Chapter 4/ System Briefing


Not all of the constituents of ntoskrnl.exe in Figure 4.15 are full-blown executive subsystems. Some areas merely represent groups of related support functions. In some instances, I've indicated this explicitly by qualifying certain executive components in Figure 4.15 as facilities or simply a set of routines. Likewise, official subsystems have been labeled as managers. Although I've tried to arrange some elements to indicate their functional role in the greater scheme of things, most of the executive components have been arranged alphabetically from left to right and from top to bottom.

To make the association between these system-level routines and the role that they play more apparent, Microsoft has established a naming scheme for system-level functions (not just routines exported by ntoskrnl.exe). Specifically, the following convention has been adopted for identifiers:

Prefix-Operation-Object

The first few characters of the name consist of a prefix that denotes which subsystem or general domain of functionality the routine belongs to. The last few characters usually (but not always) specify an object that is being manipulated. Sandwiched between the prefix and object name is a verb that indicates what action is being taken. For example, ntoskrnl.exe exports a routine named MmPageEntireDriver() that's implemented within the memory manager and causes all of a driver's code and data to be made pageable.

Table 4.11 provides a partial list of function prefixes and their associated kernel-mode components.

Table 4.11 Kernel-Mode Routine Prefixes

Prefix   Kernel-Mode Component          Description
Alpc     Advanced LPC routines          Passes local messages between client and server software
Cc       Cache manager                  Implements caching for all file system drivers
Cm       Configuration manager          Implements the Windows registry
Dbg      Debugging facilities           Implements break points, symbol loading, and debug output
Em       Errata manager                 Offers a way to accommodate noncompliant hardware
Etw      Event tracing facilities       Helper routines for tracing events system-wide
Ex       Executive support facilities   Synchronization services and heap management
FsRtl    File system runtime library    Used by file system drivers and file system filter drivers
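The Prefix-Operation-Object convention and the prefixes in Table 4.11 make a driver's import list readable at a glance, which is exactly what you want when triaging an unknown .sys file: the prefixes tell you which executive components it leans on before you read a single instruction. The following Python is an added example, not code from the book or from Microsoft: it splits export names along the convention and tallies which kernel-mode components a list of imports touches. The splitting heuristic, the helper names and the sample import list are my own and constructed for illustration; the prefix-to-component map covers only the prefixes this page documents (Table 4.11 plus Mm from the MmPageEntireDriver example), so, like the table, it is partial, and any other prefix is reported as unknown rather than guessed.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Prefix -> kernel-mode component. Only the prefixes this page documents
# (Table 4.11 plus Mm) are listed; the book's table is partial and so is
# this map. Unknown prefixes are reported, not guessed.
PREFIX_COMPONENT = {
    "Alpc": "Advanced LPC routines",
    "Cc": "Cache manager",
    "Cm": "Configuration manager",
    "Dbg": "Debugging facilities",
    "Em": "Errata manager",
    "Etw": "Event tracing facilities",
    "Ex": "Executive support facilities",
    "FsRtl": "File system runtime library",
    "Mm": "Memory manager",
}

# One CamelCase hump: a capital letter followed by lowercase letters/digits.
_HUMP = re.compile(r"[A-Z][a-z0-9]*")


class ParsedName(NamedTuple):
    prefix: str
    operation: str
    obj: str
    component: Optional[str]


def parse_export_name(name: str) -> ParsedName:
    """Split a Prefix-Operation-Object identifier such as MmPageEntireDriver.

    Heuristic (mine, not from the book): the prefix is the longest known
    prefix that starts the name and is followed by a capital letter (so
    'Ex' does not swallow 'ExceptionHandler'); if none matches, the first
    CamelCase hump is taken as the prefix. The next hump is the operation
    (verb) and whatever remains is the object, which the convention allows
    to be empty (e.g. EtwRegister).
    """
    prefix = ""
    for candidate in sorted(PREFIX_COMPONENT, key=len, reverse=True):
        if (name.startswith(candidate) and len(name) > len(candidate)
                and name[len(candidate)].isupper()):
            prefix = candidate
            break
    humps = _HUMP.findall(name[len(prefix):])
    if not prefix:
        if not humps or not name.startswith(humps[0]):
            # Not a Prefix-Operation-Object name at all (e.g. a CRT export like memcpy).
            return ParsedName("", "", name, None)
        prefix = humps.pop(0)
    operation = humps[0] if humps else ""
    obj = "".join(humps[1:])
    return ParsedName(prefix, operation, obj, PREFIX_COMPONENT.get(prefix))


def summarize_imports(names: Iterable[str]) -> Counter:
    """Count which kernel-mode components a set of ntoskrnl.exe imports touches."""
    counts: Counter = Counter()
    for name in names:
        parsed = parse_export_name(name)
        key = parsed.component or f"unknown prefix {parsed.prefix or '(none)'}"
        counts[key] += 1
    return counts


# Constructed sample: the kind of import list a small driver might carry.
# The names are real ntoskrnl.exe exports; the selection is made up.
SAMPLE_IMPORTS = [
    "MmPageEntireDriver", "ExAllocatePoolWithTag", "ExFreePoolWithTag",
    "CcFlushCache", "CmRegisterCallback", "DbgPrint", "EtwRegister",
    "FsRtlIsNameInExpression", "ZwCreateFile", "memcpy",
]

if __name__ == "__main__":
    for name in SAMPLE_IMPORTS:
        p = parse_export_name(name)
        print(f"{name:28} prefix={p.prefix:6} op={p.operation:9} "
              f"obj={p.obj:17} -> {p.component or 'unknown'}")
    print()
    for component, n in summarize_imports(SAMPLE_IMPORTS).most_common():
        print(f"{n:3}  {component}")
```

In practice the names come from the import table of the driver under analysis (a PE parser such as pefile will list them); an "unknown prefix" line is the cue to extend the map from the remainder of Table 4.11, and a name that does not follow the convention at all usually belongs to the C runtime rather than to an executive component.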

170 | Part I