We’ve been posting about the progress and availability of Windows Internals, Fifth Edition (Microsoft Press, 2009; ISBN: 9780735625303; 1264 pages), by Mark Russinovich and David Solomon with Alex Ionescu, over the last few months, but today we’d like to share an extended excerpt. Enjoy!
You can find the book’s full Table of Contents and index at Amazon. On this blog we’ve posted the book’s mapping to Exam 70-660 and the book’s Acknowledgments (and another acknowledgment here). Today we post a stretch from Chapter 5, “Processes, Threads, and Jobs.” This excerpt shows a couple examples of one of the book’s best features: its Experiments.
Processes, Threads, and Jobs
In this chapter, we’ll explain the data structures and algorithms that deal with processes,threads, and jobs in the Windows operating system. The first section focuses on the internalstructures that make up a process. The second section outlines the steps involved in creatinga process (and its initial thread). The internals of threads and thread scheduling are thendescribed. The chapter concludes with a description of the job object.
Where relevant performance counters or kernel variables exist, they are mentioned. Althoughthis book isn’t a Windows programming book, the pertinent process, thread, and jobWindows functions are listed so that you can pursue additional information on their use.Because processes and threads touch so many components in Windows, a number of termsand data structures (such as working sets, objects and handles, system memory heaps, andso on) are referred to in this chapter but are explained in detail elsewhere in the book. Tofully understand this chapter, you need to be familiar with the terms and concepts explainedin Chapters 1 and 2, such as the difference between a process and a thread, the Windowsvirtual address space layout, and the difference between user mode and kernel mode.
This section describes the key Windows process data structures. Also listed are key kernelvariables, performance counters, and functions and tools that relate to processes.
Each Windows process is represented by an executive process (EPROCESS) block. Besidescontaining many attributes relating to a process, an EPROCESS block contains and points to anumber of other related data structures. For example, each process has one or more threadsrepresented by executive thread (ETHREAD) blocks. (Thread data structures are explained inthe section “Thread Internals” later in this chapter.) The EPROCESS block and its related datastructures exist in system address space, with the exception of the process environment block(PEB), which exists in the process address space (because it contains information that needsto be accessed by user-mode code).
In addition to the EPROCESS block and the PEB, the Windows subsystem process (Csrss)maintains a parallel structure for each process that is executing a Windows program. Finally,the kernel-mode part of the Windows subsystem (Win32k.sys) will also maintain a per-processdata structure that is created the first time a thread calls a Windows USER or GDI functionthat is implemented in kernel mode.
Figure 5-1 is a simplified diagram of the process and thread data structures. Each data structureshown in the figure is described in detail in this chapter.
First let’s focus on the process block. (We’ll get to the thread block in the section “ThreadInternals” later in the chapter.) Figure 5-2 shows the key fields in an EPROCESS block.
Table 5-1 explains some of the fields in the preceding experiment in more detail and includesreferences to other places in the book where you can find more information about them. Aswe’ve said before and will no doubt say again, processes and threads are such integral partsof Windows that it’s impossible to talk about them without referring to many other parts ofthe system. To keep the length of this chapter manageable, however, we’ve covered thoserelated subjects (such as memory management, security, objects, and handles) elsewhere.
The kernel process (KPROCESS) block, which is part of the EPROCESS block, and the processenvironment block (PEB), which is pointed to by the EPROCESS block, contain additionaldetails about the process object. The KPROCESS block (which is sometimes called the PCB orprocess control block) is illustrated in Figure 5-3. It contains the basic information that theWindows kernel needs to schedule the threads inside a process. (Page directories are coveredin Chapter 9, and kernel thread blocks are described in more detail later in this chapter.)
The PEB, which lives in the user process address space, contains information needed by theimage loader, the heap manager, and other Windows system DLLs that need to access it fromuser mode. (The EPROCESS and KPROCESS blocks are accessible only from kernel mode.) Thebasic structure of the PEB is illustrated in Figure 5-4 and is explained in more detail later inthis chapter.
The chapter then continues for—wait for it—108 more pages of such detail! :-)
i am aldis hello