Windows Internals Book
Introduction
Windows Internals, 5th edition is the update to Windows Internals, 4th edition that covers Windows Vista and Windows Server 2008 (32-bit and 64-bit). It was written by Mark Russinovich, a Technical Fellow in Microsoft’s Windows Core Operating System Division, and David Solomon, an operating systems expert and Windows internals teacher, with contributions from Alex Ionescu, who specializes in OS internals and security.
This edition has 25% more content than the previous edition and covers features new to Windows Vista and Windows Server 2008, including PatchGuard, Hyper-V support, the Kernel Transaction Manager, I/O priorities, SuperFetch, ReadyBoot, ReadyBoost, BitLocker, UAC, the Windows Integrity Mechanism, and Service Security Hardening. It is also updated with new experiments and new examples that highlight the use of Sysinternals tools like Process Explorer and Process Monitor.
Sample Chapter
Download the full Chapter 5: Processes, Threads and Jobs to get a look at the deep technical information presented in Windows Internals.
Ordering the Book
The book is available for purchase on Amazon.com, from O'Reilly in three ebook formats, and from the iTunes store for an iPhone or iPod Touch, or you can read it online through Safari.
Description of the Book
Get the architectural perspectives and inside details you need to understand how Windows operates
See how the core components of the Windows operating system work behind the scenes—guided by a team of internationally renowned internals experts. Fully updated for Windows Server® 2008 and Windows Vista®, this classic guide delivers key architectural insights on system design, debugging, performance, and support—along with hands-on experiments to experience Windows internal behavior firsthand.
Delve inside Windows architecture and internals:
- Understand how the core system and management mechanisms work—from the object manager to services to the registry
- Explore internal system data structures using tools like the kernel debugger
- Grasp the scheduler’s priority and CPU placement algorithms
- Go inside the Windows security model to see how it authorizes access to data
- Understand how Windows manages physical and virtual memory
- Tour the Windows networking stack from top to bottom—including APIs, protocol drivers, and network adapter drivers
- Troubleshoot file-system access problems and system boot problems
- Learn how to analyze crashes
Table of Contents
- Introduction
- Architecture
- System Mechanisms
- Management Mechanisms
- Processes, Threads and Jobs
- Security
- I/O System
- Storage Management
- Memory Management
- Cache Manager
- File Systems
- Networking
- Startup and Shutdown
- Crash Dump Analysis
Book Tools
Tools that are referenced in the book and hosted here, but not listed among the tools on Sysinternals, include:
- Notmyfault: Use this executable and driver to crash your system in several different ways. Chapter 9 (Memory Management) uses Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash analysis examples. The download includes x86 (in the exe\release directory) and x64 versions (in the exe\relamd directory) as well as full source.
- Testlimit: Chapter 3 uses Testlimit to demonstrate the operating system's per-process limit on the number of concurrently open handles, but the tool's command-line options also let you test the limits of process and thread creation.
- Accvio: This executable generates a user-mode access violation by trying to reference virtual address zero, which is marked no-access by default. Chapter 3 uses it to demonstrate the behavior of Windows when an application triggers an unhandled exception.
- Iopriority: This tool is used in Chapter 7 to demonstrate the preference the system gives to high-priority I/O over low-priority I/O. It does so by creating two threads and having one issue high-priority and the other low-priority I/Os. It was written by Jeffrey Richter of Wintellect.
Errata
If you have general feedback for us, find an inaccuracy, or have a suggestion for the next edition, please send e-mail to syssite@microsoft.com. We'll post corrections and tool updates to this page.
| Page | Correction |
|---|---|
| p. 25 | In Table 1-3, REGMON should be PROCMON. |
| p. 42 | “lm mv nt” should be “lm vm nt”. |
| p. 66 | The command 'lm mv hal' in bold text should be 'lm vm hal'. |
| p. 89 | “...is at interrupt number 0x91...” should be “...is at interrupt number 0x81...”. |
| p. 154 | The process ID 0x408 should be 0xAAC in "The following command displays full details about the handle table for process ID 0x408". |
| p. 162 | The reference to the key HKLM\SYSTEM\CurrentControlSet\Session Manager\Memory Management should be HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. |
| p. 186 | The sentence “The wait list head pointers are identical, so there are no waiting threads waiting on this object.” is incorrect; the wait list head pointers are also identical when there is a single thread waiting on the object. |
| p. 191 | ExTryToAcquireResourceExclusiveLite is not documented. |
| p. 237 | The example of hypervisor processor assignment should read: “For example, one child partition could be scheduled on logical processors 1, 2, 3 and 4, while a second child partition is scheduled on processors 5, 6, 7 and 8.” |
| p. 240 | In the second paragraph, “(KMT)” should be "(KTM)". |
| p. 243 | The first instance of the address 82227ea5 in “82227ea5 ebfc jmp nt!FsRstTeardownPerFileContexts+0x169 (82227ea5)” should be 82228eaa. |
| p. 252 | The reference to HKLM\<SID>\Classes should be to HKLM\<SID>\SOFTWARE\Classes. |
| p. 263 | In step 6, launch Regedit by selecting Jump To from the Event menu. |
| p. 265 | The -i switch in the psexec command has Process Monitor run on the session 0 desktop. |
| p. 497 | The reference to the SetSecurityInfo and SetNamedSecurityInfo APIs should instead refer to SetEntriesInAcl. |
| p. 520 | The handle command in the experiment should read: handle -a 15cd5 |
| p. 673 | In Figure 8-14, “Disk port driver” should be enclosed in a medium grey box, as it is on page 675 in Figure 8-15. |
| p. 716 | “through which applications can disable DEP or their own images.” should be “through which applications can disable DEP on their own images.” |
| p. 719 | “32 bit Windows can support up to 128GB of physical” should be “32 bit Windows can support up to 64GB of physical”. |
| p. 748 | In Figure 9-14, the address FFFF080000000000 should be FFFF800000000000. |
| p. 767 | In the statement "Disables caches of writes to this page so that changes are immediately flushed to disk", "disk" should be "memory". |
| p. 990 | The paragraph about switching system cryptographic functions from AES256 to 3DES is not applicable to Windows Vista and should be disregarded, as should the sentence about 3DES enabling larger keys. |
| p. 1197 | The first entry under G, "Gait Waiting", should be "Gate Waiting". |
Related Content
Mark’s TechNet Magazine articles on Windows Vista and Windows Server 2008 internals:
Mark’s webcasts on Windows Vista and Windows Server 2008 internals: