TBone
February 4th, 2008, 19:10
On another (non-reversing) forum, someone was asking about the difference between a DOS application and a Win32 console application. I answered his question, but also kind of sidetracked into the history of Windows environment subsystems and the support (or lack thereof) that Windows has/had for POSIX and OS/2. This led me to take a deeper look at the Subsystem field in the PE optional header. I consulted the PECOFF Specification v8.0 (dated May 16, 2006), which as far as I know is the latest version. It gives the following decimal values for this field:
Code:
IMAGE_SUBSYSTEM_UNKNOWN                    0   An unknown subsystem
IMAGE_SUBSYSTEM_NATIVE                     1   Device drivers and native Windows processes
IMAGE_SUBSYSTEM_WINDOWS_GUI                2   The Windows graphical user interface (GUI) subsystem
IMAGE_SUBSYSTEM_WINDOWS_CUI                3   The Windows character subsystem
IMAGE_SUBSYSTEM_POSIX_CUI                  7   The Posix character subsystem
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI             9   Windows CE
IMAGE_SUBSYSTEM_EFI_APPLICATION            10  An Extensible Firmware Interface (EFI) application
IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER    11  An EFI driver with boot services
IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER         12  An EFI driver with run-time services
IMAGE_SUBSYSTEM_EFI_ROM                    13  An EFI ROM image
IMAGE_SUBSYSTEM_XBOX                       14  XBOX
An old copy of the Win32 SDK that I have also lists:
Code:
IMAGE_SUBSYSTEM_OS2_CUI 5 OS/2 CUI subsystem
MSDN confirms that and also adds:
Code:
IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16 Boot application
Apparently that's a Vista thing.
Several web pages also listed:
Code:
IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 Native Windows 9x Driver
I can't find any information to support that assertion, though. As far as I know, VXD files are always in LE format, not PE. And real-mode drivers for Win 9x are DOS MZ format.
My question -- purely for historical curiosity -- is what the values 4, 6, and 8 were used for, if anything. And for that matter, 15. It looks like they skipped it recently, but I'm not sure why. If 2 is Windows GUI and 3 is Windows CUI, I would speculate that 4 might have been reserved for OS/2 GUI and 6 might be POSIX GUI. I can't find any document that claims to know what these values would indicate.
Using them causes Windows to display "The <binary> application cannot be run in Win32 mode", which is what it does for pretty much anything other than 2 or 3. Amusingly, if you set the value to 7 (POSIX CUI), Windows will tell you that the executable file doesn't exist!
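Added example, not part of the original post: a Python reader for the Subsystem field discussed above, mapping the raw value to the names listed in the post. The function names and the constructed sample header are assumptions made for illustration; values with no entry in the post's lists (4, 6, 15) are reported as unassigned.

```python
import struct

# Values as listed in the post; 8 is the one it found only on web pages.
SUBSYSTEMS = {
    0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
    5: "OS2_CUI", 7: "POSIX_CUI", 8: "NATIVE_WINDOWS", 9: "WINDOWS_CE_GUI",
    10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
    12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM", 14: "XBOX",
    16: "WINDOWS_BOOT_APPLICATION",
}
SUBSYSTEM_OFFSET = 68  # within the optional header, same for PE32 and PE32+

def read_subsystem(data: bytes) -> int:
    """Return the raw Subsystem value of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and 20-byte COFF file header
    if len(data) < opt + SUBSYSTEM_OFFSET + 2:
        raise ValueError("file truncated before Subsystem field")
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    if size_opt < SUBSYSTEM_OFFSET + 2:
        raise ValueError("optional header too short for Subsystem")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    return struct.unpack_from("<H", data, opt + SUBSYSTEM_OFFSET)[0]

def describe(value: int) -> str:
    """Map a raw value to its name, flagging values the post could not place."""
    name = SUBSYSTEMS.get(value)
    return f"IMAGE_SUBSYSTEM_{name}" if name else f"unassigned ({value})"

def make_sample(subsystem: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal header for the demo (not a loadable image)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, SUBSYSTEM_OFFSET, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for value in (3, 7, 4):
        print(value, describe(read_subsystem(make_sample(value))))
```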
