3 votes

From what I understand, a thread that executes in user mode can eventually enter code that switches to kernel mode (using sysenter). But how can a thread that originated in user code execute kernel code?

E.g.: I'm calling CreateFile(), it then delegates to NtCreateFile(), which in turn calls ZwCreateFile(), then ZiFastSystemCall()... then sysenter... profit, kernel access?

Edit: This question, "How does Windows protect transition into kernel mode", has an answer that helped me understand; see the quote: "The user mode thread is causing an exception that's caught by the Ring 0 code. The user mode thread is halted and the CPU switches to a kernel/ring 0 thread, which can then inspect the context (e.g., call stack & registers) of the user mode thread to figure out what to do." Also see this blog post, very informative: http://duartes.org/gustavo/blog/post/cpu-rings-privilege-and-protection

1
There is a user -> kernel mode transition. What exactly do you want to know here? What problem are you attempting to solve? – Cody Gray
I'm very new to system programming and I'm not trying to solve any particular problem. I'm just wondering how a thread that is spawned from user mode (which, from my understanding, is a kernel object) can just eventually execute kernel code (which I thought it would be prevented from doing)? I've been reading some books (Windows Internals and some about x86 assembly) but none explain this concept well enough for me to understand. – user2715951
There is a fixed set of entry points, and they perform security checks. Your thread isn't supplying code to be executed in kernel mode, only arguments. – Ben Voigt

1 Answer

1 votes

The short answer is that it can't.

What happens is that when you create a user-mode thread, the kernel creates a matching kernel mode thread. When "your" thread needs to execute some code in kernel mode, it's actually executed in the matching kernel mode thread.

Disclaimer: The last time I really looked closely at this was probably with Win2K or maybe even NT4 -- but I doubt much has changed in this respect.
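The point made in the comments and the answer above (the trap takes only a service number and arguments, the kernel looks the number up in a fixed table and validates every user pointer before any kernel code runs) can be shown with a small model. The following C program is an added example, not code from the original question or answer and not Windows source; it is a deliberately simplified dispatcher in plain C, with invented names (fake_sysenter, probe_for_read, the status constants, a byte array standing in for the address space) chosen to mirror the Windows concepts (sysenter, ProbeForRead, the system service table) rather than to reproduce them. It demonstrates three ways the kernel side refuses what the user side asks for: an unknown service number, a pointer into kernel memory, and a buffer that starts in user memory but runs across the boundary.

```c
/* Added example: a simplified model of a system-call dispatcher.
 * Not Windows code; all names and the flat "address space" are
 * assumptions of this model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t status_t;
#define STATUS_SUCCESS                 0
#define STATUS_INVALID_SYSTEM_SERVICE  (-1)
#define STATUS_ACCESS_VIOLATION        (-2)

/* Simulated flat address space: indices below USER_LIMIT are "user",
 * at or above are "kernel". A real kernel uses page tables and a
 * user probe address; this model uses an index into one array. */
#define SPACE_SIZE   4096
#define USER_LIMIT   2048          /* first kernel-mode "address" */
static uint8_t space[SPACE_SIZE];
static const uint32_t KERNEL_SECRET_ADDR = 3000;

/* Result of the last service call, for the scenarios below. */
static uint32_t g_result;

/* Analogue of ProbeForRead: the whole range [addr, addr+len) must lie
 * below the user limit. The second test also rejects integer wraparound. */
static status_t probe_for_read(uint32_t addr, uint32_t len) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr >= USER_LIMIT || len > USER_LIMIT - addr)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Service handlers are the only kernel code reachable through the trap. */
typedef status_t (*service_fn)(uint32_t arg0, uint32_t arg1, uint32_t *out);

/* Service 0: sum the bytes of a user buffer (takes a user pointer). */
static status_t svc_sum_buffer(uint32_t addr, uint32_t len, uint32_t *out) {
    status_t st = probe_for_read(addr, len);
    if (st != STATUS_SUCCESS) return st;     /* never touch memory before probing */
    uint32_t sum = 0;
    for (uint32_t i = 0; i < len; i++) sum += space[addr + i];
    *out = sum;
    return STATUS_SUCCESS;
}

/* Service 1: a call that takes no pointers at all. */
static status_t svc_get_version(uint32_t a, uint32_t b, uint32_t *out) {
    (void)a; (void)b;
    *out = 0x0601;
    return STATUS_SUCCESS;
}

/* The fixed table: user mode can select an entry, never supply one. */
static const service_fn service_table[] = { svc_sum_buffer, svc_get_version };
#define SERVICE_COUNT (sizeof service_table / sizeof service_table[0])

/* The model's "sysenter": only a number and arguments cross the boundary. */
static status_t fake_sysenter(uint32_t number, uint32_t arg0, uint32_t arg1) {
    if (number >= SERVICE_COUNT) return STATUS_INVALID_SYSTEM_SERVICE;
    return service_table[number](arg0, arg1, &g_result);
}

/* Scenarios; each returns the status a user-mode caller would see. */
status_t demo_valid_call(void) {
    memset(space, 0, sizeof space);
    space[100] = 10; space[101] = 20; space[102] = 30;  /* constructed user data */
    space[KERNEL_SECRET_ADDR] = 0xAA;                    /* constructed kernel data */
    return fake_sysenter(0, 100, 3);
}

status_t demo_kernel_pointer(void) {
    /* User mode asks the service to read kernel memory on its behalf. */
    return fake_sysenter(0, KERNEL_SECRET_ADDR, 1);
}

status_t demo_straddling_pointer(void) {
    /* Buffer begins in user space but runs past the boundary. */
    return fake_sysenter(0, USER_LIMIT - 2, 4);
}

status_t demo_bad_number(void) {
    return fake_sysenter(99, 0, 0);
}

uint32_t last_result(void) { return g_result; }

int main(void) {
    printf("valid call:      status %d, result %u\n", demo_valid_call(), last_result());
    printf("kernel pointer:  status %d\n", demo_kernel_pointer());
    printf("straddling:      status %d\n", demo_straddling_pointer());
    printf("bad number:      status %d\n", demo_bad_number());
    return 0;
}
```

The valid call returns status 0 with result 60; the other three return an error status without any service touching memory. The order inside svc_sum_buffer is the security-relevant part: the probe runs before the first read, which is the same discipline a real kernel entry point must follow for every user-supplied pointer.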