Windows 的停機機制在 <Microsoft Windows Internals, 4th> 一書中也只是很簡單的描述了幾句
“如果已經有人登錄到系統中,并且某個進程通過調用 Windows 的 ExitWindowsEx函數發出了停機指令,
那么就會有一個消息被發送到Csrss, 指示它執行停機處理”
windows 的關機流程
Windows關機步驟涉及到Windows多個組件和多個過程,簡單的說,Windows的關機步驟不是大多數人認為的那么簡單。基本的過程是這樣的:
1. 用戶發起關機指令以后,發起關機指令的程序將調用系統函數庫user32.dll中的ExitWindwsEx函數,此函數將會向Windows子系統CSRSS.EXE,CSRSS.EXE收到通知以后會和Winlogon.EXE做一個數據交換,winlogon.exe檢查請求者的權限,做好準備,并給ExitWindowsEx發回準備就緒信號,接著由Winlogon.EXE通知CSRSS.EXE開始關閉系統的流程 。
2. CSRSS.EXE收到Winlogon.EXE的通知以后,會依次查詢擁有頂層窗口的用戶進程,循環給所有正在運行的應用程序發送WM_QUERYENDSESSION和WM_ENDSESSION消息,讓這些用戶進程退出。如果某一個用戶進程在一個默認的超時時間5000毫秒(可以通過修改注冊表鍵值HKEY_CURRENT_USER\Cont rol Panel\Desktop\ HungAppTimeout設定超時時間)內沒有退出的話,Windows會顯示一個結束任務對話框用于詢問用戶是否結束這個任務。默認情況下將顯示這個對話框并一直保持而不會自動關閉。對于控制臺程序來說,基本情況類似,只不過Windows使用HK EY_CURRENT_USER\Control Panel\Desktop\ WaitToKillAppTimeout值來設置超時時間。
3. 接著是輪到終止系統進程了,csrss.exe給所有的系統進程發消息令他們退出。系統進程包括SMSS.EXE、Winlogon.EXE、Lsass.EXE等。Windows在終止系統進程的時候并不像終止用戶進程那樣如果無法在規定時間內終止則提示用戶,而是跳過這個進程,去執行下一個系統進程的終止操作。使用的超時時間和第2步使用的時間相同。準備工作完畢,winlogon.exe給smss.exe發出"InitiateSystemShutdown"請求,smss.exe命令釋放所有系統資源
上述3個步驟是整個Windows關機過程中最耗費時間的一段,大多數關機緩慢的原因都是因為這3個步驟引起的。完成前3個步驟以后,進入了關機操作的第4個階段,也是最后一個階段。
4. Winlogon.EXE調用一個原生API函數NtShutdownSystem()來命令系統執行后面的掃尾工作。在這個階段里面,Windows執行子系統會完成最后的關機操作,例如:設備驅動在這個階段里面完成一些驅動設定的特殊操作; 也是在這個階段,配置管理系統將被修改過的注冊表數據會寫道磁盤里面。等除了電源管理以后的全部子系統完成退出以后,電源管理完成最后的操作:如重啟、關機等。
小試牛刀
kd>?!process?0?0
****?NT?ACTIVE?PROCESS?DUMP?****
PROCESS?81bbc830??SessionId:?none??Cid:?0004????Peb:?00000000??ParentCid:?0000
????DirBase:?00039000??ObjectTable:?e1001c58??HandleCount:?251.
????Image:?System
PROCESS?81a39178??SessionId:?none??Cid:?020c????Peb:?7ffda000??ParentCid:?0004
????DirBase:?077ad000??ObjectTable:?e13b7b78??HandleCount:??21.
????Image:?smss.exe
PROCESS?818e72c0??SessionId:?0??Cid:?024c????Peb:?7ffd9000??ParentCid:?020c
????DirBase:?082ae000??ObjectTable:?e14c2198??HandleCount:?303.
????Image:?csrss.exe
PROCESS?81a8caf8??SessionId:?0??Cid:?0264????Peb:?7ffdb000??ParentCid:?020c
????DirBase:?08673000??ObjectTable:?e14bb4c8??HandleCount:?498.
????Image:?winlogon.exe
PROCESS?81a12140??SessionId:?0??Cid:?0294????Peb:?7ffd7000??ParentCid:?0264
????DirBase:?089d8000??ObjectTable:?e17a0738??HandleCount:?257.
????Image:?services.exe
.
PROCESS?819cac08??SessionId:?0??Cid:?05b0????Peb:?7ffd8000??ParentCid:?0550
????DirBase:?0b91c000??ObjectTable:?e1bfeac0??HandleCount:?291.
????Image:?explorer.exe
kd>?.PROCESS?819cac08
Implicit?process?is?now?819cac08
WARNING:?.cache?forcedecodeuser?is?not?enabled
kd>?.reload
Connected?to?Windows?XP?2600?x86?compatible?target?at?(Wed?Nov??4?14:16:26.001?2009?(GMT+8)),?ptr64?FALSE
Loading?Kernel?Symbols
.
Loading?User?Symbols
Loading?unloaded?module?list
.
kd>?bp?USER32!ExitWindowsEx
kd>?g
StartMenu -> ShutDown
Breakpoint?0?hit
USER32!ExitWindowsEx:
001b:77d89e6d?8bff????????????mov?????edi,edi
kd>?kb
ChildEBP?RetAddr??Args?to?Child??????????????
01f1ff7c?7ca746cc?00000009?00000000?00000000?USER32!ExitWindowsEx
01f1ff9c?7ca74b80?00000000?00000000?011ef6d8?SHELL32!CommonRestart+0x59
01f1ffb4?7c80b50b?00124800?011ef6d8?7c90fb71?SHELL32!ShutdownThreadProc+0x72
01f1ffec?00000000?7ca74b0e?00124800?00000000?kernel32!BaseThreadStart+0x37
kd>?!thread
THREAD?819495d8??Cid?05b0.0374??Teb:?7ffd5000?Win32Thread:?e18bfeb0?RUNNING?on?processor?0
Not?impersonating
DeviceMap?????????????????e1525378
Owning?Process????????????0???????Image:?????????<Unknown>
Attached?Process??????????819cac08???????Image:?????????explorer.exe
Wait?Start?TickCount??????304321?????????Ticks:?0
Context?Switch?Count??????12?????????????????LargeStack
UserTime??????????????????00:00:00.000
KernelTime????????????????00:00:00.000
Win32?Start?Address?SHELL32!ShutdownThreadProc?(0x7ca74b0e)
Start?Address?kernel32!BaseThreadStartThunk?(0x7c810856)
Stack?Init?f6c7f000?Current?f6c7e768?Base?f6c7f000?Limit?f6c7b000?Call?0
Priority?11?BasePriority?8?PriorityDecrement?2?DecrementCount?16
ChildEBP?RetAddr??Args?to?Child??????????????
01f1ff7c?7ca746cc?00000009?00000000?00000000?USER32!ExitWindowsEx?(FPO:?[2,6,0])
01f1ff9c?7ca74b80?00000000?00000000?011ef6d8?SHELL32!CommonRestart+0x59?(FPO:?[2,1,4])
01f1ffb4?7c80b50b?00124800?011ef6d8?7c90fb71?SHELL32!ShutdownThreadProc+0x72?(FPO:?[1,0,0])
01f1ffec?00000000?7ca74b0e?00124800?00000000?kernel32!BaseThreadStart+0x37?(FPO:?[Non-Fpo])
kd>?!process
PROCESS?819cac08??SessionId:?0??Cid:?05b0????Peb:?7ffd8000??ParentCid:?0550
????DirBase:?0b91c000??ObjectTable:?e1bfeac0??HandleCount:?311.
????Image:?explorer.exe
????VadRoot?81aaa268?Vads?205?Clone?0?Private?2098.?Modified?1243.?Locked?0.
????DeviceMap?e1525378
????Token?????????????????????????????e179a030
????ElapsedTime???????????????????????01:22:09.593
????UserTime??????????????????????????00:00:02.406
????KernelTime????????????????????????00:00:17.812
????QuotaPoolUsage[PagedPool]?????????61892
????QuotaPoolUsage[NonPagedPool]??????9640
????Working?Set?Sizes?(now,min,max)??(4153,?50,?345)?(16612KB,?200KB,?1380KB)
????PeakWorkingSetSize????????????????4640
????VirtualSize???????????????????????65?Mb
????PeakVirtualSize???????????????????74?Mb
????PageFaultCount????????????????????6596
????MemoryPriority????????????????????BACKGROUND
????BasePriority??????????????????????8
????CommitCharge??????????????????????2634
????????THREAD?819ca990??Cid?05b0.05b4??Teb:?7ffdf000?Win32Thread:?e179a590?WAIT:?(WrUserRequest)?UserMode?Non-Alertable
????????????818e1420??SynchronizationEvent
????????THREAD?818fc7f8??Cid?05b0.05f4??Teb:?7ffdc000?Win32Thread:?e16e34f8?WAIT:?(WrUserRequest)?UserMode?Non-Alertable
????????????818fc560??SynchronizationEvent
????????THREAD?81a17a78??Cid?05b0.05fc??Teb:?7ffdb000?Win32Thread:?00000000?WAIT:?(DelayExecution)?UserMode?Alertable
????????????81a17b68??NotificationTimer
????????THREAD?81a17780??Cid?05b0.0600??Teb:?7ffda000?Win32Thread:?e1d91868?WAIT:?(WrQueue)?UserMode?Non-Alertable
????????????81a179f8??Unknown
????????????81a17870??NotificationTimer
????????THREAD?81a17410??Cid?05b0.0604??Teb:?7ffd9000?Win32Thread:?00000000?WAIT:?(UserRequest)?UserMode?Alertable
????????????81a17688??NotificationTimer
????????????81a1a958??SynchronizationEvent
????????????8193c208??NotificationEvent
????????THREAD?81993370??Cid?05b0.06a8??Teb:?7ffd7000?Win32Thread:?e18779f0?WAIT:?(UserRequest)?UserMode?Alertable
????????????819e27fc??NotificationEvent
????????????81783084??NotificationEvent
????????????81a7b454??NotificationEvent
????????????81a7a8cc??NotificationEvent
????????????81abc9f4??NotificationEvent
????????????81abc89c??NotificationEvent
????????????8178dbdc??NotificationEvent
????????????818e1550??SynchronizationEvent
????????THREAD?8176fda8??Cid?05b0.01b0??Teb:?7ffd6000?Win32Thread:?e1836368?WAIT:?(WrUserRequest)?UserMode?Non-Alertable
????????????819bbc68??SynchronizationEvent
????????THREAD?81a9d020??Cid?05b0.05a4??Teb:?7ffde000?Win32Thread:?e1884eb0?WAIT:?(WrLpcReceive)?UserMode?Non-Alertable
????????????8196da50??Semaphore?Limit?0x7fffffff
????????????81a9d110??NotificationTimer
????????THREAD?81940d80??Cid?05b0.0528??Teb:?7ffdd000?Win32Thread:?00000000?WAIT:?(WrLpcReceive)?UserMode?Non-Alertable
????????????8196da50??Semaphore?Limit?0x7fffffff
????????????81940e70??NotificationTimer
????????THREAD?81992d80??Cid?05b0.0678??Teb:?7ffd4000?Win32Thread:?00000000?WAIT:?(DelayExecution)?UserMode?Non-Alertable
????????????81992e70??NotificationTimer
????????THREAD?819495d8??Cid?05b0.0374??Teb:?7ffd5000?Win32Thread:?e18bfeb0?RUNNING?on?processor?0
重啟后再來一次,Start menu -> ShutDown此時屏幕為灰色,Ctrl + Break
kd>?bp?advapi32!AdjustTokenPrivileges
kd>?g
Breakpoint?0?hit
ADVAPI32!AdjustTokenPrivileges:
001b:77dfc534?8bff????????????mov?????edi,edi
kd>?kb
ChildEBP?RetAddr??Args?to?Child??????????????
01fbfe98?74ad168c?000004d4?00000000?01fbfecc?ADVAPI32!AdjustTokenPrivileges
01fbfee8?74ad1d2d?000004d4?00000002?01fbff08?POWRPROF!SetPrivilegeAttribute+0x8e
01fbff0c?74ad1cf1?00000004?00000000?00000000?POWRPROF!CallNtPowerInformation+0x2d
01fbff28?74ad399d?01fbff34?74ad0000?74ad3984?POWRPROF!GetPwrCapabilities+0x26
01fbff84?7ca74690?00000000?000e72d8?000e72d8?POWRPROF!IsPwrShutdownAllowed+0x19
01fbff9c?7ca74b80?00000001?00000000?011ef6d8?SHELL32!CommonRestart+0x1d
01fbffb4?7c80b50b?000e72d8?011ef6d8?7c90fb71?SHELL32!ShutdownThreadProc+0x72
01fbffec?00000000?7ca74b0e?000e72d8?00000000?kernel32!BaseThreadStart+0x37