Overview

The Windows kernel is the core component of the operating system, providing essential services such as process management, memory management, hardware abstraction, and security enforcement. It runs in privileged mode (ring‑0) and interacts directly with hardware and low‑level system components.

Kernel Architecture

Windows employs a layered architecture that separates concerns between the kernel and user‑mode components.

• Executive – High‑level services (Object Manager, I/O Manager, etc.)
• Kernel Mode (NTOSKRNL) – Scheduler, dispatcher, low‑level memory manager.
• Hal (Hardware Abstraction Layer) – Provides a uniform interface to underlying hardware platforms.

Synchronization Primitives

The kernel provides several mechanisms to coordinate access to shared resources:

Memory Management

Windows employs a virtual memory system where each process has its own address space. Key components include:

• Paged Pool – Memory that may be paged to disk.
• Non‑paged Pool – Memory that must remain resident.
• System Page Table – Maps virtual to physical pages.
• PFN Database – Tracks the state of each physical page.

// Example: Allocating non‑paged pool memory in a driver
PVOID buffer = ExAllocatePoolWithTag(NonPagedPoolNx, 256, 'dKnM');
if (buffer) {
    RtlZeroMemory(buffer, 256);
    // use buffer
    ExFreePoolWithTag(buffer, 'dKnM');
}

I/O Request Packets (IRPs)

IRPs are the primary mechanism for communication between the I/O manager and drivers. An IRP contains a stack of IO_STACK_LOCATION structures, each representing a driver’s view of the request.

NTSTATUS
MyDriver_DispatchRead(
    _In_ PDEVICE_OBJECT DeviceObject,
    _Inout_ PIRP Irp
    )
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

Further Reading

• Windows Driver Development – Kernel
• NTIFS API Reference
• Windows Kernel Architecture Overview