Almost every operating system has a mechanism to start processes at system startup time that provide services not tied to an interactive user. In Windows, such processes are called services or Windows services. Windows services consist of three components: a service application, a service control program (SCP), and the service control manager (SCM).

Service applications, such as Web servers, consist of at least one executable that runs as a Windows service. Service applications are simply Windows executables (GUI or console, most without an interface) with additional code to receive commands from the SCM as well as to communicate the application's status back to the SCM. A user wanting to start, stop, or configure a service uses an SCP.

When you install an application that includes a service, the application's setup program must register the service with the system. A service configuration program uses the CreateService function to install a service in a SCM database. Here is an example of how to install a service:

#include <windows.h>
#include <stdio.h>

BOOL CreateSampleService() 
{ 
    TCHAR szPath[MAX_PATH]; 
    
    if( !GetModuleFileName( NULL, szPath, MAX_PATH ) )
    {
        printf("GetModuleFileName failed (%d)\n", GetLastError()); 
        return FALSE;
    }
 
    schService = CreateService( 
        schSCManager,              // SCManager database 
        TEXT("Sample_Srv"),        // name of service 
        lpszDisplayName,           // service name to display 
        SERVICE_ALL_ACCESS,        // desired access 
        SERVICE_WIN32_OWN_PROCESS, // service type 
        SERVICE_DEMAND_START,      // start type 
        SERVICE_ERROR_NORMAL,      // error control type 
        szPath,                    // path to service's binary 
        NULL,                      // no load ordering group 
        NULL,                      // no tag identifier 
        NULL,                      // no dependencies 
        NULL,                      // LocalSystem account 
        NULL);                     // no password 
 
    if (schService == NULL) 
    {
        printf("CreateService failed (%d)\n", GetLastError()); 
        return FALSE;
    }
    else
    {
        CloseServiceHandle(schService); 
        return TRUE;
    }
}

When a setup program registers a service by calling CreateService, a message is sent to the SCM on the machine where the service will reside. The SCM then creates a registry key for the service under HKLM\SYSTEM\CurrentControlSet\Services. The Services key is the nonvolatile representation of the SCM's database.

Because most services don't have a user interface, they are built as console programs. The entry point of a console application is its main function. When the SCM starts a service program, it waits for it to call the StartServiceCtrlDispatcher function. So the main function of a service program calls the StartServiceCtrlDispatcher function to connect to the SCM and start the control dispatcher thread. StartServiceCtrlDispatcher accepts a list of entry points into services, one entry point for each service in the process. Each entry point is identified by the name of the service the entry point corresponds to. The dispatcher thread loops, waiting for incoming control requests for the services specified in the dispatch table. Here is an example of Writing a Service Program's main Function.

The SCM sends a service-start command each time it starts a service the process owns. For each start command it receives, the StartServiceCtrlDispatcher function creates a thread, called a service thread, to invoke the starting service's entry point and implement the command loop for the service. StartServiceCtrlDispatcher waits indefinitely for commands from the SCM and returns control to the process's main function only when all the process's services have stopped, allowing the service process to clean up resources before exiting.

A service entry point's first action is to call the RegisterServiceCtrlHandler function. This function receives and stores a pointer to a function, called the control handler, which the service implements to handle various commands it receives from the SCM. RegisterServiceCtrlHandler doesn't communicate with the SCM, but it stores the function in local process memory for the StartServiceCtrlDispatcher function. The service entry point continues initializing the service, which can include allocating memory, creating communications end points, and reading private configuration data from the registry. A convention most services follow is to store their parameters under a subkey of their service registry key, named Parameters. While the entry point is initializing the service, it might periodically send status messages, using the SetServiceStatus function, to the SCM indicating how the service's startup is progressing. After the entry point finishes initialization, a service thread usually sits in a loop waiting for requests from client applications. For example, a Web server would initialize a TCP listen socket and wait for inbound HTTP connection requests.

A service process's main thread, which executes in the StartServiceCtrlDispatcher function, receives SCM commands directed at services in the process and invokes the target service's control handler function (stored by RegisterServiceCtrlHandler). SCM commands include stop, pause, resume, interrogate, and shutdown, or application-defined commands.

This figure shows the internal organization of a service process. Pictured are the two threads that make up a process hosting one service: the main thread and the service thread.

The following is a simplified overview of what happens when a typical service is started by the service control manager:

• The SCM reads the service path from the registry and prepares to start the service. This includes acquiring the service lock.
• The SCM starts the process and waits until either the child process exits (indicating a failure) or reports the SERVICE_RUNNING status.
• The application performs its very simple initialization and calls the StartServiceCtrlDispatcher function.
• StartServiceCtrlDispatcher connects to the service control manager and starts a second thread that calls the ServiceMain function for the service. ServiceMain should report SERVICE_RUNNING as soon as possible.
• When the service control manager is notified that the service is running, it releases the service lock.

By default Windows services are run under the virtual user "LocalService" that has administrative rights on the system. When a service runs as LocalService, Windows allows the user to configure it so it is "allowed to interact with desktop" (that is, display user-visible dialog boxes and other windows). However, if running as any other user, this option is not available.

Service Changes for Windows Vista

There have been significant changes to the services model to improve performance, reliability, security, management, and administration of services. These changes include:

• Delayed Auto-Start: Delayed auto-start services are started shortly after the system has started. This improves system startup performance while still providing automatic startup for these services.
• Restricted Network Access: You can use service SIDs to restrict access to ports, protocols, or the direction of network traffic.
• Session 0 Isolation: Services have always run in session 0. Before Windows Vista, the first user to log on was also assigned to session 0. Now, session 0 is reserved exclusively for services and other applications not associated with an interactive user session. (The first user to log on is connected to session 1, the second user to log on is connected to session 2, and so on.). Session 0 does not support processes that interact with the user.

References:

• Windows Services on MSDN2.
• Windows Internals, 4th edition. (by Mark E. Russinovich, David A. Solomon)

Microsoft has introduced a lot of new features in Windows Vista. I won't talk about the interface, colors, or the flip-3d feature, I'm going to mention features in memory management, security features and system restore... etc. Please note I will not mention all the new features introduced in Windows Vista, simply because I might not have all the knowledge that helps me with that.

#1. SuperFetch: SuperFetch is basically a feature where the OS collects information about how you use your computer, how do you open applications and what loads after what... etc. The OS uses these information to preloads your applications into your system memory so it'll be ready when you need them. Needless to say this saves a lot of time and increases the system response time and performance. More information.

#2. ReadyBoost: Windows Vista introduces Windows ReadyBoost, a new concept in adding memory to a system. You can use non-volatile flash memory, such as that on a universal serial bus (USB) flash drive, to improve performance without having to add additional memory. It's easy to use Windows ReadyBoost. When a removable memory device such as a USB flash drive or a secure digital (SD) memory card is first inserted into a port, Windows Vista checks to see if its performance is fast enough to work with Windows ReadyBoost. If so, you are asked if you want to use this device to speed up system performance. You can choose to allocate part of a USB drive's memory to speed up performance and use the remainder to store files. More info.

#3. BitLocker Drive Encryption: It's a data security feature introduced in Vista. BitLocker enhances data protection by bringing together two major sub-functions: drive encryption and the integrity checking of early boot components. By default it uses the AES encryption algorithm in CBC mode with a 128 bit key, combined with the Elephant diffuser for additional security. More info.

#4. Built-in Diagnostics: Windows Vista contains built-in diagnostics—collections of instrumentation, troubleshooting, and resolution logic—to resolve external problems that affect the way Windows Vista behaves. It provides a number of diagnostic scenarios—including Network Diagnostics and troubleshooting—to address some of the most common and costly problems facing PC users. More info.

#5. Windows photo gallery: Is now easier with features like fix (color, brightness, red-eye... etc.). The more amazing about the photo gallery is that you always have a saved original backup of the image no matter how many times you edit it. Windows Photo Gallery lets users organize their digital photo collection in its Gallery view, by adding titles, rating, captions, and custom metadata tags to photos. More info.

#6. Parental Controls: These controls help parents determine which games their children can play, which programs they can use, and which websites they can visit—and when. You can review easy-to-read activity reports that show how your children have been using the computer. Monitoring your children's computer behavior not only makes it easy for you to keep track of what they are seeing, hearing, and doing, but it also enables you to refine and modify parental controls based on actual feedback. More info.

#7. Windows Defender: Superior scanning and removal technologies use up-to-date spyware definitions created by Microsoft, with help from Windows Defender users who submit reports of potential new spyware. More info.

#8. Backup and Restore Center: The Backup and Restore Center gives you one place to manage all backup-related features. Windows Vista include a useful innovation to help you protect your data: Shadow Copy. This feature automatically creates point-in-time copies of files as you work, so you can quickly and easily retrieve versions of a document you may have accidentally deleted. More info.

#9. Windows SideShow: Wouldn't it be great if you could read an e-mail message, confirm a meeting location, or check a flight reservation without turning on your computer? Windows SideShow is a new technology in Windows Vista that supports a secondary screen on your mobile PC. With this additional display you can view important information whether your laptop is on, off, or in sleep mode. More info.

For more information consider visiting:

• SuperFetch, Windows Vista performance
• Windows Vista SideShow
• Bitlocker, Security in Windows Vista
• Windows Vista demo
• 100 Reasons You'll Be Speechless
• Why Develop on Windows Vista?
• Windows Vista on Wikipedia
• Windows Vista - Show us your Wow

I attended Microsoft TechFest 2007 three weeks ago. I have seen very cool researches going on, and I almost experienced everything myself.

One of the interesting researches that I played with was "Surface-Computing Innovations". Surface computing uses sensing and display technology to imbue everyday surfaces with interaction. PlayAnywhere is a compact surface-computing system shown at TechFest.

The first demo in the video shows a car game, where cars are driven in an environment built using real-time terrain generation with XNA through the use of a depth-sensing video camera and real world objects. To make it easier and shorter for every one to understand, it's just AMAZING!!

Streaming video from Channel 9.

For more information go to Microsoft Research.

I was planning to post my 3rd interview experience with Microsoft... That's when I thought there might be another better idea that is more exciting to everyone... Instead of writing about my personal experience, I'll post some of the puzzles that I was asked during the interview, and I'll give the chance for everyone to answer them, I'm sure that there will always be someone able to answer the puzzle; Because really, if I did it, so can you!

One of the main reasons that I'm going to do that is, this way we'll all have the opportunity to think together, listen to each other, know how others think... It might be one puzzle, but everyone can solve it differently that the other, I'm sure it's very useful for everyone to learn about other ideas, see things in a different way...

You can find part of my MS interview process at First Interview on my personal blog.

I'll not publish your comments immediately, rather I'll wait for a period of time so that everyone can think about the problem... and then I'll publish all the comments at once... Please feel free to send me your suggestions or if you'd prefer that I just write my experience... If no one replied I'll just publish the answer myself hoping that it might be useful to others... Please share your thinking with us... Be useful, let us all learn from each other...

Let's start with Today's puzzle:

The Clock problem:

Write an equation that calculates the angle between the minutes hand and the hours hand in a clock at any given time... Please write down the steps of getting the final equation... That's how you are going to help others... by giving everyone a clear idea of how you think, of how they might think, about other possibilities...

Let's dig deeper into the internal structure and the role each key operating system component plays. The figure below is more detailed diagram of the core Windows system architecture and components. Note that it still does not show all components (networking in particular).

First notice the line dividing the user-mode and kernel-mode parts of the Windows operating system. The boxes above the line represent user-mode processes, and the components below the line are kernel-mode operating system services.

User and kernel modes are two processor access modes, where a kernel mode refers to a mode of execution privilege that grants access to system memory and all CPU instructions.

User mode is a less privileged processor mode than kernel mode. It uses well-defined operating system application program interfaces (APIs) to request system services. A User mode process:

• Have no direct access to hardware or kernel memory (Only kernel mode processes can access kernel resources as a way of protection).
• Is limited to an assigned address space.
• Can be paged out of physical memory into virtual RAM on a hard disk.
• Process at a lower priority than kernel mode components (OS components). Which means that the OS does not slow down or have to wait while an application finishes processing.
• Cannot access another user process address space (Unless opened a handle to the process, which means passing through security access check).

Before we continue let's just have a quick definition for virtual memory. Virtual memory, also known as virtual RAM, allows hard disk space to be used as if it were additional memory. In this manner, the user mode processes have access to more memory than is actually available to them.

Top right of the figure shows the environment subsystems. Environment subsystems provide exposed, documented interface between applications and Windows native APIs (undocumented APIs). The environment subsystem translates environment-specific instructions from an application into instructions that the Executive Services (First layer of the OS kernel) can carry out. Each subsystem can provide access to different subsets of the native services in Windows.

Environment subsystems include POSIX, OS/2 and Windows subsystems. The Windows subsystem major components consists of the environment subsystem process (Csrss.exe which you can see tuning in the task manager), the kernel-mode device driver (Win32k.sys), subsystem DLLs (such as Kernel32.dll, Advapi32.dll, User32.dll, and Gdi32.dll) and Graphics device drivers.

In the user mode and just above the line that divides the user and kernel modes is the Ntdll.dll. Ntdll.dll is a special system support library primarily for the use of subsystem DLLs.

Now let's move on to the kernel mode. Kernel mode is the privileged mode of operation in which the code has direct access to all hardware and all memory, including the address spaces of all user mode processes. Kernel mode components:

• Can access hardware directly.
• Can access all of the memory on the computer.
• Are not moved to the virtual memory page file on the hard disk.
• Process at a higher priority than user mode processes.

The kernel mode in Windows is comprised of the Windows Executive, which includes the Executive Services, the kernel, and the hardware abstraction layer (HAL).

The Windows executive is the upper layer of Ntoskrnl.exe. (The kernel is the lower layer.)The executive provides core OS services. The executive contains major components such as various modules that manage I/O, objects, security, processes, inter-process communications (IPC), virtual memory, and window and graphics management. It also includes device drivers (defined in previous post) functions.

The kernel consists of a set of functions in Ntoskrnl.exe provides the most basic operating system services, such as thread scheduling, first-level interrupt handling, and deferred procedure calls. The kernel resides between the Executive Services and HAL layers.

The other major job of the kernel is to abstract or isolate the executive and device drivers from variations between the hardware architectures supported by Windows.

One of the crucial elements of the Windows design is its portability across a variety of hardware platforms. The hardware abstraction layer (HAL) is a key part of making this portability possible. The HAL is a loadable kernel-mode module (Hal.dll) enables the same operating system to run on different platforms with different processors.

Also part of the kernel is the device drivers. Device drivers in Windows don't manipulate hardware directly, but rather they call functions in the HAL to interface with the hardware.

• Windows Internals, 4th edition. (by Mark E. Russinovich, David A. Solomon)
• Microsoft Windows Nt Technical Support Training (Microsoft Certified Professional). (by Microsoft Corporation (Editor), Microsoft Press (Author))

I started to dig deeper into windows internals. In the past couple of months I started to learn more about kernel, kernel debugging, symbols, memory management and many other windows internals components. I also took a couple of courses one of them was the Windows Internals lectures by David Solomon and Mark Russinovich authors of Windows Internals book. OS is a very interesting field to read about. Most of my information are taken from Windows Internals, 4th edition (Microsoft Press, David Solomon and Mark Russinovich) and my basic knowledge and searching the internet about operating systems in general.

The OS is the software that manages all the computer resources. These resources include managing hardware, memory, running programs, multitasking and scheduling tasks, managing storage, and handling communication.

One thing I read before is that kernel is the heart of the OS. Kernel is the core of an OS which manages the machine's hardware resources (including the processor and the memory), and provides and controls the way any other software component can access these resources. The kernel runs with a higher privilege (kernel mode) than other programs (which called user mode programs). The power and robustness of an OS's kernel play a major role in shaping overall system design and reliability.

So as a critical part of the OS that controls all devices and hardware on your computer, the kernel must be protected from being accessed or modified by a user application. User applications code runs in user mode, whereas OS code runs in kernel mode. User and kernel modes are two processor access modes, where a kernel mode refers to a mode of execution privilege that grants access to system memory and all CPU instructions. Windows protection environment prevents anything running in user mode from directly accessing hardware.

Although each Windows process has its own private memory space (where no other process can access/modify this memory space unless allowed to by the process who owns this private memory space), the kernel-mode operating system code (and by that I mean all the OS resources, system memory and CPU instructions) and the device driver code share one memory space. In other words, once in kernel mode, OS and device driver code has complete access to system memory space and can access objects.

Before we continue let's just define what's a driver is. A device driver is an executable, literally drives the hardware device to behave in a specific way (provided by the OS) and returns any results from the device about that behavior. So, the device driver allows the OS to communicate with a particular piece of hardware.

Back to kernel mode, because the bulk of windows OS runs in kernel mode, it's vital that components running in kernel mode must be carefully designed, implemented and tested; once in kernel mode you have access to all OS data. Any mistake in a driver running in kernel mode (for example trying to access or modify OS resources) will cause the OS to crash at once causing the blue screen with the name of the driver and reason of the violation. This simply means that the blue screen crash done by the windows doesn't mean that Windows is crappy; it's Windows last way of defending itself and defending the user from a misbehaved application trying to access or modify vital information. This vulnerability was one of the reasons behind driver-signing mechanism introduced in windows, which warns the user if an attempt to add an unauthorized (unsigned) driver.

Note this is kind of simplified version of the Windows architecture and it does not show all components.

The types of user-mode processes are:

• Service processes that host windows services, such as Task Scheduler and Spooler services. Services generally run independently of user logins.
• User applications.
• Environment subsystem server processes, which implement part of the support for the operating system environment, or personality presented to the user and programmer.

Under Windows, user applications don't call the native Windows operating system services directly; rather, they go through one or more subsystem dynamic-link libraries (DLLs). The role of the subsystem DLLs is to translate a documented function into the appropriate internal (and generally undocumented) Windows system service calls. This translation might or might not involve sending a message to the environment subsystem process that is serving the user application.

The kernel-mode components of Windows include the following:

• The Windows executive contains the base operating system services, such as memory management, process and thread management, security, I/O, networking, and inter-process communication.
• The Windows kernel consists of low-level operating system functions, such as thread scheduling, interrupt and exception dispatching.
• Device drivers.
• The hardware abstraction layer (HAL) is a layer of code that isolates the kernel, device drivers, and the rest of the Windows executive from platform-specific hardware differences (such as differences between motherboards).
• The windowing and graphics system.