I try to catch Mark Russinovich’s stuff whenever I can. He has a thinking and presentation style which, along with his extreme familiarity with Windows internals, takes hard stuff and makes it a lot easier to understand. I wish every OS platform had someone like Mark to explain its inner workings.
Today I took an hour and watched a session he gave at PDC09 which explains some of the many low level changes which went into Windows 7 and Windows 2008R2. A lot of people say that Win7 is really just Vista v2. After watching this video, I think that’s an overly simplistic view – major changes went into Win7.
Because I’m aware that it’s often hard to find an hour of uninterrupted time in a sysadmin’s busy schedule, I took notes with timestamps so that those of you who are interested could skip to the bits which interest you. If you start watching the video and notice it is somewhat blocky (as I did), notice the links just under the video for other quality levels. I watched at High Quality WMV (1280x720).
So without further ado, here are my notes. They are sketchy at best, and if they differ from what Mark says in the video, that’s solely my error. You owe it to yourself to pick at least one interesting segment and watch.
- 0:00 - 1:05 Mark talks briefly about ProcDump and SDH. He’s answering questions from a prior segment, so this section is ok to skip.
- 1:05 - 9:26 Mark talks about UAC. I think this section of the video is must-watch for anyone who has ever argued for or against UAC.
- 1:48 "UAC's primary purpose in life is NOT anti-malware."
- 2:05 He demonstrates how UAC can allow malware to run, no matter how vigilant you are.
- 6:15 He gives a quick rundown of what the various UAC slider levels do, and why Win7 has a different set of presets than Vista did.
- 9:26 Mark talks about service accounts. Why the original "all services ran as LocalSystem" approach was bad. XP's introduction of LocalService and NetworkService and its goals.
- 10:35 Vista's introduction of ServiceSID which isolates each service into its own box.
- 11:25 Win7's introduction of Virtual Service accounts, which "for all intents and purposes are just like standard user accounts, except you don't have to manage their passwords." He demonstrates the creation of one, shows how it has its own profile. These are the new best practice for isolating services on standalone boxes.
- 13:55 Managed Service Accounts. The equivalent of a virtual service account for domains. AD manages the passwords for these. These are the new best practice for AD services like Exchange, SQL, IIS, etc.
- 15:24 BitLocker. First Mark clarifies that in Win7 since release, you always get a 100MB hidden system partition; the 200MB hidden system partition was specific to the beta versions of Win7. The hidden system partition is the set of unencrypted boot files. If you have these you're ready to go BitLocker in one step; if you don't, you'll have to repartition to get BitLocker.
- 16:21 BitLocker To Go. Encryption for removable media (flash drives, USB drives, etc). He discusses the "clever trick" that enables it and allows it to work on downlevel systems.
- 18:20 Windows Biometric Framework (WBF). Fingerprint, retina, facial recognition, etc.
- 19:17 Auditing is now designed to help explain 'why did this person succeed or fail to access a specific object?' Enabled through auditpol. He fails at demonstrating this.
- 22:30 AppLocker. Discusses why the old Software Restriction Policies were fragile and difficult. AppLocker adds more granularity and robustness.
- 24:50 VHD native support. "Makes the little propeller on top of my hat spin." MS are moving, wherever they can, to a single container format: VHD. Performance goals (within 10% of native disk) and architecture. He gives a quick demo of creating and using a VHD. Very cool. In a nifty little demonstration of how Mark's mind works, he showed what happens when you copy a VHD into itself.
- 31:29 Boot from VHD. "From an enterprise management perspective, we'd love to get to a world where we have what we call single image servicing or golden image servicing." VHD size limit is 2 terabytes today but will probably increase in the future. "This whole presentation has been off of W2008R2 booted from a differenced VHD."
- 36:50 "VHDs have nothing to do with virtualization. Nothing. It's purely just the ability of Windows to natively handle VHDs."
- 37:00 Hyper-V. Performance and scaling improvements. Live migration (compare to VMware VMotion) is now supported (as opposed to the old "Quick Migration", which wasn't very quick). Can move VMs between machines fast enough that TCP/IP sessions do not time out.
- 40:08 Animation/explanation showing how Live Migration memory transfer works.
- After this point my attention wandered a bit; the presentation moved into areas where, at least right now, I don’t have a lot of interest. So the following timestamps have less commentary with them.
- 40:40 High Available Storage and Virtualization. Clustered Shared Volumes.
- 43:20 VM Memory Management.
- 45:10 Scalability. CPU magic called "Distributed Timer Execution" to increase workloads and reduce BSODs.
- 46:20 Simultaneous Multithreading. Making one CPU look like multiple ones. Migrating threads to the more idle core. Core Parking = try to keep processor cores idle if there's no perf reason to use multiple cores.
- 49:25 Dynamic Fair Share Scheduling (DFSS). Better distribution of CPU resources among multiple users on a single terminal server.
- 50:28 User Mode Scheduling. Mark only briefly addressed this slide because he has another session talking about it.
- 51:15 Where do processor limits (number of CPUs supported) come from? And how has Win7/2008R2 added support for greater numbers of CPUs without sacrificing backward compatibility?
- 54:30 Mark runs a short video showing someone driving processors on a 96-proc system to display a message in Task Manager. Hilarious.
- 56:20 How removing certain kernel-level memory manager locks allows apps to scale to larger number of CPUs. It's interesting to note that Dave Cutler is still strongly in the loop on all CPU scheduling discussions. And: how Arun Kishan got the afternoon off after making a major breakthrough.
- 62:47 End of session and wrap up. Mark promises a series of blog posts to explain these things in greater depth.
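
To make the service-account progression from the 9:26 to 13:55 notes concrete, here is an added example (mine, not from Mark's session) that sorts each service's logon account into those account types. The function name, the sample rows, the "trailing `$` means managed service account" heuristic and the choice of which classes to flag are all assumptions of this example.

```powershell
# Classify a service logon account (Win32_Service.StartName) into the
# account types listed in the notes. Function name is hypothetical.
function Get-ServiceAccountClass {
    param([string]$StartName)

    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    switch -Regex ($StartName) {
        '^(NT AUTHORITY\\)?(LocalSystem|SYSTEM)$' { return 'LocalSystem' }
        '^NT AUTHORITY\\Local ?Service$'           { return 'LocalService' }
        '^NT AUTHORITY\\Network ?Service$'         { return 'NetworkService' }
        '^NT SERVICE\\'                            { return 'VirtualAccount' }
        # Assumption: a non-built-in account name ending in $ is a managed service account
        '\$$'                                      { return 'ManagedServiceAccount' }
        default                                    { return 'UserAccount' }
    }
}

# Constructed sample rows so the example runs offline. On a live host
# (PowerShell 3.0 or later) replace this array with:
#   Get-CimInstance Win32_Service | Select-Object Name, StartName
$services = @(
    [pscustomobject]@{ Name = 'LegacyAgent'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'TimeSync';    StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ Name = 'DnsClient';   StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'WebPool';     StartName = 'NT SERVICE\WebPool' }
    [pscustomobject]@{ Name = 'SqlEngine';   StartName = 'EXAMPLE\svc-sql$' }
    [pscustomobject]@{ Name = 'BackupJob';   StartName = 'EXAMPLE\backupadmin' }
)

$report = $services | ForEach-Object {
    [pscustomobject]@{
        Service = $_.Name
        Account = $_.StartName
        Class   = (Get-ServiceAccountClass $_.StartName)
    }
}

# Full inventory, grouped by account type
$report | Sort-Object Class | Format-Table -AutoSize

# Review candidates (this example's choice): services still running as
# LocalSystem or as a regular user account whose password someone has to manage
$report | Where-Object { $_.Class -in 'LocalSystem', 'UserAccount' } |
    Format-Table -AutoSize
```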