Windows Architecture: Description, Views, Structure

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design consisting of two main components: user mode and kernel mode.

It is a preemptive, reentrant operating system designed to work with uniprocessor and symmetric multiprocessor (SMP) computers. To process input/output (I/O) requests, it uses packet-driven I/O, which relies on I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began to provide 64-bit versions of the OS; before that, these platforms existed only in 32-bit versions.

What are its principles?

The architecture of Windows implements the following principles. Programs and subsystems in user mode are limited in terms of what system resources they have access to, while kernel mode has unlimited access to system memory and external devices.

Kernel mode in Windows NT has full access to the hardware and system resources of the computer. The Windows NT kernel is known as a hybrid kernel. The architecture includes a simple kernel, a hardware abstraction layer (HAL), drivers, and a number of services (collectively referred to as the Executive), all of which exist in kernel mode.





User mode in the Windows architecture consists of subsystems that can send I/O requests to the appropriate kernel-mode drivers using the appropriate dispatcher. The user-mode layer of Windows consists of the “Environment subsystems”, in which applications written for various operating systems are run, and the “Integrated subsystem”, which performs system functions on behalf of the environment subsystems.

The Executive interfaces with all user-mode subsystems and deals with I/O, object management, security, and process management. The kernel is located between the hardware abstraction layer and the Executive, providing multiprocessor synchronization, thread and interrupt scheduling and dispatching, as well as interrupt handling and exception dispatching. The kernel is also responsible for initializing device drivers at boot time.

Kernel-mode drivers exist at three levels:

  • highest;
  • intermediate;
  • lowest.

The Windows Driver Model (WDM) exists at the intermediate level and was mainly developed to ensure binary and source code compatibility between Windows 98 and Windows 2000. The lowest-level drivers are either legacy Windows NT device drivers that control a device directly, or a Plug and Play (PnP) hardware bus.









User mode

User mode consists of various system processes and DLLs.

The interface between applications and the kernel functions of the operating system is called the "environment subsystem." The architecture of Windows (7 and others in the NT line) can have more than one of them, each of which implements its own set of APIs. This mechanism was designed to support applications written for many different types of operating systems. None of the environment subsystems has direct access to the hardware. Access to hardware functions is done by calling kernel-mode routines.

What role do subsystems play?

There are four main environment subsystems: Win32, OS/2, Windows Subsystem for Linux, and POSIX.

The Win32 environment subsystem can run 32-bit Windows applications. It contains the console, as well as text window support, shutdown and hard-error handling for all other environment subsystems. It also supports Virtual DOS Machines (VDMs), which allow MS-DOS and 16-bit Win16 applications to run on Windows NT.

There is a special MS-DOS VDM that runs in its own address space and emulates an Intel 80486 running MS-DOS 5.0. Win16 programs, however, run in a Win16 VDM. By default they all run in the same process, using the same address space, and the Win16 VDM gives each program its own thread to run on. However, the architecture of Windows NT allows users to run a Win16 program in a separate Win16 VDM, which makes preemptive multitasking possible, since Windows will preempt the entire VDM process, which contains only one running application.

The Win32 environment subsystem process (csrss.exe) also includes window management functionality, sometimes referred to as the “window manager”. It processes input events (for example, from the keyboard and mouse), and then passes messages to applications that need to receive this input. Each application is responsible for the appearance or updating of its own windows and menus in response to these messages.

The OS/2 environment subsystem supports 16-bit character-based OS/2 applications and emulates OS/2 1.x, but not the 32-bit or graphical OS/2 applications used in OS/2 2.x or later, and on x86 computers only.

To run OS/2 1.x graphics programs, the Windows NT Add-Ins for Presentation Manager must be installed. The latest version of NT with the OS/2 subsystem was Windows 2000; it was removed starting with the Windows XP architecture.

The POSIX environment subsystem supports applications that are strictly written to either POSIX.1 or the corresponding ISO/IEC standards. It has been replaced by Interix, which is part of Windows Services for UNIX.

The security subsystem works with security tokens, grants or denies access to user accounts based on resource permissions, processes login requests and initiates login authentication, and determines which system resources should be audited by Windows NT.

Kernel mode

Kernel mode in the Windows NT architecture has full access to the hardware and system resources of the computer and runs code in a protected area of memory. It controls access to scheduling, thread prioritization, memory management, and interaction with hardware. Kernel mode stops user-mode services and applications from accessing critical areas of the operating system that they should not have access to; user-mode processes must ask kernel mode to perform such operations on their behalf.

Although the x86 architecture supports four different privilege levels (0 to 3), Windows uses only the two extreme ones. User-mode programs run at CPL 3, and the kernel runs at CPL 0. These two levels are often called “ring 3” and “ring 0,” respectively. This design decision was made to ensure portability of the code to RISC platforms that support only two privilege levels, although it breaks compatibility with OS/2 applications that contain I/O privilege segments that try to access hardware directly.

Kernel mode consists of the executive services, which are themselves made up of many modules that perform specific tasks; the kernel drivers; the kernel itself; and the hardware abstraction layer (HAL).

Executive

Windows Executive services make up the low-level part of kernel mode and are contained in the NTOSKRNL.EXE file. The Executive deals with I/O, object management, security, and process management. It is divided into several subsystems, among which a special role is played by the Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call (LPC), Memory Manager, Process Structure, and Security Reference Monitor (SRM). Grouped together, these components can be called the executive services (internal name Ex). System services (internal name Nt), that is, system calls, are also implemented at this level, with the exception of a very few that call directly into the kernel layer for better performance.

The term “service” in this context usually refers to a callable routine or a set of callable routines. This differs from the concept of a “service process,” which is a user-mode component, somewhat similar to a daemon on Unix-like operating systems. This is a feature of the architecture of the Windows 10 kernel and all previous releases.

Object Manager

The Object Manager (internal name Ob) is the executive subsystem that all other subsystems, especially system calls, must go through to gain access to Windows NT resources, which essentially makes it a resource management infrastructure service. The object manager is used to reduce duplication of resource management functionality in other executive subsystems, duplication that can lead to errors and complicate the development of Windows NT.

For this manager, each resource is an object, regardless of whether it is physical (such as a file system or peripheral device) or logical (such as a file). Each object has a structure or type that Ob should know about.

Creating an object in the architecture of the Windows family of operating systems is a process that proceeds in two stages: creation and insertion. Creation causes an empty object to be allocated and any resources required by the object manager to be reserved, such as an (optional) name in the namespace. If creation was successful, the subsystem responsible for it fills in the empty object. Finally, if the subsystem considers the initialization successful, it instructs the object manager to insert the object, which makes it accessible through its name or through a cookie called a handle (descriptor). From this moment, the lifetime of the object is handled by the object manager, and the subsystem must keep the object in working condition until Ob signals that it is to be disposed of.

Handles (descriptors) are identifiers that represent a reference to a kernel resource through an opaque value. Similarly, opening an object through its name is subject to security checks, but acting through an existing open handle is limited only by the access level requested when the object was opened or created.

Object types define the object procedures and any data specific to the object. Thus, Ob allows Windows NT to be an object-oriented operating system, because object types can be thought of as polymorphic classes that define objects. Most subsystems, however, with the notable exception of the I/O manager, rely on the default implementation for all procedures.

Each instance of the created object stores its name, parameters that are passed to the object creation function, security attributes and a pointer to its type.

Cache Manager

This architecture element of Windows 7 and other versions closely coordinates with the memory manager, the I/O manager and the I/O drivers to provide a common cache for regular file I/O. The Windows Cache Manager works with file blocks (rather than device blocks) so that local and remote files are handled consistently, and it provides a certain degree of coherency with memory-mapped views of files.

I/O Manager

This building block of Windows 10 and earlier allows devices to communicate with user-mode subsystems. It translates user-mode read and write commands into IRPs, which it passes to device drivers. It accepts file system I/O requests and converts them to device-specific calls, and can include low-level drivers that directly manipulate hardware to read input or write output. It also includes a cache manager to improve disk performance by caching read requests and writing to the disk in the background.

Local Procedure Call (LPC)

This structural part of the Windows 10 architecture (and all earlier releases) provides interprocess communication ports with connection semantics. LPC ports are used by user-mode subsystems to communicate with their clients, by Executive subsystems to communicate with user-mode subsystems, and as the basis for the local transport for Microsoft RPC.

Memory manager

This element of the architecture of Windows 8.1 and other versions manages virtual memory, its protection, and the paging of memory between physical memory and secondary storage. It thus implements a general-purpose allocator of physical memory. It also implements a parser for PE executables that lets an executable be mapped or unmapped in a single atomic step.

Starting with Windows NT Server 4.0, Terminal Server Edition, the memory manager implements the so-called session space, a kernel-mode memory range that is subject to context switching just like user-mode memory. This allows multiple instances of the kernel-mode Win32 subsystem and GDI drivers to work side by side, despite the flaws in their original design. Each session space is shared by several processes, collectively called a “session.”

To provide a certain degree of isolation between sessions without introducing a new type of object, the Security Reference Monitor handles the association between processes and sessions as an attribute of the security subject (token), and it can be changed only with special privileges.

The relatively simple and ad hoc nature of sessions is due to the fact that they were not part of the original design and had to be developed, with minimal disruption to the main line, by a third party (Citrix Systems) as a prerequisite for its terminal server product for Windows NT, called WinFrame.

However, starting with the Windows Vista architecture, sessions finally became a proper aspect of the architecture. No longer a memory manager construct that reaches user mode only indirectly through Win32, they have been expanded into a comprehensive abstraction that affects most executive subsystems. In fact, regular use of Windows Vista always leads to a multi-session environment.

Process structure

This architecture element of Windows 7 (and other versions) controls the creation and termination of processes and threads, and also implements the concept of a Job: a group of processes that can be terminated as a whole or placed under shared restrictions (for example, a total maximum of allocated memory or CPU time). Job objects were introduced in Windows 2000.

PnP Manager

Manages and supports device discovery and installation at boot time. It is also responsible for stopping and starting devices on demand: this can happen when a bus (for example, USB or IEEE 1394 FireWire) gains a new device and a driver must be loaded to support it. Its main part is actually implemented in user mode, in the Plug and Play service, which handles the often complex tasks of installing the appropriate drivers, notifying services and applications about the arrival of new devices, and displaying a graphical user interface.

Power Manager

It deals with power events (power off, standby, hibernation, etc.) and notifies affected drivers using special IRPs (Power IRPs). Its role is one of control.

Security Reference Monitor (SRM)

The primary authority for enforcing the security rules of the integrated security subsystem. It determines whether an object or resource can be accessed using access control lists (ACLs), which themselves are composed of access control entries (ACEs). An ACE contains a security identifier (SID) and a list of operations for which the ACE gives the selected trustee (a user account, group, or logon session) a permission (allow, deny, or audit) on that resource.
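The ACL walk performed by the SRM, and the earlier point that an already open handle is limited only by the access requested at open time, can be modelled as follows. This is an added illustration, not Windows source code: the type names, bit values, helper functions and the sample token and ACLs are constructed for the example, and audit ACEs are left out.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model: names and bit values are illustrative, not from Windows headers. */
enum { ACE_ALLOW, ACE_DENY };
enum { OBJ_READ = 0x1, OBJ_WRITE = 0x2, OBJ_DELETE = 0x4 };
typedef struct { int type; const char *sid; unsigned mask; } Ace;
typedef struct { const char **sids; int nsids; } Token;
typedef struct { unsigned granted; } Handle;

static int token_has_sid(const Token *t, const char *sid) {
    for (int i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Walk the ACL in order. A matching deny ACE that covers a still-outstanding
   bit ends the walk with "denied"; matching allow ACEs clear requested bits. */
int access_check(const Token *t, const Ace *acl, int n, unsigned desired) {
    unsigned remaining = desired;
    for (int i = 0; i < n && remaining; i++) {
        if (!token_has_sid(t, acl[i].sid)) continue;
        if (acl[i].type == ACE_DENY && (acl[i].mask & remaining)) return 0;
        if (acl[i].type == ACE_ALLOW) remaining &= ~acl[i].mask;
    }
    return remaining == 0;   /* anything not explicitly allowed is denied */
}

/* Open by name: the ACL is evaluated once and the result is stored in the handle. */
int open_object(const Token *t, const Ace *acl, int n, unsigned desired, Handle *h) {
    h->granted = access_check(t, acl, n, desired) ? desired : 0;
    return h->granted != 0;
}
/* Use through a handle: only the mask fixed at open time is consulted. */
int use_handle(const Handle *h, unsigned op) { return (h->granted & op) == op; }

/* Constructed sample: a user who is in BUILTIN\Users (S-1-5-32-545) and Everyone (S-1-1-0). */
static const char *user_sids[] = { "S-1-5-21-1111-1001", "S-1-5-32-545", "S-1-1-0" };
static const Token user = { user_sids, 3 };
static const Ace acl_deny_first[]  = { { ACE_DENY,  "S-1-5-32-545", OBJ_WRITE },
                                       { ACE_ALLOW, "S-1-1-0", OBJ_READ | OBJ_WRITE } };
static const Ace acl_allow_first[] = { { ACE_ALLOW, "S-1-1-0", OBJ_READ | OBJ_WRITE },
                                       { ACE_DENY,  "S-1-5-32-545", OBJ_WRITE } };
int main(void) {
    Handle h;
    open_object(&user, acl_deny_first, 2, OBJ_READ, &h);
    printf("write: deny-first=%d allow-first=%d | handle: read=%d write=%d\n",
           access_check(&user, acl_deny_first, 2, OBJ_WRITE),
           access_check(&user, acl_allow_first, 2, OBJ_WRITE),
           use_handle(&h, OBJ_READ), use_handle(&h, OBJ_WRITE));
    return 0;
}
```

The same two ACEs give opposite answers depending on their order, which is why an ACL review should flag deny entries that sit after a broader allow entry.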

GDI

The graphics device interface is responsible for tasks such as drawing lines and curves, rendering fonts, and processing palettes. In releases of the Windows NT 3.x series, the GDI component was placed in the client/server subsystem in user mode, but it was moved to kernel mode in the architecture of the Windows NT 4.0 operating system to improve graphics performance.

Kernel

The kernel in the architecture of Windows is located between the HAL and the Executive and provides multiprocessor synchronization, thread and interrupt scheduling and dispatching, as well as interrupt handling and exception dispatching. It is also responsible for initializing the device drivers that are needed at boot to start the operating system. That is, the kernel performs almost all the tasks of a traditional microkernel.
