Alex Ionescu wrote:
I view this as a "misunderstanding with some design choices", if not even a "misunderstanding of NT Subsystem design".
Subsystem design is subtle. Cutler is not an ordinary person. Also the subsystem design was conceived in another era, in CS terms. Cutler and his group designed it when the OS (beginning-to-ruin) myth was CM Mach (at the same time, RMS invented Hurd; recently Apple could sell it rebranded as Mac OS X...).
The design choice, in short, is the rôle of the "Client/Server Runtime SubSystem" (CSR=CSRSS.EXE+CSRSRV.DLL) in the design of the "O.S. Personality" code, that is the emulation code that manages processes of the same operating system in user mode, making them belive to run on the emulated O.S.
The Client/Server Runtime SubSystem, which is unfortunately incorrectly named by Microsoft,
It is funny to note now that what you say here is a thought that spinned around in my mind for years in the past. My personal answer was exactly yours.
is actually the Win32 Personality.
Later I discovered a theologian and philosopher - W. Ockam (1295/1300-1349) - that today most of us (don't) know is the father of the KIS(S) principle. Do not invent an hypothesis if it *not needed*. I used to say "Those developers at MS are really eccentric! Why did they call the Win32 subsystem server CSRSS.EXE? They are really dumb!".
The unnecessary assumption is, of course, that they *incorrectly named* it.
It manages Win32 processes in user-mode, and allows them to access kernel features which would pollute the native-mode ntdll.dll, would they have been included there. Only Win32 processes use csrss and registration is done in kernel32. Console windows, another Win32-ism also use csrss.
This is what we observe today in a live system of the NT family. But, if you see a man that wears a black suit, are you sure he's a priest? It could be a MiB, or a punk, or simply an old fashioned gentleman.
For instance, everybody here knows that the dynamic library NTDLL.DLL exposes the so called "native API", the NT real API. But even you are diverted by that sweet assonance and commit the mistake of saying it has the native-mode mark. Indeed its subsystem ID is 3.
When I discovered it, I had a shock, a few years ago.
Does it fit in you picture?
Because NT was designed with a set of universal native APIs, this was necessary so that routines useful to only one personality wouldn't be exported as native APIs. For example, fork() is a POSIX-only API, not Windows 32. Therefore, it was not included in ntdll.dll, even though the kernel supports it. Instead, it's used by the POSIX subsystem. The same goes for Console windows and their APIs, which are usable only in Win32. Access to the video hardware is done in kernel-mode, but the functions are called through CSRSS.
A very good example, but a less precise description. NtCreateProcess is an API that is more abstract than Win32 CreateProcess and than POSIX fork/exec. As it is more abstract, the respective less general semantics can be implemented using it. As Casper pointed out, more general, more abstract, means more complex.
Now, CSRSS is in a way a Client/Server Subsystem, because it's merely a 4KB host to CSR Servers, which implement parts of the Win32 behaviour. The 3 servers currently used are: basesrv.dll, which handles SxS (Side by Side assemblies, a Windows XP feature), VDM (16-bit emulation) and stuff like Process/Thread creation, winsrv.dll, which handles some graphical things and windowmessage-related functionality (such as hardware event dispatching) plus all the Console code (winsrv is internally split into 2 CSR Servers). I think a big problem here is that ea believes that CSRSS is the place where you would add a POSIX subsystem. This isn't the case. CSRSS is reserved for Win32 CSR Servers.
Of course, not in the instance where basesrv.dll and winsrv.dll are loaded. I think the csrss.exe + csrsrv.dll (the core) were the original CSR. Of course the os2ss and psxss MS sold us don't use it. They couldn't, because the current CSR core was intentionally "polluted" to support only basesrv.dll and winsrv.dll. But it is not our fault.
Also I dont think the Win32 server should run in more than one instance. When you look at the process list, in a TS machine, those many csrss.exe you see are (but one) μSessions of the Win32 server (the mother is the one with lowest PID). Imagine Linus' face if you propose to load a new instance of the Linux kernel each time you login... well it is exactly what happens when you connect from a TS client (win32k.sys is loaded again). I don't know how you define that way of programming: perhaps, in a sentence, "Does it compile? Let's sell it!". Well, two.
Now, let's move on...what actually loads CSRSS? This is called SMSS, the Session Manager SubSystem. The Session Manager handles all the subsystems that are installed on an NT Machine. By default, this means CSRSS, the Win32 subsystem. If you install SFU 3.5, or are using Windows Server 2003 R2, you will also get psxss.exe.
The original PSXSS.EXE was, as you know, a nice trick. MS had to show that NT was POSIX 1003.1 compliant, to get DOD contracts. But, of course, it should do it fast and could not show "too much". This decency shows how they got two prizes with one shot. PSX is not a vertical subsystem, but a side subsystem, or a second-level personality. In fact it requires the Win32 subsystem running to work. The first prize is that you show NT is a POSIX system. The second prize is that you can not drop Win32 to run your POSIX system. Market and market, not computer science.
This recalls me that recently MS was sentenced, because it is impossible to remove IE from Windows. A recurring trick.
On older Windows, you can also have os2ss.exe. These are the POSIX and OS/2 subsystems.
Once again, let's look back. OS/2 was the original user mode API Cutler was sked by MS to make available on top of the NT core. As Windows 3.0 was a worldwide success and the alliance with IBM broke, they had to switch to Win32. As there was a common ancestor, do you think they rewrote the CSR from ground up? It is more likely that they freezed the CSR used by OS/2 and, after a lazy copy & paste, extended it ("polluted it") to build what we today say it should be named w32ss.exe.
They have nothing to do with CSR at all, and they are actually, in themselves, CSRSSes for their own subsystems.
This is by design, an evil design... ;) Would have MS shown how easy is writing your own subsystem in a moment when they had to face IBM OS/2 rival API? My friends, close every gate, every window, every hole and harmour the Win32 server!
This is the naming mistake I was talking about; Microsoft should have named csrss as w32ss.exe.
Ockam! ;)
So, SMSS is the first process that will load, and it will then load the subsystems, say csrss psxss and os2ss. These subsystems will then load server dlls which expose functionality that can be called from user-mode processes.
SM is a super server. But then, if it is so super, why does it humble itself in defining DOS devices, in loading a process of one of its controlled children (I refer to WINLOGON.EXE)... If that is not "pollution", maybe a nuclear bomb exploded somewhere in the vicinity. :(
As I'm writing this, my Win2K3 machine is running posix grep and working perfectly. It's not touchign CSRSS at all, nor should it have to. CSRSS is a win32 subsystem.
CSRSS.EXE+CSRSRV.DLL, as they load BASESRV.DLL and WINSRV.DLL, *are* the Win32 personality subsystem server.
Think about it like the program run by the Architect in Matrix: when you double click on Microsoft Word's icon and the process is created, it happily belives to run under Windows, it can see the familiar libraries, it can call CreateFile and get back a reasonable file. In fact, CreateFile calls NtCreateFile and so on. Microsoft Word lives in a fake World. ;)
The two opposite directions the CSR can turn for are:
- be a process totally bound to the Windows personality
Which it's -supposed- to be. CSR is W32SS.
If we clone Windows NT, this is correct. But dumping is illegal.
- be a general purpose process, a facility for any kind of personality
Other personalities don't need CSR! They have PSX and OS2 and VMS and etc...
The pieces of code MS sold us match this definition. I ask myself: is this a technical limitation, or imposed by market staff?
As Gunnar saw, probably there is a common set of facilities you need every time you write a personality server. I would like to write it once for them all (If I could, but you showed you are much more skilled than me!). Casper, as already noted, pointed out it is a complex piece of code to write. You are required to write the equivalent of the abstract NtCreateProcess, to be called by the Windows personality server and by the POSIX personality server and by the OS/2 server and by the...
My question is: is it worth writing such a live run-time code? (DLLs are "dead code", because they live un the context of the process that loads them; vice versa, a subsystem is a "live DLL", because it lives before the process that will use it; if you like biology, there is the same difference between a virus and a bacterium).
More on demand.
Another issue which ea has brought up is that NT is somehow to "connected" to Win32.
Well, Alex, I repeatedly used the adjective "polluted", which does not mean "connected". I meant they put helper pieces of code, here and there, to make the Win32 server's life easier. If you want a more technical equivalent of "polluted", read it "less general, less abstract". Casper is definitely right!
I beg to differ. I've spent a week working on a sample native application. It currently can display running processes, drivers, create a new process and create/delete/list files. Here are some screenshots:
http://members.tripod.com/WinAlOS/rtlcli.png http://members.tripod.com/WinAlOS/rtlcli2.png http://members.tripod.com/WinAlOS/rtlcli3.png
Note that there is no CSR, no win32k.sys loaded. NT is running in its rawest form. You need less then 16MB of memory (notice that the processes are using <1MB, the rest is up to the drivers, which you can disable) and about the same amount of diskspace. This works perfectly in Windows 2003 without any need to "separate win32".
I actually didn't understand if Russinovich was paid by MS to show that, or if he actually could get there alone, the real NT hacker! Because, if you look at what that really means, you get a strange feeling.
First, the rumors that pollution (Win32/Win64 infiltration) is gone to a point where the old NT-designed core is less stable, are immediatley silenced. Russinovich, indipendently (and with the naive "Oooh" by some MS engineers...), showed it!
Second, in a hidden and really smart way, you promote the equivalence CSR=Windows: "Note that there is no CSR, no win32k.sys loaded.". Bill is a genius! I love him.
With best regards,