Accepting the Boot and Last Known Good • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is the “last known good control set” • (Chinese gloss in the original: the last known good configuration control set) • The last known good control set works by keeping a backup control set of the last successful boot. The rules for determining that the last boot was successful, and therefore good, are: • No system critical errors involving the failure of a driver or system file. • A user can log onto the system at least once.
What is the Last Known Good Control Set Good For? • You install a new device driver and restart Windows NT. The system stops responding (hangs) when you start (boot) the computer. The last known good control set will enable you to boot because it does not contain any reference to the new, faulty driver.
What is the Last Known Good Control Set Good For? • You install a new video driver and are able to restart the system. However, you cannot see anything because the new video resolution is incompatible with your video adapter. In this case, do not try to log on by entering the correct keys. If you turn off and restart your computer, the last known good control set can be used.
What is the Last Known Good Control Set Good For? • You accidentally disable a system critical device driver. Windows NT is not able to boot, and reverts to the last known good control set.
What is the Last Known Good Control Set NOT Good For? • Any problem that is not related to changes in control set information will not be corrected by reverting to the last known good configuration. • This includes information like user profiles and file permissions.
What is the Last Known Good Control Set NOT Good For? • Any change introduced more than one successful boot ago cannot be backed out, because the change will have been copied to the last known good control set on the first successful boot after the change was made.
What is the Last Known Good Control Set NOT Good For? • The last known good control set is a backup and restore facility for the Registry; it does not support switching between configurations (docked and undocked laptops, for example).
What is the Last Known Good Control Set NOT Good For? • The following are three examples where the last known good control set is not helpful: • Boot failures caused by hardware failures or corrupted files. • If you copy a new driver over the top of an old one, and the old one is already active, then the configuration will not change; switching to the last known good control set will not undo anything. • If Windows NT boots, a user logs on, and then Windows NT hangs (freezes or crashes), the last known good control set will not help because it has already been updated to the current control set.
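The two rules for accepting a boot and the "one successful boot too late" limitation above are easiest to see as a small state machine. The following is an added example, not code from the slides: it models the real value names under HKLM\SYSTEM\Select (Current, Default, LastKnownGood, Failed) and ControlSetNNN subkeys as plain Python dictionaries, with constructed driver names. It is an assumption of the model, not something the slides state, that after a Last Known Good boot the accepted set is cloned into a fresh ControlSetNNN; everything else follows the rules on the slides.

```python
"""Simplified model of the Last Known Good (LKG) control set mechanism.

Added example; not the slides' own material. The registry is a dict, the
Select value names are the real ones, driver names are constructed.
"""
import copy


def control_set_name(n):
    return "ControlSet%03d" % n


def new_system():
    """Constructed starting state: ControlSet001 is current, ControlSet002 is
    the last known good copy taken after the previous successful boot."""
    drivers = {"disk.sys": "running", "ndis.sys": "running"}
    return {
        "Select": {"Current": 1, "Default": 1, "LastKnownGood": 2, "Failed": 0},
        "ControlSet001": {"Services": dict(drivers)},
        "ControlSet002": {"Services": dict(drivers)},
    }


def install_driver(system, name):
    """A change made through CurrentControlSet, i.e. the set Select\\Current points at."""
    cur = control_set_name(system["Select"]["Current"])
    system[cur]["Services"][name] = "running"


def boot(system, use_last_known_good=False, failing_drivers=(), user_logs_on=True):
    """Simulate one boot. Returns (control set used, accepted as good?)."""
    sel = system["Select"]
    if use_last_known_good:
        sel["Failed"] = sel["Current"]          # remember the set that was abandoned
        sel["Current"] = sel["LastKnownGood"]   # boot from the backup instead
    cur = control_set_name(sel["Current"])
    services = system[cur]["Services"]
    # Rule 1 (slides): no system-critical driver in this set may fail.
    critical_failure = any(d in services for d in failing_drivers)
    # Rule 2 (slides): a user must log on at least once.
    good = (not critical_failure) and user_logs_on
    if good:
        lkg = sel["LastKnownGood"]
        if lkg == sel["Current"]:
            # Model assumption: after an LKG boot the accepted set is cloned into a
            # new ControlSetNNN so that LKG is again a separate backup.
            lkg = max(sel["Current"], sel["LastKnownGood"], sel["Failed"]) + 1
            sel["LastKnownGood"] = lkg
        # Accept the boot: the current set becomes the new last known good.
        system[control_set_name(lkg)] = copy.deepcopy(system[cur])
    return cur, good


def scenario_faulty_driver():
    """Slide scenario: a new driver hangs the boot; LKG boots without it."""
    s = new_system()
    install_driver(s, "badcard.sys")                      # constructed name
    _, good = boot(s, failing_drivers=("badcard.sys",))   # hangs: not accepted
    assert not good
    cur, good = boot(s, use_last_known_good=True, failing_drivers=("badcard.sys",))
    return good, "badcard.sys" in s[cur]["Services"]


def scenario_one_boot_too_late():
    """Slide limitation: the driver loaded fine once, so the accepted boot already
    copied it into LKG; reverting can no longer back it out."""
    s = new_system()
    install_driver(s, "flaky.sys")                        # constructed name
    boot(s)                                               # accepted, copied to LKG
    cur, good = boot(s, use_last_known_good=True, failing_drivers=("flaky.sys",))
    return good, "flaky.sys" in s[cur]["Services"]


if __name__ == "__main__":
    print("faulty driver, LKG boot:", scenario_faulty_driver())
    print("one boot too late, LKG boot:", scenario_one_boot_too_late())
```

The second scenario is the point the slides make twice: the backup is only as old as the last accepted boot, so a bad change survives the moment a user has logged on once with it in place.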
It is a helpful recovery mechanism. • More detail -> Chapter 5
Service Failures • Optional registry settings under the service key: FailureActions, FailureCommand • When a service process terminates unexpectedly, the SCM determines which services were running in it and takes the configured recovery steps.
Once failure occurs, the SCM can… • Restart the service • Run a program • Reboot • Or do nothing
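The four recovery choices above are stored in the service key as a REG_BINARY FailureActions value (a serialized SERVICE_FAILURE_ACTIONS structure) plus an optional FailureCommand string. The following added example, not from the slides, decodes that blob so an administrator can audit what the SCM will do when a service dies, in particular which services are configured to run a program and what that program is. The blob layout (little-endian DWORDs: reset period, two stored pointers, action count, action offset, then SC_ACTION entries of type and delay) and the SC_ACTION type numbers are the Win32 ones; the service names and paths used as sample input are constructed.

```python
"""Decode the FailureActions registry blob and report recovery settings.

Added example; not from the slides. Sample registry values are constructed.
"""
import struct

# SC_ACTION_TYPE values from winsvc.h
SC_ACTION_NONE, SC_ACTION_RESTART, SC_ACTION_REBOOT, SC_ACTION_RUN_COMMAND = 0, 1, 2, 3
SC_ACTION_NAMES = {
    SC_ACTION_NONE: "do nothing",
    SC_ACTION_RESTART: "restart the service",
    SC_ACTION_REBOOT: "reboot",
    SC_ACTION_RUN_COMMAND: "run a program",
}


def parse_failure_actions(blob):
    """Decode a FailureActions REG_BINARY value.

    Offset  Field          Meaning
      0     dwResetPeriod  seconds after which the failure count resets
      4     lpRebootMsg    pointer as it was in memory; meaningless on disk
      8     lpCommand      pointer as it was in memory; meaningless on disk
     12     cActions       number of SC_ACTION entries
     16     lpsaActions    offset of the first entry (normally 0x14 = 20)
     20     SC_ACTION[]    each entry: DWORD Type, DWORD Delay in milliseconds
    """
    if len(blob) < 20:
        raise ValueError("FailureActions blob shorter than its header")
    reset_period, _msg, _cmd, count, offset = struct.unpack_from("<5I", blob, 0)
    if offset == 0:
        offset = 20
    if len(blob) < offset + 8 * count:
        raise ValueError("action count exceeds blob length")
    actions = []
    for i in range(count):
        action_type, delay_ms = struct.unpack_from("<2I", blob, offset + 8 * i)
        actions.append((SC_ACTION_NAMES.get(action_type, "unknown(%d)" % action_type), delay_ms))
    return {"reset_period_s": reset_period, "actions": actions}


def build_failure_actions(reset_period_s, actions):
    """Inverse of parse_failure_actions; used here only to construct sample blobs."""
    header = struct.pack("<5I", reset_period_s, 0, 0, len(actions), 20)
    return header + b"".join(struct.pack("<2I", t, d) for t, d in actions)


def review_service(name, values):
    """values: the service's registry values as a dict. Returns the decoded
    settings and one line per action that would launch a program."""
    decoded = parse_failure_actions(values["FailureActions"])
    notes = []
    for action, delay_ms in decoded["actions"]:
        if action == "run a program":
            cmd = values.get("FailureCommand", "<FailureCommand not set>")
            notes.append("%s: on failure runs %r after %d ms" % (name, cmd, delay_ms))
    return decoded, notes


# Constructed sample: one service restarts itself twice then gives up,
# another runs a helper program (placeholder path) on every failure.
SAMPLE_SERVICES = {
    "PrintSvc": {
        "FailureActions": build_failure_actions(86400, [(SC_ACTION_RESTART, 60000),
                                                        (SC_ACTION_RESTART, 60000),
                                                        (SC_ACTION_NONE, 0)]),
    },
    "AgentSvc": {
        "FailureActions": build_failure_actions(0, [(SC_ACTION_RUN_COMMAND, 5000)]),
        "FailureCommand": r"C:\placeholder\on_failure.exe",
    },
}


def audit(services):
    report = []
    for name, values in services.items():
        _, notes = review_service(name, values)
        report.extend(notes)
    return report


if __name__ == "__main__":
    for name, values in SAMPLE_SERVICES.items():
        print(name, parse_failure_actions(values["FailureActions"]))
    print("\n".join(audit(SAMPLE_SERVICES)))
```

On a live system the same blob is what `sc qfailure <service>` prints in readable form; reading it straight from the registry is useful when comparing a snapshot taken offline.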
ExitWindowsEx function
BOOL WINAPI ExitWindowsEx(
    __in UINT uFlags,
    __in DWORD dwReason
);
ExitWindowsEx function • Logs off the interactive user, shuts down the system, or shuts down and restarts the system. It sends the WM_QUERYENDSESSION message to all applications to determine if they can be terminated. • Header: Declared in Winuser.h; include Windows.h. • Library: Use User32.lib. • DLL: Requires User32.dll
WM_QUERYENDSESSION Message • The WM_QUERYENDSESSION message is sent when the user chooses to end the session or when an application calls one of the system shutdown functions. • If any application returns zero, the session is not ended. The system stops sending WM_QUERYENDSESSION messages as soon as one application returns zero.
WM_QUERYENDSESSION Message • A window receives this message through its WindowProc function.
LRESULT CALLBACK WindowProc(
    HWND hwnd,      // handle to window
    UINT uMsg,      // message identifier
    WPARAM wParam,  // not used
    LPARAM lParam   // logoff option
);
ExitWindowsEx function • ExitWindowsEx sends a message to Csrss
Csrss • csrss.exe • Process name: Microsoft Client/Server Runtime Server Subsystem • For every system process except the SCM, Csrss waits up to the number of seconds given by the WaitToKillAppTimeout registry value for the process to exit before moving on to the next process.
HKEY_USERS\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout
Csrss • When Csrss encounters the SCM process, it employs a timeout specific to the SCM. • Csrss recognizes the SCM using the PID(process ID).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout
ScShutdownAllServices • The SCM function • Loops through the SCM services database searching for services that requested shutdown notification and sends each of them a shutdown command. • Wait hint (a time slice the service asks for) • The SCM waits until either • one of the services it notified of shutdown exits, or • the largest wait hint passes. • If the wait hint expires, the SCM checks whether any of the services is making progress. If at least one made progress, the SCM enters the wait loop again.
If WaitToKillServiceTimeout expires… • If Csrss’s wait ends but the SCM hasn’t exited, Csrss moves on (simply takes charge of) shutting down processes.
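The wait loop described on the last two slides (wait for an exit or the largest wait hint, keep waiting only while someone reports progress, and Csrss giving up after WaitToKillServiceTimeout) is the kind of logic that is clearer when run against a few made-up services. The following is an added example, not the SCM's code: a discrete-time model in which each constructed service declares a wait hint, the moment it would exit, and the times at which it reports a new checkpoint. The registry value name is real; the timing numbers and service names are constructed.

```python
"""Model of the SCM shutdown wait loop with Csrss's WaitToKillServiceTimeout cap.

Added example; a simplified model, not the real ScShutdownAllServices.
"""

NEVER = 10**9  # a service that never exits on its own


def shutdown_services(services, wait_to_kill_service_timeout_ms):
    """services: list of dicts with keys name, wait_hint_ms, exit_at_ms,
    checkpoints_ms (times at which the service reports progress).
    Returns which services stopped cleanly, which were still running when
    Csrss stopped waiting for the SCM, and the elapsed time."""
    cap = wait_to_kill_service_timeout_ms
    clock = 0
    pending = [dict(s) for s in services]
    stopped = []
    while pending:
        # Csrss's own limit: once WaitToKillServiceTimeout passes it moves on.
        if clock >= cap:
            break
        round_start = clock
        # Wait until a notified service exits or the largest wait hint passes.
        deadline = clock + max(s["wait_hint_ms"] for s in pending)
        next_exit = min(s["exit_at_ms"] for s in pending)
        clock = min(next_exit, deadline, cap)
        exited = [s for s in pending if s["exit_at_ms"] <= clock]
        if exited:
            for s in exited:
                pending.remove(s)
                stopped.append(s["name"])
            continue
        # Nobody exited and the largest hint has passed: keep waiting only if
        # at least one service advanced a checkpoint during this round.
        progressed = any(
            any(round_start < cp <= clock for cp in s["checkpoints_ms"]) for s in pending
        )
        if not progressed:
            break
    return {
        "stopped": stopped,
        "remaining": [s["name"] for s in pending],
        "elapsed_ms": clock,
    }


# Constructed scenario: a quick service, a slow one that keeps reporting
# progress, and one that is stuck and silent.
SAMPLE = [
    {"name": "QuickLog", "wait_hint_ms": 2000, "exit_at_ms": 1500, "checkpoints_ms": []},
    {"name": "SlowDb", "wait_hint_ms": 5000, "exit_at_ms": 9000, "checkpoints_ms": [4000, 7000]},
    {"name": "Stuck", "wait_hint_ms": 3000, "exit_at_ms": NEVER, "checkpoints_ms": []},
]


if __name__ == "__main__":
    print("generous timeout:", shutdown_services(SAMPLE, 20000))
    print("short timeout:   ", shutdown_services(SAMPLE, 8000))
```

With a generous timeout the loop gives SlowDb the extra rounds its checkpoints earn and only gives up on Stuck once a full wait hint passes with no progress; with WaitToKillServiceTimeout at 8 seconds Csrss cuts the SCM off while SlowDb is still working, which is exactly the trade-off the registry value controls.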
Share a process with other services • One service, one process. • Many services share one process. • Shared process examples: • SCM process: • Event log service • Plug and Play service • LSASS process: • Security Accounts Manager service (SamSs) • Net Logon service (Netlogon) • IPSec Policy Agent service (PolicyAgent)
Service Host • SvcHost contains multiple services • \Windows\System32\Svchost.exe • Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). • svchost.exe is used to load those .dll files into memory so that they can be called directly by other Windows software that uses them. • .dll library files cannot be loaded directly by double-clicking them; a DLL is not an executable file. Therefore Microsoft developed svchost.exe to load these .dll files into memory.
Services run in SvcHost • Example: • Telephony (TapiSrv) • Remote Procedure Call (RpcSs) • Remote Access Connection Manager (RasMan) • Windows implements these services as DLLs and includes an ImagePath definition (“%SystemRoot%\System32\svchost.exe -k netsvcs”) in the service’s registry key.
SvcHost • At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. • Multiple instances of Svchost.exe can run at the same time. • Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. • This grouping of services allows for better control and easier debugging. (I guess the services in the same group have similarities.)
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost • Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<your service> • All services are here. • Each Svchost group can contain one or more service names that are extracted from the registry key.
SvcHost • When the SCM encounters a SvcHost service with an ImagePath matching an entry it already has in the image database, it just sends a start command for the service to that SvcHost. • The existing SvcHost process reads the ServiceDll parameter in the service’s registry key and loads the DLL into itself to start the service.
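The three registry locations just described (the Svchost key whose values name the groups, each service's ImagePath with its -k group, and the ServiceDll parameter the host loads) can be cross-checked against each other, which is a routine integrity check when reviewing a system image. The following added example, not the slides' own code, runs that cross-check over a constructed snapshot of those keys: it resolves each group's members, confirms every member's ImagePath actually asks for that group, reports members with no ServiceDll, reports a ServiceDll that lives outside %SystemRoot%\System32, and reports services whose ImagePath names a group they are not listed under. The key and value names are the real ones; all service names, DLL paths and the audit function itself are constructed for the example.

```python
"""Cross-check svchost group membership, ImagePath and ServiceDll.

Added example; not from the slides. The registry snapshot below is constructed.
"""
import re

_K_FLAG = re.compile(r"-k\s+(\S+)", re.IGNORECASE)


def svchost_group(image_path):
    """Return the -k group named in an svchost ImagePath, or None for any other service."""
    if "svchost.exe" not in image_path.lower():
        return None
    m = _K_FLAG.search(image_path)
    return m.group(1) if m else None


def audit_svchost(groups, services, system32=r"%SystemRoot%\System32"):
    """groups: values under ...\\CurrentVersion\\Svchost (group -> member list).
    services: ...\\CurrentControlSet\\Services (name -> values, with Parameters).
    Returns (resolved membership per group, list of findings)."""
    findings = []
    membership = {}
    for group, members in groups.items():
        membership[group] = []
        for name in members:
            svc = services.get(name)
            if svc is None:
                findings.append(f"{group}: listed service '{name}' has no Services key")
                continue
            membership[group].append(name)
            claimed = svchost_group(svc.get("ImagePath", ""))
            if claimed is None or claimed.lower() != group.lower():
                findings.append(f"{name}: ImagePath does not request group '{group}' (got {claimed!r})")
            dll = svc.get("Parameters", {}).get("ServiceDll")
            if not dll:
                findings.append(f"{name}: no ServiceDll, so svchost has nothing to load")
            elif not dll.lower().startswith(system32.lower() + "\\"):
                findings.append(f"{name}: ServiceDll outside {system32}: {dll}")
    # The reverse direction: an ImagePath asking for a group that does not list it.
    for name, svc in services.items():
        g = svchost_group(svc.get("ImagePath", ""))
        if g and name not in groups.get(g, []):
            findings.append(f"{name}: ImagePath requests group '{g}' but is not listed under Svchost\\{g}")
    return membership, findings


# Constructed snapshot. 'Ghost' has no Services key, 'Schedule' loads a DLL from
# an unusual location, 'OrphanSvc' asks for netsvcs without being listed there.
SVCHOST_GROUPS = {
    "netsvcs": ["RasMan", "TapiSrv", "Schedule", "Ghost"],
    "rpcss": ["RpcSs"],
}
SVCHOST = r"%SystemRoot%\System32\svchost.exe"
SERVICES = {
    "RasMan": {"ImagePath": SVCHOST + " -k netsvcs",
               "Parameters": {"ServiceDll": r"%SystemRoot%\System32\rasmans.dll"}},
    "TapiSrv": {"ImagePath": SVCHOST + " -k netsvcs",
                "Parameters": {"ServiceDll": r"%SystemRoot%\System32\tapisrv.dll"}},
    "Schedule": {"ImagePath": SVCHOST + " -k netsvcs",
                 "Parameters": {"ServiceDll": r"C:\Users\Public\sched.dll"}},
    "RpcSs": {"ImagePath": SVCHOST + " -k rpcss",
              "Parameters": {"ServiceDll": r"%SystemRoot%\System32\rpcss.dll"}},
    "Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    "OrphanSvc": {"ImagePath": SVCHOST + " -k netsvcs",
                  "Parameters": {"ServiceDll": r"%SystemRoot%\System32\orphan.dll"}},
}


if __name__ == "__main__":
    membership, findings = audit_svchost(SVCHOST_GROUPS, SERVICES)
    for group, names in membership.items():
        print(group, "->", ", ".join(names))
    print("\n".join(findings))
```

The same walk is what `sc qc <service>` shows one service at a time; doing it over the whole Svchost key is how you notice a group member that does not belong.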
Service Control Program (SCP) • SCPs are standard Windows applications that use the SCM service management functions. • Including: • CreateService • OpenService • StartService • ControlService • QueryServiceStatus • DeleteService
Service Control Program(SCP) • A service control program starts and controls services. It performs the following actions: • Starts a service or driver service, if the start type is SERVICE_DEMAND_START. • Sends control requests to a running service. • Queries the current status of a running service. • These actions require an open handle to the service object. To obtain the handle, the service control program must: • Use the OpenSCManager function to obtain a handle to the SCM database on a specified machine. • Use the OpenService or CreateService function to obtain a handle to the service object.
Security descriptor • Security descriptor: Security value • Security descriptors can be associated with any named objects, including files, folders, registry keys and other resources, and contain information about the owner (creating user) of the object as well as which users can access the object, the type of access (read, read/write, execute, etc) on a per-user basis, among others. • Command-line: cacls
\WINDOWS\system32\sc.exe • In Windows XP, sc.exe is the communication channel with the SCM. • Command-line: sc • Example: • sc query • sc qc SMTPSVC
The End. Thank you for your attention.