Published by Stephanie Chastity Hicks. Modified over 9 years ago.
Slide 1
Department of Computer Science, Information Processing Laboratory
Course: Understanding the Inside of Windows 2000
Lecture 6: Management Mechanisms
xlanchen@03/25/2005
Slide 2: Contents
- The Registry
- Services
- Windows Management Instrumentation
Slide 3: 1. The Registry
Slide 4: Registry
- The repository for systemwide and per-user settings
- Used to configure and control Windows 2000 systems
- For a complete reference to the contents of the Windows 2000 registry, see the "Technical Reference to the Windows 2000 Registry" help file.
Slide 5: The focus
- Registry structure
- Data types
- Key information in the registry
- ...
Slide 6: Registry Data Types
- The registry is a database (compare it with the file system):
  - key / value (directory / file)
  - subkey (subdirectory)
  - root key (root directory)
- Naming convention
- Registry editor utilities, for example Regedit and Regedt32
Slide 7: Registry Data Types (11 types)
  REG_NONE                      No value type
  REG_SZ                        Fixed-length Unicode NULL-terminated string
  REG_EXPAND_SZ                 Variable-length string that can have embedded environment variables
  REG_BINARY                    Arbitrary-length binary data
  REG_DWORD                     32-bit number
  REG_DWORD_LITTLE_ENDIAN       32-bit number, low byte first
  REG_DWORD_BIG_ENDIAN          32-bit number, high byte first
  REG_LINK                      Unicode symbolic link
  REG_MULTI_SZ                  Array of Unicode NULL-terminated strings
  REG_RESOURCE_LIST             Hardware resource description
  REG_FULL_RESOURCE_DESCRIPTOR  Hardware resource description
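The value types above determine how raw value bytes (as they sit in a hive file) must be decoded. The following decoder is an added example written for this page, not code from the lecture; the type codes are the real winnt.h values, while the sample values are constructed. It also covers the case the slide's "NULL-terminated" wording hides: strings on disk do not always carry their terminator, so a parser must not depend on it.

```python
import struct

# Value type codes from winnt.h (REG_DWORD_LITTLE_ENDIAN shares REG_DWORD's code, 4).
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 5, 6, 7
REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR = 8, 9

def _dword(data, fmt):
    if len(data) != 4:
        raise ValueError("a DWORD value must be exactly 4 bytes, got %d" % len(data))
    return struct.unpack(fmt, data)[0]

def decode_value(vtype, data):
    """Decode raw value bytes, as stored in a hive, according to the value type."""
    if vtype == REG_NONE:
        return None
    if vtype in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        # Unicode (UTF-16LE) text, nominally NUL-terminated. On disk the
        # terminator is sometimes missing, so stop at the first NUL if there
        # is one and otherwise take the whole buffer.
        return data.decode("utf-16-le", errors="replace").partition("\0")[0]
    if vtype == REG_DWORD:             # 32-bit number, low byte first
        return _dword(data, "<I")
    if vtype == REG_DWORD_BIG_ENDIAN:  # 32-bit number, high byte first
        return _dword(data, ">I")
    if vtype == REG_MULTI_SZ:
        # Array of NUL-terminated strings, closed by an extra empty string.
        parts = data.decode("utf-16-le", errors="replace").split("\0")
        while parts and parts[-1] == "":
            parts.pop()
        return parts
    # REG_BINARY and the two hardware resource description types are left opaque.
    return bytes(data)

# Constructed sample values (not taken from any real system).
SAMPLE_VALUES = [
    (REG_EXPAND_SZ, "%SystemRoot%\\system32\\svchost.exe".encode("utf-16-le") + b"\0\0"),
    (REG_DWORD, b"\x02\x00\x00\x00"),
    (REG_DWORD_BIG_ENDIAN, b"\x00\x00\x00\x02"),
    (REG_MULTI_SZ, "RpcSs\0Tcpip\0\0".encode("utf-16-le")),
]

def decode_samples():
    return [decode_value(t, d) for t, d in SAMPLE_VALUES]
```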
Slide 8: Registry Logical Structure
Six root keys:
- HKEY_CURRENT_USER
- HKEY_USERS
- HKEY_CLASSES_ROOT
- HKEY_LOCAL_MACHINE
- HKEY_CURRENT_CONFIG
- HKEY_PERFORMANCE_DATA
Slide 9: Demo
Slide 10: HKEY_CURRENT_USER
- Contains data regarding the preferences and software configuration of the locally logged-on user
- Backed by \Documents and Settings\<username>\Ntuser.dat
- A link to a subkey of HKEY_USERS
Slide 11: HKEY_USERS
- Contains a subkey for each loaded user profile and user class registration database on the system
Slide 12: HKEY_CLASSES_ROOT
- Consists of two types of information: file extension associations and COM class registrations
Slide 13: HKEY_LOCAL_MACHINE
- Contains all the systemwide configuration subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM
Slide 14: HKEY_CURRENT_CONFIG
- A link to the current hardware profile, stored under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
Slide 15: HKEY_PERFORMANCE_DATA
- You can access the registry performance counter information directly by opening a special key named HKEY_PERFORMANCE_DATA and querying values beneath it
Slide 16: EXPERIMENT: Watching Registry Activity
- Tool: Regmon.exe
Slide 17: Registry internals
- Configuration manager: manages the registry recoverably
- The registry is stored as a set of discrete files called hives
- Registry tree
Slide 18: Hives and their on-disk files
  Registry path                     Hive file
  HKEY_LOCAL_MACHINE\SYSTEM         \Winnt\System32\Config\System
  HKEY_LOCAL_MACHINE\SAM            \Winnt\System32\Config\Sam
  HKEY_LOCAL_MACHINE\SECURITY       \Winnt\System32\Config\Security
  HKEY_LOCAL_MACHINE\SOFTWARE       \Winnt\System32\Config\Software
  HKEY_LOCAL_MACHINE\HARDWARE       Volatile hive
  HKEY_LOCAL_MACHINE\SYSTEM\Clone   Volatile hive
  HKEY_USERS\<SID>                  \Documents and Settings\<username>\Ntuser.dat
  HKEY_USERS\<SID>_Classes          \Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat
  HKEY_USERS\.DEFAULT               \Winnt\System32\Config\Default
Slide 19: EXPERIMENT: Looking at Hive Handles
- Tool: Handleex.exe
Slide 20: (figure only, no text)
Slide 21: Hive Structure
- Registry block: 4 KB
- Base block: includes global information about the hive
  - Signature: regf
  - Updated sequence numbers
  - Time stamp
  - Hive format version number
  - Checksum
  - Internal filename
Slide 22: Cell
- Used to organize the registry data
- A cell can hold a key, a value, a security descriptor, a list of subkeys, or a list of key values
- Head of a cell: size
- Data of a cell: depends on the data type
- Cell types: key cell, value cell, subkey-list cell, value-list cell, security-descriptor cell
Slide 23: Bin
- Minimizes some management chores
- When a cell joins a hive and the hive must expand to contain the cell, the system creates an allocation unit called a bin
- Bin header: bin offset and bin size
Slide 24: Cell index
- Cell indexes are the links that create the structure of a hive
- A cell index is the offset of a cell into the hive file
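Slides 21 to 24 describe the on-disk hive layout: a 4 KB base block with signature, sequence numbers, version, filename and checksum, followed by bins whose cells each start with a size field and are addressed by cell index. The parser below is an added example for this page, not code from the lecture: it reads those base-block fields, checks the checksum, flags a hive whose two sequence numbers disagree (a write that never completed), and walks the cells of one bin. The field offsets and the XOR checksum rule are those of the regf format; the hive it parses is constructed in build_sample_hive.

```python
import struct

BASE = 4096  # the base block fills the hive's first 4 KB registry block

def base_checksum(block):
    """Base block checksum: XOR of the first 127 DWORDs (bytes 0..507)."""
    c = 0
    for (dw,) in struct.iter_unpack("<I", block[:508]):
        c ^= dw
    # Windows stores 1 for a result of 0 and 0xFFFFFFFE for 0xFFFFFFFF.
    return 1 if c == 0 else 0xFFFFFFFE if c == 0xFFFFFFFF else c

def parse_base_block(hive):
    b = hive[:BASE]
    if b[:4] != b"regf":
        raise ValueError("not a hive: bad base block signature")
    seq1, seq2, ftime, major, minor = struct.unpack_from("<IIQII", b, 4)
    (root,) = struct.unpack_from("<I", b, 36)        # cell index of the root key
    name = b[48:112].decode("utf-16-le").partition("\0")[0]
    return {"sequence": (seq1, seq2), "dirty": seq1 != seq2,  # unequal: last write incomplete
            "timestamp": ftime, "version": (major, minor), "filename": name, "root_cell": root,
            "checksum_ok": struct.unpack_from("<I", b, 508)[0] == base_checksum(b)}

def walk_bin(hive, file_off):
    """Yield (cell_index, allocated, size, tag) for each cell in one bin."""
    sig, _rel_off, size = struct.unpack_from("<4sII", hive, file_off)
    if sig != b"hbin":
        raise ValueError("bad bin signature at file offset %d" % file_off)
    pos, end = file_off + 32, file_off + size        # 32-byte bin header
    while pos + 4 <= end:
        (raw,) = struct.unpack_from("<i", hive, pos)  # cell head: signed size
        if raw == 0 or abs(raw) > end - pos:
            break                                      # end of data, or corrupt
        # cell index = offset from the start of the hive data (after the base block)
        yield pos - BASE, raw < 0, abs(raw), bytes(hive[pos + 4:pos + 6])
        pos += abs(raw)

def build_sample_hive(dirty=False):
    """Constructed sample: a base block plus one bin holding two cells."""
    b = bytearray(b"regf" + struct.pack("<IIQII", 7, 8 if dirty else 7, 0, 1, 3)) + bytearray(BASE - 28)
    struct.pack_into("<I", b, 36, 0x20)              # root key cell index
    b[48:60] = "SYSTEM".encode("utf-16-le")          # internal filename
    struct.pack_into("<I", b, 508, base_checksum(b))
    hb = bytearray(b"hbin" + struct.pack("<II", 0, 4096)) + bytearray(4096 - 12)  # offset, size
    struct.pack_into("<i", hb, 32, -0x60)            # allocated cell: negative size
    hb[36:38] = b"nk"                                #   ... holding a key
    struct.pack_into("<i", hb, 32 + 0x60, 0x40)      # free cell: positive size
    return bytes(b + hb)
```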
Slide 25: Internal structure of a registry hive (figure)
Slide 26: Cell map
- The hive is buffered in the kernel's address space (paged pool)
- When a hive grows, the system must allocate paged pool memory to store the new bins
- The paged pool that keeps the registry data in memory isn't necessarily contiguous
- Cell map: translates cell indexes to memory addresses, analogous to the mapping of virtual memory onto physical memory
Slide 27: Structure of a cell index (figure)
Slide 28: EXPERIMENT: Viewing Hive Paged Pool Usage
Slide 29: The Registry Namespace
- The registry is exposed as a key object named \Registry
- Name parsing: \Registry is resolved by the object manager; the rest of the name is parsed by the configuration manager
Slide 30: Key object and key control block
(Figure: two applications, each with a handle table entry referring to its own key object; both key objects refer to one shared key control block)
Slide 31: Flow of control (opening an existing key)
1. Application: open an existing key
2. Object manager: parse \Registry
3. Configuration manager: parse the rest of the name
   - If the key is already open: increment the reference count of its key control block
   - Else: create a new key control block
   - Then: create a new key object
4. Object manager: return the handle
5. Application: OK
Slide 32: Services
- Also called Win32 services
- Similar to UNIX daemon processes
- Win32 services consist of three components:
  - a service application
  - a service control program (SCP)
  - the service control manager (SCM)
Slide 33: Service Applications
- Consist of at least one executable
- A user wanting to start, stop, or configure a service uses an SCP
- Service applications are simply Win32 executables (GUI or console) with additional code:
  - to receive commands from the SCM
  - to communicate the application's status back to the SCM
Slide 34: Service Applications (cont.)
- When installing, the setup program must register the service with the system (CreateService)
- Usually an auto-start service
- The StartService function can be used to start the service
- Service characteristics:
  - the service's type
  - the location of the service's executable image file
  - an optional display name
  - an optional account name and password
  - a start type
  - an error code
  - and optional information
Slide 35: Registry key for a service
(Table mapping each service characteristic to its registry key value; the table contents are not present in this transcript)
Slide 36: Inside a service process (figure)
Slide 37: Service Accounts
- The Local System account
- Alternate accounts
- Interactive services
Slide 38: The Service Control Manager
- The SCM's executable file is \Winnt\System32\Services.exe
- SvcCtrlMain
- ScCreateServiceDB: the function that builds the SCM's internal service database
Slide 39: Service Startup
- ScAutoStartService handles auto-start services
- The services are started in a certain order, defined by HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List
Slide 40: Startup Errors
- If an error is reported, the service's ErrorControl value determines the reaction
- If ErrorControl is SERVICE_ERROR_IGNORE (0) or not specified, the error is ignored
- If it is SERVICE_ERROR_NORMAL (1), an event is written to the system Event Log: "The service failed to start due to the following error:"
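Slides 39 and 40 together describe one procedure: auto-start services are started in the order given by ServiceGroupOrder\List, and each failure is handled according to the service's ErrorControl value. The model below is an added example for this page, not the SCM's code: the Start and ErrorControl codes are the real winsvc.h values, the service names, image paths and the start_one callback are constructed, and the ordering deliberately ignores tags and dependencies (the real SCM honours both). Only the two ErrorControl values the slide covers are modelled; any other value is treated like SERVICE_ERROR_IGNORE here.

```python
# Start and ErrorControl value codes as defined in winsvc.h.
SERVICE_AUTO_START = 2
SERVICE_ERROR_IGNORE = 0
SERVICE_ERROR_NORMAL = 1

def auto_start_order(services, group_order):
    """Order auto-start services by their group's position in
    ServiceGroupOrder\\List. Ungrouped services run after every listed
    group; within a group this simplified model falls back to name order
    (the real SCM also honours tags and dependencies)."""
    rank = {g.lower(): i for i, g in enumerate(group_order)}
    auto = [n for n, s in services.items() if s.get("Start") == SERVICE_AUTO_START]
    return sorted(auto, key=lambda n: (rank.get(services[n].get("Group", "").lower(),
                                                len(rank)), n.lower()))

def start_auto_services(services, group_order, start_one):
    """Start each service in order; react to a failure per its ErrorControl."""
    started, event_log = [], []
    for name in auto_start_order(services, group_order):
        try:
            start_one(name, services[name]["ImagePath"])
            started.append(name)
        except OSError as exc:
            ec = services[name].get("ErrorControl", SERVICE_ERROR_IGNORE)
            if ec == SERVICE_ERROR_NORMAL:
                event_log.append("The %s service failed to start due to the "
                                 "following error: %s" % (name, exc))
            # SERVICE_ERROR_IGNORE, or no ErrorControl value at all: stay silent
    return started, event_log

# Constructed sample: hypothetical service names and image paths.
GROUP_ORDER = ["System Bus Extender", "Base", "Network"]
SERVICES = {
    "NetSvc": {"Start": 2, "Group": "Network", "ErrorControl": 1, "ImagePath": r"C:\Winnt\System32\netsvc.exe"},
    "BaseSvc": {"Start": 2, "Group": "Base", "ErrorControl": 0, "ImagePath": r"C:\Winnt\System32\basesvc.exe"},
    "LateSvc": {"Start": 2, "ErrorControl": 1, "ImagePath": r"C:\Winnt\System32\latesvc.exe"},
    "ManualSvc": {"Start": 3, "ImagePath": r"C:\Winnt\System32\manual.exe"},  # demand-start: skipped
}

def _fake_start(name, image_path):
    """Stand-in for the real start: pretend two image files are missing."""
    if name in ("BaseSvc", "LateSvc"):
        raise OSError("The system cannot find the file specified: " + image_path)

def run_sample():
    return start_auto_services(SERVICES, GROUP_ORDER, _fake_start)
```

BaseSvc fails with ErrorControl 0 and leaves no trace, which is exactly why a defender reviewing a service's ErrorControl value matters: the setting decides whether a failed start is ever visible in the Event Log.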
Slide 41: Example (no text on this slide)
Slide 42: WMI
- An implementation of Web-Based Enterprise Management (WBEM)
- WBEM: a standard defined by the DMTF
Slide 43: WMI Architecture (figure)
Slide 44: The WMI Namespace
- Hierarchical organization
- Root (like a directory) contains subnamespaces: CIMV2, Default, Security, WMI
- WMI uses object properties that it defines as keys to identify the objects