Appendix
Contents of Windows Internals, Seventh Edition, Part 1

Introduction

Chapter 1   Concepts and tools

Windows operating system versions

Windows 10 and future Windows versions

Windows 10 and OneCore

Foundation concepts and terms

Windows API

Services, functions, and routines

Processes

Threads

Jobs

Virtual memory

Kernel mode vs. user mode

Hypervisor

Firmware

Terminal Services and multiple sessions

Objects and handles

Security

Registry

Unicode

Digging into Windows internals

Performance Monitor and Resource Monitor

Kernel debugging

Windows Software Development Kit

Windows Driver Kit

Sysinternals tools

Conclusion

Chapter 2   System architecture

Requirements and design goals

Operating system model

Architecture overview

Portability

Symmetric multiprocessing

Scalability

Differences between client and server versions

Checked build

Virtualization-based security architecture overview

Key system components

Environment subsystems and subsystem DLLs

Other subsystems

Executive

Kernel

Hardware abstraction layer

Device drivers

System processes

Conclusion

Chapter 3   Processes and jobs 101

Creating a process

CreateProcess* functions arguments

Creating Windows modern processes

Creating other kinds of processes

Process internals

Protected processes

Protected Process Light (PPL)

Third-party PPL support

Minimal and Pico processes

Minimal processes

Pico processes

Trustlets (secure processes)

Trustlet structure

Trustlet policy metadata

Trustlet attributes

System built-in Trustlets

Trustlet identity

Isolated user-mode services

Trustlet-accessible system calls

Flow of CreateProcess

Stage 1: Converting and validating parameters and flags

Stage 2: Opening the image to be executed

Stage 3: Creating the Windows executive process object

Stage 4: Creating the initial thread and its stack and context

Stage 5: Performing Windows subsystem–specific initialization

Stage 6: Starting execution of the initial thread

Stage 7: Performing process initialization in the context of the new process

Terminating a process

Image loader

Early process initialization

DLL name resolution and redirection

Loaded module database

Import parsing

Post-import process initialization

SwitchBack

API Sets

Jobs

Job limits

Working with a job

Nested jobs

Windows containers (server silos)

Conclusion

Chapter 4   Threads

Creating threads

Thread internals

Data structures

Birth of a thread

Examining thread activity

Limitations on protected process threads

Thread scheduling

Overview of Windows scheduling

Priority levels

Thread states

Dispatcher database

Quantum

Priority boosts

Context switching

Scheduling scenarios

Idle threads

Thread suspension

(Deep) freeze

Thread selection

Multiprocessor systems

Thread selection on multiprocessor systems

Processor selection

Heterogeneous scheduling (big.LITTLE)

Group-based scheduling

Dynamic fair share scheduling

CPU rate limits

Dynamic processor addition and replacement

Worker factories (thread pools)

Worker factory creation

Conclusion

Chapter 5   Memory management

Introduction to the memory manager

Memory manager components

Large and small pages

Examining memory usage

Internal synchronization

Services provided by the memory manager

Page states and memory allocations

Commit charge and commit limit

Locking memory

Allocation granularity

Shared memory and mapped files

Protecting memory

Data Execution Prevention

Copy-on-write

Address Windowing Extensions

Kernel-mode heaps (system memory pools)

Pool sizes

Monitoring pool usage

Look-aside lists

Heap manager

Process heaps

Heap types

The NT heap

Heap synchronization

The low-fragmentation heap

The segment heap

Heap security features

Heap debugging features

Pageheap

Fault-tolerant heap

Virtual address space layouts

x86 address space layouts

x86 system address space layout

x86 session space

System page table entries

ARM address space layout

64-bit address space layout

x64 virtual addressing limitations

Dynamic system virtual address space management

System virtual address space quotas

User address space layout

Address translation

x86 virtual address translation

Translation look-aside buffer

x64 virtual address translation

ARM virtual address translation

Page fault handling

Invalid PTEs

Prototype PTEs

In-paging I/O

Collided page faults

Clustered page faults

Page files

Commit charge and the system commit limit

Commit charge and page file size

Stacks

User stacks

Kernel stacks

DPC stack

Virtual address descriptors

Process VADs

Rotate VADs

NUMA

Section objects

Working sets

Demand paging

Logical prefetcher and ReadyBoot

Placement policy

Working set management

Balance set manager and swapper

System working sets

Memory notification events

Page frame number database

Page list dynamics

Page priority

Modified page writer and mapped page writer

PFN data structures

Page file reservation

Physical memory limits

Windows client memory limits

Memory compression

Compression illustration

Compression architecture

Memory partitions

Memory combining

The search phase

The classification phase

The page combining phase

From private to shared PTE

Combined pages release

Memory enclaves

Programmatic interface

Memory enclave initializations

Enclave construction

Loading data into an enclave

Initializing an enclave

Proactive memory management (SuperFetch)

Components

Tracing and logging

Scenarios

Page priority and rebalancing

Robust performance

ReadyBoost

ReadyDrive

Process reflection

Conclusion

Chapter 6   I/O system 483

I/O system components

The I/O manager

Typical I/O processing

Interrupt Request Levels and Deferred Procedure Calls

Interrupt Request Levels

Deferred Procedure Calls

Device drivers

Types of device drivers

Structure of a driver

Driver objects and device objects

Opening devices

I/O processing

Types of I/O

I/O request packets

I/O request to a single-layered hardware-based driver

I/O requests to layered drivers

Thread-agnostic I/O

I/O cancellation

I/O completion ports

I/O prioritization

Container notifications

Driver Verifier

I/O-related verification options

Memory-related verification options

The Plug and Play manager

Level of Plug and Play support

Device enumeration

Device stacks

Driver support for Plug and Play

Plug-and-play driver installation

General driver loading and installation

Driver loading

Driver installation

The Windows Driver Foundation

Kernel-Mode Driver Framework

User-Mode Driver Framework

The power manager

Connected Standby and Modern Standby

Power manager operation

Driver power operation

Driver and application control of device power

Power management framework

Power availability requests

Conclusion

Chapter 7   Security

Security ratings

Trusted Computer System Evaluation Criteria

The Common Criteria

Security system components

Virtualization-based security

Credential Guard

Device Guard

Protecting objects

Access checks

Security identifiers

Virtual service accounts

Security descriptors and access control

Dynamic Access Control

The AuthZ API

Conditional ACEs

Account rights and privileges

Account rights

Privileges

Super privileges

Access tokens of processes and threads

Security auditing

Object access auditing

Global audit policy

Advanced Audit Policy settings

AppContainers

Overview of UWP apps

The AppContainer

Logon

Winlogon initialization

User logon steps

Assured authentication

Windows Biometric Framework

Windows Hello

User Account Control and virtualization

File system and registry virtualization

Elevation

Exploit mitigations

Process-mitigation policies

Control Flow Integrity

Security assertions

Application Identification

AppLocker

Software Restriction Policies

Kernel Patch Protection

PatchGuard

HyperGuard

Conclusion

Index