Accepting the Boot and Last Known Good - PowerPoint PPT Presentation

About This Presentation
Title:

Accepting the Boot and Last Known Good

Description:

Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. ... – PowerPoint PPT presentation

Number of Views:58
Avg rating:3.0/5.0
Slides: 46
Provided by: dio8
Transcript and Presenter's Notes

1
Accepting the Boot and Last Known Good
2
Accepting the Boot and Last Known Good
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is
    the last known good control set
  • The last known good control set works by keeping
    a backup control set of the last successful boot.
    The rules for determining whether the last boot
    was successful, and therefore good, are:
  • No system critical errors involving the failure
    of a driver or system file.
  • A user can log onto the system at least once.

3
What is the Last Known Good Control Set Good For?
  • You install a new device driver and restart
    Windows NT. The system stops responding (hangs)
    when you start (boot) the computer. The last
    known good control set will enable you to boot
    because it does not contain any reference to the
    new, faulty driver.

4
What is the Last Known Good Control Set Good For?
  • You install a new video driver and are able to
    restart the system. However, you cannot see
    anything because the new video resolution is
    incompatible with your video adapter. In this
    case, do not try to log on by entering the
    correct keys. If you turn off and restart your
    computer, the last known good control set can be
    used.

5
What is the Last Known Good Control Set Good For?
  • You accidentally disable a system critical device
    driver. Windows NT is not able to boot, and
    reverts to the last known good control set.

6
What is the Last Known Good Control Set NOT Good
For?
  • Any problem that is not related to changes in
    control set information will not be corrected by
    reverting to the last known good configuration.
  • This includes information like user profiles and
    file permissions.

7
What is the Last Known Good Control Set NOT Good
For?
  • Any change introduced more than one successful
    boot ago cannot be backed out, because the change
    will have been copied to the last known good
    control set on the first successful boot after
    the change was made.

8
What is the Last Known Good Control Set NOT Good
For?
  • The last known good control set is a backup and
    restore facility for the Registry; it does not
    support switching between configurations (docked
    and undocked laptops, for example).

9
What is the Last Known Good Control Set NOT Good
For?
  • The following are three examples where the last
    known good control set is not helpful:
  • Boot failures caused by hardware failures or
    corrupted files.
  • If you copy a new driver over the top of an old
    one, and the old one is already active, then the
    configuration will not change; switching to the
    last known good control set will not undo
    anything.
  • If Windows NT boots, a user logs on, and then
    Windows NT hangs, the last known good control
    set will not help because it has already been
    updated to the current control set.

10
HKEY_LOCAL_MACHINE\SYSTEM\Select
11
  • It is a helpful recovery mechanism.
  • More detail -> Chapter 5

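The rules on slides 2 through 9 can be checked against a small model of the Select key. The following is an added example, not code from the presentation: the ControlSet001/ControlSet002 names, the driver names and the FAULTY / CRITICAL sets are constructed stand-ins for "a driver failed to load" and "a system-critical driver"; the value names Current, LastKnownGood and Failed are the real ones under HKEY_LOCAL_MACHINE\SYSTEM\Select. The three scenario functions replay slides 3, 5 and 7.

```python
"""Model of the Last Known Good (LKG) control-set rules from the slides.

Added illustration, not code from the presentation.  Assumptions, all
constructed: the control-set names ControlSet001/ControlSet002, the driver
names, and the sets FAULTY / CRITICAL that stand in for "a driver failed to
load" and "a system-critical driver".  The Select value names (Current,
LastKnownGood, Failed) are the real ones under HKLM\\SYSTEM\\Select.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class ControlSet:
    drivers: dict = field(default_factory=dict)   # driver file -> enabled?


@dataclass
class SelectKey:
    """Stands in for HKLM\\SYSTEM\\Select plus the ControlSetNNN subkeys."""
    sets: dict
    current: str
    last_known_good: str
    failed: str = ""


FAULTY = {"badvid.sys"}     # constructed: loading this driver hangs the boot
CRITICAL = {"disk.sys"}     # constructed: the system cannot boot without it


def fresh_registry() -> SelectKey:
    """A machine whose last boot was good: Current and LKG are identical."""
    good = ControlSet({"disk.sys": True})
    return SelectKey(sets={"ControlSet001": good, "ControlSet002": copy.deepcopy(good)},
                     current="ControlSet001", last_known_good="ControlSet002")


def boot_is_good(cs: ControlSet, user_logs_on: bool) -> bool:
    """Slide 2's two rules: no driver/system-file failure, and a user can log on."""
    for name, enabled in cs.drivers.items():
        if enabled and name in FAULTY:
            return False
        if not enabled and name in CRITICAL:
            return False
    return user_logs_on


def boot(reg: SelectKey, user_logs_on: bool = True) -> str:
    cur = reg.sets[reg.current]
    if boot_is_good(cur, user_logs_on):
        # A good boot is copied to LKG, which is exactly why a change survives
        # once it has been booted through successfully (slide 7).
        reg.sets[reg.last_known_good] = copy.deepcopy(cur)
        return "good"
    # Not good: record the failed set and fall back to the LKG copy (slides 3 and 5).
    reg.failed = reg.current
    reg.sets[reg.current] = copy.deepcopy(reg.sets[reg.last_known_good])
    return "reverted"


def scenario_faulty_driver():
    """Slide 3: a new driver hangs the boot; LKG has no reference to it."""
    reg = fresh_registry()
    reg.sets[reg.current].drivers["badvid.sys"] = True
    first, second = boot(reg), boot(reg)
    return first, second, "badvid.sys" in reg.sets[reg.current].drivers


def scenario_disabled_critical_driver():
    """Slide 5: a critical driver was disabled; the revert re-enables it."""
    reg = fresh_registry()
    reg.sets[reg.current].drivers["disk.sys"] = False
    return boot(reg), reg.sets[reg.current].drivers["disk.sys"]


def scenario_change_one_boot_ago():
    """Slide 7: a driver that boots fine once is copied into LKG and cannot be backed out."""
    reg = fresh_registry()
    reg.sets[reg.current].drivers["suspect.sys"] = True
    boot(reg)
    return "suspect.sys" in reg.sets[reg.last_known_good].drivers


if __name__ == "__main__":
    print(scenario_faulty_driver())             # ('reverted', 'good', False)
    print(scenario_disabled_critical_driver())  # ('reverted', True)
    print(scenario_change_one_boot_ago())       # True
```

The third scenario is the one that matters for incident response: once a changed control set has been booted through and a user has logged on, the change is in LKG too, so LKG cannot be relied on to undo a persisted driver or service entry.
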
12
Service Failures
13
Service Failures
  • Optional registry values FailureActions and
    FailureCommand
  • When a service process terminates unexpectedly,
    the SCM determines which services ran in it and
    takes the configured recovery steps.

14
Once failure occurs, the SCM can
  • Restart the service
  • Run a program
  • Reboot
  • Or do nothing

15
You can manage the recovery actions through MMC
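
The recovery actions on slides 13 to 15 can also be read back from the command line with `sc qfailure <service>`. The following is an added example, not the presentation's code: SAMPLE is a constructed block in the shape that command prints, the service name and command line are made up, and the action semantics (one action per failure, the last action repeated, the count reset after RESET_PERIOD seconds without a failure) follow the documented SERVICE_FAILURE_ACTIONS behaviour.

```python
"""Parse `sc qfailure` output and work out which recovery action the SCM
would take on each failure.

Added illustration, not the presentation's code.  SAMPLE is constructed in
the shape `sc qfailure <service>` prints; the service name and command line
are made up.
"""
import re

SAMPLE = """\
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: ExampleSvc
        RESET_PERIOD (in seconds)    : 86400
        REBOOT_MESSAGE               :
        COMMAND_LINE                 : C:\\Tools\\notify.cmd
        FAILURE_ACTIONS              : RESTART -- Delay = 60000 milliseconds.
                                       RESTART -- Delay = 60000 milliseconds.
                                       RUN PROCESS -- Delay = 1000 milliseconds.
"""

ACTION_RE = re.compile(r"(?P<action>[A-Z ]+?) -- Delay = (?P<delay>\d+) milliseconds")


def parse_qfailure(text: str) -> dict:
    """Return service name, reset period, command line and [(action, delay_ms)]."""
    cfg = {"service": None, "reset_period": None, "command_line": "", "actions": []}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("[SC]"):
            continue
        key, sep, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:                                   # continuation line of FAILURE_ACTIONS
            m = ACTION_RE.search(stripped)
            if m:
                cfg["actions"].append((m["action"].strip(), int(m["delay"])))
        elif key == "SERVICE_NAME":
            cfg["service"] = value
        elif key.startswith("RESET_PERIOD"):
            cfg["reset_period"] = int(value) if value.isdigit() else None
        elif key == "COMMAND_LINE":
            cfg["command_line"] = value
        elif key == "FAILURE_ACTIONS":
            m = ACTION_RE.search(value)
            if m:
                cfg["actions"].append((m["action"].strip(), int(m["delay"])))
    return cfg


def action_for_each_failure(cfg: dict, failure_times: list) -> list:
    """Return the action name the SCM takes at each failure timestamp (seconds)."""
    actions = cfg["actions"]
    if not actions:
        return ["NONE"] * len(failure_times)
    reset, count, last, out = cfg["reset_period"], 0, None, []
    for t in failure_times:
        if last is not None and reset is not None and t - last > reset:
            count = 0                                 # quiet for RESET_PERIOD: start over
        count += 1
        last = t
        out.append(actions[min(count, len(actions)) - 1][0])   # last action repeats
    return out


def audit(cfg: dict) -> list:
    """Defender's view: a RUN PROCESS action starts COMMAND_LINE in the SCM's
    own context (LocalSystem), so the command deserves the same review as the
    service binary itself; a REBOOT action is a denial-of-service lever."""
    findings = []
    if any(a == "RUN PROCESS" for a, _ in cfg["actions"]):
        findings.append(f"{cfg['service']}: failure runs {cfg['command_line'] or '<empty command line>'}")
    if any(a == "REBOOT" for a, _ in cfg["actions"]):
        findings.append(f"{cfg['service']}: failure reboots the machine")
    return findings


if __name__ == "__main__":
    cfg = parse_qfailure(SAMPLE)
    print(action_for_each_failure(cfg, [0, 10, 20, 30]))
    print(audit(cfg))
```

Run `sc qfailure` for each service during a baseline and feed the text to `parse_qfailure`; `audit` then lists the services whose failure handling executes an external program or reboots the host.
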
16
Service Shutdown
17
ExitWindowsEx function
    BOOL WINAPI ExitWindowsEx(
      __in UINT uFlags,
      __in DWORD dwReason
    );

18
ExitWindowsEx function
  • Logs off the interactive user, shuts down the
    system, or shuts down and restarts the system. It
    sends the WM_QUERYENDSESSION message to all
    applications to determine if they can be
    terminated.
  • Header: declared in Winuser.h; include Windows.h.
  • Library: use User32.lib.
  • DLL: requires User32.dll.

19
WM_QUERYENDSESSION Message
  • The WM_QUERYENDSESSION message is sent when the
    user chooses to end the session or when an
    application calls one of the system shutdown
    functions.
  • If any application returns zero, the session is
    not ended. The system stops sending
    WM_QUERYENDSESSION messages as soon as one
    application returns zero.

20
WM_QUERYENDSESSION Message
  • A window receives this message through its
    WindowProc function.
    LRESULT CALLBACK WindowProc(
      HWND hwnd,      // handle to window
      UINT uMsg,      // message identifier
      WPARAM wParam,  // not used
      LPARAM lParam   // logoff option
    );

21
ExitWindowsEx function
  • ExitWindowsEx sends a message to Csrss

22
Csrss
  • csrss.exe
  • Process name Microsoft Client/Server Runtime
    Server Subsystem
  • For every system process except the SCM, Csrss
    waits up to the configured number of seconds for
    the process to exit before moving on to the next
    process.

23
HKEY_USERS\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout
24
Csrss
  • When Csrss encounters the SCM process, it employs
    a timeout specific to the SCM.
  • Csrss recognizes the SCM using the PID(process
    ID).

25
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout
26
ScShutdownAllServices
  • The SCM function
  • Loops through the SCM services database searching
    for services that have requested shutdown
    notification and sends them a shutdown command.
  • Wait hint (a time slice)
  • The SCM waits either until
  • one of the services it notified of shutdown exits, or
  • the largest wait hint passes.
  • If the wait hint expires, the SCM checks whether any
    of the services is progressing. If at least one made
    progress, the SCM goes through the wait loop again,
    recursively.

27
If WaitToKillServiceTimeout time expires
  • If Csrss's wait ends but the SCM hasn't exited,
    Csrss moves on (simply takes charge) and shuts
    down the processes itself.

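The interplay between the SCM's wait loop (slide 26) and Csrss's WaitToKillServiceTimeout (slides 25 and 27) is easiest to see in a simulation. The following is an added example, not the presentation's code: the service names, wait hints, the number of rounds each service needs and the timeout value are all constructed, and "one round" stands for the SCM blocking until a notified service exits or the largest outstanding wait hint passes (a pessimistic simplification, since the real SCM returns as soon as one service exits).

```python
"""Model of the ScShutdownAllServices wait loop and Csrss's WaitToKillServiceTimeout.

Added illustration, not the presentation's code.  Service names, wait hints,
rounds_to_exit and the timeout value are constructed.
"""
from dataclasses import dataclass


@dataclass
class Svc:
    name: str
    accepts_shutdown: bool     # only services that asked for shutdown notification are sent the command
    wait_hint_ms: int          # the "time slice" the service asks the SCM to wait
    rounds_to_exit: int        # constructed: progress rounds before it exits
    hung: bool = False         # constructed: never reports progress


def sc_shutdown_all_services(services, wait_to_kill_service_timeout_ms):
    """Return (exited, still_running, elapsed_ms) at the moment the SCM stops waiting."""
    pending = [s for s in services if s.accepts_shutdown]   # the ones sent a shutdown command
    exited, elapsed = [], 0
    while pending:
        elapsed += max(s.wait_hint_ms for s in pending)     # wait for the largest hint
        progressed = False
        for s in list(pending):
            if s.hung:
                continue
            s.rounds_to_exit -= 1
            progressed = True
            if s.rounds_to_exit <= 0:
                pending.remove(s)
                exited.append(s.name)
        if elapsed >= wait_to_kill_service_timeout_ms:
            break        # Csrss's wait on the SCM ended; Csrss takes over the shutdown
        if not progressed:
            break        # hint expired and nobody progressed: the SCM stops waiting
    return exited, [s.name for s in pending], elapsed


def demo(timeout_ms=20000):
    """Constructed fleet: one quick service, one slow one, one hung one, one never notified."""
    fleet = [
        Svc("EventLog", True, 2000, 1),
        Svc("Spooler", True, 5000, 2),
        Svc("StuckSvc", True, 3000, 1, hung=True),
        Svc("NoShutdownSvc", False, 1000, 1),   # not notified; terminated by Csrss later
    ]
    return sc_shutdown_all_services(fleet, timeout_ms)


if __name__ == "__main__":
    print(demo())        # (['EventLog', 'Spooler'], ['StuckSvc'], 13000)
    print(demo(4000))    # (['EventLog'], ['Spooler', 'StuckSvc'], 5000)
```

With the generous timeout the hung service is the only one left for Csrss to terminate; with a short WaitToKillServiceTimeout the still-progressing Spooler is cut off as well, which is why lowering that value to "speed up shutdown" can cost services their orderly stop.
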
28
Shared Service Processes
29
Share a process with other services
  • One service per process.
  • Many services share one process.
  • Shared process examples
  • SCM process
  • Event log service
  • Plug and Play service
  • LSASS process
  • Security Accounts Manager service(SamSs)
  • Net Logon service(Netlogon)
  • IPSec Policy Agent service(PolicyAgent)

30
Service Host
  • SvcHost contains multiple services
  • \Windows\System32\Svchost.exe
  • Svchost.exe is a generic host process name for
    services that run from dynamic-link libraries
    (DLLs).
  • svchost.exe is used to load those .dll files into
    the memory so it can be called directly by other
    windows software that uses it.
  • .dll libraries files cannot be loaded directly by
    just double clicking on them. It is not an
    executable file. Therefore Microsoft developed
    svchost.exe to load these .dll into memory.

31
Services run in SvcHost
  • Example
  • Telephony(TapiSrv)
  • Remote Procedure Call(RpcSs)
  • Remote Access Connection Manager(RasMan)
  • Windows implements these services as DLLs and
    includes an ImagePath definition
    (%SystemRoot%\System32\svchost.exe -k netsvcs) in
    the service's registry key.

32
tasklist /svc
33
Process Explorer v11.13
34
Process Explorer v11.13
35
SvcHost
  • At startup, Svchost.exe checks the services part
    of the registry to construct a list of services
    that it must load.
  • Multiple instances of Svchost.exe can run at the
    same time.
  • Each Svchost.exe session can contain a grouping
    of services. Therefore, separate services can
    run, depending on how and where Svchost.exe is
    started.
  • This grouping of services allows for better
    control and easier debugging. (I guess the
    services in the same group have similarities.)

36
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
37
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  • Each value under this key represents a separate
    Svchost group and appears as a separate instance
    when you are viewing active processes.

38
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<your service>
  • All services are here.
  • Each Svchost group can contain one or more
    service names that are extracted from the
    registry key.

39
SvcHost
  • When SCM encounters a SvcHost service with an
    ImagePath matching an entry it already has in the
    image database, it just sends a start command for
    the service to the SvcHost.
  • The existing SvcHost process reads the ServiceDll
    parameter in the services registry key and loads
    the DLL into itself to start the service.

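Slides 32 to 39 give a defender everything needed to reconcile what `tasklist /svc` shows against the registry: a service hosted in svchost.exe should have an ImagePath of the form `svchost.exe -k <group>`, be listed under that group in the Svchost key, and point its ServiceDll at System32. The following is an added example, not the presentation's code: TASKLIST is a constructed sample in the layout `tasklist /svc` prints, and SVCHOST_GROUPS / SERVICES are a constructed in-memory stand-in for the two registry keys (UpdSvc and its DLL path are made up to show what a mismatch looks like).

```python
"""Reconcile `tasklist /svc` output against the Svchost and Services registry keys.

Added illustration, not the presentation's code.  TASKLIST, SVCHOST_GROUPS and
SERVICES are constructed; UpdSvc is a made-up anomaly.
"""
import re

TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   640 Eventlog, PlugPlay
lsass.exe                      652 Netlogon, PolicyAgent, SamSs
svchost.exe                    828 RpcSs
svchost.exe                    900 RasMan, TapiSrv
svchost.exe                   1324 UpdSvc
"""

# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost: value name -> member services
SVCHOST_GROUPS = {"rpcss": ["RpcSs"], "netsvcs": ["RasMan", "TapiSrv"]}

# HKLM\System\CurrentControlSet\Services\<name>: ImagePath and the ServiceDll parameter
SERVICES = {
    "RpcSs":   {"ImagePath": "%SystemRoot%\\System32\\svchost.exe -k rpcss",
                "ServiceDll": "%SystemRoot%\\System32\\rpcss.dll"},
    "RasMan":  {"ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
                "ServiceDll": "%SystemRoot%\\System32\\rasmans.dll"},
    "TapiSrv": {"ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
                "ServiceDll": "%SystemRoot%\\System32\\tapisrv.dll"},
    "UpdSvc":  {"ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",   # constructed anomaly
                "ServiceDll": "C:\\Users\\Public\\upd.dll"},
}

ROW_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.+)$")


def parse_tasklist_svc(text):
    """Return [(image, pid, [service names])] from `tasklist /svc` text."""
    rows = []
    for line in text.splitlines()[2:]:          # skip the header and the ===== rule
        m = ROW_RE.match(line)
        if not m:
            continue
        svc_field = m["services"].strip()
        names = [] if svc_field == "N/A" else [n.strip() for n in svc_field.split(",")]
        rows.append((m["image"].strip(), int(m["pid"]), names))
    return rows


def check_svchost_hosting(rows, groups, services):
    """Flag svchost-hosted services whose registry definition does not match the host."""
    groups_lc = {g.lower(): {n.lower() for n in names} for g, names in groups.items()}
    findings = []
    for image, pid, names in rows:
        if image.lower() != "svchost.exe":
            continue
        for name in names:
            cfg = services.get(name)
            if cfg is None:
                findings.append((pid, name, "no Services key"))
                continue
            m = re.search(r"svchost\.exe\s+-k\s+(\S+)", cfg.get("ImagePath", ""), re.I)
            if not m:
                findings.append((pid, name, "ImagePath is not svchost.exe -k <group>"))
                continue
            group = m.group(1).lower()
            if name.lower() not in groups_lc.get(group, set()):
                findings.append((pid, name, f"not a member of Svchost group '{group}'"))
            dll = cfg.get("ServiceDll", "")
            if not dll.lower().startswith("%systemroot%\\system32\\"):
                findings.append((pid, name, f"ServiceDll outside System32: {dll}"))
    return findings


def demo():
    return check_svchost_hosting(parse_tasklist_svc(TASKLIST), SVCHOST_GROUPS, SERVICES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the two dictionaries would be populated from the registry (for example with `reg query` output) and the rows from a live `tasklist /svc`; the checks stay the same.
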
40
Service Control Program(SCP)
  • SCPs are standard Windows applications that use
    SCM service management functions.
  • Including
  • CreateService
  • OpenService
  • StartService
  • ControlService
  • QueryServiceStatus
  • DeleteService

41
Service Control Program(SCP)
  • A service control program starts and controls
    services. It performs the following actions:
  • Starts a service or driver service if the start
    type is SERVICE_DEMAND_START.
  • Sends control requests to a running service.
  • Queries the current status of a running service.
  • These actions require an open handle to the
    service object. To obtain the handle, the service
    control program must:
  • Use the OpenSCManager function to obtain a handle
    to the SCM database on a specified machine.
  • Use the OpenService or CreateService function to
    obtain a handle to the service object.

42
Security descriptor
  • Security descriptor: the Security registry value
  • Security descriptors can be associated with any
    named objects, including files, folders, registry
    keys and other resources, and contain information
    about the owner (creating user) of the object as
    well as which users can access the object, the
    type of access (read, read/write, execute, etc)
    on a per-user basis, among others.
  • Command-line: cacls

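The security descriptor on a service object decides who may reconfigure, start or stop it, which is what slides 40 to 42 are about. The following is an added example, not the presentation's code: SAMPLE_SDDL is constructed in the form `sc sdshow <service>` prints (the service's Security value decoded to SDDL), the fourth ACE is the deliberately weak one, the two-letter rights and SID abbreviations are the documented SDDL ones, and which combinations count as "weak" is this example's own choice.

```python
"""Audit a service's security descriptor in SDDL form for over-broad rights.

Added illustration, not the presentation's code.  SAMPLE_SDDL is constructed;
the Authenticated Users ACE is the intentionally weak one.
"""
import re

SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"            # LocalSystem
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"      # Administrators: full control
    "(A;;CCLCSWLOCRRC;;;IU)"                    # Interactive users: query only
    "(A;;CCDCRPWP;;;AU)"                        # constructed weak ACE: Authenticated Users may change config
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

ACE_RE = re.compile(r"\(([^)]*)\)")
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "IU": "Interactive"}
SENSITIVE_RIGHTS = {"DC": "change config", "WD": "write DACL", "WO": "write owner",
                    "SD": "delete", "GA": "generic all", "GW": "generic write"}


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts with type, flags, rights set and trustee."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        raw = fields[2]
        # Rights are two-letter tokens; a hex mask (0x...) is left unexpanded here.
        rights = set() if raw.startswith("0x") else {raw[i:i + 2] for i in range(0, len(raw), 2)}
        aces.append({"type": fields[0], "flags": fields[1], "rights": rights,
                     "raw_rights": raw, "trustee": fields[5]})
    return aces


def weak_aces(sddl):
    """Allow ACEs that hand a sensitive right to a broad, low-privilege trustee."""
    out = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] not in BROAD_TRUSTEES:
            continue
        hits = sorted(ace["rights"] & set(SENSITIVE_RIGHTS))
        if hits:
            out.append((BROAD_TRUSTEES[ace["trustee"]], [SENSITIVE_RIGHTS[h] for h in hits]))
    return out


if __name__ == "__main__":
    print(weak_aces(SAMPLE_SDDL))   # [('Authenticated Users', ['change config'])]
```

Change-config (DC) in the hands of Authenticated Users means any logged-on account can point the service at a different binary, so that ACE is the one to fix; the Interactive entry with only query rights is the normal shape.
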
43
\WINDOWS\system32\sc.exe
44
\WINDOWS\system32\sc.exe
  • In Windows XP, sc.exe is the communication
    channel with the SCM.
  • Command-line: sc
  • Examples:
  • sc query
  • sc qc SMTPSVC

45
  • The End
  • Thank you for your attention