Collection of data operations to be performed. Provides
Can be associated with the registry and file I/O to make those operations part of the same larger operation.
Enlistment
Association between a resource manager and a transaction.
Register with a transaction to receive notifications on it. The enlistment can specify which notifications should be generated.
Resource Manager (RM)
Container for the transactions and the data on which they operate.
Provides an interface for clients to read and write the data, typically on a database.
Transaction Manager (TM)
Container of all transactions that are part of the associated resource managers. As an instance of a log, it knows about all transaction states but not their data.
Provides an infrastructure through which clients and resource managers can communicate, and provides and coordinates recovery operations after a crash. Clients use the TM for transactions; RMs use the TM for enlistments.
EXPERIMENT: Listing Transaction Managers
Windows ships with a built-in tool called Ktmutil.exe that allows you to see ongoing transactions as well as registered transaction managers on the system (and force the outcome of ongoing transactions). In this experiment, you’ll use it to display the transaction managers typically seen on a Windows machine.
Start an elevated command prompt and type:Ktmutil.exe tm list
Here’s an example of output on a typical Windows system:C:\Windows\system32>ktmutil tm list TmGuid TmLogPath -------------------------------------- ----------------------------------------- {fef0dc5f-0392-11de-979f-002219dd8c25} \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog \$TxfLog::KtmLog {fef0dc63-0392-11de-979f-002219dd8c25} \Device\HarddiskVolume1\$Extend\$RmMetadata\$TxfLog \$TxfLog::KtmLog {5e68e4aa-129e-11e0-8635-806e6f6e6963} \Device\HarddiskVolume2\Windows\ServiceProfiles\ NetworkService\ntuser.dat{5e68e4a8-129e-11e0-8635-806e6f6e6963}.TM {5e68e4ae-129e-11e0-8635-005056c00008} \Device\HarddiskVolume2\Windows\ServiceProfiles\ LocalService\ntuser.dat{5e68e4ac-129e-11e0-8635-005056c00008}.TM {51ce23c9-0d6c-11e0-8afb-806e6f6e6963} \SystemRoot\System32\Config\TxR\{51ce23c7-0d6c- 11e0-8afb-806e6f6e6963}.TM {51ce23ee-0d6c-11e0-8afb-005056c00008} \Device\HarddiskVolume2\Users\markruss\ntuser. dat{51ce23ec-0d6c-11e0-8afb-005056c00008}.TM {51ce23f2-0d6c-11e0-8afb-005056c00008} \Device\HarddiskVolume2\Users\markruss\AppData\ Local\Microsoft\Windows\UsrClass.dat{51ce23f0-0d6c-11e0-8afb-005056c00008}.TM
Hotpatch Support
Rebooting a machine to apply the latest patches can mean significant downtime for a server, which is why Windows supports a run-time method of patching, called a
Operation
Meaning
Usage
Rename Image
Replacing a DLL that is on the disk and currently used by other applications, or replacing a driver that is on the disk and is currently loaded by the kernel
When an entire library in user mode needs to be replaced, the kernel can detect which processes and services are referencing it, unload them, and then update the DLL and restart the programs and services (which is done through the
Object Swap
Atomically renaming an object in the object directory namespace
When a file (typically a
Patch Function Code
Replacing the code of one or more functions inside an image file with another version
If a DLL or driver can’t be replaced or renamed during run time, functions in the image can be directly patched. A hotpatch DLL that contains the newer code is jumped to whenever an older function is called.
Refresh System DLL
Reload the memory mapped section object for Ntdll.dll
The system native library, Ntdll.dll, is loaded only once during boot-up and then simply duplicated into the address space of every new process. If it has been hotpatched, the system must refresh this section to load the newer version.
