Microsoft Windows Internals, 4th edition, describes the Windows shutdown mechanism in only a few sentences:
"If someone is logged on and a process initiates a shutdown by calling the Windows ExitWindowsEx function,
a message is sent to Csrss instructing it to perform the shutdown."
The Windows shutdown flow
Shutting down Windows involves several Windows components and several stages; put simply, it is not as straightforward as most people assume. The basic sequence is as follows:
1. When the user initiates a shutdown, the program issuing the request calls the ExitWindowsEx function in the system library user32.dll. That function sends a message to the Windows subsystem process CSRSS.EXE. On receiving the notification, CSRSS.EXE exchanges data with Winlogon.EXE; winlogon.exe checks the requester's privileges (the caller must hold SeShutdownPrivilege, enabled in its token), makes its preparations, and signals back to the ExitWindowsEx caller that it is ready. Winlogon.EXE then notifies CSRSS.EXE to begin the actual shutdown sequence.
2. After CSRSS.EXE receives Winlogon.EXE's notification, it enumerates the user processes that own top-level windows and sends each running application WM_QUERYENDSESSION and WM_ENDSESSION messages so that they exit. If a user process has not exited within the default timeout of 5000 milliseconds (configurable through the registry value HKEY_CURRENT_USER\Control Panel\Desktop\HungAppTimeout), Windows displays an End Task dialog asking the user whether to terminate it. By default this dialog stays on screen and does not close on its own. Console programs are handled in much the same way, except that Windows takes the timeout from HKEY_CURRENT_USER\Control Panel\Desktop\WaitToKillAppTimeout.
3. Next come the system processes: csrss.exe sends messages to all system processes telling them to exit. The system processes include SMSS.EXE, Winlogon.EXE and Lsass.EXE. Unlike user processes, a system process that fails to exit within the allotted time does not produce a prompt; Windows simply skips it and moves on to terminating the next system process. The timeout is the same one used in step 2. Once this preparation is complete, winlogon.exe sends smss.exe an "InitiateSystemShutdown" request, and smss.exe orders the release of all system resources.
These three steps are the most time-consuming part of the whole Windows shutdown, and most slow shutdowns are caused by them. After the first three steps, shutdown enters its fourth and final stage.
4. Winlogon.EXE calls the native API function NtShutdownSystem() to have the system perform the remaining cleanup. In this stage the Windows executive subsystems complete the final shutdown work: device drivers carry out whatever driver-specific operations they have defined, and the configuration manager writes modified registry data to disk. Once every subsystem other than power management has shut down, power management performs the final operation, such as restart or power-off.
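The privilege check in step 1 is, concretely, a check for SeShutdownPrivilege: ExitWindowsEx fails with ERROR_PRIVILEGE_NOT_HELD unless the caller has first enabled that privilege in its token with AdjustTokenPrivileges. The second kd session later on this page shows the shell's shutdown thread calling ADVAPI32!AdjustTokenPrivileges (beneath POWRPROF!IsPwrShutdownAllowed) before USER32!ExitWindowsEx is reached; which privilege that particular call adjusts is not visible in the dump. The PowerShell script below is an added example, not code from the original page or from Windows: it enables SeShutdownPrivilege the same way a shutdown initiator must, reports whether the token actually gained the privilege, and calls ExitWindowsEx only when run with -Execute. The type name NativeShutdown and the function names are chosen for this example; the Win32 signatures, the constants (EWX_SHUTDOWN = 1 and EWX_POWEROFF = 8, which together give the 0x9 seen as the first argument to USER32!ExitWindowsEx in the kb output below) and the ERROR_NOT_ALL_ASSIGNED check follow the documented API.

```powershell
# Added example (not from the original page): enable SeShutdownPrivilege, then optionally
# call ExitWindowsEx. NativeShutdown and the function names are chosen for this example.
$nativeSource = @"
using System;
using System.Runtime.InteropServices;
public static class NativeShutdown
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry (16 bytes).
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges,
        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool ExitWindowsEx(uint uFlags, uint dwReason);
}
"@
Add-Type -TypeDefinition $nativeSource

function Enable-ShutdownPrivilege {
    # Returns $true only if the current process token now holds SeShutdownPrivilege enabled.
    $TOKEN_ADJUST_PRIVILEGES = 0x0020
    $TOKEN_QUERY             = 0x0008
    $SE_PRIVILEGE_ENABLED    = 0x00000002
    $ERROR_NOT_ALL_ASSIGNED  = 1300

    $token = [IntPtr]::Zero
    if (-not [NativeShutdown]::OpenProcessToken([NativeShutdown]::GetCurrentProcess(),
            ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object 'NativeShutdown+LUID'
        if (-not [NativeShutdown]::LookupPrivilegeValue($null, 'SeShutdownPrivilege', [ref]$luid)) {
            throw "LookupPrivilegeValue failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $tp = New-Object 'NativeShutdown+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1
        $tp.Luid           = $luid
        $tp.Attributes     = $SE_PRIVILEGE_ENABLED

        # Caveat: AdjustTokenPrivileges returns TRUE even when the privilege is absent from the
        # token; the real answer is GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300).
        $ok  = [NativeShutdown]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return ($ok -and ($err -ne $ERROR_NOT_ALL_ASSIGNED))
    } finally {
        [void][NativeShutdown]::CloseHandle($token)
    }
}

function Invoke-ShutdownSequence {
    param([switch]$Execute)
    $EWX_SHUTDOWN              = 0x00000001
    $EWX_POWEROFF              = 0x00000008   # 0x1 | 0x8 = 0x9, the uFlags value in the kb output
    $SHTDN_REASON_MAJOR_OTHER  = 0x00000000
    $SHTDN_REASON_FLAG_PLANNED = 0x80000000

    if (-not (Enable-ShutdownPrivilege)) {
        Write-Warning 'SeShutdownPrivilege is not in this token; ExitWindowsEx would fail with ERROR_PRIVILEGE_NOT_HELD (1314).'
        return
    }
    if (-not $Execute) {
        Write-Host 'SeShutdownPrivilege enabled. Re-run with -Execute to actually call ExitWindowsEx.'
        return
    }
    # This really shuts the machine down: Csrss will start sending WM_QUERYENDSESSION to every top-level window.
    if (-not [NativeShutdown]::ExitWindowsEx(($EWX_SHUTDOWN -bor $EWX_POWEROFF),
            ($SHTDN_REASON_MAJOR_OTHER -bor $SHTDN_REASON_FLAG_PLANNED))) {
        throw "ExitWindowsEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

Invoke-ShutdownSequence   # without -Execute only the privilege is enabled and checked
```

Run it from a session whose token holds SeShutdownPrivilege (interactive users have it on a workstation by default). With the breakpoints from the kd sessions below (bp advapi32!AdjustTokenPrivileges, bp USER32!ExitWindowsEx) set on the target, `Invoke-ShutdownSequence -Execute` hits them in that order from the PowerShell process instead of from explorer.exe's SHELL32!ShutdownThreadProc.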
Trying it out
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81bbc830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001c58  HandleCount: 251.
    Image: System
PROCESS 81a39178  SessionId: none  Cid: 020c    Peb: 7ffda000  ParentCid: 0004
    DirBase: 077ad000  ObjectTable: e13b7b78  HandleCount:  21.
    Image: smss.exe
PROCESS 818e72c0  SessionId: 0  Cid: 024c    Peb: 7ffd9000  ParentCid: 020c
    DirBase: 082ae000  ObjectTable: e14c2198  HandleCount: 303.
    Image: csrss.exe
PROCESS 81a8caf8  SessionId: 0  Cid: 0264    Peb: 7ffdb000  ParentCid: 020c
    DirBase: 08673000  ObjectTable: e14bb4c8  HandleCount: 498.
    Image: winlogon.exe
PROCESS 81a12140  SessionId: 0  Cid: 0294    Peb: 7ffd7000  ParentCid: 0264
    DirBase: 089d8000  ObjectTable: e17a0738  HandleCount: 257.
    Image: services.exe

...
PROCESS 819cac08  SessionId: 0  Cid: 05b0    Peb: 7ffd8000  ParentCid: 0550
    DirBase: 0b91c000  ObjectTable: e1bfeac0  HandleCount: 291.
    Image: explorer.exe

kd> .process 819cac08
Implicit process is now 819cac08
WARNING: .cache forcedecodeuser is not enabled
kd> .reload
Connected to Windows XP 2600 x86 compatible target at (Wed Nov  4 14:16:26.001 2009 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...
Loading User Symbols
...
Loading unloaded module list
...
kd> bp USER32!ExitWindowsEx
kd> g
(Start menu -> Shut Down)
Breakpoint 0 hit
USER32!ExitWindowsEx:
001b:77d89e6d 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
01f1ff7c 7ca746cc 00000009 00000000 00000000 USER32!ExitWindowsEx
01f1ff9c 7ca74b80 00000000 00000000 011ef6d8 SHELL32!CommonRestart+0x59
01f1ffb4 7c80b50b 00124800 011ef6d8 7c90fb71 SHELL32!ShutdownThreadProc+0x72
01f1ffec 00000000 7ca74b0e 00124800 00000000 kernel32!BaseThreadStart+0x37
kd> !thread
THREAD 819495d8  Cid 05b0.0374  Teb: 7ffd5000 Win32Thread: e18bfeb0 RUNNING on processor 0
Not impersonating
DeviceMap                 e1525378
Owning Process            0       Image:         <Unknown>
Attached Process          819cac08       Image:         explorer.exe
Wait Start TickCount      304321         Ticks: 0
Context Switch Count      12                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address SHELL32!ShutdownThreadProc (0x7ca74b0e)
Start Address kernel32!BaseThreadStartThunk (0x7c810856)
Stack Init f6c7f000 Current f6c7e768 Base f6c7f000 Limit f6c7b000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr  Args to Child
01f1ff7c 7ca746cc 00000009 00000000 00000000 USER32!ExitWindowsEx (FPO: [2,6,0])
01f1ff9c 7ca74b80 00000000 00000000 011ef6d8 SHELL32!CommonRestart+0x59 (FPO: [2,1,4])
01f1ffb4 7c80b50b 00124800 011ef6d8 7c90fb71 SHELL32!ShutdownThreadProc+0x72 (FPO: [1,0,0])
01f1ffec 00000000 7ca74b0e 00124800 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
kd> !process
PROCESS 819cac08  SessionId: 0  Cid: 05b0    Peb: 7ffd8000  ParentCid: 0550
    DirBase: 0b91c000  ObjectTable: e1bfeac0  HandleCount: 311.
    Image: explorer.exe
    VadRoot 81aaa268 Vads 205 Clone 0 Private 2098. Modified 1243. Locked 0.
    DeviceMap e1525378
    Token                             e179a030
    ElapsedTime                       01:22:09.593
    UserTime                          00:00:02.406
    KernelTime                        00:00:17.812
    QuotaPoolUsage[PagedPool]         61892
    QuotaPoolUsage[NonPagedPool]      9640
    Working Set Sizes (now,min,max)  (4153, 50, 345) (16612KB, 200KB, 1380KB)
    PeakWorkingSetSize                4640
    VirtualSize                       65 Mb
    PeakVirtualSize                   74 Mb
    PageFaultCount                    6596
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      2634
        THREAD 819ca990  Cid 05b0.05b4  Teb: 7ffdf000 Win32Thread: e179a590 WAIT: (WrUserRequest) UserMode Non-Alertable
            818e1420  SynchronizationEvent
        THREAD 818fc7f8  Cid 05b0.05f4  Teb: 7ffdc000 Win32Thread: e16e34f8 WAIT: (WrUserRequest) UserMode Non-Alertable
            818fc560  SynchronizationEvent
        THREAD 81a17a78  Cid 05b0.05fc  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
            81a17b68  NotificationTimer
        THREAD 81a17780  Cid 05b0.0600  Teb: 7ffda000 Win32Thread: e1d91868 WAIT: (WrQueue) UserMode Non-Alertable
            81a179f8  Unknown
            81a17870  NotificationTimer
        THREAD 81a17410  Cid 05b0.0604  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
            81a17688  NotificationTimer
            81a1a958  SynchronizationEvent
            8193c208  NotificationEvent
        THREAD 81993370  Cid 05b0.06a8  Teb: 7ffd7000 Win32Thread: e18779f0 WAIT: (UserRequest) UserMode Alertable
            819e27fc  NotificationEvent
            81783084  NotificationEvent
            81a7b454  NotificationEvent
            81a7a8cc  NotificationEvent
            81abc9f4  NotificationEvent
            81abc89c  NotificationEvent
            8178dbdc  NotificationEvent
            818e1550  SynchronizationEvent
        THREAD 8176fda8  Cid 05b0.01b0  Teb: 7ffd6000 Win32Thread: e1836368 WAIT: (WrUserRequest) UserMode Non-Alertable
            819bbc68  SynchronizationEvent
        THREAD 81a9d020  Cid 05b0.05a4  Teb: 7ffde000 Win32Thread: e1884eb0 WAIT: (WrLpcReceive) UserMode Non-Alertable
            8196da50  Semaphore Limit 0x7fffffff
            81a9d110  NotificationTimer
        THREAD 81940d80  Cid 05b0.0528  Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            8196da50  Semaphore Limit 0x7fffffff
            81940e70  NotificationTimer
        THREAD 81992d80  Cid 05b0.0678  Teb: 7ffd4000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Non-Alertable
            81992e70  NotificationTimer
        THREAD 819495d8  Cid 05b0.0374  Teb: 7ffd5000 Win32Thread: e18bfeb0 RUNNING on processor 0
Reboot and do it again: Start menu -> Shut Down. When the screen turns grey, press Ctrl + Break to break into the debugger.
kd> bp advapi32!AdjustTokenPrivileges
kd> g
Breakpoint 0 hit
ADVAPI32!AdjustTokenPrivileges:
001b:77dfc534 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
01fbfe98 74ad168c 000004d4 00000000 01fbfecc ADVAPI32!AdjustTokenPrivileges
01fbfee8 74ad1d2d 000004d4 00000002 01fbff08 POWRPROF!SetPrivilegeAttribute+0x8e
01fbff0c 74ad1cf1 00000004 00000000 00000000 POWRPROF!CallNtPowerInformation+0x2d
01fbff28 74ad399d 01fbff34 74ad0000 74ad3984 POWRPROF!GetPwrCapabilities+0x26
01fbff84 7ca74690 00000000 000e72d8 000e72d8 POWRPROF!IsPwrShutdownAllowed+0x19
01fbff9c 7ca74b80 00000001 00000000 011ef6d8 SHELL32!CommonRestart+0x1d
01fbffb4 7c80b50b 000e72d8 011ef6d8 7c90fb71 SHELL32!ShutdownThreadProc+0x72
01fbffec 00000000 7ca74b0e 000e72d8 00000000 kernel32!BaseThreadStart+0x37