WSC201: Windows Source Code Workshop for Code Center Premium Licensees
This seminar provides a comprehensive guided tour through and analysis of the internal design, implementation, and operation of the major components of the Windows operating system, with a corresponding tour of the Windows source code.

Level
Intermediate to advanced

Audience
Microsoft Code Center Premium licensees for Microsoft Windows source code for Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. Windows XP or Windows Server 2003 source code will be used for the examples during the seminar.

Description
The Windows Server 2003 or Windows XP source code amounts to almost 6 GB, about a quarter of a million files spread over more than 20,000 directories! In this workshop the attendee will learn the organization, function, and interactions of the most important components of the Windows operating system, and where to find those components in the source code tree. We closely examine several key parts of the system, including user-to-kernel mode transitions, internal synchronization mechanisms, thread scheduling, memory management, the I/O subsystem, and security. In addition to in-depth coverage of Windows's security components, we cover various other security-related mechanisms throughout the operating system.

While discussing each area or component of the operating system, we visit the corresponding branches of the source tree, identifying the most important source files and the key or "top level" routines and data structures. Many such routines are studied in detail. Since the Windows source tree is very large, the code examined in the seminar must of necessity represent only a tiny fraction of what is available. Our purpose is to show the overall structure of the code; to illustrate certain concepts and implementation details which we feel are both non-obvious and essential to understand; and to enable you to find and understand the code in which you are interested after the seminar.
We also show how we used the search facilities of Code Center Premium to find the source code files under discussion. We will show you how to analyze a running Windows operating system or a memory dump file and find the Windows source code corresponding to each Windows-supplied executable, DLL, device driver, or other component in the system. Finally, we address the use of the source code via Code Center Premium with the Windows Debugging Tools. Several memory dump analysis and "live" system debugging scenarios are presented in the form of lab problems.

Topics
Code Center Premium
General description
Installing and connecting (demonstration)
Troubleshooting connection issues
First look at directory tree structures
Search tools, strategies, and techniques
Windows general architecture, components, and source tree structure
General principles
32- and 64-bit address spaces
Execution context: Processes, threads, and "others"
Windows services (background processes)
Finding source code for Windows processes
Kernel mode components
Tools for investigating and monitoring
Introduction to the Windows Debugger
User mode architecture and components
Processes and address space
Executable file format
User mode memory management
Threads
Process and thread components and data structures
Program execution environment
User to kernel mode calls
Process and thread creation and deletion
Explorer and Internet Explorer
.NET
Security architecture and components
Security concepts
Windows security model and certifications
Windows security features
Windows security components and implementation (WinLogon, LSASS, Security Reference Monitor)
Security improvements in Vista
Kernel mode architecture and components
User to kernel mode calls, part 2 (system service dispatcher)
Objects and handles, object manager, and security
The registry
Kernel mode execution environment
Interrupt-driven contexts
Deferred Procedure Calls (DPCs)
Kernel mode synchronization mechanisms (IRQLs, spinlocks, resources)
Kernel memory allocation
Thread scheduler
Virtual memory manager
I/O subsystem, device drivers, and file cache
Memory dump analysis and live debugging
Debugging with source code access
Compiler optimizations
Relating assembly language to source
Debugging with incomplete or older sources
Understanding bugcheck codes and stack traces

Prerequisites
Experience with Windows at least at the "power user" or administrator level; and
Familiarity with basic operating system concepts; and
Reading familiarity with the C programming language; and
Access to Windows source code via Code Center Premium.

This workshop is for authorized source code licensees, as determined by Microsoft. If you have any questions about whether you are an authorized licensee, please contact the . Attendees, if they wish to participate in "live" browsing of the source code during the seminar, are required to bring their smart card readers and smart cards for Code Center Premium access. The smart cards must already be activated and must be enabled for either Windows XP or Windows Server 2003 source access. Each attendee, or the source code licensing contact within their organization, must obtain authorization from their Windows source licensing representative to access Code Center Premium from the seminar location if it is different from the location specified in your source license agreement. For information on obtaining source access, please visit the Microsoft Shared Source site.

Windows versions
Windows Vista; Windows Server 2003; Windows XP; Windows 2000. This seminar is presented using the Windows Server 2003/Windows XP architecture and source code as the "baseline." Vista differences will be noted, where they are significant.

Duration and formats
5 days lecture/demonstration/lab format (customizable)

Labs
This seminar is presented in a mixed lecture, guided demonstration, and lab format. The seminar leader will frequently use various utilities (including the Windows Debugger) to demonstrate key points, and students will be encouraged to perform the same exercises on their systems. In some topic areas, particularly debugging, there are distinct lab periods with problems for the attendees to solve.

Customizations
Although there is a certain amount of core material that we feel is essential for all attendees, other areas can be more or less emphasized according to the attendees' requirements, and certain material can be omitted completely. Please contact us for details.

Licensing
This seminar is of course only available to Code Center Premium users. Please contact your Microsoft Source Licensing representative for information or to schedule a delivery. If the seminar is held away from your primary site, approval must be granted by Microsoft for Code Center Premium access from the seminar location.

Government Agencies
If you are a government agency (of any country) with Code Center Premium access, members of your agency may qualify to receive this training at no cost to you. Please contact your Microsoft Government Security Program representative.