Today we're starting a new series of posts focused on understanding the Windows System Architecture itself. In our first post, we're going to quickly review some basic Windows concepts and terms including a brief overview of the Windows API, Services and the difference between a Process and a Thread. Think of this as laying the groundwork for our future posts which will cover topics such as the Registry, Session Space and Desktop Heap. So, without further ado - let's start with an introduction to the Windows API ...
The Windows application programming interface (API) is the programming interface to the Microsoft Windows operating system family. It provides services used by all Windows-based applications to enable applications to provide a Graphical User Interface (GUI), access system resources, incorporate audio and much more. The API consists of thousands of documented, callable subroutines such as
. Major categories of Windows API functions include Base Services, Component Services, Graphics & Multimedia, Messaging, Networking and Web Services. There are hundreds of books and websites that cover programming using the Windows API - but let me just add the disclaimer that programming using the Windows API is by no means an "entry-level" type task! And with that, it's time to move on to Services ...
When examining services from a programming viewpoint, a Service could refer to a callable routine in the operating system, a device driver or a server process. However, from a user perspective, we consider a service as a process that is loaded by the OS in user-mode, independent of a logged-in user. Services are controlled by the Windows Service Manager. Services can be loaded using the System account, or credentials that are assigned to that service specifically - either during the service installation, or through the properties page for that service. Some common services include the Spooler service which controls printing, the Server service which supports file, print and named-pipe sharing over the network and the DHCP client service which registers and updates IP addresses and DNS records.
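To make the point about service accounts concrete, here is an added PowerShell example (my own, not code from the original post) that inventories the services on a machine and shows which account each one is started under. It assumes the internal service names Spooler, LanmanServer and Dhcp for the three services mentioned above, and uses only read access to the Win32_Service CIM class, so it can be run by a non-administrator for a quick review of what runs as LocalSystem.

```powershell
# Added example, not part of the original post: inventory services and the
# account the service manager starts each one under.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

# Group by logon account (StartName): LocalSystem, the built-in service
# accounts, or a dedicated account assigned to one service
$services |
    Group-Object StartName |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,4}  {1}' -f $_.Count, $_.Name }

# Spot-check the three services named in the post (internal names assumed)
$services |
    Where-Object { $_.Name -in 'Spooler', 'LanmanServer', 'Dhcp' } |
    Format-Table Name, State, StartName, PathName -AutoSize

# Services that run with the highest privilege (LocalSystem) from a binary
# outside the Windows directory are the ones worth a closer look in a review
$sysRoot = [regex]::Escape($env:SystemRoot)
$services |
    Where-Object {
        $_.StartName -eq 'LocalSystem' -and
        $_.PathName -and
        $_.PathName -notmatch "^`"?$sysRoot"
    } |
    Format-Table Name, StartName, PathName -AutoSize
```

The first table is the one to keep an eye on over time: a new service appearing under LocalSystem, or one that has moved from a dedicated account to LocalSystem, is exactly the kind of change the service installation and properties page described above would produce, and it is worth knowing who made it.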
Now, let's take a look at Programs, Processes and Threads. One of our Escalation Engineers uses a very simple analogy for explaining the difference between these three terms:
Think of a process as a room and a thread as a person in the room. A program is a set of instructions for the person in the room to carry out. Looking at it in this fashion, it is easy to see that the process itself doesn't do any work, but the thread does. A thread lives in a process, and executes the instructions of the program.
With that analogy in mind, a Windows process includes the following:
An executable program, consisting of initial code and data
A private virtual address space
System resources that are accessible to all threads in the process
A unique identifier, called a process ID
At least one thread of execution
A security context (also known as an access token)
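Each item in that list can be read straight off a running process. The following is an added PowerShell example (my own, not from the original post) that pulls the executable, process ID, thread list, address-space size, handle count and the owning account for a given process; the function name Show-ProcessAnatomy is my own, and the Spooler lookup at the end assumes that internal service name.

```powershell
# Added example, not part of the original post: show the parts of a process
# listed above for one process ID.
function Show-ProcessAnatomy {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc  = Get-Process -Id $ProcessId -ErrorAction Stop
    $cim   = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    # GetOwner reports the account whose access token the process runs with
    $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner

    [pscustomobject]@{
        ProcessId       = $proc.Id                          # unique identifier
        Program         = $proc.Path                        # executable program
        SecurityContext = '{0}\{1}' -f $owner.Domain, $owner.User   # access token owner
        VirtualSizeMB   = [math]::Round($proc.VirtualMemorySize64 / 1MB)  # virtual memory in use in its private address space
        ThreadCount     = $proc.Threads.Count               # at least one thread of execution
        ThreadIds       = ($proc.Threads.Id -join ', ')
        HandleCount     = $proc.HandleCount                 # system resources shared by all threads
    }
}

# The shell you are typing into: one process, several threads, your own token
Show-ProcessAnatomy -ProcessId $PID | Format-List

# The Spooler service process mentioned earlier, when it is running
$spooler = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'Spooler'"
if ($spooler -and $spooler.ProcessId) {
    Show-ProcessAnatomy -ProcessId $spooler.ProcessId | Format-List
}
```

Run it from an elevated prompt if you want the owner of a service process: GetOwner on a process belonging to another account (LocalSystem, in the Spooler case) needs more than a standard user's token, which is itself a small illustration of the security context in the list above.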