Session Manager Subsystem

The Session Manager Subsystem, or smss.exe, is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the startup process of those operating systems.

Session initialization

The Session Manager Subsystem is the first user-mode process started by the kernel. Once started it creates additional paging files with configuration data from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, [1] the environment variables located at the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, and DOS device mappings (e.g. CON:, NUL:, AUX:, COM1:, COM2:, COM3:, COM4:, PRN:, LPT1:, LPT2:, LPT3:, and drive letters) listed at the HKLM\System\CurrentControlSet\Control\Session Manager\DOS Devices registry key. This can be used to create permanent subst drives.

The manager is responsible for starting the kernel and user modes of the Win32 subsystem. This subsystem includes win32k.sys (kernel-mode), winsrv.dll (user-mode), and csrss.exe (user-mode). [2] Any other subsystems listed in the Required value of the HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems Registry key are also started.

The manager is also responsible for performing any operations requested at the start of a session. Commands listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, such as autochk and convert, are executed. These commands are run before services are loaded by later steps of the booting process. [3] Any rename operations queued at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations are also carried out. This allows previously in-use files (e.g. drivers) to be replaced as part of a reboot. [4]
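As an added example (not part of the original article), the code below decodes raw REG_MULTI_SZ data for PendingFileRenameOperations and BootExecute, as one might when reviewing these values from an offline SYSTEM hive. It assumes the MoveFileEx pair layout (source, then destination; an empty destination means delete; a leading `!` means replace an existing file) and the stock BootExecute value `autocheck autochk *`; the function names and sample paths are constructed for illustration.

```python
# Added example: decode the REG_MULTI_SZ values SMSS acts on at boot.
NT_PREFIX = "\\??\\"                          # NT namespace prefix on stored paths
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"  # assumed stock value

def parse_multi_sz(raw: bytes) -> list[str]:
    """Split REG_MULTI_SZ data: UTF-16LE strings, each NUL-terminated, plus a
    final NUL. Interior empty strings are kept (they mean 'delete' below)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                      # list terminator
    parts = text.split("\0")
    if parts[-1] == "":
        parts.pop()                           # remainder after the last string's NUL
    return parts

def pending_renames(strings: list[str]) -> list[tuple[str, str, str]]:
    """Pair up (source, destination) entries into (action, source, target)."""
    if len(strings) % 2:
        strings = strings + [""]              # truncated tail: treat as delete
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")         # '!' = overwrite existing target
        dst = dst[1:] if replace else dst
        action = "delete" if not dst else "replace" if replace else "rename"
        ops.append((action, src.removeprefix(NT_PREFIX), dst.removeprefix(NT_PREFIX)))
    return ops

def non_default_boot_execute(strings: list[str]) -> list[str]:
    """Return BootExecute entries other than the stock autochk line."""
    return [s for s in strings if s.strip().lower() != DEFAULT_BOOT_EXECUTE]

def _multi_sz(*items: str) -> bytes:
    """Build constructed sample data in on-disk REG_MULTI_SZ form."""
    return ("".join(i + "\0" for i in items) + "\0").encode("utf-16-le")

# Constructed samples, not taken from a real host.
SAMPLE_RENAMES = _multi_sz(
    r"\??\C:\Windows\Temp\old.sys", "",
    r"\??\C:\Windows\Temp\new.sys", r"!\??\C:\Windows\System32\drivers\example.sys",
)
SAMPLE_BOOT_EXECUTE = _multi_sz("autocheck autochk *", "example_tool /arg")

if __name__ == "__main__":
    for op in pending_renames(parse_multi_sz(SAMPLE_RENAMES)):
        print(op)
    print(non_default_boot_execute(parse_multi_sz(SAMPLE_BOOT_EXECUTE)))
```

An entry returned by `non_default_boot_execute` is not necessarily a problem (convert, for example, registers itself there), but it is something that will run before services load and is worth accounting for.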

Starting with Windows Vista, the Session Manager Subsystem creates a temporary instance of itself that launches the Windows Startup Application (wininit.exe) and a second Client/Server Runtime Subsystem (csrss.exe) for Session 0, a session dedicated to system processes. From here, the Windows Startup Application starts the Service Control Manager (services.exe), which starts all the Windows services that are set to "Auto-Start". [4] The application also starts the Local Security Authority Subsystem Service (lsass.exe). Before Windows Vista, these processes were started by Windows Logon instead of the Windows Startup Application. [5]

Once the session is configured, the Session Manager Subsystem starts Winlogon (Windows Logon Application), which is responsible for handling interactive logons to a Windows system, either local or remote. [5]

Operation

After the boot process is finished, the program resides in memory and can be seen running in the Windows Task Manager. It then waits for either winlogon.exe or csrss.exe to end, at which point Windows will shut down. If the processes do not end in an expected fashion, smss.exe may hang the system, or a bugcheck will occur. [6] It also initiates new user sessions when needed.

The Local Session Manager Service (lsm.exe) sends requests to SMSS through the Asynchronous Local Inter-Process Communication (ALPC) port SmSsWinStationApiPort to start new sessions.

Each time a user logs on to the system, the initial Session Manager creates a new instance of itself to configure a new session. This new process starts a Win32 subsystem and Winlogon process for the new session. This allows multiple users to log on at the same time on Windows Server systems. [5]

References

  1. "Troubleshooting the Startup Process". Windows XP Resource Kit. Microsoft Technet. November 3, 2005. Retrieved October 24, 2011.
  2. Matt Pietrek (1996). "Poking Around Under the Hood: A Programmer's View of Windows NT 4.0". Microsoft Systems Journal. Archived from the original on November 18, 2012.
  3. "Troubleshooting the Startup Process". Windows XP Resource Kit. Microsoft Technet. November 3, 2005. Retrieved October 24, 2011.
  4. Ionescu, Alex; Russinovich, Mark; Solomon, David A. (2012). Windows Internals, Part 2 (6th ed.). Redmond, Wash.: Microsoft. pp. 522–527. ISBN 978-0735665873.
  5. Archiveddocs. "Windows Administration: Inside the Windows Vista Kernel: Part 2". learn.microsoft.com. Retrieved 2023-05-13.
  6. Microsoft Corporation (2007). "Default Processes in Windows 2000". Microsoft Corporation. Retrieved 2009-06-14.

Further reading