„Asides“, „Figures“, „Tables“ and „Experiments“

Asides

Ch. 1 Concepts and Tools
p. 3  History of the Win32 API

Ch. 2 System Architecture
p. 28  W2K vs. Consumer Windows
p. 31  Is W2K a Microkernel-Based System?
p. 53  Is W2K Less Stable with Win32 USER and GDI in Kernel Mode?

Ch. 3 System Mechanisms
p. 105  W2K and Real-Time Processing

Ch. 4 Startup and Shutdown
None

Ch. 5 Management Mechanisms
p. 243  SrvAny Tool (from the Resource Kit)
p. 250  Network Drive Letters

Ch. 6 Processes, Threads, and Jobs
p. 318  Fibers vs. Threads

Ch. 7 Memory Management
p. 384  Determining the System Memory Size (kernel routines)
p. 419  Virtual Address Space in Consumer Windows

Ch. 8 Security
p. 490  The Common Criteria

Ch. 9 I/O System
None

Ch. 10 Storage Management
p. 616  GUID Partition Table Partitioning

Ch. 11 Cache Manager
None

Ch. 12 File Systems
None

Ch. 13 Networking
None

Figures

Ch. 1 Concepts and Tools
p. 6  A process and its resources
p. 7  Address space layouts supported by W2K

Ch. 2 System Architecture
p. 34  Symmetric vs. Asymmetric multiprocessing
p. 36  Simplified W2K architecture
p. 47  W2K architecture
p. 48  Registry Editor showing W2K startup information
p. 59  OS/2 subsystem virtual memory layout

Ch. 3 System Mechanisms
p. 90  Trap dispatching
p. 94  x86 APIC architecture
p. 97  Interrupt request levels (IRQLs)
p. 99  Masking Interrupts
p. 109  Delivering a DPC
p. 116  Dispatching an Exception
p. 119  Dr. Watson default settings
p. 122  System service exceptions
p. 123  System service number to system service translation
p. 124  System service dispatching
p. 128  Executive objects that contain kernel objects
p. 130  Structure of an object
p. 133  Process objects and the process type object
p. 139  Process handle table architecture in W2K
p. 140  Structure of a handle table entry
p. 144  Handles and reference counts
p. 153  Incorrect sharing of memory
p. 155  Using a spinlock
p. 159  Waiting on a dispatcher object
p. 162  Selected kernel dispatcher objects
p. 164  Wait data structures
p. 169  Setting system debugging options with Gflags
p. 170  Setting image global flags with Gflags
p. 175  Use of LPC ports

Ch. 4 Startup and Shutdown
p. 179  Example hard disk layout
p. 189  Logical Disk Manager driver service settings
p. 210  Crash Dump Settings

Ch. 5 Management Mechanisms
p. 222  Registry performance counter architecture
p. 228  Internal structure of a registry hive
p. 229  Binary contents of first bin in the SYSTEM hive
p. 232  Structure of a cell index
p. 238  Example of a service registry key
p. 243  Inside a service process
p. 245  Service account settings
p. 246  List of window stations
p. 249  Organization of a service database
p. 250  List of driver objects
p. 251  ServiceGroupOrder registry key
p. 255  Service startup failure Event Log entry
p. 257  Control set selection key
p. 258  Service recovery options
p. 262  Svchost registry key
p. 266  WMI architecture
p. 270  WMI CIM Studio
p. 274  WMI Object Browser
p. 276  WMI security properties

Ch. 6 Processes, Threads, and Jobs
p. 278  Data structures associated with processes and threads
p. 279  Structure of an executive process block
p. 291  Structure of the kernel process block
p. 291  Fields of the process environment block
p. 305  The main stages of process creation
p. 307  Choosing a Win32 image to activate
p. 318  Structure of the executive thread block
p. 320  Structure of the kernel thread block
p. 328  Fields of the thread environment block
p. 336  In-context thread initialization
p. 341  Thread priority levels
p. 342  Kernel priorities in Win32 vs. Windows 2000
p. 347  Interrupt priorities vs. Thread priorities
p. 348  Thread states
p. 351  Fields of the Win32PrioritySeparation registry value
p. 353  Adjusting the quantum settings
p. 354  Dispatcher database
p. 356  Voluntary switching
p. 357  Preemptive thread scheduling
p. 358  Quantum end thread scheduling
p. 362  Priority boosting and decay

Ch. 7 Memory Management
p. 393  Sharing memory between processes
p. 398  The "before" of copy-on-write
p. 399  The "after" of copy-on-write
p. 402  Using AWE to map physical memory
p. 413  The Driver Verifier Manager
p. 415  Layout of special pool allocation
p. 418  x86 virtual address space layout
p. 425  x86 system space layout
p. 430  Mapping virtual addresses to physical memory
p. 431  Components of a 32-bit virtual address on x86 systems
p. 432  Translating a valid virtual address (x86-specific)
p. 436  System and process-private page tables
p. 437  Valid x86 hardware PTEs
p. 439  Accessing the translation look-aside buffer
p. 443  Page mappings with PAE
p. 445  Structure of an invalid PTE that points to a page in the paging file
p. 445  Structure of an invalid PTE that points to a page in memory
p. 446  Structure of an invalid PTE that points to the prototype PTE
p. 448  Prototype page table entries
p. 453  Virtual address descriptors
p. 464  Page tables and the page frame number database
p. 465  Page lists in the PFN database
p. 470  State diagram for page frames
p. 474  States of PFN database entries
p. 479  A section object
p. 482  Internal section structures

Ch. 8 Security
p. 492  W2K security components
p. 493  Communication between the SRM and Lsass
p. 500  Access tokens
p. 509  Discretionary access-control list (DACL)
p. 514  Access validation example
p. 516  Flow of security audit records
p. 517  Process and thread security structures
p. 522  Components involved in logon

Ch. 9 I/O System
p. 529  I/O system components
p. 531  The flow of a typical I/O request
p. 536  Layering of a file system driver and a disk driver
p. 537  Adding a layered driver
p. 539  Primary device driver routines
p. 545  PC card remove/eject utility
p. 546  Device plug and play state transitions
p. 548  System power-state transitions
p. 555  Opening a file object
p. 562  The driver object
p. 564  Data structures involved in a single-layered driver I/O request
p. 572  I/O completion port operation
p. 576  Example device tree
p. 577  Device Manager showing the device tree
p. 580  Devnode internals
p. 582  Keyboard enumeration key
p. 583  Keyboard class key
p. 584  Driver installation component
p. 585  Driver-signing policy options
p. 588  Control flow for an I/O operation
p. 591  Queuing and completing a synchronous request
p. 592  Servicing a device interrupt (phase 1)
p. 594  Servicing a device interrupt (phase 2)
p. 595  Completing an I/O request (phase 1)
p. 596  Completing an I/O request (phase 2)
p. 598  Queuing an asynchronous request to layered drivers
p. 599  Completing a layered I/O request
p. 600  Queuing associated IRPs
p. 601  Completing associated IRPs
p. 603  I/O completion port operation
p. 604  Queuing an asynchronous request to layered drivers

Ch. 10 Storage Management
p. 612  Internal dynamic disk organization
p. 613  LDM database layout
p. 620  Winobj showing a Harddisk directory of a basic disk
p. 622  Disk Management MMC snap-in
p. 623  DMIO driver device objects
p. 625  Spanned volume
p. 626  Striped volume
p. 627  Logical numbering of physical sectors on a striped volume
p. 628  Mirrored volume
p. 631  RAID-5 volume
p. 633  DMIO I/O operations
p. 635  Mounted devices listed in the Mount Manager's registry key
p. 642  Mounted volume I/O flow

Ch. 11 Cache Manager
p. 648  Coherent caching scheme
p. 652  System cache address space
p. 653  Files of varying sizes mapped into the system cache
p. 657  The W2K Task Manager doesn't report the size of the system cache
p. 660  System VACB array
p. 660  VACB structure
p. 662  Per-file cache data structures
p. 663  VACB index arrays
p. 664  Multilevel VACB arrays
p. 667  File And Printer Sharing for MS Networks Property dialog box
p. 673  Fast I/O decision tree

Ch. 12 File Systems
p. 684  Sectors and a cluster on a disk
p. 686  FAT format organization
p. 687  Example FAT file-allocation chains
p. 688  FAT directory entry
p. 691  Local FSD
p. 692  Remote FSD operation
p. 695  Components involved in file system I/O
p. 696  Drive-letter name resolution
p. 710  Volume Properties dialog box
p. 713  Fragmented and contiguous files
p. 714  Components of the W2K I/O system
p. 715  NTFS and related components
p. 716  NTFS data structures
p. 717  Sample disk configurations
p. 719  File records for NTFS metadata files in the MFT
p. 726  File reference
p. 726  MFT record for a small file
p. 729  W2K file namespaces
p. 730  MFT file record with an MS-DOS filename attribute
p. 732  Resident attribute header and value
p. 733  MFT file record for a small directory
p. 733  MFT file record for a large file with two data runs
p. 734  MFT file record for a large directory with a nonresident filename index
p. 734  VCNs for a nonresident data attribute
p. 735  VCN-to-LCN mappings for a nonresident data attribute
p. 736  Filename index for a volume's root directory
p. 738  Runs of a noncompressed file
p. 738  MFT record for a noncompressed file
p. 739  Runs of a compressed file containing sparse data
p. 740  MFT record for a compressed file containing sparse data
p. 741  Data runs of a compressed file
p. 742  MFT record for a compressed file
p. 744  Change journal ($UsnJrnl) space allocation
p. 750  Log file service (LFS)
p. 751  Log file regions
p. 753  Update records in the log file
p. 755  Checkpoint record in the log file
p. 757  Analysis pass
p. 758  Redo pass
p. 759  Undo pass
p. 759  Undoing a transaction
p. 762  MFT record for a user file with a bad cluster
p. 763  Bad-cluster remapping
p. 766  Encrypt files by using the Advanced Attributes dialog box
p. 768  EFS architecture
p. 771  Format of EFS information and key entries
p. 772  Encrypted Data Recovery Agents group policy
p. 773  Flow of EFS

Ch. 13 Networking
p. 780  OSI reference model
p. 784  OSI model and W2K networking components
p. 787  Named pipe communications
p. 788  Mailslot broadcast
p. 789  Named pipe and mailslot implementation
p. 794  Connection-oriented Winsock operation
p. 797  Winsock implementation
p. 799  RPC operation
p. 802  RPC implementation
p. 804  CIFS file sharing
p. 807  Oplock example
p. 810  NetBIOS API implementation
p. 812  TAPI architecture
p. 815  MPR components
p. 816  The provider order editor
p. 817  Resolving a network resource name
p. 818  Multiple UNC Provider (MUP)
p. 823  NDIS components
p. 830  Connection-oriented NDIS drivers
p. 833  Editing bindings with the Advanced Settings dialog box
p. 836  Active Directory architecture
p. 838  Network Load Balancing operation
p. 840  DFS components
p. 843  QoS architecture

Tables

Ch. 1 Concepts and Tools
p. 11  Mode-Related Performance Counters
p. 18  Tools for Viewing W2K Internals

Ch. 2 System Architecture
p. 38  Core W2K System Files
p. 39  Differences between W2K Professional and Server
p. 40  Product Type Registry Values
p. 41  Multiprocessor-Specific vs. Uniprocessor-Specific System Files
p. 66  List of HALs
p. 72  Commonly Used Prefixes (for kernel functions)
p. 75  Names for Process ID 0 in Various Utilities

Ch. 3 System Mechanisms
p. 110  DPC Interrupt Generation Rules
p. 114  x86 Exceptions and Their Interrupt Numbers
p. 129  Executive Objects Exposed to Win32
p. 131  Standard Object Header Attributes
p. 132  Generic Object Services
p. 134  Type Object Attributes
p. 135  Object Methods
p. 148  Standard Object Directories
p. 161  Definition of the Signalled States
p. 167  Number of System Worker Threads

Ch. 4 Startup and Shutdown
p. 178  Boot Process Components
p. 182  Boot.ini Switches

Ch. 5 Management Mechanisms
p. 216  Registry Value Types
p. 218  Registry Root Keys
p. 219  HKEY_CURRENT_USER Subkeys
p. 224  On-Disk Files Corresponding to Paths in the Registry
p. 227  Cell Data Types
p. 239  Service and Driver Registry Parameters
p. 260  Windows 2000 Services that Run in the SCM
p. 268  Provider Classifications

Ch. 6 Processes, Threads, and Jobs
p. 289  Contents of the EPROCESS Block
p. 293  Process-Related Kernel Variables
p. 294  Process-Related Performance Counters
p. 294  Process-Related Functions
p. 296  Process-Related Tools
p. 307  Decision Tree for Stage 1 of CreateProcess
p. 312  Initial Values of the Fields of the PEB
p. 313  Win32 Replacements for Initial PEB Values
p. 319  Key Contents of the Executive Thread Block
p. 320  Key Contents of the KTHREAD Block
p. 329  Thread-Related Kernel Variables
p. 329  Thread-Related Performance Counters
p. 330  Win32 Thread Functions
p. 331  Thread-Related Tools and Their Functions
p. 343  Scheduling-Related APIs and Their Functions
p. 344  Tools Related to Thread Scheduling
p. 352  Quantum Values
p. 355  Thread-Scheduling Kernel Variables
p. 361  Recommended Boost Values
p. 374  Win32 API Functions for Jobs
p. 375  Quantum Values for Job-Scheduling Classes

Ch. 7 Memory Management
p. 382  Registry Values That Affect the Memory Manager
p. 384  Values That Determine System Memory Size
p. 396  Memory Protection Options Defined in the Win32 API
p. 404  Maximum Pool Sizes
p. 404  System Pool Size Variables and Performance Counters
p. 420  W2K User Process Address Space Layout
p. 421  W2K User Address Space System Variables
p. 421  W2K Virtual Memory Use Performance Counters
p. 422  W2K Address Space Use for Single Process's Performance Counters
p. 427  System Variables That Describe System Space Regions
p. 428  x86 System Space (non-PAE)
p. 429  Session Space Layout
p. 437  PTE Status and Protection Bits
p. 444  Reasons for Access Faults
p. 451  Committed Memory and Page File Performance Counters
p. 456  Page Fault Read Clustering Values
p. 457  Default Minimum and Maximum Working Set Sizes
p. 459  Working Set-Related System Control Variables
p. 464  System Working Set Performance Counters
p. 464  Minimum and Maximum Size of System Working Set
p. 465  System Variables That Store Working Set Minimums or Maximums
p. 466  Page States
p. 473  Modified Page Writer Values
p. 475  Flags Within PFN Database Entries
p. 478  System Variables That Describe Physical Memory
p. 480  Section Object Body Attributes

Ch. 8 Security
p. 488  TCSEC Rating Levels
p. 499  Well-Known SIDs
p. 501  Some Common Privileges
p. 508  Inheritance Rules for ACE Flags

Ch. 9 I/O System
p. 543  Device and Driver Plug and Play Capability
p. 547  System Power-State Definitions
p. 550  Example System-to-Device Power Mappings
p. 554  File Object Attributes

Ch. 10 Storage Management
None

Ch. 11 Cache Manager
p. 655  Size and Location of System Data Cache
p. 655  System Variables for the Virtual Size and Address of the System Cache
p. 656  System Variables for the Physical Size of the System Cache and Page Fault Inform.
p. 666  System Variables for Examining the Activity of the Lazy Writer
p. 668  Algorithm for Calculating the Dirty Page Threshold
p. 668  System Variables for Viewing Cache Flush Operations
p. 674  System Variables for Determining Fast I/O Activity
p. 676  Kernel-Mode Functions for Copying to and from the Cache
p. 676  System Variables for Examining Read Activity from the Cache
p. 677  Functions for Finding Metadata Locations
p. 678  System Variables for Examining Pinning and Mapping Activity
p. 679  Functions That Create the DMA Interface
p. 680  System Variables for Examining MDL Activity from the Cache

Ch. 12 File Systems
p. 685  Default FAT16 Cluster Sizes in W2K
p. 688  Default Cluster Sizes for FAT32 Volumes
p. 689  Default Cluster Sizes for NTFS Volumes
p. 727  Attributes for NTFS Files
p. 731  NTFS-Generated Filenames
p. 764  Summary of NTFS Data Recovery Scenarios

Ch. 13 Networking
None

Experiments

Ch. 1 Concepts and Tools
p. 12  Kernel Mode vs. User Mode

Ch. 2 System Architecture
p. 43  Looking at Multiprocessor-Specific Support Files
p. 44  Checking Which Ntoskrnl Version You're Running
p. 49  Viewing the Image Subsystem Type
p. 57  Watching the POSIX Subsystem Start
p. 67  Determining Which HAL You're Running
p. 70  Viewing the Installed Device Drivers
p. 73  Listing Undocumented Functions
p. 76  Identifying System Threads in the System Process
p. 79  Mapping a System Thread to a Device Driver
p. 84  Viewing Multiple Sessions
p. 86  Listing Installed Services

Ch. 3 System Mechanisms
p. 92  Viewing the IDT
p. 95  Viewing the PIC and APIC
p. 98  Viewing the IRQL
p. 102  Using Kernel Profiler to Profile Execution
p. 111  Monitoring Interrupt and DPC Activity
p. 117  Viewing the Real User Start Address for Win32 Threads
p. 120  Unhandled Exceptions
p. 125  Viewing System Service Activity
p. 125  Exploring the Object Manager
p. 133  Viewing the Type Objects
p. 138  Viewing Open Handles with Nthandle
p. 141  Viewing the Handle Table with the Kernel Debugger
p. 146  Viewing Process Quotas
p. 149  Looking at the Base Named Objects
p. 152  Viewing Namespace Instancing
p. 157  Viewing Queued Spinlocks
p. 165  Looking at Wait Queues
p. 168  Listing System Worker Threads
p. 170  Enabling Image Loader Tracing and Viewing NtGlobalFlag
p. 171  Viewing LPC Port Objects

Ch. 4 Startup and Shutdown
p. 213  Forcing a Crash and Retrieving the Stop Code

Ch. 5 Management Mechanisms
p. 220  Viewing the SAM and SECURITY Keys
p. 223  Watching Registry Activity
p. 225  Looking at Hive Handles
p. 230  Viewing Hive Paged Pool Usage
p. 263  Viewing Services Running Inside Processes

Ch. 6 Processes, Threads, and Jobs
p. 280  Displaying the Format of an EPROCESS Block
p. 292  Examining the PEB
p. 297  Viewing Process Information with Task Manager
p. 298  Viewing the Process Tree
p. 300  Viewing Thread Activity with QuickSlice
p. 301  Viewing Process Details with Process Viewer
p. 302  Using the Kernel Debugger !process Command
p. 321  Displaying ETHREAD and KTHREAD Structures
p. 328  Examining the TEB
p. 332  Using the Kernel Debugger !thread Command
p. 333  Viewing Thread Information
p. 337  Viewing Ready Threads
p. 339  Thread-Scheduling State Changes
p. 345  Examining and Specifying Process and Thread Priorities
p. 350  Determining the Clock Interval Frequency
p. 363  Watching Foreground Priority Boosts and Decays
p. 366  Watching Priority Boosts on GUI Threads
p. 369  Watching Priority Boosts for CPU Starvation
p. 376  Viewing the Job Object

Ch. 7 Memory Management
p. 385  Viewing System Memory Information
p. 387  Accounting for Physical Memory Use
p. 405  Determining the Maximum Pool Sizes
p. 406  Monitoring Pool Usage
p. 412  Viewing the System Look-Aside Lists
p. 422  Viewing Process Memory Utilization
p. 434  Examining the Page Directory and PDEs
p. 440  Translating Addresses
p. 450  Viewing System Page Files
p. 452  Viewing Page File Usage with Task Manager
p. 454  Viewing Virtual Address Descriptors
p. 460  Viewing Process Working Set Sizes
p. 461  Viewing the Working Set List
p. 469  Viewing the PFN Database
p. 471  Viewing Page Fault Behavior
p. 477  Viewing PFN Entries
p. 480  Viewing Section Objects
p. 484  Viewing Control Areas

Ch. 8 Security
p. 498  Using GetSID to View Account SIDs
p. 502  Viewing Access Tokens with the Kernel Debugger
p. 517  Viewing Process and Thread Security Information

Ch. 9 I/O System
p. 538  Viewing the Loaded Driver List
p. 551  Viewing the System Power Capabilities and Policy
p. 558  Looking at the \Device Directory
p. 560  Viewing Win32 Device Name to W2K Device Name Mappings
p. 563  Displaying Driver and Device Objects
p. 565  Looking at Driver Dispatch Routines
p. 568  Examining IRPs and the Thread IRP Queue
p. 578  Dumping the Device Tree
p. 589  Looking at a Driver's Registered Fast I/O Routines

Ch. 10 Storage Management
p. 614  Using DmDiag to View the LDM Database
p. 629  Watching Mirrored Volume I/O Operations
p. 638  Recursive Mount Points
p. 640  Looking at VPBs

Ch. 11 Cache Manager
p. 658  Looking at the Cache's Working Set
p. 681  Viewing the Write-Throttle Parameters

Ch. 12 File Systems
p. 694  Viewing the List of Registered File Systems
p. 704  Looking at Streams
p. 706  Creating a Hard Link
p. 707  Creating a Junction
p. 720  Viewing the MFT
p. 778  Viewing EFS Information

Ch. 13 Networking
p. 790  Listing the Named Pipe Namespace and Watching Named Pipe Activity
p. 796  Looking at Winsock Service Providers
p. 809  Using Nbtstat to See NetBIOS Names
p. 822  Watching TDI Activity
p. 826  Listing the Loaded NDIS Miniports
p. 830  Using Network Monitor to Capture Network Packets
(104 Experiments)