<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>What is kernel mode?</title><link>http://blogs.msdn.com/ce_base/archive/2007/01/29/What-is-kernel-mode.aspx</link><description>Posted by: Sue Loh I've talked about this before but I want to really highlight it because I still see people wrestling with it. In Windows CE 5.0 and earlier, "kernel mode" is an access level attached to a thread. If a thread is "in kernel mode" it can</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: What is kernel mode?</title><link>http://blogs.msdn.com/ce_base/archive/2007/01/29/What-is-kernel-mode.aspx#1571671</link><pubDate>Thu, 01 Feb 2007 13:13:43 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1571671</guid><dc:creator>Mukesh Modi</dc:creator><description>&lt;p&gt;Nice article&lt;/p&gt;
&lt;p&gt;thank you very much loh&lt;/p&gt;
</description></item><item><title>re: What is kernel mode?</title><link>http://blogs.msdn.com/ce_base/archive/2007/01/29/What-is-kernel-mode.aspx#1580928</link><pubDate>Fri, 02 Feb 2007 11:14:05 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1580928</guid><dc:creator>TM Ningen</dc:creator><description>&lt;p&gt;I actually have a question about the safety of 5.0 kernel mode. It looks like when an (untrusted) app makes a system call, e.g., FS_CreateFileW, the thread will execute in kernel mode (or with the permission of a privileged process) but still uses the user stack. I presume the user stack is writable by the user code, since it lives in the application's &amp;quot;memory slot&amp;quot;.&lt;/p&gt;
&lt;p&gt;Wouldn't it be possible for the user application to corrupt the stack (using another concurrent user thread) while one of its threads is in a system call? This seems quite scary to me. If you manage to modify a return address, you can start executing in kernel mode (or at least with the permissions of filesys.exe, in the case of FS_CreateFileW).&lt;/p&gt;
</description></item><item><title>re: What is kernel mode?</title><link>http://blogs.msdn.com/ce_base/archive/2007/01/29/What-is-kernel-mode.aspx#1583920</link><pubDate>Fri, 02 Feb 2007 20:40:53 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1583920</guid><dc:creator>ce_base</dc:creator><description>&lt;p&gt;Excellent question!&lt;/p&gt;
&lt;p&gt;I haven't actually mentioned this fact before, but when a thread &amp;quot;jumps&amp;quot; into a system process to call an API, the kernel actually allocates a new stack inside the system process in order to execute the API call. &amp;nbsp;This is to prevent the caller from tampering with the stack asynchronously during the API call. &amp;nbsp;It switches back to the caller's stack when the API call returns.&lt;/p&gt;
&lt;p&gt;This was not always true. &amp;nbsp;I had to ask Bor-Ming, our primary kernel developer, about it, and he tells me that this stack-switching was added in Windows CE 4.0.&lt;/p&gt;
&lt;p&gt;Sue&lt;/p&gt;
</description></item><item><title>re: What is kernel mode?</title><link>http://blogs.msdn.com/ce_base/archive/2007/01/29/What-is-kernel-mode.aspx#1629525</link><pubDate>Thu, 08 Feb 2007 23:31:13 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1629525</guid><dc:creator>Dean Ramsier</dc:creator><description>&lt;p&gt;Actually, in CE kernel mode threads do run with elevated processor privileges although you're correct in saying that's not how the term is normally used in CE.&lt;/p&gt;
&lt;p&gt;Exactly how kernel mode is implemented is processor architecture dependent. &amp;nbsp;On ARM processors, all processor modes except for the user mode are privileged. &amp;nbsp;The different privileged modes are not more or less privileged than the others, they are just different modes that allow fast switching between different contexts (interrupts, exceptions etc). &amp;nbsp;The privileged modes allow the caller to execute instructions that aren't valid in the normal user mode.&lt;/p&gt;
&lt;p&gt;The vast majority of the time we are correct in saying that &amp;quot;kernel mode&amp;quot; just means having privileges in the upper 2GB of memory space, but there really is more to it than that and the differences are cpu architecture specific. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;Regards,&lt;/p&gt;
&lt;p&gt;Dean&lt;/p&gt;
</description></item><item><title>re: What is kernel mode?</title><link>http://blogs.msdn.com/ce_base/archive/2007/01/29/What-is-kernel-mode.aspx#1629786</link><pubDate>Fri, 09 Feb 2007 00:07:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1629786</guid><dc:creator>ce_base</dc:creator><description>&lt;p&gt;Fair enough, thanks for the correction Dean!&lt;/p&gt;
&lt;p&gt;Sue&lt;/p&gt;
</description></item></channel></rss>