Chapter 1: Windows Internals Overview 12
• Executive
The Executive is the upper layer of NtOskrnl.exe (the “kernel”). It hosts most of the code that runs
in kernel mode. It consists mostly of the various “managers”: Object Manager, Memory Manager,
I/O Manager, Plug & Play Manager, Power Manager, Configuration Manager, etc. It is much
larger than the lower Kernel layer.
• Kernel
The Kernel layer implements the most fundamental and time-sensitive parts of kernel mode OS
code. This includes thread scheduling, interrupt and exception dispatching, and the implementation
of various kernel primitives such as mutexes and semaphores. Some of the kernel code is written
in CPU-specific machine language for efficiency and for direct access to CPU-specific
details.
• Device Drivers
Device drivers are loadable kernel modules. Their code executes in kernel mode and so has the
full power of the kernel. This book is dedicated to writing certain types of kernel drivers.
• Win32k.sys
The “kernel mode component of the Windows subsystem”. Essentially this is a kernel module
(driver) that handles the user interface part of Windows and the classic Graphics Device Interface
(GDI) APIs. This means that all windowing operations (CreateWindowEx, GetMessage,
PostMessage, etc.) are handled by this component. The rest of the system has little to no
knowledge of UI.
• Hardware Abstraction Layer (HAL)
The HAL is an abstraction layer over the hardware closest to the CPU. It allows device drivers to
use APIs that do not require detailed and specific knowledge of things like the interrupt controller
or the DMA controller. Naturally, this layer is mostly useful for device drivers written to handle
hardware devices.
• System Processes
System processes is an umbrella term for processes that are typically “just there”, doing their
work; they are not normally communicated with directly. They are important nonetheless, and
some are in fact critical to the system’s well-being: terminating them is fatal and causes a system
crash. Some of the system processes are native processes, meaning they use the native API only
(the API implemented by NTDLL). Example system processes include Smss.exe, Lsass.exe,
Winlogon.exe, Services.exe and others.
• Subsystem Process
The Windows subsystem process, running the image Csrss.exe, can be viewed as a helper to
the kernel for managing processes running under the Windows subsystem. It is a critical process,
meaning that if it is killed, the system crashes. There is normally one Csrss.exe instance per
session, so on a standard system two instances would exist – one for session 0 and one for the
logged-on user session (typically 1). Although Csrss.exe is the “manager” of the Windows
subsystem (the only one left these days), its importance goes beyond just this role.
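The two descriptions above (system processes, and one Csrss.exe per session) can be checked on a live machine. The following PowerShell script is an added example and is not code from the book; it lists the system processes named in the text with their session IDs and parents, and flags any session that does not hold exactly one Csrss.exe instance. It assumes a standard Windows host and an elevated PowerShell session (otherwise ExecutablePath is not readable for protected processes and is reported as unavailable).

```powershell
# Added example (not from the book): baseline the system processes named in the text.
# Assumes a standard Windows host and an elevated PowerShell session.

# Process image names taken from the text above.
$systemProcessNames = 'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe'

# Win32_Process carries SessionId, ParentProcessId and ExecutablePath for every process.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name.ToLower() -in $systemProcessNames }

# Expected layout from the text: exactly one csrss.exe in session 0 and one in each
# logged-on session. Group the instances by session and flag any deviation.
function Test-CsrssPerSession {
    param([Parameter(Mandatory)] $Processes)

    $csrss = $Processes | Where-Object { $_.Name -ieq 'csrss.exe' }
    foreach ($group in ($csrss | Group-Object SessionId | Sort-Object { [int]$_.Name })) {
        [pscustomobject]@{
            SessionId = [int]$group.Name
            Instances = $group.Count
            Status    = if ($group.Count -eq 1) { 'OK' } else { 'UNEXPECTED' }
        }
    }
    # Session 0 must always be present (the text places one csrss.exe there).
    if (-not ($csrss | Where-Object SessionId -eq 0)) {
        [pscustomobject]@{ SessionId = 0; Instances = 0; Status = 'MISSING' }
    }
}

'--- csrss.exe instances per session ---'
Test-CsrssPerSession -Processes $procs | Format-Table -AutoSize

# Inventory of the remaining system processes: session, PID, parent, and whether the
# image path could be read (protected processes hide it from non-elevated callers).
'--- system process inventory ---'
$procs | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        PID       = $_.ProcessId
        SessionId = $_.SessionId
        ParentPID = $_.ParentProcessId
        Image     = if ($_.ExecutablePath) { $_.ExecutablePath } else { '(not readable)' }
    }
} | Sort-Object SessionId, Name | Format-Table -AutoSize
```

On an idle single-user system the first table shows session 0 and session 1 with one instance each; a second interactive logon (for example an RDP session) adds a further session with its own Csrss.exe, which is the per-session behaviour the text describes.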
• Hyper-V Hypervisor
(C)2019 Pavel Yosifovich