INT201 - Core Windows Internals

Presents the most important aspects of the internal design and implementation of the Windows operating system in a three-day lecture+demo/hands-on format. 

 
Level: Intermediate
Audience:

Application developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; I.T. support personnel

Description:

All modern operating systems implement variations of the same core functions. In this seminar we examine how those functions are implemented in Windows; how the Windows implementations are similar in some ways, but different in others, to those of other operating systems; and, most important, the implications of these details on the system’s behavior, on the behavior of applications, on administrative tasks, and on the design of applications and device drivers

We will examine several key parts of the system, including thread scheduling, paging, virtual memory mapping, and the management of physical memory. Several built-in utilities, the SysInternals tools, and the windows debugging tools will be presented and used, both as aids to understanding the internals principles and as analysis tools for problem situations. 

This information is vital for application developers, who need to know and measure the impact on the system of various design approaches and of specific APIs; for system administrators, who need to be able to properly configure Windows systems and to see and understand the effects of their decisions; for anyone attempting support, performance optimization, or troubleshooting on Windows operating systems; for device driver writers; and for those evaluating or administering Windows security. 
 
You will also learn how the operation and performance of each system mechanism we describe is reflected in the various system monitoring tools. And while this is not specifically a debugging or troubleshooting seminar, the information here is essential for any type of problem analysis.
 
Topics:
  • Introduction and orientation

    • Windows technical description
    • Overview of recent Windows versions 
    • Windows product types (client vs. server)
    • Tools preview (built in tools; Sysinternals tools; debugging tools)
  • User mode environment

    • User vs. kernel mode
    • 32- vs. 64-bit address spaces
    • Types of applications (Win32, .net, WinRT, UWP, etc.)
    • Processes and threads
    • Sessions and jobs
    • Service processes and other background tasks
    • User mode memory allocation
    • Monitoring processes, threads, and CPU usage
    • Calling into kernel mode
  • Kernel mode components and mechanisms

    • User to kernel mode calls (system service dispatcher)
    • Executive, kernel, and HAL
    • Objects, handles, and security (access controls)
    • Registry 
    • Kernel mode programming environment

      • Interrupt handling and deferred procedure calls (DPCs)
      • Interrupt request level (IRQL) and other serialization mechanisms
      • Kernel mode stack
      • Kernel memory pools
    • System (kernel) threads
  • System startup sequence (bootstrapping)

    • Key system processes
  • Thread scheduling

    • Scheduler overview
    • Thread priorities and priority policies
    • Thread scheduling states and transitions
    • Preemption, timeslicing, and waiting
    • CPU time accounting
    • Priority adjustments
    • Multiprocessor issues
    • Monitoring process and thread activity
  • Memory management

    • Virtual memory concepts
    • Virtual address translation
    • Page faults, page files, and memory mapped files
    • Per-process physical memory management (working set management)
    • System-wide physical memory management
    • Interpreting memory-related performance counters, task manager displays, etc.
  • I/O subsystem and device driver architecture

    • Input/output APIs
    • Driver models
    • I/O subsystem and device driver control flow
    • Storage stack
    • Storage performance enhancements
Prerequisites:

Familiarity with basic operating system concepts; experience using, administering, or developing for Windows operating systems 

Operating systems supported:

This seminar primarily addresses Windows 7 through Windows 10 and Windows Server 2012 R2. Most of the material is applicable to earlier versions of Windows. Earlier versions can be specifically addressed upon request.

Durations and formats: 3 days with labs
Labs:

This seminar includes a series of guided experiments. During these, learners are instructed to run various programs that will induce or exercise the system behaviors being discussed, and will then use the appropriate system monitoring tools to show the results and confirm the behaviors. 

Additional information:

Other formats

This seminar is available in two-day, lecture-only versions tailored to specific needs. Please see:

INT150, Windows Internals Essentials
DRV150, Windows Internals Essentials for Device Driver Developers

Combinations

This seminar is offered together with DBG211 to form
CMB221, Windows Internals, Troubleshooting, and Memory Dump Analysis

Longer formats

And for those looking for even more detail and more hand-on time, please see INT250, Windows Internals Workshop (five days).