|<Windows Process & Threads: C Run-Time 6 |Main |Windows Process & Threads Programming 2 >|Site Index |Download |







Part 1: Story And Program Examples





What do we have in this Module?

  1. The Basic Story

  2. Windows NT process

  3. Process Execution

  4. Basic of Process Creation

  5. Process Switching

  6. Context Switching

  7. Multithreading









My Training Period: yy hours. Before you begin, read someinstruction here.




The expected abilities in this session include:

  • Able to understand from zero ground about a process and thread implementation in Windows OSes.

  • Able to understand various terms used in the process and thread discussion.

  • Able to understand process scheduling and scheduler.

  • Able to use Windows Task Manager to view and control processes.

  • Able to understand Synchronization.

  • Able to understand various object used to synchronize multiple threads such as Mutex, Semaphore and Timer.

  • Able to understand and differentiate between multitasking and multithreading.

  • Able to understand various Inter-process communications among processes mechanisms such as Remote Procedure Call (RPC), Pipes and Windows Sockets.

The Basic Story


Let start from the most basic story.  The following Figure is a typical representation of operating System (OS) as a ring-structure that you may find in reference book mainly for UNIX OS. The outermost is the user ring and the innermost is the hardware. In operating system programming we do not deal a lot with the hardware (except the I/O and leave the hardware designer to do that works) so we normally reach at the kernel as the innermost. If comparing to the earth, the core or kernel should be the innermost.  From the Figure, there is no way the user can directly access other ring layer without going through the other ring layers so we need interfaces, for example, implemented as Application Programming Interfaces (APIs) etc. A supervisor, also a user but with higher privileges normally having the control of the operating system.


Windows process & thread: kernel

Figure 1: A general representation of Operating System as a ring-structure



And the following Figure shows Windows NT OS architecture in a layered structure.


Windows NT Operating System layered struture


Windows NT OS struture - legend

Figure 2: A layered structure of Windows NT OS


The previous Figure illustrates the overall structure of Windows NT.  Its highly modular structure gives Windows NT the flexibility. NT can execute on variety of hardware platforms and supports applications written for a variety of other OSes too. As virtually all OSes, NT separates application-oriented software from OS software.  The latter runs in what is generally referred to as privileged mode or kernel mode. Kernel-mode software has access to system data and to the hardware.  The remaining software, running in user mode, has limited access to system data.  The kernel-mode software is referred to as theNT executive. Whether it is running on a uniprocessor or multiprocessor, a CISC (Intel) or RISC (Motorola) system, most of NT sees the same view of the underlying hardware.  To achieve this independence, the OS system consists of four layers:


  1. HAL: Maps between generic hardware commands and responses and those unique to a specific platform such as Intel Pentium, a Motorola PowerPC or the defunct DEC Alpha processor. The HAL makes each machine’s system bus, DMA controller, interrupt controller, system timers and memory module look the same to the kernel. It also delivers the support needed for symmetric multiprocessing (multi processor).  Through the HAL NT system should be platform independent.

  2. Kernel: Consists of the most used and most fundamental components of the OS. The kernel manages scheduling andcontext switching, exception and interrupt handling, and multiprocessor synchronization.

  3. Subsystems: Include a variety of modules for specific functions, which make use of the basic services provided by the kernel.

  4. System services: Provide an interface to user-mode software.


From the Figure also we can see that the I/O Manager subsystem bypasses the HAL to interact directly with the hardware. This is necessary to achieve the efficiency and throughput required for I/O operation.  The protected subsystems are those parts of NT that interact with the end user. A protected subsystem provides a graphical or command-line user interface that defines the look and feel of the OS for a user. Additionally, each protected subsystem provides the application programming interface (API) for that particular operating environment. This means that applications created for a particular operating environment may run unchanged on NT because the OS interface that they see is the same as that for which they were written.  For example, OS/2 based applications may run under the NT OS without modification except may need recompilation.The way in which the executive, the protected subsystems and the applications are structured for NT is by using the client-server computing model which is a common model for distributed computing.


The Windows NT process


The following Figure shows the Windows NT process and its resources relationship.


Windows NT process and its resources

Figure 3: Windows NT process and its resources


Important characteristics of NT processes are the listed below.


  1. NT processes are implemented as objects.

  2. An executable process may contain one or more threads.

  3. Both process and thread objects have built-in synchronization capabilities.

  4. The NT kernel does not maintain any relationship among the processes that it creates, including parent-child relationship.


Figure 3 illustrates the way in which a process relates to the resources it controls or uses. The access token controls whether the process can change its own attributes.  In this case the process does not have a handle opened to its access token. If the process attempts to open such a handle, the security system determines whether this is permitted and therefore whether the process may change its own attributes.A series of blocks defines the virtual address space currently assigned to this process. The process cannot directly modify these structures but must rely on the virtual memory manager, which provides a memory-allocation service for the process. Finally the process includes an object table, which handles to other objects known to this process. One handle exists for each thread contained in this object.  In this figure, there is a single thread shown.  Additionally the process has access to a file object and to a section object that defines a section of shared memory.

Each NT process is represented by an object.  Each process is defined by a number of attributes and encapsulates a number of actions, or services, that it may perform. A process will perform a service upon receipt of the appropriate message. The only way to invoke such a service is by means of messages to a process object that provides that service. When NT creates a new process, it uses the object class, or type defined for the NT process as a template to generate a new object instance. At the time of creation, attributes values are assigned. An NT process must contain at least one thread to execute. The thread may then create other threads. In multiprocessor system, multiple threads from the same process may execute in parallel.Generally, a process, an abstraction of a running program is the most central concept in any OS.  From the OS general view a concept of process having the following two characteristics:


  1. Unit of resource ownership: A process is allocated a virtual address space to hold the process image and from time to time the process may be assigned main memory plus control of other resources such as I/O channels, I/O devices and files.

  2. Unit of dispatching: A process is an execution path (trace) through one or more programs.  This execution may be interleaved with other processes. Thus a process has an execution state (running, ready etc.) and a dispatching priority and it is the entity that is scheduled and dispatched by the OS.


These two characteristics are independent and could be treated independently by OS.  To distinguish the two characteristics, the unit of dispatching is usually referred to as a thread or lightweight process, whereas the unit of resource ownership is usually still referred to as a process or task.Windows NT support threads within processes.   Threads incorporate some of the functionality traditionally associated with processes.  The distinction refined from the previous list is:


  1. Threads: A dispatchable unit of work.  It is the thing that executes sequentially and is interruptible so that the processor can turn to another thread.  From the point of view of scheduling and dispatching, this concept is equivalent to that of a process on most other OSes.

  2. Process: A collection of one or more threads and associated system resources such as memory, open files and devices.  This corresponds closely to the concept of a program in execution.  By breaking a single application up into multiple threads, the programmer has great control over the modularity of the application and the timing of application-related events.  From the point of view of the job or application, this concept is equivalent to that of a process on most other OSes.


----------------------------------------------Process & Thread in COM-----------------------------------------


In Component Object Model (COM) of MSDN documentation the process and thread were told something like this: A process is a collection of virtual memory space, code, data, and system resources. Athread is code that is to be serially executed within a process. A processor executes threads, not processes, so each 32-bit application has at least one process, and a process always has at least one thread of execution, known as the primary thread. A process can have multiple threads in addition to the primary thread. Prior to the introduction of multiple threads of execution, applications were all designed to run on a single thread of execution. Processes communicate with one another through messages, using Microsoft's Remote Procedure Call (RPC) technology to pass information to one another. There is no difference to the caller between a call coming from a process on a remote machine and a call coming from another process on the same machine.

When a thread begins to execute, it continues until it is killed or until it is interrupted by a thread with higher priority (by a user action or the kernel's thread scheduler). Each thread can run separate sections of code, or multiple threads can execute the same section of code. Threads executing the same block of code maintain separate stacks. Each thread in a process shares that process's global variables and resources. The thread scheduler determines when and how often to execute a thread, according to a combination of the process's priority class attribute and the thread's base priority. You set a process's priority class attribute by calling the Win32® function SetPriorityClass(), and you set a thread's base priority with a call to SetThreadPriority().Multithreaded applications must avoid two threading problems: deadlocks and races. A deadlock occurs when each thread is waiting for the other to do something. A race condition occurs when one thread finishes before another on which it depends, causing the former to use a bogus value because the latter has not yet supplied a valid one.




The life of a process is bounded by its creation and termination.  When a new process is to be added to those that are currently being managed by the operating system, the operating system builds the data structures that are used to manage the process and allocates the address space to be used by the process.  These actions constitute the creation of a new process.  Some of the common events that lead to the creation of a process are listed in the following table.




New batch job

The OS is provided with a batch-job-control system, usually on tape or disk.  When the OS is prepared to take on new work, it will read the next sequence of job-control commands.  A process is created in response to the submission of a job.  The OS is responsible to create a new process.

Interactive logon

A user at the terminal logs on to the system.  The OS is responsible to create a new process.

Created by OS to provide a service

The OS can create a process to perform a function on behalf of a user program, without the user having to wait such as printing.

Spawned by existing process

For purposes of modularity or to exploit parallelism, a user program can dictate the creation of a number od processes.  For example a server process such as print, file and web server may create a new process for each request of another process.  Normally referred to as process spawning.  When one process spawns another process, the spawning process is referred to as the parent process and the spawned process is referred is referred to as the child process and normally these processes will need to communicate and cooperate with each other.


Table 1


And the typical reasons for process termination are listed in the following Table.




Normal task completion

The process executes an OS service call to indicate that it has completed running.

Memory unavailable

The process requires more memory than the system can provide.

Privileged instruction

The process attempts to use an instruction reserved for the operating system.

Bounds violation

The process tries to access memory location that it is not allowed to access.

Protection error

The process attempts to use a resource or a file that it is not allowed to use, or it tries to use it in an improper fashion, such as writing to a read-only file.

Arithmetic error

The process tries a prohibited computation, such as division by zero or tries to store numbers larger than the hardware can accommodate.

Time overrun

The process has waited longer than a specified maximum for a certain event to occur.

I/O failure

An error occurs in input or output such as inability to find a file, failure to read or write after a specified maximum number of tries (when, for example, a defective area is encountered on a tape or invalid operation such as reading from the line printer).

Invalid instruction

The process attempts to execute a nonexistent instruction (often a result of branching into a data area and attempting to execute the data).

Time limit exceeded

The process has run longer than the specified total time limit.  There are a number of possibilities for the type of time that is measured.  These include total elapsed time, amount of time spent executing and in case of an interactive process, the amount of time since the user last provided any input.

Data misuse

A piece of data is of the wrong type or is not initialized.

Operator or OS intervention

For some reason, the operator or the operating system has terminated the process (for example, if a deadlock exists.)

Parent termination

When a parent terminates, the operating system may be designed to automatically terminate all the offspring of that parent.

Parent request

A parent process typically has the authority to terminate any of its offspring.


Table 2


Generally, a process may be in the following state.  Keep in mind that for implementation specific, process may have other states defined as well.





The process that is currently being executed.


Processes that are prepared to execute when given the opportunity.


A process that cannot execute until some event occurs such as the completion of an I/O operation.


When all the processes in main memory are in Blocked state, the OS can suspend one process by putting it in the Suspend state and transferring it to disk.  This involves the swapping, which moves part or all of a process from main memory to disk (secondary memory).  Reasons for process suspension may be for:

Swapping – The OS needs to release sufficient main memory to bring in a process that is ready to execute.

OS reason – The OS may suspend a background or utility process or a process that is suspected of causing a problem.

Interactive user request – A user may wish to suspend execution of a program for purposes of debugging or in connection with the use of a resource.

Timing – A process may be executed periodically e.g. an accounting or system monitoring process and may be suspended while waiting for the next time interval.

Parent process request – A parent process may wish to suspend execution of a descendant to examine or modify the suspended process or to coordinate the activity of various descendants.


A process that has just been created but has not yet been admitted to the pool of executable processes by the OS.


A process that has been released from the pool of executable processes by the OS, either because it halted or because it aborted for some reason.


Table 3


An example of a process state transition diagram


Figure 4: An example of a process state transition diagram


Process Execution


Most processors that normally associated with the operating system and user programs support at least two modes of execution.  Certain instructions can be executed only in the more privileged mode.  These include reading or altering a control register, such as the program status word, primitive I/O instructions and instruction that relate to memory management.  Additionally certain regions of memory can be accessed only in the more privilege mode such as kernel or system memory area.The more privilege mode is referred to as the system mode/control mode/kernel mode.  This last term refers to the kernel of the operating system, which is a portion of the operating system that encompasses the important system functions.  The less privilege mode often referred to as the user mode because user programs typically execute in this mode.  From application point of view, in UNIX/Linux this privileged mode normally associated with the Root account and in Windows it is the Administrator account. The least privilege normally associated with normal user account.  Between the root and normal user account there are many more accounts that having privileges more than normal user but below the root account. The following table summarizes the tasks typically found in the kernel of an operating system.


 OS main tasks


Process Management

  1. Process creation and termination.

  2. Process scheduling and dispatching.

  3. Process switching.

  4. Process synchronization and support for inter-process communication.

  5. Management of the process control blocks.

Memory Management

  1. Allocation of address space to processes.

  2. Swapping.

  3. Page and segment management.

I/O management

  1. Buffer management.

  2. Allocation of I/O channels and devices to processes.

Support Functions.

  1. Interrupt handling.

  2. Accounting.

  3. Monitoring.


Table 4


In this and some other related Modules, we will just concentrate on the process management.  The reason for using two modes is to protect the operating system and key operating-system tables, such as process control blocks, from interference by user programs.  In the kernel mode, the software has complete control of the processor and all its instructions, registers (processor’s memory) and memory (system’s memory).  This level of control is not necessary and for operating system integrity and safety, is not desirable for user programs.


Basic of Process Creation


To create a process, an operating system generally will obey the following steps:


  1. Assign a unique process identifier (PID) to the new process. At this time, a new entry is added to the primary process table, which contains one entry per process.

  2. Allocate space for the process.  This includes all elements of the process image such as private user address space (program and data) and for user stack.  If any existing address space is to be shared by this new process, the appropriate linkages must be set up.  Finally space for a process control block must be allocated.

  3. The process control block must be initialized. This includes the initial process state, processor control information and priority.  Initially the process may own no resources such as I/O devices and files, unless there is an explicit request for these or unless they are inherited from the parent.

  4. The appropriate linkages must be set.  For example, if the operating system maintains each scheduling queue as a linked list, then the new process must be put in the Ready or Ready-suspend list.

  5. There may be other data structures to be created or expanded.  For example, the operating system may maintain an accounting file on each process to be used subsequently for billing and/or performance assessment purposes.


Process Switching


Process switching happens when a running process is interrupted and the operating system assigns another process to the Running state and turns control over to that process.  A process switching may happen any time that the operating system has gained control from the currently running process.  The following table lists the possible events that may give control to the operating system.





System Interrupt

External to the execution of the current instruction. This may be clock interrupt, I/O interrupt or memory fault.  Control is transferred to an interrupt handler which does some house keeping and then branches to an operating system routine that is concerned with the particular type of interrupt that has occurred.

Reaction to an asynchronous external event.

System Trap

Associated with the execution of the current instruction.  For example if the fatal error occurs, operating system will move the currently running process to the Exit state and process switch occurs and illegal attempt to access a file.

Handling of an error or an exception condition.

Supervisor call

Explicit request. It is a supervisor call from the program being executed.  For example currently running program call a routine that is part of the operating system code such as I/O request.

Call to an operating system function.


Table 5


Generally, the uses of a system call results in placing the user process in the Blocked state.


Context Switching


In the processor’s fetch-execute instruction there is an interrupt cycle. In this case computers provide a mechanism by which other modules such as I/O and memory may interrupt the normal processing order of the processor. Interrupt cycles are provided primarily as a way to improve processing efficiency. In the interrupt cycle, processor checks to see if any interrupts have occurred, which would be indicated by the presence of an interrupt signal.  If no interrupts are pending, the processor proceeds to the fetch cycle and fetches the next instruction of the current program in the current process else the processor does the following:


  1. It saves the context of the current program being executed.

  2. It sets the program counter to the starting address of an interrupt handler program.


The interrupt handler is typically a short program that performs a few basic tasks related to an interrupt. The processor now proceeds to the fetch cycle and fetches the first instruction of the interrupt handler program, which will service the interrupt. So the context switch happened here.  The context that is saved must include any information that may be altered by the execution of the interrupt handler and that will be needed to resume the program that was interrupted.  This information includes the program counter, other processor registers and stacks information.




Windows NT support concurrency among processes because threads in different processes may execute concurrently. Furthermore, multiple threads within the same process may be allocated to separate processors and execute concurrently.  A multithreaded process achieves concurrency without the overhead of using multiple processes. Threads within the same process can exchange information through shared memory and have access to the shared resources of the process.  The following Figure depicts a general concept of multithreading of server application. A single server process can service a number of clients.  Each client request triggers the creation of a new thread within the server.


An example of the Windows NT multithreaded server


Figure 5: An example of the Windows NT multithreaded server


An example of an application that could make use of threads is a server, such as a file server on a LAN. As each new file request comes in, a new thread could be spawned for the file-management program.  Because a server will handle many requests, many threads will be created and destroyed in a short period.  If the server is a multiprocessor, then multiple threads within the same task can be executing simultaneously on different processors.  The thread construct is also useful for single processor to simplify the structure of a program that is logically doing several different functions.








Further reading and digging:


  1. Microsoft C references, online MSDN.

  2. Microsoft Visual C++, online MSDN.

  3. ReactOS - Windows binary compatible OS - C/C++ source code repository, Doxygen.

  4. Linux Access Control Lists (ACL) info can be found atAccess Control Lists.

  5. For Multi bytes, Unicode characters and Localization please refer to Locale, wide characters & Unicode (Story) and Windows users & groups programming tutorials (Implementation).

  6. Structure, enum, union and typedef story can be found C/C++ struct, enum, union & typedef.

  7. Check the best selling C / C++ and Windows books at Amazon.com.


 |<Windows Process & Threads: C Run-Time 6 |Main |Windows Process & Threads Programming 2 >|Site Index |Download |