Department of Computer Science, Information Processing Laboratory
Lecture 7 Processes, Threads, and Jobs (1)
xlanchen@04/01/2005
Understanding the Inside of Windows 2000
Contents
The internal structures of process
How to create a process
The internal structures of thread
How to create a thread
Thread Scheduling
Job Objects
Process structures
Kernel data structures
  KPROCESS (kernel - per process)
  EPROCESS (executive - per process)
  KTHREAD (kernel - per thread)
  ETHREAD (executive - per thread)
  WIN32K.SYS (kernel - one struct per USER/GDI thread)
Subsystem data structures
  CSRSS (Win32 subsystem - per user thread)
User mode data structures
  Process Environment Block (PEB, one per process)
  TEB (one per thread)
A simplified diagram
EPROCESS
EXPERIMENT
Displaying the Format of an EPROCESS Block
KPROCESS
PEB
EXPERIMENT
Examining the PEB
Kernel Variables Related to Process
PsActiveProcessHead
PsIdleProcess
PsInitialSystemProcess
PspCreateProcessNotifyRoutine
PspCreateProcessNotifyRoutineCount
PspLoadImageNotifyRoutine
PspLoadImageNotifyRoutineCount
PspCidTable
Performance Counters
With these counters you can track the processes running on your system;
retrieve them programmatically or view them with the Performance tool.
Process-Related Performance Counters
Privileged Time
Processor Time
User Time
Elapsed Time
ID Process
Creating Process ID
Thread Count
Handle Count
Functions
CreateProcess / CreateProcessAsUser / CreateProcessWithLogonW
OpenProcess
ExitProcess /TerminateProcess
FlushInstructionCache
GetProcessTimes /GetExitCodeProcess /GetCommandLine
GetCurrentProcessId /GetProcessVersion
GetStartupInfo
GetEnvironmentStrings /GetEnvironmentVariable
Get/SetProcessShutdownParameters
GetGuiResources
EXPERIMENT
Viewing Process Information with Task Manager
EXPERIMENT
Viewing the Process Tree
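As an added example (not part of the lecture), the two Process-object counters listed earlier, ID Process and Creating Process ID, are enough to rebuild programmatically the tree that this experiment views in a tool. It assumes Windows PowerShell with Get-Counter and the Process performance object available.

```powershell
# Added example, not part of the lecture: rebuild the process tree from the
# "ID Process" and "Creating Process ID" counters of the Process performance object.
# Assumes Windows PowerShell with Get-Counter and the Process performance object present.
function Get-ProcessTreeFromCounters {
    $samples = (Get-Counter -Counter '\Process(*)\ID Process',
                                     '\Process(*)\Creating Process ID').CounterSamples

    # Pair each counter instance (e.g. "svchost#3") with its own PID and its creator's PID.
    $byInstance = @{}
    foreach ($s in $samples) {
        if ($s.InstanceName -eq '_Total') { continue }     # synthetic aggregate, not a process
        if (-not $byInstance.ContainsKey($s.InstanceName)) { $byInstance[$s.InstanceName] = @{} }
        if ($s.Path -like '*\ID Process') {
            $byInstance[$s.InstanceName]['Pid'] = [int]$s.CookedValue
        } elseif ($s.Path -like '*\Creating Process ID') {
            $byInstance[$s.InstanceName]['Ppid'] = [int]$s.CookedValue
        }
    }
    $procs = foreach ($e in $byInstance.GetEnumerator()) {
        [pscustomobject]@{ Name = $e.Key; Pid = $e.Value['Pid']; Ppid = $e.Value['Ppid'] }
    }
    $livePids = @{}
    foreach ($p in $procs) { $livePids[$p.Pid] = $true }

    # Print one branch: every process whose creator is $parentPid, then recurse.
    function Show-Branch([int]$parentPid, [int]$depth) {
        $children = $procs | Where-Object { $_.Ppid -eq $parentPid -and $_.Pid -ne $parentPid } | Sort-Object Pid
        foreach ($c in $children) {
            '{0}{1} (PID {2})' -f ('  ' * $depth), $c.Name, $c.Pid
            Show-Branch $c.Pid ($depth + 1)
        }
    }

    # Roots are the Idle process (it reports itself as its own creator) and any process
    # whose creator has exited: "Creating Process ID" is recorded at creation time and never
    # updated, so a stale value may even name a PID that has since been reused.
    $roots = $procs | Where-Object { $_.Pid -eq $_.Ppid -or -not $livePids.ContainsKey($_.Ppid) } | Sort-Object Pid
    foreach ($r in $roots) {
        if ($r.Pid -eq $r.Ppid) { '{0} (PID {1})' -f $r.Name, $r.Pid }
        else { '{0} (PID {1}; creator PID {2} has exited)' -f $r.Name, $r.Pid, $r.Ppid }
        Show-Branch $r.Pid 1
    }
}

Get-ProcessTreeFromCounters
```

A process that appears as a root with an exited creator, or a child under an unexpected parent, is exactly the kind of anomaly the tree view is meant to make visible.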
EXPERIMENT
Viewing Thread Activity with QuickSlice
EXPERIMENT
Viewing Process Details with Process Viewer
EXPERIMENT
Using the Kernel Debugger !process Command
Creating a Win32 process
CreateProcess
CreateProcessAsUser
CreateProcessWithLogonW
Three parts of the OS are involved:
Kernel32.dll
Executive
Subsystem process (Csrss)
Main stages of CreateProcess
1. Open the image file (.exe) to be executed inside the process.
2. Create the Windows 2000 executive process object.
3. Create the initial thread (stack, context, and Windows 2000 executive thread object).
4. Notify the Win32 subsystem of the new process so that it can set up for the new process and thread.
5. Start execution of the initial thread (unless the CREATE_SUSPENDED flag was specified).
6. In the context of the new process and thread, complete the initialization of the address space (such as loading required DLLs) and begin execution of the program.
The main stages of process creation
Some notes
CreationFlags determines the priority class:
  Normal (default)
  Real-time
  Below Normal
  Idle
  …
Desktop
Stage 1:
Opening the Image to Be Executed
The executable file is matched to the appropriate Win32 image that will run it
The image is mapped into a section object for the new process
Choosing a Win32 image
Decision Tree for Stage 1
If the image is a/an                 | This image will run | And this will happen
POSIX executable file                | Posix.exe           | Restarts Stage 1
OS/2 1.x image                       | Os2.exe             | Restarts Stage 1
MS-DOS App. (*.exe, *.com, *.pif)    | Ntvdm.exe           | Restarts Stage 1
Win16 App.                           | Ntvdm.exe           | Restarts Stage 1
Command procedure (*.bat, *.cmd)     | Cmd.exe             | Restarts Stage 1
Stage 2
Creating the Windows 2000 Executive Process Object
NtCreateProcess
Setting up the EPROCESS block
Creating the initial process address space
Creating the kernel process block
Concluding the setup of the process address space
Setting up the PEB
Completing the setup of the executive process object
Stage 3:
Creating the Initial Thread and Its Stack and Context
Stack (size)
Context (set up by KiInitializeContextThread)
NtCreateThread creates the initial thread
The initial thread is created in a suspended state
Stage 4:
Notifying the Win32 Subsystem About the New Process
Kernel32.dll sends a message to the Win32 subsystem containing:
  Process and thread handles
  Entries in the creation flags
  ID of the process's creator
  Flag indicating whether the process belongs to a Win32 application (so that Csrss can determine whether or not to show the startup cursor)
Upon receiving the message, the Win32 subsystem sets up for the new process and thread:
  Allocate a Csrss process block and thread block
Stage 5:
Starting Execution of the Initial Thread
The initial thread is now resumed (unless the CREATE_SUSPENDED flag was specified)
Stage 6:
Performing Process Initialization in the Context of the New Process
KiThreadStartup