ntoskrnl.exe (short for Windows NT operating system kernel executable), also known as the kernel image, contains the kernel and executive layers of the Microsoft Windows NT kernel, and is responsible for hardware abstraction, process handling, and memory management. In addition to the kernel and executive layers, it contains the cache manager, security reference monitor, memory manager, scheduler (Dispatcher), and blue screen of death (the prose and portions of the code).[1]
x86 versions of ntoskrnl.exe depend on bootvid.dll, hal.dll and kdcom.dll (x64 variants of ntoskrnl.exe have these DLLs embedded in the kernel to improve performance). However, it is not a native application, thus it is not linked against ntdll.dll. Instead, ntoskrnl.exe has its own entry point, KiSystemStartup, which calls the architecture-independent kernel initialization function. Because it requires a static copy of the C Runtime objects, the executable is usually about 10 MB in size.
In Windows XP and earlier, the Windows installation source ships four kernel image files to support uniprocessor systems, symmetric multiprocessor (SMP) systems, CPUs with PAE, and CPUs without PAE. Windows setup decides whether the system is uniprocessor or multiprocessor, then installs both the PAE and non-PAE variants of the kernel image for that kind. On a multiprocessor system, setup installs ntkrnlmp.exe and ntkrpamp.exe but renames them to ntoskrnl.exe and ntkrnlpa.exe respectively.
Starting with Windows Vista, Microsoft began unifying the kernel images as multi-core CPUs took to the market and PAE became mandatory.
32-bit kernel

| Filename | Supports SMP | Supports PAE |
|---|---|---|
| ntoskrnl.exe | No | No |
| ntkrnlmp.exe | Yes | No |
| ntkrnlpa.exe | No | Yes |
| ntkrpamp.exe | Yes | Yes |

64-bit kernel (x64 editions)

| Filename | Supports SMP | Supports 57-bit VA |
|---|---|---|
| ntoskrnl.exe | No | No |
| ntkrnlmp.exe | Yes | No |
| ntkrla57.exe | Yes | Yes |
The kernel's code uses prefixes on function names to indicate the subsystem each function belongs to.
An example is IoCreateDevice and ObReferenceObjectByHandle. Both functions have different prefix names to differentiate critical managers within the kernel code: Io being used for I/O Manager functions and Ob for Object Manager functions.
Variations of these prefixes exist for internal functions that are not exported by the kernel, such as adding an i after the first letter (e.g., Ki for "Kernel Internal") or appending p to the full prefix (e.g., Psp for "Process Support Internal").
The following table lists some known prefixes.
| Export Prefix | Internal Prefix | Meaning |
|---|---|---|
| Cc | Ccp | File system cache[2] |
| Cm | Cmp | Configuration Manager, the kernel mode side of the Windows Registry |
| Dbg | Dbg | Debugging aid functions, such as a software break point |
| Dbgk | Dbgk | A set of debugging functions that are exposed to user mode through ntdll.dll |
| Ex | Exp | Windows executive, an "outer layer" of ntoskrnl.exe |
| FsRtl | FsRtlp | File system runtime library[3] |
| Io | Iop | I/O manager[4] |
| Ke | Ki | Core kernel routines[5] |
| | Kx | Interrupt handling, semaphores, spinlocks, multithreading and context switching related functions |
| | Ks | Kernel streaming |
| Ldr | Ldrp | NT's PE executable loader |
| Lpc | Lpcp | Local Procedure Call, an internal, undocumented, interprocess or user/kernel message passing mechanism |
| Lsa | Lsap | Local Security Authority |
| Mm | Mi | Memory management |
| Nls | Nls | Native Language Support (similar to code pages) |
| Ob | Obp | Object Manager |
| Po | Pop | Plug-and-play and power management[6] |
| Ps | Psp | Process and thread management (task management) |
| Rtl | Rtlp | Runtime library, i.e., many utility functions that can be used by native applications, yet don't directly involve kernel support |
| Se | Sep | Security Manager, access token for the Win32 API |
| Vf | Vi | Driver Verifier |
| Zw/Nt | | Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl.exe via the SSDT. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not.[7] |
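The prefix convention above is easy to apply mechanically, which is useful when triaging a kernel stack walk or a list of exported symbols. The following is an added example, not code from the article or from Microsoft: it encodes a subset of the table, derives the internal prefixes (an i after the first letter or a p appended), and classifies a symbol name by its longest matching prefix. The symbol names used as input are constructed test data (some are real exports, some are made up) and are only there to exercise the classifier.

```python
"""Classify Windows kernel symbol names by their subsystem prefix.

Added example, not code from the article or from Microsoft. The prefix table
mirrors the article's table; symbol names in SAMPLE_SYMBOLS are constructed
inputs (some real exports, some made up) and serve only as test data.
"""
from collections import Counter

# Export prefix -> (internal prefix, subsystem). Internal prefixes follow the
# convention described in the article: an 'i' after the first letter (Ki, Mi,
# Vi) or a 'p' appended to the export prefix (Iop, Psp, ...).
SUBSYSTEMS = {
    "Cc": ("Ccp", "cache manager"),
    "Cm": ("Cmp", "configuration manager (registry)"),
    "Dbg": ("Dbg", "debugging"),
    "Ex": ("Exp", "executive"),
    "FsRtl": ("FsRtlp", "file system runtime library"),
    "Io": ("Iop", "I/O manager"),
    "Ke": ("Ki", "kernel core"),
    "Ldr": ("Ldrp", "PE loader"),
    "Lpc": ("Lpcp", "local procedure call"),
    "Mm": ("Mi", "memory manager"),
    "Ob": ("Obp", "object manager"),
    "Po": ("Pop", "plug-and-play / power management"),
    "Ps": ("Psp", "process and thread management"),
    "Rtl": ("Rtlp", "runtime library"),
    "Se": ("Sep", "security reference monitor"),
    "Vf": ("Vi", "driver verifier"),
}
# Nt/Zw are system-call entry points rather than a subsystem of their own.
SYSCALL_PREFIXES = {"Nt": "system call (Nt: caller's mode kept)",
                    "Zw": "system call (Zw: kernel mode ensured)"}


def _build_lookup():
    """Flatten the table into prefix -> (subsystem, visibility)."""
    lookup = {}
    for export, (internal, subsystem) in SUBSYSTEMS.items():
        lookup[export] = (subsystem, "exported")
        if internal != export:            # Dbg uses one prefix for both
            lookup[internal] = (subsystem, "internal")
    for prefix, desc in SYSCALL_PREFIXES.items():
        lookup[prefix] = (desc, "syscall")
    return lookup


LOOKUP = _build_lookup()
# Longest prefix first, so 'Iop...' is tried before 'Io...'.
PREFIX_ORDER = sorted(LOOKUP, key=len, reverse=True)


def classify(symbol):
    """Return (prefix, subsystem, visibility) for a kernel symbol name.

    The matched prefix must be followed by an upper-case letter, so that
    'IopCompleteRequest' is not mis-read as export prefix 'Io' followed by a
    function name starting with a lower-case 'p'. Unknown names yield
    (None, 'unknown', None).
    """
    for prefix in PREFIX_ORDER:
        if (symbol.startswith(prefix) and len(symbol) > len(prefix)
                and symbol[len(prefix)].isupper()):
            subsystem, visibility = LOOKUP[prefix]
            return prefix, subsystem, visibility
    return None, "unknown", None


def summarize(symbols):
    """Count symbols per subsystem, e.g. to see which kernel components a
    crash-dump stack walk passed through."""
    return Counter(classify(name)[1] for name in symbols)


# Constructed sample input: a mix of real exports and made-up internal names.
SAMPLE_SYMBOLS = ["IoCreateDevice", "IopCompleteRequest", "KiSystemService",
                  "ObReferenceObjectByHandle", "PspCreateProcess",
                  "ZwCreateFile", "HalInitSystem"]

if __name__ == "__main__":
    for name in SAMPLE_SYMBOLS:
        print("%-28s %s" % (name, classify(name)))
    print(summarize(SAMPLE_SYMBOLS))
```

Names that carry no known prefix (here HalInitSystem, which belongs to hal.dll rather than to ntoskrnl.exe) are reported as unknown rather than guessed.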
When control is transferred to the kernel, it receives an information record, known as the Loader Parameter Block, from the bootloader. The block contains information about the hardware, the path to the Windows Registry file, kernel parameters, and the paths of the files loaded by the bootloader (the SYSTEM registry hive, nls files for character encoding conversion, and the vga font).[8]: 818 The definition of this structure can be retrieved by using the kernel debugger.[8]: 819
In the x86 architecture, the kernel receives the system already in protected mode, with the GDT, IDT and TSS ready.
The main entry point of ntoskrnl.exe first runs on the boot processor, where it initializes some systemwide kernel components and creates a system thread. After enabling interrupts, the boot processor enters an idle loop. The system thread then starts up any remaining cores and initializes the rest of the system.[8]: 821–824
Modern operating systems use interrupts instead of I/O port polling to wait for information from devices.
In the x86 architecture, interrupts are handled through the Interrupt Dispatch Table (IDT). When a device triggers an interrupt and the interrupt flag (IF) in the FLAGS register is set, the processor's hardware looks for an interrupt handler in the table entry corresponding to the interrupt number, which in turn has been translated from the IRQ by PIC chips or, on more modern hardware, by the APIC. Interrupt handlers usually save some subset of the register state before handling the interrupt and restore it to the original values when done.
The interrupt table contains handlers for hardware interrupts, software interrupts, and exceptions. For some IA-32 versions of the kernel, one example of such a software interrupt handler (of which there are many) is IDT table entry 2E (hexadecimal; 46 in decimal), used in assembly language as INT 2EH for system calls. In the real implementation the entry points to an internal subroutine named (as per symbol information published by Microsoft) KiSystemService. For newer versions, different mechanisms making use of the SYSENTER instruction and, on x86-64, the SYSCALL instruction are used instead.
One notable feature of NT's interrupt handling is that interrupts are usually conditionally masked based on their priority (called "IRQL"), instead of disabling all IRQs via the interrupt flag. This permits various kernel components to carry on critical operations without necessarily blocking services of peripherals and other devices.[9]
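On IA-32 each IDT entry is an 8-byte gate descriptor, and the fields it carries decide who may reach the handler: the gate's DPL must be 3 for a ring-3 program to raise the vector with INT n, which is why the INT 2EH system-call gate described above is a DPL-3 gate while CPU exception vectors are not. The following is an added example, not code from the article or from Windows: it decodes raw descriptor bytes (the layout from the Intel manual: offset[15:0], selector, reserved byte, P/DPL/type byte, offset[31:16]), builds a constructed IDT fragment with a DPL-3 gate at vector 0x2E, and lists which vectors user mode may invoke. All handler addresses are made-up placeholder values.

```python
"""Decode IA-32 IDT gate descriptors (8 bytes each).

Added example, not code from the article. SAMPLE_IDT is constructed to look
like a kernel IDT with a DPL-3 interrupt gate at vector 0x2E (the INT 2EH
system-call gate discussed above); handler offsets are made-up values, not
real kernel symbol addresses.
"""
import struct

GATE_TYPES = {0x5: "task gate", 0x6: "16-bit interrupt gate",
              0x7: "16-bit trap gate", 0xE: "32-bit interrupt gate",
              0xF: "32-bit trap gate"}
KERNEL_CS = 0x08        # placeholder code-segment selector for the samples


def decode_gate(raw):
    """Split one 8-byte descriptor into its fields."""
    if len(raw) != 8:
        raise ValueError("an IA-32 gate descriptor is exactly 8 bytes")
    off_lo, selector, _reserved, attr, off_hi = struct.unpack("<HHBBH", raw)
    return {
        "offset": (off_hi << 16) | off_lo,     # handler address
        "selector": selector,                  # code segment of the handler
        "present": bool(attr & 0x80),          # P bit
        "dpl": (attr >> 5) & 0x3,              # privilege needed to use INT n
        "type": GATE_TYPES.get(attr & 0xF, "unknown (0x%x)" % (attr & 0xF)),
    }


def make_gate(offset, selector, gate_type, dpl, present=True):
    """Build a descriptor; used here only to construct sample input."""
    attr = (0x80 if present else 0) | (dpl << 5) | gate_type
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, 0, attr, offset >> 16)


# Constructed IDT fragment covering vectors 0x00..0x2F.
SAMPLE_IDT = bytearray()
for vector in range(0x30):
    if vector == 0x2E:          # INT 2EH system-call gate, reachable from ring 3
        SAMPLE_IDT += make_gate(0x8040A000, KERNEL_CS, 0xE, dpl=3)
    elif vector == 0x03:        # INT 3 breakpoint, also raised from ring 3
        SAMPLE_IDT += make_gate(0x80401230, KERNEL_CS, 0xE, dpl=3)
    elif vector < 0x20:         # other CPU exceptions: kernel-only gates
        SAMPLE_IDT += make_gate(0x80400000 + vector * 0x100, KERNEL_CS, 0xE, dpl=0)
    else:                       # hardware IRQ vectors left unpopulated here
        SAMPLE_IDT += make_gate(0, 0, 0xE, dpl=0, present=False)


def user_invokable_vectors(idt):
    """Vectors a ring-3 program may raise with INT n: the gate must be present
    and have DPL 3; otherwise the CPU raises #GP instead of dispatching."""
    result = []
    for vector in range(len(idt) // 8):
        gate = decode_gate(idt[vector * 8:(vector + 1) * 8])
        if gate["present"] and gate["dpl"] == 3:
            result.append(vector)
    return result


if __name__ == "__main__":
    print(decode_gate(SAMPLE_IDT[0x2E * 8:0x2F * 8]))
    print([hex(v) for v in user_invokable_vectors(SAMPLE_IDT)])
```

The same decoder applies to a real IDT image read from a memory dump; the reserved byte is zero for interrupt and trap gates, and the 64-bit IDT uses 16-byte entries with a different layout that this 32-bit decoder does not handle.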
The entire physical memory (RAM) address range is broken into many small blocks called pages, 4 KB in size each, and mapped to virtual addresses. A few of the properties of each block are stored in structures called page table entries, which are managed by the OS and accessed by the processor's hardware. Page tables are organized into a tree structure, and the physical page number of the top-level table is stored in control register 3 (CR3).
Microsoft Windows divides virtual address space into two regions. The lower part, starting at zero, is instantiated separately for each process and is accessible from both user and kernel mode. Application programs run in processes and supply code that runs in user mode. The upper part is accessible only from kernel mode and, with some exceptions, is instantiated just once, system-wide. ntoskrnl.exe is mapped into this region, as are several other kernel mode components. This region also contains data used by kernel mode code, such as the kernel mode heaps and the file system cache.
| Arch | MmHighestUserAddress | MmSystemRangeStart |
|---|---|---|
| x86[a] | 0x7fffffff | 0x80000000 |
| ARM | | |
| x86-64 | 0x000007ff'ffffffff (until Windows 8.1 Update 2); 0x00007fff'ffffffff (from Windows 8.1 Update 3) | 0xffff8000'00000000 |
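The two paragraphs above describe the page-table tree rooted at CR3 and the user/kernel split of the address space; the following added example (not code from the article or from Windows) puts both together for the 32-bit non-PAE case. It walks a two-level tree (10-bit directory index, 10-bit table index, 12-bit offset), applies the present, writable and user/supervisor checks the MMU performs at each level, and uses the MmSystemRangeStart values from the table to classify addresses. The "physical memory" is a Python dict of constructed 4 KB frames, and every frame number and virtual address is a made-up sample value; supervisor writes to read-only pages are treated as faults, i.e. CR0.WP is assumed to be set, as Windows sets it.

```python
"""Walk an IA-32 (non-PAE) two-level page-table tree.

Added example, not code from the article or from Windows. CR3 holds the
physical frame of the page directory; each directory entry points at a page
table whose entries map 4 KB pages and carry the present, writable and
user-accessible bits the CPU checks on every access. All frame numbers and
virtual addresses are constructed sample values.
"""
import struct

PAGE_SIZE = 4096
P_BIT, RW_BIT, US_BIT = 0x1, 0x2, 0x4      # bits 0-2 of a PDE or PTE
FRAME_MASK = 0xFFFFF000

# Kernel/user split from the table above (MmSystemRangeStart).
SYSTEM_RANGE_START = {"x86": 0x80000000, "x86-64": 0xFFFF800000000000}


def is_kernel_space(va, arch="x86"):
    """True when va lies in the once-per-system kernel half of the space."""
    return va >= SYSTEM_RANGE_START[arch]


class PageFault(Exception):
    pass


class PhysicalMemory:
    """Sparse physical memory: frame number -> 4 KB bytearray."""

    def __init__(self):
        self.frames = {}

    def frame(self, number):
        return self.frames.setdefault(number, bytearray(PAGE_SIZE))

    def read_entry(self, table_frame, index):
        return struct.unpack_from("<I", self.frame(table_frame), index * 4)[0]

    def write_entry(self, table_frame, index, value):
        struct.pack_into("<I", self.frame(table_frame), index * 4, value)


def check_access(entry, user_mode, write, level):
    """The permission checks the MMU applies at each level of the walk."""
    if not entry & P_BIT:
        raise PageFault("%s not present" % level)
    if user_mode and not entry & US_BIT:
        raise PageFault("%s is supervisor-only, accessed from user mode" % level)
    if write and not entry & RW_BIT:      # assumes CR0.WP is set
        raise PageFault("%s is read-only, write attempted" % level)


def translate(mem, cr3_frame, va, user_mode=True, write=False):
    """Return the physical address for a 32-bit virtual address, or raise
    PageFault with the reason the hardware would report."""
    pde = mem.read_entry(cr3_frame, va >> 22)            # top 10 bits
    check_access(pde, user_mode, write, "page directory entry")
    pte = mem.read_entry(pde >> 12, (va >> 12) & 0x3FF)  # next 10 bits
    check_access(pte, user_mode, write, "page table entry")
    return (pte & FRAME_MASK) | (va & 0xFFF)             # low 12 bits


def fault_reason(mem, cr3_frame, va, user_mode=True, write=False):
    """Same walk, but return the fault text (or None) instead of raising."""
    try:
        translate(mem, cr3_frame, va, user_mode, write)
        return None
    except PageFault as exc:
        return str(exc)


def map_page(mem, cr3_frame, va, phys_frame, user, writable, pt_frame):
    """Create the PDE (if missing) and the PTE that map va -> phys_frame."""
    pde_index, pte_index = va >> 22, (va >> 12) & 0x3FF
    if not mem.read_entry(cr3_frame, pde_index) & P_BIT:
        pde = (pt_frame << 12) | P_BIT | RW_BIT | (US_BIT if user else 0)
        mem.write_entry(cr3_frame, pde_index, pde)
    pte = (phys_frame << 12) | P_BIT | (RW_BIT if writable else 0) | (US_BIT if user else 0)
    mem.write_entry(pt_frame, pte_index, pte)


def build_sample():
    """Constructed address space: one writable user page below
    MmSystemRangeStart and one read-only kernel page above it."""
    mem, cr3 = PhysicalMemory(), 0x100
    map_page(mem, cr3, 0x00401000, phys_frame=0x2A0, user=True, writable=True, pt_frame=0x101)
    map_page(mem, cr3, 0x80400000, phys_frame=0x400, user=False, writable=False, pt_frame=0x102)
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample()
    print(hex(translate(mem, cr3, 0x00401ABC)))
    print(fault_reason(mem, cr3, 0x80400000, user_mode=True))
    print(fault_reason(mem, cr3, 0x80400000, user_mode=False, write=True))
```

The walk shows the asymmetry the text describes: kernel mode can read the user page at 0x00401000, but a user-mode access to the kernel page at 0x80400000 faults at the directory level before the page table is even consulted.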
Windows Registry is a repository for configuration and settings information for the operating system and for other software, such as applications. It can be thought of as a filesystem optimized for small files.[11] However, it is not accessed through file system-like semantics, but rather through a specialized set of APIs, implemented in kernel mode and exposed to user mode.
The registry is stored on disk as several different files called "hives." One, the System hive, is loaded early in the boot sequence and provides configuration information required at that time. Additional registry hives, providing software-specific and user-specific data, are loaded during later phases of system initialization and during user login, respectively.
The list of drivers to be loaded from the disk is retrieved from the Services key of the current control set's key in the SYSTEM registry hive. That key stores device drivers, kernel processes and user processes. They are all collectively called "services" and are all stored mixed together in the same place.
During initialization or upon a driver load request, the kernel traverses that tree looking for services tagged as kernel services.
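The selection just described (resolve the current control set, then pick out of the mixed Services key only the entries tagged as kernel-mode drivers) can be modelled on a hive snapshot. The following is an added example, not code from the article or from Windows: SAMPLE_HIVE is a constructed Python dict standing in for the Select and ControlSetNNN\Services keys of a SYSTEM hive, the Type and Start constants are the documented Win32 service values, and the final helper goes beyond the text by flagging enabled drivers whose ImagePath resolves outside the system root, a check an administrator reviewing boot configuration would want rather than something the kernel does.

```python
"""Pick the kernel-mode drivers out of the Services key of a SYSTEM hive.

Added example, not code from the article or from Windows. SAMPLE_HIVE is a
constructed dict modelling the relevant keys; Type/Start values are the
documented Win32 service constants. The path audit at the end is an added
generalization, not behaviour the article attributes to the kernel.
"""

SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2
SERVICE_WIN32_OWN_PROCESS = 0x10
KERNEL_TYPES = {SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER}
SERVICE_DISABLED = 4
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed hive fragment: drivers and user-mode services sit mixed
# together under Services, as the article says.
SAMPLE_HIVE = {
    "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    "ControlSet001": {"Services": {
        "disk": {"Type": 0x1, "Start": 0, "ImagePath": "System32\\drivers\\disk.sys"},
        "Ntfs": {"Type": 0x2, "Start": 0, "ImagePath": "System32\\drivers\\ntfs.sys"},
        "Beep": {"Type": 0x1, "Start": 1, "ImagePath": "System32\\drivers\\beep.sys"},
        "ExampleFilter": {"Type": 0x1, "Start": 2, "ImagePath": "\\??\\C:\\Temp\\example.sys"},
        "Spooler": {"Type": 0x10, "Start": 2, "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
        "OldDrv": {"Type": 0x1, "Start": 4, "ImagePath": "System32\\drivers\\olddrv.sys"},
    }},
    "ControlSet002": {"Services": {
        "disk": {"Type": 0x1, "Start": 0, "ImagePath": "System32\\drivers\\disk.sys"},
    }},
}


def current_control_set(hive):
    """Resolve CurrentControlSet: the Select key's Current value names the
    ControlSetNNN the system booted with."""
    return "ControlSet%03d" % hive["Select"]["Current"]


def kernel_services(hive):
    """Return (name, start type, image path) for every enabled service whose
    Type marks it as a kernel-mode driver, ordered by start type."""
    services = hive[current_control_set(hive)]["Services"]
    picked = []
    for name, values in services.items():
        if values.get("Type") not in KERNEL_TYPES:
            continue                          # user-mode service, skipped
        start = values.get("Start", SERVICE_DISABLED)
        if start == SERVICE_DISABLED:
            continue
        picked.append((start, name, values.get("ImagePath", "")))
    picked.sort(key=lambda item: (item[0], item[1].lower()))
    return [(name, START_NAMES[start], path) for start, name, path in picked]


def resolve_image_path(path, system_root="C:\\Windows"):
    """Normalize the ImagePath spellings seen in practice to one absolute
    path: a bare relative path is relative to the system root, '\\SystemRoot'
    and '%SystemRoot%' name it, and '\\??\\' is the NT object-manager prefix."""
    if path.startswith("\\??\\"):
        path = path[4:]
    for marker in ("\\SystemRoot", "%SystemRoot%"):
        if path.lower().startswith(marker.lower()):
            return system_root + path[len(marker):]
    if len(path) > 1 and path[1] == ":":
        return path
    return system_root + "\\" + path


def drivers_outside_system_root(hive, system_root="C:\\Windows"):
    """Audit helper: enabled kernel drivers whose image is not under the
    system root; useful when reviewing a machine's boot configuration."""
    root = system_root.lower() + "\\"
    return [name for name, _start, path in kernel_services(hive)
            if not resolve_image_path(path, system_root).lower().startswith(root)]


if __name__ == "__main__":
    for entry in kernel_services(SAMPLE_HIVE):
        print(entry)
    print("outside system root:", drivers_outside_system_root(SAMPLE_HIVE))
```

Boot-start (0) entries come first because they are needed before the kernel can read the disk on its own, and disabled (4) entries are skipped entirely; the Spooler entry is ignored because its Type marks a user-mode process, even though it lives in the same key.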
[a] … /userva or /3gb switch. As mentioned in the Windows Internals book, 7th edition, the boot-time option increaseuserva and a corresponding header in the executable image are required for this feature.