Читаем Windows® Internals, Sixth Edition, Part 1 полностью

From the command prompt, use the runas command to create a process running the command prompt (Cmd.exe). For example, type runas /user:<domain>\< username> cmd. You’ll be prompted for your password. Enter your password, and a Command Prompt window will appear. The Windows service that executes runas commands creates an unnamed job to contain all processes (so that it can terminate these processes at logoff time).

From the command prompt, run Notepad.exe.

Then run Process Explorer, and notice that the Cmd.exe and Notepad.exe processes are highlighted as part of a job. (You can configure the colors used to highlight processes that are members of a job by clicking Options, Configure Colors.) Here is a screen shot showing these two processes:

Double-click either the Cmd.exe or Notepad.exe process to bring up the process properties. You will see a Job tab in the process properties dialog box.

Click the Job tab to view the details about the job. In this case, there are no quotas associated with the job, but there are two member processes:

Now run the kernel debugger on the live system, display the process list with !process, and find the recently created process running Cmd.exe. Then display the process by using !process , find the address of the job object, and finally display the job object with the !job command. Here’s some partial debugger output of these commands on a live system:lkd> !process 0 1 cmd.exe PROCESS 8567b758 SessionId: 1 Cid: 0fc4 Peb: 7ffdf000 ParentCid: 00b0 DirBase: 1b3fb000 ObjectTable: e18dd7d0 HandleCount: 19. Image: Cmd.exe ... BasePriority 8 CommitCharge 636 ... Job 85557988 lkd> !job 85557988 Job at 85557988 TotalPageFaultCount 0 TotalProcesses 2 ActiveProcesses 2 TotalTerminatedProcesses 0 LimitFlags 0 ...

You can also use the dt command to display the job object and see the additional fields shown about the job, such as its member level, if it is part of a job set:lkd> dt nt!_ejob 85557988 nt!_EJOB +0x000 Event : _KEVENT ... +0x0b8 EndOfJobTimeAction : 0 +0x0bc CompletionPort : 0x87e3d2e8 +0x0c0 CompletionKey : 0x07a89508 +0x0c4 SessionId : 1 +0x0c8 SchedulingClass : 5 ... +0x120 MemberLevel : 0 +0x124 JobFlags : 0

Finally, if the job has UI limits, you can use the dt command to display the Win32k job structure (tagW32JOB). To do this, you must first obtain the W32PROCESS structure pointer as shown in the experiment at the beginning of this chapter, and then display the pW32Job field within it.

For example, here is the Win32k job structure for a process using the Block Access To Global Atom Table UI limitation. The structure shows the local atom table this process is using in pAtomTable. You can further explore this structure with the dt nt!_RTL_ATOM_TABLE command and see which atoms are defined:lkd> ?? ((win32k!tagPROCESSINFO*)(((nt!_EPROCESS*)0x847c4740)->Win32Process))->pW32Job struct tagW32JOB * 0xfd573300 +0x000 pNext : 0xff87c5d8 tagW32JOB +0x004 Job : 0x8356ab90 _EJOB +0x008 pAtomTable : 0x8e03eb18 +0x00c restrictions : 0xff +0x010 uProcessCount : 1 +0x014 uMaxProcesses : 4 +0x018 ppiTable : 0xfe5072c0 -> 0xff97db18 tagPROCESSINFO +0x01c ughCrt : 0 +0x020 ughMax : 0 +0x024 pgh : (null)

Conclusion

In this chapter, we examined the structure of processes and threads and jobs, saw how they are created, and looked at how Windows decides which threads should run and for how long, and on which processor or processors.

In the next chapter, we’ll look at a part of the system that sometimes receives more attention than anything else: the Windows security reference monitor.

Chapter 6. Security

Preventing unauthorized access to sensitive data is essential in any environment in which multiple users have access to the same physical or network resources. An operating system, as well as individual users, must be able to protect files, memory, and configuration settings from unwanted viewing and modification. Operating system security includes obvious mechanisms such as accounts, passwords, and file protection. It also includes less obvious mechanisms, such as protecting the operating system from corruption, preventing less privileged users from performing actions (rebooting the computer, for example), and not allowing user programs to adversely affect the programs of other users or the operating system.

In this chapter, we explain how every aspect of the design and implementation of Microsoft Windows was influenced in some way by the stringent requirements of providing robust security.

Security Ratings