Windows Internals
Seventh Edition
Part 2

Andrea Allievi
Alex Ionescu
Mark E. Russinovich
David A. Solomon
WINDOWS INTERNALS, SEVENTH EDITION, PART 2
Published with the authorization of Microsoft Corporation by:
Pearson Education, Inc.

Copyright © 2022 by Pearson Education, Inc.

All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions.

No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-13-546240-9
ISBN-10: 0-13-546240-1

Library of Congress Control Number: 2021939878

TRADEMARKS
Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

WARNING AND DISCLAIMER
Every effort has been made to make this book as complete and as accurate
on an “as is” basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the programs accompanying it.

SPECIAL SALES
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corp-[email protected] or (800) 382-3419.

For government sales inquiries, please contact [email protected].

For questions about sales outside the U.S., please contact [email protected].

Editor-in-Chief: Brett Bartow
Development Editor: Mark Renfrow
Managing Editor: Sandra Schroeder
Senior Project Editor: Tracey Croom
Executive Editor: Loretta Yates
Production Editor: Dan Foster
Copy Editor: Charlotte Kughen
Indexer: Valerie Haynes Perry
Proofreader: Dan Foster
Technical Editor: Christophe Nasarre
Editorial Assistant: Cindy Teeters
Cover Designer: Twist Creative, Seattle
Compositor: Danielle Foster
Graphics: Vived Graphics
To my parents, Gabriella and Danilo, and to my brother, Luca, who all always believed in me and pushed me in following my dreams.
—ANDREA ALLIEVI

To my wife and daughter, who never give up on me and are a constant source of love and warmth. To my parents, for inspiring me to chase my dreams and making the sacrifices that gave me opportunities.
—ALEX IONESCU
Contents at a Glance

About the Authors xviii
Foreword xx
Introduction xxiii

CHAPTER 8 System mechanisms 1
CHAPTER 9 Virtualization technologies 267
CHAPTER 10 Management, diagnostics, and tracing 391
CHAPTER 11 Caching and file systems
CHAPTER 12 Startup and shutdown 777

Contents of Windows Internals, Seventh Edition, Part 1 851

Index 861
Contents
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xx
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

Chapter 8 System mechanisms 1

Processor execution model . . . . . . . . . . . . . . . . 2
Segmentation . . . . . . . . . . . . . . . . 2
Task state segments . . . . . . . . . . . . . . . . 6

Hardware side-channel vulnerabilities . . . . . . . . . . . . . . . . 9
Out-of-order execution . . . . . . . . . . . . . . . . 10
The CPU branch predictor . . . . . . . . . . . . . . . . 11
The CPU cache(s) . . . . . . . . . . . . . . . . 12
Side-channel attacks . . . . . . . . . . . . . . . . 13

Side-channel mitigations in Windows . . . . . . . . . . . . . . . . 18
KVA Shadow . . . . . . . . . . . . . . . . 18
Hardware indirect branch controls (IBRS, IBPB, STIBP, SSBD) . . . . . . . . . . . . . . . . 21
Retpoline and import optimization . . . . . . . . . . . . . . . . 23
STIBP pairing . . . . . . . . . . . . . . . . 26

Trap dispatching . . . . . . . . . . . . . . . . 30
Interrupt dispatching . . . . . . . . . . . . . . . . 32
Line-based versus message signaled–based interrupts . . . . . . . . . . . . . . . . 50
Timer processing . . . . . . . . . . . . . . . . 66
System worker threads . . . . . . . . . . . . . . . . 81
Exception dispatching . . . . . . . . . . . . . . . . 85
System service handling . . . . . . . . . . . . . . . . 91

WoW64 (Windows-on-Windows) . . . . . . . . . . . . . . . . 104
The WoW64 core . . . . . . . . . . . . . . . . 106
File system redirection . . . . . . . . . . . . . . . . 109
Registry redirection . . . . . . . . . . . . . . . . 110
X86 simulation on AMD64 platforms . . . . . . . . . . . . . . . . 111
ARM . . . . . . . . . . . . . . . . 113
Memory models . . . . . . . . . . . . . . . . 114
ARM32 simulation on ARM64 platforms . . . . . . . . . . . . . . . . 115
X86 simulation on ARM64 platforms . . . . . . . . . . . . . . . . 115

Object Manager . . . . . . . . . . . . . . . . 125
Executive objects . . . . . . . . . . . . . . . . 127
Object structure . . . . . . . . . . . . . . . . 131

Synchronization . . . . . . . . . . . . . . . . 170
High-IRQL synchronization . . . . . . . . . . . . . . . . 172
Low-IRQL synchronization . . . . . . . . . . . . . . . . 177

Advanced local procedure call . . . . . . . . . . . . . . . . 209
Connection model . . . . . . . . . . . . . . . . 210
Message model . . . . . . . . . . . . . . . . 212
Asynchronous operation . . . . . . . . . . . . . . . . 214
Views, regions, and sections . . . . . . . . . . . . . . . . 215
Attributes . . . . . . . . . . . . . . . . 216
Blobs, handles, and resources . . . . . . . . . . . . . . . . 217
Handle passing . . . . . . . . . . . . . . . . 218
Security . . . . . . . . . . . . . . . . 219
Performance . . . . . . . . . . . . . . . . 220
Power management . . . . . . . . . . . . . . . . 221
ALPC direct event attribute . . . . . . . . . . . . . . . . 222
Debugging and tracing . . . . . . . . . . . . . . . . 222

. . . . . . . . . . . . . . . . 224
WNF features . . . . . . . . . . . . . . . . 225
WNF users . . . . . . . . . . . . . . . . 226
WNF state names and storage . . . . . . . . . . . . . . . . 233
WNF event aggregation . . . . . . . . . . . . . . . . 237

User-mode debugging . . . . . . . . . . . . . . . . 239
Kernel support . . . . . . . . . . . . . . . . 239
Native support . . . . . . . . . . . . . . . . 240
Windows subsystem support . . . . . . . . . . . . . . . . 242

Packaged applications . . . . . . . . . . . . . . . . 243
UWP applications . . . . . . . . . . . . . . . . 245
Centennial applications . . . . . . . . . . . . . . . . 246
The Host Activity Manager . . . . . . . . . . . . . . . . 249
The State Repository . . . . . . . . . . . . . . . . 251
The Dependency Mini Repository . . . . . . . . . . . . . . . . 255
Background tasks and the Broker Infrastructure . . . . . . . . . . . . . . . . 256
Packaged applications setup and startup . . . . . . . . . . . . . . . . 258
Package activation . . . . . . . . . . . . . . . . 259
Package registration . . . . . . . . . . . . . . . . 265

Conclusion . . . . . . . . . . . . . . . . 266

Chapter 9 Virtualization technologies 267

The Windows hypervisor . . . . . . . . . . . . . . . . 267
Partitions, processes, and threads . . . . . . . . . . . . . . . . 269
The hypervisor startup . . . . . . . . . . . . . . . . 274
The hypervisor memory manager . . . . . . . . . . . . . . . . 279
Hyper-V schedulers . . . . . . . . . . . . . . . . 287
Hypercalls and the hypervisor TLFS . . . . . . . . . . . . . . . . 299
Intercepts . . . . . . . . . . . . . . . . 300
The synthetic interrupt controller (SynIC) . . . . . . . . . . . . . . . . 301
The Windows hypervisor platform API and EXO partitions . . . . . . . . . . . . . . . . 304
Nested virtualization . . . . . . . . . . . . . . . . 307
The Windows hypervisor on ARM64 . . . . . . . . . . . . . . . . 313

The virtualization stack . . . . . . . . . . . . . . . . 315
Virtual machine manager service and worker processes . . . . . . . . . . . . . . . . 315
The VID driver and the virtualization stack memory manager . . . . . . . . . . . . . . . . 317
The birth of a Virtual Machine (VM) . . . . . . . . . . . . . . . . 318
VMBus . . . . . . . . . . . . . . . . 323
Virtual hardware support . . . . . . . . . . . . . . . . 329
VA-backed virtual machines . . . . . . . . . . . . . . . . 336

Virtualization-based security (VBS) . . . . . . . . . . . . . . . . 340
Virtual trust levels (VTLs) and Virtual Secure Mode (VSM) . . . . . . . . . . . . . . . . 340
Services provided by the VSM and requirements . . . . . . . . . . . . . . . . 342

The Secure Kernel . . . . . . . . . . . . . . . . 345
Virtual interrupts . . . . . . . . . . . . . . . . 345
Secure intercepts . . . . . . . . . . . . . . . . 348
VSM system calls . . . . . . . . . . . . . . . . 349
Secure threads and scheduling . . . . . . . . . . . . . . . . 356
The Hypervisor Enforced Code Integrity . . . . . . . . . . . . . . . . 358
UEFI runtime virtualization . . . . . . . . . . . . . . . . 358
VSM startup . . . . . . . . . . . . . . . . 360
The Secure Kernel memory manager . . . . . . . . . . . . . . . . 363
Hot patching . . . . . . . . . . . . . . . . 368

Isolated User Mode . . . . . . . . . . . . . . . . 371
Trustlets creation . . . . . . . . . . . . . . . . 372
Secure devices . . . . . . . . . . . . . . . . 376
VBS-based enclaves . . . . . . . . . . . . . . . . 378
System Guard runtime attestation . . . . . . . . . . . . . . . . 386

Conclusion . . . . . . . . . . . . . . . . 390

Chapter 10 Management, diagnostics, and tracing 391

The registry . . . . . . . . . . . . . . . . 391
Viewing and changing the registry . . . . . . . . . . . . . . . . 391
Registry usage . . . . . . . . . . . . . . . . 392
Registry data types . . . . . . . . . . . . . . . . 393
Registry logical structure . . . . . . . . . . . . . . . . 394
Application hives . . . . . . . . . . . . . . . . 402
Transactional Registry (TxR) . . . . . . . . . . . . . . . . 403
Monitoring registry activity . . . . . . . . . . . . . . . . 404
Process Monitor internals . . . . . . . . . . . . . . . . 405
Registry internals . . . . . . . . . . . . . . . . 406
Hive reorganization . . . . . . . . . . . . . . . . 414
The registry namespace and operation . . . . . . . . . . . . . . . . 415
Stable storage . . . . . . . . . . . . . . . . 418
. . . . . . . . . . . . . . . . 422
Registry virtualization . . . . . . . . . . . . . . . . 422
Registry optimizations . . . . . . . . . . . . . . . . 425

Windows services . . . . . . . . . . . . . . . . 426
Service applications . . . . . . . . . . . . . . . . 426
Service accounts . . . . . . . . . . . . . . . . 433
The Service Control Manager (SCM) . . . . . . . . . . . . . . . . 446
Service control programs . . . . . . . . . . . . . . . . 450
Autostart services startup . . . . . . . . . . . . . . . . 451
Delayed autostart services . . . . . . . . . . . . . . . . 457
Triggered-start services . . . . . . . . . . . . . . . . 458
Startup errors . . . . . . . . . . . . . . . . 459
Accepting the boot and last known good . . . . . . . . . . . . . . . . 460
Service failures . . . . . . . . . . . . . . . . 462
Service shutdown . . . . . . . . . . . . . . . . 464
Shared service processes . . . . . . . . . . . . . . . . 465
Service tags . . . . . . . . . . . . . . . . 468
User services . . . . . . . . . . . . . . . . 469
Packaged services . . . . . . . . . . . . . . . . 473
Protected services . . . . . . . . . . . . . . . . 474

Task scheduling and UBPM . . . . . . . . . . . . . . . . 475
The Task Scheduler . . . . . . . . . . . . . . . . 476
. . . . . . . . . . . . . . . . 481
Task Scheduler COM interfaces . . . . . . . . . . . . . . . . 486

Windows Management Instrumentation . . . . . . . . . . . . . . . . 486
WMI architecture . . . . . . . . . . . . . . . . 487
WMI providers . . . . . . . . . . . . . . . . 488
The Common Information Model and the Managed Object Format Language . . . . . . . . . . . . . . . . 489
Class association . . . . . . . . . . . . . . . . 493
WMI implementation . . . . . . . . . . . . . . . . 496
WMI security . . . . . . . . . . . . . . . . 498

Event Tracing for Windows (ETW) . . . . . . . . . . . . . . . . 499
ETW initialization . . . . . . . . . . . . . . . . 501
ETW sessions . . . . . . . . . . . . . . . . 502
ETW providers . . . . . . . . . . . . . . . . 506
Providing events . . . . . . . . . . . . . . . . 509
ETW Logger thread . . . . . . . . . . . . . . . . 511
Consuming events . . . . . . . . . . . . . . . . 512
System loggers . . . . . . . . . . . . . . . . 516
ETW security . . . . . . . . . . . . . . . . 522

Dynamic tracing (DTrace) . . . . . . . . . . . . . . . . 525
Internal architecture . . . . . . . . . . . . . . . . 528
DTrace type library . . . . . . . . . . . . . . . . 534

Windows Error Reporting (WER) . . . . . . . . . . . . . . . . 535
User applications crashes . . . . . . . . . . . . . . . . 537
Kernel-mode (system) crashes . . . . . . . . . . . . . . . . 543
Process hang detection . . . . . . . . . . . . . . . . 551

. . . . . . . . . . . . . . . . 554

Kernel shims . . . . . . . . . . . . . . . . 557
Shim engine initialization . . . . . . . . . . . . . . . . 557
The shim database . . . . . . . . . . . . . . . . 559
Driver shims . . . . . . . . . . . . . . . . 560
Device shims . . . . . . . . . . . . . . . . 564

Conclusion . . . . . . . . . . . . . . . . 564

Chapter 11 Caching and file systems

Terminology . . . . . . . . . . . . . . . . 565

Key features of the cache manager . . . . . . . . . . . . . . . . 566
Single, centralized system cache . . . . . . . . . . . . . . . . 567
The memory manager . . . . . . . . . . . . . . . . 567
Cache coherency . . . . . . . . . . . . . . . . 568
Virtual block caching . . . . . . . . . . . . . . . . 569
Stream-based caching . . . . . . . . . . . . . . . . 569
. . . . . . . . . . . . . . . . 570
NTFS MFT working set enhancements . . . . . . . . . . . . . . . . 571
Memory partitions support . . . . . . . . . . . . . . . . 571

Cache virtual memory management . . . . . . . . . . . . . . . . 572

Cache size . . . . . . . . . . . . . . . . 574
Cache virtual size . . . . . . . . . . . . . . . . 574
Cache working set size . . . . . . . . . . . . . . . . 574
Cache physical size . . . . . . . . . . . . . . . . 574

Cache data structures . . . . . . . . . . . . . . . . 576
Systemwide cache data structures . . . . . . . . . . . . . . . . 576
. . . . . . . . . . . . . . . . 579

File system interfaces . . . . . . . . . . . . . . . . 582
Copying to and from the cache . . . . . . . . . . . . . . . . 584
Caching with the mapping and pinning interfaces . . . . . . . . . . . . . . . . 584
Caching with the direct memory access interfaces . . . . . . . . . . . . . . . . 584

Fast I/O . . . . . . . . . . . . . . . . 585

Read-ahead and write-behind . . . . . . . . . . . . . . . . 586
Intelligent read-ahead . . . . . . . . . . . . . . . . 587
Read-ahead enhancements . . . . . . . . . . . . . . . . 588
Write-back caching and lazy writing . . . . . . . . . . . . . . . . 589
. . . . . . . . . . . . . . . . 595
Forcing the cache to write through to disk . . . . . . . . . . . . . . . . 595
. . . . . . . . . . . . . . . . 595
Write throttling . . . . . . . . . . . . . . . . 596
System threads . . . . . . . . . . . . . . . . 597
Aggressive write behind and low-priority lazy writes . . . . . . . . . . . . . . . . 598
Dynamic memory . . . . . . . . . . . . . . . . 599
Cache manager disk I/O accounting . . . . . . . . . . . . . . . . 600

File systems . . . . . . . . . . . . . . . . 602
. . . . . . . . . . . . . . . . 602
CDFS . . . . . . . . . . . . . . . . 602
UDF . . . . . . . . . . . . . . . . 603
FAT12, FAT16, and FAT32 . . . . . . . . . . . . . . . . 603
exFAT . . . . . . . . . . . . . . . . 606
NTFS . . . . . . . . . . . . . . . . 606
ReFS . . . . . . . . . . . . . . . . 608
File system driver architecture . . . . . . . . . . . . . . . . 608
Local FSDs . . . . . . . . . . . . . . . . 608
Remote FSDs . . . . . . . . . . . . . . . . 610
File system operations . . . . . . . . . . . . . . . . 618
. . . . . . . . . . . . . . . . 619
. . . . . . . . . . . . . . . . 622
Cache manager’s lazy writer . . . . . . . . . . . . . . . . 622
Cache manager’s read-ahead thread . . . . . . . . . . . . . . . . 622
Memory manager’s page fault handler . . . . . . . . . . . . . . . . 623
. . . . . . . . . . . . . . . . 623
Filtering named pipes and mailslots . . . . . . . . . . . . . . . . 625
Controlling reparse point behavior . . . . . . . . . . . . . . . . 626
Process Monitor . . . . . . . . . . . . . . . . 627

The NT File System (NTFS) . . . . . . . . . . . . . . . . 628
. . . . . . . . . . . . . . . . 628
Recoverability . . . . . . . . . . . . . . . . 629
Security . . . . . . . . . . . . . . . . 629
Data redundancy and fault tolerance . . . . . . . . . . . . . . . . 629
Advanced features of NTFS . . . . . . . . . . . . . . . . 630
Multiple data streams . . . . . . . . . . . . . . . . 631
Unicode-based names . . . . . . . . . . . . . . . . 633
General indexing facility . . . . . . . . . . . . . . . . 633
Dynamic bad-cluster remapping . . . . . . . . . . . . . . . . 633
Hard links . . . . . . . . . . . . . . . . 634
Symbolic (soft) links and junctions . . . . . . . . . . . . . . . . 634
. . . . . . . . . . . . . . . . 637
Change logging . . . . . . . . . . . . . . . . 637
Per-user volume quotas . . . . . . . . . . . . . . . . 638
Link tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
POSIX-style delete semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Defragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Dynamic partitioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646
NTFS support for tiered volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652

NTFS on-disk structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .654


Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
File record numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660
File records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
File names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
Resident and nonresident attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .670

Compressing sparse data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Compressing nonsparse data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .679
Object IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Quota tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Consolidated security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Reparse points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .684
Storage reserves and NTFS reservations. . . . . . . . . . . . . . . . . . . . . . . . .685
Transaction support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .688
Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .689
Transactional APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .690
On-disk implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Logging implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .693

NTFS recovery support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .694


Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .694
Metadata logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .695
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .695
Log record types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .697
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .699
Analysis pass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .700
Redo pass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Undo pass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
NTFS bad-cluster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .703
Self-healing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .706
Online check-disk and fast repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
The decryption process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Online encryption support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719

Direct Access (DAX) disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .720
DAX driver model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
DAX volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .722
Cached and noncached I/O in DAX volumes . . . . . . . . . . . . . . . . . . . .723
Mapping of executable images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .724
Block volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .728
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .730
Flushing DAX mode I/Os . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Large and huge pages support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .732
Virtual PM disks and storages spaces support . . . . . . . . . . . . . . . . . . .736

Resilient File System (ReFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .739


Minstore architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .740
B+ tree physical layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Allocators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
Page table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Minstore I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .746
ReFS architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .748
ReFS on-disk structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Object IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .752
Security and change journal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .753

ReFS advanced features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .754


File’s block cloning (snapshot support) and sparse VDL . . . . . . . . . .754
ReFS write-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
ReFS recovery support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
Leak detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
Shingled magnetic recording (SMR) volumes . . . . . . . . . . . . . . . . . . . 762
ReFS support for tiered volumes and SMR. . . . . . . . . . . . . . . . . . . . . . .764
Container compaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .766
Compression and ghosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769

Storage Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .770


Spaces internal architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Services provided by Spaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776

Chapter 12 Startup and shutdown 777
Boot process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
The UEFI boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
The BIOS boot process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
Secure Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
The Windows Boot Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .785
The Boot menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .799
Launching a boot application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .800
Measured Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Trusted execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .805
The Windows OS Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .808
Booting from iSCSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
The hypervisor loader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
VSM startup policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
The Secure Launch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Initializing the kernel and executive subsystems . . . . . . . . . . . . . . . . . 818
Kernel initialization phase 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .824
Smss, Csrss, and Wininit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .830
ReadyBoot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .835
Images that start automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .837
Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .837
Hibernation and Fast Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
Windows Recovery Environment (WinRE) . . . . . . . . . . . . . . . . . . . . . . .845
Safe mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .847
Driver loading in safe mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 848
Safe-mode-aware user programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .850

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .850

Contents of Windows Internals, Seventh Edition, Part 1 . . . . . . . . . . . . . . . . .851

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .861

About the Authors

ANDREA ALLIEVI is a system-level developer and security research engineer with more than 15 years of experience. He graduated from the University of Milano-Bicocca in 2010 with a bachelor's degree in computer science. For his thesis, he developed a Master Boot Record (MBR) bootkit written entirely in 64-bit code, capable of defeating all the Windows 7 kernel protections (PatchGuard and Driver Signing enforcement). Andrea is also a reverse engineer who specializes in operating system internals, from kernel-level code all the way to user-mode code. He

published in 2012), multiple PatchGuard bypasses, and many other research papers and articles. He is the author of multiple system tools and software used for removing malware and advanced persistent threats. In his career, he has worked in various computer security companies—Italian TgSoft, Saferbytes (now MalwareBytes), and the Talos group of Cisco Systems Inc. He originally joined Microsoft in 2016 as a security research engineer in the Microsoft Threat Intelligence Center (MSTIC) group. Since January 2018, Andrea has been a senior core OS engineer in the Kernel Security Core team of Microsoft, where he mainly maintains and develops new features (like Retpoline or the Speculation Mitigations) for the NT and Secure Kernel.

Andrea continues to be active in the security research community, authoring technical articles on new kernel features of Windows in the Microsoft Windows Internals blog, and speaking at multiple technical conferences, such as Recon and Microsoft BlueHat. Follow Andrea on Twitter at @aall86.
ALEX IONESCU is the vice president of endpoint engineering at
CrowdStrike, Inc., where he started as its founding chief architect. Alex is
a world-class security architect and consultant expert in low-level system
software, kernel development, security training, and reverse engineering.
Over more than two decades, his security research work has led to the
repair of dozens of critical security vulnerabilities in the Windows kernel
and its related components, as well as multiple behavioral bugs.

Previously, Alex was the lead kernel developer for ReactOS, an open-source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in computer science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad, and AppleTV. Alex is also the founder of Winsider Seminars & Solutions, Inc., a company that specializes in low-level system software, reverse engineering, and security training for various institutions.

Alex continues to be active in the community and has spoken at more than two dozen
events around the world. He offers Windows Internals training, support, and resources
to organizations and individuals worldwide. Follow Alex on Twitter at @aionescu and his
blogs at www.alex-ionescu.com and www.windows-internals.com/blog.

Foreword

Having used and explored the internals of the wildly successful Windows 3.1 operating system, I immediately recognized the world-changing nature of Windows NT 3.1
when Microsoft released it in 1993. David Cutler, the architect and engineering leader for
Windows NT, had created a version of Windows that was secure, reliable, and scalable,
but with the same user interface and ability to run the same software as its older yet
more immature sibling. Helen Custer’s book Inside Windows NT was a fantastic guide to
its design and architecture, but I believed that there was a need for and interest in a book
that went deeper into its working details. VAX/VMS Internals and Data Structures, the

you could get with text, and I decided that I was going to write the Windows NT version
of that book.

-
ware company. To learn about Windows NT, I read documentation, reverse-engineered
its code, and wrote systems monitoring tools like Regmon and Filemon that helped me
understand the design by coding them and using them to observe the under-the-hood
views they gave me of Windows NT’s operation. As I learned, I shared my newfound
knowledge in a monthly “NT Internals” column in Windows NT Magazine, the magazine
for Windows NT administrators. Those columns would serve as the basis for the chapter-
length versions that I’d publish in Windows Internals, the book I’d contracted to write
with IDG Press.

My book deadlines came and went because my book writing was further slowed by
my full-time job and time I spent writing Sysinternals (then NTInternals) freeware and
commercial software for Winternals Software, my startup. Then, in 1996, I had a shock
when Dave Solomon published Inside Windows NT, 2nd Edition. I found the book both
impressive and depressing. A complete rewrite of Helen's book, it went deeper and
broader into the internals of Windows NT like I was planning on doing, and it incorporated novel labs that used built-in tools and diagnostic utilities from the Windows NT
Resource Kit and Device Driver Development Kit (DDK) to demonstrate key concepts and
behaviors. He’d raised the bar so high that I knew that writing a book that matched the
quality and depth he’d achieved was even more monumental than what I had planned.

As the saying goes, if you can’t beat them, join them. I knew Dave from the Windows
conference speaking circuit, so within a couple of weeks of the book’s publication I
sent him an email proposing that I join him to coauthor the next edition, which would
document what was then called Windows NT 5 and would eventually be renamed as
Windows 2000. My contribution would be new chapters based on my NT Internals
column about topics Dave hadn’t included, and I’d also write about new labs that used
my Sysinternals tools. To sweeten the deal, I suggested including the entire collection of
Sysinternals tools on a CD that would accompany the book—a common way to distribute
software with books and magazines.

Dave was game. First, though, he had to get approval from Microsoft. I had caused
Microsoft some public relations complications with my public revelations that Windows NT
Workstation and Windows NT Server were the same exact code with different behaviors
based on a Registry setting. And while Dave had full Windows NT source access, I didn’t,
and I wanted to keep it that way so as not to create intellectual property issues with the
software I was writing for Sysinternals or Winternals, which relied on undocumented APIs.
The timing was fortuitous because by the time Dave asked Microsoft, I’d been repairing my
relationship with key Windows engineers, and Microsoft tacitly approved.

Writing Inside Windows 2000 with Dave was incredibly fun. Improbably and
completely coincidentally, he lived about 20 minutes from me (I lived in Danbury,
Connecticut and he lived in Sherman, Connecticut). We’d visit each other’s houses for
marathon writing sessions where we’d explore the internals of Windows together, laugh
at geeky jokes and puns, and pose technical questions that would pit him and me in
-
bugger, and Sysinternals tools. (Don’t rub it in if you talk to him, but I always won.)

one of the most commercially successful operating systems of all time. We brought in

Vista. Alex is among the best reverse engineers and operating systems experts in the
world, and he added both breadth and depth to the book, matching or exceeding our
high standards for legibility and detail. The increasing scope of the book, combined with
Windows itself growing with new capabilities and subsystems, resulted in the 6th Edition
exceeding the single-spine publishing limit we’d run up against with the 5th Edition, so
we split it into two volumes.

I had already moved to Azure when writing for the sixth edition got underway, and by
the time we were ready for the seventh edition, I no longer had time to contribute to the
book. Dave Solomon had retired, and the task of updating the book became even more
challenging when Windows went from shipping every few years with a major release and
version number to just being called Windows 10 and releasing constantly with feature
and functionality upgrades. Pavel Yosifovich stepped in to help Alex with Part 1, but he
too became busy with other projects and couldn’t contribute to Part 2. Alex was also
busy with his startup CrowdStrike, so we were unsure if there would even be a Part 2.

Fortunately, Andrea came to the rescue. He and Alex have updated a broad swath of
the system in Part 2, including the startup and shutdown process, Registry subsystem,
and UWP. Not just content to provide a refresh, they’ve also added three new chapters

the Windows Internals book series being the most technically deep and accurate word on
the inner workings on Windows, one of the most important software releases in history,
is secure, and I’m proud to have my name still listed on the byline.

A memorable moment in my career came when we asked David Cutler to write the
foreword for Inside Windows 2000. Dave Solomon and I had visited Microsoft a few times
to meet with the Windows engineers and had met David on a few of the trips. However,
we had no idea if he’d agree, so were thrilled when he did. It’s a bit surreal to now be
on the other side, in a similar position to his when we asked David, and I’m honored to
be given the opportunity. I hope the endorsement my foreword represents gives you

Cutler’s did for buyers of Inside Windows 2000.

Mark Russinovich

Microsoft

March 2021
Bellevue, Washington

Introduction

Windows Internals, Seventh Edition, Part 2 is intended for advanced computer professionals (developers, security researchers, and system administrators) who
want to understand how the core components of the Microsoft Windows 10 (up to and
including the May 2021 Update, a.k.a. 21H1) and Windows Server (from Server 2016 up
to Server 2022) operating systems work internally, including many components that are
shared with Windows 11X and the Xbox Operating System.

With this knowledge, developers can better comprehend the rationale behind design decisions to create more powerful, scalable, and secure software. They will also improve
their skills at debugging complex problems rooted deep in the heart of the system, all

System administrators can leverage this information as well because understanding how the operating system works “under the hood” facilitates an understanding of
the expected performance behavior of the system. This makes troubleshooting system
problems much easier when things go wrong and empowers the triage of critical issues
from the mundane.

-
ing system can misbehave and be misused, causing undesirable behavior, while also understanding the mitigations and security features offered by modern Windows systems
against such scenarios. Forensic experts can learn which data structures and mechanisms

Whoever the reader might be, after reading this book, they will have a better understanding of how Windows works and why it behaves the way it does.

History of the book


This is the seventh edition of a book that was originally called Inside Windows NT
(Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft
Windows NT 3.1). Inside Windows NT
NT and provided key insights into the architecture and design of the system. Inside
Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It
updated the original book to cover Windows NT 4.0 and had a greatly increased level of
technical depth.

Inside Windows 2000, Third Edition (Microsoft Press, 2000) was authored by David
Solomon and Mark Russinovich. It added many new topics, such as startup and shutdown,

kernel changes in Windows 2000, such as the Windows Driver Model (WDM), Plug and
Play, power management, Windows Management Instrumentation (WMI), encryption, the
job object, and Terminal Services. Windows Internals, Fourth Edition (Microsoft Press, 2004)
was the Windows XP and Windows Server 2003 update and added more content focused
on helping IT professionals make use of their knowledge of Windows internals, such as using key tools from Windows SysInternals and analyzing crash dumps.

Windows Internals, Fifth Edition (Microsoft Press, 2009) was the update for Windows
Vista and Windows Server 2008. It saw Mark Russinovich move on to a full-time job
at Microsoft (where he is now the Azure CTO) and the addition of a new co-author,
Alex Ionescu. New content included the image loader, user-mode debugging facility, Advanced Local Procedure Call (ALPC), and Hyper-V. The next release, Windows
Internals, Sixth Edition (Microsoft Press, 2012), was fully updated to address the many
kernel changes in Windows 7 and Windows Server 2008 R2, with many new hands-on

Seventh edition changes

of allowing the authors to publish parts of the book more quickly than others (March
2012 for Part 1, and September 2012 for Part 2). At the time, however, this split was purely
based on page counts, with the same overall chapters returning in the same order as
prior editions.

brought together the Windows 8 and Windows Phone 8 kernels, and eventually incorporated the modern application environment in Windows 8.1, Windows RT, and Windows Phone 8.1. The convergence story was complete with Windows 10, which runs on desktops, laptops, cell phones, servers, Xbox One, HoloLens, and various Internet of Things

With the seventh edition (Microsoft Press, 2017), the authors did just that, joined for

insider” and overall book manager. Working alongside Alex Ionescu, who like Mark,
had moved on to his own full-time job at CrowdStrike (where he is now the VP of endpoint

xxiv Introduction
Random documents with unrelated
content Scribd suggests to you:
The Project Gutenberg eBook of Huilunsoittaja
This ebook is for the use of anyone anywhere in the United States
and most other parts of the world at no cost and with almost no
restrictions whatsoever. You may copy it, give it away or re-use it
under the terms of the Project Gutenberg License included with this
ebook or online at www.gutenberg.org. If you are not located in the
United States, you will have to check the laws of the country where
you are located before using this eBook.

Title: Huilunsoittaja
Runoja

Author: Einari Vuorela

Release date: March 6, 2024 [eBook #73113]

Language: Finnish

Original publication: Porvoo: WSOY, 1919

Credits: Tuula Temonen

*** START OF THE PROJECT GUTENBERG EBOOK


HUILUNSOITTAJA ***
HUILUNSOITTAJA

Runoja

Kirj.

EINARI VUORELA

Porvoossa, Werner Söderström Osakeyhtiö, 1919.


SISÄLLYSLUETTELO:

Prologi.

HUILUNSOITTAJA

Kulkurin kosinta.
Armahan kulku.
Kotiintulo.
Heräävä rakkaus.
Oven takana.
Lemmen-nosto.
Pienellä huilulla huutelen.
Nuoruus.
Ero.
Kotini näky.
Metsän kaiku.
Pelko.
Ikävä.
Odotus.
Humalan loihtu.
Päivänlasku.
KEVÄÄSTÄ KESÄÄN

Huhtikuu.
Huhtikuun tunnelma.
Takatalvi.
Kevät-yö.
Kultaiset hetket.
Toukokuu.
Kevään tulo.
Kesä-yö.
Elon aikana.
Kesä-aamu.

LAULUJA ARMAALLE

Lumikukka.
Soidin.
Kaksi ihmistä.
Tulin luokses taas.
Aatokseni.
Hyljätty.
Kyläkutsu.

SOTATORVI

Vapaustaisteluun.
Vapaaehtoisten marssi.
Rakuunan iltalaulu.
Huhtikuun myrsky.

SALOMAALLA
Metsässä.
Aamutunnelma.
Salomaalla.
Raiskattu talo.
Paimeneen.
Metsänkävijä.
Takamailta tulija.

Prologi.

Metsä mulle pillin antoi soitan sillä metsän kieltä. Soitan


korven kohinoita, laulunpätkät metsätiellä.

Eksyin kylän kisamäille,


yllä kiilsi pilven kulta,
alla väikki vaaran vaski,
hongat hohti helkatulta.

Huvit siellä mieltä hurmas,


povessani poltti, huusi,
vierelläni neiot nauroi,
kupehella kukki kuusi.

Otin huilun huulilleni: lehdot leikki nuorten häinä, saraheinät


helisivät, tytöt kulki kukkapäinä.
HUILUNSOITTAJA
KULKURIN KOSINTA.

Kulkuri olen minä aina ollut, kulkuri olen minä nytkin! Näithän:
varsani valkoharjan juuri mä seinään kytkin!

Kulkurin kullaksi kyselen sua —


kulkunen luokalla laulaa,
tuuheat taljat ne reslassa vuottaa.
Katsos sä orhini kaulaa!

Kulkurin pirtti on pitkän pitkä,


tähdet sen lamppuina leiskaa,
tuhannet värttinät kultia kehrää,
silkkiset uutimet heiskaa.

Kulkurin karjaa metsän tyttö


havujen lehvillä huiskii.
Lammaskatraita illansuussa
kuusien peittohon kuiskii.

Kulkurin takassa räiskähtelee


raikasta revontulta,
kulkurin kihlana kimmeltääpi
kirkkahin Lapin kulta!
Kulkurin kello ei kuudelta käske, unia saat sinä kyllä!
Heiluthan hetkisen keskellä päivää sinistä silkkiä yllä!
ARMAHAN KULKU.

Ettenkö häntä tuntisi!


Hänen polullaan paistaa päivä,
hänen kupeillaan hohtelee kuu,
hänen kiireeltään kimaltelee tähti.

Tunnen ilman, joka on häntä: syleillyt.


Tunnen oksan, joka on häntä hyväillyt.
Tunnen tuulen, joka on liehuttanut
hänen hiuksiaan.

En tiedä, mistä minä sen tunnen.


Mutta mun tulee vain niin hyvä olla.
Jossain otetaan tulta lamppuun,
jossain lauletaan laulu,
jossain soitetaan sävel.

Niin, se on omassa sydämessäni.


Ettenkö minä häntä yössä tuntisi!
Kirkkaana hymynä kiertyy pimeys kaulaani
ja suutelee minua.
KOTIINTULO.

Tie johdatti korpehen valkoiseen ihan etehen punaisen uksen.


Käyn ovesta pirttihin ääneti ja nurkkahan pystytän suksen.

Lie kauan jo vuoteltu, koskapa noin käsi kiihkeä kiertyvi


kaulaan, lumiturkkia riemuiten riisutaan ja hymyten viedähän
naulaan.
HERÄÄVÄ RAKKAUS.

Taas oli yö.


Hämärä ja hyvä.
Hän näki unta, — heräsi ja uneksi. —
Tuolla ihan sydämessä tuntui syttyvän.
Toisinaan valtasi hänet ankara,
miltei hurja riemu.
Hän painoi hellästi kehittyviä rintojaan.
Povea poltti.

At times, on waking, she found
a bright tear in the corner of her eye.
What will tomorrow be?
What the day after?
What the summer?
In the evenings she lost herself for long stretches at the window.
Everything slept.
Trees and fields.
The whole village dreamed.
There she lost herself.
The dim light of night played in her hair and her thoughts crept
far, far away into the wordless night.
BEHIND THE DOOR.

I remember how once the door opened gladly to me, how
the tender figure smiled, how the fair neck gleamed, how
her nature melted into tenderness.

Now the door gave no creak.
From inside no footstep sounds.
Only the clock goes on slowly,
beating like my own heart;
the rattle of the spinning wheel is heard.

Dusk steps before my eyes, an accusation to the doorpost of my heart:
From the marsh a grey mist rises slowly with the chill,
like sorrow into a man's mind.
THE LOVE CHARM.

Sing like a bird, little lass!
Neighbour Ormo already means to…
For that very thing, for that very reason
Kuppari-Kaisa is casting her charms too.

Flit like a fairy, nimble-shoe,
whisper to the evening moon;
soon that Ormo will take his own,
and kisses will rain upon your mouth.

Swing like a sweetheart, you darling cluster,
sway, little sugar loaf!
Soon the betrothal gifts will jingle on your breast,
silk will float about your neck!
WITH A LITTLE FLUTE I CALL.

With a little flute I call
late in the evening dusk.
Girls sleep on the leaves in the loft
and finches in the yard tree.

With a little flute I call
to the bear in the bosom of the wilds.
With a small song I knock
on the door of Tapio's daughters.

With a little flute I call
into my own sweetheart's cottage too.
Beneath the window I show the betrothal gifts
and promise a journey to the parsonage.

With a little flute I call
into the wilds and over the wilds.
I listen: echoes well up
from the wilds and the wilds' embrace.
YOUTH.

Ah, you joys of old, far away there! Everything there whirls about one beautiful
thought. A woman, young and beautiful! A girl lush
as a birch in spring: white belt, golden hair, silk stockings!
I laugh to myself at the thought.

Youth!
One single summer's day:
like a river it carried,
like wine it enchanted,
like a secret fire it consumed!
Morning held its devotions in the forest,
the trees reddened,
birds swung on the branches
light as a melody
that rang in the lap of the fir grove.

Youth, you are a friend in whose kind eyes everyone
believes. Much you promise, but most often you put a work axe
in the hand, a long, songless, everyday chore.
Youth, you are good!
You carry a person like a king's child
through fairy-tale isles, through castles in the air.
Then you laugh and wake him
in a cabin whose window is lashed
by a melancholy rain.

Why grieve!
Fill the breast with the scent of fir!
Make the foot light and the mouth laugh!
What feels heavy, imagine it light.
What feels dreary, give it
to the fingers of joy to toy with.
PARTING.

In the manner of a folk song.

I do not weep out of spite, nor do I weep for anything else. I weep for the parting,
for we were truly as if cut from the same wood!

He had a tender nature
and otherwise such a pleasing voice.
With him, laughter on my lips,
I would have held my wedding!

But that hussy cooed to him,
the hatted magpie hopped about,
strove for his knee and snared him,
even plucked at his moustache.

There that flutter-tail chirped, and even smacked a kiss on his mouth. I weep for the parting,
for we were truly as if cut from the same wood!
