Windows Vista and “Longhorn” Server: Under the Hood of the Operating System Internals and Your Application
Richard B. Ward, Program Manager, Microsoft
Karthik Thirumalai, Program Manager, Microsoft
Session FUN417
Slide 2: Simplified Windows Core
[Diagram: user mode holds kernel32, advapi32 and NTDLL; kernel mode holds the Memory Manager, I/O Manager, Security, Scheduler, Object Manager, Inter-process Communication, Registry, Power Management, Plug and Play and other components, all sitting on the Hardware Abstraction Layer.]
Slide 4: Core Changes
New boot environment
  Platform and firmware independent and highly portable
  Supports 32 and 64 bit systems via PC/AT BIOS or EFI
  Fully localized, supporting many languages
Hot Add/Replace of processor and memory
Enhanced power management with Hybrid Sleep
  Combines Standby and Hibernate
  Suspend to RAM and disk at the same time
Slide 5: Core Changes
Memory manager
  Dynamic system address space
    System virtual address (VA) space kernel page tables allocated on demand
  NUMA and large page support
  Paging video memory
Slide 6: Core Changes
User Mode Driver Framework
  Infrastructure to run a device driver in user mode
  Implementation of the WDF driver model
  Supports core WDF objects
  User-mode drivers are isolated from other drivers
  Kernel is isolated from user-mode drivers
  System can recover after a driver crash – no blue screen
Enhanced multimedia support
  Multimedia Class Scheduler Service
  Support for soft real-time memory allocations
  Scheduled file I/O
Slide 7: Security Enhancements
Kernel mode malware on the rise
  Presents new categories of problems
  Malicious code running with the highest privileges
  Device drivers can monitor and affect almost anything on the system
Slide 8: Security Enhancements
Kernel mode code must be digitally signed
  Enforced at install and load time
  x64 only for Vista
User mode code
  Critical system processes will require signed code
Slide 9: Windows Services
Architecture overview
Changes to the services model
  Security: Session 0 isolation, service hardening
  Performance: delayed start, state change notifications
  Reliability: failure action on non-crash failures
Slide 10: Services Model Overview
[Diagram: SCM API clients talk to the Service Control Manager, which reads its configuration from HKLM\System\CCS\Services and sends start, stop and control requests to service processes over the service process communication channel (LRPC, RPC/TCP on Vista and later, RPC/NP for legacy clients). A service process is either Svchost.exe, which hosts a configurable number of services, or a dedicated OwnProc.exe.]
Slide 11: Service Start Types
Automatic
  Started during boot by the SCM
  Auto-start services have a significant performance effect
    Lots of I/O requests and contention over global resources
    Can have a significant effect on boot time
Manual
  Started on demand by a client
  Reduces impact on boot performance
Slide 12: Start Types – Delayed Start
Delayed Auto Start – new in Windows Vista
  Many services are auto start simply because they want “unattended” start, but do not need to be running immediately after boot
  Delayed start services are started in low priority CPU & I/O threads shortly after boot
  Client code must tolerate the service’s unavailability

```c
/* hService: a service handle opened with SERVICE_CHANGE_CONFIG access */
SERVICE_DELAYED_AUTO_START_INFO sdaInfo;
sdaInfo.fDelayedAutoStart = TRUE;
ChangeServiceConfig2(hService, SERVICE_CONFIG_DELAYED_AUTO_START_INFO, &sdaInfo);
```
Slide 13: Service Security Model
Built-in accounts for easy management
  No password management requirements
  LocalSystem
    Very powerful and has most privileges – use cautiously
  LocalService and NetworkService
    Greatly reduced privilege set
    NetworkService uses the machine account for remote authentication
Session-0 isolation – new in Windows Vista
  Services are isolated from interactive sessions
  Helps mitigate UI attacks
Slide 14: Windows Service Hardening
Motivation
  Services are attractive targets for malware
    Running on a large number of systems
    Services typically are higher privileged than users
    Worms target services, e.g. Sasser, Code Red, etc.
Goals
  Run with least privilege necessary
  Use only resources needed by the service
  Reduce the damage potential and number of critical vulnerabilities in services
  Extend existing security model for more granular control
Slide 15: Running With Least Privilege
Privilege stripping
  Enables a service to run with least privilege
  Use only required privileges
    Express required privileges during service configuration
      SeBackupPrivilege, SeRestorePrivilege, etc.
      ChangeServiceConfig2 API (sc.exe can be used as well)
  SCM computes the union of all hosted services’ required privileges
    Permanently removes unnecessary privileges from the process token when the service process starts
  No privileges are added
    Target account must support the required privileges, e.g. a service in the LocalService account cannot get SeTcbPrivilege
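Because the SCM keeps the union of every hosted service's required privileges, one over-declared service re-grants a privilege to everything sharing its svchost.exe. The following PowerShell audit is an added example, not code from the deck or from Microsoft: it reads each service's RequiredPrivileges value under HKLM\SYSTEM\CurrentControlSet\Services, groups svchost-hosted services by their -k group and reports what each host's token will keep. It assumes the Vista-era model of one process per group (later Windows 10 builds may split a group across several processes, so this shows the worst case).

```powershell
# Added example, not from the deck. Read-only audit of what privilege stripping leaves in
# each shared svchost.exe process: the SCM keeps the union of every hosted service's
# RequiredPrivileges (a REG_MULTI_SZ under the service key).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Privileges worth a second look in a shared host (reviewer's list, not an OS-defined one).
$sensitive = 'SeTcbPrivilege', 'SeDebugPrivilege', 'SeLoadDriverPrivilege',
             'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
             'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
$noDecl = '<declares no RequiredPrivileges: SCM strips nothing for this host>'

$groups = @{}
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Only svchost-hosted services share a token; "-k <group>" names the host.
    if (-not $p.ImagePath -or
        $p.ImagePath -notmatch '(?i)svchost\.exe.*\s-k\s+(\S+)') { continue }
    $group = $Matches[1]
    if ($p.Start -eq 4) { continue }                      # 4 = disabled, never starts
    if (-not $groups.ContainsKey($group)) {
        $groups[$group] = @{ Services = @(); Accounts = @(); Privs = @() }
    }
    $g = $groups[$group]
    $g.Services += $key.PSChildName
    $g.Accounts += $(if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' })
    # A service that declares no RequiredPrivileges is assumed to need all of its
    # account's privileges, which disables stripping for the whole host.
    $g.Privs += $(if ($p.RequiredPrivileges) { $p.RequiredPrivileges } else { $noDecl })
}

foreach ($name in ($groups.Keys | Sort-Object)) {
    $g     = $groups[$name]
    $union = @($g.Privs    | Sort-Object -Unique)
    $accts = @($g.Accounts | Sort-Object -Unique)
    ""
    "== svchost group '$name': $($g.Services -join ', ')"
    "   account(s)      : $($accts -join ', ')"
    "   token will keep : $($union -join ', ')"
    if ($accts.Count -gt 1) {
        "   [!] mixed accounts: the SCM will not host them in one process (ERROR_DIFFERENT_SERVICE_ACCOUNT)"
    }
    $hot = @($union | Where-Object { $sensitive -contains $_ })
    if ($hot.Count) {
        "   [!] every service in this host gets: $($hot -join ', ')"
    }
}
```

To tighten an over-declared service, set its list explicitly (for example `sc.exe privs MySvc SeChangeNotifyPrivilege/SeImpersonatePrivilege`, with MySvc a placeholder) and re-run the audit.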
Slide 16: Service Isolation
Service-specific SID
  1:1 mapping between service name and SID
  Use to ACL objects the service needs, to allow access only to the service-specific SID
  Use ChangeServiceConfig2 or sc.exe to control the service SID
    Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
Service-specific SID assigned at start time
  When the service process starts, the SCM adds service SIDs to the process token
    S-1-5-80-XXXXX-YYYYY
  SID enabled/disabled when the service starts/stops
Service SIDs are local to the machine
Slide 17: Reducing Damage Potential
Restricted services
  Uses service SIDs and restricted tokens
Write-restricted service process
  Allows the service process write access only to objects allowing WRITE for service SIDs
  Reduces the scope of resources accessed on the system
When the service process starts
  SCM adds the service SID to both the normal and the restricted SID list in the process token
  SID enabled/disabled when the service starts/stops
All services in a process must be restricted
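The per-service SID of slide 16 and the restricted-host rule of slide 17 can both be exercised from PowerShell. This is an added example, not code from the deck or from Microsoft; it assumes the well-known derivation of NT SERVICE\<name> (S-1-5-80 followed by the SHA-1 of the upper-cased service name in UTF-16LE, read as five little-endian DWORDs) and cross-checks it against the OS, grants a directory to that SID only, and flags svchost groups that mix restricted and non-restricted ServiceSidType values.

```powershell
# Added example, not from the deck. Three pieces around the per-service SID:
#  1. derive NT SERVICE\<name> offline and cross-check it against the OS,
#  2. grant a directory to that SID only (plus Administrators for manageability),
#  3. check that every service sharing a host has a compatible ServiceSidType, since a
#     write-restricted host needs ALL of its services to be restricted.
# Assumed derivation: 'S-1-5-80-' + SHA-1(UTF-16LE(upper(name))) as five LE DWORDs.

function Get-ServiceSidOffline {
    param([Parameter(Mandatory)][string]$ServiceName)
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $digest = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs   = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($digest, $_ * 4) }
    'S-1-5-80-' + ($subs -join '-')
}

function Test-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $offline = Get-ServiceSidOffline -ServiceName $ServiceName
    try {
        $acct = New-Object System.Security.Principal.NTAccount("NT SERVICE\$ServiceName")
        $os   = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $os = '<not translatable on this machine>' }
    [pscustomobject]@{ Service = $ServiceName; Offline = $offline; OS = $os; Match = ($offline -eq $os) }
}

function Grant-ServiceOnlyAccess {
    # The service SID is only present in the token when ServiceSidType is unrestricted or
    # restricted (sc.exe sidtype <svc> unrestricted); otherwise this ACE never matches.
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)       # stop inheriting; only explicit ACEs remain
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($pair in @(@("NT SERVICE\$ServiceName", 'Modify'),
                        @('BUILTIN\Administrators', 'FullControl'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $pair[0], $pair[1], $flags, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-HostSidTypes {
    # ServiceSidType: 0 = none, 1 = unrestricted, 3 = restricted (REG_DWORD under the service key)
    $byGroup = @{}
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath -or
            $p.ImagePath -notmatch '(?i)svchost\.exe.*\s-k\s+(\S+)') { continue }
        $type = if ($null -ne $p.ServiceSidType) { [int]$p.ServiceSidType } else { 0 }
        $byGroup[$Matches[1]] += @([pscustomobject]@{ Service = $key.PSChildName; SidType = $type })
    }
    foreach ($name in $byGroup.Keys) {
        $types = @($byGroup[$name].SidType | Sort-Object -Unique)
        if ($types -contains 3 -and $types.Count -gt 1) {
            [pscustomobject]@{
                Group   = $name
                Problem = 'restricted service shares a host with unrestricted/none'
                Members = ($byGroup[$name] | ForEach-Object { "$($_.Service)=$($_.SidType)" }) -join ', '
            }
        }
    }
}

Test-ServiceSid -ServiceName 'TrustedInstaller'
Test-HostSidTypes
```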
Slide 18: Service Management
Service state changes
  Clients used a QueryServiceStatus polling loop to discover state changes
    Many bugs found in such loops
    Performance hit due to lots of threads looping at boot
  New notification API: NotifyServiceStatusChange
    Notification of service state changes & create/delete
    Works both locally and remotely
    Callback based
      Uses cross-process APC mechanism locally
      Uses async RPC remotely
Slide 19: Service Management
SCM supported automatic recovery on service crashes
  Enabled by specifying the FailureAction settings for a service
  Recovery usually invoked only on service process crash
Support for recovery on non-crash – new in Windows Vista
  Service can fail in other ways than crashing
    Leaks, system load, etc.
  Enabled by specifying the FailureActionOnNonCrashFailures flag in addition to the FailureAction settings
  Invoked on service stop with dwWin32ExitCode != ERROR_SUCCESS
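The recovery settings above land in the registry as a FailureActions blob plus a FailureActionsOnNonCrashFailures DWORD. The PowerShell below is an added example, not code from the deck or from Microsoft: it decodes the blob for every service so a defender can see which services restart only on a crash, which also recover from a non-zero exit code, and which run a command on failure, and it shows how to enable non-crash recovery for a placeholder service. The blob layout (reset period, two string offsets, action count, action-array offset, then SC_ACTION pairs) is assumed from observed values, not taken from the deck.

```powershell
# Added example, not from the deck. Decode FailureActions (the registry form of
# SERVICE_FAILURE_ACTIONS) and report each service's recovery configuration.
function ConvertFrom-FailureActions {
    param([byte[]]$Blob)
    if (-not $Blob -or $Blob.Length -lt 20) { return $null }
    $names  = @{ 0 = 'None'; 1 = 'Restart'; 2 = 'Reboot'; 3 = 'RunCommand' }   # SC_ACTION_TYPE
    $reset  = [BitConverter]::ToUInt32($Blob, 0)    # dwResetPeriod, in seconds
    $count  = [BitConverter]::ToUInt32($Blob, 12)   # cActions
    $offset = [BitConverter]::ToUInt32($Blob, 16)   # byte offset of the SC_ACTION array
    $acts = for ($i = 0; $i -lt $count; $i++) {
        $pos = $offset + 8 * $i
        if ($pos + 8 -gt $Blob.Length) { break }    # truncated blob: stop, do not read past it
        $t = [int][BitConverter]::ToUInt32($Blob, $pos)
        $d = [BitConverter]::ToUInt32($Blob, $pos + 4)
        '{0}/{1}ms' -f $(if ($names.ContainsKey($t)) { $names[$t] } else { "Type$t" }), $d
    }
    [pscustomobject]@{ ResetSeconds = $reset; Actions = ($acts -join ' ') }
}

function Get-ServiceRecoveryConfig {
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.FailureActions) { continue }
        $fa = ConvertFrom-FailureActions -Blob $p.FailureActions
        [pscustomobject]@{
            Service      = $key.PSChildName
            OnNonCrash   = [bool]$p.FailureActionsOnNonCrashFailures   # the Vista flag
            ResetSeconds = $fa.ResetSeconds
            Actions      = $fa.Actions
            Command      = $p.FailureCommand                           # only used by RunCommand
        }
    }
}

function Enable-NonCrashRecovery {
    # Two restarts 60 s apart, then give up; the failure counter resets after a day.
    param([Parameter(Mandatory)][string]$ServiceName)
    sc.exe failure $ServiceName reset= 86400 actions= restart/60000/restart/60000// | Out-Null
    # The flag makes the SCM run those actions on a stop with
    # dwWin32ExitCode != ERROR_SUCCESS, not only when the process dies.
    sc.exe failureflag $ServiceName 1 | Out-Null
}

# Enable-NonCrashRecovery -ServiceName 'MySvc'   # 'MySvc' is a placeholder; needs an elevated prompt
Get-ServiceRecoveryConfig | Sort-Object Service | Format-Table -AutoSize
```

A RunCommand action with an unexpected FailureCommand is worth a look during incident response, since it runs whenever the service fails.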
Slide 20: Windows Registry
Architecture overview
Changes in Windows Vista
  Transactional registry
  Registry virtualization
  Enhanced registry filtering
Slide 21: Windows Registry
Most widely used configuration store
  One of the first OS sub-systems to be started
  Used by the kernel, drivers, apps and anything else that needs to store or share state information
Simple programming model
  Hierarchical layout to provide structured access to data
  Abstracts the complex data management schemes
  Reg* APIs in user mode, Zw APIs in kernel mode
Data is stored in registry hives
  Implemented as files
  Logically, the registry is a “FS in a file”
Slide 22: Architecture Overview
[Diagram: in user mode, applications call the Win32 registry APIs in ADVAPI32.DLL (with regsvc.dll hosted in svchost.exe), which call the NT APIs into the kernel. In kernel mode the Configuration Manager (CM, the registry) keeps volatile storage with the Memory Manager (MM) and persists hives through the Cache Manager (CC) to NTFS on disk: the PRIMARY hive file is written via CC PRIVATE_WRITE streams, the .LOG file with NO_INTERMEDIATE_BUFFERING.]
Slide 23: Windows Vista – Transactional Registry
Needed for “all or none” semantics when changing a group of settings
Adds ACID semantics to a group of registry operations
Integrates with TxF and any other resource manager which participates in KTM transactions
  A transaction can span across FS and registry operations
Provides an easier way for apps to clean up on error paths
More information on transactional technologies in Vista – FUN320
Slide 24: Windows Vista – Registry Virtualization
Enable legacy applications to run as non-admin
  Applications that want to write to keys that require admin privileges
Redirect globally impactful registry writes to a per-user virtual key
  Only keys under HKLM\Software are virtualized
  Redirection is transparent to callers
  Applications use the user’s virtual key while running
Is not platform support for sandboxing
  Should be treated as an assistance technology
Slide 25: Virtualization – How It Works
[Diagram: an application calls RegSetValueEx(…) to write value V3 to HKLM\Software\Key1 (which holds V1, V2 and V3). The write fails with ACCESS_DENIED, so it is redirected to HKU\{SID}_Classes\VirtualStore\Machine\Software\K1, which now holds V3.]
Opening the key for WRITE access returns MAX_ALLOWED
Slide 26: What Is Not Virtualized?
Application is identified as an “admin application”
Key is not changeable by admins
  Key is Windows Resource Protected
Caller is kernel mode
Caller is using impersonation
Any 64 bit application
Keys marked as ‘Do Not Virtualize’
  HKLM\Software\Classes
Slide 27: Virtualization Configuration
Globally controlled by the caller’s token
Can be turned on/off on individual keys in the Software hive
  New FLAGS option in reg.exe for key level virtualization control
  Allows recursive enable/disable of virtualization
  Allows control of the “open access right policy”
Changing ACLs on specific keys
Slide 28: Virtualization Gotchas
Using the registry for IPC
  Service and user apps will have different views of the key
Impersonating callers
  Will not be virtualized
Audit for possible elevation paths
  Virtualization is at the value level
  Default for the Software hive is enable recursive virtualization
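The "two views of the same key" gotcha and the per-key FLAGS control from slides 25 to 28 can be audited directly. The PowerShell below is an added example, not code from the deck or from Microsoft: it lists every value UAC virtualization has redirected into the current user's VirtualStore, compares it with the real HKLM value, and asks reg.exe for the real key's DONT_VIRTUALIZE flag. It is read-only and assumes the VirtualStore lives under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE, as the slide 25 path shows.

```powershell
# Added example, not from the deck. Audit of virtualized registry writes for the current user.
$store = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'

function Get-VirtualizeFlag([string]$RegPath) {
    # reg.exe FLAGS only accepts keys under HKLM\Software; returns SET/CLEAR for
    # REG_KEY_DONT_VIRTUALIZE, or 'n/a' if the key is gone or cannot be queried.
    $out = (reg.exe flags $RegPath QUERY 2>$null) -join "`n"   # join: -match fills $Matches only for a scalar
    if ($out -match 'DONT_VIRTUALIZE\s*:\s*(\w+)') { return $Matches[1] }
    'n/a'
}

function Get-VirtualizedWrites {
    if (-not (Test-Path -Path $store)) { return }
    foreach ($vKey in Get-ChildItem -Path $store -Recurse) {
        # HKEY_CURRENT_USER\...\VirtualStore\MACHINE\SOFTWARE\Vendor\App -> Vendor\App
        $rel  = $vKey.Name -replace '^.*\\VirtualStore\\MACHINE\\SOFTWARE\\', ''
        $real = "HKLM\SOFTWARE\$rel"
        $rKey = if (Test-Path "HKLM:\SOFTWARE\$rel") { Get-Item "HKLM:\SOFTWARE\$rel" } else { $null }
        foreach ($name in $vKey.GetValueNames()) {
            # Virtualization is per value: a non-elevated reader gets the VirtualStore copy,
            # an elevated process (or a service) reads the real HKLM value.
            $v = $vKey.GetValue($name)
            $r = if ($rKey) { $rKey.GetValue($name) } else { $null }
            [pscustomobject]@{
                Key          = $real
                Value        = $(if ($name) { $name } else { '(Default)' })
                UserSees     = "$v"
                ElevatedSees = $(if ($rKey) { "$r" } else { '<no such key in HKLM>' })
                Diverged     = ("$v" -ne "$r")        # two truths: an IPC or elevation-path smell
                DontVirt     = Get-VirtualizeFlag $real
            }
        }
    }
}

Get-VirtualizedWrites | Format-Table -AutoSize
```

A key that a service and user applications share for IPC should be opted out explicitly from an elevated prompt, for example `reg.exe flags HKLM\Software\Vendor\App SET DONT_VIRTUALIZE` (Vendor\App is a placeholder), so both sides read the same key.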
Slide 29: Registry Filtering
A certain class of applications has the need for filtering registry calls
  Anti-virus, management apps, etc.
Kernel mode callback model to allow for filtering registry operations
  Allows monitoring and blocking of registry operations
  Multiple drivers can register callbacks
Limitations
  No support to modify parameters or redirect calls
  No concept of altitudes
Slide 30: Windows Vista Enhanced Registry Filtering
Introduces a layered model with altitudes for callback registration
  Consistent with the file system mini-filter model
  Altitudes have to be registered with Microsoft
Ability to modify parameters and redirect calls
  Supports three modes of operation – Monitor, Block and Modify
Compatible with existing registry callbacks
  Legacy callbacks will be registered at a default altitude
  First come first served registration semantics retained for these legacy callbacks
Slide 31: What Is WoW64?
32-bit Windows emulation layer on 64-bit Windows
Binary compatibility with 32-bit Windows applications
32-bit code executes as if it is running on a native x86 processor
Slide 32: WoW64 Architecture
[Diagram: in user mode, the 32-bit modules (32-bit kernel32.dll, 32-bit user32.dll) call the 32-bit ntdll.dll, which hands off to the WoW64 layer (WoW64.dll, WoW64win.dll, WoW64cpu.dll) built on the 64-bit ntdll.dll; that layer calls the NT Executive and Win32k.sys in kernel mode. The 32-bit address space is reserved up to 0x00000000`7FFEFFFF or 0x00000000`FFFEFFFF.]
Slide 33: WoW64 Architecture
Address space is limited to 2GB (or 4GB if the application is marked Large-Address-Aware in the header)
WoW64 processes can NOT load 64-bit DLLs except for the core one!
  Likewise, native 64-bit processes can NOT load 32-bit DLLs
  LoadLibrary() will fail
No 16-bit support on 64-bit Windows
32-bit kernel drivers won’t run on 64-bit Windows
  Need to be ported and support WoW64
Target 64-bit platform may not support specific features
  GetNativeSystemInfo() retrieves info about the native system
Slide 34: WoW64 Registry
Two views of the registry exist on 64-bit Windows: native and WoW64
  Native 64-bit Windows application sees the native registry view
  WoW64 application sees the WoW64 view
Why different WoW64 registry views?
  Compatibility
    Separates 32-bit application state from 64-bit state
    Not supported features stored in the registry
  Provides a safe execution environment for both 32-bit and 64-bit applications
    A registry value hosting a DLL path
Registry Redirection

- Certain parts of the system registry are separated:
  - HKEY_LOCAL_MACHINE\Software
  - HKEY_CLASSES_ROOT
- When a WoW64 process opens or creates a key under one of the above, WoW64 redirects the path by inserting 'WoW6432Node' after that root (HKEY_LOCAL_MACHINE\Software\WoW6432Node\..., HKEY_CLASSES_ROOT\WoW6432Node\...)
  - Transparent for Win32 applications; a caller that needs the other view asks for it explicitly with KEY_WOW64_64KEY or KEY_WOW64_32KEY in the access mask
- RegConnectRegistry selects the server's view based on the caller's bitness
  - Only on new clients (Windows XP 64-bit and beyond)
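The redirection on slides 34 and 35 is the reason a 32-bit tool walking HKLM\Software never sees what a 64-bit application wrote there unless it asks for the 64-bit view. The following is an added example written for this page, not code from the presentation or from Microsoft. The first function models the slide's redirect rule only (HKLM\Software and HKEY_CLASSES_ROOT gain a WoW6432Node component for a 32-bit caller; a caller that already names WoW6432Node is left alone, as Windows does); it is an assumption of the model that no subkeys are exempt, since the slide lists none, whereas real Windows does share some subkeys between the views. The Windows-only part shows the KEY_WOW64_64KEY / KEY_WOW64_32KEY access flags that let a process of either bitness read a chosen view. The key and value names in main() are made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define WOW_NODE "WoW6432Node"

/* Registry paths compare case-insensitively. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* malloc'd concatenation of the first alen bytes of a, then b, then c. */
static char *cat3(const char *a, size_t alen, const char *b, const char *c)
{
    char *out = malloc(alen + strlen(b) + strlen(c) + 1);
    if (!out) return NULL;
    memcpy(out, a, alen);
    out[alen] = '\0';
    strcat(out, b);
    strcat(out, c);
    return out;
}

/* Path the registry actually opens when a process opens `path`. Models the slide's
 * rule: for a WoW64 caller, HKLM\Software and HKEY_CLASSES_ROOT gain a WoW6432Node
 * component; everything else, and every 64-bit caller, goes where it asked. A 32-bit
 * caller that names WoW6432Node itself is not redirected again. The shared subkeys
 * Windows exempts under these roots are not modelled (assumption: none).
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *wow64_redirect_path(const char *path, int caller_is_wow64)
{
    static const char *const roots[] = { "HKEY_LOCAL_MACHINE\\Software", "HKEY_CLASSES_ROOT" };
    size_t i;
    if (!caller_is_wow64) return cat3(path, strlen(path), "", "");
    for (i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        size_t rl = strlen(roots[i]);
        const char *rest;
        if (!has_prefix_ci(path, roots[i])) continue;
        rest = path + rl;
        if (*rest != '\\' && *rest != '\0') continue;      /* "SoftwareX" is another key */
        if (has_prefix_ci(rest, "\\" WOW_NODE)) {
            const char *after = rest + 1 + strlen(WOW_NODE);
            if (*after == '\\' || *after == '\0') break;    /* already explicit, leave it */
        }
        return cat3(path, rl, "\\" WOW_NODE, rest);
    }
    return cat3(path, strlen(path), "", "");
}

#ifdef _WIN32
#include <windows.h>
/* Read a REG_SZ value from an explicitly chosen view. `view` is KEY_WOW64_64KEY or
 * KEY_WOW64_32KEY (Windows XP 64-bit and later); with neither flag the caller's own
 * bitness selects the view, which is exactly what a 32-bit scanner gets wrong. */
int read_sz_from_view(HKEY root, const wchar_t *subkey, const wchar_t *value,
                      REGSAM view, wchar_t *out, DWORD out_bytes)
{
    HKEY h;
    DWORD type = 0;
    LONG rc = RegOpenKeyExW(root, subkey, 0, KEY_QUERY_VALUE | view, &h);
    if (rc != ERROR_SUCCESS) return 0;
    memset(out, 0, out_bytes);
    out_bytes -= sizeof(wchar_t);                /* keep room for a terminator */
    rc = RegQueryValueExW(h, value, NULL, &type, (LPBYTE)out, &out_bytes);
    RegCloseKey(h);
    return rc == ERROR_SUCCESS && type == REG_SZ;
}
#endif

int main(void)
{
    /* Key names here are made up for the demonstration. */
    static const char *const samples[] = {
        "HKEY_LOCAL_MACHINE\\Software\\Contoso\\Agent",
        "HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ContosoSvc",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *p = wow64_redirect_path(samples[i], 1);
        if (p) { printf("32-bit caller: %s\n    -> %s\n", samples[i], p); free(p); }
    }
#ifdef _WIN32
    {
        wchar_t v64[512], v32[512];
        if (read_sz_from_view(HKEY_LOCAL_MACHINE, L"Software\\Contoso\\Agent", L"Path",
                              KEY_WOW64_64KEY, v64, sizeof v64))
            wprintf(L"64-bit view Path = %ls\n", v64);
        if (read_sz_from_view(HKEY_LOCAL_MACHINE, L"Software\\Contoso\\Agent", L"Path",
                              KEY_WOW64_32KEY, v32, sizeof v32))
            wprintf(L"32-bit view Path = %ls\n", v32);
    }
#endif
    return 0;
}
```

Read the same value through both views when auditing a 64-bit machine: a 32-bit build of a tool that passes neither flag only ever sees the WoW6432Node copy of the redirected roots, while HKLM\System and the other unredirected hives look the same from both sides.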
Registry Reflection

- Enables 64-bit and 32-bit application inter-op through COM
- Mirrors certain registry keys and values between the 32-bit and 64-bit registry views
- Ownership-based reflection
  - Helps intelligent reflection of COM servers
- Rules for HKEY_CLASSES_ROOT\CLSID reflection
  - InProcServer32 and InProcHandler32 are not reflected: an in-process server is a DLL, and a DLL can only be loaded by a process of its own bitness
  - LocalServer32 is reflected: an out-of-process server is a separate EXE, so its bitness does not matter to the client
  - Reflected keys are deleted only if they were written by the WoW64 reflector
32/64 Inter-Op Issues

- Pointer data type storage is 64-bit (8 bytes) on 64-bit Windows systems while it is 32-bit (4 bytes) on 32-bit Windows systems
  - Alignment is different as well: 8-byte fields are 8-byte aligned, so the 64-bit compiler inserts padding that the 32-bit compiler does not
- Client/server applications communicating using shared memory
  - Client is 32-bit running on 64-bit Windows and server is 64-bit, or vice versa
  - Shared structures are pointer-dependent
- Two solutions
  - 32-bit client writes compatible 64-bit structures
    - 64-bit server doesn't need to be WoW64 aware
  - 64-bit server reads 32-bit and 64-bit structures
    - 64-bit server is WoW64 aware
    - 32-bit client may need to change if the 64-bit server cannot tell which bitness a request came from (for example by adding a size or version field)
32/64 Inter-Op Issues

How to convert data types?

| 32-bit Windows-compiled data type | 64-bit Windows-compiled data type representing the 32-bit value | How to convert? | Note |
|---|---|---|---|
| HANDLE | LONG | LongToHandle(handle_value32) | Process and thread handles are sign-extended |
| PVOID | ULONG | UlongToPtr(pvoid_value32) | Addresses should never be sign-extended |
| ULONG | ULONG | No conversion is needed | |
| HWND | LONG | (HWND)LongToHandle(hwnd32) | Window handles are sign-extended |

- Don't pass addresses above 2GB (or 4GB) to a WoW64 application
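The two solutions from the previous slide and the widening rules in the table above come together in the following added example, written for this page and not taken from the presentation or from any Windows header. A 64-bit server receives a request over shared memory from either a 32-bit (WoW64) client or a 64-bit client; the request structure, its two layouts and the size-field convention used to tell them apart are this example's own assumptions. The server widens handles with the same sign extension as LongToHandle and addresses with the same zero extension as UlongToPtr, and the last helper applies the slide's rule about not handing a WoW64 client an address above its 2GB or 4GB limit. The sample message is constructed in main().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout a 32-bit compiler produces for { DWORD cb; HANDLE h; void *buf; DWORD len; }:
 * four 4-byte fields, 16 bytes, no padding. (Assumed message format for this example.) */
typedef struct {
    uint32_t cb;    /* sizeof this struct, written by the client */
    uint32_t h;     /* 32-bit HANDLE */
    uint32_t buf;   /* 32-bit pointer */
    uint32_t len;
} req32_t;

/* The 64-bit compiler's layout of the same declaration: 8-byte fields need 8-byte
 * alignment, so padding appears after cb and after len, 32 bytes total. The padding
 * is written out explicitly so the layout is identical on every compiler. */
typedef struct {
    uint32_t cb;
    uint32_t pad0;
    uint64_t h;
    uint64_t buf;
    uint32_t len;
    uint32_t pad1;
} req64_t;

/* Bitness-neutral form the server works on. */
typedef struct {
    int64_t  h;          /* handles are signed: INVALID_HANDLE_VALUE (-1) must stay -1 */
    uint64_t buf;        /* addresses are unsigned: 0x80000000 must stay 0x80000000 */
    uint32_t len;
    int      from_wow64; /* 1 if the server had to widen a 32-bit layout */
} req_native_t;

/* LongToHandle semantics: widen a 32-bit handle by sign extension (two's complement). */
int64_t handle64_from_handle32(uint32_t h32) { return (int64_t)(int32_t)h32; }

/* UlongToPtr semantics: widen a 32-bit address by zero extension, never sign extension. */
uint64_t ptr64_from_ptr32(uint32_t p32) { return (uint64_t)p32; }

/* May a 64-bit server hand `addr` to a WoW64 client? Only if it lies below the
 * client's user address space limit: 2 GB, or 4 GB if the client image is
 * large-address-aware. */
int addr_fits_wow64_client(uint64_t addr, int client_is_laa)
{
    uint64_t limit = client_is_laa ? (1ull << 32) : (1ull << 31);
    return addr < limit;
}

/* Solution 2 on the slide: the server accepts both layouts, telling them apart by the
 * size field the client wrote. Returns 1 on success, 0 if the message length matches
 * neither layout or contradicts its own size field. */
int server_decode(const void *msg, size_t len, req_native_t *out)
{
    uint32_t cb;
    if (len < sizeof cb) return 0;
    memcpy(&cb, msg, sizeof cb);
    if (cb != len) return 0;
    if (len == sizeof(req32_t)) {
        req32_t r;
        memcpy(&r, msg, sizeof r);
        out->h = handle64_from_handle32(r.h);
        out->buf = ptr64_from_ptr32(r.buf);
        out->len = r.len;
        out->from_wow64 = 1;
        return 1;
    }
    if (len == sizeof(req64_t)) {
        req64_t r;
        memcpy(&r, msg, sizeof r);
        out->h = (int64_t)r.h;
        out->buf = r.buf;
        out->len = r.len;
        out->from_wow64 = 0;
        return 1;
    }
    return 0;
}

/* What an unmodified 32-bit client writes into the shared section. */
size_t client32_encode(uint8_t *dst, size_t cap, uint32_t h, uint32_t buf, uint32_t len)
{
    req32_t r = { sizeof r, h, buf, len };
    if (cap < sizeof r) return 0;
    memcpy(dst, &r, sizeof r);
    return sizeof r;
}

/* Solution 1 on the slide: the 32-bit client widens on its side and writes the 64-bit
 * layout, so a server that only understands req64_t needs no WoW64 logic. */
size_t client32_encode_as64(uint8_t *dst, size_t cap, uint32_t h, uint32_t buf, uint32_t len)
{
    req64_t r = { sizeof r, 0, (uint64_t)handle64_from_handle32(h), ptr64_from_ptr32(buf), len, 0 };
    if (cap < sizeof r) return 0;
    memcpy(dst, &r, sizeof r);
    return sizeof r;
}

int main(void)
{
    uint8_t shm[64];        /* stands in for the shared section; constructed sample */
    req_native_t rq;
    /* 0xFFFFFFFF is what a 32-bit client sees for INVALID_HANDLE_VALUE */
    size_t n = client32_encode(shm, sizeof shm, 0xFFFFFFFFu, 0x80000000u, 4096);
    if (server_decode(shm, n, &rq))
        printf("from_wow64=%d h=%lld buf=0x%llx len=%u\n", rq.from_wow64,
               (long long)rq.h, (unsigned long long)rq.buf, rq.len);
    return 0;
}
```

The handle 0xFFFFFFFF becomes -1 (INVALID_HANDLE_VALUE again) after the sign-extending path, while the address 0x80000000 stays 0x80000000 after the zero-extending path; swapping the two rules is the bug the table warns about. The size check in server_decode() is also a cheap defence against a 32-bit client that was never updated to the 64-bit layout.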
Community Resources

- At PDC
  - For more information, go see the FUN Track lounge
  - Labs: FUNHOL19; FUNHOL13
- Related sessions
  - FUN320 – Transactional NTFS and Registry
  - FUN210; FUN406 – Security and UAP (User Account Protection, the Vista beta name for what shipped as User Account Control)
  - PNL07 – Future Directions for Windows Internals
Community Resources

- After PDC
  - Kernel Changes in Windows Vista – http://go.microsoft.com/fwlink/?LinkId=52437
  - UMDF - http://www.microsoft.com/whdc/driver/wdf/default.mspx
  - Registry filter driver registration - http://whdc.microsoft.com/minifilter/default.aspx
  - WoW64 - http://msdn.microsoft.com/library/en-us/win64/win64/running_32_bit_applications.asp
Questions?
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.