Ntoskrnl.exe, Ntkrnlpa.exe, Win32k.sys files explained
Posted by javajolt on November 17, 2019, 05:07:17 PM
The Windows 10 OS has many system files that are part of the core OS. End users often see them running in the Task Manager, or named on a Blue Screen of Death. Today we are explaining three such system files: Ntoskrnl.exe, Ntkrnlpa.exe, and Win32k.sys.

Ntoskrnl.exe, Ntkrnlpa.exe, and Win32k.sys are system files that help in the running of the Windows operating system.

1. What is ntoskrnl.exe

NT-OS-Kernel = Ntoskrnl.exe

It is the kernel of the operating system which does and controls almost everything.

Windows will not work without it, or if it gets into panic mode, where it thinks the system is in a problem. It is interesting to note that this file is picked up last in the Windows 10 boot process. It loads Registry settings and additional drivers, and then passes control to the Session Manager process.

It is responsible for hardware virtualization, process management, and memory management. If you have seen a BSOD that mentions Ntoskrnl.exe, it is related to memory. Apart from this file, there are three more kernel files that work along with ntoskrnl.exe: ntkrnlmp.exe, ntkrnlpa.exe, and ntkrpamp.exe.

2. What is ntkrnlpa.exe

New Technology Kernel Process Allocator = NTKrnlPA

Similar to Ntoskrnl.exe, Ntkrnlpa.exe is part of the Kernel file list. When Windows starts, these programs are loaded into RAM to start boot execution.

It is related to process allocation. It has access to system resources, computer hardware, and memory area, which is restricted to other programs.

3. What is win32k.sys

Win32 subsystem = win32k.sys

Once the boot process is complete and drivers are loaded, Windows starts the Session Manager to move into user mode. The Session Manager Subsystem loads the kernel-mode side of the Win32 subsystem, aka win32k.sys. The subsystem consists of the Win32 API DLLs (kernel32.dll, user32.dll, gdi32.dll) and the Win32 subsystem process (csrss.exe).

   • kernel32.dll: Dynamic link library for Windows

   • user32.dll: It contains Windows API functions related to the Windows user interface

   • gdi32.dll: It houses functions for the Windows GDI (Graphical Device Interface)

   • csrss.exe: Client Server Runtime Process

All these files, Ntoskrnl.exe, Ntkrnlpa.exe, and Win32k.sys, are located in the System32 folder. If you find them in some other location as well, it is best to run your antivirus scan.
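As an added example (not from the original post), the following PowerShell check does the "is it somewhere else?" test from the paragraph above in a repeatable way: it lists every copy of the three files on the system drive, flags copies outside the folders where Windows legitimately keeps them, and reads each copy's Authenticode status. The list of expected folders and the Microsoft-signer check are assumptions for a default install on a single system drive.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# 5.1+ session; assumes a default install where $env:SystemRoot is C:\Windows.
$names = 'ntoskrnl.exe', 'ntkrnlpa.exe', 'win32k.sys'
$root  = $env:SystemRoot
$drive = $root.Substring(0, 2) + '\'          # e.g. C:\

# Folders where copies are expected (assumption for a default install):
# System32 holds the live files; WinSxS (component store) and Windows.old
# hold legitimate extra copies after servicing or an upgrade.
$expected = @(
    (Join-Path $root 'System32'),
    (Join-Path $root 'WinSxS'),
    (Join-Path $drive 'Windows.old')
)

$results = Get-ChildItem -Path $drive -Recurse -File -Force -Include $names `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $inExpected = $false
        foreach ($dir in $expected) {
            if ($file.FullName.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $inExpected = $true
                break
            }
        }
        # Status covers embedded and catalog signatures (kernel files are
        # normally catalog-signed); Signer is empty when unsigned.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            Path        = $file.FullName
            ExpectedDir = $inExpected
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            SHA256      = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
        }
    }

$results | Sort-Object ExpectedDir, Path | Format-Table -AutoSize

# A copy outside the expected folders, with a non-Valid signature status, or
# signed by someone other than Microsoft is what the post's "run your antivirus
# scan" advice is about; the hash column lets you compare copies or look one up.
$suspect = $results | Where-Object {
    -not $_.ExpectedDir -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
if ($suspect) {
    Write-Warning 'Review these copies:'
    $suspect | Format-List Path, SigStatus, Signer, SHA256
}
```

A file under System32 with SigStatus Valid and a Microsoft signer is the normal result; an extra copy in a user profile or temp folder is the case worth scanning.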

source