Simplified Windows Architecture Overview
With this brief overview of the design and packaging of Windows, let's take a look at the key
system components that make up its architecture. A simplified version of this architecture is shown
in Figure 2-1. Keep in mind that this diagram is basic - it doesn't show everything. (For example,
the networking components and the various types of device driver layering are not shown.)
In Figure 2-1, first notice the line dividing the user-mode and kernel-mode parts of the Windows
operating system. The boxes above the line represent user-mode processes, and the components
below the line are kernel-mode operating system services. User-mode threads execute in a protected
process address space (although whikle they are executing in kernel mode, they have access to
system space). Thus, system support processes, service processes, user applications, and environment
subsystems each have their own private process address space.
The four basic types of user-mode processes are described as follows:
• Fixed (or hardwired) system support processes, such as the logon process and the Session
manager, that are not Windows services. (That is, they are not started by the service control control manager.
• Service processes that host Windows services, such as the task Scheduler and Print
Spooler services. Services generally have th requirement that they run independently of user logons.
Many Windows server applications, such as Microsoft SQL Server and Microsoft Exchange Server,
also include components that run as services.
• User applications, which can be one of the following types: 32-bit or 64-bit, Windows
3.1 16-bit, MS-DOS 16-bit, or POSIX 32-bit or 64-bit. Note that 16-bit applications can be run
only on 32-bit Windows.
• Environmental subsystem server processes, which implement part of the support for the
operating system environment, or personality, presented to the user and programmer. Windows
NT originally shipped with three environment subsystems: Windows, POSIX, and OS/2. However, the
POSIX and OS/2 subsystems last shipped with Windows 2000. The Ultimate and Enterprise editions of
Windows client as well as all server versions include support for an enhanced POSIX subsystem call
Subsystem for Unix-based Applications (SUA).
In Figure 2-1, notice the "Subsystem DLLs" box below the "Service processes" and the "User
applications" boxes. Under Windows, user applications don't call the native Windows operating
system services directly; rather, they go though one or more subsystem dynamic-link libraries
(DLLs). The role of the subsystem DLLs is to translate a documented function into the appropriate
internal (and generally undocumented) native system service calls. This translation might or
might not involve sending a message to the environment subsystem process that is serving the user application.
The kernel-mode components of Windows include the following:
• The Windows executive contains the base operating system services, such as memory
management, process and thread management, security, I/O, networking, and interprocess communication.
• The Windows kernel consists of low-level operating system functions, such as thread
scheduling, interrupt and exception dispatching, and multiprocessor synchronization. It also
provides a set of routines and basic objects that the rest of the executive uses to implement
• Device drivers include both hardware device drivers, which translate user I/O function
calls into specific hardware device I/O requests, as well as nonhardware device drivers such as
file system and network drivers.