Introduction
Windows Internals, 5th edition is the update to Windows Internals, 4th edition that covers Windows Vista and Windows Server 2008 (32-bit and 64-bit). It was written by Mark Russinovich, a Technical Fellow in Microsoft’s Windows Core Operating System Division, and David Solomon, an operating systems expert and Windows internals teacher, with contributions from Alex Ionescu, who specializes in OS internals and security.
This edition has 25% more content than the previous edition and covers features new to Windows Vista and Windows Server 2008, including PatchGuard, Hyper-V support, the Kernel Transaction Manager, I/O priorities, SuperFetch, ReadyBoot, ReadyBoost, BitLocker, UAC, the Windows Integrity Mechanism, and Service Security Hardening, among others. It is also updated with new experiments and new examples that highlight the use of Sysinternals tools such as Process Explorer and Process Monitor.
Sample Chapter
Download the full Chapter 5: Processes, Threads and Jobs to get a look at the deep technical information presented in Windows Internals.
Ordering the Book
The book is available for purchase on Amazon.com and available from O'Reilly in 4 ebook formats, from the iTunes store for an iPhone or iPod Touch, or you can read it online through Safari.
Description of the Book
Get the architectural perspectives and inside details you need to understand how Windows operates
See how the core components of the Windows operating system work behind the scenes—guided by a team of internationally renowned internals experts. Fully updated for Windows Server® 2008 and Windows Vista®, this classic guide delivers key architectural insights on system design, debugging, performance, and support—along with hands-on experiments to experience Windows internal behavior firsthand.
Delve inside Windows architecture and internals:
- Understand how the core system and management mechanisms work—from the object manager to services to the registry
- Explore internal system data structures using tools like the kernel debugger
- Grasp the scheduler’s priority and CPU placement algorithms
- Go inside the Windows security model to see how it authorizes access to data
- Understand how Windows manages physical and virtual memory
- Tour the Windows networking stack from top to bottom—including APIs, protocol drivers, and network adapter drivers
- Troubleshoot file-system access problems and system boot problems
- Learn how to analyze crashes
Table of Contents
- Introduction
- Architecture
- System Mechanisms
- Management Mechanisms
- Processes, Threads and Jobs
- Security
- I/O System
- Storage Management
- Memory Management
- Cache Manager
- File Systems
- Networking
- Startup and Shutdown
- Crash Dump Analysis
Book Tools
Tools that the book references and that are hosted here but not listed on the main Sysinternals site include:
- Notmyfault: Use this executable and driver to crash your system in several different ways. Chapter 7 uses Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash analysis examples. The download includes x86 (in the exe\release directory) and x64 versions (in the exe\relamd directory) as well as full source.
- Testlimit: Chapter 3 uses Testlimit to demonstrate the operating system's per-process limit on the number of concurrently opened handles, but the tool's command-line options also let you test limits of process and thread creation.
- Accvio: This executable generates a user-mode access violation by trying to reference virtual address zero, which, by default, is marked no-access. Chapter 3 uses it to demonstrate the behavior of Windows when an application triggers an unhandled exception.
- Iopriority: This tool is used in Chapter 7 to demonstrate the preference the system gives to high-priority I/O over low-priority I/O. It does so by creating two threads and having one issue high-priority and the other low-priority I/Os. It was written by Jeffrey Richter of Wintellect.
Errata
If you have general feedback for us, find an inaccuracy, or have a suggestion for the next edition, please send e-mail to syssite@microsoft.com. We'll post corrections and tool updates to this page.
| Page | Correction |
| --- | --- |
| p. 25: | In Table 1-3, REGMON should be PROCMON. |
| p. 42: | “lm mv nt” should be “lm vm nt” |
| p. 66: | The command 'lm mv hal' in bold text should be 'lm vm hal'. |
| p. 89: | “...is at interrupt number 0x91...” should be “...is at interrupt number 0x81...” |
| p. 132: | Experiment step 3: “Each offset can be mapped to each function with the ln command, by stripping off the bottom 4 bits” Should read: “Each offset can be mapped to each function with the ln command, by shifting right by 4 bits” And the kernel debugger command at the bottom of the page should change from: ln KiServiceTable+(033021e0 & -16) to ln @@c++(((int*)@@(nt!KiServiceTable))[SYSCALL ID] >> 4) + nt!KiServiceTable (where SYSCALL ID is the number of the system call) |
| p. 154: | The process ID 0x408 should be 0xAAC in “The following command displays full details about the handle table for process ID 0x408” |
| p. 162: | The reference to the key HKLM\SYSTEM\CurrentControlSet\ Session Manager\Memory Management should be HKLM\SYSTEM\CurrentControlSet\ Control\Session Manager\Memory Management. |
| p. 186: | The sentence “The wait list head pointers are identical, so there are no waiting threads waiting on this object.” is incorrect; the wait list head pointers are also identical when there’s a single thread waiting on the object |
| p. 191: | ExTryToAcquireResourceExclusiveLite is not documented |
| p. 221: | “Options” in “Now follow the steps in the experiment Viewing Debugging Options” should be “Objects” |
| p. 237: | The example of hypervisor processor assignment should read: “For example, one child partition could be scheduled on logical processors 1,2,3 and 4, while a second child partition is scheduled on processors 5 6,7 and 8”. The subsequent sentence that begins with “Note that the second” should be deleted. |
| p. 240: | In the second paragraph, “(KMT)” should be “(KTM)” |
| p. 243: | The first instance of the address 82227ea5 in “82227ea5 ebfc jmp nt!FsRstTeardownPerFileContexts+0x169 (82227ea5)” should be 82228eaa |
| p. 252: | The reference to HKLM\<SID>\Classes should be to HKLM\<SID>\SOFTWARE\Classes |
| p. 263: | In step 6, launch Regedit by selecting Jump To from the Event menu |
| p. 265: | The -i switch in the psexec command has Process Monitor run on the session 0 desktop |
| p. 497: | The reference to the SetSecurityInfo and SetNamedSecurityInfo APIs should instead refer to SetEntriesInAcl |
| p. 520: | The handle command in the experiment should read: handle -a 15cd5 |
| p. 596: | “The GetQueuedCompletionStatus or GetQueuedCompletionStatusEx API allows...” should be “The GetQueuedCompletionStatusEx API allows...” |
| p. 603: | SetFileIoBandwidthReservation should be SetFileBandwidthReservation |
| p. 666: | The sentence, “This read behavior ... read-operation load balancing.” should be deleted. |
| p. 673: | Figure 8-14, “Disk port driver” should be enclosed with a medium grey box, as it is on page 675, Figure 8-15 |
| p. 716: | “through which applications can disable DEP or their own images” should be “through which applications can disable DEP on their own images” |
| p. 719: | “32 bit Windows can support up to 128GB of physical” should be “32 bit Windows can support up to 64GB of physical” |
| p. 724: | “You can also examine the values of the kernel variables listed in Table 9-6” should be “You can also examine the values of the kernel variables listed in Table 9-5” |
| p. 725: | The text “In this example, CM25-tagged allocations...” should read “In this example, ALPC-tagged allocations...” |
| p. 748: | Figure 9-14, the address FFFF080000000000 should be FFFF800000000000 |
| p. 767: | In the statement “Disables caches of writes to this page so that changes are immediately flushed to disk”, “disk” should be “memory” |
| p. 926: | “except they can only be local to a volume.” should read “except they can only reference local volumes and they can be created by standard user accounts.” |
| p. 990: | The paragraph about switching system cryptographic functions from AES256 to 3DES is not applicable in Windows Vista and should be disregarded, as should the sentence about 3DES enabling larger keys. |
| p. 1111: | The sentence “The only supported way to modify WRP-protected files is through the Windows Modules Installer service, which can run under the TrustedInstaller account.” should read “The only supported way to modify WRP-protected files is through the Windows Modules Installer service, which runs with the TrustedInstaller SID” |
| p. 1197: | The first entry under G is “Gait Waiting”, should be “Gate Waiting” |
| p. 1230: | “callout drivers, 1180” is listed under “WFP (Windows File Protection)”. It should be under “WFP (Windows Filtering Platform)”. |