What are the types of kernel objects?
Windows provides several types of kernel objects, such as
access token objects, event objects, file objects,
file-mapping objects, I/O completion port objects, job
objects, mailslot objects, mutex objects, pipe objects,
process objects, semaphore objects, thread objects, and
waitable
What is a kernel object?
Each kernel object is simply a memory block allocated by
the kernel and is accessible only by the kernel. This
memory block is a data structure whose members maintain
information about the object. Some members (security
descriptor, usage count, and so on) are the same across
all object types, but most are specific to a particular
object type. For example, a process object has a process
ID, a base priority, and an exit code, whereas a file
object has a byte offset, a sharing mode, and an open
Can user-mode code access these kernel object structures?
No. Kernel object data structures are accessible only by
the kernel; a process never holds a pointer to one.
If we cannot alter these kernel object structures
directly, how do our applications manipulate these
objects?
The answer is that Windows offers a set of functions
that manipulate these structures in well-defined ways.
These kernel objects are always accessible via these
functions. When you call a function that creates a
kernel object, the function returns a handle that
identifies the object.
Who owns a kernel object?
Kernel objects are owned by the kernel, not by a process.
How does a kernel object outlive the process that created
it?
If your process calls a function that creates a kernel
object and then your process terminates, the kernel
object is not necessarily destroyed. Under most
circumstances the object will be destroyed, but if
another process is using the kernel object your process
created, the kernel knows not to destroy the object
until the other process has stopped using it.
Which data member is common to all kernel objects, and
what is it used for?
The usage count is one of the data members common to all
kernel object types (the security descriptor is another).
The usage count records how many processes currently
have the object open. It is set to 1 when the object is
created, incremented each time another process gains
access to the object, and decremented each time a handle
to it is closed; when the count reaches 0, the kernel
frees the object. This is why an object survives the
death of its creator while some other process still
holds a handle to it.
How do you tell a kernel object from a User object?
The easiest way to determine whether an object is a
kernel object is to examine the function that creates
the object. Almost all functions that create kernel
objects have a parameter (a PSECURITY_ATTRIBUTES) that
allows you to specify security attribute information,
because kernel objects carry a security descriptor.
Functions that create User or GDI objects, such as
CreateWindowEx or CreateSolidBrush, have no such
parameter, since those objects are not secured.
What is the purpose of the process handle table?
When a process is initialized, the system allocates a
handle table for it. This handle table is used only for
kernel objects, not for User objects or GDI objects.
When a process first initializes, its handle table is
empty. Then, when a thread in the process calls a
function that creates a kernel object, such as
CreateFileMapping, the kernel allocates a block of
memory for the object and initializes it; the kernel
then scans the process's handle table for an empty entry.
Name a few functions that create kernel objects.
HANDLE CreateThread(...), HANDLE CreateFile(...), HANDLE
Functions that create kernel objects return
process-relative handles that can be used successfully
by any and all threads that are running in the same
process.
What is a handle?
A handle value is actually the index into the process's
handle table that identifies where the kernel object's
information is stored. Because it is an index into one
process's table, the same handle value means nothing in
another process.
How does a handle help manipulate kernel objects?
Whenever you call a function that accepts a kernel
object handle as an argument, you pass the value
returned by one of the Create* functions. Internally,
the function looks in your process's handle table to get
the address of the kernel object you want to manipulate
and then manipulates the object's data structure in a
well-defined way.
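The following is an added illustration, not code from the page's source and not the real Windows implementation. It is a small C model of the three mechanisms described above: the usage count that decides when the kernel frees an object, the per-process handle table that Create* functions scan for an empty entry, and the handle that is merely an index into that table. The names (KernelObject, Process, model_create, model_close, model_duplicate, model_process_exit) and the table size of 4 are assumptions chosen for the model; the scenario in demo_lifetime walks through a creator process dying while a second process still holds a duplicated handle.

```c
/* Toy model of kernel objects, handle tables and usage counts.
 * Added illustration only; NOT the Windows implementation.
 * All type, function and constant names are assumed for the model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define HANDLE_TABLE_SIZE 4   /* deliberately tiny so a full table is easy to hit */
#define BAD_HANDLE (-1)

typedef struct {
    char type[16];           /* type-specific members omitted */
    unsigned usage_count;    /* member common to every kernel object type */
} KernelObject;

typedef struct {
    KernelObject *handle_table[HANDLE_TABLE_SIZE];  /* NULL marks an empty entry */
} Process;

static unsigned g_live_objects;   /* objects the "kernel" has not freed yet */

unsigned live_object_count(void) { return g_live_objects; }

/* Scan the process's table for an empty entry and point it at obj.
 * The index of that entry is what the process gets back as its handle. */
static int install_handle(Process *p, KernelObject *obj)
{
    for (int i = 0; i < HANDLE_TABLE_SIZE; i++) {
        if (p->handle_table[i] == NULL) {
            p->handle_table[i] = obj;
            obj->usage_count++;
            return i;
        }
    }
    return BAD_HANDLE;        /* table full */
}

/* Model of a Create* function: allocate kernel-owned memory, then install. */
int model_create(Process *p, const char *type)
{
    KernelObject *obj = calloc(1, sizeof *obj);
    if (obj == NULL) return BAD_HANDLE;
    strncpy(obj->type, type, sizeof obj->type - 1);
    g_live_objects++;
    int h = install_handle(p, obj);
    if (h == BAD_HANDLE) { free(obj); g_live_objects--; }
    return h;
}

/* First step of every function that takes a handle: index -> object address.
 * A handle value from another process simply does not resolve here. */
KernelObject *model_lookup(const Process *p, int h)
{
    if (h < 0 || h >= HANDLE_TABLE_SIZE) return NULL;
    return p->handle_table[h];
}

/* Model of CloseHandle: clear the entry, drop the count, free only at zero. */
bool model_close(Process *p, int h)
{
    KernelObject *obj = model_lookup(p, h);
    if (obj == NULL) return false;        /* invalid or already-closed handle */
    p->handle_table[h] = NULL;
    if (--obj->usage_count == 0) { free(obj); g_live_objects--; }
    return true;
}

/* Model of DuplicateHandle: a second handle, in another process, to one object. */
int model_duplicate(const Process *src, int h, Process *dst)
{
    KernelObject *obj = model_lookup(src, h);
    return obj ? install_handle(dst, obj) : BAD_HANDLE;
}

/* Process termination: the kernel closes every handle the process left open. */
void model_process_exit(Process *p)
{
    for (int i = 0; i < HANDLE_TABLE_SIZE; i++) model_close(p, i);
}

/* Walks the lifetime described on the page. Returns 0 on success, otherwise
 * the number of the step whose expectation failed. */
int demo_lifetime(void)
{
    Process a = {{0}}, b = {{0}};
    int h = model_create(&a, "Event");
    if (h != 0 || live_object_count() != 1) return 1;
    if (model_lookup(&b, h) != NULL) return 2;          /* handles are process-relative */
    int h2 = model_duplicate(&a, h, &b);
    if (h2 == BAD_HANDLE || model_lookup(&a, h)->usage_count != 2) return 3;
    model_process_exit(&a);                              /* creator terminates... */
    if (live_object_count() != 1) return 4;              /* ...object survives */
    if (model_lookup(&b, h2)->usage_count != 1) return 5;
    if (!model_close(&b, h2) || live_object_count() != 0) return 6;
    if (model_close(&b, h2)) return 7;                   /* double close is rejected */
    return 0;
}

/* Returns what model_create hands back once the table has no empty entry. */
int demo_table_full(void)
{
    Process p = {{0}};
    int last = 0;
    for (int i = 0; i <= HANDLE_TABLE_SIZE; i++) last = model_create(&p, "Mutex");
    model_process_exit(&p);
    return last;
}

int main(void)
{
    printf("lifetime demo: %s\n", demo_lifetime() == 0 ? "ok" : "FAILED");
    printf("create into a full table returns %d\n", demo_table_full());
    return 0;
}
```

Two things the model makes visible that the prose only states: the creator's handle table is emptied when it exits, yet the object is freed only when the last usage count drops to zero in the other process; and a handle value is valid solely against the table it was issued from, so passing a raw handle value to another process (without DuplicateHandle) resolves to nothing, or worse, to an unrelated object.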