Windows XP: An Overview

CSE 8343
Group A6
Brett O'Neill

Table of Contents

Table of Figures
Introduction
Programs, Processes, Threads, and Jobs
    Processes
    Threads
Registry and Memory
    Booting
    Memory
    The Registry
File System Architecture and Management
    FAT16
    FAT32
    NTFS
        History
        Goals
        Architecture
        Volume Boot Sector
        Metadata Files and the MFT
        Partition and Cluster Sizes
Inter-Process Communication
    Dynamic Data Exchange
    Object Linking and Embedding
    NetBIOS
    Named Pipes
    Windows Sockets
    Mailslots
    Remote Procedure Calls
References

Table of Figures

1.1 Fields in an EPROCESS Block
1.2 Fields in an ETHREAD Block
1.3 Process Priority Classes with Relative Thread Priorities
2.1 Microsoft Boot Time Performance Goals
2.2 SBF Register
2.3 Registry Key Fragmentation
2.4 Registry Key Searches: Windows 2000 vs. Windows XP
3.1 Basic Organization of a FAT16 Volume
3.2 FAT16 Default Cluster Size
3.3 Basic Organization of a FAT32 Volume
3.4 FAT32 Default Cluster Size
3.5 Basic Organization of an NTFS Volume
3.6 MFT Resident Attributes
3.7 Important MFT Records
3.8 NTFS Default Cluster Size
4.1 WinSock 2.0 Architecture
4.2 RPC Architecture

Introduction

Windows XP is Microsoft's most recent operating system. It has introduced numerous enhancements and improvements to previous versions of Windows. This paper will detail important features of the new operating system.

1 Programs, Processes, Threads, and Jobs

The largest unit of work in Windows XP is known as a program. A program is simply a static set of instructions. Smaller units of work are grouped logically into entities called processes, threads, and jobs. Processes and threads have priority schemes to determine the order in which they should run on the processor.

1.1 Processes

A process is a container for the set of resources used by threads that execute an instance of a program. Each process includes a private virtual address space, an executable program, a list of open handles to various system resources, a security context, a unique identifier, and at least one thread of execution, known as the executive thread.

Each Windows XP process is represented by an executive process (EPROCESS) block. An EPROCESS block contains many attributes associated with the process, as well as several data structures and pointers. An EPROCESS block exists in system space, with the exception of the Process Environment Block (PEB), which exists in process address space. Additionally, Windows XP maintains a parallel structure for each process that executes a Win32 program.

Figure 1.1: Fields in an EPROCESS Block

- Kernel Process Block
- Process ID
- Parent Process ID
- Exit Status
- Create and Exit Times
- Next Process Block
- Quota Block
- Memory Management Information
- Exception Port
- Debugger Port
- Primary Access Token
- Handle Table
- Device Map
- Process Environment Block
- Image Filename
- Image Base Address
- Process Priority Class
- Win32 Process Block
- Job Object

A job is simply a function to group several processes together, making them easy to manage and manipulate as a single unit.

1.2 Threads

A thread contains a set of instructions that can be executed, the contents of machine registers that define the processor state while the thread is running, and two stacks: one for User mode and one for Kernel mode. Kernel mode always has a higher priority than User mode.

A Windows XP thread is represented by an Executive Thread (ETHREAD) block. An ETHREAD block exists in system space, with the exception of the Thread Environment Block (TEB), which exists in process address space. Additionally, Windows XP maintains a parallel structure for each thread that executes a Win32 program.

When a process is created, one thread is created. This thread is known as the primary thread. As this thread executes, it can create additional threads. All threads in a process run in the same address space and share the same resources. Using multiple threads is very efficient because Windows XP can multitask to continue working when some threads are blocked.

Figure 1.2: Fields in an ETHREAD Block

- KTHREAD
- Create and Exit Times
- Process ID
- EPROCESS
- Thread Start Address
- Access Token
- Impersonation Information
- LPC Message Information
- Timer Information
- Pending I/O Requests

Windows XP uses a priority-driven, preemptive scheduling system for threads: the highest-priority runnable thread always runs. Priority levels are determined by both the process and the thread. There are four process priority classes:

- Idle: Screen savers and other processes that periodically update the display typically use the Idle class.
- Normal: The default process priority class.
- High: Processes that use the High priority class receive the bulk of CPU time.
- Real Time: Many Kernel mode system processes, such as device operations monitoring keyboard and mouse input, use the Real Time priority class.

Each process's priority class sets a range of priority values (between 1 and 31, where 1 is the lowest and 31 is the highest) for its threads. For example, a Real Time process's threads will always have priorities in the range 16-31. Real Time thread priority cannot change while the thread is running. All other thread priorities are variable, however, meaning they can change while the thread runs. For threads in the High priority class, for example, priority can be raised or lowered by a value of up to 2, but cannot fall below a program-defined base priority. When base priorities are adjusted to optimize scheduling, the resulting value is called dynamic priority. It must be noted that if a thread with priority 31 is running, no other threads are allowed to run on the system.

| Thread Priorities | Real Time | High | Normal | Idle |
|-------------------|-----------|------|--------|------|
| Time Critical     | 31        | 15   | 15     | 15   |
| Highest           | 26        | 15   | 10     | 6    |
| Above Normal      | 25        | 14   | 9      | 5    |
| Normal            | 24        | 13   | 8      | 4    |
| Below Normal      | 23        | 12   | 7      | 3    |
| Lowest            | 22        | 11   | 6      | 2    |
| Idle              | 16        | 1    | 1      | 1    |

Figure 1.3: Process Priority Classes with Relative Thread Priorities

When a thread is selected to run, it runs for an amount of time known as a quantum. A quantum is the length of time any particular thread is allowed to run before the operating system interrupts it to see if another thread of the same priority or higher is waiting to run, or whether the thread's priority needs to be reduced. Quantum values vary from thread to thread. A thread does not necessarily always complete its quantum: because Windows XP uses preemptive scheduling, if another thread with a higher priority becomes ready, the currently running thread can be preempted. A thread can even be selected to run and then be
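The scheduling rules described in this section (highest-priority runnable thread runs, equal priorities take turns by quantum, a higher-priority arrival preempts mid-quantum) can be modelled in a few lines; the following is an added example, not code from the paper or from Windows. It is a simplified single-CPU model: the quantum length, the thread set and all names are constructed for illustration, and dynamic priority adjustment is not modelled.

```c
#include <stdio.h>
#define QUANTUM 3   /* ticks per quantum: constructed value, not XP's real one */

typedef struct {
    int priority;   /* 1..31, higher runs first */
    int arrival;    /* tick at which the thread becomes ready */
    int remaining;  /* ticks of CPU work still needed */
    int ran;        /* ticks of CPU time received so far */
    int last_run;   /* last tick it ran; breaks ties round-robin */
} sim_thread;

/* Highest-priority ready thread; equal priorities go to the longest waiter. */
static int pick(const sim_thread *t, int n, int now) {
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (t[i].arrival > now || t[i].remaining == 0) continue;
        if (best < 0 || t[i].priority > t[best].priority ||
            (t[i].priority == t[best].priority && t[i].last_run < t[best].last_run))
            best = i;
    }
    return best;
}

/* Simulate `ticks` ticks on one CPU; returns how many preemptions occurred. */
int simulate(sim_thread *t, int n, int ticks) {
    int cur = -1, used = 0, preemptions = 0;
    for (int now = 0; now < ticks; now++) {
        int best = pick(t, n, now);
        if (best < 0) { cur = -1; continue; }          /* CPU idle this tick */
        int mid_quantum = cur >= 0 && t[cur].remaining > 0 && used < QUANTUM;
        if (!mid_quantum) { cur = best; used = 0; }    /* quantum over: reschedule */
        else if (t[best].priority > t[cur].priority) { preemptions++; cur = best; used = 0; }
        t[cur].remaining--; t[cur].ran++; t[cur].last_run = now; used++;
    }
    return preemptions;
}

/* Constructed workload: two priority-8 threads plus a priority-31 thread at tick 4. */
int run_demo(int rt_work, int ticks, int ran[3]) {
    sim_thread t[3] = { {8, 0, 1000, 0, -1}, {8, 0, 1000, 0, -1}, {31, 4, rt_work, 0, -1} };
    int p = simulate(t, 3, ticks);
    for (int i = 0; i < 3; i++) ran[i] = t[i].ran;
    return p;
}

int main(void) {
    int ran[3], p = run_demo(1000, 20, ran);
    printf("preemptions=%d A=%d B=%d RT=%d\n", p, ran[0], ran[1], ran[2]);
    return 0;
}
```

With a priority-31 thread that never blocks, the two Normal threads receive no CPU time after tick 4; when its work is bounded (for example `run_demo(5, 20, ran)`), they resume round-robin once it finishes.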