1. Yen-Chin Chen 965202011

2. Outline Job Object Introduction Windows functions to create and manipulate job objects CPU-related and memory-related limits you can specify for a job Conclusion Experiment

3. Outline Job Object Introduction Job Object Introduction Windows functions to create and manipulate job objects CPU-related and memory-related limits you can specify for a job Conclusion Experiment

4. Job Object A job object is a – nameable, – securable, – shareable kernel object that allows control of one or more processes as a group. A job object’s basic function is to allow groups of processes to be managed and manipulated as a unit. A process can be a member of only one job object. In this slides, Job Process Thread,this 3 colors will be used to enhance your reading

5. Job Object By default, Its association with the job object can’t be broken All processes created by the process and its descendents are associated with the same job object as well. The job object also records basic accounting information for all processes associated with the job and for all processes that were associated with the job but have since terminated.

6. Outline Job Object Introduction Windows functions to create and manipulate job objects Windows functions to create and manipulate job objects CPU-related and memory-related limits you can specify for a job Conclusion Experiment

7. Windows functions to create and manipulate job objects. FunctionDescription CreateJobObjectCreates a job object (with an optional name) OpenJobObjectOpens an existing job object by name AssignProcessToJobObjectAdds a process to a job TerminateJobObjectTerminates all processes in a job SetInformationJobObject Sets SetInformationJobObjectSets limits QueryInformationJobObjectRetrieves information about the job, such as CPU time, page fault count, number of processes, list of process IDs, quotas or limits, and security limits

8. Outline Job Object Introduction Windows functions to create and manipulate job objects CPU-related and memory-related limits you can specify for a job CPU-related and memory-related limits you can specify for a job Conclusion Experiment

9. CPU-related and memory-related limits you can specify for a job Maximum number of active processes Limits the number of concurrently existing processes in the job. Jobwide user-mode CPU time Limit Limits the maximum amount of user-mode CPU time that the processes in the job can consume (including processes that have run and exited). Once this limit is reached, by default all the processes in the job will be terminated with an error code and no new processes can be created in the job (unless the limit is reset). The job object is signaled, so any threads waiting for the job will be released. You can change this default behavior with a call to EndOfJobTimeAction.

10. CPU-related and memory-related limits you can specify for a job Per-process user-mode CPU time limit Allows each process in the job to accumulate only a fixed maximum amount of user-mode CPU time. When the maximum is reached, the process terminates (with no chance to clean up). Job scheduling class Sets the length of the time slice (or quantum) for threads in processes in the job. This setting applies only to systems running with long, fixed quantums (the default for Windows Server systems). The value of the job-scheduling class determines the quantum as shown here

11. (Cont’) Job-scheduling class determines the quantum Scheduling ClassQuantum Units 06 112 218 324 430 536 642 748 854 9 Infinite if real-time;60 otherwise

12. CPU-related and memory-related limits you can specify for a job Job processor affinity (Multi-Processor) Sets the processor affinity mask for each process in the job. (Individual threads can alter their affinity to any subset of the job affinity, but processes can’t alter their process affinity setting.) Job process priority class Sets the priority class for each process in the job. Threads can’t increase their priority relative to the class (as they normally can). Attempts to increase thread priority are ignored. (No error is returned on calls to SetThreadPriority (winnt.h, winbase.h, page. 329 from book), but the increase doesn’t occur.) SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);

13. CPU-related and memory-related limits you can specify for a job Default working set minimum and maximum Defines the specified working set minimum and maximum for each process in the job. (This setting isn’t jobwide—each process has its own working set with the same minimum and maximum values.) Process and job committed virtual memory limit Defines the maximum amount of virtual address space that can be committed by either a single process or the entire job.

14. CPU-related and memory-related limits you can specify for a job Jobs can also be set to queue an entry to an I/O completion port object, which other threads might be waiting for, with the Windows GetQueuedCompletionStatus function. You can also place security limits on processes in a job. access token impersonating You can set a job so that each process runs under the same jobwide access token. You can then create a job to restrict processes from impersonating( 模仿 ) or creating processes that have access tokens that contain the local administrator’s group.

15. Access Token An access token is as an object encapsulating the security descriptor of a process Attached to a process, a security descriptor identifies the owner of the object (in this case, the process) An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. Ref : http://msdn.microsoft.com/en- us/library/aa374909.aspx

16. Impersonation Token Impersonation is a security concept unique to Windows NT, that allows a server application to temporarily "be" the client in terms of access to secure objects. Impersonation has three possible levels: identification, letting the server inspect the client's identity, impersonation, letting the server act on behalf of the client, and delegation, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Ref : http://en.wikipedia.org/wiki/Token_(Windows_NT_archit ecture) If you want to get more details, please read chapter 8 : security of Windows Internal

17. CPU-related and memory-related limits you can specify for a job You can also place user-interface limits on processes in a job. Such limits include being able to Restrict processes from opening handles to windows owned by threads outside the job, reading and/or writing to the clipboard, and changing the many user-interface system parameters via the Windows SystemParametersInfo function.

18. CPU-related and memory-related limits you can specify for a job X-Windows 2000 Datacenter Server has a tool called the Process Control Manager that allows an administrator to define job objects, the various quotas and limits that can be specified for a job, and which processes, if run, should be added to the job. A service component monitors process activity and adds the specified processes to the jobs. Note that this tool is no longer shipped with Windows Server 2003 Datacenter Edition, but will remain on the system if a Windows 2000 Datacenter Server is upgraded to Windows Server 2003 Datacenter Edition.

19. SetInformationJobObject Function BOOL WINAPI SetInformationJobObject ( __in HANDLE hJob, //retrun from // CreateJobObject/OpenJobObject __in JOBOBJECTINFOCLASS JobObjectInfoClass, __in LPVOID lpJobObjectInfo, __in DWORD cbJobObjectInfoLength ); __in : Means Input

20. JOBOBJECTINFOCLASS JobObjectInfoClass typedef enum _JOBOBJECTINFOCLASS { JobObjectBasicAccountingInformation = 1, JobObjectBasicLimitInformation,=>2 JobObjectBasicProcessIdList, JobObjectBasicUIRestrictions, JobObjectSecurityLimitInformation, JobObjectEndOfJobTimeInformation, JobObjectAssociateCompletionPortInformation, JobObjectBasicAndIoAccountingInformation, JobObjectExtendedLimitInformation, JobObjectJobSetInformation, MaxJobObjectInfoClass } JOBOBJECTINFOCLASS;

21. LPVOID lpJobObjectInfo typedef struct _JOBOBJECT_BASIC_LIMIT_INFORMATION { LARGE_INTEGER PerProcessUserTimeLimit; LARGE_INTEGER PerJobUserTimeLimit; DWORD LimitFlags; SIZE_T MinimumWorkingSetSize; SIZE_T MaximumWorkingSetSize; DWORD ActiveProcessLimit; ULONG_PTR Affinity; DWORD PriorityClass; DWORD SchedulingClass; } JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION; So, how to set the Affinity Mask? I introduce what is ULONG_PTR type first.

22. ULONG_PTR A ULONG_PTR is an unsigned long type used for pointer precision. It is used when casting a pointer to a long type to perform pointer arithmetic. Note In a 64-bit environment (indicated below by a TRUE value for _WIN64), the ULONG_PTR MUST be defined as an unsigned __int64, not as a ULONG.__int64ULONG

23. ULONG_PTR #ifdef _WIN64 typedef __int64 ULONG_PTR; #else typedef ULONG ULONG_PTR; #endif Ref : http://msdn.microsoft.com/en- us/library/cc230394.aspx

24. Processor Affinity public void SetProcessAffinityToPhysicalCPUForHyperthreadOnly(int processid) { int res; int hProcess; int ProcAffinityMask = 0, SysAffinityMask = 0; hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, processid); res = GetProcessAffinityMask( hProcess, ref ProcAffinityMask, ref SysAffinityMask); if (SysAffinityMask == 3) // 1 proc, 2 logical CPUs res = SetProcessAffinityMask(hProcess, 1); else if (SysAffinityMask == 15) //dual proc, 4 virtual CPUs res = SetProcessAffinityMask(hProcess, 3); res = CloseHandle(hProcess); } Ref : http://msdn.microsoft.com/en-us/library/ms686223(VS.85).aspx If not a Hyperthreding system setting, 32-bit : 00000000000000000000000000000111, means CPU 0,1 and 2 threads could run on and alter between them. So just using ‘|’, ’&’, (or/and) bit-operator to set Affinity Mask.

25. Processor Affinity BOOL WINAPI SetProcessAffinityMask ( __in HANDLE hProcess, __in DWORD_PTR dwProcessAffinityMask ); dwProcessAffinityMask [in] The affinity mask for the threads of the process.

26. Processor Affinity DWORD_PTR WINAPI SetThreadAffinityMask ( __in HANDLE hThread, __in DWORD_PTR dwThreadAffinityMask ); dwThreadAffinityMask [in] The affinity mask for the thread. A thread affinity mask is a bit vector in which each bit represents the processors that a thread is allowed to run on. A thread affinity mask must be a subset of the process affinity mask for the containing process of a thread. A thread can only run on the processors its process can run on.

27. Outline Job Object Introduction Windows functions to create and manipulate job objects CPU-related and memory-related limits you can specify for a job Conclusion Conclusion Experiment

28. Conclusion In this chapter, we’ve examined the structure of processes and threads and jobs, seen how they are created, and looked at how Windows decides which threads should run and for how long. Many references in this chapter are to topics related to memory management. Because threads run inside processes and processes in large part define an address space, the next logical topic is how Windows performs virtual and physical memory management—the subjects of Chapter 7.

29. Book : Windows Internal Ref : Book page from 369~374

30. Outline Job Object Introduction Windows functions to create and manipulate job objects CPU-related and memory-related limits you can specify for a job Conclusion Experiment Experiment

31. EXPERIMENT: Viewing the Job Object using Process Explorer Windows Kernel Debugger

32. Process Explorer runas If you want to create other processes in the same job, you need execute them in cmd process by runas shown in next slide Type this command to create a job and a cmd process in this job /user:MachineName\ Administrator Name

33. Process Explorer

34. Double Click cmd.exe row, then a dialog will jump out, and processes in the same job will show the same color.

35. Process Explorer

36. Windows Kernel Debugger Windows Symbols Before above, You must install Windows Symbols from http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#d http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#d

37. Windows Kernel Debugger To See all the Processes in O.S. Find out cmd process by runas command Then, search for that cmd process, you’ll see handle of the job :82245cd0

38. Thanks for your Attention ^_^