High Performance NT4 Optimization and Tuning:Appendix B Glossary

Appendix B
Glossary

access control entry (ACE): An entry in an access control list (ACL). Each access control entry defines the protection or auditing to be applied to a file or other object for a specific user or group of users.
access control list (ACL): The part of a security descriptor that enumerates both the protections to accessing and the auditing of that accessing that are applied to an object. The owner of an object has discretionary access control of the object and can change the object’s ACL to allow or disallow others access to the object. Access control lists are ordered lists of access control entries (ACEs).
access right: A permission granted to a process to manipulate a particular object in a particular way (for example, by calling a service). Different object types support different access rights, which are stored in an object’s access control list (ACL).
access token (or security token): An object that uniquely identifies a user who has logged on. An access token is attached to all the user’s processes and contains the user’s security identifier (SID), the SIDs of any groups to which the user belongs, any privileges that the user owns, the default owner of any objects that the user’s processes create, and the default access control list (ACL) to be applied to any objects that the user’s processes create. See also privilege and anonymous-level security token.
access violation: An attempt to carry out a memory operation that is not allowed by Windows NT memory management. An access violation has nothing to do with the Security Manager’s checking of user-mode access rights to objects.

There are four basic actions that can cause access violations:

• Attempting an invalid operation, such as writing to a read-only buffer.

• Attempting to access memory beyond the limit of the current program’s address space (also known as a length violation).

• Attempting to access a page to which the system forbids access. (For example, code is not allowed to run in the low-order 64K of the Windows NT user-mode address.)

• Attempting to access a page that is currently resident but dedicated to the use of an Executive component. (For example, user-mode code is not allowed access to a page that the kernel is using.)

address class: In the TCP/IP world, the address class definition describes the type of network subnet. These are divided into three address classes: class A (for example, 206.0.0.0), class B (for example, 206.170.0.0), and class C (for example, 206.170.127.0). Each higher class (from A through C) designates a lower granularity of IP addresses. A class C address can contain only 256 IP addresses (from .0 through .255), while a class B address can contain 65,536 IP addresses (0.0 through 255.255), and a class A address can contain 16,777,216 IP addresses (from 0.0.0 through 255.255.255).
address space (or virtual address space): The set of addresses available for a process’s threads to use. In Windows NT, every process has a unique address space of 4GB of which 2GB is reserved for the operating system and 2GB is reserved per process.
administrative alert: A message sent to a computer or user by the Alerter service to inform the user of a critical problem or low resource supply on a computer, such as a low disk-space warning.
alerter service: A Windows NT service designed to send alert messages. This service requires the Windows NT Messenger service to be running, in order to actually send an alert to a computer or user.
algorithm: In its most general sense, an algorithm is any set of instructions that can be followed to carry out a particular task. In computer usage, an algorithm is a set of instructions within a program. For example, in the Network option in Control Panel, if you encounter a message that states, “A binding algorithm failed,” it means that the program was unable to execute a set of instructions designed to bind together elements necessary for a functional network configuration.
allocation units: See clusters.
anonymous-level security token: The type of security token used when a server impersonates a client. If, when the client calls the server, the client specifies an anonymous impersonation mode, the server cannot access any of the client’s identification information, such as its security identifier (SID) or privileges. The server will have to use an anonymous-level security token when representing the client in successive operations. See also access token.
application programming interface (API): A set of routines that an application program uses to request and carry out lower-level services performed by the operating system.

For example, programming code is built using a series of function calls or routines that perform certain actions. Suppose that, on every workday, you get up at 7 A.M., shower, dress, fix and eat breakfast, brush your teeth, and then drive to work. If you were a computer and never deviated from this pattern, a programmer could write a program for you called DAILY_ROUTINE that would perform these actions automatically. So, instead of having to specify each action, the programmer could just write DAILY_ROUTINE in the code, and the actions would be carried out. Thus, in this example, DAILY_ROUTINE would constitute an API.

archive bit: An attribute stored on the disk to indicate that a directory or file has changed. Backup programs use this bit to determine whether to copy a file to a backup medium (such as a tape). Once a file has been copied, this bit will be reset. See also hidden bit, read-only bit, and system bit.
asymmetric multiprocessing (AMP): A multiprocessing methodology that utilizes one processor to execute the operating system and another processor to execute applications. See also symmetric multiprocessing.
audit: An ability to record information about object access. An object could be a file, directory, process, or other auditable object. This auditing information is stored in the security event log and can be viewed by an administrator using the Event Viewer.
audit policy: A set of rules that specifies the type of information to be audited. Many audit policies include user authentication (to know who has logged on to your system) and object access (to determine who is using what resources on your computer).
authentication package: A subsystem that verifies that the logon information supplied by a user matches the information stored in a security database.
AUTOEXEC.NT and CONFIG.NT files: Windows NT configures the MS-DOS environment by reading the AUTOEXEC.BAT file when you log on, and by reading the AUTOEXEC.NT and CONFIG.NT files when you start an application in a new command window. The AUTOEXEC.NT and CONFIG.NT files are the Windows NT versions of AUTOEXEC.BAT and CONFIG.SYS.

When you log on to Windows NT, the path and environment variables stored in the AUTOEXEC.BAT file are appended to the Windows NT path and environment settings. Because this portion of the operating environment is established at logon, the values set for the path and environment variables are available to each application you use. If you change these values, you must log off from and then log on to Windows NT again so that the changes take effect.

When you start an MS-DOS-based or a 16-bit Windows-based application in a new command window, Windows NT reads the CONFIG.NT and AUTOEXEC.NT files to configure the environment for the application. For example, if you change an application’s driver in the CONFIG.NT file, restarting the application puts the change into effect. You can edit these files just as you would CONFIG.SYS and AUTOEXEC.BAT. The files are located in the SystemRoot\SYSTEM32 directory, where SystemRoot is the root directory of your Windows NT installation (generally C:\WINNT).

backup domain controller (BDC): For a Windows NT Server domain, this refers to a server that contains a copy of the security policy and the master database for a domain and authenticates domain logons (along with the primary domain controller). See also primary domain controller (PDC).
bad-sector mapping: A technique used by the NTFS file system to handle write errors. When an error is detected, the file system takes a free block, writes the data to that block instead of to the bad block, and updates a bad-block map. A copy of this map is written to disk.
basic input output system (BIOS): A system component, generally a ROM or flash memory chip, used to contain processor instructions to operate a system peripheral, such as the disk controller, keyboard, or video controller. The BIOS is used as an intermediary device to provide device independence. An operating system can call a BIOS function rather than control the device directly. Windows NT, however, generally only makes use of the BIOS to boot the computer and requires a specific device driver to control the peripheral. See also read-only memory (ROM), read access memory (RAM), and flash memory.
batch file: A text file that contains commands to be noninteractively processed in a logical order. Your AUTOEXEC.NT file is an example of a batch file.
batch process: A process (application) that executes in the background without user intervention. The Windows NT Scheduler service can be used to initiate a batch process, such as a backup program, at a specified time.
bayonet nut connector: A T-shaped connector used in a thin Ethernet-based network to connect the network adapter to the network segment. The base of the connector attaches to the network adapter, and the input and output network cable attaches to the top of the connector.
binding: A series of bound paths from the upper-layer network services and protocols to the lowest layer of adapter card device drivers. Each network component can be bound to one or more network components above it or below it to make the component’s services available to any component that can benefit from the services.
boot partition: The boot partition for Windows NT is the volume formatted for a Windows NT file system (NTFS), file allocation table (FAT), or high-performance file system (HPFS) that has the Windows NT operating system and its support files. The boot partition can be (but does not have to be) the same as the system partition. It cannot be part of a striped set or volume set, but it can be part of a mirror set. See also system partition.
browse: A process of enumerating network resources, for example, a list of shared directories or printers. See also enumeration operation.
browser: See Web browser.
C2-level security: A standard implemented by the U.S. Government’s National Computer Security Council that requires discretionary access to computer resources and auditing.
circular dependency: A dependency in which an action that appears later in a chain is contingent on an earlier action. For example, three services (A, B, and C) are linked. A is dependent on B to start. B is dependent on C to start. And a circular dependency results when C is dependent on A to start. See also dependency.
client/server application: An application that is divided into two or more components at the API level. The application is commonly divided into a client application executed on a network client computer and a server application executed on a different computer. This distributes the load and can improve performance by utilizing a fast computer to run the server to process the data and a client computer to display the data.
clusters (or allocation units): In data storage, a cluster is a disk-storage unit consisting of a fixed number of sectors (storage segments on the disk) that the operating system uses to read or write information to. Typically, a cluster consists of two to eight sectors, each of which holds a certain number of bytes (characters).

A formatted disk is divided into sectors, and a cluster is a set of contiguous sectors allocated to files as a single unit. This clustering of sectors reduces disk fragmentation but can result in wasted space within the cluster.

Under both the NTFS and FAT file systems, the size of a cluster is based on the size of the partition. However, with NTFS, you can override this with a switch, which forces a smaller (or larger) cluster size. Under FAT, the size of a cluster cannot be changed. The larger the partition, the more sectors you will have per cluster. Therefore, under FAT, you can have 1, 2, 4, 8, 16, 32, and 64 sectors per cluster.

common gateway interface (CGI): An application interface used to customize the behavior of a Web page. A CGI application executes as a separate process. It is commonly used with Web-based forms to capture client information.
CONFIG.NT files: See AUTOEXEC.NT and CONFIG.NT files.
control set: All Windows NT startup-related data that is not computed during startup is saved in one of the registry hives. This startup data is organized into control sets, each of which contains a complete set of parameters for starting up devices and services. The registry always contains at least two control sets—the current control set and the LastKnownGood control set—which store information about the configurable options for the computer. See also LastKnown Good (LKG) control set and current control set.
cooperative multitasking: A multitasking methodology that can only halt the execution of a process and start the execution of another process at the discretion of the currently executing application. See also preemptive multitasking.
corrupted data: Data in memory or on disk that has been unintentionally changed, thereby altering or obliterating its meaning.
current control set: The control set that was used most recently to start the computer and that contains any changes made to the startup information during the current session. See also LastKnown Good (LKG) control set and control set.
cyclic redundancy check (CRC): A procedure used on disk drives to ensure that the data written to a sector is read correctly later.

This procedure is also used in checking for errors in data transmission. The procedure is known as a redundancy check because each data transmission includes not only data but extra (redundant) error-checking values. The sending device generates a number based on the data to be transmitted and sends its result along with the data to the receiving device. The receiving device repeats the same calculation after transmission. If both devices obtain the same result, it is assumed that the transmission is error-free.

deadlock condition: A runtime error condition that occurs when two threads of execution are blocked, each waiting to acquire a resource that the other holds, and both are unable to continue running.
debugger breakpoints: Set by the user of the kernel debugger (KD) before running the Windows NT Executive, a breakpoint is put into the Executive code at an instruction. Then, when the Executive is run, if and when the instruction is executed, execution is stopped, and the current values of registers and flags are displayed. KD breakpoints are “sticky” in the sense that they remain in the program until explicitly removed. It is possible for code to have breakpoints in it that are never explicitly removed. See also kernel debugger (KD), system debugger, and WINDBG.EXE.
default gateway: Specifies a host (a router or another computer) to forward TCP/IP packets outside of the local subnet. A gateway is generally a point where two networks interface. For example, you can have two subnets (called A and B). For these subnets to be accessible from each other, they would be joined together using a router. The IP address of this router would be used as the default gateway by network clients in subnets A and B.
dependency: A situation in which one action must take place before another can happen. For example, if action A does not occur, then action D cannot occur.

Some Windows NT drivers have dependencies on other drivers or groups of drivers. For example, driver A will not load unless some driver from the G group loads first. See also circular dependency.

device driver: A low-level (usually kernel-mode) operating system component used as an interface for accessing physical hardware. A device driver is an individual file that provides for easy replacement. Some device drivers (such as the 4mm DAT driver) can be loaded dynamically at any time by the operating system, while other device drivers can only be loaded at boot time (such as a disk controller driver). For example, the AHA174x.SYS device driver provides the software (operating system) interface to the hardware (I/O ports, registers, and so on) for my Adaptec 1742/a SCSI controller.
dial-up networking: The client side of a client/server service to provide network access to physically remote-network clients using modems, ISDN, and X.25 adapters. Generally, the dial-up networking client will use a modem and standard phone line to connect to the network. The modem will be used as a network adapter to transmit and receive network packets from the attached network (or Internet). The dial-up networking client supports the PPP and SLIP interfaces and the TCP/IP, IPX/SPX, and NetBEUI network transport protocols.
directory replicator service: A Windows NT service used to export or import a directory tree. Only a Windows NT server computer can act as a directory export server, although any Windows NT computer can act as a directory import partner. The most common use of this service is to replicate the logon scripts from one domain controller (not necessarily the primary domain controller) to the other domain controllers in the domain. See also export path and import path.
disk duplexing: A fault-tolerant capability provided with Windows NT Server that utilizes a second disk or partition on a physically separate disk controller to create a redundant copy of a disk or partition. If the primary disk controller or disk drive fails, then the second copy can be utilized to keep the system up and running.
disk mirroring: A fault-tolerant capability provided with Windows NT Server that utilizes a second disk or partition to make a redundant copy of a disk or partition in case of a failure of the primary disk or partition.
disk striping: See striped set and striped set with parity.
domain: For Windows NT Server, a collection of computers that shares a common accounts database and security policy. Each domain has a unique name.

A domain is set of servers and workstations grouped together for efficiency and security, and the basic administrative unit in Windows NT Server. A network can be divided, for example, into domains by department, workgroup, or building floor.

Domains keep large networks manageable. For example, users displaying a list of servers will see only the servers for their domain. But, they can still access resources on servers in any domain if they have been granted the necessary rights.

domain controller: See primary domain controller (PDC).
Domain For Windows NT Server: See domain.
domain name: A Unix-based operating system that defines a common name for a group of computers, very similar in concept to a Windows NT domain. A domain name is a mechanism used for address resolution. Your Web server might be known as www.yourdomainname.com, or your email address might be YourName@YourDomain.com. In both cases, the host name will be converted to a specific IP address to establish a connection.
domain name service: A Unix-based service for resolving NetBIOS computer names to IP addresses. A DNS server utilizes several host files, such as BOOT, which is an ASCII file that contains computer names and IP addresses. See also Dynamic Host Configuration Protocol (DHCP), Windows Internet Naming Service (WINS), and WINS Proxy Agent.
domain synchronization: A process used for keeping a consistent copy of the account database on all domain controllers. The primary domain controller contains the original copy of the account database and is responsible for copying these changes to the backup domain controllers. As a change is made, the domain controller will inform the backup domain controllers that an update has been made. Then, the backup domain controllers will request the updates to maintain a consistent copy of the account database. This will prevent a user from gaining access to the network based on stale data.
dongle: An adapter that connects to the parallel port and contains a software key. Protected software often uses this type of mechanism to prevent software piracy.
down level: A term that refers to earlier operating systems, such as Windows for Workgroups or LAN Manager, that can still interoperate with Windows NT Workstation or Windows NT Server.
Dynamic Host Configuration Protocol (DHCP): A client/server mechanism for automatically configuring IP addresses on networked client computers using the TCP/IP protocol. Windows NT Server includes the DHCP service, which is used to supply a TCP/IP address to a network client that includes a DHCP client, such as Windows NT Workstation, Windows NT Server, Windows 95, Windows for Workgroups, and MS-DOS clients utilizing the MS-DOS Connection. See also Windows Internet Naming Service (WINS).
dynamic-link library (DLL): A library of routines that user-mode applications access through ordinary procedure calls. The operating system automatically modifies the user’s executable image to point to DLL procedures at runtime. That way, the code for the procedures does not have to be included in the user’s executable image and can be shared with other executable images.
enumeration operation: The counting, accessing, or listing of an entire set of similar objects. When the last object in the set has been counted, accessed, or listed, the enumeration operation is complete. See also browse.
error logging: The process by which errors that cannot readily be corrected by the majority of end users are written to a file instead of being displayed on the screen. System administrators, support technicians, and users can use this log file to monitor the condition of the hardware in a Windows NT computer, to tune the configuration of the computer for better performance, and to debug problems as they occur.
exception: A synchronous error condition resulting from the execution of a particular computer instruction. Exceptions can be either hardware-detected errors, such as division by zero, or software-detected errors, such as a guard-page violation.
Executive: The Executive is the part of the Windows NT operating system that runs in kernel mode. Kernel mode is a privileged processor mode in which a thread has access to system memory and hardware. (In contrast, user mode is a nonprivileged processor mode in which a thread can only access system resources by calling system services.) The Windows NT Executive provides process structure, thread scheduling, interprocess communication, memory management, object management, object security, interrupt processing, I/O capabilities, and networking. See also kernel.
Executive messages: Two types of character-mode messages—STOP messages and hardware-malfunction messages—that occur when the Windows NT kernel detects an inconsistent condition from which it cannot recover.

Character-mode STOP messages are always displayed on a full character-mode screen rather than in a Windows-mode message box. They are also uniquely identified by a hexadecimal number and a symbolic string, as in the following example:

*** STOP—0x00000001
APC_INDEX_MISMATCH

The content of the symbolic string can suggest (to a trained technician) the part of the kernel that detected the condition from which there was no recourse but to stop. However, keep in mind that the cause could actually be in another part of the system.

Character-mode hardware-malfunction messages are caused by a hardware condition detected by the processor. The first one or two lines of a hardware-malfunction message can differ depending on which company manufactured the computer. However, these lines always convey the same idea, as shown in the following example for an x86-based computer:

Hardware malfunction—Call your hardware vendor for support.

The additional lines in each manufacturer’s message screen also differ in format and content.

The Executive displays a Windows-mode STATUS message box when it detects conditions within a process (generally, an application) that you should know about. STATUS messages can be divided into the following three types:

• System-information messages—All you need to do is read the information in the message box and choose the OK button. The kernel will continue running the process or thread.

• Warning messages—Some advise you to take an action that will enable the kernel to keep running the process or thread. Others warn you that, although the process or thread will continue running, the results might not be correct.

• Application-termination messages—These warn you that the kernel is about to terminate either a process or a thread.

export path: The local path on a Windows NT Server computer that contains the directories and files to copy to import partners. An import partner is a Windows NT computer that has an executing directory replicator service and has specifically been configured to copy the directories and files in the export path. See also directory replicator service and import path.
extended attribute: Windows NT FAT files have four basic parts: data, file system attributes (such as creation time and date, and FAT attributes), security descriptors, and extended attributes (EAs). EAs make up the set of extended information about a file and are structured as name/value pairs. Typical uses of Windows NT system EAs include storing the icon of an executable image or indicating that a file is a symbolic link.
extended partition: This is created from free space on a hard disk and can be partitioned into zero or more logical drives. The free space in an extended partition can also be used to create volume sets or other kinds of volumes for fault-tolerance purposes. Only one of the four partitions allowed per physical disk can be an extended partition, and no primary partition needs to be present to create an extended partition.
family set: A group of tapes that contain the same tape name and one or more backup sets created by NTBACKUP. A family set can be thought of as a single logical tape, even though it consists of more than one physical tape.
file control block (FCB): In MS-DOS, a 36-byte block of memory that contains all the information MS-DOS needs to know about an open file, such as the file name, what drive it is on, current file size, and date and time of creation.
File Transfer Protocol (FTP): A language used to send or receive files over the Internet using a client/server architecture.
flash memory: A set of memory chips installed on the computer used to store instructions for a computer to execute or data to be read by the processor. Flash memory is similar to ROM in that its purpose is to support read-only operations. However, flash memory can be written to by using a special program to change its contents. Flash memory is generally used to contain your system BIOS and is a better choice than ROM because it allows the user to upgrade the system BIOS. See also basic input output system (BIOS), random access memory (RAM), and read-only memory (ROM).
Fully Qualified Domain Name (FQDN): A host name with the domain name appended. For example, if your computer name is roadtrip and your domain name is nt-guru.com, your FQDN would be roadtrip.nt-guru.com.
gateway: See default gateway.
global group: A series of one or more user accounts logically grouped into a single unit and available domain wide. Global groups are only available on a Windows NT domain. See also local group.
globally unique identifier (GUID): See universally unique identifier (UUID).
guard-page protection: The Windows NT Virtual Memory Manager can put a guard page at the end of a data structure, such as a dynamic array, and generate a warning message when a user-mode thread accesses the guard-page memory. The user-mode process can respond appropriately, for example, by extending the array.
handle: In general, a unique identifier (often an integer) by which a client refers to an object in the Windows NT operating system. Clients call servers to get a handle to an object on which the client wants to operate. Then, the client sends requests for operations to the object, referring to the object by its handle. The server actually does the operation. This ensures that the client does not operate on the object directly.

In the registry, each of the first-level key names begins with HKEY_ to indicate to software developers that this is a handle that can be read by a program. A handle is a value used to provide a unique identifier for a resource so that a program can access it.

Hardware Abstraction Layer (HAL): This is the lowest layer of the Windows NT operating system and a part of the Executive. The HAL is used to provide platform independence. It is used to communicate directly with the expansion bus, motherboard cache, programmable interrupt controller, and other system-specific components. All that is needed to convert Windows NT from a uniprocessor (single CPU) to a multiprocessor version of Windows NT is to use a supported motherboard with two or more CPUs and a multiprocessor HAL and multiprocessor kernel. The rest of the operating system components will remain the same.
hexadecimal: A base-16 number system that consists of the digits 0 through 9 and the uppercase and lowercase letters A (equivalent to decimal 10) through F (equivalent to decimal 15).
hidden bit: An attribute stored on a disk to indicate that a directory or file should not be displayed. For example, Windows Explorer will not display hidden files unless the Show All Files option has been enabled. System files required for the operation of your computer are often hidden. For instance, the BOOT.INI file, which is required by Windows NT to determine the location of the operating system to boot, is normally hidden. See also archive bit, read-only bit, and system bit.
high memory area (HMA): A 64K memory block located just above the 1MB address in a virtual DOS machine (VDM). This memory becomes visible when the A20 address line is turned on, enabling 21-bit addressing in the VDM.
hive: The registry is divided into parts called hives, so named as an analogy to the cellular structure of a beehive. A hive is a part of the registry that maps to a file on your hard disk. Each user profile is a separate hive, which means that it is also a separate file. Therefore, an administrator can copy a user profile as a file, and view, repair, or copy entries using Registry Editor on another computer. See also registry.
home directory: A local or shared directory specified as the user’s default directory with User Manager.
hot key: In a user interface, hot keys provide an alternative to the mouse for manipulating interface objects. For example, instead of using the mouse, you can press the key combination ALT+F to open the File menu on the menu bar. ALT+F is a hot key.
Hypertext Markup Language (HTML): A set of rules that utilize ASCII-based tags to format text, display objects, and create links within a document or Web page.
Hypertext Transfer Protocol (HTTP): The common protocol, or language, used by World Wide Web (WWW) servers and Web browsers as the communication link between client and server.
Hypertext Transfer Protocol Secure (HTTPS): The protocol, or language, used by World Wide Web (WWW) servers and Web browsers as a secure communication link between client and server. This secure link is obtained through the use of data encryption.
impersonation: The ability of a thread in one process to take on the security identity of a thread in another process and to perform operations on the other thread’s behalf. Impersonation is used by the Windows NT environment subsystems and network services to access remote resources on behalf of client applications.
import path: The local path on a Windows NT Server computer that has an executing directory replicator service. The directories and files of the export partner will be copied to this relative path. See also directory replicator service and export path.
INF file: One of a set of files used by the Setup program during Windows NT installation, maintenance Setup, or both. An INF file generally contains a script for Setup to follow, along with configuration data that ends up in the registry.
input/output address: All peripherals connected to your expansion bus utilize one or more I/O ports to communicate with a device driver to control the physical device, transfer data to/from the system and the device, or both. For example, a communication port (COM1) has a base I/O address of 03F8h and has eight I/O ports for communicating with the device and to transfer data.
input/output control (IOCTL): An IOCTL command enables a program to communicate directly with a device driver. This is done, for example, by sending a string of control information recognized by the driver. None of the information passed from the program to the device driver is sent to the device itself (in other words, the control string sent to a printer driver is not displayed on the printer).
installable file system (IFS): A file system that can be loaded into the operating system dynamically. Windows NT can support multiple installable file systems at one time, including the file allocation table (FAT) file system, high-performance file system (HPFS), Windows NT file system (NTFS), and CD-ROM file system (CDFS). Windows NT automatically determines the format of a storage medium, and reads and writes files in the correct format.
Internet access provider (IAP): A company that provides you with a raw Internet connection. There are no associated services, such as those that could be provided by an ISP. See also Internet service provider (ISP).
Internet Database Connector: An Internet Information Service extension. The extension is an ISA application that provides a customizable interface to an ODBC database from an HTML document.
Internet Protocol (IP): A low-level network protocol designed to provide a means of identifying a particular host. Every host on the Internet requires a unique IP address.
Internet Server Application Programming Interface (ISAPI): A set of APIs used by developers to customize the behavior of the IIS WWW server. It is similar to the Common Gateway Interface (CGI) in purpose, with the exception that ISAPI applications execute within the same process as the Web server rather than as a separate process. This can provide a substantial performance increase over CGI applications.
Internet service provider (ISP): A company that provides you with your Internet connection and services. These services can include domain name registration, IP address allocation, WWW site hosting, and so on.
interrupt: An asynchronous operating system condition that disrupts normal execution and transfers control to an interrupt handler. Interrupts can be issued by both software and hardware devices requiring service from the processor. When software issues an interrupt, it calls an interrupt service routine (ISR). When hardware issues an interrupt, it signals an interrupt request (IRQ) line.
interrupt request level (IRQL): A ranking of interrupts by priority. A processor has an interrupt request level (IRQL) setting that threads can raise or lower. Interrupts that occur at or below the processor’s IRQL setting are masked, whereas interrupts that occur above the processor’s IRQL setting are not. Software interrupts are almost always lower priority than hardware interrupts.
I/O bus: A hardware path inside a computer that is used for transferring information to and from the processor and various input and output devices.
IP address: A 32-bit number represented as a series of numbers between 0 and 255 separated by periods. For example, the IP address for my server is 206.170.127.65.
ISA: Usually used to describe the Industry Standard Architecture I/O bus; however, it is also used to describe an Internet Server Application. An Internet Server Application is an ISAPI application that extends the functionality of an HTTP server.
Javascript: A programming language designed as part of the Microsoft ActiveX development efforts. Javascript applications are executable code embedded as an object within HTML documents. These applications can be used to provide interactive Web pages. Javascript is based on the Java language by Sun Microsystems, which is based on the C++ object model.
kernel: The Windows NT kernel is the part of the Windows NT Executive that manages the processor. It performs thread scheduling and dispatching, interrupt and exception handling, and multiprocessor synchronization. It also provides primitive objects to the Windows NT Executive, which uses them to create user-mode objects. See also Executive.
kernel debugger (KD): The Windows NT kernel debugger (KD) is a 32-bit application used to debug the kernel and device drivers, and to log the events leading up to a Windows NT Executive STOP, STATUS, or hardware-malfunction message.

The kernel debugger runs on another Windows NT host computer that is connected to your Windows NT target computer. The two computers send debugging (troubleshooting) information back and forth through a communications port that must be running at the same baud rate on each computer. See also debugger breakpoints, system debugger, and WINDBG.EXE.

kernel mode: See Executive.
keyword: A special type of command parameter that includes a value. For example, the syntax of the width keyword indicates a value as follows: width = 40.
LastKnown Good (LKG) control set: The most recent control set that correctly started the system and resulted in a successful startup. The control set is saved as the LKG control set when you have a successful logon.

A copy of the control set used to start the system is also stored as the Clone subkey in the registry. At startup time, the Service Control Manager copies the Clone subkey to the LastKnown Good control set before any new changes are made to the control set. This helps to ensure that the computer always contains a working control set. See also control set and current control set.

local area network (LAN): A group of computers physically located in a single area and connected to each other over a high-speed media to share resources. See also wide area network (WAN).
local group: A series of one or more user accounts logically grouped into a single unit and available domain wide on a domain, or available only on the local Windows NT Workstation. See also global group.
local procedure call (LPC): A local procedure call performs exactly like a remote procedure call except that it only is used on a single computer. It provides a means for building distributed applications and testing them on a single computer. To initiate an LPC call for a distributed application, change the computer name to a single period for the connection string. For example, use \\.\pipe\sql\query instead of \\computername\pipe\sql\query to use an SQL client application on the same computer as the SQL Server application to connect. See also remote procedure call (RPC).
local security authority (LSA): A component of the Windows NT security system that maintains all aspects of local security on a system. This collection of information is known as the local security policy. Among other statistics, the local security policy identifies the following: domains trusted to authenticate logon attempts, users who can access the system, how users can access the system (locally, from the network, or as a service), who is assigned privileges, and what security auditing is to be performed.
mandatory user profile: A user profile that cannot be changed by the user and, because of this, can be shared by multiple users. See also user profile.
mapped I/O (or mapped file I/O): A file I/O that is performed by reading and writing to virtual memory that is backed by a file.
memory control block (MCB): MS-DOS organizes available memory as a pool of blocks that are maintained as a chain (or linked list). The memory control block (MCB) occupies the bottom 16 bytes of each memory block and, among other things, points to the next memory block in the chain. If a memory control block is corrupted, MS-DOS cannot find the next block in the chain and does not know which memory blocks have been allocated and which have not.
mounting a volume: The process of finding a file system that recognizes the format of a volume and associating the file system with the volume. Windows NT does this automatically the first time a program accesses a volume (or, for other forms of removable media such as floppy disks or CD-ROMs, each time the user reinserts the floppy disk or CD into a drive and performs I/O on it). A volume must be mounted before I/O operations can be performed on it.
multihomed: A computer with more than one IP address assigned to it. A multihomed computer has more than one network adapter, with each network adapter assigned a unique IP address. A multihomed computer is often used to combine separate physical network segments into a single logical network by forwarding IP packets between the two segments.
multithreading: The ability to subdivide a process into one or more executable components. See also thread.
multiprocessing: The ability to execute more than one program at a time by dividing the processor cycles among several applications.
named pipe: An interprocess communication mechanism that enables one process to send data to another local or remote process. See also pipe.
NetBEUI: NetBIOS Extended User Interface (NetBEUI) is a network transport protocol supported by all Microsoft network operating systems and some IBM network operating systems. It has a maximum number of 255 simultaneous computer connections and has been superseded by the NetBEUI Frame (NBF) protocol, which does not have the 255 computer connection limit.
NetBIOS: Network Basic Input/Output System is a network API set, rather than a network transport protocol, and is defined for use by applications for utilization of network resources.
network control block (NCB): A block of sequential data of fixed length. This data includes an operation code that indicates the operation to be performed and elements that indicate the status of the operation. See also opcode.
Network News Transfer Protocol (NNTP): Specifies a network protocol used to support the online bulletin board system (BBS) functionality of Internet newsgroups.
network transport: This can be either a particular layer of the OSI reference model, between the Network Layer and the Session Layer, or a communications protocol, between two different computers on a network.
object: A single runtime instance of a Windows NT-defined object type. It contains data that can be manipulated only by using a set of services provided for objects of its type.

In Windows NT Performance Monitor (see Appendix A), an object is a standard mechanism for identifying and using a system resource. Objects are created to represent individual processes, sections of shared memory, and physical devices. Performance Monitor groups counters by object type. Each object type can also have several instances. For example, the Processor object type will have multiple instances if a system has multiple processors. The Physical Disk object type has two instances if a system has two disks. Some object types (such as Memory and Server) do not have instances.

opcode: Short for operation code, opcode is a code, usually a number, that specifies an operation to be performed. An opcode is often the first component in a contiguous block of data. It indicates how other data in the block should be interpreted. See also network control block.
Open Database Connectivity (ODBC): ODBC provides a logical mechanism to access an ODBC-aware database. An ODBC-aware database is any database (such as Microsoft SQL Server or Microsoft Access) that you create with an ODBC driver. The ODBC driver is used as a layer between your application and the database. This layer provides a uniform mechanism to access any ODBC database. This provides a means to build a database using Microsoft Access today and switch it to a Microsoft SQL Server database, just by building the SQL Server database and supplying a new definition for the Data Source Name (DSN). Your application would remain the same.
paging file (or swap file): A system file that contains the contents of virtual pages that have been temporarily removed from physical memory by the Virtual Memory Manager.

With virtual memory under Windows NT, some of the program code and other information is kept in RAM, while other information is temporarily swapped to a virtual-memory paging file. When that information is required again, Windows NT pulls it back into RAM and, if necessary, swaps other information to virtual memory. This activity is invisible, although you might notice that your hard disk is working. The resulting benefit is that you can run more programs at one time than your system’s RAM would usually allow. See also virtual memory.

parameter: Parameters are used in commands entered at the Windows NT command prompt to customize that particular use of the command. For example, the MS-DOS copy command has two parameters: the path to the file to copy and the path to where the copy will be stored. These two parameter values can be any valid path. By changing these each time you use the copy command, you are customizing the command.
parity: A mechanism used to ensure data integrity. The basic methodology combines (using an XOR algorithm) the binary values in an element and then sets a parity bit based on the result. This result bit is a 1 if the XOR result was a 1, or a 0 if the XOR result was 0. The parity bit can be used to determine the data changes.
partition: A portion of a physical disk that functions as though it is a physically separate unit. You can use a partitioning program, such as FDISK for the MS-DOS and OS/2 operating systems and Disk Administrator for Windows NT, to create these unformatted units. You must then use the format command (either from the command prompt or from within Disk Administrator) to format the partition for use with a specific file system. A partition is usually referred to as either a primary or an extended partition. See also volume.
partition table: A structure on a disk that the operating system uses to divide a disk into logical divisions called partitions, which can then be formatted to a specific file system. Primary partitions are defined by a data entry in the main partition table of a hard disk. Extended partitions are defined by a nondata entry in the main partition table.
permission: A rule associated with an object (usually a directory, file, or printer) in the form of a discretionary access control list (DACL) that is used to regulate which users or groups can have access to the object and in what manner. You can set file and directory permissions only on drives formatted to use the Windows NT File System (NTFS). See also right.
pipe: An interprocess communication (IPC) mechanism. Writing to and reading from a pipe is much like writing to and reading from a file, except that the two processes are actually using a shared memory segment to communicate data. An unnamed pipe is a local IPC methodology and can only be used among processes running on the same computer. See also named pipe.
Point-to-Point Protocol (PPP): A protocol definition used to link two networks (or individual computers) together. The Microsoft implementation supports PPP connections using TCP/IP, IPX/SPX, or NetBEUI network transport protocols.
preemptive multitasking: A multitasking methodology that can halt the execution of a process and start the execution of another process at the discretion of the operating system. Generally, a preemptive multitasking operating system, such as Windows NT, is based on a time slice where each process executes for a specific number of CPU cycles. See also cooperative multitasking.
primary domain controller (PDC): For a Windows NT Server domain, this refers to the server that maintains the original copy of the security policy and master database for a domain and, along with backup domain controllers, authenticates domain logons. Any changes made to the account policies and account database have to occur on the primary domain controller. These changes will then be replicated to the backup domain controllers. See also backup domain controller (BDC) and replication.
primary partition: A portion of a physical disk that can be marked as active for use by an operating system. Active means that the POST (power-on self-test) routine can locate a boot sector on the partition. There can be up to four primary partitions (or up to three if there is already an extended partition) per physical disk. A primary partition cannot be partitioned.
privilege: The representation of most user rights in access tokens. An example of one is the backup privilege. Holders of the backup privilege are allowed to bypass file-system security to back up and restore data on a disk. In a secure system, not all users will have that privilege. See also access token.
privileged instruction: Processor-privileged instructions have access to system memory and the hardware.
process: A logical division of labor in an operating system.

A Windows NT process is created when a program runs. A process can be either an application (such as Microsoft Word or Corel® Draw), a service (such as Event Log or Computer Browser), or a subsystem (such as POSIX). In Windows NT, it comprises a virtual address space, an executable program, one or more threads of execution, some portion of the user’s resource quotas, and the system resources that the operating system has allocated to the process’s threads. A process is implemented as an object. See also object.

random access memory (RAM): A set of memory chips installed in the computer and used to store computer instructions to be loaded and executed by the processor, or used to store data. RAM can be either read from or written to an unlimited number of times. See also flash memory and read-only memory (ROM).
read-only bit: An attribute stored on a disk to indicate that a directory or file can not be modified (i.e., written to). System files required for the operation of your computer are often marked as read-only. For instance, the NTLDR file, which is required by Windows NT to load the operating system to boot, is normally marked as read-only. See also archive bit, hidden bit, and system bit.
read-only memory (ROM): A set of memory chips installed on a computer used to store instructions for a computer to execute or data to be read by the processor. ROM cannot be written to; hence, the name read-only. ROM is generally used to contain boot instructions used by the processor to initialize and access a physical device. For example, your system ROM is used to boot the computer, but your video ROM is used to draw data on the computer screen. See also flash memory and random access memory (RAM).
registry: A secure, unified database that stores application configuration data, hardware configuration data (such as device-driver configuration data, and network protocol and adapter card settings), and user data in a hierarchical form for a Windows NT Workstation or Windows NT Server computer.
registry key: The configuration data in the registry is stored in a hierarchical form, and keys are the building blocks of this hierarchy. In the registry, there are four top-level keys that contain per-computer and per-user databases. Each key can contain data items, called value entries, and can also contain additional subkeys. In the registry structure, keys are analogous to directories, and the value entries are analogous to files. See also value entries.
Remote Access Software (RAS): The server side of a client/server service to provide network access to physically remote network clients using modems, ISDN, and X.25 adapters. The client side of the service is referred to as dial-up networking.
remote procedure call (RPC): A message-passing facility that enables a distributed application to call services available on various computers in a network without regard to their locations. Remote network operations are handled automatically. RPC provides a procedural rather than a transport-centered view of networked operations. See also local procedure call (LPC).
remote procedure call (RPC) binding: A logical connection between the client and server, or the process by which the client establishes a logical connection to the server.
remote procedure call (RPC) connection: A transport-level virtual circuit between the client and server. The RPC runtime establishes the circuit when the client binds to the server interface instance. Connections are not visible to the client. A client can have more than one connection to the server.
remote procedure call (RPC) endpoint: An endpoint identifies a specific server instance (or address space) on a host. The format of the endpoint depends on the transport protocol used. There are well-known endpoints and dynamic endpoints. Well-known endpoints are registered in the name service database. Dynamic endpoints are assigned to server instances at runtime.
remote procedure call (RPC) protocol sequence: A character string that identifies the network protocols used to establish a relationship between a client and a server. The protocol sequence contains a set of options that the RPC runtime must know about to establish a binding. These options include the RPC protocol, the format of the network address, and the transport protocol. For example, a protocol sequence string might be as follows: ncacn_ip_tcp.
remote procedure call (RPC) server: The program or computer that processes remote procedure calls from a client.
replication: The process of copying the original account policies, account database, and logon scripts from the primary domain controller to the backup domain controllers in a Windows NT domain. See also backup domain controller (BDC), directory replicator service, and primary domain controller (PDC).
Request For Comment (RFC): A document that defines a specification for interaction or functionality of a TCP/IP component.
revision level: A revision level is built into many Windows NT data structures, such as security descriptors and access control lists (ACLs). This enables the structure to be passed between systems or stored on disk even though it is expected to change in the future.
right: An access assignment that authorizes a user to perform certain actions on a system. In most situations, rights should be provided to a user by adding that user’s account to one of the built-in groups that possesses the needed rights rather than by administering the user-rights policy. Rights apply to the system as a whole and are different from permissions, which apply to specific objects. See also permission.
root directory: In a file system structured as a hierarchy of directories on a partition or volume, the root directory is the parent of the other directories. The root directory name in FAT, HPFS, and NTFS is a backslash (\).
route: When discussed in the presence of a network protocol, a route is the path used by the source computer to transmit information to the destination computer.
router: A hardware device used to combine two different network segments. Data addressed to a host outside the local segment will be passed to the intended recipient by the router. It is also possible to use software in combination with your server’s hardware to emulate a router. However, a dedicated router can support more users than a software emulation.
secrets: Encrypted pieces of information. Also, the title of a best-selling book series.
Secure Socket Layer (SSL): A network protocol enhancement used to provide a secure method to transfer data between a Web browser and Web server. A Web server that accepts credit card numbers would use SSL.
security accounts manager (SAM): A Windows NT-protected subsystem that maintains the security accounts database.
security descriptor: A data structure that houses the security information related to an object. It contains a discretionary access control list (DACL), a system access control list (SACL) that controls auditing on the object, an owner, and a primary group of the object.
security identifier (SID): A number that identifies a user, global group of users, local group of users, or domain within Windows NT.
security token: See access token.
semaphore: Generally, semaphores are signaling devices or mechanisms. However, in Windows NT, system semaphores are objects used to synchronize activities on an interprocess level. For example, when two or more processes share a common resource, such as a printer, video screen, or memory segment, semaphores are used to control access to those resources so that only one process can alter them at any particular time.
Serial Line Internet Protocol (SLIP): An older protocol definition used to link two networks (or individual computers) together using the TCP/IP network transport protocol.
server message block (SMB): A block of data that contains a work request from a workstation to a server or the response from the server to the workstation. SMBs are used for all communications that go through the server or workstation service, such as file I/O, creating and removing remote connections, or performing any other network function that the redirector needs to carry out.

Microsoft network redirectors use this structure to send remote requests or information over the network to a remote computer, which can be either a Windows NT Workstation, Windows NT Server, or other Microsoft Network-compatible computer.

sharepoint: A shared directory, printer, or other resource on a Windows NT computer that network clients can access.
Simple Mail Transfer Protocol (SMTP): Defines a protocol used to send or receive email messages to or from other SMTP mail servers. The SMTP protocol is used almost exclusively for providing Internet mail capabilities.
Simple Network Management Protocol (SNMP): Defines a protocol for reporting statistical information or configuring software and hardware components from an SNMP management console (like HP OpenView).
single system image (SSI): A domain that has the logon service running and that propagates its user accounts database throughout the domain.
standalone: A workstation or server that is not currently a member of a domain. Or, a workstation or server at which logon requests are not validated by a logon server.
striped set: A process of combining multiple physical disk drives into a single logical unit. This logical unit is divided into blocks that are split among the disk drives to increase disk throughput by reading or writing multiple blocks in a single operation.
striped set with parity: A fault tolerant implementation of a striped set that utilizes a single parity block per stripe to increase disk throughput and provide a means of protection from a single disk failure. If a single disk drive fails, the parity block can be exclusively combined (XOR) with the remaining data blocks to re-create the missing data block and provide access to the data with only a slight performance penalty.
Structured Query Language (SQL): A standardized programming language used to access data stored in an application database. Generally speaking, SQL is used to access SQL Server databases but can also be used by an application to access data stored in a proprietary database, such as a Microsoft Access database.
subnet: A subcomponent of a larger network component. In a TCP/IP-based network, a subnet is part of a larger subnet based on its class definition. For example, my class C address, 206.170.127.64, is a subnet of another class C address, 206.170.127.0. See also address class.
swap file: See paging file.
switch: A special type of command parameter that is denoted by a leading slash (/) or leading dash (-). Switches are normally used for parameters that are simple toggles (on/off switches). For example, in the chkdsk command, an optional parameter is the /f switch. If it is used, chkdsk attempts to fix any problems it finds on a disk. If it is not used, chkdsk only reports the problems and does not attempt to fix them.
symmetric multiprocessing (SMP): A multiprocessing methodology that uses all processors installed on a computer to execute the operating system and all applications. See also asymmetric multiprocessing (AMP).
syntax: The rules governing the structure and content of commands entered into the computer. For example, when you enter commands at the Windows NT command prompt, if the structure and content of a command violate the syntax rules, the Windows NT command processor cannot interpret the command and thereby generates a syntax error message.
system bit: An attribute stored on the disk to indicate that a directory or file is reserved for use by the operating system. For example, the NTDETECT.COM file, which is required by Windows NT to detect the hardware on your system as part of the operating system boot procedure, is normally marked as a system file. See also archive bit, hidden bit, and read-only bit.
system debugger: The Windows NT system debugger (NTSD) is a 32-bit application that supports the debugging of user-mode applications and dynamic-link libraries (DLLs). NTSD can also read and write paged and nonpaged memory, and it supports multiple-thread debugging and multiprocess debugging.

NTSD enables you to display and execute program code, set breakpoints that stop the execution of your program, and examine and change values in memory. NTSD also enables you to refer to data and instructions by name rather than by address. It can access program locations through addresses, global symbols, or line-number references, making it easy to locate and debug specific sections of code. You can debug C programs at the source-file level as well as at the machine-code level. You can also display the source statements of a program, the disassembled machine code of the program, or a combination of source statements and disassembled machine code.

In contrast to NTSD, the Windows NT kernel debugger (KD) supports the debugging of kernel-mode code. It cannot be used to set breakpoints in user-mode nor to read or write paged-out memory. KD also does not provide support for threads. However, it does support multiprocess debugging.

Therefore, you would use NTSD for debugging user-mode programs and KD for debugging the kernel and device drivers. See also kernel debugger (KD), debugger breakpoints, and WINDBG.EXE.

system files: Files used by either the operating system or the file system to store special system data. NTFS uses them to store special data on the file system.

Operating systems use system files to store information and programs used to start the computer and load the operating system. MS-DOS system files include IO.SYS, MSDOS.SYS, and COMMAND.COM. Windows NT system files include NTLDR, NTDETECT.COM, BOOT.INI, and several of the files in the SystemRoot\SYSTEM32 directory.

system partition: The system partition for Windows NT is the volume that has the hardware-specific files needed to load Windows NT. On x86-based computers, it must be a primary partition that has been marked as active for startup purposes and must be located on the disk that the computer accesses when starting up the system. There can be only one active system partition at a time, which is denoted on the screen by an asterisk. If you want to use another operating system, you must first mark its system partition as active before restarting the computer.

Partitions on a RISC-based computer are not marked active. Instead, they are configured by a hardware configuration program supplied by the manufacturer. On RISC-based computers, the system partition must be formatted for the FAT file system. On either type of computer, the system partition can never be part of a striped set or volume set, but it can be part of a mirror set. See also boot partition.

T connector: In network terminology, this type of connector reflects a physical attribute. The top of the T is considered the network segment, while the base of the T is the connection between the network segment and the network adapter. When this connection is viewed, it looks like the letter T.
TCP/IP: The combination of the Transmission Control Protocol with the Internet Protocol. In essence, TCP is concerned with the data, while IP is concerned with the delivery of the data from the source to destination computers. This is the most widely used combination of network protocols for connecting large networks or for connecting any network to the Internet.
terminated process: In Windows NT, a process object is a program invocation, including the address space and resources required to run the program. When the Windows NT Executive terminates a process, it quits running the program and returns the address space and resources to the system. From the user’s point of view, the application is no longer running.
thread: An executable entity that belongs to one (and only one) process. It comprises a program counter, a user-mode stack, a kernel-mode stack, and a set of register values. All threads in a process have equal access to the process’s address space, object handles, and other resources.

In Windows NT Performance Monitor, threads are objects within processes that execute program instructions. They allow concurrent operations within a process and enable one process to execute different parts of its program on different processors simultaneously. Each thread running on a system shows up as an instance for the Thread object type and is identified by association with its parent process. For example, if Print Manager has two active threads, Performance Monitor identifies them as Thread object instances Printman ==> 0 and Printman ==> 1.

time slice: An operating system algorithm used in process management. The basic mechanism assigns each process a time limit (usually in nanoseconds). When the time limit is reached, the active process is suspended, and an inactive process is resumed. When the time limit is up for this resumed process, it too will be suspended to allow the next inactive process to execute. When the last process executes and uses its time slice, the first process will be executed, and the loop restarted.
Transmission Control Protocol (TCP): A high-level network protocol designed to provide a reliable transmission pathway among hosts.
transport driver interface (TDI): A Windows NT interface for network redirectors and servers to use in sending network-bound requests to network transport drivers. This interface provides transport independence by abstracting transport-specific information.
trap: A processor’s mechanism for capturing an executing thread when an unusual event (such as an exception or interrupt) occurs, and then transferring control to a fixed location in memory where the handler code resides. The trap handler determines the type of condition and transfers control to an appropriate handling routine.
trust relationship: Trust relationships are links between domains that enable pass-through authentication, in which a user has only one user account in one domain yet can access the entire network. User accounts and global groups defined in a trusted domain can be given rights and resource permissions in a trusting domain, even though those accounts don’t exist in the trusting domain’s database. A trusting domain honors the logon authentications of a trusted domain.
universal naming convention (UNC) name: A name given to a device, computer, or resource to enable other users and applications to establish an explicit connection and access the resources over the network. Also known as the uniform naming convention. The following example shows the syntax of a UNC name:

\\<computername>\<sharename>\<filename>

universal resource identifier (URI): A unique identifier that indicates the type of resource to acquire and the protocol to use to acquire the resource. A Web page URL (like http://www.nt-guru.com) uses the HTTP URI, which specifies that the hypertext transfer protocol be used to retrieve the resource (the default HTML document for the www.nt-guru.com site). URIs come in many flavors, such as HTTP, for hypertext transfer protocol secure resources; FILE, for locally defined resources; MAILTO, for electronic mail; and so on.
universal resource locator (URL): A unique identifier to locate a resource on the Internet. The following example shows the syntax for the WWW server, FTP server, and Gopher server that are maintained on my server:

http://www.nt-guru.com

ftp://ftp.nt-guru.com

gopher://gopher-nt-guru.com

universally unique identifier (UUID): A unique identification string associated with the remote procedure call interface. Also known as a globally unique identifier (GUID).

These identifiers consist of 8 hexadecimal digits followed by a hyphen, 3 groups of 4 hexadecimal digits in which each group is followed by a hyphen, and, finally, by 12 hexadecimal digits. For example, 12345678-1234-1234-1234-123456789ABC is a syntactically correct identifier. The identifiers on the client and server must match for the client and server to bind.

User Datagram Protocol (UDP): A high-level network protocol designed to provide an unreliable (meaning no error recovery) transmission pathway between hosts. This method is fast but should only be used in low-error networks or when data coherency is not required.
user mode: See Executive.
user profile: A profile is a copy of the user environment (program manager groups, desktop settings, and application configuration information) that is stored both locally on the user’s computer and on a server in the domain if so configured in User Manager. A profile is initially created with the User Profile Editor and saved as a file on a server. See also mandatory user profile.
value entries: The value for a specific entry under a key or subkey in the registry. Value entries appear as a string with three components: name, type, and value. See also registry key.
virtual address space: See address space.
virtual device driver (VDD): This is an emulation of a physical device. While a device driver provides an interface control to a real physical device, a virtual device driver provides an interface to a logical (not physically present) device. For example, you use a virtual device driver every time you run a console application. While each application thinks it has an 80×24-character physical display screen assigned for its exclusive use, in reality, the application is writing to a virtual screen. This screen is wrapped up in a window frame provided by the operating system.
virtual DOS machine (VDM): Provides a complete MS-DOS environment and a character-based window in which to run an MS-DOS-based application. Any number of VDMs can run simultaneously.
virtual memory: A logical view of memory that does not necessarily correspond to the memory’s physical structure.

Normally, virtual memory is the space on your hard disk that Windows NT uses as if it were actually memory. Windows NT does this through the use of the paging file. However, virtual memory can also be unused address space that is allocated to a process but not yet in use. In this case, the memory will not physically exist anywhere until it is actually used (that is, until data or code is loaded into it).

The benefit of using virtual memory is that you can run more applications at one time than your system’s physical memory would otherwise allow. The drawbacks are the disk space required for the virtual-memory paging file and the decreased execution speed when swapping is required. See also paging file (or swap file).

Visual Basic Script: A programming language designed as part of the Microsoft ActiveX development efforts. Visual Basic Script applications are executable code embedded as an object within an HTML document. These applications can be used to provide interactive Web pages. Visual Basic Script is based on the Microsoft Visual Basic language.
volume: A file-based medium that has been initialized with a file system structure. For example, a volume can be a floppy disk, hard disk, tape reel, or partition on a hard disk. A volume can also be a disk partition (or collection of partitions) that has been formatted for use by a file system and that can be used as volume sets, striped sets, and mirror sets. See also partition.
Web browser: The client component of a client/server application that utilizes the HTTP protocol to communicate with a Web server. A Web browser is often a GUI application that provides an interface to Internet services, which can include the WWW, FTP, and Gopher services.
Web server: The server component of a client/server application used to display content on a Web browser using HTTP as the link between client and server. A Web server’s capabilities can be customized using application programming interfaces such as ISAPI, CGI, and ActiveX, and languages such as C/C++, Visual Basic, and Perl.
wide area network (WAN): A group of computers or LANs physically located in a separate area and connected to each other over a low-speed media to share resources. WANs generally use low-speed phone lines or leased lines to connect, although higher-speed lines are available. See also local area network (LAN).
WINDBG.EXE: The Windows NT debugger (WINDBG.EXE) is a 32-bit application that, along with a collection of DLLs, is used for debugging the kernel, device drivers, and applications. The same application can also be used on all hardware platforms, although there is a different build of it for each platform. WINDBG.EXE can be used for either remote or local debugging and can also be used in conjunction with the System Recovery option in Control Panel. See also kernel debugger and debugger breakpoints.
Windows Internet Naming Service (WINS): A client/server mechanism for resolving NetBIOS computer names for network clients using the TCP/IP protocol. WINS performs a similar service as DNS for Unix-based systems except that you do not have to manually modify a host file because WINS will automatically update its internal database of computer names to IP addresses. Windows NT Server includes the WINS service, which is the server side of the application and is used to supply an IP address to a network client that includes a WINS client when a request is made to access a computer by name rather than an IP address. Current WINS clients include Windows NT Workstation, Windows NT Server, Windows 95, Windows for Workgroups, and MS-DOS clients utilizing the MS-DOS Connection. See also domain name service (DNS), Dynamic Host Configuration Protocol (DHCP), and WINS Proxy Agent.
WINS Proxy Agent: A WINS Proxy Agent acts as an interpreter for computers using the TCP/IP protocol but do not support the WINS protocol. When a computer makes a request by computer name, the Proxy Agent will query the WINS server to obtain the IP address. This IP address will then be forwarded to the requesting computer. A WINS Proxy Agent can be a Windows NT server, Windows NT workstation, or Windows for Workgroups 3.11 computer.
working set: The set of virtual pages that are in physical memory at any moment for a particular process. In a virtual memory system like Windows NT, a memory management system provides a large address space to each process by mapping the virtual addresses into physical addresses as the threads use them. When physical memory becomes full, the memory management system swaps selected memory contents to disk, reloading them from disk on demand.

Table of Contents

Appendix BGlossary

Appendix B
Glossary