
Agenda:

==============

1. Windows arch
2. Process & threads
3. Memory
4. Threads
5. Sockets

1. Windows arch:
==================

1. Executive system services: undocumented APIs, e.g. NtCreateProcess

2. The DDK documentation is not a complete documentation of the Windows kernel.

3. .COM files must be < 64K so that they fit into one segment under segmented
memory management. A .COM file has no EXE header; it is always loaded at offset
100h in its segment (right after the PSP), so it loads and executes very fast.

4. Intel provides protection via rings --> 4 rings, 0, 1, 2, 3

Ring 0 --> any instruction can run (most privileged; kernel code runs here)


Ring 3 --> very limited, not able to run privileged instructions (user code runs here)

Windows uses only rings 0 and 3 so that it stays portable to other hardware that
has just two privilege levels. So, out of the 4GB virtual address space on 32-bit
systems, the upper 2GB is for the OS (kernel mode) and the lower 2GB is for the
user-mode process (the default split; the /3GB boot option changes it).

5. Virtual memory is managed in terms of pages. The page size is 4K on both x86
and x64 Windows; the 8K page size applied to the Itanium (IA-64) port.

6. David Cutler (chief architect of Windows NT)

7. POSIX - Portable Operating System Interface

8. Unix executable format - COFF - Common Object File Format (the PE format is
derived from it).


Windows 3.1 - NE - New Executable
Windows NT - PE - Portable Executable - portable across the different flavours of
Windows.
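
The three formats mentioned in notes 3 and 8 (.COM, NE, PE) can be told apart
from their first bytes. The following is an added example, not code from the
lecture: it walks the MZ header, follows e_lfanew (offset 0x3C) to the extended
header and reads the PE file header fields Machine and NumberOfSections. It uses
only the documented header layout (no Windows headers), so it compiles anywhere.
The sample images are constructed header bytes, not real programs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum exe_kind { EXE_COM, EXE_DOS_MZ, EXE_NE, EXE_PE, EXE_INVALID };

struct exe_info {
    enum exe_kind kind;
    uint16_t machine;       /* PE only: 0x014c = i386, 0x8664 = x64 */
    uint16_t num_sections;  /* PE only */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify an executable image held in memory by walking its headers. */
struct exe_info classify_exe(const uint8_t *img, size_t len)
{
    struct exe_info info = { EXE_INVALID, 0, 0 };
    if (len == 0)
        return info;

    /* No "MZ" signature: a raw .COM image. DOS loads it at CS:0100h, right after
     * the 256-byte PSP, so the file must fit into the rest of one 64K segment. */
    if (len < 2 || img[0] != 'M' || img[1] != 'Z') {
        info.kind = (len <= 65536 - 256) ? EXE_COM : EXE_INVALID;
        return info;
    }

    /* MZ header present. e_lfanew (offset 0x3C) points at the extended header;
     * a plain DOS .EXE leaves it 0 or has a header shorter than 0x40 bytes. */
    if (len < 0x40) {
        info.kind = EXE_DOS_MZ;
        return info;
    }
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew == 0 || e_lfanew > len - 2) {
        info.kind = EXE_DOS_MZ;
        return info;
    }

    const uint8_t *sig = img + e_lfanew;
    if (sig[0] == 'N' && sig[1] == 'E') {   /* Windows 3.x New Executable */
        info.kind = EXE_NE;
        return info;
    }
    /* Portable Executable: "PE\0\0" followed by the 20-byte IMAGE_FILE_HEADER,
     * whose first two fields are Machine and NumberOfSections. */
    if (len - e_lfanew >= 4 + 20 && memcmp(sig, "PE\0\0", 4) == 0) {
        info.kind = EXE_PE;
        info.machine = rd16(sig + 4);
        info.num_sections = rd16(sig + 6);
        return info;
    }
    info.kind = EXE_DOS_MZ;   /* MZ with no recognised extended header */
    return info;
}

const char *exe_kind_name(enum exe_kind k)
{
    switch (k) {
    case EXE_COM:    return "COM (no header, loads at CS:0100h)";
    case EXE_DOS_MZ: return "DOS MZ executable";
    case EXE_NE:     return "NE (New Executable, Windows 3.x)";
    case EXE_PE:     return "PE (Portable Executable, Windows NT)";
    default:         return "invalid";
    }
}

/* Constructed sample images (header bytes only, no real program code). */
const uint8_t sample_com[] = { 0xB4, 0x09, 0xBA, 0x08, 0x01, 0xCD, 0x21, 0xC3 };
const uint8_t sample_dos_mz[0x40] = { [0] = 'M', [1] = 'Z' };   /* e_lfanew == 0 */
const uint8_t sample_ne[0x42] = { [0] = 'M', [1] = 'Z', [0x3C] = 0x40,
                                  [0x40] = 'N', [0x41] = 'E' };
const uint8_t sample_pe_x64[0x40 + 4 + 20] = {
    [0] = 'M', [1] = 'Z', [0x3C] = 0x40,                 /* e_lfanew = 0x40 */
    [0x40] = 'P', [0x41] = 'E', [0x42] = 0, [0x43] = 0,  /* "PE\0\0" */
    [0x44] = 0x64, [0x45] = 0x86,                        /* Machine = 0x8664 (x64) */
    [0x46] = 3, [0x47] = 0                               /* NumberOfSections = 3 */
};

int main(void)
{
    struct exe_info i = classify_exe(sample_pe_x64, sizeof sample_pe_x64);
    printf("%s, machine 0x%04x, %u sections\n",
           exe_kind_name(i.kind), i.machine, i.num_sections);
    printf("%s\n", exe_kind_name(classify_exe(sample_ne, sizeof sample_ne).kind));
    printf("%s\n", exe_kind_name(classify_exe(sample_com, sizeof sample_com).kind));
    return 0;
}
```

Note the two bounds checks around e_lfanew: a crafted file can point it past the
end of the buffer, and a parser that trusts it blindly reads out of bounds.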

9. ntvdm - NT Virtual DOS Machine - subsystem for running DOS programs in Windows NT
10. wowexec - Windows on Windows executor - runs 16-bit Windows programs; part of ntvdm

Symmetric and Asymmetric Multi-Processing systems:


=====================================================

1. SMP - The OS can schedule any thread, kernel or user, on any processor. If one
processor goes down the others carry on. Both memory and IO devices are shared by
all processors.

2. ASMP - One processor runs the kernel and the other(s) run user code. If one
processor goes down, the threads assigned to it stall. IO devices are driven only
by the kernel processor; memory is shared.

Windows is a SMP OS.

==> The Pentium 4 was the first Intel CPU with Hyper-Threading. With HT a single
physical processor keeps two sets of architectural state (two logical processors),
so two threads can be scheduled on it at the same time. The execution units are
shared, so the two threads are interleaved rather than truly running in parallel.
--> This is done with one CU (one bus) and two ALUs shared by both logical
processors. If one ALU takes the bus lock, the other HAS TO wait.
==> Dual core is an extension of this idea: two complete cores on one chip, still
attached to a single bus. So to get true parallel processing we need to feed MANY
instructions over that bus.
--> Each core should have a HUGE cache, so that it does not go to the bus for
every instruction.

--> CU + ALU = core

==> NUMA - Non-Uniform Memory Access


--> Creates different nodes, each with its own processors, memory and IO,
interconnected via a bus; reads/writes to the actual IO bus happen asynchronously.

The number of processors Windows supports is limited by the word size it runs
with, 32 or 64.
--> Windows identifies processors with a bit mask (the affinity mask) of native
word width, so 32-bit Windows can address at most 32 processors and 64-bit
Windows 64. (Processor groups, introduced in Windows 7 / Server 2008 R2, lift
this limit.)

Physical Memory limitations and others:


==============================
1. Windows XP (32-bit) - 4GB of physical memory (and 2GB of user-mode virtual
address space per process), 2 processors (sockets), 10 concurrent inbound
connections
2. Windows Vista - 4GB on 32-bit editions; 64-bit editions allow from 8GB up to
128GB depending on edition

How NTDLL talks to the Kernel (NTOSKRNL.EXE):


==========================================

NTOSKRNL.EXE's system services are reached from user mode through stubs in
NTDLL.dll. Every Nt*/Zw* function in NTDLL has the same signature as the
corresponding NTOSKRNL.EXE function; the stub itself does none of the work.

Each NTDLL stub loads the system call number into EAX and traps into the kernel
(int 2Eh on older x86 Windows, sysenter/syscall on later CPUs). The trap is
caught in the kernel and dispatched to the real function:

1. The trap lands in the system service dispatcher (KiSystemService /
KiFastCallEntry), which looks the number up in the System Service Descriptor
Table (SSDT) and calls the matching kernel routine. (Hardware interrupts are
handled separately: their Interrupt Service Routines (ISRs) run at high
Interrupt ReQuest Levels (IRQLs) and queue the rest of their work as Deferred
Procedure Calls (DPCs), which the kernel drains once the IRQL drops.)
2. The kernel routine goes through the Object Manager, which asks the Security
Reference Monitor to check the caller's access rights, then looks the object up
or creates it if it does not exist yet and updates all the kernel data structures.
3. Device drivers are called where the service needs them, and a HANDLE to the
object is returned to user mode.

ALL THIS IS UNDOCUMENTED.

Then what is Kernel32.DLL:


======================

This is just an API wrapper that provides an API which is much easier to use and
remember than NTDLL.dll.
It delegates the real work of every call to NTDLL.dll (e.g. CreateFileW ends up
in NtCreateFile).
