计算机系信息处理实验室 lecture 6 management mechanisms xlanchen@03/25/2005

计算机系•信息处理实验室

Lecture 6 Management Mechanisms

xlanchen@03/25/2005

xlanchen@03/25/2005 Understanding the Inside of Windows2000

2计算机系信息处理实验室

Contents

The Registry

Services

Windows Management Instrumentation

计算机系•信息处理实验室

1. The Registry

Registry

The repository for systemwide and per-user settings

Used to configure and control 2K systems

For a complete reference to the contents of the 2K registry, please refer “Technical Reference to the Windows 2000 Registry” help file.

The focus

Registry structure

Data types

Key information in the registry

Registry Data Types

Registry is a database(compare with the file system)

Key: value (directory: file)

Subkey (subdirectory)

Root key (Root directory)

Naming convention

Registry Editor utilities:

Regedit

Regedit32 (for example)

Registry Data Types

11 typesREG_NONE No value type

REG_SZ Fixed-length Unicode NULL-terminated string

REG_EXPAND_SZ Variable-length, that can have embedded environment variables

REG_BINARY Arbitrary-length binary data

REG_DWORD 32-bit number

REG_DWORD_LITTLE_ENDIAN 32-bit number, low byte first.

REG_DWORD_BIG_ENDIAN 32-bit number, high byte first

REG_LINK Unicode symbolic link

REG_MULTI_SZq Array of Unicode NULL-terminated strings

REG_RESOURCE_LIST Hardware resource description

REG_FULL_RESOURCE_DESCRIPTOR Hardware resource description

Registry Logical Structure

Six root keys

HKEY_CURRENT_USER

HKEY_USERS

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_CURRENT_USER

Contains data regarding the preferences and software configuration of the locally logged-on user

\Documents and Settings\<username>\Ntuser.dat

Link to a subkey of HKER_USER

HKEY_USERS

contains a subkey for each loaded user profile and user class registration database on the system

HKEY_CLASSES_ROOT

consists of two types of information: file extension associations and COM class registrations

HKEY_LOCAL_MACHINE

contains all the systemwide configuration subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM

HKEY_CURRENT_CONFIG

link to current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

HKEY_PERFORMANCE_DATA

You can access the registry performance counter information directly by opening a special key named HKEY_PERFORMANCE_DATA and querying values beneath it

EXPERIMENT

Watching Registry Activity

Regmon.exe

Registry internals

Configuration manager

Manages the registry recoverably

The registry is a set of discrete files called hives

Registry tree

HKEY_LOCAL_MACHINE\SYSTEM \Winnt\System32\Config\System

HKEY_LOCAL_MACHINE\SAM \Winnt\System32\Config\Sam

HKEY_LOCAL_MACHINE\SECURITY \Winnt\System32\Config\Security

HKEY_LOCAL_MACHINE\SOFTWARE \Winnt\System32\Config\Software

HKEY_LOCAL_MACHINE\HARDWARE Volatile hive

HKEY_LOCAL_MACHINE\SYSTEM\Clone Volatile hive

HKEY_USERS\<security ID of username>

\Documents and Settings\<username>\Ntuser.dat

HKEY_USERS\<security ID of username>_Classes

\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat

HKEY_USERS\.DEFAULT \Winnt\System32\Config\Default

EXPERIMENT

Looking at Hive Handles

Handleex.exe

Hive Structure

Registry block (4KB)

Base block, includes global information about the hive

Signature: regf

Updated sequence numbers

Time stamp

Hive format version number

Checksum

Internal filename

To organize the registry data

A cell can hold a key, a value, a security descriptor, a list of subkeys, or a list of key values.

Head of a cell: Size

Data of a cell

Data type

Key cell, value cell, subkey-list cell, value-list cell, security-descriptor cell

To minimize some management chores

When a cell joins a hive and the hive must expand to contain the cell, the system creates an allocation unit called a bin

Bin head + bin offset + bin size

Cell index

Cell indexes: the links that create the structure of a hive

A cell index is the offset of a cell into the hive file

Internal structure of a registry hive

Cell map

The hive is buffered in the kernel’s address space (paged pool)

When hive grows, the system must allocate paged pool memory to store the new bins

The paged pool that keeps the registry data in memory isn't necessarily contiguous

Cell map: similar to virtual memory physical memory

Structure of a cell index

EXPERIMENT

Viewing Hive Paged Pool Usage

The Registry Namespace

Registry : key object

\Registry

Name parsing

\Registry : configure manager

the rest of the name configuration manager

Key object and key control block

Handle table

Key obj

Handle table

Key obj

Key control block

Flow of control

App: open an existed key

Obj Manager: parse \Registry

Configure Manager: parse the rest of the name

If opened: reference +1

Else: new key control block

Then: new key obj

Obj Manager: return handle

App: OK

Services

Also called Win32 services

Similar to UNIX daemon processes

Win32 services consist of three components

a service application,

a service control program (SCP),

the service control manager (SCM).

Service Applications

Consist of at least one executable

A user wanting to start, stop, or configure a service uses an SCP

Service applications are simply Win32 executables (GUI or console) with additional code

To receive commands from the SCM

To communicate the application's status back to the SCM.

Service Applications (cont.)When installing, setup program must register the service with the system (CreateService )

Usually: auto-start service

The function StartService can be used to start the service

Service characteristics

the service's type

the location of the service's executable image file,

an optional display name,

an optional account name and password

a start type

an error code

And optional information

Registry key for service

Characteristics: key value

Inside a service process

Service Accounts

The Local System Account

Alternate Accounts

Interactive Services

The Service Control Manager The SCM's executable file is \Winnt\System32\Services.exe

SvcCtrlMain

ScCreateServiceDB

This is the function that builds the SCM's internal service database

Service Startup

ScAutoStartService for auto-start services

The services are started in a certain order

HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List

Startup Errors

If an error is reported, ErrorControl determines the reflection

If SERVICE_ERROR_IGNORE (0) or not specified

The error is ignored

If SERVICE_ERROR_NORMAL (1), an event is written to the system Event Log

“The <service name> service failed to start due to the following error:”

example

An implementation of Web-Based Enterprise Management (WBEM)

WBEM: a standard defined DMTF

WMI Architecture

The WMI Namespace

Hierarchical organization

Root (dir): subnamespaces

Default

Security

WMI uses object properties that it defines as keys to identify the objects.

计算机系信息处理实验室 lecture 6 management mechanisms xlanchen@03/25/2005

Documents

rheology and deformation mechanisms

path o mechanisms

计算机系信息处理实验室 lecture 7 processes,...

计算机系信息处理实验室 lecture 5 startup and...

optimal mechanisms

new perspectives of real and virtual mechanisms models...

andrew abbott mechanisms and relations

mechanisms of nucleation

alternative mechanisms of service delivery

spasticity mechanisms

movement transformation mechanisms in spanish

计算机系信息处理实验室 lecture 8 processes,...

mechanics of machines: linkage mechanisms

mechanisms of leukemia-‐induced immunosuppression

计算机系信息处理实验室 lecture 4 system...

characteristics and mechanisms emissions

molecular mechanisms of cardiovascular aging

theory of mechanisms

deformation mechanisms

计算机系信息处理实验室 lecture 14 cache manager...

计算机系 信息处理实验室 lecture 6 management mechanisms xlanchen@03/25/2005

计算机系信息处理实验室 lecture 6 management mechanisms xlanchen@03/25/2005