Windows Architecture - The Basics
Published Mar 15 2019 05:05 PM
First published on TECHNET on Apr 10, 2007

Today we're starting a new series of posts focused on understanding the Windows System Architecture itself.  In our first post, we're going to quickly review some basic Windows concepts and terms including a brief overview of the Windows API, Services and the difference between a Process and a Thread.  Think of this as laying the groundwork for our future posts which will cover topics such as the Registry, Session Space and Desktop Heap.  So, without further ado - let's start with an introduction to the Windows API ...

The Windows application programming interface (API) is the programming interface to the Microsoft Windows operating system family.  It provides services used by all Windows-based applications to enable applications to provide a Graphical User Interface (GUI), access system resources, incorporate audio and much more.  The API consists of thousands of documented, callable subroutines such as CreateProcess and CreateFile.  Major categories of Windows API functions include Base Services, Component Services, Graphics & Multimedia, Messaging, Networking and Web Services.  There are hundreds of books and websites that cover programming using the Windows API - but let me just add the disclaimer that programming using the Windows API is by no means an "entry-level" type task!  And with that, it's time to move on to Services ...

When examining services from a programming viewpoint, a Service could refer to a callable routine in the operating system, a device driver or a server process.  However, from a user perspective, we consider a service to be a process that is loaded by the OS in user mode, independent of any logged-in user.  Services are controlled by the Windows Service Manager.  Services can be loaded using the System account, or using credentials assigned to that service specifically - either during the service installation, or through the properties page for that service.  Some common services include the Spooler service, which controls printing; the Server service, which supports file, print and named-pipe sharing over the network; and the DHCP Client service, which registers and updates IP addresses and DNS records.

Now, let's take a look at Programs, Processes and Threads.  One of our Escalation Engineers uses a very simple analogy for explaining the difference between these three terms:

Think of a process as a room and a thread as a person in the room.  A program is a set of instructions for the person in the room to carry out.  Looking at it in this fashion, it is easy to see that the process itself doesn't do any work, but the thread does.  A thread lives in a process, and executes the instructions of the program.

With that analogy in mind, a Windows process includes the following:

  1. An executable program, consisting of initial code and data
  2. A private virtual address space
  3. System resources that are accessible to all threads in the process
  4. A unique identifier, called a process ID
  5. At least one thread of execution
  6. A security context (also known as an access token)

The diagram below, taken from the Windows Internals book, shows how these components interact.

The thread is what Windows schedules for execution within a process.  Without threads, the program used by the process cannot run.  Threads consist of the following components:

  1. The contents of the registers representing the state of the processor
  2. Two stacks - one for the thread to use when executing kernel-mode instructions, and one for user-mode
  3. A private storage area used by the subsystems, run-time libraries and DLLs
  4. A unique identifier, called a thread ID
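
As an added example (not code from the original post), the following PowerShell script maps the process and thread components listed above onto what a live Windows system exposes through Get-Process, and lists the account each running service is loaded under, which is the practical check for the "System account or specific credentials" point made earlier.  It assumes an elevated session; the default process name spoolsv (the Spooler service's process) is an assumption you can change.

```powershell
# Added example, not from the original post. Requires an elevated session:
# -IncludeUserName reads the process token, and some processes deny module access.
param([string]$ProcessName = 'spoolsv')   # assumption: the Spooler service process

function Get-ProcessAnatomy {
    param([Parameter(Mandatory)][string]$Name)

    $procs = Get-Process -Name $Name -IncludeUserName -ErrorAction Stop
    foreach ($p in $procs) {
        # Module enumeration can fail with access denied on protected processes.
        $moduleCount = try { $p.Modules.Count } catch { $null }

        [pscustomobject]@{
            ProcessId   = $p.Id          # unique identifier: the process ID
            Image       = $p.Path        # executable program: initial code and data
            TokenUser   = $p.UserName    # security context: account from the access token
            SessionId   = $p.SessionId
            ThreadCount = $p.Threads.Count   # at least one thread of execution
            # Each thread has its own unique thread ID and a scheduler state.
            Threads     = ($p.Threads | ForEach-Object { '{0}:{1}' -f $_.Id, $_.ThreadState }) -join ' '
            ModuleCount = $moduleCount   # DLLs mapped into the private address space
        }
    }
}

# Which account each running service is started under. LocalSystem services
# run with the broadest rights; any other StartName is a credential assigned
# at install time or via the service's properties page, and is worth reviewing.
function Get-ServiceAccounts {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, ProcessId, StartName, PathName |
        Sort-Object StartName
}

Get-ProcessAnatomy -Name $ProcessName | Format-List
Get-ServiceAccounts | Format-Table -AutoSize
```

Running it for svchost instead of spoolsv shows several processes sharing one image but each with its own process ID, token and thread set, which is the distinction the room-and-person analogy is making.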

And that brings us to the end of our Windows Architecture 101 post.  Stay tuned for more ...

Additional Resources:

- CC Hameed
