Chapter 11: Windows Vista
This chapter is based on Tanenbaum OS/3E book slides and also on Chapter 21 slides of the book:
"Operating Systems (Third Edition)", Deitel, Deitel and Choffnes, Prentice Hall, 2004
1
Chapter 11: Windows Vista
  History
  Programming Windows Vista
  Operating System Structure
  Process and Thread Management
  Thread Scheduling
  Memory Management
  Input/Output in Vista
  NTFS
  Security
  Interprocess Communication
2
Figure 11-1. Major releases in the history of Microsoft operating systems for desktop PCs.
History (1)
3
History (2)
1976 Bill Gates and Paul Allen founded Microsoft
1981 MS-DOS 1.0 (Known as CP/M)
  16-bit addressing
  8 KB memory resident code
1985 Windows 1.0
  First Microsoft GUI operating system
1990 Windows 3.1 and Windows for Workgroups 3.1
  Added network support (LANs)
1992 Windows NT 3.1
  NTFS
  32-bit addressing
1995 Windows 95
  32-bit addressing
  DirectX
    Simulates direct access to hardware through API
4
History (3)
1996 Windows NT 4.0
  Moved graphics driver into kernel
1998 Windows 98
  Bundled Internet Explorer into operating system
2000 Windows ME
  Does not boot in DOS mode
2000 Windows 2000
  Active Directory
    Database of users, computers and services
2001 Windows XP
  64-bit support
2006 Windows Vista
5
2000s: NT-based Windows (1)
Figure 11-2. DEC Operating Systems developed by Dave Cutler
NT was inspired by the VMS operating system
DEC (Digital Equipment Company), a minicomputer maker, was sold in 1998 to Compaq, which was bought by HP
NT was also jointly developed as OS/2 for IBM
6
2000s: NT-based Windows (2)
Figure 11-3. The Win32 API allows programs to run on almost all versions of Windows.
7
Figure 11-4. Split client and server releases of Windows.
2000s: NT-based Windows (3)
8
Figure 11-5. Comparison of lines of code for selected kernel-mode modules in Linux and Windows (from Mark Russinovich, co-author of Microsoft Windows Internals).
Windows Vista
9
Programming Windows Vista
Figure 11-6. The programming layers in Windows
Beneath the applets and GUI layers we have the API
These are dynamic link libraries (DLLs)
NTOS is the kernel-mode program which provides the system call interface for Microsoft programmers (not open to public)
10
Figure 11-8. Common categories of kernel-mode object types.
The Native NT Application Programming Interface (1)
11
Figure 11-9. Examples of native NT API calls that use handles to manipulate objects across process boundaries.
The Native NT Application Programming Interface (2)
12
The Win32 Application Programming Interface
Win32 API – interface for developing applications
  Fully documented and publicly disclosed
  The API is a library of procedures that either wrap (use and call somehow) the native NT system calls or do the work themselves
Two special execution environments are also provided
  WOW32 (Windows-on-Windows), which is used on 32-bit x86 systems to run 16-bit Windows 3.x applications by mapping system calls and parameters between the 16-bit and 32-bit worlds
  WOW64 does the same thing for 32-bit applications to work on x64 systems
  Previously there were OS2 and POSIX environments but not anymore
13
Figure 11-10. Examples of Win32 API calls and the native NT API calls that they wrap.
The Win32 Application Programming Interface
14
The Windows Registry (1)
Figure 11-11. The registry hives in Windows Vista. HKLM is a short-hand for HKEY_LOCAL_MACHINE.
The registry is a special file system to record the details of system configuration
The registry is organized into separate volumes called hives
When the system is booted the SYSTEM hive is loaded into memory
15
The Windows Registry (2)
Figure 11-12. Some of the Win32 API calls for using the registry
Before the registry, older Windows versions kept configuration information in .ini (initialization) files scattered all around the disk
Regedit is a program to inspect and modify the registry, but be careful
16
Figure 11-13. Windows kernel-mode organization.
Operating System Structure
17
Operating System Kernel
The system library (ntdll.dll) executing at user-mode contains compiler run-time and low-level libraries
NTOS kernel layer: thread scheduling, synchronization abstractions, trap handlers, interrupts etc.
NTOS executive layer contains the services such as management services for virtual memory, cache, I/O etc.
HAL (Hardware Abstraction Layer)
  Interacts with hardware, drives device components on main board
  Abstracts hardware specifics that differ between systems of the same architecture (such as different CPUs)
Device drivers are used for any kernel-mode activities which are not a part of NTOS or HAL (such as file system, network protocols and antivirus software)
18
Booting Windows Vista
On power on, BIOS loads a small bootstrap loader found at the beginning of the disk drive partitions
Bootstrap loader loads BootMgr program from the root directory
  If hibernated or in stand-by mode WinResume.exe is loaded
  If not Winload.exe is loaded for a fresh boot. This program loads:
    Ntoskrnl.exe
    Hal.dll
    SYSTEM hive
    Win32k.sys (kernel-mode parts of Win32 subsystem)
    Other boot drivers
19
20
Process and Thread Management
Processes (containers for threads. PEB – Process Environment Block)
Threads (Basic scheduling unit. Normally executes in user-mode. TEB – Thread Environment Block)
Jobs
  Group processes together as a unit
  Manage resources consumed by these processes (e.g., CPU time, memory consumption, etc.)
  Terminate all processes at once
21
Process and Thread Organization
Fibers
  Unit of execution (like a thread)
  Scheduled by thread that creates them, not microkernel.
  Thread must convert itself into a fiber to create fibers
  Advantage is in switching: Thread switching requires entry and exit to kernel. A fiber switch saves and restores a few registers without changing modes at all
  Used rarely
22
Process and Thread Organization
Thread pools
  Worker threads that sleep waiting for work items
  Each process gets a thread pool
  Useful in certain situations
    Fulfilling client requests
    Asynchronous I/O
    Combining several threads that sleep most of the time
  Memory overhead and less control for the programmer
Figure 11-24. The relationship between jobs, processes, threads and fibers. Jobs and fibers are optional; not all processes are in jobs or contain fibers.
Processes and Threads
23
Figure 11-25. Basic concepts used for CPU and resource management.
24
Thread Synchronization
Dispatcher objects
  Event object
    Signaled when event occurs; unsignaled either when one thread awakens or all threads awaken (choice determined by event's creator)
  Mutex object
    One owner
    Acquire – unsignaled; release – signaled
  Semaphore object
    Counting semaphore
    Signaled while count > 0; unsignaled when count 0
    Can be acquired multiple times by same thread
25
Thread Synchronization
Dispatcher objects (cont.)
  Waitable timer object
    Signaled when time elapses
    Manual reset vs. auto reset
    Single user vs. periodic
  Objects that can act as dispatcher objects: process, thread, console input
26
Thread Synchronization
Kernel mode locks
  Spin lock
  Queued spin lock
    More efficient than spin lock
    Guarantees FIFO ordering of requests
  Fast mutex
    Like a mutex, but more efficient
    Cannot specify maximum wait time
    Reacquisition by owning thread causes deadlock
Kernel mode locks (cont.)
  Executive resource lock
    One lock holder in exclusive mode
    Many lock holders in shared mode
    Good for readers and writers
27
Thread Synchronization
Other synchronization tools
  Critical section object
    Like a mutex, but only for threads of the same process
    Faster than a mutex
    No maximum wait time
  Timer-queue timer
    Waitable timer objects combined with a thread pool
  Interlocked variable access
    Atomic operations on variables
  Interlocked singly-linked lists
    Atomic insertion and deletion
Figure 11-26. Some of the Win32 calls for managing processes, threads, and fibers.
Synchronization
28
29
Thread Scheduling (1)
Thread States
  Initialized
  Ready
  Standby
  Running
  Waiting
  Transition
  Terminated
  Unknown
Thread Scheduling (2)
Windows kernel does not have a central scheduling thread. Instead, when a thread cannot run any more, the thread enters kernel-mode and calls into the scheduler itself to see which thread to switch to
30
Thread Scheduling (3)
The following conditions cause the currently running thread to execute the scheduler code:
  The currently running thread blocks on a semaphore, mutex, event, I/O, etc.
  The thread signals an object (e.g., does an up on a semaphore or causes an event to be signaled).
  The quantum expires.
The scheduler is also called under two other conditions:
  An I/O operation completes.
  A timed wait expires.
31
Figure 11-27. Mapping of Win32 priorities to Windows priorities.
Thread Scheduling (3)
32
Thread Scheduling (4)
Figure 11-28. Windows Vista supports 32 priorities for threads.
Round-robin for highest-priority non-empty ready queue
33
Memory Management (1)
Figure 11-30. Virtual address space layout for three user processes on the x86. The white areas are private per process. The shaded areas are shared among all processes.
34
Memory Management (2)
Bottom and top 64 KB are intentionally unmapped
64 KB – 2 GB: User's private code and data
2 GB – 4 GB (less 64 KB): Operating system kernel virtual memory containing code, data, paged and nonpaged pools as well as process page table.
Kernel virtual memory is shared by all processes and is only accessible while running in kernel mode
For x86 and x64 systems virtual address space is demand paged with 4 KB sized pages (No segmentation)
35
Figure 11-31. The principal Win32 API functions for managing virtual memory in Windows.
Memory Management System Calls
36
Figure 11-32. Mapped regions with their shadow pages on disk. The lib.dll file mapped into two address spaces at same time.
Implementation of Memory Management
37
Page Fault Handling (1)
Figure 11-33. A page table entry (PTE) for a mapped page on the (a) Intel x86 and (b) AMD x64 architectures.
D and A bits are used to implement a LRU (Least Recently Used) style page replacement algorithm
38
Page Fault Handling (2)
Each page fault can be considered as being in one of five categories:
  The page referenced is not committed (program error – page has not been assigned to a process or in memory).
  Attempted access to a page in violation of the permissions (program error).
  A shared copy-on-write page was about to be modified.
  The stack needs to grow.
  The page referenced is committed but not currently mapped in (normal page fault in a paged system).
39
Page Replacement Algorithm (1)
The working set concept is used
Each process (not each thread) has a working set
Each working set has two parameters:
  A minimum size (initially 20 to 50 pages)
  A maximum size (initially 45 to 345 pages)
Every process starts with the same minimum and maximum but these bounds can change over time
40
Page Replacement Algorithm (2)
Working sets only come into play when physical memory gets low
Otherwise, processes can exceed the maximum of their working set
The working set manager runs periodically based on a timer and does the following:
  When lots of memory is available, it uses the access bits to compute an age for each page
  When memory gets tight, the working set is fixed and oldest pages are replaced when a new page is needed
  When memory is tight, the working sets are trimmed below their maximum by removing the oldest pages
41
Physical Memory Manager (1)
Figure 11-36. The various page lists and the transitions between them.
42
Physical Memory Manager (2)
1. Pages removed from a working set are put on either modified page list or standby page list (pages which are not modified)
2. The pages on these two lists are in memory so if a page fault occurs and one of these pages is needed, they are put back to the working set with no disk I/O (A soft page fault)
3. When a process exits all nonshared pages of the working set, modified pages and standby pages are returned to the free page list
43
Physical Memory Manager (3)
4. A modified page writer thread wakes up periodically and writes modified pages to disk and moves them to the standby list if there are not enough clean pages
5. When a page is not needed by a process, it goes to the free page list
6. At a page fault (hard fault) a free page is taken from the free page list
7. Whenever the CPU is idle, a lowest priority thread, the ZeroPage thread, resets free pages to zeros and puts them on zeroed page list
8. When a zeroed page is needed for security reasons, pages are taken from the zeroed page list
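An added example (not from the original slides or the books they cite): a toy Python model of the page lists in steps 1 to 8, keeping frame contents so that the stale data left on the free list after a process exits, and its removal by the ZeroPage thread, can be observed. The class, method names, 16-byte frame size and the reclaim_standby transition are assumptions made for illustration.

```python
from collections import deque

PAGE = 16  # toy frame size in bytes (real pages are 4 KB)


class PhysicalMemory:
    """Toy model of the page lists; frame contents are kept so leaks are visible."""

    def __init__(self, nframes):
        self.data = [bytes(PAGE)] * nframes
        self.zeroed = deque(range(nframes))  # assumption: every frame starts zeroed
        self.free = deque()
        self.standby = {}    # (pid, vpage) -> frame, unmodified pages
        self.modified = {}   # (pid, vpage) -> frame, dirty pages
        self.working = {}    # (pid, vpage) -> frame, pages in a working set
        self.dirty = set()   # keys written since they were last saved
        self.disk = {}       # (pid, vpage) -> bytes, stands in for the page file

    def demand_zero(self, pid, vpage):
        """Step 8: a brand-new private page comes from the zeroed list only."""
        if not self.zeroed:
            self.zero_page_thread()  # assumption: zero on demand if the list is empty
        self.working[(pid, vpage)] = self.zeroed.popleft()

    def write(self, pid, vpage, payload):
        self.data[self.working[(pid, vpage)]] = payload.ljust(PAGE, b"\0")[:PAGE]
        self.dirty.add((pid, vpage))

    def read(self, pid, vpage):
        return self.data[self.working[(pid, vpage)]]

    def trim(self, pid, vpage):
        """Step 1: a trimmed page goes to the modified or the standby list."""
        key = (pid, vpage)
        target = self.modified if key in self.dirty else self.standby
        target[key] = self.working.pop(key)

    def modified_page_writer(self):
        """Step 4: write dirty pages out, then keep them as clean standby pages."""
        for key, frame in list(self.modified.items()):
            self.disk[key] = self.data[frame]
            self.standby[key] = self.modified.pop(key)
            self.dirty.discard(key)

    def reclaim_standby(self, pid, vpage):
        """Assumption (not in the slide text): a standby frame is repurposed."""
        self.free.append(self.standby.pop((pid, vpage)))

    def fault(self, pid, vpage):
        """Step 2 (soft fault, no disk I/O) or step 6 (hard fault, free frame)."""
        key = (pid, vpage)
        for page_list in (self.modified, self.standby):
            if key in page_list:
                self.working[key] = page_list.pop(key)
                return "soft"
        frame = self.free.popleft() if self.free else self.zeroed.popleft()
        self.data[frame] = self.disk[key]  # old contents are fully overwritten
        self.working[key] = frame
        return "hard"

    def exit_process(self, pid):
        """Step 3: every frame the process still owns goes to the free list."""
        for table in (self.working, self.modified, self.standby):
            for key in [k for k in table if k[0] == pid]:
                self.free.append(table.pop(key))
        self.dirty = {k for k in self.dirty if k[0] != pid}

    def stale_free_frames(self):
        """Free frames that still hold a previous owner's bytes."""
        return [f for f in self.free if self.data[f] != bytes(PAGE)]

    def zero_page_thread(self):
        """Step 7: the idle-time thread zeroes free frames and moves them over."""
        while self.free:
            frame = self.free.popleft()
            self.data[frame] = bytes(PAGE)
            self.zeroed.append(frame)


def demo():
    mem = PhysicalMemory(nframes=1)        # one frame, so process B must reuse A's
    mem.demand_zero("A", 0)
    mem.write("A", 0, b"secret-key")       # constructed sample data
    mem.trim("A", 0)
    first = mem.fault("A", 0)              # still in memory: soft fault
    mem.trim("A", 0)
    mem.modified_page_writer()
    mem.reclaim_standby("A", 0)
    second = mem.fault("A", 0)             # no longer resident: hard fault
    restored = mem.read("A", 0)
    mem.exit_process("A")
    stale = len(mem.stale_free_frames())   # A's bytes are still in the freed frame
    mem.zero_page_thread()
    mem.demand_zero("B", 0)
    return first, second, restored, stale, mem.read("B", 0)


if __name__ == "__main__":
    print(demo())
```

The free list is safe for hard faults because the frame is overwritten from disk; only the zeroed list is safe for a new private page, which is why process B reads zeros here even though it received the frame process A used.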
44
Input/Output in Vista
The I/O system consists of
  Plug-and-play services
  The power manager
  The Input/Output manager
  Device drivers
45
Plug-and-Play Services
Buses such as PCI, USB, EIDE, and SATA had been designed in such a way that the plug-and-play manager can send a request to each slot and ask the device there to identify itself
After identification PnP manager allocates hardware resources, such as interrupt levels, locates the appropriate drivers, and loads them into memory
As each driver is loaded, a driver object is created
46
Power Manager
The power manager adjusts the power state of the I/O devices to reduce system power consumption when devices are not in use
This is very important when laptops are on battery power
Two special modes of power saving:
  Hibernation mode: all of the physical memory is copied to disk and power consumption is reduced to a minimum level
  Standby mode: power is reduced to the lowest level enough to refresh the dynamic RAM
47
Input/Output Manager
Handles I/O system calls and IRP (I/O Request Packet) based operations
Figure 11-37. Native NT API calls for performing I/O
48
Device Drivers
All drivers must conform to the WDM (Windows Driver Model) standards for compatibility reasons with the older Windows versions
Devices in Windows are represented by device objects which are used to represent
  Hardware, such as buses
  Software abstractions like file systems, network protocol engines and kernel extensions, like antivirus filter drivers
49
Device Stacks
Figure 11-40. Windows allows drivers to be stacked to work with a specific instance of a device. The stacking is represented by device objects.
A driver may do the work by itself like a printer driver
Some drivers are stacked, meaning that requests pass through a sequence of drivers
50
51
File Systems
Three driver layers
  Volume drivers
    Low level drivers
    Interact with data storage hardware devices
  File system drivers
    NTFS
    FAT16 (16 bit disk addresses with disk partitions at the most 2 GB)
    FAT32 (32 bit disk addresses and supports partitions up to 2 TB, not secure and used mainly for transportable media, such as flash disks, nowadays)
  File system filter drivers
    Perform high-level functions
    Virus scanning
    Encryption
52
File System Drivers
Typical Disk I/O
  User-mode thread passes file handle to object manager
  Object manager passes file pointer to file system driver
  File system driver passes request to device driver stack
  Eventually request reaches disk
  Disk performs requested I/O
53
NTFS
NTFS overview
  Windows NT file system
  More secure than FAT
  Scales well to large disks
    Cluster size depends on disk size
    64-bit file pointers
    Can address up to 16 exabytes of disk
  Multiple data streams
  Compression and encryption
Powers of 10 & 2 - Side Remark
Prefix  Symbol  Power of 10  Power of 2
Kilo    K       10^3         2^10
Mega    M       10^6         2^20
Giga    G       10^9         2^30
Tera    T       10^12        2^40
Peta    P       10^15        2^50
Exa     E       10^18        2^60
Zetta   Z       10^21        2^70
Yotta   Y       10^24        2^80
54
64 bits for addressing = 16 Exa bytes
File System Structure
Each NTFS volume (e.g., disk partition) contains files, directories, bitmaps, and other data structures
Each volume is organized as a linear sequence of blocks (called clusters), usually 4 KB in size (can be 512 bytes to 64 KB) and pointed to by 64-bit pointers
The main data structure in each volume is the MFT (Master File Table) which is a linear sequence of 1 KB records
55
NTFS Master File Table (1)
Each MFT record describes one file or directory and contains file attributes (file name, block addresses, timestamps etc.)
The MFT is a file itself and can be placed anywhere within the volume thus eliminating the problem of defective sectors in the first track
MFT can grow dynamically up to a maximum size of 2^48 records
The first 16 MFT records are reserved for NTFS metadata files which contain volume related system data to describe the volume
56
NTFS Master File Table (2)
57
Attributes Used in MFT Records
Each record consists of a sequence of (attribute header – name & length, value) pairs
If attribute is small it is kept in the record, if it is long it is put in another block on disk and pointed to from here
58
MFT Record for A File
Figure 11-43. An MFT record for a three-run, nine-block stream.
File fits one MFT record
Header (0,9): Offset of the first block of the stream (0) and offset of the first block not covered by the record (9)
59
MFT Records for A File
Figure 11-44. A file that requires three MFT records to store all its runs
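An added example (not from the original slides or the books they cite): a Python sketch of how the record headers and runs of Figures 11-43 and 11-44 locate a file block, with the consistency checks a forensic parser would apply before trusting them. It follows the slides' simplified model rather than the NTFS on-disk encoding; runs are assumed to be (starting disk block, length) pairs, and the names and all run values are constructed for illustration.

```python
from dataclasses import dataclass

BLOCK_SIZE = 4096  # the usual block size given on the File System Structure slide


class RunListError(ValueError):
    """Raised when MFT records describe a stream inconsistently."""


@dataclass
class MftRecord:
    first_block: int   # header: offset of the first stream block in this record
    next_block: int    # header: offset of the first block NOT covered by it
    runs: list         # [(disk_start_block, length_in_blocks), ...]


def validate(records, volume_blocks):
    """Check the chain of records for one stream; return its length in blocks."""
    expected, extents = 0, []
    for i, rec in enumerate(records):
        if rec.first_block != expected:
            raise RunListError(
                f"record {i} starts at {rec.first_block}, expected {expected}")
        covered = 0
        for start, length in rec.runs:
            if length <= 0 or start < 0 or start + length > volume_blocks:
                raise RunListError(
                    f"record {i}: run ({start},{length}) is outside the volume")
            extents.append((start, start + length))
            covered += length
        if rec.first_block + covered != rec.next_block:
            raise RunListError(
                f"record {i}: header ends at {rec.next_block}, "
                f"runs end at {rec.first_block + covered}")
        expected = rec.next_block
    extents.sort()
    for (_, end_a), (start_b, _) in zip(extents, extents[1:]):
        if start_b < end_a:
            raise RunListError("two runs claim the same disk block")
    return expected


def disk_block(records, byte_offset):
    """Map a byte offset in the stream to the disk block that holds it."""
    if byte_offset < 0:
        raise RunListError("negative offset")
    wanted = byte_offset // BLOCK_SIZE
    for rec in records:
        if rec.first_block <= wanted < rec.next_block:
            position = rec.first_block
            for start, length in rec.runs:
                if wanted < position + length:
                    return start + (wanted - position)
                position += length
    raise RunListError(f"offset {byte_offset} is past the end of the stream")


def is_rejected(records, volume_blocks=1024):
    try:
        validate(records, volume_blocks)
    except RunListError:
        return True
    return False


# Constructed sample data (the figures' own run values are not on this page).
ONE_RECORD = [MftRecord(0, 9, [(120, 4), (300, 2), (512, 3)])]   # header (0,9)
THREE_RECORDS = [
    MftRecord(0, 6, [(120, 4), (300, 2)]),
    MftRecord(6, 11, [(512, 3), (40, 2)]),
    MftRecord(11, 15, [(700, 4)]),
]
# Header claims nine blocks but the runs cover only eight.
SHORT_RUNS = [MftRecord(0, 9, [(120, 4), (300, 2), (512, 2)])]
# The second run reuses disk blocks 122-123 of the first.
OVERLAP = [MftRecord(0, 6, [(120, 4), (122, 2)])]

if __name__ == "__main__":
    print(validate(ONE_RECORD, 1024), disk_block(ONE_RECORD, 5 * BLOCK_SIZE))
    print(validate(THREE_RECORDS, 1024),
          disk_block(THREE_RECORDS, 9 * BLOCK_SIZE + 17))
    print(is_rejected(SHORT_RUNS), is_rejected(OVERLAP))
```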
60
An MFT Record for A Small Directory
61
An MFT Record for A Large Directory
Large directories are arranged as B trees
Multiple directory entries can point to the same file
File deleted only when an attribute (hard_link) drops to zero
File Compression
Transforms file to take less space on disk
Lempel-Ziv Compression Algorithm
Transparent
  Applications access files using standard API calls
  System compresses and decompresses files
  Applications unaware if file compressed
The compression algorithm considers 16 consecutive blocks
  If the compressed form takes less than 16 blocks then the compression is applied else not

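The 16-block rule above, as an added example that is not part of the original slides: each compression unit is compressed and the result is kept only if it occupies fewer blocks than the unit itself. The 4096-byte block size is an assumption, zlib stands in for the file system's own Lempel-Ziv compressor, and the sample file is constructed.

```python
import hashlib
import zlib

BLOCK = 4096        # assumed block size in bytes (not given on the slide)
UNIT_BLOCKS = 16    # blocks per compression unit, from the slide


def blocks_needed(nbytes):
    """Whole blocks required to hold nbytes."""
    return -(-nbytes // BLOCK)


def plan_units(data):
    """Per unit, return (blocks_stored, compressed) under the slide's rule."""
    unit_bytes = BLOCK * UNIT_BLOCKS
    plan = []
    for off in range(0, len(data), unit_bytes):
        unit = data[off:off + unit_bytes]
        raw_blocks = blocks_needed(len(unit))     # 16 for a full unit
        packed_blocks = blocks_needed(len(zlib.compress(unit)))
        if packed_blocks < raw_blocks:
            plan.append((packed_blocks, True))    # store compressed form
        else:
            plan.append((raw_blocks, False))      # no saving: store as is
    return plan


def sample_file():
    """Constructed input: one text-like unit, one high-entropy unit."""
    unit_bytes = BLOCK * UNIT_BLOCKS
    text = (b"GET /index.html HTTP/1.1\r\n" * 4096)[:unit_bytes]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(unit_bytes // 32))
    return text + noise


if __name__ == "__main__":
    for i, (blocks, packed) in enumerate(plan_units(sample_file())):
        print(f"unit {i}: {blocks} blocks, compressed={packed}")
```

The high-entropy unit is stored uncompressed, which is also what happens to data that is already encrypted or compressed.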
File Encryption
Protects files from illicit access
Encryption performed in compression units
Keys
  Public key / private key encryption
  Recovery key given to system administrator
    In case user forgets password
  Encrypted versions of keys stored on disk
  Decrypted keys stored in non-paged pool

Security
Security properties inherited from the original security design of NT:
  Secure login with anti-spoofing measures (prevents the login screen from being imitated)
  Discretionary access controls (owner has the rights)
  Privileged access controls (superuser can override)
  Address space protection per process
  New pages must be zeroed before being mapped in
  Security auditing (log of several security related events)

Interprocess Communication
Data oriented
  Pipes
  Mailslots (message queues)
  Shared memory
Procedure oriented / object oriented
  Remote procedure calls
  Microsoft COM (Component Object-Model) objects
  Clipboard
  GUI drag-and-drop capability

Pipes
Manipulated with file system calls
  Read
  Write
  Open
Pipe server
  Process that creates pipe
Pipe clients
  Processes that connect to pipe
Modes
  Read: pipe server receives data from pipe clients
  Write: pipe server sends data to pipe clients
  Duplex: pipe server sends and receives data

Pipes
Anonymous Pipes
  Unidirectional
  Between local processes
  Synchronous
  Pipe handles, usually passed through inheritance
Named Pipes
  Unidirectional or bidirectional
  Between local or remote processes
  Synchronous or asynchronous
  Opened by name
  Byte stream vs. message stream
  Default mode vs. write-through mode

Mailslots
Mailslot server: creates mailslot
Mailslot clients: send messages to mailslot
Communication
  Unidirectional
  No acknowledgement of receipt
  Local or remote communication
  Implemented as files
  Two modes
    Datagram: for small messages
    Server Message Block (SMB): for large messages

Other Features
Cookie management
Certificates
Trusted Internet Zones
Automatic Update
  Notifies users of security patches
  Can download and install patches automatically