
Windows Processes, Threads, and Jobs All Around

Windows Processes, Threads, and Jobs All Around . Maral Topalian Solution Specialist Midware Data Systems m.topalian@midware.com.lb. Scope of the Session. Process Internals Data Structures, Kernel Variables, Performance Counters, Functions Protected Processes Flow of CreateProcess


Presentation Transcript


  1. Windows Processes, Threads, and Jobs All Around Maral Topalian Solution Specialist Midware Data Systems m.topalian@midware.com.lb

  2. Scope of the Session • Process Internals • Data Structures, Kernel Variables, Performance Counters, Functions • Protected Processes • Flow of CreateProcess • Thread Internals • Data Structures, Kernel Variables, Performance Counters, Functions • Thread Activity, Thread Pools • Thread Scheduling • Job Objects

  3. Process Internals – Definition • A process is a container that represents an instance of a running program on Windows and holds within it: • Address space: where the code, and the data referenced by the code, reside • Handle table: a list of the open resources that are kept open by the process, such as: • Files • Registry keys • Synchronization objects • Security token: the primary access token that describes the security context the process runs in

  4. Process Internals – Data Structures • Each Windows process is represented by an executive process (EPROCESS) block • The EPROCESS block lives in system address space, with the exception of the Process Environment Block (PEB), which lives in the process address space so that user-mode code can read it • In addition, the Windows subsystem process (Csrss) maintains a parallel structure for each process that is executing a Windows program • Finally, the kernel-mode part of the Windows subsystem (Win32k.sys) maintains a per-process data structure that is created the first time a thread in the process calls a Windows USER or GDI function implemented in kernel mode

  5. Process Internals – Data Structures • Each Windows process is represented by an executive process (EPROCESS) block, which contains attributes related to the process and points to related data structures, e.g. the ETHREAD blocks of its threads • [Figure: the process address space holds the Process Environment Block and the Thread Environment Block(s); the system address space holds the process block, its handle table, the thread block(s) and the Windows (Csrss) process block]

  6. Structure of an Executive Process Block • [Figure: EPROCESS block, linked into the list headed by PsActiveProcessHead, with pointers to the primary access token, the handle table, the Windows process block and the job object]

  7. Structure of KPROCESS (Process Control Block, PCB) • [Figure: the KPROCESS block embedded in EPROCESS, with the process page directory, the list of KTHREAD blocks, and pointers to the process environment block and the process heap]

  8. Demo 1: Displaying the Format of EPROCESS Block demo

  9. Process Internals – Continued • Kernel Variables • Ex: PsActiveProcessHead, PsIdleProcess, PsInitialSystemProcess … • Performance Counters • Help track running processes • Can be viewed with Performance tool • Ex: Privileged Time, Processor Time, User Time, Thread Count … • Relevant Functions • CreateProcess, CreateProcessAsUser, OpenProcess, ExitProcess

  10. Windows Security Model – Protected Processes • A process whose token holds the debug privilege (SeDebugPrivilege) can request any access right to any other process running on the machine, for example to: • read and write process memory • inject code • suspend and resume threads • query information about other processes • This clashes with the behaviour the system must guarantee for the digital rights management (DRM) requirements imposed by the media industry

  11. Protected Processes • Windows uses protected processes to support reliable and protected playback of advanced, high-quality digital content • Ex: Blu-ray, HD-DVD • They add significant constraints on the access rights other processes can obtain • The image file must be signed with a special Windows Media Certificate • Examples: • Audio Device Graph process (Audiodg.exe) • Windows Error Reporting (WerFaultSecure.exe) • The System process, which hosts the kernel-mode security driver Ksecdd.sys

  12. Protected Processes at the Kernel Level • Kernel support for protected processes: • The bulk of process creation occurs in kernel mode, so the protection cannot be bypassed from user mode • A special bit is set in the process's EPROCESS structure • Access rights granted to user-mode callers are limited (PROCESS_QUERY/SET_LIMITED_INFORMATION, PROCESS_TERMINATE and PROCESS_SUSPEND_RESUME are still allowed), however: • An administrator can still load a kernel-mode driver that clears this bit • That is a violation of the Protected Media Path (PMP) model and is considered malicious • On 64-bit systems unsigned drivers are blocked from loading by kernel-mode code signing; on x86 systems such a driver has to be recognized by PMP, which then stops protected playback • This policy is enforced by Microsoft, not by kernel-side detection
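The slides above state that SeDebugPrivilege normally buys any access right, and that protected processes cut that down to a handful of limited rights. The following PowerShell script is an added example (not part of the presentation) that makes the difference visible: it enables SeDebugPrivilege in the current token, then requests each process access right separately against the shell itself and, if one is running, Audiodg.exe. It assumes an elevated session on Windows Vista or later; the `Native` class and the function names are this example's own.

```powershell
# Added example: which access rights does a caller holding SeDebugPrivilege really get
# on a protected process? Run from an elevated PowerShell (Vista or later).
$native = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
}
'@
Add-Type -TypeDefinition $native

function Enable-DebugPrivilege {
    # Turns SeDebugPrivilege on in our own token; the privilege must already be present (admin token).
    $token = [IntPtr]::Zero
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), 0x28, [ref]$token)) {   # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object Native+LUID
    [void][Native]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)
    $tp = New-Object Native+TOKEN_PRIVILEGES
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attributes = 2          # SE_PRIVILEGE_ENABLED
    [void][Native]::AdjustTokenPrivileges($token, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 1300 = ERROR_NOT_ALL_ASSIGNED: privilege not held
    [void][Native]::CloseHandle($token)
    return ($err -eq 0)
}

# Process access rights from winnt.h. Each is requested on its own so that one denied
# bit does not mask the rights that would have been granted.
$rights = [ordered]@{
    'PROCESS_QUERY_LIMITED_INFORMATION' = 0x1000
    'PROCESS_QUERY_INFORMATION'         = 0x0400
    'PROCESS_VM_READ'                   = 0x0010
    'PROCESS_VM_WRITE'                  = 0x0020
    'PROCESS_CREATE_THREAD'             = 0x0002
    'PROCESS_SUSPEND_RESUME'            = 0x0800
}

function Test-ProcessAccess([int]$ProcessId) {
    foreach ($name in $rights.Keys) {
        $h   = [Native]::OpenProcess($rights[$name], $false, $ProcessId)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ERROR_ACCESS_DENIED
        if ($h -ne [IntPtr]::Zero) { [void][Native]::CloseHandle($h) }
        [pscustomobject]@{
            ProcessId  = $ProcessId
            Right      = $name
            Granted    = ($h -ne [IntPtr]::Zero)
            Win32Error = $(if ($h -eq [IntPtr]::Zero) { $err } else { 0 })
        }
    }
}

"SeDebugPrivilege enabled: $(Enable-DebugPrivilege)"
# Targets: this shell (a normal process) and Audiodg.exe (protected), if audio is running.
$targets = @($PID) + @(Get-Process -Name audiodg -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
$targets | ForEach-Object { Test-ProcessAccess $_ } | Format-Table -AutoSize
```

With the privilege enabled every right is granted on the shell's own PID, while on Audiodg.exe PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_CREATE_THREAD and PROCESS_QUERY_INFORMATION come back with error 5 and only the limited-information and suspend/resume rights succeed, which is exactly the kernel-enforced limit the slide describes. Requesting the rights one at a time is the habit to keep: a single OpenProcess call for a combined mask fails as a whole and tells you nothing about which bit was the problem.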

  13. How Windows Processes Come to Life • How do processes come into being? • How do they exit after they have fulfilled their purpose?

  14. Flow of CreateProcess • A Windows subsystem process is created when an application calls one of the process creation functions: • CreateProcess, CreateProcessAsUser, CreateProcessWithTokenW or CreateProcessWithLogonW • Creation consists of 7 stages spread over 3 parts of the OS: • the Windows client-side library Kernel32.dll • the Windows executive • the Windows subsystem process Csrss

  15. Flow of CreateProcess – Stage 1 • Convert and validate parameters and flags

  16. Flow of CreateProcess – Stage 2 • Open the EXE and create a section object

  17. Flow of CreateProcess – Stage 3 • Create the Windows process object

  18. Flow of CreateProcess – Stage 4 • Create the Windows thread object

  19. Flow of CreateProcess – Stage 5 • Perform Windows-subsystem-specific process initialization: the Windows subsystem (Csrss) is notified and sets up for the new process and thread

  20. Flow of CreateProcess – Stage 6 • Start execution of the initial thread (unless the caller asked for a suspended process) • CreateProcess returns to the caller

  21. Flow of CreateProcess – Stage 7 • In the context of the new process and thread: final process/image initialization • Start execution at the entry point of the image
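The stages above end with "return to caller" after the initial thread is started, and the real image initialization (stage 7) only happens once that thread runs. The script below is an added example (not from the presentation) that separates the two with the CREATE_SUSPENDED flag: after CreateProcess returns, stages 1 to 5 are complete, the process and its single thread exist and Csrss knows about them, but not one instruction of the new process has executed. The `Proc` class, the function name and the harmless target command line `cmd.exe /c exit 0` are this example's own choices.

```powershell
# Added example: observe the boundary between stage 6 and stage 7 of CreateProcess by
# creating the process suspended, inspecting its initial thread, then resuming it.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class Proc {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public uint cb; public string lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string app, string cmdLine, IntPtr procAttr, IntPtr threadAttr,
        bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern uint ResumeThread(IntPtr hThread);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src

function Start-SuspendedProcess([string]$CommandLine) {
    $si = New-Object Proc+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)      # CreateProcess validates this (stage 1)
    $pi = New-Object Proc+PROCESS_INFORMATION
    $flags = 0x4 -bor 0x08000000                                 # CREATE_SUSPENDED | CREATE_NO_WINDOW
    $ok = [Proc]::CreateProcess($null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero, $false,
                                $flags, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    if (-not $ok) { throw "CreateProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    return $pi
}

$pi = Start-SuspendedProcess 'cmd.exe /c exit 0'
# Stages 1-5 are done and CreateProcess has returned (stage 6), but because of CREATE_SUSPENDED
# the initial thread is parked in a suspended wait and stage 7 has not begun.
$p = Get-Process -Id $pi.dwProcessId
$t = $p.Threads[0]
"PID $($p.Id): $($p.Threads.Count) thread(s); initial thread $($t.Id) is in state '$($t.ThreadState)', wait reason '$($t.WaitReason)'"

# Releasing the thread lets it start in ntdll, finish process/image initialization (stage 7)
# and jump to the image entry point; cmd.exe then exits immediately.
[void][Proc]::ResumeThread($pi.hThread)
$p.WaitForExit()
"PID $($p.Id) exited with code $($p.ExitCode)"
[void][Proc]::CloseHandle($pi.hThread)
[void][Proc]::CloseHandle($pi.hProcess)
```

The inspection shows one thread in a Wait state with wait reason Suspended and nothing else: no DLLs have been loaded yet because the loader runs inside the new thread. This is also why the "create suspended, then tamper, then resume" pattern is worth recognizing in detection work: everything before ResumeThread happens with the target process fully formed but inert.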

  22. Demo 2: Tracing Process Startup demo

  23. Thread Internals

  24. Thread Internals – Data Structures • Each thread is represented by an executive thread (ETHREAD) block • The ETHREAD block lives in system address space, with the exception of the Thread Environment Block (TEB), which lives in the process address space • The Windows subsystem process (Csrss) maintains a parallel structure for each thread that is executing a Windows program • The kernel-mode part of the Windows subsystem (Win32k.sys) maintains a per-thread data structure (W32THREAD) that the ETHREAD block points to

  25. Structure of the Executive Thread (ETHREAD) Block • [Figure: ETHREAD block with pointers to the TEB, the owning EPROCESS, the thread's access token and the list of pending I/O requests]

  26. Structure of the Kernel Thread (KTHREAD) Block • [Figure: KTHREAD block with kernel stack information, a pointer to the system service table, the thread-local storage array and the TEB]

  27. Demo 3: Displaying ETHREAD and KTHREAD Structures demo

  28. Thread Internals – Continued • Kernel Variables • Ex: PspCreateThreadNotifyRoutine, PspCreateThreadNotifyRoutineCount (the array and count of registered thread-creation callbacks) • Performance Counters • Can be viewed with Reliability and Performance Monitor • Ex: Privileged Time, Processor Time, User Time, Context Switches/sec, Thread State … • Relevant functions for creating and manipulating threads: • CreateThread, CreateRemoteThread, OpenThread, ExitThread …

  29. Thread Internals – Continued • A thread is born when a program calls CreateThread (in Kernel32.dll); the call ends up in the process manager of the Windows executive, which: • allocates space for a thread object (ETHREAD) • calls the kernel to initialize the kernel thread block (KTHREAD) • Examining thread activity answers the question of why a process is running or hung • Tools: WinDbg, Reliability and Performance Monitor, and Process Explorer

  30. Limitations of Protected Process Threads • Protected processes also limit the access rights that can be granted to their threads • As a result, code running inside a protected process cannot be hijacked from user mode, e.g. by changing a thread's context • Let's use Process Explorer to see which access rights it obtains on a protected process such as Audiodg.exe
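Slide 29 says thread activity tells you why a process is running or hung. The following PowerShell functions are an added example (not part of the presentation) that answer that question without a debugger: they sample a process's threads twice and report, per thread, the state, wait reason, base and current priority and the CPU time consumed between the samples, the same fields Process Explorer's Threads tab shows. Function names are this example's own; the default target is the shell itself, any PID can be passed.

```powershell
# Added example: is this process hung (every thread blocked, no CPU consumed) or busy?
function Get-ThreadSnapshot([int]$ProcessId) {
    $snap = @{}
    foreach ($t in (Get-Process -Id $ProcessId).Threads) {
        $reason = $null
        if ($t.ThreadState -eq 'Wait') { $reason = $t.WaitReason }   # WaitReason throws unless the thread is waiting
        $snap[$t.Id] = [pscustomobject]@{
            Tid             = $t.Id
            State           = $t.ThreadState
            WaitReason      = $reason
            BasePriority    = $t.BasePriority
            CurrentPriority = $t.CurrentPriority
            CpuMs           = $t.TotalProcessorTime.TotalMilliseconds
            StartAddress    = ('0x{0:X}' -f $t.StartAddress.ToInt64())
        }
    }
    return $snap
}

function Measure-ThreadActivity([int]$ProcessId = $PID, [int]$SampleMs = 1000) {
    $before = Get-ThreadSnapshot $ProcessId
    Start-Sleep -Milliseconds $SampleMs
    $after = Get-ThreadSnapshot $ProcessId
    foreach ($tid in $after.Keys) {
        $a = $after[$tid]
        # Threads created during the sample have no "before" entry: count all of their CPU time.
        $delta = if ($before.ContainsKey($tid)) { $a.CpuMs - $before[$tid].CpuMs } else { $a.CpuMs }
        [pscustomobject]@{
            Tid           = $tid
            State         = $a.State
            WaitReason    = $a.WaitReason
            BasePri       = $a.BasePriority
            CurPri        = $a.CurrentPriority
            Boost         = $a.CurrentPriority - $a.BasePriority   # non-zero while a priority boost is in effect
            CpuMsInSample = [math]::Round($delta, 1)
            StartAddress  = $a.StartAddress
        }
    }
}

$rows = Measure-ThreadActivity -ProcessId $PID
$rows | Sort-Object CpuMsInSample -Descending | Format-Table -AutoSize
$busy = @($rows | Where-Object { $_.CpuMsInSample -gt 0 }).Count
"$(@($rows).Count) threads, $busy consumed CPU during the sample"
```

A process in which every thread is in the Wait state and no thread gains CPU time across the sample is blocked, and the WaitReason column (UserRequest, Executive, Suspended …) tells you on what; a thread that keeps accumulating CPU while the process appears unresponsive is the one to open in WinDbg. The Boost column makes slide 47's priority boosts observable: it is non-zero only while a boost is being decayed.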

  31. Demo 4: Viewing Protected Process Thread Information demo

  32. Worker Factories – Thread Pools • Worker factories refer to the internal mechanism used to implement user-mode thread pools • Thread pool implementation was completely re-architected in Windows Vista • The management functionality was moved to the kernel to improve efficiency and performance and minimize complexity • Worker factories are responsible for: • Allocating worker threads • Maintaining a minimum and maximum thread count • Ex: Shutting down a thread pool

  33. Demo 5: Looking at Thread Pools demo

  34. Thread Scheduling – Key Terms • Windows implements a priority-driven, preemptive scheduling system: the highest-priority runnable (ready) thread always runs • Some threads may be limited to a subset of the processors on which they are allowed to run: processor affinity • Processor affinity can be altered with the Windows scheduling functions (e.g. SetThreadAffinityMask) • A quantum is the amount of time a thread is allowed to run before another thread of the same priority is given a turn to run

  35. Thread Scheduling • Windows scheduling is implemented in the kernel • The scheduling routines are collectively called the kernel's dispatcher • Thread dispatching events occur when: • a thread becomes ready to execute • a thread leaves the running state because its time quantum ends, it terminates, it yields execution or it enters a wait state • a thread's priority changes • a thread's processor affinity changes

  36. Thread Scheduling – Priority Levels • Windows uses 32 priority levels, 0 through 31: • 16 through 31: the real-time range • 1 through 15: the dynamic range • one system level (0), reserved for the zero page thread • Thread priority levels can be viewed from two perspectives: • the Windows API (a process priority class combined with a relative thread priority) • the Windows kernel (a single number from 0 to 31) • Priorities are distinct from interrupt request levels (IRQLs): user-mode code always runs at IRQL 0 (passive level), while kernel-mode code runs at IRQL 0 or higher

  37. Mapping of Windows Kernel Priorities to the Windows API • Real-time levels 16–31: Real-time time critical (31), the Real-time priority class (22–26), Real-time idle (16) • Dynamic levels 1–15: Dynamic time critical (15), the High, Above Normal, Normal, Below Normal and Idle priority classes (2–14, depending on class and relative thread priority), Dynamic idle (1)

  38. Demo 6: Examining and Specifying Process and Thread Priorities demo

  39. Thread States • Init (0) • Ready (1) • Running (2) • Standby (3) • Terminate (4) • Waiting (5) • Transition (6) • Deferred ready (7) • Gate waiting (8)

  40. Demo 7: Thread Scheduling State Changes demo

  41. Dispatcher Database • The dispatcher database keeps track of which threads are waiting to execute and which processors are executing which threads • [Figure: two processes owning threads 1–4, queued on the per-processor ready queues of CPU 0 and CPU 1]

  42. Quantum • The amount of time a thread gets to run before Windows checks whether another thread of the same priority is waiting to run • Windows client: threads run by default for 2 clock intervals • Windows Server: 12 clock intervals • Servers use longer quanta to minimize context switching for long-running server requests • The length of the clock interval varies according to the hardware platform • The frequency of the clock interrupt is determined by the HAL, not by the kernel • Internally the quantum is tracked in processor clock cycles: cycles per clock tick = processor speed (cycles per second) × the number of seconds it takes for one clock tick to fire, and the quantum target spans that many cycles for each clock interval in the quantum (2 or 12)

  43. Demo 8: Determining the Clock Interval Frequency; Demo 9: Controlling the Quantum demo
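Demo 9 is about controlling the quantum, which on Windows is done through the Win32PrioritySeparation registry value. The script below is an added example (not from the presentation) that decodes that value into quantum length, fixed versus variable quantums and the foreground multiplier, and then applies the slide's cycles-per-tick formula. The quantum-length table is the Windows Vista / Server 2008 scheduler's; the 15.625 ms clock interval is an assumption for the arithmetic (measure the real one, as demo 8 does), and the function names are this example's own.

```powershell
# Added example: decode Win32PrioritySeparation and compute the quantum target in clock cycles.
function ConvertFrom-PrioritySeparation([int]$Value, [bool]$IsServer) {
    # HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl\Win32PrioritySeparation is a 6-bit value:
    #   bits 5-4: 00/11 = product default, 01 = long quantums, 10 = short quantums
    #   bits 3-2: 00/11 = product default, 01 = variable (foreground boost), 10 = fixed
    #   bits 1-0: foreground quantum multiplier, 00 = 1x, 01 = 2x, 10 = 3x (11 is treated as 3x here)
    $lenBits = ($Value -shr 4) -band 3
    $varBits = ($Value -shr 2) -band 3
    $mult    = [math]::Min(($Value -band 3) + 1, 3)
    $long     = switch ($lenBits) { 1 { $true } 2 { $false } default { $IsServer } }       # default: short on client, long on server
    $variable = switch ($varBits) { 1 { $true } 2 { $false } default { -not $IsServer } }  # default: variable on client, fixed on server
    if ($variable) {
        $bg = if ($long) { 4 } else { 2 }     # clock intervals for background threads
        $fg = $bg * $mult                     # foreground threads get the multiplier
    } else {
        $bg = if ($long) { 12 } else { 6 }    # fixed: every thread gets the same quantum
        $fg = $bg
    }
    [pscustomobject]@{
        Raw             = ('0x{0:X2}' -f $Value)
        LongQuantums    = $long
        Variable        = $variable
        BackgroundTicks = $bg
        ForegroundTicks = $fg
    }
}

function Get-QuantumTargetCycles([double]$ProcessorMHz, [double]$ClockIntervalMs, [int]$Ticks) {
    # cycles per clock tick = processor speed (cycles/s) x length of one clock tick (s);
    # the quantum target covers that many cycles for each tick in the quantum.
    return [long](($ProcessorMHz * 1e6) * ($ClockIntervalMs / 1000) * $Ticks)
}

$reg      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' -Name Win32PrioritySeparation
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1        # 1 = workstation
$q        = ConvertFrom-PrioritySeparation -Value $reg.Win32PrioritySeparation -IsServer $isServer
$q | Format-List
$mhz = (Get-CimInstance Win32_Processor | Select-Object -First 1).MaxClockSpeed
"Assuming a 15.625 ms clock interval at $mhz MHz: foreground quantum target = $(Get-QuantumTargetCycles $mhz 15.625 $q.ForegroundTicks) cycles"

# Worked defaults: client 0x26 -> short, variable, 3x (2 ticks background, 6 foreground);
# server 0x18 -> long, fixed (12 ticks for every thread), matching the slide.
ConvertFrom-PrioritySeparation -Value 0x26 -IsServer $false
ConvertFrom-PrioritySeparation -Value 0x18 -IsServer $true
```

The two worked defaults reproduce the slide's numbers: 0x26 decodes to 2 background / 6 foreground clock intervals on a client, 0x18 to a fixed 12 on a server. Changing the value (the "Programs" versus "Background services" radio button in System Properties writes 0x26 or 0x18) takes effect immediately, so the decoder is also a quick way to check that a hardening baseline has not quietly altered scheduling behaviour on a server.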

  44. Thread Scheduling Scenarios – Voluntary Switch • [Figure: priority levels 14–20; the running thread enters a wait state, and the highest-priority ready thread is dispatched]

  45. Thread Scheduling Scenarios – Preemptive Thread Scheduling • [Figure: priority levels 14–20; a higher-priority thread leaves the wait state and preempts the running lower-priority thread, which goes back to the head of its ready queue]

  46. Thread Scheduling Scenarios – Quantum End • [Figure: priority levels 11–15; the running thread's quantum expires and it moves to the tail of its ready queue while the next ready thread at the same priority runs]

  47. Thread Scheduling Scenarios • Termination • Context Switching • Idle Thread • Priority Boosts

  48. Job Objects

  49. Job Objects • A job object is a nameable, securable, shareable kernel object that allows one or more processes to be controlled as a group • Its function is to allow groups of processes to be managed as a unit (limits, quotas, accounting) • It records accounting information for all processes associated with the job, including those that have already terminated • A process can be a member of only one job • Examples of job functions: • CreateJobObject, OpenJobObject, AssignProcessToJobObject, TerminateJobObject, SetInformationJobObject, QueryInformationJobObject
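The functions listed on the last slide are enough to build a small sandbox, which is how job objects are most often met in security work. The script below is an added example (not part of the presentation) that creates a job, limits it to one active process with kill-on-close, assigns a child process, reads the job's accounting information and then shows the child being terminated when the last job handle is closed. It assumes Windows 8 or later if the shell itself already runs inside a job: before nested jobs existed, a process could be in only one job and AssignProcessToJobObject fails with ERROR_ACCESS_DENIED (5). The `Job` class and the function names are this example's own.

```powershell
# Added example: constrain a child process with a job object and observe kill-on-close.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class Job {
    [StructLayout(LayoutKind.Sequential)]
    public struct BASIC_LIMIT {               // JOBOBJECT_BASIC_LIMIT_INFORMATION
        public long PerProcessUserTimeLimit, PerJobUserTimeLimit; public uint LimitFlags;
        public UIntPtr MinimumWorkingSetSize, MaximumWorkingSetSize; public uint ActiveProcessLimit;
        public UIntPtr Affinity; public uint PriorityClass, SchedulingClass;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct BASIC_ACCOUNTING {          // JOBOBJECT_BASIC_ACCOUNTING_INFORMATION
        public long TotalUserTime, TotalKernelTime, ThisPeriodTotalUserTime, ThisPeriodTotalKernelTime;
        public uint TotalPageFaultCount, TotalProcesses, ActiveProcesses, TotalTerminatedProcesses;
    }
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateJobObject(IntPtr attributes, string name);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr job, int infoClass, ref BASIC_LIMIT info, uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool QueryInformationJobObject(IntPtr job, int infoClass, out BASIC_ACCOUNTING info, uint size, IntPtr returned);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr job, IntPtr process);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src

function New-LimitedJob([int]$MaxActiveProcesses) {
    $job = [Job]::CreateJobObject([IntPtr]::Zero, $null)          # unnamed job: only our handle can reach it
    if ($job -eq [IntPtr]::Zero) { throw "CreateJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $lim = New-Object Job+BASIC_LIMIT
    $lim.LimitFlags = 0x2000 -bor 0x8            # JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE | JOB_OBJECT_LIMIT_ACTIVE_PROCESS
    $lim.ActiveProcessLimit = $MaxActiveProcesses
    $size = [Runtime.InteropServices.Marshal]::SizeOf($lim)
    if (-not [Job]::SetInformationJobObject($job, 2, [ref]$lim, $size)) {   # 2 = JobObjectBasicLimitInformation
        throw "SetInformationJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $job
}

function Get-JobAccounting([IntPtr]$Job) {
    $acct = New-Object Job+BASIC_ACCOUNTING
    $size = [Runtime.InteropServices.Marshal]::SizeOf($acct)
    if (-not [Job]::QueryInformationJobObject($Job, 1, [ref]$acct, $size, [IntPtr]::Zero)) {   # 1 = JobObjectBasicAccountingInformation
        throw "QueryInformationJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $acct
}

$job   = New-LimitedJob -MaxActiveProcesses 1
$child = Start-Process -FilePath cmd.exe -ArgumentList '/c timeout /t 120 /nobreak' -PassThru -WindowStyle Hidden
if (-not [Job]::AssignProcessToJobObject($job, $child.Handle)) {
    throw "AssignProcessToJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error()) (5 = already in a job and nested jobs unsupported)"
}
$a = Get-JobAccounting $job
"Job accounting: $($a.TotalProcesses) process(es) ever, $($a.ActiveProcesses) active; creating a second process inside this job would now fail"
[void][Job]::CloseHandle($job)        # last handle closed -> KILL_ON_JOB_CLOSE terminates every member
Start-Sleep -Milliseconds 500
"Child exited after the job was closed: $($child.HasExited)"
```

Because the child is assigned after it has started, there is a short window in which it runs unconstrained; a real sandbox creates the child with CREATE_SUSPENDED, assigns it, and only then resumes the initial thread, so that the job limits are in place before stage 7 of CreateProcess runs. Kill-on-close is the property to rely on for cleanup: it fires when the last handle goes away, including when the controlling process crashes.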