Detecting Kernel-Mode Callbacks
Most of the code for the Windows operating system runs in kernel mode. The processor mode switches from user mode to kernel mode whenever an application thread calls a function from the Windows API that in turn calls an internal system function that must execute in kernel mode. The processor mode returns to user mode before control returns to the function so that the system data is protected.
If a thread is waiting for a kernel-mode callback to complete, the user-mode side of the thread will delay at a call to the ZwCallbackReturn function.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for