Jump to content

Architecture of Windows NT

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Mav (talk | contribs) at 03:39, 26 May 2005 (body text by user:Ta bu shi da yu from Windows 2000 ; working on ref section now). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)
File:Windows 2000 architecture.PNG
The Windows 2000 operating system architecture consists of two layers (user mode and kernel mode), with many different modules within both of these layers.

The architecture of Windows 2000 creates a highly modular system that consists of two main layers: a user mode and a kernel mode. Windows 2000 is a 32-bit, preemptible, interruptible operating system, which has been designed to work with either uniprocessor or symmetrical multi processor (SMP) based Intel x86 computers. To process I/O requests, uses packet driven I/O which utilise I/O request packets (IRPs) and asynchronous I/O. However, Windows 2000 is known as a hybrid operating system as the microkernel is essentially the kernel, while higher-level services are implemented by the executive, which exists in kernel mode [1].

User mode in Windows 2000 is made of subsystems capable of passing I/O requests to the appropriate kernel mode drivers by using the the I/O manager. Two subsystems make up the user mode layer of Windows 2000: the Environment subsystem (runs applications written for many different types of operating systems), and the Integral subsystem (operates system specific functions on behalf of the environment subsystem). Kernel mode in Windows 2000 has full access to the hardware and system resources of the computer. The kernel mode stops user mode services and applications from accessing critical areas of the operating system that they should not have access to.

The Executive interfaces with all the user mode subsystems. It deals with I/O, object management, security and process management. The Microkernel sits between the Hardware Abstraction Layer and the Executive to provide multiprocessor synchronization, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching. The microkernel is also responsible for initialising device drivers at bootup. Kernel mode drivers exist in three levels: highest level drivers, intermediate drivers and low level drivers. Windows Driver Model (WDM) exists in the intermediate layer and was mainly designed to be binary and source compatible between Windows 98 and Windows 2000. The lowest level drivers are either legacy Windows NT device drivers that control a device directly or can be a PnP hardware bus.

User mode

The user mode is made up of subsystems which can pass I/O requests to the appropriate kernel mode drivers via the I/O manager (which exists in kernel mode). Two subsystems make up the user mode layer of Windows 2000: the Environment subsystem and the Integral subsystem.

The environment subsystem was designed to run applications written for many different types of operating systems. None of the environment subsystems can directly access hardware, and must request access to memory resources through the Virtual Memory Manager that runs in kernel mode. Also, applications run at a lower priority than kernel mode processes. Currently, there are three main environment subsystems: the Win32 subsystem, an OS/2 subsystem and a POSIX subsystem.

The Win32 environment subsystem can run 32-bit Windows applications. It contains the console as well as text window support, shutdown and hard-error handling for all other environment subsystems. It also supports Virtual DOS Machines (VDMs), which allow MS-DOS and 16-bit Windows 3.x (Win16) applications to be run on Windows. There is a specific MS-DOS VDM which runs in its own address space and which emulates an Intel 80486 running MS-DOS 5. Win16 programs, however, run in a Win16 VDM. Each program, by default, runs in the same process, thus using the same address space, and the Win16 VDM gives each process it's own thread to run on. However, Windows 2000 does allow users to run a Win16 program in a separate Win16 VDM, which allows the program to be preemptively multitasked as Windows 2000 will preempt the whole VDM process, which only contains one running application. The OS/2 environment subsystem supports 16-bit character-based OS/2 applications and emulates OS/2 1.3 and 1.x, but not 2.x or later OS/2 applications. The POSIX environment subsystem supports applications that are strictly written to either the POSIX.1 standard or the related ISO/IEC standards.

The integral subsystem looks after operating system specific functions on behalf of the environment subsystem. It consists of a security subsystem, a workstation service and a server service. The security subsystem deals with security tokens, grants or denies access to user accounts based on resource permissions, handles logon requests and initiates logon authentication, and determines which system resources need to be audited by Windows 2000. It also looks after Active Directory. The workstation service is an API to the network redirector, which provides the computer access to the network. The server service is an API that allows the computer to provide network services.

Kernel mode

Windows 2000 kernel mode has full access to the hardware and system resources of the computer and runs code in a protected memory area. It controls access to scheduling, thread prioritisation, memory management and the interaction with hardware. The kernel mode stops user mode services and applications from accessing critical areas of the operating system that they should not have access to as user mode processes ask the kernel mode to perform such operations on it's behalf.

Kernel mode consists of executive services, which is itself made up on many modules that do specific tasks, kernel drivers, a microkernel and a Hardware Abstraction Layer, or HAL.

Executive

The Executive interfaces with all the user mode subsystems. It deals with I/O, object management, security and process management. It contains various components, including the I/O Manager, the Security Reference Monitor, the Object Manager, the IPC Manager, the Virtual Memory Manager (VMM), a PnP Manager and Power Manager, as well as a Window Manager which works in conjunction with the Windows Graphical Device Interface (GDI). Each of these components exports a kernel-only support routine allows other components to communicate with one another. Grouped together, the components can be called executive services. No executive component has access to the internal routines of any other executive component.

File:Winobj.PNG
Each object in Windows 2000 exists in its own namespace. This is a screenshot from SysInternal's WinObj

The object manager is a special executive subsystem that all other executive subsystems must pass through to gain access to Windows 2000 resources — essentially making it a resource management infrastructure service. The object manager is used to reduce the duplication of object resource management functionality in other executive subsystems, which could potentially lead to bugs and make development of Windows 2000 harder [2]. To the object manager, each resource is an object, whether that resource is a physical resource (such as a filesystem or peripheral) or a logical resource (such as a file). Each object has a structure or object type that the object manager must know about. When another executive subsystem requests the creation of an object, they send that request to the object manager which creates an empty object structure which the requesting executive subsystem then fills in [3]. Object types define the object procedures and any data specific to the object. In this way, the object manager allows Windows 2000 to be a object oriented operating system, as object types can be thought of as classes that define objects.

Each instance of an object that is created stores its name, parameters that are passed to the object creation function, security attributes and a pointer to its object type. The object also contains a object close procedure and a reference count to tell the object manager how many other objects in the system reference that object and thereby determines whether the object can be destroyed when a close request is sent to it [4]. Every object exists in a hierarchical object namespace.

Further executive subsystems are the following:

  • I/O Manager: allows devices to communicate with user-mode subsystems. It translates user-mode read and write commands in read or write IRPs which it passes to device drivers. It accepts file system I/O requests and translates them into device specific calls, and can incorporate low-level device drivers that directly manipulate hardware to either read input or write output. It also includes a cache manager to improve disk performance by caching read requests and write to the disk in the background
  • Security Reference Monitor (SRM): the primary authority for enforcing the security rules of the security integral subsystem [5]. It determines whether an object or resource can be accessed, via the use of access control lists (ACLs), which are themselves made up of access control entries (ACEs). ACEs contain a security identifier (SID) and a list of operations that the ACE gives a select group of trustees — a user account, group account, or logon session [6] — permission (allow, deny, or audit) to that resource. [7] [8]
  • IPC Manager: short for Interprocess Communication Manager, this manages the communication between clients (the environment subsystem) and servers (components of the Executive). It can use two facilities: the Local Procedure Call (LPC) facility (clients and servers on the one computer) and the Remote Procedure Call (RPC) facility (where clients and servers are situated on different computers. Microsoft has had significant security issues with the RPC facility [9].
  • Virtual Memory Manager: manages virtual memory, allowing Windows 2000 to use the hard disk as a primary storage device (although strictly speaking it is secondary storage). It controls the paging of memory in and out of physical memory to disk storage.
  • Process Manager: handles process and thread creation and termination
  • PnP Manager: handles Plug and Play and supports device detection and installation at boot time. It also has the responsibility to stop and start devices on demand — sometimes this happens when a bus gains a new device and needs to have a device driver loaded to support that device. Both Firewire and USB are hot-swappable and require the services of the PnP Manager to load, stop and start devices. The PnP manager interfaces with the HAL, the rest of the executive (as necessary) and with device drivers.
  • Power Manager: the power manager deals with power events and generates power IRPs. It coordinates these power events when several devices send a request to be turned off it determines the best way of doing this.
  • The display system has been moved from user mode into the kernel mode as a device driver contained in the file Win32k.sys. There are two components in this device driver — the Window Manager and the GDI:
    • Window Manager: responsible for drawing windows and menus. It controls the way that output is painted to the screen and handles input events (such as from the keyboard and mouse), then passes messages to the applications that need to receive this input
    • GDI: the graphical device interface is responsible for tasks such as drawing lines and curves, rendering fonts and handling palettes. Windows 2000 introduced native alpha blending into the GDI.

Microkernel & Kernel-mode drivers

The Microkernel sits between the HAL and the Executive and provide multiprocessor synchronization, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching. The Microkernel often interfaces with the process manager. [10] The microkernel is also responsible for initialising device drivers at bootup that are necessary to get the operating system up and running.

Windows 2000 uses kernel-mode device drivers to enable it to interact with hardware devices. Each of the drivers has well defined system routines and internal routines that it exports to the rest of the operating system. All devices are seen by user mode code as a file object in the I/O manager, though to the I/O manager itself the devices are seen as device objects, which it defines as either file, device or driver objects. Kernel mode drivers exist in three levels: highest level drivers, intermediate drivers and low level drivers. The highest level drivers, such as file system drivers for FAT and NTFS, rely on intermediate drivers. Intermediate drivers consist of function drivers — or main driver for a device — that are optionally sandwiched between lower and higher level filter drivers. The function driver then relies on a bus driver — or a driver that services a bus controller, adapter, or bridge — which can have an optional bus filter driver that sits between itself and the function driver. Intermediate drivers rely on the lowest level drivers to function. The Windows Driver Model (WDM) exists in the intermediate layer. The lowest level drivers are either legacy Windows NT device drivers that control a device directly or can be a PnP hardware bus. These lower level drivers directly control hardware and do not rely on any other drivers.

The Windows Driver Model, or Win32 Driver Model (WDM) was introduced to the NT kernel in Windows 2000. WDM exists in the intermediary layer of Windows 2000 kernel-mode drivers and was introduced to increase the functionality and ease of writing drivers for Windows. The WDM was mainly designed to be binary and source compatible between Windows 98 and Windows 2000. However, this may not always be desired and so specific drivers can be developed for either operating system. WDM consists of:

  • Class drivers: these can be thought of as built-in framework drivers that miniport and other class drivers can be built on top of. The class drivers provide an interfaces between different levels of the WDM architecture. Common functionality between different classes of drivers can be written into the class driver and used by other class and miniport drivers. The lower edge of the class driver will have its interface exposed to the miniport driver, while the upper edge of top level class drivers is operating system specific. Class drivers can be dynamically loaded and unloaded at will. They can do class specific functions that are not hardware or bus-specific (with the exception of bus-type class drivers) and in fact sometimes only do class specific functions like enumeration).
  • Miniport drivers: these are USB, Audio, SCSI and network adapters. They should usually be source and binary compatible between Windows 98 and Windows 2000 and are hardware specific but control access to the hardware through a specific bus class driver.
  • Software bus drivers: Microsoft provides bus drivers for most common buses, such as PCI, PnpISA, SCSI, USB and Firewire. Each software vendor can create their own bus drivers if needed.
  • OS Services: this layer is all the operating system functionality that has been abstracted away from the miniport driver.
  • Virtualisation drivers: have been part of Windows since v3.0 and are used for legacy hardware.

In the layered architecture of Windows kernel-mode drivers, class/mini port drivers are functional drivers.

Hardware Abstraction Layer

The Windows 2000 Hardware Abstraction Layer, or HAL, is a layer between the physical hardware of the computer and the rest of the operating system. It was designed to hide differences in hardware and therefore provide a consistent platform to run applications on. The HAL includes hardware specific code that controls I/O interfaces, interrupt controllers and multiple processors.

Windows 2000 used to support the DEC Alpha, however they did not extend Alpha support beyond beta 3 of Windows 2000. The HAL now only supports hardware that is compatible with the Intel x86 architecture.


Notes

  1. ^ MCSE Exam 70-215, Microsoft Windows 2000 Server. Chapter 1, Introduction to Microsoft Windows 2000, pg 7-18.
  2. ^ Mark Russinovich (October 1997). Inside NT's Object Manager. Introduction.
  3. ^ Mark Russinovich (October 1997). Inside NT's Object Manager. "Object Types".
  4. ^ Mark Russinovich (October 1997). Inside NT's Object Manager. "Objects".
  5. ^ Microsoft. "Active Directory Data Storage".
  6. ^ MSDN. Trustee definition.
  7. ^ Siyan, Kanajit S., 2000.
  8. ^ MSDN. ACE definition.
  9. ^ Microsoft has had numerous security issues caused by vulnerabilities in its RPC mechanisms. A list follows of the security bulletins that Microsoft have issued in regards to RPC vulnerabilities:
    • Microsoft Security Bulletin MS03-026: issue with a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports.
    • Microsoft Security Bulletin MS03-001: A security vulnerability results from an unchecked buffer in the Locator service. By sending a specially malformed request to the Locator service, an attacker could cause the Locator service to fail, or to run code of the attacker's choice on the system.
    • Microsoft Security Bulletin MS03-026: Buffer overrun in RPC may allow code execution
    • Microsoft Security Bulletin MS03-010: This particular vulnerabilty affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.
    • Microsoft Security Bulletin MS04-029: This RPC Runtime library vulnerability was addressed in CAN-2004-0569, however the title is "Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service".
    • Microsoft Security Bulletin (MS00-066): A remote denial of service vulnerability in RPC is found. Blocking ports 135-139 and 445 can stop attacks.
    • Microsoft Security Bulletin MS03-039: "There are three newly identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation- two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another. An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges. To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service."
    • Microsoft Security Bulletin MS01-041: "Several of the RPC servers associated with system services in Microsoft Exchange Server, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately validate inputs, and in some cases will accept invalid inputs that prevent normal processing. The specific input values at issue here vary from RPC server to RPC server. An attacker who sent such inputs to an affected RPC server could disrupt its service. The precise type of disruption would depend on the specific service, but could range in effect from minor (e.g., the service temporarily hanging) to major (e.g., the service failing in a way that would require the entire system to be restarted)."
  10. ^ Inside Microsoft Windows 2000 (Third Edition). Microsoft Press.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Architecture_of_Windows_NT&oldid=14248040"