Terminate and Stay Resident - Using TSR

Using TSR

The original call, INT 27H, is called 'terminate but stay resident', hence the name 'TSR'. Using this call, a program can make up to 64KB of its memory resident. MS-DOS version 2.0 introduced an improved call, INT 21H/function 31H ('Keep Process'), which removed this limitation and let the program return an exit code. Before making this call, the program can install one or several interrupt handlers pointing into itself, so that it can be called again. Installing a hardware interrupt vector allows such a program to react to hardware events. Installing a software interrupt vector allows it to be called by the currently running program. Installing a timer interrupt handler allows a TSR to run periodically (see ISA and programmable interval timer, especially the section "IBM PC compatible").

The typical method of utilizing an interrupt vector involves reading its present value (the address), storing it within the memory space of the TSR, and installing a pointer to its own code. The stored address is called after the TSR has received the interrupt and has finished its processing, in effect forming a singly linked list of interrupt handlers, also called interrupt service routines, or ISRs. This procedure of installing ISRs is called chaining or hooking an interrupt or an interrupt vector.

By chaining the interrupt vectors TSR programs could take complete control of the computer. A TSR could have one of two behaviors:

• Take complete control of an interrupt by not calling other TSRs that had previously altered the same interrupt vector.
• Cascade with other TSRs by calling the old interrupt vector. This could be done before or after they executed their actual code. This way TSRs could form a chain of programs where each one calls the next one.

The 'terminate and stay resident' method was used by most MS-DOS viruses which could either take control of the PC or stay in the background. Viruses would react to disk I/O or execution events by infecting executable (.EXE or .COM) files when they were run and data files when they were opened.

Parts of DOS itself, especially in DOS versions 5.0 and later, used this same technique to perform useful functions, such as the DOSKEY command-line editor and various other installable utilities which were installed by running them at the command line (manually or from AUTOEXEC.BAT) rather than as drivers through CONFIG.SYS.

A TSR program can be loaded at any time; sometimes, they are loaded immediately after the operating system's boot, by being explicitly loaded in the AUTOEXEC.BAT batch program, or alternatively at the user's request (for example, Borland's SideKick and Turbo Debugger or Quicken's QuickPay). These programs will, as 'TSR' implies, stay resident in memory while other programs are executing. Most of them do not have an option for unloading themselves from memory, so calling TSR means the program will remain in memory until a reboot. However unloading is possible externally, using utilities like the MARK.EXE/RELEASE.EXE combo by TurboPower Software or soft reboot TSRs which will catch a specific key combination and release all TSRs loaded after them. As the chain of ISRs is singly linked, there is no provision for discovering the previous handler's address, or to inform its predecessor that it needs to update its "next address to which to jump" not to point to the TSR which desires to remove itself. This gave rise to TSR cooperation frameworks such as TesSeRact and AMIS.