Job Objects

Previous page
Table of content
Next page
[Previous] [Next]

A job object is a nameable, securable, shareable kernel object that allows control of one or more processes as a group. A job object's basic function is to allow groups of processes to be managed and manipulated as a unit. A process can be a member of only one job object. By default, its association with the job object can't be broken and all processes created by the process and its descendents are associated with the same job object as well. The job object also records basic accounting information for all processes associated with the job and for all processes that were associated with the job but have since terminated. Table 6-20 lists the Win32 functions to create and manipulate job objects.

Table 6-20 Win32 API Functions for Jobs

Function Description
CreateJobObject Creates a job object (with an optional name)
OpenJobObject Opens an existing job object by name
AssignProcessToJobObject Adds a process to a job
TerminateJobObject Terminates all processes in a job
SetInformationJobObject Sets limits
QueryInformationJobObject Retrieves information about the job, such as CPU time, page fault count, number of processes, list of process IDs, quotas or limits, and security limits

The following are some of the CPU-related and memory-related limits you can specify for a job:

  • Maximum number of active processes Limits the number of concurrently executing processes in the job.

  • Jobwide user-mode CPU time limit Limits the maximum amount of user-mode CPU time that the processes in the job can consume (including processes that have run and exited). Once this limit is reached, by default all the processes in the job will be terminated with an error code and no new processes can be created in the job (unless the limit is reset). The job object is signaled, so any threads waiting on the job will be released. You can change this default behavior with a call to EndOfJobTimeAction.

  • Per-process user-mode CPU time limit Allows each process in the job to accumulate only a fixed maximum amount of user-mode CPU time. When the maximum is reached, the process terminates (with no chance to clean up).

  • Job scheduling class Sets the length of the time slice (or quantum) for threads in processes in the job. This setting applies only on systems running with long, fixed quantums (the default for Windows 2000 Server). The value of the job-scheduling class determines the quantum as shown here:

    • Scheduling Class Quantum Units
    0 6
    1 12
    2 18
    3 24
    4 30
    5 36
    6 42
    7 48
    8 54
    9 Infinite if real-time; 60 otherwise

  • Job processor affinity Sets the processor affinity mask for each process in the job. (Individual threads can alter their affinity to any subset of the job affinity, but processes can't alter their process affinity setting.)

  • Job process priority class Sets the priority class for each process in the job. Threads can't increase their priority relative to the class (as they normally can). Attempts to increase thread priority are ignored. (No error is returned on calls to SetThreadPriority, but the increase doesn't occur.)

  • Default working set minimum and maximum Defines the specified working set minimum and maximum for each process in the job. (This setting isn't jobwide—each process has its own working set with the same minimum and maximum values.)

  • Process and job committed virtual memory limit Defines the maximum amount of storage that can be committed by either a single process or the entire job.

Jobs can also be set to queue an entry to an I/O completion port object, which other threads might be waiting on with the Win32 GetQueuedCompletionStatus function.

You can also place security limits on processes in a job. You can set a job such that each process runs under the same jobwide access token. You can then create a job to restrict processes from impersonating or creating processes that have access tokens that contain the local administrator's group. In addition, you can apply security filters such that when threads in processes contained in a job impersonate client threads, certain privileges and security IDs (SIDs) can be eliminated from the impersonation token.

Finally, you can also place user interface limits on processes in a job. Such limits include being able to restrict processes from opening handles to windows owned by threads outside the job, reading and/or writing to the clipboard, and changing the many user interface system parameters via the Win32 SystemParametersInfo function.

Windows 2000 Datacenter Server has a tool called the Process Control Manager that allows an administrator to define job objects, the various quotas and limits that can be specified for a job, and which processes, if run, should be added to the job. A service component monitors process activity and adds the specified processes to the jobs.

EXPERIMENT
Viewing the Job Object

You can view named job objects with the Performance tool. (See the Job Object and Job Object Details performance objects.) To view unnamed job objects, you must use the kernel debugger !job command. Follow these steps to create and view an unnamed job object:

  1. From the command prompt, use the runas command to create a process running the command prompt (Cmd.exe). For example, type runas /user:<domain>\< username> cmd. You'll be prompted for your password. Enter your password, and a command prompt window will appear. The service behind the runas command creates an unnamed job to contain all processes (so that it can terminate these processes at logoff time).

  2. From the kernel debugger (such as LiveKd), display the process list with !process and find the recently created process running Cmd.exe. Then display the process block by using !process <process ID>, find the address of the job object, and finally display the job object with the !job command.

Here's some partial debugger output from the command sequence described in step 2:

 kd> !process 0 8 **** NT ACTIVE PROCESS DUMP ****  PROCESS 84eab6d0 SessionId: 0 Cid: 0478 Peb: 7ffdf000 ParentCid: 0240 DirBase: 03834000 ObjectTable: 8097ef88 TableSize: 42. Image: livekd.exe PROCESS 857e0d70 SessionId: 0 Cid: 0550 Peb: 7ffdf000 ParentCid: 00dc DirBase: 05337000 ObjectTable: 82273ac8 TableSize: 22. Image: cmd.exe PROCESS 83390710 SessionId: 0 Cid: 0100 Peb: 7ffdf000 ParentCid: 0478 DirBase: 05b3b000 ObjectTable: 81bb7e08 TableSize: 34. Image: i386kd.exe kd> !process 550 Searching for Process with Cid == 550 PROCESS 857e0d70 SessionId: 0 Cid: 0550 Peb: 7ffdf000 ParentCid: 00dc DirBase: 05337000 ObjectTable: 82273ac8 TableSize: 22. Image: cmd.exe  Job 85870970  kd> !job 85870970 7 Job at 85870970 TotalPageFaultCount 0 TotalProcesses 1 ActiveProcesses 1 TotalTerminatedProcesses 0 LimitFlags 0 MinimumWorkingSetSize 0 MaximumWorkingSetSize 0 ActiveProcessLimit 0 PriorityClass 0 UIRestrictionsClass 0 SecurityLimitFlags 0 Token 0 Processes assigned to this job: PROCESS 857e0d70 SessionId: 0 Cid: 0550 Peb: 7ffdf000 ParentCid: 00dc DirBase: 05337000 ObjectTable: 82273ac8 TableSize: 22. Image: cmd.exe


Previous page
Table of content
Next page
Inside Microsoft Windows 2000
Inside Microsoft Windows 2000, Third Edition (Microsoft Programming Series)
ISBN: 0735610215
EAN: 2147483647
Year: 2000
Pages: 121
Authors: David A. Solomon, Mark E. Russinovich
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
The CISSP and CAP Prep Guide: Platinum Edition
Building Web Applications with UML (2nd Edition)
An Introduction to Design Patterns in C++ with Qt 4
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Microsoft Office Visio 2007 Step by Step (Step By Step (Microsoft))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy