kTLV Windows Internals for Linux Kernel Developers @goldshtn
kTLV https://s.sashag.net/ktlv0316 @goldshtn
Sasha Goldshtein
@goldshtn
Windows Internals for
Linux Kernel Developers
In This Talk…
• Windows history and design goals
• Processes, threads, virtual memory
• Interrupts, IRQLs, DPC, APC, system threads
• IRPs, driver structure
• Debugging and tracing, poking into the system
The Windows Family Tree
[Diagram: family tree with NT, CE and DOS roots. Nodes: 2000, XP, Vista, 8 / RT, 10 / IoT Core / Nano Server, Server Core, Xbox One, XP Embedded, Surface Hub, HoloLens, WM 5, WM 6, WP 7, WP 8, WM 10, PoS, 98, ME; two branches end in a skull (dead lines), and one edge is labelled "bi-annual visit for the holidays".]
Windows Design Goals and Architecture
• Portability across hardware platforms
• Multitasking, multiprocessing, SMP operating system
• Fully preemptable kernel
• Virtual memory
• User- and role-level security, auditing, access control
• Modular, component-based OS
• Platform for distributed computing
• Backwards compatibility for applications and drivers
• Supports multiple API “flavors” or subsystems (POSIX, OS/2, SUA, LXSS)
• Moving towards a micro-kernel
[Diagram: layered architecture, bottom to top: HAL; Kernel; Executive; Kernel-Mode Drivers and Win32k.sys (kernel mode); Ntdll.dll; Subsystem DLLs; Applications, Services, User-Mode Drivers (user mode).]
Windows Programming Interfaces
• The Win32 API – a flat collection of C functions and structures that can be called from C, C++, .NET, Python, Perl, etc.
• Names are clear and descriptive, e.g.: ReleaseMutex, CoMarshalInterThreadInterfaceInStream, AccessCheckByTypeResultListAndAuditAlarmByHandle
• As of Windows 8, a modern interface called Windows Runtime or Universal Windows Platform provides a COM-based abstraction of parts of Win32, accessible from C++, .NET, and JavaScript
Processes and Threads
Windows Processes
• Container for code execution, but not schedulable
• Private virtual address space
• Handle table for kernel objects
• Isolation and security boundary
• Relatively expensive to create
• Various IPC mechanisms: named pipes, sockets, mailboxes, etc.
Windows Threads
• Execution path through the program, schedulable
• All resources are shared within the parent process
• Private user-mode (UM) and kernel-mode (KM) stacks
• Relatively cheap to create
Jobs
• Windows does not maintain a meaningful process tree (although the parent pid is recorded)
• Processes may be assigned to a job
• Jobs can be controlled as a unit (e.g., wait, terminate)
• Jobs can be assigned limits (quotas)
Thread Scheduling
• Threads are scheduled according to priority (0-31) and CPU affinity
• Priorities are not weights; the highest-priority thread always runs
• Using “realtime” priorities (16-31) requires a special privilege, because they can directly compete with important system threads
• Thread quantum is configured globally (ranging from 30ms to 180ms)
• Tickless kernel since Windows 8
• Special priority and quantum boosts in some scenarios
• SMP scheduling based on processor-local queues and work stealing, NUMA and HyperThreading awareness
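To make the "priorities are not weights" point concrete, here is an added simulation (my own code, not from the talk) of a strict-priority scheduler with round-robin among equal priorities, next to a proportional-share contrast model in which priority acts as a weight. The scenario is constructed: two compute-bound threads at priority 8, one at priority 4, 600 ticks, a 6-tick quantum; the Windows-like model gives the priority-4 thread nothing at all, which is the starvation the Priorities.exe demo shows and the reason realtime priorities are privileged.

```c
#include <stdio.h>

#define NTHREADS 3

typedef struct {
    const char *name;
    int priority;    /* Windows-style 0-31, higher wins; doubles as the weight in the contrast model */
    int remaining;   /* CPU ticks of work left; these threads are compute-bound and never block */
    int cpu_ticks;   /* CPU ticks received so far */
} sim_thread;

/* Constructed scenario: two compute-bound threads at priority 8 and one at priority 4. */
static void make_scenario(sim_thread *t)
{
    const sim_thread s[NTHREADS] = {
        { "A (prio 8)", 8, 1000, 0 }, { "B (prio 8)", 8, 1000, 0 }, { "C (prio 4)", 4, 100, 0 },
    };
    for (int i = 0; i < NTHREADS; i++) t[i] = s[i];
}

/* Strict priority, as on Windows: the runnable thread with the highest priority always runs;
 * equals take turns when the running thread's quantum expires. Returns an index or -1. */
static int pick_strict(const sim_thread *t, int n, int cur, int used, int quantum)
{
    int maxp = -1;
    for (int i = 0; i < n; i++)
        if (t[i].remaining > 0 && t[i].priority > maxp) maxp = t[i].priority;
    if (maxp < 0) return -1;
    if (cur >= 0 && t[cur].remaining > 0 && t[cur].priority == maxp && used < quantum)
        return cur;                          /* still top priority with quantum left: keep running */
    for (int k = 1; k <= n; k++) {           /* round-robin to the next runnable at top priority */
        int i = (cur + k) % n;               /* cur == -1 starts the search at index 0 */
        if (t[i].remaining > 0 && t[i].priority == maxp) return i;
    }
    return -1;
}

static void run_strict(sim_thread *t, int n, int quantum, int ticks)
{
    int cur = -1, used = 0;
    for (int tick = 0; tick < ticks; tick++) {
        int next = pick_strict(t, n, cur, used, quantum);
        if (next < 0) break;
        if (next != cur) used = 0;           /* context switch: fresh quantum */
        cur = next;
        used++;
        t[cur].remaining--;
        t[cur].cpu_ticks++;
    }
}

/* Contrast model, NOT how Windows works: proportional share where priority acts as a weight, in
 * the spirit of Linux CFS. Each tick runs the runnable thread with the least weighted CPU time. */
static void run_weighted(sim_thread *t, int n, int ticks)
{
    for (int tick = 0; tick < ticks; tick++) {
        int best = -1;
        long best_key = 0;
        for (int i = 0; i < n; i++) {
            if (t[i].remaining <= 0) continue;
            long key = (long)t[i].cpu_ticks * 1000 / t[i].priority;   /* priority > 0 assumed */
            if (best < 0 || key < best_key) { best = i; best_key = key; }
        }
        if (best < 0) break;
        t[best].remaining--;
        t[best].cpu_ticks++;
    }
}

/* Run the scenario for 600 ticks under one model and report thread idx's CPU ticks. */
static int demo_cpu_ticks(int weighted, int idx)
{
    sim_thread t[NTHREADS];
    make_scenario(t);
    if (weighted) run_weighted(t, NTHREADS, 600);
    else run_strict(t, NTHREADS, 6, 600);    /* 6-tick quantum, an arbitrary choice */
    return t[idx].cpu_ticks;
}

int main(void)
{
    sim_thread t[NTHREADS];
    make_scenario(t);
    for (int model = 0; model < 2; model++) {
        printf("%s\n", model ? "weighted contrast model:" : "strict priority (Windows-like):");
        for (int i = 0; i < NTHREADS; i++)
            printf("  %s got %d of 600 ticks\n", t[i].name, demo_cpu_ticks(model, i));
    }
    return 0;
}
```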
Synchronization
• Large variety of user-mode synchronization mechanisms: mutex, semaphore, event, condition variable, one-time init, reader-writer lock, WaitOnAddress (a la futex)
• Some kernel-only synchronization mechanisms: ERESOURCE, fast mutex, gate, spinlock, queued (FIFO) spinlocks
Virtual Memory
• 32-bit: 4GB address space, 1-2GB reserved for kernel
• 64-bit: 256TB address space, 128TB reserved for kernel
• Memory is reserved and then committed, no over-commit, physical mapping only on first access
• Paging out based on age, size, process memory priority
• Services for protecting memory (RWX), sharing memory, mapping files into memory, locking physical pages, and more
• User-mode heap layer in ntdll.dll, kernel-mode pools (paged and non-paged), lookaside lists
Interrupts and Kernel Processing
• Support for both classic interrupts and MSI (since Windows Vista)
• Interrupt priorities (IRQL) 0-15 or 0-31 (determined by the PnP manager)
• Waiting (or paging) is not allowed at IRQL 2+
• Deferred work goes into a DPC (IRQL 2, or a priority 31 thread), which can be delivered to the current or another processor
• Context-sensitive work goes into an APC (IRQL 1)
• Can also use system threads, kernel thread pool
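The IRQL rules above can be written down as a small checker. This is an added example, not code from the talk: it models the ordering that KeRaiseIrql/KeLowerIrql enforce plus the no-wait/no-paging rule at IRQL 2 and above, and runs it over two constructed operation traces, much as Driver Verifier flags a driver that blocks or touches pageable memory from a DPC. The operation names and trace format are my own; the IRQL names and values are the real ones.

```c
#include <stdio.h>

/* Real IRQL names and values on x86/x64 Windows for the levels these rules refer to. */
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };

typedef enum { OP_RAISE, OP_LOWER, OP_WAIT, OP_TOUCH_PAGED } op_kind;
typedef struct {
    op_kind kind;
    int arg;            /* target IRQL for RAISE/LOWER; timeout for WAIT (0 = poll, -1 = infinite) */
} op_t;

typedef struct {
    int irql;           /* current IRQL of the modelled thread */
    int violations;
    const char *last;   /* description of the most recent violation */
} irql_state;

static void flag(irql_state *s, const char *msg) { s->violations++; s->last = msg; }

/* Apply one operation under the rules on the slide. A real kernel bug-checks on the first
 * violation; this checker keeps counting so a whole trace can be reported, Driver Verifier style.
 * Returns 1 if the operation was legal. */
static int irql_apply(irql_state *s, op_t o)
{
    int before = s->violations;
    switch (o.kind) {
    case OP_RAISE:          /* KeRaiseIrql only goes up (or stays) */
        if (o.arg < s->irql) flag(s, "raise to a lower IRQL");
        else s->irql = o.arg;
        break;
    case OP_LOWER:          /* KeLowerIrql only goes down, to the level the caller saved */
        if (o.arg > s->irql) flag(s, "lower to a higher IRQL");
        else s->irql = o.arg;
        break;
    case OP_WAIT:           /* blocking needs the dispatcher, which itself runs at DISPATCH_LEVEL */
        if (s->irql > DISPATCH_LEVEL || (s->irql == DISPATCH_LEVEL && o.arg != 0))
            flag(s, "blocking wait at IRQL >= DISPATCH_LEVEL (only a zero-timeout poll is allowed at 2)");
        break;
    case OP_TOUCH_PAGED:    /* a page fault cannot be serviced at IRQL >= 2: IRQL_NOT_LESS_OR_EQUAL */
        if (s->irql >= DISPATCH_LEVEL) flag(s, "pageable memory touched at IRQL >= DISPATCH_LEVEL");
        break;
    }
    return s->violations == before;
}

/* Check a whole trace starting at PASSIVE_LEVEL; returns the number of violations. */
static int irql_check_trace(const op_t *ops, int n, irql_state *out)
{
    irql_state s = { PASSIVE_LEVEL, 0, "" };
    for (int i = 0; i < n; i++) irql_apply(&s, ops[i]);
    if (out) *out = s;
    return s.violations;
}

/* Constructed trace of a well-behaved driver: raise to DISPATCH_LEVEL to protect shared state,
 * only poll while there, return to PASSIVE_LEVEL before touching pageable data or blocking. */
static int demo_good(void)
{
    const op_t ops[] = { { OP_RAISE, DISPATCH_LEVEL }, { OP_WAIT, 0 }, { OP_LOWER, PASSIVE_LEVEL },
                         { OP_TOUCH_PAGED, 0 }, { OP_WAIT, -1 } };
    return irql_check_trace(ops, (int)(sizeof ops / sizeof ops[0]), NULL);
}

/* Constructed trace of a buggy DPC-style routine: touches a pageable buffer and blocks while at
 * DISPATCH_LEVEL, then "lowers" to a level above the current one: three distinct violations. */
static int demo_bad(void)
{
    const op_t ops[] = { { OP_RAISE, DISPATCH_LEVEL }, { OP_TOUCH_PAGED, 0 }, { OP_WAIT, -1 },
                         { OP_LOWER, PASSIVE_LEVEL }, { OP_LOWER, APC_LEVEL } };
    return irql_check_trace(ops, (int)(sizeof ops / sizeof ops[0]), NULL);
}

int main(void)
{
    const op_t two[] = { { OP_RAISE, DISPATCH_LEVEL }, { OP_WAIT, -1 } };
    irql_state s;
    irql_check_trace(two, 2, &s);
    printf("good trace: %d violations, bad trace: %d violations\n", demo_good(), demo_bad());
    printf("problem flagged in the two-op trace: %s\n", s.last);
    return 0;
}
```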
Windows I/O Concepts
• Applications perform I/O operations on file handles, which are internally translated to _FILE_OBJECT
• File objects are created by drivers and associated with a _DEVICE_OBJECT (which has a pointer to its _DRIVER_OBJECT)
• The I/O manager manages I/O requests using IRPs that are routed between drivers; the IRP knows which driver is currently handling it
• Any I/O can be synchronous or asynchronous – it’s just a flag that tells the I/O manager whether to block the calling thread
• Most I/Os can be prioritized by the calling thread
• Most disk and network I/Os are cancelable
I/O Request Flow
[Diagram: the application calls WriteFile(hFile, …); NtWriteFile determines the target device from the _FILE_OBJECT, creates the _IRP and routes it down the device stack: Ntfs.sys → Volmgr.sys → Vendorzzz.sys.]
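An added model (my own code, not from the talk, and far simpler than the real _IRP) of how the write on the slide travels down the Ntfs.sys → Volmgr.sys → Vendorzzz.sys stack and how completion unwinds it: each driver consumes one IO_STACK_LOCATION, the current-location index records which driver holds the IRP, and IoCompleteRequest runs the registered completion routines bottom-up. The three-deep stack, the StackSize of 3 and the 4096-byte write are constructed; the kernel routine names in the comments are the real WDM ones the model stands in for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STACK 4
#define STATUS_SUCCESS 0     /* real NTSTATUS value */
typedef struct irp irp_t;
typedef struct driver driver_t;
typedef int  (*dispatch_fn)(driver_t *self, irp_t *irp);
typedef void (*completion_fn)(driver_t *self, irp_t *irp);
/* A driver in the device stack: name, write dispatch routine, and the driver below it. */
struct driver { const char *name; dispatch_fn dispatch; driver_t *lower; };
/* One IO_STACK_LOCATION: what one driver sees, plus the completion routine the driver above it
 * registered (IoSetCompletionRoutine writes into the *next* location). */
typedef struct {
    size_t length;                       /* like Parameters.Write.Length */
    completion_fn completion; driver_t *completion_owner;
} io_stack_location;
struct irp {
    int stack_count;                     /* IoAllocateIrp(StackSize): one location per driver */
    int current;                         /* like Irp->CurrentLocation: counts down as the IRP descends */
    io_stack_location stack[MAX_STACK];
    int status; size_t information;      /* IoStatus.Status / IoStatus.Information (bytes written) */
    char log[128];                       /* constructed routing trace, for inspection only */
};
static void trace(irp_t *irp, const char *s) { strncat(irp->log, s, sizeof irp->log - strlen(irp->log) - 1); }
static io_stack_location *current_location(irp_t *irp) { return &irp->stack[irp->current]; }
static io_stack_location *next_location(irp_t *irp)
{   /* running out of stack locations is a driver bug; the real kernel bug-checks */
    if (irp->current == 0) { fputs("no more IRP stack locations\n", stderr); abort(); }
    return &irp->stack[irp->current - 1];
}
/* IoCopyCurrentIrpStackLocationToNext + IoSetCompletionRoutine: set up the lower driver's
 * location and ask to be called back once the lower driver completes the request. */
static void forward_prepare(irp_t *irp, driver_t *self, completion_fn fn)
{
    io_stack_location *next = next_location(irp);
    next->length = current_location(irp)->length;
    next->completion = fn; next->completion_owner = self;
}
/* IoCallDriver: step to the next stack location and invoke the lower driver's dispatch routine;
 * from here on "current" identifies the driver holding the IRP. */
static int io_call_driver(driver_t *dev, irp_t *irp)
{
    next_location(irp);                  /* bounds check */
    irp->current--;
    trace(irp, dev->name); trace(irp, ">");
    return dev->dispatch(dev, irp);
}
/* IoCompleteRequest: store the result, then unwind from the completing driver's location to the
 * top, running each registered completion routine in bottom-up order. */
static void io_complete_request(irp_t *irp, int status, size_t information)
{
    irp->status = status; irp->information = information;
    trace(irp, "complete|");
    for (int i = irp->current; i < irp->stack_count; i++)
        if (irp->stack[i].completion) irp->stack[i].completion(irp->stack[i].completion_owner, irp);
    irp->current = irp->stack_count;     /* back with the originator */
}
/* Ntfs.sys and Volmgr.sys forward the write downward and note its completion on the way back up;
 * the vendor disk driver at the bottom completes it. */
static void upper_complete(driver_t *self, irp_t *irp) { trace(irp, self->name); trace(irp, " done|"); }
static int forwarding_dispatch(driver_t *self, irp_t *irp)
{
    forward_prepare(irp, self, upper_complete);
    return io_call_driver(self->lower, irp);
}
static int vendor_dispatch(driver_t *self, irp_t *irp)
{
    (void)self;
    io_complete_request(irp, STATUS_SUCCESS, current_location(irp)->length);   /* wrote it all */
    return STATUS_SUCCESS;
}
/* The NtWriteFile role from the slide: size the IRP for the target device's stack and route it. */
static irp_t last_irp;
static int demo_write(size_t length)
{
    driver_t vendor = { "Vendorzzz.sys", vendor_dispatch, NULL };
    driver_t volmgr = { "Volmgr.sys", forwarding_dispatch, &vendor };
    driver_t ntfs   = { "Ntfs.sys", forwarding_dispatch, &volmgr };
    memset(&last_irp, 0, sizeof last_irp);
    last_irp.stack_count = last_irp.current = 3;   /* StackSize assumed 3: one per driver */
    last_irp.stack[2].length = length;             /* the top location carries the caller's parameters */
    return io_call_driver(&ntfs, &last_irp);
}
static const char *demo_last_log(void)    { return last_irp.log; }
static size_t demo_last_information(void) { return last_irp.information; }
int main(void) { demo_write(4096); printf("%zu bytes: %s\n", demo_last_information(), demo_last_log()); return 0; }
```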
Plug and Play
• At boot time, the Plug and Play (PnP) manager creates a device enumeration tree
• For each bus (PCIe, 1394, USB, etc.), a bus driver is responsible for detecting and configuring new hardware and its power state
• Buses can be nested
• Resources such as IRQs, DMA channels, I/O memory ranges are arbitrated by the PnP manager
• Driver software can be installed on-demand using a user-mode component that optionally talks to Windows Update
Driver Frameworks
• Non-software-only drivers adhere to the Windows Driver Model (WDM), which has bus drivers, function drivers, and filter drivers
• A driver is a collection of callback functions (DriverEntry, AddDevice, DispatchNnn, Isr, DpcForIsr, …)
• Windows Driver Framework, introduced in Windows Vista, provides a more object-oriented wrapper on top of WDM
• Also introduces user-mode drivers (UMDF), originally based on COM
• In UMDF 2.0, APIs for user-mode and kernel-mode drivers are identical; in theory, a kernel-mode driver can be ported to user mode
Debugging and Tracing
• A kernel debugger is built into the kernel and the Windows boot process
• Can debug over serial port, USB, 1394, Ethernet (as of Windows 8)
• Local kernel debugging enables view-only (no breakpoints) kernel debugging on a single machine (Livekd emulates a memory dump)
• Crash dumps are generated by default when the system fails; they can be analyzed later and/or reported to Microsoft (and then to the vendor)
• ETW (Event Tracing for Windows) is a tracepoint-like framework for tracing – performance and general diagnostics
• Windows Performance Toolkit has ETW recording and analysis tools
Thank You!
Sasha Goldshtein
@goldshtn


Editor's Notes

  • #9: Demo: Process Explorer looking for jobs
  • #10: Demo: Priorities.exe starvation, Priorities.exe foreground
  • #12: Demo: VMMap
  • #16: Demo: Device Manager devices by connection
  • #18: Demo: Livekd -ml and then run !process 0 0; WPA analysis of CPU sampling, disk I/O, ISR and DPC latency