OS Internals — Processes: Theory & Practice 2-Hour Lecture Plan | Windows & Linux
OPERATING SYSTEMS
PROCESSES — THEORY & PRACTICE
2-Hour Lecture Plan | Windows & Linux | Sysinternals · WinDbg · procfs · strace
📋 Lecture Overview
Duration: 120 minutes (4 × 25-min segments + 2 × 5-min breaks)
Level: Intermediate — students know basic OS concepts
Goal: Deep understanding of process lifecycle, structure, and debugging on both Windows and Linux
Windows Tools: Task Manager, Process Explorer, Process Monitor, WinDbg, ProcDump, Handle, VMMap
Linux Tools: ps, top, htop, /proc, pstree, strace, lsof, gdb, perf, systemd-cgtop
Prerequisites: Basic C/C++ knowledge, comfort with CLI, VM or dual-boot environment recommended
Deliverables: Working demo scripts (Windows + Linux), lab worksheet, cheat-sheet handout
⏱ SEGMENT 1 | 0:00 – 0:25 | Process Fundamentals
🧠 Segment 1: What Is a Process? (25 min)
1.1 Lecture — Core Concepts (10 min)
A process is a program in execution — an active entity with its own virtual address space, handles/file descriptors,
security context, and at least one thread of execution.
Key Components of a Process
Component | Windows | Linux
Address Space | Virtual address space (user 0-7FFF... / kernel) | Virtual memory map (text, data, heap, stack, mmap)
Identifier | PID (Process ID) + parent PID | PID + PPID (parent PID)
Security Context | Token (SID, privileges, integrity level) | UID, GID, capabilities, namespaces
Resources | Handles (files, registry, events, mutexes) | File descriptors, sockets, pipes
Execution | Threads (minimum 1 main thread) | Tasks/threads (clone() / pthread)
State | Running, Ready, Waiting, Suspended, Terminated | Running (R), Sleeping (S/D), Stopped (T), Zombie (Z)
Tools: Process Explorer · Process Monitor · WinDbg · procfs · strace · gdb
Process Lifecycle — Both Platforms
Phase | Windows API | Linux Syscall
Creation | CreateProcess() / NtCreateProcess() | fork() + exec() / clone()
Ready | THREAD_STATE: Ready (scheduler queue) | State: R — in run queue
Running | THREAD_STATE: Running (CPU assigned) | State: R — on CPU
Waiting | THREAD_STATE: Waiting (I/O, sync) | State: S (interruptible) / D (uninterruptible)
Termination | ExitProcess() / TerminateProcess() | exit() / kill() SIGKILL
Zombie | Object stays until handle count → 0 | Zombie until parent calls wait()
1.2 DEMO — Observing Processes (10 min)
🪟 Windows Demo
• Open Task Manager (Ctrl+Shift+Esc) → Details tab → observe PID, CPU, Memory, Status columns
• Launch Process Explorer (Sysinternals) — note tree view showing parent-child relationships
• Right-click any process → Properties → show Image, Performance, Threads, TCP/IP, Security tabs
• Click a process → lower pane shows DLLs or Handles (toggle View → Lower Pane)
# PowerShell: enumerate processes with parent PID
Get-Process | Select-Object Name, Id, @{N='ParentPID';E={(gwmi Win32_Process -Filter "ProcessId=$($_.Id)").ParentProcessId}} | Sort Id | Format-Table -AutoSize
# WMI deep-dive
Get-WmiObject Win32_Process | Select Name,ProcessId,ParentProcessId,CommandLine | Out-GridView
🐧 Linux Demo
• Run: ps aux — show all processes with USER, PID, %CPU, %MEM, STAT, COMMAND
• Run: pstree -p — visualize parent-child hierarchy
• Run: ls /proc — every directory is a PID; explore /proc/self
# Show process tree with PIDs
pstree -p $$
# Inspect current shell process
ls /proc/$$/
cat /proc/$$/status # human-readable attributes
cat /proc/$$/cmdline | tr '\0' ' ' # command line
cat /proc/$$/maps # virtual memory map
1.3 Knowledge Check Q&A (5 min)
• What is the difference between a program and a process?
• On Linux, what syscall creates a new process? What does it return to parent vs child?
• What are zombie processes, and what problem do they cause if they are never reaped?
• Where does Windows store process information accessible from user space?
☕ 5-MINUTE BREAK (0:25 – 0:30)
⏱ SEGMENT 2 | 0:30 – 0:55 | Process Internals & Memory
🔬 Segment 2: Inside a Process — Memory & Handles (25 min)
2.1 Lecture — Virtual Address Space (8 min)
Every process runs in its own virtual address space. The OS maps virtual addresses to physical RAM using page
tables managed by the CPU MMU. This provides isolation and allows each process to believe it owns all memory.
Region | Windows (64-bit) | Linux (64-bit)
Null / Reserved | 0x0000000000000000 | 0x0 – unmapped (SIGSEGV on access)
Text (code) | PE sections: .text, .rdata | ELF: .text segment (r-x)
Data / BSS | .data, .bss sections | ELF: .data, .bss (rw-)
Heap | Private heap (HeapAlloc/VirtualAlloc) | Grows via brk() / mmap()
Stack (main) | Default 1 MB; grows down | Default 8 MB; grows down
DLLs / shared libs | DLL mapped into VA space | .so files mapped via mmap()
Kernel space | Upper half (not accessible) | Upper half (not accessible, vsyscall/vdso)
2.2 DEMO — Memory Analysis (12 min)
🪟 Windows: VMMap & WinDbg
• Open VMMap (Sysinternals) → select target process → color-coded regions: Private Data, Image, Mapped, Stack, Heap
• Note: committed vs. reserved pages; working set vs. private bytes
# WinDbg: attach to a process (run as Admin)
[Link] -p <PID>
# Inside WinDbg — explore address space ($$ starts a comment in WinDbg's own syntax)
!address -summary      $$ summary of all VA regions
!address               $$ full region map
!peb                   $$ Process Environment Block
dt ntdll!_PEB @$peb    $$ dump PEB structure
# View loaded modules
lm                     $$ list modules
!dlls                  $$ DLL list with load addresses
# Inspect heap
!heap -s               $$ heap summary
!heap -a <heap_handle> $$ detailed heap blocks
🐧 Linux: /proc/maps & pmap
# Inspect memory map of any process
cat /proc/<PID>/maps
# or use pmap for a cleaner view
pmap -x <PID>
# Example output columns: Address Kbytes RSS Dirty Mode Mapping
# smaps gives per-region RSS, PSS, Shared stats
cat /proc/<PID>/smaps | head -60
# Find highest memory consumers
grep -i 'VmRSS\|VmSize' /proc/*/status 2>/dev/null | sort -t: -k3 -n | tail -20
2.3 DEMO — Handles & File Descriptors (5 min)
🪟 [Link] + Process Explorer
# List all handles for a process (Sysinternals Handle)
[Link] -p <PID>
[Link] -p notepad
# Identify which process has a file locked
[Link] C:\path\to\locked_file.txt
🐧 /proc/fd & lsof
# List file descriptors for a process
ls -la /proc/<PID>/fd
# lsof: list open files
lsof -p <PID>
# Find which process is using a file
lsof /path/to/file
# Find process listening on a port
lsof -i :8080
ss -tulnp | grep 8080
☕ 5-MINUTE BREAK (0:55 – 1:00)
⏱ SEGMENT 3 | 1:00 – 1:30 | Monitoring, Tracing & Debugging
🔭 Segment 3: Process Monitoring & Tracing (30 min)
3.1 Process Monitoring — Behavioral Analysis (10 min)
🪟 Process Monitor (ProcMon)
Process Monitor captures real-time file system, registry, network, and process activity with full call stacks. Ideal for
malware analysis, application debugging, and understanding OS internals.
# Launch ProcMon — immediately starts capturing
[Link]
# Key Filter Tips (Filter → Filter...)
# Process Name is [Link] → Include
# Operation is WriteFile → Include
# Result is ACCESS DENIED → Include
# Exercise: capture Notepad saving a file
# 1. Clear capture (Ctrl+X)
# 2. Open Notepad, type text, File → Save
# 3. Stop capture (Ctrl+E)
# 4. Filter: Process Name = [Link]
# 5. Observe: CreateFile → WriteFile → CloseFile sequence
🐧 strace — System Call Tracer
# Trace all syscalls of a command
strace ls /tmp
# Trace a running process by PID
strace -p <PID>
# Trace specific syscalls only (e.g., file-related)
strace -e trace=openat,read,write,close ls /tmp
# Count syscalls with timing
strace -c ls /tmp
# Follow child processes (fork)
strace -f -e trace=process bash -c 'ls; ps'
# Save to file for analysis
strace -o /tmp/[Link] -p <PID>
3.2 Live Debugging with WinDbg (10 min)
WinDbg is Microsoft's primary debugger for both user-mode and kernel-mode debugging. It understands Windows
data structures natively through the !analyze and dt commands.
# ── LIVE PROCESS DEBUGGING ──────────────────────────────
# Attach to running process
[Link] -p <PID>
# Or launch and debug from start
[Link] [Link]
# Inside WinDbg ($$ starts a comment in the debugger's own syntax):
g                        $$ Go (continue execution)
~                        $$ List all threads
~0s                      $$ Switch to thread 0
k                        $$ Stack trace (current thread)
~*k                      $$ Stack traces of ALL threads
# Inspect process structures
!process 0 0             $$ list all processes (kernel-mode debugging context)
!process <EPROCESS> 7    $$ full detail on one process
# Breakpoints
bp kernel32!CreateFileW  $$ break on CreateFileW
bl                       $$ list breakpoints
bc 0                     $$ clear breakpoint 0
# Crash dump analysis
windbg -z C:\dumps\[Link]
!analyze -v              $$ auto-analyze crash
3.3 Linux Debugging with gdb & perf (10 min)
# ── GDB PROCESS DEBUGGING ───────────────────────────────
# Attach to running process
gdb -p <PID>
# Or debug from launch
gdb ./my_program
(gdb) run arg1 arg2
# Inside gdb (# is gdb's own comment character):
(gdb) info proc           # show process info
(gdb) info threads        # list all threads
(gdb) thread 2            # switch to thread 2
(gdb) bt                  # backtrace (call stack)
(gdb) frame 3             # inspect specific frame
# Breakpoints
(gdb) break main          # break at main()
(gdb) break *0x400560     # break at address
(gdb) watch g_counter     # hardware watchpoint
# Memory inspection
(gdb) x/20xw 0x601020     # 20 hex words from address
(gdb) info proc mappings  # memory map (same data as /proc/<PID>/maps)
# ── PERF — PERFORMANCE ANALYSIS ─────────────────────────
# CPU profiling
perf stat ./my_program
perf record -g ./my_program && perf report
# Monitor running process
perf top -p <PID>
⏱ SEGMENT 4 | 1:30 – 2:00 | Hands-On Lab & Advanced Topics
🛠 Segment 4: Advanced Topics & Hands-On Lab (30 min)
4.1 Process Creation Deep-Dive (8 min)
🪟 Windows — CreateProcess Internals
// Demo: CreateProcess with I/O redirection (child stdout/stderr captured through a pipe)
#include <windows.h>
#include <stdio.h>

int main(void) {
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, TRUE };    // pipe handles must be inheritable
    HANDLE hReadPipe, hWritePipe;
    if (!CreatePipe(&hReadPipe, &hWritePipe, &sa, 0)) return 1;
    SetHandleInformation(hReadPipe, HANDLE_FLAG_INHERIT, 0); // child gets only the write end

    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdOutput = hWritePipe;          // redirect stdout to pipe
    si.hStdError = hWritePipe;
    char cmd[] = "cmd /c dir";           // writable buffer: CreateProcess may modify it
    if (!CreateProcessA(
            NULL,             // application name
            cmd,              // command line
            NULL, NULL,       // process/thread security attrs
            TRUE,             // inherit handles
            CREATE_NO_WINDOW, // creation flags
            NULL,             // environment
            NULL,             // working directory
            &si, &pi)) { fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError()); return 1; }
    CloseHandle(hWritePipe);             // drop the parent's copy so ReadFile sees EOF when the child exits

    char buf[4096]; DWORD n;
    while (ReadFile(hReadPipe, buf, sizeof buf, &n, NULL) && n > 0)
        fwrite(buf, 1, n, stdout);       // stream the child's output
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess); CloseHandle(pi.hThread); CloseHandle(hReadPipe);
    return 0;
}
# ProcDump: create dump on crash / high CPU
[Link] -ma -e 1 [Link]
[Link] -ma -c 90 -s 5 [Link] # dump if CPU > 90% for 5s
🐧 Linux — fork/exec Pattern
// Classic fork-exec in C
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

int main(void) {
    pid_t pid = fork();
    if (pid == 0) {
        // Child process: replace this image with /bin/ls
        execl("/bin/ls", "ls", "-la", (char *)NULL);
        perror("execl");
        _exit(1);            // only reached if execl fails
    } else if (pid > 0) {
        // Parent waits for the child and reports how it ended
        int status;
        waitpid(pid, &status, 0);
        if (WIFEXITED(status))
            printf("child %d exited with status %d\n", (int)pid, WEXITSTATUS(status));
    } else {
        perror("fork");
        return 1;
    }
    return 0;
}
# Observe fork in real-time with strace
strace -f -e trace=clone,execve,wait4 bash -c 'ls -la'
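The zombie row of the lifecycle table and the fork/exec pattern above, carried through end to end as an added example (not code from the lecture plan): the parent lets the child exit before calling wait(), reads /proc/<pid>/stat to confirm state Z, then reaps it and confirms the /proc entry is gone. Linux only; proc_state and zombie_demo are names chosen for this example.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return the one-letter state from /proc/<pid>/stat ('R', 'S', 'Z', ...) or
 * '?' if the entry does not exist. The state is the field right after the
 * ")" that closes the comm field, which may itself contain spaces. */
char proc_state(pid_t pid) {
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return '?';
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');
    return (p && p[1] == ' ') ? p[2] : '?';
}

/* Walk the lifecycle: fork, let the child exit before the parent waits,
 * confirm the kernel reports it as a zombie, reap it, confirm the /proc entry
 * is gone. Returns the child's exit code on success, -1 on any failure. */
int zombie_demo(int exit_code) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(exit_code);             /* child: terminate at once */

    /* Parent deliberately does not wait yet; poll up to ~2 s for state Z. */
    char st = '?';
    for (int i = 0; i < 200 && (st = proc_state(pid)) != 'Z'; i++)
        usleep(10000);
    if (st != 'Z') { waitpid(pid, NULL, 0); return -1; }

    int status;                                 /* wait() is what reaps the zombie */
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (proc_state(pid) != '?' || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int rc = zombie_demo(7);
    printf("child observed as zombie, then reaped with exit code %d\n", rc);
    return rc == 7 ? 0 : 1;
}
```

Run it under `strace -f -e trace=clone,wait4` to see the same sequence the lecture traces by hand.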
4.2 Process Security & Isolation (7 min)
Security Feature | Windows | Linux
Privilege model | Access Token (SID, privileges, IL) | UID/GID + capabilities
Least privilege | Integrity Levels (Low/Med/High/System) | drop_privileges() / seccomp
Isolation | Job Objects, Silos, AppContainers | Namespaces (pid/net/mnt/user)
Sandboxing | AppContainer, LPAC, Win32k lockdown | seccomp-bpf, cgroups
Audit | ProcMon, ETW / Security Event Log | auditd, /proc/*/status
# Windows — check token of a process
whoami /priv # current token privileges
# In WinDbg:
!token # dump current thread token
!process 0 1 [Link] # inspect lsass token
# Linux — check capabilities
cat /proc/<PID>/status | grep Cap
capsh --decode=<hex_value>
# Show namespaces for a process
ls -la /proc/<PID>/ns/
lsns -p <PID>
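An added example (not part of the lecture plan) that parses the /proc/<PID>/status fields the 1.2 demo reads and the Cap lines grepped above, and tests capability bits the way capsh --decode does. The struct, the function names and the sample status text are constructed for this example; read_status works on a live Linux process.

```c
#include <stdio.h>
#include <string.h>
/* Fields of /proc/<PID>/status the demos look at (State, PPid, Uid, VmRSS, Cap*). */
struct procstatus {
    char name[64];
    char state;                  /* R, S, D, T or Z */
    int ppid, uid, euid;         /* parent PID, real UID, effective UID */
    long vmrss_kb;               /* -1 when absent (kernel threads, zombies) */
    unsigned long long cap_eff;  /* effective capability bitmask */
};
/* Parse status text line by line; unrecognised lines are skipped, so the
 * extra fields newer kernels add do not break the parser. */
void parse_status(const char *text, struct procstatus *ps) {
    memset(ps, 0, sizeof *ps);
    ps->vmrss_kb = -1;
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len); buf[len] = '\0';
        /* the space after each colon in the format matches the tab in the file */
        if (sscanf(buf, "Name: %63[^\n]", ps->name) == 1) {}
        else if (sscanf(buf, "State: %c", &ps->state) == 1) {}
        else if (sscanf(buf, "PPid: %d", &ps->ppid) == 1) {}
        else if (sscanf(buf, "Uid: %d %d", &ps->uid, &ps->euid) == 2) {}
        else if (sscanf(buf, "VmRSS: %ld", &ps->vmrss_kb) == 1) {}
        else if (sscanf(buf, "CapEff: %llx", &ps->cap_eff) == 1) {}
        line = nl ? nl + 1 : line + len;
    }
}
/* Bit test on a capability set: 19 is CAP_SYS_PTRACE (attach gdb/strace to
 * another user's process), 21 is CAP_SYS_ADMIN. Same maths as capsh --decode. */
int cap_is_set(unsigned long long set, int cap) {
    return (int)((set >> cap) & 1ULL);
}
/* Read and parse a live process; returns 0 if /proc/<pid>/status is unreadable. */
int read_status(int pid, struct procstatus *ps) {
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); buf[n] = '\0';
    parse_status(buf, ps);
    return 1;
}
/* Constructed sample (not captured from a real system): a sleeping shell whose
 * CapEff has only bits 10 (CAP_NET_BIND_SERVICE) and 19 (CAP_SYS_PTRACE) set. */
static const char SAMPLE_STATUS[] =
    "Name:\tbash\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t4200\n"
    "Uid:\t1000\t1000\t1000\t1000\nVmRSS:\t    5120 kB\nCapEff:\t0000000000080400\n";
```

Point read_status at the PID from the gdb lab to see, before attaching, whether the tracer's CapEff contains bit 19.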
4.3 Hands-On Lab Exercises (15 min)
Students work independently or in pairs. Instructor circulates to assist.
Task 1
  🪟 Windows: Use Process Explorer to find the parent of [Link]. Then use [Link] to see what files/keys it has open.
  🐧 Linux: Use pstree -p to map your login session's process tree. Find your shell's PID and explore /proc/$$/maps.
Task 2
  🪟 Windows: Open ProcMon, filter for [Link]. Open Notepad, save a file. Trace the exact sequence of CreateFile/WriteFile calls. Note which temp file is written first.
  🐧 Linux: Run: strace -c cat /etc/passwd. Which syscall is called most? Now use: strace -e trace=openat,read cat /etc/passwd to see file access.
Task 3
  🪟 Windows: Attach WinDbg to [Link]. Run ~*k to see all thread stacks. Identify which thread is waiting for user input. Set a breakpoint on WriteFile.
  🐧 Linux: Write a small C program with an infinite loop. Compile, run, then attach gdb: gdb -p <PID>. Inspect the stack, set a watchpoint on a variable, observe it trigger.
Task 4 ★ (BONUS)
  🪟 Windows: Use VMMap to compare memory of two Chrome tabs. Which regions account for most private bytes? Use procdump to create a minidump of notepad.
  🐧 Linux: Run perf stat sleep 1 and compare to perf stat dd if=/dev/zero of=/dev/null count=1M. Explain the difference in cache-misses and branch instructions.
🧰 Tools Quick Reference
Windows Tools
Tool | Primary Use | Key Commands / Features
Process Explorer | Process tree, DLLs, handles, CPU graph | Right-click → Properties; View → Handles; Find Handle or DLL
Process Monitor | File/Registry/Network activity capture | Filter by process name, result, operation; stack view
VMMap | Virtual memory visualization | Color-coded regions; Export CSV; diff snapshots
WinDbg / WinDbg Preview | Debugger (user + kernel mode) | !analyze -v; !process; dt; k; ~*k; bp
[Link] | List/find open handles | handle -p PID; handle locked_file.txt
ProcDump | Dump creation on trigger | -ma full dump; -e on exception; -c on CPU%
Listdlls | DLLs loaded per process | [Link] notepad; -u unsigned DLLs
TCPView | Network connections per process | Real-time TCP/UDP; right-click to kill connection
Linux Tools
Tool | Primary Use | Key Commands
ps / pstree | List processes & hierarchy | ps aux; ps -eo pid,ppid,cmd; pstree -p $$
/proc | Per-process kernel data | /proc/PID/{status,maps,fd,cmdline,environ}
strace | Syscall tracer | strace -p PID; strace -c cmd; strace -f (follow forks)
lsof | Open files & network | lsof -p PID; lsof -i :PORT; lsof /path/file
gdb | GNU debugger | gdb -p PID; bt; info threads; watch var
perf | Performance profiler | perf stat; perf record -g; perf top -p PID
htop | Interactive process viewer | F5 tree view; F9 send signal; F10 quit
systemd-cgls | cgroup hierarchy | systemd-cgls; systemd-cgtop for live stats
⏱ 2-Hour Timeline at a Glance
Time | Duration | Topic | Mode
0:00–0:10 | 10 min | Core concepts: What is a process? Components, lifecycle | Lecture
0:10–0:20 | 10 min | DEMO: Process Explorer, ps, pstree, /proc tour | Live Demo
0:20–0:25 | 5 min | Q&A + concept check | Interactive
0:25–0:30 | 5 min | ☕ Break | —
0:30–0:38 | 8 min | Virtual address space — regions, page tables, isolation | Lecture
0:38–0:50 | 12 min | DEMO: VMMap, WinDbg !address, /proc/maps, pmap, smaps | Live Demo
0:50–0:55 | 5 min | DEMO: [Link] vs lsof — file descriptor inspection | Live Demo
0:55–1:00 | 5 min | ☕ Break | —
1:00–1:10 | 10 min | DEMO: ProcMon — trace Notepad save event sequence | Live Demo
1:10–1:20 | 10 min | DEMO: strace — syscall tracing, counting, filtering | Live Demo
1:20–1:30 | 10 min | DEMO: WinDbg attach + gdb attach, stack traces, breakpoints | Live Demo
1:30–1:38 | 8 min | CreateProcess vs fork/exec internals; ProcDump usage | Lecture + Demo
1:38–1:45 | 7 min | Process security: tokens, capabilities, namespaces, cgroups | Lecture
1:45–2:00 | 15 min | Hands-on Lab: 4 exercises (students work independently) | Lab
📝 Instructor Notes & Setup Checklist
🪟 Windows Setup
• Download Sysinternals Suite from Microsoft
• Install WinDbg Preview from Microsoft Store
• Run as Administrator for kernel visibility
• Set _NT_SYMBOL_PATH for WinDbg symbol resolution
• Pre-open ProcMon with [Link] filter saved
• Disable Windows Defender for demo VMs if needed
🐧 Linux Setup
• Install: strace lsof htop pstree sysstat gdb perf
• Install gcc for lab C code compilation
• Verify /proc is mounted (mount | grep proc)
• Enable ptrace_scope=0 for gdb attach (optional)
• Prepare a C program that busy-loops for gdb demo
• Have a terminal with sudo pre-authenticated
📚 Further Reading & Resources
🪟 Windows References
• Windows Internals 7th Ed. — Russinovich et al.
• Sysinternals Live: [Link]
• WinDbg docs: [Link]/en-us/windows-hardware/drivers/debugger
• ETW Deep-Dive: Channel 9 / Bruce Dawson blog
🐧 Linux References
• The Linux Programming Interface — Michael Kerrisk
• Linux Kernel Development — Robert Love
• man 5 proc — /proc filesystem reference
• Brendan Gregg's perf examples: [Link]/[Link]