Vital Statistics

Title Inside Windows NT, Second Edition Author David A. Solomon Publisher Microsoft Press Redmond, Washington Copyright 1998 ISBN 1-57231-677-2 Pages 528 Price $39.99

Up Close And Personal With Windows NT's Architecture

Compared to its main competitors (especially the various flavors of UNIX), Windows NT is a young operating system. Thanks to Microsoft's gigantic efforts, though, it has quickly evolved to the point of being a reasonably mature environment for serious corporate applications. Moreover, steadily increasing funds have allowed the Redmond-based juggernaut to continue investing in cranking out state-of-the-art technologies geared toward enterprise development, making it an attractive platform for high-end business scenarios at competitive costs.

While learning about the latest subsystems and APIs remains an imperative for cutting-edge software engineers, it is arguable that a solid understanding of the hidden workings of the operating system remarkably improves both their debugging skills and their ability to recognize how each novel addition fits in the big picture.

A direct consequence of the relatively short time Windows NT has been in use in the industry is represented by the lack of punctual and accurate information about the internals of the system, as opposed to the abundance of texts treating higher level themes. The first edition of Inside Windows NT, written by Helen Custer of Microsoft and based on version 3.1 of the product, was indeed one of the best titles falling into the first category. From that solid ground David Solomon has jumped in, updated the contents, and also added a lot of new insights on those topics that characterize the latest releases of Windows NT. The result is not only an up-to-date reproposition of the former book -- it is a largely restructured and organically reorganized manual, whose focus is on Windows NT 4.0 with Service Pack 3. Frequent marginal notes and the entire final chapter also anticipate what to expect from the upcoming Windows NT 5.0.

After spending some pages delineating its target and introducing the basic elements that make up the foundation of NT, the book digs deeper and unveils the logic of most aspects of the system. Processes and threads, the mythical memory manager (whose vivisection turned out particularly well), the cache manager, the HAL (acronym for Hardware Abstraction Layer) and the Executive, kernel mode components, and security are just some of the myriad topics covered throughout the chapters. Things like GDI, USER, networking and COM are deliberately left out, as each of them would deserve an entire book. The level of detail is excellent, but I was just as impressed by the high degree of readability and, in general, by the ability of the author to follow a progressive approach in presenting new material without losing sight of the organic whole. The strength of this book’s educational aspect is a big upside considering the innate complexity of the subject, and renders Inside Windows NT an extraordinary candidate as a textbook in support of professional seminars and academic courses.

As per the target, the author geared the majority of the chapters toward advanced system administrators and developers of systems software. Some chapters deal intensively with intimate aspects of Win32 and therefore will more likely interest the hardcore software engineer than the administrator. The focus always stays on the logic and implementation of the components being analyzed. Don't expect direct coverage of programming with the API or any source code to cut and paste into your next application. This is not to say Inside Windows NT is solely theoretical: several exercises (called "experiments") guide the reader in the personal verification of some concepts, and many of them even help familiarize you with the low-level debugging and monitoring tools provided by the SDK and the resource kit.

Solomon’s background reveals his extensive experience with Windows NT and previously with VMS (to which the very first NT version owes a lot) and in communicating his results to others. In this book, his already ample knowledge is complemented by the special privilege of unlimited access to the source code of the operating system that the Windows NT development group in Microsoft granted to the author .

The strict collaboration with Microsoft also led to some inevitable bias. Although the internals of the system are analyzed quite exhaustively, there is little room for undocumented tricks, critiques on questionable design or implementation choices (sticking to the text it would seem as if there weren't any), or anything else that might put the company in a bad light. If you previously read Andrew Schulman's Undocumented Windows, or Matt Pietrek's Windows 95 Systems Programming Secrets, you will notice the difference. It's a trade-off; what it misses in impartiality it makes up in detail. Ultimately, the reader has the final word on whether it was worth it.

-- Davide Marcato (marcato@programmers.net)

Excerpts from Inside Windows NT, 2nd Edition

From Chapter 3 ("System Mechanisms"), page 127

"Executive software outside the kernel also needs to synchronize access to global data structures in a multiprocessor environment. For example, the memory manager has only one page frame database, which it accesses as a global data structure, and device drivers need to ensure that they can get exclusive access to their devices. By calling kernel functions, the executive can create a spinlock, acquire it, and release it. Spinlocks only partially fill the executive's needs for synchronization mechanisms, however. Because waiting on a spinlock literally stalls a processor, spinlocks can be used only under the following strictly limited circumstances [...]"

From Chapter 5 ("Memory Management"), page 228

"There are two types of nonpaged pools: one for general use and a small one (four pages) reserved for emergency use when nonpaged pool is full and the caller can't tolerate allocation failures. Uniprocessor systems have two paged pools; multiprocessor systems have four. Having more than one paged pool reduces the frequency of system code blocking on simultaneous calls to pool routines. Both nonpaged and paged pool grow automatically to a system-defined maximum computed at system boot time. The initial size of these pools is also calculated on system initialization and depends on memory size. You can override the initial size of these pools by changing HKLM\System...\Control \Session Manager\Memory Management\NonPagedPoolSize or \PagedPoolSize from 0 (which causes the system to compute the size) to the size desired in bytes. You can't, however, increase the system-defined maximum size."

From Chapter 9 ("Windows NT File System (NTFS)"), page 428-429

"A recoverable file system tries to exceed the safety of a careful write file system while achieving the performance of a lazy write file system. A recoverable file system ensures volume consistency by using logging techniques originally developed for transaction processing. If the operating system crashes, the recoverable file system restores consistency by executing a recovery procedure that accesses information that has been stored in a log file. Because the file system has logged its disk writes, the recovery procedure takes only seconds, regardless of size of the volume. The NTFS recovery procedure is exact, guaranteeing that the volume will be restored to a consistent state. None of the inadequate restorations associated with lazy write file systems can happen with NTFS."

Table Of Contents

• Foreword xv
• Acknowledgments xix
• Introduction xxi

Chapter 1

• Concepts and Tools 1
• Foundation Concepts and Terms 1
• Win32 API 1
• Services, Functions, and Routines 3
• Processes and Threads 4
• Virtual Memory 6
• Kernel Mode vs. User Mode 8
• Objects and Handles 12
• Security 13
• Registry 14
• Networking 15
• Unicode 16
• Tools for Digging into Windows NT Internals 17
• Windows NT Resource Kits 18
• Platform SDK and Windows NT DDK 19
• Key Windows NT Base Tools 19
• Free Builds and Checked Builds 22
• Examining Internal Data Structures and Variables 25
• Conclusion 25

Chapter 2

• System Architecture 27
• Requirements and Design Goals 27
• Operating System Models 28
• Architecture Overview 32
• Portability 34
• Symmetric Multiprocessing 35
• Windows NT Workstation vs. Windows NT Server 39
• Key System Components 44
• Environment Subsystems and Subsystem DLLs 45
• NTDLL.DLL 58
• Executive 59
• Kernel 60
• Hardware Abstraction Layer (HAL) 63
• Device Drivers 64
• Peering into Undocumented Interfaces 66
• System Processes 70
• Conclusion 79

Chapter 3

• System Mechanisms 81
• Trap Dispatching 81
• Interrupt Dispatching 83
• Exception Dispatching 94
• System Service Dispatching 99
• Object Manager 101
• Executive Objects 104
• Object Structure 106
• Synchronization 123
• Kernel Synchronization 125
• Executive Synchronization 127
• Windows NT Global Flags 135
• Local Procedure Calls (LPCs) 137
• Conclusion 140

Chapter 4

• Processes and Threads 141
• Process Internals 141
• Data Structures 141
• System Variables 148
• Performance Counters 148
• Relevant Functions 150
• Relevant Tools 151
• Flow of CreateProcess 156
• Stage 1: Opening the Image to Be Executed 159
• Stage 2: Creating the Windows NT Executive Process Object 162
• Stage 3: Creating the Initial Thread and Its Stack and Context 168
• Stage 4: Notifying the Win32 Subsystem About the New Process 168
• Stage 5: Starting Execution of the Initial Thread 169
• Stage 6: Performing Process Initialization in the Context of the New
• Process 170
• Thread Internals 171
• Data Structures 171
• System Variables 175
• Performance Counters 176
• Relevant Functions 177
• Relevant Tools 178
• Flow of CreateThread 180
• Thread Scheduling 184
• Overview of Windows NT Scheduling 184
• Priority Levels 187
• Win32 Scheduling APIs 189
• Relevant Tools 190
• Real-Time Priorities 192
• Interrupt Levels vs. Priority Levels 193
• Thread States 194
• Quantum 195
• Scheduling Data Structures 197
• System Variables 198
• Scheduling Scenarios 199
• Context Switching 203
• Idle Thread 204
• Adjusting Thread Scheduling 204
• Thread Scheduling on Symmetric Multiprocessing Systems 212
• Conclusion 215

Chapter 5

• Memory Management 217
• Services the Memory Manager Provides 218
• Reserving and Committing Virtual Memory 219
• Shared Memory and Mapped Files 220
• Protecting Memory 222
• Copy-On-Write 224
• Heap Functions 226
• System Memory Pools 227
• Digging into the Memory Manager 232
• Components 232
• Internal Synchronization 233
• Tuning the Memory Manager 234
• Examining Memory Usage 236
• Address Space Layout 238
• User Address Space Layout 241
• System Address Space Layout 246
• Address Translation 250
• Translating a Virtual Address 252
• Page Directories 254
• Process and System Page Tables 256
• Page Table Entries 256
• Byte Within Page 261
• Translation Look-Aside Buffer 261
• Page Fault Handling 265
• Invalid PTEs 266
• Prototype PTEs 267
• In-Paging I/O 269
• Collided Page Faults 270
• Page Files 271
• Virtual Address Descriptors 273
• Working Sets 276
• Paging Policies 276
• Process Working Sets 278
• Balance Set Manager and Swapper 281
• System Working Set 282
• Page Frame Database 285
• Page List Dynamics 290
• Modified Page Writer 292
• PFN Data Structures 294
• Section Objects 298
• Conclusion 304

Chapter 6

• Security 305
• Security System Components 307
• Protecting Objects 310
• Security Descriptors and Access Control 310
• Access Tokens and Impersonation 315
• Security Auditing 320
• Logon 321
• WinLogon Initialization 322
• User Logon Steps 323
• Conclusion 324

Chapter 7

• The I/O System 325
• I/O System Structure and Model 326
• I/O Manager 328
• I/O Functions 329
• Device Drivers 332
• Structure of a Driver 338
• Synchronization 340
• Data Structures 341
• File Objects 341
• Driver Objects and Device Objects 344
• I/O Request Packet 348
• I/O Processing 350
• I/O Request to a Single-Layered Driver 350
• I/O Requests to Layered Drivers 356
• Conclusion 360

Chapter 8

• Cache Manager 363
• Key Features of the Windows NT Cache Manager 363
• Single, Centralized System Cache 364
• The Memory Manager 364
• Cache Coherency 365
• Virtual Block Caching 367
• Stream-Based Caching 367
• Recoverable File System Support 368
• Cache Structure 369
• Cache Size 371
• Cache Virtual Size 371
• Cache Physical Size 372
• Cache Data Structures 374
• Systemwide Cache Data Structures 375
• Per-File Cache Data Structures 376
• Cache Operation 378
• Write-Back Caching and Lazy Writing 379
• Intelligent Read-Ahead 382
• System Threads 384
• Fast I/O 385
• Cache Support Routines 387
• Copying to and from the Cache 388
• Caching with the Mapping and Pinning Interfaces 389
• Caching with the Direct Memory Access Interfaces 390
• Write Throttling 392
• Conclusion 393

Chapter 9

• Windows NT File System (NTFS) 395
• NTFS Design Goals and Features 395
• High-End File System Requirements 395
• Additional Features in NTFS 399
• NTFS Internal Structure 402
• NTFS On-Disk Structure 405
• Volumes 405
• Clusters 406
• Master File Table (MFT) 407
• File Reference Numbers 410
• Files Records 410
• Filenames 412
• Resident and Nonresident Attributes 415
• Filename Indexing 419
• Data Compression 421
• Recoverability Support 426
• Evolution of File System Design 426
• Logging 430
• Recovery 436
• Fault Tolerance Support 440
• Volume Management Features 440
• Fault Tolerant Volumes 443
• NTFS Bad-Cluster Recovery 445
• Conclusion 450

Chapter 10

• Windows NT 5.0 and Beyond 451
• Overview of the New Features in Windows NT 5.0 451
• Active Directory 452
• Distributed Security Extensions 453
• Encryption 455
• Security Configuration Editor 457
• Distributed File Services 457
• NTFS Extensions 458
• Microsoft Management Console 459
• Microsoft Software Installer 460
• Storage Management 461
• IntelliMirror 461
• Application Development 462
• Job Object 462
• Plug and Play and WDM 464
• Very Large Memory on Alpha 465
• User Improvements 467
• System Extensions 470
• Clusters 470
• Microsoft Terminal Server 470
• Plug and Play and Power Management 472
• The Evolution of Plug and Play 473
• Windows NT 5.0 Implementation 473
• Driver Changes 475
• Windows NT 5.0 Plug and Play Architecture 476
• 64-Bit Windows NT 480
• Conclusion 481

Glossary 483

Index 505 

Quick Rating

Readability
Originality
Organization
Accuracy
Consistency
Depth
Timeliness
Editing
Design
Overall Value

Explanation of ERCB rating scale: No stars = unacceptable, 1 Star = marginal, 2 Stars = average, 3 Stars = above average, 4 Stars = exceptional.