
Windows Under The Hood

The document discusses various aspects of the Windows operating system including the Registry, boot process, processes and services, and the Task Manager utility. It describes how the Registry stores system configuration information and its structure of root keys and subkeys. It outlines the typical Windows boot process involving the BIOS, bootmgr, and winload.exe. It explains how Windows runs programs as processes with services running in the background, and how Task Manager can be used to view and manage currently running processes and applications.

Uploaded by

hussainhameed110

Windows Under the Hood

Unitintro: ICT1001 Computer Systems 2009


Overview
• In this chapter, you will learn how to:
• Work with the Registry
• Understand and observe the Windows boot
process in detail
• Manage processes, services, and threads
• Explore Windows tools for programmers

Registry
• The Registry is a huge database that stores
everything about your PC.
• Hardware information
• Network information
• User preferences
• File types
• Application information
• Windows stores the Registry files in:
• %SystemRoot%\System32\config folder
Accessing the Registry
• Registry Editor gives direct access to the
Registry
• Enter regedit at a command prompt
• Or in the Start | Search bar

Registry Components
• The Registry is organized in a tree structure
similar to the folders in the PC.
• Once you open the Registry Editor in Windows,
you will see five main subgroups, or root keys:
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_USERS
• HKEY_LOCAL_MACHINE
• HKEY_CURRENT_CONFIG
Registry Components (continued)

Figure 13.1 Typical Registry root keys, subkeys, and values


Registry Components (continued)
• Root keys are composed of subkeys.
• A subkey also can have other subkeys, or values.
• The Registry Editor shows only keys—root keys and
subkeys—on the left and values on the right.

Registry Components (continued)
• HKEY_CLASSES_ROOT
• Defines the standard class objects used by Windows
(i.e., file types and associations)
• HKEY_CURRENT_USER and HKEY_USERS
• Stores all of the personalized information for all users
on a PC
• HKEY_LOCAL_MACHINE
• System’s non-user-specific configurations
• HKEY_CURRENT_CONFIG
• Options currently being used

Talkin’ Registry
• Registry nomenclature uses a path type of
syntax.
• For example: HKLM\SOFTWARE\Blizzard
Technologies\World of Warcraft
• This nomenclature describes the location of a
specific registry value.
• Keys and subkeys can have more than one
value.
Talkin’ Registry (continued)

Figure 13.2 Editing the Registry to move World of Warcraft to a new drive
Talkin’ Registry (continued)
• Values must have a defined type of data they
store:
• String value: any form of data
• Binary value: long strings of ones and zeros
• DWORD value: Binary values limited to exactly 32
bits
• QWORD value: Binary values limited to exactly 64
bits
• There are other types of values, but these four
are used for most Registry entries.
Manual Registry Edits
• Manually editing the Registry may break things
in Windows.
• Applications might not start; utilities might not
work; the computer might not boot.
• Always back up the Registry before you change
anything.
• Create a secure backup on different media (e.g.,
USB thumb drive).
• After editing, reboot system to see if the
changes you made had the desired result.
Manual Registry Edits (continued)
• Registry Editor’s Export feature enables you to:
• Save the full Registry
• Or save a single root key or subkey (including all
subkeys and values under it)

Manual Registry Edits (continued)

Figure 13.3 Mike’s Run subkey


Command-Line Registry Editing Tools
• reg command
• Full Registry editing tool
• View Registry keys and values
• Import and export some or all of a Registry
• Compare two different versions of a Registry
• Tailor a command to accomplish very tight Registry edits
• regsvr32 command
• Modifies the Registry in only one way—adding (or
registering) dynamic link library (DLL) files as
command components
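
The back-up-first routine from the Manual Registry Edits slides, carried out with the reg command. This is an added example, not part of the original slides; it assumes PowerShell on Windows, and the two Run subkey paths and the backup folder under %TEMP% are choices made for this example.

```powershell
# Added example: export the Run subkeys with reg.exe, then list their values.
# Assumptions: the two standard Run subkey paths and a backup folder under %TEMP%.
$backupDir = Join-Path $env:TEMP ("reg-backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$runKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # applies to all users
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # current user only
)

$report = foreach ($key in $runKeys) {
    # 1. Back up first: reg export writes the subkey and everything under it.
    $file = Join-Path $backupDir (($key -replace '\\', '_') + '.reg')
    reg export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not export $key (missing key or access denied)"
        continue
    }

    # 2. Read the same subkey through the Registry provider (HKLM:\ and HKCU:\ drives).
    $item = Get-Item -Path ($key -replace '^(HK\w+)\\', '$1:\')
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key    = $key
            Name   = $name
            Type   = $item.GetValueKind($name)   # String, ExpandString, DWord, QWord, Binary ...
            Data   = $item.GetValue($name)
            Backup = $file
        }
    }
}

# 3. Review what starts at logon; anything unexpected is worth a closer look.
$report | Format-Table Key, Name, Type, Data -AutoSize -Wrap

# To undo a bad edit, re-import the matching backup file:
#   reg import <path to the .reg file in $backupDir>
```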
The Boot Process
• Current Windows versions support both BIOS
and UEFI boot processes.
• BIOS-based system
• The BIOS uses its boot order to scan a hard drive for a
master boot record (MBR).
• MBR loads its boot sector, which contains code pointing
to the bootmgr file.
• The bootmgr loads winload.exe, which readies your
system to load the operating system kernel.
• UEFI system
• Bootmgr loads directly.
The Boot Process (continued)
• Bootmgr starts and reads data from a Boot
Configuration Data (BCD) file.
• BCD contains information about the various
operating systems installed on the system as well as
instructions for how to actually load (bootstrap)
them.
• Once an operating system is selected
(immediately, if only one is present), bootmgr
loads winload.exe.
• Readies your system to load the operating system
kernel.
The Boot Process (continued)
• Winload.exe loads:
• Hardware abstraction layer
• The system Registry
• Drivers for any boot devices into memory before
the operating system itself takes over
• Once the operating system process
(ntoskrnl.exe) takes over, it loads all of the
various processes and systems that comprise
Windows, and the Windows logo comes up.
Processes, Services, and Threads
• In Windows, programs are executable files
waiting on a mass storage device.
• When a program is started, Windows loads it
into RAM as a process.
• The CPU reads the process; the process tells
the CPU which bits of code to run.
• Windows is a multitasking operating system—it
runs many processes simultaneously.
Processes, Services, and Threads
(continued)
• Some processes are called applications; some
are called services.
• Applications run on screen or in the foreground.
• Services run in the background and perform
support tasks.

Task Manager
• Windows Task Manager is the one-stop-shop
for anything you need to do with applications,
processes, and services.
• To open Task Manager in Windows Vista/7:
• Press CTRL-SHIFT-ESC
• Start | Search and type taskmgr and press ENTER
• Press CTRL-ALT-DELETE and select Task Manager

Task Manager in Windows Vista/7
• The Applications tab shows all the running
applications on your system.
• Use if an application will not close normally to force
it to shut down.
• Switch To enables you to bring any program to the
front.
• New Task enables you to start any program you
wish, as long as you know the executable.

Task Manager in Windows Vista/7
(continued)
• The Processes tab shows you every running
process on your computer.
• A process is named after its executable file.
• Usually ends in .exe but can also end with other
extensions.
• All processes have a user name to identify who
started the process.
• A process started by Windows has the user name
System.

Task Manager in Windows Vista/7
(continued)
• All processes have a process identifier (PID).
• To identify a process, you use the PID, not the
process name.
• Task Manager doesn’t show the PID by default.
• Mark the checkbox under View to display the PID.

Task Manager in Windows Vista/7
(continued)

Figure 13.6 Processes tab in Windows 7


Task Manager in Windows Vista/7
(continued)

Figure 13.7 Processes tab showing the PID column in Windows 7
Task Manager in Windows Vista/7
(continued)
• The Processes tab shows the amount of CPU
time (percentage) and the amount of RAM
(kilobytes) the process is using.
• By default, the Task Manager shows only processes
associated with the current user.
• Click on Show processes from all users to see every
process on the system.
• If you select a process and click the End Process
button, you’ll instantly end that process.
• If the process is an application, that application will
close.
Task Manager in Windows Vista/7
(continued)

Figure 13.9 Processes from all users in Windows 7


Task Manager in Windows Vista/7
(continued)
• Right-click on a process to display a number of
options:
• Open File Location, Debug, UAC Virtualization,
Dump files, Set priority, Set Affinity, and other
choices
• The Properties option offers options similar to
Windows Explorer.
• Go to Service(s) will move you to the Services
tab of the Task Manager, showing you all
services associated with the process.
Task Manager in Windows Vista/7
(continued)

Figure 13.10 Processes detail on right-click


Task Manager in Windows Vista/7
(continued)

Figure 13.11 Process priority
Task Manager in Windows Vista/7
(continued)

Figure 13.12 Turning off affinity to the first two cores
Task Manager in Windows Vista/7
(continued)

Figure 13.14 Process Explorer


Task Manager in Windows Vista/7
(continued)
• Use the Services tab in the Task Manager to work
with services directly—they can be stopped or
started, and you can go to the associated process.
• The best way to work with services is to use the
Services Control Panel applet.
• Services don’t have their own window, so you use the
Services applet to start, stop, and configure them.
• You can see if a service is running by reading the Status
column.
• Accessed through run > services.msc
Task Manager in Windows Vista/7
(continued)

Figure 13.15 Services tab in Task Manager
Task Manager in Windows Vista/7
(continued)

Figure 13.16 Services applet
Task Manager in Windows Vista/7
(continued)

Figure 13.17 Service Properties dialog box
Task Manager in Windows Vista/7
(continued)
• Performance
• Task Manager allows one to assess how hard RAM
and the CPU are working at any given moment and
why.
• Click the Performance tab to reveal a handy screen
with the most commonly used information:
• CPU usage, available physical memory, size of the disk
cache, commit charge (memory for programs), and
kernel memory (memory used by Windows).
• Task Manager also tells you what program is using
CPU and RAM resources.
Task Manager in Windows Vista/7
(continued)

Figure 13.18 Task Manager Performance tab
Task Manager in Windows Vista/7
(continued)

Figure 13.19 CPU usage

Task Manager in Windows Vista/7
(continued)
• Networking and users
• Remaining tabs in Task Manager enable you to see:
• Network use at a glance
• Which users’ accounts are currently logged on to the
local machine
• The Networking tab shows network traffic activity
and can help troubleshoot network performance
problems.
• The Users tab enables you to log off other users if
you have the proper permissions.
Task Manager in
Windows 8/8.1/10
• Significantly updated
• New Fewer Details view with a simple interface
for seeing and terminating running programs.

Figure 13.20 Fewer details view in Windows 8 Task Manager
Task Manager in
Windows 8/8.1/10 (continued)
• Processes
• In detailed mode, Processes is broken into three
sections: Apps, Background processes, and
Windows processes.
• By default, the Processes tab lists a process
description, its status, and its resource use,
including CPU, Memory, Disk I/O, and Network I/O.
• Most advanced options have moved to the context
menu of the Details tab.
Task Manager in
Windows 8/8.1/10 (continued)

Figure 13.22 Processes tab context menu in Windows 8 Task Manager
Task Manager in
Windows 8/8.1/10 (continued)
• Performance
• Networking and Disk I/O have been added to the
Performance tab.
• This provides one simple place to view all major
performance metrics.
• App history
• The App history tab collects recent statistics on CPU
time and network usage.
• These statistics help identify resource-hungry
programs.
Task Manager in
Windows 8/8.1/10 (continued)

Figure 13.23 Performance tab in Windows 8 Task Manager showing a very active Disk 0
Task Manager in
Windows 8/8.1/10 (continued)
• Startup
• The Startup tab enables you to identify and disable rogue
startup programs.
• Users
• The Users tab shows programs running under a user’s
account and clearly indicates resource use.
• Details
• The Details tab inherits most of the functionality removed
from the old Processes tab.
• Services
• The Services tab is virtually unchanged.

Task Manager in
Windows 8/8.1/10 (continued)
• The tasklist and taskkill commands
• These commands enable you to work with tasks
from the command-line.
• The tasklist command enables you to view running
processes on a local or remote system.
• You can kill a process using the taskkill command,
using either the name or the PID.
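
The PID-versus-name point from the Processes slides, worked through with tasklist and taskkill. This is an added example, not part of the original slides; it assumes PowerShell on an English-language Windows install (tasklist's CSV column names are localized) and uses a throwaway ping.exe process as the target.

```powershell
# Added example: identify a process by PID with tasklist, then end it with taskkill.
# Assumptions: English column headers from tasklist; ping.exe is a disposable target.

# Start a harmless long-running process so there is something safe to end.
$ping      = Join-Path $env:SystemRoot 'System32\ping.exe'
$target    = Start-Process -FilePath $ping -ArgumentList '-n', '120', '127.0.0.1' `
                           -WindowStyle Hidden -PassThru
$targetPid = $target.Id

# An image name can match many processes: svchost.exe normally runs many times,
# each instance hosting different services. /svc shows which services live in which PID.
tasklist /svc /fi "imagename eq svchost.exe" /fo csv |
    ConvertFrom-Csv |
    Select-Object 'Image Name', PID, Services |
    Format-Table -AutoSize -Wrap

# The PID is unique, so filter on it to confirm exactly what is about to be ended.
$row = tasklist /fi "pid eq $targetPid" /fo csv | ConvertFrom-Csv
if (-not $row -or $row.'Image Name' -ne 'ping.exe') {
    throw "PID $targetPid is not the expected ping.exe; refusing to end it."
}

# End that one process by PID. /f forces termination; add /t to include child processes.
taskkill /pid $targetPid /f

# Verify: tasklist prints an informational message instead of CSV when nothing matches.
$left = tasklist /fi "pid eq $targetPid" /fo csv /nh
if ($left -match '^"') {
    Write-Warning "PID $targetPid is still running"
} else {
    "PID $targetPid has exited"
}
```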

Performance Tools
• Reliability and Performance Monitor (Windows
Vista) and Performance Monitor (Windows 7)
• These tools track metrics regarding resource usage.
• Objects and counters
• An object is a system component that is given a set
of characteristics and can be managed by the OS as
a single entity.
• A counter tracks specific information about an
object.
Performance Tools (continued)

Figure 13.29 Resource Overview in Windows Vista
Performance Tools (continued)

Figure 13.31 Initial Performance Monitor screen in Windows 7


Performance Tools (continued)
• Working with the tools
• Performance monitor gathers and displays
real-time data on objects such as memory, physical
disk, processor, and network.
• To add counters, open the Add Counters dialog box.
• Selecting a counter and pressing CTRL-H makes that
counter data stand out on the graph.

Performance Tools (continued)

Figure 13.33 Add Counters dialog box


Performance Tools (continued)

Figure 13.34 Pressing CTRL-H makes one set of data stand out.
Performance Tools (continued)
• Data Collector Sets are groupings of counters
you can use to make reports.
• You can make your own Data Collector Sets (User
Defined) or use one of the predefined system sets.
• Data Collector Sets enable you not only to choose
counter objects to track but also to schedule when
you want them to run.

Performance Tools (continued)

Figure 13.35 Sample report
Component Services
• Component services are tools to enable
programmers to share data objects (an element of
programs) between applications on a single
computer.
• Over time, this sharing was extended so that you
could share objects between computers on a
network.
• In almost all cases, sharing objects doesn’t require
you to do anything more than install an application
that uses these features.

Component Services (continued)
• Component Services is there for those very rare
times when something’s either wrong or a
programmer needs you to make manual
changes.

Component Services (continued)

Figure 13.36 Component Services in Windows 7
Data Sources
• Open Database Connectivity (ODBC)
• Coding standard that enables programmers to
write databases and the applications that use them
• Can query ODBC to see how to locate and access a
database without any concern about what application or
operating system is used

Data Sources (continued)
• Microsoft’s tool to configure ODBC is called
ODBC Data Source Administrator.
• Data Source Administrator enables you to create
and manage entries called Data Source Names
(DSNs) that point ODBC to a database.
• DSNs are used by ODBC-aware applications to
query ODBC to find their databases.
• You will rarely use Data Source Administrator unless
you’re making your own shared databases.
Data Sources (continued)

Figure 13.37 ODBC Data Source Administrator in Windows 8.1
Additional Topics
• System Restore
• You can create Restore Points to allow recovering
the system to an earlier point of time in the event
of system failure or instability
• Safe Mode
• Safe Mode starts Windows with a minimal set of
drivers and services. If a system cannot boot
normally, you can boot into Safe Mode to
troubleshoot and fix the issue