Slashdot Mirror


Inside the Windows Vista Kernel

Reader trparky recommends an article on Technet (which, be warned, is rather chaotically formatted). Mark Russinovich, whose company Winternals Software was recently bought by Microsoft, has published the first of a series of articles on what's new in the Vista kernel. Russinovich writes: "In this issue, I'll look at changes in the areas of processes and threads, and in I/O. Future installments will cover memory management, startup and shutdown, reliability and recovery, and security. The scope of this article comprises changes to the Windows Vista kernel only, specifically Ntoskrnl.exe and its closely associated components. Please remember that there are many other significant changes in Windows Vista that fall outside the kernel proper and therefore won't be covered."

6 of 298 comments

  1. Soft links? by Libor+Vanek · Score: 3, Interesting

    From the article: "...the symbolic file link (or as it's called in UNIX, the soft link) finally arrives in Windows Vista." Has anybody heard of "soft link"? I (after 10 years of using Linux) never have...

  2. Re:Is this the same as... by bwd234 · Score: 3, Interesting

    Hell with all that... I'm sticking with my Windows 2000! Best M$ OS I've run yet. More stable than 95 or 98 and w/o all the wasteful eye candy of XP. If it does someday become totally obsolete, I guess I'll have to switch to Linux or whatever, but in the meantime it's 2k all the way!

  3. Whoa by Sloppy · Score: 4, Interesting

    I think we've finally seen the very first actually interesting Slashdot story about Vista. About fucking time.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  4. Re:Finally... by Anonymous Coward · Score: 4, Interesting

    How much praise was heaped on Linux when it got an O(1) scheduler? NT has had one for over a decade.

  5. Process startup changed significantly by Myria · Score: 3, Interesting

    The article doesn't mention that process startup is now quite different from previous versions of Windows NT.

    In previous versions of NT, process creation was quite different from systems such as UNIX. The system call NtCreateProcess creates a "blank" process with nothing in it but ntdll.dll and the new .exe file mapped into memory. No stack is allocated, and no threads are created. In normal process creation, the parent process actually uses the debugger API calls to allocate memory for the stack into the new process's address space, copies the command line and environment into the new memory, and creates the initial thread pointing at kernel32!BaseProcessStartupThunk. It resumes the thread and off it goes. (NT has no concept of environment or command line at the kernel level.)

    This changed in Vista for one reason: DRM. Microsoft made it so that certain processes, namely wmplayer.exe and halo2.exe, cannot be a target of the debugger API calls for obvious reasons. It ignores privilege level in blocking the API. If the old method of starting processes were used, then the parent process could start wmplayer.exe with patches to steal the DRM keys or dump decrypted data to disk. Vista's kernel now does the entire initialization for these processes to close this hole.

    By the way, Microsoft needs to change that web page so that it doesn't select Spanish over English if you have Spanish listed as an acceptable language in your browser, even if English is higher in the list. This happens for both IE7 and FF2.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
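
The comment above describes the "debugger API" path a parent used to take into its child (allocate memory in the new address space, write the stack and environment, create the initial thread) and says protected processes refuse that access regardless of privilege. The following PowerShell script is an added example, not code from Myria's comment, the TechNet article or Microsoft: it asks OpenProcess for exactly those rights (PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD, values taken from winnt.h) and separately for PROCESS_QUERY_LIMITED_INFORMATION, the Vista-era right that a protected process still grants, and reports which processes refuse the first but allow the second. The function names (Test-ProcessAccess, Get-ProcessProtectionHint) are this example's own. Note the caveat in the comments: ERROR_ACCESS_DENIED can also come from a process DACL or a higher integrity level, so a denial is a hint, not proof, that the target is a protected process.

```powershell
# Added example (not from the Slashdot post, the TechNet article or Microsoft).
# Probes which access rights a target process grants to the caller. The
# "debugger-style" rights the comment describes (allocate memory in the
# child, write its stack and environment, create the initial thread) are
# PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and
# PROCESS_CREATE_THREAD. A Vista protected process refuses those to any
# non-protected caller, even an administrator, while still granting
# PROCESS_QUERY_LIMITED_INFORMATION.
# Caveat: ERROR_ACCESS_DENIED can also come from the process DACL or from a
# higher integrity level, so a denial here is evidence, not proof, of protection.

Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Access-right bits from winnt.h.
$PROCESS_CREATE_THREAD             = 0x0002
$PROCESS_VM_OPERATION              = 0x0008
$PROCESS_VM_READ                   = 0x0010
$PROCESS_VM_WRITE                  = 0x0020
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED               = 5

# Hypothetical helper: try to open one process with one access mask and
# report whether the handle was granted and, if not, the Win32 error code.
function Test-ProcessAccess {
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [Parameter(Mandatory)][uint32]$DesiredAccess
    )
    $h = [Probe.Native]::OpenProcess($DesiredAccess, $false, $ProcessId)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        [void][Probe.Native]::CloseHandle($h)
        return [pscustomobject]@{ Granted = $true;  Error = 0 }
    }
    return [pscustomobject]@{ Granted = $false; Error = $err }
}

# Hypothetical helper: classify a process by the pair of probes above.
function Get-ProcessProtectionHint {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    $debugRights = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor
                   $PROCESS_VM_READ -bor $PROCESS_VM_WRITE
    $full    = Test-ProcessAccess -ProcessId $Process.Id -DesiredAccess $debugRights
    $limited = Test-ProcessAccess -ProcessId $Process.Id -DesiredAccess $PROCESS_QUERY_LIMITED_INFORMATION

    $hint = if ($full.Granted) {
        'debugger-style access granted'
    } elseif ($full.Error -eq $ERROR_ACCESS_DENIED -and $limited.Granted) {
        'VM/thread rights denied but limited query allowed: protected process or restrictive DACL'
    } else {
        "denied (Win32 error $($full.Error))"
    }

    [pscustomobject]@{
        Id   = $Process.Id
        Name = $Process.ProcessName
        Hint = $hint
    }
}

# Usage: run from an elevated prompt so ordinary processes succeed and only
# the genuinely restricted ones remain in the output.
Get-Process | ForEach-Object { Get-ProcessProtectionHint -Process $_ } |
    Where-Object { $_.Hint -notlike 'debugger-style*' } |
    Format-Table -AutoSize
```

Run it elevated: from an unprivileged prompt nearly every process owned by another user will also be denied, which is the DACL case the caveat mentions rather than process protection. On a Vista-era box the rows that survive the filter are the candidates for the "no debugger API, whatever your privilege" behaviour the comment describes.
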

  6. Video of MS kernel developer talking about this by Myria · Score: 3, Interesting

    Click here. He talks about a lot of things, including these "protected processes", and even says that the purpose is for DRM.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager