4.4 User Mode and Kernel Mode
and keep it in mind while you read about the different user-mode and kernel-
mode elements.
Kernel-Mode Components
Just above the hardware is the Windows hardware abstraction layer (HAL).
The HAL is intended to help insulate the operating system from the hardware
it's running on by wrapping machine-specific details (e.g., managing interrupt
controllers) with an API that's implemented by the HAL DLL. Kernel-mode
device drivers that are "well-behaved" will invoke HAL routines rather than
interface to hardware directly, presumably to help make them more portable.
The actual DLL file that represents the HAL will vary depending upon the
hardware that Windows is running on. For instance, the HAL that 64-bit
machines use is deployed as a file named hal .dll. For 32-bit computers that
provide an advanced configuration and power interface (ACPI), the HAL is
implemented by a file named halacpi.dll. 32-bit ACPI machines that have
multiple processors use a HAL implemented by a file named halmacpi .dl 1 ,
Because we're targeting desktop machines, the HAL will generally be realĀ¬
ized as some file named hal *. dll located in the %wi ndi r%\sy stem32 folder.
You can use the Im kernel debugger command to see specifically which HAL
version is being used:
kd> Im n
start
end
module name
00510000
00572000
kd
kd,exe
54f00000
65286000
dbgeng
dbgeng.dl1
6C700000
6C821000
dbghelp
dbghelp.dl1
6ebl0000
6eb58000
symsrv
symsrv.dll
74d20000
74d29000
VERSION
VERSION.dll
75ad0000
75bla000
KERNELBASE KERNELBASE.dll
75bc0000
75bd9000
sechost
sechost.dl1
75cd0000
75d70000
ADVAPI32
ADVAPI32.dll
76ec0000
75f61000
RPCRT4
RPCRT4.dl1
76f70000
7701COOO
msvcrt
msvcrt.dl1
77280000
77354000
kernel 32
kernel 32.dl1
776d0000
7780COOO
ntdl 1
ntdl1 .dll
80ba5000
SObadOOO
kdcom
kdcom.dl1
82805000
82C05000
nt
ntkrnlmp.exe
82C05000
82c2d000
hal
halacpi.dl1
Down at the very bottom, sitting next to the HAL is the BOOTVID.DLL file,
which offers very primitive VGA graphics support during the boot phase.
Parti I 139