Windows Operating System Internals
(now updated for Vista and Windows Server 2008!)

Instructor: David Solomon or Alex Ionescu
Duration: 5 days with hands-on labs, or 3 days lecture only
 

Description

This class describes the internals of the Windows operating system kernel (including the changes in Windows Vista and Windows Server 2008, formerly code-named Longhorn Server), such as thread scheduling, memory management, security, and I/O, on both 32-bit and 64-bit systems. It shows you how to dig into the running system with advanced troubleshooting tools, such as the Kernel Debugger and the tools from Sysinternals.com. This knowledge helps developers design for performance and debug more effectively.

Mark Minasi, noted Windows speaker and author, said after attending: "my head was stuffed by the time that I left, chock-full of useful things. Rarely does a minute go by that you don't either get a better understanding of some part of NT/2000/XP, or pick up a tip about how to make some part of the system better." 

One Microsoft employee said: "I didn't know it was possible for any one person to know this much about NT. This was the best training course I've ever taken. It really opened my eyes to what NT actually does. This is a must for any serious NT engineer."

NOTE: This class does not cover networking internals, Windows API programming, or device driver details. In addition, this class is not a feature overview of Windows.

Hands on Labs

Enjoy rolling up your sleeves and getting your hands dirty? Then choose the 5-day hands-on version of the class, which incorporates experiments that give students practical experience delving into Windows OS internals and troubleshooting system problems. The tools used include the Microsoft Kernel Debugger, the tools from Sysinternals.com, and other Microsoft support tool sets.

Unlike most hands-on classes, there are no scheduled "lab periods". Instead, the labs in this class are "continuous" throughout all 5 days: after the instructor explains a topic, the students use the appropriate tool to explore that area themselves.

For public classes, each student must bring their own laptop (see setup instructions). For private onsite classes, a computer training room can be used, but the class can also be done in a regular conference room with tables if attendees bring their own laptops.

Prerequisites

Attendees should be familiar with basic operating system principles, such as virtual memory, multitasking, processes & threads, file systems, etc. Experience administering or developing on Windows systems is helpful, though not mandatory.

Topic Outline

1. Introduction

2. Investigating Windows Internals

  • Source code programs
  • Books and articles
  • Tools (Kernel Debugger, Sysinternals)

3. Kernel Architecture

  • Kernel evolution
  • Processes & Threads
  • Address Space Layouts
  • Kernel integrity mechanisms
  • Memory Protection Model
  • Multiprocessor support
  • Executive, Kernel, and HAL
  • Environment Subsystem model
  • Sessions

4. System Architecture

  • Boot & Startup Process
  • System Threads
  • Environment subsystems
  • Service & Svchost internals
  • System Service Dispatching
  • Interrupts & DPCs
  • Time Accounting
  • Kernel Synchronization
  • Object Manager
  • System Shutdown

5. Security

  • Security Ratings
  • Security Components
  • Authentication
  • Authorization
  • Auditing, Impersonation and Privileges
  • Mandatory Integrity Levels
  • User Account Control
 

6. Processes, Threads and Thread Scheduling

  • Process, thread and job data structures
  • Process startup and exit
  • Priority Spectrum
  • Thread scheduling algorithms
  • Priority Boosting

7. I/O System

  • I/O System Components
  • Types of Drivers
  • Driver Operation
  • Plug-and-Play Manager
  • Power Manager
  • Vista/Server 2008 Enhancements
  • Troubleshooting I/O Problems

8. Memory Management

  • Core Mechanisms
  • Virtual Address Translation
  • Working Set Management
  • File System Cache Manager
  • Physical Memory Management
  • SuperFetch
  • Paging Files

9. Crash Dump Analysis

  • Why Windows crashes
  • What happens at the crash
  • Basic crash dump analysis
  • Harder dump analysis
  • System hangs