Windows Kernel Processes - MSDN Documentation

Understanding Windows Processes

A process is an instance of an executing program. It is the fundamental unit of resource allocation and execution within the Windows operating system. Each process has its own independent virtual address space, handles to system resources, and security context.

Process Structure

The Windows kernel represents a process using the Executive Process Block (EPROCESS) structure. This structure contains information about the process, including:

Process ID (PID)
Parent Process ID
Image name
Virtual address space
Handle table
Security token
List of threads belonging to the process
Exit status

Process Creation

Processes are typically created using the CreateProcess API function. This function:

Allocates memory for the new process's address space.
Creates the primary thread for the process.
Loads the executable image into the process's address space.
Initializes the process environment.
Returns a handle to the new process and its primary thread.

The kernel manages the creation and destruction of processes, ensuring proper resource allocation and cleanup.

Process Termination

A process can terminate in several ways:

It exits voluntarily by calling the ExitProcess API.
Another process terminates it using functions like TerminateProcess.
The system terminates it due to an unhandled exception or error.

When a process terminates, the kernel reclaims all its resources, including memory, handles, and I/O buffers.

Inter-Process Communication (IPC)

Processes can communicate with each other through various mechanisms, collectively known as Inter-Process Communication (IPC):

Pipes: Anonymous or named communication channels.
Memory-Mapped Files: Sharing memory regions between processes.
Sockets: Network communication.
Remote Procedure Calls (RPC): Invoking functions in another process.
Windows Messages: Sending messages between application windows.

Important Note: Each process operates in its own isolated memory space, preventing direct memory corruption between unrelated applications. Security is a primary concern, and mechanisms like the Security Reference Monitor (SRM) ensure that processes only access resources they are authorized to use.

Kernel-Level Details

At the kernel level, process management is handled by the Object Manager and the Process Manager components. The scheduler assigns CPU time to threads within processes, and memory management ensures that each process has a contiguous view of its own virtual address space.

For more in-depth information on specific kernel structures and APIs related to process management, refer to the following: