MSDN - Microsoft Developer Network

Documentation on Windows Architecture

Windows Operating System Architecture

Understanding the architecture of the Windows operating system is fundamental for developers aiming to build robust, efficient, and secure applications. Windows employs a complex, layered architecture designed to provide abstraction, manage system resources, and ensure stability.

This document provides an overview of the core components and their interactions, covering the user mode and kernel mode separation, key subsystems, and the role of the Windows kernel.

Modes of Operation: User Mode vs. Kernel Mode

Windows architecture is built around a crucial separation between user mode and kernel mode. This separation is a security and stability mechanism, preventing applications from directly accessing critical system hardware or memory that could destabilize the entire operating system.

User Mode

User mode is the environment where most applications and services run. Processes running in user mode have limited access to hardware and system resources. They must request these resources through the operating system's kernel via system calls. This isolation ensures that a crash in one application does not affect the entire system.

Kernel Mode

Kernel mode, also known as supervisor mode or privileged mode, has direct and unrestricted access to all hardware and memory. The Windows kernel (NTOSKRNL.EXE) and its drivers run in this mode. This includes core OS services like memory management, process and thread scheduling, I/O operations, and device driver management.

Diagram illustrating User Mode and Kernel Mode separation in Windows Architecture

Key Architectural Components

The Windows architecture is composed of several interconnected layers and components that work together to deliver the operating system's functionality.

Hardware Abstraction Layer (HAL)

The HAL (hal.dll) is a layer of software that abstracts the hardware-specific details from the rest of the Windows kernel. This allows Windows to run on a wide variety of hardware configurations without significant modifications to the kernel itself. It presents a consistent interface to the kernel regardless of the underlying processor, bus architecture, or devices.

Kernel Executive

The Windows kernel executive is the core of the kernel mode. It comprises several managers responsible for fundamental OS services:

  • I/O Manager: Manages all input and output operations, interacting with device drivers and the HAL.
  • Plug and Play Manager: Detects and configures hardware devices.
  • Power Manager: Manages system power states.
  • Object Manager: Manages kernel objects such as processes, threads, files, and events.
  • Process Manager: Creates and terminates processes and threads.
  • Virtual Memory Manager: Manages physical and virtual memory, including paging.
  • Security Reference Monitor: Enforces security policies.
  • Cache Manager: Optimizes file system I/O by caching data.

Kernel Layer

Beneath the executive sits the kernel layer, which includes:

  • Microkernel: Handles low-level thread scheduling, interrupt handling, and synchronization primitives.
  • Executive Dispatcher: Manages the flow of control between kernel components.

Device Drivers

Device drivers are kernel-mode components that translate generic I/O requests from the I/O Manager into hardware-specific commands. They are critical for enabling the OS to communicate with hardware devices like graphics cards, network adapters, and storage devices.

Environment Subsystems

These subsystems run in user mode and provide an API that applications use to interact with the operating system. Windows supports multiple environment subsystems, though the Win32 subsystem is the primary one for modern Windows applications.

  • Win32 Subsystem: The primary environment for Windows applications. It includes the Win32 API, graphical device interface (GDI), and the user interface.
  • Older subsystems like OS/2 and POSIX were supported in earlier versions but are largely deprecated.

System Processes

Several critical processes run in user mode, including:

  • csrss.exe (Client/Server Runtime Subsystem): Manages console windows, graphics, and certain Win32 processes.
  • smss.exe (Session Manager Subsystem): Manages user logins and session creation.
  • lsass.exe (Local Security Authority Subsystem Service): Handles security policy, user authentication, and access tokens.
  • services.exe (Service Control Manager): Manages background services.

System Calls and API Interaction

Applications in user mode interact with the kernel by making system calls. When an application needs to perform an operation that requires kernel privileges (e.g., reading a file, creating a process), it calls a function in a Win32 API library (like kernel32.dll or user32.dll).

These libraries then transition the processor from user mode to kernel mode, passing control to the kernel executive. The kernel performs the requested operation and returns the result to the application, transitioning back to user mode. This transition mechanism is often referred to as a "transition to kernel mode" or a "system call." 


// Example of a user-mode application calling a system service
HANDLE hFile = CreateFile("my_file.txt", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile != INVALID_HANDLE_VALUE) {
    // File opened successfully, further I/O operations can be performed
    CloseHandle(hFile);
}

Further Reading