By "modern OSes" here, are we talking GNU/Linux, which is older than NT and modeled after a system designed in the 60s? Or maybe macOS os iOS, whose foundations are found in FreeBSD, released in the same year as NT and with a direct lineage to that system from the 60s, plus a kernel from 1985? Using the word "modern" to describe Linux and the BSDs but not Windows NT strikes me as odd...
Now I use and like Linux and macOS and iOS, and I strongly dislike Windows. But I don't think I would find it difficult to find advantages to NT's approaches to certain problems over the UNIX-style approach to the same problems. For example, the idea that pipes send structured objects rather than text is interesting and has definitive advantages (and disadvantages) compared to UNIX's text-based pipe model. Its filesystem permissions layer is also way more flexible than UNIX's, with hooks for arbitrary programs to inspect file accesses, which has advantages (and disadvantages). And its GUI-first approach to everything, where everything is primarily configured through some GUI rather than a command line or text file, has obvious advantages (and disadvantages). And although I don't understand it very well (again, not a Windows user), what I hear from HyperV is pretty cool.
NT is super interesting as the only serious alternative to UNIX-style systems. There is value in studying it, even if I find the overall experience provided by Windows to be much, much worse than my Fedora desktop or my macOS laptop.
NT has no notion of pipes that send structured objects, but it does have Unix-like pipes.
Maybe you are thinking about Powershell. Powershell is interesting (although in practice I find it not very practical to use), but is quite another subject than NT. It's really also its own segregated world, that relies on dotnet, that is really another platform than NT (although in the first place implemented on top of it, and of course there are some integrations)
Windows ACL are powerful in theory but hard to manage in practice. Look at this fine textual representation for example: "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)". Hum; at least ugo+-rwx you can remember it, and actually POSIX ACL are also easier to remember than Windows ACL.
Windows NT is not even that much GUI first. There are tons of things that you just can't access through a GUI, let alone a user friendly GUI. Funny example: ACLs on tasks from the Task Scheduler: no GUI access at all. It would probably not even be too hard for MS to plug their standard permission Window so that you can access them with the GUI, but they never did it. So much for the GUI first. Oh, I'm not even sure it has a command line interface to set the ACL there. Maybe just the Win32 API.
I also don't think there is an integrated Windows tool to view for examples the processes in a tree, even less to show Win32 jobs.
HyperV by itself has nothing revolutionary but there are a few interesting ideas that it can bring when integrated in a few Windows component (some security related sadly reserved to Entreprise version, because it is well known that in 2024 making good security architecture unreachable from the general public and SME is a brilliant idea). But compared to Qubes OS for example, it is very little. Oh there are also no Windows GUI to show HyperV states for these integration (as opposed with regular full system VMs)
Now I still think there are a few good ideas in NT, but the low level layers are actually not that far from Unix systems. It's closer than Cutler would admit. (In particular, there are not so much differences between "everything is a "file"" and "everything is an "object"", at least when you look at what Linux as done about "everything is a "file"" -- this is quite ironic because Cutler particularly disliked the "everything is a "file"" idea)
NT kernel is IMO pretty good. Here’s a few points.
ABI for device drivers allows to add support for new hardware without recompiling the kernel.
First-class support for multithreading, Vista even added thread pool to the userland API.
Efficient asynchronous APIs for IO including files, pipes, and everything else. Linux only got this recently with io_uring, NT implemented IOCP decades go in version 3.5.
NT security descriptors with these access control lists and nested security groups are better than just 3 roles user/group/root in Linux. This makes launching new processes and opening files more expensive due to the overhead of access checks, but with good multithreading support it’s IMO a reasonable tradeoff.
Related to the above, CreateRestrictedToken kernel call for implementing strong sandboxes.
Good GPU support, Direct3D being a part of the kernel in dxgkrnl.sys. This enables good multimedia support in MediaFoundation framework because it allows applications to easily manipulate textures in VRAM without the complications of dma-buf in Linux.
Related to the above, GPU-centric 2D graphics (Direct2D) and text rendering (DirectWrite) in the userland API.
> NT security descriptors with these access control lists and nested security groups are better than just 3 roles user/group/root in Linux.
I’ll bite. POSIX permissions are lousy, and NT permissions are mostly worse. It’s way too easy to mess up, and it’s way too hard to specify a sensible policy like “only a specific user can access such—and-such path”. At least NT can restrict directory traversal.
S3 got it right when they deprecated object-level ACLs.
> This makes launching new processes and opening files more expensive due to the overhead of access checks,
fork() is terrible and slow. CreateProcess is overcomplicated, but creating a process directly is a vastly better design IMO.
> but with good multithreading support it’s IMO a reasonable tradeoff.
Huh? Linux has had proper multithreading support since NPTL, which was a long time ago. Windows, in contrast, didn’t have reasonable support for multithreading on systems with >64 CPUs until Windows 11:
I assume this is related to the way that Windows leaks all kinds of bizarre threading details into the user ABI.
I will grant that Linux’s original threading was an abomination.
> Related to the above, CreateRestrictedToken kernel call for implementing strong sandboxes.
Eww. The Windows sandboxing scheme is IMO an overcomplicated mess. Seccomp is not particularly friendly, but it does exactly what it says on the tin, and I would be far more comfortable running untrusted user code under seccomp than under Windows restrictions from token, jobs, integrity, etc.
NT has ACLs for everything. Each handle (read: descriptor) has associated ACLs.
Also, each handle can be waited ("selected") with same system call. No select()/epoll() vs wait() distinctions. Nw Linux has timerfd and procfd and others, but NT had these from birth.
In some way NT is more UNIX ("everything is a file") than UNIX itself.
Hm which things are protected by ACLs on NT but not on Linux? Even though the "everything is a file" thing breaks down quite quickly on Linux, with lots of drivers just using ioctls for everything, you still have to open pretty much everything through their device node in /dev, which is affected by ACLs AFAIK. The only real exception I can think of is network sockets. But I'm probably thinking in a very UNIX-centric way, so there may be classes of things I'm missing
Here’s some of the Windows things which have these ACLs applied, except obvious ones i.e. files and sockets.
• Disk volumes and physical disks
• Pipes
• Registry keys
• Processes and threads
• Inter-process synchronization primitives like mutexes, semaphores, and mailslots
• Shared memory sections
• Desktops; you need to pass access check before interacting with a desktop. The OS has multiple of them, used for fast user switching, concurrent remote desktop sessions, UAC prompt, logon screen.
• Other, more exotic things like job objects, windows stations, and ALPC ports.
To be fair, some of them are protected with ACLs on Linux because they are mapped into the file system. For example, physical disks are visible in the file system and the kernel does apply these security things to them.
> consider SDL/Pango/Cairo the counterparts for DWrite/DDraw
I’m not sure Cairo is comparable to Direct2D, the ecosystem is too different.
On Windows, Direct3D 11.0 is guaranteed to be available. Even on computers without any GPU (like most cloud VMs) the OS uses a decently performing software emulation called WARP. For this reason, Direct2D is designed from the ground up to use these shaders as much as possible, and it shows because hardware GPUs deliver way more gigaflops than CPUs. For example, on my computer D2D implements anti-aliasing on top of MSAA hardware.
Cairo is cross-platform, and Linux doesn’t have a universally available GPU API. Some Linux computers have GL 4.5+, some have GLES 3.1+ (both GPU APIs have approximate feature parity with D3D11) some others have none of them. For this reason, Cairo renders vector graphics on CPU. Some computers, with slow CPUs and high resolution displays, don’t have the performance to render complicated 2D scenes in realtime on CPU.
This may change some day once Vulkan support on Linux is ubiquitous, but that day is yet to come.
These days, MESA provides llvmpipe as a fallback software implementation of OpenGL. But your point absolutely stands, the various graphics APIs are much less consistently available on Linux than DirectX is on Windows, and the split between OpenGL and OpenGL ES hurts a lot, with a lot of systems (especially ARM Mali based ones) only providing OpenGL ES drivers.
> a lot of systems (especially ARM Mali based ones) only providing OpenGL ES drivers
And sometimes minor hardware revision of these Mali GPUs change the internal API between user mode and kernel mode halves of these Linux GLES drivers.
The kernel handled it pretty well as it supported both hardware revisions. But my user mode app failed because the new hardware required a different version of that libmali-midgard*.so DLL.
Unlikely to happen on Windows because the GPU driver installs both kernel/user mode halves of the driver in one transaction. Linux doesn’t have ABI for drivers, all kernel mode drivers are pre-compiled into the kernel.
ARM it's a crapshoot, but on X86 once you get the libraries right everything runs.
That's why free software should be a requeriment at least for drivers.
I remember the -fake Intel- GMA500/3000 fiasco. My old GL 2.1 based n270 netbook it's still supported and with a small ~/.drirc it fixes some quirks as it MESA misdetects it as a GL 1.4 device, but overall it's tons better than the PowerVR chipset with an Intel coat.
Like NT? It is in fact the UNIX-likes that are compelled into a fairly ancient stream-of-bytes model; NT (and Windows atop it) understands that data needs to have structure, and imposes structure on that data at an OS level; everything is a manipulable handle, rather than an opaque block of memory to be written to/read from, arbitrarily.
NT/VMS offers no immediately quantifiable advantage, but rather a different philosophy than Unix where everything-is-a-file-even-when-it-isnt-really. It's more of a batteries included system where the high-level and low-level parts combine to form a coherent whole. The HAL, dynamically loadable drivers, the registry, services, API personalities. It's a shame that all the good stuff about the design of NT takes a backseat to the modern Microsoft shenanigans.
But in NT everything is a handle in much more consistent way than UNIX's everything is a file.
Each handle has security descriptor/ACLs, not only a files, and format is the same. Each handle can be waited for fr with same system call, and you could mix and match file, socket and process handles in same call.
Yeah. NT used to be so fast even through remote desktop, now it is so slow because of the bloat. Also I've read somewhere NT suffers from young developers wanting to rewrite parts in higher level languages, avoiding old winapi. But the Kernel is fast and nice...
A fair amount of my work is done via remote desktop, via VPN even, and it doesn't strike me as a particularly slow. I guess the question is, compared to what? On what hardware and network infrastructure?
I still find NT very fast when using through RDP, especially compared with any FLOSS solution that exist in the GNU/Linux world. I've not tried proprietary graphic remoting solution for GNU/Linux systems though.
Those proprietary just use compression. RDP is genially invented, passing messages/calls efficiently. X also has a ton of messages, but compressing them is not sufficient
Now I use and like Linux and macOS and iOS, and I strongly dislike Windows. But I don't think I would find it difficult to find advantages to NT's approaches to certain problems over the UNIX-style approach to the same problems. For example, the idea that pipes send structured objects rather than text is interesting and has definitive advantages (and disadvantages) compared to UNIX's text-based pipe model. Its filesystem permissions layer is also way more flexible than UNIX's, with hooks for arbitrary programs to inspect file accesses, which has advantages (and disadvantages). And its GUI-first approach to everything, where everything is primarily configured through some GUI rather than a command line or text file, has obvious advantages (and disadvantages). And although I don't understand it very well (again, not a Windows user), what I hear from HyperV is pretty cool.
NT is super interesting as the only serious alternative to UNIX-style systems. There is value in studying it, even if I find the overall experience provided by Windows to be much, much worse than my Fedora desktop or my macOS laptop.