- Great Painters
- Accounting
- Fundamentals of Law
- Marketing
- Shorthand
- Concept Cars
- Videogames
- The World of Sports

- Blogs
- Free Software
- Google
- My Computer

- PHP Language and Applications
- Wikipedia
- Windows Vista

- Education
- Masterpieces of English Literature
- American English

- English Dictionaries
- The English Language

- Medical Emergencies
- The Theory of Memory
- The Beatles
- Dances
- Microphones
- Musical Notation
- Music Instruments
- Batteries
- Nanotechnology
- Cosmetics
- Diets
- Vegetarianism and Veganism
- Christmas Traditions
- Animals

- Fruits And Vegetables


  1. Architecture of Windows NT
  2. AutoPlay
  3. Bill Gates
  4. BitLocker Drive Encryption
  5. Calibri
  6. Cambria
  7. Candara
  8. Chess Titans
  9. ClearType
  10. Consolas
  11. Constantia
  12. Control Panel
  13. Corbel
  14. Criticism of Windows Vista
  15. Dashboard
  16. Desktop Window Manager
  17. Development of Windows Vista
  18. Digital locker
  19. Digital rights management
  20. Extensible Application Markup Language
  21. Features new to Windows Vista
  22. Graphical user interface
  23. Group Shot
  24. ImageX
  25. INI file
  26. Internet Explorer
  27. Internet Information Services
  28. Kernel Transaction Manager
  29. List of Microsoft software codenames
  30. List of Microsoft Windows components
  31. List of WPF applications
  32. Luna
  33. Mahjong Titans
  34. Meiryo
  35. Microsoft Assistance Markup Language
  36. Microsoft Expression Blend
  37. Microsoft Expression Design
  38. Microsoft Gadgets
  39. Microsoft Software Assurance
  40. Microsoft Virtual PC
  41. Microsoft Visual Studio
  42. Microsoft Windows
  43. Microsoft Windows Services for UNIX
  44. MS-DOS
  45. MSN
  46. MUI
  47. Object manager
  48. Operating system
  49. Original Equipment Manufacturer
  50. Outlook Express
  51. Peer Name Resolution Protocol
  52. Protected Video Path
  53. Purble Place
  54. ReadyBoost
  55. Recovery Console
  56. Remote Desktop Protocol
  57. Security and safety features of Windows Vista
  58. Segoe UI
  59. User Account Control
  60. WIM image format
  61. Windows Aero
  62. Windows Anytime Upgrade
  63. Windows Calendar
  64. Windows CE
  65. Windows Communication Foundation
  66. Windows Disk Defragmenter
  67. Windows DreamScene
  68. Windows DVD Maker
  69. Windows Explorer
  70. Windows Fax and Scan
  71. Windows Forms
  72. Windows Fundamentals for Legacy PCs
  73. Windows Hardware Engineering Conference
  74. Windows Live
  75. Windows Live Gallery
  76. Windows Live Mail Desktop
  77. Windows Mail
  78. Windows Media Center
  79. Windows Media Player
  80. Windows Meeting Space
  81. Windows Mobile
  82. Windows Movie Maker
  83. Windows Photo Gallery
  84. Windows Presentation Foundation
  85. Windows Registry
  86. Windows Rights Management Services
  87. Windows Security Center
  88. Windows Server Longhorn
  89. Windows Server System
  90. Windows SharePoint Services
  91. Windows Shell
  92. Windows Sidebar
  93. Windows SideShow
  94. Windows System Assessment Tool
  95. Windows System Recovery
  96. Windows Update
  97. Windows Vienna
  98. Windows Vista
  99. Windows Vista editions and pricing
  100. Windows Vista Startup Process
  101. Windows Workflow Foundation
  102. Windows XP
  103. Windows XP Media Center Edition
  104. XML Paper Specification
  105. Yahoo Widget Engine

This article is from:

All text is available under the terms of the GNU Free Documentation License: 

Architecture of Windows NT

From Wikipedia, the free encyclopedia


Windows Vista, Windows Server 2003, Windows XP, Windows 2000 and Windows NT are all part of the Windows NT family of Microsoft operating systems. They are all preemptive, reentrant operating systems, which have been designed to work with either uniprocessor- or symmetrical multi processor (SMP)-based computers. To process input/output (I/O) requests it uses packet-driven I/O which utilises I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began building in 64-bit support into their operating systems before this their operating systems were based on a 32-bit model. The architecture of Windows NT is highly modular, and consists of two main layers: a user mode and a kernel mode. Programs and subsystems in user mode are limited in terms of what system resources they have access to, while the kernel mode has unrestricted access to the system memory and external devices. The kernels of the operating systems in this line are all known as hybrid kernels - although it is worth noting that this term is disputed, with the claim that the kernel is essentially a monolithic kernel that is structured somewhat like a microkernel. The architecture is comprised of a hybrid kernel, Hardware Abstraction Layer (HAL), drivers, and Executive, which all exist in kernel mode [1]. The higher-level services are implemented by the executive.

Kernel mode in the Windows NT line is made of subsystems capable of passing I/O requests to the appropriate kernel mode software drivers by using the I/O manager. Two subsystems make up the user mode layer of Windows 2000: the Environment subsystem (runs applications written for many different types of operating systems), and the Integral subsystem (operates system specific functions on behalf of the environment subsystem). Kernel mode in Windows 2000 has full access to the hardware and system resources of the computer. The kernel mode stops user mode services and applications from accessing critical areas of the operating system that they should not have access to.

The Executive interfaces with all the user mode subsystems. It deals with I/O, object management, security and process management. The kernel sits between the Hardware Abstraction Layer and the Executive to provide multiprocessor synchronization, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching. The kernel is also responsible for initialising device drivers at bootup. Kernel mode drivers exist in three levels: highest level drivers, intermediate drivers and low level drivers. Windows Driver Model (WDM) exists in the intermediate layer and was mainly designed to be binary and source compatible between Windows 98 and Windows 2000. The lowest level drivers are either legacy Windows NT device drivers that control a device directly or can be a PnP hardware bus.

User mode

The user mode is made up of subsystems which can pass I/O requests to the appropriate kernel mode drivers via the I/O manager (which exists in kernel mode). Two subsystems make up the user mode layer of Windows 2000: the Environment subsystem and the Integral subsystem.

The environment subsystem was designed to run applications written for many different types of operating systems. None of the environment subsystems can directly access hardware, and must request access to memory resources through the Virtual Memory Manager that runs in kernel mode. Also, applications run at a lower priority than kernel mode processes. Currently, there are three main environment subsystems: the Win32 subsystem, an OS/2 subsystem and a POSIX subsystem.

The Win32 environment subsystem can run 32-bit Windows applications. It contains the console as well as text window support, shutdown and hard-error handling for all other environment subsystems. It also supports Virtual DOS Machines (VDMs), which allow MS-DOS and 16-bit Windows 3.x (Win16) applications to run on Windows. There is a specific MS-DOS VDM which runs in its own address space and which emulates an Intel 80486 running MS-DOS 5. Win16 programs, however, run in a Win16 VDM. Each program, by default, runs in the same process, thus using the same address space, and the Win16 VDM gives each program its own thread to run on. However, Windows 2000 does allow users to run a Win16 program in a separate Win16 VDM, which allows the program to be preemptively multitasked as Windows 2000 will pre-empt the whole VDM process, which only contains one running application. The OS/2 environment subsystem supports 16-bit character-based OS/2 applications and emulates OS/2 1.x, but not 32-bit or graphical OS/2 applications as used with OS/2 2.x or later. The POSIX environment subsystem supports applications that are strictly written to either the POSIX.1 standard or the related ISO/IEC standards.

The integral subsystem looks after operating system specific functions on behalf of the environment subsystem. It consists of a security subsystem, a workstation service and a server service. The security subsystem deals with security tokens, grants or denies access to user accounts based on resource permissions, handles logon requests and initiates logon authentication, and determines which system resources need to be audited by Windows 2000. It also looks after Active Directory. The workstation service is an API to the network redirector, which provides the computer access to the network. The server service is an API that allows the computer to provide network services.

Kernel mode

Windows 2000 kernel mode has full access to the hardware and system resources of the computer and runs code in a protected memory area. It controls access to scheduling, thread prioritisation, memory management and the interaction with hardware. The kernel mode stops user mode services and applications from accessing critical areas of the operating system that they should not have access to as user mode processes ask the kernel mode to perform such operations on its behalf.

Kernel mode consists of executive services, which is itself made up on many modules that do specific tasks, kernel drivers, a kernel and a Hardware Abstraction Layer, or HAL.


The Executive interfaces with all the user mode subsystems. It deals with I/O, object management, security and process management. It's informally divided into several subsystems, among which Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call (LPC), Memory Manager, Object Manager, Process Structure and Security Reference Monitor (SRM). Grouped together, the components can be called Executive services (internal name Ex). System Services (internal name Nt), i.e. system calls, are implemented at this level, too, except very few that call directly into the kernel layer for better performance.

Each object in Windows 2000 exists in a global namespace. This is a screenshot from SysInternals' WinObj
Each object in Windows 2000 exists in a global namespace. This is a screenshot from SysInternals' WinObj

The Object Manager (internal name Ob) is a special executive subsystem that all other executive subsystems, especially system calls, must pass through to gain access to Windows 2000 resources essentially making it a resource management infrastructure service.

The object manager is used to reduce the duplication of object resource management functionality in other executive subsystems, which could potentially lead to bugs and make development of Windows 2000 harder.[2] To the object manager, each resource is an object, whether that resource is a physical resource (such as a file system or peripheral) or a logical resource (such as a file). Each object has a structure or object type that the object manager must know about.

Object creation is a process in two phases, creation and insertion. Creation causes the allocation of an empty object and the reservation of any resources required by the object manager, such as an (optional) name in the namespace. If creation was successful, the subsystem responsible for the creation fills in the empty object.[3] Finally, if the subsystem deems the initialization successful, it instructs the object manager to insert the object, which makes it accessible through its (optional) name or a cookie called a handle. From then on, the lifetime of the object is handled by the object manager, and it's up to the subsystem to keep the object in a working condition until being signaled by the object manager to dispose of it.

Handles are similar in purpose to UNIX file descriptors, in that each represents a reference to a kernel resource through an opaque value. Similarly, opening an object through its name is subject to security checks, but acting through an existing, open handle is only limited to the level of access requested when the object was opened or created.

Object types define the object procedures and any data specific to the object. In this way, the object manager allows Windows 2000 to be an object oriented operating system, as object types can be thought of as polymorphic classes that define objects. Most subsystems, though, with a notable exception in the I/O Manager, rely on the default implementation for all object type procedures.

Each instance of an object that is created stores its name, parameters that are passed to the object creation function, security attributes and a pointer to its object type. The object also contains an object close procedure and a reference count to tell the object manager how many other objects in the system reference that object and thereby determines whether the object can be destroyed when a close request is sent to it.[4] Every named object exists in a hierarchical object namespace.

Further executive subsystems are the following:

  • Cache Controller (internal name Cc): closely coordinates with the Memory Manager, I/O Manager and I/O drivers to provide a common cache for regular file I/O. Uniquely, the Windows Cache Manager operates on file blocks (rather than device blocks), for consistent operation between local and remote files, and ensures a certain degree of coherency with memory-mapped views of files, since cache blocks are a special case of memory-mapped views and cache misses a special case of page faults.
A long-standing issue in the existing implementation is how it doesn't explicitely dispose of long-unused blocks, relying instead on the page allocation algorithm of the memory manager to eventually discard them from physical memory. As an effect, the cache sometimes grows indiscriminately, forcing other memory to be paged out, often preempting the very process that initiated the I/O, which ends up spending most of its running time serving page faults. This is most visible when copying large files
  • Configuration Manager (internal name Cm): implements the Windows registry.
  • I/O Manager (internal name Io): allows devices to communicate with user-mode subsystems. It translates user-mode read and write commands in read or write IRPs which it passes to device drivers. It accepts file system I/O requests and translates them into device specific calls, and can incorporate low-level device drivers that directly manipulate hardware to either read input or write output. It also includes a cache manager to improve disk performance by caching read requests and write to the disk in the background.
  • Local Procedure Call (LPC) (internal name Lpc): provides inter-process communication ports with connection semantics. LPC ports are used by user-mode subsystems to communicate with their clients, by Executive subsystems to communicate with user-mode subsystems, and as the basis for the local transport for MSRPC.
  • Memory Manager (internal name Mm): manages virtual memory, controlling memory protection and the paging of memory in and out of physical memory to secondary storage, and implements a general-purpose allocator of physical memory. It also implements a parser of PE executables that lets an executable be mapped or unmapped in a single, atomic step.
Starting from Windows NT Server 4.0, Terminal Server Edition, the memory manager implements a so-called session space, a range of kernel-mode memory that is subject to context switching just like user-mode memory. This lets multiple instances of the kernel-mode Win32 subsystem and GDI drivers run side-by-side, despite shortcomings in their initial design. Each session space is shared by several processes, collectively referred to as a "session".
To ensure a degree of isolation between sessions without introducing a new object type, the association between processes and sessions is handled by the Security Reference Monitor, as an attribute of a security subject (token), and it can only be changed while holding special privileges.
The relatively unsophisticated and ad-hoc nature of sessions is due to the fact they weren't part of the initial design, and had to be developed, with minimal disruption to the main line, by a third party (Citrix) as a prerequisite for their terminal server product for Windows NT, called WinFrame. Starting with Windows Vista, though, sessions finally became a proper aspect of the Windows architecture. No longer a memory manager construct that creeps into user mode indirectly through Win32, they were expanded into a pervasive abstraction affecting most Executive subsystems. As a matter of fact, regular use of Windows Vista always results in a multi-session environment.[5]
  • Process Structure (internal name Ps): handles process and thread creation and termination, and it implements the concept of Job, a group of processes that can be terminated as a whole, or be placed under shared restrictions (such a total maximum of allocated memory, or CPU time).
  • PnP Manager (internal name Pnp): handles Plug and Play and supports device detection and installation at boot time. It also has the responsibility to stop and start devices on demand this can happen when a bus (such as USB or FireWire) gains a new device and needs to have a device driver loaded to support it. Its bulk is actually implemented in user mode, in the Plug and Play Service, which handles the often complex tasks of installing the appropriate drivers, notifying services and applications of the arrival of new devices, and displaying GUI to the user.
  • Power Manager (internal name Po): deals with power events (power-off, stand-by, hibernate, etc.) and notifies affected drivers with special IRPs (Power IRPs).
  • Security Reference Monitor (SRM) (internal name Se): the primary authority for enforcing the security rules of the security integral subsystem.[6] It determines whether an object or resource can be accessed, via the use of access control lists (ACLs), which are themselves made up of access control entries (ACEs). ACEs contain a security identifier (SID) and a list of operations that the ACE gives a select group of trustees a user account, group account, or logon session[7] permission (allow, deny, or audit) to that resource.[8][9]



The kernel sits between the HAL and the Executive and provides multiprocessor synchronization, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching; it is also responsible for initialising device drivers at bootup that are necessary to get the operating system up and running. That is, the kernel performs almost all the tasks of a traditional microkernel; the strict distinction between Executive and Kernel is the most prominent remain of the original microkernel design, and historical design documentation consistently refers to the kernel component as "the microkernel".

The kernel often interfaces with the process manager [10]. The level of abstraction is such that the kernel never calls into the process manager, only the other way around (save for a handful of corner cases, still never to the point of a functional dependence).

Kernel-mode drivers

Windows 2000 uses kernel-mode device drivers to enable it to interact with hardware devices. Each of the drivers has well defined system routines and internal routines that it exports to the rest of the operating system. All devices are seen by user mode code as a file object in the I/O manager, though to the I/O manager itself the devices are seen as device objects, which it defines as either file, device or driver objects. Kernel mode drivers exist in three levels: highest level drivers, intermediate drivers and low level drivers. The highest level drivers, such as file system drivers for FAT and NTFS, rely on intermediate drivers. Intermediate drivers consist of function drivers or main driver for a device that are optionally sandwiched between lower and higher level filter drivers. The function driver then relies on a bus driver or a driver that services a bus controller, adapter, or bridge which can have an optional bus filter driver that sits between itself and the function driver. Intermediate drivers rely on the lowest level drivers to function. The Windows Driver Model (WDM) exists in the intermediate layer. The lowest level drivers are either legacy Windows NT device drivers that control a device directly or can be a PnP hardware bus. These lower level drivers directly control hardware and do not rely on any other drivers.

Hardware abstraction layer

The Windows 2000 Hardware Abstraction Layer, or HAL, is a layer between the physical hardware of the computer and the rest of the operating system. It was designed to hide differences in hardware and therefore provide a consistent platform on which applications may run. The HAL includes hardware-specific code that controls I/O interfaces, interrupt controllers and multiple processors.

In particular, "hardware abstraction" does not involve abstracting the instruction set, which generally falls under the wider concept of portability. Abstracting the instruction set, when necessary (such as for handling the several revisions to the x86 instruction set, or emulating a missing math coprocessor), is performed by the kernel.

Despite its purpose and designated place within the architecture, though, the HAL isn't a layer that sits entirely below the kernel the way the kernel sits below the Executive: all known HAL implementations depend in some measure on the kernel, or even the Executive. In practice, this means kernel and HAL variants come in matching sets, specifically engineered to work together.

Notes & references

  1.   MCSE Exam 70-215, Microsoft Windows 2000 Server. Chapter 1, Introduction to Microsoft Windows 2000, pg 7-18.
  2.   Mark Russinovich (October 1997). Inside NT's Object Manager. Introduction.
  3.   Mark Russinovich (October 1997). Inside NT's Object Manager. "Object Types".
  4.   Mark Russinovich (October 1997). Inside NT's Object Manager. "Objects".
  5.   Microsoft. "Active Directory Data Storage".
  6.   MSDN. Trustee definition.
  7.   Siyan, Kanajit S., 2000.
  8.   MSDN. ACE definition.
  9.   Inside Microsoft Windows 2000 (Third Edition). Microsoft Press. Pages 543-551.
  10.   Microsoft. "Impact of Session 0 Isolation on Services and Drivers in Windows Vista".
  • Finnel, Lynn (2000). MCSE Exam 70-215, Microsoft Windows 2000 Server. Microsoft Press. ISBN 1-57231-903-8.
  • Russinovich, Mark. "Inside NT's Object Manager", Windows IT Pro, October 1997.
  • Microsoft. "Active Directory Data Storage". Retrieved May 9, 2005.
  • Salomon, David; & Russinovich, Mark E. (2000). Inside Microsoft Windows 2000 (Third Edition). Microsoft Press. ISBN 0-7356-1021-5. 
  • Siyan, Kanajit S. (2000). "Windows 2000 Professional Reference". New Riders. ISBN 0-7357-0952-1.

External links

  • Microsoft's official Windows 2000 site
  • Windows 2000 Plug and Play architecture
Retrieved from ""