4.4 User Mode and Kernel Mode

The interface that the Windows subsystem exposes to user applications (i.e., the Windows API) looks a lot like the Win32 API and is implemented as a collection of DLLs (e.g., kernel32.dll, advapi32.dll, user32.dll, gdi32.dll, shell32.dll, rpcrt4.dll, etc.). If a Windows API routine cannot be implemented entirely in user space and needs to access services provided by the executive, it will invoke code in the ntdll.dll library to re-route program control to code in the executive. In the next section, we'll spell out the gory details of this whole process.

As in kernel mode, we can get an idea of how these user-mode components are related using the dumpbin.exe tool (see Table 4.6). For the sake of keeping Figure 4.6 relatively simple, I displayed only a limited subset of the Windows API DLLs. So you'll see files referenced in Table 4.6 that you won't see in Figure 4.6.

Table 4.6 User-Mode Imports

Component      Imports
Advapi32.dll   msvcrt.dll, ntdll.dll, kernelbase.dll, api*.dll, kernel32.dll, rpcrt4.dll, cryptsp.dll, wintrust.dll, sspicli.dll, user32.dll, bcrypt.dll, pcwum.dll
User32.dll     ntdll.dll, gdi32.dll, kernel32.dll, advapi32.dll, cfgmgr32.dll, msimg32.dll, powrprof.dll, winsta.dll
GDI32.dll      ntdll.dll, api*.dll, kernel32.dll, user32.dll, lpk.dll
Csrss.exe      ntdll.dll, csrsrv.dll
Kernel32.dll   ntdll.dll, kernelbase.dll, api*.dll
Ntdll.dll      None
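Table 4.6 was generated with dumpbin.exe, which ships with Visual Studio. The following script is an added example, not code from the book: it reads the same dependency information straight out of a PE file's import directory using only the Python standard library, so you can reproduce the table (or inspect a DLL you don't trust) on a machine without the Microsoft toolchain. The build_sample_pe helper is a constructed stand-in, not a real binary; it fabricates a minimal PE32+ image whose only section carries an import directory, purely so the parser has something to run against offline. The DLL names fed to it in the usage block are taken from the Kernel32.dll row of the table. Note the empty result for an image whose import directory RVA is zero, which is exactly why ntdll.dll shows "None" above: it is the bottom of the user-mode stack and has nothing left to import.

```python
"""List the DLLs a PE image depends on (what `dumpbin /dependents` prints).

Stdlib only: walks DOS header -> PE/COFF header -> optional header data
directory -> section table -> IMAGE_IMPORT_DESCRIPTOR array.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index into the optional header's DataDirectory


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(data, offset):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[offset:data.index(b"\x00", offset)].decode("ascii")


def imported_dlls(data):
    """Return the DLL names in the import directory, in table order.

    An image with no import directory (ntdll.dll is the classic case)
    yields an empty list.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DataDirectory starts at +96 (PE32) or +112 (PE32+); each entry is RVA, Size
    dir_off = opt_off + (96 if magic == 0x10B else 112) + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    imp_rva, _imp_size = struct.unpack_from("<II", data, dir_off)
    sections = []
    for i in range(num_sections):
        hdr = opt_off + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return []
    names = []
    off = rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        _ilt, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first_thunk == 0:  # all-zero descriptor ends the array
            break
        names.append(read_cstring(data, rva_to_offset(name_rva, sections)))
        off += 20
    return names


def build_sample_pe(dll_names):
    """Constructed sample (not a real binary): a minimal PE32+ image whose
    single section holds an import directory naming `dll_names`."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    names_rva = SEC_VA + 20 * (len(dll_names) + 1)  # strings follow the descriptor array
    descs, strings = b"", b""
    for name in dll_names:
        # FirstThunk is a placeholder IAT RVA inside the section; it is never dereferenced here
        descs += struct.pack("<IIIII", 0, 0, 0, names_rva + len(strings), SEC_VA + 0x100)
        strings += name.encode("ascii") + b"\x00"
    descs += b"\x00" * 20  # terminator
    section = (descs + strings).ljust(SEC_RAW, b"\x00")
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section, 240-byte PE32+ opt header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SEC_VA, len(descs))
    sec_hdr = (b".rdata".ljust(8, b"\x00")
               + struct.pack("<IIII", len(descs) + len(strings), SEC_VA, SEC_RAW, SEC_RAW)
               + b"\x00" * 16)
    headers = (dos + b"PE\x00\x00" + coff + bytes(opt) + sec_hdr).ljust(SEC_RAW, b"\x00")
    return headers + section


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:  # e.g. C:\Windows\System32\kernel32.dll
            image = f.read()
    else:
        image = build_sample_pe(["ntdll.dll", "kernelbase.dll"])  # constructed, mirrors the Kernel32.dll row
    print("\n".join(imported_dlls(image)) or "(no imports)")
```

Run it with a path argument to list a real DLL's dependencies; with no argument it parses the constructed sample. The parser stops at the DLL level on purpose: that is what Table 4.6 records, and resolving each descriptor's thunk arrays into function names (including the api*.dll API-set forwarders) would need a second pass that is beyond the point being made here.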

One last thing that might be confusing: in Figure 4.6, you might notice the presence of user-mode "Services" in the box located at the top of the diagram. From the previous discussion, you might have the impression that the operating system running in kernel mode is the only entity that should be offering services. This confusion is a matter of semantics more than anything else.

A user-mode service is really just a user-mode application that runs in the background, requiring little or no user interaction. As such, it is launched and managed through another user-mode program called the Service Control Manager (SCM), which is implemented by the services.exe file located in the %systemroot%\system32 directory. To facilitate management through the SCM, a user-mode service must conform to an API whose functions are declared
