Document Details

Uploaded by DeadOnTurquoise3418

2009

Unitintro: ICT1001 Computer Systems

Tags

Windows registry, computer systems, operating systems

Summary

This document is a past paper from a computer systems course. It explores the Windows registry, the boot process, and processes, services and threads in the operating system. It is relevant to the ICT1001 Computer Systems course taken in 2009.

Full Transcript

Windows Under the Hood
Unitintro: ICT1001 Computer Systems 2009

Overview

In this chapter, you will learn how to:
- Work with the Registry
- Understand and observe the Windows boot process in detail
- Manage processes, services, and threads
- Explore Windows tools for programmers

Registry

The Registry is a huge database that stores everything about your PC:
- Hardware information
- Network information
- User preferences
- File types
- Application information

Windows stores the Registry files in the \%SystemRoot%\System32\config folder.

Accessing the Registry

Registry Editor gives direct access to the Registry.
- Enter regedit at a command prompt
- Or in the Start | Search bar

Registry Components

The Registry is organized in a tree structure similar to the folders in the PC. Once you open the Registry Editor in Windows, you will see five main subgroups, or root keys:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_USERS
- HKEY_LOCAL_MACHINE
- HKEY_CURRENT_CONFIG

Figure 13.1 Typical Registry root keys, subkeys, and values

Root keys are composed of subkeys. A subkey also can have other subkeys, or values. The Registry Editor shows only keys—root keys and subkeys—on the left and values on the right.

- HKEY_CLASSES_ROOT: Defines the standard class objects used by Windows (i.e., file types and associations)
- HKEY_CURRENT_USER and HKEY_USERS: Stores all of the personalized information for all users on a PC
- HKEY_LOCAL_MACHINE: System’s non-user-specific configurations
- HKEY_CURRENT_CONFIG: Options currently being used

Talkin’ Registry

Registry nomenclature uses a path type of syntax.
For example: HKLM\SOFTWARE\Blizzard Technologies\World of Warcraft

This nomenclature describes the location of a specific registry value. Keys and subkeys can have more than one value.

Figure 13.2 Editing the Registry to move World of Warcraft to a new drive

Values must have a defined type of data they store:
- String value: any form of data
- Binary value: long strings of ones and zeros
- DWORD value: binary values limited to exactly 32 bits
- QWORD value: binary values limited to exactly 64 bits

There are other types of values, but these four are used for most Registry entries.

Manual Registry Edits

Manually editing the Registry may break things in Windows. Applications might not start; utilities might not work; the computer might not boot.
- Always back up the Registry before you change anything.
- Create a secure backup on different media (e.g., USB thumb drive).
- After editing, reboot system to see if the changes you made had the desired result.
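A backup is most useful when it can be checked against the result of the edit. The following added example (not part of the course material) parses the text form of a Registry Editor backup, decodes the four value types listed above, and diffs a before/after pair; the sample export, its value names and its data are constructed.

```python
import re

# Constructed sample: one key exported before and after a manual edit.
# The value names and data are invented for illustration.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Blizzard Technologies\World of Warcraft]
"InstallPath"="C:\\Games\\World of Warcraft\\"
"Launched"=dword:0000002a
"PlayTime"=hex(b):00,e1,f5,05,00,00,00,00
"Blob"=hex:de,ad,\
  be,ef
'''
AFTER = BEFORE.replace(r"C:\\Games", r"D:\\Games")

HEADER = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode(raw):
    """Map .reg value syntax to (type name, Python value)."""
    if raw.startswith('"'):                      # String value
        return "String", re.sub(r"\\(.)", r"\1", raw[1:-1])
    kind, _, data = raw.replace(" ", "").partition(":")
    if kind == "dword":                          # exactly 32 bits
        return "DWORD", int(data, 16)
    octets = bytes(int(b, 16) for b in data.split(",") if b)
    if kind == "hex(b)":                         # 64 bits, little-endian
        return "QWORD", int.from_bytes(octets, "little")
    return ("Binary" if kind == "hex" else kind), octets


def parse_reg(text):
    """Return {key path: {value name: (type, value)}}."""
    text = text.replace("\\\n", "")              # join continued hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).strip('"')] = decode(m.group(2))
    return keys


def diff_exports(before, after):
    """List (key, name, old, new) for every value that differs."""
    a, b = parse_reg(before), parse_reg(after)
    changes = []
    for key in sorted(set(a) | set(b)):
        old, new = a.get(key, {}), b.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((key, name, old.get(name), new.get(name)))
    return changes
```

Files saved by Registry Editor in this format are UTF-16 text, so read a real backup with `open(path, encoding="utf-16")` before passing it to `parse_reg`.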
Registry Editor’s Export feature enables you to:
- Save the full Registry
- Or save a single root key or subkey (including all subkeys and values under it)

Figure 13.3 Mike’s Run subkey

Command-Line Registry Editing Tools

reg command
- Full Registry editing tool
- View Registry keys and values
- Import and export some or all of a Registry
- Compare two different versions of a Registry
- Tailor a command to accomplish very tight Registry edits

regsvr32 command
- Modifies the Registry in only one way—adding (or registering) dynamic link library (DLL) files as command components

The Boot Process

Current Windows versions support both BIOS and UEFI boot processes.

BIOS-based system
- The BIOS uses its boot order to scan a hard drive for a master boot record (MBR).
- MBR loads its boot sector, which contains code pointing to the bootmgr file.
- The bootmgr loads winload.exe, which readies your system to load the operating system kernel.

UEFI system
- Bootmgr loads directly.

Bootmgr starts and reads data from a Boot Configuration Data (BCD) file.
- BCD contains information about the various operating systems installed on the system as well as instructions for how to actually load (bootstrap) them.

Once an operating system is selected (immediately, if only one is present), bootmgr loads winload.exe.
- Readies your system to load the operating system kernel.
Winload.exe loads:
- Hardware abstraction layer
- The system Registry
- Drivers for any boot devices into memory before the operating system itself takes over

Once the operating system process (ntoskrnl.exe) takes over, it loads all of the various processes and systems that comprise Windows, and the Windows logo comes up.

Processes, Services, and Threads

In Windows, programs are executable files waiting on a mass storage device. When a program is started, Windows loads it into RAM as a process. The CPU reads the process; the process tells the CPU which bits of code to run. Windows is a multitasking operating system—it runs many processes simultaneously.

Some processes are called applications; some are called services.
- Applications run on screen or in the foreground.
- Services run in the background and perform support tasks.

Task Manager

Windows Task Manager is the one-stop-shop for anything you need to do with applications, processes, and services.

To open Task Manager in Windows Vista/7:
- Press CTRL-SHIFT-ESC
- Start | Search and type taskmgr and press ENTER
- Press CTRL-ALT-DELETE and select Task Manager

Task Manager in Windows Vista/7

The Applications tab shows all the running applications on your system.
- Use it to force an application to shut down if it will not close normally.
- Switch To enables you to bring any program to the front.
- New Task enables you to start any program you wish, as long as you know the executable.

The Processes tab shows you every running process on your computer.
- A process is named after its executable file.
- The name usually ends in .exe but can also end with other extensions.
All processes have a user name to identify who started the process. A process started by Windows has the user name System.

All processes have a process identifier (PID).
- To identify a process, you use the PID, not the process name.
- Task Manager doesn’t show the PID by default.
- Mark the checkbox under View to display the PID.

Figure 13.6 Processes tab in Windows 7

Figure 13.7 Processes tab showing the PID column in Windows 7

The Processes tab shows the amount of CPU time (percentage) and the amount of RAM (kilobytes) the process is using.
- By default, the Task Manager shows only processes associated with the current user.
- Click on Show processes from all users to see every process on the system.
- If you select a process and click the End Process button, you’ll instantly end that process. If the process is an application, that application will close.

Figure 13.9 Processes from all users in Windows 7

Right-click on a process to display a number of options:
- Open File Location, Debug, UAC Virtualization, Dump files, Set priority, Set Affinity, and other choices
- The Properties option offers options similar to Windows Explorer.
- Go to Service(s) will move you to the Services tab of the Task Manager, showing you all services associated with the process.
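The link between a PID and the services it hosts can also be read from the output of `tasklist /svc /fo csv`. The following added example (not part of the course material) parses a constructed sample of that output to show why a process is identified by PID rather than by name, and which other services would stop if the process hosting one service were ended; the PIDs and service groupings are invented.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (PIDs invented).
SAMPLE = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","812","DcomLaunch,PlugPlay,Power"
"svchost.exe","1044","Dhcp,EventLog"
"svchost.exe","1320","Dnscache"
"spoolsv.exe","1716","Spooler"
"notepad.exe","5120","N/A"
'''


def load(text):
    """Return {pid: (image name, [services hosted in that process])}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        field = row["Services"]
        svcs = [] if field == "N/A" else [s.strip() for s in field.split(",")]
        table[int(row["PID"])] = (row["Image Name"], svcs)
    return table


def pids_for_image(table, image):
    """All PIDs sharing one executable name (case-insensitive)."""
    return sorted(pid for pid, (name, _) in table.items()
                  if name.lower() == image.lower())


def host_of(table, service):
    """PID of the process hosting a service, or None if not running."""
    for pid, (_, svcs) in table.items():
        if service.lower() in (s.lower() for s in svcs):
            return pid
    return None


def kill_impact(table, service):
    """What ending the host process of `service` would also stop."""
    pid = host_of(table, service)
    if pid is None:
        return None
    image, svcs = table[pid]
    others = [s for s in svcs if s.lower() != service.lower()]
    return {"pid": pid, "image": image, "also_stops": others}
```

In the sample, the name svchost.exe matches three PIDs, so only the PID says which instance is meant, and ending PID 1044 to stop one service would stop the other service hosted there as well.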
Figure 13.10 Processes detail on right-click

Figure 13.11 Process priority

Figure 13.12 Turning off affinity to the first two cores

Figure 13.14 Process Explorer

Use the Services tab in the Task Manager to work with services directly—they can be stopped or started, and you can go to the associated process.
- The best way to work with services is to use the Services Control Panel applet.
- Services don’t have their own window, so you use the Services applet to start, stop, and configure them.
- You can see if a service is running by reading the Status column.
- Accessed through Run > services.msc

Figure 13.15 Services tab in Task Manager

Figure 13.16 Services applet

Figure 13.17 Service Properties dialog box

Performance

Task Manager allows one to assess how hard RAM and the CPU are working at any given moment and why.
- Click the Performance tab to reveal a handy screen with the most commonly used information: CPU usage, available physical memory, size of the disk cache, commit charge (memory for programs), and kernel memory (memory used by Windows).
- Task Manager also tells you what program is using CPU and RAM resources.
Figure 13.18 Task Manager Performance tab

Figure 13.19 CPU usage

Networking and users

Remaining tabs in Task Manager enable you to see:
- Network use at a glance
- Which users’ accounts are currently logged on to the local machine

The Networking tab shows network traffic activity and can help troubleshoot network performance problems. The Users tab enables you to log off other users if you have the proper permissions.

Task Manager in Windows 8/8.1/10

- Significantly updated
- New Fewer Details view with a simple interface for seeing and terminating running programs

Figure 13.20 Fewer details view in Windows 8 Task Manager

Processes
- In detailed mode, Processes is broken into three sections: Apps, Background processes, and Windows processes.
- By default, the Processes tab lists a process description, its status, and its resource use, including CPU, Memory, Disk I/O, and Network I/O.
- Most advanced options have moved to the context menu of the Details tab.

Figure 13.22 Processes tab context menu in Windows 8 Task Manager

Performance
- Networking and Disk I/O have been added to the Performance tab.
- This provides one simple place to view all major performance metrics.

App history
- The App history tab collects recent statistics on CPU time and network usage.
- These statistics help identify resource-hungry programs.
Figure 13.23 Performance tab in Windows 8 Task Manager showing a very active Disk 0

Startup
- The Startup tab enables you to identify and disable rogue startup programs.

Users
- The Users tab shows programs running under a user’s account and clearly indicates resource use.

Details
- The Details tab inherits most of the functionality removed from the old Processes tab.

Services
- The Services tab is virtually unchanged.

The tasklist and taskkill commands
- These commands enable you to work with tasks from the command line.
- The tasklist command enables you to view running processes on a local or remote system.
- You can kill a process using the taskkill command, using either the name or the PID.

Performance Tools

Reliability and Performance Monitor (Windows Vista) and Performance Monitor (Windows 7)
- These tools track metrics regarding resource usage.

Objects and counters
- An object is a system component that is given a set of characteristics and can be managed by the OS as a single entity.
- A counter tracks specific information about an object.

Figure 13.29 Resource Overview in Windows Vista

Figure 13.31 Initial Performance Monitor screen in Windows 7

Working with the tools
- Performance Monitor gathers and displays real-time data on objects such as memory, physical disk, processor, and network.
- To add counters, open the Add Counters dialog box.
- Selecting a counter and pressing CTRL-H makes that counter data stand out on the graph.
Figure 13.33 Add Counters dialog box

Figure 13.34 Pressing CTRL-H makes one set of data stand out.

Data Collector Sets are groupings of counters you can use to make reports.
- You can make your own Data Collector Sets (User Defined) or use one of the predefined system sets.
- Data Collector Sets enable you not only to choose counter objects to track but also to schedule when you want them to run.

Figure 13.35 Sample report

Component Services

Component services are tools to enable programmers to share data objects (an element of programs) between applications on a single computer.
- Over time, this sharing was extended so that you could share objects between computers on a network.
- In almost all cases, sharing objects doesn’t require you to do anything more than install an application that uses these features.

Component Services is there for those very rare times when something’s either wrong or a programmer needs you to make manual changes.

Figure 13.36 Component Services in Windows 7

Data Sources

Open Database Connectivity (ODBC)
- Coding standard that enables programmers to write databases and the applications that use them
- Can query ODBC to see how to locate and access a database without any concern about what application or operating system is used

Microsoft’s tool to configure ODBC is called ODBC Data Source Administrator.
Data Source Administrator enables you to create and manage entries called Data Source Names (DSNs) that point ODBC to a database.
- DSNs are used by ODBC-aware applications to query ODBC to find their databases.
- You will rarely use Data Source Administrator unless you’re making your own shared databases.

Figure 13.37 ODBC Data Source Administrator in Windows 8.1

Additional Topics

System Restore
- You can create Restore Points to allow recovering the system to an earlier point in time in the event of system failure or instability.

Safe Mode
- Safe Mode starts Windows with a minimal set of drivers and services.
- If a system cannot boot normally, you can boot into Safe Mode to troubleshoot and fix the issue.
