Recommended reading:
Yosifovich, Paul – Ionescu, Alex – Russinovich, Mark E. – Solomon, David A.:
Windows Internals. 7th ed. Part 1. System architecture, processes, threads, memory management, and more. Pearson Education, 2017.
Micskei Zoltán: The Windows operating system. Budapest: Budapest University of Technology and Economics, 2014.
Overview of Windows Components (2024-03-26)
Wikipedia, selected entries. (2024-03-04)
The main components of the Windows operating system:
software (sw) layers
main sw layers in an IBM PC or Wintel-compatible computer [Wintel refers to the partnership of Microsoft Windows and Intel producing personal computers using Intel x86 (or x64) compatible processors running Microsoft Windows]
- [lowest layer]
- hardware (hw) architecture
- BIOS* or UEFI*
- implemented as firmware* on the motherboard
- launching the OS loader
- operating system (OS)*
(e.g. MS Windows 8/10 → Search/Cortana: System Information; Command Prompt: winver or systeminfo)
- [OS components running in kernel mode]
- hardware abstraction layer (HAL) (sets of routines that provide access to hw resources through standardized or unified interfaces; they allow the programmers to write device independent apps)
- device drivers (a driver is a program that operates a particular type of device; it provides a software interface for the given device enabling the OS and other programs to access hw functions without needing to know precise details about the hardware being used; kernel mode drivers are located in files with *.sys extension)
(e.g. MS Windows 8/10 → Search/Cortana: [This PC → Properties → Settings →] Device Manager, e.g. Network Adapters → Realtek PCIe FE Family Controller [interfacing the CPU PCI Express bus to a Fast Ethernet (100Mbps) network] → Driver)- kernel* (the core of the OS which is the first OS program to be loaded and always resident in memory; generally, the kernel facilitates and controls interactions between hardware and software components; specifically, the kernel provides the core functions of the OS like task scheduling and interrupt handling; the components of the kernel are located in the ntoskrnl.exe file in the System32 directory)
- executive (executive services provide higher level functions such as memory management, security, I/O management, IPC management, process and thread management, PnP management, power management etc.; the services are implemented as objects which can be accessed by handles through well-defined interfaces; the objects are managed by the Object Manager; the components of the executive are also located in the ntoskrnl.exe file in the System32 directory)
- due to performance reasons the Windows subsystem runs in kernel mode; it is managed by the Window Manager and uses the Graphics Device Interface (GDI) functions; the functions of the windowing and graphics subsystem are located in the win32k.sys file in the System32 directory)
- [OS components running in user mode]
- dynamic-link libraries (DLLs)(a DLL is a shared library in the Microsoft Windows operating system which can contain portable executable code, functions, data and other resources (e.g. icons, fonts etc.) in an executable file format; e.g. device driver files are implemented as DLLs in the Windows OSs, such as printer drivers that control the operation of the printers)
Note that executable files (.exe), DLL files (.dll) and driver files (.drv) use the same format.
- Windows API* functions (the Windows application programming interface is the user-mode system programming interface for the Windows OS family)
- Windows Native API functions (offering native system services requested by system or supervisor (SVC) calls which trigger an interrupt into kernel mode; most of the native API functions are implemented in the ntdll.dll file in the \Windows\System32 folder; other functions reside in one or more corresponding DLL files following the form nt*.dll)
- kernel support functions or routines (they can be called and executed only in kernel mode; these functions are implemented in the hal.dll file in the \Windows\System32 folder; since 2020 it has been merged into ntoskrnl.exe in Windows 10)
- ...
- user mode device drivers (e.g. files with .drv extension)
- codecs (a program that encodes or decodes a data stream or signal; the name comes from coder/decoder)
(e.g. MS Windows 8/10 → Windows Media Player → Help → About WMP → Tech Support Inf)- processes and threads,* including
- – system processes* (they are always present and responsible for the boot process and the operation of the computer)
- Session Manager Subsystem (SMSS) (it calls directly the functions of the ntdll.dll native library)
- Windows Subsystem / Win32 or Win64 environment subsystem (Client/Server Runtime Subsystem, CSRSS) (it calls directly the functions of the ntdll.dll native library)
- – background processes (each providing a set of resources for running apps)
- Windows services (Windows services are processes that are launched by the OS and operate in the background independently from the logged-on users (similarly in concept to Unix daemons); they offer common services to the programs or processes in system, local or network context)
(e.g. MS Windows 8/10 → Search/Cortana: Services; Task Manager: Services; e.g. Device Setup Manager, DHCP Client, DNS Client, Print Spooler, Windows Update etc.)- programs, including
- – utility programs (as parts of the OS)
- command line interface* (Command Prompt, CMD; PowerShell)
- file magagement utilities (This PC; Windows Explorer or File Explorer)
- accessories (e.g. Calculator, Notepad, WordPad, Paint, Windows Media Player etc.)
- ...
- – utility programs (from external, preferably open sources; some of them can be considered as apps), e.g.
- antivirus utilities (e.g. ESET; cf. Windows Defender)
- file managers (e.g. Total Commander)
- image viewers (e.g. IrfanView)
- pdf readers (e.g. Sumatra)
- media players (e.g. VLC)
- ...
- – application programs (apps) (note that the term 'task' can refer to both programs and processes)
- [highest layer]
The terms layer and interface, as well as client and service describe interaction between software components in an abstract way.
Each layer provides an interface for the higher (i.e. more abstract) layer in a form of services implementing basic functions of the layer. So the higher layer can use the services through the interface in a standardized way without having to know the details of the implementation.
Sometimes the higher layer is called a client, and the lower layer that provides services (i.e. callable routines, functions, methods, objects etc.) for the client is called a server. The communication mechanism between them (called inter-process communication or IPC) is provided by the OS in order to manage shared data.
There are different approaches of IPC (e.g. through data records or files, shared memory buffers, pipes, message passing or LPC, message queues or mailboxes etc.).
further reading:
Wikipedia: IBM PC compatible
Wikipedia: Wintel
Wikipedia: Inter-process communication Wikipedia: Utility software
firmware (fw)
- fw is a sw that contains hardware specific ("low-level" or machine level) programs to control a given hw (e.g. computer peripherals etc.)
- fw implements basic functions of a spec device
- modern CPUs also contain fw which is specific to the applied motherboard (containing integrated peripheral controllers)
- a specific fw is often called a microprogram
- fw can be implemented as a set of microcodes
- fw hides the hw spec details providing hw abstraction services to "high-level" sw (e.g. to the OS or apps)
- fw often provides a standardized interface for "high-level" programs (where the available basic functions for a hw device are independent from the different hw implementations)
- fw is held in non-volatile memory devices (such as ROM, EPROM, EEPROM, flash memory etc.)
- in general, programs which provide hw abstraction services to "high-level" sw and stored in non-volatile memory devices are considered fw (like BIOS and UEFI)
further reading:
Wikipedia: Firmware
BIOS (basic input-output system)
- implemented as a firmware*
- immediately after startup you have the option to activate a configuration or setup utility (BCU) by pressing a particular key or key sequence
- the BIOS setup utility allows the user to set system configuration options through an interactive menu system controlled through the keyboard
- formerly IBM-compatible PCs held the configuration settings in battery-backed RAM
- modern Wintel-compatible machines usually store the BIOS configuration settings in flash ROM (e.g. in the same flash ROM that holds the BIOS itself)
- when you turn on the computer (power-on startup), the first program that runs is a set of instructions kept in the computer's read-only memory (ROM) [it is called booting process; from 1996 the BIOS boot specification is considered as a de facto standard]
- the BIOS firmware performs hw initialization
- it checks the PC for errors to make sure everything is functioning properly; the BIOS firmware tests the hw components of the computer system (power-on self test)
- CPU test
- memory test
- keyboard test
- HDD test
- ...
- once successful, the software will begin to activate the boot (or bootstrap) loader on the computer's boot device (e.g. the hard disk drive)
- in the booting process the BIOS loads the kernel of the OS into memory and turns control of the computer over to the operating system
- other services
- in the DOS era the BIOS set up small driver programs that controlled the various hardware units; the BIOS interrupt calls were provided for the keyboard, display, mass storage devices etc.; they standardized an interface to the OS and to the application programs [i.e. BIOS provided an interface between the hw units and the "higher" sw layers]
- more recent OSs do not use the BIOS interrupt calls after startup
- UEFI is a successor to the legacy BIOS
further reading:
Wikipedia: BIOS
UEFI (Unified Extensible Firmware Interface)
- like BIOS, UEFI initializes and tests system hw components (memory, PCI, USB etc.) and then loads the boot loader from a mass storage device or through a network connection
- unlike the legacy BIOS, UEFI does not rely on boot sectors; it defines instead a boot manager (as part of the UEFI specification)
- when the computer is powered on, the boot manager executes the specified OS boot loader according to the boot configuration (stored in NVRAM, Non-Volatile RAM)
- OS boot loaders can be automatically detected by UEFI (e.g. in removable devices such as USB flash drives); the automated detection relies on standardized file paths to the OS boot loader
- UEFI provides a shell environment which can be used to execute other UEFI applications (including UEFI boot loaders) and commands; the available UEFI commands can be used for obtaining various information about the computer system or the firmware itself
- UEFI also provides a GUI for the main settings (just like BIOS)
further reading:
Wikipedia: UEFI
kernel
there are different kernel architecture designs
- monolithic kernel (it runs entirely in a single address space executing services in supervisor mode, mainly for speed)
- microkernels (they run most of their services in user space like user processes do, mainly for resilience and modularity)
– the Linux kernel is both monolithic and modular, since it can insert and remove loadable kernel modules at runtime- hybrid or modular kernel (an extension of the microkernel architecture on the basis of the monolithic kernel architecture; it is running most of the system services in kernel mode in kernel or system address space (such as executive services, kernel functions, device drivers, the windowing and graphics system etc.), but it also provides microkernel services in user address space.
– MS Windows NT and 8/10 implement a hybrid kernel
further reading:
Wikipedia: Kernel
Windows API (Application Programming Interface)
The Windows API provides core services to build desktop and server apps that can run successfully on all versions of MS Windows. The functions provided by the Windows API can be grouped into certain categories. (The functions reside in one or more corresponding DLL files in the \Windows\System32 folder.)
- Base Services (accessing to the basic resources, e.g. file system, devices, processes, threads and error handling; these functions reside in kernel32.dll and KernelBase.dll on 32 and 64 bit Windows)
- Advanced Services (accessing to functions beyond the kernel, e.g. access the Windows registry, shutdown or restart the system, create, start and stop a Windows service, and manage user accounts; these functions reside in advapi32.dll and advapires32.dll on 32 bit Windows)
- Graphics Device Interface (GDI) (providing functions for representing and displaying graphics content to monitors, printers or other output devices; it supports apps in drawing lines and curves, rendering fonts, handling color palettes etc. in a scalable way; these functions reside in gdi32.dll on 32 bit Windows in user mode)
- Graphical User Interface (GUI) (providing functions to create and manage screen windows, basic controls and dialog boxes, and receive keyboard and mouse input; these functions reside in user32.dll on 32 bit Windows)
- Common Dialog Box Library (providing access to for standard dialog boxes to open and save files, choose color, font and size etc.; these functions reside in comdlg32.dll on 32 bit Windows)
- Common Control Library (providing access to basic controls such as buttons, scrollbars, etc. and advanced controls such as status bars, progress bars, tabs etc.; these functions reside in comctl32.dll on 32 bit Windows)
- Windows Shell (providing functions to manage the user-system interaction by prompting users to input, interpreting it, sending it to the OS, and then handling the output from the underlying OS; these functions reside in shell32.dll on 32 bit Windows)
- Network Services (providing functions to access to the various networking abilities of the OS, including remote procedure call (RPC), Dynamic Host Configuration Protocol (DHCP), domain name system (DNS) etc.; these functions reside in netapi32.dll on 32 bit Windows)
further reading:
Wikipedia: Windows API⇒
.NET Framework
The .NET Framework (pronounced as "dot net") is a proprietary software framework developed by Microsoft that runs primarily on Microsoft Windows. The .NET ("dot net") is a free and open-source managed computer software framework for Windows, Linux, and macOS operating systems.
Both platforms provide various services (user interface, data access, database connectivity, cryptography, web application development, numeric algorithms, network communications etc.) for application program developers to build desktop, web, and mobile apps in a software environment that can be implemented and run on any OS.
- .NET applications written in managed code (consisting of binary Common Intermediate Language (CIL) instructions)
- Framework Class Library (FCL) (a collection of types that implement functionality typically needed by client and server applications within the .NET Framework)
- the .NET software environment implemented in Windows
- Common Language Runtime (CLR) engine (an application virtual machine for the .NET Framework including a Just In Time (JIT) compiler that can translate CIL instructions to the underlying CPU machine language)
- Windows API
- Windows kernel
further reading:
Wikipedia: .NET Framework⇒
Wikipedia: .NET⇒
Microsoft: What is .NET Framework?⇒
Microsoft: What is .NET?⇒
processes and threads
In general, a program is a static sequence of instructions, whereas a process is a container for a set of resources used when executing the program. When a client (a program or one of its processes) needs a particular resource, the corresponding process will serve the requested resource for the client by its promptly created instance or thread.
- In case the requested server process is not running, it is created by the client program or process that first needs its service (e.g. from the DLL file where the code of the process is located).
- For each program or process, the OS keeps track of the pointers or handles to the requested processes in a virtual table which is actualized (and then maintained) every time when a new thread of the process is created.
- The threads are removed from the memory by the OS when they are not used any more (sometimes this process is called garbage collection).
A program (or process) can create one or more processes each of which can also be a parent of one or more child processes. In this way the parent-child relationships between the processes form a tree hierarchy where each child process points to its parent process. (In case a parent process is deployed, its child processes will be called orphans.)
A thread is an instance of a process which can be executed. Multiple threads can run concurrently. There should normally be at least one thread for each running process, and a process can host many threads.The requests for particular resources by the running program can be sent either by direct procedure calls of the corresponding function of the server process or by IPC sending a signal to the kernel which activates the interrupt mechanism of the OS (and switches from the client program or thread into the server process).
The tasks (i.e. the apps, the background processes, and the system processes including their threads) that are actually running on the computer can be explored by the Task Manager. Some noteworthy information provided by the Task Manager are as follows:
- the name of the current apps and background processes (click on More details at the bottom, and View → Group by type)
- when there is more than one thread of execution, the number of threads are indicated after the program or process name (in parentheses)
- the unique program or process ID (PID) can be displayed by right-clicking on the header row and selecting the PID option
- the details of each thread can be displayed by right-clicking on the name of the thread and select the Properties option
- the location of each thread can be displayed by right-clicking on the name of the thread and select the Location option
- the CPU, memory, disk and network usage of each program or process
Note that the parent and child processes may form a process tree but the Task Manager does not show the parent-child relationships between processes. Instead, we can use the Process Explorer from Sysinternals, or the tlist /t command from the Windows SDK.
further reading:
Wikipedia: Thread (computing)
Microsoft: Process Explorer⇒
system processes
- System Idle Process (PID 0, 1 instance or thread; it represents or measures the percentage of the CPU usage when it is idle and available for other tasks)
- System Process (PID 4; its child process is the smss.exe; it is the NT kernel; it provides callable interfaces which contain functions or routines that can be executed in kernel mode; these interfaces form the Windows Executive Services, including e.g.
– File Cache Manager;
– Configuration Manager;
– Plug and Play (PnP) Manager;
– Power Manager;
– I/O Manager;
– Virtual Memory Manager (VMM);
– Process and Thread Manager;
– IPC Manager;
– Object Manager;
– Security Reference Monitor (SRM);
when a program or process running in user mode issues a system call through the ntdll.dll native library, the corresponding function of the kernel is resolved using the System Service Descriptor or Dispatch Table (SSDT); while the smss.exe and csrss.exe system processes can call ntdll.dll directly, the other programs or processes can have access to ntdll.dll through the kernel32.dll, advapi32.dll, user32.dll or gdi32.dll libraries of the Windows API;
the kernel process is located is the ntoskrnl.exe file in the System32 directory)
- ...
- Session Manager Subsystem (→)
- ...
- Session Manager Subsystem (SMSS; when the power is on, the system process creates the first ("master") SMSS instance which resides in the memory even after the boot process; its location is the smss.exe file in the System32 directory)
- In the boot process the master SMSS process creates some instances of itself; these smss.exe child processes are as follows:
- [Session 0] the first instance of smss.exe is responsible for creating the wininit.exe system process which starts the csrss.exe process
- Windows Initialization Process (→)
- Windows Subsystem Process (→)
- [Session 1] the second instance of smss.exe represents the first logged-on user, and it is responsible for creating the winlogon.exe process which starts the crss.exe process
- Windows Logon Process (→)
- Windows Subsystem Process (→)
- [for each new session] a new instance of smss.exe will be created; it will create the winlogon.exe process which will start the crss.exe process
- Windows Logon Process (→)
- Windows Subsystem Process (→)
- All instances of smss.exe will exit after finishing their job.
- Windows Initialization Process (WININIT) (the windows initialization process is responsible for initializing and setting a lot of things; e.g. it sets the default environment variables, it creates the Services Control manager by launching the services.exe process, it creates the 'temp' directory in the system root directory etc.; its location is the wininit.exe file in the System32 directory)
- Local Security Authentication Service (→)
- Service Control Manager (→)
- Font Driver Host (fontdrvhost.exe)
- Local Security Authentication Service (LSASS) (it is responsible for managing authentication on the machine; it has one instance; its location is the lsass.exe file in the System32 directory)
- Service Control Manager (SCM) (it is responsible for handling (e.g. start, stop etc.) services defined in the system; it launches the Windows services as child processes; it has one instance; its location is the services.exe file in the System32 directory)
- ...
- Service Host (a shared-service process that serves as a shell for loading a particular group of services from the corresponding DLL files; it has multiple instances; its location is the svchost.exe file in the System32 directory)
- ...
- Windows Subsystem Process (Client/Server Runtime Subsystem, CSRSS)
(the CSRSS environment or emulation subsystem provides the user mode side of the Win32 subsystem creating the Windows environment and implementing (or emulating) the Windows personality;
the CSRSS subsystem is primarily involved with
– process and thread management,
– console window (CMD) handling,
– side-by-side assembly loading (i.e. storing multiple versions of DLLs and loading them in demand), and
– the shutdown process;
– historically it was also responsible for window management and graphics rendering but they have been moved to kernel mode;
the CSRSS subsystem has one instance for each session; its location is the csrss.exe file in the System32 directory)
- Windows Logon Process (WINLOGON) (it handles everything related to user's logons/logoffs and user initialization; its location is the winlogon.exe file in the System32 directory)
- Logon User Interface (LogonUI.exe)
- User Initialization Process (userinit.exe)
- Explorer (→)
- Font Driver Host (fontdrvhost.exe)
- Desktop Window Manager (→)
- ...
- Explorer (it is a core shell process which generates the Windows Graphical User Interface (GUI) on the screen; it is an orphan process because its parent, the 'userinit.exe' process exits after launching the 'explorer.exe'; is has one instance for each logged on user; its location is the explorer.exe file in the System32 directory)
- ...
- (various apps)
- ...
- Desktop Window Manager (DWM) (a process that is responsible for rendering graphical objects (windows, icons etc.) and 2D or 3D graphical effects to enhance user experience using an off-screen buffer for each window; is has one instance for each logged on user; its location is the dwm.exe file in the System32 directory)
further reading:
Medium: Windows System Processes –
– An Overview for Blue Teams by Nasreddine Bencherchali⇒
Wikipedia: Client/Server Runtime Subsystem
GUI (graphical user interface; Windows)
- Desktop (Windows shell)
- icons
- Taskbar (including the Start Menu, search bar, pinned apps, hidden icons, internet access, loudspeaker, keyboard, current date and time, notifications etc.)
- separate windows
- give the operating system commands to be executed
- pointing to an icon and (double) clicking on it with a mouse
- using a menu and select an item (e.g. the start menu)
- ...
further reading:
Wikipedia: Windows shell