Process Environment Block
   HOME

TheInfoList



Click Here for Items Related To - Process Environment Block
OR:
Process Environment Block on:   [Wikipedia]   [Google]   [Amazon]

In
computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithmic processes, and development of both hardware and software. Computing has scientific, ...
the Process Environment Block (abbreviated PEB) is a data structure in the
Windows NT Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system. The first version of Win ...
operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its
MSDN Library Microsoft Developer Network (MSDN) was the division of Microsoft responsible for managing the firm's relationship with developers and testers, such as hardware developers interested in the operating system (OS), and software developers developing ...
documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole
process A process is a series or set of activities that interact to produce a result; it may occur once-only or be recurrent or periodic. Things called a process include: Business and management *Business process, activities that produce a specific se ...
, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide
mutual exclusion In computer science, mutual exclusion is a property of concurrency control, which is instituted for the purpose of preventing race conditions. It is the requirement that one thread of execution never enters a critical section while a concurrent ...
for process-wide data structures. The PEB is closely associated with the
kernel mode In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behavior (by providing computer security). Compute ...
EPROCESS data structure, as well as with per-process data structures managed within the address space of the Client-Server Runtime Sub-System process. However, (like the CSRSS data structures) the PEB is not a kernel mode data structure itself. It resides in the application mode address space of the process that it relates to. This is because it is designed to be used by the application-mode code in the operating system libraries, such as NTDLL, that executes outside of kernel mode, such as the code for the program image loader and the heap manager. In
WinDbg WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation ...
, the command that dumps the contents of a PEB is the !peb command, which is passed the address of the PEB within a process' application address space. That information, in turn, is obtained by the !process command, which displays the information from the EPROCESS data structure, one of whose fields is the address of the PEB. The contents of the PEB are initialized by the NtCreateUserProcess() system call, the
Native API The Native API is a lightweight application programming interface (API) used by Windows NT and user mode applications. This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavailable. Ther ...
function that implements part of, and underpins, the Win32 CreateProcess(), CreateProcessAsUser(), CreateProcessWithTokenW(), and CreateProcessWithLogonW() library functions that are in the kernel32.dll and advapi32.dll libraries as well as underpinning the fork() function in the Windows NT POSIX library, posix.dll. For Windows NT POSIX processes, the contents of a new process' PEB are initialized by NtCreateUserProcess() as simply a direct copy of the parent process' PEB, in line with how the fork() function operates. For Win32 processes, the initial contents of a new process' PEB are mainly taken from global variables maintained within the kernel. However, several fields may instead be taken from information provided within the process' image file, in particular information provided in the IMAGE_OPTIONAL_HEADER32 data structure within the PE file format (PE+ or PE32+ in 64 bit executable images). The
WineHQ Wine (formerly a recursive backronym for ''Wine Is Not an Emulator'', now just "Wine") is a free and open-source compatibility layer that aims to allow application software and computer games developed for Microsoft Windows to run on Unix-like ...
project provides a fuller PEB definition in its version of winternl.h. Later versions of Windows have adjusted the number and purpose of some fields.


References

{{cite book, title=Windows internals, series=Microsoft Press Series, author= Mark E. Russinovich, David A. Solomon, and Alex Ionescu, edition=5th, publisher=Microsoft Press, year=2009, isbn=9780735625303, pages=335–336,341–342,348,357–358


External links


PEB definitions for various Windows versions
Windows NT architecture Data structures by computing platform