What is kernel image in windows

What is Windows Kernel (OS Kernel)?


Windows, as an operating system, relies on a key program called the kernel that controls all the processes running on the system. The Windows kernel is the link between all the hardware and software components of your computer. The kernel usually loads after the bootloader and then controls and coordinates all the other start-up processes. You can think of the kernel as being your computer's translator, as it takes requests from software and converts them into instructions for the CPU.

Here are some examples of tasks overseen by the kernel: it manages internal and external hardware devices, launches and ends processes, allocates memory, and more.

As long as the kernel works properly, your computer works as expected as well. However, when the kernel is affected by various technical issues, your computer becomes practically unusable and it displays various BSOD error codes.

Windows Kernel-Mode Process and Thread Manager

A process is a software program that is currently running in Windows. Every process has an ID, a number that identifies it. A thread is an object that identifies which part of the program is running. Each thread has an ID, a number that identifies it.

A process may have more than one thread. The purpose of a thread is to allocate processor time. On a machine with one processor, more than one thread can be allocated, but only one thread can run at a time. Each thread only runs a short time and then the execution is passed on to the next thread, giving the user the illusion that more than one thing is happening at once. On a machine with more than one processor, true multi-threading can take place. If an application has multiple threads, the threads can run simultaneously on different processors.

The Windows kernel-mode process and thread manager handles the execution of all threads in a process. Whether you have one processor or more, great care must be taken in driver programming to make sure that all threads of your process are designed so that no matter what order the threads are handled, your driver will operate properly.

If threads from different processes attempt to use the same resource at the same time, problems can occur. Windows provides several techniques to avoid this problem. The technique of making sure that threads from different processes do not touch the same resource is called synchronization. For more information about synchronization, see Synchronization Techniques.

Routines that provide a direct interface to the process and thread manager are usually prefixed with the letters "Ps"; for example, PsCreateSystemThread. For a list of kernel DDIs, see Windows kernel.

This set of guidelines applies to these callback routines:

  • Keep routines short and simple.
  • Do not make calls into a user mode service to validate the process, thread, or image.
  • Do not make registry calls.
  • Do not make blocking and/or Interprocess Communication (IPC) function calls.
  • Do not synchronize with other threads because it can lead to reentrancy deadlocks.
  • Use System Worker Threads to queue work, especially work involving:
    • Slow APIs or APIs that call into other processes.
    • Any blocking behavior which could interrupt threads in core services.
  • If you use System Worker Threads do not wait on the work to complete. Doing so defeats the purpose of queuing the work to be completed asynchronously.
  • Be considerate of best practices for kernel mode stack usage. For examples, see How do I keep my driver from running out of kernel-mode stack? and Key Driver Concepts and Tips.

Subsystem Processes

Starting in Windows 10, the Windows Subsystem for Linux (WSL) enables a user to run native Linux ELF64 binaries on Windows, alongside other Windows applications. For information about WSL architecture and the user-mode and kernel-mode components that are required to run the binaries, see the posts on the Windows Subsystem for Linux blog.

One of the components is a subsystem process that hosts the unmodified user-mode Linux binary, such as /bin/bash. Subsystem processes do not contain data structures associated with Win32 processes, such as Process Environment Block (PEB) and Thread Environment Block (TEB). For a subsystem process, system calls and user mode exceptions are dispatched to a paired driver.

Here are the changes to the Process and Thread Manager Routines in order to support subsystem processes:

  • The WSL type is indicated by the SubsystemInformationTypeWSL value in the SUBSYSTEM_INFORMATION_TYPE enumeration. Drivers can call NtQueryInformationProcess and NtQueryInformationThread to determine the underlying subsystem. Those calls return SubsystemInformationTypeWSL for WSL.
  • Other kernel mode drivers can get notified about subsystem process creation/deletion by registering their callback routine through the PsSetCreateProcessNotifyRoutineEx2 call. To get notifications about thread creation/deletion, drivers can call PsSetCreateThreadNotifyRoutineEx, and specify PsCreateThreadNotifySubsystems as the type of notification.
  • The PS_CREATE_NOTIFY_INFO structure has been extended to include a IsSubsystemProcess member that indicates a subsystem other than Win32. Other members such as FileObject, ImageFileName, CommandLine indicate additional information about the subsystem process. For information about the behavior of those members, see SUBSYSTEM_INFORMATION_TYPE.


What is a Kernel in OS? What are the types of Kernel?

Every operating system, whether it is Windows, Mac, Linux, or Android, has a core program called a Kernel which acts as the 'boss' for the whole system. It is the heart of the OS! The Kernel is nothing but a computer program which controls everything else. Anything that happens on the computer goes through it. In this post, we will discuss what a Kernel in an OS is, and the different types of Kernels.

What is a Kernel in OS

Now that we know that it's a core program in the OS, one should also know that it is also the first program that loads after the bootloader. It then handles all the communication between the hardware and the software or applications. So if you launch a program, the user interface sends a request to the Kernel. The Kernel then sends a request to the CPU and memory to assign processing power, memory, and other resources so the application can run smoothly in the front end.

You can imagine the Kernel as a translator. It converts input/output requests from software into an instruction set for the CPU and GPU. In simple words, it's a layer between the software and the hardware which makes everything possible. The kernel manages the following:

  1. CPU/GPU
  2. Memory
  3. Input/Output or IO devices
  4. Resource management
  5. Memory management
  6. Device management
  7. System calls.

User processes can access kernel space only through system calls. If a program tries to access it directly, it will result in a fault.

Kernel Security & Protection

The kernel also protects the hardware. If there is no protection, any program will be able to carry out any task on the computer, including crashing your computer, corrupting data, etc.

In modern-day computers, security is implemented at the hardware level. For example, Windows will not load drivers which are not from a trusted source and certified with a digital signature. Secure Boot and Trusted Boot are classic examples.

Secure Boot: It is a security standard developed by members of the PC industry. It helps you protect your system from malicious programs by not allowing any unauthorized applications to run during the system start-up process. The feature makes sure that your PC boots using only software that is trusted by the PC manufacturer. So, whenever your PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are verified, the PC boots and the firmware gives control to the operating system.

Trusted Boot: It uses the Virtual Trusted Platform Module (VTPM) to verify the digital signature of the Windows 10 kernel before loading it. In turn, it confirms every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been altered or changed to any extent, the bootloader detects it and refuses to load it by recognizing it as the corrupted component. In short, it provides a chain of trust for all the elements during boot.

What are the types of Kernel

The Kernel can also talk to hardware on a secure line. So companies can develop a Kernel which can talk to their hardware through a set of buttons. Take the washing machine as an example. Depending on the knobs you turn and the time you set, a basic kernel should be enough. That said, kernels themselves grow more complicated over time, which results in different types of Kernel.

  1. Monolithic Kernel: Here, the OS and Kernel both run in the same memory space, and it is suitable where security is not a significant concern. It results in faster access, but if there is a bug in a device driver, the entire system crashes.
  2. Microkernel: It's a stripped-down version of a Monolithic Kernel where the Kernel itself can get most of the job done, and there is no need for an extra GUI. They should be used where security is a concern and where a system crash must not happen.
  3. Hybrid Kernel: This is the kind of Kernel we see most often: Windows, Apple's macOS. They are a mix of Monolithic Kernel and Microkernel. It moves drivers out but keeps system services inside the Kernel, similar to how drivers are loaded when Windows starts the boot process.
  4. Nano Kernel: If you need to have a kernel, but most of its functionality is set up outside it, then this comes into the picture.
  5. Exo Kernel: This kernel only offers process protection and resource handling. However, it is mostly used when you are testing out an in-house project, and you then upgrade to a better Kernel type.

There is a lot more to a Kernel than what we have talked about. As you dig deeper, the definition of Kernel gets broader and more profound.

We hope the post was easy to understand and helps you get through the basics.


Windows Kernel Drivers: Common Mistakes (IRQL)

This article is aimed at those who have only recently started developing kernel drivers for Windows. Seeing the hated IRQL_NOT_LESS_OR_EQUAL message and that sad smiley for the hundredth time? Then please read on.

One of the main mistakes, which I myself have made, is juggling the IRQL any way you please, combined with an incomplete understanding of how thread priorities work inside the Windows kernel.

For example, suppose you have a piece of code that generates some event keyed by a process PID.

Inside this code, shared data is used, and its synchronization is provided by a spinlock. We also need to obtain the process name in order to log the event.

Have you already spotted the mistake in this fragment?

PsLookupProcessByProcessId() requires the following condition to hold: IRQL

And this is where it gets interesting. The first solution that comes to a beginner's mind is to change the IRQL level before calling this function so that the condition is satisfied.

That is, to rewrite the code like this:

Now everything seems to work quite stably. But in reality it does not. This code merely masks the problem well, reducing the chance of it showing up to a minimum, but in 1 out of 1000 cases it will still surface, and you will be tearing your hair out trying to understand what the error is.

And here one must recall one of the rules of driver writing, namely:
"You may lower the IRQL only if you raised it yourself, and only to its previous value!"

If some code called your function at IRQL = APC_LEVEL, you do not have the right to drop it below that level. You may raise the IRQL to DISPATCH_LEVEL and then lower it back to APC_LEVEL, but no lower.

Thus, a more acceptable version of the code would be:

And helper functions like SetIrql() from the second example are, in principle, not sound from an interface standpoint, because when designing individual methods in your driver it is important to think through the constraints imposed on the preconditions for calling your function.

For describing such preconditions it is convenient to use SAL annotations; their list can be found here:

Microsoft also provides a small whitepaper (at the very bottom of the article) on managing thread priorities in the kernel, which goes into some of the finer points of working with them in more detail:

If you nevertheless need to somehow call an API that requires a lower IRQL, one option for solving this problem is work items. But I will talk about those in another article.
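The article's own code fragments did not survive on this page, so the following is an added example, not the author's code and not the WDK: a user-mode model of the IRQL discipline just described. The sim_* functions are stand-ins that mimic the contracts of KeRaiseIrql and KeLowerIrql and count rule violations where the real kernel would bugcheck or silently leave the thread at the wrong level; lookup_process_name stands in for PsLookupProcessByProcessId with the same IRQL precondition and a constructed PID table; bad_set_irql is the SetIrql()-style helper the article argues against. Both handlers are hypothetical; the point is that the wrong one trips the "lower only what you raised" rule when entered at APC_LEVEL, while the correct one restores the caller's level and defers the lookup (where a real driver would queue a work item) if that level is too high.

```c
#include <stdio.h>
#include <string.h>

/* User-mode model of the IRQL rules from the article. Added example: not the
 * article's code, not the WDK. sim_* mimics KeRaiseIrql/KeLowerIrql and counts
 * violations where the real kernel would bugcheck or silently corrupt state. */
typedef unsigned char KIRQL;
#define PASSIVE_LEVEL  0
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2
#define MAX_DEPTH      16

enum { EVENT_DEFERRED = 0, EVENT_LOGGED = 1 };

static KIRQL g_irql = PASSIVE_LEVEL;     /* simulated current IRQL of this thread */
static KIRQL g_raised_from[MAX_DEPTH];   /* levels this code raised from, innermost last */
static int   g_depth = 0;
static int   g_violations = 0;
static unsigned g_event_seq = 0;         /* shared data the "spinlock" protects */

static void violation(const char *msg) {
    g_violations++;
    printf("IRQL violation: %s (current=%u)\n", msg, g_irql);
}

/* Start a scenario as if a caller entered our code at `entry` IRQL. */
void sim_reset(KIRQL entry) { g_irql = entry; g_depth = 0; g_violations = 0; }
KIRQL sim_KeGetCurrentIrql(void) { return g_irql; }
int sim_violations(void) { return g_violations; }

/* KeRaiseIrql contract: never downward; the previous level is handed back to the caller. */
void sim_KeRaiseIrql(KIRQL NewIrql, KIRQL *OldIrql) {
    if (NewIrql < g_irql) violation("KeRaiseIrql used to go down");
    *OldIrql = g_irql;
    if (g_depth < MAX_DEPTH) g_raised_from[g_depth++] = g_irql;
    g_irql = NewIrql;
}

/* KeLowerIrql plus the article's rule: lower only what you raised, only to the old value. */
void sim_KeLowerIrql(KIRQL NewIrql) {
    if (g_depth == 0)
        violation("lowering an IRQL this code never raised");
    else if (NewIrql != g_raised_from[--g_depth])
        violation("lowering to something other than the previous level");
    g_irql = NewIrql;
}

/* Stand-in for PsLookupProcessByProcessId: constructed table, same IRQL <= APC_LEVEL precondition. */
int lookup_process_name(unsigned pid, char *out, size_t cap) {
    static const struct { unsigned pid; const char *name; } table[] = {
        { 4, "System" }, { 1234, "notepad.exe" } };   /* constructed sample data */
    if (g_irql > APC_LEVEL) violation("process lookup above APC_LEVEL");
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].pid == pid) { snprintf(out, cap, "%s", table[i].name); return 1; }
    snprintf(out, cap, "<unknown>");
    return 0;
}

/* The anti-pattern: a SetIrql()-style helper that forces whatever level it is told. */
static void bad_set_irql(KIRQL level) {
    KIRQL old;
    if (level < g_irql) sim_KeLowerIrql(level); else sim_KeRaiseIrql(level, &old);
}

/* Wrong version; returns how many violations it triggers when entered at the current IRQL. */
int handle_event_wrong(unsigned pid) {
    int before = g_violations; KIRQL old; char name[32];
    sim_KeRaiseIrql(DISPATCH_LEVEL, &old);   /* KeAcquireSpinLock */
    g_event_seq++;
    sim_KeLowerIrql(old);                    /* KeReleaseSpinLock */
    bad_set_irql(PASSIVE_LEVEL);             /* "make the precondition true" */
    lookup_process_name(pid, name, sizeof name);
    bad_set_irql(APC_LEVEL);                 /* "put it back": guesses the caller's level */
    return g_violations - before;
}

/* Correct version: touch shared data under the lock, restore the caller's level,
 * then call the lookup only if the level we were entered at allows it. */
int handle_event_correct(unsigned pid, char *name, size_t cap) {
    KIRQL old;
    sim_KeRaiseIrql(DISPATCH_LEVEL, &old);
    unsigned seq = ++g_event_seq;
    sim_KeLowerIrql(old);
    if (sim_KeGetCurrentIrql() > APC_LEVEL)
        return EVENT_DEFERRED;               /* real driver: queue a work item instead */
    lookup_process_name(pid, name, cap);
    printf("event %u: pid %u is %s\n", seq, pid, name);
    return EVENT_LOGGED;
}

int main(void) {
    char name[32];
    sim_reset(APC_LEVEL);
    printf("wrong version from APC_LEVEL: %d violation(s)\n", handle_event_wrong(1234));
    sim_reset(APC_LEVEL);
    printf("correct version from APC_LEVEL: %s\n",
           handle_event_correct(1234, name, sizeof name) == EVENT_LOGGED ? "logged" : "deferred");
    sim_reset(DISPATCH_LEVEL);
    printf("correct version from DISPATCH_LEVEL: %s\n",
           handle_event_correct(1234, name, sizeof name) == EVENT_LOGGED ? "logged" : "deferred");
    return 0;
}
```

The stack of "raised-from" levels is what makes the rule checkable: a lower that does not pop the level pushed by the matching raise is exactly the case the article warns about, and it is the state that lingers after the wrong handler returns (the caller's level was guessed, not restored). In a real driver the equivalent check is done with SAL annotations (_IRQL_requires_max_ and friends) and Driver Verifier rather than a runtime simulation.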

What kind of kernel does MS Windows have?

I saw a question on Linux Kernel. While reading that I had this doubt.

3 Answers

The Windows NT branch of Windows has a Hybrid Kernel. It's neither a monolithic kernel where all services run in kernel mode nor a microkernel where everything runs in user space. This provides a balance between the protection gained from a microkernel and the performance that can be seen in a monolithic kernel (as there are fewer user/kernel mode context switches).

As an example, device drivers and the Hardware Abstraction Layer run in kernel mode but the Workstation service runs in user mode. The Wikipedia article on Hybrid Kernels has a good overview.

The Windows Internals book gives an explanation for the hybrid approach:

The Carnegie Mellon University Mach operating system, a contemporary example of a microkernel architecture, implements a minimal kernel that comprises thread scheduling, message passing, virtual memory, and device drivers. Everything else, including various APIs, file systems, and networking, runs in user mode. However, commercial implementations of the Mach microkernel operating system typically run at least all file system, networking, and memory management code in kernel mode. The reason is simple: the pure microkernel design is commercially impractical because it's too inefficient.
