Windows Under the Hood

The Registry

• Stores information on everything Windows• Found in Windows\System32\config if you

want to know• Rarely do we go straight to the Registry; use

Device Manager, Control Panel• Regedit or Regedt32 will get you to same

place; Start | Run• Be careful, you can break Windows easily

Registry Root Keys• HKEY_CLASSES_ROOT; class objects, file

associations, type of icon, program to open it• HKEY_CURRENT_USER; current user

preferences, desktop color and pattern• HKEY_USERS; All users for the computer• HKEY_LOCAL_MACHINE (HKLM); system’s

non-user-specific configurations• HKEY_CURRENT_CONFIG; hardware currently

being used

Registry Edits

• Use either program: REGEDIT or REGEDT32• Make a backup before you change anything

(File | Export) – use .REG extension• Be careful of value types if adding key(s)• Saves are automatic; no recovery from deletes

Types of Data in Registry

• String value: any form of data• Binary value: Ones and zeros• Dword value: Binary but limited to 32-bits• Qword value: Binary but limited to 64-bits

XP Boot Process

• System files start the boot process• NTLDR, boot.ini, and ntdetect.com

(ntbootdd.sys); on system partition• Edit boot.ini from System | Advanced |Startup

and Recovery• Later files: ntoskrnl.exe, hal.dll, Registry,

device drivers and winlogon.exe found in boot partition (Windows)

System Partition Files

• NTLDR – MBR starts it; reads Boot.ini to find Windows installations

• Boot.ini uses Advanced RISC Computing (ARC) naming system to identify partitions; edit from System applet in Control Panel

• Ntldr starts protected mode and then calls on ntdetect.com to find hardware

Vista/7 Boot• 32-bit BIOS scans for master boot record; loads

boot sector; bootmgr• 64-bit UEFI loads bootmgr directly• Bootmgr asks which OS to load using Boot

Configuration Data (BCD) file. Edit with bcdedit.exe; then loads winload.exe; then the OS kernel

• Vista/7 boot files and the system files must all reside on the same partition

Processes, Services and Threads

• Applications are processes loaded into RAM; have a window and end when you close the window

• Processes without need for a window are called Services

Task Manager

• One-stop place for Applications, Processes and Services

• CTRL-SHIFT-ESC, CTRL-ALT-DELETE, Start|Run | taskmgr

• Click View | Select Columns for Process Identifier (PID)

• Can log off a user from Users tab if they did not

Task Manager, 2• Applications tab; shows all running applications;

go here to force application to stop• Processes tab; everything is a process; can end

processes but for some, Windows won’t allow you to end them

• Performance tab; quick check of what is going on – CPU use and memory use

• Networking and Users tabs; not really exciting; can see how busy network is

Services Applet

• Control Panel |Administrative Tools | Services• Click on Services button in Services pane of

Task Manager• Run services.msc• Can start, or stop, a service from here;

Windows will not let you stop critical services• This has services in alphabetic order where

Task Manager does not

Performance Console

• Object is a system component that is given a set of characteristics and is a single entity

• Counters track specific information about objects

• Lots of counters; not many books on the Console, read over Michael’s section

Performance – Vista and 7

• Reliability and Performance Monitor in Vista• Performance Monitor in 7• Start with Performance Information and Tools

in Control Panel• Wander with it to get a sense of what it can

tell you – we will do that in lab sessions

Honorable Mention

• Component Services: Allows sharing of objects between programs

• Data Sources: Open DataBase Connectivity (ODBC); sharing of databases among programs