ntoskrnl.exe

This is an old revision of this page, as edited by Jeh (talk | contribs) at 15:37, 29 April 2014 (rm sentence that is not about the subject of this article. WP articles do not attempt to justify their existence or encourage readership). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Revision as of 15:37, 29 April 2014 by Jeh (talk | contribs) (rm sentence that is not about the subject of this article. WP articles do not attempt to justify their existence or encourage readership)(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

This article or section is in a state of significant expansion or restructuring. You are welcome to assist in its construction by editing it as well. If this article or section has not been edited in several days, please remove this template.
If you are the editor who added this template and you are actively editing, please be sure to replace this template with {{in use}} during the active editing session. Click on the link for template parameters to use. This article was last edited by Jeh (talk | contribs) 10 years ago. (Update timer)

This article is about the Windows NT kernel image. For the Windows NT kernel, see Windows NT kernel.

ntoskrnl.exe (Short for Windows NT Operating System Kernel, and ntkrnlpa.exe on systems with Physical Address Extension support) is the kernel image for the family of Microsoft Windows NT operating systems. It provides the kernel and executive layers of the Windows NT kernel space, and is responsible for various system services such as hardware virtualization, process and memory management, etc., thus making it a fundamental part of the system. It contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler, among other things.

Overview

This system binary is not a native application (in that it is not linked against ntdll.dll), instead containing a standard 'start' entry point, a function that calls the arch-independent kernel initialization function.

/*
 * NTOS kernel entry point
 */
void __attribute__((stdcall)) KiSystemStartup(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
{
  /* perform arch independent initialization */
  KiInitializeKernel();
}

While ntoskrnl.exe is not linked against ntdll.dll, it is linked against bootvid.dll, hal.dll and kdcom.dll. Because it requires a static copy of C Runtime objects it depends on, the executable is usually about 2MB in size.

Kernel image filenames

MP or UP files are selected at install time, and PAE or non-PAE files are selected by boot.ini or BCD option. The kernel image is chosen according to the processor's features.

Kernel image filenames
Filename	SMP	PAE
NTOSKRNL.EXE	No	No
NTKRNLMP.EXE	Yes	No
NTKRNLPA.EXE	No	Yes
NTKRPAMP.EXE	Yes	Yes

Coding style

Typical Windows coding uses Hungarian notation for variable names. The kernel API also uses prefixes for functions.

The table below is not an exhaustive listing of all prefixes. There are other undocumented prefixes.

NT function prefixes
Prefix	Meaning
Cc	cache controller
Csr	Csr are client-server functions that are used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime sub-system).
Dbg	Dbg are debugging aid functions such as a software break point.
Ex	Windows Executive
FsRtl	file system runtime
Io	I/O manager
Ke	core kernel routines
Ki	Ki are upcalls from kernel-mode for things like APC dispatching.
Ks	kernel streaming
Ldr	Ldr are loader functions for PE file handling and starting of new processes.
Lpc	Local Procedure Call
Lsa	Local Security Authority
Mm	memory management
Nls	Nls for Native Language Support (similar to code pages).
Ob	Object Manager
Pfx	Pfx for prefix handling.
Po	power management
Ps	Process management
Rtl	Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support.
Se	security
Zw	Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl.exe via the SSDT. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not. The Zw prefix does not stand for anything.

Initialization

When the kernel receives control, it gets a pointer to a structure as parameter. This structure is passed by the boot loader and contain information about the hardware, the path to the registry file, kernel parameters containing boot preferences or options that change the behaviour of the kernel, path of the files loaded by the bootloader (SYSTEM registry hive, nls for character encoding conversion and vga font). The definition of this structure can be retrieved by using the kernel debugger or downloading it from the Microsoft symbol database.

In the x86 architecture, the kernel receives the system already in protected mode, with the GDT, IDT and TSS ready. But since it does not know the address of each one, it has to load them one by one to fill the PCR structure.

The main entry point of ntoskrnl.exe performs some system dependent initialization then calls a system independent initialization then enters an idle loop.

Interrupt Handling

This article is about NT implementation of interrupt handlers. For other uses, see Interrupt handling.

Modern operating systems use interrupts instead of I/O port polling to wait for information from devices.

In the x86 architecture, interrupts are handled by using the Interrupt Vector Table (IVT). When a device triggers an interrupt, or interrupt request (IRQ), the interrupt flag (IF) in the flags register is set and the processor's hardware looks for a interrupt handler on the table. Interrupt handlers usually save the state of all or some registers before handling it and restore the registers when done.

The interrupt table contains handlers both for IRQs and soft interrupts. The location of the soft interrupt handler is 0x2e. It points to the KiSystemService.

Memory manager

This article is about NT implementation of a memory manager. For other uses, see memory management.

The kernel of Microsoft Windows divides the memory in two segments using paging. The lower part, starting at zero, is used by user-land programs and the upper part is used by the kernel.

Start and end of segments by access privilege
Arch	MmHighestUserAddress	MmSystemRangeStart
x86	0x7fffffff	0x80000000
ARM	0x7fffffff	0x80000000
x86-64	0x000007ff‘ffffffff	0xffff0800‘00000000

In the x86 architecture, the memory manager (mm) of an operating system separates each address space using paging. The entire physical memory (RAM) address range is broken into many small (usualy 4 KiB) blocks. The properties of each block is stored in the page directory that is managed directly by the processor's hardware. The base address of this table is stored in the control register #3 (CR3) and paging.

Object Manager

Main article: Object Manager (Windows)

The Object Manager (OM) is the virtual filesystem (VFS) used by the NTOS kernel that is similar to the proc and sys filesystems. It is exposed to the user-land programs but it is not used by the default shell directly neither is shown to the user, except when using special tools such as the Winobj by Sysinternals.

The root of OM is not a disk filesystem nor a ramdrive. It contains node that corresponds to the mounted filesystem. The name of these nodes are of the form PartitionXX. It stores volatile data. Data that should be nonvolatile is stored in the registry.

Explorer does not use them directly but use some symlinks that point to the actual NT nodes. The name of each of these nodes is a DOS partition letter. They were created for campatibility with old MS-DOS-based Windows releases.

These nodes are not created by the kernel but by the filesystem driver. The filesystem driver must comply with the IFS API. It uses the IoCreateDevice and IoCreateSymbolicLink api calls to do it.

Registry hives

Main article: Windows Registry

A registry hive, or simply a registry, is a filesystem optimized for small files. Although sometimes referred as a database it does not include feature characteristic to databases such as indexing. It is loaded as early in the bootloader. Additional registry hives are mounted during system boot and login.

Drivers

This article is about NT specific drivers. For other uses, see device driver.

The list of drives to be loaded from the disk are retrieved from the Services key in the SYSTEM registry hive. That key stores device drivers, kernel processes and user processes. They are all collectively called "services" and are all stored mixed on the same place.

During initialization or upon driver load request, the kernel transverses that tree looking for services tagged as kernel services.

References

Russinovich, M: Systems Internals Tips and Trivia, SysInternals Information
^ Raymond Chen (2009). "The Old New Thing : What does the "Zw" prefix mean?". Microsoft Corporation. Retrieved 2009-06-13.
Microsoft Corporation (2009). "I/O Manager Routines". Microsoft Corporation. Retrieved 2009-06-13.
Microsoft Corporation (2009). "Cache Manager Routines". Microsoft Corporation. Retrieved 2009-06-13.
Microsoft Corporation (2009). "Power Manager Routines". Microsoft Corporation. Retrieved 2009-06-13.
Microsoft Corporation (2009). "Core Kernel Library Support Routines". Microsoft Corporation. Retrieved 2009-06-13.
Microsoft Corporation (2009). "File System Runtime Library Routines". Microsoft Corporation. Retrieved 2009-06-13.
The NT Insider (August 27, 2003). "Nt vs. Zw - Clearing Confusion On The Native API". OSR Online. 10 (4). OSR Open Systems Resources. Retrieved 2013-09-16.
windows internals
http://www.nirsoft.net/kernel_struct/vista/LOADER_PARAMETER_BLOCK.html
^ Cite error: The named reference practical rev eng was invoked but never defined (see the help page).
"IoCreateDevice routine". MSDN. Microsoft Corporation. Retrieved 28 April 2014.
"IoCreateSymbolicLink routine". MSDN. Microsoft Corporation. Retrieved 28 April 2014.
Tanenbaum, Andrew S. (2008). Modern operating systems (3rd ed. ed.). Upper Saddle River, N.J.: Pearson Prentice Hall. p. 829. ISBN 978-0136006633. {{cite book}}: |edition= has extra text (help)

External links

Microsoft Windows components

APIs
Architecture
- 9x
- NT
Booting process
Games

Management
tools

CDFS
DFS
exFAT
FAT
IFS
NTFS
- EFS
- Hard link
- links
- Mount Point
- Reparse point
- TxF
ReFS
UDF

Server

Architecture

Security

Compatibility

API

Games

Solitaire Collection
Surf

Discontinued

Games	3D Pinball Chess Titans FreeCell Hearts Hold 'Em InkBall Purble Place Solitaire Spider Solitaire Tinker
Apps	ActiveMovie Address Book Anytime Upgrade Backup and Restore Cardfile CardSpace CD Player Chat Contacts Cortana Desktop Gadgets Diagnostics DriveSpace DVD Maker Easy Transfer Edge Legacy Fax Food & Drink Groove Music Health & Fitness Help and Support Center HyperTerminal Imaging Internet Explorer Journal Make Compatible Media Center Meeting Space Messaging Messenger Mobile Device Center Movie Maker MSN Dial-up NetMeeting NTBackup Outlook Express Paint 3D Pay Phone Companion Photo Gallery Photo Viewer Program Manager Steps Recorder Syskey Travel WinHelp WordPad Write
Others	Desktop Cleanup Wizard File Protection Games for Windows HPFS Interix Media Control Interface MS-DOS 7 Next-Generation Secure Computing Base POSIX subsystem ScanDisk Video for Windows Virtual DOS machine Windows on Windows Windows Services for UNIX Windows SideShow Windows System Assessment Tool Windows To Go WinFS