Windows NT Structure
NT runs in two modes:
- Kernel mode (Ring 0) - Executive which runs in protected memory mode with full privileges.
- User mode (Ring 3) - Runs with privileges to access its own memory area. User applications and environmental subsystems execute in this mode.
Applications are allocated a virtual 4Gb of memory with 2 for the user and 2 for executive services.
NT is modular in nature allowing it to have cross platform portability due primarily to the HAL module described below. The NT Architecture has 5 layers.
- Application - Runs in user mode.
- Subsystems - Runs in user mode.
- Executive Services - Runs in kernel mode.
- Kernel - Runs in kernel mode.
- HAL - Runs in kernel mode.
The NT architecture model in more detail, from the top down:
- User Level - The environmental subsystem and user applications execute at this level which runs in Ring 3, a non-privileged processor mode. User mode code can be preempted, is pageable, and can be context switched. User applications must use executive services to access devices or memory. The user mode subcategories are:
- Environmental - Each subsystems have an API to allow programs to run. The subsystems are called server objects and the applications are client objects.
- OS/2 - Supports OS/2 Applications. Interfaces with executive services (driver calls) and Win32 subsystem(display calls).
- Win32 - Supports the Windows native 32 bit applications and includes support for other systems. This is also called the Client/Server Runtime (CSR) subsystem which allows the system to be shut down, text windows to be displayed and provides error handling by supporting console and miscellaneous functions.
- NTVDM - NT's virtual DOS machine emulated DOS allowing DOS applications to run.
- Win16 Subsystem, Windows16 on Windows32 (WOW) - Supports 16 bit Windows applications.
- POSIX - Supports POSIX Applications. Interfaces with executive services (driver calls) and Win32 subsystem (display calls).
- Security - Includes the Logon Process and Security Subsystem - An authentification package is built by the security subsystem and it is sent to the Security Reference Monitor.
- Kernel Level also called executive services run in the protected mode of the processor ring. Cannot be paged or context switched.
- Executive Services layer - It supports device drivers, memory management, I/O, processes, threads, IPC, security, window management and graphics device interaction.
- Windows NT Kernel layer - This is the kernel itself which supports synchronization, thread management, context switching, multiprocessor load balancing, exception handling and interrupt handling. It interfaces to the hardware abstraction layer.
- Hardware Abstraction Layer (HAL) - Isolates the hardware from the system for multi-platform support.
In Original Windows systems, the GDI part of the operating system performs graphic functionality for the system and the USER portion is the window manager. In earlier versions of Windows, the GDI and USER parts of the system were included in the WIN32 subsystem. In Windows NT 4.0, these parts of the system were moved into the kernel mode and made part of the executive services.
The Executive Service Layer
It serves as the interface between the user and kernel levels and is composed of the following modules:
- Object Manager monitors the creation and use of objects. It also manages the global name space where access to all local objects is controlled.
- Security Reference Monitor is responsible for enforcing the access-validation and audit-generation policy as defined by the Security subsystem.
- Process Manager creates and deletes processes and also tracks process objects and thread objects.
- Local Procedure Call Facility, using a client/server relationship, provides a communications mechanism between the applications and the Environmental subsystem.
- Virtual Memory Manager maps virtual addresses in the userís address space to physical pages in the computerís memory.
- I/O Manager manages all input and output for the operating system, including cache manager, file system drivers, hardware device drivers, and network device drivers.
- Win32K window manager and GDI - Functions from Win32k.sys for graphics support and communication with graphic devices.
- Graphics device interface (GDI) - Enables graphics devices to communicate with NT.
- Hardware Device drivers - An interface between specific hardware devices and NT which interfaces to HAL.
When dealing with process two terms must be understood:
- Thread - The most basic entity that can be scheduled.
- Process - Made of one or more threads it is generally a program which may create other threads that run semi-independently of its process.
NT uses preemptive multitasking to manage processes but supports cooperative multitasking.
- Preemptive Multitasking - Threads may be assigned relative priorities.
- Cooperative Multitasking - Process in which the applications cooperate by releasing control of the processor. Windows 16 bit applications run this way.
The architecture of Windows NT includes memory protection. It uses:
- Demand-paging - The process of swapping memory between the RAM and the hard drive. The virtual memory manager performs this function.
- Virtual memory - Sets up virtual memory space larger than physical RAM by using the hard drive and swapping memory between RAM and the hard drive.
- Flat, linear address space accessed using 32-bit addresses. Up to 4G can be addressed at a time with 2G reserved for kernel use and the other 2G for user applications.
The system uses permanent and temporary swap files to support demand paging. RAM is managed in 4K byte sized pages. The permanent swap file stays the same size and temporary swap files expand in size as required. The permanent swap file size is controlled by the PAGEFILE.SYS file which is a system file that cannot be deleted. There can be one page file on each system hard drive and NT works fastest this way. Windows has an algorithm called the least recently used (LRU) algorithm which aids in managing these swap files. Page file characteristics:
Windows NT takes about 10M of memory for its own use. The minimum size page file size that can support Windows NT on a given system can be expressed with the formula (RAM - 10M) + pagefile = 22M. This formula can be simplified to (pagefile size) = 32M - RAM. Therefore, on a computer with 24M of RAM, the minimum pagefile size should be no less than 8M. To modify page file settings, open the control panel, run the System applet, and select the Performance tab. Multiple page files may be created on one or more disk drives. Putting a pagefile on each disk makes the system run faster since pagefile requests are performed on all available page files. NT will write to the pagefile with the most free space first. The system works faster if the system files and the pagefile are on a different drives. Minimum page file size is 2Mb according to some documentation.
- Default size at installation is 11M + physical RAM.
- The minimum size is 22M suggested by Microsoft
- The maximum size is three times physical RAM.
Windows NT supports up to 4 G of virtual RAM. There may be up to 2G of virtual memory storage allocated by the virtual memory manager for each application.
Provides support for security and access auditing along with setting file and directory permissions for various users. It uses sector sparing for fault tolerance and supports transaction tracking for data recovery in the event of power loss. Files and directories can be compressed by setting the compression property of the file or folder. The FAT filesystem has none of these features. Be aware that when MS-DOS is installed, it modifies the master boot record and will wipe the Windows NT or 2000 boot manager program when installed last.
An object is a combination of data and functions which may provide a service. It may be shared by multiple processes and will have attributes. An object's type determines its characteristics which include:
- Attributes or data
- Type defined by the system
- Services or functions which are operations that can be performed on the data type.
Two object types are:
- Control - Help control kernel operations and include interrupts, procedure calls, and processes.
- Dispatcher - Control system operation synchronization with objects with on or off signal states such as mutexes, semaphores, and timers.
Types of objects include:
- Symbolic links
- Network shares
The Object Manager subsystem controls object manipulation by monitoring processes that use objects and managing the object global name space which is used to access all objects on the computer. All objects have an access control list (ACL) used to determine if users can access the object.
IRP (I/O request Packet) and object handles are used to communicate between device drivers. I/O request packet is a data structure.
There are two ways for the operating system to use multiple processors (multiprocessing):
- ASMP - Asymmetric multiprocessing uses one processor to support the operating system and I/O devices exclusively. The other processors run user processes and application threads.
- SMP - Symmetric multiprocessing (SMP) shares all tasks whether they are operating system tasks or user processes between the available processors. Windows NT uses symmetric multiprocessing.