Architecture of Windows NT


The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor -based computers. To process input/output requests, it uses packet-driven I/O, which utilizes I/O request packets and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.
Programs and subsystems in user mode are limited in terms of what system resources they have access to, while the kernel mode has unrestricted access to the system memory and external devices. Kernel mode in Windows NT has full access to the hardware and system resources of the computer. The Windows NT kernel is a hybrid kernel; the architecture comprises a [|simple kernel], hardware abstraction layer, drivers, and a range of services, which all exist in kernel mode.
User mode in Windows NT is made of subsystems capable of passing I/O requests to the appropriate kernel mode device drivers by using the I/O manager. The user mode layer of Windows NT is made up of the "Environment subsystems", which run applications written for many different types of operating systems, and the "Integral subsystem", which operates system-specific functions on behalf of environment subsystems. The kernel mode stops user mode services and applications from accessing critical areas of the operating system that they should not have access to.
The [|Executive] interfaces, with all the user mode subsystems, deal with I/O, object management, security and process management. The kernel sits between the hardware abstraction layer and the Executive to provide multiprocessor synchronization, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching. The kernel is also responsible for initializing device drivers at bootup. Kernel mode drivers exist in three levels: highest level drivers, intermediate drivers and low-level drivers. Windows Driver Model exists in the intermediate layer and was mainly designed to be binary and source compatible between Windows 98 and Windows 2000. The lowest level drivers are either legacy Windows NT device drivers that control a device directly or can be a plug and play hardware bus.

User mode

User mode is made up of various system-defined processes and DLLs.
The interface between user mode applications and operating system kernel functions is called an "environment subsystem." Windows NT can have more than one of these, each implementing a different API set. This mechanism was designed to support applications written for many different types of operating systems. None of the environment subsystems can directly access hardware; access to hardware functions is done by calling into kernel mode routines.
There are three main environment subsystems: the Win32 subsystem, an OS/2 subsystem and a POSIX subsystem.

Win32 environment subsystem

The Win32 environment subsystem can run 32-bit Windows applications. It contains the console as well as text window support, shutdown and hard-error handling for all other environment subsystems. It also supports Virtual DOS Machines, which allow MS-DOS and 16-bit Windows applications to run on Windows NT. There is a specific MS-DOS VDM that runs in its own address space and which emulates an Intel 80486 running MS-DOS 5.0. Win16 programs, however, run in a Win16 VDM. Each program, by default, runs in the same process, thus using the same address space, and the Win16 VDM gives each program its own thread on which to run. However, Windows NT does allow users to run a Win16 program in a separate Win16 VDM, which allows the program to be preemptively multitasked, as Windows NT will pre-empt the whole VDM process, which only contains one running application. The Win32 environment subsystem process also includes the window management functionality, sometimes called a "window manager". It handles input events, then passes messages to the applications that need to receive this input. Each application is responsible for drawing or refreshing its own windows and menus, in response to these messages.

OS/2 environment subsystem

The OS/2 environment subsystem supports 16-bit character-based OS/2 applications and emulates OS/2 1.x, but not 32-bit or graphical OS/2 applications as used with OS/2 2.x or later, on x86 machines only. To run graphical OS/2 1.x programs, the Windows NT Add-On Subsystem for Presentation Manager must be installed. The last version of Windows NT to have an OS/2 subsystem was Windows 2000; it has been discontinued as of Windows XP.

POSIX environment subsystem

The POSIX environment subsystem supports applications that are strictly written to either the POSIX.1 standard or the related ISO/IEC standards. This subsystem has been replaced by Interix, which is a part of Windows Services for UNIX. This was in turn replaced by the Windows Subsystem for Linux.

Security subsystem

The security subsystem "manages operating system-specific functions on behalf of the environment system and consists of a security system process". This security system process is the Local Security Authority which manages security tokens, grants or denies access "to user accounts based on resource permissions, handles login requests and initiates login authentication, and determines which system resources need to be audit" by Windows NT. It also looks after Active Directory. The workstation service implements the network redirector, which is the client side of Windows file and print sharing; it implements local requests to remote files and printers by "redirecting" them to the appropriate servers on the network. Conversely, the server service allows other computers on the network to access file shares and shared printers offered by the local system.

Kernel mode

Windows NT kernel mode has full access to the hardware and system resources of the computer and runs code in a protected memory area. It controls access to scheduling, thread prioritization, memory management and the interaction with hardware. The kernel mode stops user mode services and applications from accessing critical areas of the operating system that they should not have access to; user mode processes must ask the kernel mode to perform such operations on their behalf.
While the x86 architecture supports four different privilege levels, only the two extreme privilege levels are used. Usermode programs are run with CPL 3, and the kernel runs with CPL 0. These two levels are often referred to as "ring 3" and "ring 0", respectively. Such a design decision had been done to achieve code portability to RISC platforms that only support two privilege levels, though this breaks compatibility with OS/2 applications that contain I/O privilege segments that attempt to directly access hardware.
Code running in kernel mode includes: the executive, which is itself made up of many modules that do specific tasks; the kernel, which provides low-level services used by the Executive; the Hardware Abstraction Layer ; and kernel drivers.

Executive

The Windows Executive services make up the low-level kernel-mode portion, and are contained in the file ntoskrnl.exe. It deals with I/O, object management, security and process management. These are divided into several subsystems, among which are Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call , Memory Manager, Object Manager, Process Structure and Security Reference Monitor . Grouped together, the components can be called Executive services. System Services, i.e., system calls, are implemented at this level, too, except very few that call directly into the kernel layer for better performance.
The term "service" in this context generally refers to a callable routine, or set of callable routines. This is distinct from the concept of a "service process", which is a user mode component somewhat analogous to a daemon in Unix-like operating systems.
File:Object Manager screenshot.png|thumb|Each object in Windows NT exists in a global namespace. This is a screenshot from Sysinternals .
; Object Manager
;Cache Controller
;Configuration Manager
;I/O Manager
;Local Procedure Call
;Memory Manager
;Process Structure
;PnP Manager
;Power Manager
;Security Reference Monitor
;GDI

Kernel

The kernel sits between the HAL and the Executive and provides multiprocessor synchronization, thread and interrupt scheduling and dispatching, and trap handling and exception dispatching; it is also responsible for initializing device drivers at bootup that are necessary to get the operating system up and running. That is, the kernel performs almost all the tasks of a traditional microkernel; the strict distinction between Executive and Kernel is the most prominent remnant of the original microkernel design, and historical design documentation consistently refers to the kernel component as "the microkernel".
The kernel often interfaces with the process manager. The level of abstraction is such that the kernel never calls into the process manager, only the other way around.

Hybrid kernel design

The Windows NT design includes many of the same objectives as Mach, the archetypal microkernel system, one of the most important being its structure as a collection of modules that communicate via well-known interfaces, with a small microkernel limited to core functions such as first-level interrupt handling, thread scheduling and synchronization primitives. This allows for the possibility of using either direct procedure calls or interprocess communication to communicate between modules, and hence for the potential location of modules in different address spaces. Other design goals shared with Mach included support for diverse architectures, a kernel with abstractions general enough to allow multiple operating system personalities to be implemented on top of it and an object-oriented organisation.
The primary operating system personality on Windows is the Windows API, which is always present. The emulation subsystem which implements the Windows personality is called the Client/Server Runtime Subsystem. On versions of NT prior to 4.0, this subsystem process also contained the window manager, graphics device interface and graphics device drivers. For performance reasons, however, in version 4.0 and later, these modules run as a kernel-mode subsystem.
Applications that run on NT are written to one of the OS personalities, and not to the native NT API for which documentation is not publicly available. An OS personality is implemented via a set of user-mode DLLs, which are mapped into application processes' address spaces as required, together with an emulation subsystem server process. Applications access system services by calling into the OS personality DLLs mapped into their address spaces, which in turn call into the NT run-time library, also mapped into the process address space. The NT run-time library services these requests by trapping into kernel mode to either call kernel-mode Executive routines or make Local Procedure Calls to the appropriate user-mode subsystem server processes, which in turn use the NT API to communicate with application processes, the kernel-mode subsystems and each other.