Windows API Reference
Core Architecture
Understanding the Windows Core Architecture
The Windows operating system is built upon a complex and robust core architecture designed to provide a stable and efficient environment for applications and system processes. This section delves into the fundamental components that define how Windows manages resources, executes code, and provides services to applications.
Processes and Threads
At the heart of Windows multitasking are the concepts of processes and threads. A process is an instance of a running program, possessing its own independent address space, system resources (like file handles and security context), and at least one thread of execution. A thread is the smallest unit of execution within a process. Multiple threads can exist within a single process, sharing the process's resources but executing independently.
Process Management
Windows provides sophisticated mechanisms for creating, managing, and terminating processes. Each process is assigned a unique Process ID (PID). Key APIs for process management include:
| Function | Description |
|---|---|
CreateProcess |
Creates a new process and its primary thread. |
OpenProcess |
Opens an existing process object. |
TerminateProcess |
Terminates a process. |
GetProcessId |
Retrieves the process identifier of the specified process. |
Thread Management
Threads allow for concurrency within a single application, enabling tasks like responding to user input while performing background computations. Each thread has its own execution stack, program counter, and set of registers. Key APIs for thread management include:
| Function | Description |
|---|---|
CreateThread |
Creates a new thread to execute within the virtual address space of the calling process. |
OpenThread |
Opens an existing thread object. |
ExitThread |
Causes the calling thread to exit. |
GetThreadId |
Retrieves the thread identifier of the specified thread. |
Memory Management
Windows employs a virtual memory system that provides each process with its own large, contiguous address space. This virtual memory is mapped by the operating system to physical RAM and disk storage (paging file). This abstraction simplifies memory management for developers and protects processes from interfering with each other's memory.
Virtual Address Space
Each process has a 64-bit virtual address space (on 64-bit systems), which is divided into regions for code, data, heap, and stack. The Memory Manager component of the kernel handles the mapping between virtual and physical addresses.
Memory Allocation APIs
Developers interact with the memory manager through various APIs:
| Function | Description |
|---|---|
VirtualAlloc |
Reserves or commits a region of pages in the virtual address space of the calling process. |
VirtualFree |
Releases, decommits, or both, a whole region of pages. |
HeapAlloc |
Allocates a block of memory from a specified heap. |
GlobalAlloc / LocalAlloc |
Older APIs for global and local memory allocation (less common in modern development). |
new and delete, which typically leverage the underlying Windows memory management APIs.
Kernel Objects
The Windows kernel manages a variety of system resources through objects. These kernel objects represent entities such as processes, threads, events, mutexes, semaphores, files, and devices. Kernel objects are used for synchronization, inter-process communication, and resource management.
Object Handles
When an application requests access to a kernel object, the kernel returns a handle. A handle is an integer that acts as a reference to a specific kernel object. Handles are process-specific, meaning a handle valid in one process is not valid in another unless it's explicitly duplicated or inherited.
Common Kernel Objects and Their Uses
- Events: Used to signal occurrences between threads or processes.
- Mutexes (Mutual Exclusions): Used to protect shared resources from concurrent access by multiple threads.
- Semaphores: Used to control access to a resource that has a limited number of instances.
- Critical Sections: A lighter-weight mechanism than mutexes for synchronization within a single process.
Object Management APIs
APIs related to kernel objects often involve handle manipulation and synchronization primitives:
| Function | Description |
|---|---|
CreateEvent |
Creates or opens an event object. |
CreateMutex |
Creates or opens a mutex object. |
CreateSemaphore |
Creates or opens a semaphore object. |
WaitForSingleObject |
Waits until the specified object is in the signaled state or the time-out interval elapses. |
CloseHandle |
Closes an open object handle. |
System Calls
Applications interact with the Windows kernel and its services primarily through a set of documented functions called the Application Programming Interface (API). When an application calls an API function that requires kernel services (e.g., file I/O, process creation), a transition occurs from user mode to kernel mode, often referred to as a system call.
User Mode vs. Kernel Mode
Windows, like most modern operating systems, employs a security boundary between user mode and kernel mode. User mode is where applications and most system services run, with restricted access to hardware and memory. Kernel mode has privileged access to all system resources. This separation protects the operating system from crashing due to application errors.
The Native API
While developers commonly use the Win32 API (e.g., functions prefixed with 'W' or 'Nt' are often closer to the Native API), the lowest level of interaction with the kernel is through the Native API. Functions like NtCreateFile and NtWriteFile are part of the Native API, and the Win32 API functions often call these Native API functions.