Department of Computer Science, Information Processing Laboratory
Lecture 6 Management Mechanisms
xlanchen@03/25/2005
Understanding the Inside of Windows2000
Contents
The Registry
Services
Windows Management Instrumentation
1. The Registry
Registry
The repository for systemwide and per-user settings
Used to configure and control 2K systems
For a complete reference to the contents of the 2K registry, refer to the “Technical Reference to the Windows 2000 Registry” help file.
The focus
Registry structure
Data types
Key information in the registry
…
Registry Structure
The registry is a database; compare it with the file system:
Key: value (directory: file)
Subkey (subdirectory)
Root key (root directory)
Naming convention
Registry Editor utilities:
Regedit
Regedt32 (for example)
Registry Data Types
11 types:

| Type | Description |
| --- | --- |
| REG_NONE | No value type |
| REG_SZ | Fixed-length Unicode NULL-terminated string |
| REG_EXPAND_SZ | Variable-length Unicode string that can have embedded environment variables |
| REG_BINARY | Arbitrary-length binary data |
| REG_DWORD | 32-bit number |
| REG_DWORD_LITTLE_ENDIAN | 32-bit number, low byte first |
| REG_DWORD_BIG_ENDIAN | 32-bit number, high byte first |
| REG_LINK | Unicode symbolic link |
| REG_MULTI_SZ | Array of Unicode NULL-terminated strings |
| REG_RESOURCE_LIST | Hardware resource description |
| REG_FULL_RESOURCE_DESCRIPTOR | Hardware resource description |
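As an added example (not part of the lecture), a decoder for raw value bytes by registry type: it shows why the two REG_DWORD byte orders matter, how REG_EXPAND_SZ and REG_MULTI_SZ are interpreted, and that a hive parser should not rely on the NUL terminator being present. The type codes are the winnt.h constants; the sample values are constructed.

```python
import re
import struct

# Win32 type codes (values from winnt.h; the lecture lists only the names).
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 4, 5, 6, 7
REG_DWORD_LITTLE_ENDIAN = REG_DWORD   # same code: REG_DWORD is little-endian

def _utf16z(raw):
    # Registry strings are UTF-16LE. Stop at the first NUL, but do not
    # require one: data read straight from a hive may lack the terminator.
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def decode_value(vtype, raw, env=None):
    """Decode raw value bytes according to the registry type stored with
    them. Raises ValueError for malformed data instead of guessing."""
    if vtype in (REG_NONE, REG_BINARY):
        return bytes(raw)
    if vtype in (REG_SZ, REG_LINK):
        return _utf16z(raw)
    if vtype == REG_EXPAND_SZ:
        # Expand %VAR% from the caller-supplied environment only, so the
        # result does not depend on the machine running this code.
        env = env or {}
        return re.sub(r"%([^%]*)%",
                      lambda m: env.get(m.group(1), m.group(0)), _utf16z(raw))
    if vtype in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError("DWORD value has %d bytes, not 4" % len(raw))
        # Same four bytes, different type code, different number.
        return struct.unpack("<I" if vtype == REG_DWORD else ">I", raw)[0]
    if vtype == REG_MULTI_SZ:
        items = []
        for s in raw.decode("utf-16-le", errors="replace").split("\x00"):
            if s == "":          # the empty string ends the array
                break
            items.append(s)
        return items
    raise ValueError("type %d not decoded here" % vtype)

# Constructed sample values (not taken from any real hive).
SAMPLE_VALUES = [
    ("Start", REG_DWORD, b"\x02\x00\x00\x00"),
    ("BigEndian", REG_DWORD_BIG_ENDIAN, b"\x02\x00\x00\x00"),
    ("ImagePath", REG_EXPAND_SZ,
     "%SystemRoot%\\System32\\svc.exe\x00".encode("utf-16-le")),
    ("DependOnService", REG_MULTI_SZ,
     "RpcSs\x00Tcpip\x00\x00".encode("utf-16-le")),
]

def decode_samples(env):
    return {name: decode_value(t, raw, env) for name, t, raw in SAMPLE_VALUES}
```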
Registry Logical Structure
Six root keys
HKEY_CURRENT_USER
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
Demo
HKEY_CURRENT_USER
Contains data regarding the preferences and software configuration of the locally logged-on user
\Documents and Settings\<username>\Ntuser.dat
A link to a subkey of HKEY_USERS
HKEY_USERS
contains a subkey for each loaded user profile and user class registration database on the system
HKEY_CLASSES_ROOT
consists of two types of information: file extension associations and COM class registrations
HKEY_LOCAL_MACHINE
contains all the systemwide configuration subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM
HKEY_CURRENT_CONFIG
A link to the current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
HKEY_PERFORMANCE_DATA
You can access the registry performance counter information directly by opening a special key named HKEY_PERFORMANCE_DATA and querying values beneath it
EXPERIMENT
Watching Registry Activity
Regmon.exe
Registry internals
Configuration manager
Manages the registry recoverably
The registry is a set of discrete files called hives
Registry tree
| Registry path | Hive file |
| --- | --- |
| HKEY_LOCAL_MACHINE\SYSTEM | \Winnt\System32\Config\System |
| HKEY_LOCAL_MACHINE\SAM | \Winnt\System32\Config\Sam |
| HKEY_LOCAL_MACHINE\SECURITY | \Winnt\System32\Config\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE | \Winnt\System32\Config\Software |
| HKEY_LOCAL_MACHINE\HARDWARE | Volatile hive |
| HKEY_LOCAL_MACHINE\SYSTEM\Clone | Volatile hive |
| HKEY_USERS\<security ID of username> | \Documents and Settings\<username>\Ntuser.dat |
| HKEY_USERS\<security ID of username>_Classes | \Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat |
| HKEY_USERS\.DEFAULT | \Winnt\System32\Config\Default |
EXPERIMENT
Looking at Hive Handles
Handleex.exe
Hive Structure
Registry block (4KB)
Base block, includes global information about the hive
Signature: regf
Updated sequence numbers
Time stamp
Hive format version number
Checksum
Internal filename
Cell
To organize the registry data
A cell can hold a key, a value, a security descriptor, a list of subkeys, or a list of key values.
Cell header: the cell's size
Cell data, whose layout depends on the cell type:
Key cell, value cell, subkey-list cell, value-list cell, security-descriptor cell
Bin
To minimize some management chores
When a cell joins a hive and the hive must expand to contain the cell, the system creates an allocation unit called a bin
Bin header: bin offset and bin size
Cell index
Cell indexes: the links that create the structure of a hive
A cell index is the offset of a cell into the hive file
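An added example (not from the lecture) that ties together the base block, cells, bins and cell indexes of the slides above: it constructs a minimal hive image, then validates the regf signature, the checksum and the sequence numbers before walking every bin and cell, which is the check a forensic or integrity tool performs before trusting a hive. The field offsets are those of the on-disk hive format; the image itself is constructed, not taken from any system.

```python
import struct

BASE_BLOCK_SIZE = 4096   # the 4 KB block the base block occupies
HBIN_HEADER_SIZE = 32    # "hbin" signature, bin offset, bin size, ...

def base_block_checksum(block):
    """Checksum stored at 0x1FC: XOR of the 127 DWORDs before it."""
    x = 0
    for (w,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= w
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (1 if x == 0 else x)

def build_sample_hive():
    """Constructed hive image: base block + one bin with two cells."""
    base = bytearray(BASE_BLOCK_SIZE)
    # regf, primary/secondary sequence numbers, time stamp, format version
    # major/minor, file type, format, root cell index, bins size, cluster
    struct.pack_into("<4sIIQ7I", base, 0, b"regf", 7, 7, 0,
                     1, 3, 0, 1, HBIN_HEADER_SIZE, 4096, 1)
    base[0x30:0x70] = "SYSTEM".ljust(32, "\x00").encode("utf-16-le")
    struct.pack_into("<I", base, 0x1FC, base_block_checksum(base))
    hbin = bytearray(4096)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 4096)
    struct.pack_into("<i", hbin, 0x20, -32)          # allocated: negative size
    struct.pack_into("<i", hbin, 0x40, 4096 - 0x40)  # free: positive size
    return bytes(base + hbin)

def parse_hive(image):
    """Validate the base block, then walk each bin and its cells. A cell
    index is the cell's offset from the start of the bins data."""
    base = image[:BASE_BLOCK_SIZE]
    sig, seq1, seq2 = struct.unpack_from("<4sII", base, 0)
    if sig != b"regf":
        raise ValueError("not a hive: signature %r" % sig)
    if struct.unpack_from("<I", base, 0x1FC)[0] != base_block_checksum(base):
        raise ValueError("base block checksum mismatch")
    root_index, bins_size = struct.unpack_from("<II", base, 0x24)
    info = {"name": base[0x30:0x70].decode("utf-16-le").rstrip("\x00"),
            "root_index": root_index, "cells": [],
            # unequal sequence numbers: an interrupted write, to be recovered
            "dirty": seq1 != seq2}
    off = BASE_BLOCK_SIZE
    while off < BASE_BLOCK_SIZE + bins_size:
        hsig, hoff, hsize = struct.unpack_from("<4sII", image, off)
        if hsig != b"hbin" or hsize == 0 or hoff != off - BASE_BLOCK_SIZE:
            raise ValueError("corrupt bin header at file offset 0x%x" % off)
        pos = off + HBIN_HEADER_SIZE
        while pos < off + hsize:
            size = struct.unpack_from("<i", image, pos)[0]
            if size == 0 or abs(size) > off + hsize - pos:
                raise ValueError("corrupt cell at file offset 0x%x" % pos)
            info["cells"].append((pos - BASE_BLOCK_SIZE, abs(size), size < 0))
            pos += abs(size)
        off += hsize
    return info
```

Each entry in `cells` is (cell index, size in bytes, allocated); the root key's cell index from the base block must point at an allocated cell, which is one more consistency check a tool can make.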
Internal structure of a registry hive
Cell map
The hive is buffered in the kernel's address space (paged pool)
When a hive grows, the system must allocate paged pool memory to store the new bins
The paged pool that keeps the registry data in memory isn't necessarily contiguous
Cell map: translates a cell index to the cell's address in memory, much as page tables translate virtual memory to physical memory
Structure of a cell index
EXPERIMENT
Viewing Hive Paged Pool Usage
The Registry Namespace
Registry keys are exposed through a key object type
The configuration manager creates a key object named \Registry in the object manager namespace
Name parsing
The object manager parses \Registry
The configuration manager parses the rest of the name
Key object and key control block
(Diagram: two applications, each with a handle-table entry referring to its own key object; both key objects refer to one shared key control block.)
Flow of control
App: opens an existing key
Object manager: parses \Registry
Configuration manager: parses the rest of the name
If the key is already open: increments the reference count of its existing key control block
Else: creates a new key control block
Then: creates a new key object
Object manager: returns a handle
App: OK
Services
Also called Win32 services
Similar to UNIX daemon processes
Win32 services consist of three components
a service application,
a service control program (SCP),
the service control manager (SCM).
Service Applications
Consist of at least one executable
A user wanting to start, stop, or configure a service uses an SCP
Service applications are simply Win32 executables (GUI or console) with additional code
To receive commands from the SCM
To communicate the application's status back to the SCM.
Service Applications (cont.)
When installing, the setup program must register the service with the system (CreateService)
Usually: auto-start service
The function StartService can be used to start the service
Service characteristics
the service's type
the location of the service's executable image file,
an optional display name,
an optional account name and password
a start type
an error code
And optional information
Registry key for a service
Each characteristic is stored as a value under the service's key
Inside a service process
Service Accounts
The Local System Account
Alternate Accounts
Interactive Services
The Service Control Manager
The SCM's executable file is \Winnt\System32\Services.exe
SvcCtrlMain
ScCreateServiceDB
This is the function that builds the SCM's internal service database
Service Startup
ScAutoStartService for auto-start services
The services are started in a certain order
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List
Startup Errors
If a service reports an error on startup, its ErrorControl value determines the SCM's reaction:
If SERVICE_ERROR_IGNORE (0) or not specified: the error is ignored
If SERVICE_ERROR_NORMAL (1): an event is written to the system Event Log:
“The <service name> service failed to start due to the following error:”
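An added example (not the lecture's code) covering the per-service registry values, the group-based startup order and the ErrorControl reaction described in the slides above: it models ScAutoStartService at the group level and reproduces the Event Log line quoted above. The service entries, group list and error texts are constructed; the layout of per-service values is assumed from HKLM\SYSTEM\CurrentControlSet\Services\<name>, and per-service Tag ordering within a group is not modelled.

```python
SERVICE_AUTO_START = 2                       # Start value of auto-start services
SERVICE_ERROR_IGNORE, SERVICE_ERROR_NORMAL = 0, 1

# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet: the
# Control\ServiceGroupOrder\List value (REG_MULTI_SZ) and a handful of
# Services\<name> keys reduced to the values used here. Not real data.
GROUP_ORDER_LIST = ["System Bus Extender", "Boot File System", "Base",
                    "NDIS", "TDI", "NetworkProvider"]
SERVICES = {
    "EventLog":          {"Start": 2, "Group": "Base", "ErrorControl": 1},
    "Dhcp":              {"Start": 2, "Group": "TDI", "ErrorControl": 1},
    "LanmanWorkstation": {"Start": 2, "Group": "NetworkProvider", "ErrorControl": 1},
    "Tcpip":             {"Start": 1, "Group": "PNP_TDI", "ErrorControl": 1},
    "MyAgent":           {"Start": 2, "ErrorControl": 0},        # no Group value
    "Spooler":           {"Start": 2, "Group": "SpoolerGroup"},  # unlisted group, no ErrorControl
}

def auto_start_order(services, group_list):
    """Order auto-start services at the group level as ScAutoStartService
    does: listed groups in ServiceGroupOrder\\List order, then services with
    no group or an unlisted one. Ties are broken by name here (the real SCM
    also honours per-service Tag values, which this model omits)."""
    rank = {g: i for i, g in enumerate(group_list)}
    auto = [n for n, v in services.items() if v.get("Start") == SERVICE_AUTO_START]
    return sorted(auto, key=lambda n: (rank.get(services[n].get("Group"),
                                                len(group_list)), n))

def startup_error_action(name, service, error_text):
    """Reaction to a start failure as the lecture describes it: ErrorControl
    0 or missing ignores the error; 1 writes the system Event Log message."""
    ec = service.get("ErrorControl", SERVICE_ERROR_IGNORE)
    if ec == SERVICE_ERROR_IGNORE:
        return ("ignore", None)
    if ec == SERVICE_ERROR_NORMAL:
        return ("log", "The %s service failed to start due to the following "
                       "error: %s" % (name, error_text))
    return ("other", None)   # other ErrorControl values are not covered here

def simulate_startup(services, group_list, failures):
    """Start services in order; `failures` maps a name to the error text its
    start would return. Returns the order and the Event Log lines produced."""
    order = auto_start_order(services, group_list)
    events = []
    for name in order:
        if name in failures:
            action, msg = startup_error_action(name, services[name], failures[name])
            if action == "log":
                events.append(msg)
    return order, events
```

A service with ErrorControl 0 that fails to start leaves no trace in the Event Log, which is why auditing that value alongside Start and ImagePath is worthwhile when reviewing a machine's service configuration.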
example
WMI
An implementation of Web-Based Enterprise Management (WBEM)
WBEM: a standard defined by the DMTF (Distributed Management Task Force)
WMI Architecture
The WMI Namespace
Hierarchical organization
Root (like a root directory) contains the subnamespaces:
CIMV2
Default
Security
WMI
WMI uses object properties that it defines as keys to identify the objects.