New book: Windows Internals, Fifth Edition

We’ve been posting about the progress and availability of Windows Internals, Fifth Edition (Microsoft Press, 2009; ISBN: 9780735625303; 1264 pages), by Mark Russinovich and David Solomon with Alex Ionescu, over the last few months, but today we’d like to share an extended excerpt. Enjoy!

You can find the book’s full Table of Contents and index at Amazon. On this blog we’ve posted the book’s mapping to Exam 70-660 and the book’s Acknowledgments (and another acknowledgment here). Today we post a stretch from Chapter 5, “Processes, Threads, and Jobs.” This excerpt shows a couple examples of one of the book’s best features: its Experiments.

 

Chapter 5

Processes, Threads, and Jobs

In this chapter, we’ll explain the data structures and algorithms that deal with processes,
threads, and jobs in the Windows operating system. The first section focuses on the internal
structures that make up a process. The second section outlines the steps involved in creating
a process (and its initial thread). The internals of threads and thread scheduling are then
described. The chapter concludes with a description of the job object.

Where relevant performance counters or kernel variables exist, they are mentioned. Although
this book isn’t a Windows programming book, the pertinent process, thread, and job
Windows functions are listed so that you can pursue additional information on their use.
Because processes and threads touch so many components in Windows, a number of terms
and data structures (such as working sets, objects and handles, system memory heaps, and
so on) are referred to in this chapter but are explained in detail elsewhere in the book. To
fully understand this chapter, you need to be familiar with the terms and concepts explained
in Chapters 1 and 2, such as the difference between a process and a thread, the Windows
virtual address space layout, and the difference between user mode and kernel mode.

Process Internals

This section describes the key Windows process data structures. Also listed are key kernel
variables, performance counters, and functions and tools that relate to processes.

Data Structures

Each Windows process is represented by an executive process (EPROCESS) block. Besides
containing many attributes relating to a process, an EPROCESS block contains and points to a
number of other related data structures. For example, each process has one or more threads
represented by executive thread (ETHREAD) blocks. (Thread data structures are explained in
the section “Thread Internals” later in this chapter.) The EPROCESS block and its related data
structures exist in system address space, with the exception of the process environment block
(PEB), which exists in the process address space (because it contains information that needs
to be accessed by user-mode code).

In addition to the EPROCESS block and the PEB, the Windows subsystem process (Csrss)
maintains a parallel structure for each process that is executing a Windows program. Finally,
the kernel-mode part of the Windows subsystem (Win32k.sys) will also maintain a per-process
data structure that is created the first time a thread calls a Windows USER or GDI function
that is implemented in kernel mode.

Figure 5-1 is a simplified diagram of the process and thread data structures. Each data structure
shown in the figure is described in detail in this chapter.

image

First let’s focus on the process block. (We’ll get to the thread block in the section “Thread
Internals” later in the chapter.) Figure 5-2 shows the key fields in an EPROCESS block.

image 

image

         image  

         image

Table 5-1 explains some of the fields in the preceding experiment in more detail and includes
references to other places in the book where you can find more information about them. As
we’ve said before and will no doubt say again, processes and threads are such integral parts
of Windows that it’s impossible to talk about them without referring to many other parts of
the system. To keep the length of this chapter manageable, however, we’ve covered those
related subjects (such as memory management, security, objects, and handles) elsewhere.

image

image

The kernel process (KPROCESS) block, which is part of the EPROCESS block, and the process
environment block (PEB), which is pointed to by the EPROCESS block, contain additional
details about the process object. The KPROCESS block (which is sometimes called the PCB or
process control block) is illustrated in Figure 5-3. It contains the basic information that the
Windows kernel needs to schedule the threads inside a process. (Page directories are covered
in Chapter 9, and kernel thread blocks are described in more detail later in this chapter.)

The PEB, which lives in the user process address space, contains information needed by the
image loader, the heap manager, and other Windows system DLLs that need to access it from
user mode. (The EPROCESS and KPROCESS blocks are accessible only from kernel mode.) The
basic structure of the PEB is illustrated in Figure 5-4 and is explained in more detail later in
this chapter.

image

image

 

The chapter then continues for—wait for it—108 more pages of such detail! :-)