Microsoft Windows Kernel Architecture

Question 1

Operating systems are fundamentally an abstraction layer between users and physical components:

Answer 1

• Simplification of interactions
• Ability to replace components, at times including emulation
• Most modern systems provide different types of multiplexing and protective mechanisms
• Requirements vary considerably: General-purpose systems value responsive multi-programming, transaction processing can be accomplished with batch programming and real-time systems require provable response-time boundaries

Question 2

Core Operating System Functions - Scheduling:

Answer 2

• Prioritisation, fairness

* Deadlock avoidance

Question 3

Core Operating System Functions - Memory Management:

Answer 3

• Protection of concurrent programs, self-protection

* Virtual memory abstraction

Question 4

Core Operating System Functions - Storage Management:

Answer 4

Persistent storage provisioning in a consistent abstraction

Question 5

Core Operating System Functions - I/O Management:

Answer 5

• Abstraction of hardware properties

* Synchronization and concurrency management

Question 6

Most modern operating systems use a modular or layered construction. Privileges are also used in different modes or rings, Windows uses…

Answer 6

Ring based approach, but with only two rings active. Legacy of the original multi-platform design : MIPS, PPC. Only supported two modes. Important ramifications for security

Question 7

While subsequent generations have embellished the architecture of Windows NT…

Answer 7

The current generation (Win8) takes a step back an uses a more minimal (MinWin) core. Several subsystems have since been added, but some also have been depreciated

Question 8

The Universal Windows Platform app mechanism introduces a parallel user mode layer; on desktop platforms the Win32 layer will be retained. UAP is a…

Answer 8

Superset of the earlier Windows 8, RT and WinRT user-mode runtime environment based in part of the Metro interface. UAP Applications are sandboxed and restricted to only a subset of the Win32 and COM APIs either via a Windows Runtime component or the Platform Invocation Services

Question 9

The Hardware Abstraction Layer (HAL) provides an abstraction to upper kernel layers that insulates particulars of given hardware platforms, primarily:

Answer 9

• Multi-processor, multi-core and independent execution units
• Interrupt controllers
• Low-level I/O interfaces

Question 10

Layered between the HAL and Executive is the Kernel, which was the core of the original microkernel design:

Answer 10

Layered between the HAL and Executive is the Kernel, which was the core of the original microkernel design:

Question 11

Executive Components - Object Manager:

Answer 11

Windows uses objects to encapsulate most resources, their creation, destruction, control and protection is handled through the Object Manager, which also provides name spaces

Question 12

Executive Components - Objects are divided into Administrative Elements:

Answer 12

Name, handle and reference count, type information

Question 13

Executive Components - Kernel Objects:

Answer 13

Owned by the kernel

Question 14

Executive Components - Executive Objects:

Answer 14

Owned by the executive, if it is not an outright kernel object

Question 15

Executive Components - Configuration Manager:

Answer 15

Responsible for implementation and management of Registry database

Question 16

Executive Components - Advanced Local Procedure Call:

Answer 16

Message passing interface between client and server processes, also used as local transport for RPC calls

Question 17

Executive Components - I/O Manager:

Answer 17

Provides device-independent I/O and is the interface to layered device driver

Question 18

Executive Components - Cache Manager:

Answer 18

Retains recently referenced file I/O in memory and manages deferred writing of cache content, cache replacement. Tied closely to the Memory Manager

Question 19

Executive Components - Process Manager:

Answer 19

Creates and terminates threads and processes, mainly as a layered service on top of the microkernel

Question 20

Executive Components - Memory Manager:

Answer 20

Implements Virtual Memory Management, including providing virtual address spaces, fie mapping, locking of physical memory and shared memory

Question 21

Executive Components - Power Manager:

Answer 21

Coordinates power events and generates notifications to device drivers and can put CPU to sleep in idle conditions

Question 22

Executive Components - Plug & Play:

Answer 22

Determines types of drivers required to support devices and loads installs driver packages. Also assigns resources and must handle system notifications of device addition or removal

Question 23

Executive Components - System Reference Monitor:

Answer 23

Enforces security policies on the local computer system, performs run-time object protection and auditing, communicates with user-mode components

Question 24

Executive Components - Kernel-Mode Driver Contains Windows Subsystems - GDI

Answer 24

Abstraction layer for graphics interfaces (2D)

Question 25

Executive Components - Kernel-Mode Driver Contains Windows Subsystems - DXG:

Answer 25

Provides a wrapper and access interface for other services via a common interface (DDI)

Question 26

Executive Components - Kernel-Mode Driver Contains Windows Subsystems - USER:

Answer 26

Provides window manager and graphics services including keyboard and mouse, messaging services

Question 27

Executive Components - Hypervisor Library:

Answer 27

Kernel support for Hyper-V virtualisation and operating in a client partition of a virtual machine environment

Question 28

Executive Components - Kernel Transaction Manager:

Answer 28

Provides a common 2-phase commit protocol for resource managers including transactional registry and transactional NTFS

Question 29

Executive Components - Kernel Debugger Library:

Answer 29

Provides access to kernel debuggers using KD protocol layers

Question 30

Executive Components - Errata Manager:

Answer 30

Contains workarounds for non-standard hardware, known errors, or non-compliant hardware components

Question 31

The I/O subsystem must meet multiple objectives:

Answer 31

• Insulate shareable resources and provide abstractions
• Dynamic loading and unloading of device drivers
• Providing layered device drivers for extensions and modifications to driver behaviour
• Supporting installable file systems

Question 32

Microsoft Windows I/O Components - I/O Manager:

Answer 32

Orchestrates I/O processing and connects application and kernel components

Question 33

Microsoft Windows I/O Components - Device Drivers:

Answer 33

Provides I/O interfaces for a particular device or class of devices in case of layered drivers. May also only provide aspects to other drivers

Question 34

Microsoft Windows I/O Components - PnP Manager:

Answer 34

Allocates resources, monitors and manages addition and removal devices. This is performed in coordination with the I/O Manager and bus drivers for gives types of interfaces

Question 35

Microsoft Windows I/O Components - Power Manager:

Answer 35

Handles power-state transitions, individual power states must be realised by device drivers

Question 36

Microsoft Windows I/O Components - Windows Management Instrumentation (WMI):

Answer 36

The Windows Management Instrumentation (WMI), also referred to as the Windows Driver Model (WDM) support, provides an interface with the user-mode WMI service

Question 37

Microsoft Windows I/O Components - Registry:

Answer 37

The registry holds a database for basic device data and individual driver configurations

Question 38

Microsoft Windows I/O Components - Configuration Files:

Answer 38

Driver installation files (.INF files) are scripts describing specific devices

Question 39

Microsoft Windows I/O Components - HAL:

Answer 39

The HAL provides abstractions for I/O mechanisms and is the bus driver “root” for all devices and interfaces on the mainboard

Question 40

I/O Request Flow:

Answer 40

User-Mode API > I/O System API > Kernel-Mode Device Drivers > HAL I/O Access Routines > I/O Ports and Registers

Question 41

User-Mode Device Driver - Virtual Device Drivers:

Answer 41

VDDs are only for 16-bit legacy systems are no longer supported on 64-bit platforms

Question 42

User-Mode Device Driver - Printer Drivers:

Answer 42

Responsible for translating device-independent graphics commands to device-specific ones. These are typically forwarded to kernel-mode port drivers

Question 43

User-Mode Device Driver - UMDF:

Answer 43

The User-Mode Driver Framework allows drivers to be hosted in used mode

Question 44

Kernel-Mode Device Driver - File System Drivers:

Answer 44

This type of layered driver accepts I/O requests for files and translates them into mass-storage or network driver requests, potentially across multiple layers

Question 45

Kernel-Mode Device Driver - Plug and Play Drivers:

Answer 45

These are aware of PnP and interoperate with the PnP and Power Manager

Question 46

Kernel-Mode Device Driver - Non-PnP Drivers:

Answer 46

May either be legacy drivers or ones that are not linked to specific hardware such as when extending kernel functionalities

Question 47

Kernel-Mode Device Driver - Windows Display Driver Model (WDDM):

Answer 47

The Windows Display Driver Model introduced with Vista and changed in each version since

Question 48

Windows Driver Model - Bus Drivers:

Answer 48

These Manage physical or logical buses and are responsible for handling device additions and removals together with the PnP manager, power setting for the bus and communicating with attached devices

Question 49

Windows Driver Model - Function Drivers:

Answer 49

These handle the actual devices as presented through the PnP manager and bus driver and provide the operating system with an interface to device functions

Question 50

Windows Driver Model - Filter Drivers:

Answer 50

These can be logically layered above or below function drivers and modify or extend behaviour of a device or another device driver

Question 51

Windows Driver Model - Miniport Drivers:

Answer 51

Provide a mapping of generic I/O to a port into requests specific to a device

Question 52

Simple Layering Example (File Access):

Answer 52

1) User-mode component places call: NtWriteFile(file_handle, buffer)
2) System services translate call into I/O Manager requests
3) I/O Manager instructs file system driver(FSD) to write at specific offset into a file
4) FSD translates file-relative to volume-relative offsets and calls next driver via I/O Manager
5) I/O Manager calls disk driver to write data at specified volume-relative offset
6) Disk driver translates volume-relative offset into disk-relative offset and transfers data

Question 53

Display drivers have been dealt with as a special case since Windows NT 4.0 resulting in a number of legacy interfaces:

Answer 53

• With increasing graphics processing unit (GPU) power, off-loading of computations and rapid memory access became more important
• The WDDM differs from the regular WDM and has also undergone significant changes, including in to WDDM 2.0 in Windows 10 introducing GPU virtual addressing - previously GPUs were able to access main memory directly, placing a burden on the host to manage virtual memory
• Code on the GUP running in physical rather than virtual address mode may independently read and modify arbitrary memory locations

Question 54

One design objective for Windows was to consolidate system and user configuration data into a common database format…

Answer 54

This is separated into multiple databases based on usage

Question 55

Some applications may still use custom configuration file formats…

Answer 55

• These can come in different formats, the legacy .INI format is merely one of them: Unstructured and un-typed key/value pairs
• Others may include separate or proprietary database formats, RDF, plain or customised XML files or relational databases

Question 56

Registry Database - Keys:

Answer 56

Can be considered similar to directories in file systems and may themselves contain subkeys. Top-level keys are referred to as root keys

Question 57

Registry Database - Values:

Answer 57

Can be considered comparable to files

Question 58

Registry Sections and Hives - HKEY_CURRENT_USER:

Answer 58

Data associated with the currently logged-on user. This is stored in a separate file (NTUSER.DAT or USRCLASS.DAT) and can be used in a roaming profile

Question 59

Registry Sections and Hives - HKEY_CLASSES_ROOT:

Answer 59

File associations and Component Object Model (COM) object registration information. This information is merged from machine- and user-specific data

Question 60

Registry Sections and Hives - HKEY_LOCAL_MACHINE:

Answer 60

System-related information for the local machine (authentication or SAM, security, software and system keys; hardware-related keys are generated dynamically and are not stored in the database)

Question 61

Registry Sections and Hives - HKEY_USERS:

Answer 61

Data for all local user accounts

Question 62

Registry Sections and Hives - HKEY_PERFORMANCE_DATA:

Answer 62

Performance information

Question 63

Registry Sections and Hives - HKEY_CURRENT_CONFIG:

Answer 63

Volatile information generated at boot time and amended during run-time

Question 64

In networked Windows environments, user authentication and data as well as access control is often maintained via Active Directory…

Answer 64

This is an extended version of the LDAP protocol. A number of further services (Kerberos authentication, name resolution, network administration) are also supported. Organisation is into domains and forests and can replicate across sites and trust hierarchies

Question 65

The interacts with local configuration databases and the local authentication and Security Account Manager (SAM) subsystem. Access and changes to a local registry can also be…

Answer 65

Constrained by Group Policy entries among other attributes. This is typically used in larger enterprise environments