Wednesday, October 14, 2015

Windows Networking Internals

The crux of the Windows networking subsystem is implemented in the form of device drivers, and this article assumes the reader is adequately acquainted with the fundamental concepts of Windows device drivers. If not, reading the article An Insight into the Windows device driver infrastructure is highly recommended.

It is said that any evolved whole is greater than the sum of its parts, and that no single thing can be fully understood in isolation from its extended context. This holds especially true for the implementation of networking in the Microsoft Windows operating system.

Several websites cover the fundamental concepts and theories of computer networking. Various websites, including the Microsoft TechNet and MSDN sites, also have in-depth coverage of the networking technologies used in the Microsoft Windows operating system. What an amateur techie finds lacking, however, is how the theories and the technologies converge to form the ecosystem of Windows networking.

The following is a bird's-eye view of how the conceptual whole of Windows networking, which is greater than the sum of its parts, is created from the technologies that build up the computer networking subsystem in the Microsoft Windows operating system.

Network Components

In Windows, networking is implemented by four primary types of network components, represented by their generic network device setup classes.

Network Component | Device Class | Class GUID                               | Description
Network Adapter   | Net          | {4D36E972-E325-11CE-BFC1-08002BE10318}   | A device that allows computers to communicate over a network.
Network Protocol  | NetTrans     | {4D36E975-E325-11CE-BFC1-08002BE10318}   | A set of rules that governs the communications between computers on a network.
Network Client    | NetClient    | {4D36E973-E325-11CE-BFC1-08002BE10318}   | Provides network services to the user applications.
Network Service   | NetService   | {4D36E974-E325-11CE-BFC1-08002BE10318}   | Provides some functionality for members or users of the network.

The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network enumerates the networking components installed on a computer under the subkeys of the respective network classes.

Network Adapter. A network adapter is a physical or a logical device that allows computers to communicate over a physical network such as a LAN or a virtual network such as a VPN. This network class includes NDIS miniport drivers (excluding Fast-IR miniport drivers) and NDIS intermediate drivers (which export virtual network adapters).

Network interface cards (NICs) are the physical devices by which computers connect to networks, e.g. Ethernet, wireless or infrared.

A few network adapters are purely software packages that simulate the functions of a network card. A virtual network adapter is a program (instead of a physical network adapter) that allows a computer to connect to a network. These so-called virtual adapters are especially common in virtual private networking (VPN), which is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual network adapter can also be used to connect all the computers on a local area network (LAN) to a larger network such as the Internet or a collection of LANs.

Network Protocol. Network protocols serve as a language of communication among computing devices; a network protocol facilitates device identification and data transfer. This class specifies a network protocol, such as TCP/IP, IPX, a connection-oriented client, or a connection-oriented call manager. It includes NDIS protocols, CoNDIS stand-alone call managers and CoNDIS clients, in addition to higher-level drivers in transport stacks. Examples of NetTrans components found on a Windows system:

  • Layer 2 Tunneling Protocol
  • NDIS Usermode I/O Protocol
  • Internet Protocol (TCP/IP)
  • Point to Point Protocol Over Ethernet
  • Remote Access NDIS WAN Driver
  • Message-oriented TCP/IP Protocol (SMB session)
  • Point to Point Tunneling Protocol
  • WINS Client (TCP/IP) Protocol

Network Client. NetClient components are considered to be network providers because they provide network services to user applications, such as the Microsoft Client for Networks or the NetWare Client. If a component also provides print services over the network, it is considered to be a print provider as well.

Network provider: A network provider is a DLL that supports a specific network protocol and enables the Windows operating system to interact with several types of networks without knowing their network-specific implementation details. The network provider wraps the network-specific functionality in a DLL, which exposes a standard interface to Windows. This enables it to interact with the Windows operating system to receive standard network requests, such as connection or disconnection requests. To handle these requests, the network provider then calls the network-specific API that is appropriate to the network protocol the network provider supports.

  • Webclient: Enables Windows-based programs to create, access, and modify Internet-based files.
  • LanmanWorkstation (Client for Microsoft Networks): Creates and maintains client network connections to remote servers.

Print provider: Print providers are responsible for directing print jobs to local or remote print devices. They are also responsible for print queue management operations, such as starting, stopping, and enumerating a server's print queues. Print providers define a high-level, machine-independent, operating system-independent view of a print server. Microsoft provides the following print providers with Windows 2000 and later:

  • Local print provider (Localspl.dll). Handles all print jobs directed to printers that are managed from the local server.
  • Windows network print provider (Win32spl.dll). Handles print jobs directed to remote Win32 (NT-based operating system or Windows for Workgroups) servers. When the job arrives at the remote server, it is passed to the server's local print provider.
  • Novell NetWare print provider (Nwprovau.dll). Handles print jobs directed to Novell NetWare print servers.
  • HTTP print provider (Inetpp.dll). Handles print jobs sent to a URL.

Network Service. A network service is a service hosted on a computer network that provides some functionality for members or users of the network. Network services are hosted by servers to provide shared resources to client computers. Examples of network services include Domain Name System (DNS), DHCP, NetBIOS, HTTP, e-mail, printing and network file sharing services.

Network Connections

The Network Connections service (Netman, {27AF75ED-20D9-11D1-B1CE-00805FC1270E}) manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

Network Connections Manager. You can use Connection Manager to connect to remote networks by using profiles configured and provided by your network administrator. Most of the required configuration that you need to connect is contained in the profile; you supply your network credentials. Connection Manager also supports virtual private network (VPN) connections over the Internet by using your broadband network connection or a dial-up modem. For dial-up users, the administrator can provide a phone book with a list of available numbers, allowing you to simply select the best phone number for your current location.

Connection manager classes registered for Network Connections:
  • LAN Connection Manager Class {BA126AD3-2166-11D1-B1D0-00805FC1270E}
  • WAN Connection Manager Class {BA126AD5-2166-11D1-B1D0-00805FC1270E}
  • Inbound Connection Manager Class {BA126ADD-2166-11D1-B1D0-00805FC1270E}
  • Shared Access Connection Manager Class {BA126AE0-2166-11D1-B1D0-00805FC1270E}
  • Network Connections folder: the virtual folder that represents Network Connections, which contains network and dial-up connections.
  • NWLink Configuration Notify Object (netcfgx.dll)

Correlation with OSI model

In comparison to the seven-layer OSI model of computer networking, in the Windows operating system the functionality of the Logical Link Control (LLC) sublayer, which is the upper sublayer of the OSI data link layer (layer 2), is implemented through the Network Driver Interface Specification (NDIS). NDIS therefore acts as the interface between the Media Access Control (MAC) sublayer, which is the lower sublayer of the data link layer, and the network layer (layer 3).

NDIS specifies a standard interface between kernel-mode network drivers and the operating system. NDIS also specifies a standard interface between layered network drivers, thereby abstracting lower-level drivers that manage hardware from upper-level drivers, such as network transports. NDIS also maintains state information and parameters for network drivers, including pointers to functions, handles, and parameter blocks for linkage, and other system values.

NDIS Driver Model

NDIS supports the following primary types of network drivers:

A miniport driver is a driver that connects hardware devices to the protocol stack. The miniport driver is connected to an intermediate or protocol driver and a hardware device. A miniport driver handles the hardware-specific operations necessary to manage a network adapter or other hardware device.

Intermediate drivers are typically layered between miniport drivers and transport protocol drivers in the network protocol stack. Intermediate drivers are used to translate between different network media and balance packet transmission across more than one NIC. A load balancing driver exposes one virtual adapter to overlying transport protocols and distributes send packets across more than one NIC.

Filter drivers perform special operations (such as compression, encryption and tracing) on packets being transported through them.

A protocol driver, which is the highest driver in the NDIS hierarchy of drivers, is often used as the lowest-level driver in a transport driver that implements a transport protocol stack, such as a TCP/IP stack. At its lower edge, a protocol driver interfaces with intermediate network drivers and miniport drivers. At its upper edge, a transport protocol driver has a private interface to a higher-level driver in the protocol stack.

A transport protocol driver allocates packets, copies data from the sending application into the packet, and sends the packets to the lower-level driver by calling NDIS functions. A protocol driver also provides a protocol interface to receive incoming packets from the next lower-level driver, and transfers the received data to the appropriate client application.

NDIS refers to the instances of these drivers as follows:
  • A miniport adapter is an adapter instance of an NDIS miniport driver or intermediate driver.
  • A filter module is an instance of a filter driver.
  • A protocol binding is a binding instance of a protocol driver. A protocol binding binds an NDIS protocol driver to a miniport adapter.

To support the management information base (MIB), NDIS manages a collection of network interface information for the local computer. NDIS interface providers provide information about some network interfaces to NDIS. NDIS provides a proxy interface provider that registers interfaces and handles interface provider requests for miniport adapters and filter modules. Therefore, no NDIS drivers are required to be network interface providers.

However, all NDIS network driver types can register as interface providers. Such drivers register network interfaces and provide callback functions to respond to interface OID requests. NDIS interface providers typically provide information about interfaces that are not directly accessible to NDIS and are not supported by the NDIS proxy interface provider. For example, a MUX intermediate driver can have internal interfaces between its virtual miniports and underlying adapters.

For each network component that it installs, a network INF file must specify the upper and lower binding interfaces for the component by adding the Interfaces key to the Ndi key.

The Interfaces key has at least two values:
  • UpperRange: A REG_SZ value that defines the interfaces to which the component can bind at its top edge.
  • LowerRange: A REG_SZ value that defines the interfaces to which the component can bind at its lower edge. For physical adapters, this interface should always be the network media, such as Ethernet, to which the adapter connects.

Network Class Installer

Network components are installed by the network class installer. A class installer is a dynamic-link library (DLL) that installs, configures, or removes devices of a particular class in the system. If the network class installer does not provide all the features that a vendor requires, a vendor can customize the installation process by writing a device co-installer. Each network component must have an information (INF) file that the network class installer uses to install the component.

A vendor supplies one or more drivers for the device, which typically consist of a driver image (.sys) file and a driver library (.dll) file. A vendor may also supply an optional driver catalog file. A vendor obtains a digital signature by submitting its driver package to the Windows Hardware Quality Lab (WHQL) for testing and signing; WHQL returns the package with a catalog (.cat) file. The vendor must list the catalog file in the INF file for the device.

A software component, such as a network protocol, client, or service, can have a notify object. A notify object can display a user interface, notify the component of binding events so that the component can exercise some control over the binding process, and conditionally install or remove software components. A network adapter cannot have a notify object, but it can have co-installers.

The hw-id (also known as the device, hardware, or component ID) for a network adapter must match the hardware ID supplied by the adapter to the PnP manager. The hw-id for a network software component should consist of a provider name, followed by an underscore, and a manufacturer name or the product name.

Each DDInstall section in a network INF file must have a Characteristics entry that specifies one or more of the following values:

Hex value | Name                            | Description
0x1       | NCF_VIRTUAL                     | Component is a virtual adapter. The device is not on a physical bus, such as the PCI bus or USB, but is on the root bus.
0x2       | NCF_SOFTWARE_ENUMERATED         | Component is a software-enumerated adapter.
0x4       | NCF_PHYSICAL                    | Component is a physical adapter that the driver communicates with directly (for example, through the PCI bus) or indirectly (for example, through USB).
0x8       | NCF_HIDDEN                      | Component should not be shown in any user interface.
0x10      | NCF_NO_SERVICE                  | Component does not have an associated service (device driver).
0x20      | NCF_NOT_USER_REMOVABLE          | Component cannot be removed by the user (for example, through Control Panel or Device Manager).
0x40      | NCF_MULTIPORT_INSTANCED_ADAPTER | Component has multiple ports, each of which is installed as a separate device. Each port has its own hw-id (component ID) and can be individually installed. This is applicable only to EISA adapters. Windows XP and later operating systems do not support EISA adapters.
0x80      | NCF_HAS_UI                      | Component supports a user interface (for example, the Advanced page or a custom properties sheet).
0x400     | NCF_FILTER                      | Component is a filter.
0x4000    | NCF_NDIS_PROTOCOL               | Component requires the unload event that is provided by the binding engine to the NetTrans device setup class (typically used by filter intermediate drivers, which use the NetService device setup class).
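As an added example (not part of the article and not Microsoft's code) tying the Network Components table and the Control\Network registry key to the Interfaces key and the Characteristics flags, the following PowerShell script walks the four setup classes and decodes each installed component's Characteristics value. The registry layout it reads beyond what the page names (the ComponentId, Service and Connection\Name values, and the Characteristics value's location under each component key) is an assumption, and the function names are this example's own.

```powershell
# Added example (not from the original article): inventory the components registered
# under the four network device setup classes and decode their NCF_* Characteristics.
# Assumed registry layout (not stated on the page): each component is a sub key of
# Control\Network\<ClassGUID> whose (default) value is its display name and which may
# carry ComponentId and Characteristics values plus an Ndi sub key with Service and
# Interfaces\UpperRange / Interfaces\LowerRange; adapters keep their friendly name in
# Connection\Name. Missing keys or values are reported as empty, not as errors.

$NetworkRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network'

# Class GUIDs as listed in the Network Components table.
$SetupClasses = [ordered]@{
    '{4D36E972-E325-11CE-BFC1-08002BE10318}' = 'Net'
    '{4D36E975-E325-11CE-BFC1-08002BE10318}' = 'NetTrans'
    '{4D36E973-E325-11CE-BFC1-08002BE10318}' = 'NetClient'
    '{4D36E974-E325-11CE-BFC1-08002BE10318}' = 'NetService'
}

# NCF_* bit values from the Characteristics table.
$NcfFlags = [ordered]@{
    0x1 = 'NCF_VIRTUAL'; 0x2 = 'NCF_SOFTWARE_ENUMERATED'; 0x4 = 'NCF_PHYSICAL'
    0x8 = 'NCF_HIDDEN';  0x10 = 'NCF_NO_SERVICE';         0x20 = 'NCF_NOT_USER_REMOVABLE'
    0x40 = 'NCF_MULTIPORT_INSTANCED_ADAPTER'; 0x80 = 'NCF_HAS_UI'
    0x400 = 'NCF_FILTER'; 0x4000 = 'NCF_NDIS_PROTOCOL'
}

function ConvertTo-NcfFlagList {
    # Decode a Characteristics DWORD into NCF_* names; bits the table does not cover are kept as hex.
    param([Parameter(Mandatory)][int64]$Characteristics)
    $names = @(foreach ($bit in $NcfFlags.Keys) {
        if (($Characteristics -band $bit) -ne 0) { $NcfFlags[$bit] }
    })
    $known = 0; foreach ($bit in $NcfFlags.Keys) { $known = $known -bor $bit }
    $unknown = $Characteristics -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('0x{0:X}' -f $unknown) }
    return ($names -join '|')
}

function Get-RegValue {
    # Return a named value from a key, or $null when the key or the value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-NetworkComponentInventory {
    foreach ($classGuid in $SetupClasses.Keys) {
        $classKey = "$NetworkRoot\$classGuid"
        if (-not (Test-Path -LiteralPath $classKey)) { continue }
        # Component instances are the GUID-named sub keys of the class key.
        foreach ($inst in Get-ChildItem -LiteralPath $classKey -ErrorAction SilentlyContinue |
                          Where-Object PSChildName -like '{*}') {
            $key   = "$classKey\$($inst.PSChildName)"
            $chars = Get-RegValue $key 'Characteristics'
            $name  = Get-RegValue $key '(default)'
            if (-not $name) { $name = Get-RegValue "$key\Connection" 'Name' }   # adapters (assumed)
            [pscustomobject]@{
                Class           = $SetupClasses[$classGuid]
                Instance        = $inst.PSChildName
                Name            = $name
                ComponentId     = Get-RegValue $key 'ComponentId'
                Service         = Get-RegValue "$key\Ndi" 'Service'
                UpperRange      = Get-RegValue "$key\Ndi\Interfaces" 'UpperRange'
                LowerRange      = Get-RegValue "$key\Ndi\Interfaces" 'LowerRange'
                Characteristics = if ($null -ne $chars) { ConvertTo-NcfFlagList $chars } else { $null }
            }
        }
    }
}

# NetService/NetTrans components sit in the path of every packet: compare the NCF_FILTER
# entries and their UpperRange/LowerRange bindings against the software you expect installed.
Get-NetworkComponentInventory | Sort-Object Class, Name |
    Format-Table Class, Name, ComponentId, Service, UpperRange, LowerRange, Characteristics -AutoSize
```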


Address Resolution Protocol (ARP) is a required TCP/IP standard defined in RFC 826, which resolves the IP addresses used by TCP/IP-based software to the media access control addresses used by LAN hardware. ARP provides the following services to hosts located on the same physical network.

Media access control addresses are obtained by using a network broadcast request. When an ARP request is answered, both the sender of the ARP reply and the original ARP requester record each other's IP address and media access control address as an entry in a local table called the ARP cache, for future reference. The ARP cache contains one or more tables that are used to store IP addresses and their resolved Ethernet physical addresses. There is a separate ARP cache for each network adapter. The ARP cache can contain both dynamic and static entries. Static entries are useful for hosts that are frequently used and remain in the cache until the computer is restarted. Dynamic entries are added and removed automatically over time.

IP to MAC address resolution process

When both the source and destination hosts are located on the same physical network, IP determines, based on the contents of the routing table on Host A, the forwarding IP address to be used to reach Host B. Host A then checks its own local ARP cache for a matching hardware address for Host B. If Host A finds no mapping in the cache, it broadcasts an ARP request frame to all hosts on the local network; the frame contains both the IP and the MAC address of Host A. Each host on the local network receives the ARP request and checks for a match to its own IP address. Host B sends an ARP reply message containing its hardware address directly back to Host A, and also adds a hardware/software address mapping for Host A to its local ARP cache. When Host A receives the ARP reply message from Host B, it updates its ARP cache with a hardware/software address mapping for Host B.

When the source and destination hosts are located on different physical networks, ARP resolves the media access control address of the default gateway on the local network from its IP address. The router then forwards the traffic to Host B through the same ARP process.
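To make the two cases concrete, here is an added PowerShell example (not from the original article) that walks the same steps, next-hop selection from a routing table and then a per-adapter ARP cache lookup, over a constructed routing table and ARP cache. The function names Resolve-NextHop and ConvertTo-IpInt and all addresses are this example's own.

```powershell
# Added example (not from the original article): the IP-to-MAC resolution decision
# described above, over constructed data. Host A is 192.168.1.10 on adapter 'Ethernet'.

function ConvertTo-IpInt {
    # Dotted-quad IPv4 string to an integer (Int64 so bit operations never go negative).
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    return [int64]($b[0]) * 16777216 + [int64]($b[1]) * 65536 + [int64]($b[2]) * 256 + [int64]($b[3])
}

# Constructed routing table. A $null gateway means the route is on-link (same physical network).
$RoutingTable = @(
    [pscustomobject]@{ Destination = '0.0.0.0';     Netmask = '0.0.0.0';       Gateway = '192.168.1.1'; Interface = 'Ethernet' }
    [pscustomobject]@{ Destination = '192.168.1.0'; Netmask = '255.255.255.0'; Gateway = $null;         Interface = 'Ethernet' }
)

# Constructed ARP cache, one table per adapter, with a static entry for the gateway.
$ArpCache = @{
    'Ethernet' = @(
        [pscustomobject]@{ IPAddress = '192.168.1.1';  MacAddress = '00-11-22-33-44-01'; Static = $true  }
        [pscustomobject]@{ IPAddress = '192.168.1.20'; MacAddress = '00-11-22-33-44-20'; Static = $false }
    )
}

function Resolve-NextHop {
    param([Parameter(Mandatory)][string]$Destination, $Routes = $RoutingTable, $Cache = $ArpCache)
    $dst = ConvertTo-IpInt $Destination

    # Step 1: IP consults the routing table; the most specific matching route wins.
    $route = $Routes |
        Where-Object { ($dst -band (ConvertTo-IpInt $_.Netmask)) -eq (ConvertTo-IpInt $_.Destination) } |
        Sort-Object { ConvertTo-IpInt $_.Netmask } -Descending |
        Select-Object -First 1
    if (-not $route) { return [pscustomobject]@{ Destination = $Destination; Result = 'No route' } }

    # Step 2: on-link destinations are resolved directly; anything else resolves the gateway.
    $arpTarget = if ($route.Gateway) { $route.Gateway } else { $Destination }

    # Step 3: check the adapter's own ARP cache before broadcasting an ARP request.
    $entry  = $Cache[$route.Interface] | Where-Object IPAddress -eq $arpTarget
    $result = if ($entry) {
        $kind = if ($entry.Static) { 'static' } else { 'dynamic' }
        "Cache hit ($kind entry): $($entry.MacAddress)"
    } else {
        "Cache miss: broadcast ARP request for $arpTarget on $($route.Interface)"
    }
    [pscustomobject]@{ Destination = $Destination; ArpTarget = $arpTarget; Interface = $route.Interface; Result = $result }
}

# Three cases: same subnet and cached, same subnet and not cached, off-subnet via the default gateway.
'192.168.1.20', '192.168.1.30', '8.8.8.8' | ForEach-Object { Resolve-NextHop $_ } | Format-Table -AutoSize
```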


Domain Name System (DNS) is a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names by resolving the name to other information associated with the name, such as an IP address.

A name query begins at a client computer and is passed to a resolver, the DNS Client service, for resolution. If the queried name can be resolved locally, the query is answered and the process is completed. The local resolver cache can include name information obtained from a locally configured Hosts file. Resource records obtained in answered responses from previous DNS queries are added to the cache and kept for a period of time (the Time to Live). If the query does not match an entry in the cache, the resolution process continues with the client querying the preferred DNS server to resolve the name. If no preferred DNS servers are available, alternate DNS servers are used.

The DNS server first checks whether it can answer the query authoritatively, based on resource record information contained in a locally configured zone on the server; if no zone information exists for the queried name, it uses locally cached information from previous queries. Otherwise, the DNS server tries to resolve the name with the help of other DNS servers: either directly through the servers that are authoritative for the root of the DNS domain namespace tree (the root hints), or through a specific DNS server on the network designated as a forwarder.

A DNS database consists of one or more zone files used by the DNS server; each zone file is a collection of structured resource records.

Host address (A) record. Maps a DNS domain name to a single 32-bit IP version 4 address. (RFC 1035)

Alias record. Indicates an alternate or alias DNS domain name for a name already specified in other resource record types used in this zone. The record is also known as the canonical name (CNAME) record type. (RFC 1035)

Host address (AAAA) record for IPv6 hosts. Maps a DNS domain name to a single 128-bit IPv6 address. (RFC 1886)

Mail exchanger (MX) record. Provides message routing to a specified mail exchange host that is acting as a mail exchanger for a specified DNS domain name.

Pointer (PTR) record. Points to a location in the domain name space. PTR records are typically used in special domains to perform reverse lookups of address-to-name mappings. Each record provides simple data that points to some other location in the domain name space (usually a forward lookup zone). Where PTR records are used, no additional section processing is implied or caused by their presence. (RFC 1035)

By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) and pointer (PTR) resource records (RRs) for the IP addresses configured and used by their installed network connections. By default, all computers register records based on their fully qualified domain name (FQDN), which is generated by appending the location of the host in the domain namespace tree, called the primary DNS suffix, to its host name.

Service Display Name: DNS Client

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
ServiceDll: %SystemRoot%\System32\dnsrslvr.dll

Resolves and caches Domain Name System (DNS) names for this computer.


Dynamic Host Configuration Protocol (DHCP) is an IP standard for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your network.

The server database includes the following:
  • Valid configuration parameters for all clients on the network.
  • Valid IP addresses maintained in a pool for assignment to clients, plus reserved addresses for manual assignment.
  • Duration of a lease offered by the server. The lease defines the length of time for which the assigned IP address can be used.

With a DHCP server installed and configured on your network, DHCP-enabled clients can obtain their IP address and related configuration parameters dynamically each time they start and join your network. DHCP servers provide this configuration in the form of an address-lease offer to requesting clients.

Each DHCP server maintains a scope: the full consecutive range of possible IP addresses for a network. Pooled addresses are eligible for dynamic assignment by the server to DHCP clients on your network. Scopes also provide the primary way for the server to manage the distribution and assignment of IP addresses and any related configuration parameters to clients on the network. The client computer can use an assigned IP address for a period of time, called the lease, specified on the DHCP server. Before the lease expires, the client typically needs to renew its address lease assignment with the server. A lease becomes inactive when it expires or is deleted at the server. The duration of a lease determines when it will expire and how often the client needs to renew it with the server. You use a reservation to create a permanent address lease assignment by the DHCP server. Reservations assure that a specified hardware device on the subnet can always use the same IP address.

Service Display Name: DHCP Client

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
ServiceDll: %SystemRoot%\System32\dhcpcsvc.dll
Depends on: AFD Networking Support Environment

Computer Browser

The browser service maintains a list of the domain name or workgroup name the computer is in, and the protocol being used for each computer on the network segment being served by the computer running the browser service. On each network segment, a master browser is elected from the group of computers located on the segment that are running the browser service. The primary function of the browser service is to provide a list of computers sharing resources in a client's domain along with a list of other domain and workgroup names across the wide-area network (WAN).

The master browser is responsible for collecting host or server announcements, which are sent as datagrams every 12 minutes by each server on the network segment of the master browser. The master browser instructs the potential browsers for each network segment to become backup browsers. The backup browser on a given network segment provides a browse list to the client computers located in the same segment. On a given network segment, there is only one master browser. All domain controllers other than the PDC are designated as backup browsers. Additionally, one backup browser is allocated for every 32 computers on the network segment.

In pure Active Directory environments, Active Directory itself can display information about available network resources. In versions of Windows that support the Computer Browser service, the operating system assigns tasks to specific computers on the network to provide browse services. Any networked computer that can collect, maintain, and distribute a browse list can be a browse server. Computers that are designated as browse servers work together to provide a centralized browse list, which contains a list of all known domains, workgroups, and the set of file servers in the domain to which the computer belongs.

Browse clients on the network access the browse list when users want to view the list of workgroups and domains or the list of servers in a workgroup or domain. When an individual server starts, it announces its presence by sending a broadcast datagram called a host announcement on the subnet. The announcement is received by a master browse server for the workgroup or domain. When the master browse server receives a host announcement from a computer, it adds that computer to the browse list.

Service Display Name: Computer Browser

Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained.

ImagePath: C:\WINDOWS\system32\svchost.exe -k netsvcs
ServiceDll: %SystemRoot%\System32\browser.dll
