| Historical Perspective | xv |
| Foreword | xvii |
| Acknowledgments | xix |
| Introduction | xxv |
| CHAPTER ONE Concepts and Tools | 1 |
| Foundation Concepts and Terms | 1 |
| Win32 API | 2 |
| Services, Functions, and Routines | 3 |
| Processes, Threads, and Jobs | 4 |
| Virtual Memory | 7 |
| Kernel Mode vs. User Mode | 9 |
| Objects and Handles | 14 |
| Security | 15 |
| Registry | 16 |
| Unicode | 17 |
| Digging into Windows 2000 Internals | 17 |
| Tools on the Companion CD | 19 |
| Performance Tool | 20 |
| Windows 2000 Support Tools | 20 |
| Windows 2000 Resource Kits | 21 |
| Kernel Debugging Tools | 21 |
| Platform Software Development Kit (SDK) | 24 |
| Device Driver Kit (DDK) | 24 |
| Systems Internals Tools | 25 |
| CHAPTER TWO System Architecture | 27 |
| Requirements and Design Goals | 27 |
| Operating System Model | 30 |
| Portability | 32 |
| Symmetric Multiprocessing | 33 |
| Scalability | 35 |
| Architecture Overview | 35 |
| Windows 2000 Product Packaging | 38 |
| Checked Build | 41 |
| Multiprocessor-Specific System Files | 42 |
| Key System Components | 46 |
| Environment Subsystems and Subsystem DLLs | 47 |
| Ntdll.dll | 60 |
| Executive | 60 |
| Kernel | 63 |
| Hardware Abstraction Layer | 66 |
| Device Drivers | 67 |
| Peering into Undocumented Interfaces | 71 |
| System Processes | 74 |
| CHAPTER THREE System Mechanisms | 89 |
| Trap Dispatching | 89 |
| Interrupt Dispatching | 91 |
| Exception Dispatching | 113 |
| System Service Dispatching | 121 |
| Object Manager | 125 |
| Executive Objects | 128 |
| Object Structure | 130 |
| Synchronization | 153 |
| Kernel Synchronization | 154 |
| Executive Synchronization | 158 |
| System Worker Threads | 165 |
| Windows 2000 Global Flags | 168 |
| Local Procedure Calls (LPCs) | 171 |
| CHAPTER FOUR Startup and Shutdown | 177 |
| Boot Process | 177 |
| Preboot | 177 |
| The Boot Sector and Ntldr | 180 |
| Initializing the Kernel and Executive Subsystems | 190 |
| Smss, Csrss, and Winlogon | 194 |
| Safe Mode | 196 |
| Driver Loading in Safe Mode | 197 |
| Safe-Mode-Aware User Programs | 199 |
| Boot Logging in Safe Mode | 200 |
| Recovery Console | 201 |
| Shutdown | 204 |
| System Crashes | 206 |
| Why Does Windows 2000 Crash? | 206 |
| The Blue Screen | 207 |
| Crash Dump Files | 210 |
| CHAPTER FIVE Management Mechanisms | 215 |
| The Registry | 215 |
| Registry Data Types | 216 |
| Registry Logical Structure | 217 |
| Registry Internals | 224 |
| Services | 236 |
| Service Applications | 237 |
| Service Accounts | 244 |
| The Service Control Manager | 247 |
| Service Startup | 251 |
| Startup Errors | 255 |
| Accepting the Boot and Last Known Good | 256 |
| Service Failures | 258 |
| Service Shutdown | 259 |
| Shared Service Processes | 260 |
| Service Control Programs | 264 |
| Windows Management Instrumentation | 265 |
| WMI Architecture | 266 |
| Providers | 268 |
| The Common Information Model and the Managed Object Format Language | 269 |
| The WMI Namespace | 272 |
| Class Association | 273 |
| WMI Implementation | 275 |
| WMI Security | 275 |
| CHAPTER SIX Processes, Threads, and Jobs | 277 |
| Process Internals | 277 |
| Data Structures | 277 |
| Kernel Variables | 293 |
| Performance Counters | 293 |
| Relevant Functions | 294 |
| Relevant Tools | 295 |
| Flow of CreateProcess | 304 |
| Stage 1: Opening the Image to Be Executed | 306 |
| Stage 2: Creating the Windows 2000 Executive Process Object | 309 |
| Stage 3: Creating the Initial Thread and Its Stack and Context | 314 |
| Stage 4: Notifying the Win32 Subsystem About the New Process | 314 |
| Stage 5: Starting Execution of the Initial Thread | 316 |
| Stage 6: Performing Process Initialization in the Context of the New Process | 316 |
| Thread Internals | 317 |
| Data Structures | 317 |
| Kernel Variables | 329 |
| Performance Counters | 329 |
| Relevant Functions | 330 |
| Relevant Tools | 331 |
| Flow of CreateThread | 333 |
| Thread Scheduling | 337 |
| Overview of Windows 2000 Scheduling | 337 |
| Priority Levels | 341 |
| Win32 Scheduling APIs | 343 |
| Relevant Tools | 344 |
| Real-Time Priorities | 346 |
| Interrupt Levels vs. Priority Levels | 347 |
| Thread States | 348 |
| Quantum | 349 |
| Scheduling Data Structures | 353 |
| Scheduling Scenarios | 355 |
| Context Switching | 359 |
| Idle Thread | 359 |
| Priority Boosts | 360 |
| Job Objects | 374 |
| CHAPTER SEVEN Memory Management | 379 |
| Memory Manager Components | 380 |
| Configuring the Memory Manager | 382 |
| Examining Memory Usage | 385 |
| Services the Memory Manager Provides | 389 |
| Reserving and Committing Pages | 390 |
| Locking Memory | 392 |
| Allocation Granularity | 392 |
| Shared Memory and Mapped Files | 393 |
| Protecting Memory | 395 |
| Copy-on-Write | 398 |
| Heap Functions | 400 |
| Address Windowing Extensions | 401 |
| System Memory Pools | 403 |
| Look-Aside Lists | 411 |
| Driver Verifier | 413 |
| Address Space Layout | 417 |
| User Address Space Layout | 420 |
| System Address Space Layout | 424 |
| Address Translation | 429 |
| Translating a Virtual Address | 431 |
| Page Directories | 433 |
| Process and System Page Tables | 435 |
| Page Table Entries | 436 |
| Byte Within Page | 438 |
| Translation Look-Aside Buffer | 439 |
| Physical Address Extension | 442 |
| Page Fault Handling | 443 |
| Invalid PTEs | 445 |
| Prototype PTEs | 446 |
| In-Paging I/O | 448 |
| Collided Page Faults | 449 |
| Page Files | 450 |
| Virtual Address Descriptors | 452 |
| Working Sets | 455 |
| Paging Policies | 455 |
| Working Set Management | 457 |
| Balance Set Manager and Swapper | 462 |
| System Working Set | 463 |
| Page Frame Number Database | 465 |
| Page List Dynamics | 469 |
| Modified Page Writer | 472 |
| PFN Data Structures | 474 |
| Section Objects | 478 |
| CHAPTER EIGHT Security | 487 |
| Security Ratings | 487 |
| Security System Components | 490 |
| Protecting Objects | 494 |
| Access Checks | 494 |
| Security Identifiers | 497 |
| Tokens | 499 |
| Impersonation | 504 |
| Restricted Tokens | 506 |
| Security Descriptors and Access Control | 507 |
| Security Auditing | 515 |
| Logon | 521 |
| Winlogon Initialization | 522 |
| User Logon Steps | 523 |
| CHAPTER NINE I/O System | 527 |
| Design Goals | 527 |
| I/O System Components | 528 |
| The I/O Manager | 531 |
| Device Drivers | 532 |
| The Plug and Play (PnP) Manager | 541 |
| The Power Manager | 546 |
| I/O Data Structures | 553 |
| File Objects | 554 |
| Driver Objects and Device Objects | 556 |
| I/O Request Packets | 562 |
| I/O Completion Ports | 570 |
| Driver Loading, Initialization, and Installation | 573 |
| The Start Value | 574 |
| Device Enumeration | 575 |
| Devnodes | 579 |
| Devnode Driver Loading | 581 |
| Driver Installation | 583 |
| I/O Processing | 586 |
| Types of I/O | 587 |
| I/O Request to a Single-Layered Driver | 590 |
| I/O Requests to Layered Drivers | 597 |
| I/O Completion Port Operation | 602 |
| Synchronization | 604 |
| CHAPTER TEN Storage Management | 607 |
| The Evolution of Windows 2000 Storage | 607 |
| Partitioning | 609 |
| Basic Partitioning | 610 |
| Dynamic Partitioning | 611 |
| Storage Drivers | 617 |
| Disk Drivers | 618 |
| Device Naming | 619 |
| Basic Disk Management | 620 |
| Dynamic Disk Management | 621 |
| Disk Performance Monitoring | 624 |
| Multipartition Volume Management | 624 |
| Spanned Volumes | 625 |
| Striped Volumes | 626 |
| Mirrored Volumes | 627 |
| RAID-5 Volumes | 630 |
| Volume I/O Operations | 632 |
| The Volume Namespace | 634 |
| The Mount Manager | 634 |
| Mount Points | 636 |
| Volume Mounting | 639 |
| CHAPTER ELEVEN Cache Manager | 645 |
| Key Features of the Windows 2000 Cache Manager | 645 |
| Single, Centralized System Cache | 646 |
| The Memory Manager | 646 |
| Cache Coherency | 647 |
| Virtual Block Caching | 649 |
| Stream-Based Caching | 650 |
| Recoverable File System Support | 650 |
| Cache Structure | 651 |
| Cache Size | 654 |
| Cache Virtual Size | 654 |
| Cache Physical Size | 655 |
| Cache Data Structures | 659 |
| Systemwide Cache Data Structures | 660 |
| Per-File Cache Data Structures | 661 |
| Cache Operation | 665 |
| Write-Back Caching and Lazy Writing | 665 |
| Intelligent Read-Ahead | 669 |
| System Threads | 671 |
| Fast I/O | 672 |
| Cache Support Routines | 675 |
| Copying to and from the Cache | 675 |
| Caching with the Mapping and Pinning Interfaces | 677 |
| Caching with the Direct Memory Access Interfaces | 679 |
| Write Throttling | 680 |
| CHAPTER TWELVE File Systems | 683 |
| Windows 2000 File System Formats | 684 |
| CDFS | 685 |
| UDF | 685 |
| FAT12, FAT16, and FAT32 | 685 |
| NTFS | 689 |
| File System Driver Architecture | 690 |
| Local FSDs | 690 |
| Remote FSDs | 692 |
| File System Operation | 694 |
| NTFS Design Goals and Features | 700 |
| High-End File System Requirements | 700 |
| Advanced Features of NTFS | 702 |
| NTFS File System Driver | 713 |
| NTFS On-Disk Structure | 717 |
| Volumes | 717 |
| Clusters | 717 |
| Master File Table | 718 |
| File Reference Numbers | 725 |
| File Records | 726 |
| Filenames | 729 |
| Resident and Nonresident Attributes | 732 |
| Indexing | 735 |
| Data Compression and Sparse Files | 737 |
| Reparse Points | 743 |
| The Change Journal File | 743 |
| Object IDs | 745 |
| Quota Tracking | 745 |
| Consolidated Security | 745 |
| NTFS Recovery Support | 746 |
| Evolution of File System Design | 746 |
| Logging | 749 |
| Recovery | 756 |
| NTFS Bad-Cluster Recovery | 761 |
| Encrypting File System Security | 766 |
| Registering Callbacks | 769 |
| Encrypting a File for the First Time | 769 |
| The Decryption Process | 775 |
| Backing Up Encrypted Files | 777 |
| CHAPTER THIRTEEN Networking | 779 |
| The OSI Reference Model | 780 |
| OSI Layers | 781 |
| Windows 2000 Networking Components | 782 |
| Networking APIs | 784 |
| Named Pipes and Mailslots | 785 |
| Windows Sockets | 793 |
| Remote Procedure Call | 798 |
| Common Internet File System (CIFS) | 803 |
| NetBIOS | 807 |
| Other Networking APIs | 811 |
| Network-Resource Name Resolution | 814 |
| Multiple Provider Router | 814 |
| Multiple UNC Provider | 817 |
| Domain Name System | 819 |
| Protocol Drivers | 819 |
| NDIS Drivers | 823 |
| Variations on the NDIS Miniport | 828 |
| Connection-Oriented NDIS | 829 |
| Binding | 832 |
| Layered Network Services | 834 |
| Remote Access | 834 |
| Active Directory | 835 |
| Network Load Balancing | 837 |
| File Replication Service | 838 |
| Distributed File System | 839 |
| TCP/IP Extensions | 840 |
| Glossary | 845 |
| Index | 871 |