What is User Mode vs Kernel Mode in Windows?

You may have heard of applications that run in “kernel” or “user” mode. It all comes down to how operating systems work when they do their jobs. Once you understand that, it’s easy to understand the difference between user mode and kernel mode.

Understanding what an operating system does

A computer is made up of hardware (the electronic components) and software (the computer code that is executed by that hardware). But what may be less clear is how they work together.

The most essential element of a computer is the bit or “binary digit”. Everything a computer does is represented as ones and zeros. Different computer components represent bits in different ways. In a CPU, microscopic transistors represent ones and zeros by being on or off. Those transistors are arranged in logic structures called logic gates.

In electronic computer memory, bits are represented by memory cells with a charge above or below a certain threshold. On a mechanical hard drive, bits are represented as magnetic fluctuations measured on a rotating platter. On optical discs, pits and lands that may or may not reflect laser light do the same job.

Regardless of how the physical representation of binary code is achieved, you can ultimately reduce all consumer computer components to this raw machine code.

So how do you go from the human-friendly interface of a computer to the raw, low-level processes in the computer itself? That’s where the operating system comes in. It directly controls the hardware of the computer.

This software translates everything that applications (and thus the user) want into machine code instructions that the CPU and other components understand. The most critical piece of software in this process is the kernel.

What is the Kernel?

The kernel, as the name suggests, is the core of the operating system. The kernel is software that resides in RAM and controls everything the computer does. When something is written into memory, it is the kernel that directs the execution.

The kernel knows how to interact with hardware such as GPUs and network cards, but it may not know how to use them optimally because it relies on generic standards in the computer industry.

The hardware drivers come into play here. Drivers tell your operating system how to work with specific components, so you need different drivers for Nvidia and AMD GPUs, for example.

Equipped with the right drivers, the kernel is the ultimate authority within the computer, including over things that can destroy data catastrophically.

The Role of Application Programming Interfaces (APIs)

In the days of MS-DOS, software developers had to write their software specifically for the user’s hardware. The most infamous example of this on MS-DOS systems was sound card drivers.

A given video game had to support the most popular cards (Sound Blaster, Ad-lib, Gravis Ultrasound, etc.) and hope that most players were covered. Today things work very differently, thanks to APIs.

Wolf3D’s sound card selection screen

Microsoft DirectX is a good example. If you want an in-depth explanation, check out What is DirectX and why is it important? The most important thing to know, however, is that the API provides a standard way for software developers to query hardware resources from components such as the GPU. In addition, hardware makers only need to ensure that their products are DirectX compliant to ensure full compatibility with similarly compatible software.

APIs provide a translation layer between software applications and the low-level kernel with its hardware drivers. Yes, this comes with a small performance penalty. Still, on modern computers this is negligible, and it has some advantages, which is where we eventually get to user mode and kernel mode.

User Mode vs Kernel Mode

Modern operating systems run hundreds or thousands of “processes” simultaneously, dynamically giving them CPU time as needed based on their priorities and computing power requirements.

When you start an application, it generates processes and the CPU can run them in user mode or kernel mode.

A Windows process running in user mode can only access its own private virtual memory address space and handle table. The software uses these tables to store data in RAM and query resources. There is no direct access to memory or other hardware, and it is up to the operating system to map those virtual spaces onto the actual hardware of the computer.

This is good for many reasons, but the most crucial advantage is that the application cannot overwrite or modify data outside of the virtual memory address space. In addition, certain functions are off limits to user-mode processes, especially those that can crash the system or destroy data.

When a process is started in or elevated to kernel mode, it has full access to system resources, even those reserved for the operating system. So in theory it could overwrite crucial data that the operating system needs to run properly.

Traps and exceptions

It is important to understand that these two modes are enforced at the hardware level by the CPU itself. If an application running in user mode tries to do something that requires kernel mode access, it throws a “trap” or “exception”. The operating system will then handle the application, usually by closing it and generating a crash log so that the developers can see what happened in memory when things went off track.
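The trap described above can be observed directly. This is an added example, not code from the original article; it assumes Linux on x86 or AArch64 (so it uses POSIX fork and signals rather than Windows APIs), and the function names are hypothetical. Because the check is done by the CPU, the same attempt on Windows surfaces as the exception STATUS_PRIVILEGED_INSTRUCTION (0xC0000096).

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Execute one instruction that the CPU only permits in kernel mode. */
static void privileged_instruction(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("hlt");            /* ring 0 only: general protection fault */
#elif defined(__aarch64__)
    unsigned long v;
    __asm__ volatile("mrs %0, ttbr0_el1" : "=r"(v));  /* EL1-only register */
#else
#error "example covers x86 and AArch64 only"
#endif
}

/* Signal Linux delivers to the process for this trap on each architecture. */
int expected_fault_signal(void) {
#if defined(__aarch64__)
    return SIGILL;
#else
    return SIGSEGV;
#endif
}

/* Run the instruction in a child process. Returns the signal that killed
   the child, 0 if it exited normally, or -1 on error. */
int fault_signal_from_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        privileged_instruction();
        _exit(0);                       /* reached only if the CPU did not trap */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    int sig = fault_signal_from_child();
    /* Only the offending process died; the parent keeps running. */
    printf("child terminated by signal %d; parent still running\n", sig);
    return sig == expected_fault_signal() ? 0 : 1;
}
```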

The Perils of Kernel Mode: The Blue Screen of Death

If you’ve ever experienced a Blue Screen of Death (who hasn’t?) that forced your computer to shut down or restart, chances are it was caused by a kernel-mode process.

When a kernel-mode process does something it shouldn’t, the operating system can’t recover from it and the whole computer shuts down. When a user mode process goes haywire, only the application crashes and the rest of the software and operating system can continue without a hitch.

This is an area where APIs play a vital role, as it is the API that asks for kernel mode privileges. User mode applications essentially delegate requests that would have required kernel mode privileges to the API.

This is why kernel mode is usually granted only to low-level system processes that need to access the computer’s hardware directly. Usually this right is extended to a process because it needs more performance than user mode can provide. Some CPU instructions only work in kernel mode, so if a process needs to use those functions, it needs to be elevated.

If you’re having trouble with Blue Screen of Death, be sure to read our Blue Screen of Death troubleshooting guide for Windows 10!
