Technical FAQs

Ask a Question

Why does Concept launch NTVDM.EXE and MSDOS.SYS

Goals and Symptoms
Why does Concept launch 'NTVDM.EXE' and MSDOS.SYS when it starts.

Facts and Change
Concept

Causes and Fixes 
NTVDM.EXE is process that belongs to the Windows 16-bit Virtual Machine. It provides an environment for a 16-bit process to execute on a 32-bit platform. The NTVDM module comes with 32-b it versions of Windows starting with Windows NT. 

Concept is a 16 bit DOS based application and it requires the NTVDM process in order to run.  The process will spawn a MSDOS.SYS (For more information, see the following excerpt taken from:  https://en.wikipedia.org/wiki/Virtual_DOS_machine)
 

NTVDM is a system component of all IA-32 editions of the Windows NT family which allows execution of 16-bit Windows and 16-bit / 32-bit DOS applications. It is not included with 64-bit versions. The Windows NT 32-bit user-mode executable which forms the basis for a single DOS (or Windows 3.x) environment is called ntvdm.exe.[1]

In order to execute DOS programs, NTVDM loads NTIO.SYS which in turn loads NTDOS.SYS, which executes a modified COMMAND.COM in order to run the application that was passed to NTVDM as command-line argument. The 16-bit real-mode system files are stripped down derivations of their MS-DOS 5.0 equivalents IO.SYSMSDOS.SYS and COMMAND.COM[1] with all hard-wired assumptions on the FAT file system removed and using the invalid opcode 0xC4 0xC4 to bop down into the 32-bit NTVDM to handle the requests.[1] Originally, NTDOS reported a DOS version of 30.00 to programs,[1] but this was soon changed to report a version of 5.00 at INT 21h/AH=30h and 5.50 at INT 21h/AX=3306h to allow more programs to run unmodified.[1] This holds true even in the newest releases of Windows; many additional MS-DOS functions and commands introduced in MS-DOS versions 6.x and in Windows 9x are missing.

16-bit applications all run in their own thread within a single preemptively multithreaded 32-bit NTVDM process. The 16-bit processes are by default cooperatively multitasked with respect to each other, unless the "Run in separate memory space" option is checked in the Run box or the application's shortcut file. NTVDM emulates BIOS calls and tables as well as the Windows 3.1 kernel and 16-bit API stubs.[6] The 32-bit WoW translation layer thunks 16-bit API routines.

32-bit DOS emulation is present for DOS Protected Mode Interface (DPMI) and 32-bit memory access. This layer converts the necessary extended and expanded memory calls for DOS functions into Windows NT memory calls. wowexec.exe is the emulation layer that emulates 16-bit Windows. Windows 2000 and Windows XP added Sound Blaster 2.0 emulation.[7] 16-bit virtual device drivers and DOS block device drivers (e.g., RAM disks) are not supported. Inter-process communication with other subsystems can take place through OLEDDE and named pipes.

Since virtual 8086 mode is not available on non-x86-based processors, NTVDM was instead implemented as a full emulator in these versions of NT.[1] Up to Windows NT 3.51, only 80286 emulation was available. With Windows NT 4.0486 emulation was added.[8]

Security issue[edit]

In January 2010, Google security researcher Tavis Ormandy revealed a serious security flaw in Windows NT's VDM implementation that allowed unprivileged users to escalate their privileges to SYSTEM level, noted as applicable to the security of all x86 versions of the Windows NT kernel since 1993. This included all 32-bit versions of Windows NT, 2000, XP, Server 2003, Vista, Server 2008, and Windows 7.[9] Ormandy did publish a proof-of-concept exploit for the vulnerability.[10] Prior to Microsoft's release of a security patch, the workaround for this issue was to turn off 16-bit application support, which prevented older programs (those written for DOS and Windows 3.1) from running. 64-bit versions of Windows were not affected since they do not include the NTVDM subsystem. Once the Microsoft security patches had been applied to the affected operating systems the VDM could be safely reenabled.[nb 1]

 

Was this helpful?
What can we do to improve the information ?