By dancefire: dancefire at 263 dot net
2004/06/17
A small finding from today.
1. Introduction
I have always liked getting to the root of things: asking myself questions, asking until there is nothing left to ask, and then of course asking again. The trigger this time was an old problem with a software auto-update feature: sometimes it could not update automatically. After analysis it turned out the failure happens when replacing a program that is currently running, so I set out to analyze how a running program can be replaced.
Although that sounds like digging deep, in reality I only got part of the way into the problem, and the analysis stalled where my skills ran out. I still hope this article helps someone else who is thinking about the same problem.
Back to the topic. The starting point is BGATE's XFOCUS article "Replacing in-use system files under Win2000/XP" (INPT).
He studied how to replace a system file that is in use and analyzed a Microsoft tool, ZAP, that can do it. The analysis shows that the tool moves the in-use file to a temporary directory, then schedules that temporary copy for deletion at the next startup. Because the original location in the system directory is now free, the new file can be moved into place.
Part of the implementation is shown below (the listing was garbled in the original; buffer declarations and the destination of the last call are reconstructed from the description above):

    #include <windows.h>
    #include <stdio.h>

    /* Replace szFileToDel, which is in use, with szSrcFile, the way ZAP does it. */
    BOOL ReplaceInUseFile(LPCSTR szSrcFile, LPCSTR szFileToDel)
    {
        char cTempPathName[MAX_PATH], cTempFileName[MAX_PATH], cFileName[0x100];

        /* temp directory: the root of the drive holding the file, or of our own module */
        if (szFileToDel[1] == ':') {
            sprintf(cTempPathName, "%c:\\", szFileToDel[0]);
        } else {
            GetModuleFileName(NULL, cFileName, 0x100);
            sprintf(cTempPathName, "%c:\\", cFileName[0]);
        }
        if (GetTempFileName(cTempPathName, "_@", 0, cTempFileName) == 0) return FALSE;
        /* 1. move the in-use file out of the way (a mapped image may be renamed, not deleted) */
        if (MoveFileEx(szFileToDel, cTempFileName, MOVEFILE_REPLACE_EXISTING) == 0) return FALSE;
        /* 2. have the system delete the temporary copy at the next boot */
        if (MoveFileEx(cTempFileName, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) == 0) return FALSE;
        /* 3. put the new file into the freed location (destination reconstructed; the original listing was truncated) */
        if (MoveFileEx(szSrcFile, szFileToDel, 0) == 0) return FALSE;
        return TRUE;
    }

The flag values are defined in WinBase.h:

    #define MOVEFILE_REPLACE_EXISTING   0x00000001
    #define MOVEFILE_COPY_ALLOWED       0x00000002
    #define MOVEFILE_DELAY_UNTIL_REBOOT 0x00000004
    #define MOVEFILE_WRITE_THROUGH      0x00000008
2. MoveFileEx analysis
To understand how MoveFileEx() performs the file move at restart, I checked the operating system source code.
1. MoveFileEx() actually calls MoveFileWithProgressW(), passing NULL for the two callback parameters.
2. When dwFlags contains MOVEFILE_DELAY_UNTIL_REBOOT, MoveFileWithProgressW() calls the BasepMoveFileDelayed() function.
3. BasepMoveFileDelayed() schedules the file operation for the next restart by modifying the registry. The value it modifies is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ value. Its format is:
    szDstFile\0\0
    szSrcFile\0szDstFile\0\0
    szSrcFile\0!szDstFile\0\0
Some articles list the source file and the target file in the opposite order, which is not the most sensible reading. The separator between the two names is a Unicode \0, that is, the two bytes 00 00.
Also note that if MOVEFILE_REPLACE_EXISTING is specified, an exclamation mark is prepended to the target file name.
After analyzing the source I found that this value is actually documented in the original MSDN.
Later I opened the value on my own machine and found a pile of entries inside: files that had not yet been deleted, waiting for my next restart.
According to the description of MOVEFILE_DELAY_UNTIL_REBOOT, the operating system performs the specified file operation immediately after the system restarts, before any pagefile is created. Also, make sure the file to be operated on is accessible to LocalSystem or the Administrators group.
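To make the value format above concrete, here is an added example (my code, not from the original post or from the ZAP tool) that encodes and decodes the PendingFileRenameOperations REG_MULTI_SZ blob and expresses the three MoveFileEx calls from the ZAP listing as the one entry they leave in the registry. It is pure Python with no Win32 calls, so it runs on any platform. Assumptions not stated on the page: the value stores NT-style object names (the `\??\` prefix added by nt_path), the sample file names are made up, and the final MoveFileEx of the listing moves the new file onto the original name with flags 0.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flag values from WinBase.h, as quoted on the page.
MOVEFILE_REPLACE_EXISTING = 0x00000001
MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004


@dataclass
class PendingOp:
    """One source/target pair from PendingFileRenameOperations."""
    source: str
    target: Optional[str] = None      # None: delete source at next boot
    replace_existing: bool = False    # encoded as a leading '!' on target

    def describe(self) -> str:
        if self.target is None:
            return f"delete  {self.source}"
        verb = "replace" if self.replace_existing else "rename "
        return f"{verb} {self.source} -> {self.target}"


def nt_path(win_path: str) -> str:
    """Assumption (not stated on the page): the value stores NT-style object
    names, so 'C:\\x' is written as '\\??\\C:\\x'."""
    return "\\??\\" + win_path


def encode_pending(ops: List[PendingOp]) -> bytes:
    """Serialize ops as REG_MULTI_SZ: per op two NUL-terminated UTF-16LE strings
    (source, then target); target is "" for a delete and gets a '!' prefix when
    MOVEFILE_REPLACE_EXISTING was requested; one extra NUL closes the list."""
    parts: List[str] = []
    for op in ops:
        parts.append(op.source)
        if op.target is None:
            parts.append("")
        else:
            parts.append(("!" if op.replace_existing else "") + op.target)
    text = "".join(p + "\0" for p in parts) + "\0"
    return text.encode("utf-16-le")


def decode_pending(blob: bytes) -> List[PendingOp]:
    """Inverse of encode_pending. Walks the strings two at a time; an odd count
    is rejected rather than guessed at, because a misread entry would make the
    boot-time processing act on the wrong name."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    body = text[:-2]                  # strip the last string NUL and the list NUL
    if body == "":
        return []
    strings = body.split("\0")
    if len(strings) % 2:
        raise ValueError(f"odd number of strings ({len(strings)}): unpaired entry")
    ops: List[PendingOp] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp(src))
        elif dst.startswith("!"):
            ops.append(PendingOp(src, dst[1:], replace_existing=True))
        else:
            ops.append(PendingOp(src, dst))
    return ops


def plan_zap_replacement(new_file: str, in_use_file: str, temp_file: str) -> Dict[str, list]:
    """The three MoveFileEx calls from the ZAP listing, split by when they act.
    Only the deferred delete of temp_file reaches PendingFileRenameOperations;
    the two renames run at once, since a mapped image may be renamed but not deleted."""
    immediate: List[Tuple[str, str, int]] = [
        (in_use_file, temp_file, MOVEFILE_REPLACE_EXISTING),  # old file out of the way
        (new_file, in_use_file, 0),                           # new file into the freed slot
    ]
    deferred = [PendingOp(nt_path(temp_file))]               # cleanup at next boot
    return {"immediate": immediate, "deferred": deferred}


def render_pending(blob: bytes) -> List[str]:
    """One readable line per pending operation, for auditing the value."""
    return [op.describe() for op in decode_pending(blob)]


if __name__ == "__main__":
    # Constructed scenario: the auto-updater from the introduction swapping its
    # own running executable. All names are made up for this example.
    plan = plan_zap_replacement(
        new_file=r"C:\Program Files\MyApp\update\app.exe",
        in_use_file=r"C:\Program Files\MyApp\app.exe",
        temp_file=r"C:\_@1A2B.tmp",
    )
    for src, dst, flags in plan["immediate"]:
        print(f"MoveFileEx({src!r}, {dst!r}, {flags:#x}) runs now")
    blob = encode_pending(plan["deferred"])
    print("registry value bytes:", blob.hex(" "))
    for line in render_pending(blob):
        print("at next boot:", line)
```

Running the script prints the two immediate renames and then the decoded contents of the one deferred entry. The decoder is also what you would point at a real value read from the registry to see which files are waiting for the next restart, as the author did by hand.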
I also noticed something else I am not familiar with: why can a file be moved while the application using it keeps running, but not deleted? I have not studied this, but my feeling is that a move changes nothing essential, rather like a link: although the location changes, the link still tracks where the image is, so every operation that goes through the link keeps working. Deleting the file would remove the link and make those operations fail, so to avoid that failure, deleting a file that is in use is forbidden.
3. The operating system startup process
Look at the NT startup process to see where during boot the system performs the move or delete operations described above.
In the kernel initialization phase, Ntoskrnl.exe takes control from NTLDR. In the final step, Session Manager launches the Windows XP high-level subsystems and services: the Win32 subsystem, which controls all input and output devices and access to the monitor screen, and the Winlogon process. With that, kernel initialization is complete.
Session Manager is actually smss.exe, which we often see in the process list. Disassembling it, the CPU types XP considers in sub_48584D01 are:
    0     x86
    1     MIPS
    2     Alpha
    3     PPC
    4     IA64
    5     Alpha64
    other Unknown
I found the string PendingFileRenameOperations in smss.exe, so this should be the file responsible for performing the file move operations during boot. Unfortunately I could not find where PendingFileRenameOperations is actually processed, which is a pity.
Here is a passage from Sysinternals.com about Session Manager and PendingFileRenameOperations:
[http://www.sysinternals.com/ntw2k/info/regboot.shtml]
After you pass the point in the log where boot and system driver initialization is complete you'll begin to see records created by the smss.exe process, which is called the Session Manager. Session Manager is the first user-mode process launched during a boot. You'll see it immediately check to see if there are any rename operations it should perform before the system is up and running by looking at the value HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. Next you'll see it determine what DOS device mappings it should create (e.g. COM1, LPT1), what environment variables are defined, what DLLs it "knows about" (standard DLLs in the system32 directory), and which protected subsystems it should start (e.g. OS/2, POSIX).
Session Manager typically launches Chkdsk (autocheck.exe), which is specified in the Session Manager's BootExecute value along with direction to run other boot-time native applications. After Autocheck finishes Session Manager starts Winlogon and the Win32 subsystem (CSRSS.EXE). Both of these generate interleaved Registry accesses as they start up concurrently. Winlogon can be seen querying the .Default key's display settings, including colors and mouse settings under HKU\.Default\Control Panel. The .Default key's contents are user preferences that are active when no one is logged in, and Winlogon uses them for the screen on which it displays the logon dialog box.
However, this differs from what Microsoft says, which is AUTOCHK first and then PendingFileRenameOperations.
Another document (http://freehost02.websamba.com/brittanyfoo/bootprocess.html) describes the initialization sequence. SMSS's main thread performs the following initialization steps:
1. Create an LPC port object (\SmApiPort) and two threads that wait for client requests. Client requests include loading a new subsystem or creating a session.
2. Define symbolic links for MS-DOS device names such as COM1 and LPT1.
3. If Terminal Services is installed, create a \Sessions directory in the Object Manager namespace.
4. Run the programs defined in HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute, typically Autochk (the boot-time version of Chkdsk).
5. Perform the delayed file operations listed in HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the pending file deletions in PendingFileRenameOperations2.
6. Open the known DLLs.
7. Create additional paging files.
8. Initialize the registry. The Configuration Manager refreshes the registry and loads the hive files for the HKLM\SAM, HKLM\Security and HKLM\Software keys. HKLM\System\CurrentControlSet\Control\HiveList lists the hive files on disk; the Configuration Manager looks for them in \Winnt\System32\Config.
9. Create the system environment variables.
10. Load the kernel-mode part of the Win32 subsystem (Win32k.sys). SMSS looks for Win32k.sys and other loadable components on the load paths to determine their location. Initialization code in Win32k.sys uses the video driver to switch the screen resolution to the value defined in the default profile, so the screen changes from the VGA mode used by the boot video driver to the default resolution chosen by the system.
11. Start the subsystem processes, including CSRSS.
12. Start the logon process (Winlogon).
13. Create the LPC ports for debugging event messages (DbgSsApiPort and DbgUiApiPort) and create a thread that listens on these ports.
This is the clearest description.
4. Summary
At this point I have a preliminary understanding of how a file that is in use gets replaced.
MoveFileExW -> MoveFileWithProgressW -> BasepMoveFileDelayed -> HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Then NTLDR boots, ntoskrnl.exe completes kernel initialization and starts smss.exe; after autochk, smss checks PendingFileRenameOperations and performs the file replacement operations. Finally SMSS launches the Winlogon process so that users can log in.
Therefore this method can replace almost any system file, because SMSS is the first user-mode process: at that point very few files are in use, and nothing before it can be holding a file open.
If you are replacing a system file such as smss.exe, use Microsoft's approach: first move smss.exe to the temporary folder, then put the new smss.exe in the correct directory, and schedule the smss.exe in the temporary folder for a move to NULL with MOVEFILE_DELAY_UNTIL_REBOOT. When the system restarts it naturally uses the new smss.exe and then removes the garbage in the temporary folder. Actually it is not certain that the cleanup happens right then; it can happen later, because nothing in the temporary folder is in use any more. If you replace an ordinary application, you only need to restart the application, because the application directory already holds the new file; the restart only serves to delete the garbage in the temporary folder.