Analysis of the Security of Windows NT
1 March 1999
3.3 Executive
The executive is the only part of the system that executes in kernel mode, and is
divided into three levels. The lowest level is the Hardware Abstraction Layer (HAL),
which provides an abstract view of the underlying machine architecture. The motive
for having this layer is to make the system (more) portable.
FIGURE 1. NT system overview
Above HAL is the microkernel. This is responsible for low-level support for execution,
interrupts and exception handling, and synchronization [43].
The top-most layer in the executive consists of a number of components (modules)
implementing basic OS services, such as virtual memory management, object
management, process and thread management, I/O management, Interprocess
Communication (IPC), and security reference monitoring. Communication between these
components works through a set of well-defined functions in each component.
[Figure 1, diagram not reproduced. Labels in the diagram: Administrator Tools; Protected Servers; WinLogon; LSA; SAM; Session Manager; Service Controller; Win32; Print Spooler; Event Logger; "Started By Service Controller"; User mode / Kernel mode; Security Reference Monitor; Process Manager; Executive Object Services; LPC Facility; VDM Control (x86 only); Object Manager; Configuration Manager; Memory Manager; I/O Subsystem; I/O Manager; Cache Manager; File Systems; Device Drivers; Microkernel; Hardware Abstraction Layer; Hardware; Executive; Window Manager; Graphics Device Interface; Graphics Device Drivers. Legend: "Indicates Hardware Dependability".]