Deeper into Windows Architecture

Let's dig deeper into the internal structure and the role each key operating system component plays. The figure below is more detailed diagram of the core Windows system architecture and components. Note that it still does not show all components (networking in particular).

First notice the line dividing the user-mode and kernel-mode parts of the Windows operating system. The boxes above the line represent user-mode processes, and the components below the line are kernel-mode operating system services.

User and kernel modes are two processor access modes, where a kernel mode refers to a mode of execution privilege that grants access to system memory and all CPU instructions.

User mode is a less privileged processor mode than kernel mode. It uses well-defined operating system application program interfaces (APIs) to request system services. A User mode process:

  • Have no direct access to hardware or kernel memory (Only kernel mode processes can access kernel resources as a way of protection).
  • Is limited to an assigned address space.
  • Can be paged out of physical memory into virtual RAM on a hard disk.
  • Process at a lower priority than kernel mode components (OS components). Which means that the OS does not slow down or have to wait while an application finishes processing.
  • Cannot access another user process address space (Unless opened a handle to the process, which means passing through security access check).

Before we continue let's just have a quick definition for virtual memory. Virtual memory , also known as virtual RAM, allows hard disk space to be used as if it were additional memory. In this manner, the user mode processes have access to more memory than is actually available to them.

Top right of the figure shows theenvironment subsystems . Environment subsystems provide exposed, documented interface between applications and Windows native APIs (undocumented APIs). The environment subsystem translates environment-specific instructions from an application into instructions that the Executive Services (First layer of the OS kernel) can carry out. Each subsystem can provide access to different subsets of the native services in Windows.

Environment subsystems include POSIX, OS/2 and Windows subsystems. The Windows subsystem major components consists of the environment subsystem process (Csrss.exe which you can see tuning in the task manager), the kernel-mode device driver (Win32k.sys), subsystem DLLs (such as Kernel32.dll, Advapi32.dll, User32.dll, and Gdi32.dll) and Graphics device drivers.

In the user mode and just above the line that divides the user and kernel modes is the Ntdll.dll. Ntdll.dll is a special system support library primarily for the use of subsystem DLLs.

Now let's move on to the kernel mode. Kernel mode is the privileged mode of operation in which the code has direct access to all hardware and all memory, including the address spaces of all user mode processes . Kernel mode components:

  • Can access hardware directly.
  • Can access all of the memory on the computer.
  • Are not moved to the virtual memory page file on the hard disk.
  • Process at a higher priority than user mode processes.

The kernel mode in Windows is comprised of the Windows Executive, which includes the Executive Services, the kernel, and the hardware abstraction layer (HAL).

The Windows executive is the upper layer of Ntoskrnl.exe. (The kernel is the lower layer.)The executive provides core OS services. The executive contains major components such as various modules that manage I/O, objects, security, processes, inter-process communications (IPC), virtual memory, and window and graphics management. It also includes device drivers (defined in previous post) functions.

The kernel consists of a set of functions in Ntoskrnl.exe provides the most basic operating system services, such as thread scheduling, first-level interrupt handling, and deferred procedure calls. The kernel resides between the Executive Services and HAL layers.

The other major job of the kernel is to abstract or isolate the executive and device drivers from variations between the hardware architectures supported by Windows.

One of the crucial elements of the Windows design is its portability across a variety of hardware platforms. The hardware abstraction layer (HAL) is a key part of making this portability possible. The HAL is a loadable kernel-mode module (Hal.dll) enables the same operating system to run on different platforms with different processors.

Also part of the kernel is the device drivers. Device drivers in Windows don't manipulate hardware directly, but rather they call functions in the HAL to interface with the hardware.