
nt!CmpLazyFlushDpcRoutine (DPC @ fffff80001c85c00)
31 fffffa8002c43660 P dc527b9b 000003e8 [ 4/ 5/2010 20:06:00.673]
intelppm!LongCapTraceDpc (DPC @ fffffa8002c436a0)
40 fffff80001c86f60 62ca1080 000003df [ 4/ 5/2010 18:58:11.304] nt!CcScanDpc (DPC
@ fffff80001c86f20)
fffff88004039710
62ca1080 000003df [ 4/ 5/2010 18:58:11.304]
luafv!ScavengerTimerRoutine (DPC @ fffff88004039750)
...
252 fffffa800458ed50 62619a91 000003df [ 4/ 5/2010 18:58:10.619] netbt!TimerExpiry
(DPC @ fffffa800458ed10)
fffffa8004599b60 fe2fc6ce 000003e0 [ 4/ 5/2010 19:09:41.514] netbt!TimerExpiry
PROCESSOR 1 (nt!_KTIMER_TABLE fffff880009ba380)
0 fffffa8004ec9700
626be121 000003df [ 4/ 5/2010 18:58:10.686] thread
fffffa80027f3060
fffff80001c84dd0 P 70b3f446 000003df [ 4/ 5/2010 18:58:34.647]
nt!IopIrpStackProfilerTimer (DPC @ fffff80001c84e10)
11 fffffa8005c26cd0 62859842 000003df [ 4/ 5/2010 18:58:10.855] afd!AfdTimeoutPoll
(DPC @ fffffa8005c26c90)
fffffa8002ce8160
6e6c45f4 000003df [ 4/ 5/2010 18:58:30.822] thread
fffffa80053c2b60
fffffa8004fdb3d0
77f0c2cb 000003df [ 4/ 5/2010 18:58:46.789] thread
fffffa8004f4bb60
13 fffffa8005051c20
60713a93 800003df [
NEVER
] thread
fffffa8005051b60
15 fffffa8005ede120
77f9fb8c 000003df [ 4/ 5/2010 18:58:46.850] thread
fffffa8005ede060
20 fffffa8004f40ef0
629a3748 000003df [ 4/ 5/2010 18:58:10.990] thread
fffffa8004f4bb60
22 fffffa8005195120
6500ec7a 000003df [ 4/ 5/2010 18:58:15.019] thread
fffffa8005195060
28 fffffa8004760e20
62ad4e07 000003df [ 4/ 5/2010 18:58:11.115] btaudio (DPC
@ fffffa8004760e60)+12d10
31 fffffa8002c40660 P dc527b9b 000003e8 [ 4/ 5/2010 20:06:00.673]
intelppm!LongCapTraceDpc (DPC @ fffffa8002c406a0)
...
232 fffff80001c85040 P 62317a00 000003df [ 4/ 5/2010 18:58:10.304] nt!IopTimerDispatch
(DPC @ fffff80001c85080)
150 3.
fffff80001c26fc0 P 6493d400 000003df [ 4/ 5/2010 18:58:14.304]
nt!EtwpAdjustBuffersDpcRoutine (DPC @ fffff80001c26f80)
235 fffffa80047471a8
6238ba5c 000003df [ 4/ 5/2010 18:58:10.351] stwrt64 (DPC
@ fffffa80047471e8)+67d4
242 fffff880023ae480
11228580 000003e1 [ 4/ 5/2010 19:10:13.304]
dfsc!DfscTimerDispatch
(DPC @ fffff880023ae4c0)
245 fffff800020156b8 P 72fb2569 000003df [ 4/ 5/2010 18:58:38.469]
hal!HalpCmcDeferredRoutine (DPC @ fffff800020156f8)
248 fffffa80029ee460 P 62578455 000003df [ 4/ 5/2010 18:58:10.553]
ataport!IdePortTickHandler (DPC @ fffffa80029ee4a0)
fffffa8002776460 P 62578455 000003df [ 4/ 5/2010 18:58:10.553]
ataport!IdePortTickHandler (DPC @ fffffa80027764a0)
fffff88001678500
fe2f836f 000003e0 [ 4/ 5/2010 19:09:41.512]
cng!seedFileDpcRoutine
(DPC @ fffff880016784c0)
fffff80001c25b80
885e52b3 0064a048 [12/31/2099 23:00:00.008]
nt!ExpCenturyDpcRoutine (DPC @ fffff80001c25bc0)
Total Timers: 254, Maximum List: 8

, Ndis.sys Afd.sys (
), , Bluetooth, ATA/IDE. ,
, , ETW,
(Users Account Control, UAC).
,
DPC- ,

. ,
!thread . , , Windows,
,
, , , , .
,
.

.3.9, , ISR-
, ,
1 ( ), ( ).
1 (
),
1 ( )? - ?
151
,
.
( 0) . , , ,
0.
Windows , ( ),
.3.11 , 1 ( ,
, - ). , 1 5
, ( ).
KiPendingTimer,
, , (
).
, , IPI .
. 3.11.
1
,
, : , ,
(P-),
.

, , -.
, ,
; , ,
(C-), ,
, , . ,
152 3.
10 , 1.
(- ), C-
.

, ,
C-,
15 , ,
, ,
0.

(
DISPATCH_LEVEL), (
,
). ,

( ),
6 , 6- , 6-
.
(coalescing
mechanism)
.
,
( , , ).
,
30, , , 31
29, , , , ,
- 50 ,
. , , , . ,
50 ,
,
2, .
, Windows
, ,
API- KeSetCoalescableTimer,
SetWaitableTimerEx.
API- (
153
), ,
, 1.
32 , 15,6-
,
. Windows
: 1 , 250, 100 50.
,
Windows , (shifting). ,
,
( ).
, ,
. ,

,
.
, , .3.11
, .
Windows ,
.3.12. , 1
, , C. , ,
0, , ,
, DISPATCH_LEVEL
.
. 3.12.
50 .
154 3.

, , , . Windows ,
(structured exception handling),
.
, (
, ) ,
,
. ,
,
Windows. ,
, Windows API
Windows SDK 23 25 ( Jeffrey Richter)
(Christophe Nasarre) Windows via C/C++.
, , (, __try Microsoft
Visual C++), , ,
- .
x86 x64
, IDT-, .
.3.6 , x86-
. , ,
IDT- , , .
, , , ,
. . ,
, , , ,
.
, ,
Windows SDK.
. ,
,
. ,
.
. ,
, . 32-
155
3.6.
Divide Error ( )
Debug (Single Step) ( )
Non-Maskable Interrupt (NMI) ( )
Breakpoint ( )
Overflow ()
Bounds Check ( )
Invalid Opcode ( )
NPX Not Available (NPX )
(Double Fault)
NPX Segment Overrun ( NPX)
10
Invalid Task State Segment (TSS) (

)
11
Segment Not Present ( )
12
Stack Fault ( )
13
General Protection ( )
14
Page Fault ( )
15
Intel Reserved ( Intel)
16
Floating Point ( )
17
Alignment Check ( )
18
Machine Check ( )
19
SIMD Floating Point (

SIMD-)
.
,
. , .
,
.
, .
, , , , ,
. ,
, .
64-
.
. ,
, ,
32- .
156 3.

, ,
.
, - (IOCTL-).
.
.
Windows SDK MSDN.
, , ,
, ,
.
,
( , ).
(trap frame) ,
, .
,
, .
, , .

, ,
.
,
. ,
, , ,
.
UNEXPECTED_KERNEL_MODE_TRAP.
, . 5, Windows (
)
Windows1. .3.13,
, .
.
, ,
, . ,
, .
, Windows
2000, , LPC-.

,
LPC- ,
.
157

ALPC-
( )
( )
Windows
Error Reporting
. 3.13.
, , CONTEXT ( Windows SDK),

.
, ,
.
.

, , . , ,
, .
, ,
. , UNIX Subsystem for UNIX Applications
, , Subsystem
for UNIX Applications UNIX- ,
.
,
, / (Client/Server Run-Time Subsystem, Csrss)
158 3.
Windows Error Reporting (WER)

, .
, .

Windows ,
.
Windows- (start-of-thread).
,
. ,
, , ,
,
CreateThread.
:
Windows-
, Windows- ,
( ), , 0 Windows-, ( ). , ,
Process Explorer .
Windows-
-, Process Explorer

, -, . ,
, Notepad.
exe.
159
Process Explorer . ,
Stack.
18
. (17)

kernel32,
Windows. (16)
Notepad.exe.

:
VOID RtlUserThreadStart(VOID)
{
LPVOID lpStartAddr = (R/E)AX; // Located in the initial thread context structure
LPVOID lpvThreadParam = (R/E)BX; // Located in the initial thread context structure
LPVOID lpWin32StartAddr;
lpWin32StartAddr = Kernel32ThreadInitThunkFunction ? Kernel32ThreadInitThunkFunction
: lpStartAddr;
__try
{
DWORDdwThreadExitCode=lpWin32StartAddr(lpvThreadParam);
RtlExitUserThread(dwThreadExitCode);
}
__except(RtlpGetExceptionFilter(GetExceptionInformation()))
{
NtTerminateProcess(NtCurrentProcess(), GetExceptionCode());
}
}
VOIDWin32StartOfProcess(

160 3.
LPTHREAD_START_ROUTINElpStartAddr,
LPVOIDlpvThreadParam)
{
lpStartAddr(lpvThreadParam);
}
, Windows , . ,
WerFault.exe.
Windows Error Reporting, , ,
.
WerFault.exe HKLM\SOFTWARE\
Microsoft\Windows NT\CurrentVersion\AeDebug ,
.
: Auto Debugger. Auto , ,
, .
, Microsoft Visual Studio, ,
, 0. ( , 0
.) Debugger ,
, WerFault ID

, .
Windows Error Reporting

Windows Error Reporting (WER)
, .
Windows Error Reporting (Control Panel) (Action Center)
(Change Action Center)
(Problem Reporting Settings).
, , , (, ) ALPC-
WER-. .
, WerFault.exe,
,
, ,
.
, .3.14.
(Debug) ( Debugger, AeDebug),
.
161
. 3.14. Windows Error Reporting
(- XML , DLL-,
) - Microsoft, . , , ,
, .
. ,
(Reliability Monitor) .
WER ()
,
.
,
.
, WER, ,
, , .
, , Microsoft,
. Microsoft System Center Desktop Error
Monitoring , Windows Error Reporting,

Microsoft.

, ,
,
.
, , , .
, -
162 3.
, Windows WER
,
.
WER , (Group Policy)
. .3.7
WER , .
HKLM\SOFTWARE\Microsoft\Windows\
Windows Error Reporting HKEY_CURRENT_USER .
3.7. WER
ConfigureArchive
1 , 2

Consent\DefaultConsent
1 , 2
, 3
, 4
.
Consent\DefaultOverride
Behavior

1 DefaultConsent
WER
Consent\PluginName

WER
,
DefaultConsent
CorporateWERDirectory
WER
CorporateWERPortNumber
,
WER
CorporateWERServer
,
WER
CorporateWERUse
Authentication

1 WER
Windows (Windows
Integrated Authentication)
CorporateWERUseSSL

WER

(SSL)
DebugApplications
, - 1

(Debug)
(Continue)
1 SSL
163
DisableArchive
Disabled

WER
1 WER
DisableQueue
DontShowUI
- 1 UI
WER UI
DontSendAdditionalData
ExcludedApplications\
AppName
, WER
ForceQueue
- 1
-
LocalDumps\DumpFolder
,
-
LocalDumps\DumpCount
LocalDumps\DumpType
0 ,
1 -, 2

LocalDumps\
CustomDumpFlags
, ,
MINIDUMP_TYPE
LoggingDisabled
- 1

MaxArchiveCount

( )

15000
MaxQueueCount
1500
QueuePesterInterval
, LocalDumps,
LocalDumps .
, HKLM.
164 3.
, WER ALPC-. ,
WER NtSetInformationProcess ( DbgkRegisterErrorPort). Windows
, ALPC-,
WER. ,
, WER,
. ,
WER WerFault.exe ,
. , WER
, (Event Log) .
: , , .

.3.1, , .
, , .

, . ,
Windows ,
, .

x86, Pentium II, Windows 0x2e (46 ),
. Windows 46 IDT
. (. . 3.3.)
. EAX ,
. EDX
, .

iret (interrupt return ).
x86 Pentium II Windows
sysenter, Intel . Windows
,
, - (machine-specific register,
MSR), .
. EAX, EDX
165
.
sysexit. ,
, iret,
sysexit EFLAGS, ,
sysenter , trap ,
.
int 0x2e ( ), 32-

Windows ,
sysenter, - .
x64 Windows syscall, EAX, , ,

.
IA64 Windows epc ( Enter Privileged Mode). 8
, 8 .
:

, 32-
, , IDT sysenter,

MSR. 32- AMD Windows syscall, 64-
syscall.
:
1. 32- 2E
!idt 2e.
lkd> !idt 2e
Dumping IDT:
2e:
8208c8ee nt!KiSystemService
2. sysenter
rdmsr MSR 0x176, :
lkd> rdmsr 176
msr[176] = 00000000'8208c9c0
lkd> ln 00000000'8208c9c0
(8208c9c0)
nt!KiFastCallEntry
166 3.
64- 64- , ,
MSR- 0xC0000082,
syscall 64- . ,
nt!KiSystemCall64:
lkd> rdmsr c0000082
msr[c0000082] = fffff800'01a71ec0
lkd> ln fffff800'01a71ec0
(fffff800'01a71ec0)
nt!KiSystemCall64
3. KiSystemService
KiSystemCall64 u. 32-
:
nt!KiSystemService+0x7b:
8208c969 897d04
mov
8208c96c fb
sti
8208c96d e9dd000000
jmp
dword ptr [ebp+4],edi

nt!KiFastCallEntry+0x8f (8208ca4f)
, , , , ,
, sysenter.
.
32- Windows , ,

SharedUserData. NtReadFile :
0:000> u ntdll!NtReadFile
ntdll!ZwReadFile:
77020074 b802010000
mov
77020079 ba0003fe7f
mov
(7ffe0300)
7702007e ff12
call
77020080 c22400
ret
77020083 90
nop
eax,102h
edx,offset SharedUserData!SystemCallStub
dword ptr [edx]
24h
0x102 (258 ), call ,

0x7ffe0300. (
SystemCallStub KUSER_SHARED_DATA,
0x7FFE0000.)
Intel Core 2 Duo,
sysenter:
0:000> dd SharedUserData!SystemCallStub l 1
7ffe0300 77020f30
0:000> u 77020f30
167
ntdll!KiFastSystemCall:
77020f30 8bd4
77020f32 0f34
mov
edx,esp
sysenter
64-
, Ntdll.dll, ,
syscall:
ntdll!NtReadFile:
00000000'77f9fc60 4c8bd1movr10,rcx
00000000'77f9fc63 b810200000moveax,0x102
00000000'77f9fc68 0f05syscall
00000000'77f9fc6a c3ret
Kernel-Mode System Service Dispatching
.3.15,
. 32-
, ,
,
. 64- ,
, .
x64 application binary interface
(ABI) .

Microsoft
,
, .

0
1
2
3
. 3.15.
, KiSystemService,
168 3.
(
), . ,
, ,
( ).
. 64- Windows
, . ,
, , ,
.
, (previous mode)
.
(
), , , . ,
,
, ( ).
, , .
,
, , sysenter :
, , ,
.
:
,
. ,
API- . , .
.
Zw- , NtCreateFile
ZwCreateFile. Zw-
, , .
- Zw- .
,
API- ,
. , NtCreateFile,
, , ,
, , , ,
. ,
169
?
Zw-.
API-
Nt-.
Nt-,
.
sysenter,
() ,
(,
)
KiSystemService, .
,
, , , ,
(kernel). NtCreateFile
, , . , 32- 64-
. .
lkd> u nt!ZwReadFile
nt!ZwReadFile:
8207f118 b802010000
mov
8207f11d 8d542404
lea
8207f121 9c
pushfd
8207f122 6a08
push
8207f124 e8c5d70000
call
8207f129 c22400
ret
lkd> uf nt!ZwReadFile
nt!ZwReadFile:
fffff800'01a7a520 488bc4
fffff800'01a7a523 fa
fffff800'01a7a524 4883ec10
fffff800'01a7a528 50
fffff800'01a7a529 9c
fffff800'01a7a52a 6a10
fffff800'01a7a52c 488d05bd310000
(fffff800'01a7d6f0)]
fffff800'01a7a533 50
fffff800'01a7a534 b803000000
fffff800'01a7a539 e902690000
eax,102h
edx,[esp+4]
8
nt!KiSystemService (8208c8ee)
24h
mov
cli
sub
push
pushfq
push
lea
rax,rsp
push
mov
jmp
rax
eax,3
nt!KiServiceInternal (fffff800'01a80e40)
rsp,10h
rax
10h
rax,[nt!KiServiceLinkage
5 , Windows ,

. 32-
Windows IA64
, x64 .
, ,
32-
170 3.
. 12
, . .3.16.

31
13 11
0
API
API
1
KeServiceDescriptorTable
Win32k.sys API
KeServiceDescriptorTableShadow
. 3.16.

, , KeServiceDescriptorTable, ,
Ntosrknl.exe. , KeServiceDescriptorTableShadow, Windows USER GDI, Windows,
, Win32k.sys. 32- Windows
IA64, Windows Windows- USER
GDI, , , Windows- USER GDI. KeAddSystem
ServiceTable Win32k.sys .

Windows Ntdll.dll. DLL- Ntdll.
Windows USER GDI, User32.dll Gdi32.dll Ntdll.dll
. .3.17.
.3.17, Windows- WriteFile Kernel32.dll WriteFile API-MS-Win-Core-File-L1-1-0.dll,
DLL- MinWin ( API-
), , ,
WriteFile KernelBase.dll, .
, ,
NtWriteFile Ntdll.dll, , ,
,
, , NtWriteFile.
171
( KiSystemService Ntoskrnl.exe) NtWriteFile -.

Windows USER GDI
Windows , Win32k.sys.
API- USER
GDI
API-
Windows
Windows
WriteFile
Kernelbase.dll
NtWriteFile
Ntdll.dll
WriteFile (...)

USER GDI (...)
NtWriteFile ,

Windows
SYSENTER
Gdi32.dll

User32.dll
,
SYSENTER

Windows

KiSystemService
Ntoskrnl.exe
NtWriteFile
Ntoskrnl.exe
NtWriteFile

KiSystemService
Ntoskrnl.exe

Windows

Win32k.sys
. 3.17.
:

, ,

1. , KeServiceDescriptorTable KeServiceDescriptorTableShadow,
(
64- ) , KiServiceTable, , KiArgumentTable. 32-

172 3.
dds.
. :
lkd> dds KiServiceTable
820807d0 821be2e5 nt!NtAcceptConnectPort
820807d4 820659a6 nt!NtAccessCheck
820807d8 8224a953 nt!NtAccessCheckAndAuditAlarm
820807dc 820659dd nt!NtAccessCheckByType
820807e0 8224a992 nt!NtAccessCheckByTypeAndAuditAlarm
820807e4 82065a18 nt!NtAccessCheckByTypeResultList
820807e8 8224a9db nt!NtAccessCheckByTypeResultListAndAuditAlarm
820807ec 8224aa24 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
820807f0 822892af nt!NtAddAtom
2. , 64- Windows
-
( ) , , 32- Windows.
KiServiceTable,
dq. 64- :
lkd> dq nt!KiServiceTable
fffff800'01a73b00 02f6f000'04106900 031a0105'fff72d00
3.
. 32- Windows, ,
, ,
4 , : = KiServiceTable + * 4.
0x102, -
NtReadFile Ntdll.dll.
lkd> ln poi(KiServiceTable + 102 * 4)
(82193023)
nt!NtReadFile
64- Windows
ln,
4 ( ) KiServiceTable,
:
lkd> ln @@c++(((int*)@@(nt!KiServiceTable))[3] >> 4) + nt!KiServiceTable
(fffff800'01d9cb10)
nt!NtReadFile
| (fffff800'01d9d24c)
nt!NtOpenFile
Exact matches:
nt!NtReadFile = <no type information>
4. , , 32- Windows ,
, dds
(dds ,
). 64- Windows -
173
Kernel Patch Protection,
.
,
, / (System Calls/Sec) (System). (Performance Monitor),
(Performance Monitor)
(Monitoring Tools) (Add),
. (System),
/ (System Calls/Sec),
(Add) .

2 , , , Windows .
Windows,
, , , .
,
.
, .
:
, .
, ,
:
yy WinObj ( Sysinternals)
(, , ,
. .).
yy Process Explorer Handle Sysinternals,
(Resource Monitor) ( 1) .
yy Openfiles/query ,
.
yy !handle
.
WinObj
, . ( , .) WinObj
.
174 3.
, Windows- Openfiles/query
Windows,
maintain objects list. (
.
Windows.) Openfiles/Local, , .
Openfiles/Local ON. ,
, . Process Explorer, Handle
(Resource Monitor)
, , .
:
, -
;
;
,
;
,
, ,
;
,
( Windows Subsystem for UNIX Applications)
175
, ( Subsystem for UNIX Applications);

(object
retention) ( ,
);
,
, .
Windows :
, GDI/User.
,
( , , - ..).
, Windows.
. ,
, .
, .3.18, () .
Name ()
HandleCount
(
)
ReferenceCount
( )
Type ()
. 3.18. ,
, GDI/User Windows
(Win32k.sys) .
,
Windows SDK.
,
, .
176 3.
, , ,
,
Windows ,
6.

Windows
.
,
.
,
. , Windows Windows CreateFileW, DLL- Windows
Kernelbase.dll. CreateFileW,
,
Windows- NtCreateFile.
, , ,
. Windows
,
. ,
Windows (, , ). ,
Windows ,
, .
, Subsystem for UNIX Applications,
. Subsystem for UNIX Applications ,
UNIX .
4242 .

, , Windows API .
Driver, Device, EventPair.
. 3.8 ,
, , .
, ,
, Windows, -
177
Windows API. ,
Winobj ObjectTypes.
3.8. , Windows API

Process ()
Thread ()
Job ()
Section () ( Windows
)
File ()
Token ()
( , ..)
Event () , (
),
Semaphore
()
, , ,
Mutex ()
Timer ()
IoCompletion
(
-)

- (
Windows API -)
Key (
)
.
, , . (key)
,

Directory ()
TpWorkerFactory ,
. ,
, ,
,
, , . Windows (worker factory object)
178 3.
3.8 ()

TmRm ( ),
TmTx (), TmTm
(
),
TmEn ( )
, (Kernel
Transaction Manager, KTM) ()

. API CreateTransactionManager, CreateResourceManager,
CreateTransaction CreateEnlistment
WindowStation
( )
, ,

Desktop ( )
, (window
station).
,
PowerRequest
, ,
SetThreadExecutionState
,
(, - )
EtwConsumer
ETW-
, API-
StartTrace ( ProcessTrace )
EtwRegistration
, ETW ( ), API- EventRegister
, Windows NT
OS/2, OS/2,
, ,
, .
,
. OS/2 , Windows 32 (
).

. 3.19, .
, ,
, .
, (type object), , .
, :
179
, , ,
.

034DEF0
2A1DDAF
6D3AED4
0A3C44A1
3DF12AB4

? (/)
:
Open, close, delete,
parse, security,
query name
. 3.19.

,
. .3.9
, . 3.10 ,
.
, ,
, , . ,
,
, . (
, , .)

InfoMask. , , InfoMask,
180 3.

ObpInfoMaskToOffset,
.

, , , ,
, ,
. , ,
. , ( ) ,
,
, , , .
.3.10. ,
. (
. 3.12.)
3.9.
Handle count ( )
Pointer count ( )
(
).

Security descriptor
,
( - . , )

Object type index
( )
, ,
. ,
, ObTypeIndexTable
Subheader mask ( )
, , , . 3.10, , , , ,
.
ObpInfoMaskToOffset, ,

Flags ()
.
. 3.12
Lock ()
, ,

181
3.10.
Creator
information
(
)

0 (0x1)
, ,
Object headerObpInfoMaskToOffset[0])
Name
information
(
)
, 1 (0x2)

,
, ,

Object header ObpInfoMaskToOffsetObpInfoMaskToOffset

[InfoMask & 0x3]
Handle
information
(
)
, - 2 (0x4)
(
) ,

(

)
Object header ObpInfoMaskToOffset

[InfoMask & 0x7]
Quota
information
(
)
,
,

3 (0x8)
Object header ObpInfoMaskToOffset

[InfoMask & 0xF]
Process
information
(
)
,
.

4 (0x10) Object header ObpInfoMaskToOffset

[InfoMask & 0x1F]

, ,
. . 3.11 .
, ()
. . ,
, ,
. .3.12 ,
.
182 3.
3.11. ,
Name information ( )
Quota information ( )
( )
Process information (- (exclusive) )

. ( .3.12.)
Handle information (-
- (handle count). )
, ALPC-, WindowStation Desktop
Creator information (-
) (type list). (Driver)
, Driver Verifier.
( ) ,
Type-
API- Windows
( CreateEvent CreateFile), - DLL-
. ,
Win32, BaseNamedObjects,
, , ,
, Kernelbase.dll
. BaseNamedObjects ,
, .
3.12.

OBJ_INHERIT
,

,
DuplicateHandle
OBJ_PERMANENT
OB_FLAG_

PERMANENT_OBJECT ,

OBJ_EXCLUSIVE
OB_FLAG_
EXCLUSIVE_OBJECT
,
,
183
OBJ_CASE_
INSENSITIVE
,

.
case insensitive

OBJ_OPENIF
, - , -
OBJ_OPENLINK
, - , -
OBJ_KERNEL_
HANDLE
OB_FLAG_KERNEL_
OBJECT
OBJ_FORCE_
ACCESS_
CHECK
, - , -
OBJ_KERNEL_
EXCLUSIVE
OB_FLAG_KERNEL_
ONLY_
ACCESS

;
/Device/
OF_FLAG_DEFAULT_
SECURITY_QUOTA
,

2
OB_FLAG_SINGLE_
HANDLE_
ENTRY
OB_FLAG_NEW_
OBJECT
,
,
OB_FLAG_DELETED_
INLINE
,

(
)
PhysicalMemory
,
; .
, .
184 3.
, ,

. ,
.
,
, , (
). ,
Windows Windows-, . 3.13.
,
(create), (open)
(query). , -
,
.
,
, , , , , ,
. ,
,
, .
3.13.
Close ()
Duplicate ()
Make permanent/temporary ( ( )
)
Query object ( )
Query security ( )
Set security ( )
Wait for a single object ( - )

Signal an object and wait for another (
)
(, )

Wait for multiple objects (

)
185

, ,
. ,

. ,
. ,
, .
,
, , .
, , , .
, , . ,
. .3.20, (
Windows),
( ),
, .
.
. 3.20.
,
.
, , Windows API. ,
, . 3.14.
186 3.
3.14.
Type name ( )
(, ,
. .)
Pool type ( )
Default quota charges (- ,

)
.
Valid access mask (- , )
(,
, , . .)
Generic access rights
mapping (
)
( ,
, ) ,
Flags ()
, (, ),
,
, , ,
( ) () (
). use default object
default
object
Object type code ( - , )

(
).
1, 2 4.
ALPC
,
Invalid attributes ( )
(
. 3.12),
Default object (
)
,
, .
, , File ALPC-,
;
. , FILE_OBJECT
Event
Methods ()
187
:

,
!process:
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa800279cae0
SessionId: none Cid: 0004
Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000001920 HandleCount: 541.
Image: System
!object :
lkd> !object fffffa800279cae0
Object: fffffa800279cae0 Type: (fffffa8002755b60) Process
ObjectHeader: fffffa800279cab0 (new version)
HandleCount: 3 PointerCount: 172 3172
, 32- Windows
0x18 (24 ) , ,
64- Windows 0x30 (48
) , ,
.
:
lkd> dt nt!_OBJECT_HEADER fffffa800279cab0
+0x000 PointerCount
: 172
+0x008 HandleCount
: 33
+0x008 NextToFree
: 0x000000000x00000000'00000003
+0x010 Lock
: _EX_PUSH_LOCK
+0x018 TypeIndex
: 0x7 ''
+0x019 TraceFlags
: 0 ''
+0x01a InfoMask
: 0 ''
+0x01b Flags
: 0x2 ''
+0x020 ObjectCreateInfo : 0xfffff800'01c53a80 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : 0xfffff800'01c53a80
+0x028 SecurityDescriptor: 0xfffff8a0'00004b29
+0x030 Body
: _QUAD
,
ObTypeIndexTable, ,
TypeIndex :
lkd> ?? ((nt!_OBJECT_TYPE**)@@(nt!ObTypeIndexTable))[((nt!_OBJECT_
HEADER*)0xfffffa800279cab0)->TypeIndex]
struct _OBJECT_TYPE * 0xfffffa80'02755b60
+0x000 TypeList
: _LIST_ENTRY [ 0xfffffa80'02755b60 - 0xfffffa80'02755b60
188 3.
]
+0x010 Name
: _UNICODE_STRING "Process"
+0x020 DefaultObject
: (null)
+0x028 Index
: 0x70x7 ''
+0x02c TotalNumberOfObjects
: 0x380x38
+0x030 TotalNumberOfHandles
: 0x1320x132
+0x034 HighWaterNumberOfObjects : 0x3d
+0x038 HighWaterNumberOfHandles : 0x13c
+0x040 TypeInfo
: _OBJECT_TYPE_INITIALIZER
+0x0b0 TypeLock
: _EX_PUSH_LOCK
+0x0b8 Key
: 0x636f7250
+0x0c0 CallbackList
: _LIST_ENTRY [ 0xfffffa80'02755c20 - 0xfffffa80'02755c20 ]
,
,
. CallbackList , . TypeInfo
,
, :
lkd> ?? ((nt!_OBJECT_TYPE*)0xfffffa8002755b60)->TypeInfo*)0xfffffa8002755b60)->TypeInfo
+0x000 Length
: 0x70
+0x002 ObjectTypeFlags
: 0x4a 'J'
+0x002 CaseInsensitive
: 0y0
+0x002 UnnamedObjectsOnly : 0y1
+0x002 UseDefaultObject
: 0y0
+0x002 SecurityRequired
: 0y1
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList
: 0y0
+0x002 SupportsObjectCallbacks : 0y1
+0x004 ObjectTypeCode
: 0
+0x008 InvalidAttributes
: 0xb0
+0x00c GenericMapping
: _GENERIC_MAPPING
+0x01c ValidAccessMask
: 0x1fffff
+0x020 RetainAccess
: 0x101000
+0x024 PoolType
: 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge
: 0x1000
+0x02c DefaultNonPagedPoolCharge : 0x528
+0x030 DumpProcedure
: (null)
+0x038 OpenProcedure
: 0xfffff800'01d98d58 long nt!PspProcessOpen+0
+0x040 CloseProcedure
: 0xfffff800'01d833c4 void nt!PspProcessClose+0
+0x048 DeleteProcedure : 0xfffff800'01d83090 void nt!PspProcessDelete+0
+0x050 ParseProcedure
: (null)
+0x058 SecurityProcedure : 0xfffff800'01d8bb50 long nt!SeDefaultObjectMethod+0
+0x060 QueryNameProcedure
: (null)
+0x068 OkayToCloseProcedure : (null)
, ,
Windows,
189
.
, , , ,
, .
. :
-
, , , IRQL-.
,
.
,
, - ,
( . 3.14).

. 3.14, , ,
C++, ,
. , ,
-
- .
, , ,
.
,

. ,
, - . ,
, . 3.15.

(, , ..).
.
, .
, Win32k.sys
WindowStation Desktop.
Win32k.sys ,
.
, , , SeDefault
ObjectMethod. ,
190 3.
,
,
, .
,
. ,
(security reference monitor).
3.15.
Open ()
Close ()
Delete ()
Query name (
)
, ,

Parse ( )
Dump ( )
Okay to close ( )
Security (
)

, ,
,
open , .
WindowStation Desktop open; ,
WindowStation open, Win32k.sys , ,
.
close -. - close
, close . close , ,
, - ,
, , .
, , ,
.
delete, . ,
, delete ,
, .
191
, . , , ,
.
.
parse ( , query name) , ,
.
, , ,
parse.
parse, ,
. Windows
: ,
, , -
(. 4).
, \Device\Harddisk
Volume1\docs\resume.doc,
, HarddiskVolume1.
, parse, ,
, ,
docs\resume.doc. parse
-, - parse.
parse, -,
,
.
security, -,
parse. , , . ,
, .

-.
, okay-to-close
, . , Desktop ,
.

,
. ,
. Win32k.sys
okay-to-close Desktop WindowStation.
192 3.

, , .
, ,
.

(
CreateProcess,
, Windows- SetHandleInformation)
(. Windows-
DuplicateHandle).
,
.
. ,
C Pascal ( , Delphi) .
;
.
,
.
, , ,
. ( .)

,
. API-
. ,
(EPROCESS), , API- Ps*.
( , ,
).
, ( ZwCreateEvent),
, .
. -,
, , , .
, . -,
, . ,
193

, , ,

.
:
Process Explorer , . (View () Lower Pane View
( ) Handles ()).

Cmd.exe.
. , ,
C:\Users\Administrator, Process Explorer .
Process Explorer ,
View () Update Speed ( ) Pause ().
cd F5, . Process
Explorer,
.
, .
, Process Explorer, . ,
, Process Explorer ,
, . (
.) .
()
, .
.
194 3.
,
Handle Sysinternals.
, , , , Handle
, Cmd.exe
. Handle , a,
, Process Explorer.
C:\>handle -p cmd.exe
Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
-----------------------------------------------------------------------------cmd.exe pid: 5124 Alex-Laptop\Alex Ionescu
3C: File (R-D)
C:\Windows\System32\en-US\KernelBase.dll.mui
44: File (RW-)
C:\
C:\>cd windows
C:\Windows>handle -p cmd.exe
Handle v3.46
-----------------------------------------------------------------------------cmd.exe pid: 5124 Alex-Laptop\Alex Ionescu
3C: File (R-D)
C:\Windows\System32\en-US\KernelBase.dll.mui
40: File
(RW-)
C:\Windows
, .
(EPROCESS), 5. 4, 8 ..
, .
, , x86
, , 16000000
.
195

, , . , Windows 2000,
16777216 ,
32 , Windows .

, . ,
,
. , x86 4096 8,
512 1, 511
. ,
. Windows .3.21.
. 3.21. Windows
Testlimit Sysinternals ,
. , ,
196 3.
. ,
,
, .
, ,
:
1. http://live.sysinternals.com/WindowsInternals Testlimit, 32- 64- Windows.
2. Process Explorer, View ()
System Information ( ) Memory (). .
, Process Explorer
, Ntoskrnl.
exe. ,
Testlimit.
3. .
4. Testlimit h (
testlimit h). Testlimit , ,
. ,
16, , , ,

.
5. ,
Testlimit .
.3.22, x86 32- :

() . 64-
12: 64-
32- (. 6).
(Audit on close)
(Inheritable)
(Lock)
A I L

(Protect from close)
32
. 3.22.
197
:

!handle :
!handle < > <> < >
. ( .)
4, 8 .. ,
!handle 4 .
, 0
, 1
( ) , 2
, .
0x62C:
lkd> !handle 0 7 62c
processor number 0, process 000000000000062c
Searching for Process with Cid == 62c
PROCESS fffffa80052a7060
SessionId: 1 Cid: 062c
Peb: 7fffffdb000 ParentCid: 0558
DirBase: 7e401000 ObjectTable: fffff8a00381fc80 HandleCount: 111.
Image: windbg.exe
Handle table at fffff8a0038fa000 with 113 Entries in use
0000: free handle, Entry address fffff8a0038fa000, Next Entry 00000000fffffffe
0004: Object: fffff8a005022b70 GrantedAccess: 00000003 Entry: fffff8a0038fa010
Object: fffff8a005022b70 Type: (fffffa8002778f30) Directory
ObjectHeader: fffff8a005022b40fffff8a005022b40 (new version)
HandleCount: 25 PointerCount: 63
Directory Object: fffff8a000004980 Name: KnownDlls
0008: Object: fffffa8005226070 GrantedAccess: 00100020 Entry: fffff8a0038fa020
Object: fffffa8005226070 Type: (fffffa80027b3080) File
ObjectHeader: fffffa8005226040fffffa8005226040 (new version)
Directory Object: 00000000 Name: \Program Files\Debugging Tools for Windows (x64)
{HarddiskVolume2}

, , . , , ,
, .
,
SetHandleInformation.
, ( Windows,
).
,
198 3.
(
NtSetInformationObject).

, .
(
ObpKernelHandleTable). . ,
,
.
, ,
, 0x80000000. System,
, System (, ,
), , .
:

, Process Explorer, Handle OpenFiles.exe, .
,
, !devhandles.
1. , , Device. , ,
!object:
1: kd> !object \Global??\C:
Object: fffff8a00016ea40 Type: (fffffa8000c38bb0) SymbolicLink
ObjectHeader: fffff8a00016ea10 (new version)
Directory Object: fffff8a000008060 Name: C:
Target String is '\Device\HarddiskVolume1'
Drive Letter Index is 3 (C:)
2. !object,
Device :
1: kd> !object \Device\HarddiskVolume1
Object: fffffa8001bd3cd0 Type: (fffffa8000ca0750) Device
3. Device,
!devhandles. :
!devhandles fffffa8001bd3cd0
Checking handle table for process 0xfffffa8000c819e0
Kernel handle table at fffff8a000001830 with 434 entries in use
PROCESS fffffa8000c819e0
199
Image: System
0048: Object: fffffa8001d4f2a0 GrantedAccess: 0013008b Entry: fffff8a000003120
Object: fffffa8001d4f2a0 Type: (fffffa8000ca0360) File
ObjectHeader: fffffa8001d4f270 (new version)
Directory Object: 00000000 Name: \Windows\System32\LogFiles\WMI\
RtBackup\EtwRTEventLog-Application.etl {HarddiskVolume1}

,
, ,
Windows.
, ,
( )
( ). , ,
,
. Windows
:
User APC reserve object
- I/O Completion packet reserve object.
,
Windows
. , ,
( ,
) .
, APC-,
, , -,
, .
User APC,
, API- QueueUserApc
Kernelbase.dll, NtQueueUserApcThread.

KAPC, APC-.
, ,
APC, , , APC-
, .
,

NtAllocateReserveObject,
200 3.
KAPC-.
, NtQueueUserApcThreadEx, , .
, (
InUse true) , KAPC-
,
. , , API-,
, , . , RPC- APC-, ,
.
, -.
API- PostQueuedCompletionStatus
Kernelbase.dll, API- NtSetIoCompletion.
, APC-, -,
, ,
.
API- NtAllocateReserveObject,
-, , , NtSetIoCompletionEx.
, User APC,

RPC-, Windows- Peer-To-Peer BranchCache ( 7 )
-.

, ,
. ,
, . ,
,
, .
(, , ),
, ,
. ,
. , .
, (security reference monitor),
, ,
. ,
, -
201
. , , , . ,
, , 6.
, , , ,
, . ,
,
, .
Windows Ex- ( Extended)
API- CreateEventEx, CreateMutexEx, CreateSemaphoreEx,
.
(discretionary access control lists, DACL) , API-
.
OpenEvent,
? API-
, , ,
, .
API- API- . ,
,
, , . ,
API- ()
,
. , , ,
API- ,
API- Ex.
:

Process Explorer, WinObj, AccessCheck. , Sysinternals.
(access control list, ACL).
, , WinObj,
Properties (). ,
BaseNamedObjects, Properties ()
Security (). , ,
.
, , ,
Everyone () , SYSTEM
( 0 SYSTEM).
202 3.
WinObj
, Process Explorer, (. 193).
Explorer.exe.
\Sessions\n\BaseNamedObjects
Directory. ,
Security ()
( ). Process
Explorer , .
,
AccessCheck o,
. , AccessCheck
(. 6).
C:\Windows>accesschk -o \Sessions\1\BaseNamedObjects
Accesschk v5.02 - Reports effective permissions for securable objects
\sessions\2\BaseNamedObjects
Type: Directory
RW NT AUTHORITY\SYSTEM
RW NTDEV\markruss
RW NTDEV\S-1-5-5-0-5491067-markruss
RW BUILTIN\Administrators
R Everyone
NT AUTHORITY\RESTRICTED

: . , , ,
. ,
203
. , ,
,
, . , ,
, , , , .
.
. ,
.

.
, .
,
. .

( ), .
, , , .
;
,
.
,
,
.
. 3.23 .
. . ,
; ,
3. , , ,
, 1. ,
, ,
.
,
, ,
, -
. , , . ,
,
. , - , ,
IRQL- , ,
,
, ,
204 3.

HandleCount=2
ReferenceCount=3

DuplicateHandle

HandleCount=1
ReferenceCount=1
. 3.23.
1.
,
, passive (IRQL 0). .
, ,
Kernel Transaction Manager (KTM).
,
, ,
.
,
. KTM- , IRQL-, ObDereferenceObjectDeferDelete.
, -
, - , .
, , , . , ,
, , , .
205
, ,
. ,
, , ,
. ,
,
.
,
.
,
, .
, ,
, , , (
). Windows , ,
, .
, Debugging Tools for Windows ,
. . 3.16.
3.16.
Handle Tracing
Database (
)

!htrace <
Kernel Stack Trace ()
>
< ID >
Gflags.exe
User Stack Trace
Object Reference
Tracing (
)

Object Reference Tracing,
(
)
() Gflags.exe
!obtrace < >
Object Reference
Tagging (
)
API-

. !htrace
.
, ,
, , , CloseHandle.
, !obtrace, ,
206 3.
,
( , )
.
. ,
. , , ,
(, , Process Monitor). ,
, .
,
, , API-,

, ,
ObReferenceObjectWithTag ObDereferenceObjectWithTag.
, API-
- ,
.
!obtrace
,
,
, .

, key
OBJECT_TYPE dt.
,
PsProcessType.
!object, .

, , . , - .
, - ,
.
, , , .
,
. ,
, , ,
, , .
, -
, , -
207
,
. , .
.
, Windows .
(quota charges), ,
() ,
.
Windows , , . 0 ( ), .
NonPagedPoolQuota, PagedPool
Quota PagingFileQuota HKLM\SYSTEM\CurrentControlSet\Control\
Session Manager\Memory Management. , ,
.

.
, :
, ;
.
. , ,
, , . ,
, , ,
. , .
, .
, .
, . , ,
. , .

, - . . -, :

208 3.
, , . , : , ,
;
. ,
, , UNIX ,
, .

, .

, , .
. , . , ,
(
), (, ). , - \Device,
, -.
. .3.17 , Windows,
, .
Windows- \BaseNamedObjects
\Global?? (. ).
3.17.
\ArcName
, ARC-
NT-
\BaseNamed , , , Objects
, , ALPC-,
\Callback
\Device
\Driver
\FileSystem
. (Filter Manager)
Filters
\GLOBAL??
MS-DOS. ( \Sessions\0\DosDevices\
<LUID>\Global .)
\Kernel
Objects
,
, , , , (Sessions)
209
\KnownDlls
DLL- (DLL-
)
\KnownDlls32 64- Windows \KnownDlls
64- ,
Wow64 32- DLL-
\Nls
\ObjectTypes
\PSXSS
UNIX ( SUA), ALPC-

,
\RPC Control
ALPC-, (RPC), , Conhost.exe

\Security
ALPC- , ,
\Sessions
, . (.
.)
\UMDFCom
munication
Ports
\Windows
ALPC-, User-Mode Driver Framework (UMDF)

ALPC- Windows,
window station
, , ,
, , ,
,
. ,
. ,
(GUID) () (SID).
(
),
.
,
. , -,
,
.
, , , .
Windows -

.
210 3.
, ,
.
,
, API-
Windows, .
, ,
. ,
DACL-, -,

, .
, Windows .
API- CreatePrivateNamespace
,
, . SID, ,
. ,
, ,
( ). ,
, , ,
, , ,
(. 6).
:
, , WinObj Sysinternals. Winobj.exe
\BaseNamedObjects.
211
. :
yy .
yy (Windows-, )
.
yy .
yy , .
yy .
yy .
yy , ALPC.
:

, Windows Media Player , Microsoft Office,
. , Wmplayer.exe
Windows Media Player ,
, .
Process Explorer,
-! :
1. Windows Media Player Process Explorer,
( View (), Lower
Pane View ( ), Handles ()). , CheckForOtherInstanceMutex.
2. Close
Handle ( ). .
3. Windows Media Player .
, .
4. .
(
), ,
, .
212 3.
, Windows Media Player
- ,
. Windows Media Player , , .
(symbolic links).
(, NTFS UNIX-)
,
. ,
,
.
, ,
.
. , , .
,
, .
.
,
, MS-DOS
Windows. Windows , C:, D: ..,
COM1, COM2 .. Windows
, ,
\Global?? .

, .
, ,
. , , \DosDevices, \Windows
\BaseNamedObjects. .
\DosDevices
Windows, .
Windows \DosDevices \Global?? , \DosDevices, \DosDevices

(logon session ID).
\Windows Win32k.sys Winlogon,
(window station) \WinSta0. ( )
,
213
WinSta0, Windows. ,
\BaseNamedObjects , , .
, ,
,
, .

, , , \Sessions\n ( n ).
Windows , , ,
\BaseNamedObjects \Sessions\2\BaseNamedObjects. ,
,
. DLL- Windows , Windows,
\DosDevices, \?? (, C:\
Windows \??\C:\Windows). \??, Windows,
DeviceMap (EPROCESS 5),
, .
DosDevicesDirectory DeviceMap , \DosDevices .
\??,
\DosDevices , DosDevicesDirectory
DeviceMap. ,
DeviceMap . , , GlobalDosDevicesDirectory
DeviceMap, \Global??.
, ,
, ,
.
,
( 0).
\Global,
. , , , \Global\ApplicationInitialized, \BaseNamedObjects\ApplicationInitialized, \Sessions\2\
BaseNamedObjects\ApplicationInitialized.
,
\DosDevices, \Global, \DosDevices. ,
,
.
, \GLOBALROOT.
214 3.
:
0 . ,
, , 1 ( 0). Winobj.exe
\Sessions.
. ,
\DosDevices, \Windows \Base
NamedObjects,
, .
.
Process Explorer -
(, Explorer.exe), (View () Lower Pane View ( ) Handles
()). \Windows\WindowStations\WinSta0
\Sessions\n, n (session ID).
215
,
( ) . ,

(create global object).

Windows .
(altitude), , ,

. ,
, NtOpenThread NtOpenProcess, ,
.
,
,
(, ).
, , , ,

. (
,
) (
).
,

.
API- ObRegisterCallbacks, API- ObUnregisterCallbacks,
.
API- ,
:
, 32- , -
,
Kernel Mode Code Signing (KMCS).
/integritycheck, IMAGE_DLLCHARACTERISTICS_FORCE_
INTEGRITY PE-. ,
.
,
. .
216 3.
MmVerifyCallbackFunction , ,
, ,
, , , LDRP_
IMAGE_INTEGRITY_FORCED (. ).

. , .
,
. ,
, . ,
- ,
, .
, , , , , ,
. .3.24 , ,
, ,
.
()

. 3.24.

, ,
, , . .3.24 , ,
,
,
.
217
, , . , ,

. ,
, . ,
.3.24, , , ,

.
, ( ) ,
(symmetric multiprocessing, SMP) Windows,
,
, . Windows
,
,
, .
,
.

IRQL- DPC/dispatch,
,
, IRQL DPC/dispatch
( , IRQL).
, IRQL,

IRQL ( DPC/dispatch).
IRQL-
,
. , ,
DPC-. ,
,
.
. ,
,
. ,
, Windows .
, .
218 3.
IRQL ,
, . , DPC/dispatch ,
. ,
, IRQL DPC/dispatch,
DPC/dispatch .
,
. IRQL

.
.

.
, InterlockedIncrement, InterlockedDecrement, InterlockedExchange
InterlockedCompareExchange. , InterlockedDecrement x86 lock (, lock
xadd) .
, ,
, ,
,
.
.
Microsoft (intrinsic),
, . ,
, ,
,
, ,
.
-
,
, -. -
, ,
DPC-, .3.25.
, .3.25,
-, DPC-.
- , ,
. -
, (, , ) , ( ), .
-, , , .
- -
219
Do
Do

-
DPC-

-
DPC-
Until
Begin
DPC
End
Until
DPC
-
DPC-

DPC
DPC-
Begin
DPC
End
-
DPC-
. 3.25. -
,
, .
-
(test-and-set),
.
,

. , lock
,
lock bts, ;
. lock .
Windows -
IRQL, DPC/dispatch . ,
-, IRQL .
DPC/dispatch, , -, , IRQL
. ,
-, , . - , , -. ,
-, , , ( 100 %
), .
x86 x64
pause. ,
220 3.
- ( ), .
:

.
HyperThread
, , ,
, ,
.

,
( ),
,
(
). , - ,
.
pause.
-
, ,
KeAcquireSpinLock KeReleaseSpinLock. ,
-,

( ). - , , .

. API- -
IRQL DPC/dispatch, . API-
KeAcquireInterruptSpinLock KeReleaseInterruptSpinLock, KINTERRUPT, .
DIRQL IRQL
, ISR. ISR, ,
API- KeSynchronizeExecution. ,
- , ,
,
,
.
- . - IRQL-
, DPC/dispatch, , , ,
221
-, ,
.
-
-,
- -
. :
- , , , -.
, -, , , .
, -,
-, ,
, , , ,
, .
, - , , -,
. -,
.
-, , - , (FIFO).
,
.
Windows ,
,
(processor region control block, PRCB). . -
KeAcquireQueuedSpinLock PRCB-,
-.
- , WDK
Wdm.h. ,
-
. .
:
-
- (,
- PCR-
) !qlocks. - ,
(page frame number,
PFN), 1, -
.
222 3.
lkd> !qlocks
Key: O = Owner, 1-n = Wait order, blank = not owned/waiting, C = Corrupt
Processor Number
Lock Name
0 1
KE
- Unused Spare
MM
- Expansion
MM
- Unused Spare
MM
- System Space
CC
- Vacb
CC
- Master

-
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock. , , NTFS,
- .
KeAcquireInStackQueuedSpinLock
- -.
- , ,
,
.
. ,
, InStack- API-.

,
,
, -.
ExInterlockedPopEntryList ExInterlockedPushEntryList , ExInterlockedInsertHeadList ExInterlocked
RemoveHeadList . -
.
-
API-, ,
. API- , Ke, ,
, ,

.
.
, -
223

, 0,
. , -,
, API- . ,
, ,
.
-. , API-
ExInterlockedIncrementLong ExInterlockedCompareExchange
lock,
.
( , x86), lock .

.
IRQL-
, ,
. ,
,
, . -, .
- . , - , :
-
.
,
, , ,
( )
.

. ,
,
.
- ,
:
(kernel dispatcher objects);
(fast mutexes) (guarded
mutexes);
224 3.
-;
.
, ,
IRQL, . Windows ,
:
(CondVars);
- Slim Reader-Writer Locks (SRW Locks);
Run-once initialization (InitOnce);
(Critical sections).
,
. 3.18 ,
APC .
3.18.

APC
APC

,
. API- Windows .
225
, Windows API, ,
, , .

Windows programmers WaitForSingleObject WaitFor
Multi pleObjects , Windows
, .
Windows- , , , Windows, ,
, , -, ALPC-, . ,
, . , ,
(, ,
). .3.19 , ,
, Windows API , ,
.
,
, .
( ), ( ).
Windows API. .

.
.

: . ,
, , , ,
(
, , ).
,
, ,
.
, ,
.
, , - ,
.
, , .
226 3.
:
1. .
2. , , .
3. - .
4. , . (. ),
. ,
(. 5).
, , WaitAny, ,
( ).
?
-.

, . , .
, , . ,
.

.

, , . 3.19.
3.19.

( )
(- )

( )
227
( )
,
,

( )
( )
, ,
, .
,
, .3.26.
, ( Windows API ) . ,
, .
, ,
,
.
( DPC-). ,
.
, ,
,
(. 5). , , ,
.
: , , .
, ,
, , ,
228 3.

, ,
.

.
, ,

.
( -

.
,
.

.
.
.

.

.

.
.
. 3.26.
229
, ,
.
.
,
. , Windows,
Windows
Windows via C/C++. Visual
C++.

, ,
,
, .
, . Wdm.h, WDK,
.
,
.
, ( ).
Type, ,
. , , . , , Debug Active
. ,
, : ,
, .
, . ,
, ,
, .
, , . ,
,
. , (. 5),
,
(
, ), PRCB
.
, , , (
). ( ), ,
WaitForMulti pleObjects ( 0,
).
230 3.
, ,
, , : ,
() . ,
, , ,
.
,

, . , . 3.20.
3.20.
WaitBlockActive
(2)
(
)
WaitBlock
Inactive (3)
(
)
,
,
( ,
, )

,
,

WaitBlock
BypassStart (0)
(
)
(
,
)
,
,

,

WaitBlock
BypassComplete
(1)
(
,
,
, ()
,

( ),
( ,
) ,
. ,
231
, , ,
, , APC-.

:
, ,
.
(,
WaitForSingleObject), (WaitInProgress), .
,
. ,
, .
, , .
WaitInProgress,
Waiting ().
, , -
.
(, , WaitBlockActive),
, . , ,
,
, (
WaitForMulti pleObjects). ,
(address ordering).
,
- , ,

. ,
,
.
, , ,
, , . , (
)
( , ,
). ,
, (
). , ,
, .
232 3.
,
,
. , ,
, , .
,
,
,
, , .
PRCB, , ,
, , , .
, .

, , , ,
. , , , (. 5).
, , , , ,
, .
, , , . ,
,
WaitBlockBypassStart,
WaitAborted ( ).
,
APC-, WaitAborted,
.
APC- APC-,
, APC- , .
,
, ,

, .
.3.27 , PRCB. 0
( ): 1 ,
2 . , , , 2 ,
. ,
,
1, - . 1
, WaitAny,
.
233
PRCB 0
. 3.27. ,
:
, , !thread. ,
, !process, ,
:
kd> !process
THREAD fffffa8005292060 Cid 062c062c.0660 Teb: 000007fffffde000 Win32Thread:

fffff900c01c68f0 WAIT: (WrUserRequest) UserMode Non-Alertable
fffffa80047b8240 SynchronizationEvent
,
dt:
lkd> dt nt!_DISPATCHER_HEADER
+0x000 Type
:
+0x001 TimerControlFlags :
+0x001 Absolute
:
fffffa80047b8240
0x1 ''
0 ''
0y0
234 3.
+0x001Coalescable
: 0y0
+0x001 KeepShifting
: 0y0
+0x001 EncodedTolerableDelay : 0y00000 (0)
+0x001 Abandoned
: 0 ''
+0x001 Signalling
: 0 ''
+0x002 ThreadControlFlags
: 0x6 ''
+0x002 CpuThrottled
: 0y0
+0x002 CycleProfiling
: 0y1
+0x002 CounterProfiling
: 0y1
+0x002 Reserved
: 0y00000 (0)
+0x002 Hand
: 0x6 ''
+0x002 Size
: 0x6
+0x003 TimerMiscFlags
: 0 ''
+0x003 Index
: 0y000000 (0)
+0x003 Inserted
: 0y0
+0x003 Expired
: 0y0
+0x003 DebugActive
: 0 ''
+0x003 ActiveDR7
: 0y0
+0x003 Instrumented
: 0y0
+0x003 Reserved2
: 0y0000
+0x003 UmsScheduled
: 0y0
+0x003 UmsPrimary
: 0y0
+0x003 DpcActive
: 0 ''
+0x000 Lock
: 393217
+0x004 SignalState
: 0
+0x008 WaitListHead
: _LIST_ENTRY [ 0xfffffa80'047b8248 - 0xfffffa80'047b8248 ]
,
,
(- ),
. ,
,
, Windows
WDK. . 3.21
, .
3.21.
Absolute
,
,
Coalescable
KeepShiftig
,

. ,
FALSE
235
Encoded
ToleableDelay
(
, ),
,

Abandoned
, ,
Signaling
CpuThrottled
( )
(CPU throttling),
DFSS- ( Distributed Fair-Share
Scheduler)
CycleProfiling
Counter
Profilng
Size
4,
Hand
Index
Insered
Expired
DebugActive
ActiveDR7
, DR7

Instrumented
, ( Windows
x64)
UmsScheduled
()

(UMS Worker)
UmsPrimary
() UMS-
DpcActive
DPC-
Lock
,
;
7 (0x80) Type
236 3.
Type .
KOBJECTS,
:
lkd> dt nt!_KOBJECTS
EventNotificationObject = 0
EventSynchronizationObject = 1
MutantObject = 2
ProcessObject = 3
QueueObject = 4
SemaphoreObject = 5
ThreadObject = 6
GateObject = 7
TimerNotificationObject = 8
TimerSynchronizationObject = 9
Spare2Object = 10
Spare3Object = 11
Spare4Object = 12
Spare5Object = 13
Spare6Object = 14
Spare7Object = 15
Spare8Object = 16
Spare9Object = 17
ApcObject = 18
DpcObject = 19
DeviceQueueObject = 20
EventPairObject = 21
InterruptObject = 22
ProfileObject = 23
ThreadedDpcObject = 24
MaximumKernelObject = 25
,
, .
,
, , ,
:
dt nt!_KWAIT_BLOCK 0xfffffa80'053cf628
+0x000 WaitListEntry
: _LIST_ENTRY [ 0xfffffa80'02efe568 - 0xfffffa80'02803468 ]
+0x010 Thread
: 0xfffffa80'053cf520 _KTHREAD
+0x018 Object
: 0xfffffa80'02803460
+0x020 NextWaitBlock
: 0xfffffa80'053cf628 _KWAIT_BLOCK
+0x028 WaitKey
: 0
+0x02a WaitType
: 0x1 ''
+0x02b BlockState
: 0x2 ''
+0x02c SpareLong
: 8
,
WaitListEntry
( !thread
237
), , . ,
. , , , ,
NextWaitBlock.

, , - , .
,
,
. , , , ,
,
.
, EnterCriticalSection , , ,
, , , , LeaveCriticalSection. ,
.
, , .
,
, . ,
:
. 16- ,
.
, , ,
. , ,
.
LeaveCriticalSection,
.
,

.
, .
( ) ( ) .
, .
,
, , (
). - ,
238 3.
,
, 1. ,
, ,
, ,
, .
, EnterCriticalSection
.
, EnterCriticalSection NtWaitFor
KeyedEvent ,
NULL, ,
.
ExpCritSecOutOf
MemoryEvent. ,
.
, .
, ,
, , ,
,
2.
. . ,
, ,

. , ,
, , , ,
.
, , ,
, - ( ).
, ,
(ETHREAD), KeyedWaitSemaphore. (
ALPC.) 5.
. ,
Windows XP . ,
, ,
, .
, ,
.
1
2
239
. , .
,
, . , .
.
, ,
.
,
KeyedWaitChain (
, LARGE_INTEGER,
, )
(ETHREAD). 5.
Windows , -.
Windows ( ), .
- ,
,
,
Win32 API.

, , , , , , ,
, ,
,
.
.
.

APC- (
). : ExAcquireFastMutex ExAcquireFastMutexUnsafe.
APC IRQL-
APC. APC , IRQL
APC-. ExTryToAcquireFastMutex
, ,
, FALSE.
, ,
.
240 3.
, (
KGATE). KeAcquireGuardedMutex KeAcquireGuardedMutexUnsafe,
APC- IRQL APC-
, APC-
KeEnterGuardedRegion. ,
KeTryToAcquireGuardedMutex. ,
, , , APC- ,
IRQL-.

:
IRQL-,
APIC ,
SMP-.
IRQL, IRQL-
- PIC.
.
,
, , ,
.

.

, .

,
( -
; ).
IRQL-
.
Windows 2003 ,
APC- (
), , .
Windows,
. Windows

,
.
, ,
KeAreApcsDisabled. Windows Server 2003 -
241
, APC-, ,
. Windows Server 2003 ,
, , , , TRUE,
APC- .
,
APC- ,
KeGetCurrentIrql , IRQL
APC , APC- . ,
, ,
IRQL-.
KeAreAllApcsDisabled.
APC- () IRQL APC-,
, .

, . ,
APC- . ,
, .
, ,
,
-
- (, ).
, , , , , , .
,
,
,
, .
,
- , , ,
. ,
, , , ,
: , ,
, , , .
, , :
ExAcquireResourceSharedLite, ExAcquireResourceExclusiveLite, ExAcquireShared
StarveExclusive, ExAcquireShareWaitForExclusive.
WDK.
242 3.
:

!locks .

, ,
d . :
lkd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks.
Resource @ 0x89929320
Exclusively owned
Contention Count = 3911396
Threads: 8952d030-01<*>
KD: Scanning for held locks.......................................
Resource @ 0x89da1a68Shared1owningthreads
Threads:8a4cb533-01<*>***ActualThread8a4cb530
, (contention count),
,
, ,
- .
, , , , , ,
v :
lkd> !locks -v 0x89929320
Resource @ 0x89929320
Exclusively owned
Contention Count = 3913573
Threads: 8952d030-01<*>
THREAD 8952d030 Cid 0acc.050c Teb: 7ffdf000 Win32Thread: fe82c4c0 RUNNING on
processor 0
Not impersonating
DeviceMap
9aa0bdb8
Owning Process
89e1ead8
Image:
windbg.exe
Wait Start TickCount
24620588
Ticks: 12 (0:00:00:00.187)
Context Switch Count
772193
UserTime
00:00:02.293
KernelTime
00:00:09.828
Win32 Start Address windbg (0x006e63b8)
Stack Init a7eba000 Current a7eb9c10 Base a7eba000 Limit a7eb7000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Unable to get context for thread running on processor 1, HRESULT 0x80004001
1 total locks, 1 locks currently held
243
-
, ,
-. ,
, . .
, -
.
: 56,
- . , -
WDK,
( API- , ).
-: -.
- ,
(4 32- 8 64- ).
-, -
,
- . - - ,
- ,
, , . -,
, , ,
, .
- ,
, .
- . -
:
, 1, ;
, 1,
- ;
, 1,
, 1, -

;
28 ( 32- Windows) 60 ( 64- Windows) , ,
-.
, - , , , . - .
244 3.
.
,
, 16-
, 4 -
. ; 4
.
, .
-, -, () - -
-, . -, , , -, ;
-, -,
- .
, , -
,
.
, (
lock cmpxchg ).
,
, (
,
), ,
. -
, -

. , , . ,
(

), : , -,
-.

, ,
,
, , .
. Driver Verifier

-, .
245
, -,
,
, , , -, Address
Windowing Extension (AWE).

, Windows
, .
, ,
, , (
99% , ). -
, , ,
, .

, -.
0, ,
1. ,
.
,
1 0. , , 1
,
, . , , .
,
, , ,
.
, .

, . ,
( ),
( ) ,
. ,
246 3.
, .

.
, , . (RTL_RESOURCE)
, .
, .
, .
,
.

Security Account Manager (SAM)
Windows API .
API-
Windows Vista - Slim
Reader-Writer Locks (SRW Locks), , - .

Windows , .
,
.
.

InitializeConditionVariable
. , , SleepConditionVariableCS,
( ) .
WakeConditionVariable (
WakeAllConditionVariable)1. , , ,
.
,
,
, ( Windows API auto-reset, manual-reset).
,
, .
.
247
. , ,
PulseEvent1.
leepConditionVariableCS,
. ( ) .
-, ,
API- SleepConditionVariableCS. ( , -),
,
. ,
,
, ,
.
-
(Slim Reader-Writer Locks)
, . ,
,
. ,
.
-,
- (Slim Reader-Writer Locks, SRW-)
. ,
,
,
, . - : , SRW-

. ,
. , SRW-
,
- .

.
SRW-
, ,
.
SRW- .
248 3.
InitializeSRWLock,
, API-: AcquireSRWLockExclusive,
ReleaseSRWLockExclusive, AcquireSRWLockShared ReleaseSRWLockShared.
API- Windows APIs, SRW - .

, , . ,
, ,
, , .
Windows SRW- ,
, , , ,
.
, , , , ,
. SRW- , ,
, , .

SRW- ,
API- SleepConditionVariableSRW. , SRW . SRW-
,
,
.

, (,
,
), .
, 1, ,
.
Windows , init once,
one-time initialization ( run once
initialization), .
(
), (
DllMain, DLL-.
249
).
.
,

. , ,
parameter, .
context. Boolean. ,

InitOnceExecuteOnce parameter, context INIT_ONCE API-
InitOnceInitialize. .
, , InitOnceBeginInitialize BOOLEAN pending status
context. pending status FALSE, ,
, context.
FALSE , . pending status TRUE, , .
, ,
. , InitOnceComplete context,
BOOLEAN- status. status TRUE, ,
, , ,
.
, , .
, status FALSE, , .
,
, InitOnceBeginInitialize. , ,

INIT_ONCE_CHECK_ONLY, ,
context (, ).
status, TRUE , context , ,
FALSE, ,
.
, SRW-.
,
SRW-. ( ),
250 3.
. ,
.

Windows System
,
. , DPC/dispatch, , IRQL.
, DPC-, (
DPC , )
IRQ- DPC/dispatch,
, . DPC-
IRQL, ,
IRQL-, DPC/dispatch.
,
(passive) .
,
,
. , ExQueueWorkItem
IoQueueWorkItem.
( Device,
,
, ). (work item)
, .
API- IoQueueWorkItemEx, IoSizeofWorkItem, IoInitializeWorkItem IoUnini
tializeWorkItem ,
Driver Device.
, .
,
passive. , DPC-,
, ,
,
,, . -
.

- .
, ,
.
, DPC- , .
251
:
(delayed worker threads) -
12, ,
,
.
,
, .
(critical worker threads) 13, Windows Server .
(hypercritical worker thread)
15 .

, .
,
ExpWorkerInitialization, , , ,
, . .3.22
, . ExpInitializeWorker
AdditionalDelayedWorkerThreads AdditionalCriticalWork
erThreads HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Executive 16 16 .
3.22.

.
ExpWorkerThreadBalanceManager ,
. ,
ExpWorkerThreadBalanceManager, ,
:
.
(
, )
.
.
252 3.
10
. , , 16 .
:
,
, !exqueue:
lkd> !exqueue
Dumping ExWorkerQueue: 820FDE40
**** Critical WorkQueue( current = 0 maximum = 2 )
THREAD 861160b8 Cid 0004.001c Teb: 00000000 Win32Thread:
THREAD 8613b020 Cid 0004.0020 Teb: 00000000 Win32Thread:
THREAD 8613bd78 Cid 0004.0024 Teb: 00000000 Win32Thread:
THREAD 8613bad0 Cid 0004.0028 Teb: 00000000 Win32Thread:
THREAD 8613b828 Cid 0004.002c Teb: 00000000 Win32Thread:
**** Delayed WorkQueue( current = 0 maximum = 2 )
THREAD 8613b580 Cid 0004.0030 Teb: 00000000 Win32Thread:
THREAD 8613b2d8 Cid 0004.0034 Teb: 00000000 Win32Thread:
THREAD 8613c020 Cid 0004.0038 Teb: 00000000 Win32Thread:
THREAD 8613cd78 Cid 0004.003c Teb: 00000000 Win32Thread:
THREAD 8613cad0 Cid 0004.0040 Teb: 00000000 Win32Thread:
**** HyperCritical WorkQueue( current = 0 maximum = 2 )
THREAD 8613c2d8 Cid 0004.004c Teb: 00000000 Win32Thread:
00000000
00000000
00000000
00000000
00000000
WAIT
WAIT
WAIT
WAIT
WAIT
00000000
00000000
00000000
00000000
00000000
00000000
00000000
WAIT
WAIT
WAIT
WAIT
WAIT
WAIT
WAIT
00000000 WAIT
Windows
Windows , NtGlobalFlag,
, .
NtGlobalFlag GlobalFlag HKLM\SYSTEM\CurrentControlSet\Control\
Session Manager. ,
, , .
, ,
(

).
, Gflags.
exe, ( , ), . Gflags ,
.
gflags /?. ,
, .3.28.
253
. 3.28. Gflags
System Registry ( )
, Kernel Flags ( ) .
Image File ( )
. , ( ).
, .3.29 ,
.3.28.
: NtGlobalFlag
NtGlobalFlag
!gflag.
.
!gflag -?.

,
.
254 3.
. 3.29. Gflags
UNIX-,
, , , , . Windows
IPC- (Advanced Local Procedure Call, ALPC),
,
.
, ALPC
Windows:
Windows-, (remote
procedure call, RPC), API,

ALPC, RPC- ncalrpc, RPC,
. ALPC RPC-
, .
ALPC () Windows,
Windows (,
) (CSRSS).
ALPC session
manager (SMSS).
Winlogon ALPC
, LSASS.
255
( , -
6) ALPC LSASS-.
ALPC -
,
, .
ALPC Windows Error Reporting
.
User-Mode Driver Framework
(UMDF) , ALPC.
ALPC IPC-, Windows NT,

LPC, ,
- LPC. ,
LPC ALPC ,
, ALPC-.

ALPC-
. ALPC-

.
ALPC ,
. ,
ALPC-, :
(server connection port). ,
. , .
(server communication port). , .
.
(client communication port). , .
(unconnected communication port).
, .
ALPC , - BSD .
(NtAlpcCreatePort),
(NtAlpcConnectPort). , (NtAlpcAcceptPort). ,
,
256 3.
.
(NtAlpcSendWaitReceiveMessage), ,
( ).
, - . -
, , ,
.
- , , , ,
.
.
(
, ) , .3.30.

. 3.30. ALPC-

ALPC , NtAlpcSend
WaitReplyPort, ,
. ALPC
, , - -
257
. ALPC
, :

, ( -),
. ,
LPC,
256, ALPC 64 .
ALPC-,
.
,
Memory Descriptor List (MDL),
, , .

, , , ,
. ALPC
NtAlpcCancelMessage.
: ALPC-
ALPC-
WinObj Sysinternals. Winobj.exe .
.
258 3.
ALPC-, ,
Windows. ALPC-, RPC, \RPC Control. Local RPC,
ALPC Windows,
ALPC DLL-, Windows-. ( UNIX-.) CSRSS , ALPC-
\Sessions\ X \Windows,
.
ALPC- ,
ALPC-:
(main queue). ,
(pending queue). , -
, .
(large message queue). -
, .

.
(canceled queue). , , .
, , ,
, , .
259

ALPC LPC-
NT IPC-,
Mach-. IPC- ,
,
,
( ) . ALPC
,
RPC- , -
. ALPC,
LPC, .
.
ALPC- .
, .
, . ,
,
. , ,
ALPC ( Windows
-). ALPC ,
,
e ,
.
, Windows (
ALPC).
,
,
.
API-,
ALPC- , ,
. RPC- Windows
RPC ( ncalrpc) ,
.
, ALPC,
, ALPC
,

.
NtSetInformationAlpcPort, . ,

.
260 3.
,
,
, Windows:
. ,
.
, ,

. , , ,
LPC-, ,
. ,
, ,

. , ,
,
ASLR-.
ALPC ,
. ALPC
ALPC API-
NtAlpcCreatePortSection, ,
(
API- ). ALPC ,
ALPC,
, . ,
, .
.

, . ().
,
, , .
, . ,
,
, ()
( MmSecureVirtualMemoryAgainstWrites).
. , ,
, ALPC-
IPC-.
261
ALPC ,

,
. ALPC
. , ALPC . :
, , -
, ALPC (
);
, , ALPC-;
, , ( .
).

ALPC. ALPC ,
.
, , ALPC
, .
, , . LPC-, ,
, - ,
- - .
ALPC- API-, AlpcInitializeMessageAttribute
AlpcGetMessageAttribute.
,
ALPC
(), ,
, . , ALPC
, , ,
. , ALPC
, (blobs). ,
,
.
262 3.
, , ,
, . , ALPC
(
) , ,
ALPC, ALPC .
ALPC , , ,
, ALPC. ALPC :
, , -
ALPC;
, ,
. ;
, ,
ALPC . ;
, ALPC (.
);
, ,
ALPC.
, . : ,
ALPC, .
, ALPC-,
. ,
(
),
. ALPC
.
, ,
( ),
. , ALPC
,
. ,
.
ALPC ,

IPC. ALPC
263
,
,
ACL. , ALPC (SID), LPC.
, , , .
SID
.
,
,
,
.
ALPC ,
,
. Windows , API-
NtAlpcImpersonateClientThread. API- ALPC (SID),
,
(LUID, locally unique identifier) (. 6).
ALPC ,
, . , , MDL, ,
. MDL- (
), ,
, , IPC-.
64-
,
-,
, . ,
, MDL
,
, .
,
.
ALPC
.
( MDL),
, .
264 3.
,
. ,
, , ,
, , . , NtAlpcSetInformationPort.
, ,
, , ,
, - .
, . ,

, ,
.

ALPC- .
ALPC-, ,
,

!alpc. , , IT- ALPC- ALPC-
Event Tracing for Windows (ETW). ETW- , , ,
- -. ,
!alpc
ALPC- .
:
CSRSS API- Windows, 1 (Session 1),
.
Windows- API- CSRSS .
1.
!object:
0: kd> !object \Sessions\1\Windows\ApiPort
Object: fffffa8004dc2090 Type: (fffffa80027a2ed0) ALPC Port
ObjectHeader: fffffa8004dc2060 (new version)
Directory Object: fffff8a001a5fb30 Name: ApiPort
2. !alpc /p. , , ,
CSRSS:
265
0: kd> !alpc /p fffffa8004dc2090
Port @ fffffa8004dc2090
Type
: ALPC_CONNECTION_PORT
CommunicationInfo
: fffff8a001a22560
ConnectionPort
: fffffa8004dc2090
ClientCommunicationPort : 0000000000000000
ServerCommunicationPort : 0000000000000000
OwnerProcess
: fffffa800502db30 (csrss.exe)
SequenceNo
: 0x000003C9 (969)
CompletionPort
: 0000000000000000
CompletionList
: 0000000000000000
MessageZone
: 0000000000000000
ConnectionPending
: No
ConnectionRefused
: No
Disconnected
: No
Closed
: No
FlushOnClose
: Yes
ReturnExtendedInfo
: No
Waitable
: No
Security
: Static
Wow64CompletionList
: No
Main queue is empty.
Large message queue is empty.
Pending queue is empty.
Canceled queue is empty.
3. , , Windows-, ,

!alpc /lpc. , , ,
:
0: kd> !alpc /lpc fffffa8004dc2090
Port @fffffa8004dc2090 has 14 connections
SRV:fffffa8004809c50 (m:0, p:0, l:0) <-> CLI:fffffa8004809e60
Process=fffffa8004ffcb30 ('winlogon.exe')
SRV:fffffa80054dfb30 (m:0, p:0, l:0) <-> CLI:fffffa80054dfe60
Process=fffffa80054de060 ('dwm.exe')
SRV:fffffa8005394dd0 (m:0, p:0, l:0) <-> CLI:fffffa80054e1440
Process=fffffa80054e2290 ('winvnc.exe')
SRV:fffffa80053965d0 (m:0, p:0, l:0) <-> CLI:fffffa8005396900
Process=fffffa80054ed060 ('explorer.exe')
SRV:fffffa80045a8070 (m:0, p:0, l:0) <-> CLI:fffffa80045af070
Process=fffffa80045b1340 ('logonhlp.exe')
SRV:fffffa8005197940 (m:0, p:0, l:0) <-> CLI:fffffa800519a900
Process=fffffa80045da060 ('TSVNCache.exe')
SRV:fffffa800470b070 (m:0, p:0, l:0) <-> CLI:fffffa800470f330
Process=fffffa8004713060 ('vmware-tray.ex')
SRV:fffffa80045d7670 (m:0, p:0, l:0) <-> CLI:fffffa80054b16f0
Process=fffffa80056b8b30 ('WINWORD.EXE')
(m:0, p:0, l:0),

(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
266 3.
SRV:fffffa80050e0e60 (m:0, p:0, l:0) <-> CLI:fffffa80056fee60
Process=fffffa800478f060 ('Winobj.exe')
SRV:fffffa800482e670 (m:0, p:0, l:0) <-> CLI:fffffa80047b7680
Process=fffffa80056aab30 ('cmd.exe')
SRV:fffffa8005166e60 (m:0, p:0, l:0) <-> CLI:fffffa80051481e0
Process=fffffa8002823b30 ('conhost.exe')
SRV:fffffa80054a2070 (m:0, p:0, l:0) <-> CLI:fffffa80056e6210
Process=fffffa80055669e0 ('livekd.exe')
SRV:fffffa80056aa390 (m:0, p:0, l:0) <-> CLI:fffffa80055a6c00
Process=fffffa80051b28b0 ('livekd64.exe')
SRV:fffffa8005551d90 (m:0, p:0, l:0) <-> CLI:fffffa80055bfc60
Process=fffffa8002a69b30 ('kd.exe')
(m:0, p:0, l:0),

(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
(m:0, p:0, l:0),
4. , ( 0, ).
, Windows- . UNIX,
\PSXSS\ApiPort.

Windows
.
, ETW, . , ETW,
:
.
.
(. :
TCP/IP , . 268) XPerf
Windows Performance Toolkit (. : DPC , . 135).
. GUID (globally unique identifiers) ,
,
ETW. , .
. , .

.
Windows
, , Active Directory
(Service Control Manager), , Explorer.
ETW NT Kernel Logger ( -
267
, ) .
NT Kernel Logger ETW Ntoskrnl.
exe .
,
ETW- ( \Windows\System32\Ntdll.dll)
NtTraceControl, ETW- , . ( ),
,
. , . ,
,
.
, , ETW- ,
, , , .
, . ,
, ,
( ), , ,
.
, , , :
Disk I/O ( -). .
File I/O ( -). .
File I/O Completion ( -). -
.
Hardware Configuration ( ).
plug and play.
Image Load/Unload (- ). .
Page Faults ( ). .
Hard Page Faults ( ,
). .
Process Create/Delete (- ).
(. 5).
Thread Create/Delete (- ). .
Registry Activity ( ).
(. 4).
Network TCP/IP ( TCP/IP). TCP/IP.
Process Counters ( ). .
Context Switches ( ). .
Deferred Procedure Calls ( ). .
Interrupts (). .
System Calls ( ). .
268 3.
Sample Based Profiling ( ).
HAL.
Driver Delays ( ). -.
Split I/O ( -). -.
Power Events ( ). .
ALPC. .
Scheduler and Synchronization ( ).
( 5).
: TCP/IP

TCP/IP, :
1. (Performance Monitor) (Data Collector Sets) (User
Defined).
2. (User Defined), (New),
(Data Collector Set).
3.
(, ),
(Next), ( ) (Create
Manually (Advanced)).
4.
(Create Data Logs),
(Event Trace Data), (Next).
(Providers) (Add)
Windows (Windows Kernel Trace).
(Properties) ()
(Keywords(Any)), (Edit).
269
5. Net TCP/IP (Network TCP/IP),
OK.
6. (Next), . C:\Perflogs\<>\
\, ,
. (Next)
(Run As)
.
(Finish). , .
7. ( ,
), (Start). ,
-.
8. ,
(Stop).
9. C:\Perflogs\
\00001 (or the directory into which you specified that the trace
log file be stored).
10. tracerpt,
:
tracerpt DataCollector01.etl o dumpfile.csv of CSV
270 3.
11. dumpfile.csv Microsoft Excel .
TCP () UDP.
ETW , , Windows SDK.
Wow64
Wow64 ( Win32 64- Windows) , 32- x86 64- Windows.
DLL- ,
32- ,
64- ,
(process environment block, PEB) (thread
environment block, TEB).
Wow64
Get/SetThreadContext. Wow64 DLL-
:
Wow64.dll.
, , Ntoskrnl.exe. , .
Wow64Cpu.dll. 32-
, Wow64,

32- 64-, .
Wow64Win.dll. GUI,
Win32k.sys.
IA32Exec.bin Wowia32x.dll IA64.
IA-32 . Itanium
32- x86 ( 30%),
( )
.
DLL- .3.31.
Wow64
Wow64 2 4 . -
Wow64 271
32- EXE, DLL

32- Ntdll.dll
Gdi32.dll
User32.dll
Wow64cpu.dll
Wow64.dll
Wow64win.dll
64- Ntdll.dll
Ntoskrnl.exe
Win32k.sys
. 3.31. Wow64
(large-address-aware flag),
,
4
. , ,
, 2.

Wow64 , 32-
64- 32- .

64- Ntdll.dll, 32-
Ntdll.dll Wow64. ,
Wow64, Wow64.
dll. Wow64 , 32- Ntdll, 32-
32- .
,
32- .
32- Ntdll.dll, User32.dll Gdi32.dll
\Windows\Syswow64 ( DLL, , Rpcrt4.
dll). 32-
Wow64, , ,
64- , ,
( 32- 64-),
, 64- . , Wow64
32- ,
, 64- 32- .
272 3.

Wow64 Ntdll KiUserExceptionDispatcher. 64- Wow64-, Wow64
,
32- , 32- .
APC
Wow64 APC
Ntdll- KiUserApcDispatcher. 64- APC
Wow64-, 32- APC-
64- . 64-
Ntdll- APC- 32- .
32- APC-
, 32- .

Csrss.exe, ,
, 32- 64- Windows. ,
32- RPC- 64- rpcrt4.dll, 32- Kernel.dll Wow64
Wow,
Csrss Conhost.exe.

Wow64 .
Wow64 , ,
: 64
32, , 32 64.

Win32 64- Windows,
. \Windows\System32
64- . Wow64
, API- \Windows\System32 \Windows\Syswow64. Wow64
\Windows\LastGood \Windows\LastGood\syswow64,
Wow64 273
\Windows\Regedit.exe \Windows\syswow64\Regedit.exe. %PROGRAMFILES%

\Program Files (x86) 32- ,
64- \Program Files.
CommonProgramFiles CommonProgramFiles
(x86), 32- ,
ProgramW6432 CommonProgramW6432
64- .
32-
64- , , \Windows\
Sysnative, - , 32- , .
, ,
System32 ,
Wow64.
\Windows\System32, ,
32- ,
. :
%windir%\system32\drivers\etc
%windir%\system32\spool
%windir%\system32\catroot %windir%\system32\catroot2
%windir%\system32\logfiles
%windir%\system32\driverstore
, Wow64
Wow64 Wow64
Wow64DisableWow64FsRedirection Wow64
RevertWow64FsRedirection. DLL, ,
,
, 64-
. ,
c:\windows\sysnative .

.
, . 32- 64- ,

, .
274 3.
-
32- , : Wow64. 32- 32- , 64- 64-
.
32- 64- 32-
64- , .
Wow64 , , ,
Wow64- . Wow64
:
HKLM\SOFTWARE
HKEY_CLASSES_ROOT
, 32- 64- ,
.
Wow64
Wow6432Node. 32- . 32-
64- (, HKLM\SYSTEM).
, 32- REG_SZ REG_EXPAND_
SZ, %ProgramFiles% %commonprogramfiles%,
Wow64 %ProgramFiles(x86)% %common
programfiles(x86)%, , .
32- ,
. ,
, system32,
, syswow64,
,
KEY_WOW64_64KEY reflected
keys, MSDN.
, , RegOpenKeyEx,
RegCreateKeyEx, RegOpenKeyTransacted, RegCreateKeyTransacted RegDelete
KeyEx :
KEY_WOW64_64KEY 64-
32- 64-
REG_SZ REG_EXPAND_SZ;
KEY_WOW64_32KEY 32-
32- 64- .
-
-
Wow64 275
, Windows API- DeviceIoControl.

() .
, , ,
, Wow64-,
() 32- 64-
, 32-
4 , 64- 8 . ,
, . , - Wow64,
IoIs32bitProcess1.
16-
Wow64 16- . 16- ,
Wow64 ,
16- , :
Microsoft ACME Setup : 1.2, 2.6, 3.0 3.1;
InstallShield 5.x ( x
).
API- CreateProcess()
16- Ntvdm64.dll,
, 16-
. , 32-
CreateProcess.

32- 64- Windows . 64-
.
64-
Windows 64- ,
32- .
Splwow64.exe, RPC- Wow64.
Splwow64 64-
, 64- .
Wow64 16- ( 32- Windows) 32-

( 64- ).
Wow64- 32- DLL-
Supporting 32-Bit I/O in Your 64-Bit Driver MSDN-
.
276 3.
64- DLL-.
64- 32- DLL-.
-
DLL-, , , DLL- , .
, - Wow64 IA64 ReadFileScatter ,
WriteFileGather , GetWriteWatch , AVX-, XSAVE
AWE. DirectX. (
Wow64 .)

.

Dbgk, Debugging Framework.
, , .
, Dbgk,
Ntdll.dll, API, DbgUi. API-

( ), , DbgUi-
API-. , DLL- . , API- ( KernelBase.dll Windows),

.

. ,
Windows API-
, , , DbgUi.
, ,
,
, ,
, ,
. ,
,
, .
, ,
. 3.23,
.
277
3.23.
DbgKmExceptionApi

KiDispatchException -
,
DbgKmCreate
ThreadApi
DbgKmCreate
ProcessApi
DbgKmExit
ThreadApi
DbgKmExit
ProcessApi
DbgKmLoadDllApi
DLL
NtMapViewOfSection,
( EXE)
DbgKmUnloadDllApi
DLL-
NtUnmapViewOfSection,
( EXE)
DbgKmError
ReportApi

Windows
Error Reporting (WER)
KiDispatchException -
, ,

, ,
, , .
create process create
thread ,
,
. DLL- load dll ,
(Ntdll.dll), DLL-, ,
.
, .
.
,
. .
, dbgk- ,
. ,
278 3.
Win32, .

. ,
ContinueDebugEvent.
, ,
, ,
,
.

,
Windows-,
DbgUi- Ntdll.
dll. , , , (
Ntdll.dll ). ,
, Windows API . , , .
. thread
environment block (TEB) , (. 5). DbgSsReserved[1].
, , , int 3 (
), , . ,
.
Ntdll.dll.
, Ntdll.dll API- , Windows
API-.
:
WinDbg ,
, . Notepad.
exe ,
:
1. WinDbg File (), Open Executable
( ).
2. \Windows\System32\ Notepad.exe.
3. , , ,
. WinDbg , g.
279
4. Process Explorer ,
. ( View
(), Lower Pane View ( ), Handles
().) ,
View (), Show Unnamed Handles And
Mappings ( ).
5. Windbg.exe
.
. ( ,
, Type.)
.
. Notepad , WinDbg
:
ERROR: WaitForEvent failed, NTSTATUS 0xC0000354
This usually indicates that the debuggee has been
killed out from underneath the debugger.
You can use .tlist to see if the debuggee still exists.
WaitForEvent failed
,
NTSTATUS, : An attempt to do an operation
on a debug port failed because the port is in the process of being deleted,
, , , ,
- , .
, DbgUi-, ,
. Win32.
.
Windows
, ,
Microsoft Visual Studio WinDbg,
280 3.
, Kernel32.dll.
API- Windows.
, : .
, DLL- load
DLL ,
. wait Kernel32.dll
, ,
() . ,
, ,
() , .
DbgSsReserved TEB, ,
, .
Kernel32.dll .
.

continue, Kernel32.dll ,
, , . , ,
.

,
(. 5) ,
. ,
. , ,
,
.
. ,
Ldr.
DLL-
Ntdll.dll .
, DLL-,
. ,
( Ntdll.dll
), ,
1.
,
. ,

, ,
,
Ntdll.dll. 5.
281
DLL- . :
, -
( )
thread-local storage (TLS)
(FLS);
import table (IAT) DLL- (
IAT DLL),
DLL-, , ( , forwarder entries, DLL-);
DLL- ,
(
);
(
hotpatching), ;
;
, , DLL- ;
API- API-,
MinWin ;

SwitchBranch.
, . ,
, .
,
API- ,
. , ,
. ,
,
.
:

, loader snaps.
.
1. , WinDbg, Gflags.exe, Image File ( ).
2. Image () Notepad.exe,
Tab. . Show
Loader Snaps ( ),
OK, .
282 3.
3. :
(. 278) Notepad.exe.
4. ,
:
0924:0248 @ 116983652 - LdrpInitializeProcess - INFO: Initializing process 0x924
0924:0248 @ 116983652 - LdrpInitializeProcess - INFO: Beginning execution of
notepad.exe (C:\Windows\notepad.exe)
0924:0248 @ 116983652 - LdrpLoadDll - INFO: Loading DLL "kernel32.dll" from path
"C:\Windows;C:\Windows\system32;C:\Windows\system;C:\Windows;
0924:0248 @ 116983652 - LdrpMapDll - INFO: Mapped DLL "kernel32.dll" at address
76BD000
0924:0248 @ 116983652 - LdrGetProcedureAddressEx - INFO: Locating procedure
"BaseThreadInitThunk" by name
0924:0248 @ 116983652 - LdrpRunInitializeRoutines - INFO: Calling init routine
76C14592 for DLL "C:\Windows\system32\kernel32.dll"
0924:0248 @ 116983652 - LdrGetProcedureAddressEx - INFO: Locating procedure
"BaseQueryModuleData" by name
5. -
, , ,
, .
G, , , .
6. , ,
.
.
,
, ,
(
).

Ntdll.dll,
DLL-, ,
( ). 5 ,
, ,
Windows- CreateProcess.
, , - ,
. :
1.
Image File Execution Options,
DEP- SEH- .
2. , ,
.NET- ( ,
.NET-).
283
3. National Language Support tables (NLS).

4. Wow64, 32- 64- Windows.
5. , . ,
, .
6. ,
.
7. FLS TLS.
8. .
9. SxS (Side-by-Side Assembly)/
Fusion. DLL-,
, DLL-,
, (. 5).
10. \KnownDlls DLL.
Wow64 \KnownDlls32.
11. ,
( ).
12. Ntdll.dll .

, , DLL,
. DLL-
,
,
DLL- . DLL-
.
DLL-
,
PE- ,
. ( ,
..) ,
, LoadLibrary, .
Windows-
, ,

,
, .
284 3.
, , .

. , , Windows XP SP2 ,

DLL-, .

, :
1.
2.
3.
4.
5.
6.
, .
Windows (, C:\Windows\System32).
16- Windows (, C:\Windows\System).
Windows (, C:\Windows).
.
, %PATH%.
DLL- DLL . ,
, ,
, ,
%PATH% API-
SetEnvironmentVariable, API-
SetCurrentDirectory DLL- API- SetDllDirectory. DLL-,
,
DLL, .
DLL
, APL- LoadLibraryEx LOAD_WITH_
ALTERED_SEARCH_PATH.
APL- DLL ,
, DLL-.
DLL
DLL
DLL.
DLL, Win32
Windows-.
:
API- MinWin. API-
, Windows
285
,
API- , .
.LOCAL-. .LOCAL-
,
DLL, , ,
DLL .
DLL , .local (, MyLibrary.dll.local),
.local DLL-
(, C:\Program Files\My App\.LOCAL\MyLibrary.dll).
DLL-,
.LOCAL, , ,
SxS. (. .)
.LOCAL- DLL-
, .
, (Fusion (SxS) Redirection).
, ( side-by-side, SxS), Windows,
(
) ,
. , , , Windows Windows
common controls package (comctl32.dll), , ;
. Visual Studio 2005,
, Microsoft linker,
Fusion C-
.
Fusion
, Windows,
, (activation
contexts). ;
,
, . , ,
API- ActivateActCtx
DeactivateActCtx, ,
DLL, .
DLL,
, -
286 3.
, ;
,
.
DLL-. DLL-
, DLL , DLL ,
.
DLL
DLL, 64-
WOW64. DLL , ,
, 64- 32- ,
,
, ,
. ,

%PATH% 64-, 32- .
: DLL
, DLL-, Process Monitor Sysinternals.
DLL-, , CreateFile,
, DLL,
.
, , Myapp.exe
Mylibrary.dll. C:\Myapp,
C:\. -
( Visual Studio ), C:\Myapp\Myapp.exe.
local, .
, Process Monitor myapp.exe
, mylibrary.dll.
287
.
, ,
.LOCAL, , ,
C:\Windows\System32 ( 32-
, C:\Windows\SysWOW64), 16- Windows, C:\Windows , ,
. Load Image ,
.

(DLL-, ), .
,
process environment block, PEB (. 5), , Ldr
PEB_LDR_DATA. ,
, - :
, .
,
(LDR_DATA_TABLE_ENTRY), .
.3.24 , .
3.24.
BaseDllName
ContextInformation
SwitchBranch ( )
GUID Windows,

DllBase
EntryPoint
( DllMain)
EntryPointActivation
Context

SxS/Fusion
Flags
. ( . 3.25.)
ForwarderLinks
FullDllName
HashLinks
List Entry Links
LoadCount
(,
)
288 3.
LoadTime
OriginalBase
( ),

PatchInformation
, (hotpatch)
ServiceTagLinks
( 4),
SizeOfImage
StaticLinks
TimeDateStamp
, , PE-
TlsIndex

WinDbg PEB. ,
LDR_DATA_TABLE_ENTRY.
:

,

Notepad.exe WinDbg.
(,
g), :
1. PEB-
!peb. Ldr
(. 5).
0: kd> !peb
PEB at 000007fffffda000
InheritedAddressSpace:
No
ReadImageFileExecOptions: No
BeingDebugged:
No
ImageBaseAddress:
00000000ff590000
Ldr
0000000076e72640
Ldr.Initialized:
Yes
Ldr.InInitializationOrderModuleList: 0000000000212880 . 0000000004731c20
Ldr.InLoadOrderModuleList:
0000000000212770 . 0000000004731c00
Ldr.InMemoryOrderModuleList:
0000000000212780 . 0000000004731c10
Base TimeStamp
Module
ff590000 4ce7a144 Nov 20 11:21:56 2010 C:\Windows\Explorer.EXE
289
76d40000 4ce7c8f9 Nov 20 14:11:21 2010 C:\Windows\SYSTEM32\ntdll.dll
76870000 4ce7c78b Nov 20 14:05:15 2010 C:\Windows\system32\kernel32.dll
7fefd2d0000 4ce7c78c Nov 20 14:05:16 2010 C:\Windows\system32\KERNELBASE.dll
7fefee20000 4a5bde6b Jul 14 02:24:59 2009 C:\Windows\system32\ADVAPI32.dll
2. , Ldr, PEB_LDR_DATA. , WinDbg

, ,
.
3.

, LDR_DATA_
TABLE_ENTRY. , ,
WinDbg ,
!list :
!list t ntdll!_LIST_ENTRY.Flink x "dt ntdll!_LDR_DATA_TABLE_ENTRY @$extret\"
0000000076e72640
, : , Ldr.
InLoadOrderModuleList.
4. :
0:001> !list -t ntdll!_LIST_ENTRY.Flink -x "dt ntdll!_LDR_DATA_TABLE_ENTRY
@$extret\" 001c1cf8
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x1c1d68 - 0x76fd4ccc ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x1c1d70 - 0x76fd4cd4 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase
: 0x00d80000
+0x01c EntryPoint
: 0x00d831ed
+0x020 SizeOfImage
: 0x28000
+0x024 FullDllName
: _UNICODE_STRING "C:\Windows\notepad.exe"
+0x02c BaseDllName
: _UNICODE_STRING "notepad.exe"
+0x034 Flags
: 0x4010
, Ntdll.dll, ,

DLL-, .
,
PsActiveModuleList. ,
, !list, ,
nt!PsActiveModuleList.

, , , !peb . . 3.25.
, ,
290 3.
,

(, .NET-).
3.25.
LDRP_STATIC_LINK (0x2)
LDRP_IMAGE_DLL (0x4)
DLL ( DLL
)
LDRP_IMAGE_INTEGRITY_
FORCED (0x20)
/FORCEINTEGRITY (
PE- IMAGE_DLLCHARACTERISTICS_
FORCE_INTEGRITY_)
LDRP_LOAD_IN_PROGRESS
(0x1000)
LDRP_UNLOAD_IN_PROGRESS
(0x2000)
LDRP_ENTRY_PROCESSED
(0x4000)
LDRP_ENTRY_INSERTED
(0x8000)
LDRP_FAILED_BUILTIN_LOAD
(0x20000)
LDRP_DONT_CALL_FOR_
THRAS (0x40000)
DLL_THREAD_ATTACH/DETACH DLL

LDRP_PROCESS_ATTACH_
CALLED (0x80000)
ATTACH
LDRP_DEBUG_SYMBOLS_
LOADED (0x100000)
LDRP_IMAGE_NOT_AT_BASE
(0x200000)
DLL DLL_PROCESS_
LDRP_COR_IMAGE (0x400000) .NET-

LDRP_COR_OWNS_UNMAP
(0x800000)

.NET-
LDRP_SYSTEM_MAPPED
(0x1000000)

System PTE (
)
LRP_IMAGE_VERIFYING
(0x2000000)

Driver Verifier
LDRP_DRIVER_DEPENDENT_
DLL (0x4000000)
DLL, ,
LDRP_ENTRY_NATIVE
(x000000)
Windows 2000
.
Driver Verifier
,
291
LDRP_REDIRECTED
(0x10000000)

DLL
LDRP_NON_PAGED_DEBUG_
INFO (0x20000000)
LDRP_MM_LOADED
(0x40000000)
MmLoadSystemImage
LDRP_COMPAT_DATABASE_
PROCESSED (0x80000000)
DLL

,
, ,
.
:
1. DLL, .
2. , DLL , . ,
DLL .
3.
, DLL, , DLL, ,

, . ,
.local ( DLL ), ,
DLL, ,
.
4. DLL , ,
- . ,
DLL .
, DLL.
5. DLL
.
6. DLL , DLL
.
7. DLL IAT
. ,
( ).

DLL . ,
.
292 3.
8. , , .
, , DLL. , , DLL-, ,
. Windows
, , , .
9. DLL
(forwarder entry), ,
DLL.
,
DLL, ,
1.
DLL- (
),
, : , DLL- ,
. , ,
(
), (, LoadLibrary). , ,
,
. , , ,
, , . 3.32.
. 3.32. , ,
DLL

.
:
1. , .NET-,
.NET- , , .
293
2. , ,
.
, .
3. , TLS, TLS-,
.
4. Windows-, kernel32.dll
Windows
Authz/AppLocker (. 6). Kernel32.dll ,
, MinWin
Kernelbase.dll.
5. , , .
6. , WinDbg,
.
g.
7. , ,
.
8.
data execution prevention (DEP), , DEP.
9. , - , , , .
10. SecuROM,
SafeDisc ,
DEP ( DEP).
11. .
12. (Shim Engine),
,
.
13. PEB , DLL-, .
Windows- , , ,
.

. DLL DllMain,
DLL ,
DLL.
, TLS DLL.
, . DllMain
DLL,
. TLS-
.
294 3.
SwitchBack
(, API-)
Windows , ,
. Windows SwitchBack, , GUID-,
Windows, ,
. , , Windows 7 API, GUID- Windows7,
,
, Windows Vista,
GUID- Windows Vista. SwitchBack SwitchBack-
DLL- ( .sb_data), ,
API- .
SwitchBack ,
API- ,
DLL-, .
Windows GUID-, Windows Vista, Windows7:
{e2011457-1546-43c5-a5fe-008deee3d3f0} Windows Vista;
{35138b9a-5d96-4fbd-8e2d-a2440225f93a} Windows 7.
GUID-
SupportedOS ID,
. GUID,
Windows Vista.
Windows 7 :
RPC-
Windows.
DirectDraw Lock .
(blitting)
(clipping) .
GetOverlappedResult.
Windows API , , SbSwitchProcedure,

SwitchBack-.
SwitchBack, SwitchBack, .
SwitchBack.
, , .
, Windows Vista
Windows 7. -
295
SwitchBack, , ,
( ) . ,

, .
Windows 7 GUID, SwitchBack-
API- SbSelectProcedure
.
, .
SwitchBack ETW, SwitchBack , Windows AIT
(Application Impact Telemetry ).
Microsoft
, , (
), .
,
. ,
- pContextData . (
5.) GUID- ,
, ,
API-, SwitchBack.
API-
SwitchBack API-, Windows ,
API-.
API- Windows DLL-
DLL-,
API-,
Windows-. , Windows , Kernel32.dll
Advapi32.dll ( ) DLL-.
, , Kernel32.dll, Windows,
DLL-, API-MS-WIN. DLL- API-,
Kernel32, API,
Kernel32.dll. , CORE-STRING
Windows.
:
-
API-, ;
296 3.
-, Microsoft Windows, ,
, (, , ),
DLL-
API-.
Kernel32, ,
, -.
, (
) Windows- MinWin
, , ( , , CSRSS
(Service Control Manager)) Windows-.
Windows Embedded ,
Platform Builder. ,
,
Windows components,
. Windows , , , ,
, . ,
MinWin .
PspInitialize
ApiSetMap, (
) API-,
%SystemRoot%\System32\ApiSetSchema.dll.
(Hyper-V) 297
, .apiset,
API-, DLL- API DLL-, API-.
ApiSetMap PEB-
, , .
, LdrpApplyFileNameRedirection,
.local SxS/Fusion
, API-, , API-
( , ). API- , ,
DLL-
DLL- .
,
Sysinternals Strings, , DLL-
:
C:\Windows\System32>strings apisetschema.dll
...
MS-Win-Core-Console-L1-1-0
kernel32.dllMS-Win-Core-DateTime-L1-1-0
MS-Win-Core-Debug-L1-1-0
kernelbase.dllMS-Win-Core-DelayLoad-L1-1-0
MS-Win-Core-ErrorHandling-L1-1-0
MS-Win-Core-Fibers-L1-1-0
MS-Win-Core-File-L1-1-0
MS-Win-Core-Handle-L1-1-0
MS-Win-Core-Heap-L1-1-0
MS-Win-Core-Interlocked-L1-1-0
MS-Win-Core-IO-L1-1-0
MS-Win-Core-LibraryLoader-L1-1-0
MS-Win-Core-Localization-L1-1-0
MS-Win-Core-LocalRegistry-L1-1-0
MS-Win-Core-Memory-L1-1-0
MS-Win-Core-Misc-L1-1-0
MS-Win-Core-NamedPipe-L1-1-0
MS-Win-Core-ProcessEnvironment-L1-1-0
MS-Win-Core-ProcessThreads-L1-1-0
MS-Win-Core-Profile-L1-1-0
MS-Win-Core-RtlSupport-L1-1-0
ntdll.dll
MS-Win-Core-String-L1-1-0
(Hyper-V)
, , , ,
298 3.
, .
,
, ,
. :
,

.
,
( ).

,
. , ,
,
, ,
.

, ,
,
. .3.33
.

1

**
* ,
Virtual PC
**

. 3.33.
Hyper-V, Windows

( Hyper-V). ,
, ,

, WMI (. 4).
, ,
, Windows Server host, Windows, , (enlightenments). , -
(Hyper-V) 299
, , ,
,
, -
* , .
,
Windows, .3.34.
Windows
Server 2003, 2008
Linux,
Xen
VMBus
WMI-

Windows
Server 2008
Windows
VSP
IHVVMBus
Windows
VSP
VMBus
Linux VSC
Hypercall-
Windows
Windows (Designed for Windows)
. 3.34. Windows Hyper-V
, Windows, . ,
, ,
,
. Windows ,
, , , . , , Hyper-V
, Windows
Server, .
,
,
, . , , ,
, .
300 3.

Windows
, - , . , ,
- .
Windows , Windows .
,
, , ,
.
, , .
Microsoft, ,
Windows-.
, . ,
, .3.35.

WMI-

Windows
(Virtualization service
providers , VSP)
. 3.35.

Windows ( ,
)
,
( ), .
.
(Hyper-V) 301

(%SystemRoot%\System32\Vmms.
exe) Windows Windows Management Instrumentation (WMI),
Microsoft Management Console (MMC).
, .
,
.
, virtual machine
worker processes (VMWP)
( ), .
(
, )
, ,
, ,
,
.
,
- ,
,
: Vmwp.
exe ( ). ,
, RDP,
.

Virtualization service providers (VSP) , 1, , (VM service) , VSP- .
VSP- ,
.

API-
-
(, ,
, VSP ,
, .
302 3.
), ,
. VM infrastructure driver (VID). VID
, MMIO
ROM.
, , ( hypercalls).
(
), ,
, .
Winhv.sys.
,
( ).
hvboot.sys, .
Intel AMD , ,
, CPUID-
, . Intel- Hvix64.exe, AMD-
Hvax64.exe.

, , , 1.
, APIC, -
,
( Guest Virtual Address Space, GVA, )
. . ,
( ).
, ,
. ,
,
, ,
.
(Hyper-V) 303
, . .3.36
, Windows.
(VSC-)
Windows
(Enlightenments)
. 3.36.
:
LiveKd
Sysinternals LiveKd,
Windows XP ,
. LiveKd hvl,

:
LiveKd hv,
, . Livekd,
LiveKd, ,
LiveKd , ,
. , LiveKd
, p, LiveKd
. , , LiveKd
.
!vm, , , Hyper-V.
304 3.

virtualization service clients (VSC-)

(VSP). VSP-, VSC-
, .
(enlightenments) , Windows-.
Windows,
,
, -. ,
.
- .

.
(Hyper-V) 305
, , APIC,
.
, TLB-
(. 9).
,
, . ,
,
,
. Windows
, ,
,
.

. ,
,
. , ,
.
. .3.26
, .
3.26.
,

, (, )

.

.
, 0
,

.
,

306 3.
,
(
VDevs). VDevs COM-,
,
, . VDevs
WMI-. Windows
:
( - enlightened I/O).
,
, . ,

,
.

-, ,
. , ( .3.34).
, , .
,
,
.
,
,
,
Windows.
, (, VSC) ,
Windows (
, , ).
,
. COM- (
), .
Hyper-V Intel i440BX, S3 Trio Intel 21140 NIC.
(Hyper-V) 307

10/, VGA- 16-
, ,
, (, GbE- 1000/,
3D- ).

( ). , , ,
IC-:
(VSP-);
(VSC-);
VMBus.
3.37 , -, -
, .
.3.37, VSP- ,
, (enlightening) .
. VSC-
. ,
,
. , VSP :
;
COM- ;
.
VSP
. , VSC-
,
, -,
, . , , VMBus.
-, VSP -
, .
VSP- , ,
308 3.

Windows
-
StorPort
(VSP)
(VSC)
StorPort
(VSC)
iSCSIprt
VMBus
Windows
. 3.37. Hyper-V, -
. VSP ,
, .
, VMBus , , . VMBus
, ,
Plug and Play .
,
, .

. , , ,
, . ,
. , , -
-.
VMBus ,
(Hyper-V) 309
.
.

(
, ), , , .
,
. (,
, ,
), . ,
1, 2, 3 4,
5, 6, 7 8.
, VP.

, ,
.
, , ,
.

, .
APIC ,
APIC, , APIC- ( ). APIC ,
,
PIC- i8059.
, Windows ,
.

,
,
, .
,
310 3.
(
).
. , 0 ,

, .
,
(guest physical address
space, GPA-). GPA 0, . GPA
-
.
( system physical address space,
SPA-),
.
, , x86 x64.
( , GVA-),
, . ,
, ,
SPA-. .3.38
.
0x41404
NtWriteFile
0x80841404
0x910B4
GVA
GVA
SPA
. 3.38.
,
, SPA-
. ,
,
GPA, GPA- -
(Hyper-V) 311
SPA-.
(shadow page tables, SPT-),
, GVA- SPA- ,
, SPA .

(TLB)
GVA GPA SPA
( ),
, , ,
. ,
,
GVA SPA,
.
Second-Level Address Translation (SLAT),
( ), (
). , , Intel
VT Extended/Nested Page Table (NPT),
AMD AMD-V Rapid Virtualization Indexing (RVI).
Hyper-V
,
,
, -.
, SLAT Hyper-V ,
.
Hyper-V ,
, ( Hyper-V)
. , Microsoft,
SLAT
1,62,5. , 10
2%,
.
, Intel, AMD ,
, , RISC-,
ARM, MIPS PPC.
,

translation look-aside buffer (TLB). CISC-,
x86 x64, TLB

TLB , ,
. , -
312 3.
, TLB ,
,
. , . TLB TLB, -
, .
TLB , Hyper-V,
. , ,
,
TLB ,
.
TLB Hyper-V ,
. AMD
RVI TLB- Address Space Identifier, ASID, Intel Nehalem-EX processors TLB
Virtual
Processor Identifier (VPID).

, (Dynamic Memory),

, ,
Windows , . ,
, ,
, .
, .3.39.
:
yy , . .
yy VSP (DM VSP),
(VMWP) ,
.
yy VSC (DM VSC, %SystemRoot%\System32\
Drivers\D mvsc.sys),
(enlightenment driver), .

Dynamic () (.3.40).
(Hyper-V) 313

VMMS

VSP

VSC
VMBus
Windows
. 3.39.
,
(Startup RAM),
, (Maximum RAM), ,

, ,
.

,
, . ,
,
,

.
DM VSC ,
, ,

.
,
, .
,
, , ,
314 3.
. 3.40.
, ,
. ,
DM VSC DM VSP VMBus.
, Windows
, VSC ,
.
DM VSP
,
:
= /
,
. ,
20 , ,
.
(Hyper-V) 315
, , VMMS. , DM VSP, ,
.
Hyper-V NUMA spanning, :
, NUMA-.

. NUMA-
, , . NUMA spanning
, ,
.
NUMA- ,

. ,

, ,
, .

,
,
, ,
.
, ,
,
.
.
400 30
1 . ,
, ,
SLAT,
, .
,
, .
,
32- Windows,
, 4 .
, (WP)
. ,
WP DM VSC VMBUS ,
DM VSC ( ) , MmAllocatePagesForMdlEx. GPA-
, Hyper-V. , , GPA-
SPA- .
316 3.
, WP
Hyper-V, -
,
VSC. , WP GPA , , VSC
,
. ,
,
, , Hyper-V

Windows
GPA-, , ,
DM VSC.
:
,
, 64- , Windows 7
Windows Server 2008 R2. Hyper-V , Hyper-V Dynamic
Memory Balancer Dynamic Memory VM. ,

( ,
), , ,
:
(Hyper-V) 317
Guest Visible
Physical Memory Physical Memory. ,
Guest
Visible Physical Memory value, , Physical Memory.
Sysinternals Testlimit
:
testlimit -m 1000 -c 1

, Testlimit 1 , .
,
, , .
30 , ,
, , ,
.
Testlimit, ,
,
. ,
Guest Visible Physical Memory ,
Physical Memory ,
, Testlimit.
318 3.
,
,
,
, . ,
. :
-, .
MSR-, APIC.
GPA-, , -
. ( ,
, , .)
, , (,
).
, ,
. ( )
( ,
, ).

, , Hyper-V
Windows Windows Failover Cluster .
(Hyper-V) 319
(Live Migration) ,
,
. , , ,
. (
), ,
TCP,
, .
,
.3.41:
1. . VMMS- ()
TCP- .
,
,
. VMMS-
() , . VMMS-
, , TCP-. VMMS- .
1.
2.
3.
. 3.41.

2. . :
1) VMWP ,
. , ,
(dirty), ,
.
2) VMWP
,
, .
320 3.
3) VMWP dirty-, 16- , dirty-

,
dirty- . VMWP
.
4) dirty- VMWP
, - ( dirty) . ,
, - , .
, , ,
, .
3. . VMWP
dirty-,
,
.
, .
,
. ,
VMMS- , , , ,
.
.

, (VHD).
Windows- Traditional Windows Clustering , - ,
(LUN)
.
, LUN, LUN- , .
, LUN-, , ,
,
. ,
LUN- , ,
LUN, , LUN,
, .
LUN-
, ,
,
.
321
, ,

Clustered Shared Volumes (CSV). CSV,
LUN,
.
, ,
, VHD-,
,
LUN-,
. ,
(, VHD) ,
, SMB2 -,
.
CSV LUN
, . ,
, ,
, .
.3.42 .
VM
VM
LUN
VHD
VHD
LUN
. 3.42.

.
,
322 3.
,
. , , , ,
,
.
,
.
,
.

Kernel Transaction
Manager (KTM), , , distributed transaction
coordinator (DTC). ,
API-.
KTM , .

, , .
Windows- .
, NT File System (NTFS)
, ,
, , ,
. . ,
,
(. 4),
.
KTM , , , NTFS , ,
. NTFS ,
TxF. ,
TxR.
KTM , ,
DTC
. KTM
.
TxF, TxR API-
, , ,
.
, KTM ,
323
API-, . KTM NTFS

, .
,
. . 3.27.
3.27. KTM
Transaction (- , )

.
, ,
Enlistment ()

-,
,

.
,

Resource Manager
(RM) ( ,
)
,
,
Transaction
Manager (TM)
( )
,

,

. TM
;
(RM) TM
,
.
,

,
:
Windows
Ktmutil.exe, ,
( ).
,
Windows-.
:
Ktmutil.exe tm list
Windows :
C:\Windows\system32>ktmutil tm list
TmGuid
TmLogPath
-------------------------------------- -----------------------------------------
324 3.
{fef0dc5f-0392-11de-979f-002219dd8c25} \Device\HarddiskVolume2\$Extend\$RmMetadata\
$TxfLog\$TxfLog::KtmLog
{fef0dc63-0392-11de-979f-002219dd8c25} \Device\HarddiskVolume1\$Extend\$RmMetadata\
$TxfLog\$TxfLog::KtmLog
{5e68e4aa-129e-11e0-8635-806e6f6e6963} \Device\HarddiskVolu m e2\Windo ws\
ServiceProfiles\NetworkService\ntuser.dat{5e68e4a8-129e-11e0-8635-806e6f6e6963}.TM
{5e68e4ae-129e-11e0-8635-005056c00008} \Device\HarddiskVolu m e2\Windo ws\
ServiceProfiles\LocalService\ntuser.dat{5e68e4ac-129e-11e0-8635-005056c00008}.TM
{51ce23c9-0d6c-11e0-8afb-806e6f6e6963} \SystemRoot\System32\Config\TxR\{51ce23c7-0d6c11e0-8afb-806e6f6e6963}.TM
{51ce23ee-0d6c-11e0-8afb-005056c00008} \Device\HarddiskVolume2\Users\markruss\
ntuser.dat{51ce23ec-0d6c-11e0-8afb-005056c00008}.TM
{51ce23f2-0d6c-11e0-8afb-005056c00008} \Device\HarddiskVolume2\Users\markruss\
AppData\Local\Microsoft\Windows\UsrClass.dat{51ce23f0-0d6c-11e0-8afb-005056c00008}.TM

, Windows ,
( hotpatch), ,
.
,
, ( ).
. 3.28.
3.28.
- DLL-,

,
,

,
,
, ,
DLL
( ).
,
( ), ,

( , DLL)
,
,
( ,
,
)
325
DLL
,
.

DLL-,

DLL Ntdll.dll
Ntdll.
dll
,
.
,
,
,
.
Windows Windows
Update, , ,
Update.exe, .
.hp. PE-,
.HOT1. , ,
.
, , (,
, )
. .
(. 5) , ,
, .

7 4
, 2 ,
. ,
:
lkd> u nt!NtCreateFile - 5
nt!FsRtlTeardownPerFileContexts+0x169:
82227ea5 90
nop
82227ea6 90
nop
82227ea7 90
nop
82227ea8 90
nop
82227ea9 90
nop
nt!NtCreateFile:
82227eaa 8bff
mov
edi,edi
326 3.
,

.
, nop , mov edi, edi NtCreateFile , . 7 NtCreateFile

,
. NtCreateFile
, :
lkd> u nt!NtCreateFile - 5
nt!FsRtlTeardownPerFileContexts+0x169:
82227ea5 e93d020010
jmp
nt_patch!NtCreateFile (922280e7)
nt!NtCreateFile:
82227eaa ebfc
jmp
nt!FsRtlTeardownPerFileContexts+0x169 (82227ea5)

, , , .
. :
, -
,

.
,
.
, ,
.

32- Windows
. ,

. 64- Windows x64 ,
, Microsoft
64- Windows.
x64 Windows
Kernel Patch Protection (KPP), PatchGuard.
KPP
- . .3.29
, , .
327
3.29. , KPP
Ntoskrnl.exe, Hal.dll, Ci.dll,

Kdcom.dll, Pshed.dll, Clfs.
sys, Ndis.sys, Tcpi p.sys
Kernel, HAL
. () HAL
.
Ndis.sys

Global Descriptor Table

(GDT) ( )

(Ring 0 Ring 3)

(callgate),
, (Ring 3)
(Ring 0)
Interrupt Descriptor Table

(IDT) ( )

-

,
.

INT2E

System Service Descriptor

Table (SSDT) (

)
Processor Machine State

Registers (MSRs) ( )
LSTAR MSR

SYSENTER ()
SYSCALL,

LSTAR

,

KdpStub, KiDebugRoutine,
,
,

KdpTrap
328 3.
3.29 ()
PsInvertedFunctionTable

, x64,

, ,

,
KPP,

, (

)
,
,

(,
),

DKOM (Direct Kernel Object
Modification )
, ,
,

,
KPP,
DPC,
,
KPP . .
, KPP,

,
-
KPP
64- Intel x64,

(prefetch) . KPP
,
. , -
(Hyper-V) (
), , ,
.
, , , .
329
KPP ( ), 0x109 CRITICAL_

STRUCTURE_CORRUPTION ( ).
, , KPP,
:
- ,
DLL-,

.
(. 4) .
,
.
(. 5).
,
DLL-.
,
, .
(. ,
).
, ()
.
KPP .
, KPP ,
.

Windows,
( , DLL ) , .
,
.
Kernel Mode Code Signing (KMCS), ,

Authenticode certificate, , , Verisign Thawte.
KMCS
64- , Windows . , , ,
330 3.
- .
32-
, , ,
.
.3.43 , 64-
Windows, .
Windows , Plug and Play. Plug and Play,

,
Plug and Play, (
64- , KMCS).
. 3.43. ,
64- ,
32- Windows (Code Integrity event log).
, -, , ,
32- . -
.
331
.

, . (
.) , ,
,
( ).
, .
,
Windows.
,
Windows: , Windows Windows
Management Instrumentation (WMI).
4.

Microsoft Windows, :
.
.
(Unified Background Process Manager).
Windows (Windows Management
Instrumentation).
Windows (Windows Diagnostics Infrastructure).
Windows
. , . , ,
, , Windows.
,
, Windows
. ,
. ,

.

, : ,
, . ,
, . Windows
graphical
user interface (GUI), ,
.
Windows GUI- Regedit.exe
. , , Reg.exe, ,
, ,
. ,
333
UAC-, . ,
Regini.exe, ,
ASCII Unicode.
Windows Driver Kit (WDK) Offreg.dll,
Offline Registry Library.
, ,
Windows .
, ,
.
,
,
-, .

.
Boot Configuration Database (BCD)
, , , (Boot Manager)
.
, ,
,
, .
Explorer Windows ,
, , , ,
, , , ,
.
,
, ,
,
, .
, ,
.
, ,

.
, , , -
334 4.
, .
, , Process Monitor Sysinternals.
:
,
- , , Windows,
.
,
.
Plug
and Play , , , ,

, , .

,
. , , ,
. , () ,
. (
, , ).
,
. ,
mark, trade, trade\mark.

. Regedit
( ).
,
12 , . 4.1. REG_DWORD, REG_BINARY REG_SZ.
REG_DWORD (-).
REG_BINARY , 32
, ;
REG_SZ (, Unicode),
, , , .
REG_LINK ,
. ,
. , \Root1\Link
REG_LINK \Root2\RegKey, RegKey RegValue, RegValue : \Root1\
Link\RegValue \Root2\RegKey\RegValue. -
335
, Windows : 3 6
,
.
4.1.

REG_NONE
REG_SZ
Unicode
REG_EXPAND_SZ
Unicode ,
REG_BINARY
REG_DWORD
32-
REG_DWORD_BIG_ENDIAN
32- ,
REG_LINK
Unicode
REG_MULTI_SZ
Unicode,
REG_RESOURCE_LIST
REG_FULL_RESOURCE_DESCRIPTOR
REG_RESOURCE_REQUIREMENTS_LIST
REG_QWORD
64-

. 6 (
), , . 4.2.
H?
Windows handles (H),
keys (KEY). 1
, HKLM
HKEY_LOCAL_MACHINE. .4.3
. .
4.2.

HKEY_CURRENT_USER
, ,

HKEY_USERS
336 4.
4.2 ()

HKEY_CLASSES_ROOT

, Component Object Model (COM)
HKEY_LOCAL_MACHINE
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
4.3.
HKEY_
HKCU

HKEY_
CURRENT_USER
, - USERS,

HKEY_USERS
HKU
HKEY_CLASSES_ HKCR
ROOT
- ,
COM-

HKLM\SOFTWARE\
Classes HKEY_
USERS\<SID>
HKEY_LOCAL_
MACHINE
HKLM
HKEY_
CURRENT_
CONFIG
HKEY_PERFOR
MANCE_DATA
HKCC
HKLM\SYSTEM\
CurrentControlSet\
Hardware Profiles\Current
HKPD
\SOFTWARE\Classes
HKEY_CURRENT_USER
HKCU , .

, \Users\<_>\Ntuser.dat (. ).
(, )
HKCU HKEY_USERS.
.4.4 HKCU.
337
4.4. HKEY_CURRENT_USER
AppEvents
Console
(, ,
)
Control Panel
, ,
,
Environment
EUDC
Identities
Windows
Keyboard Layout
(, US. UK.)
Network
Printers
Software
Volatile Environment
HKEY_USERS
HKU , .
HKU\.DEFAULT, ( , , .
). Winlogon, ,
, ,
, .
( ),
, ,
%SystemDrive%\Users\Default.
, ,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
ProfilesDirectory, %SystemDrive%\
Users. ProfileList , . , security identifier (SID),
, (. 6). , , ( ProfileLoadTimeLow), SID
Sid
ProfileImagePath. Windows , ,
(User Profiles),
, (Settings)
(User Profiles) (Advanced) (Advanced System Settings) -
338 4.
(System) (Control Panel).

(User Profiles) .4.1.
. 4.1.
:
Runas ( )
, , , ,
. ,
Regedit ,
HKEY_USERS. Regedit, F5, ,
.
HKEY_CLASSES_ROOT
HKCR :
;
COM-;
-
User Account Control (UAC) (. 6).
. REG_SZ,
HKCR, ,
, .
, HKCR\.xls Microsoft
Office Excel , HKCU\.xls\Excel.Sheet.8.
COM-,
. UAC VirtualStore,
, HKCR.
339
, HKEY_CLASSES_ROOT,
:
, HKCU\SOFTWARE\Classes (
\Users\<_>\AppData\Local\Microsoft\
Windows\Usrclass.dat);
,
HKLM\SOFTWARE\Classes.
, , , , , .
:

HKEY_CLASSES_ROOT
.
(
, ),
.
HKEY_LOCAL_MACHINE
HKLM , : BCD00000000, COMPONENTS ( ), HARDWARE, SAM, SECURITY, SOFTWARE
SYSTEM.
HKLM\BCD00000000 Boot Configuration Database (BCD),
. Boot.ini, Windows Vista, .
BCD, , Windows
, Objects:
, GUID ( ),
, . BCD MSDN.
.
, ,
.
BCDEdit BCD,
. ,
, , .
, ,
BCD . ,
.
340 4.
HKLM\COMPONENTS , Component Based Servicing (CBS).

,
Windows Windows installation image ( Automated Installation Kit OEM OEM Preinstallation Kit) . API- CBS,
, ,
, . ,
, ( ), (
).
(
), CBS.
HKLM\HARDWARE .
, ,
, , ACPI BIOS.
( (Device Manager) (System)
(Control Panel)) , ,
HARDWARE ( HKLM\SYSTEM\CurrentControlSet\Enum).
HKLM\SAM , , .
Windows Server, ,
Active Directory, ,
1.
SAM ,
.
HKLM\SECURITY . HKLM\SAM SECURITY HKLM\SECURITY\SAM.
HKLM\SECURITY HKLM\SAM\SAM,

System. , PsExec Regedit
, .
- ,
,
.
HKLM\SOFTWARE Windows , .
, ,
Active Directory .
341

.
HKLM\SYSTEM , ,
.
, Windows
.

, ,
, . , Windows , .
: BCD
BCD
. ,
, BCD,
,
BCD . /DEBUG, :
1. , HKLM\
BCD00000000. ,
Elements.
342 4.
2. Windows
Description
Type, 0x10200003, 0x12000004 Elements. Element Windows, Windows 7.
Windows,
0x22000002, ,
\Windows.
3. , GUID Windows,
Elements GUID 0x260000a0. ,
.
4. ,
Element.
5. , 01.
. .
0x12000004 BcdLibraryString_ApplicationPath,
0x22000002 BcdOSLoaderString_SystemRoot.
, 0x260000a0
BcdOSLoaderBoolean_KernelDebuggerEnabled.
BCD MSDN.
343
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
, HKLM\SYSTEM\CurrentControl
Set\Hardware Profiles\Current. Windows
, -
, .
HKEY_PERFORMANCE_DATA
, Windows
, ,
. ,
,
API .
, HKEY_PERFORMANCE_DATA
.
, , ,
Windows , RegQueryValueEx.
,
.

Performance Data Helper (PDH), API Performance Data
Helper (Pdh.dll). .4.2 ,
.

Transactional Registry (TxR)
(. 3) Kernel Transaction
Manager (KTM) API,
, , .

API-: RegCreateKeyTransacted, RegOpenKeyTransacted RegDeleteKey
Transacted. , ,
,
. KTM- CreateTransaction.
, ,
, , -
344 4.
Performance
Pdh.dll
RegQueryValueEx
Windows Management Instrumentation

Advapi32.dll
DLL
Perf Lib
DLL
DLL
. 4.2. ,

, . ,
, ,
API- RegDeleteKeyTransacted.
,
RegDeleteKeyEx.
, KTM, common logging file system (CLFS).
( ,
), , , ,
, API-,
. ,
, , ,
, .
, ,
, ,
, , , ,
. , ,
, .
345
(I ACID), TxR, read-commit ( ),

, ( ) .
, ,
predictable-reads
( cursor-stability
). predictable-reads,
, . Read-commit .
,
- .
,
, KTM- CommitTransaction. , , - ,
API- RollbackTransaction.
API- .
, CreateTransac
tion, ( ,
, ), .
CLFS, KTM, TxR

%SystemRoot%\System32\Config\Txr ;
.regtrans-ms, .
, , , TxR
Windows Windows Update and Component Based Servicing
,

. , , ,
.
, , global registry resource manager
(RM). RM , .
, , RM , KTM , RM-, ,
-. RM CLFS , , System32\Config\
Txr. ( ).
,
.regtrans-ms.
, .
346 4.

, - .
, ,
, , , .
, ,
, . Process Monitor
Windows Sysinternals (http://technet.microsoft.com/sysinternals).
Process Monitor . Process Monitor ,
, , ,
. ,
, , ,
, ,
, .
Process Monitor ,
,
, .
Process Monitor
Process Monitor ,
, .
, ,
, Load Driver,
Debug. , ,
, .
:

RegNotifyChangeKey,
, Process Monitor
,
.
,
.
Process Monitor , , .
, , Process Properties ( ), , .
347
: Process Monitor

, , ,
.
(Notepad) Process Monitor. , Windows, , , ,
. Process Monitor
, , . :
1. ,
, Process Monitor. ,
, Times New Roman,
.
2. Process Monitor.
Process Name,
notepad.exe. , Process Monitor , notepad.
exe.
3. , ,
Process Monitor ,
Capture Events ( ) File ().
4. .
5. Ctrl+F, Find
(), times new. Process Monitor , , ,
,
. , ,
.
348 4.
6.
Jump To ( ). Process Monitor
Regedit ( )
, , .

Process Monitor
, ,
, Process Monitor.
Process Monitor, -
. .
Process Monitor, ,
, Process Monitor, . , , Process Monitor

( Ctrl+E).
,
, , - .
, , , (
), .
, , . Process
Monitor
.
Microsoft Excel ( ) 1. ,
. ( WinDiff, Windows SDK.)
Process Monitor, Result
NAME NOT FOUND ( ) ACCESS DENIED ( ),
, . NAME
NOT FOUND , .
, , , .
, , ,
.
- ,
, ,
,
, ,
, .
349
, . ,

, .
BUFFER OVERFLOW
( ). ,
, . ,
,
, , , ,
.
, ,
. ,
,
. . , ,
BUFFER OVERFLOW, .
Process Monitor
Windows. Internet Explorer
, . ,
Internet Explorer
( Internet Explorer
, ).
Process Monitor Internet Explorer , Internet Explorer, HKCU\Software\Microsoft\RAS
Phonebook. , ,
,
. ,
, ,
, Internet
Explorer. , Internet Explorer
.

-
,
,
,
. , Process
Monitor , . ,
, Process Monitor
Runas.
350 4.
,
, Process Monitor . ,
, ,
, Process Monitor . Process
Monitor
At, Windows, /interactive, Sysinternals PsExec:
psexec i 0 s d c:\procmon.exe
i 0 PsExec Process Monitor 0

. s PsExec Process Monitor
, d PsExec Process Monitor
, Process Monitor.
Process Monitor
, ,
.

, , Process Monitor .
, Enable Boot Logging (
) Options ().
Process Monitor
%SystemRoot%\Procmon.pml. , ,
Process Monitor.
,
Windows, 50 150.

, , ,
. ,
, .
,
.
,
, .
351
, ,
. . , , ,
, . .4.5
.
, , , .
, ,
HKLM\SYSTEM\CurrentControlSet\
Control\Hivelist, . ,
, ,
.
, , . 4.5,
.
, .
.
HKLM\HARDWARE,
.
,
.
4.5.

HKEY_LOCAL_MACHINE\BCD00000000
\Boot\BCD
HKEY_LOCAL_MACHINE\COMPONENTS
%SystemRoot%\System32\Config\
Components
HKEY_LOCAL_MACHINE\SYSTEM
%SystemRoot%\System32\Config\System
HKEY_LOCAL_MACHINE\SAM
%SystemRoot%\System32\Config\Sam
HKEY_LOCAL_MACHINE\SECURITY
%SystemRoot%\System32\Config\Security
HKEY_LOCAL_MACHINE\SOFTWARE
%SystemRoot%\System32\Config\
Software
HKEY_LOCAL_MACHINE\HARDWARE
HKEY_USERS\<SID
%SystemRoot%\ServiceProfiles\
LocalService\Ntuser.dat
>
HKEY_USERS\<SID -
>
%SystemRoot%\ServiceProfiles\
NetworkService\NtUser.dat
HKEY_USERS\<SID >
\Users\<username>\Ntuser.dat
HKEY_USERS\<SID -
>_Classes
\Users\<username>\AppData\Local\
Microsoft\Windows\Usrclass.dat
HKEY_USERS\.DEFAULT
%SystemRoot%\System32\Config\Default

. , Windows HKLM\SYSTEM.
352 4.
, Winload HKLM\SYSTEM
,
. Winload
Ntoskrnl ,
, HKLM\SYSTEM.
32- Winload 400
,
, . x64
1,5. Itanium 32.
:
Regedit ,
(File). ,
. Regedit
HKLM\SYSTEM, Windows Setup
.
1. HKLM HKU, Regedit, HKLM (Load
Hive) Regedit (File).
2. (Load Hive)
%SystemRoot%\System32\Config\RegBack, System
. Test , .
3. HKLM\Test .
4. HKLM\SYSTEM\CurrentControlSet\Control\Hivelist
\Registry\Machine\Test, , Hivelist.
5. HKLM\Test, (File)
Regedit (Unload Hive).

, ,
. ,
. , HKLM\SAM
SAM.
RegCreateKey RegCreateKeyEx
REG_CREATE_LINK. REG_LINK, SymbolicLinkValue,
. REG_LINK,
REG_SZ, Regedit,
, .
353
:
,
( 3), .
,

System , . ,
Process Explorer, System.
System, Handles ()
Lower Pane View ( ), View
().
, .

, , , ,
. , 4096 (4).
,
. .
,
:
regf, ;
;
, ,
1;
.
354 4.
, Winload;
;
;
(, \Device\HarddiskVolume1\
WINDOWS\SYSTEM32\CONFIG\SAM).
.
1.3 (
) , System
Software, Windows 2000.
System Software 1.5 - ( 1) (

).
Windows , , . , ,
, .

. .4.6.
, (
CM_) .
, , , , (bin).
4.6.

CM_KEY_
NODE
, , (key node).
:
(kn , kl );

;
,
;
,
;

;
,
;
(, CurrentControlSet).
,
,
, ,

355
- CM_KEY_
VALUE
, . (kv), (, REG_ DWORD REG_BINARY)

(, Boot-Execute). ,

CM_KEY_
INDEX
, ,

CM_KEY_
INDEX
, ,

CM_KEY_
SECURITY
, .
(ks),
, ,
,
.

,
, , .
, .
, , hbin ,
.
Windows .
, , ,
. ,
, , . ,
, .
, ,
. ,

.
1.
, , .

,
.
, Windows- RegSaveKey RegReplaceKey,
Windows Backup.
356 4.
. ,
,
. , . 4.6, , ,
,
, , ,
.
, .
, , , , , ,
,
.
, . ,
, , ,
, .
, , . , ,
. .4.3
. , . ,
: Root Sub Key. Root
, Val1 Val2.
, Root,
Root.
. .4.3
, .

Root
Val 1
Sub
Val 2
Key
1
( )

. 4.3.

.
,
.
, ,
, ,
357
, ;
. , .
,
.

, , ,
.

, ,
. Winload
SYSTEM: Winload SYSTEM
, ,
. ,
, ,
, . ,
, ,
.
, , ,
, Windows
.
, .4.4,
( ), , ,
, . ,
, Windows .
.

, ,
. Windows ,
, . 1024 , , 512 .
.
. , 0,
, , ,
LRU-
.
358 4.

32
1023
511

. 4.4.
:

, , , Windows
, , .
!reg dumppool
, ,
, .
. (
32 .)
kd> !reg dumppool
dumping hive at e20d66a8 (a\Microsoft\Windows\UsrClass.dat)
StableLength=1000
1/1pagespresent
VolatileLength=0
dumping hive at e215ee88 (ettings\Administrator\ntuser.dat)
StableLength=f2000
242/242pagespresent
VolatileLength=2000
2/2pagespresent
dumpinghive at e13fa188 (\SystemRoot\System32\Config\SAM)
StableLength=5000
5/5pagespresent
VolatileLength=0
359
.

, ,
.

. Registry Windows,
. Regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet,
Windows
(, \Registry\Machine\System\CurrentControlSet). Windows ,
Registry . ,
,
. ,
. ,
, .
,
.
, ,
.
.
, ,
, , ,
,
, . Windows
-, .
,
,
, .
,
API-
, . ,
, .
- .
, ,
360 4.

,
, ,
. ,
, , ( -
). ,
. , \Registry\Machine\
Key1\Subkey2 \Registry\Machine ,
\Registry\Machine.
,
. ,
. ,
, .
,
. ,
, , , , . -
,
,
. , ,
,
. ,
.

, , . ,
, ,
0, , . , API-
, ,
, ,
.
:
, , !reg openkeys. ,
, !reg findkcb:
kd> !reg findkcb \registry\machine\software\microsoft
Found KCB = e1034d40 :: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT
You can then examine a reported key control block with the !reg kcb command:
361
kd> !reg kcb e1034d40
Key:\REGISTRY\MACHINE\SOFTWARE\MICROSOFT
RefCount:1f
Flags:CompressedName,Stable
ExtFlags:
Parent:0xe1997368
KeyHive:0xe1c8a768
KeyCell:0x64e598[cellindex]
TotalLevels:4
DelayedCloseIndex:2048
MaxNameLen:0x3c
MaxValueNameLen:0x0
MaxValueDataLen:0x0
LastWriteTime:0x1c42501:0x7eb6d470
KeyBodyListHead:0xe1034d700xe1034d70
SubKeyCount:137
ValueCache.Count:0
KCBLock:0xe1034d40
KeyLock:0xe1034d40
Flags , , SubKeyCount
, 137 .

( ),
(log hives). ,
, , logN.
.
: .log1 .log2.
- .log1 ,
,
.log2 .
,
( .log1 , ) .log2.
, .log1 ,
.
, .log1.
, %SystemRoot%\System32\Config,
System.log1, Sam.log1 .log1
.log2.
, 512- ,
. ,
, .
362 4.
( , , .)

.
.

. ,
,
. , .
API- RegFlushKey ,
,
, . ,
,
.
,
.
,

, , , .

.
, . , ,
, .
, . .
Windows Boot Loader , . ,
System.log ,
. ,
(, , ,
)
, ,
, .
,
, .
363

Windows , , Process Monitor. ,
.
,
.
, .
.

, ,
, . ,
,

. Windows
, . , ,
,
Microsoft,
.

( ,
),
(, , Wow64). ,
, , .
,

.
(create) (open),
.

. , , ,
, .
,
. ,
364 4.
, ,
,
. ,
.

. Unicode , Unicode-,
ASCII-, ASCI.
(, ),
Unicode.
ASCII .
.
. , ,
\Registry\System\Control, Control,
. ,
,

.
-
.

, -. , . ,
,
, ,
.
.

.
,
, ,
. Windows Windows-,
API- Windows. UNIX
- -
. Windows- -,
,
- , ,
.
365
Windows- : , service control program (SCP)

service control manager (SCM). , SCM.
.
, SCM , ,
SCM .

, -, , Windows-. , , , SCP. Windows
SCP, , ,
,
SCP,
, .
Windows
( )
SCM,
SCM .
, .
, , . Windows- CreateService , , Advapi32.dll
(%SystemRoot%\System32\Advapi32.dll). Advapi32 (DLL- API- Advanced API) API- SCM,
.
,
CreateService, SCM , , . SCM
HKLM\SYSTEM\CurrentControlSet\Services. Services SCM.
, ,
.
StartService.
, ,
, , ,
SCM .
CreateService,
, . :
( ,
, );
366 4.
;
, -
, , -

SCP;
, , ;
, , ,
, .
SCM ,
. .4.5 , .
.4.7 , ( )
.
,
, Parameters, , .
, .
. 4.5. ,
367
SCM Parameters ,
. SCM ,
, , Parameters.
4.7. ,
Start
SERVICE_BOOT_START Winload ,
(0)
.
SERVICE_ SYSTEM_
START
SERVICE_SYSTEM_
START (1)

SERVICE_ BOOT_START
SERVICE_AUTO_START SCM (2)

SCM- Services.exe
ErrorControl
Type
SERVICE_DEMAND_
START (3)
SCM
SERVICE_DISABLED
(4)
SERVICE_ERROR_
IGNORE (0)

, ,

SERVICE_ERROR_
NORMAL (1)
SERVICE_ERROR_
SEVERE (2)

,
,
SERVICE_ERROR_
CRITICAL (3)

,
,
SERVICE_KERNEL_

DRIVER (1)
SERVICE_FILE_

SYSTEM_DRIVER (2)
SERVICE_ADAPTER (4)
SERVICE_
RECOGNIZER_DRIVER
(8)
368 4.
4.7 ()
SERVICE_WIN32_
OWN_PROCESS (16)
SERVICE_WIN32_
SHARE_PROCESS (32)
SERVICE_
INTERACTIVE_
PROCESS (256)

, (0)

Group
Tag
ImagePath
ImagePath ,

-
%SystemRoot%\System32\Drivers.
Windows
Depend
OnGroup
Depend
OnService
,
.
, ,
SERVICE_
AUTO_START SERVICE_DEMAND_
START
ObjectName
LocalSystem,

,
,
. ObjectName
,
LocalSystem.

.\Administrator
DisplayName

. ,
Descri ption
32 767
FailureActions ,

- , SCM, .

369
Failure
Command
SCM ,
FailureActions, .
DelayedAuto
Start
0 1 (TRUE
SCM
SCM.
, SCM
FALSE)
Preshutdown
Timeout

180 .
SCM
,
ServiceSid
Type
SERVICE_SID_TYPE_
NONE (0)
SERVICE_SID_TYPE_
UNRESTRICTED (1)
SCM SID

SERVICE_SID_TYPE_
RESTRICTED (3)
, , SCM SID
SID , SID
(world), ( logon)
(write-restricted)
Required
Privileges
,
. SCM
, ,
Security

, ,

, SCM. , SCM
,
, Type , : ,
.
Windows,
Services. SCM Start SERVICE_AUTO_START SERVICE_DEMAND_START,
, SCM
. , SERVICE_WIN32_OWN_PROCESS
SERVICE_WIN32_SHARE_PROCESS, . , ,
SERVICE_WIN32_SHARE_PROCESS.
370 4.

,
. ,
, , ,
. ,
(,
, ).
SCM ,
StartServiceCtrlDispatcher.
, .
, .
SCM StartServiceCtrlDispatcher
, SCM. SCM
, .
StartServiceCtrlDispatcher
, , .
StartServiceCtrlDispatcher SCM
,
.
RegisterService
CtrlHandler. , ,
SCM. .
RegisterServiceCtrlHandler SCM, StartServiceCtrlDispatcher.
,
, . ,
, ,
Parameters, .
,
SCM , SetServiceStatus,
. , . , -
TCP HTTP-.
,
StartServiceCtrlDispatcher, SCM, , ,
RegisterServiceCtrlHandler. SCM-
(stop), (pause), (resume),
(interrogate) (shutdown) , . .4.6 .
, ,
: .
371

Main

SCM
RegisterServiceCtrlHandler
4
1.
2.
3.
4.


. 4.6.

, , ,
.
- , (
SYSTEM, LocalSystem).
. ,
. Windows,
, ,
.
.

,

Windows, ,
(%SystemRoot%\System32\Smss.exe), Windows (Csrss.
exe), Local Security Authority
process (%SystemRoot%\System32\Lsass.exe)
Logon process (%SystemRoot%\System32\Winlogon.exe). 6.
C ,
,
. ,
. :
. .4.8 -
, .
372 4.
( , , , ).
,
.4.9.
4.8. ,

(Local System)

(Network Service)

(Local Service)
Everyone
Everyone
Everyone
Authenticated Users
Authenticated Users
Authenticated Users
Administrators
Users
Users
Local
Local
Local Service
Local Service
Service
Service
4.9. ,

(Local System)

(Network Service)

(Local Service)
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemTimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeUndockPrivilege (
)
SeAssignPrimaryToken
Privilege
SeAuditPrivilege
SeShutdownPrivilege
SeUndockPrivilege
( )
, Everyone,
Authenticated Users
Users
SeAssignPrimaryToken
Privilege
SeAuditPrivilege
SeShutdownPrivilege
SeUndockPrivilege ( )
, Everyone,
Authenticated Users
Users
373
.
, , ,
.
, ,
(HKU\.DEFAULT).
, .
Windows, (SID)
, . , ,
( )
.

(, , ..),
, ,
, . , , NullSessionPi pes NullSessionShares, HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
(Network Service)
,
,
, ,
,
. , , ,
, ,
. ,
. , ,
,
.
, ,
, . , , HKU\S-1-5-20,
, , %SystemRoot%\
ServiceProfiles\NetworkService.
, , DNS, DNS- .
374 4.

, , , , .
.4.9 , ,
, . 4.8 ,
, , Local
Service, Network Service. , , , HKU\S-1-5-19
%SystemRoot%\ServiceProfiles\LocalService.
, ,
Remote Registry Service,
, LmHosts,
NetBIOS.

,
.
Windows- (Windows
Services MMC) , .
,
(Properties), (Log On)
(This Account), .4.7.
. 4.7. ,

, , , , ,
, ,
- .
375
, Windows
, , , SCM ,
.
, , , ,
.

API- ChangeServiceConfig2. API-
Parameters, .
SCM , .
RequiredPrivileges ( ), SCM , , . ,
, ,
, SCM
, . , ,
, . ,
SCM , .
, ,
.
,
Change Notify.
: ,

Service Control, Sc.exe qprivs. ,
,
, Process Explorer, , Sc.exe .
, :
1. , Dhcp,
Sc.exe,
:
sc qprivs dhcp

: SeCreateGlobalPrivilege
SeChangeNotifyPrivilege.
2. Process Explorer .
Svchost.exe,
. Process Explorer .
376 4.
3. , Dhcp.
,
LocalServiceNetworkRestricted, Audiosrv Eventlog. ,
Svchost ,
, - (-).
4. , , Properties ()
Security ().
, , , ,
Windows, ,
, . 4.9.
, -
, ,
, ,
Audiosrv Eventlog, , ,
Process Explorer. ,
Sc.exe .

, ,

377
. , ,
. ,
,
, access
control lists (ACL) .

, , . ,

, , ACL- , .
ACL- ( ), .
Windows :
,

. Windows Vista, ACL-
, . SCM SID, ,
SID
, . SID- - ,
SID-. SCM
, , API- ChangeServiceConfig2.
- ( ),
SID- ,
, , , , SID .
SID ACL-
.
,
, ,
, .
, SID-
: Deny, SID , ,
. .
,
,
, Deny access control entries (ACE),
SID- : SID (restricted service SID,
378 4.
SERVICE_SID_TYPE_RESTRICTED) SID (unrestricted

service SID, SERVICE_SID_TYPE_UNRESTRICTED). , .
SID SID ,
ACE-, SID-
, SCM.
SID-
.
, SID -
(. 6). ,
, SID ,
, ,
. ,
( ),
SID, SID
. ,
SID-:
SID (world SID) ,
, ,
, DLL- .
SID ,
SCM.
SID, , ,
,
. , Windows Event Tracing for
Windows (ETW) SID ,
, , .
.4.8 - , , SID- .
, Base Filtering Engine (BFE), Windows Firewall,
,
, ,
- . (
, , , , , .)
,
(
, ), SID
, .
, , ,
, , ,
.
379
. 4.8. SID-
Windows ,
SID- , (.. 4.10).
4.10.
shell
hardware detection service
(ShellHWDetection)

( ,

RPC (Rpcss) 135 (TCP

UDP)

DNS (Dns)
(UDP)

TCP UDP

TCP UDP
380 4.

(Session 0)
, , , ,
MessageBox .
Windows
, ,
Windows (window
station). , Session Zero Isolation.
,
.
Windows Windows- .
, .

. Terminal Services
e,
. Windows WinSta0,
WinSta0.
, Windows ,
, ,
Service-0x0-3e7$. . , 3e7,
.
Local Security Authority process (LSASS)
, SCM ,
.
, (
),
. LSASS , . .4.9
Sysinternals WinObj , Windows .
(WinSta0)
(Service-0x0-3e7$).
,
, , , , ,
. ,
,
, . , , -

.
381
. 4.9.

MB_SERVICE_NOTIFICATION MB_DEFAULT_DESKTOP_ONLY
API- MessageBox
, . -
, ,
IDOK,
.

.
, Type, ,
SERVICE_INTERACTIVE_PROCESS. (, ,
, .) SCM , ,
,
WinSta0, .
-
, , WinSta0
,
. 0 ,
Windows,
, , .
, 0.
382 4.
,
, .
,
, .
, , Windows , , .
Interactive Services Detection (UI0Detect)
WinSta0 0
, 0 .
(Terminal Services)
.

,
, .

RPC COM.
, .4.10, , , , . 0,

. , ,
Microsoft Paint, Sysinternals PsExec , PsExec Paint 0.
, :
psexec s i 0 d mspaint.exe
PsExec Microsoft Paint

(s), 0 (i 0), ,
(d).
View The Message ( ),
0 ( ).

(SCM)
%SystemRoot%\System32\Services.exe, , ,
Windows. Wininit
SCM . SCM, SvcCtrl-Main,
, .
383
. 4.10.
Interactive Services Detection
SvcCtrlMain SvcctrlStart
Event_A3752DX, .
SCM ,
SCP-, . SCM SCP OpenSCManager.
SCP SCM , SCM
, SvcctrlStartEvent_A3752DX.
SvcCtrlMain ScGenerate
ServiceDB, , SCM.
ScGenerateServiceDB ,
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List,
REG_MULTI_SZ, .
Group,
. , Windows
, Group,

. SCM ,
, . NDIS, TDI, Primary
Disk, Keyboard Port Keyboard Class ( ).
. , Microsoft Transaction
Server MS Transactions.
ScGenerateServiceDB HKLM\
SYSTEM\CurrentControlSet\Services,
384 4.
. ,
, , . SCM , , SCM
, ,
,
.
. - ,
, , , SCM.
ScGenerateServiceDB Group,

.
,
DependOnGroup DependOnService. .4.11 , SCM . ,
.
, SCM Services, Windows
.
SCM LSASS (,
), SCM LSASS LSA_RPC_SERVER_ACTIVE,
.
Wininit LSASS, LSASS SCM, , LSASS SCM
, . SvcCtrlMain
ScGetBootAndSystemDriverState,
,
.
ScGetBootAndSystemDriverState , ,
\Driver. , -
,
, . .4.12 , WinObj
Driver. SvcCtrlMain ,
ScFailedDrivers.
, , SCM . (RPC) , \Pi pe\Ntsvcs, RPC
SCP-.
SCM ,
SvcctrlStartEvent_A3752DX.
c Windows RegisterServiceProcess SCM
.
385
1
Type
Start
DependOnGroup
DependOnService
Status
Group
2
Type
Start
DependOnGroup
DependOnService
Status
Group
3
Type
Start
DependOnGroup
DependOnService
Status
Group
. 4.11.
. 4.12.

SCM
, :
GUI-, , . SCM ,
Multiple Provider Router (MPR) \BaseNamedObjects\ScNetDrvMsg. MPR
,
386 4.
(. 7 ). MPR
, SCM Windows- GetDriveType
. , SCM Windows-
WM_DEVICECHANGE. SCM
DBT_DEVICEREMOVECOMPLETE, DBT_DEVICEARRIVAL. Windows Explorer,
(Computer),
.

, Start (
), SvcCtrlMain SCM-
ScAutoStartServices. , . , ,
, - .
ScAutoStartServices, ,
. , ,
, HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\
List. List, . 4.13, ,
SCM . ,
, .
. 4.13. ServiceGroupOrder
, ScAutoStartServices , . ScAutoStartServices
, ,
. , , SCM .
( .)

, DependOnGroup
, . , ,
, ,
. ,
387
,
, SCM (circular
dependency). ScAutoStartServices Windows
, ,
, , .
DependOnService, , .
, ,
ServiceGroupOrder\List , SCM .
, , .
, ScAutoStartServices
,
.
, SCM , , , . HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
: Minimal
Network, SCM,
, .
Safe Mode
Safe Mode With Command Prompt, SCM Minimal, Safe Mode With Networking, SCM
Network. Option SafeBoot
, ,
, .
SCM , ScStartServi
ce, .
ScStartService Windows,
, ,
ImagePath , . Type, SERVICE_WINDOWS_SHARE_
PROCESS (0x20), SCM , ,
,
, . ( ,
, ,
LocalService, ,
Svchost, netsvcs,
LocalSystem.) ObjectName, , , .
, ObjectName ObjectName of LocalSystem,
.
SCM ,
. SCM , SCM,
(image database),
ImagePath. ImagePath
, SCM . SCM ,
388 4.
, , ImagePath. SCM
ImagePath.
ImagePath, SCM , ,
. SCM ImagePath,
, , ,
. ,
,
, , SCM .
, ,
SCM ScLogonAndStartImage. SCM , System
LSASS- LogonUserEx. , SCM
LSASS, LSASS,
HKLM\SECURITY\Policy\Secrets1. SCM LogonUserEx,
, LSASS Secrets
_SC_< >.
SCP , SCM LSASS ,
LsaStorePrivateData. , LogonUserEx
. Windows
,
SCM , .
SCM
, , LoadUserProfile
DLL- UserEnv (%SystemRoot%\System32\Userenv.dll).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<
>\ProfileImagePath
, LoadUserProfile ,
HKEY_CURRENT_USER.
WinSta0,
ScLogonAndStartImage WinSta0, ,
HKLM\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices .
, , , .
, ,
0 .
ScLogonAndStartImage
, (, ). SCM
, Windows SECURITY , System.
389
CreateProcessAsUser. SCM ,
,
\Pi pe\Net\NtControlPi peX, X ,
, SCM . SCM
ResumeThread
SCM-. , HKLM\SYSTEM\
CurrentControlSet\Control\ServicesPi peTimeout , SCM StartServiceCtrlDispatcher
, SCM ,
, . ServicesPi peTimeout
, SCM ,
30 . SCM
.
SCM,
.
, SCM
.
, SCM , ,
StartServiceCtrlDispatcher ,
(Event Log), ,
.
, SCM ScStartService,
Type SERVICE_KERNEL_DRIVER SERVICE_
FILE_SYSTEM_DRIVER, ,
ScStartService
ScLoadDeviceDriver.
SCM-, NtLoadDriver, ImagePath, , .
ImagePath, , SCM
, %SystemRoot%\System32\Drivers\.
ScAutoStartServices ,
, ,
. , SCM
DependOnService.
SCM , ,
. , SCM
Tag Windows,
HKLM\SYSTEM\CurrentControlSet\Services.
Tag -,
, , , .
SCM ,
ServiceGroupOrder\List, , ,
,
, .
390 4.
SCM ScInitDelay
Start. , -
, ,
ScAutoStartServices - ,
. .
120 ,
AutoStartDelay HKLM\SYSTEM\CurrentControlSet\
Control. SCM , .
,
, .

Windows , ,
.

.
,
,
. RPC,
.
, Windows
Update.
,
,
,
. ,
, , - .
API-
ChangeServiceConfig2. ,
qc bits sc.exe.
,
, SCM
\BaseNamedObjects\SC_AutoStartComplete. Windows Setup
.
,
SCM- , SCM ErrorControl,
, . ErrorControl
SERVICE_ERROR_IGNORE (0) , SCM .
391
ErrorControl SERVICE_ERROR_NORMAL (1), SCM

, : <
> - :. SCM Windows,
SCM .
, ErrorControl
SERVICE_ERROR_SEVERE (2) SERVICE_ERROR_CRITICAL (3), SCM
,
ScRevertToLastKnownGood.
, , . ,
NtShutdownSystem,
. ,
.
. 4.14. ,

SCM ,
, HKLM\SYSTEM\CurrentControlSet,
. CurrentControlSet Services, CurrentControlSet
SCM. Control,
.
. ,
, -
392 4.
, ErrorControl SERVICE_ERROR_
SEVERE SERVICE_ERROR_CRITICAL, .
SCM, , , , ,
Winlogon (%SystemRoot%\System32\Winlogon.
exe).
NotifyBootConfigStatus, SCM.

NotifyBootConfigStatus ( , ), SCM NtInitializeRegistry,
.
Winlogon
. , , Microsoft SQL
Server, , SQL Server .

, ,
HKLM\SYSTEM\CurrentControlSet\Control\
BootVerificationProgram. ,
Winlogon NotifyBootConfigStatus,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\ReportBootOk 0. ,
SCM
,
NotifyBootConfigStatus.
Windows
CurrentControlSet, CurrentControlSet
, .
HKLM\SYSTEM\ControlSetnnn, nnn , 001 002.
HKLM\SYSTEM\Select ,
. , CurrentControlSet
ControlSet001, Current Select 1.
LastKnownGood Select
, ,
. , Select, Failed, ,

. .4.15 Select.
NtInitializeRegistry
,
CurrentControlSet. , ,
. , , CurrentControlSet.
,
, CurrentControlSet (,
393
HKLM\SYSTEM\Control
), . F8
,
, ,
.
. 4.15.

, , FailureActions FailureCommand, SCM
. SCM , SCM .
SCM , ,
, ,
, . ,

, , .
SERVICE_STOPPED, , SCM, ERROR_SUCCESS. SCM ,
, , FailureActions
OnNonCrashFailures, ,
. , API- ChangeServiceConfig2
Sc.exe
Failureflag FailureActionsOnNonCrashFailures 1. -
394 4.
, 0, SCM
, Windows.
, SCM,
, . ,
(failure actions),
, . ,
SCM , ,
. IIS Admin Service SCM
IISReset,
. .4.16,
MCC- (Services),
(Recovery) (Properties).
. 4.16.

Winlogon Windows- ExitWindowsEx, Csrss Windows
Csrss- . Csrss
, . , SCM, Csrss ,
HKU\.DEFAULT\Control Panel\
Desktop\WaitToKillAppTimeout ( 20),
, . Csrss
SCM, ,
, SCM. Csrss SCM,
, Csrss
395
SCM Csrss RegisterServicesProcess . SCM ,

Csrss , SCM ,
. , SCM. SCM HKLM\
SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout
12.
SCM ,

SCM. SCM- ScShutdownAllServices
SCM , , .
, , SCM ,
,
SCM. SCM
. SCM ,
, ,
, .
, , SCM , , , SCM , .
, SCM
. SCM
, , ,
,
, .
SCM , Csrss SCM. ,
Csrss, , SCM (
, WaitToKillServiceTimeout), Csrss
SCM .
, , ,
.
, , , ,
20 , .
, , ,
,
SCM,
.
Windows
, .
,
. ,
API- SetServiceStatus, SCM
.
396 4.
, , ,
(, ,
),
. SCM 3 ,
. , ;
, ,
SCM.
, (preshutdown),
,
. , (, Group Policy
Windows Update),
HKLM\SYSTEM\
CurrentControlSet\Control\PreshutdownOrder.
,
, , . ,
- , ,
.
, Windows,
, .
, LSASS ,
,
Security Accounts Manager (SamSs), Net Logon
(Netlogon) Key Isolation (KeyIso)
Crypto Next Generation (CNG).
Service Host (SvcHost%SystemRoot%\System32\
Svchost.exe), .
SvcHost.
, SvcHost, Telephony (TapiSrv), Remote Procedure
Call (RpcSs) Remote Access
Connection Manager (RasMan). Windows ,
SvcHost, DLL- ImagePath
%SystemRoot%\System32\svchost.exe k netsvcs , . Parameters
ServiceDll, DLL- .
, SvcHost,
( k netsvcs), SCM.
SCM ,
ImagePath SvcHost ,
397
SvcHost . SvcHost- , HKLM\

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. SvcHost
,
SCM, , SCM.
SCM SvcHost- (
) ImagePath,
, ,
SvcHost, ImagePath. SvcHost ServiceDll
, , DLL
.
.4.11 Windows , .
4.11.
LocalService
Network Store Interface, Windows

Diagnostic Host, Windows Time,
COM+ Event System, HTTP AutoProxy Service, Software Protection
Platform UI Notification, Thread
Order Service, LLDT Discovery,
SSL, FDP Host, WebClient
,

(, ,
)
LocalService
AndNoImperso
nation
UPnP and SSDP, Smart Card,

TPM, Font Cache, Function
Discovery, AppID, qWAVE,
Windows Connect Now, Media
Center Extender, Adaptive
Brightness
,
.
,

LocalService
Network
Restricted
DHCP, Event Logger, Windows

Audio, NetBIOS, Security Center,
Parental Controls, HomeGroup
Provider
LocalService
NoNetwork
Diagnostic Policy Engine, Base

Filtering Engine, Performance
Logging and Alerts, Windows
Firewall, WWAN AutoConfig
,

. ,
LocalSystem
Network
Restricted
DWM, WDI System Host, Network

Connections, Distributed Link
Tracking, Windows Audio Endpoint,
Wired/WLAN AutoConfig, Pnp-X,
HID Access, User-Mode Driver
Framework Service, Superfetch,
Portable Device Enumerator,
HomeGroup Listener, Tablet Input,
Program Compatibility, Offline Files
398 4.
4.11 ()
NetworkService
Cryptographic Services, DHCP

Client, Terminal Services,
WorkStation, Network Access
Protection, NLA, DNS Client,
Telephony, Windows Event
Collector, WinRM
,
(

)
NetworkService KTM DTC

AndNoImperso
nation
,
.
,

NetworkService IPSec Policy Agent

Network
Restricted
: ,
Process Explorer , . Process Explorer
Services () Process Properties (
) : Services.exe, Lsass.exe
Svchost.exe.
SvcHost ,
, Process
Explorer Username ( )
Username ( ) Image (),
Process Properties ( ).
, SvcHost, .

Main

SCM
RegisterServiceCtrlHandler
1.
2.
3.
4.



399
,
, , Process Explorer
. , DLL, . (
Threads) ,
, , ,
.
, ,
tlist.exe Debugging Tools for Windows, Tasklist,
Windows. Tlist
:
tlist /s
tasklist :
tasklist /svc
,
, .

,
, ,
. ,
, , .
- ,
, . ,
,
, DLL-,
, ,
.
Windows , , SCM ScGenerateServiceTag .
, .
SubProcessTag thread environment
block (TEB), (. 5
), ,
( , API ).
SCM, Windows-, Netstat.exe, API-
. TCP/IP
, TCP/IP,
Netstat b,
, . , -
400 4.
, ScTagQuery Winsider
Seminars & Solutions Inc. (www.winsiderss.com/tools/sctagquery/sctagquery.htm).
SCM,
, .
, - .
( ,
.) , - ,
, ,
DLL-, .

(hosted) (background) ,
,
Windows. Service Control Manager
Task Scheduler, DCOM- DCOM
Server Launcher WMI-
(hosted) ,
(out-of-process). Windows
Unified Background Process Manager (UBPM), ( , ) (SCM Task
Scheduler), .
UBPM Services.exe, , SCM, , RPC
( Plug and Play Services.exe, ).
DLL- Ubpm.dll,
API- Trigger,
SCM. SCM
SCM SCM Extension DLL (Scext.dll), Ubpm.
dll. MinWin, Scext.dll
, SCM .
.4.17.
UBPM SCM, UbpmInitialize ScExtInitializeTerminateUbpm DLL SCM Extension. , DLL, SCM, .

UBPM
. Windows
UBPM ,
,
1000 ( -
401
Public API
SCM
(services.exe)
Task Scheduler
(Schedsvc.dll)
SCM Extension DLL
UBPM API DLL (Ubpm.dll)
Unified Background
Process Manager (UBPM)
(Services.exe)
...
...
. 4.17. UBPM
,
10000).
UBPM ,
Flags HKLM\
Software\Microsoft\Windows NT\CurrentVersion\Tracing\UBPM\Regular. UBPM
WPP, Windows Driver Kit.
,
UBPM . TASKSCHED GUID,
ETW,
TaskScheduler.log.
UBPM ETW- ,
, UBPM ,
ETW-. UBPM ETW (
, ) UBPM.
(
) , .
UbpmpEvent
Callback ,
UbpmpConsumeEvents , SCM-,
, ( ) .
, ProcessTrace,
402 4.
ETW , ETW- ( UBPM).

,
ETW- , .
ETW ,
ProcessTrace, ,
. UBPM SCM, ,

.
.
UBPM RPC- TaskHost
UBPM, , ,
, RPC-,
API-, UBPM ( -,
..). API-
Ubpm.dll RPC RPC-
UBPM Services.exe.
UBPM,
, .
API- UBPM
UBPM API- :
-,
;
;
-;
-.

DLL- SCM Extension, ScExtpRegisterProvider,
ScExtGenerateNotification. UBPM API- UbpmRegisterTriggerProvider.
, GUID,
, (,
ETW-).
. ,
UBPM, ,
ETW-, -
, GUID ETW-
, .
, .
403
,
API- . ,

, GUID ETW- .
, ,
GUID , ,
, .
: - UBPM
, UBPM ETW-,
, (Performance Monitor).
:
1. , (Start),
(Run).
2. perfmon OK.
3. ,
(Data Collector Sets).
4. (Event Trace
Sessions), UBPM.
UBPM
. .
, ,
. , BfeTriggerProvider .
.
404 4.

ScExtRegisterTriggerConsumer, DLL-
SCM Extension.
SCM ( MSDN API Service Trigger
Events, MSDN) , UBPM. , DLL- SCM Extension DLL
: UBPM UBPM
Start Service UBPM UBPM Stop Service.
Scheduled Tasks,
UBPM,
- UBPM, Ubpm.dll.
API- RegisterTask
-,
, UBPM Start EXE. ,
, UBPM , (
), API UbpmRegisterTriggerConsumer.
, UbpmTrigger
ProviderRegister, , GUID ETW-,
.
: ,

Windows-
,
. ,
Windows Time Service, Tablet Input Service Computer Browser Service. sc
qtriggerinfo.
1. .
2. , Windows
Time Service:
sc qtriggerinfo w32time
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: w32time
START SERVICE
DOMAIN JOINED STATUS
[DOMAIN JOINED]
STOP SERVICE
DOMAIN JOINED STATUS
[NOT DOMAIN JOINED]
: 1ce20aba-9851-4421-9430-1ddeb766e809
: ddaf516e-58c2-4866-9574-c3b615d42ea1
405
3. Tablet Input Service:
sc qtriggerinfo tabletinputservice
SERVICE_NAME: tabletinputservice
START SERVICE
DEVICE INTERFACE ARRIVAL
[INTERFACE CLASS GUID]
DATA
DATA
DATA
DATA
: 4d1e55b2-f16f-11cf-88cb-001111000030
:
:
:
:
HID_DEVICE_UP:000D_U:0001
4. , Computer Browser Service:

sc qtriggerinfo browser
SERVICE_NAME: browser
START SERVICE

FIREWALL PORT EVENT
[PORT OPEN]
DATA
DATA
DATA
STOP SERVICE
FIREWALL PORT EVENT
[PORT CLOSE]
DATA
DATA
DATA
: b7569e07-8421-4ee0-ad10-86915afdad09
: 139;TCP;System;
: 137;UDP;System;
: 138;UDP;System;
: a144ed38-8e12-4de4-9d96-e64740b1a524
: 139;TCP;System;
: 137;UDP;System;
: 138;UDP;System;
, Windows Time Service

,
, Tablet Input Service HID ClassID,
Tablet Device. , Computer Browser
Service ,
137, 138 139, SMB, .
Task Host
- Windows TaskHost UBPM,
SCM.
RPC-, UBPM , , .
, RPC API- Task
HostSendResponseReceiveCommand:
;
;
406 4.
;
.
, - RPC API- Task

HostReportTaskStatus, UBPM
UbpmReportTaskStatus.
COM Task, , ,
COM-.

(SCP)
Windows, , SCM,
:
CreateService;
OpenService;
StartService;
ControlService;
QueryServiceStatus;
DeleteService.
SCM- SCP SCM, OpenSCManager.

SCP ,
. , SCP , SCM,
OpenSCManager .
SCM , SCM, Windows , ,
. ,
, Authenticated Users SCM- . ,
, .
, SCM, SCM . SCP ,
CreateService, , SCM
. SCM
Security , ,
Services , .
, SCP OpenSCManager ,
SCM, SCP SCM
OpenService, .
, SCP,
,
.
407
SCP, , , , MMC (Services), Windows, %SystemRoot%\System32\Filemgmt.dll. Windows

Sc.exe (Service Controller tool), , , .
SCP- ,
SCM. , MMC- (Services)
. .
SCP-,
SCM,
. SCP-
QueryServiceStatus.
, SCM
, .
Windows Management Instrumentation

Windows Management Instrumentation (WMI)
- Web-Based
Enterprise Management (WBEM), ,
Distributed Management Task Force (DMTF). WBEM

, ,
, .
WMI
.4.18, WMI :
, WMI,
. Windows-,

.
, WMI, API-
.
,

.
,
.
, , , . (
.)
,
. ,
Windows WMI-
408 4.
ODBC

ActiveX
C/C++
Windows Management API

COM/DCOM
CIM
CIM (CIMOM)
WMI
COM/DCOM
SNMP
Windows
SNMP
Windows
. 4.18. WMI
,
. (,
) Microsoft ,
API-,

.
WMI, CIMOM (OM) Common Information Model (CIM),
.
. WMI
, , ,
CIMOM. WMI
API-, ,
.
WMI Windows
( Windows PowerShell) API- WMI COM,
API-. API COM API Open Database Connectivity (ODBC)
Microsoft Access.
409
WMI ODBC
.
, WMI.
WMI ActiveX API- . - ActiveX WMI-
-. API- WMI API- , , Microsoft Visual
Basic. WMI-
Microsoft.
, WMI COM API- . , , COM-, COM- COM- (Distributed COM,
DCOM). WMI- DLL-, WMI- Windows-
Windows-. Microsoft ,
, API-
(Performance API), ,
(Event Manager), Active Directory, SNMP .
WMI SDK WMI-.
WBEM CIM-, DMTF. CIM

, ,
, ,
. CIM , ,
. CIM-
Managed Object Format (MOF).
, ,
WMI . WMI , .
WMI- . 4.12. ,
,
, , , .
. 4.12, , . Event Log , Event Log Computer, Event Log Record
Event Log File. Event Log (Instance provider),

. , Event Log , Event Log File (Win32_NTEventlogFile).
Event Log
( System Event Log,
Application Event Log Security Event Log).
410 4.
Event Log .
WMI , Event Log
Event Log File (backup)
(restore). Event Log
(Method provider). ,
. , Event Log WMI
, WMI , (Event provider).
4.12.
Class (
)
, ,
.
. , , Active Directory
Instance ( )
, , , , . .

Property ( )
Method (
)
Event (
)
Event consumer
( )
Common Information Model

Managed Object Format
Common Information Model (CIM)
- , C++ C#, .
,
.
, . , , .
: , .
DMTF ,
WBEM. CIM , .
411
CIM. CIM_ManagedSystemElement.
,
, , ,
. , , . , CIM_LogicalElement CIM_PhysicalElement
CIM_ManagedSystemElement.
CIM. WBEM ,
, ( ).
, .
,
, .
, .
CIM_FileSystem,
CIM_LogicalElement. , Windows, Linux UNIX,
, , CIM_FileSystem
.
,
. Windows , , Windows. , CIM
CIM_LogicalFile. CIM_DataFile CIM_LogicalFile,
Windows Win32_
PageFile Win32_ShortcutFile.
Event Log. .4.19
WMI CIM Studio, , WMI Administrative Tools,
(Download Center) Microsoft - .
, Event Log
Win32_NTEventlogFile, CIM_DataFile. Event
Log , , (LogfileName)
, (NumberOfRecords).
, , , Win32_NTEventlogFile , CIM_DataFile
CIM_LogicalFile, CIM_LogicalElement, CIM_LogicalElement
CIM_ManagedSystemElement.
, WMI- MOF. Event Log Win32_NTEventlogFile,
.4.19.
.4.19
MOF-. , , CIM Studio
.
Win32_NTEventlogFile .
412 4.
. 4.19. WMI CIM Studio
, , , Win32_NTEventlogFile,
MOF-. , WMI WMI- ,
413
,
. ,
WMI, WMI- .
,
, .
dynamic: ToInstance, provider("MS_NT_EVENTLOG_PROVIDER"), Locale(1033),
UUID("{8502C57B-5FBB11D2-AAC1-006008C78BC7}")]
class Win32_NTEventlogFile : CIM_DataFile
{
[read] string LogfileName;
[read, write] uint32 MaxFileSize;
[read] uint32 NumberOfRecords;
[read, volatile, ValueMap{"0", "1..365", "4294967295"}] string OverWritePolicy;
[read, write, Units("Days"), Range("0-365 | 4294967295")] uint32 OverwriteOutDated;
[read] string Sources[];
[implemented, Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}] uint32
ClearEventlog([in]
string ArchiveFileName);
[implemented, Privileges{"SeSecurityPrivilege", "SeBackupPrivilege"}] uint32
BackupEventlog([in]
string ArchiveFileName);
};
: MOF- WMI-
MOF- WMI-
WbemTest, Windows.
MOF- Win32_
NTEventLogFile:
1. Wbemtest (Run), (Start).
2. (Connect),
(Namespace) root\cimv2 .
3. (Enum Classes),
(Recursive option)
OK.
4. Win32_NTEventLogFile,
, .
5. MOF (Show MOF), ,
MOF.
MOF WMI- WMI

. WDM
MOF- , binary MOF (BMF),
MOF- , BMF- WDM-
.
414 4.
MOF- API- WMI COM WMI-. , MOF- (Mofcomp.exe), WMI-

.
WMI
,
. WMI , , WMI .
.
WMI root.
WMI- , root: CIMV2, Default, Security WMI.
. ,
CIMV2 Applications
ms_409.
. WMI ( WMI-
Windows) Windows root.
: WMI
, , WMI CIM Studio. ,
.
WMI CIM Studio
. Windows
root.
, , WMI
. , , WMI , .

415
. , . , Event Log
Win32_NTLog
Event. : , Logfile, , , Record
Number, . ,
WMI , , . , , :
\\DARYL\root\CIMV2:Win32_NTLogEvent.Logfile="Application",
RecordNumber="1"
(\\DARYL) , , (\root\CIMV2) , . ,
.
.
WMI ,
,
, .

. , , , ,
.. WMI
(association class)
. ,
: Ref.
, MOF- Event Log
Win32_NTLogEvent Win32_ComputerSystem. ,
.
.
[dynamic: ToInstance, provider("MS_NT_EVENTLOG_PROVIDER"): ToInstance, EnumPrivileg
es{"SecurityPrivilege"}:
ToSubClass, Locale(1033): ToInstance, UUID("{8502C57F-5FBB-11D2-AAC1006008C78BC7}"):
ToInstance, Association: DisableOverride ToInstance ToSubClass]
class Win32_NTLogEventComputer
{
[key,read:ToSubClass]Win32_ComputerSystemrefComputer;
[key,read:ToSubClass]Win32_NTLogEventrefRecord;
};
.4.20 WMI Object Browser (

WMI Administrative Tools),
CIMV2. Windows CIMV2. Object Browser
Win32_ComputerSystem- ALEX-LAPTOP, . Object Browser ,
416 4.
Win32_ComputerSystem, ALEX-LAPTOP.
Object Browser
. .
Object Browser , Event
Log Win32_NTLogEventComputer ALEX-LAPTOP Win32_NTLogEvent. ,
MOF- Win32_NTLogEventComputer
Win32_ComputerSystem Win32_NTLogEvent,
. Win32_NTLogEvent Object Browser Properties () .
Microsoft Object Browser WMI-
, .
. 4.20. WMI Object Browser
: WMI

WMI .
Microsoft , , ,
, . Microsoft - Microsoft TechNet Scripting Center.
-,
.vbs cscript script.vbs, script ,
. Cscript
Windows Script Host (WSH).
417
TechNet,
Win32_Process,
, ,
:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colMonitoredProcesses = objWMIService. _
ExecNotificationQuery("select * from __instancecreationevent " _
& " within 1 where TargetInstance isa Win32_Process")
i = 0
Do While i = 0
SetobjLatestProcess = colMonitoredProcesses.NextEvent
Wscript.Echo objLatestProcess.TargetInstance.Name
Loop
, ExecNotificationQuery, ,
select.
WMI,
ANSI
Structured Query Language (SQL), WQL. WMI
, WMI. , Cscript,
(Notepad) :
C:\>cscript monproc.vbs
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
NOTEPAD.EXE
WMI
WMI Svchost-,
. - Wmi prvse.exe,
RPC. WMI Wmiprvse , ,
HostingModel WMI Win32Provider,
. Wmiprvse ,
, ,
.
WMI, Windows MOF-, DLL-
WMI DLL- , %SystemRoot%\System32 %SystemRoot%\System32\Wbem. %SystemRoot%\
System32\Wbem, Ntevt.mof, MOF-
Event Log. Ntevt.dll, DLL- Event
Log, WMI.
418 4.
: Wmiprvse
Wmiprvse , Process Explorer
Wmic. Wmiprvse Svchost, - RPC-. Process Explorer
(job highlighting), , . , , ,
Wmiprvse ,

, (.5).
, %SystemRoot%\System32\Wbem, , MOF- .
WMI , CIMOM, Microsoft JET.
%SystemRoot%\System32\Wbem\
Repository\.
WMI ,
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM, .
WMI . WMI WMI System Control
commands WDM. , \root\WMI.
WMIC
Windows Wmic.exe, WMI ,
WMI. WMI-
, , WMIC
.
419
WMI
WMI . ,

.
WMI (WMI Control) ,
.
ACL- ,
Windows, (.
6).
WMI
(Start) (Control Panel).
(System And Maintenance)
(Administrative Tools) (Computer Management).
(Services And Applications).
WMI (WMI Control)
(Properties), WMI, .4.21.
(Security), (Security). : WMI (WMI Control Properties)
,
.
. 4.21. WMI
420 4.
Windows
Windows Windows Diagnostic Infrastructure
(WDI) , .
Windows , WDI

. ,
. , , .
.
, WDI
Windows , ,
.
WDI
Windows
WDI .
.
WDI API-
:
, ,

, - . WDI ,
: - .

. - ,
. real-time Event Tracing for Windows
(ETW), DiagLog. Scenario Event Mapper (SEM) ETW- WDI-.
,
, SEM .
,
WDI,
, .
,
,
421
,
.
, . WDI
,
.

Diagnostic Policy Service (DPS, %System
Root%\System32\Dps.dll)
WDI-. DPS ( Svchost),

,
, DiagLog. DPS
WDI .4.22.
DPS ,
- , , ,
. , DPS ,
, .

DPS , , -
.

ETW-
(DiagLog)
. 4.22. Windows Windows

Diagnostic Infrastructure
DPS (Group Policy) .

(%SystemRoot%\System32\
Gpedit.msc ). ,
.4.23, (Computer Confi
guration) (Administrative Templates)
(System) (Troubleshooting And Diagnostics).
422 4.
. 4.23.

Windows .
:
, Self-Monitoring
Analysis and Reporting Technology (SMART)

(%SystemRoot%\System32\Driver\Classspnp.sys)
. WDI . ,
Windows ,
. Windows Windows File Protection
, .
, WDI
, , , ,
,
. 7
.
,
, Windows.
,
, ,
. , .
423
Windows,
(Boot Manager)
,
Windows Error Reporting (WER) ,
.
Windows startup repair tool,
, , .
Boot Configuration
Data(BCD), ,
MBR , .
, , ,

.
Windows,
Windows, Windows,
Windows Windows.
,
, Windows ,
, , ,
, WDI , .
Program Compatibility Assistant
(PCA),
Windows, . PCA
, , ,

User Account Control (UAC). PCA
, , .
, PCA
,
.
, Windows, , , .
,
, .
5. ,
,
, Microsoft
Windows. , . , ( ).
, .
Windows
, (
, , ..)
,
. ,
, 1
2 . , , ,
, ,
Windows.

Windows,
, .

Windows , (EPROCESS). , , EPROCESS
. , , (.
), (ETHREAD).
EPROCESS- .
process environment block (PEB), ( ,
, ). ,
, ,
, ,
, .
, Win32, Win32 (Csrss)
425
CSR_PROCESS. , Win32,
(Win32k.sys), W32PROCESS.
Windows- USER GDI, .
(idle process),
EPROCESS
(. 3).
, , WinObj,
. \ObjectTypes Process. API-
EPROCESS, .
.5.1 .
, , .
Win32k
. 5.1. ,

, .
,
, .
(
).
EPROCESS .5.2.
, , , , API- . (
426 5. ,
(PCB)

PsActiveProcessHead
Session Object
EPROCESS

,

,

Win32k

KTHREAD
-

,

. 5.2. ,
, ,
427

.)
.5.2, ,
, (process
control block, PCB). KPROCESS .
EPROCESS, , ,
, ,
KPROCESS.
,
.
: EPROCESS
, EPROCESS , (. 1)
dt nt!_eprocess. ( )
32- :
lkd>dtnt!_eprocess
+0x000 Pcb
: _KPROCESS
+0x080 ProcessLock
: _EX_PUSH_LOCK
+0x088 CreateTime
: _LARGE_INTEGER
+0x090 ExitTime
: _LARGE_INTEGER
+0x098 RundownProtect
: _EX_RUNDOWN_REF
+0x09c UniqueProcessId : Ptr32 Void
...
+0x0dc ObjectTable
: Ptr32 _HANDLE_TABLE
+0x0e0 Token
: _EX_FAST_REF
...
+0x108 Win32Process
: Ptr32 Void
+0x10c Job
: Ptr32 _EJOB
...
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
(Pcb)
KPROCESS. .
, ,
, EPROCESS:
lkd>dt_kprocess
nt!_KPROCESS
+0x000 Header
+0x010 ProfileListHead
+0x018 DirectoryTableBase
...
+0x074 StackCount
: _DISPATCHER_HEADER
: _LIST_ENTRY
: Uint4B
: _KSTACK_COUNT
428 5. ,
+0x078
+0x080
+0x088
+0x08c
+0x090
ProcessListEntry
CycleTime
KernelTime
UserTime
VdmTrapcHandler
:
:
:
:
:
_LIST_ENTRY
Uint8B
Uint4B
Uint4B
Ptr32 Void
dt

, , , dt nt!_eprocess UniqueProcessId,
(process ID).
, , Pcb EPROCESS,
KPROCESS,
.
, KPROCESS dt nt!_eprocess Pcb. , (KPROCESS)
.. , dt r, . , ,
.
dt ,
- .
,
dt EPROCESS.
EPROCESS, ,
!process 0 0 ( ).
KPROCESS EPROCESS,
EPROCESS dt _kprocess
KPROCESS.
Windows, , , .
, ,
, , , .
PEB
, . ,
, Windows,
. EPROCESS
KPROCESS .
PEB .5.3 .
CSR_PROCESS ,
Windows (Csrss). , Windows
CSR_PROCESS (,
Smss ). ,
Windows, CSR_PROCESS
Csrss .
CSR_PROCESS .5.4
.
429

GDI

FLS/TLS
. 5.3.
CSR_PROCESS
CSR_PROCESS

CSR_SESSION
CSR_PROCESS
CSR_THREAD
LPC-

DLL- CSR_SERVER
. 5.4. CSR-
:
!process
!process . .
. (
, !process ,
430 5. ,
, 0, WinDbg.)
lkd>!process
PROCESS 85857160 SessionId: 1 Cid: 0bcc
Peb: 7ffd9000 ParentCid: 090c
DirBase: b45b0820 ObjectTable: b94ffda0 HandleCount: 99.
Image: windbg.exe
VadRoot 85a1c8e8 Vads 97 Clone 0 Private 5919. Modified 153. Locked 1.
DeviceMap 9d32ee50
Token
ebaa1938
...
'
PageFaultCount
37066
MemoryPriority
BACKGROUND
BasePriority
8
CommitCharge
6242

. : !thread (. 429).
, ,
!handle,
(. 3, ). 6
.
, PEB,
!peb,
PEB . PEB , .
PEB ,
WinDbg . .process,
EPROCESS.
: PEB
PEB !peb, PEB ,
, 0.
, ,
PEB-.
lkd>!peb 7ffd9000
PEB at 7ffd9000
InheritedAddressSpace:
No
ReadImageFileExecOptions: No
BeingDebugged:
No
ImageBaseAddress:
002a0000
Ldr
77895d00
...
WindowTitle: 'C:\Users\Alex Ionescu\Desktop\WinDbg.lnk'
ImageFile:
'C:\Program Files\Debugging Tools for Windows\windbg.exe'
431
CommandLine: '"C:\Program Files\Debugging Tools for Windows\windbg.exe" '
DllPath:
'C:\Program Files\Debugging Tools for Windows;C:\Windows\
system32;C:\Windows\system;C:\Windows
Environment: 001850a8
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Alex Ionescu\AppData\Roaming
...
: CSR_PROCESS
CSR_PROCESS !dp , Csrss , .
, File (), Attach To A Process ( ). , . Noninvasive
( ), .
!dp PID , CSR_PROCESS.
. !dp
dt, .
0:000> !dp v 0x1c0aa8-8
PCSR_PROCESS @ 001c0aa0:
+0x000 ClientId
: _CLIENT_ID
+0x008 ListLink
: _LIST_ENTRY [ 0x1d8618 - 0x1b1b10 ]
+0x010 ThreadList
: _LIST_ENTRY [ 0x1c0b80 - 0x1c7638 ]
+0x018 NtSession
: 0x001c0bb8 _CSR_NT_SESSION
...
+0x054 Luid
: _LUID
+0x05c ServerDllPerProcessData : [1] (null)
Threads:
Thread 001c0b78, Process 001c0aa0, ClientId 198.19c, Flags 0, Ref Count 1
Thread 001c0e78, Process 001c0aa0, ClientId 198.1cc, Flags 0, Ref Count 1
...
W32PROCESS , . , Windows .
(Win32k) GUI-
( ,
USER/GDI). W32PROCESS
.5.5 .
: W32PROCESS

W32PROCESS , Win32k.
dt win32k!_W32PROCESS ,
432 5. ,
. !process (
, EPROCESS),
dt nt!_EPROCESS Win32Process,
EPROCESS.
W32PROCESS
Explorer.exe:
lkd> dt win32k!_W32PROCESS 0xff991490
+0x000 Process
: 0x84a2b030 _EPROCESS
+0x004 RefCount
: 1
...
+0x020 W32Pid
: 0x590
+0x024 GDIHandleCount
: 383
+0x028 GDIHandleCountPeak : 0x239
+0x02c UserHandleCount
: 228
+0x030 UserHandleCountPeak : 0x16c
...
+0x088 hSecureGdiSharedHandleTable : 0x84a24159
+0x08c DxProcess
: 0xa2c93980
DxProcess , ,
DirectX, .
W32PROCESS
EPROCESS

GDI
DirectX
DXGPROCESS
W32PROCESS
. 5.5. Win32k

Windows , , ( ),
, . ,
, ,
. , Process
Explorer ,
.
433
( , )
, - ,
, , Blu-ray DVD.
Windows
.
Windows,
, (
).
, , Windows
Media Certificate. Windows Protected Media
Path (PMP) ,
, , DVD,
API- Media Foundation.
Audio Device Graph (Audiodg.exe) ,
.
, Windows Error
Reporting (WER) (Werfault.exe)
, . , System ,
Ksecdd.
sys . System
, (
System
).
: -,
. -,
, EPROCESS,
,
,
. , :
PROCESS_QUERY/SET_LIMITED_INFORMATION,
PROCESS_TERMINATE
PROCESS_SUSPEND_RESUME.
, ,
.
Process Explorer
API- ,
.
, , WinDbg,
,
434 5. ,
, .
Process Explorer , Audiodg.exe,
.
1,
(
bcdedit /debug on Msconfig).
Protected Media Path (PMP),
. .

. , EPROCESS,
,
. PMP- , , , 64- ,

. 32- PMP, .
Microsoft .
Microsoft ,
.

CreateProcess
, , ,
. ,
, , .
Windows ,
- . CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW
CreateProcessWithLogonW. Windows , : Windows Kernel32.dll, ( CreateProcessAsUser, CreateProcessWithTokenW CreateProcessWithLogonW
Advapi32.dll),
Windows Windows (Csrss).
Windows ,
( -
CreateProcess 435
) ,
Windows. ,
Windows- CreateProcess
, , ,
Windows, ,
.

Windows- CreateProcess. , ,
.
CreateProcess ( ),
NtCreateUserProcess
. ,
.
Windows- Create
Process:
1. ; Windows ; , .
2. (.exe),
.
3. .
4. (,
Windows).
5. Windows ,
.
6. (
CREATE_SUSPENDED).
7.
(, DLL-) .
.5.6 , Windows
.
1.

, CreateProcess
, .
CreateProcess
CreationFlags. CreateProcess . Windows

.
436 5. ,
EXE-

Windows
Windows

Windows ,

Windows

. 5.6.
,
Normal,
, , Idle () Below
Normal ( ),
, .
Real-time (
) , ,
Increase Scheduling Priority,
High (). ,
CreateProcess , Real-time;
, Real-time.
CreateProcess 437
,
. CreateProcess ,
.
,
DOS- virtual DOS machine (VDM), .
, , ,
.
, ,
Kernel32 Ntdll.dll
DbgUiConnectToDbg
(TEB) .
Kernel32.dll ,
.
Windows
. , , . 5.1,
Windows API, .
, CreateProcess,
,
, TEB
. ,
.
5.1.

PS_CP_PARENT_
PROCESS
Windows
PROC_THREAD_ATTRIBUTE_
PARENT_PROCESS.

PS_CP_DEBUG_
OBJECT

DEBUG_PROCESS
PS_CP_PRIMARY_
TOKEN
PS_CP_CLIENT_ID

CreateProcessAsUser/

,

,
WithToken
CreateProcessAsUser

Win32 API
TID
PID

438 5. ,
5.1 ()

Windows
PS_CP_TEB_ADDRESS

TEB
PS_CP_FILENAME
-

API- CreateProcess
PS_CP_IMAGE_INFO
SECTION_
IMAGE_INFORMATION,
PS_CP_MEM_RESERVE -
,
,

,

,
,

SMSS CSRSS
PS_CP_PRIORITY_
CLASS

API CreateProcess
PS_CP_ERROR_MODE
CREATE_
DEFAULT_ERROR_
MODE
PS_CP_STD_HANDLE_
INFO
PS_CP_HANDLE_LIST
HANDLE_LIST
,
,

CreateProcess 439

Windows
PS_CP_GROUP_
AFFINITY
GROUP_AFFINITY
PS_CP_PREFERRED_
NODE
PROC_THREAD_
ATTRIBUTES_PRFERRED_
NODE
() ,

.
,

PS_CP_IDEAL_
PROCESSOR
PROC_THREAD_
ATTTRIBUTE_IDEAL_
PROCESSOR
() ,

PS_CP_UMS_THREAD
UMS_THREAD
UMS,
PS_CP_EXECUTE_
OPTIONS
PROC_THREAD_
MITIGATION_POLICY
,

(SEHOP,
ATL-, NX)
() ,

, CreateProcess NtCreateUserProcess .
Kernel32.dll , Windows- POSIX,
16 DOS-, , CreateProcess
.
2. ,

.5.7, NtCreateUserProcess
Windows-, , , ,
. -
, CreateProcess
(. . 5.2), CreateProcess .
Windows- .exe, NtCreateUserProcess
. , .
,
440 5. ,
Run Cmd.exe
MS-DOS .bat
or .cmd
Run Ntvdm.exe
Win16
Use .exe directly

Windows
POSIX
Run Posix.exe
MS-DOS .exe,
.com, or .pif
Run Ntvdm.exe
. 5.7. Windows-
Windows-, DLL-
POSIX-. POSIX-, ,
, Posix.exe, CreateProcess 1. DLL-,
CreateProcess .
NtCreateUserProcess
Windows-, HKLM\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options
( , Image.exe). ,
PspAllocateProcess Debugger.
, , ,
, CreateProcess 1.

Windows
,
.
, Windows-
.exe (, MS-DOS-, Win16- POSIX-),

CreateProcess
Windows-, . ,
, Windows-, Windows
, , , , Windows-. ,
POSIX- CreateProcess Windows Posix.exe. MS-DOS Win16,
CreateProcess 441
, , Windows- Ntvdm.
exe. , ,
Windows-. Windows , Windows- ( . 5.2),

CreateProcess .
5.2. 2
CreateProcess
...

POSIX
PsCreateSuccess

...
Posix.exe
...
CreateProcess -
PsCreateFailOn
MSDOS SectionCreate
.exe, .com .pif
Ntvdm.exe
Win16
PsCreateFailOn
SectionCreate
Ntvdm.exe
Win64
32-
( PPC,
MIPS Alpha)
PsCreateFail
MachineMismatch
PsCreateFailExe
Name
Debugger
CreateProcess 1
PsCreateFailExe
Format
CreateProcess
PsCreateFailOn
FileOpen
CreateProcess
Cmd.exe
CreateProcess -
Debugger
CreateProcess -
1
CreateProcess -
1
CreateProcess

Windows EXE
(
.bat
.cmd)
PsCreateFailOn
SectionCreate
, Create
Process , :
MS-DOS .exe, .com

.pif, Windows , MS-DOS (Ntvdm.exe,
WOW\cmdline). ,
MS-DOS. ( Windows VDM ( DOS-) .)

CreateProcess . , Ntvdm.exe,
CreateProcess 1.
442 5. ,
.bat .cmd, Cmd.exe, Windows,

CreateProcess 1.
Cmd.exe .
Win16 (Windows 3.1),
CreateProcess ,
VDM- VDM-, (
). CreateProcess
CREATE_SEPARATE_WOW_VDM CREATE_SHARED_WOW_VDM.
, HKLM\SYSTEM\CurrentControlSet\Control\WOW\DefaultSeparateVDM.
VDM,
ntvdm.exe,
16- , CreateProcess 1. Windows
, , VDM-
. ( VDM-
, ,
, VDM-.)
VDM-, Windows
, , CreateProcess . VDM- ( , ),
VDM, CreateProcess 1.
3.
Windows (PspAllocateProcess)
NtCreateUserProcess Windows
.
Windows PspAllocateProcess. ( ) :
EPROCESS;
;
(KPROCESS);
PEB;
(
, ).
. .
CreateProcess 443
3. EPROCESS
:
1. ,
( ).
2. , ,
.
3. - (page priority)
. , (5) - (Normal).
4. STATUS_PENDING.
5. ;
, . ,
, .
6. InheritedFrom
UniqueProcessId .
7. Image File Execution Options ,
.
, , NTDLL DLL,
.
8. Image File Execution Options ,
NUMA-.
( NUMA-
), NUMA-,
NUMA-,
.
9. , , ,
Addressspacelayoutrandomization (ASLR).
10. , .
Real-time, ,
.
11. ( ).
.
CreateProcessAsUser, .
,

.
, SeAssignPrimaryToken
.
444 5. ,
12.
, ,
.
13.

. CreateProcessAsUser,
.
, .
14. PspMinimumWorkingSet PspMaximumWorkingSet.
, PerfOptions
Image File Execution Options ,
.
,
(soft limits), ,
PerfOptions
( ).
15. (.3). , .
16. , .
,
NUMA- ( NUMA-),
, PspProcessGroupAssignment.
0, 1, .
17. KPROCESS, (.3).
18. .
19. ,
,
. ,
, .
20. . ,
(. 3). ,
, CreateProcessAsUser
, .
21. ,
PerfOptions. PerfOptions
, -, -
CreateProcess 445
,
.
22.
.
23. , PEB (. 3/3).
24. .
25. PID , PID
PID,
( ).
3.

:
(, -
, x86 PAE-
64- );
;
VAD;
.
:
1.
.
2. MmTotalCom
mittedPages MmProcessCommit.
3.
(PsMinimumWorkingSet) MmResidentAvailable
Pages.
4. . ( , ,
, , .)
3.

PspAllocateProcess KPROCESS (Pcb- EPROCESS).
KeInitializeProcess, :
, ,
( ).
( ) , -
446 5. ,
), 6
PspComputeQuantumAndPriority.
Windows
.
.
, , -
3.
, .
, (resident).
,
(
,
).
KeNodeBlock ( NUMA-),
.
3.

,
.
, Windows.
1. .
( )
, .
2.
.
3. ( )
,
.
4. Ntdll.dll ; Wow64, 32- Ntdll.dll.
5. , .

Session Manager (SMSS) .
6. ,
.
CreateProcess 447
7. (memory
reservations), . , 1 16
. ,
, (
, ).
8. ,
( ,
).
9. PEB.
10. MinWin API.
POSIX- , ,
. POSIX-

,
PEB.
3. PEB
NtCreateUserProcess MmCreatePeb,
national language support (NLS) .
MiCreatePebOrTeb
PEB , ,
, MmHeap*,
MmCriticalSectionTimeout MmMinimumStackCommitInBytes.
, Windows- PE-
PE-.
IMAGE_FILE_UP_
SYSTEM_ONLY ( ,
),
(MmRotatingUniprocessorNumber).
,
.
.
3.
(PspInsertProcess)
,
, PspInsertProcess
:
448 5. ,
1. ( ,
),
.
2. ,
,
. , .
3. PspInsertProcess Windows (PsActiveProcessHead).
4. , , ,
NoDebugInherit (
). ,
.
5. , ,
, , PspInsertProcess
, , ,
, . , ,
,
.
6. , PspInsertProcess ,
ObOpenObjectByPointer, . ,
,
,
,
.
4. ,

Windows
. , -
. .
PspCreateThread, NtCreateThread.
,
, PspCreateThread:
PspAllocateThread PspInsertThread.
PspAllocateThread
, PspInsertThread ,
CreateProcess 449
KeStartThread
. , , ( 5).
( CreateProcess,
CreateThread) PEB.
, ( 6).
PspAllocateThread :
1. , user-mode scheduling (UMS), Wow64,

.
2. .
3. , .
4. , LPC,
- .
5. thread ID (TID).
6. , , , .
,
. Wow64,
Wow64.
7. thread
environment block (TEB).
8. ETHREAD.

Ntdll.dll (RtlUserThreadStart).
Windows ETHREAD , , Process Explorer, .
9. KTHREAD KeInitThread.
,
, .
(.
). KeInitThread
,
, ,
. ,
KiThreadStartup. ,
450 5. ,
KeInitThread Initialized ()
PspAllocateThread.
10. UMS-, PspUmsInitThread UMS-.

, NtCreateUserProcess
PspInsertThread, :
1. ,
( ).
,
.
2. , ,
. , .
3. KeStartThread KTHREAD,
. , ,
,
KPROCESS. , x64
, KiProcessListHead,
PatchGuard PsActiveProcessHead, . ,
.
4.
- - . -
, .
,
( ,
POSIX).
5. UMS, UMS.
6. , ,
.
7. , APC , KTHREAD
CpuThrottled.
8. , . (
, CreateProcess),
.
9. ObOpenObjectByPointer .
10. KeReady
Thread. ,
.
CreateProcess 451
5.
, Windows
NtCreateUserProcess ,
. Kernel32.dll ,
, Windows.
,
Windows .
,
Windows- ( ). Windows Server 2008 R2, Windows Web Server
2008 R2 Windows HPC Server 2008 R2, ,
, -
API-.

, .
, ,
, . ,
PEB, ( 6).
Kernel32.dll Windows,
SxS-, , DLL .

Windows. :
;
;
;
, , Windows- (
Csrss , );
;
DLL- .local;
.
Windows
:
1. CsrCreateProcess . 1 ( ) 2.
2. , CsrCreateProcess ,
.
3. Csrss (CSR_PROCESS).
4. Windows,
452 5. ,
, . (
3.)
5. Csrss (CSR_THREAD).
6. CsrCreateThread .
7. .
8. 0x280 ( ,
MSDN Library, SetProcessShutdownParameters).
9. Csrss- ,
Windows.
10. ,
Windows, (W32PROCESS).
11. .
, Windows : - ,
.

GUI, .
GUI , CsrCreateProcess
, . CsrCreateProcess .
Csrss , CreateProcess , (
ShellExecute AppInfo , ). ,
. , ,
, (.
6).
, ,
AppInfo (. 6).
, ,
Windows Vista Windows,
, . , ,
, , ,
, - ,
. , (Shim Engine) ,
,
.
6.
,
, , Windows
CreateProcess 453
.
CREATE_SUSPENDED, ,
,
(7).
7.

KiThreadStartup. IRQL-
deferred
procedure call (DPC)/dispatch APC,
PspUserThreadStartup.
.

, POSIX
( setuid). ,
, TEB (Locale ID) , ,
. DbgkCreateThread,
, .
, , Ntdll.
dll. , ,
, ( ) .
, . , PspUserThreadStartup
, .
, (
), (CREATE_PROCESS_
DEBUG_INFO) .

Ntdll.dll. DbgkCreateThread
( ContinueDebugEvent).
, , PspUserThreadStartup
.
, .
, , ,
.
, , , ( Superfetch)
( ) ,
10 .
PspUserThreadStartup ,
cookie- SharedUserData.
454 5. ,
, , , DPC . cookie-
,
.
, PspUserThreadStartup
(initial thunk)
(LdrInitializeThunk Ntdll.dll),
thread startup stub (RtlUserThreadStart Ntdll.dll).
,
. LdrInitializeThunk
, , NLS-,
thread-local storage (TLS) fiber-local storage (FLS),
.
DLL DLL_PROCESS_
ATTACH DLL.
, NtContinue

.
RtlUserThreadStart . .
. -, Ntdll.
dll ,
. (
, ..)
-, ,
,
Ntdll.dll Kernel32.dll.

.
SetUnhandledExceptionFilter, .
:
,
, Process Monitor, -
, .

,
, Superfetch,
- , DLL- .
Notepad.exe
(Cmd.exe). ,
CreateProcess 455
Cmd.exe, Notepad.
exe. ,
CreateProcess,
, .
, Process
Monitor: Cmd.exe Notepad.exe
. ,
, ,
. .
, (
Capture Events File),
. (
File CTRL+E
), Notepad.exe . Windows-
- 500 1500 .
Sequence () Time Of Day ( ),
. .
456 5. ,
1 CreateProcess, ,
Cmd.exe HKLM\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution

Options. ,
Notepad.exe , .
, , Process Monitor, ,
, , , ,
. RegOpenKey
Stack ().
32- Windows-.
, , (
NtCreateUserProcess),
PspAllocateProcess.
, , . ,
, , ,
.
CreateProcess 457
Side-By-Side,
Manifest MUI/Language, . , -
.sdb, . -
,
- .
(Notepad) Microsoft ,
.
, Notepad.
,
. Notepad.exe Ntdll.
dll, ,
Notepad,
.
,
, Notepad. ,
,
,
. , , DLL-.
DLL-,
DLL-,
, ,
.
DLL-, ,
.
458 5. ,
, , ,
. ,
LdrpInitializeProcess, , ,
,
.
, , kernel32.dll, .
459
, , WinMain Notepad,
, .
,
, ,
.

,
. , ,
,
( 2).

Windows
.
ETHREAD, , , KTHREAD. .5.8. ETHREAD
, ,
, thread
environment block (TEB), (- , , ).
Windows (Csrss) , ,
CSR_THREAD. , USER- GDI-
Windows, ,
(Win32k.sys), (
W32THREAD), KTHREAD.
, , ,
Win32k KTHREAD, ETHREAD,

.
, .5.8, .
ETHREAD, Tcb (Thread control block
), KTHREAD.
, , ,
( -,
), ,
460 5. ,
(KTHREAD)

EPROCESS

ALPC-

-

System

APC-

,
TEB
. 5.8.

, ,
Asynchronous Local Procedure Call (ALPC) -. .
ETHREAD
dt, .
,
: KTHREAD TEB. KTHREAD ( Tcb ETHREAD) ,
Windows , .
461
: ETHREAD KTHREAD
ETHREAD KTHREAD dt .
ETHREAD 32- :
lkd>dtnt!_ethread
nt!_ETHREAD
+0x000 Tcb
: _KTHREAD
+0x1e0 CreateTime
: _LARGE_INTEGER
+0x1e8 ExitTime
: _LARGE_INTEGER
+0x1e8 KeyedWaitChain
: _LIST_ENTRY
+0x1f0 ExitStatus
: Int4B
...
+0x270 AlpcMessageId
: Uint4B
+0x274 AlpcMessage
: Ptr32 Void
+0x274 AlpcReceiveAttributeSet : Uint4B
+0x278 AlpcWaitListEntry
: _LIST_ENTRY
+0x280 CacheManagerCount
: Uint4B
KTHREAD
dt nt!_ETHREAD Tcb, EPROCESS KPROCESS:
lkd>dtnt!_kthread
nt!_KTHREAD
+0x000 Header
+0x010 CycleTime
+0x018 HighCycleTime
+0x020 QuantumTarget
...
+0x05e WaitIrql
+0x05f WaitMode
+0x060 WaitStatus
:
:
:
:
_DISPATCHER_HEADER
Uint8B
Uint4B
Uint8B
: UChar
: Char
: Int4B
: !thread
!thread
. ,
, - ,
, , , -
, , , .

!process (
), !thread
.
TEB, .5.9, , ,
462 5. ,
( ). ,
TIB (Thread Information
Block), OS/2 Win9x.

TIB (Initial TIB).

TIB

RPC
PEB
LastError

User32
GDI32
OpenGL
TLS
Winsock
. 5.9.
:
, Tlist
Debugging Tools for Windows. ,
Win32StartAddr. , CreateThread
. , Process Explorer,
,
( Ntdll.dll), , .
C:\Program Files\Windows Kits\8.0\Debuggers\x86>tlist winword
3232 WINWORD.EXE
648739_Chap05.docx - Microsoft Word
CWD:
C:\Users\Alex Ionescu\Documents\
CmdLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Alex
Ionescu\Documents\Chapter5.docx
VirtualSize:
531024 KB
PeakVirtualSize:
585248 KB
WorkingSetSize:122484 KB
PeakWorkingSetSize:181532 KB
NumberOfThreads: 12
463
2104 Win32StartAddr:0x2fde10ec LastErr:0x00000000 State:Waiting
2992 Win32StartAddr:0x7778fd0d LastErr:0x00000000 State:Waiting
3556 Win32StartAddr:0x3877e970 LastErr:0x00000000 State:Waiting
912 Win32StartAddr:0x74497832 LastErr:0x00000000 State:Waiting
1044 Win32StartAddr:0x389b0926 LastErr:0x00000583 State:Waiting
1972 Win32StartAddr:0x694532fb LastErr:0x00000000 State:Waiting
4056 Win32StartAddr:0x75f9c83e LastErr:0x00000000 State:Waiting
14.0.5123.5000 shp 0x2FDE0000 C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
6.1.7601.17725 shp 0x77760000 C:\Windows\SYSTEM32\ntdll.dll
6.1.7601.17651 shp 0x75CE0000 C:\Windows\system32\kernel32.dll
TEB DLL- Windows. , ,

.
, ,
. TEB
!thread.
: TEB
TEB
!teb. :
kd>!teb
TEB at 7ffde000
ExceptionList:
StackBase:
StackLimit:
SubSystemTib:
FiberData:
...
PEB Address:
LastErrorValue:
LastStatusValue:
Count Owned Locks:
HardErrorMode:
019e8e44
019f0000
019db000
00000000
00001e00
7ffd9000
0
c0000139
0
0
CSR_THREAD, .5.10,
CSR_PROCESS, . , , ,
Csrss-
Windows, .
CSR_THREAD , Csrss , CSR_PROCESS.
.
464 5. ,
CSR_THREAD

CSR_THREAD
CSR_WAITBLOCK
. 5.10. CSR-
: CSR_THREAD
CSR_THREAD !dt, Csrss.
, ,
CSR_PROCESS. :
0:000> !dt v 001c7630
PCSR_THREA @ 001c7630:
+0x000 CreateTime
+0x008 Link
+0x010 HashLinks
+0x018 ClientId
+0x020 Process
+0x024 ThreadHandle
+0x028 Flags
+0x02c ReferenceCount
+0x030 ImpersonateCount
:
:
:
:
:
:
:
:
:
_LARGE_INTEGER 0x1cb9fb6'00f90498
_LIST_ENTRY [ 0x1c0ab0 - 0x1c0f00 ]
_LIST_ENTRY [ 0x75f19b38 - 0x75f19b38 ]
_CLIENT_ID
0x001c0aa0 _CSR_PROCESS
0x000005c4
0
1
0
, W32THREAD, .5.11, WIN32PROCESS, .

W32 THREAD
ETHREAD

DC-

. 5.11. Win32k
465
,
GDI ( DC-), User Mode Print Driver framework (UMPD),
.
, .
: W32THREAD
W32THREAD !thread, Win32Thread . , dt, KTHREAD
Win32Thread,
. , W32THREAD
GUI-, , , ,
W32THREAD. -
W32THREAD , dt:
dt win32k!_w32thread ffb79dd8
+0x000 pEThread
: 0x83ad4b60 _ETHREAD
+0x004 RefCount
: 1
+0x008 ptlW32
: (null)
+0x00c pgdiDcattr
: 0x00130740
+0x010 pgdiBrushAttr
: (null)
+0x014 pUMPDObjs
: (null)
+0x018 pUMPDHeap
: (null)
+0x01c pUMPDObj
: (null)
...
+0x0a8 bEnableEngUpdateDeviceSurface : 0 ''
+0x0a9 bIncludeSprites : 0 ''
+0x0ac ulWindowSystemRendering : 0

, .
Windows,

(KTHREAD). Windows- CreateThread Kernel32.dll
Windows:
1. CreateThread Windows API ,
(OBJECT_ATTRIBUTES).
2. CreateThread : client ID TEB.
CreateThread , .
3. NtCreateThreadEx, ,
466 5. ,
4.
5.
6.
7.
. PspCreateThread (.
CreateProcess, 3 5).
CreateThread , (side-by-side assembly). , , ,
.
TEB .
CreateThread Windows ,
.
, 3.
, CREATE_SUSPENDED,
.
, ,
, ,
7. .

,
, ,
(, Svchost.exe, Dllhost.exe Lsass.exe).
Windows-
: WinDbg ( ), (Performance
Monitor) Process Explorer (. ).
Process Explorer
(
Process (), Properties ()).
Threads ().
. (ID) , ( ),
, , .
.
,
. Options (), Difference Highlight Duration
( ). ( , , ).
Process Explorer , , , ,
467
, , ,
, .
Kill (), , .
Suspend (),
,
, - .
,
, Kill. , Permissions ()
(. 6).
, .
Process Explorer . ,
,
( ) , .
, , , ,
0%. ,
,
. ,
Windows . (
.)
!,
.exe .dll. (. 1, :
Process Explorer, . 27). , Module (). Explorer
,
(, .exe .dll).
, Windows- CreateThread, Process Explorer

, CreateThread, . , Windows
- (RtlUserThreadStart Ntdll.dll).
Process Explorer , ,
, ,
. Process Explorer ,
( ),
-, , RtlUserThreadStart.
468 5. ,
,
, .
,
(, ,
). , .
( Stack ()). Process
Explorer ( , ,
).
(WinDbg, Ntsd Cdb)

. WinDbg
.
, .
Microsoft Office PowerPoint. ,
PowerPoint Process Explorer,
. .5.12.
. 5.12. PowerPoint
, PowerPoint ( 10)
Mso.dll, OpenPrinterW Winspool.drv. Winspool.
drv OpenPrinterRPC,
DLL- RPC, ,
. ,
PowerPoint , , , , . , ,
PowerPoint ( Microsoft Office
). , .
, 32- , 64- Wow64 (. 3), Process Explorer -
469
32-, 64- .
64- , 64-
64- Wow64.
Wow64 32-, 64- . Wow64 Microsoft Office
Word 2007 .5.13. ,
, 32- 32- . , ,
64 .
. 5.13. Wow64
,

, , ,
,
, .
. , ,
, - Windows-, ,
.

THREAD_SUSPEND_RESUME
THREAD_SET/
QUERY_LIMITED_ INFORMATION.
470 5. ,
:

, Process Explorer
. Process Explorer ,
, , ,

.
Audiodg.exe. , ,
Windows, , ,
.
Performance (). WS Private, WS Shareable WS Shared,
0, - . THREAD_QUERY_INFORMATION
THREAD_QUERY_LIMITED_INFORMATION.
, Threads (). ,
Process Explorer Win32
, Ntdll.dll. Stack ()
, Process Explorer , .
, , Base Dynamic, I/O Memory ,
( ) 471
,
.
Audiodg.exe
,
THREAD_TERMINATE.
( )
,
.
Ntdll.dll, Windows API
, ,

.
,
, , , Windows
, ,
, . , API- , . ,
Ntdll.dll API-,
.
, ,
, TpWorkerFactory, (NtCreateWorkerFactory, NtWorkerFactoryWorkerReady,
NtReleaseWorkerFactoryWorker, NtShutdownWorkerFactory), - (NtQueryInformationWorkerFactory NtSetInformation
WorkerFactory) (NtWaitForWorkViaWorkerFactory).
,
TpWorkerFactory,
, ,
. , Windows API,
Ntdll.dll, ,
( TP_WORK), Ntdll.
dll, .
, (
), ( ,
), .
,
, , .
472 5. ,

, , ,
.
:
-
, (
500 ).
(
, , ALPC-,
) , .
- (IRP-), .
.
10 ( ).
, , .
Windows Server
,
.
, ,
( ).
, Ntdll.dll. (, ,
.) ,
.
Windows, -, ,
, kernel queues (KQUEUE).
,
. -
,
API-
-. , , ( )
IoSetIoCompletionEx, ,
IoRemoveIoCompletion.
.
,
, , - ,
( ) 473
,
,
.
, , ,
, ,
, .
, API- NtQueryInformationWorkerFactory
.
:
-
,
, ALPC- (

). , , Process
Explorer. , :
1. Process Explorer View () Show
Unnamed Handles And Mappings ( ). , Ntdll.dll
,
.
2. Lsm.exe . ,
(View (), Show Lower Pane ( )) (View (), Lower Pane
View ( ), Handles ()).
3. ,
Select Columns ( ). , Type (), , .
4. , Type (), TpWorker
Factory.
474 5. ,
, TpWorkerFactory IoCompletion ( ; , Handle
()). , ,

-, .
5. Lsm.exe
Threads ().
( )
Lsm.exe ( )
.
TppWorkerThread,
Ntdll.dll.
6. Ntdll.dll
(TppWorkerThread)
, .
Wait
State ,
, .
LPC-, (. .
. 475).
Lsm.exe LPC-.
LPC , Smss Csrss,
,
475
LPC . (
,
LPC.)
, ,
, .
, , .
, API-
Ntdll.dll.

Windows-.

Windows .
Windows API, Windows.
Windows,
,
, Windows,
, .
Windows
Windows , ,
()
476 5. ,
, , , ,
. .
, 64.
(
Windows, 64),
,
API- ,
.
, ,
,
. , , API- ,
. ,
.
:

!ready. , . , 32- ,
8
10, 9 8 . ,
,
( 857d9030 0, 857c0030 1), ,
,
, .
.
kd>!ready
Processor 0: Ready Threads at priority 8
THREAD 857d9030 Cid 0ec8.0e30 Teb: 7ffdd000
THREAD 855c8300 Cid 0ec8.0eb0 Teb: 7ff9c000
THREAD 857c0030 Cid 04c8.0378 Teb: 7ffdf000
THREAD 87fc86f0 Cid 0ec8.04c0 Teb: 7ffd3000
THREAD 88696700 Cid 0ec8.0ce8 Teb: 7ffa0000
THREAD 856e5520 Cid 0ec8.0228 Teb: 7ff98000
THREAD 85609d78 Cid 0ec8.09b0 Teb: 7ffd9000
THREAD 85fdeb78 Cid 0ec8.0218 Teb: 7ff72000
Win32Thread: 00000000 READY

Win32Thread: fef7f8c0 READY
477
, , . ,
,
.
:
( ,
).
,
.
, Windows
:
, .
!
Windows . , ,
, . ,
, .
:
,
- ,
,
.
,
, Windows .
,
, .
Windows ,
, , ,
.
,
.
,
,
.
, Windows . , ,
, ,
.
478 5. ,
, , .
, 10 ,
2 12 ,

, Windows 50 % .

, ,
, Windows. .5.14,
Windows 32 , 0 31.
:
( 16 31);
( 0 15), 0 -
.
31
16
16
15
16
1
0

( , )
. 5.14.
:
Windows API Windows. Windows API ,
( PROCESS_PRIORITY_CLASS,
): Real-time (4), High (3),
Above Normal (7), Normal (2),
Below Normal (5) Idle (1).

. ,
: Time-critical (15),
Highest (2), Above-normal (1),
Normal (0), Below-normal (1), Lowest (2)
Idle (15).
479
Windows API ,
.
PspPriorityTable PROCESS_
PRIORITY_CLASS, 4, 8, 13, 14, 6 10 .
( , .)
. , Highest-
, .
Windows-
Windows . 5.3.
5.3. Windows Windows API
/

Realtime
High
Above
Normal
Below
Normal
Idle
Time Critical (+ )
31
15
15
15
15
15
Highest (+2)
26
15
12
10
Above Normal (+1)
25
14
11
Normal (0)
24
13
10
Below Normal (1)
23
12
Lowest (2)
22
11
Idle ( )
16
, Time-Critical
Idle ( Realtime). , Windows API
(saturation) 16 16
( 15 15).
, KTHREAD
Saturation. ,

( )
. ,

, .
,
: .
.
, ,
( 0 15). Windows
( 16 31),
.

. -
480 5. ,
, .
CreateProcess
.
SetPriorityClass
, , Process
Explorer (
). , ,
, . ,
, .
, (normal), 8. Windows
(, , )
, , Normal (8).
,
, 8.

, ,
,
. ,
Windows, , , ,
,
(, , - ).
,
( ) Windows API-
. ,

. , API- SetThreadPriority
API- NtSetInformationThread
ThreadBasePriority,
. ,
Windows API 2 2 ( ), CSRSS . , ,
- 16 31,
, Windows API
.
API- ThreadActual
BasePriority -
481
,
.
. 5.15,
interrupt request levels (IRQL), Windows
, , . ,
Windows
, .

.5.15 (IRQL) 32-
. IRQL 0 (
, ) IRQL 1 (APC-).
.

(

).
IRQLs
031
31
High
30
Power fail
29
Inter-processor interrupt
28
Clock
27
Profile
26
Device n
Device 1
DPC/dispatch
APC
Passive
. 5.15. IRQL- x86
, ,
APC, IRQL
, , ,
, -.
IRQL dispatch ,
482 5. ,
, ,
IRQL dispatch.
dispatch- ,
.
, , APC-,
APC- ,
IRQL APC-, APC-
(. 3). APC- , , ;
APC- . ,
APC-, ,
passive.

Process Explorer. Process Explorer, .
,
(Performance Monitor), Process Explorer
WinDbg.
- ,
, ,
(),
.

start Windows.
, , , start,
cmd /c.
, . , (Notepad) low, cmd /c start /low Notepad.exe.
:
js
:
1. start /
realtime notepad. (Notepad).
2. Process Explorer Notepad.exe . Notepad.exe,
, Threads (),
. ,
Notepad 24.
, .
483
3. . Ctrl+Shift+Esc, ,
(Processes).
Notepad.exe (Set Priority).
, Notepad
(Realtime).
484 5. ,
Windows
Windows Server 2008 R2 Enterprise Edition Windows Server 2008 R2
Datacenter Edition ,
Windows Windows
System Resource Manager (WSRM). ,
, ( ,
). , WSRM ,
.
(
), .

.
WSRM
,
.
SetProcessWorkingSetSizeEx,
.
, . ,
WSRM ,
. ,
. ,
WSRM Address Windowing Extensions (AWE),
( ).

,
, . :
(Ready). ,
( ).
,
.
, (Deferred ready). , , . ,

.
485
(Standby). -
.
,
.
. ,

, , , ,
, ,
.
(Running). , .
, (
),
, , .
(Waiting).
:
,
(, -),
. ,
, .
(Transition). , , .
,
.
(Terminated). ,
. , (
) (,
, ).
(Initialized).
.
. 5.4 ,
.5.16 . ( .) Ready, Standby Deferred Ready .
, Standby Deferred Ready
.
,
Ready, Running Waiting.
.
KiSearchForNewThread
KiSelectNextThread
Standby
Ready
Running
Ready
Init
Init
Running
Standby
Terminated Waiting
5.4.
Transition
Ki-DeferredReady-Thread

Deferred Ready

(KeStartThread)
Psp-InsertThread
Deferred Ready

Psp-InsertThread
Tran
sition
Waiting
Termi
nated
(
)

transition

.

Running
KeTerminateThread
488 5. ,
Init (0)
Ready (1),
Standby (3),
Deferred ready
(7)
Transition (6)
Running (2)
Terminate (4)
Waiting (5)
. 5.16.
:
Windows (Performance).
,
, .

(Performance) :
1. (Notepad.exe).
2. (Performance),
(Start) (All Programs),
(Administrative Tools), (Performance Monitor).
(Monitoring Tools),
(Performance Monitor).
3. , -
.
4.
(Properties).
5. (Graph) (chart vertical scale
maximum) 7. ( , 0 7.)
OK.
6. (Add),
(Add Counters).
489
7. (Thread),
(Thread State).
(Show Description),
.
8. (Instances) < > (<All instances>) Notepad (Search). ,

(notepad/0); (Add).
9. ,
(Instances), Mmc ( Microsoft Management Console,
), (mmc/0, mmc/1 . .),
, (Add).
.
490 5. ,
10. (Add Counters),
OK.
11. Notepad (
), 5. , 7,
(
GUI-).
12. , Mmc (
) ( 2). , ,
.
13. Notepad (
), Mmc
,
.

, ,
(.5.17). , .
491
.5.17, , , Windows
. ,
, ,
.
31
31
31
31
. 5.17. Windows
,

processor control block (PRCB). ( PRCB, dt nt!_kprcb.)
, PRCB.
(DispatcherReadyListHead)
, . 32
. ,
Windows 32- ,
(ReadySummary).

. ( 0 ..)
492 5. ,
, ,
(
),
. , , ,
Windows O(1) .
IRQL
DISPATCH_LEVEL (. 3, ). IRQL
,
IRQL 0 1.
IRQL ,
IRQL
(. ).

, ,
, Windows
, .
, , Windows
.
Windows (clock intervals),
12 .

. ,
, .
. HAL, .
, x86 (
Windows )
10,
x86 x64 15. KeMaximumIncrement .
, - ,
,
. , ,
, , (
KiCyclesPerClockQuantum).
( -
493
) ,
( KeMaximumIncrement).
,
,
, , , ,
, .

, , ,
,
. ,
,
.
:
Windows- GetSystem
TimeAdjustment. Clockres Windows
Sysinternals (www.microsoft.com/technet/sysinternals). ,
64- Windows 7,
:
C:\>clockres
ClockRes v2.0 - View the system clock resolution
Copyright (C) 2009 Mark Russinovich
SysInternals - www.sysinternals.com
Maximum timer interval: 15.600 ms
Minimum timer interval: 0.500 ms
Current timer interval: 15.600 ms

(KPROCESS) .
(KTHREAD), .
(
, ),
, .
,
, .
(
) , .
, , .
494 5. ,

. (, .) , Windows
6 (2 3)
36 (12 3). KiCyclesPerClockQuantum
,
, .
,
, , ,
Windows,
Windows Vista.
. ,
. , , ,
, ,
, .
,
, .
:

Windows - , ,
,
, WinDbg :
1. ,
Windows. , PRCB-
MHz, !cpuinfo.
Intel, 2829,
:
lkd> !cpuinfo
CP F/M/S Manufacturer MHz PRCB Signature
MSR 8B Signature Features
0 6,15,6 GenuineIntel 2829 000000c700000000 >000000c700000000<a00f3fff
1 6,15,6 GenuineIntel 2829 000000c700000000
a00f3fff
Cached Update Signature 000000c700000000
Initial Update Signature 000000c700000000
2. ().
,
. 2829000000 .
3. clockres
.
. , ,
15,600100.
495
4.
. 1000, , 3, 1000.
0,0156001 .
5. , 2. 44132682,9 .
6. ,
, . 14710894, 0xE0786E .
, ,
2829 , 15.
7. ,
KiCyclesPerClockQuantum . .
lkd> dd nt!KiCyclesPerClockQuantum L1
81d31ae8 00e0786e

,
: (2 , ,
) (12 , ,
).
, ,
. .
(Computer) Windows Explorer

(Properties),
(Advanced System Settings),
(Advanced), Settings ()
(Performance) , , (Advanced).
.5.18.
: (Programs), , ,
Windows.
Terminal Services
, ,
,
.
, Windows Server
.
: ,
(Background Services) , -
496 5. ,
. 5.18.
(Performance Options)
, .
. ,
,
,
. , , ,
, : ,
(Background Services),
: (Programs).
, :
(Programs) , ,
.

, PspForeground
Quantum, PspComputeQuantum,
(PspVariableQuantums). ,
, (
, ). ,
, ,
. ,
.
,
, , ,
: -
497
( 2) .
, ,
. Windows
,
, 2, 2
, , .
. 5.5 (, , ),
.
5.5.

18
12
18
12
24
36
18
18
36
36
36
, , , ,
, :
, ,
,
. ,
,
, , ,
, (
, ,
).
,

PriorityControl\Win32PrioritySeparation. ( ),
, ,
(, , , , ). 6,
, .5.19.
, .5.19, :
. 1 , -
2 . 0 3 ,
,
(
).
498 5. ,
. 1
, , . 0 3 ,
,
(
).
. (
PsPrioritySeparation) ( 2),
.
. 5.19. Win32PrioritySeparation
,
(Performance Options), .5.18,
: ,
,
. , Win32PrioritySeparation.
, , ,
(idle),
(2 ), ,
, .
Windows Server, ,
Win32PrioritySeparation 26, ,
(Performance Options)
: (Programs).

Windows, , .
499
Windows , ,
Win32PrioritySeparation 2.
(Short vs. Long) (Variable vs. Fixed)
,
( ,
). (Priority Separation)
2. (Performance Options),
.
:
(Kd WinDbg), ,
, ,
PsPrioritySeparation PspForegroundQuantum, QuantumReset . :
1. (System) (Control
Panel) (
(Properties)).
(Advanced
System Settings), (Advanced),
(Settings) (Performance) , , (Advanced). :
(Programs) (Apply).
.
2. PsPrioritySeparation PspForegroundQuantum,
. ,
Windows 1. , , , , , 2:
lkd> dd PsPrioritySeparation L1
81d3101c 00000002
lkd> db PspForegroundQuantum L3
81d0946c 06 0c 12
...
3. QuantumReset
. ,
.
, KPROCESS.
, 6, WinDbg,
, ,
PspForegroundQuantum:
lkd> .process
Implicit process is now 85b32d90
lkd> dt nt!_KPROCESS 85b32d90 QuantumReset
nt!_KPROCESS
+0x061 QuantumReset
: 6 ''
500 5. ,
4. , 1, (Performance),
: ,
(Background Services).
5. , 2 3.
,
:
lkd> dd nt!PsPrioritySeparation L1
81d3101c 00000000
lkd> db nt!PspForegroundQuantum L3
81d0946c 24 24 24
lkd> dt nt!_KPROCESS 85b32d90 QuantumReset
nt!_KPROCESS
+0x061 QuantumReset
: 36 '$'
$$$

Windows ,
.
( , ) . ,
.
,
( ):
(
).
- ( ).
(
).
( ).
,
( ).
, , , .
Windows
( 16 31).
. Windows ,
, .
Windows
, .
,
501
. , MultiMedia Class Scheduler Service (MMCSS),

, (
API-, ).
.
,
MMCSS , .

KiExitDispatcher
KiProcessThreadWaitList, KiCheckForThreadDispatch,
, , .
,
,
. AdjustUnwait, ,
,
:
APC-.
.
,
.
.
.
.
, , ,
UMS- UMS-.
, API (,
SetEvent),
. Windows , .
2, API-
,
.
AdjustBoost,
.
, ,
X, -
502 5. ,
<= X.
( X), ,
, ,
X. , ,
. AdjustBoost
:
, KeSetEventBoostPriority,
- ERESOURCE;
, KeSignalGateBoostPriority,
,
, (unwait boosts),
,
( Ready), , ,
( Running).
, ,
, , , ,
,
Ready. , .
Windows
, ,
API-, KeSetEvent KeReleaseSemaphore, , MUTANT_INCREMENT EVENT_INCREMENT.
1,
, ,
, , 1. API ,
, NtSetEvent,
. , API- Ke, _INCREMENT.
-
: ,
, .
, APC- .
APC-,
-.
. ,
.
503
+1
, ,
.
,
. , ,
, : 4, 8, 5
.

. ,
NT-,
( ). ,
, ,
.
, ,
,
ERESOURCE, .

, . , ,
,
,
.

(ERESOURCE) ,
, . , ,
,
AdjustBoost. AdjustIncrement (
) , GUI. KiExitDispatcher,
KiRemoveBoostThread,
( KiComputeNewPriority). ,
(lock convoy), ,
, .
, -, ,
(, , , -), -
504 5. ,
- . ,
,
, , ,
( ).
,
, ,
,
, .
-
Windows -, , -,
, .

Windows Driver Kit (WDK) ( #define IO
Wdm.h Ntddk.h),
. ( . 5.6.)
-
IoCompleteRequest. .5.6
, - , , .
5.6.
, -,
,
, , , - 2

,
, -
, , . ,
API- IoCompleteRequest
APC ( -), ( -). IoCompleteRequest,
, IO_DISK_INCREMENT ,
KeInsertQueueApc ,
IO_DISK_INCREMENT. , -
APC, , 1.
, , , Microsoft,
, . ,
, , -
505
, , , ,
8, , .
-
Windows -, Microsoft,
IoCompleteRequest. ,
RAID SATA , ,
StorPortCompleteRequest.
, Storport.sys
.
, Windows (
FILE_DEVICE_DISK_FILE_SYSTEM FILE_DEVICE_NETWORK_FILE_
SYSTEM), IO_DISK_INCREMENT,
IO_NO_INCREMENT. ,
.
, 1
,
,
( ) ,
. , , ,
,
24 , 40 ,
- .

(ERESOURCE),
, , .

, , .
,
,
, , 14 (
, , 14),
.
,
, ,

. , , -,
506 5. ,
. ,

Disable Boost,

.
, . ,
,
- 14,
, . -
(
), , .
,
, - .
, ,
, , .

,
, (
) PsPrioritySeparation.
( ,
.) , PsPrioritySeparation ,
.
.
: ,
,
.
:

CPU Stress ( - http://
live.sysinternals.com/WindowsInternals), . :
1. (System) (Control Panel)
( (Properties)).
(Advanced System Settings),
(Advanced),
(Settings) (Performance) ,, (Advanced).
507
2.
3.
4.
5.
6.
: (Programs). ,
PsPrioritySeparation 2.
Cpustres.exe 1
(thread 1) Low Busy.
(Performance),
(Monitoring Tools),
(Add Counter) (
Ctrl+N),
(Add Counters).
(Thread),
(Priority Current).
(Instances) < > (<All Instances>)
(Search). , CPUSTRES.
( 1). ( GUI.)
.
7. (Add), OK.
8. (Action) (Properties). (Graph)
: (Vertical Scale Maximum) 16,
(General) (Graph Elements)
(Sample Every) 1.
508 5. ,
9. CPUSTRES .
, CPUSTRES 2, .
10. , CPUSTRES 2,
, 25 %
, . ( Busy.) .
Activity level ( ) Maximum (-
509
), , Maximum
CPUSTRES .
, .
11. ,
CPU Stress.
GUI-
-
2 - , . (Win32k.sys)
, KeSetEvent , GUI-.
.
:
GUI-
GUI-
, GUI-
2
. :
1. (System) (Control
Panel) (
(Properties)).
(Advanced
System Settings), (Advanced),
(Settings) (Performance) , ,
(Advanced). , : (Programs). ,
PsPrioritySeparation 2.
2. (Start) ,
(All Programs) (Accessories)
(Notepad).
3. (Performance),
(Start) (All Programs)
(Administrative Tools) (Performance Monitor).
(Monitoring Tools)
4. (Add Counter) (
Ctrl+N),
(Add Counters).
5. (Thread),
(Priority Current).
6. (Instances) Notepad, (Search). , Notepad/0. ,
(Add), OK.
510 5. ,
7. , (Action),
(Properties). (Graph) :
(Vertical Scale Maximum) 16, (General)
(Graph Elements) (Sample Every) 1 OK.
8. 0 Notepad 8 10.
Notepad ,
2, ,
10 8.
9. (Performance
Monitor) (Notepad).
( .) ,

10, 9. ( ,
8 , , GUI- 2 ,
,

2.)
10. . ,
12 ( 11,
), : 2,
GUI-
, 2,
.
11. ( ,
- ), ,
11 ( 10 ), ,
.
2 ,
,
.
12. ,
(Performance Monitor) (Notepad).
,
(CPU Starvation)
: 7, 4 - , 11 -
, 4.
7
, 4
, , 11. Windows
?
511
, -,
.
, ,
. Windows , ( ,
).

, ( )
4. ,
15 3 .
,
.
,
,
, 4 .

, .
16 ; ,
, , . ,
10, 10 ,
( ), .
, Windows , O(1).
, , ,
.

, . ,
,
.
?
, . ,
, , ,
.
512 5. ,
:

, CPU Stress,
. .
:
1. Cpustres.exe. ( Thread 1) Low Maximum. Normal
Below Normal.
.
2. (Performance),
(Monitoring Tools),
3. (Add Counter) (
Ctrl+N),
(Add Counters).
4. (Thread),
(Priority Current).
5. (Instances) CPUSTRES, (Search). , ,
(thread1). ( GUI-.) .
513
6. (Add), OK.
7. (Performance
Monitor) ,
(Task Manager), (Processes)
Mmc.exe. , (Set Priority),
(Realtime). (
,
(Yes).)
, : (Set
Affinity). , 0.
8. CPU Stress. Thread 1 Low
Maximum.
9. (Performance
Monitor).
,
15 .
, , Ctrl+F, Ctrl+U,
.
Ctrl+U.
,
CPU Stress.
514 5. ,
:
, ,
, :
1. - , MMCSS ( ), Multi
Media Class Scheduler Service, ,
(Start), (Programs), (Administrative Tools), (Services).
2. Windows Media Player ( -
) a-
.
3. Cpustres
Thread 1 Maximum.
4. (Task Manager) Windows Media Player, Cpustres
.
5. Thread 1 Cpustres Normal
Time Critical.
6. ,
.
7. ,
15
,
.
8. Cpustres Windows Media Player
MMCSS.

KiExitDispatcher, , KiProcessThreadWaitList,
. , . ,
DeferredReady, (
Active Bypassed),
: AdjustReason AdjustIncrement. (Adjust), ,
, .
KiDeferredReadyThread, : ,
, ; , .
,
, ,
.
515
, (AdjustUnwait), ,

SetThreadPriorityBoost, DisableBoost
KTHREAD. , , , ,
( ,
, ), ,
.
,
AdjustIncrement . , ,
( ,
MEMORY_PRIORITY_FOREGROUND, Win32k.sys
),
(PsPrioritySeparation) .
, .
, , ,
15 ,
.
.
,
ForegroundBoost KTHREAD,
PriorityDecrement .
, AdjustBoost, , AdjustIncrement
( , )
13 . , , AdjustIncrement
, 13. UnusualBoost KTHREAD,
PriorityDecrement , .
, PriorityDecrement,
, ,
KiLockQuantumTarget. , , ,
, ( ), .
AdjustBoost, 13
14 .
, AdjustReason
AdjustNone.
516 5. ,

KiDeferredReadyThread
( ) .
.
AdjustNone , ,
, - , ,
, ,
. , . AdjustUnwait AdjustBoost
, ,
, (
, ). ,
14 , ,
PriorityDecrement ,
, ,
.
, ,
,
( PriorityDecrement) , , . ,
, (
). , ,
, ,
. , AdjustUnwait
. , , ,
.
,
KiRemoveBoostThread. ,
, ,
, ,
( ).
- DPC-, , ERESOURCE.
, ForegroundBoost
UnusualBoost, PriorityDecrement
GUI-,
, . , Windows 7, , , ,
,
.
517
.5.20 , .
( )
. 5.20.

, ,
Windows,

, , , Windows Media Player
3D.

Windows,
Windows ,
.
Windows MMCSS,
, , - .
MMCSS , :
;
;
;
;
;
;
.
518 5. ,
MMCSS, (
, ), , HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\
SystemProfile. , SystemResponsiveness , MMCSS .
, , .
Scheduling Category,
, , MMCSS. . 5.7 .
5.7.
High ()
2326
(Pro Audio), , ,
Medium
()
1622
, ,
Windows Media Player
Low
()
815
17
Exhausted
( )
,
, ,

, MMCSS,
,
. Exhausted,
, ,
.
80%
, 20% (
10, 8 2).
MMCSS 27, Pro Audio-
Exhausted.
, - KTHREAD
(MMCSS , ), - .
,
,
, .
519
, , ,
, ,
. ,
MMCSS
, , MMCSS

( , ).
: ,
MMCSS
, , MMCSS. , (Performance), Windows
Media Player.
1. Windows Media Player ( API-,
MMCSS) -
.
2. , Wmplayer.exe,
(
CPUSTRES).
3. (Performance),
(Start) (All Programs)
(Administrative Tools) (Performance Monitor).
(Monitoring Tools)
4. (Add Counter) (
Ctrl+N),
(Add Counters).
5. (Thread),
(Priority Current).
6. (Instances) Wmplayer, (Search),
. (Add),
OK.
7. , (Action)
(Properties). (Graph) : (Vertical
Scale Maximum) 31, (General) (Graph Elements)
(Sample Every) 1 OK.
Wmplayer 21,
, , ,
Exhausted.
8. Cpustres
Thread1 Maximum.
520 5. ,
9. Thread 1 Normal Time Critical.
10. ,
. .
Cpustres.
11. (Performance)
Cpustres, , Highest,
Time Critical. ,
MMCSS.
Exhausted
,
(CPUSTRES), , 21
Wmplayer ,
.
MMCSS . - Windows
NDIS- deferred procedure calls (DPC)

. DPC-
IRQL- , (. 3),
-
, ,
.
521
MMCSS ,
,
.
( ,
, , ).

, .
,
1000/,
( ). MMCSS Microsoft
.

.
:
.
.
, (
).
,
( ) ,
KTHREAD .
,
. ,
, . APC- ,
, ,
IRQL (. 3). , .

Windows ?
, ?
,
, .

, -
522 5. ,
(, , , -, , , ..) Windows-
(WaitForSingleObject WaitForMulti pleObjects).
.5.21 , , Windows
. () ,
( ,
).
, ,
,
, .

20
19
18
17
16
15
14

. 5.21.
,
.
:
. ( -
.)
.
Windows ,
, ,
.
,
, .
.5.22.
523
18
17
16
15
14
13
. 5.22.
, , , , , .
.
.5.22 18
, ( 16) .
, ,
; ,
.

, Windows , , ,
.
, Windows . (,
, ,
.)

, Windows
(
). .5.23.
,
.
524 5. ,

15
14
13
12
11
. 5.23.
, , , Windows
.
, Windows
, .
, , :
. ( -
,
.)
, - . , , .
, , .
, ,
.
(
).

. , ,
, , , , -
. ( ,
, .)
,
, , .
.5.24.
Windows
, ,
( ),
525

A
. 5.24.
Windows
,
, ,
Windows, .
:
.
, - -
. ,
, .
, , .
, ,
,
.
, , ,
, , .

, . .
A ,
.
.5.25.

. 5.25. Windows
526 5. ,

(
, ExitThread,
TerminateThread),
. , ,
.

, , Windows
. , ,

,
.
PRCB- .
.
. , ,
EPROCESS/KPROCESS ETHREAD/KTHREAD,

. .
( !process
0 0.)
.
:

!pcr. PCR processor control
region .
PCR, processor control block (PRCB). !pcr
, , PCR .
0,
, !pcr 0 .

, 64-, :
3: kd> !pcr 0
KPCR for Processor 0 at fffff800039fdd00:
Major 1 Minor 1
NtTib.ExceptionList: fffff80000b95000
NtTib.StackBase: fffff80000b96080
NtTib.StackLimit: 000000000008e2d8
NtTib.SubSystemTib: fffff800039fdd00
NtTib.Version: 00000000039fde80
527
NtTib.UserPointer:
NtTib.SelfTib:
SelfPcr:
Prcb:
Irql:
IRR:
IDR:
InterruptMode:
IDT:
GDT:
TSS:
CurrentThread:
NextThread:
IdleThread:
DpcQueue:
fffff800039fe4f0
000000007efdb000
0000000000000000
fffff800039fde80
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
fffffa8007aa8060
0000000000000000
fffff80003a0bcc0
, CPU 0 , ,
CurrentThread IdleThread . ( , !pcr1, !pcr2
.., , , ,
IdleThread .)
!thread
:
3: kd> !thread fffff80003a0bcc0
THREAD fffff80003a0bcc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread:
0000000000000000
RUNNING on processor 0
Not impersonating
DeviceMap
fffff8a000008aa0
Owning Process
fffff80003a0c1c0
Image:
Idle
Attached Process
fffffa800792a040
Image:
System
Wait Start TickCount
50774016
Ticks: 12213 (0:00:03:10.828)
Context Switch Count
1147613282
UserTime
00:00:00.000
KernelTime
8 Days 07:21:56.656
Win32 Start Address nt!KiIdleLoop (0xfffff8000387f910)
Stack Init fffff80000b9cdb0 Current fffff80000b9cd40
Base fffff80000b9d000 Limit fffff80000b97000 Call 0
Priority 16 BasePriority 0 UnusualBoost 0 ForegroundBoost 0 IoPriority 0 PagePriority 0
Child-SP
RetAddr
: Args to Child
[...]: Call Site
fffff800'00b9cd80 00000000'00000000 : fffff800'00b9d000 [...]: nt!KiIdleLoop+0x10d
, !process , - Owning Process, . 3,

!process
:
528 5. ,
3: kd> !process fffff80003a0c1c0 3
PROCESS fffff80003a0c1c0
Image: Idle
VadRoot fffffa8007846c00 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token
fffff8a000004a40
ElapsedTime
00:00:00.000
UserTime
00:00:00.000
KernelTime
00:00:00.000
QuotaPoolUsage[PagedPool]
0
QuotaPoolUsage[NonPagedPool]
0
Working Set Sizes (now,min,max) (6, 50, 450) (24KB, 200KB, 1800KB)
PeakWorkingSetSize
6
VirtualSize
0 Mb
PeakVirtualSize
0 Mb
PageFaultCount
1
MemoryPriority
BACKGROUND
BasePriority
0
CommitCharge
0
THREAD fffff80003a0bcc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread:
0000000000000000
THREAD fffff8800310afc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread:
0000000000000000
THREAD fffff8800317bfc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread:
0000000000000000
THREAD fffff880031ecfc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread:
0000000000000000
dt nt!_
EPROCESS, dt nt!_KTHREAD, .
, . Image () Idle () ( ImageFileName EPROCESS).

Windows ,
. (Task Manager) Process Explorer
System Idle Process, Tlist System Process.
(process ID) (thread ID)
(
client Ids, Cid) , PEB- TEB-,
,
0. ,

529
, , . , .

, .
( , ),
.
PsIdleProcess.
, , ,
, Windows , 0 ( , x64 16).
,
,
, . ,
,
. (, Windows
0
(zero page thread).)
, .
KiIdleLoop , .
, ,
PRCB . ,
,
NextThread PRCB . .
-
, :
1. , , ( STI CLI x86 x64).
,
.
2. , , ,
.
3. DPC ( 3). DPC- ,
DPC-, .
DPC-, ,
KiRetireDpcList.
530 5. ,
,
; , .
KiRetireDpcList ,

1. KiRetireDpcList .
4. ,
, .
, , , 3 DPC-

,
.
5. , , ,
, ,
. (
.)
6. (
), ( intelppm.sys), HAL,
.

, KiSelectNextThread. :
, -
,
,
, .
, SMT-,
, , SMT .
, ,
.
,
( ,
Priority () Affinity).
:
KiSelectReadyThread,
, , ,
.
531
, ,
, , Standby
NextThread KPRCB
KiSelectNextThread
, ,
(
Standby).
,
( , ),
:
, ,
, ,
, ,
.

YieldProcessor NtYieldExecution,
.
,
.
,
.
, ,
.
, , ,
( KiSelectNextThread)
, , (
KiSelectReadyThread).
,
( KPRCB).
KiSelectReadyThread
, , ,
( , ,
KiSelectNextThread). (
), .

, , , , .
532 5. ,
,
, . ,
, ,
, DPC- ( ),
.
KiSearchForNewThread, ,
,
.

: , .
, Windows
,
, , . ,
Windows , ,
, - ,
.
,
, ,
, Windows

, Windows (SMT,
NUMA).
SMT-
Windows KPRCB
. , CoresPerPhysicalProcessor, ,
, CPUID, ,
. , LogicalProcessorsPerCore, ,
SMT-, , Intel
HyperThreading, CPUID
. , .
, PRCB
PackageProcessorSet, ,
, (
533
) . , CoreProcessorSet
,
SMT-. , GroupSetMember ,
. , 3
GroupSetMember, 8 (2 3).
:

, Windows SMT-,
!smt.
Intel Core i5 SMT ( ):
SMT Summary:
KeActiveProcessors:
****------------------------------------------------------- (000000000000000f)
KiIdleSummary:
-*-*------------------------------------------------------- (000000000000000a)
----------------------------------------------------------- (0000000000000000)
----------------------------------------------------------- (0000000000000000)
----------------------------------------------------------- (0000000000000000)
No PRCB
SMT Set
APIC Id
0 fffff8000324ae80 **--------------------------(0000000000000003) 0x00000000
1 fffff880009e5180 **--------------------------(0000000000000003) 0x00000001
2 fffff88002f65180 --**------------------------(000000000000000c) 0x00000002
3 fffff88002fd7180 --**------------------------(000000000000000c) 0x00000003
Maximum cores per physical processor:
8
Maximum logical processors per core:
2
NUMA-
Windows , nonuniform memory access
(NUMA). NUMA- , . ,
-. ,

.
, .
NUMA-
, KNODE. KeNodeBlock
KNODE- . KNODE-
dt,
:
534 5. ,
lkd> dt nt!_KNODE
+0x000 PagedPoolSListHead : _SLIST_HEADER
+0x008 NonPagedPoolSListHead : [3] _SLIST_HEADER
+0x020 Affinity
: _GROUP_AFFINITY
+0x02c ProximityId
: Uint4B
+0x030 NodeNumber
: Uint2B
...
+0x060 ParkLock
: Int4B
+0x064 NodePad1
: Uint4B
: NUMA-
, Windows NUMA-,
!numa.
64- NUMA- HewlettPackard :
26:kd>!numa
NUMASummary:
-----------NumberofNUMAnodes:16
NumberofProcessors:64
MmAvailablePages:0x03F55E67
KeActiveProcessors:**********************************************************
(ffffffffffffffff)
NODE0(E000000084261900):
ProcessorMask:****---------------------------------------------------...
NODE1(E0000145FF992200):
ProcessorMask:----****-----------------------------------------------...
, NUMA-
,
, Windows
NUMA- - , NUMA- (. ).

, SMT-, Windows
, (
).
KePerformGroupConfiguration, 1.
, , NUMA- 0 , , 0.
535
(KeNumberNodes) (
). MaximumProcessors
KeNodeBlock, NUMA- .
NUMA Proximity ID, (proximity ID),
. NUMA (NUMA
distance array, KeNodeDistance) , 3,
NUMA-.
, NUMA-,
. , Hyper-V
(, ) , NUMA- ( )
0. , Hyper-V
64 .

, ( ).
NUMA-.
, NUMA-,
,
Group Assignment Node
Distance HKLM\SYSTEM\CurrentControlSet\Control\NUMA.
,
(proximity ID) ,
32- .
, , , , ,
. , NUMA- 0
0, , NUMA-
. , , .
NUMA- , ,
, . , NUMA. ,
/MAXGROUP,
BCD- maxgroup.
NUMA ( ,
, ).

536 5. ,
( maxgroup ),
0.
, Windows
NUMA- ( ), , .
,
.
,
( ).
,
, ( 4).
.
, .
NUMA-
. ,
. . , 0.
,
, , Windows 64
, , ,
/GROUPSIZE, BCD- groupsize.
, , , , ( 8
1, 2 4 ).
, /FORCEGROUPAWARE (BCD- groupaware),
, 0,
, ,
DPC, .
1,
, ,

, (
).
, , ,
, Windows
, ,
CoresPerPhysicalProcessor, SMT ,
LogicalProcessorsPerCore.
, NUMA- .
, ,
Multiple-Chip Modules (MCM),
.
537
,
. ACPI SRAT MCM-, NUMA-,
Windows . MCM- .
,
(
),
: NUMA-
, NUMA-. , Windows
NUMA- , . ,
, NUMA. ,
, , NUMA-,
. , NUMA-,
.

Windows ,
. Windows .
(KeActiveProces
sors), . ,
, Windows ,
.
KeRegisteredProcessors , . .
, KeMaximumProcessors
, , ,
,
HAL ACPI SRAT, .
(KiIdleSummary) . , CpuSet,
, , SMTSet,
SMT-.
(KiNonParkedSummary)
.

, -
538 5. ,
(, , ),
-,
PRCB, DISPATCH_
LEVEL. ,
PRCB-. ,
PRCB-, , ,
. -,
.
, . ,
, ;

.
, , - PRCB-. ,
,
KiProcessDeferredReadyList ,
, ( ,
) .
, ,
KiDeferredReadyThread, , .
, , ,
, ,
(standby) .
Core Parking
engine: ,
. KiDeferredReadyThread ( ), .
,
.
. (, )
, ,

, .
,
.
:
539
SetThreadAffinityMask
SetProcessAffinityMask -
. (Task Manager) Process

Explorer GUI,
(Set
Affinity). Psexec ( Sysinternals)
. (
a .)
,
,
SetInformationJobObject.

1.
uniprocessor. (MmRotatingProcessorNumber),
, . ,
, , 0, 1,
0,
1 . .
, ,
, .
,
,
Imagecfg.exe. , , ,
Microsoft Application Compatibility
Toolkit ,

.
:

:
1. (Cmd.exe).
2. (Task Manager) Process Explorer Cmd.exe .
Windows- -
www.microsoft.com Portable Executable and Common Object File Format
Specification.
540 5. ,
3.
(Set Affinity). .
, .
4.
OK. .
5. (Notepad.exe)
( Notepad.exe).
6. (Task Manager) Process Explorer
Notepad.
(Set Affinity).
,
. ,
.
Windows , ,
, , , . , ,
: 0 8,
, 1
4,
. 6, 0.
? Windows 8 0 1 (
4),
6 .
, ,
, Windows
. ,
,
Windows , .

64 , ,
( 64 64- ), Windows (KAFFINITY_EX),
,
( 4).

541
, , ,
. API-
, , API-,
.
, API- Windows
,
( ).
. API-

. ,
4 256 , 1
4, 2 68, 4
132, 4 196,
0x10 (0b10000 )
0, 1, 2 3.
0xFFFFFFFF ,
( ,
).
,
. (
, .)

Windows ( ),
, ,

.
API- KeSetSystemAffinityThread(Ex)/
KeSetSystemGroupAffinityThread KeRevertToUserAffinityThread(Ex)/KeRevert
ToUserGroupAffinityThread.

,
, :
, , -
, , -
542 5. ,
, ,
(seed) . ,
,
. , 0.
1.
1, 2 .. ,
.
, , . , , .
, ,

SetThreadIdealProcessor.
, SetThreadIdealProcessorEx,
.
64- Windows
KPRCB
Stride. ,
NUMA-, .
( SMT-) ( SMT-).
32- Windows , stride ,
, SMT-. , SMT , 0,
2,
1, 3 ..
, .

NUMA- .
0, 1 .. .

.

. .
543

, .
(
), (
). ,
,
KiSearchForNewThread. : - ,
NtDelayExecutionThread, Windows, API- Sleep API.
Sleep(1),
, SwitchToThread() . (sleep)
, ,
(yield)
.
KiSearchForNewThread ,
( NextThread); ,

(Running).
KiSelectReadyThread, , .
, (
)
( ,
). ,
, Distributed Fair Share Scheduling,
, , (idle-only queue),
. , ,
, , .
, .
NUMA-
, , .
, , KiFindReadyThread, ,
KPRCB,
.
Distributed Fair Share Scheduler, , , ,
,
.
544 5. ,
,
. .,
NUMA-.
..,
(Windows
).
, NULL,
( ). , .

, Windows
, (
), , ,
. ,
, Windows
:
.
, Windows, ,
.

, KiDeferredReadyThread, Windows : , , ,
, .
Windows ,

. :
1. ,
Core Parking. , .
2. ,
( , ), .
3. SMT- SMT-,
, . , Windows ,
SMT- .
545
4. Windows ,
. ,
.
, , , . ,
, . ( ,
, ,
, .)
5. , Windows ,
( ,
). ,
, .
6. , ,
Windows , , SMT-,
. , Windows
, SMT- , , .
, Windows ,
SMT-, () , . SMT
-, ,
- , .
7. ,
, Windows
.
, , (standby), PRCB-
, .
, , DPC-,
.
,
KiCheckForThreadDispatch, ,
,
, ( APC-),
DPC-.

, -
546 5. ,
( ),
Windows , .
KiSelectCandidateProcessor,
Core Parking,
. Core Parking
, .
, .
, , ,
, , .
Windows , ( ) ,
, , .
, ( ),
, ,
.
, Windows ,

, . ,
, Windows DPC-

.
, ,
,
.
, , , , - .
,
, , ,
, ,
.
,

Windows ,
Windows
NT ( , ,
). , ,
, 547

.
,

. ,
,
,
,
.

,
Windows: session-based Distributed Fair
Share Scheduler (DFSS) ,
SID.
DFSS
, Smss SOFTWARE-,
PsBootPhaseComplete , PsInitializeCpuQuota. ,
(DFSS ) . DFSS,
EnableCpuQuota :
HKLM\SOFTWARE\Policies\Microsoft\Windows\Session Manager\Quota System
, 1, HKLM\
SYSTEM\CurrentControlSet\Control\Session Manager\Quota System ( TRUE), ,
.
- ( http://technet.
microsoft.com/en-us/library/ee808941(WS.10).aspx) DFSS .
.

(Computer Configuration) (Administrative
Templates) Windows (Windows Components) (Remote Desktop Services) (Remote Desktop
Session Host) (Connections).
Turn off Fair Share CPU Scheduling.
548 5. ,
DFSS , PsCpuFairShare
Enabled true,
- () DFSS.
DFSS- 150, , (credit).
DFSS-, ,
( - ) , PspCpuQuotaControl.
DFSS ,
.

DFSS (
0) MiSessionCreate PsAllocateCpuQuotaBlock
.
(, 1),
DFSS PspLazyInitializeCpuQuota.

DFSS, , DPC-, (
PspCpuQuotaDpcRoutine), ,
. ,
, , , ,
DFSS. DFSS,
, ,
, , .
DFSS ,
PsAllocateCpuQuotaBlock ,
. ,
, ,
.
(session ID),
5.
, ,
DFSS. ,
.
. PspCpuQuotaControl
( ),
( ). ,
, 549
PspCalculateCpuQuotaBlockCycleCredits
.
, ,
CpuQuotaBlock MM_SESSION_SPACE
. EPROCESS ( CpuQuotaBlock
),
. , ,
, , ( ),
ETHREAD APC-
. , RateApcState
ETHREAD PsRateApcContained, ,
APC- (Quota APC), DFSS
( APC-, ). , KTHREAD ThreadControlFlags CpuThrottled.
DFSS
, ,
, EPROCESS
. , ,
, .
DPC- ,
APC- .
,
PsDeleteCpuQuotaBlock. ,
PspCalculateCpuQuotaBlockCycleCredits .

, DFSS-
,
. , API- ,
( , ).
PsChargeProcessCpuCycles, ,
.

DFSS , , TotalCyclesAccumulated.
,
DPC- . c
DPC-, PspStartNewFairShareInterval, ,
150. , , ,
550 5. ,
. 150 ,
DFSS.
, (generation)
, ( ),
DFSS . ,
, PspReplenishCycleCredit,
. , PspCalculateCpu
QuotaBlockCycleCredits ,

.
: (150), . ,
(CyclesRemaining), .
, ,
. ,
.
PsChargeProcessCpuCycles CyclesRemaining,
PsCheckThreadCpuQuota, ,
( ). ,

, - , .
PsCheckThreadCpuQuota
( ), , .
, ,
150 ,
PspReplenishCycleCredit. , ,
. , ,
.
DPC , , ( APC )
. -
, APC , , .
,
( DISPATCH_LEVEL), DPC ,
APC . (
, 551
.) , 150 , DPC-
PspStartNewFairShareInterval.

, , DFSS, ( )
( , DFSS), , ,
150. ,
APC , .
, APC .
APC ,
(Quota Wait Block), , . ,
. APC-
DFSS . ,
( , ,
). , ,
,
DFSS (
PspCpuQuotaControl).
PspInsertQuotaBlockCpuEntry.
DFSS ( ), ,
,
. ,
150 , ( ),
, DFSS .
,
(Quota Entry) ( ,
),
, (Quota Wait Block).
, DFSS-
.
, APC
WrCpuRateControl. ,
Sysinternals PsList, Process Explorer,
552 5. ,
( )
, DFSS-.
DFSS- 0
DPC
DFSS- 1
DFSS- 2
...
DFSS- 255
ID
.
.
.
.
.
.
.
.
.
255
2
...
n
Word
( 1)
SQL
( 0)

, , , , , , ,
? 150 . ,
PspStartNewFairShareInterval . , PspFlushProcessorIdleOnlyQueue,
, (
),
.
, . ,
150.
, , .
DFSS-, PsReleaseThreadF
romIdleOnlyQueue , , , DFSS. DFSS
, 553
:
KiSelectReady
Thread , , KiSearch
ForNewThread DFSS .

(
KiSelectReadyThread PRCB), - ,
DFSS-.
, , PsRelea
seThreadFromIdleOnlyQueue DFSS-.
DFSS-
PsReleaseThreadFromIdle
OnlyQueue , (

), , .
- DFSS, ,
PspFin
dHighestPriorityThreadToRun.
, ,
(, ,
Quota Wait Block ). , (
), ,

. ( ,
,
.)
DFSS -
, ,
, : DFSS ,
. - ,
DFSS, , .
, , ,
.
,
,
. DFSS
554 5. ,
,
.
, . ,
, , ,
. ,
, , ,
(
, )
.
,
PsReleaseThreadFromIdleOnlyQueue
DPC-,
APC- ( , DPC- ). ,
APC ,
, , DISPATCH_LEVEL.
, APC,
, , APC;
DPC-.
DPC-,
ThreadWaitBlockForRelease DFSS,
. ,
DPC , , ,
, (Quota Wait Block).
, (Idle Scheduler), IdleSchedule
KPRCB, ,
.
: , , ,
.
PsReleaseThreadFromIdleOnlyQueue
, , . ,
KiCyclesPerClockQuantum,
.
.
, ,

150 . ,
KiCyclesPerClockQuantum, . ,
,
, 555
. ,
( ),
, .

, ,
5. 1 9, DFSS API- :
PsQueryCpuInformation Set-.
( ) , (Set
API) ,
, PspCpuQuotaControl. PspCalculateCpuQuotaBlockCycleCredits
. , (Query API)
.
SeIncreaseQuotaPrivilege,
SESSION_MODIFY_ACCESS ,
. API-
API- NtQuerySystemInformation,
SystemCpuQuotaInformation.
API- Windows API ,
Windows Windows System
Resource Manager,
Weighted_Remote_Sessions . T
Premium (), Standard () Basic ()
DFSS- 1, 5 9 .

Windows ( ,
Windows NT)
: , . ,
,
, ,
.
, , ,
CPU rate limits in Windows Server 2008 R2 and
Windows7 Microsoft Technet Knowledge Articles http://
technet.microsoft.com/en-us/library/ff384148(WS.10).aspx.
556 5. ,
HKLM\
SYSTEM\ CurrentControlSet\Control\Session Manager\QuotaSystem,
NtSetInformationProcess. -
DWORD- CpuRateLimit
(SID)
, ,
DWORD- CpuRateLimit.
NtSetInformationProcess
, , ,
.
;
, . ,
, 10%
, CpuRateLimit 10. ,
,
. ,
,
, ,
, ,
.
DPC APC
DPC APC,
,
-
( , ).
, ,
, (
, ). ,
-
, ,
WrCpuRateControl.
APC-
,
. DPC,
( )

.
557

, , ( ). ,
. (,
- .)
,
.
,
. .
,
( ),
. ACPI BIOS
,
.
HAL,
KeStartDynamicProcessor. ,
, .
. ,
, .
DPC,
global descriptor table (GDT),
interrupt Dispatch table (IDT), processor control region (PCR),
process control block (PRCB) .
, ,
(look-aside list), . , , ,
-, ,
.
, DPC
,
. , .
,
(,
). -
558 5. ,

Windows Windows Hardware Error Architecture (WHEA) ,
.
HAL . , ,
.

. ,
.

, ProcessorAdd, .
,
,
, ,
, , .
,
, Plug and Play,
,
, . ,
, .
( ) -
(
,
, ).
, .
API- Windows SetProcessAffinityUpdateMode QueryProcessAffi
nityMode, NtSet/Query
InformationProcess, ,
( AffinityUpdateEnable
EPROCESS)
AffinityPermanent EPROCESS.
, ,
,
, .
KeStartDynamicProcessor, ,
PsUpdate
ActiveProcessAffinity. Windows-
,
,
559
API-. System, Svchost Smss

.

, ,

, .

.
. ,
.
,
, , ,
.
Windows- GetQueuedComple
tionStatus -, .
( ) ,
(, , ).

, :
.
.

, (
, ).

, (
). , , , .
SetInformation
JobObject EndOfJobTimeAction
.

.
. (
).
560 5. ,
. -
. (
,
.)
. ,
. .
,
.
.
. ( ). . (
SetThreadPriority , .)
.
. (
,
.)
, .
,
, .
.
,
. ,
, , . ,
, , ,
, , security ID (SID)
.
, ,
. ,
, ()
,
Windows- SystemParametersInfo. ,
,
GDI/USER, Win32k.sys, Windows, ,
, (job).
561
. ,
, . ,
,
, (
,
).
,
,
.
:

(Performance) tool. ( Job Object Job Object Details.)
!job dt nt!_ejob.
, , !process Process Explorer.
:
1. runas
, (Cmd.exe). ,
runas /user:<>\<_> cmd. . ,
. Windows, runas, ( ).
2. Notepad.
exe.
3. Process Explorer , Cmd.exe Notepad.exe . (
, , , Options (),
Configure Colors ( ).) , .
4. Cmd.exe, Notepad.
exe, .
Job ().
5. Job (),
. , , ,
-.
562 5. ,
6. , , !process,
, Cmd.exe. ,
!process < >, ,
!job.
, :
lkd>!process01 cmd.exe
PROCESS8567b758SessionId:1Cid:0fc4Peb:7ffdf000ParentCid:00b0
DirBase:1b3fb000ObjectTable:e18dd7d0HandleCount:19.
Image:Cmd.exe
...
BasePriority8
CommitCharge636
...Job85557988
lkd>!job85557988
Jobat85557988
TotalPageFaultCount0
TotalProcesses2
ActiveProcesses2
TotalTerminatedProcesses0
LimitFlags0
...
7. ,
dt , , ,
:
lkd>dtnt!_ejob85557988
563
nt!_EJOB
+0x000
...
+0x0b8
+0x0bc
+0x0c0
+0x0c4
+0x0c8
...
+0x120
+0x124
Event
: _KEVENT
EndOfJobTimeAction
CompletionPort
:
CompletionKey
:
SessionId
:
SchedulingClass :
MemberLevel
JobFlags
: 0
0x87e3d2e8
0x07a89508
1
5
: 0
: 0
8. , UI-,
dt Win32k (tagW32JOB).
W32PROCESS,
,
pW32Job.
, Win32k ,

Block Access To Global Atom
TableUI. , pAtomTable
.
dt nt!_RTL_ATOM_TABLE ,
:
lkd> ?? ((win32k!tagPROCESSINFO*)(((nt!_EPROCESS*)0x847c4740)->Win32Process))>pW32Job
struct tagW32JOB * 0xfd573300
+0x000 pNext
: 0xff87c5d8 tagW32JOB
+0x004 Job
: 0x8356ab90 _EJOB
+0x008 pAtomTable
: 0x8e03eb18
+0x00c restrictions
: 0xff
+0x010 uProcessCount
: 1
+0x014 uMaxProcesses
: 4
+0x018 ppiTable
: 0xfe5072c0 -> 0xff97db18 tagPROCESSINFO
+0x01c ughCrt
: 0
+0x020 ughMax
: 0
+0x024 pgh
: (null)
, , Windows
, ,
.
,
, : Windows
.
6.
, , .
, , ,
. , , .
, ,
(, )

.
, Microsoft Windows
.

( ), , ,
, .
,
, (Common Criteria, CC). , Windows,
,
Windows, Trusted Computer System Evaluation Criteria (TCSEC).

(National Computer Security
Center, NCSC) 1981 (National Security Agency, NSA) (U.S.
Department of Defense, DoD). NCSC
, . 6.1,
,
. ,
http://csrc.nist.gov/publications/history/dod85.pdf,
1983 .
TCSEC ,

.
565
A1
Verified Design .
B-,
C2.
6.1. TCSEC

A1
Verified Design ( )
B3
Security Domains ( )
B2
Structured Protection ( )
B1
Labeled Security Protection ( )
C2
Controlled Access Protection ( )
C1
Discretionary Access Protection ( ) ( )
Minimal Protection ( )
1995 Windows NT 3.5 (

) Service Pack 3 Windows NT,
C2. 1999 Windows NT 4 Service Pack 3 E3
,
C2.
1999 Windows NT 4 Service Pack 6a C2 , .
C2 , - :
, -
, .
, (, ) ,
. , , .
, ,
, , . ,
, ,
.
, , ,
, ,
. ,
566 6.
,
, ,
, .
, , .

, .
Windows B-:
,

. Windows

Ctrl+Alt+Delete,
. ,
secure
attention sequence (SAS),
Windows ( )
, . (
,

API- SendSAS.) SAS
, , .
, .
, (),
, ,
.
Windows
.

1996 , , , ,

Common Criteria for Information Technology Security Evaluation
(CCITSE). CCITSE,
Common Criteria (CC), .
CC www.niap-ccevs.org/cc-scheme/.
CC TCSEC , ITSEC,
TCSEC. CC
Protection Profile (PP),
,
Security Target (ST), , PP. CC
Evaluation Assurance
567
Levels (EAL), .
, CC ( ITSEC)
,
TCSEC .
Windows 2000, Windows XP, Windows Server 2003
Windows Vista Enterprise Common Criteria Controlled Access Protection Profile
(CAPP). TCSEC C2.
EAL 4+, . EAL 4
, .
2011 Windows 7 Windows Server 2008
R2 , 1. Hyper-V, , , Windows
EAL-4+.
- http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf ,
, , - http://www.commoncriteriaportal.
org/files/epfiles/st_vid10390-st.pdf.

Windows
:
Security reference monitor (SRM). ,
Windows (%SystemRoot%\
System32\Ntoskrnl.exe) -
,
, ( ) .

Local Security Authority subsystem (LSASS).
%SystemRoot%\System32\Lsass.exe, (, ,
, ,
, , ,
),
(Event Log).
LSASS
The Local
Security Authority service (Lsasrv %SystemRoot%\System32\Lsasrv.dll).
LSASS. ,
.
US Government Protection Profile for General-Purpose Operating Systems in a Networked Environment,
1.0 30 2010 (GPOSPP) (http://www.commoncriteriaportal.org/files/ppfiles/
pp_gpospp_v1.0.pdf).
568 6.
ACL- HKLM\SECURITY.
, , , ,
, (,
),
.
LSASS , ,
Windows .
Windows 4 .
Security Accounts
Manager (SAM). , , .
SAM-, %SystemRoot%\System32\
Samsrv.dll, LSASS.
SAM. , , . SAM ,
,
, .
HKLM\SAM.
Active Directory. , , .
, . Active Directory
, , . Active
Directory
, ,
. Active Directory, %SystemRoot%\System32\Ntdsa.dll,
LSASS. Active Directory 7 .
(Authentication packages). dynamic-link libraries (DLL), LSASS,
Windows .
DLL- ,

LSASS ,
, LSASS .
(Winlogon). , %SystemRoot%\System32\
Winlogon.exe, SAS . , Winlogon
, .
Logon user interface
(LogonUI). , %System
569
Root%\System32\LogonUI.exe, ,
. LogonUI
.
Credential providers (CP).
COM-, LogonUI (
Winlogon SAS)
, PIN- - (, ). CP
%SystemRoot%\System32\authui.dll %SystemRoot%\System32\
SmartcardCredentialProvider.dll.
Network logon service (Netlogon). Windows
(%SystemRoot%\System32\Netlogon.dll)
, ,
( Windows NT 4) LAN Manager
NT LAN Manager (v1 v2). Netlogon
Active Directory.
Kernel Security Device Driver
(KSecDD). ,
advanced
local procedure call (ALPC),
LSASS
, ,
Encrypting File System (EFS). KSecDD %SystemRoot%\
System32\Drivers\Ksecdd.sys.
AppLocker.
, ,
, DLL-
. AppLocker
(%SystemRoot%\System32\Drivers\AppId.sys) (%SystemRoot%\
System32\AppIdSvc.dll), SvcHost.
. 6.1 , .
SRM, ,
LSASS, ,
ALPC, 3 .
SRM SeRmCommandPort, LSASS. LSASS, ALPC SeLsaCommandPort. SRM ,
. SRM
, 256,
. SRM LSASS
,
.

- , .
.6.2 ,
.
570 6.
Lsass
Winlogon
Netlogon
LSA
LogonUI
LSA
Active
Directory
Active
Directory
SAM
Msv1_0.dll
SAM
Kerberos.dll
()
plug and play
( )
Win32 USER,
GDI
(HAL)

(, -, , , DMA, - . .)
. 6.1. Windows

(LSA)
SeLsaCommandPort
SeRmCommandPort
(SRM)
. 6.2. SRM LSASS
571
: HKLM\SAM HKLM\Security
, SAM Security,
,
.
,
. Regedit.exe .
PsExec, Windows
Sysinternals, s:
C:\>psexecsidc:\windows\regedit.exe

. Windows
, , , (
), , , , , ,
, , , , , LPC-, , , , ,
, , , , ,
Active Directory .. , . , (, ), .
572 6.

, . ,
( ), , Windows
.
3, , . .6.3 Sysinternals Winobj
.
, , Windows
,
. , ,
.
, , .6.3,

discretionary access control list, DACL. DACL .
,
. ,
Windows
.
,
, , ,
.
, , . (impersonation), -
, , , .
573
. 6.3. ,
Winobj
,
, .
, , , , - ,
.
,
. , ,
, Alice ,
Alice . Windows Windows (Windows integrity mechanism),
. Windows
, User Account Control (UAC),
Internet Explorer Protected Mode Internet Explorer (PMIE) User Interface Privilege Isolation (UIPI).

Windows , , ,
, .
, ,
SRM, , , ( )
. 3 ,
574 6.

.
,
,
. ,

. ,
, , , ObpCreateHandle.
, ObpCreateHandle , .
ObpCreateHandle ObpGrantAccess, ,
, , ObpCreateHandle ExCreateHandle
.
ObpGrantAccess
ObCheckObjectAccess.
ObpGrantAccess ObCheckObjectAccess
, , , (, , ..), .
ObCheckObjectAccess
.

.
( )
. ObCheckObjectAccess
, .

.
.
, ,
SRM, ,
. SRM
, ,
.
,
SeDefaultObjectMethod. ,
, . , ,
, . ,
, .
-, , , ,
( ). ,
575
,
NTFS, - ,
. , ObCheckObjectAccess
, ,
.
, (,
Windows- SetFileSecurity GetFileSecurity).
ObCheck
ObjectAccess SRM- SeAccessCheck. SeAccessCheck
, Windows.
SeAccessCheck ,
, ObCheckObjectAccess,
. SeAccessCheck
True False, ,
.
,
, . , ,
API- Windows . , , , . ,
,
, , .
,
.
,
Windows- WriteFile, .
NtWriteFile, WriteFile Ntdll.dll, ObReferenceObjectByHandle,
. ObReference
ObjectByHandle ,
.
ObReferenceObjectByHandle , .
ObReferenceObjectByHandle ,
,
.
Windows Windows-
SRM (
API- AuthZ,
), Windows
. ,

576 6.
, API- Windows, . SeAccessCheck

AuthZ API- AccessCheck. , Windows
Windows .
SRM ,
: , ,
, . , , ,
. ,
, .

( ,
), , , Windows
security identifiers (SID). SID ,
, , , .
SID , SID-, 48-
32-
relative identifier (RID). , SID,
Windows .
, ,
RID- , Windows
SID SID. -
SID- Windows SID , , Windows
SID - .
SID S, :
S-1-5-21-1463437245-1224812800-863842198-1128
SID 1,
5 ( Windows), RID (1128),
SID. SID ,
SID , .
Windows Windows Setup SID
. Windows SID- ,
. SID
SID RID. RID-
1000
577
1 .
Dcpromo.exe (Domain Controller Promote), ,
Windows, SID ,
SID , SID
, - . Windows
SID- , SID RID- (
1000 1
). RID 1028 , SID
.
Windows SID-, SID
RID- . , RID 500, RID 501. ,
SID RID, 500:
S-1-5-21-13124455-12541255-61235125-500
Windows SID
. , SID,
( ),
Everyone SID: S-1-1-0. ,
SID-, , , , .
SID S-1-5-2. .6.2
Windows SDK ,
SID-, . SID SID- Windows
. , , Everyone
, , Everyone , ,
. ,
,
Everyone.
SID-
Microsoft Knowledge Base 243330,
http://support.microsoft.com/kb/243330.
, Winlogon SID
. SID access control entry (ACE),
. , Windows
LogonUser.
, SID
. SID ACE,
578 6.

. SID S-1-5-5-0,
RID .
6.2. SID-
SID
S-1-0-0
Nobody () , SID
S-1-1-0
Everyone ()
S-1-2-0
Local ()
, ,
()
S-1-3-0
Creator Owner
,
ID (ID - , . SID )
ACE-
S-1-3-1
Creator Group
ID (ID
)
,

, . SID ACE-
S-1-9-0
Resource Mana
ger (
)
,
,
(, Microsoft Exchange)
: PsGetSid Process Explorer

SID-
SID- , PsGetSid Sysinternals.
PsGetSid SID-, .
PsGetSid , SID,
. , Administrator
RID 500, ,
( , ),
PsGetSid SID
, 500.
SID , :
c:\>psgetsidredmond\daryl
SID ,
PsGetSid:
c:\>psgetsidRedmond
, RID , ,
, (
999 RID), -
579
( ,
,
). , RID, SID RID, PsGetSid. PsGetSid , SID -
RID ,
, , ,
RID, .
, , RID,
, PsGetSid SID , 1027:
c:\>psgetsidS-1-5-21-1787744166-3910675280-2727264193-1027
AccountforS-1-5-21-1787744166-3910675280-2727264193-1027:
User:redmond\daryl
Process Explorer Security () SID- .

.
(, Explorer.exe) , Security (). -,
.
580 6.
, User (), , ,
SID SID-. Group
() ,
. ( .)

, , , ,

. mandatory integrity
control (MIC) SRM
.
,
.
SID. , .
. 6.3.
6.3. SID-
SID
()
S-1-16-0x0 Untrusted (0)

()
, Anony
mous.
S-1-160x1000
Low (1) ()
Internet Explorer.

( )
S-1-160x2000
Medium (2)
()
,
UAC
S-1-160x3000
High (3) (- , )

UAC,
UAC
S-1-160x4000
System (4) ()

(, Wininit, Winlogon, Smss ..)
:

Process Explorer Sysinternals.
1. Internet Explorer .
2. .
3. Microsoft Paint ( ).
581
4. Process Explorer,
,
Select Columns ( ). ,
, .
5. Integrity Level ( )
OK, .
6. Process Explorer
.
Internet Explorer
Low (), Microsoft Paint Medium ()
, ,
High (). ,
System ().
582 6.
,
:
( -
, , ,
).
, , medium () ,
, .

,
(, Internet Explorer
, ).
DuplicateTokenEx,
,
SetTokenInformation,
CreateProcessAsUser.
:
Internet Explorer
,
Windows Internet Explorer,
Protected Mode Internet Explorer (PMIE).
Internet Explorer 7
Windows. , PMIE
.
Internet Explorer Process
Monitor.
1. , UAC PMIE (
),
Internet Explorer.
2. Process Monitor Filter ()
.
Iexplore.exe, .
583
3. Process Explorer , Integrity Level (
).
4. Internet Explorer. ,
Process Monitor,
Process Explorer, .
Internet Explorer , Process Explorer
Iexplore.exe, Iexplore.exe, medium (), ,
low ().
, PMIE, , Iexplore.exe, -, low (). Internet Explorer
,
Iexplore.exe.
Iexplore.exe, , ,
low () , , ,
.
. 6.3 , ,
? ,
, mandatory label.
Windows (, ),

, .
medium (),
, ( ) ,
, , medium ().
,
. medium
medium. medium,
,
.
, , , high system, medium, , UAC.

, , UAC,
, ,
- ,
(high).
, -
584 6.
. ,
:
;
;
;
.
,

(, DLL- ).
:
,
, ,
Accesschk Sysinternals. , Windows LocalLow.
1. C:\Users\UserName\.
2. Accesschk AppData:

C:\Users\UserName> accesschk v appdata
3. Local LocalLow
, :
C:\Users\UserName\AppData\Local
Medium Mandatory Level (Default) [No-Write-Up]
[...]C:\Users\UserName\AppData\LocalLow
Low Mandatory Level [No-Write-Up]
[...]
C:\Users\UserName\AppData\Roaming
Medium Mandatory Level (Default) [No-Write-Up]
[...]
4. , LocalLow , Low, Local Roaming

Medium (Default). default ,
.
5. Accesschk
, e.
AppData, ,
LocalLow.
o (Object, ), k (Registry Key, ) p (Process, ) , .
, ,
. . 6.4.
ACE.
585
6.4.
No-Write-Up
( -
)
No-Read-Up
(
)
,
.

No-ExecuteUp
( )

COM
,
.
COM
COM-
SRM
( ). , , , . ,
ID , UAC. (
UAC .)
(
) LSASS ,
. , ,
, .
:
Built-In Administrators ( );
Certificate Administrators ( );
Domain Administrators ( );
Enterprise Administrators ( );
Policy Administrators ( );
Schema Administrators ( );
Domain Controllers ( );
Enterprise Read-Only Domain Controllers ( -
, );
Read-Only Domain Controllers ( ,
);
Account Operators ( );
586 6.
Backup Operators ( );
Cryptographic Operators ( );
Network Configuration Operators ( );
Print Operators ( );
System Operators ( );
RAS Servers ( RAS);
Power Users ( );
Pre-Windows 2000 Compatible Access ( -
, Windows 2000).

. ,
.
:
SeBackupPrivilege ( );
SeCreateTokenPrivilege ( );
SeDebugPrivilege ( );
SeImpersonatePrivilege ( );
SeLabelPrivilege ( );
SeLoadDriverPrivilege ( );
SeRestorePrivilege ( );
SeTakeOwnershipPrivilege ( );
SeTcbPrivilege ( ).
.

, LSASS ( )
.
, Winlogon ( Userinit.exe).
UAC , , .
,
. , Windows-
LogonUser. , , LogonUser, Windows- CreateProcessAsUser.
CreateProcessWithLogon ,
Runas .
,
587
.

.
.6.4.
ID
Windows
ID
. SID ID
SID .
security reference monitor (SRM) -
SID- ,
ID

, NTFS-.
SID-

,

. ,

,
DACL
, .
,
SID
1.
SID 1
SID- SID,
. SRM ,
SID n
,

SID 1
.
, ,
, SID n
.
1
, .
,
, .
n

.
. 6.4.

discretionary access control list (DACL)
, Windows ,
.
Windows
,
.
, .
SID- , .
588 6.
,
, ( ,
,
). , , ( ).
, , (MIC)
. :
TOKEN_MANDATORY_NO_WRITE_UP, ,
No-Write-Up ( ), ,
.
TOKEN_MANDATORY_NEW_PROCESS_MIN,
, , SRM
.
, UAC UIPI, .
.
,
Application Identification ( AppLocker),
AppLocker . AppLocker .
. (source) .
, ,
, , Windows Session Manager, remote procedure call (RPC).
locally unique identifier
(LUID), SRM .
Windows LUID (executive LUID), ,
. LUID
, .
LUID ID .
ID LsaLogonUser.
LUID, LSASS LUID LUID
. LSASS ID ,
. ID , ,
, .
589
ID LUID . ID

.
, ( ). ,
, (

), , SID-,
.
, ,
.
Windows .
:
dt _TOKEN
. , Windows API,
. Windows SDK.
,
dtnt!_TOKEN, :
kd>dtnt!_TOKEN
+0x000 TokenSource
+0x010 TokenId
+0x018 AuthenticationId
+0x020 ParentTokenId
+0x028 ExpirationTime
+0x030 TokenLock
+0x034 ModifiedId
+0x040 Privileges
+0x058 AuditPolicy
+0x074 SessionId
+0x078 UserAndGroupCount
+0x07c RestrictedSidCount
+0x080 VariableLength
+0x084 DynamicCharged
+0x088 DynamicAvailable
+0x08c DefaultOwnerIndex
+0x090 UserAndGroups
+0x094 RestrictedSids
+0x098 PrimaryGroup
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
_TOKEN_SOURCE
_LUID
_LUID
_LUID
_LARGE_INTEGER
Ptr32 _ERESOURCE
_LUID
_SEP_TOKEN_PRIVILEGES
_SEP_AUDIT_POLICY
Uint4B
Uint4B
Uint4B
Uint4B
Uint4B
Uint4B
Uint4B
Ptr32 _SID_AND_ATTRIBUTES
Ptr32 _SID_AND_ATTRIBUTES
Ptr32 Void
590 6.
+0x09c
+0x0a0
+0x0a4
+0x0a8
+0x0ac
+0x0b0
+0x0b4
+0x0b8
+0x0bc
+0x0c0
+0x0c4
+0x0c8
+0x0d0
+0x158
+0x1e0
DynamicPart
DefaultDacl
TokenType
ImpersonationLevel
TokenFlags
TokenInUse
IntegrityLevelIndex
MandatoryPolicy
ProxyData
AuditData
LogonSession
OriginatingLogonSession
SidHash
RestrictedSidHash
VariablePart
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
Ptr32 Uint4B
Ptr32 _ACL
_TOKEN_TYPE
_SECURITY_IMPERSONATION_LEVEL
Uint4B
UChar
Uint4B
Uint4B
Ptr32 _SECURITY_TOKEN_PROXY_DATA
Ptr32 _SECURITY_TOKEN_AUDIT_DATA
Ptr32 _SEP_LOGON_SESSION_REFERENCES
_LUID
_SID_AND_ATTRIBUTES_HASH
_SID_AND_ATTRIBUTES_HASH
Uint4B
!token.
!process:
lkd> !process d6c 1
Searching for Process with Cid == d6c
PROCESS 85450508 SessionId: 1 Cid: 0d6c
Peb: 7ffda000 ParentCid: 0ecc
DirBase: cc9525e0 ObjectTable: afd75518 HandleCount: 18.
Image: cmd.exe
VadRoot 85328e78 Vads 24 Clone 0 Private 148. Modified 0. Locked 0.
DeviceMap a0688138
Token
afd48470
ElapsedTime
01:10:14.379
UserTime
00:00:00.000
KernelTime
00:00:00.000
QuotaPoolUsage[PagedPool]
42864
QuotaPoolUsage[NonPagedPool]
1152
Working Set Sizes (now,min,max)
(566, 50, 345) (2264KB, 200KB, 1380KB)
PeakWorkingSetSize
582
VirtualSize
22 Mb
PeakVirtualSize
25 Mb
PageFaultCount
680
MemoryPriority
BACKGROUND
BasePriority
8
CommitCharge
437
lkd> !token afd48470
_TOKEN afd48470
TS Session ID: 0x1
User: S-1-5-21-2778343003-3541292008-524615573-500 (User: ALEX-LAPTOP\Administrator)
Groups:
00 S-1-5-21-2778343003-3541292008-524615573-513 (Group: ALEX-LAPTOP\None)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
591
02 S-1-5-21-2778343003-3541292008-524615573-1000 (Alias: ALEX-LAPTOP\Debugger Users)
03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Mandatory Default Enabled Owner
04 S-1-5-32-545 (Alias: BUILTIN\Users)
05 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
06 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
07 S-1-5-15 (Well Known Group: NT AUTHORITY\This Organization)
08 S-1-5-5-0-89263 (no name mapped)
Attributes - Mandatory Default Enabled LogonId
09 S-1-2-0 (Well Known Group: localhost\LOCAL)
10 S-1-5-64-10 (Well Known Group: NT AUTHORITY\NTLM Authentication)
11 S-1-16-12288 Unrecognized SID
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-2778343003-3541292008-524615573-513 (Group: ALEX-LAPTOP\None)
Privs:
05 0x000000005 SeIncreaseQuotaPrivilege
Attributes 08 0x000000008 SeSecurityPrivilege
Attributes 09 0x000000009 SeTakeOwnershipPrivilege
Attributes 10 0x00000000a SeLoadDriverPrivilege
Attributes 11 0x00000000b SeSystemProfilePrivilege
Attributes 12 0x00000000c SeSystemtimePrivilege
Attributes 13 0x00000000d SeProfileSingleProcessPrivilege
Attributes 14 0x00000000e SeIncreaseBasePriorityPrivilege
Attributes 15 0x00000000f SeCreatePagefilePrivilege
Attributes 17 0x000000011 SeBackupPrivilege
Attributes 18 0x000000012 SeRestorePrivilege
Attributes 19 0x000000013 SeShutdownPrivilege
Attributes 20 0x000000014 SeDebugPrivilege
Attributes 22 0x000000016 SeSystemEnvironmentPrivilege
Attributes 23 0x000000017 SeChangeNotifyPrivilege
Attributes - Enabled Default
24 0x000000018 SeRemoteShutdownPrivilege
Attributes 25 0x000000019 SeUndockPrivilege
Attributes 28 0x00000001c SeManageVolumePrivilege
Attributes 29 0x00000001d SeImpersonatePrivilege
30 0x00000001e SeCreateGlobalPrivilege
33 0x000000021 SeIncreaseWorkingSetPrivilege
Attributes 34 0x000000022 SeTimeZonePrivilege
Attributes 35 0x000000023 SeCreateSymbolicLinkPrivilege
Attributes -
592 6.
Authentication ID:
(0,be1a2)
Impersonation Level:
Identification
TokenType:
Primary
Source: User32
TokenFlags: 0x0 ( Token in use )
Token ID: 711076
ParentToken ID: 0
Modified ID:
(0, 711081)
RestrictedSidCount: 0
RestrictedSids: 00000000
OriginatingLogonSession: 3e7
Security () Process Explorer Properties ().

, .
:
Low ()
, (Run As
Administrator), ,
, ( PMIE) ,
Psexec Sysinternals:
1. (Notepad) ,
:
c:\psexec l notepad.exe

2. (,
.XML) %SystemRoot%\System32. ,
,
.
3.
(File) (New), -
%SystemRoot%\System32.

(Documents).
4. .
, .
5. LocalLow , ,
.
593
LocalLow ,
, LocalLow
. ,
, medium ().
( Accesschk.)
%SystemRoot%\System32,
, ,
.

(impersonation)
Windows, . Windows -.
, ,
, . , . , ,
.
, NTFS-, , , ,
.
SID-

. , ,
. Windows .
SRM ,
, .
,
SRM,
, .
, .
:
.
,
.
.
, ,
, .
Windows . , ,
ImpersonateNamedPi peClient, Windows API, SRM
, .
594 6.
Dynamic Data Exchange (DDE) RPC,

DdeImpersonateClient
RpcImpersonateClient. ImpersonateSelf ,
.
, , SID- .
Security Support Provider
Interface (SSPI) ImpersonateSecurityContext . SSPI-
, LAN Manager 2 Kerberos. , COM,
API-, CoImpersonateClient.

.
. (,
, ,
.)
. , ,
(
)

. ( .)

, . LogonUser Windows. LogonUser
, ,
, (, ,
) , . , , ,
. ,
,
LogonUser, , API- CreateProcessAsUser,
, ,
. ,
. , ,
, , .
,
Windows .
, , security quality of service
(SQOS). ,
595
Windows- CreateFile SECURITY_ANONYMOUS, SECURITY_

IDENTIFICATION , SECURITY_IMPERSONATION SECURITY_DELEGATION .

:
SecurityAnonymous
SecurityIdentification -
(SID-) ,
.
SecurityImpersonation .
SecurityDelegation . .
, RPC, (, RPC_C_IMP_LEVEL_IMPERSONATE).
,
Windows SecurityImpersonation. CreateFile

SECURITY_EFFECTIVE_ONLY SECURITY_CONTEXT_TRACKING:
SECURITY_EFFECTIVE_ONLY -
.
SECURITY_CONTEXT_TRACKING , , ,
, . ,

.
.
,
,
, LogonUser
,
.
, . , , ,
,
. ,
, ,
, LsaLogonUser,
.

CreateRestrictedToken.
596 6.
, , :
.
SID-
(deny-only). SID- ,
SID- ACE-,
ACE-, ,
SID .
SID- .
SID- , SID-
. ,
, .
, ,
,
. , , ,
, .

, UAC ,
. :
medium ().
SID-
, , .
, access
control list (ACL),
, , . ,
,

, .
Change Notify, Shutdown, Undock,
Increase Working Set Time Zone.
:
UAC-,
Explorer
, :
597
1. ,
.
2. (Start), (Programs),
(Accessories), (Command
Prompt),
(Run As Administrator).
(Administrator) .
3. , ,
.
4. Process Explorer
Security
() Properties (). , SID
(deny-only) Medium Mandatory Lavel
. ,
, ,
,
, .

Windows ,
( ),
Windows (. 4).
598 6.
Windows ,
Windows (, Local Service
Network Service), .
, Local Service,

, ,
.
,
. ,
,
, .

. NT SERVICE\, .
(Group
Policy), .
,
- .
Windows .
(Local System and other service accounts),
, .
:

, ,
Sc (service control, ), :
1. , , create,
Sc (service control)
, . srvany Windows
Resource Kit:
:\Windows\system32>sc create srvany obj= "NT SERVICE\srvany" binPath= "d:\a\
C
test\srvany.exe"
[SC] CreateService:

2. ( ,
)
. -
(Services) (services.msc),
(Log On)
(Properties).
599
3. .
NT SERVICE\_ . ,
,

, .
600 6.
4. Process Explorer
Security () Properties (), , ,

(SID).
5. (, ),
. (Security) (Properties) ACL,
, ,
(, NT SERVICE\srvany)
(srvany)
,
.
6. ( ) . srvany
.
7. , lusrmgr.
msc, ,
SAM .
System ( ),
HKLM\Security\Policy\
Secrets:
C:\>psexecsidc:\windows\regedit.exe
601

, ,
, .
, ,
, . -
602 6.
.
:
. SRM, -
. , -
. . 6.5.
SID . .
SID . ( POSIX).
Discretionary access control
list (DACL). , .
System access control list
(SACL). , .
6.5.
SE_OWNER_
DEFAULTED
(SID) , . ,

SE_GROUP_
DEFAULTED
(SID) , . ,

SE_DACL_
PRESENT
, DACL.
, DACL
NULL,

SE_DACL_
DEFAULTED

DACL. , DACL,
DACL, ,
. ,
DACL access
control entry (ACE). , SE_DACL_PRESENT
SE_SACL_
PRESENT
, system access control list (SACL)
SE_SACL_
DEFAULTED

SACL. , SACL,
SACL .
, SACL
ACE. ,
SE_SACL_PRESENT
603
SE_DACL_
UNTRUSTED
, ACL, DACL
, .
ACE, SID-
SID ACE-
, ,
, ACL, ACL,
(
). GRANT ACE-
ACE-,
.
, ,
, DACL
. , DACL ,
SE_DACL_AUTO_INHERITED
, ,
, SACL
. , SACL ,
SE_SACL_AUTO_INHERITED
, DACL
ACE .

, SACL
ACE .

DACL
ACE-.
SACL
ACE-
,
.
8, ,

(self-relative format),
.
,
SE_SERVER_
SECURITY
SE_DACL_
AUTO_
INHERIT_REQ
SE_SACL_
AUTO_
INHERIT_REQ
SE_DACL_
AUTO_
INHERITED
SE_SACL_
AUTO_
INHERITED
SE_DACL_
PROTECTED
SE_SACL_
PROTECTED
SE_RM_
CONTROL_
VALID
SE_SELF_
RELATIVE
604 6.
(ACL) (ACE), .
ACL-: DACL SACL. DACL ACE-
SID ( , ),
(, , ..),
SID.
ACE-, DACL: , , , , ,
, ,
. , , ,
ACE , ACE
, . ACE-
, API- AuthZ
( ) ,
AuthZ
ACE.
,
Active Directory. ACE-
GUID, , ACE
( ,
GUID-). , GUID (128- , )
, ACE
Active Directory, ACE.
ACE ACE- *-callback , API- AuthZ.
, ACE, , ACL-.
DACL (
DACL), . DACL
( ACE-), .
ACE-, DACL-, ,
ACE, .
. -
-, .
. ACE , ACE
, ACE. .6.6,
Windows SDK,
ACE.
SACL ACE-, ACE- ACE- . ACE- ,
.
605
6.6. ACE
CONTAINER_
INHERIT_ACE
, , ,
ACE ACE-. ACE , NO_PROPAGATE_INHERIT_ACE
INHERIT_ONLY_ ACE, ACE

, .
, ACE ,
INHERITED_ACE , ACE . -
ACE
NO_
PROPAGATE_
INHERIT_ACE
ACE ,
OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE
ACE. ACE
OBJECT_
INHERIT_ACE
ACE
ACE. ,
, ACE
ACE, NO_PROPAGATE_INHERIT_ACE
Audit Log.
, .
DACL ACE, , , ACE-, ,
GUID, , ACE, GUID, ACE
. SACL- ,
. ,
ACE- DACL, ACE-
ACE- .
.6.5 DACL.
DACL
USER1

TEAM1
,
ACE
ACE
ACE
. 6.5. (DACL)
. 6.5, ACE USER1 . ACE TEAM1

, ACE
(Everyone) .
606 6.
:

.

. , ,
.
,
.
, . (
, Process Explorer AccessChk .)
1. .
2. !process 0 0 explorer.exe
Explorer:
kd> !process 0 0 explorer.exe
l
Peb: 7ffd4000 ParentCid: 0a84
PROCESS 85a3e030 SessionId: 1 Cid: 0aa4

DirBase: 0f419000 ObjectTable: 952cdd18 HandleCount: 1046.

Image: explorer.exe
3. !object ,
PROCESS :
lkd> !object 85a3e030
Object: 85a3e030 Type: (842339e0) Process
ObjectHeader: 85a3e018 (new version)
4. dt _OBJECT_HEADER ,
, :
lkd> dt _OBJECT_HEADER 85a3e018
nt!_OBJECT_HEADER
+0x000 PointerCount
: 0n497
+0x004 HandleCount
: 0n8
+0x004 NextToFree
: 0x00000008 Void
+0x008 Lock
: _EX_PUSH_LOCK
+0x00c TypeIndex
: 0x7 ''
+0x00d TraceFlags
: 0 ''
+0x00e InfoMask
: 0x8 ''
+0x00f Flags
: 0 ''
+0x010 ObjectCreateInfo
: 0x8577e940 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x8577e940 Void
+0x014 SecurityDescriptor : 0x97ed0b94 Void
+0x018 Body
: _QUAD
607
5. , !sd
.
, .
32- ,
,
, & 8. 64- ,
& 10.
lkd> !sd 0x97ed0b94 & -8
->Revision: 0x1
->Sbz1
: 0x0
->Control : 0x8814
SE_DACL_PRESENT
SE_SACL_PRESENT
SE_SACL_AUTO_INHERITED
SE_SELF_RELATIVE
->Owner
: S-1-5-21-1488595123-1430011218-1163345924-1000
->Group
: S-1-5-21-1488595123-1430011218-1163345924-513
->Dacl
:
->Dacl
: ->AclRevision: 0x2
->Dacl
: ->Sbz1
: 0x0
->Dacl
: ->AclSize
: 0x5c
->Dacl
: ->AceCount
: 0x3
->Dacl
: ->Sbz2
: 0x0
->Dacl
: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl
: ->Ace[0]: ->AceFlags: 0x0
->Dacl
: ->Ace[0]: ->AceSize: 0x24
->Dacl
: ->Ace[0]: ->Mask : 0x001fffff
->Dacl
: ->Ace[0]: ->SID: S-1-5-21-1488595123-1430011218-1163345924-1000
->Dacl
->Dacl
->Dacl
->Dacl
: ->Ace[1]: ->Mask : 0x001fffff
->Dacl
: ->Ace[1]: ->SID: S-1-5-18
->Dacl
->Dacl
->Dacl
: ->Ace[2]: ->AceSize: 0x1c
->Dacl
: ->Ace[2]: ->Mask : 0x00121411
->Dacl
: ->Ace[2]: ->SID: S-1-5-5-0-178173
->Sacl
:
->Sacl
: ->AclRevision: 0x2
->Sacl
: ->Sbz1
: 0x0
->Sacl
: ->AclSize
: 0x1c
->Sacl
: ->AceCount
: 0x1
->Sacl
: ->Sbz2
: 0x0
->Sacl
: ->Ace[0]: ->AceType: SYSTEM_MANDATORY_LABEL_ACE_TYPE
->Sacl
->Sacl
->Sacl
: ->Ace[0]: ->Mask : 0x00000003
->Sacl
: ->Ace[0]: ->SID: S-1-16-8192
608 6.
ACE: (S-1-5-21-14885951231430011218-1163345924-1000), System (S-1-5-18)
SID- Logon SID (S-1-5-5-0-178173). (S-1-16-8192), medium ().
ACL
, DACL ,

:
1.
, .
- (,
- \BaseNamedObjects
), ACE (ACE-,
) DACL,
SE_DACL_PROTECTED, .
2.
, , . ACE , , ,
. - ACE-,
ACL-,
. ( ACE-,
-, ,
.)
3. ACE, DACL .
Windows DACL-,
(, , LSA SAM).
4. , ACE-
DACL-, DACL,
( ) .
,
DACL. ,
SACL, , DACL, .
, ACE-
, , SE_SACL_
PROTECTED ( SE_DACL_PROTECTED,
DACL). , ACE SACL, SACL
609
. , DACL, SACL.
, ACE, ,
ACE- .
( , DACL ACE- DACL, SE_DACL_
PROTECTED, SACL ACE- SACL,
SE_SACL_PROTECTED.) ,
ACE- , ACE-,
ACL, ACE-,
. ACE-
:
, DACL, ACE,
, DACL,
ACE.
DACL ACE, ,
DACL ACE.
Active Directory, ACE
,
ACE, .
Active Directory, DACL ACE-,
, DACL.
, ACE- ACL
Windows.
- ,
, Active Directory, . API Windows, , SetEntriesInAcl, DLL-
(%SystemRoot%\System32\Ntmarta.dll), ,
-.

:
, ,
,
.
, ,
.
, Windows- DACL SeAccessCheck,
610 6.

.
(TOKEN_MANDATORY_NO_WRITE_
UP TOKEN_MANDATORY_NEW_PROCESS_MIN, ),
,
, DACL
. , , ,
, ,
DACL .
,
, , ,
, DACL .
, , , , ,
. Internet Explorer Protected Mode Internet
Explorer ,
,
,
.
, ,
NoRead-Up. ,
, , DACL ,
. , DACL
, . 6.6 , ,

.
. 6.6.

611

Windows User Interface Privilege Isolation (UIPI).
, ,
, ,
:
yy WM_NULL
yy WM_MOVE
yy WM_SIZE
yy WM_GETTEXT
yy WM_GETTEXTLENGTH
yy WM_GETHOTKEY
yy WM_GETICON
yy WM_RENDERFORMAT
yy WM_DRAWCLIPBOARD
yy WM_CHANGECBCHAIN
yy WM_THEMECHANGED

shatter attack (, , , ). UIPI

, , ,
, .
,

.
, API- ChangeWindowMessageEx.
,
Windows.
API- ChangeWindowMessageFilter , , .
ChangeWindowMessageFilter

,
, ,
.
UIPI
, (Osk.exe) (
, ), (UI Access).
612 6.
,
,
( 0x2000 0x3000)
, , .
, . ,
,
%SystemRoot% %ProgramFiles%.
,
,
,
:
,
Windows- Get
EffectiveRightsFromAcl. ,
MAXIMUM_ALLOWED,
API-, .
, ,
Windows- AccessCheck Access
CheckByType.
DACL:
1. DACL ( DACL),
.
2. (take-ownership), DACL (write-owner). (

.)
3. , SID
OWNER_RIGHTS- SID
.
(read-control) DACL (write-DACL).
4. ACE- (access-denied),
SID, SID- , ACE- (granted-access mask).
5. ACE- , SID, SID- ,
ACE- , .
DACL, .
613
,
.
.
Windows-, GetEffectiveRightsFromAcl,
, 2 , SID
.

, ,

DACL,
Windows SID Owner Rights SID.
SID :

. , ,

ACL- . ( .) SID ,

ACL .
. , , , , ,
- .
, - .
, Windows SID
. , SID , ,
, (, ), SID .
, , ,
, . SID
.
,

. Windows API, , , , . ,
, :
1. DACL ( DACL),
.
2.
(take-ownership),
DACL (write-owner).
, , DACL.
614 6.
3. , SID
OWNER_RIGHTS SID
.
(read-control) DACL (write-DACL).
, ,
DACL.
4. ACE- DACL .
ACE:
1) ACE , SID ACE
SID (SID- )
SID .
2) ACE , SID ACE SID ,
.
3) SID, SID ACE SID
.
4) ACE .
5) ACE , ACE ;
, . ACE
-
, .
6) DACL
, .
7) ,
SID,
ACE- DACL, , ,
SID ACE- SID
.
, DACL.
ACE-.
, ACE-, ACE
, ,
ACE . ACE , ,
.
Windows, SetSecurityInfo SetNamedSecurityInfo,
ACE- ,
ACE- . ,
,
, , NTFS-
. SetSecurityInfo SetNamedSecurityInfo -
615
ACE ,
.
. 6.7 , ACE.
, ACE- DACL
, ACE, ( Writers), ACE, .

: Dave C
1: Administrators
2: Writers

: Write ()
SID

DACL
ACL
Writers
ACE
Dave C
ACE
. 6.7.
,
DACL , SRM , . ,
,
, DACL . ,
,
,
. , Windows
( ) .
616 6.
,
DACL , ,
, . - DACL (
), DACL ,
DACL .
,

, Active Directory,
-

.
(Full Control) (Everyone)
(Administrator), , ACE- (Everyone) ACE- (Administrator),
, . , ,
ACL
ACE ACE.
(Permissions)
(Advanced Security Settings) ACE- DACL.
, DACL
ACE-
ACE- .
617

( ,
)
(Effective Permissions)
, (Advanced) (Properties).
, , .
618 6.
AuthZ API
Windows API- AuthZ
, ,
%SystemRoot%\
System32\Authz.dll . ,
, , Windows,
,
.
API- AuthZ
, SID- . , AuthZ AUTHZ_CLIENT_CONTEXT.
AuthZ Windows ,
AuthzAccessCheck AuthZ AccessCheck Windows API, SeAccessCheck .
, , AuthZ,
, AuthZ -
,
.
AuthZ Windows SDK.
,
, Windows NT , , .
, (SID)
, ,
identity-based access control (IBAC), ,
, DACL.
Windows
Claims Based Access Control (CBAC),
,
,
. ,
AppLocker. CBAC ,
DACL , , .
CBAC ACE- ( ACE)
ACE- *-callback, AuthZ API- SeAccessCheck.
SeSrpAccessCheck ACE-, CBAC , API- AuthZ.
, CBAC
, , AppLocker.
CBAC API CBAC, AuthZ.
AuthZ API 619
CBAC , :
, IT-.

Microsoft Outlook .

.
- ( ).
ACE-,
, . -
Unicode, :/._. :
64- , Unicode, .
ACE-
SDDL (Security
Descriptor Definition Language) ACE-
. SDDL :
AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid;(Conditional
Expression).
ACE (AceType) ACE XA ( SDDL_CALLBACK_ACCESS_ALLOWED), XD ( SDDL_CALLBACK_ACCESS_DENIED). , ACE-
(
AuthZ API AppLocker)
.
, . 6.7.
6.7.

exists _
.
(
) , _
: Contains any_of , ==, !=, <, <=, >, >=
_ ||
_
,
true
_ && , _
true
620 6.
6.7 ()

!(_)
Member_of{SidArray}

, SID_AND_ATTRIBUTES, , (SID) ,
SidArray
ACE- ,
, false, , true. ACE
API- AddConditionalAce
API- AuthzAccessCheck.
ACE ,
, :
Role () Architect (),
Program Manager ( ) Development Lead (
) Division () Windows.
ManagementChain ( )
John Smith.
CommissionType ( ) Officer (), PayGrade ( ) 6 (
General Officer ).
Windows
ACE-.

, ,
, . ,

, . ,
, Windows
, .

, , .
, ,
, .
,
, MMC-
Active Directory Active Directory Users and Groups, -
621
Local
Security Policy Editor (%SystemRoot%\System32\secpol.msc).
(Administrative Tools)
(Control Panel) (Start) (
). .6.8 (User Rights Assignment)
(Local Security Policy Editor),
,
Windows. , -
. 6.8.

622 6.
. ,
, ,
.

. , ,
LsaLogonUser. Winlogon, , API- LogonUser
, LogonUser LsaLogonUser. LogonUser , , ,
, , .
Local Security Authority (LSA)
, , LSA
. LSA , ,
, , ,
. . 6.8 , Windows.
6.8.

Deny logon locally ( - ), Allow logon

,
locally (
)
Deny logon over the network (
), Allow
logon over the network (
)
Deny logon through Terminal Services

(
), Allow logon
through Terminal Services (
)
Deny logon as a service (

),

Allow logon as a service (

)
Deny logon as a batch job (

), Allow logon as a batch job
( )
623
Windows- LsaAddAccountRights Lsa

RemoveAccountRights
, LsaEnumerateAccountRights ,
.
, ,
. ,
LSA , , . , ,

API- Windows OpenProcess, . . 6.9
, .

, API- PrivilegeCheck LsaEnumerate
AccountRights SeSinglePrivilegeCheck
SePrivilegeCheck . API-,
, ,
API-, ,
.
,
. , .
, ,
.
:
, ,
(Date and Time Control Panel) SeTimeZonePrivilege

:
1. Process Explorer
(Paused).
2.
(Adjust Date/Time). F5
Rundll32.
3. Rundll32 ,
(target) / (Time Date Control
Panel Applet), Timedate.cpl. Rundll32, DLL-
, DLL-,
, .
624 6.
4. Security () Properties () Rundll32.
, SeTimeZonePrivilege .
5. (Change Time Zone)

,
625
Properties (), .
Security () , SeTimeZonePrivilege .
6.9.
SeAssign
PrimaryToken
Privilege
,
NtSetInformationJob,

SeAudit
Privilege
API - ReportEvent
SeBackup
Privilege
NTFS
,
:
READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_
GENERIC_READ, FILE_TRAVERSE. ,

FILE_FLAG_BACKUP_SEMANTICS.
RegSaveKey
626 6.
6.9 ()
SeChange
NotifyPrivilege
NTFS, .
,

SeCreate
Global
Privilege

, ,

SeCreate
Pagefile
Privilege
NtCreatePagingFile,
SeCreate
Permanent
Privilege
- )
SeCreate
SymbolicLink
Privilege
NTFS
API-
CreateSymbolicLink
SeCreate
TokenPrivilege

NtCreateToken,
SeDebug
Privilege
,

NtOpenProcess NtOpenThread,
( )
SeEnable
Delegation
Privilege
Active Directory

SeImperso
natePrivilege
,

, ,
,
SeIncrease
BasePriority
Privilege
SeIncrease
QuotaPrivilege

627
SeIncrease
WorkingSet
Privilege

SetProcessWorkingSetSize
. VirtualLock

SeLoadDriver - NtLoadDriver
- NtUnloadDriver
Privilege

SeLock
Memory
Privilege
NtLockVirtualMemory, VirtualLock
SeMachine
Account
Privilege
SeManage
Volume
Privilege
SeProfile
Superfetch SingleProcess -
API-
Privilege
NtQuerySystemInformation
SeRelabel
Privilege
SRM ,
,
, ,

SeRemote
Shutdown
Privilege
Winlogon , - , InitiateSystemShutdown,

SeRestore
Privilege
NTFS
,
:
WRITE_DAC
WRITE_OWNER
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_WRITE
FILE_ADD_FILE
FILE_ADD_SUBDIRECTORY
DELETE
,
FILE_FLAG_BACKUP_SEMANTICS. RegSaveKey

628 6.
6.9 ()
SeSecurity
Privilege
- SACL ,
SeShutdown
Privilege
NtShut
downSystem NtRaiseHardError,

SeSyncAgent
Privilege
LDAP.
,
SeSystem
Environment
Privilege
NtSetSystemEnvironment
Value NtQuerySystemEnvironment Value

hardware abstraction layer
(HAL)
SeSystem
Profile
Privilege
NtCreateProfile, . ,
, Kernprof
SeSystemtime Privilege

SeTake
Ownership
Privilege
SeTcbPrivilege

,
ID
Plug and Play Plug and Play , BroadcastSystemMessageEx,
BSM_ALLDESKTOPS,
LsaRegisterLogonProcess NtSetInformationProcess , VDM
SeTimeZone
Privilege
SeTrusted
CredMan
Access
Privilege
,
, ,
.
Winlogon
629
SeUndock
Privilege
Plug and Play,

,
-,

SeUnsolicited InputPrivilege
Windows

:
Bypass Traverse Checking (
SeNotifyPrivilege) .
, .
1. ,
- .
2. Explorer
(Properties) (Security).
(Advanced) ,
.
, (Copy).
3. , . , (Deny)
.
4. (File)
(Open). .
5. (File Name) (Open) . .
, NTFS ,
.
, ,
, ,
.
. ,
, ,

.
630 6.

. ,
Lock Pages In Physical Memory,
(denial-of-service attacks),
. , (UAC)
, (high)
, :
(Debug programs). -
( Protected Process),
. , LSASS-,
, , Windows API- CreateRemoteThread,

. .
(Take ownership).
(
)
SID (owner) .
, DACL ,
DACL,
, .
,
, LSASS, ,
.
(Restore files and directories).
, ,
.
, .
(Load and unload device drivers).

.
, System,
, .
(Create a token object).
,

.
(Act as part of operating
system). LsaRegisterLogonProcess,
LSASS.
631
, , LSASS, LsaLogonUser,
.
LsaLogonUser ,
SID-,
,
.
,
,
SID-
.
, , ,

, ,
, .

, , .6.9,
. ,
ACL
ACL
SID
SID
SID
SID
ACL
ACL
ACL
ACL

ACL
SID
ACL
SID
SID
SID
SID
SID
SID
SID
ACL
ACL
. 6.9.
632 6.
ACL-,
. 2 3
, 1 .

, Windows-, ,
.
. : SeSecurity
Privilege SeAuditPrivilege.
SACL
SeSecurityPrivilege. , , SeAuditPrivilege.
. ,
, LSASS,
,
, .6.10.
( , , )
HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv.
. 6.10.
LSASS SRM, , .
LSASS , SRM,
633
(Event Logger). LSASS ( SRM) , , ,

.
SRM ALPC LSASS.

. , SRM, LSASS, SAM , LSASS
, API- AuthZ ,
. .6.11.
Audit calls
LSA
SAM
LSA
Windows
ALPC
RPC
ALPC

(SRM)

-
NTFS

NPFS

. 6.11.
LSA,
. SRM . ( ALPC),
ALPC-.
SRM LSASS. , SRM ,
LSASS, ALPC-.

, . (Audit
Object Access) ACE , .
,
, .
634 6.
, SRM ACL .
ACE- : . ACE
, ,
, ( ) ,
.

, .
, ,
, SDDL (Security Descriptor Definition Language).
, ,
, , ,
,
, .
.6.10 , ( ).
:

:
1. Explorer ,
. (Properties) (Security),
(Advanced). (Auditing)

. System
Access Control List .
635
2. (Add).
(Select User Or Group)
,
, (Everyone), (Check Names), OK. (Auditing Access
Control Entry)
.
3. (Successful) (Full control) (

).
OK,
(Properties).
4. Explorer, ,
.
5. Event Viewer
Security log. ,
. ,
.
6.
(Local Policies), (Audit Policy). (Audit Object Access),
(Success), .
7. Event Viewer Action (), Refresh
(). ,
.
8. Explorer, ,
.
636 6.
9. Event Viewer Action (), Refresh
(). ,
.
,
Event ID 4656, , .
Access Reasons.
, : READ_CONTROL
ReadAttributes. , ,
Access Control Entry.
ACE SID , ,
A:FA, , SID
Allowed (A) all file access methods (FA).

ACE- ,
,
,
, .
,
SACL .

AuditPol /resourceSACL.
, API- AuditSetGlobalSacl
AuditQueryGlobalSacl. SACL- , SACL- SeSecurityPrivilege.
637
:
AuditPol.
1. ,

( .6.10),
(Audit Object Access) , , . , SACL-,
, ,
,
- .
2. :
C:\> auditpol /resourceSACL

.
3.
:
C:\> auditpol /resourceSACL /type:File /view
C:\> auditpol /resourceSACL /type:Key /view
Global SACL . (, File Key .)

4.
:
C:\> auditpol /resourceSACL /set /type:File /user:yourusername /success /failure
/access:FW
,
(FW)
, .
, (, (Everyone)),
, _ \_ SID.
5. , Explorer
, .

.
6. auditpol SACL, 4:
C:\> auditpol /resourceSACL /remove /type:File /user:yourusername

HKEY_LOCAL_MACHINE\SECURITY\Policy\
638 6.
GlobalSaclNameFile HKEY_LOCAL_MACHINE\SECURITY\Policy\GlobalSacl
NameKey. Regedit.
exe System (), ,
.
, SACL-.

SACL- , SACL-
. , ,
SACL-
.

, .

,
, .6.12 (Advanced Audit Policy
Configuration).
. 6.12.

,
.6.10, , . ,
,
,
639
. ,
,
.
,
. , .
(Global Object Access
Auditing) (Advanced Audit
Policy Configuration)
(Global SACL), , , Explorer
.

( )
(Winlogon),
(LogonUI)
, LSASS, SAM
Active Directory. DLL-, . Kerberos
Windows , MSV1_0 Windows ,
Windows,
Windows 2000, , .
Winlogon , , .
, , ,
, LogonUI ,
.
Winlogon , , , . , Winlogon ,

, .
Winlogon . COM-, DLL-.
%SystemRoot%\System32\authui.dll
%SystemRoot%\System32\SmartcardCredentialProvider.dll, , PIN .
Windows . , ,
640 6.

.
Winlogon
, Winlogon (,
, , Winlogon ),
Windows- LogonUI.exe. , Winlogon ,
.
Winlogon LogonUI ,
- .
Winlogon ,
, RPC-
Win32k.sys. Winlogon LogonUI,
.
Winlogon LSASS,
. ,
. ,
, . 6.13.
Lsass
Other
LSA-
MSV1_0
LogonUI
ALPC
Kerberos
Winlogon
Kerberos
Key Distribution
Center
DLL

Active Directory
Active
Directory
SAM
SAM
SECURITY
. 6.13. ,
, LogonUI
DLL- , .
641
, . ,
Windows,
UNIX. UNIX Windows-
. .
Winlogon
, , Winlogon , , ,
:
1. (, \Sessions\1\
Windows\WindowStations\WinSta0 )
, . Winlogon
, ACE-, SID.
,
, Winlogon.
2. : (\Sessions\1\
Windows\WinSta0\Default, )
Winlogon (\Sessions\1\Windows\WinSta0\Winlogon,
). Winlogon
, Winlogon.
Winlogon, . , ,
Winlogon,
, . Windows
,
.
3. - ,
Winlogon. , Ctrl+Alt+Delete (Default) Winlogon LogonUI. ( ,
, Ctrl+Alt+Delete,
, Windows.)
, SAS , Winlogon.
4. ALPC- LSASS- LsaAuthenticationPort.

, ,
LsaRegisterLogonProcess.
5. Winlogon RPC-,
SAS,
642 6.
Win32k.
SAS.
Wininit (. 3) ,
1 2, 0, ,
, 0 .
SAS
SAS ,
Ctrl+Alt+Delete Winlogon
. Win32k.sys
Ctrl+Alt+Delete , Windows
( Win32k) ,
RPC- Winlogon, . ,
, , , ,
, ,
,
SAS Winlogon.
Windows- SetWindowsHook ,
, ,
. Windows,
,
Ctrl+Alt+Delete, , . , ,
, Winlogon.
Winlogon , . Winlogon ,
. Winlogon . (
Winlogon.)

, SAS
(Ctrl+Alt+Delete). SAS Winlogon
LogonUI,
. Winlogon SID ,
( , ). Winlogon
SID LSASS LsaLogonUser.
, SID , .
643
, ,
,
.
Winlogon LSASS- LsaLookupAuthenticationPackage.
HKLM\SYSTEM\
CurrentControlSet\Control\Lsa. Winlogon
LsaLogonUser.
, Winlogon
.
, .
Windows
: Kerberos MSV1_0.
Windows- MSV1_0 (%SystemRoot%\System32\
Msv1_0.dll), LAN Manager 2. LSASS MSV1_0 ,
Windows, Windows
2000,
. (, ,
.) Kerberos,
%SystemRoot%\System32\Kerberos.dll, , Windows. Windows Kerberos
Kerberos, ,
Kerberos. Internet RFC 1510. (
Kerberos - Internet Engineering
Task Force [IETF] www.ietf.org.)
MSV1_0 SAM-
, ,
, , .
MSV1_0 ,
.
SAM,
, MSV1_0 LSA .
MSV1_0
, SAM.
, MSV1_0 LSASS, LSA (
SECURITY). , MSV1_0 LUID
LSASS, , . ( , SID , SID-
.)
MSV1_0
,
Windows, Windows 2000, MSV1_0
644 6.
Netlogon Netlogon
. Netlogon
MSV1_0 , , .
, MSV1_0 ,
-, ,
, .
.
, EFS-
, .
Kerberos
MSV1_0.
( ),

. Kerberos TCP/IP ( 88)
Kerberos. Kerberos Key Distribution Center (%SystemRoot%\
System32\Kdcsvc.dll), Kerberos,
LSASS- .
Active Directory
, %SystemRoot%\System32\Ntdsa.dll, Kdcsvc LSASS , ,
,
( ).
Kerberos ,
, .
Kerberos
Windows,
.
, LSASS
,
, , . ,
. LSASS
, , Winlogon, , ,
. , LSASS (, Everyone,
645
Interactive ..). LSASS SID-

.
LSASS , .

.
LSASS , , Winlogon, .
, . LSASS
Winlogon , LUID ,
, .
:

LUID , Windows
.
LogonSessions
Sysinternals, LsaEnumerateLogonSessions
( Windows SDK):
C:\>logonsessions
Logonsesions v1.21
Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com
[0] Logon session 00000000:000003e7:
User name:
KERNELS\LAPT8$
Auth package: NTLM
Logon type:
(none)
Session:
0
Sid:
S-1-5-18
Logon time:
2012-01-16 22:03:38
Logon server:
DNS Domain:
UPN:
[1] Logon session 00000000:0000cf19:
User name:
Auth package: NTLM
Logon type:
(none)
Session:
0
Sid:
(none)
Logon time:
2012-01-16 22:03:38
Logon server:
DNS Domain:
UPN:
[2] Logon session 00000000:000003e4:
646 6.
[3]
[4]
[5]
[6]
User name:
Auth package:
Logon type:
Session:
Sid:
Logon time:
Logon server:
DNS Domain:
UPN:
Logon session
User name:
Auth package:
Logon type:
Session:
Sid:
Logon time:
Logon server:
DNS Domain:
UPN:
Logon session
User name:
Auth package:
Logon type:
Session:
Sid:
Logon time:
Logon server:
DNS Domain:
UPN:
Logon session
User name:
Auth package:
Logon type:
Session:
Sid:
Logon time:
Logon server:
DNS Domain:
UPN:
Logon session
User name:
Auth package:
Logon type:
Session:
Sid:
Logon time:
Logon server:
DNS Domain:
UPN:
KERNELS\LAPT8$
Negotiate
Service
0
S-1-5-20
2012-01-16 22:03:40
00000000:000003e5:
NT AUTHORITY\LOCAL SERVICE
Negotiate
Service
0
S-1-5-19
2012-01-16 22:03:40
00000000:00021ed2:
NT AUTHORITY\ANONYMOUS LOGON
NTLM
Network
0
S-1-5-7
2012-01-16 22:03:46
00000000:000882c2:
LAPT8\jeh
NTLM
Interactive
1
S-1-5-21-1488595123-1430011218-1163345924-1000
2012-01-17 01:34:46
LAPT8
00000000:000882e3:
LAPT8\jeh
NTLM
Interactive
1
S-1-5-21-1488595123-1430011218-1163345924-1000
2012-01-17 01:34:46
LAPT8
647
, , SID ,
,
. , Negotiate,
2 , Kerberos NTLM, ,
.
LUID Logon Session ,
Handle ( Sysinternals)
, . ,
5
, :
C:\Windows\system32>handle -a 882c2
Handle v3.46
System
pid: 4
type: Directory
D60: \Sessions\0\DosDevices\00000000000882c2
winlogon.exe
pid: 440
type: Event
DC:
\BaseNamedObjects\00000000000882c2_WlballoonSmartCardUnlockNotificationEventName
winlogon.exe
pid: 440
type: Event
E4:
\BaseNamedObjects\00000000000882c2_WlballoonKerberosNotificationEventName
winlogon.exe
pid: 440
type: Event
1D4:
\BaseNamedObjects\00000000000882c2_WlballoonAlternateCredsNotificationEventName
lsass.exe
pid: 492
type: Token
508: LAPT8\jeh:882c2
lsass.exe
pid: 492
type: Token
634: LAPT8\jeh:882c2
svchost.exe
pid: 892
type: Token
7C4: LAPT8\jeh:882c2
svchost.exe
pid: 960
type: Token
E70: LAPT8\jeh:882c2
svchost.exe
pid: 960
type: Token
1034: LAPT8\jeh:882c2
svchost.exe
pid: 960
type: Token
1194: LAPT8\jeh:882c2
svchost.exe
pid: 960
type: Token
1384: LAPT8\jeh:882c2
Winlogon HKLM\SOFTWARE\
Microsoft\Windows NT\Current Version\Winlogon\Userinit
.
( .EXE,
.)
Userinit.exe, ,
, HKCU\SOFTWARE\Microsoft\
Windows NT\Current Version\Winlogon\Shell, .
. , Userinit.exe HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\
Winlogon\Shell, Explorer.exe.
Userinit ( Explorer.exe
Process Explorer).

, , ,
648 6.
. Windows 7 Windows Server 2008/R2

, , .
, .

.
, ,
Object Identifier (OID), ,
, , (, ), (SID), ,
. ACE- DACL
SID
.
(group claim). ,
,
, , . ,
,
.

Windows ,
IT- IT-
. , OID , OID Active
Directory (SID-).
,
. , , ,
(,
- , ).
authentication protocols (AP)
OID- ,
. OID-
SID-, , , . OID
Active Directory.
,
Contractor (), Full Time Employee (
) Senior Management ( ), Contractor-Users, FTE-Users
SM-Users. Abby ,
Senior Management,
, ,
( SID ), ,
SM-Users. ( -
649
ACL) ,
FTE-Users SM-Users ( SID
ACE). Abby ,
, , ( ),
,
FTE-Users, SM-Users.
Toby, , , Contractor,
, ACE, FTE-Users
SM-Users.

Windows , ,
.
, Windows Biometric Framework , ,
, .
Windows Biometric Framework
.6.14. ,
Windows:
Windows Windows Biometric Service (%System
Root%\System32\Wbiosrvc.dll). ,
.
API Windows Windows Biometric API. Windows, WinLogon LoginUI,
.
API- , Windows.
API WinBioEnumServiceProviders.
API- %SystemRoot%\
System32\Winbio.dll.
Fingerprint
Biometric Service Provider.
, , Windows Biometric
Service.
,
. , ,
, DLL- :
yy , ,
. , , -
650 6.
Microsoft
IHV/ISV
Microsoft
IHV/ISV
IHV/ISV
API- Windows
Windows

Microsoft
Windows
UMDF
KMDF
WDM
IHV/ISV
. 6.14. Windows Biometric Framework
Windows- -.
Windows ,
, Windows Biometric
Device Interface (WBDI).
.
yy ,
,
. DLL- , DLL
- . .
yy .
, . Windows ,
Windows,
. .
Windows Windows Biometric
Driver Interface. ( IRP, DeviceIoControl ..), ,

Windows.
WBDI Windows Driver Kit. WBDI-.
. WBDI

, USB. User-Mode Driver Framework (UMDF),
Kernel-Mode Driver Framework
651
(KMDF), Windows Windows Driver Model

(WDM). . Microsoft
UMDF USB.
:
1. . , , DeviceIoControl IOCTL_BIOMETRIC_CAPTURE_DATA
WBDI .
2. WBDI
IOCTL_BIOMETRIC_CAPTURE_DATA , .
3. . WBDI
, , IOCTL_BIOMETRIC_CAPTURE_DATA.
4.
Fingerprint Biometric Service Provider, ,
, .
5. , , .
6.

.
. , ,
.
7. ,
WinLogon DLL .

Advanced Local Procedure Call, ,
.

UAC ,
, . ( ) ,

,
-
652 6.
.

.
, UAC . -,
Windows
, ,
,
. -, UAC
, ,
, ,
.
UAC , ,
.
UAC ,
.
, UAC
,
,
. , ,
, , ,
, ,
.
, UAC.
Windows ,
, , .
, ,

, IT-,
ActiveX .
,
UAC, , . ,
, ,
, , , , API- ,
.
.

,
-
653
.

%AppData%,

HKEY_CURRENT_USER\Software .

%ProgramFiles% HKEY_LOCAL_MACHINE\Software,
Windows
UAC , , ,
.
Windows

.

, Windows , .
, Windows
, , .
Windows ,
:
64-.
, , 32- . 64-
,
,
.
.
.
.
.
, , , ,
, .
UAC
( requestedExecutionLevel, ).

. ,
UAC,
.
.
654 6.
( ,
)
UAC (UAC Virtualization),
. 6.15. Windows,
Desktop Window Manager (Dwm.exe), -
Client Server Run-Time Subsystem (Csrss.exe)
Explorer, ,
UAC , . Internet Explorer (Iexplore.exe)
,
ActiveX ,
.
. 6.15.
,
. , , ,
,
, , . Windows
,
. ,
.6.10. ,
655
.
6.10. UAC
ElevateCreateProcess
CreateProcess ERROR_ELEVATION_
REQUIRED (application information service)

ForceAdminAccess
VirtualizeDeleteFile
LocalMappedObject
VirtualizeHKCRLite
COM ,
VirtualizeRegisterTypeLib
typelib-

, ,
%ProgramFiles%, %ProgramData% %SystemRoot%,
. , , .exe, .bat, .scr, .vbs .,
. , ,
,
, , .
, ,
%LocalAppData%\VirtualStore. Local
, (roam)
,
(roaming profile). Explorer , ,
(Compatibility Files), .6.16.

VirtualStore .
UAC UAC File Virtualization Filter Driver (%SystemRoot%\System32\
Drivers\Luafv.sys). ,
, . .6.17,
656 6.
. 6.16.
Windows Vista

\Windows\App.ini

Luafv.sys

\Users\<user>\AppData\
Local\VirtualStore\
Windows\App.ini

\Windows\App.ini
Ntfs.sys
Access
denied!
. 6.17. UAC
,
,
.
\Windows , UAC,
657
, ,
, .
,
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\Luafv\Parameters\ExcludedExtensionsAdd .
.
: ,

UAC:
1. (
UAC)
. ,
UAC (UAC Virtualization)
, .
2. C:\Windows
:
echo hello-1 > test.txt

3. :
dir test.txt
, .
4. ,
(Processes) , UAC (UAC Virtualization),
, 3. , .
VirtualStore :
dir %LOCALAPPDATA%\VirtualStore\Windows\test.txt
5. .
6. ,
, ,
2 3, hello-2.
7. , :
echo test.txt
658 6.
8. , test.txt:
del test.txt
6 . ,

,
.

,
, ,
.

, .
HKEY_LOCAL_MACHINE\Software, :
HKLM\Software\Microsoft\Windows
HKLM\Software\Microsoft\Windows NT
HKLM\Software\Classes
, , . Windows ,
HKEY_ CURRENT_USER\
Software\Classes\VirtualStore.
Classes, %LocalAppData%\Microsoft\Windows\UsrClass.dat, ,
, . , Windows
, ,
. 6.11.
659
6.11.
REG_KEY_DONT_
VIRTUALIZE
, .
,
REG_KEY_DONT_
SILENT_FAIL
REG_KEY_DONT_VIRTUALIZE ( ), , ,
, ,
, MAXIMUM_ALLOWED ( , ). ,

REG_KEY_
RECURSE_FLAG
,
()

Windows
Reg.exe flags. , .6.18 , HKLM\Software , Windows (
)
REG_KEY_DONT_SILENT_FAIL.
. 6.18. UAC Software Windows
, , (. 4).
, ,
,
, UAC-
. .6.19.

,
,
660 6.
HKLM\Software\App

Ntoskrnl.exe
HKCU\Software\Classes\VirtualStore\
Machine\Software\App
. 6.19. UAC
. ,
.
Windows ,
. ,
, , ,
,
, .
, UAC ,
. ,
, .
Windows , , , .
, , ,
,
. ,
, , ,
.

Windows run
as ( ), ,
661
, .
, , , . ( .)

, Windows , , Admin Approval Mode (AAM).
:
.
Windows ,
AAM, , Windows
, ,
.

.
( ,
, ),
over-the-shoulder (OTS), , ,
,
. , AAM-, ,
.
, , AAM-
-, .
, Windows
, , ,
Windows , .
, ,
application information service (AIS,
%SystemRoot%\System32\Appinfo.dll), - (%SystemRoot%\System32\Svchost.exe) Consent.
exe (%SystemRoot%\System32\Consent.exe). Consent
, ,
, ( ),
,
.
, ,
.
662 6.
Windows,
Microsoft, Windows,
,
.6.20, , .
Microsoft, -
Microsoft, Windows, ,
. , ,
, , . ,
, ,
:
(Unknown publisher).
.
(Show details)
, ,
.
. 6.20. AAC UAC,

OTS-, .6.21, ,
.
.
663
. 6.21. OTS-
, Windows
, .
, (Yes), AIS
CreateProcessAsUser . AIS
, AIS
API- CreateProcessAsUser,
,
. (
5 .) , Process
Explorer, , -
AIS. .6.22 , .

. , Explorer,
(Run As Administrator)
. -
, ,
.
(Run As Administrator) Explorer
API- ShellExecute runas.
,
, ,
.
664 6.
Explorer
ShellExecute
(Admin.exe)

AppInfo
Consent.exe
CreateProcessAsUser
(Admin.exe)
Admin.exe
. 6.22.

, setup (), install () update ().
, , .
,
, .
,
,
RequireAdministrator RunAsInvoker.

requestedExecutionLevel
.
, . 6.12.
trustInfo ( eventvwr.exe) ,
UAC
requestedExecutionLevel. uiAccess ,
(UIPI).
665
6.12.

As Invoker (

,
,
Highest ()
Available Request
.

,
-; AAM
,

,
,
, ,

. ,
, Microsoft Management
Console
Event Viewer
Require Administrator

OTS,
AAM
,

, ,

-)
(
)
C:\>strings c:\Windows\System32\eventvwr.exe
...
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="highestAvailable"
uiAccess="false"
/>
</requestedPrivileges>
</security>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/
WindowsSettings">
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
...
, , Sysinternals Sigcheck:
sigcheck m <executable>
666 6.

. RequireAdministrator
Regedit.exe,
.
1. %SystemRoot% Regedit.exe
(, C:\
).
2. HKLM\Software\Microsoft\Windows NT\
CurrentVersion\AppCompatFlags\Layers
, Regedit.exe, c:\regedit.exe
3. RUNASINVOKER.
Regedit.exe , . (
.)
AAM, Regedit.exe
.
,
,
.

(
), Windows
-, . ,
- ,

;
.
. Windows.
, Windows (
Microsoft) : %SystemRoot%\System32 , %Systemroot%\Ehome ,
%ProgramFiles%, ,
Windows Windows Defender Windows Windows Journal.
, .
.exe, Mmc.exe, , autoElevate
.
EventVwr.exe.
667
Windows ,
autoElevate. Spinstall.exe, , Pkgmgr.
exe, . , Windows 7;
Windows, autoExecute
. ,
,
Windows, .
Mmc.exe , , . Mmc.exe
, .msc, ,
, . Mmc.exe
(
), Windows . Windows , Mmc.exe
Windows, .msc.
Windows executable, , ,
.msc,
.
, COM-
. Elevation REG_DWORD Enabled, 1. COM-,
,
Windows ,
.
UAC
UAC ,
.6.23. ,
(Control Panel) (Action Center)
(Change User Account Control
Settings). Windows 7
.6.23.
, .6.13.
, UAC-
, .
, , .
,

- , UAC.
,
UAC
. ,
668 6.
. 6.23.
6.13.
Windows,

,
,

(Run As
,
Administrator)

( )
UAC- UAC-

Windows
Vista
- UAC- UAC

Windows 7
669
UAC

UAC-

(
)
UAC
UAC
6.14. ,

ConsentPrompt ConsentPrompt EnableLUA

BehaviorAdmin BehaviorUser
PromptOn
SecureDesktop
2 (
(- AAC UAC )

)
3 (
OTS UAC

)
1 ()
1 ()
5 (
AAC UAC-

Windows)
0 (; UAC

(
)
0 (.
0

670 6.
, -, .

Internet Explorer. -
,
- OTS- ,
Windows, , Explorer
(Run As Administrator).
. 6.14, UAC HKEY_LOCAL_
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
. ConsentPromptBehaviorAdmin UAC- ,
,
ConsentPromptBehaviorUser UAC- ,
.
(AppID)
Windows ( SID
), (AppLocker,
, , ,
Rights Management Services ..)
.

, . AppID

API- .
, AppID, DCOM/
COM+, GUID , CLSID-, AppID,
Windows Live.
,
AppID . AppID :
, , -
, ,
. APPID://FQBN Fully Qualified Binary Name,
: {\\_,}.
Subject x.509, , -
(AppID) 671
: O = Organization (), L = Locality

(), S = State ( ) C = Country ().
. ,
. APPID://SHA256HASH.
SRP x.509 SHA-1 (APPID://SHA1HASH). APPID://SHA256HASH
SHA-256 .
. APPID://Path - (*).
AppID , ,
.
AppID ,
. AppLocker ACE ( ) ,
.
AppID , ,
.
, , . (.6.24).
. 6.24. , AppID,
.
672 6.
AppLocker
Windows 7 Windows Server 2008/R2 ( Enterprise
Ultimate) , AppLocker,
. Windows XP
Software Restriction Policies (SRP),
, SRP ,
. SRP . AppLocker SRP, SRP, AppLocker SRP.
AppLocker, SRP
Group Policy object (GPO),
AppLocker. , AppLocker
SRP, AppLocker,
AppLocker (
) , , ,
. AppLocker ,
.
AppLocker
:
(.EXE .COM);
(.DLL .OCX);
Microsoft Software Installer (.MSI .MSP) ,
;
Windows PowerShell (.PS1);
(.BAT .CMD);
VisualBasic (.VBS);
JavaScript (.JS).
AppLocker GUI- ,
, ,
, ACE- AppID-. AppLocker
:
, ;
, .

. ,
C:\Windows C:\Program Files,
.
AppLocker
. ,
AppLocker 673
. ,
, Finance security,
.
, Finance security,
( ), -
, .
Receptionists .
AppLocker ACE- , AppID.
:
, , -
,
, . ,
, Contoso Reader,
9.0 graphics
Contoso GraphicsShop,
14.*. , SDDL- , RestrictedUser (
SID ), ,
, Contoso:
D:(XD;;FX;;;S-1-5-21-3392373855-1129761602-2459801163-1028;
((Exists APPID://FQBN)
&& ((APPID://FQBN) >= ({"O=CONTOSO, INCORPORATED, L=REDMOND,
S=CWASHINGTON, C=US\*\*",0}))))
, ,
.
. ,
SDDL- ,
RestrictedUser ( SID ),
C:\Tools:
D:(XD;;FX;;;S-1-5-21-3392373855-1129761602-2459801163-1028;(APPID://PATH
Contains "%OSDRIVE%\TOOLS\*"))
, , ,
.
,
. , SDDL- , RestrictedUser ( SID ),
:
D:(XD;;FX;;;S-1-5-21-3392373855-1129761602-2459801163-1028;(APPID://SHA256HASH
Any_of {#7a334d2b99d48448eedd308dfca63b8a3b7b44044496ee2f8e236f5997f1b647,
#2a782f76cb94ece307dc52c338f02edbbfdca83906674e35c682724a8a92a76b}))
674 6.
AppLocker MMC- (Security Policy,

%SystemRoot%\System32\secpol.msc ) Windows
PowerShell , . AppLocker
:
HKLM\Software\Policies\Microsoft\Windows\SrpV2. HKLM\SOFTWARE\Wow6432Node\Policies\
Microsoft\Windows\SrpV2. XML.
HKLM\SYSTEM\CurrentControlSet\Control\Srp\Gp\Exe.
SDDL ACE.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
PolicyObjects\{GUID}Machine\Software\Policies\Microsoft\Windows\SrpV2.
AppLocker-,
Group Policy Object (GPO), XML.
, ,
HKLM\SYSTEM\CurrentControlSet\Control\AppID\CertStore. AppLocker
( HKLM\SYSTEM\
. 6.25. AppLocker

AppLocker 675
CurrentControlSet\Control\AppID\CertChainStore) ,
, (.6.25).
AppLocker PowerShell (
cmdlets), . .6.26
PowerShell ,
, AppLocker XML- ,

RestrictedUser.
AppID SRP (%SystemRoot%\System32\AppIdSvc.dll),
SvcHost.
, GPO,
AppLocker UI MMC- .
, AppID
(%SystemRoot%\System32\AppIdPolicyConverter.exe),
XML- ACE- SDDL, AppID AppLocker, , .
Srp\Gp. (SYSTEM)
(Administrators) -
. 6.26. Powershell,
, AppLocker
XML-,

676 6.
. AppID
,
.
(%SystemRoot%\System32\AppIdCertStoreCheck.exe)
, . AppID (%SystemRoot%\System32\
drivers\AppId.sys) AppID APPID_POLICY_CHANGED DeviceIoControl (.6.27).
,
, (.6.28), ( AppLocker ).
AppID, AppLocker SRP
, ,
, .
AppID LocalService, Trusted
Root Certificate Store. .
AppID :
;
;
AppLocker AppID.
AppID AppLocker
( DeviceIoControl) AppID,
ACL,
NT SERVICE\AppIDSvc, NT SERVICE\LOCAL SERVICE BUILTIN\Administrators.
, .
AppID (CreateProcessNotifyEx) PsSetCr
eateProcessNotifyRoutineEx. CreateProcessNotifyEx,
PPS_CREATE_NOTIFY_INFO (
). AppID,
, . SeSrpAccessCheck,
ACE- AppLocker, ,
. , STATUS_ACCESS_DISABLED_BY_POLICY_OTHER (Status)
PPS_CREATE_NOTIFY_INFO,
( ).
DLL DLL
DeviceIoControl AppID.
DLL,
ACE- AppLocker, ,
.
AppLocker 677
. 6.27. ,
,
XML
. 6.28. , AppLocker,
. Event
ID 8004 , 8002

678 6.
DLL , . ,
DLL, ,
(Advanced) AppLocker (Local Security Policy).
MSI- API SRP , ,

, . API- SRP
API- AuthZ
ACE-.

Windows , Software Restriction
Policies ,
.
,
.6.29, ,
.
. 6.29.

:
(Enforcement)
, DLL,
.
679
(Designated File Types) -
, .
(Trusted Publishers) , -
, .

, , (
Internet Explorer) , ,
(Disallowed) (Unrestricted).
(Enforcement),
, ,
.
:
Windows- CreateProcess, %SystemRoot%\System32\Kernel32.dll,
.
DLL Ntdll (%SystemRoot%\System32\Ntdll.dll)
DLL-.
Windows (%SystemRoot%\System32\Cmd.exe)
,
.
Windows Scripting Host, %System
Root%\System32\Cscri pt.exe ( ), %System
Root%\System32\Wscri pt.exe ( UI-) %SystemRoot%\
System32\Scrobj.dll ( ),
, .
, , HKEY_LOCAL_MACHINE\Software\
Microsoft\Policies\Windows\Safer\CodeIdentifiers\TransparentEnabled,
1 , . ,
, , CodeIdentifiers, , ,
. ,
, DefaultLevel CodeIdentifiers.

, .
,
, ,
. , , -
, ,
, .
680 6.
:

,
, .
1. secpol.msc,
,
(Software Restriction Policies).
2. , (Create New Policies).
3. %SystemRoot%\System32\Notepad.exe.
4. Process Monitor (include)
Safer. ( Process Monitor 4.)
5. (Notepad) .
Notepad ,
, , Process
Monitor (cmd.exe),
.
Windows , , . ,
. .
7.
Microsoft Windows ,
,
- API- Windows. , API-,
,
.
Windows , API-,
, Windows,
.
Windows .

Windows Open Systems
Interconnection (OSI). API-,
Windows, . , ,
,
. , ,
, , .
Windows
(
-) ,
,
. . , x y
z, , ,
z
, .
, .
, ,

. , .
OSI
, 1984 International
682 7.
Organization for Standardization (ISO)

.
Open Systems Interconnection (OSI).
, .7.1.
7
. 7.1. OSI
OSI , ,
.
,
. , . ,
, ,
, .
OSI
,
.
, ,
, OSI.
,
,
, , , .
(Physical).
OSI, - ( ,
, ).
, ,
, , ,
. . Ethernet
(IEEE802.3) Wi-Fi (IEEE 802.11).
Windows 683
(Datalink).
( ) ( )
, .
, ,
. ,
(, ,
, Ethernet).

.
,
.
,
wide area networks (WAN),
, local area networks
(LAN). LAN-, ,
802 IEEE
(Institute of Electrical and Electronics Engineers),

.
: Logical Link Control (LLC),
Medium Access Control (MAC). LLC-

802.x MAC,
LAN. MAC-
, , , ,
CRC- .. .
(Network).
,
. (
) ,
. ,
, ,
,
.
: , ,
(, , ), .
, ,
, ,
.
.
684 7.
(Transport).
.
,
,
.
.

.
(Session).
.
( ),
. ,
(), (),
. ,
,
.
,
.
(Presentation). , .
, ,
carriage return line feed (CR/LF),
carriage return (CR), , (little-endian)
(big-endian) ..
,
.
(Application). , ,
, , . ,
.
.7.1 , . , ,
. ,
, .
OSI.
( .) , TCP/IP ( OSI)
OSI.
(, , ) , -
Windows 685
, .
, , ( ) ,
.
Windows
.7.2 Windows, , OSI . OSI-
,
. :
API-,
, .
API-
, .
API-,
. ( , API ,
, .)
Transport Driver Interface
(TDI), , API-,
. TDI- ,
-
I/O request packets (IRP)
Windows Transport Driver Interface ( Windows Driver Kit).
. TDI
Windows . TDI- TDI Extension (TDX).
, ,
Winsock Kernel (WSK).
TDI- ( )
Network Driver Interface Specification (NDIS) ( ), . IRP- TDI- ,
IRP-.
, TDI- (, TCP, UDP () IP) , IRP,
NDIS- ( Windows Driver
Kit). TDI-, ,
,
, , .
686 7.
...

WinInet
WinHTTP
API
WinHTTP
API
WinInet
Winsock 2.0 API
( )
IIS 7 HTTP

Winsock
LSP #1
LSP #2
LSP #2 . . .
(LSP-

)
...

TCP/IP
...
UDP
Winsock
AFD.SYS
UDP
NetBIOS
NetBT.SYS

TDI WSK

TDI-TDI Extension Driver (TDX)
TCP/IP
IPSec
TCPIP.SYS
802.3
X.500 . . .
DNS
WAN
1394
HTTP.SYS
Winsock (WSK)
RAW
Loopback
API- Network Driver Interface Specification (NDIS)
ATM
ATM.SYS
LSP #1
API

TCP
UDP
...
Winsock
SPI-

HTTPAPI.DLL
SPI-
Winsock 2.0 SPI
Windows (WFP)
WS2_32.DLL
IP-
PPP/SLIP
(NetIO)
. 7.2. OSI Windows
Microsoft , TCP/IP -
, ,
, TCP/IP.
TCP/IP Winsock Transport Layer Network Provider Interface (TLNPI),
.
Windows 687
Winsock Winsock Kernel (WSK), -
API- , TDI.
WSK
, , Winsock , ,
-, - (IRP) , .
WSK IP 6 (IPv6)
Next Generation TCP/IP Windows.
Windows Windows Filtering Platform (WFP), API- ,
. WFP

Windows, .
, , .
WFP WFP callout drivers,
, , WFP ,
TCP/IP , , WFP.
NDIS (Ndis.sys), , (Network Interface Card, NIC),
-
(NDIS miniports),
Windows- . NDIS-
TCP/IP TDI.
- NDIS, , NIC.
- NDIS ,
NDIS- Windows. - NDIS
IRP-,
NDIS, ,
NIC, .
- NDIS ,
NDIS,
hardware abstraction layer (HAL).
.7.2 , OSI- . , WSK .

. ,
, .
,
.7.2 ( , ),
Windows.
688 7.
API
Windows API-, .
API
. , ,
API , API, ,
API, API (
) API
Windows, . API:
Windows Windows Sockets (Winsock);
Winsock Winsock Kernel (WSK);
Remote procedure call (RPC);
API- Web access API;
(named pipes) (mailslots);
NetBIOS;
API.
Windows
Windows- (Winsock) 1.0
Microsoft BSD (Berkeley Software Distribution),
API, 1980-
UNIX- . Windows UNIX Windows
. Winsock
BSD-, , Microsoft-specific,
. Winsock ,
, , 1.
Windows Winsock 2.2, ,
BSD Sockets, ,
- Windows,
,
BSD Sockets.
Winsock :
-, -
(scatter-gather), , .
Quality of Service (QoS), -

, , , QoS.
, ,
.
API 689
, Winsock
( ).
. , ,
Active Directory, , ,
Active Directory.
,
.
Winsock, , Winsock.
Winsock
Winsock Winsock API
. Winsock
, .
,
getaddrinfo ( freeaddrinfo, ). getaddrinfo ,
, ,
, . , , IP
4 (IPv4), IPv6 ()
,
IPv4, IPv6. (IPv6, IPv4.) Winsock
API-, , ,
Winsock. , , , connect
.
,
, API- recv send. ,
(connectionless),
API-, ,
send recv, sendto recvfrom. API- select WSAPoll
- .
Winsock
. Winsock API
, ,
bind. : TCP/
IPv4, TCP/IPv6 - , .
690 7.
, listen, ,
, Winsock ,
. accept, . ,
accept , ,
. ,
accept , . ( , ,
,
.) , recv send.
Winsock, select WSAPoll
,
Winsock- WSAEventSelect () -. .7.3 ,
.
listen
connect

accept
send, recv

. 7.3. Winsock,
, , , :
, . ,
, , , ,
( ).
, (
).
Winsock
, , BSD Sockets, Microsoft ,
BSD. , AcceptEx TransmitFile,
, , - Windows . AcceptEx
accept,
API 691
. AcceptEx accept,
. -
Winsock-, .
- , -. TransmitFile Windows,
.
(zero-copy), ,
( ) . ,
TransmitFile , ,
,
- ,
. Internet Information Services
(IIS), Windows, , AcceptEx, TransmitFile.
Windows API, ConnectEx, DisconnectEx TransmitPackets.
ConnectEx . DisconnectEx

AcceptEx ConnectEx. , TransmitPackets
TransmitFile, , , ,
. , WSAImpersonateSocketPeer
WSARevertImpersonation, Winsock
(. 6) .
Winsock
Winsock Windows API, ,
Winsock , , , , -.

Winsock .
Winsock Winsock
service provider interface (SPI). Winsock, Winsock
,
connect accept, ,
. ,
692 7.
, ,
.
;

.
Winsock Winsock layered service provider
(LSP) .
- Winsock ,
,
. , TCP/IP, , .
, -, -, - (IP-
:80, ,
HTTP). . ,
Active Directory,
Active Directory.
Winsock Winsock , getaddrinfo getnameinfo.
: Winsock

Network Shell (Netsh.exe), Windows,
netsh winsock show catalog
Winsock . ,
TCP/IP,
Winsock, TCP/
IP. Netsh, :
C:\Users\Toby>netsh winsock show catalog
Winsock Catalog Provider Entry
-----------------------------------------------------Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
API 693
Protocol Chain Length: 1
Description: MSAFD Tcpip [UDP/IP]
Version: 2
Address Family: 2
Socket Type: 2
Protocol: 17
Description: MSAFD Tcpip [RAW/IP]
Version: 2
Address Family: 2
Socket Type: 3
Protocol: 0
.
.
.
Name Space Provider Entry
-----------------------------------------------------Description: Network Location Awareness Legacy (NLAv1) Namespace
Provider ID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Name Space: 15
Active: 1
Version: 0
-----------------------------------------------------Description: E-mail Naming Shim Provider
Provider ID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Name Space: 37
Active: 1
Version: 0
-----------------------------------------------------
694 7.
Description: PNRP Cloud Namespace Provider
Provider ID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Name Space: 39
Active: 1
Version: 0
.
.
.
,
, , Autoruns Windows Sysinternals (www.microsoft.
com/technet/sysinternals).
Winsock
Winsock .7.4.
API DLL, Ws2_32.dll (%SystemRoot%\System32\Ws2_32.dll), Winsock Ws2_32.dll
,
. Mswsock.dll (%SystemRoot%\System32\
mswsock.dll) , Microsoft,
Winsock Helper
. , Wshtcpi p.dll (%SystemRoot%\System32\wshtcpi p.
dll) TCP/IP. Mswsock.dll
Microsoft Winsock, TransmitFile
WSARecvEx.
Windows DLL- TCP/IPv4,
TCPv6, Bluetooth, NetBIOS, IrDA (Infrared Data Association )
PGM (Pragmatic General Multicast).
DNS (TCP/IP), Active Directory (NTDS), NLA (Network
Location Awareness), PNRP (Peer Name Resolution Protocol) Bluetooth.
API- ( ), Winsock - Windows .
, Msafd.
dll (%SystemRoot%\System32\msafd.dll)
Ancillary
Function Driver (AFD %SystemRoot%\System32\Drivers\Afd.sys). AFD

Transport Layer Network Provider Interface (TLNPI)
, . TLNPI
AFD TCP/IP.
, Windows
TDI-TLNPI, TDX (%SystemRoot%\System32\Drivers\tdx.
sys) TDI IRP- TLNPI-.
API 695
Ws2_32.dll
Mswsock.dll, ...
Wshtcpip.dll, ...
SPI
Ntdll.dll
NtReadFile,
NtWriteFile,
NtCreateFile,
NtDeviceIoControlFile
AFD
TDI
NetBIOS
TLNPI
TDI
TCP/IP
. 7.4. Winsock
Winsock

API-, , , Windows
, Winsock Kernel (WSK). WSK
TDI API,
Windows, . TDI, WSK ,
,
. , WSK
Windows
TCP/IP, TDI .
.7.5, WSK Windows- Network Module Registrar (NMR), %SystemRoot%\
System32\drivers\NetIO.sys, ,
Winsock, . ,
Http.sys HTTP Server API (
) WSK-. NMR WSK ,
API-, ,
WSK (WskRegister, WskDeregister, WskCaptureProviderNPI
WskReleaseProviderNPI).
696 7.
Raw .
, .
WSK , .
(TCP/IP) . WSK , ,
.

-
Network Module
Registrar (NMR)
Winsock Kernel (WSK)
(TCP/IPv4)
(TCP/IPv6)
(Raw)
. 7.5. WSK
WSK
WSK .7.6.
WSK, TCP/IP Next Generation
TCP/IP Stack (%SystemRoot%\System32\Drivers\Tcpi p.sys)
NetIO (%SystemRoot%\System32\Drivers\NetIO.sys),
WSK AFD.
WSK API. TCP/IP ( .7.5). WSK
WSK, , WSK
API .
WSK WSK, .
WSK
NPI WSK
NPI WSK

WSK
WSK
. 7.6. WSK
API 697
WSK WSK NMR WSK, WSK , WSK ,

WSK API .
WSK- , WskSocket, WskAccept, WskBind,
WskConnect, WskReceive WskSend, (
) Winsock-
. , Winsock ,
WSK , ,
:
, -
.
.
, .
, .
, , ,
.
, WSK ,
. , ,
. WskAcceptEvent, WskInspectEvent,
WskAbortEvent, WskReceiveFromEvent, WskReceiveEvent, WskDisconnectEvent
WskSendBacklogEvent.
, Winsock , WSK , . , WSK.

Remote procedure call (RPC) ,
1980-. Open Software Foundation
( Open Group) RPC
distributed computing environment (DCE), . RPC-
SunRPC, Microsoft RPC OSF/DCE. RPC
API-,
Winsock, ,

.
698 7.
, RPC , , ,
.
RPC
RPC , , , ,
. , ,
,
.

-. , Windows
, -.
, , ,
.
, , , .
, - ,
.
RPC- . RPC-
,

. RPC- , RPC-
, .7.7,
.
RPC- . ,
-,
, ..,
RPC .
Windows RPC
, .

RPC

RPC
ServerFunction() {
...
}
ServerFunction()
-
RPC
-
RPC
. 7.7. RPC
API 699
RPC-, , , . , , (
, ).
, ,

, RPC-.
RPC- .
, , .
DLL-,
-, .
, - ,
DLL-.
DCOM, , . - , ,

. ,
,
.
- RPC ,
, , , , ,
. RPC-,
( , ),
, .
, ,
.
, , Windows RPC RPC,
RPC- , ,
, .
, , , RPC .
RPC ,
.
, ,
WaitForSingleObject, WaitForMulti pleObjects. asynchronous procedure call
(APC),
APC , RPC1. -,
APC , .
APC 3 .
700 7.
GetQueuedCompletionStatus, . , ,
RpcAsyncGetCallStatus.
RPC Microsoft
RPC ,
Microsoft Microsoft Interface Definition Language
(MIDL). MIDL- RPC- -. ( C C++),
, . ,
, , , ,
.
Interface Definition Language (IDL).
IDL- MIDL, - , , .
-,
.
, .
, RPC-,

RPC .
RPC RPC.
, RPC , RPC- , .
Windows RPC DLL-
, HTTP, TCP/IP UDP.
, RPC .
Windows RPC-,
, ,
. , , ,
, , ,
. API-, , RPC.
, , ,
RPC Active Directory. Active Directory
, RPC
NetBIOS. RPC
.
API 701
RPC
Windows RPC security support providers (SSP), RPC
. RPC
,
RPC,
. ,
. RPC .
, ,
, , , RPC-
RPC-. ,
. (principal name).
, RPC.
SSP , SSP.
SSP RPC, Winsock. Windows
SSP-, Kerberos SSP, Kerberos 5 ( AES), Secure Channel (SChannel),
Secure Sockets Layer (SSL),
Transport Layer Security (TLS). SChannel
TLS SSL,
AES, elliptic curve
cryptographic (ECC). , open cryptographic interface (OCI)
crypto-agile capabilities, SChannel .
SSP-
RPC . ,
RPC. , TCP, ,
RPC SSP .
RPC
.
RPC-
RpcImpersonateClient. RpcRevertToSelf
RpcRevertToSelfEx (. 6).
702 7.
RPC
RPC .7.8, , RPC DLL- RPC
(%SystemRoot%\System32\Rpcrt4.dll). RPC-, . DLL- RPC
RPC , RPC,
RPC-. RPC
, ,
DLL- RPC
API- advanced local procedure call (ALPC) (. 3).
RPC , DLL- RPC
API Winsock .
RPC (RPCSS %SystemRoot%\System32\Rpcss.dll) , Windows. RPCSS RPC-,

, .
( . 7.8, RPCSS, DLL RPC .)
Rpcrt4.dll

Winsock
LPC
Svchost.exe
Rpcss.dll
Ws2_32.dll
Winsock
Active
Directory
Ntdll.dll
FSD
AFD (Winsock)
. 7.8. RPC
Windows RPC ,
RPC- (%SystemRoot%\System32\Drivers\
Msrpc.sys). RPC ,
ALPC. Winlogon RPC-
,
RPC- , Win32k.sys RPC-,
Winlogon , -
API 703
secure
attention sequence (SAS). Windows TCP/IP ( WFP)
RPC ,
Network Storage Interface (NSI),
.
API- -
- Windows
, API- .
API-, HTTP- FTP- HTTP-, . API- Windows Internet,
WinInet,
FTP HTTP, WinHTTP, HTTP-. WinHTTP
, WinInet ( Windows-
). HTTP Server API- ,
- .
WinInet
WinInet HTTP, FTP Gopher. API-
API-, .
API-, FTP, InternetConnect HTTP, HttpOpenRequest, HTTP-, HttpSendRequestEx
, InternetWriteFile
InternetReadFileEx ,
TCP/IP- . API-, HTTP,
cookie-,
,
. WinInet Windows,
Windows Explorer Internet Explorer.
WinINet . WinHTTP.
WinHTTP HTTP v1.1

HTTP, , WinInet API, HTTP. WinInet HTTP API- ,
WinHTTP API- ,
HTTP-. Windows, ,
, API- WinInet.
, API- WinHTTP
704 7.
(, , 4)
, , API- WinInet.
HTTP
HTTP Server API, Windows,
HTTP- URL, HTTP- HTTP-. HTTP Server
API SSL,
HTTP-. API
, , IPv4, IPv6 . API HTTP
IIS Windows, HTTP .
HTTP Server API, %System
Root%\System32\Httpapi.dll, %SystemRoot%\
System32\Drivers\Http.sys. Http.sys HttpInitialize.
HttpCreateServerSession , HTTP Server API. HttpCreateRequestQueue
HttpCreateUrlGroup URL-, URL-, HttpAddUrlToUrlGroup . URL- (
HttpSetUrlGroupProperty), Http.sys
HTTP- (, 80),
HTTP-
URL-, .7.9.
HttpReceiveHttpRequest ,
URL-, HttpSendHttpResponse HTTP-. ,
GetOverlappedResult
-, .
Http.sys HttpAddFragmentToCache
( URL-) . Http.sys MmAllocate
PagesForMdlEx . (
Http.sys
.) Http.sys
,
, , , MmMapLockedPagesSpecifyCache,
MmUnmapLockedPages, . Http.sys
, -
API 705
.....
URL-
URL-
URL
URL
URL
URL
URL
.......
URL
URL-
URL
URL
...
URL
HTTP
. 7.9. HTTP- URL-

. Http.sys
, .
HttpSendHttpResponse, Http.sys
TCP/IP,
. Http.sys
, SSL, API
.
, HTTP Server API ,
, ,
, , ,
, SSL-.

(named pipes) (mailslots) API .
,
, .
, . Windows API- ,
706 7.
Windows-
,
.
, , Windows Universal Naming Convention (UNC),
Windows.
UNC- .

. , , .
\\\\_.
,
. (
.) DNS- (, mspress.microsoft.com), NetBIOS- (mspress) IP-
(131.107.0.1). Pipe,
_ , .
, \\MyComputer\Pi pe\MyServerApp\ConnectionPi pe.
Windows CreateNamedPi pe. \\.\Pi pe\_.
\\.\ Windows , , (
). ,
, , , , ,
, , , ,
, ,
.
API- ,
, , , ,
. , , ,
.

.
CreateNamedPi pe
, .
, ,
API 707
,
CreateNamedPi pe.
Windows- ConnectNamedPi pe, , ,
. ConnectNamedPi pe
, ( ).
Windows CreateFile CallNamedPi pe, ,
. ConnectNamedPi pe,
, ( ,
), (.
6). ,
,
, ConnectNamedPi pe .
Windows- ReadFile
WriteFile.
, , ,
. .7.10
.
\\Server\Pipe\AppPipe
. 7.10.
API ,
ImpersonateNamedPi peClient1. API
API-
TransactNamedPi pe.
, ,
. ,
, ,
.

, ,
. (multicast) , -
6, .
708 7.
,
,
(broadcast), . , ,
,
. , . (
),

, .
, Windows
API.
CreateMailslot. UNC \\.\Mailslot\__. , , , ,
, . CreateMailslot
,
. , CreateMailslot, ,
, , ,
, .
,
CreateMailslot ,
CreateNamedPi pe.
, ,
ReadFile , .
, ,
, ,
. ,
CreateFile, .
\\\Mailslot\__. (
\\.\.)
,
, ,
\\*\Mailslot\__,
, : \\_\Mailslot\__.
, , WriteFile.
- , 424. 424 ,
,
- ,
.
API 709
, 424.
.7.11 ,
.
\\Server1\Mailslot\AppSlot
\\*\Mailslot\AppSlot

\\Server2\Mailslot\AppSlot
. 7.11. ,

Windows,
Kernel32.
dll, Windows DLL- .
ReadFile WriteFile, ,
, Windows -.
CreateFile,
, , Windows -. ,
, .7.12, ,
(%SystemRoot%\System32\Drivers\Npfs.sys)
(%SystemRoot%\System32\Drivers\Msfs.sys).
Kernel32.dll
Ntdll.dll
NtReadFile, NtWriteFile,
NtCreateFile, NtCreateNamedPipeFile,
NtCreateMailslotFile

\Device\NamedPipe
Named pipe FSD
\Device\Mailslot
Mailslot FSD
. 7.12.
\Device\NamedPi pe \Global??\
Pi pe.
710 7.
\Device\Mailslot \Global??\Mailslot,
. (, \Global??, 3.) ,
CreateFile \\.\Pi pe\ \\.\Mailslot\,
\\.\, \Global??\, .
CreateNamedPi pe CreateMailslot NtCreateNamedPi peFile NtCreateMailslotFile,
IoCreateFile.
,
, , , H,

,
file-system driver (FSD) ,
. FSD- ,
, -, ( )
Server Message Block (SMB).
:
Windows -
FSD-
.
FSD-
, CreateFile.
Windows, ReadFile WriteFile.

FSD- .
FSD-
, .
:

Windows API FSD , API-. ,
, , , ,
CreateNamedPipe, PipeList
Sysinternals. PipeList :
C:\>pipelist
PipeList v1.01
API 711
by Mark Russinovich
http://www.sysinternals.com
Pipe Name
--------InitShutdown
lsass
protected_storage
ntsvcs
scerpc
net\NtControlPipe1
plugplay
net\NtControlPipe2
Winsock2\CatalogChangeListener-394-0
epmapper
Winsock2\CatalogChangeListener-25c-0
LSM_API_service
net\NtControlPipe3
eventlog
net\NtControlPipe4
Winsock2\CatalogChangeListener-3f8-0
net\NtControlPipe5
net\NtControlPipe6
net\NtControlPipe0
atsvc
Winsock2\CatalogChangeListener-2c8-0
net\NtControlPipe7
net\NtControlPipe8
net\NtControlPipe9
net\NtControlPipe10
net\NtControlPipe11
net\NtControlPipe12
142CDF96-10CC-483c-A516-3E9057526912
net\NtControlPipe13
net\NtControlPipe14
TSVNCache-000000000001b017
TSVNCacheCommand-000000000001b017
Winsock2\CatalogChangeListener-2b0-0
TermSrv_API_service
Ctx_WinStation_API_service
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
net\NtControlPipe15
keysvc
Instances
--------3
6
3
3
3
1
3
1
1
3
1
3
1
3
1
1
1
1
1
3
1
1
1
1
1
1
1
1
1
1
1
20
2
1
1
3
3
2
1
3
Max Instances
-------------1
-1
-1
-1
-1
1
-1
1
1
-1
1
-1
1
-1
1
1
1
1
1
-1
1
1
1
1
1
1
1
1
1
1
1
-1
-1
1
1
-1
-1
-1
1
-1
,
. , InitShutdown WinInit
, Atsvc
712 7.
,
.
Process Explorer, ,
.
Max Instances, 1, ,
.
NetBIOS
1990- API-
- Network Basic Input/Output System (NetBIOS)
API PC-.
NetBIOS ,
, ,
. Windows NetBIOS . Microsoft
NetBIOS, API-,
Winsock, . NetBIOS
Windows TCP/IP.
NetBIOS
NetBIOS , 16- NetBIOS-.
NetBIOS ,
.
NetBIOS,
.
.
Windows NT4,
Windows 9x/Me Windows
NetBIOS , 15 Domain Name System (DNS), . , mspress.microsoft.
com, NetBIOS- mspress.
, NetBIOS, LAN-
(LANA). LANA- NetBIOS- ,
. ,
TCP/IP NWLink ,
LANA-. LANA-
, NetBIOS- LANA,
.
,
, .
API 713
NetBIOS
NetBIOS NetBIOS API
LANA-, , NetBIOS-,
LANA.
, NetBIOS-
listen .
, NetBIOS- . ,
.
, , NetBIOS NetBIOS, NetBIOS- .
NetBIOS- .
,
send NetBIOS- .
NetBIOS ,
Netbios.
, NetBIOS MS-DOS
MS-DOS. NetBIOS- MS-DOS NetBIOS,
. Netbios-
Windows , , , , .
: Nbtstat
NetBIOS-
,
NetBIOS TCP/IP,
NetBIOS-, Windows Nbtstat. Nbtstat n, NetBIOS-, :
C:\Users\Toby>nbtstat -n
Local Area Connection:
Node IpAddress: [192.168.0.193] Scope Id: []
NetBIOS Local Name Table
Name
Type
Status
--------------------------------------------WIN-NLRTEOW2ILZ<00> UNIQUE
Registered
WORKGROUP
<00> GROUP
Registered
WIN-NLRTEOW2ILZ<20> UNIQUE
Registered
NetBIOS API
, NetBIOS API, .7.13. Netbios
%SystemRoot%\System32\Netbios.dll. Netbios.dll , NetBIOS- (%SystemRoot%\
System32\Drivers\Netbios.sys ),
Windows- DeviceIoControl. NetBIOS- NetBIOS-
714 7.
, , TDI-,
.
Netapi32.dll
Netbios
Ntdll.dll
NtDeviceIoControlFile
\Device\Netbios
NetBIOS
emulation driver
TDI
\Device\Netbt_XXX
NetBT
TDI IRP
TDX
TLNPI
TCP/IP
. 7.13. NetBIOS API
NetBIOS TCP/IP,
NetBIOS- NetBT- (%SystemRoot%\
System32\Drivers\Netbt.sys). NetBT NetBIOS, TCP/IP, NetBIOS,
NetBIOS
NetBIOS Extended User Interface (NetBEUI),
Windows, TCP/IP. , NetBIOS NetBEUI NetBIOS , NetBT TCP/IP.
API
Windows API,
API- (
). , :
Background Intelligent Transfer
Service (BITS),
API 715
Distributed Component Object
Model (DCOM);
Message Queuing (MSMQ);

Peer-to-Peer Infrastructure (P2P)
Plug and Play Universal Plug and Play (UPnP)
Plug and Play Plug and Play Extensions (PnP-X),
Windows- , .

Background Intelligent Transfer
Service (BITS) , API-, SMB, HTTP, HTTPS-. BITS
,
, ,
, BITS-
, .
BITS
, ,
( , 5).
, ( ) , . BITS 4.0
BranchCache ( )
.
BITS Windows,
Microsoft Update, Windows Update, Internet Explorer ( 9 ,
), Microsoft Outlook ( ), Microsoft
Security Essentials ( )
, BITS
.
BITS :
. BITS,
, .
,
, BITS .
, , .
, , ,
. , (, Windows Update),
, .
. BITS :
( ), ( )
( , ).
716 7.
. , -
( Foreground,
Background High, Background Normal, Background Low).
, . , BITS ,
, .
. BITS ,
, BITS API
. HTTPS.
. BITS API , , ,
, , .
BITSAdmin,
Windows, Windows PowerShell,
.
BITS
. , BITS , . IBackgroundCopyJob::Complete ( Complete-BitsTransfer
PowerShell), BITS , , .
, BITS .
BITS . BITS ,
. , PowerShell Windows Management Instrumentation
(WMI) Internet Information Services (IIS)
BITSAllowOverwrites True.
BITS , IIS- BITS-
IIS. BITS-
- ( POST HTTP), -
.
BITS- IIS , . ,
IIS .
BITS IIS
,
.
API 717
BITS
. ,
, . , BITS
, ,
,
.
IIS BITS Compact Server.
Compact Server ,

:
25 URL-, -
URL- .
, .
.
.7.14 , BITS- PowerShell,

BITS PowerShell.
.7.15 BITSAdmin,
, BITS PowerShell.
. 7.14. BITS PowerShell
718 7.
. 7.15. BitsAdmin
.7.16 BITS, .
. 7.16. BITS

(Peer-to-Peer Infrastructure)
API-,
Windows
API 719
(peer-to-peer, P2P) .
P2P- ,
.7.17.
API- WIn32

NSP
SSP
PNRP
Winsock API
Crypto API
Microsoft TCP/IP 6
. 7.17.
:
Peer-to-Peer Graphing.

.
Peer-to-Peer Namespace
Provider.
() .
Peer-to-Peer Grouping.
()
.
Peer-to-Peer Identity
Manager. ,
, ,
, API .
Windows
Peer-to-Peer Collaboration
Interface, P2P-
(, )
Real-Time Communications
(RTC), Windows.
People Near Me (PNM).
720 7.
DCOM
Microsoft COM API
, ,
. COM- -
. COM-
,
.
DCOM (Distributed Component Object Model ) COM, , , , COM- ,
- . , DCOM , . DCOM
API, RPC.

Message Queuing
,
(loosely coupled messaging). API .
,
,
,
. ,
, ,
.
,
Microsoft Transaction Server (MTS) SQL
Server, Microsoft
Distributed Transaction Coordinator (MS DTC). MS DTC
.
UPnP PnP-X
Plug and Play
, . , ,
,
, , , .
Plug and Play , ,
TCP/IP -,
.
API 721
Plug and Play ,

. , IP-,
. Control Point
API UPnP technology
.
, .
Plug and Play (PnP-X), .7.18, Windows,
Plug and Play.
PnP-X, , ,
, .
(, .)
Plug and Play

Network Explorer
IPBusEnum
DevNode
API-

WSD
SSDP
. 7.18. PnP-X
, PnP-X, UPnP- ( Simple Service Discovery Protocol), - ( WSDiscovery) Device Profile for Web Services (DPWS), PnP-X
,
IP (%SystemRoot%\System32\Ipbusenum.dll). IP
Plug and Play,
Plug and Play (,
). ( Bluetooth) ( USB), PnP-X-

Network Explorer.
DPWS v1.1 OASIS- 2009,

UPnP, UPnP.
722 7.

(
) UNC-, \\_\__\.
UNC-,
,
. ,
, UNC-
API- Windows
Windows Networking (WNet) API. SMB-
Microsoft SMB-,
, -, ,
. Microsoft
, WebDAV-,
NFS v2/v3 ( ) .
Windows .
, ,
UNC-. :
Multiple Provider Router (MPR),
DLL- (%SystemRoot%\System32\Mpr.dll),
, , Windows
WNet API .
UNC- Multiple UNC Provider (MUP),
(%SystemRoot%\System32\Drivers\Mup.sys), , , API-
- Windows UNC-
, UNC-.
(MPR)
Windows WNet- ( ) ,
, .
WNet API-
,
, . .7.19 ,
.
,
Windows . , WNet,
, .
723
WNet- SMB DLL-, .

DLL- .
WNet API
Ntlanman.dll
Mpr.dll
...
RPC
Ntdll.dll

MUP FSD
. 7.19. MPR
WNet, MPR DLL. MPR ,

, . DLL, MPR,
.
MPR , ,
WNet. SMB SMB Workstation,
%SystemRoot%\System32\Ntlanman.dll,
ProviderPath HKLM\SYSTEM\CurrentControlSet\
Services\LanmanWorkstation\NetworkProvider.
API- WNetAddConnection2 WNetAddConnection3
MPR
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder\
ProviderOrder, , .
, ,
. ProviderOrder , (Advanced Settings),
.7.20. ,
(Start)
.
724 7.
(Network Connections). Alt

.
(Advanced) (Advanced Settings),
(Provider Order).
. 7.20.
WNetAddConnection .
WNetAddConnection .
, , , , , ( FSD) .
.7.21 Session 0 DosDevices, LUID
, , .
, ,
,
MUP-. , MUP \Device\LanmanRedirector,
\Device\MUP ( , \Device) , , MUP-, -
. \Global?? ,
,
DosDevices.
WNet API ,
,
. -, FSD, .
725
. 7.21.
UNC- (MUP)
UNC- (MUP, %SystemRoot%\System32\Drivers\
mup.sys) , Windows
. ,
- ( Windows
Vista
). MUP - ( UNC- ,
) , . ,
(redirects) - .
MUP
,
.
MUP , , (>]),
. ,
, (HKLM\System\CurrentControlSet\
Control\NetworkProvider\Order\ProviderOrder) ,
, MUP . . ProviderOrder (HwOrder Order),
726 7.
ProviderOrder .
:
ProviderOrder
REG_SZ
RDPNP,LanmanWorkstation,webClient
HKLM\System\CurrentControlSet\
Services, NetworkProvider. ,
HKLM\System\CurrentControlSet\Services\RDPNP\NetworkProvider
:
DeviceName
DisplayName
Name
ProviderPath
REG_SZ
REG_EXPAND_SZ
REG_SZ
REG_EXPAND_SZ
\Device\RdpDr
@%systemroot%\system32\drprov.dll,-100
Microsoft Terminal Services
%SystemRoot%\System32\drprov.dll
DeviceName , . DisplayName . ( , , ,
DLL-.) Name , net use ,
. ProviderPath
DLL .
. ( RDPNP,
LanmanWorkstation, webclient.) ,
, , ,
, - MUP FsRtlRegisterUncProviderEx
RxRegisterMinirdr.
( ), , , UNC , (\\<_>\<__>[\<>]). , \\Server\Users\Brian\Documents

\\Server\Users, MUP , , ,
\\Server\Users\David\Documents\Chapter7.doc,
\\Server\Backups
. , (, \\Server), MUP
(, \\Server\Users, \\Server\WebDAV ..) .
MUP , ProviderOrder, , , HKLM\System\
CurrentControlSet\Services\<_>\NetworkProvider\DeviceName.
DeviceName ,
MUP, \Device\MUP\;LanmanRedirector. ( , , , MUP
.)
727
MUP , , .7.22.
CSC-
DFS
OS API

SMB
NFS
DAV
-

()
UNC-
SMBNFSWebDAV
MRxSMB10.SYS
CSC-
(
)
MRxSMB20.SYS
CSC
. 7.22. MPR UNC

Windows Vista (
Offline files) - SMB, DFS-N
(Distributed File System Namespace ) MUP. ,
Windows Vista .
DFS-N ,
MUP, Offline files
, -,
. :
728 7.
Offline Files (%SystemRoot%\System32\Drivers\csc.

sys), ,
, .
.
Distributed File System Client
(%SystemRoot%\System32\Drivers\dfsc.sys), ,
() ,
. ( DFS-N ,

.) DFSC .
, MUP , Offline files , ,
MUP Offline files -,
. DFS
.
, MUP
.
,
, . . UNC-,
, ,
, ( ,
). , Windows, :
DLL-, MPR -
, ,
, ,
;
, ,
RDBSS (Redirected Drive Buffering SubSystem
) (%SystemRoot%\
System32\Drivers\rdbss.sys). - -, .

:
DLL-
, ,
729
. , ( SVCHOST) \\\
_.
,
Transport Driver Interface (TDI) , , ,
Windows. ( , TCP/IP.)
.
, . ,
WebDav WebClient, , ,
WebDav, HTTP API-.
, , .
Windows API- -, . , ,
.
, (redirects) .
, Windows,
- , , -, RDBSS. RDBSS , -
. RDBSS MUP
FsRtlRegisterUncProviderEx.
- RDBSS RxRegister
MiniRdr, RDBSS MUP
FsRtlRegisterUncProviderEx. MUP (IRP-)
RDBSS, , ,
- , .
RDBSS ,
, IRP-s. - .
RDBSS , -
RDBSS
(,
FILE_FLAG_NO_BUFFERING API- CreateFile).
, .

. RDBSS -, ,
730 7.
() . , - SMB
opportunistic locks (
oplocks). oplock ,
, .
( )
( , ),
, .
, , , - .
-
,
. -
. ,
, ,
.
Windows -:
RDPDR (Remote Desktop Protocol Device Redirection -
),

(%SystemRoot%\System32\Drivers\rdpdr.sys).
SMB (Server Message Block ), ,
Windows (%SystemRoot%\System32\Drivers\MRxSMB.SYS). CIFS, Common Internet File System
-. MRxSMB.SYS (SubRedirectors), .
WebDAV (Web Differencing and Versioning), HTTP(S)- (%SystemRoot%\System32\
Drivers\MRxDAV.SYS).
MailSlot ( MRxSMB.SYS). , .
- ,
. ( , mailslot, -
.) - ,
SMB-.
Network File System (NFS) ,
Unix Services For Unix (SFU),
Windows,
731
(Programs and Features)1. -
2 3.
Offline Files,
, , SMB-.
MUP.

Server Message Block (SMB)
,
Windows, 1980- . SMB 1.0 (
, SMB) LAN, 10/
.
.
WAN- , . 1996 SMB
IETF - Common Internet File
System (CIFS). Microsoft CIFS/SMB
MS-CIFS MS-SMB.
SMB 2.0 Windows Vista Windows Server 2008
Windows. SMB 2.0 SMB, :
:
WAN-,
, LAN-;

;
, (
, );
;
;
(HMAC SHA-256 MD5);
;
Network Address
Translation (NAT);
.
1
Windows (Turn Windows Features On

Or Off), NFS (Services For NFS).
732 7.
2.1 SMB ( Windows 7 Windows

Server 2008/R2) , MS-SMB2. :
opportunistic lock (oplock),
,
.
( MTU), 64 1 ( ,
8 ).
SMB- SMB2
SMB,
. - SMB
,
, ,
SMB-. SMB2
SMB, , SMB, SMB2. SMB2,
SMB2,
SMB2.
SMB2. SMB2, SMB,
SMB1:
%SystemRoot%\System32\Drivers\MRxSMB.sys
.
%SystemRoot%\System32\Drivers\MRxSMB10.sys SMB 1.
%SystemRoot%\System32\Drivers\MRxSMB20.sys SMB 2.

Distributed File System
Namespace (DFS-N)
Windows.
,
,
. DFS-N
( ),
. , , Aura Corporation
: \\Development\Projects, \\Accounting\FY2012 \\Marketing\
CoolStuff.
733
DFS-N \\Aura\Teams, DFS-N- \\Aura\Teams\\Aura\Development, \\Aura\Teams\Accounting \\Aura\

Teams\Marketing. , \\Aura\
Teams\Marketing, \\Marketing\CoolStuff
. \\Marketing\
CoolStuff \\Aura\Teams\Marketing. ,
, \\
Marketing\CoolStuff\Presentations.
, DFS-N,
. DFS
, , , DFS DFS Replication (DFSR).
:
.

wide area network (WAN) .

, , . DFS-N-,
\\Aura\Teams\Accounting , , , \\AccountingEurope\FY2012
\\AccountingUS\FY2012. DFS-N-
(
Active Directory), , .
, DFS-N
, . DFS-N-
, , ,
, , ,
.
DFS Replication (DFS-R), . DFS-N
Windows- (%SystemRoot%\System32\Dfssvc.exe)
(%SystemRoot%\System32\Drivers\Dfs.sys). DFSSVC- DFS- DFS-
( , Active Directory systems),
Active Directory. DFS-
, , , .
DFS-N
MUP (%SystemRoot%\System32\Drivers\Dfsc.sys) MPR/WNet, %SystemRoot%\System32\
Ntlanman.dll. Distributed
File System Client (DFSC) , UNC-
DFS, ,
. DFS-N- SMB-. DFS-N-
734 7.
- .
MUP, DFSC -.
DFS-N MS-DFSC MSDFSNM.

Distributed File System
Replication (DFS-R) , .
, (,
, DFS-N-), DFS-R
\SYSVOL, Windows
1. DFS-R
(multimaster replication), , DFS-R
.
DFS- DFS-,
,
.
, DFS-R.

( ).
, , , .
Active Directory.
NTFS-,
DFS-R NTFS USN-.
DFS-R , WAN-, .
Remote Differential Compression (RDC) DFS-R ,
, . DFS-R
, , .
735
. Enterprise Datacenter DFS-R

RDC, RDC Similarity,
,
, ,
,
.
DFS-R Windows Server 2008 R2 , .
DFS-R Windows- (%SystemRoot%\
System32\DfsrS.exe), , , RPC
. WMI-
, - , , , DLL-
MSCS. DFS-R MSFRS2.

(Offline Files)
(client-side caching, CSC) ( ) ,
, .
, ,
SMB-.
,
Always Available Offline (
), . (Sync Center)
.
.
, . , ACL-,
%SystemRoot%\CSC. (
(Control Panel),
(Sync Center),
(Manage Offline Files), (Encryption)
(Encrypt)). COM
API- IOfflineFilesXxx.
(Sync Center) ( (Manage Offline
Files) (View Your Offline Files)).
736 7.
:
Files (). , .
NTFS- , NTFS-
.
Win32 (), , ACL ()
.
Scope ( ).
, .
DFS ,
DFS-. DFS- . DFS ,
.
NTFS-
:
,
.
, -
.
Extended
Attributes (EA). , , EA-,
,
, EA- , .
(.7.23) :
( %SystemRoot%\System32\cscsvc.dll),
SVCHOST.

. COM-, .
(%SystemRoot%\System32\Drivers\
csc.sys), MUP -. ,
-, .
,
-.
DLL- Explorer ( %SystemRoot%\
System32\cscui.dll) , , ,
() .
CSCUI %SystemRoot%\System32\cscobj.dll,
.
737
BranchCache
BranchCache Server
SMB
UNC-
(MUP)
(RDBSS)

SMB
. 7.23.
DLL- (%SystemRoot%\System32\cscapi.dll), -
Win32 API-
.
COM- (%SystemRoot%\System32\cscobj.dll),
COM API-
.

. , ,
.
Online
, , . .
,
. .
738 7.

, SMB-
.
Offline (Slow Connection)
( )
,
( ) Offline (Slow Connection),
. Windows 7
80
().
(%SystemRoot%\
gpedit.msc)
(Configure Slow-Link Mode).

- .
,
(Configure Background
Sync).
.
,
,
.

(.7.24).
. 7.24.
739
Offline (Working Offline)

,
Explorer (Work Offline).
. (Configure Background
Sync) ,
.
, Explorer
(Work Online).
Offline (Not Connected)

, .
,
.
, , ,
. ,
, ,
,
(Sync Center).
Offline (Need to Sync)
( )

, ,
( Offline (Need to Sync)
, .
, ,
,
, , .
,
.
, . , ,
, , . .
, . Explorer -
. , - .
-
740 7.
, ,
.
, , .
, ,
- .
, ,
, .

,
.

. ,
. , EFS ,
.

, .
, , Able Baker, , Able
, ,
Able. , Baker
, Baker ,
Baker,
.
, EFS, , ,
.
.

%SystemRoot%\CSC DACL,
,
, . .7.25, ,
( , 2.0.6)
, SID S-1-5-12, , ,
741
.
.
C:\Windows
\CSC
\v2.0.6
\namespace
<->
<->
< >
\temp
pq
sm
. 7.25.
.
Priority Queue (pq), SID- SID Map
(sm). (Priority Queue) ,

.
.
.
SID-
.
,
.
namespace
, . temp
,
, namespace . temp
.
742 7.

NTFS CscBitmapStream,
, ,
, ( ).
4.
.
, .
, , ,
, .
, .
BranchCache
BranchCache , , WAN-.
BranchCache ( ) , WAN-,
LAN- ,
, .
,
WAN-.
, ,
BranchCache , , URL-, , -, HTTP
, .
BranchCache CSC-, CSC
BranchCache. BranchCache
.
BranchCache , :
Server Message Block (SMB).
;
HTTP(S). -, , URL;
Background Intelligent
Transfer Service (BITS).
HTTP/TLS 1.1.
BranchCache . 7.26.

Office
CopyFile
Explorer
Office
SMB (CSC/SRV)
SharePoint
BITS
HTTP (WebIO/http.sys)
BranchCache
. 7.26. BranchCache
WMP
IE
BranchCache 743
.7.26 , BranchCache , .
BranchCache,
( ),
, BranchCache.

content information (CI), ,
. CI ,
. CI
BranchCache. -
, ,
BranchCache, ,
BranchCache, .
BranchCache , .7.27:
-. (
Windows Server 2008/R2 ) BranchCache,

BranchCache.

. 7.27. BranchCache
744 7.
. -,
,
.
.
, . , ,
, (
).
, ,

, , .
() , - 300 , ,
Web Services Discovery (WS-D).
BranchCache (end-to-end
encryption), IPsec. , CSC,

Windows ,
, .
BranchCache ,
. , BranchCache , WAN- . ,

-,
BranchCache ( ). BranchCache
:
AES-.
, , BranchCache
, 64.
( HKLM\System\CurrentControlSet\Services\PeerDistKM\Parameters\
MinContentLength.)

BranchCache
BranchCache ( , BranchCache WAN-, ,
BranchCache BranchCache -):
, -
, API- BranchCache
Server (PeerDistServerXxx).
, BranchCache
, ,
BranchCache 745

.
, BranchCache. ,
BranchCache ,
BranchCache-:
yy () , BranchCache, BranchCache (
BranchCache), BranchCache
, , ,
BranchCache.
API- PeerDistServer Xxx,
HTTPBranchCache BITS-BranchCache.
yy , BranchCache,
BranchCache

. . SMB-BranchCache.
, BranchCache, ,
BranchCache, WAN-
. BranchCache
WAN- . ,
BranchCache-,
, ,
, BranchCache
. , , BranchCache ,
BranchCache (,
- ) .
-
, .
, ,
, ,
.
, , , %SystemRoot%\ServiceProfiles\NetworkService\
746 7.
AppData\Local\PeerDistPub. , , NetSh:
netsh branchcache set publicationcache directory=C:\PublicationCacheFolder
netsh branchcache set publicationcachesize size=20 percent=TRUE
( ),
BranchCache, BranchCache,
.
BranchCache. 28 , ,
.
, ,
, %SystemRoot%\ServiceProfiles\NetworkService\
AppData\Local\PeerDistRepub. , , NetSh:
netsh branchcache set localcache directory=C:\BranchCache\Localcache
netsh branchcache set localcache size=20 percent=TRUE
BranchCache
,
. , BranchCache
, , .
, .
.
SMB-BranchCache , SMB-BranchCache (
) , SMB . ,
.
BranchCache (.7.28), (NetSh, .7.29)

, ( ).
BranchCache:
BranchCache %SystemRoot%\
PeerDistSvc.dll. BranchCache
, , , ( ).
HTTP %SystemRoot%\System32\
Drivers\PeerDistKM.sys.
Network Module Registrar (NMR)
http.sys HTTP-, .

BranchCache, -.
BranchCache 747
. 7.28. BranchCache

. 7.29. BranchCache
748 7.
FPI- BranchCache (PeerDistXxx)

%SystemRoot%\System32\PeerDist.dll,
BranchCache LRPC/ALPC-.
HTTP- BranchCache SystemRoot%\

System32\PeerDistHttpTrans.dll, ,
:
Peer Content Caching and Retrieval: Retrieval Protocol [MSPCCRR] BranchCache ()
-. MS-PCCRR
, , , HTTP.
- Web Services Discovery Provider

%SystemRoot%\System32\PeerDistWSDDiscoProv.dll,
WS-D- ,
LAN- ( ).
BranchCache Network
Shell Helper %SystemRoot%\System32\PeerDistSh.
dll Network Shell
(%SystemRoot%\System32\Netsh.exe),
BranchCache .
DLL- Network Shell HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\NetSh, Network Shell
DLL-.
API- BranchCache %SystemRoot%\System32\PeerDistHashPeerDistHash.dll (
Windows Server), API-
BranchCache ,
BranchCache. Windows-, BranchCache,
SMB Groveler, .
Hash groveler %SystemRoot%\
System32\smbhash.exe ( Windows Server). -, , .
BranchCache- . -
-, .
BranchCache ,
www.microsoft.com:
Peer Content Caching and Retrieval: Content

Identification, [MS-PCCRC],
.
:
Peer Content Caching and Retrieval: Discovery Protocol,
BranchCache 749
[MS-PCCRD], (multicast)
Web Services Dynamic Discovery (WS-Discovery)
[WS-Discovery]. WS-Discovery : .
IP .
(Content Discovery).
:
Peer Content Caching and Retrieval: Retrieval Protocol,

[MS-PCCRR], ,
, , - .
(Content Retrieval).
- Peer Content Caching and Retrieval: Hosted Cache Protocol,

[MS-PCHC], HTTPS
- - .
(Content Notification).
(HTTP) Peer
Content Caching and Retrieval: Hypertext Transfer Protocol (HTTP) Exten
sions, [MS-PCCRTP], , PeerDist, HTTP/1.1 HTTP/1.1
.
.
2.1 Server Message Block (SMB)
Version 2.1 Protocol, [MS-SMB2], 2.1

,
. () Metadata
(Hash) Retrieval.
SMB-BranchCache
, . client-side
caching (CSC). SMB Server Driver (srv2.sys)
-, ,
, SMB SMB Hash Generation Service
( ), ,
SMB.
750 7.

BranchCache: SMB-
, , BranchCache, ,
(.7.30).
,
SMB, CreateFile (
- , CreateFile, fopen)
. HTTP ( WinHTTP, WinInet),
, - ,
.
BranchCache SMB Windows
. , SMB
. ,
BranchCache . .
Branch
Cache
-
CSC
SMB

SMB
CSC
SMB
CSC-
. 7.30. BranchCache
HashGen
BranchCache 751

SMB.
, BranchCache , SMB-.
, ,
BranchCache, :
1. -
, :
.
,
.
( )
.
Branch
Cache.
64.
64 .
2. ,
.
3.
.
, . ,
SMB-
, ,
BranchCache-
.
4. ,
,
BranchCache.
5. BranchCache ,
- ( ). ,
,
.
6. BranchCache,
, BranchCache, 8
.
7. ,
752 7.
, BranchCache,
.
. ,
, BranchCache.
8. BranchCache,
BranchCache .
,
.
BranchCache,
BranchCache , BranchCache.
(
) ,
,
BranchCache. .
BranchCache,
SMB,
BranchCache, . ( .7.30.)

BranchCache:
HTTP
, , BranchCache, ,
.
,
HTTP,
HTTP-, API WinInet, API WinHTTP.
BranchCache HTTP , HTTP.sys , WinInet WinHTTP
. SMB-BranchCache,
BranchCache , ,
HTTP- ,
BranchCache. HTTP-BranchCache WAN- ( WAN-
), , BranchCache,
BranchCache.
1. HTTP-.
2. BranchCache,
HTTP ( WinInet, WinHTTP) , -
BranchCache 753
3.
4.
5.
6.
7.
8.
, PeerDist- HTTP (
[MS-PCCRTP]).
HTTP ,
WAN-.
HTTP- (HTTP.sys) . BranchCache, HTTP.sys HTTP- BranchCache (PeerDistKM.
sys),
( URL-
) BranchCache.
HTTP HTTP-
-, ( IIS
-) .
HTTP- ,

HTTP.sys.
BranchCache , HTTP.sys
PeerDistKM.sys.
HTTP-
( ) , :
yy PeerDistKM.sys BranchCache
, URL- .
yy HTTP.sys .
yy HTTP.sys
BranchCache.
9. ,
HTTP, , , ,
:
yy PeerDistKM.sys ,
BranchCache.
yy , ,
PeerDist-.
yy HTTP.sys (, , ) .
yy HTTP.sys , Branch
Cache .
10. . BranchCache, HTTP BranchCache, , ,
754 7.
11.
12.
13.
14.
BranchCache ,
.
BranchCache (
) , BranchCache- ,
- ( ).
- , BranchCache HTTP- , HTTP-

( , ).

, , .
,
HTTP- , .

, ,
www.microsoft.com Mycomputer, ,
192.168.1.1, .
, TCP/IP
, : Domain Name System (DNS),
Windows- Windows Internet Name Service (WINS),
Peer Name Resolution
Protocol (PNRP).

Domain Name System (DNS)
(RFC 1035 .), - ( www.microsoft.
com) IP-. ,
DNS- IP-,
DNS, UDP/IP (TCP/IP
, 512 ) DNS-.
DNS , IP-,
,
. DNS
, DNS Windows,
,
Windows.
DNS- Windows Windows (%SystemRoot%\
System32\Dns.exe), Windows.
DNS- ,
, DNS- Windows Active Directory.
755

Peer Name Resolution Protocol
(PNRP) ,

IPv6. , , ( ) IPv6-,
.
, IPv6-
.
PNRP DNS, , , ,
( ), .
. DNS , ,
DNS-. PNRP
,
, DNS . , PNRP
,
.
Peer Name Resolution Protocol [MS-PNRP]
www.microsoft.com.
PNRP Windows PNRP
API, getaddrinfo Winsock API, PNRP ID
( ),
.pnrp.net.
PNRP ( P2P ID) :
(Authority). (
) SHA-1 ,
.
, PNRP .
(Classifier).
, ,
.
.7.31, PNRP ID, PNRP P2P ID
128- ID, (Service location).
P2P ID . (PNRP
: , IPv6 , , IPv6-
fe80::/10 IPv4.)
756 7.

authority.classifier
} P2P ID
(128 )
(128 )
} PNRP ID
. 7.31. PNRP ID
PNRP
PNRP :
(Endpoint determination). -
IPv6-, ,
PNRP ID .
PNRP ID (PNRP ID resolution). , , IPv6, PNRP- PNRP ID . , , , PNRP
ID. , 4
, , .
PNRP ()
, ,
, ,
PNRP ID. :
,
PNRP ID. ,
, PNRP ID (, ID ).
,
PNRP ID,
ID. ,
, IPv6- ,
PNRP ID. IPv6- .
, ,
. ,
200, 350, 450, 500 800, .7.32
,
PNRP 800 ( ).
PNRP ID
PNRP-
( , ,
), .
757
B
450
E
4
800
3
200
1
2
4
1 PNRP PNRPID ,
500
800, PNRPID
IPv6-
500 ( ),
.
800
5 PNRP2 PNRPID 800,
D

- , 800,
.
350
, 6 ,

, 800.
.
3 PNRP-
PNRPID (450), .
. 7.32. PNRP
, , PNRP-
PNRP ID.
PNRP ID
, .

,
,
. Windows
Network Location Awareness (NLA),

,
Link-Layer Topology Discovery (LLTD),
.

Network Location
Awareness (NLA)
Winsock Winsock Namespace Provider (NSP) , -
758 7.
, .
, , NLA, ,
. NLA
, , ,
VPN- , .
IP-
DNS-
, NLA API-
. NLA API ,
. NLA :
Logical network identity. -
DNS-.
, NLA
, .
Logical network interfaces.
, , NLA , , NIC RAS- .
IP API- (%SystemRoot%\System32\i phlpapi.dll)
.

GUID . NLA
.
, , , , ,
. API-
WSALookupServiceXxx .
API Network
List Manager (NLM),\ INetworkListManager, INetwork, IEnumNetworks,
INetworkEvents ..

Network Connectivity Status
Indicator (NCSI) .
NLA NLA. , , NLA , . NCSI
759
NLA, NLA
. NCSI
-, , ,
.

, ,
, DNS- - .
,
Networking Tray Icon, Mini Map, Network Connection Wizard, Windows
Media Center, DirectAccess, Windows Update Outlook. NCSI . , NCSI .
NCSI , .

( ) NCSI
.
Network
Storage Interface (NSI), :
1) - . NSI
.
- ,
;
2. , ,
. ,
,
- ( ) ( ). NSI ,
.
IP- (, IPv4 IPv6)
, , ;
3) , -. IP- - Web Proxy AutoDetect (WPAD), DNS, , . NSI
TCP- .
-, ,
;
4) , Security Association (SA) IPSEC, , IPv6-,
,
( );
760 7.
5) , , NSI , IPv6-,
.
.
NSI-, NCSI
, . , NCSI ,
.

NCSI . , NSI-
DHCP.
NCSI , ,
, .
, 15 ,
. 15 (, )
,
.
NCSI DHCP-
( ). DHCP
, ,
.

NCSI , API
. NCSI
:
HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatus
Indicator

NCSI
, ( ) .

. http://www.
msftncsi.com/ncsi.txt
Microsoft NCSI. ,
.
NCSI -, , ,
761
-. , - HTTP.
-
, - .
, -, .
, IPv4, IPv6.
NCSI ,
, IPv4 IPv6, , IPv4,
.
,
,
-, - DNS-.
. DNS-
DNS- , dns.msftncsi.com.
- HTTP .
,
-. , -
. ,
- -. -
DNS, NCSI , -, .
, HTTP-, , . , NCSI , ,
( HTTP- ).
API- Network List
Manager (NLM) Shell
Service Object (SSO) PNIDUI (%SystemRoot%\System32\pnidui.dll),
, ,
. MAC-

-.
NSCI
(.7.33) .
Link-Layer
Link-Layer Link-Layer Topology Discovery
(LLTD) ,
. , Windows
Network Map LLTD
762 7.
. 7.33. NCSI
,
LLTD-. LLTD
Quality of Service (QoS), ,
. OSI,
LLTD
, .
Link-Layer Link-Layer Topology Discovery protocol
[MS-LLTD] www.microsoft.com.
LLTD , - LLTD LLTD Mapper I/O LLTD- LLTD
Responder.
. ,
IP, LLTD API- NDIS. LLTD-
.
, ,
.

- .
API . API-
, API-
. -
763
TCP/IP TCP/IP ,
Windows.
Defense Advanced Research Projects Agency (DARPA) TCP/IP 1969
, , TCP/IP
WAN- , WAN-. TCP/IP
Windows, .
, IPv4 TCP/IP-, IP- .

, . IPv6, 16- . Windows TCP/IP-, TCP/IP-
Next Generation TCP/IP Stack,
IPv4, IPv6, IPv6.
IPv6 IPv4 . TCP/IP-
,
:
Receive Window Auto Tuning.
TCP , , , .
,
.
, . Windows
TCP/IP- ,
.
TCP Compound TCP (CTCP).
.
CTCP , , .
, ,
, . CTCP
.
Explicit Congestion Notification (ECN).
TCP- ( ), TCP
, - ,
, . ECN , ,
764 7.
Windows TCP/IP-
.
, , .
ECN- ,
ECN
, . ,
ECN, Microsoft Internet
Connectivity Evaluation Tool (http://www.microsoft.com/windows/using/tools/
igd/default.mspx). .7.34,
ECN ( ).
. 7.34.
TCP
High-
loss throughput improvements,

NewReno NewReno Fast Recovery Algorithm, Enhanced Selective Acknowledgment (SACK),
Forward RTO-Recovery (F-RTO) Limited Transit. TCP-
, - TCP-.
TCP.
765
TCP/IP- (%SystemRoot%\System32\Drivers\
Tcpi p.sys), .7.35, TCP, UDP, IP, ARP, ICMP IGMP.
, NetBIOS,
TDI-, TDX (TDI translation TDI-),
, ,
, ,
-, TDI IRP-. TDX , ,
TDI-: \Device\Tcp6, \Device\Tcp, \Device\Udp6, \Device\Udp,
\Device\Rawi p \Device\Tdx.
Winsock
WSK
WSK
TDI
TDX
TCP/IP- (Tcpip.sys)
TCP
UDP
RAW
IPv4
802.3
WLAN
IPv6
Loopback
TDI
API
Windows
IPv4 IPv6
NDIS
. 7.35. Windows TCP/IP-
: TCP/IP
TCP/IP . !drvobj

!devobj ,
.
kd> !drvobj tdx
Driver object (861d9478) is for:
\Driver\tdx
Driver Extension List: (id , addr)
Device Object list:
861db310 861db440 861d8440 861d03e8
861cd440 861d2318 861d9350
lkd> !devobj 861cd440
Device object (861cd440) is for:
Tcp6 \Driver\tdx DriverObject 861d9478
766 7.
Dacl 8b1bc54c DevExt 861cd4f8 DevObjExt 861cd500
ExtensionFlags (0x00000800)
Unknown flags 0x00000800
Device queue is not busy.
lkd> !devobj 861db440
Device object (861db440) is for:
RawIp \Driver\tdx DriverObject 861d9478
Dacl 8b1bc54c DevExt 861db4f8 DevObjExt 861db500
lkd> !devobj 861d8440
Device object (861d8440) is for:
Udp6 \Driver\tdx DriverObject 861d9478
Dacl 8b1bc54c DevExt 861d84f8 DevObjExt 861d8500
lkd> !devobj 861d03e8
Device object (861d03e8) is for:
Udp \Driver\tdx DriverObject 861d9478
Dacl 8b1bc54c DevExt 861d04a0 DevObjExt 861d04a8
lkd> !devobj 861cd440
Device object (861cd440) is for:
Tcp6 \Driver\tdx DriverObject 861d9478
Dacl 8b1bc54c DevExt 861cd4f8 DevObjExt 861cd500
Tcp \Driver\tdx DriverObject 861d9478
Dacl 8b1bc54c DevExt 861d23d0 DevObjExt 861d23d8
Tdx \Driver\tdx DriverObject 861d9478
767
Dacl 8b0649a8 DevExt 00000000 DevObjExt 861d9408
Windows Filtering Platform

Windows , .
Windows Filtering Platform (WFP)
Windows, TCP/IP.
Network Address
Translation (NAT), IP-, IP-
IP- Internet Protocol Security (IPsec). .7.36 WFP TCP/IP-. :
(Filter engine).
, .
,
. , RPC
IPsec, , 10, ,
TCP/IP-, 50 .
(Shims). .

, .
: , , , ,
, (, ).
Base filtering engine (BFE). BFE (%SystemRoot%\System32\Bfe.
dll), WFP-. WFP-,
.
Callout drivers. , ,
, WFP.
, WFP
. ,
Network Address Translation IPsec.
768 7.
API-

(fwpucInt.dll)
API- API-

(fwpucInt.dll)
(fwpucInt.dll)
Ws2_32.dll
API-

(fwpucInt.dll)
RPC- ()
RPC-
()
API
(fwpucInt.dll)
RPC-
RPC-
(rpcrt4.dll)
IPsec- (
)
Windows
(mpssvc)
UM
IKE-
AuthIP
(ikeext)

(bfe)
UM RPC
IKE IPsec (v4/v6)
TCP/IP-
(tcpip.sys)
IOCTL-
IPsec

(IPv4/IPv6)
/ ALE-
(v4/v6)
/
(v4/v6)
API
(TCP/UDP)

/
(v4/v6)
API
( )
IP- /
(v4/v6)

IDS-

NAT

IPsec
KM
. 7.36. Windows
SFP- (fwpkcInt.sys)
769

Network Address Translation (NAT) , IP- IP-. NAT
IP-. NAT
IP- , IP-
. NAT IP- IP- ,
.
NAT- Windows NAT,
%SystemRoot%\System32\Drivers\i pnat.sys,
WFP , ,
,
.
IP-
Windows IP-,
,
IP-. ,

, ,
.
Windows
, Windows
. ,
TCP/IP-, ,
, , Windows WFP.
Windows,
(public), (private) (domain).
, ( ),
, , . ,
, , , ,
-, .
Windows, Svchost,
BFE , , IPNat. WFP

, IP-.
NAT
TCP/IP ,
, TCP/IP .
770 7.
Windows Microsoft Protection

Service (%SystemRoot%\System32\Drivers\Mpsdrv.sys),
PPTP- FTP-, .
, ,
.
, .

Internet Protocol Security (IPsec),
Windows TCP/IP-, 1
IP- , (eavesdropping), -
(sniffer attacks), , IP- (IP address
spoofing) man-in-the-middle ( ),
, , VPN.
IPsec
(defense-in-depth) , ,
, , ,
,
, . IPsec
,
.
IP-, ,
IPsec :
,
IP- ,
;
, IP-
;
,
IP-. ,
IPsec- , . ;
( ), IP-.
IP-
- -.

.
IPsec
IPsec- .
IPsec , Windows-.
771
IPsec IPsec- IPsec IP-

.
Active Directory ,
, IPsec- ( )
Group Policy objects (GPO)
Windows
(Advanced Security). ,
IPsec-. ,
Active Directory, Active Directory, .
.
IPsec AuthIP,
Microsoft- Internet Key
Exchange (IKE):
Kerberos 5 -
NTLMv2;
x.509;
SSL- ;
NAP;
( );
.
AuthIP , IPsec
IKE. Windows- IPsec IPsec- Requests for Comments (RFC). Windows IPsec-
Windows ,
IPsec (IPsec Policy Agent), IKE - Authenticated Internet Protocol (AuthIP),
IPsec WFP, :
Windows .
, Windows

IPsec,
, Active Directory.
IPsec. .
(Services) Microsoft Microsoft
Management Console (MMC), IPsec
.
IPsec- Active Directory , IP- IPsec,
IKE.
772 7.
Windows,
IPsec Active Directory.
IKE AuthIP. IKE , , IPsec.
IKE security
associations (SA) IPsec, , SA- IPsec.
IKE
, ,
. SA- IPsec ,
, ,
IPsec. SA-
, .
IPsec- IKE SA.
IKE- IKE SA IKE main mode
SA ( ISAKMP). (
IPsec) SA. AuthIP IKE,
Windows Vista , Windows 7 Windows Server
2008 R2 IKEv2, . IPsec.
IPsec WFP.
(%SystemRoot%\System32\Drivers\Fwpkclnt.sys), WFP , TCP/
IP. IPsec IP, ,
IP-. WFP IPsec
, ,
.
IPsec- SA-
SA-.

(New Connection Security Rule Wizard), .7.37,
MMC- Windows Windows Firewall with Advanced Security (%SystemRoot%\System32\
Wf.msc). ,
Active Directory.
Netsh netsh advfirewall
consec. IPsec- ,
Windows Netsh
netsh advfirewall monitor, IPsec
, .
NDIS- 773
. 7.37.
NDIS-
, , ,
.

( ),
,

. 1989 Microsoft 3Com
Network Driver
Interface Specification (NDIS),
. , NDIS,
NDIS- - NDIS. Windows 7 Windows
Server 2008 R2 NDIS 6.20.
NDIS (%SystemRoot%\System32\Drivers\Ndis.sys)
, ,
TCP/IP . NDIS
, NDIS-
, NDIS-. NDIS-
774 7.
, .
, NDIS, .7.38.
TCP/IP-
NDIS
(Net Buffer Lists, NBL)
NDIS-

NDIS -
()
NDIS
NDIS
()
NDIS
NDIS -

(HAL)
. 7.38. NDIS-
NDIS-,
NDIS NDIS- .
NDIS- -
Windows, , NDIS. NDIS-
, NDIS-
IRP-. , , TCP/IP,
NDIS-, NdisAllocateNetBufferList, NDIS, NDIS- (NdisSendNetBufferLists).
, TCP/IP- Windows
NET_BUFFER_LIST, TCP/IP
WSK, NDIS.
NDIS :
NDIS , ,
Windows
. .
, TCP/IP-
, DHCP.
NDIS- 775
NDIS ,
,
NDIS (NDIS Lightweight Filter). NDIS,
NDIS 6. ( NDIS 6, -
.)
.
TCP/IP, Chimney-.

TCP/IP, . NDIS
IPsec 2(IPsec Task Offload Version 2), , IPsec,
AES, IPv6. Chimney-
( chimney)
,
.

.

. NDIS receive-side
scaling (RSS) interface DPC, .
(wake-on-LAN) , , . ,
, (, ),
(TCP/IP-
Address Resolution Protocol
[ARP]), , , Ethernet-, ( , 16
Ethernet).

Ethernet, ,
, .
, ,
.
NDIS, Connection-oriented
NDIS (CoNDIS), NDIS- -
776 7.
( , WAN), ISDN- PPP.

, NDIS- NDIS- , ,
HAL.
: NDIS--
Ndiskd !miniports
!miniport, -,
, - (
, Windows -),
-. !miniports !miniport
- ,
-,
PCI Ethernet. (, - WAN
.)
lkd>.loadndiskd
LoadedndiskdextensionDLL
lkd> !miniports
NDIS Driver verifier level: 0
NDIS Failed allocations
: 0
Miniport Driver Block: 86880d78, Version 0.0
Miniport: 868cf0e8, NetLuidIndex: 1, IfIndex: 9, RAS Async Adapter
Miniport Driver Block: 84c3be60, Version 4.0
Miniport: 84c3c0e8, NetLuidIndex: 3, IfIndex: 15, VMware Virtual Ethernet
Adapter
Miniport Driver Block: 84c29240, Version 0.0
Miniport: 84c2b438, NetLuidIndex: 0, IfIndex: 2, WAN Miniport (SSTP)
...
lkd> !miniport 84bcc0e8
Miniport 84bcc0e8 : Broadcom NetXtreme 57xx Gigabit Controller, v6.0
AdapterContext : 85f6b000
Flags
: 0c452218
BUS_MASTER, 64BIT_DMA, IGNORE_TOKEN_RING_ERRORS
DESERIALIZED, RESOURCES_AVAILABLE, SUPPORTS_MEDIA_SENSE
DOES_NOT_DO_LOOPBACK, SG_DMA,
NOT_MEDIA_CONNECTED,
PnPFlags
: 00610021
PM_SUPPORTED, DEVICE_POWER_ENABLED, RECEIVED_START
HARDWARE_DEVICE, NDIS_WDM_DRIVER,
MiniportState
: STATE_RUNNING
IfIndex
: 10
Ndis5MiniportInNdis6Mode : 0
InternalResetCount
: 0000
MiniportResetCount
: 0000
References
: 5
NDIS- 777
UserModeOpenReferences: 0
PnPDeviceState
: PNP_DEVICE_STARTED
CurrentDevicePowerState : PowerDeviceD0
Bus PM capabilities
DeviceD1:
0
DeviceD2:
0
WakeFromD0:
0
WakeFromD1:
0
WakeFromD2:
0
WakeFromD3:
1
SystemState
DeviceState
PowerSystemUnspecified
PowerDeviceUnspecified
S0
D0
S1
S2
S3
D3
S4
D3
S5
D3
SystemWake: S5
DeviceWake: D3
WakeupMethods Enabled 2:
WAKE_UP_PATTERN_MATCH
WakeUpCapabilities:
MinMagicPacketWakeUp: 4
MinPatternWakeUp: 4
MinLinkChangeWakeUp: 0
Current PnP and PM Settings:
: 00000030
DISABLE_WAKE_UP, DISABLE_WAKE_ON_RECONNECT,
Translated Allocated Resources:
Memory: ecef0000, Length: 10000
Interrupt Level: 9, Vector: a8
MediaType
: 802.3
DeviceObject
: 84bcc030, PhysDO : 848fd6b0 Next DO: 848fc7b0
MapRegisters
: 00000000
FirstPendingPkt: 00000000
DriverVerifyFlags : 00000000
Miniport Interrupt : 85f72000
Miniport version 6.0
Miniport Filter List:
Miniport Open Block Queue:
8669bad0: Protocol 86699530 = NDISUIO, ProtocolBindingContext 8669be88, v6.0
86690008: Protocol 86691008 = VMNETBRIDGE, ProtocolBindingContext 866919b8, v5.0
84f81c50: Protocol 849fb918 = TCPIP6, ProtocolBindingContext 84f7b930, v6.1
84f7b230: Protocol 849f43c8 = TCPIP, ProtocolBindingContext 84f7b5e8, v6.1
Flags - , -
64- (64BIT_DMA),
(NOT_MEDIA_CONNECTED)
778 7.
, (SUPPORTS_MEDIA_SENSE).

, Plug and Play .
NDIS- -
NDIS NDIS- , NDIS-.
NDIS- -.
NDIS- - NDIS- , NDIS NDIS- -. NDIS-
, ,
.
NDIS- ,

, Microsoft
Network Load Balancing Provider. , NDIS-
lightweight filter drivers (LWF),
, . LWF-
.
-.
(
) , .
NDIS-,

,
(, PPP), Windows,
Windows. NDIS-, , API-,
NDIS-, NDIS-, , ,
.
- ,
, NDIS ,
-, :
(call managers) NDIS-,
, ,
. -, ,
()
, .
NDIS- 779

.
- Integrated miniport call
manager (MCM) -,
, , . MCM
NDIS- - .
, MCM
NDIS- -,
. , ,

, ,
,
, , .
.7.39.
,

NDIS-

NDIS
NDIS-
NDIS-
NDIS- ,
MCM-
. 7.39. NDIS-,
: Network Monitor

Microsoft Network Monitor, NDIS-
- NDIS- (Netmon). Network Monitor
http://www.microsoft.com/download/en/details.aspx?id=4865.
NetMon http://nmparsers.
780 7.
codeplex.com/,
Microsofts. Network Monitor , , .7.40.
. 7.40. Network Monitor

Select Networks ( ) Network Monitor , .
New Capture (
) .
, Start ()
. ,
(, -), , Network Monitor , Stop (). Frame
Summary ( )
. Network
Conversations ( ) , , , .
Iexplore.exe Network Monitor Frame
Summary ( ) ,
(.7.41).
HTTP-, Network Monitor - Microsoft Internet Explorer.
, Network Monitor , , Frame Details (
NDIS- 781
), ,
.
. 7.41. Network Monitor

Network Monitor , ,
.
, . Network Monitor
Microsoft v CodePlex (http://
nmparsers.codeplex.com).
Remote NDIS
Remote NDIS , USB, ,
NDIS -, USB WDM (.7.42).
Remote NDIS USB-.
NDIS- -, ,
USB. Remote NDIS
NDIS- , ,
.
782 7.
TCP/IP
NDIS
USB-
- NDIS
USB
USB
PCI
USB
USB
. 7.42. NDIS- - USB-
Remote NDIS, .7.43, Microsoft NDIS- -, %SystemRoot%\System32\Drivers\

Rndismp.sys, NDIS- USB. NDIS- - Remote NDIS USB-.
TCP/IP
NDIS
USB-
-
Remote NDIS
-
Remote NDIS USB
USB
USB
PCI
USB
USB
. 7.43. Remote NDIS USB-
USB ,
RNDIS Windows.
QoS
- , IP- , .
, -
NDIS- 783
, . ,
(,
), ,

Quality of Service (QoS), . , ,
,
enterprise resource planning (ERP). QoS

, ,
QoS1.
Windows QoS , TCP/IP (Next
Generation TCP/IP network stack), WFP NDIS- .
, , IP- ,
. QoS
Active Directory, .
QoS ,
. IP-, Differentiated Services Code Point (DSCP). ,
DSCP,
. QoS Windows
DSCP-,
.

, QoS
.
.7.44, Windows QoS
. , QoS
(%SystemRoot%\System32\Gptext.dll),
(Inspection Module) QoS , QoS
. , QoS ( , Enterprise Quality of Service eQoS), WFP , TCP/IP-, ,
QoS Packet Scheduler,
, . , , QoS Packet Scheduler, Pacer (%SystemRoot%\System32\
, IEEE 802.1P, , QoS-
OSI ( ).
784 7.
Drivers\Pacer.sys), NDIS-,
DSCP-
QoS-. Pacer GQoS
(Generic QoS QoS) TC (Traffic Control ) API- Windows-,
.

QoS

(TCP/UDP)
(IPv4/IPv6)

(802.3/802.11/etc.)
TCP/IP- (tcpip.sys)
NDIS 6.0
QoS
QoS NPI
Pacer.sys
. 7.44. QoS,
QoS, QoS, Windows , ,

QoS API-,
- Windows Quality Windows Audio/Video
Experience, qWAVE.
-, , Voice over
IP (VoIP), qWAVE API

, . qWAVE

, , , .
, , ,
.
qWAVE API- QoS2 ( %SystemRoot%\
System32\Qwave.dll) :
785
(admission control),
, ,
.
, ,

.
,
.
,
802.11p DSCP
, .
.7.45 qWAVE.

qWAVE
UDP/TCP
. 7.45. qWAVE
Windows , API,
, NDIS- . ,
, .

, .
INF-.
, API , .
, Service
Control Manager (. 4)
786 7.
, ,
. , INF- , .
,
, .
, ()
TCP/IP. ,
(Adapters And Bindings)
(Advanced Settings) (.7.46), 1.
,
. ,
, .
. ,
,

. (Advanced Settings),
.
. 7.46.
(Advanced Settings)
Bind
Linkage, , . , HKLM\SYSTEM\CurrentControlSet\

.
787
Services\LanmanWorkstation\Linkage\Bind, -
(Workstation).

Windows , API-
, .
, ,
Active Directory,
Distributed File System (DFS), DFS DFS
Replication (DFSR).

, Windows Server (Routing and Remote Access),

, ,
, , . Windows :
, , -
.

.
virtual private network
(VPN), VPN-
IP-, . Windows
Secure Socket Transmission Protocol (SSTP),
VPN-,
,
PPTP- L2TP/IPsec-. PPP- SSL- HTTPS-.
443 , , VPN .
,
- Windows,

, .
Active Directory
Active Directory Windows- (RFC 4510)
Lightweight Directory Access
788 7.
Protocol (LDAP). Active Directory , , , Windows. , Active Directory

Windows ,
.
, ,
. Active Directory ,
, -
, - (. 6).
Active Directory API-, Active Directory:
LDAP C API, API ,
LDAP. , C C++ API

, , ,
.
Active Directory Active Directory Service
Interfaces (ADSI), COM- Active Directory,
LDAP, LDAP. ADSI , Microsoft
Visual Basic, C Microsoft Visual C++. ADSI
Microsoft Windows Script Host (WSH).
API Messaging API (MAPI),
- Microsoft Exchange Outlook
Address Book.
API-
Security Account Manager (SAM),
Active Directory,
, MSV1_0 (%SystemRoot%\System32\
Msv1_0.dll,
NT LAN) Kerberos (%SystemRoot%\System32\Kdcsvc.dll).
API- Windows NT (Net API), Windows NT 4 Active Directory SAM.
NTDS API, SID-
GUID- Active Directory (
DsCrackNames), , Active Directory .
, Active Directory API-.
Active Directory ,
%SystemRoot%\Ntds\Ntds.dit, . Active Directory,
Windows,
Local Security Authority Subsystem (LSASS) , DLL-,
, -
789
. Active
Directory Extensible
Storage Engine (ESE), , JET Blue, , Microsoft Exchange Server 2007,
Desktop Search Windows Mail. ESE (%SystemRoot%\
System32\Esent.dll) , , .
Active Directory .7.47.

(
)
DLL
Kerberos
(Kerberos.dll)
Winsock

(Netlogon.dll)

Kerberos
(Kdcsvc.dll)
NT LAN
(Msv1_0.dll)
SAM
API
SAM
API
SAM-
(Samsrv.dll)

Active Directory
(Ntdsa.dll)
Net API
LDAP/ADSI
MAPI
Esent.dll
Lsass
Active
Directory
(Ntds.dit)
. 7.47. Active Directory
Network Load Balancing

, Network
Load Balancing, Windows,
NDIS. Network Load Balancing
, 32 , .
IP- IP-, .
790 7.
,
. NDIS-
. ,
,
. , ,
, , TCP/IP, , , ,
. , , ,
.
. ,
- .
Network Load Balancing ,
, ,
: -, , TCP/IP- Windows, -,
, Network
Load Balancing. , ,

, , Network Load
Balancing . ,
Network Load Balancing, -, , Windows Media Server, .
.7.48.

, , , , , , .
,
, .
, ,
, .
, , ,
,
,

.
Network Access Protection (NAP)
, , -
791
1
Web-
2
Web-
TCP/IP-
TCP/IP-
NDIS-
NDIS-
NDIS-
Network
Load Balancing
NDIS-
Network
Load Balancing
NDIS-
-
NDIS-
-
...
Network Load Balancing
. 7.48.
, .
, ,
.
, , ,
.
, ,
.
NAP ,
,
, , , . NAP , , , Mac OS X Linux,
(System Health
Agents), (System Health
Validators) .
NAP , .7.49 7.50
, NAP . NAP http://technet.
microsoft.com/en-us/network/bb545879.aspx.
, NAP :
System Health Agent (SHA).
792 7.
SHA
COM DLL-
,

SHA
SHA
Windows
(SVCHOST.EXE)
NAP(QAGENTRT.DLL)
Windows
MS-SHA
(MSSHA.DLL)
COM API System Health Agent
NAP UI
(NAPSTAT.EXE )

(SVCHOST.EXE)
X.509
SoH
COM API
EAP Host Service

Process
(EAPSVC.DLL)
EAP Host
(EAPHOST.DLL)
MS-PEAP
MS-EAPTLS
IPsec EC
(NAPIPSEC.DLL)
RDP EC
DHCP EC
(TSGQEC.DLL) (DHCPQEC.DLL)
(KMSVC.DLL)
NAP-
(QAGENT.DLL)
IPsec
EAP EC
(EAPQEC .DLL)
MS-CHAP
EAP Host Process

(EAP3HOST.EXE)
EAP-
(EAPP3HST.DLL)
,
802.1X
VPN
Microsoft
ES
COM DLL-
ES
HTTP
RDP
DHCP
. 7.49. NAP
Statements of Health (SoH) NAP-

. , SHA
SoH. SHA , , .
, SHA
, ,
. SHA- . , SHA
, System Health Validator (SHV),
NAP- SHV, ,
. Windows XP 3
SHA (%SystemRoot%\System32\Mssha.dll),
Windows Action Center
(SHA-WAC). SHA Windows SHA, WSH.
SHA, API- INapSystemHealthAgentBinding2,
INapSystemHealthAgentCallback INapSystemHealthAgentRequest. SHA System Health Validator (SHV), , SHA
SHV.
793
SHV

COM DLL-

SHV
SHV
Windows

(NPS.MSC)
(SVCHOST.EXE)
NAP(QSHVHOST.DLL)
NPS
(IASUIHELPER.DLL)
MS-SHV
(MSSHV.DLL)

SVH
(SHVCNFG.EXE)
GUI
COM API System Health Validator
NAP-
(QSVRMGMT.DLL)
NPS
COM-
RADIUS
HRA
MS RDP
MS DHCP
ES
MS-HCEP
RDP
DHCP
. 7.50. NAP
SHA ,
IP- (, 802.1x),
SHA .
, IP- (,
NAP VLAN), SHA

IP-.
NAP Agent. %SystemRoot%\System32\

qagentRT.dll ( )
, SoH SHA
NAP-. NAP- NAP-
(Network Policy Server) Microsoft Statement of Health protocol [MS-SoH].
Enforcement Client (EC). Enforcement Point
NAP-. , NAP NAP
794 7.
.
, NAP EC NAP-
. Windows EC- IPsec (%SystemRoot%\
System32\NapIPsec.dll), 802.1X VPN EAP (%SystemRoot%\System32\Eapqec.dll), DHCP (%SystemRoot%\
System32\Dhcpqec.dll ) Remote
Desktop gateway ( %SystemRoot%\System32\Tsgqec.dll ). EC, API- INapEnforcementClientBinding ,
INapEnforcementClientCallback INapEnforcementClientConnection2.
.
,
, ( , ,
).
NAP-. Network
Policy Server (NPS), IAS. -, NPS
RADIUS-, NPS . NPS
Statement of Health (SoH)
, SoH SHV.
NPS, RADIUS- (,
802.1x, VPN-, DHCP- ..)
RADIUS UDP. ALPC-1. RADIUS
(RFC 2865) 4096,
, SHA .
IPsec EC Health Registration Authority (HRA) HTTP. HRA
IIS ISAPI , SoH NPS ( ALPC) (
). HRA DNS,
HRA- DNS. RADIUS-
NPS UDP.
System Health Validator
(SHV). SoH-, SHA

, ,
, Health Requirements Server (HRS).
, HRS
.
UDP, ALPC Windows Server,

DHCP-, .
795
Health
Requirements Server ; SHV
SHV , SoH
SHA , , HRS. SHV, API INapSystemHealthValidator INapSystemHealthValidationRequest2.
SHV System Health
Agent (SHA), , SHA SHV.

(Remediation Server), . SHV
, (
). , SoH ,
.
NAP- , ,
(Enforcement
Client), , MMC-
NAP (NAP client configuration) (%SystemRoot%\System32\Napclcfg.
msc) (%SystemRoot%\System32\Netsh.exe),
.7.517.53.

, , DNS.
. 7.51. NAP-
796 7.
. 7.52.
Direct Access
Windows 7 (Ultimate) (Enterprise)
Microsoft ,
Virtual Private Network (VPN),
DirectAccess (DA).
, . DA-
,
. , ,
. DA IPsec,
IPv6, IPv4 , IPv6-
. DA,
, DA HTTPS (TCP 443)
(IP-HTTPS).
VPN-, ,
DA , . IT-

797
. 7.53. NAP
. IT-
, (, ,
..) , DA.
DA-
6 .

(, ).
798 7.
.7.54, DA-
: IPv6, Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP), IPv4 IPsec, 6--4 tunnel, Teredo.
DA-.
Denial of Service
(DoS) , ,
IPv6 .
DA- IPsec IPv6, VPN- VPN-
.

DNS
;

IPsec-
E2E
IPsec - IPv6
IPv6

RODC NAP
IPv4
E2E
NAT,
IPsec - IPv4
IPv4

IPsec

6--4

NAT

Teredo
6--4
IGD
NAT
IPv4
--

DNS
d
re
Te

(IPv4, IPv6
ISATAP)
IIPv4 () IPV6

(
)
IPv4
DirectAccess
:
IPsecDoS
Teredo ( )
6--4
ISATAP ( )
:
DirectAccess

IPv6-
ISATAP

( )
. 7.54. DA-
, , IPv6- DA-:
.
,
Domain Name System (DNS) .
. ,
, .
DA NAP. Health Registration Authority
(HRA) ( DeMilitarized Zone, DMZ).
HRA ( IP-
DNS-). ,
HRA
799
Statement of Health. ,
,
DMZ. ,
, IPsec DA-.
Windows API-,
. Windows -
,
. , API
Windows.
, API-, Windows,

,
.

Внутреннее Устройство Microsoft Windows. 6-е Издание

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Внутреннее Устройство Microsoft Windows. 6-е Издание

Enviado por

Direitos autorais:

Formatos disponíveis

., .

89 Microsoft Windows. 6- . .: , 2013. 800 .:

Microsoft Press, 2012

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows API Windows

(Graphics and Multimedia Services).

. 1.1. .NET Framework

DLL (dynamic-link libraries

Process Explorer Sysinternals , , ,

thread-local storage (TLS) ,

. 1.4. 32- Windows

. 1.5. 64- Windows

: % (Thread: % User Time)

(, 16-) ANSI (, 8-). Windows- ,

Startup Programs Viewer (

Dependency Walker ( DEPENDS

Windows Driver Kit

Process Monitor ( - PROCMON

Task (Process) List (

Debugging Tools for Windows Windows,

Debugging Tools for Windows , . ,

Windows Software Development Kit

Windows Driver Kit

MS-DOS. , UNIX, OS/2 NetWare.

Kernel32.dll, Advapi32.dll, Windows- DLL-

64-, Windows NT 32- . Windows 2000 Alpha AXP 64-

Windows Server 2008

Windows Web Server

Windows Server 2008

Windows Server 2008

Windows Server 2008

Windows Server 2008

2.2. Windows 7 Windows Server 2008 R2

plug and play

, Notepad () GUI-, Cmd

UNIX- Windows Windows

Ntdll. Windows API

, Hyper-V Windows Server 2008, -

_KPCR _KPRCB dt,

Advanced Programmable Interrupt

x64- HAL- Hal.dll. x64- , ACPI APIC. , ACPI

, Ntoskrnl HAL, , , Ntoskrnl. ( .) Ntoskrnl

Windows Driver Foundation

System Idle Process

Process Status (Pstat.exe)

Process Explorer (Procexp.exe)

System Idle Process

Task List (Tasklist.exe)

System Idle Process

Lsass.exe (Local Security Authentication Subsystem Server

Process Explorer - . , Options

Winlogon, LogonUI Userinit

. 3.2. APIC- x86

IRQL-. .3.3 IRQL-

5 Corrected Machine Check Interrupt

. 3.3. (IRQL) x86

Corrected Machine Check

Dispatch/DPC & Synch

. 3.4. (IRQL) x64 IA64

PIC , HAL, - IRQL-

and Power Interface, ACPI), ,

Pos:IDT-00 Ref-0 edg hi