Windows Internals

User-Mode Architecture in Windows

The user-mode is the environment where applications and most system services run. It is designed to provide isolation and protection, preventing applications from directly interfering with the operating system kernel or other applications. This isolation is a cornerstone of Windows stability and security.

Key Components and Concepts

• Processes: Each running application or service is typically executed within its own process. A process is an instance of a program in execution, comprising an address space, one or more threads, and system resources. User-mode processes are protected from each other by the operating system.
• Threads: Threads are the basic units of CPU utilization within a process. A process can have multiple threads that execute concurrently. Threads share the process's address space but have their own stack and registers.
• Virtual Address Space: Each user-mode process is given its own private virtual address space. This allows applications to operate as if they have a large, contiguous block of memory, even if the physical memory is fragmented or smaller. The Memory Management Unit (MMU) and the operating system's memory manager translate virtual addresses to physical addresses.
• System Calls: User-mode applications cannot directly access hardware or critical system resources. Instead, they must request these services from the kernel through a mechanism called system calls. When a user-mode program needs to perform a privileged operation (e.g., reading a file, creating a process), it makes a system call, which transitions execution to kernel mode.
• DLLs (Dynamic Link Libraries): Many common functionalities are provided by shared DLLs. These libraries contain code and data that can be loaded and used by multiple applications simultaneously, promoting code reuse and reducing memory footprint. Examples include the Windows API (kernel32.dll, user32.dll, gdi32.dll).
• APIs (Application Programming Interfaces): The Windows API provides a set of functions and structures that user-mode applications use to interact with the operating system and access its services. These APIs are the gateway to functionality provided by both user-mode libraries and kernel-mode drivers.

Isolation and Protection

The user-mode architecture is built around the principle of isolation. This is achieved through several mechanisms:

• Memory Protection: The virtual memory system ensures that one process cannot access the memory of another process. Any attempt to do so results in an access violation, typically leading to the termination of the offending process.
• Privilege Levels: User-mode code runs at a lower privilege level (Ring 3 on x86/x64 architectures) than kernel-mode code (Ring 0). This restricts user-mode applications from executing privileged instructions or directly accessing hardware.
• Inter-Process Communication (IPC): While processes are isolated, they often need to communicate with each other. Windows provides various IPC mechanisms, such as pipes, shared memory, COM objects, and message queues, allowing controlled data exchange between processes.

User-Mode Services

Many essential Windows functionalities are implemented as user-mode services. These include:

• Service Control Manager (SCM): Manages system services, allowing them to be started, stopped, and configured. Services themselves are often implemented as executables or DLLs that run within their own processes, potentially with elevated privileges.
• Graphical User Interface (GUI) Subsystem: Components like User32.dll and GDI32.dll are responsible for drawing windows, menus, controls, and handling user input (keyboard, mouse). These run in user mode.
• .NET Framework and Other Runtimes: Managed code environments and language runtimes typically operate in user mode, providing their own layers of abstraction and services.

Interaction with Kernel Mode

The boundary between user mode and kernel mode is critical. User-mode applications interact with the kernel through:

1. System Calls: As mentioned, these are the primary means for requesting kernel services. The operating system loader, Ntdll.dll, and the Native API stubs facilitate this transition.
2. Device Drivers: While drivers primarily run in kernel mode, user-mode applications interact with hardware through driver interfaces, often via I/O Control (IOCTL) requests.

Understanding the user-mode architecture is fundamental to comprehending how applications behave, how they are protected, and how they leverage the underlying operating system for their operations.