home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
WindowsWare 2 the Maxx
/
winmaxx.zip
/
winmaxx
/
WIN_NT
/
KMGLOS.ZIP
/
GLOS.TTY
< prev
next >
Wrap
Text File
|
1993-01-29
|
120KB
|
3,499 lines
Glossary of Terms and Acronyms Glossary of Terms and Acronyms
access violation access violation
An attempt to carry out a memory operation that is not
allowed by the underlying page protection. See also probe
and SEH.
There are four basic kinds of actions that can cause
access violations:
1 Attempting an invalid operation, such as writing to a
read-only buffer.
2 Attempting to access memory beyond the limit of the
current program's address space (a.k.a. "length
violation").
3 Attempting to access a page to which the system
forbids access. For example, code is not allowed to
run in the low-order 64K of the NT user-mode address
space in order to simplify the detection of NULL
pointer references.
4 Attempting to access a page that is currently
resident but dedicated to the use of an executive
component. For example, user-mode code is not allowed
access a page that the Kernel is using.
Note that this term pertains to memory operations. It has
nothing to do with the Security Manager's checking of
user-mode access rights to objects. See security
violation, ACE, and ACL.
ACE ACE
(1) Access control entry
An ACE is an individual entry in an ACL. An ACE contains
an SID and describes the access rights that a particular
user or group of users has to a system resource. The set
of all ACEs on the object are used to determine whether
an access request to the object is granted. See also
security descriptor.
(2) Advanced computing environment
A consortium of hardware and software companies formed to
promote an open computing environment. NT is one of the
original ACE operating systems.
access right access right
A permission granted to a process to manipulate a particular
object in a particular way (by calling a service). Different
NT object types support different access rights, which are
stored in an object's ACL.
G-2 Kernel-mode Driver Design Guide G-2 Kernel-mode Driver Design Guide
ACL ACL
Access control list
An ordered list of ACEs.
adapter object adapter object
A kernel-mode-only object type, defined by the I/O Manager
and supported by the HAL component. An adapter object
represents a hardware bus adapter or DMA controller channel.
Adapter objects "connect" different kinds of devices on the
bus or DMA controller, each device (or kind of device) with
its own driver.
affinity affinity
A programmer-defined attribute of a process and/or thread on
a multiprocessor platform:
n For a process, its affinity is the programmer-determined n
set of processors on which its threads are permitted to
run.
n For a thread, its default affinity is identical to that n
of the process to which it belongs; otherwise, its
affinity must be a proper subset of the process's.
alert alert
A Boolean that provides a way to break into a thread's
execution at a point where either of the following
conditions is met:
n The thread is in an alertable wait state (as specified n
when the wait service was called).
n The thread polls the alerted flag. n
APC APC
Asynchronous procedure call
An APC is a Kernel-defined control object representing a
procedure that is called asynchronously. APCs are thread-
context dependent; that is, they are queued to a
particular thread for execution.
There are three different kinds of APCs in NT:
1 User APCs - These APCs are used by certain _________
asynchronous NT system services to allow users to
synchronize the execution of a thread with the
completion of an operation or the occurrence of an
event such as a timer's expiration. User APCs are, by
default, disabled. That is, they are queued to the
user's thread, but they are not executed except at
well-defined points in the user's program.
Specifically, they can only be executed when the user
has called a wait service and has enabled alerts to
Glossary of Terms and Acronyms G-3 Glossary of Terms and Acronyms G-3
occur, or if the user has called the test-alert
service.
G-4 Kernel-mode Driver Design Guide G-4 Kernel-mode Driver Design Guide
2 Kernel APCs - These APCs are normal kernel-mode APCs. ___________
They are much like a normal user APC except that they
are executable by default. That is, they are enabled
except when the thread is already executing a Kernel
APC. (Note that a special Kernel APC always preempts
these.)
3 Special Kernel APCs - These APCs cannot be blocked ___________________
except by running at a raised IRQL. They are executed
at APC_LEVEL IRQL (see IDT), in kernel mode. These
types of APCs are used by the system to force a
thread to execute a procedure in the thread's
context. An example of this is I/O completion: the
I/O Manager needs to get back into the context of the
original requestor of the I/O operation so that it
can copy buffers, etc. In order to do this, the I/O
Manager must be able to access the virtual address
space of the thread/process, and the most efficient
way to complete the operation is to be in the calling
thread's context.
ARC ARC
(1) The NT executive runs on top of ARC-compliant machines,
including both RISC- and CISC-based platforms that supply
the following components to the OS loader:
n In MIPS-based platforms, a set of machine firmware that n
supports bootstrap loading and execution as an
"abstracted" set of ARC routines and ARC devices.
n In x86-based platforms, a hardware recognizer (Ntdetect) n
that finds devices necessary to bootstrap the system by
querying the ROM BIOS and builds a hardware database that
emulates the RISC-based ARC firmware.
n In both kinds of platforms, a HAL that interfaces between n
the hardware and NT.
Later in the load process, the driver of the disk, CD-ROM,
or floppy device from which the system booted creates an
alias between the name of its device object and the
corresponding ARC device name by calling IoAssignArcName. IoAssignArcName
(2) Advanced RISC computing
Refers to a RISC-based computer architecture standard,
associated with the ACE consortium.
associated IRP associated IRP
One of a set of IRPs, created by the highest-level driver in
a chain of layered drivers, that specifies some part of an
I/O request to be sent on to a lower-level driver. When all
associated IRPs in the set have been processed, the highest-
level driver completes the original request. See also IRP.
Glossary of Terms and Acronyms G-5 Glossary of Terms and Acronyms G-5
asynchronous I/O asynchronous I/O
A model for I/O in which the operations carried out to
satisfy I/O requests do not necessarily occur in sequence.
The application that originally made the request can
continue executing (rather than waiting for its I/O to
complete), the I/O Manager or a high-level driver can
reorder I/O requests as they are received, and a low-level
driver can start an I/O operation on a device before it has
completed the preceding request, particularly in a
multiprocessor machine.
backing store backing store
A mass storage medium, such as a disk, that serves as backup
"memory" for paging when physical memory becomes full. See
also paging file.
balance set balance set
The set of processes currently in the system, in particular,
processes whose threads are eligible for execution. See also
dispatch state and working set.
At any given moment, the balance set depends on the
availability of physical memory (pages) to back the
virtual address space associated with each active
process. If a physical memory shortage occurs, the NT
Memory Manager first trims the working set of each active
process to its minimum, then (if necessary) removes
processes from the balance set.
based section based section
A section allocated at the same virtual address for each
process that has a view of the section. See also section and
view.
BCB BCB
Buffer control block
An opaque Cache Manager structure, used to maintain state
as a file system pins and releases data (for example, its
volume structure) in the cache.
big-endian big-endian
Refers to a memory architecture in which the byte layout is
as follows:
n Byte N is the most significant (and, in conventional n
layout diagrams, the "leftmost") byte of:
n A word composed of bytes N and (N + 1). n
n A double word composed of bytes N, (N + 1), (N + 2), n
and (N + 3).
G-6 Kernel-mode Driver Design Guide G-6 Kernel-mode Driver Design Guide
n A K-byte memory entity composed of bytes N, (N + n
1),...,(N + K - 1).
n The address of the preceding word, double word, or K-byte n
entity is its most significant byte, N.
Glossary of Terms and Acronyms G-7 Glossary of Terms and Acronyms G-7
A MIPS machine can be configured for either big-endian or
little-endian byte addressing. For a big-endian
configuration, the most significant bit of a 16-bit short short
value is the "leftmost" bit at byte N, while the least
significant bit is the "rightmost" bit of byte (N + 1). See
also little-endian.
The terms "big-endian" and "little-endian" are derived
from Jonathan Swift's Gulliver's Travels. __________________
Cache Manager Cache Manager
An executive component that provides file caching support
for NT file system drivers.
CCB CCB
Context control block
An internal NT-defined file system structure, in which a
file system maintains per file object state for an open
instance of a file. See also FCB and DCB.
CDB CDB
Command descriptor block
A structure, defined by the SCSI-II standard, used to
communicate requests to a target device on the SCSI bus.
CDFS CDFS
CD-ROM file system
CD-ROM CD-ROM
Compact disk, read-only memory
chase chase
To follow a linked list, queue, or other software-defined
path. For example, when a file system encounters a symbolic
link file within a path specification, it "chases the
symbolic link" to redirect operations to the target file.
See also symbolic link.
G-8 Kernel-mode Driver Design Guide G-8 Kernel-mode Driver Design Guide
child process child process
When a new NT-native process is created by calling a system
service, the caller must specify a "parent" process from
which the new process inherits its token, quota, and base
priority. The new process can optionally inherit any or all
of the following from the specified parent process:
n A copy of the parent's virtual address space. n
n All object handles that were opened with the inheritance n
attribute.
n Debugging and exception handling ports. n
However, an NT user-mode process becomes a wholly
independent peer to its so-called parent process as soon as
it has been created. After process creation, any process-to-
process dependencies become the responsibility of a
protected subsystem (such as the Win32TM or POSIX
subsystem).
A kernel-mode-only (a.k.a. "system") process has no "parent"
when it is created.
CID CID
Client identifier
A unique value that identifies a thread.
class driver class driver
a.k.a. "type driver"
(1) An intermediate driver for a physical device, which
is connected to a so-called "intelligent controller" such
as a SCSI HBA, or to an adapter bus. Such a class driver
communicates with the corresponding port driver according
to an established protocol, such NT-defined SRBs. The
system-supplied SCSI disk, CD-ROM, and tape class drivers
are examples of this type of class driver.
(2) An intermediate driver that provides system-required
but hardware-independent support for a given class of
physical devices. Such a class driver communicates with a
corresponding hardware-dependent port driver, using a set
of system-defined device I/O control requests, possibly
with additional driver defined internal device I/O
control requests. The system-supplied keyboard and mouse
class drivers are examples of this type of class driver.
client/server model client/server model
A model for structuring applications or operating systems
such that the system is divided into processes (servers),
each of which provides a set of specialized services to
other processes (clients).
Glossary of Terms and Acronyms G-9 Glossary of Terms and Acronyms G-9
collided page fault collided page fault
A page fault caused by one thread while an in-page I/O
operation for another thread is being done on the same page.
commitment commitment
The NT Memory Manager's current value for paging file usage.
context context
The execution state of a thread at any given moment:
n For a user-mode thread, the platform-dependent register n
state, kernel stack, TEB, and user stack in the address
space of the process to which the thread belongs.
n For a kernel-mode thread, the platform-dependent register n
state and kernel stack.
Kernel-mode threads have neither a TEB nor a user-mode
context, but they must have an associated process. See
also process object.
Most NT device drivers do not have a context in this
sense. Unless a driver (such as an FSD) creates its own
process and/or thread(s), it does not have its own stack
space or register state. For each driver, the set of
objects it owns and the IRPs that it can access via a
device queue object associated with its device object can
be considered all or part of its context.
context record context record
A system-defined structure, containing the current register
state for an exception handler. See also SEH.
control objects control objects
A class of Kernel-defined object types, used to manage all
kernel-mode operations except dispatching and
synchronization. See also dispatcher objects.
Control objects include: APC, DPC, device queue,
interrupt and process objects. Note that all control
object types except processes are kernel-mode-only
objects, invisible to user-mode code. User-mode APC
objects are also "invisible" in the sense that they look
more like user-supplied routines to be called on return
from certain system services (such as a request to read a
file) than like objects.
controller object controller object
A kernel-mode-only object type, defined by the I/O Manager.
A controller object represents a hardware controller or
channel. The driver calls IoAllocateController to carry out IoAllocateController
synchronized I/O on attached devices. Controller objects
G-10 Kernel-mode Driver Design Guide G-10 Kernel-mode Driver Design Guide
"connect" a set of similar devices attached to a controller
with a single driver.
critical section critical section
A piece of code that accesses a nonsharable resource, such
as device-state data stored in a device extension to which
access must be synchronized among some number of driver
routines.
DACL DACL
Discretionary access control list
A discretionary ACL is part of the security descriptor
for an object. It can be applied to a newly created
object in order to constrain access to the object. See
also ACE, access right, ACL and security descriptor.
DCB DCB
Directory control block
An internal FS structure in which a file system maintains
state for an open instance of a directory file.
deadlock deadlock
A runtime error condition that occurs when two threads of
execution are blocked, each waiting to acquire a resource
that the other holds, and both unable to continue running.
device extension device extension
A part of a device object whose size is determined when a
driver creates the device object and whose internal
structure is driver-defined. For many NT drivers, a device
extension is the driver's major (and only) data storage
area, used to maintain device state and to contain any
system-defined objects and other data that the driver writer
decides to use.
device object device object
A kernel-mode-only, I/O Manager-defined object type, used to
represent a physical, logical, or virtual device whose
driver has been loaded into the system. Each driver calls
IoCreateDevice to initialize a device object for each device IoCreateDevice
that driver services. See also driver object.
Devices are "visible" to end users as named file objects,
stored in a directory protected against careless or
malicious user-mode access. User-mode code (protected
subsystems) must access any device through the opaque handle
returned by the system service that opens the file object
that represents the device to user-mode code.
Glossary of Terms and Acronyms G-11 Glossary of Terms and Acronyms G-11
device queue object device queue object
A kernel-mode-only, Kernel-defined control object type, used
to record the Boolean state (Busy or Not_Busy) of a device
and to queue I/O requests for subsequent processing. A
device queue object has an associated executive spin lock.
An I/O request, called a "queue entry," is not actually
placed in the device queue unless the state is already
Busy:
n On the transition from Not_Busy to Busy, the driver n
is expected to service the queue entry immediately.
n Subsequent requests while the state is Busy are n
queued in FIFO or key-sorted order.
n An attempt to remove a queue entry from an empty n
queue causes the transition from Busy to Not_Busy.
n An attempt to remove a queue entry from an empty n
queue when the device is Not_Busy causes the system
to "bugcheck" (i.e., crash).
directory file directory file
A file that points to or lists a set of named file objects.
Note that on-disk directory files are represented in NT
as file objects, not as object directory objects.
directory object directory object
See object directory object.
DIRQL DIRQL
Device interrupt request level
See also IRQL and IDT - This particular IRQL refers to
the IRQL at which a given device interrupts.
dispatch state dispatch state
For a thread at any given moment, one of the following:
n Initialized. n ____________
n Ready - queued and eligible for dispatch to a processor. n _____
n Standby - ready and selected to execute, but a context n _______
switch to the thread has not yet occurred.
n Running. n _______
n Waiting - suspended until a particular dispatcher object n _______
is set to the Signaled state.
n Terminated. n __________
dispatcher objects dispatcher objects
A class of Kernel-defined object types, used to manage
dispatching and synchronization. See also control objects.
Dispatcher objects have a Boolean state (Signaled or Not-
Signaled), and are arguments to the wait services or
G-12 Kernel-mode Driver Design Guide G-12 Kernel-mode Driver Design Guide
Kernel wait routines. Dispatcher objects include:
events, (kernel-mode-only) mutexes, semaphores, threads,
and timers.
Kernel-mode threads synchronize their operations by
waiting on one or more dispatcher objects, or by waiting
on other objects, such as user-mode file objects,
that contain "hidden" kernel-mode dispatcher objects.
Note that it is a fatal error to wait on a dispatcher
object at IRQL > APC_LEVEL.
DMA DMA
Direct memory access
(No different from any other OS.)
DPC DPC
Deferred procedure call
A DPC is a Kernel-defined control object type,
representing a procedure that is to be called later. DPCs
are executed in kernel mode at IRQL DISPATCH_LEVEL (see
IDT and IRQL).
A DPC is primarily used when an interrupt service routine
(e.g., device driver or clock interrupt service routine)
needs to perform more work but should do so at a lower
IRQL than the one at which an ISR executes. (Note that
getting the IRQL lowered back down quickly is important
for overall system response time.) The ISR, then, can
request that a procedure be executed at a lower IRQL at a
later time.
driver object driver object
A kernel-mode-only object representing an NT driver's load
image, used by the I/O Manager to locate the driver's entry
points.
EA EA
Extended attribute
Files have basically four different parts:
1 Data
2 File system attributes (such as creation time, other
times, FAT attributes, etc.)
3 Security descriptor
4 EAs
EAs are the set of extended information about a file. An
EA is viewed as an untyped name-value pair that is
defined by the user. Typical system uses are to store the
icon for an image, to indicate that the file is a
symbolic link, etc.
Glossary of Terms and Acronyms G-13 Glossary of Terms and Acronyms G-13
EFU EFU
Error format utility
A utility, supplied by the system, that reads error
entries out of an error log file and displays them.
Drivers call IoAllocateErrorLogEntry and IoAllocateErrorLogEntry
IoWriteErrorLogEntry to transfer errors to an error log IoWriteErrorLogEntry
file; they can supply error buffer translation routines
to format entries for display by the EFU.
EISA EISA
Extended industry standard architecture
Also, a standard that defines the architecture of (and
interface to) the extended PC bus. See also ISA.
event object event object
A user-mode object upon which one or more threads can wait
until the event is set to the Signaled state. Every user-
mode event object is implemented through the use of a
kernel-mode event object.
A kernel-mode event object is an instance of a Kernel-
defined dispatcher object type. Each kernel-mode event can
be classified as either of the following:
1 When a synchronization event (a.k.a. "autoclearing _____________________
event") is set to the Signaled state, a single thread
that was waiting on the event is released (its dispatch
state transitions from waiting to ready, standby, or
running), and an autoreset to Not-Signaled occurs.
2 When a notification event is set to the Signaled state, __________________
all threads that were waiting on the event are released,
and the event remains in the Signaled state until an
explicit reset to Not-Signaled occurs.
exception exception
A synchronous error condition, resulting from the execution
of a particular machine instruction. See also SEH.
G-14 Kernel-mode Driver Design Guide G-14 Kernel-mode Driver Design Guide
executive executive
The collection of components that form the base NT operating
system. Executive components include the Executive Support,
Kernel, Memory Manager, Cache Manager, Process Structure,
Interprocess Communication (LPC and RPC), Object Manager,
I/O Manager, Configuration Manager, Hardware Abstraction
Layer, and Security Reference Monitor. Each executive
component except the Executive Support, Cache Manager, and
Hardware Abstraction Layer supplies a specialized set of
native user-mode system services, and every executive
component exports a set of kernel-mode functions for use by
other executive components.
NT drivers also call kernel-mode functions supplied by
executive components, including (but not limited to)
functions beginning with the prefix "Ex" for Ex(ecutive) Ex
Support. Other kernel-mode functions of interest to
drivers begin with the prefixes: Hal, Ke(rnel), Ps (for Hal Ke Ps
Process Structure), Ob(ject), Io, Mm (for Memory Ob Io Mm _ _ _
Manager), Cc (for Cache Manager), Se(curity) and FsRtl Cc Se FsRtl _ _ _
(for File System Run-time Library). See also Zw routines. _ _ _ _ __
Note that NT drivers, including kernel-mode device,
intermediate, and file system drivers, are considered part
of the NT executive after they are loaded. The "operating
system" visible to end users is actually a protected
subsystem that runs in user mode on top of the NT executive;
the executive is hidden from end users by a subsystem-
supplied interface that emulates Windows, POSIX, or some
other operating system.
FAT FAT
File allocation table
(adjective: an NT-installable file system that was native
to DOS; also, a type of disk partition)
fault tolerance fault tolerance
An optional feature of the Windows NT operating system
environment, which includes the end-user-visible Windows
DiskMan utility supported by an NT-supplied intermediate
driver that handles disk partition mirroring, striping, and
volume set management.
FCB FCB
File control block
An internal FS structure in which a file system maintains
state for an open file.
Glossary of Terms and Acronyms G-15 Glossary of Terms and Acronyms G-15
file object file object
A user-mode object that represents an open instance of a
file, device, directory, or volume that is accessed through
the file handle returned by a protected subsystem's function
that calls down to a system service that opens (or creates)
a file object . Every file handle contains a "hidden"
kernel-mode event object, so that callers of the I/O system
services can wait on a file handle.
At any given moment, several file objects can be associated
with a single, shared data file, but each such file object
has a unique handle and maintains an object-specific value
for the current file pointer.
A file object is sometimes called a "persistent object"
because the (file, device, directory, or volume) entity
that backs any run-time set of file objects is retained
across system boots.
FS FS
File system
An FS is a file system driver that registers itself with
the NT I/O Manager as an active file system. Unlike many
other operating systems, NT does not have a particular
must-be-resident file system, and several NT file systems
can be active at the same time. NT file systems are
dynamically located when a volume is mounted or when a
remote name is being resolved: the I/O Manager calls the
registered FSs in turn until one file system "recognizes"
the volume structure or remote name.
Examples of NT-supplied file systems are FAT, HPFS, NTFS,
CDFS, the LAN Manager redirector, NPFS (named pipe file
system), and RAW.
FSD FSD
File system driver
The FSD refers to the portion of a driver that executes
in the context of the caller, to which an I/O request is
dispatched when the request is originally made. The FSD
has no process virtual address space and no particular
thread context because it operates in the context of
whoever happens to call it.
An FSD also executes in the context of the lower-level
(intermediate or mass storage device) driver's DPC
routine when the I/O operation is being completed if the
FSD indicated that it should be called upon completion of
the IRP.
The term FSD normally refers to the DD (device driver)
part of a file system driver only when the driver also
G-16 Kernel-mode Driver Design Guide G-16 Kernel-mode Driver Design Guide
has an FSP associated with it; otherwise, it's called
simply a device driver.
Glossary of Terms and Acronyms G-17 Glossary of Terms and Acronyms G-17
FSP FSP
File system process
The FSP usually refers to a set of device-dedicated or
system worker threads that aid a file system driver (FSD)
in getting work done, but can also refer to a kernel-mode
process set up by an FSD. FSP threads are generally used
when a file system driver needs a thread context in which
to work. An example is when the driver needs to be able
to wait without tying up the calling thread. An FSP
kernel-mode process is used only when an FSD must have a
driver-specific process address space in which its
device-dedicated threads execute. (Most NT file system
drivers conserve system memory by not creating their own ___
kernel-mode processes.)
Communication between the FSD and the FSP threads is
performed through the use of a communication region. This
region is generally allocated in a device object's device
extension and consists of an interlocked queue and a
synchronization event. See also device object, device
extension, and event object.
Note that any NT driver (not just file systems) can
create one or more device-dedicated threads or use system
worker threads. In particular, an NT driver should create
a thread for I/O operations that use synchronization
mechanisms (such as events, timers, semaphores, mutexes,
etc.) other than spin locks. Such a driver's thread can
wait for an indefinite, nonzero interval on a Kernel-
defined dispatcher object, but context switches to the
thread slow down the driver's I/O operations.
GUID GUID
Globally unique identifier
See SID.
HAL HAL
Hardware abstraction layer
An NT executive component that provides platform-specific
support for the NT Kernel, I/O Manager, kernel-mode
debuggers, and lowest-level device drivers. The HAL
exports routines that abstract platform-specific hardware
details about caches, I/O buses, interrupts, etc. and
provides an interface between the platform's hardware and
the system software. For example, the HAL implements a
routine to map each device driver's bus-relative device
interrupt vector to a system-assigned vector with a
corresponding platform-specific hardware priority
G-18 Kernel-mode Driver Design Guide G-18 Kernel-mode Driver Design Guide
(DIRQL), as well as several routines that provide DMA-
transfer support.
hardware exception hardware exception
See SEH.
Glossary of Terms and Acronyms G-19 Glossary of Terms and Acronyms G-19
HBA HBA
Host bus adapter
A hardware device that "connects" NT and a SCSI bus. A
SCSI HBA driver usually manages the lower layers of the
SCSI-II protocol. See miniport driver; see also port
driver, class driver, and SCSI.
HPFS HPFS
High performance file system
An NT-supplied installable file system
hyperspace hyperspace
A block of virtual memory somewhere in kernel space,
dedicated to the use of the NT Memory Manager. Every
instance of a user-mode virtual address space has an
associated hyperspace area where the Memory Manager
maintains internal data (such as page table pages and WSLs)
for the current process. See also kernel space and user
space.
IDB IDB
Interrupt dispatch block
An internal structure used by the NT Kernel.
G-20 Kernel-mode Driver Design Guide G-20 Kernel-mode Driver Design Guide
IDT IDT
Interrupt dispatch table
A Kernel-defined call table with a platform-dependent
number of first-level entries (some for DIRQL ISRs) and
second-level entries for interrupt transfer routines
(dependent on a first-level ISR). For symmetric
multiprocessor platforms, the Kernel sets up an IDT for
each processor. See also multiprocessor machine.
The NT Kernel reserves eight first-level entries per IDT
for its own use; the remaining first-level entries can be
connected to a platform-specific bus interrupt by the HAL
or to a device interrupt. The Kernel's reserved entries
(in low-to-high IRQL priority) are defined by the
following constants:
n PASSIVE_LEVEL - execute thread. n
n APC_LEVEL - execute special Kernel APC. n
n DISPATCH_LEVEL - dispatch (execute DPC). n
n WAKE_LEVEL - debugger execution. n
n CLOCK2_LEVEL - interval-timer execution. n
n REQUEST_LEVEL - interprocessor request. n
n POWER_LEVEL - power failure notification. n
n HIGH_LEVEL - machine checks or bus errors. n
The set of software and hardware interrupt vectors mapped
to these constants is platform-dependent, but none can be
connected to a driver's interrupt object. Note that the
constants PASSIVE_LEVEL through DISPATCH_LEVEL and
WAKE_LEVEL correspond to software interrupt vectors.
DIRQLs for device drivers usually have IRQL priority
higher than DISPATCH_LEVEL but lower than CLOCK2_LEVEL.
IFS IFS
Installable file system
See FS.
integral subsystem integral subsystem
A protected subsystem (server) that performs an essential
operating system task. For NT, this group includes the Local
Security Authority, the Security Accounts Manager, the
Session Manager, and the network server. See also protected
subsystem.
Glossary of Terms and Acronyms G-21 Glossary of Terms and Acronyms G-21
intermediate driver intermediate driver
An intermediate driver processes I/O requests "between" the
highest-level driver (frequently an FS) and the lowest-level
driver that controls the hardware device for which the
request is bound. See also layered driver.
Examples of intermediate drivers include the NT ftdisk
driver, which supports fault tolerance, and many class
drivers.
interrupt interrupt
An asynchronous hardware signal, usually indicating that a
peripheral device needs service, that is detected by the
processor. An interrupt causes the processor to save state,
to branch to a fixed location, and to resume execution at
that location. See also IDT.
interrupt object interrupt object
A kernel-mode-only, Kernel-defined control object type, used
to connect a hardware interrupt source (see DIRQL) and an
ISR to an IDT entry, or to connect an ISR and an interrupt
transfer routine (dependent on the ISR at its IRQL) to a
second-level IDT entry.
Each interrupt object:
n Can be associated with a single IDT entry (and, n
therefore, with a single processor in a multiprocessor
machine).
n Is either LevelSensitive or Latched, depending on the n
platform or device.
n Can be one of several interrupt objects associated with a n
given IDT entry if and only if every interrupt object for
that entry is of a single type (LevelSensitive or
Latched).
For a second-level IDT entry, an ISR (e.g., for a bus
adapter) associated with a first-level IRQL routes the
interrupt to the (device-specific) interrupt transfer
routine for service via its entry in the IDT.
When more than one set of interrupt objects are connected to
the same first-level IDT entry, the corresponding ISRs are
called in the same order in which they were connected.
invalid page invalid page
A page-sized range of virtual addresses for which a page
fault occurs when any address in the range is referenced.
For NT drivers, referencing an invalid page causes a fatal
page fault unless the driver is running at an IRQL <
DISPATCH_LEVEL when the reference occurs.
G-22 Kernel-mode Driver Design Guide G-22 Kernel-mode Driver Design Guide
I/O stack location I/O stack location
a.k.a. "stack location"
An I/O stack location refers to the part of an IRP that
is allocated for each driver in a chain of layered
drivers. Each driver owns one of the stack locations in
the packet and obtains driver-specific information about
what I/O operation to carry out on the target device,
using the supplied arguments. It is also used to store
context about the driver during I/O completion so that
the driver's I/O completion routine can perform its
cleanup operations.
I/O status block I/O status block
An I/O status block is a data structure that is part of each
IRP. An I/O status block serves two purposes:
1 For asynchronous system calls, it provides the user (or a
higher-level driver's IoCompletion routine) a way of
determining whether or not the service worked when the
IRP is completed.
2 It also provides more information about why the service
either worked or did not work.
The type definition of an I/O status block is as follows:
typedef struct _IO_STATUS_BLOCK {
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
Upon completion of a system service, the Information member
supplies the caller with more information about what
actually occurred. For example, this member contains the
number of bytes actually read from a file after a read
operation.
Glossary of Terms and Acronyms G-23 Glossary of Terms and Acronyms G-23
IPC IPC
Interprocess communication
In addition to synchronization primitives, the NT system
has two defined, message-passing mechanisms for IPC:
1 LPC, defining the port object type with a server
process that supplies system (port) services to local
(using the same physical memory on a single system)
client processes.
2 RPC, with an NT-supplied runtime library that
implements such RPC capabilities as binding a client
process in one address space with a server process in
another address space and sending necessary messages
to make a remote procedure call possible.
The system-supplied named pipe file system supports LPC.
The NT LAN Manager redirector also implements named pipes
as a transport layer to connect clients to application
servers (RPC).
IRP IRP
I/O request packet
An IRP is the basic I/O Manager structure used to
communicate with drivers and to allow drivers to
communicate with each other. A packet consists of two
different parts:
1 Header, or fixed portion of the packet - This is used ______ ___________________________
by the I/O Manager to store information about the
original request, such as the caller's parameters,
the address of the device object upon which the file
is open, etc. It is also used by drivers for storing
such information as the final status of the request.
See also I/O status block and device object.
2 I/O stack locations - Following the header is a set ___________________
of I/O stack locations, one per driver in the chain
of layered drivers for which the request is bound.
Each stack location contains the parameters, function
codes, and context used by the corresponding driver
to determine what it is supposed to be doing.
IRQ IRQ
A hardware line over which a peripheral device, bus
controller, other processor, or the Kernel signals a request
for service to the microprocessor. (IRQ is a common
abbreviation for "interrupt request lines.") See interrupt.
G-24 Kernel-mode Driver Design Guide G-24 Kernel-mode Driver Design Guide
IRQL IRQL
Interrupt request level
The hardware priority level at which a given kernel-mode
routine runs, thereby "masking off" interrupts with
equivalent and lower IRQL on the processor. Note that
such a routine can be preempted by any interrupt with a
higher IRQL. Note also that running at IRQL
DISPATCH_LEVEL or higher prevents threads (even those
with the highest real-time priority level) from running
on the same processor until the current kernel-mode
routine lowers IRQL. However, running at raised IRQL on a
given processor has no effect on the IRQL priority of any
other processor in a symmetric multiprocessor machine.
See also IDT, interrupt object, IRQ, ISR, multiprocessor
machine, and priority.
ISA ISA
Industry standard architecture
Also, a standard defining the architecture of the PC bus
(a.k.a. "AT bus standard").
ISR ISR
Interrupt service routine
A routine whose function is to service a device when it
generates an interrupt.
An NT driver's ISR executes at raised IRQL, usually at
the DIRQL of the interrupt object(s) set up for its
device (i.e., drivers connected to second-level IDT
entries execute at the IRQL of the first-level entry they
connect to). Every NT driver's ISR should execute as
quickly as possible, doing only what is necessary to save
sufficient state, to make the device stop generating
interrupts, and to queue a DPC that completes interrupt
processing at a lower IRQL.
kernel mode kernel mode
The privileged processor mode in which NT executive code
runs. A driver or thread running in kernel mode has access
to system memory and hardware. See also user mode.
kernel space kernel space
(a.k.a. "system space")
A block of virtual memory, dedicated to the use of
kernel-mode code. Generally, the NT kernel space is a
range of high-order virtual addresses around one gigabyte
in size. See also hyperspace, pool memory, and user
space.
Glossary of Terms and Acronyms G-25 Glossary of Terms and Acronyms G-25
key object key object
A NT object type defined by the Configuration Manager that
represents an entry in the configuration registry database.
See also Registry.
latched interrupt latched interrupt
(a.k.a. "edge-triggered interrupt")
An interrupt that occurs at the transition from
deasserted to asserted on the IRQ line.
layered driver layered driver
One of a collection of drivers that respond to the same
IRPs. See also I/O stack location.
The term "layered driver" describes the highest-level and
lowest-level drivers in a chain of layered drivers that
process the same IRPs, along with all intermediate
drivers in the chain.
LBN LBN
Logical block number
A logical block number identifies a physical block on a
disk, using a logical address rather than physical disk
values (for cylinder, track, and sector). For a disk with
N blocks (a.k.a. "sectors"), the corresponding LBNs are 0
through (N - 1). See also MCB and VBN.
level-sensitive interrupt level-sensitive interrupt
An interrupt that occurs when the signal is asserted on the
IRQ line.
LPC LPC
Local procedure call
See also IPC and port object.
G-26 Kernel-mode Driver Design Guide G-26 Kernel-mode Driver Design Guide
little-endian little-endian
Refers to a memory architecture in which the byte layout is
as follows:
n Byte N is the least significant (and, in conventional n
layout diagrams, the "rightmost") byte of:
n A word composed of bytes N and (N + 1). n
n A double word composed of bytes N, (N + 1), (N + 2), n
and (N + 3).
n A K-byte memory entity composed of bytes N, (N + n
1),...,(N + K - 1).
n The address of the preceding word, double word, or K-byte n
entity is its least significant byte, N.
Intel microprocessors always support little-endian
addressing. A MIPS-based machine can be configured for
either big-endian or little-endian addressing. For a little-
endian configuration, the least significant bit of a 16-bit
short value is the "rightmost" bit at byte N, while the most short
significant bit is the "leftmost" bit of byte (N + 1). See
also big-endian.
LSA LSA
Local Security Authority
LU LU
Logical unit
From a SCSI-II HBA driver's point of view, a physical or
virtual peripheral device, addressable through a TID,
attached to a SCSI bus.
LUID LUID
Locally unique identifier
See SID.
MACL MACL
Mandatory access control list
A part of the security descriptor for each object in a
system with a B1 or higher security rating from the U.S.
National Computer Security Center.
map map
(1) To translate a virtual or logical address into a
physical address. See also MDL.
(2) To alias a bus-relative interrupt vector to a system-
assigned interrupt vector. See also HAL.
Glossary of Terms and Acronyms G-27 Glossary of Terms and Acronyms G-27
MCB MCB
Map control block
An MCB is a structure provided by the FsRtl (File System FsRtl _ _
Run-time Library) package to aid NT file systems in _ _ _
mapping the VBNs for a file to the corresponding LBNs on
the disk.
MDL MDL
Memory descriptor list
A memory descriptor list uses an array of physical page
frame numbers (PFNs) to describe the pages that back a
virtual memory range.
method method
A routine supplied with an NT object type that handles
standard operations (such as open, close, delete, parse,
dump, and read or reset security attributes) on every
instance of the object type.
MIDI MIDI
Musical instrument digital interface
miniport driver miniport driver
(1) An HBA-specific driver, linked against the NT-supplied
SCSI port driver, that drives a SCSI bus.
(2) A video-adapter-specific driver, linked against the NT-
supplied video port driver.
mirror driver mirror driver
a.k.a. "shadow driver"
An intermediate (layered somewhere between an FSD and a
disk DD) device driver whose responsibility is to keep a
duplicate of a disk partition.
mount mount
Operation that requests a file system to make a volume
useable by the I/O Manager. This is done by filling in the
information in a VPB which indicates the serial number and
label of the volume, as well as by filling in the pointer to
the file system's device object that represents the "volume"
mounted on the real device.
G-28 Kernel-mode Driver Design Guide G-28 Kernel-mode Driver Design Guide
multiprocessor machine multiprocessor machine
A platform with more than one CPU. NT is designed to run on
multiprocessor machines, usually configured to be:
n Homogenous - all CPUs are identical, and either all have n __________
identical coprocessors or none has a coprocessor.
n Closely coupled - all CPUs share memory and have uniform n _______________
access to memory.
n Symmetric - every CPU can access memory, handle any n _________
interrupt, and access I/O control registers just like
every other CPU in the system. Note that any version of
NT that runs on a symmetric multiprocessor machine also
runs unchanged on a uniprocessor machine based on the _________
same CPU.
While NT can run on asymmetric platforms, configured with __________
a master CPU that handles all IRQs and one or more slave
CPUs as long as the platform is both homogenous and
closely coupled, the system has been designed to run
primarily on symmetric multiprocessor platforms because
SMP machines have better performance characteristics,
particularly for I/O.
mutex object mutex object
A kernel-mode-only, Kernel-defined dispatcher object type,
used to provide mutually-exclusive, deadlock-free access to
a resource.
A mutex owner (thread) must run exclusively in kernel
mode while it retains ownership; an attempt to switch to
user mode while holding a mutex causes a system crash.
Ownership of a mutex by a given thread has the following
effects:
n Prevents the owning thread's process from leaving the n
balance set.
n Raises the owning thread's priority to the the lowest n
real-time priority value if the owning thread's
priority is not already higher.
n Prevents the delivery of normal kernel-mode APCs. n
Each mutex object has an associated level value, and a
given thread may acquire ownership of a mutex if and only
if:
n The requested mutex is currently unowned. n
n The requesting thread does not already own a mutex of n ___
a (numerically) higher level.
These requirements, and the requirement that a mutex
owner run exclusively in kernel mode, prevent deadlocks.
Note that recursive ownership of a mutex is possible.
However, any thread that claims a mutex N times must
Glossary of Terms and Acronyms G-29 Glossary of Terms and Acronyms G-29
explicitly release that mutex N times in order to set the
mutex to the Signaled state.
G-30 Kernel-mode Driver Design Guide G-30 Kernel-mode Driver Design Guide
native services native services
See system services.
NLS NLS
National language support
A set of routines that give applications access to
locale-specific information. See also Unicode.
nonpaged pool nonpaged pool
See pool memory.
NTFS NTFS
NT file system
A file system, native to NT, that supports file system
and file data recovery, extremely large storage media,
and various other features.
object object
A single, run-time instance of a system-defined object type.
Objects visible in user mode include process, thread,
section, file, event, semaphore, key, timer, port, object
directory, symbolic link, and token objects.
Many user-mode objects are implemented through the use of a
corresponding kernel-mode object, including processes,
threads, events, semaphores, and timers. Other user-mode
objects contain "hidden" kernel-mode objects, such as the
event associated with each file object.
Kernel-mode-only objects include APC, DPC, device queue,
interrupt, mutex, driver, device, adapter, controller,
and stream file objects.
object directory object object directory object
A type defined by the Object Manager and used to implement
hierarchical object names.
Note that file system directories are implemented as NT
file objects, not as object directory objects.
Glossary of Terms and Acronyms G-31 Glossary of Terms and Acronyms G-31
object type object type
An opaque data structure that defines a protected entity
implemented and manipulated by the operating system. See
also opaque.
Every user-visible object has:
n A type (whose name must be unique). n
n Two parts: n
1 A header operated on by the NT Object Manager. ______
2 A body operated on by type-specific system ____
services. For example, the system service that
reads a file operates on an open file object.
n A set of standardized rules for object creation, n
deletion, protection, access, management, and naming.
User-visible objects can contain "hidden" kernel-mode
objects. For example, a user-mode thread can wait on a
file handle because it contains a hidden, kernel-mode
event object.
Kernel-mode objects are visible to (and directly
accessible only by) the executive component that defined
a given object type. They are are indirectly accessible
to other kernel-mode code through the type-specific
functions exported by the defining component (e.g.,
KeInitializeDeviceQueue operates on device queue KeInitializeDeviceQueue
objects).
opaque opaque
Pertains to any data structure (including NT objects)
defined with a deliberately hidden internal structure that
is known only to the executive component that defined the
type. However, the defining component supplies system
services and, usually, kernel-mode functions to manipulate
opaque objects. User-mode data types can also be opaque.
paging file paging file
A system file containing the contents of virtual pages that
have been paged out of memory. See also backing store.
page frame page frame
A block of contiguous physical addresses used to store the
contents of a virtual page. Note that the virtual page size
and page frame size are usually identical, but that a page
frame size is actually microprocessor-dependent.
paged pool paged pool
See pool memory.
G-32 Kernel-mode Driver Design Guide G-32 Kernel-mode Driver Design Guide
PCR PCR
Processor control registers
An internal data structure in which the Kernel stores
per-processor information.
PEB PEB
Process environment block
PFN PFN
Page frame number
Also, the database in which the NT Memory Manager
maintains information about every physical page in the
system. Each PFN is an index for a physical page in the
array of records that makes up the PFN database. See also
PTE.
PIO PIO
Programmed I/O
polling polling
A pernicious, but sometimes necessary, coding technique that
wastes CPU cycles in a driver until the physical device
updates its registers. NT device drivers should never
implement polling loops and should minimize the interval
they specify in calls to KeStallExecutionProcessor (no KeStallExecutionProcessor
longer than 50 microseconds) if they must poll their
devices.
Glossary of Terms and Acronyms G-33 Glossary of Terms and Acronyms G-33
pool memory pool memory
Regions located in kernel space from which memory blocks can
be allocated and deallocated dynamically (some other systems
call this "heap memory"). The NT Memory Manager creates two
kinds of pools for system use and for use by drivers via
Ex(ecutive) Support function calls: Ex
1 Paged pool is a based region that can be paged in and out __________
of a process's working set. Each process has its own set
of PTEs that map paged pool into its address space.
Touching a page in this pool can cause a page fault at
any time, so drivers should allocate only those data
structures accessed exclusively at IRQL PASSIVE_LEVEL or
APC_LEVEL (see IDT) from paged pool.
2 Nonpaged pool is a based region for which all processes _____________
share a set of PTEs. The NT Memory Manager guarantees
that nonpaged pool is resident in physical memory at all
times; therefore, this region can be accessed from any
process's address space without causing a page fault.
However, nonpaged pool is a limited system resource.
Drivers should allocate from paged pool for entities that
are accessed exclusively at or below IRQL APC_LEVEL. They
should minimize their usage of nonpaged pool by "saving" it
for data that must be accessed at or above IRQL
DISPATCH_LEVEL. Allocations of contiguous or noncached
memory come from nonpaged pool.
The Memory Manager allocates entities from both pools using
a buddy scheme. See also kernel space.
port object port object
An instance of an object type representing a conduit for
messages between local (server/client) processes. It is used
in the LPC (Local Procedure Call) model of NT as an object _ _ _
accessible to user-mode processes through system services.
The server (callee) process defines a named connection port
object and sets up two (unnamed) communication port objects
when a client (caller) process connects to the named port.
G-34 Kernel-mode Driver Design Guide G-34 Kernel-mode Driver Design Guide
port driver port driver
(1) An NT-supplied SCSI driver that supports a set of class
drivers above it and one or more HBA-specific miniport
drivers, which link themselves to the NT-dependent port
driver (implemented as a dynamic-link library) and call its
ScsiPortXxx routines. ScsiPort ___
(2) An NT-supplied video adapter driver that supports a
user-level display driver and one or more adapter-specific
miniport drivers, which link themselves to the OS-dependent
port driver (implemented as a dynamic-link library) and call
its VideoPortXxx routines. VideoPort ___
(3) A lowest-level device driver whose device is a so-called
"intelligent controller" or a bus adapter. A port driver
communicates with one or more class drivers according to an
established protocol and synchronizes access to the
controller or bus.
(4) A lowest-level physical device driver that responds to a
set of system-defined device I/O control requests (and,
possibly an additional set of driver-defined internal I/O
control requests) sent down by a corresponding class driver.
See also class driver and miniport driver.
POSIX POSIX
Portable operating system for (UN)IX
PRCB PRCB
Processor control block __ _ _
An extension of the PCR.
priority priority
An attribute of a thread that determines when and how often
it is scheduled to run. For a running thread, its priority
falls into either of two classes, each class with 16 levels:
1 Variable priority class has values in the range 0 to 15. ________ ______________
This class is used by most threads.
Threads with variable priority are always preemptible
(scheduled to run round-robin with other threads at the
same level). In general, the Kernel manages a variable-
priority thread as follows: when the thread is
interactive with a user, its priority is high (given a
boost); otherwise, its priority decays (by one level per
quantum the thread runs) until it reaches its original
(programmer-defined) base level.
2 Real-time priority class has values in the range 16 to ________________________
31. This class is used by time-critical threads, making
such a thread preemptible only by a thread with higher
priority. Note that a thread running at the highest real-
Glossary of Terms and Acronyms G-35 Glossary of Terms and Acronyms G-35
time priority level could be preempted by a special
Kernel APC if an APC_LEVEL interrupt occurs.
G-36 Kernel-mode Driver Design Guide G-36 Kernel-mode Driver Design Guide
priority boosts priority boosts
A set of system-defined constant values, supplied when
certain device drivers complete an IRP. In general, drivers
for interactive devices call IoCompleteRequest with a IoCompleteRequest
device-type-specific priority boost value. The boost is
added to the priority of the user-mode thread that
originally requested the I/O operation, in order to
compensate for that thread's assumed wait on the I/O.
probe probe
To check whether a memory access of a particular kind (e.g.,
read) to data (e.g., a handle for an object or a buffer) is
allowed without causing an access violation. Note that user-
supplied argument values are always probed and captured (on
the system stack) before an NT system service gets control
in kernel mode. The system service is responsible for
probing whatever a captured pointer accesses.
process object process object
A Kernel-defined control object type, representing the
virtual address space and control information necessary for
the execution of a set of thread objects. A user-mode
process object defines the base priority, default affinity,
and directory table base value for its threads and for any
child processes it creates. Every user-visible process
object is implemented through the use of an embedded kernel-
mode process object.
A kernel-mode-only process object must be initialized
before any thread objects that belong to the process.
At any given moment, a process is either part of the
balance set (Included) or not (Excluded). A kernel-mode
process must remain in the balance set as long as any of
its threads owns a mutex object. Each thread owning one
or more mutexes continues to run until it releases its
last mutex, when the thread is suspended. The process is
not removed from the balance set until every thread has ___
released all mutexes.
protected subsystem protected subsystem
A server that performs operating system functions or that
emulates another operating system, such as WindowsTM or
POSIX, on top of the NT executive. See also integral
subsystem.
PTE PTE
Page table entry
Glossary of Terms and Acronyms G-37 Glossary of Terms and Acronyms G-37
The Memory Manager uses a PTE to represent the state of a
virtual page.
G-38 Kernel-mode Driver Design Guide G-38 Kernel-mode Driver Design Guide
pulse pulse
To set an event to the Signaled state, satisfy as many
waiters on the event as possible, and to reset the event to
the Not-Signaled state.
quantum quantum
a.k.a. "time slice"
A brief period of time during which a given thread
executes in a multitasking operating system.
quota quota
For each process, NT sets a limit on certain system
resources the process's threads can use, including quotas
for paging-file, paged-pool, and nonpaged-pool usage, as
well as for CPU time. As the process's threads run, the
Kernel subtracts the CPU time used from the quota. The
Memory Manager "charges quota" against the process as its
threads use page-file, paged-pool, or nonpaged-pool memory;
it also updates these values when threads release memory.
raise an exception raise an exception
A deliberate transfer of control to an exception handler
when an exception occurs. A kernel-mode component, including
any NT driver, cannot raise an exeception while running at
IRQL > APC_LEVEL without bringing down the system. See also
SEH.
range range
A finite and discrete sequence of values. Note that a
virtual address range can be backed by a set of
discontiguous physical pages or by a file stored in
discontiguous sectors on disk.
RAW RAW
An NT-supplied file system that is the "last resort" for all
NT I/O requests requiring file system support. When the I/O
Manager calls active NT file systems to mount a volume, RAW
file system driver is always called last, because it
recognizes all disk and tape media. However, RAW supplies
very primitive file handling capabilities. For example, it
treats the whole disk as a single file and supplies
physical-disk-level VBN access to the disk.
RAW is not an acronym.
redirector redirector
An NT (network) file system driver that provides access to
files on remote machines.
Glossary of Terms and Acronyms G-39 Glossary of Terms and Acronyms G-39
region region
A range of virtual addresses.
When a user-mode caller creates a section or maps a view,
it must specify a region. The NT Memory Manager rounds
the specified region's starting address down to the
nearest host-alignment boundary and rounds its size in
bytes up to the next host-page-size boundary.
registry registry
a.k.a. "configuration registry"
A database containing configuration and control data for
the system, including which file systems and drivers to
load at system boot. The NT Configuration Manager exports
system services to manipulate registry key objects
contained in the database.
resource resource
An entity (such as a device object, file object, section
object, variable, structure, or buffer) visible to one or
more processes.
In kernel mode, a shared resource is a multiprocessor-
safe synchronization mechanism, rather like a gating
semaphore with a dynamic limit value. Drivers can use
system-supplied Ex(ecutive) Support and/or Rtl (Runtime Ex Rtl _ _
Library) functions to control access to a memory entity, _
such as a file or database, on a multiple-reader (shared
access), single-writer (exclusive access) basis.
RPC RPC
Remote procedure call
A call from one process's thread (client) to another's
(server) that exists in a different address space,
usually on another (networked) machine. See also IPC.
Rtl functions Rtl functions
There are two general sets of (C) Runtime Library functions _ _ _
supplied with the NT system, one each for user mode and for
kernel mode. All NT drivers can call the kernel-mode Rtl Rtl
functions. An NT (highest-level) driver cannot call a user-
mode Rtl function unless it is executing in the context of Rtl
the user-mode thread that requested the driver's current I/O
operation.
G-40 Kernel-mode Driver Design Guide G-40 Kernel-mode Driver Design Guide
run run
verb: to execute on a processor.
noun: (1) within an MCB, a contiguous range of VBNs mapped
to a contiguous range of LBNs (a.k.a. "extent"); (2) slang
for a quantum, as in "when the thread is given the run..."
runtime priority inversion runtime priority inversion
A condition that can occur when threads with mismatched
priority attributes share resources or when a higher
priority thread waits for a lower priority thread to
complete some action. Such an inversion occurs whenever:
n A high priority thread is blocked, waiting for a lower n
priority thread to release a shared resource or to
complete an action (and probably to set a dispatcher
object to the Signaled state).
n This lower priority thread is also blocked, because many n
other higher priority threads are ready for execution, so
they will be run first.
Under these circumstances, the waiting high priority thread
undergoes a runtime priority inversion, because one or more
lower priority threads will run before it does. Note that
two threads with mismatched priorities must be very careful
to avoid deadlocks if they "share" a resource in a mutually
exclusive manner (that is, only one thread at a given time
can access the resource). Such a pair of threads should not
attempt to use a spin lock. See also thread object,
priority, resource, and deadlock.
SACL SACL
System access control list
A part of the NT security descriptor for an object, used
to maintain per object auditing information. See also
security descriptor, ACE, and ACL.
SAM SAM
Security Account Manager
An integral subsystem that maintains a database of
information on user accounts, including passwords, any
account groups a given user belongs to, the access rights
each user is allowed, and any special privileges a given
user has.
SCSI SCSI
Small computer standard interface (pronunciation: "scuzzy")
NT SCSI drivers are assumed to comply with the ANSI SCSI-
II standard. In addition, NT supplies an OS-dependent
SCSI port driver, implemented as a dynamic-link library,
Glossary of Terms and Acronyms G-41 Glossary of Terms and Acronyms G-41
and several device-type-specific class drivers, together
with system-defined interfaces to HBA-specific SCSI
miniport drivers and additional class drivers.
section object section object
A user-mode object type, representing a memory entity that
can be mapped onto a range of virtual addresses in a
process's address space. Note that creating or opening a
section object does not allocate physical memory. See also
view.
An opened section object can be either:
1 File-backed - The original entity resides as a file on a ___________
disk.
2 Page-backed - The original entity resides either in a ___________
paging file controlled by the Memory Manager or (wholly
or partially) in physical memory where storage is page-
granular and the page size is microprocessor-dependent.
Unnamed sections are not sharable, but a view into an
unnamed section can be mapped through the creating
process's handle. Named sections are shareable. All
sections are inheritable by child processes.
security descriptor security descriptor
A data structure used to hold per-object security
information, including the object's owner, group, protection
attributes, and audit information. See also ACE, ACL, SACL
and SID.
security violation security violation
A user-mode attempt to access an object (by passing its
handle to a system service) without having the correct,
granted access rights for the requested operation. See also
ACE and ACL.
Note that the Security component does not check the
access rights on object handles used by kernel-mode code.
However, the I/O Manager and network server driver can
force a security access check on object handles.
G-42 Kernel-mode Driver Design Guide G-42 Kernel-mode Driver Design Guide
SEH SEH
Structured exception handling
A feature of the NT system, which supports control
transfers to exception handlers when certain runtime
exceptions occur. The system traps the following general
kinds of exceptions:
1 Hardware-defined faults or traps, such as,
n Access violations (see also access violation). n
n Data-type misalignments (such as a 16-bit entity n
aligned on an odd-byte boundary).
n Illegal and privileged instructions. n
n Invalid lock sequences (attempting to execute an n
invalid sequence of instructions within an
interlocked section of code).
n Integer divides by zero and overflows. n
n Floating-point divides by zero, overflows, n
underflows, and reserved operands.
n Breakpoints and single steps (to support n
debuggers).
2 System software-defined exceptions, such as,
n Guard-page violations (attempting to load or store n
data from or to a location within a guard page).
n Page read errors (attempting to read a page into n
memory and encountering a concurrent I/O error).
n Paging file quota exceeded (attempting to commit n
backing store for a page currently being removed
from a process's working set).
NT supplies standard exception handlers for data-type
alignment faults and for ANSI/IEEE Std 754-1985 floating-
point faults.
Both user-mode and kernel-mode code can set up custom
exception handlers using the except, try, and finally except try finally
constructs currently supplied by NT-compatible C
compilers and supported by NT-supplied Rtl (Run-time Rtl _ _
Library) functions. An exception handler can be _
associated with each call frame in the function-call
hierarchy of a program. A CONTEXT record contains the
register state for each exception handler.
Glossary of Terms and Acronyms G-43 Glossary of Terms and Acronyms G-43
semaphore object semaphore object
A user-mode semaphore gates access to resources, allowing
some maximum number of threads (as specified when the
semaphore object was created) to access the resources
protected by the semaphore.
Each user-mode semaphore also has an associated current
count, representing how many additional threads can acquire
the semaphore. When the current count is zero, a thread
attempting to acquire the semaphore waits (i.e., blocks)
until the count is incremented (another thread has released
that semaphore). Every user-mode semaphore object is
implemented through the use of a kernel-mode semaphore
object.
A kernel-mode semaphore is an instance of a Kernel-defined
dispatcher object type. It has either of two uses:
1 A counting semaphore gates access to a resource by __________________
allowing some number of threads (up to a specified limit)
to access the resource while the semaphore is set to the
Signaled state (semaphore count is nonzero).
2 A binary semaphore gates access to a single resource, if ________________
and only if the limit is set to 1 and it is not possible
for the semaphore to be over-Signaled (set to the
Signaled state when it is already in the Signaled state).
A binary semaphore gates exclusive access to a resource.
However, using a semaphore with a limit of 1 to gate
access is not the same thing as using a mutex: ___
semaphores have no ownership, deadlocks are possible, and
the owner's priority is unaffected.
server server
(1) A process with one or more threads that accept requests
from client processes. See also client/server.
(2) An NT-supplied file system driver that provides remote
access to files, named pipes, comm devices, and print
devices. It implements the LAN Manager 2.1 SMB (server
message block) protocol, along with NT-specific extensions.
Session Manager Session Manager
An integral subsystem that starts and keeps track of NT
logon sessions and serves as an intermediary between the
Windows NT and other protected subsystems.
G-44 Kernel-mode Driver Design Guide G-44 Kernel-mode Driver Design Guide
SFD SFD
SCSI filter driver
An add-on driver for a SCSI class device that is layered
between the system-supplied class driver and the NT SCSI
port driver. An SFD intercepts requests for a particular
SCSI peripheral device that has special features (not
shared by other SCSI devices of its class), or that does
not accept standard SCSI-II CDBs, in order to set up
device-specific requests. For other devices of the same
class on the same bus, an SFD simply passes requests sent
down from the system-supplied class driver on to the NT
SCSI port driver.
SID SID
Security identifier
A value, unique across time and space, that identifies a
process in the Security system. SIDs can either identify
an individual process, usually containing a user's logon
identifier, or a group of processes.
Signaled Signaled
An attribute of Kernel-defined dispatcher objects that
support synchronization. When the Kernel sets such an object
to the Signaled state, any threads waiting on the object are
released from their wait and become elgible for execution.
single-byte coding scheme single-byte coding scheme
A character encoding scheme, such as ASCII, that uses a byte
to represent each character. See also Unicode.
SMP SMP
Symmetric multiprocessor machine
See multiprocessor machine.
spin lock spin lock
A spin lock is a low-level, synchronization mechanism
defined by the NT Kernel. A driver or any other kernel-mode
component can use a spin lock to synchronize access to a
shared resource, particularly in a multiprocessor machine.
When one routine holds a particular spin lock, a second
routine running on another processor cannot access the
resource protected by that spin lock until it acquires the
lock. While a routine attempts to acquire a spin lock, it
cannot carry out other operations (it spins) until the lock _____
has been acquired.
Note that operations involving system-defined spin locks are
IRQL-specific to help prevent deadlocks: an interrupt spin ______________
Glossary of Terms and Acronyms G-45 Glossary of Terms and Acronyms G-45
lock can only be acquired while executing at a DIRQL of the ____
associated interrupt object; an executive spin lock can only ___________________
be acquired while executing at DISPATCH_LEVEL IRQL.
SRB SRB
SCSI request block
An NT-defined structure, used to communicate I/O requests
from a SCSI class driver to the NT-dependent port driver,
which relays such request to appropriate HBA-specific
miniport drivers.
stream file object stream file object
A virtual file representing on-disk data associated with
a file, some of which might not be part of the physical
file that backs a file object. For example, a stream file
object makes it possible to cache the EAs or ACL for a
file object together with the file's data. See also
volume file.
stripe driver stripe driver
(a.k.a. "striper")
An intermediate driver whose job is to get better
performance for file accesses than the underlying disk
driver can. A stripe driver is layered between the FSD
and a disk device driver (or between a mirror driver and
the disk driver). It distributes pieces of each file over
a set of partitions concurrently, thereby cutting down on
synchronous read/write time for the file.
subject subject
The combination of a (security) token and of an associated
program that may use system services. See also token.
symbolic link symbolic link
(1) An instance of the symbolic link object type,
representing a "soft alias" that equates one name to another
within the NT Object Manager's name space.
(2) A file object with special properties. A symbolic link
file is recognized as having the following three attributes:
1 Its FILE_ATTRIBUTE_CONTROL bit is set.
2 It has an EA whose name is .FAMILY_IDs and whose 128-bit
binary value is 42 (decimal).
3 It has an EA whose name is .SYMBOLIC_LINK_VALUE and whose
value is the fully qualified pathname of the target file.
When a special file of this type is encountered as a
component of a pathname, rather than opening the file
itself, the file system is redirected to the target file.
G-46 Kernel-mode Driver Design Guide G-46 Kernel-mode Driver Design Guide
Note that the I/O Manager does not actually use a
symbolic link object to implement symbolic link files; it
uses a file object.
Glossary of Terms and Acronyms G-47 Glossary of Terms and Acronyms G-47
symbolic link object symbolic link object
An instance of a type defined by the Object Manager, used to
translate a reference to one named object into a different
name.
system services system services
The set of native, user-mode routines exported by the NT
executive. Each system service has a name of the form
TwoLettersXxxYyy where: ________________
n TwoLetters is the prefix for all system services. n __________
n Xxx is usually a verb, describing the operation of a n ___
given service.
n Yyy is generally the object type the service operates on. n ___
system space system space
See kernel space.
system worker threads system worker threads
A set of kernel-mode threads provided by the NT Executive
Support component that NT drivers, particularly FSDs, use to
get work done within a nonarbitrary thread context. Such a
driver sets up a work queue item with a driver-supplied
callback routine that is queued to be run when a system
worker thread is dispatched for execution by the Kernel. See
also FSP and thread object.
TB TB
Translation buffer
See TLB.
TEB TEB
Thread environment block
G-48 Kernel-mode Driver Design Guide G-48 Kernel-mode Driver Design Guide
thread object thread object
A user-mode thread object represents a path of execution
within the current process. Every user-mode thread object is
implemented through the use of an embedded kernel-mode
thread object.
A kernel-mode thread is an instance of a Kernel-defined
dispatcher object type. It is the basic schedulable entity
in the NT system.
A thread object:
n Is dispatched for execution by the Kernel. n
n Has the following properties at any given moment: n
1 Dispatch state
2 Priority
3 Context
4 Execution mode (kernel or user)
5 Affinity
n Is "owned by" a process object but can attach itself to n
another process's address space.
Note that most NT drivers usually execute in the context of
the currently running thread, that is, in an arbitrary
thread context. While an NT file system driver can create an
independent process for its own device-dedicated threads,
FSDs usually avoid setting up a driver-created process in
order to conserve system memory. FSDs (and other NT drivers)
can set up device-dedicated (system-process) threads and/or
FSDs can use system worker threads if they need a driver-
specific thread context in which to execute. NT drivers use
kernel-mode Ps (Process Structure) functions to create Ps _ _
processes and/or device-dedicated threads, not the Ke(rnel) Ke ___
thread functions. FSDs call routines supplied by the NT
Executive Support component to use system worker threads. Ex
TID TID
Target identifier
One of up to eight target controllers on a SCSI-II bus
through which peripheral devices are addressable, either
as numbered TIDs or as logical units (LUs) subordinate to
a particular TID.
Glossary of Terms and Acronyms G-49 Glossary of Terms and Acronyms G-49
timer object timer object
A timer object is an instance of a Kernel-defined dispatcher
object type. User-mode timer objects can be used to
synchronize the execution of specific actions, optionally an
APC, with time. Kernel-mode timer objects are used to
synchronize the execution of specific actions, in particular
a DPC, with time.
When set to a specified interval:
n The timer's state is reset to Not-Signaled. n
n The timer is placed in a queue that is ordered n
according to expiration time.
Any thread that waits on the timer is suspended until the
timer is set to the Signaled state when its interval
expires.
Expiration of the specified interval does not determine
the end of a wait; the Signaled state does. Then, the
Kernel attempts to satisfy as many waiters as possible.
The I/O Manager also supplies timer functions for drivers to
use.
TLB TLB
Translation lookaside buffer
(Not directly accessible by system software for the i386;
otherwise, an on-chip virtual-to-page address translation
cache for the i486 and MIPS microprocessors.)
toaster device toaster device
slang: A SCSI peripheral device of an unknown class.
token object token object
A security object type, representing an authenticated user
process. Every process has an assigned token, which becomes
the default token for each of that process's threads.
However, an individual thread can be assigned a token that
overrides this default.
trap handler trap handler
A body of code in the Kernel to which the processor
transfers control when an interrupt or exception occurs. The
trap handler determines the type of condition that caused
the interrupt or exception and transfers control to an ISR
or exception handler.
Unicode Unicode
A fixed-width, 16-bit character encoding standard that NT
uses to provide NLS support for locale-specific natural
languages. See also NLS.
G-50 Kernel-mode Driver Design Guide G-50 Kernel-mode Driver Design Guide
user mode user mode
The nonprivileged processor mode in which application code,
including protected subsystem code, executes. User-mode
threads can only gain access to system data by calling
system services. See also kernel mode.
valid page valid page
A virtual page that is currently in physical memory. See
also invalid page.
user space user space
A block of virtual memory, dedicated to the use of the
current user-mode process. Generally, the NT user space is a
range of low-order virtual addresses around two gigabytes in
size. See also hyperspace, kernel space, section object, and
view.
VBN VBN
Virtual block number
A virtual block number identifies a block (a.k.a.
"sector") relative to the start of a file. For a file
with N blocks of data, the corresponding VBNs are 0
through (N - 1).
VCB VCB
Volume control block
An internal NT file system structure in which a file
system maintains state about a mounted volume.
VDM VDM
Virtual DOS machines
A protected subsystem that emulates DOS and Windows
(earlier versions than Windows NT) on top of NT.
view view
A whole or partial mapping of a section object, always
allocated on a 64K boundary, in the virtual address space of
a process. Note that mapping a view of a section that is
backed by an executable image file, in effect, "loads" the
image. (Except during the system boot process, NT uses
memory-mapped I/O, rather than a loader, to start program
execution.)
Glossary of Terms and Acronyms G-51 Glossary of Terms and Acronyms G-51
virtual memory virtual memory
A logical view of memory that does not necessarily
correspond to the underlying physical memory structure. For
example, a given range of virtual addresses might be mapped
to (and backed by) some number of discontiguous physical
pages, even though the corresponding virtual pages could be
accessed as a single, contiguous range.
VMCB VMCB
Volume map control block
An opaque structure that stores VBN-to-LBN mappings for a
volume file. FSDs can use a set of FsRtl routines to FsRtl
maintain a VMCB for each mounted volume.
volume file volume file
A virtual file, maintained by certain NT file systems,
whose contents map ancillary structures of the on-disk
file system. A volume file is a type of stream file.
VPB VPB
Volume parameter block
A VPB is a structure that connects a file system's device
object to the device upon which the volume is mounted.
The file system's device object is actually used to
represent the volume (VPB) mounted on the actual device
(physical device object). Device objects for physical
disks, tapes, CD ROMs, and RAM disks have associated
VPBs.
VRP VRP
Video request packet
A structure used to communicate device I/O control
requests from a Windows NT display driver to its
corresponding adapter-specific miniport driver. The NT
I/O Manager sets up an IRP in response to a user-mode
display driver's I/O control request and calls the NT-
supplied video port driver with the IRP. The video port
driver uses the IRP to set up a VRP and calls the
miniport driver's StartIo entry point with the VRP.
window turn window turn
Turning a window refers to the process of filling an MCB
with the appropriate retrieval pointers in order to map a
VBN for a file to an LBN for a disk.
G-52 Kernel-mode Driver Design Guide G-52 Kernel-mode Driver Design Guide
working set working set
The set of physical pages that are resident for a given
process while it has one or more running threads. See also
balance set and quota.
The size of each process's working set is bounded by a
minimum number of pages (that the NT Memory Manager
guarantees to be resident while the process has one
running thread) and by a maximum. However, NT does not
necessarily constrain a process's working set to its
maximum if many free pages are available.
WORM WORM
Write-once, read many
WSL WSL
Working set list
The set of WSLEs for the current process.
WSLE WSLE
Working set list entry
zone zone
A block of dynamically allocatable and deallocatable storage
of a specified and fixed size within a block of equivalent
zones. Each zone within such a block is aligned on a
platform-dependent boundary, determined by the processor's
data cache line size. Callers of the Ex(ecutive) Support Ex
zone functions must synchronize their allocation and
deallocation of zones within the block.
For example, the I/O Manager uses zones to implement
lookaside lists for fast allocation and deallocation of
IRPs and MDLs.
Zw routines Zw routines
A set of entry points parallel to the NT executive's system
services. A call to a ZwXxx entry point from kernel-mode Zw ___
code (including calls from other system services or NT
drivers) supplies the corresponding system service, except
the caller's access rights and the arguments to the Zw Zw
"alias" are not checked for validity, and the call does not
cause the previous mode to be set to user mode. It is the
responsibility of a kernel-mode caller to check all user-
supplied arguments for validity before such a caller passes
them on to a ZwXxx entry point. See also system services, Zw ___
probe, and SEH.