
Ntoskrnl.exe


ntoskrnl.exe (short for Windows NT operating system kernel), also known as the kernel image, provides the kernel and executive layers of the Windows NT kernel space and is responsible for core system services such as hardware abstraction (together with the HAL), process management and memory management, making it a fundamental part of the system. It contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager and the scheduler.

This system binary is not a native application in the sense that it is not linked against ntdll.dll; instead it has a conventional entry point, a small routine that calls the architecture-independent kernel initialization function. While ntoskrnl.exe is not linked against ntdll.dll, it is linked against bootvid.dll, hal.dll and kdcom.dll. Because it carries a static copy of the C run-time routines it depends on, the executable is comparatively large, about 2 MB on the 32-bit releases this description refers to (later 64-bit builds are considerably larger).

Overall, there are four kernel image files: ntoskrnl.exe (uniprocessor), ntkrnlmp.exe (multiprocessor), ntkrnlpa.exe (uniprocessor with PAE) and ntkrpamp.exe (multiprocessor with PAE). The multiprocessor or uniprocessor file is selected at install time, and the PAE or non-PAE file is selected by the /PAE switch in boot.ini or the pae BCD element (bcdedit /set pae ForceEnable), according to the processor's features. On 32-bit systems the PAE kernel is also what enables hardware DEP (NX), so it may be chosen even when more than 4 GB of RAM is not in use; 64-bit editions ship a single ntoskrnl.exe.

Windows kernel code typically uses Hungarian notation for type names (for example PULONG for a pointer to ULONG), but not for variable names.

Routines in ntoskrnl use prefixes on their names to indicate in which component of ntoskrnl they are defined, for example Cc (cache manager), Cm (configuration manager), Ex (executive support), Io (I/O manager), Ke (kernel), Mm (memory manager), Ob (object manager), Ps (process and thread manager), Rtl (run-time library), Se (security reference monitor) and Nt/Zw (system service entry points). Internal, non-exported helpers follow the same scheme with a trailing "p" (Obp, Psp, Iop) or an "i" in place of the second letter (Ki for Ke, Mi for Mm).
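The prefix convention is most useful when reading a crash dump, an export listing or a hooked system-service table, where the prefix tells you which subsystem a routine belongs to and whether it is meant to be reachable from outside the kernel. The following Python helper is an added example, not code from the original article or from Microsoft; the prefix table is a subset assumed from the documented convention, the sample routine names are constructed, and the optional classify_exports helper (which uses the third-party pefile module) is only needed if you point it at a real kernel image.

```python
"""Classify Windows kernel routine names by component prefix.

Added example: the prefix table is an assumed subset of the documented
convention and the sample export list below is constructed, not taken
from a real ntoskrnl.exe.
"""
import re
from collections import defaultdict

# Public component prefixes (assumed subset; extend for your own analysis).
COMPONENTS = {
    "Cc": "cache manager",
    "Cm": "configuration manager (registry)",
    "Ex": "executive support routines",
    "FsRtl": "file system run-time library",
    "Hal": "hardware abstraction layer",
    "Io": "I/O manager",
    "Ke": "kernel",
    "Ldr": "image loader",
    "Mm": "memory manager",
    "Nt": "system service entry point",
    "Ob": "object manager",
    "Ps": "process and thread manager",
    "Rtl": "run-time library",
    "Se": "security reference monitor",
    "Zw": "system service entry point (kernel-mode alias of Nt)",
}

# Internal variants that do not use the "<prefix>p" convention.
INTERNAL_ALIASES = {"Ki": "Ke", "Mi": "Mm"}

# Fallback for prefixes missing from the table: the leading capitalised
# word, optionally followed by the private marker "p".
_GENERIC = re.compile(r"^([A-Z][a-z]+?)(p?)(?=[A-Z])")


def classify(name):
    """Return (prefix, component, is_private) for a kernel routine name.

    is_private is True for routines that use the "<prefix>p" or the
    Ki/Mi form, i.e. internal helpers that are not part of the
    exported kernel API surface.
    """
    for alias, public in INTERNAL_ALIASES.items():
        if name.startswith(alias) and name[len(alias):len(alias) + 1].isupper():
            return public, COMPONENTS[public], True
    # Longest prefix first so that "FsRtl" wins over "Fs" or "Rtl".
    for prefix in sorted(COMPONENTS, key=len, reverse=True):
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):]
        if rest[:1].isupper():
            return prefix, COMPONENTS[prefix], False
        if rest[:1] == "p" and rest[1:2].isupper():
            return prefix, COMPONENTS[prefix], True
    m = _GENERIC.match(name)
    if m:
        return m.group(1), "unknown component", bool(m.group(2))
    return None, "no recognised prefix", False


def summarize(names):
    """Group routine names by component; returns {component: sorted names}."""
    groups = defaultdict(list)
    for n in names:
        _, component, _ = classify(n)
        groups[component].append(n)
    return {k: sorted(v) for k, v in groups.items()}


def private_routines(names):
    """Names that should not appear in an export table; a useful sanity
    check when a dumped or patched image exposes more than it should."""
    return sorted(n for n in names if classify(n)[2])


def classify_exports(path):
    """Classify the export table of a real kernel image (needs pefile)."""
    import pefile  # third-party; imported lazily so the rest runs without it
    pe = pefile.PE(path)
    names = [e.name.decode() for e in pe.DIRECTORY_ENTRY_EXPORT.symbols if e.name]
    return summarize(names)


# Constructed sample, mixing public, private and non-prefixed names.
SAMPLE_EXPORTS = [
    "ExAllocatePoolWithTag", "IoCreateDevice", "KeBugCheckEx",
    "KiSystemStartup", "MmMapIoSpace", "MiAllocatePool",
    "NtCreateFile", "ZwCreateFile", "ObpCreateHandle",
    "PspCreateProcess", "RtlInitUnicodeString", "SeAccessCheck",
    "FsRtlIsNameInExpression", "HalGetBusData", "DbgPrint", "memcpy",
]

if __name__ == "__main__":
    for component, routines in summarize(SAMPLE_EXPORTS).items():
        print(f"{component}: {', '.join(routines)}")
    print("private:", private_routines(SAMPLE_EXPORTS))
```

One caveat the Nt/Zw pair carries for anyone auditing kernel code: a Zw routine called from kernel mode marks the previous mode as kernel, so the parameter probing and handle access checks that the corresponding Nt service performs for a user-mode caller are skipped. Passing caller-controlled pointers or handles straight into a Zw call from a driver therefore bypasses exactly the checks the security reference monitor would otherwise apply.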

When the kernel receives control, it is passed a pointer to a structure (the loader parameter block) as its parameter. This structure is filled in by the boot loader and describes the hardware, the path to the registry file, the kernel parameters that carry boot preferences or options changing the kernel's behaviour, and the paths of the files the boot loader has already loaded (the SYSTEM registry hive, the NLS tables used for character-encoding conversion and the VGA font). The definition of the structure can be retrieved with the kernel debugger (for example, dt nt!_LOADER_PARAMETER_BLOCK in WinDbg once symbols are loaded) or from the Microsoft symbol server.

