ADM392 Windows® Server™ 2003 and Windows XP Kernel Changes
Shadow Copies of Shared Folders
Shadow Copies on Shared Folders
Driver Rollback
© 2003 Microsoft Corporation
Сл Текст Сл Текст
1ADM392 Windows® Server™ 2003 and 27Ntdll.dll and runs its initialization
Windows XP Kernel Changes. Mark code, which loads all necessary 32-bit
Russinovich Winternals Software. David DLLs 32-bit Kernel32.dll, ntdll.dll, etc.,
Solomon Expert Seminars. are loaded from %systemroot%\SysWOW64
2Outline. Overview Performance Wow64win.dll - provides thunks for
Scalability 64-bit support File systems Win32k.sys entry-point functions
Reliability and recovery Miscellaneous. Wow64cpu.dll - provides x86 instruction
3About The Speakers. Authors of: Inside emulation; executes mode-switch
Windows 2000, 3rd Edition (Microsoft instructions on Itanium.
Press) Inside Windows 2000/XP/2003 28Wow64. Some advanced Win32 APIs not
Interactive Internals Video Tutorial Used supported (e.g. scatter/gather I/o)
by Microsoft for worldwide internal Interoperability COM, cut/paste
training David Solomon: Teaches Windows interoperate Cannot load 32-bit DLLs in
internals classes ( Writes 64-bit process and vice versa On Itanium,
books and articles on Windows internals slower execution than on native 32-bit
Mark Russinovich: Author of tools on machine Images marked large address space Co-founder and Chief aware get a full 4 GB process virtual
Software Architect for Winternals Software address space OS isn’t mapped there, so
( Teaches Windows space is available for process.
internals classes Writes books and 29Win64 Disk Partitioning. Win64
articles on Windows internals. boot.ini is in non-volatile RAM Extensible
4Level Of Kernel Change. Windows Server Firmware Interface (EFI) First partition
2003 & Windows XP are modest upgrades is FAT GUID Partition Table (GPT) 64-bit
as compared to the changes from Windows NT only Overcomes limitations of MBR
4.0 to Windows 2000 Kernel architecture is partitioning 64-bit offsets and lengths
basically unchanged No new subsystems No Partition table is mirrored No nesting.
new API sets Internal version numbers 30Outline. Overview Performance
confirm this Windows 2000 was 5.0 Windows Scalability 64-bit support File systems
XP is 5.1 (not 6.0) Windows Server 2003 is Reliability and recovery Miscellaneous.
5.2 Not the same kernel as XP (a superset) 31File System Enhancements. FAT32 on
But, nonetheless, still lots of DVD-RAM Read-only NTFS volumes UDF 2.01
interesting kernel changes… (new standard for DVD-ROM, DVD-RAM,
5Outline. Overview Performance DVD-RW, DVD video) Encrypting File System
Scalability 64-bit support File systems (EFS) No longer a separate
Reliability and recovery Miscellaneous. driver—integrated into NTFS Supports
6The Boot Process. Goal: From power on multi-user access to encrypted files
to logon screen in under 30 seconds Boot (supports file sharing).
monitoring tool (Bootvis) developed to 32The Defrag API. Completely rewritten
help Microsoft and hardware vendors API Can defrag MFT and other metadata
optimize Prefetching of drivers I/O files (except log file, paging file) Can
overlapped with device initialization Slow defrag encrypted files No 4KB-cluster
drivers do work asynchronously Winlogon limit on NTFS Command line interface
doesn’t wait for Workstation service to (scriptable).
start if Account doesn't depend on a 33Volume Shadow Copy. Volumes can be
roaming profile Domain policy that affects “snapshotted” Allows “hot backup”
logon hasn't changed since last logon. (including open files) Uses copy on write
7Prefetch Mechanism. File activity is Changes to volume after snapshot cause
traced and used to prefetch data the next original contents of cluster to be stored
time On boot, system monitors first 2 in snapshot file Later, reads to changed
minutes of boot process (stops 30 seconds data return contents at time of snapshot
after the user starts the shell or 60 Applications can tie in with mechanism to
seconds after all services are started) ensure consistent snapshots.
Also applies to application startup First 34Volume Snapshots. Writers. Backup
10 seconds are monitored Prefetch “trace Application. Oracle. Volume Shadow Copy
file” stored in \Window\Prefetch Name of Service. SQL. Volume Shadow Copy Driver
.EXE-<hash of full path>.pf Boot (volsnap.sys). Mirror provider. Providers.
trace: 5. Backup application saves data from
8Prefetch Mechanism. When application volume Shadow copies. 2. Writers told to
run again, system automatically Reads in freeze activity. Backup application
directories referenced Reads in code and requests shadow copy. 4. Writers told to
file data Reads are asynchronous But waits resume (“thaw”) activity. 3. Providers
for all prefetch to complete In addition, asked to create volume shadow copies.
every 3 days, system automatically defrags 35Shadow Copies of Shared Folders. When
files involved in each application enabled, 2003 Server uses shadow copy to
startup! Bottom line: Reduces disk head periodically create snapshots of volumes
seeks This was seen to be the major factor Schedule and space used is configurable.
in slow application/system startup. 36Shadow Copies on Shared Folders.
9Hibernate And Resume. Hibernation file Shadow copies only exposed as network
is better compressed I/O overlapped on IDE shares Clients install Explorer extension
drives Resume is faster Reads are larger that integrates with server that let’s
Device parallelization during power up them View the state of folders and files
improved Power up done asynchronously in within a snapshot Rollback individual
the background by drivers (specifically folders and files to a snapshot.
power-pagable devices without children). 37Outline. Overview Performance
10Other Performance Improvements. Fast Scalability 64-bit support File systems
system calls Uses SYSENTER/SYSEXIT on Reliability and recovery Miscellaneous.
Pentium II or higher; SYSCALL on AMD More 38System Restore. Rollback system to
intelligent working set trimming on MP previous state: Registry, COM+
systems Pages removed are LRA (Least registration database, user profiles,
Recently Accessed) In Windows 2000, was other files not protected by WFP Windows
only done on uniprocessor systems. XP only (not on Server) Replacement of
11Outline. Overview Performance certain file types causes original version
Scalability 64-bit Support File systems to be stored in a restore point folder 569
Reliability and Recovery Miscellaneous. file types monitored – see Platform SDK
12SMP Scalability. Scalability for list Restore operation replaces these
improvements made in several areas of the files Implemented as a service and a
kernel Some of these are in Windows XP filter driver.
More are in Server 2003 Several areas: 39System Restore. Applications. System
Increased physical memory support Bigger Restore Filter. Change.log1. File System
multiprocessor systems Improved Driver (NTFS/FAT). A0009653.exe.
synchronization New types of A0009654.ini. User mode Kernel mode. File
multiprocessor systems Increases in system system request. \System Volume
virtual memory limits. Information\ _restore{XX-XXX-XXX }\ RP5.
13Physical Memory Limits. 32-bit Server 40System Restore. Restore Points are
2003 Enterprise Edition supports 32 GB RAM created Every 24 hours When installing an
Windows 2000 Advanced Server limit was 8 unsigned driver When explicitly requested
GB 32-bit Server 2003 Datacenter Edition by user or an install program (via an API
supports 128 GB Windows 2000 Datacenter or script) WMI interfaces allow scriptable
Server was 64 GB 64-bit Sever 2003 control Create/delete restore points,
Datacenter supports 512GB (!). change configuration.
14Using Extended Physical Memory. On 41Driver Rollback. System saves updated
32-bit Windows, virtual address space is driver in \Windows\System32
still 4 GB, so how can you “use” > 4 GB \ReinstallBackups\nnnn \DriverFiles New
of memory? 1. Although each process can button on device properties to roll back
only address 2 GB (or 3 GB), many may be driver If you choose roll back, also saves
in memory at the same time (e.g. 5 * 2 GB a copy in \Windows\LastGood
processes = 10 GB RAM used) 2. Files in \System32\Drivers Will then automatically
system cache remain in physical memory roll back driver when booting from “last
Although file cache doesn’t know it, known good”.
memory manager keeps unmapped data in 42Driver Verifier Enhancements. New
physical memory 3. Address Windowing verification options: DMA verification –
Extensions allow Win32 processes to detects improper use of DMA buffers,
allocate more than 2 GB of memory Map adapters, and map registers Deadlock
windows as needed. detection – detects lock hierarchy
15Large Pages. Large pages allow a violations with spinlocks, mutexes, fast
single page directory entry to map a mutexes SCSI verification - monitors the
larger region x86: 4 MB Itanium: 16 MB interaction between a SCSI miniport driver
Large pages are used to map NTOSKRNL, HAL, and the port driver Enhanced I/O
boot drivers, and nonpaged pool if a Verification tests drivers' support for
“large memory system” Windows 2000: 128 MB power management, WMI, and filters Simpler
or more Windows XP/2003: 256 MB or more wizard-style GUI (verifier.exe) Defaults
Advantage: improves performance Single TLB verify unsigned drivers.
entry used to map larger area New in 43Side-By-Side Assemblies. Microsoft
Server 2003: applications can VirtualAlloc wants to end DLL hell by letting
large pages with MEM_LARGE_PAGE flag. applications specify DLLs they use by
16Large Pages. Disadvantage: disables version Support multiple versions
kernel write protection With small pages, simultaneously installed Application will
OS/driver code pages are mapped as read use updates only if backward compatible
only; with large pages, entire area must Application that uses assemblies has a
be mapped read/write Drivers can then manifest file XML file that specifies
modify/corrupt system & driver code application version number and DLLs DLLs
without immediately crashing system Can are identified by GUIDs and version number
override by changing and are stored either in the application’s
HKEY_LOCAL_MACHINE\SYSTEM directory or in SystemRoot\Winsxs.
\CurrentControlSet\Control \Session 44Theme-Aware Common Controls. Example:
Manager \Memory Management Windows XP Common Control DLL
LargePageMinimum REG_DWORD -1 (comctrl32.dll) Windows XP version is 6,
EnforceWriteProtection REG_DWORD 1. which supports Luna themes Windows 2000
17Larger Multiprocessor Systems. 64-bit version is 5, which doesn’t support themes
Windows Server 2003, Datacenter edition Non-theme aware applications can behave
supports 64 CPUs. incorrectly if used with v6 controls, If
18SMP Scalability. New, more efficient an application doesn’t have a manifest
locking mechanism (pushlocks) Doesn’t use that specifies v6, it gets v5, which is in
spinlocks when no contention Used for the SystemRoot\System32 directory.
object manager and address windowing 45Outline. Overview Performance
extensions (AWE) related locks Minimized Scalability 64-bit support File systems
lock contention for hot locks E.g., PFN Reliability and recovery Miscellaneous.
(Page Frame Database) lock Some locks 46Miscellaneous. Boot and execute from
completely eliminated Charging ROM OS and drivers copied to RAM
nonpaged/paged pool quotas, allocating and Applications can execute from ROM Hot plug
mapping system page table entries, memory Hot plug PCI Headless server
charging commitment of pages, support (no keyboard, video, mouse) Remote
allocating/mapping physical memory through Installation Service EMS (Emergency
AWE functions. Management Service) allows remote disaster
19Per-CPU Scheduling Queues. Before, recovery/control via serial port or
there was one system-wide list of threads network.
that want to run System had to lock this 47Terminal Services. Terminal Services
database to decide which thread to run included with Windows XP supports multiple
next Now, each CPU has its own list of sessions Home Edition: Supports
threads that want to run Threads always go “disconnect and switch users”
into the ready queue of their ideal Professional: Remote Desktop Connection
processor Instead of locking the Remote desktop redirection for audio,
dispatcher database to look for a serial/parallel port, file system (local
candidate to run, per-CPU ready queue is drives) Server 2003: Load balancing
checked first If there is one, does support, remote audio, local drive &
context swap Else scans other CPU’s ready printer mapping.
queues looking for a thread to run This 48Services Infrastructure. More services
scan is done OUTSIDE the dispatcher lock run in generic service host process
Just acquires per-CPU scheduling database (svchost.exe) Reduces number of processes
lock Global dispatcher lock still acquired Two new less privileged accounts for
to wait or unwait a thread and/or change built-in services LOCAL SERVICE, NETWORK
state of a dispatcher object Bottom line: SERVICE Less rights than SYSTEM Reduces
dispatcher lock is now held for a MUCH possibility of damage if system
shorter time. compromised Four instances of Svchost (at
20Hyperthreading. Support for logical least) SYSTEM SYSTEM (2nd instance – for
processors on hyperthreaded Xeon & RPC) LOCAL SERVICE NETWORK SERVICE.
Pentium 4 processors Does not count 49Debugging. Can now detach debugger
logical processors against CPU license without killing debuggee See new Win32
limit like Windows 2000 E.g., Windows DebugActiveProcessStop Kernel debugging
Server 2003 Enterprise Edition will use 16 Live local system kernel debugging (kd –kl
logical processors on an 8 way or windbg –kl) Kernel debugging over 1394
hyperthreaded Xeon system Windows 2000 (in addition to serial) Auto load of
Advanced Server would only use 8 updated drivers to target.
Scheduling algorithms take into account 50Registry Callbacks. Up until now
logical vs physical processors Used in Regmon has relied on system call “hooking”
choosing idle CPU to run a thread. to intercept Registry accesses Hooking
21NUMA. NUMA (non uniform memory isn’t supported by the kernel As of XP the
architecture) systems Groups of physical system call table is write-protected by
processors (called “nodes”) that have default if a system has < 256 MB,
local memory Connected to the larger requiring a trick Server 2003 introduces a
system through a cache-coherent Registry callback mechanism Driver can see
interconnect bus Still an SMP system (e.g. and modify Registry behavior Latest
any processor can access all of memory) version of Regmon comes with two drivers:
But node-local memory is faster Scheduling one for Server 2003 and one for previous
algorithms take this into account Tries to versions.
schedule threads on processors within the 51System Area Networks. System Area
same node Tries to allocate memory from Networks (SAN) is a connection-oriented
local memory for processes with threads on server interconnect Not to be confused
the node New Win32 APIs to allow with Storage Area Networks (SAN) Provides
applications to optimize. reliable, in-order delivery Both network
22System Virtual Memory Limits. Key and bus semantics: Messages Remote DMA
system memory limits raised in XP & (memory semantics) Segmentation/reassembly
Server 2003 Windows 2000 limit of 200 GB in hardware Interconnect types include
of mapped file data eliminated Previously InfiniBand Ethernet FiberChannel
limited size of files that could be backed Proprietary Even shared memory.
up Maximum System Page Table Entries 52System Area Networks. Data Center. Web
(PTEs) increased Can now describe 1.3 GB Tier Front End (Web Servers). Database
of system space (960 MB contiguous) Backend. Business Logic. Internet Traffic
Windows 2000 limit was 660 MB (220 MB via Standard WAN. High-Speed SAN Fabric.
contiguous) Increases number of users on 53System Area Networks. WinSock Direct
Terminal Servers Also means maximum device (WSD) allows applications to get
driver size is now 960 MB (was 220 MB). performance benefits of SANs No
23Registry Limits. SYSTEM hive was application modification needed Provides
limited to 12MB in Windows 2000 Now third generation task offload.
limited to 200 MB or ? of RAM, whichever 54System Area Networks. Winsock Direct
is lower Total loaded registry hive data Model. Traditional Model. Socket App.
was limited to 376MB in Windows 2000 Socket App. Winsock. Winsock. Winsock
Limited number of terminal server users Switch. WinSock SPI. TCP/IP WinSock
This was because registry hives were read Provider. SAN Winsock Provider. User Mode
into paged pool when loaded Explains why Kernel Mode. TCP/IP Transport Driver. SAN
there was a system registry quota XP/2003: Proxy Driver. NDIS. NDIS Miniport. SAN
No limit to loaded registry hive data NDIS Miniport. NIC. Private interface. SAN
Registry no longer in paged pool Hives are Hardware. TCP/IP WinSock Provider. TCP/IP
accessed as memory mapped files Views are Transport Driver.
mapped as necessary. 55Summary. Server 2003 & XP
24Outline. Overview Performance represent a modest evolution of the NT
Scalability 64-bit support File systems kernel More reliable, more secure, and
Reliability and recovery Miscellaneous. a. much more scalable than Windows 2000
25Windows 64-Bit Editions. Supports Upgrade today!!
64-bit Itanium Intel architecture 64-bit 56For More Information. December 2001
Edition 2003 will support AMD Opteron and MSDN Magazine article Kernel Improvements
Athlon 64 Products Windows XP Professional Create a More Robust, “Windows Powerful,
64-bit edition Windows Server 2003 64-bit and Scalable OS”
editions True 64-bit versions (e.g.
pointers are 64-bits) Much larger address /issues/01/12/XPKernel/XPKernel.asp
space Good for CAD, simulation, other XP/2003 update to our internals video 4th
memory-intensive applications Not a edition of our book To be called “Windows
performance boost in and of itself. Internals” Will cover Windows 2000, XP,
26Itanium Address Space Layout. 64-bit and Server 2003 To be available end of
Windows 32-bit Windows User Address Space 2003.
7152 GB (6.9 TB) 2 or 3 GB System PTEs 128 57Community Resources. Community
GB 1.3 GB System cache 1024 GB (1 TB) 960 Resources
MB Paged pool 128 GB 470 MB Non-paged pool
128 GB 256 MB Page file size 32 TB 16 TB. t.mspx Most Valuable Professional (MVP)
0. User-Mode User Space. 6FC00000000.
Kernel-Mode User Space. User Page Tables. Newsgroups Converse online with Microsoft
1FFFFF0000000000. Session Space. Newsgroups, including Worldwide
2000000000000000. Session Space Page
Tables. 3FFFFF0000000000. System Space. oups/default.mspx User Groups Meet and
E000000000000000. -E000060000000000. learn with your peers
Session Space Page Tables.
FFFFFF0000000000. oups/default.mspx.
2732-Bit Application Support. “Wow64” - 58evaluations.
allows execution of Win32 32-bit 59© 2003 Microsoft Corporation. All
applications on 64-bit OS Wow64.dll - rights reserved. This presentation is for
provides core emulation infrastructure and informational purposes only. MICROSOFT
thunks for Ntoskrnl.exe entry-point MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
functions Loads the x86 version of IN THIS SUMMARY.
