The registry is stored on disk as several different files called "hives." One, the System hive, is loaded early in the boot sequence and provides configuration information required at that time. Additional registry hives, providing software-specific and user-specific data, are loaded during later
Windows Registry is a repository for configuration and settings information for the operating system and for other software, such as applications. It can be thought of as a filesystem optimized for small files. However, it is not accessed through file system-like semantics, but rather through a
One notable feature of NT's interrupt handling is that interrupts are usually conditionally masked based on their priority (called "IRQL"), instead of disabling all IRQs via the interrupt flag. This permits various kernel components to carry on critical operations without necessarily blocking
into two regions. The lower part, starting at zero, is instantiated separately for each process and is accessible from both user and kernel mode. Application programs run in processes and supply code that runs in user mode. The upper part is accessible only from kernel mode, and with some exceptions, is instantiated just once, system-wide. Ntoskrnl.exe is mapped into this region, as are several other kernel mode components. This region also contains data used by kernel mode code, such as the kernel mode heaps and the file system cache.
The pointer's destination contains information about the hardware, the path to the Windows Registry file, kernel parameters containing boot preferences or options that change the behavior of the kernel, path of the files loaded by the bootloader (
, and CPUs without PAE. Windows setup decides whether the system is uniprocessor or multiprocessor, then installs both the PAE and non-PAE variants of the kernel image for the decided kind. On a multiprocessor system, Setup installs
The entire physical memory (RAM) address range is broken into many small blocks also called pages, 4KB in size each, and mapped to virtual addresses. A few of the properties of each block are stored in structures called
entries, which are managed by the OS and accessed by the processor's hardware. Page tables are organized into a tree structure, and the physical page number of the top-level table is stored in control register 3 (CR3).
registry hive. That key stores device drivers, kernel processes and user processes. They are all collectively called "services" and are all stored mixed in the same place.
is set, the processor's hardware looks for an interrupt handler in the table entry corresponding to the interrupt number, which in turn has been translated from
The main entry point of ntoskrnl.exe performs some system-dependent initialization, then calls a system-independent initialization, then enters an idle loop.
-independent kernel initialization function. Because it requires a static copy of the C Runtime objects, the executable is usually about 10 MB in size.
font). The definition of this structure can be retrieved by using the kernel debugger or downloading it from the Microsoft symbol database.
Windows kernel's architecture is structured so that everything is easy to understand. Functions and global variables use the so-called
During initialization or upon driver load request, the kernel traverses that tree looking for services tagged as kernel services.
versions of the kernel, one example of such a software interrupt handler (of which there are many) is in its IDT table entry 2E
This article is about a computer file that contains a part of the Windows NT kernel. For the Windows NT kernel itself, see
in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in
Variations of these prefixes exist for internal functions that are not being exported by the kernel, such as adding an
(x64 variants of ntoskrnl.exe have these DLLs embedded in the kernel to improve performance). However, it is not a
, i.e., many utility functions that can be used by native applications, yet don't directly involve kernel support
The interrupt table contains handlers for hardware interrupts, software interrupts, and exceptions. For some
Modern operating systems use interrupts instead of I/O port polling to wait for information from devices.
, interrupts are handled through the Interrupt Dispatch Table (IDT). When a device triggers an interrupt
Both functions have different prefix names to differentiate critical managers within the kernel code:
ready. But since it does not know the address of each one, it has to load them one by one to fill the
formatting with special (additional) prefixes in their names to differentiate parts of the kernel.
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
Practical Reverse Engineering Using X86, X64, Arm, Windows Kernel, and Reversing Tools
and earlier, the Windows installation source ships four kernel image files to support
This article is about NT implementation of interrupt handlers. For other uses, see
, an internal, undocumented, interprocess or user/kernel message passing mechanism
A set of debugging functions that are being exposed to user mode through ntdll.dll
This article is about NT implementation of a memory manager. For other uses, see
(3rd ed.). Upper Saddle River, N.J.: Pearson Prentice Hall. p. 829.
specialized set of APIs, implemented in kernel mode and exposed to user mode.
before handling it and restore them back to their original values when done.
Starting with Windows Vista, Microsoft began unifying the kernel images as
and corresponding header in executable image is required for this feature.
"What is IRQL and why is it important? | Ask the Performance Team Blog"
The list of drivers to be loaded from the disk is retrieved from the
phases of system initialization and during user login, respectively.
, the kernel receives the system already in protected mode, with the
When the kernel receives control, it gets a struct-type pointer from
In addition to the kernel and executive layers, it contains the
Interrupt handlers usually save some subset of the state of
In the real implementation the entry points to an internal
For newer versions, different mechanisms making use of
Nls for Native Language Support (similar to code pages).
Debugging aid functions, such as a software break point
Bruce Dang; Alexandre Gazet; Elias Bachaalany (2014).
manager, security reference monitor, memory manager,
Windows executive, an "outer layer" of Ntoskrnl.exe
1581:Driver Development Part 1: Introduction to Drivers
1571:Inside the Windows Vista Kernel (TechNet Magazine)
1391:"Nt vs. Zw - Clearing Confusion On The Native API"
516:Configuration Manager, the kernel mode side of
1601:
270:took to the market and PAE became mandatory.
8:
1151:key of the current control set's key in the
1026:services of peripherals and other devices.
3338:
2862:
1608:
1594:
1586:
1522:(3rd ed.). Upper Saddle River, N.J.:
472:
272:
855:variants ensure kernel mode, whereas the
847:. When calling the functions directly in
470:The following table lists all prefixes.
1225:
1184:
885:for character encoding conversion, and
192:x86 versions of ntoskrnl.exe depend on
1338:"Core Kernel Library Support Routines"
1282:"File System Runtime Library Routines"
184:(the prose and portions of the code).
3215:Next-Generation Secure Computing Base
7:
1004:information published by Microsoft)
957:chips, or in more modern hardwares,
851:(only possible in kernel mode), the
458:for “Kernel Internal”) or appending
216:. Instead, ntoskrnl.exe has its own
54:adding citations to reliable sources
2344:Distributed Transaction Coordinator
1443:. John Wiley & Sons Inc. 2014.
2675:User Interface Privilege Isolation
1389:The NT Insider (August 27, 2003).
1209:Windows Internals Book 7th edition
14:
1234:Systems Internals Tips and Trivia
466:for “Process Support Internal”).
3337:
3327:
3326:
30:
2404:Remote Differential Compression
1420:"struct LOADER_PARAMETER_BLOCK"
1401:(4). OSR Open Systems Resources
41:needs additional citations for
3260:Windows System Assessment Tool
1464:CC Hameed (January 22, 2008).
1059:Virtual Address Space Layouts
1022:instruction are used instead.
454:after the first letter (e.g.,
241:symmetric multiprocessor (SMP)
210:thus it is not linked against
1:
1576:struct LOADER_PARAMETER_BLOCK
1518:Tanenbaum, Andrew S. (2008).
1489:Tanenbaum, Andrew S. (2008).
827:are system calls declared in
760:management (task management)
2549:Open XML Paper Specification
2409:Remote Installation Services
1617:Microsoft Windows components
1101:(until Windows 8.1 Update 2)
571:File system runtime library
2701:Windows Subsystem for Linux
2660:Mandatory Integrity Control
2414:Windows Deployment Services
2211:Wireless Zero Configuration
1106:(from Windows 8.1 Update 3)
3386:
2803:Universal Windows Platform
2509:Kernel Transaction Manager
2494:Hardware Abstraction Layer
2191:Multimedia Class Scheduler
1173:Windows NT Startup Process
1168:Architecture of Windows NT
1140:
1121:
1050:Microsoft Windows divides
1033:
922:
462:to the full prefix (e.g.,
21:Architecture of Windows NT
18:
3322:
3255:Windows Services for UNIX
2640:Data Execution Prevention
2489:Graphics Device Interface
2379:Network Access Protection
1998:Remote Desktop Connection
1623:
1082:
1077:
429:ObReferenceObjectByHandle
359:
302:
278:
160:, and is responsible for
2620:Security and Maintenance
2564:Security Account Manager
2158:Windows XP visual styles
1520:Modern Operating Systems
1491:Modern operating systems
1366:"Power Manager Routines"
1254:"Cache Manager Routines"
1238:SysInternals Information
679:Local Security Authority
156:layers of the Microsoft
3205:Media Control Interface
3039:Help and Support Center
2655:Kernel Patch Protection
2419:System Resource Manager
2399:Remote Desktop Services
2394:Print Services for UNIX
2176:Service Control Manager
1786:Windows Error Reporting
1706:DirectX Diagnostic Tool
1211:, the boot-time option
274:Kernel image filenames
16:Windows NT kernel image
3185:Desktop Cleanup Wizard
2761:COM Structured storage
2462:Desktop Window Manager
2354:Windows Media Services
1310:"I/O Manager Routines"
2813:Windows Mixed Reality
2484:Enhanced Write Filter
2334:Roaming user profiles
1524:Pearson Prentice Hall
1470:Microsoft Corporation
1370:Microsoft Corporation
1362:Microsoft Corporation
1342:Microsoft Corporation
1334:Microsoft Corporation
1314:Microsoft Corporation
1306:Microsoft Corporation
1286:Microsoft Corporation
1278:Microsoft Corporation
1258:Microsoft Corporation
1250:Microsoft Corporation
1141:Further information:
1122:Further information:
1067:MmHighestUserAddress
1052:virtual address space
597:Core kernel routines
475:NT favorable prefixes
144:), also known as the
3094:Mobile Device Center
3044:Health & Fitness
2842:Solitaire Collection
2670:User Account Control
2665:Protected Media Path
2569:Server Message Block
2519:Logical Disk Manager
1771:System Policy Editor
1756:System Configuration
663:Local Procedure Call
255:but renames them to
237:uniprocessor systems
182:blue screen of death
162:hardware abstraction
50:improve this article
3240:Virtual DOS machine
2584:System Idle Process
2559:Resource Protection
2467:Portable Executable
2359:Active DRM Services
1761:System File Checker
1731:Performance Monitor
1110:0xffff8000'00000000
1104:0x00007fff'ffffffff
1099:0x000007ff'ffffffff
1070:MmSystemRangeStart
1060:
835:. When called from
477:
275:
243:systems, CPUs with
3245:Windows on Windows
2969:Backup and Restore
2781:Transaction Server
2499:I/O request packet
2339:Folder redirection
2008:Speech Recognition
1766:System Information
1721:Management Console
1058:
925:Interrupt handling
919:Interrupt handling
793:for the Win32 API
789:Security Manager,
693:Memory management
622:related functions
608:Interrupt handling
503:File system cache
473:
273:
208:native application
180:(Dispatcher), and
3365:Windows NT kernel
3352:
3351:
3278:
3277:
3235:Video for Windows
3190:Games for Windows
3059:Internet Explorer
2153:Windows Spotlight
1796:Windows Installer
1216:
1115:
1114:
1036:memory management
986:assembly language
863:
862:
859:variants do not.
632:Kernel streaming
620:context switching
413:
412:
224:" that calls the
170:memory management
158:Windows NT kernel
126:
125:
118:
100:
3377:
3341:
3340:
3330:
3329:
3250:Windows SideShow
3029:Food & Drink
2923:Spider Solitaire
2863:
2756:ActiveX Document
2724:Active Scripting
2680:Windows Firewall
2635:Credential Guard
2314:Active Directory
2111:Indexing Service
1741:Resource Monitor
1736:Recovery Console
1232:Russinovich, M:
1230:
1214:
1207:As mentioned in
1206:
1200:
1198:
1194:
1189:
1154:
1150:
1124:Windows Registry
1111:
1105:
1100:
1085:
1080:
1061:
1021:
1011:
1007:
991:
935:x86 architecture
894:x86 architecture
739:power management
518:Windows Registry
510:
497:
487:Internal Prefix
136:operating system
3286:Microsoft Store
3284:
3274:
3220:POSIX subsystem
3200:File Protection
3173:
3144:Program Manager
3129:Phone Companion
3119:Outlook Express
3069:Make Compatible
2999:Desktop Gadgets
2959:Anytime Upgrade
2942:
2854:
2827:
2818:Windows Runtime
2710:
2684:
2650:Family features
2608:
2433:
2389:DFS Replication
2300:
2215:
2206:Error Reporting
2162:
2062:
1938:Mobility Center
1933:Movies & TV
1827:
1811:Windows Insider
1701:Driver Verifier
1696:Drive Optimizer
1663:
1657:
1648:Booting process
1619:
1614:
1567:
1557:
1549:. p. 384.
1540:
1534:
1526:. p. 829.
1517:
1514:
1512:Further reading
1424:www.nirsoft.net
1006:KiSystemService
807:Driver Verifier
798:
781:
774:Runtime library
435:being used for
415:
401:
388:
380:
373:
360:64-bit kernel (
347:
334:
321:
308:
295:
288:
279:32-bit Windows
268:multi-core CPUs
260:
256:
252:
248:
222:KiSystemStartup
211:
203:
197:
193:
190:
148:, contains the
1565:External links
1563:
1562:
1561:
1556:978-1118787311
1555:
1538:
1533:978-0136006633
1532:
1513:
1510:
1507:
1506:
1500:978-0136006633
1499:
1481:
1456:
1450:978-1118787311
1213:increaseuserva
1030:Memory manager
1028:
1000:named (as per
973:
947:FLAGS register
943:interrupt flag
920:
917:
867:
866:Initialization
720:Object Manager
647:PE Executables
643:
640:
634:
633:
630:
627:
624:
623:
616:multithreading
610:, semaphores,
445:Object Manager
439:functions and
425:IoCreateDevice
423:An example is
303:32-bit kernel
300:
299:
292:
285:
281:
280:
263:respectively.
189:
186:
168:handling, and
124:
123:
65:"Ntoskrnl.exe"
1143:Device driver
879:Registry hive
735:Plug-and-play
3299:File Manager
3139:Photo Viewer
3074:Media Center
3034:Groove Music
2964:Address Book
2935:
2928:
2921:
2916:Purble Place
2914:
2907:
2900:
2893:
2886:
2881:Chess Titans
2879:
2872:
2859:Discontinued
2847:
2840:
2539:Ntoskrnl.exe
2538:
2447:Boot Manager
2439:Architecture
2329:Group Policy
2221:File systems
2121:Saved search
2028:Sticky Notes
1993:Quick Assist
1921:Media Player
1891:Feedback Hub
1886:Fax and Scan
1781:Task Manager
1711:Event Viewer
1691:Disk Cleanup
1542:
1519:
1490:
1484:
1473:. Retrieved
1459:
1440:
1423:
1414:
1403:. Retrieved
1398:
1394:
1384:
1373:. Retrieved
1356:
1345:. Retrieved
1328:
1317:. Retrieved
1300:
1289:. Retrieved
1272:
1261:. Retrieved
1244:
1237:
1228:
1205:
1191:Tunable via
1187:
1157:
1146:
1131:
1127:
1049:
1040:
1024:
994:system calls
967:
945:(IF) in the
938:
932:
929:
914:
891:
869:
849:ntoskrnl.exe
841:ntoskrnl.exe
833:ntoskrnl.exe
791:access token
584:I/O manager
482:
474:
468:
459:
451:
449:
440:
432:
428:
424:
422:
414:
402:ntkrla57.exe
389:ntkrnlmp.exe
348:ntkrpamp.exe
335:ntkrnlpa.exe
322:ntkrnlmp.exe
309:ntoskrnl.exe
265:
261:ntkrnlpa.exe
257:ntoskrnl.exe
253:ntkrpamp.exe
249:ntkrnlmp.exe
230:
226:architecture
221:
191:
146:kernel image
145:
129:ntoskrnl.exe
128:
127:
112:
103:
93:
86:
79:
72:
60:
48:Please help
43:verification
40:
3314:Minesweeper
3283:Spun off to
3104:MSN Dial-up
3099:Movie Maker
3004:Diagnostics
2954:ActiveMovie
2696:COMMAND.COM
2574:Shadow Copy
2429:Server Core
2269:Mount Point
2196:Shadow Copy
1791:Windows Ink
1013:instruction
984:), used in
978:hexadecimal
912:structure.
447:functions.
437:I/O Manager
418:Pascal Case
218:entry point
194:bootvid.dll
131:(short for
3359:Categories
3294:DVD Player
3109:NetMeeting
3009:DriveSpace
2874:3D Pinball
2374:SharePoint
2138:Start menu
1983:Phone Link
1846:Calculator
1801:PowerShell
1662:Management
1475:2018-11-11
1405:2013-09-16
1395:OSR Online
1375:2009-06-13
1347:2009-06-13
1319:2009-06-13
1291:2009-06-13
1263:2009-06-13
1220:References
1084:0x80000000
1079:0x7fffffff
1044:page table
998:subroutine
872:bootloader
364:editions)
233:Windows XP
142:executable
133:Windows NT
106:April 2014
76:newspapers
3089:Messenger
3084:Messaging
3014:DVD Maker
2984:CD Player
2979:CardSpace
2930:Solitaire
2630:BitLocker
2625:AppLocker
2259:Hard link
2148:Task View
2126:Namespace
2096:ClearType
1916:Messaging
1901:Magnifier
1866:Clipchamp
1841:3D Viewer
963:registers
837:ntdll.dll
829:ntdll.dll
612:spinlocks
382:57 bit VA
369:Filename
284:Filename
213:ntdll.dll
204:kdcom.dll
178:scheduler
154:executive
3333:Category
3210:MS-DOS 7
3195:ScanDisk
3114:NTBackup
2994:Contacts
2974:Cardfile
2909:Hold 'Em
2888:FreeCell
2734:VBScript
2645:Defender
2613:Security
2599:Winlogon
2554:Registry
2168:Services
2101:Explorer
2086:AutoPlay
1973:Paint 3D
1958:OneDrive
1948:Narrator
1896:Get Help
1851:Calendar
1746:Settings
1716:IExpress
1364:(2009).
1336:(2009).
1308:(2009).
1280:(2009).
1252:(2009).
1162:See also
1149:Services
1118:Registry
1010:SYSENTER
980:; 46 in
843:via the
490:Meaning
379:Supports
372:Supports
294:Supports
287:Supports
188:Overview
3309:Mahjong
3230:Interix
3164:WinHelp
3064:Journal
3054:Imaging
2902:InkBall
2788:DirectX
2751:ActiveX
2739:JScript
2452:Console
2424:Hyper-V
2319:Domains
2143:Taskbar
2116:IFilter
2091:AutoRun
2053:WordPad
2048:Weather
1963:OneNote
1953:Notepad
1876:Cortana
1751:Sysprep
1199:switch.
1193:/userva
1137:Drivers
1020:SYSCALL
1015:and in
990:INT 2EH
982:decimal
933:In the
892:In the
754:Process
649:loader
483:Prefix
481:Export
199:hal.dll
166:process
90:scholar
3342:
3331:
3304:Hover!
3178:Others
3159:Travel
3154:Syskey
2937:Tinker
2895:Hearts
2823:WinUSB
2808:WinAPI
2793:Native
2604:WinUSB
2529:MinWin
2306:Server
2106:Search
2018:Sports
1988:Photos
1978:People
1856:Camera
1553:
1530:
1497:
1447:
1153:SYSTEM
1095:x86-64
1017:x86-64
1002:symbol
876:SYSTEM
758:thread
568:FsRtlp
150:kernel
139:kernel
92:
85:
78:
71:
63:
3270:WinFS
3169:Write
2866:Games
2833:Games
2706:WoW64
2534:NTLDR
2524:LSASS
2457:CSRSS
2264:links
2239:exFAT
2068:Shell
2033:Store
2023:Start
2013:Skype
1968:Paint
1943:Money
1871:Clock
1818:WinRE
1726:Netsh
1664:tools
1653:Games
1547:Wiley
1179:Notes
1064:Arch
970:IA-32
814:Zw/Nt
645:NT's
564:FsRtl
542:Dbgk
174:cache
97:JSTOR
83:books
3344:List
3225:HPFS
2989:Chat
2947:Apps
2849:Surf
2798:.NET
2766:DCOM
2594:WHEA
2589:USER
2579:SMSS
2369:WSUS
2349:MSMQ
2291:ReFS
2254:NTFS
2229:CDFS
2186:CLFS
2181:BITS
2081:Aero
2058:Xbox
2038:Tips
1926:2022
1911:Maps
1906:Mail
1881:Edge
1833:Apps
1628:APIs
1551:ISBN
1528:ISBN
1495:ISBN
1445:ISBN
1197:/3gb
1090:ARM
992:for
959:APIC
941:the
904:and
845:SSDT
831:and
770:Rtlp
756:and
737:and
675:Lsap
659:Lpcp
642:Ldrp
618:and
538:Dbgk
443:for
427:and
409:Yes
406:Yes
393:Yes
355:Yes
352:Yes
342:Yes
326:Yes
259:and
251:and
202:and
152:and
69:news
3124:Pay
3024:Fax
2771:OLE
2746:COM
2729:WSH
2716:API
2477:DLL
2472:EXE
2384:PWS
2364:IIS
2324:DNS
2296:UDF
2284:EFS
2279:TxF
2249:FAT
2244:IFS
2234:DFS
1823:WMI
1195:or
1075:x86
988:as
955:PIC
953:by
951:IRQ
939:and
910:PCR
906:TSS
902:IDT
898:GDT
887:vga
883:nls
823:or
786:Sep
766:Rtl
750:Psp
731:Pop
716:Obp
703:Nls
699:Nls
671:Lsa
655:Lpc
638:Ldr
581:Iop
555:Exp
529:Dbg
525:Dbg
513:Cmp
500:Ccp
464:Psp
396:No
375:SMP
362:x64
339:No
329:No
316:No
313:No
297:PAE
290:SMP
245:PAE
231:In
52:by
3361::
1641:NT
1636:9x
1545:.
1468:.
1432:^
1422:.
1399:10
1397:.
1393:.
1368:.
1340:.
1312:.
1284:.
1256:.
1236:,
974:16
900:,
881:,
857:Nt
853:Zw
825:Zw
821:Nt
803:Vi
799:Vf
782:Se
746:Ps
727:Po
712:Ob
690:Mi
686:Mm
629:Ks
614:,
604:Kx
594:Ki
590:Ke
577:Io
551:Ex
509:Cm
496:Cc
456:Ki
441:Ob
433:Io
239:,
196:,
164:,
1609:e
1602:t
1595:v
1559:.
1536:.
1503:.
1478:.
1453:.
1426:.
1408:.
1378:.
1350:.
1322:.
1294:.
1266:.
1038:.
976:(
927:.
460:p
452:i
220:"
119:)
113:(
108:)
104:(
94:·
87:·
80:·
73:·
46:.
23:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.