Skip to main content

Processes, Threads And Jobs [Part-1]

More
18 years 1 month ago #15971 by FallenZer0
Hello All:

A word of caution to all the readers of this thread. This thread was started with two simple questions and in my pursuit to find answers, it grew in its content and it will grow as I provide updates.

The information provided here is by NO means comprehensive. My hope is that it would benefit the readers. Iwould advise the readers to take it for what's it worth.

I have more questions than I have answers. So if anyone can contribute or add value to the subject, that will be greatly appreciated.

Stage-2:] Create Windows Process Object:

'CreateProcess' Calls 'NtCreateProcess' an internal function to Create Windows Process Object which will run the image. The steps involved in creating a windows process object are:

2A:] Set Up EPROCESS Block:
2B:] Create Initial Process Address Space:
2C:] Initialize Kernel Process Block aka Process Control Block:
2D:] Conclude Set Up of the Initial Process Address Space:
2E:] Set Up PEB [Process Environment Block]:
2F:] Conclude Set Up Of The Windows Process Object:

Let's take a look at the above:

2A:] Set Up EPROCESS Block:

-New Processes Inherit the Security Profile of the Parent Process. Now what happens if a Parent Process does NOT exist? Where would the New Process get the Security Profile from? My Common Sense guess would be the New Process Inherits it from the Access Token of th Currently Logged On User.

-Initializes Process Handle Table: If Inherit Handles Flag is set for the Parent Process, any Inheritable Handles are copied from the Parent Process Handle table into the New Process.

-Set the Exit Status of the New Process as Status_Pending. This is self-explanatory. Since the New Process has NOT been created yet, I can understand why the Exit Status is set to Status_Pending.

-Set the Parent Process ID in the New Process.

-Set the Address of Parent Process Quota Block to the New Process Quota Block and increment the Parent Process reference count. Why is the Address of the Parent Process Quota Block set to the New Process Quota Block? No Idea.

2B:] Create Initial Process Address Space:

Initial Process Address Space consists of the following Pages:

-Page Directory:
-HyperSpace Page:
-Working Set List:

Typically One Page Directory exist Per Process. If you run WinDbg.exe and use !process command the field DirBase: gives you the Physical Address of the Page Directory. Page Directory is very useful in Virtual Address Translation to the Physical Memory. A 32-Bit Virtual Address is Broken into Two-Levels. Left Most 10-Bits identify the Page Directory Index, Next 10-Bits Page Table Index and the Last 12-Bits the Byte Index. Please read the links for additional information on PAE/non-PAE x86 Machines

technet2.microsoft.com/WindowsServer/en/...c91033.mspx?mfr=true

www.x86.org/articles/2mpages/2mpages.htm

www.embedded.com/98/9806fe2.htm

I'll do a follow up on the HyperSpace Page and Working Set Lists.

2C:] Initialize Kernel Process Block:

-Kernel Process Block contains a Pointer to a list of Kernel Threads.

-It contains Process's default base-scheduling Priority. Default is 'Normal', unless the Parent Process was set to Idle or Below-Normal, in which case the new Process inherits the Idle or Below-Normal.

-Kernel Process Block also points to the Process's Page Directory Table.

-Sets Default Processor Affinity for the Threads in the Process. What is Processor Affinitty & What is the Default Settings? No Clue as of yet.

2D:] Conclude Set Up Of Process Address Space:

Folks, Step-2D:] involves familiarity with Memory Management. I've no knowledge of the workings of Memory Management and I'd skip this step.

2E:] Set Up Process Environment Block [PEB]:

'CreateProcess' allocates a Page for PEB and initializes a number of fields like:

-ImageBaseAddress:
-NumberOfHeaps:
-MaximumNumberOfHeaps
-ProcessHeaps

etc.

If you would like to know more about the above fields, please look up using any of the search-engines.

2F:] Conclude the SetUp Of The Windows Process Object:

-If Process Auditing is enabled, either as a result of local policy or group policy, the Process's creation is written to the Security Event Log.

-If IMAGE_FILE_UP_SYSTEM_ONLY Flag is set, it indicates that the Image can run only on a UniProcessor System

-The Process's Creation Time is set, the handle to the new process is returned to the caller i.e., createprocess in kernel32.dll

This concludes Stage-2:

Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
More
18 years 1 month ago #15974 by cyberglitch
I may be off base on this but you have to remeber winows XXX was writen in C++. and I do think follows the same memmory alocation and sytem call rules. or at least for MEM alocation and API or DLL calls.
slap me if i'm to far off :)

I do run free BSD
More
18 years 1 month ago #16003 by FallenZer0
Hello All:

Stage-3:] Create Windows Thread Object:

'CreateProcess' Calls 'NtCreateThread' to create the Initial Thread. 'NtcreateThread' in turn Calls 'PspCreateThread' which performs the following:

-The Thread Count in the Process Object is Incremented:

-An Executive Thread Block [ETHREAD] is created:

-Thread ID is generated for the New Thread:

-TEB [Thread Environment Block] is set up in the User-Mode Address Space of the Process:

-'PspCreateThread' now calls 'KelnitThread' to set up KTHREAD Block: The Threads Initial and Current Base Priority aka Scheduling Priority is set to the Process's Priority and the Thread's Affinity and Quantum are set to that of the Process: KelnitThread allocates Kernel Stack for the Thread. KelnitThread sets the Thread State to Initialized and the Thread is readied for Execution:


Note: Information regarding Executive Thread Block, Thread Environment Block, Thread's Affinity and Thread's Quantum will be followed up when doing *Threads*.

This concludes Stage-3:]

Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
More
18 years 1 month ago #16007 by TheBishop
Wow. I learned some things but eventually the tide overwhelmed me. I'll have to go back and re-read very slowly.
Thanks for posting; much appreciated
More
18 years 1 month ago #16052 by FallenZer0
Hello All:

Stage-4:] Notify Windows SubSystem:

At the completion of Stage3:], Kernel32.dll sends a message to the Windows Subsystem [Csrss], so that it can set up for the new Process and Thread. The message includes:

- Process and Thread Handles:

Note: I probably can analyze from where the message is able to include Process Handles. How? In Stage-2:] Create Windows Process Object, one of the steps was Set up EPROCESS Block. It clearly says, if the 'Inherit Handles' Flag is set for the Parent Process, any Inheritable Process Handles are copied from the Parent Process into the New Process. So, it is clear that the message can include the Process Handles.

q:]How about Thread Handles? Is it simply the fact that the Handles in the New Process are Inherited by the New Thread? I have NO answer to that question.

-Entries in the Creation Flags:

Bits in the Creation Flags in the 'CreateProcess' tells the Windows SubSystem about the Process and Thread Priority Class. If more than One Priority Class is assigned Windows chooses the Lowest Priority Class. And if no Priority Class is specifed it defaults to 'Normal'.

-ID of the Process's Creator:

My common sense guess would be the Parent Process ID. If NO Parent Process exist, then what? Is it the currently Logged On User's SID?

-Flag indicating whether the Process belongs to a Windows Application.

I don't know what the Flag is, and What value is the Flag set to, to indicate if the Process belongs to a Windows Application or if a Process does NOT belong to a Windows Application.

The Windows SubSystem, performs the following steps, when it receives the message:

-Checks the Creation Flags. If no Priority is specified, it defaults to Normal.

-Csrss Process Block is allocated:

What is a Csrss Process Block? What Purpose does the Csrss Process Block serve? I've NO idea.

-The New Process's Exception Port is set to be the general function Port for the Windows SubSystem so that the Windows SubSystem will receive a message when an exception occurs in the New Process.

q:] What is a Process Exception?
q:] What can cause Process Exceptions?
q:] What happens when the Windows SubSystem receives a message when an Exception occur?

-If a Proces is being debugged, the Process Debug Port is set to be the general function port for the Windows SubSystem. This ensures debug events are sent to the Windows SubSystem.

-The Csrss Thread Block is allocated:

q:] What is a Csrss Thread Block?
q:] What Purpose does the Csrss Thread Block serves?

-'CreateProcess' inserts the Thread in the list of Threads for the Process. Self-Explanatory.

-The Count of Processes in this session is incremented.

-The Process Shutdown Level is set to 0x280.

q:] What is Process Shutdown Level?
q:] Why is the Process Shutdown Level set to 0x280?
q:] Are there any other Values for the Process Shutdown Levels?

This concludes Stage-4:]

As you can see I have more questions than answers.

Also, I have changed the Subject for this thread. I'm contemplating to do *Threads* as Part-2. I'm hoping that a lot of questions with respect to Threads would be answered in Part-2. Who Knows. Atleast I can Hope. Can't I?

Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
More
18 years 1 month ago #16081 by FallenZer0
Hello All,

Stage-5:] Start Execution Of The Initial Thread:

The Initial Thread created in Stage-4:], is now resumed and performs the remainder of the Process and Image Initialization in the context of the new Process.

Not much in Stage-5:]

This concludes Stage-5:]

I chose to do Stage-6:] in the same post.

Stage-6:] Final Process/Image Initialization:

The new Thread begins life running the Kernel Mode Thread Startup routine 'KiThreadStartup', which lowers the Thread's IRQL level from DPC/Dispatch Level to APC Level, and then Calls the System Initial Thread routine 'PspUserThreadStartup'.

On Windows XP and Windows Server 2003, 'PspUserThreadStartup' checks whether application prefetching is enabled on the system, if so, calls the Logical Prefetcher to process the prefetch instruction file.

When 'PspUserThreadStartup' returns to 'KiThreadStartUp', it returns from Kernel Mode, APC is delivered, and 'LdrInitializeThunk' is called. 'LdrInitializeThunk' routine initializes the Loader, Heap Manager, NLS Tables, and Thread Local Storage Array.

Finally, the Image begins execution in User-Mode when the Loader initialization returns to the User Mode APC dispatcher, which then calls the Thread's start function that was pushed on the User-Stack when the User APC was delivered.

This concludes Stage-6:]

I've made an attempt to provide information on a topic that is beyond the scope of this thread and most importantly due to *MY* Very Limited Knowledge on the subject.

I just got started reading about *Threads* and *Thread Scheduling* and I can say that, I'm able to answer some of the questions in this thread and my hope is, as I do read more, more questions will be answered.

This concludes Part-1.

Thanks
FallenZer0

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
Time to create page: 0.132 seconds