win_internals

Question 1

What is the Windows NT code base?

Answer 1

The code base used by Windows NT beginning with version 3.1.

Question 2

What is the Windows API?

Answer 2

The system programming interface to the Windows operating system family.

Question 3

Where is the Windows API described?

Answer 3

In the Windows Software Development Kit (SDK) documentation. (www.msdn.microsoft.com)

Question 4

What does the Windows API consist of?

Answer 4

Thousands of callable functions

Question 5

What 7 major categories is the Windows API divided into?

Answer 5

1. Base services

Question 6

What are some of the key base services in the Windows API? (4)

Answer 6

1. Processes and threads

Question 7

What does the .NET framework consist of?

Answer 7

1. A library of classes called the Framework Class Library (FCL) and

Question 8

What are Windows API functions?

Answer 8

Documented, callable subroutines in the Windows API

Question 9

What are native (or executive) system services?

Answer 9

The undocumented, underlying services in the operating system that are callable from user mode.

Question 10

What are Windows services?

Answer 10

Processes started by the Windows service control manager

Question 11

What are DLLs?

Answer 11

A set of callable subroutines linked together as a binary file that can be dynamically loaded by applications that use the subroutines

Question 12

What is the difference between a program and a process?

Answer 12

A program is a static sequence of instructions, whereas a process is a container for a set of resources used when executing the instance of the program.

Question 13

At the highest level of abstraction, what is a Windows process comprised of? (6)

Answer 13

1. A private virtual address space

Question 14

What do all threads within a process share?

Answer 14

The process’s virtual address space (in addition to the rest of the resources belonging to the process) meaning that all the threads in a process can write to and read from each other’s memory

Question 15

When can threads in one process reference the address space of another process? (2)

Answer 15

1. When the other process makes available part of its private address space as a shared memory section (called a file mapping object in the Windows API) or

Question 16

In addition to a private address space and one or more threads, what does each process have?

Answer 16

A security identification (contained in the access token) and a list of open handles to objects (such as files, shared memory sections), or one of the synchronization objects (such as mutexes, events, or semaphores)

Question 17

Where is a process’s security context stored?

Answer 17

In an object called an access token

Question 18

What does a process’s access token contain?

Answer 18

The process’s security identification and credentials

Question 19

Do threads have their own access tokens?

Answer 19

By default, threads don't have their own access token, but they can obtain one.

Question 20

If a thread obtains its own access token, what becomes possible?

Answer 20

Individual threads can impersonate the security context of another process—including processes running on a remote Windows system—without affecting other threads in the process.

Question 21

What are virtual address descriptors?

Answer 21

Virtual address descriptors (VADs) are data structures that the memory manager uses to keep track of the virtual addresses the process is using.

Question 22

What is a job?

Answer 22

An extension to the process model.

Question 23

What is a job object’s main function?

Answer 23

To allow groups of processes to be managed and manipulated as a unit.

Question 24

When using virtual memory, how does the operating system ensure that individual processes don't bump into one another or overwrite operating system data?

Answer 24

At run time, the memory manager, with assistance from hardware, translates, or maps, the virtual addresses into physical addresses, where the data is actually stored. By controlling the protection and mapping, the operating system can ensure that individual processes don't bump into one another or overwrite operating system data

Question 25

How does using virtual memory work when most systems have much less physical memory than virtual memory?

Answer 25

The memory manager transfers, or pages, some of the memory contents to disk which frees physical memory so that it can be used for other processes or for the operating system itself.

Question 26

What happens if a thread accesses a virtual address that has been paged to disk?

Answer 26

The virtual memory manager loads the information back into memory from disk.

Question 27

On a 32-bit x86 system, what is the theoretical maximum of the total virtual address space?

Answer 27

4GB

Question 28

How does Windows allocate virtual address space?

Answer 28

2GB (the lower half from x00000000 through x7FFFFFFF) are allocated to processes for their unique private storage.

Question 29

Why does Windows use two processor access modes?

Answer 29

To protect user applications from accessing and/or modifying critical operating system data

Question 30

What does kernel mode refer to?

Answer 30

A processor execution mode that grants access to all system memory and all CPU instructions

Question 31

What privilege levels (rings) does Windows use for kernel mode and user mode?

Answer 31

Windows uses privilege level 0 (or ring 0) for kernel mode and privilege level 3 (or ring 3) for user mode.

Question 32

Why does Windows use only two of the four available privilege levels?

Answer 32

Some hardware architectures that were supported in the past (such as Compaq Alpha and Silicon Graphics MIPS) implemented only two privilege levels.

Question 33

Although each Windows process has its own private memory space, these two share a single virtual address space:

Answer 33

The kernel-mode operating system and device driver code

Question 34

How are read/write restrictions maintained between pages in system space and pages in user address space?

Answer 34

Each page in virtual memory is tagged as to what access mode the processor must be in to read and/or write the page. Pages in system space can be accessed only from kernel mode, whereas all pages in the user address space are accessible from user mode.

Question 35

What mode does the processor need to be in to write to read-only pages?

Answer 35

Trick question: Read-only pages (such as those that contain static data) are not writable from any mode.

Question 36

How does Windows prevent inadvertent code execution in data areas?

Answer 36

On processors that support no-execute memory protection, Windows marks pages containing data as non-executable.

Question 37

What is “private read/write system memory”?

Answer 37

…

Question 38

Once in kernel mode, what does operating system and device driver code have complete access to?

Answer 38

System space memory. This means operating system and device driver code can bypass Windows security to access objects.

Question 39

Why is it so important to be careful when loading a third-party device driver?

Answer 39

Because once in kernel mode the software has complete access to all operating system data.

Question 40

How has Windows responded to the potential for a dangerous third-party driver to be loaded by users?

Answer 40

1. Windows introduced the driver-signing mechanism

Question 41

What's the difference between 32-bit and 64-bit versions of Windows when it comes to installing unsigned drivers?

Answer 41

With 64-bit Windows, the user cannot explicitly force the installation of an unsigned driver, even as an administrator (unless this restriction is disabled manually at boot time by pressing F8 and choosing the advanced boot option Disable Driver Signature Enforcement).

Question 42

When do user applications switch from user mode to kernel mode?

Answer 42

When they make a system service call.

Question 43

How do user applications switch from user mode to kernel mode?

Answer 43

The transition is accomplished by the use of a special processor instruction that causes the processor to switch to kernel mode. The operating system traps this instruction, notices that a system service is being requested, validates the arguments the thread passed to the system function, and then executes the internal function. Before returning control to the user thread, the processor mode is switched back to user mode.

Question 44

What does terminal services refer to?

Answer 44

The support in Windows for multiple interactive user sessions on a single system.

Question 45

What three forms of access control does Windows have over objects?

Answer 45

1. Discretionary access control

Question 46

What is discretionary access control?

Answer 46

The method by which owners of objects (such as files or printers) grant or deny access to others.

Question 47

What is privileged access control?

Answer 47

A method of ensuring that someone can get to protected objects if the owner isn't available. (Admin needs access to files under an ex-employee's control, for example)

Question 48

What is mandatory integrity control?

Answer 48

An additional level of security control to protect objects that are being accessed from within the same user account.

Question 49

What is the registry?

Answer 49

The system database

Question 50

What does the registry contain? (4)

Answer 50

1. The information required to boot and configure the system

Question 51

What kinds of in-memory volatile data is the registry a window into? (2)

Answer 51

1. The current hardware state of the system (what device drivers are loaded, the resources they are using, and so on)

Question 52

How does Windows differ from most other operating systems?

Answer 52

Most internal text strings are stored and processed as 16-bit-wide Unicode characters.

Question 53

What is Unicode?

Answer 53

Unicode is an international character set standard that defines unique 16-bit values for most of the world's known character sets.

Question 54

What does kernel debugging mean?

Answer 54

Examining internal kernel data structures and/or stepping through functions in the kernel

Question 55

What do symbol files contain?

Answer 55

The names of functions and variables

Question 56

Where does the symbol file come from?

Answer 56

It’s generated by the linker.

Question 57

Who uses the symbol file?

Answer 57

Debuggers use them to reference and display symbol names during a debug session

Question 58

What's the minimum requirement to use any of the kernel debugging tools to examine internal Windows kernel data structures?

Answer 58

The correct symbol files for at least the kernel image, Ntoskrnl.exe.

Question 59

What are the debugger extension commands?

Answer 59

Commands that begin with "!" that allow you to display the contents of internal data structures such as threads, processes, I/O request packets, and memory management information.

Question 60

What does the LiveKd tool allow you to do?

Answer 60

It allows you to use the standard Microsoft kernel debuggers to examine the running system without booting the system in debugging mode.

Question 61

Why might it be useful to debug a running system without booting that system into debugging mode?

Answer 61

When kernel-level troubleshooting is required on a machine that wasn't booted in debugging mode. A reboot with the debug option enabled might not result in the same error.

Question 62

What does the Windows SDK contain?

Answer 62

The documentation, C header files, and libraries necessary to compile and link Windows applications.

Question 63

Although the Windows WDK is aimed at device driver developers, what else makes it useful?

Answer 63

It’s an abundant source of Windows internals information. For example, the WDK documentation contains a comprehensive description of all the Windows kernel support functions and mechanisms used by device drivers in both tutorial and reference form (information not included in the Windows Internals book).

Question 64

In addition to documentation, what else does the WDK contain?

Answer 64

Header files

Question 65

What are three important header files contained in the WDK documentation?

Answer 65

ntddk.h, ntifs.h, and wdm.h

Question 66

What is a private virtual address space?

Answer 66

A set of virtual memory addresses that the process can use

Question 67

What's an access token?

Answer 67

A security context

Question 68

What's a process ID?

Answer 68

A unique identifier (internally part of an identifier called a client ID)

Question 69

Is it possible to have a process with no threads?

Answer 69

Yes, although it’s not useful.

Question 70

What does the access token identify? (6)

Answer 70

1. The user

Question 71

What does the CLR provide?

Answer 71

A managed code execution environment

Question 72

What kind of features does CLR provide? (4)

Answer 72

1. Just-in-time compilation

Question 73

What are Windows Performance Counters?

Answer 73

Counters that profile system performance

Question 74

What is a virtual address space?

Answer 74

A set of virtual memory addresses that the process can use

Question 75

What does an executable program define?

Answer 75

Initial code and data and is mapped into the process’s virtual address space

Question 76

What are some examples of system resources that have handles?

Answer 76

Semaphores, communication ports, and files

Question 77

What does the access token identify? (6)

Answer 77

1. The user

Question 78

What do the header files in the WDK define? (2)

Answer 78

1. Key internal data structures and constants

Question 79

What’s the implication of all threads within a process sharing the process’s virtual address space?

Answer 79

All the threads in a process can write to and read from each other’s memory.

Question 80

What’s a file mapping object?

Answer 80

In the Windows API, this is the term for when one process makes available part of its private address space as a shared memory section to another process.

Question 81

What is the driver-signing mechanism?

Answer 81

A mechanism which warns the user if an attempt is made to add an unauthorized (unsigned) driver.

Question 82

How does the Driver Verifier mechanism help device driver writers?

Answer 82

It helps writers find bugs (such as buffer overruns or memory leaks) that can cause security or reliability issues.

Question 83

What does the Kernel Mode Code Signing policy state?

Answer 83

That 64-bit device drivers must be signed with a cryptographic key assigned by one of the major code certification authorities.

Question 84

What is the Windows service control manager (SCM)?

Answer 84

A special system process which starts, stops and interacts with Windows service processes.

Question 85

What’s a Windows service?

Answer 85

A long-running executable that performs specific functions and is designed not to require user intervention. Windows services are similar in concept to a Unix daemon.

Question 86

What’s an object?

Answer 86

A single, run-time instance of a statically defined object type.

Question 87

CID

Answer 87

Client ID.The internal name for a process ID.