http://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspxPosted by: Sue Loh Windows CE APIs are implemented by a set of server processes. Besides the kernel (nk.exe) we have other server processes: filesys.exe, gwes.exe, device.exe, services.exe. When an application calls an API in one of these servers, theen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#528266Thu, 09 Feb 2006 07:57:31 GMT91d46819-8472-40ad-a661-2c78acb4018c:528266Dean RamsierGreat description of the thunking process, I always had a general idea of what was going on but never saw a real description. &nbsp; <br /> <br />One correction, I believe that kernel mode threads do not have access to any memory address they like, they can only access the memory for their slot plus the kernel memory. &nbsp;Other user processes are still protected. &nbsp;The kernel can't trash the memory of another process any easier than a user mode thread can. &nbsp; <br /> <br />Any process (including the kernel) that wants to access the memory of another process must call SetProcPermissions to gain access to the virtual addresses in the slot. &nbsp; <br /> <br />- Deanhttp://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#528298Thu, 09 Feb 2006 08:22:20 GMT91d46819-8472-40ad-a661-2c78acb4018c:528298Dean RamsierCorrection to the above - the kernel can trash all physical memory via kernel virtual addresses, since all physical memory is mapped into kernel virtual address space. &nbsp;It just can't arbitrarily access any virtual address in user space below 0x80000000. <br /> <br />- Deanhttp://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#528545Thu, 09 Feb 2006 16:56:09 GMT91d46819-8472-40ad-a661-2c78acb4018c:528545ce_baseThanks Dean, you're right, I was being inaccurate when I said that kernel mode threads can access any memory they want. &nbsp;There is still address space protection for user mode virtual addresses. &nbsp;I *think* (but don't know for sure) that kernel mode threads are allowed to access all of the kernel virtual address space (over 0x80000000). &nbsp;And yeah that would mean that kernel mode threads could access all user mode memory via the static-mapped kernel address space, though they'd have a tough time figuring out the mapping between user mode address and static-mapped kernel address. &nbsp;In reality, any thread that's allowed to run in KMODE will also be allowed to call SetProcPermissions and access the user mode address directly. &nbsp;In KMODE the address space protection is more to catch accidental mistakes than intentional abuses. &nbsp;But, thanks for keeping me honest! &nbsp;;-) <br /> <br />Suehttp://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#528690Thu, 09 Feb 2006 20:08:53 GMT91d46819-8472-40ad-a661-2c78acb4018c:528690Dean RamsierKernel mode threads can access all kernel memory, that over 0x80000000. &nbsp;That's all that kernel mode really means, from a user point of view. &nbsp;The other benefits are under the hood performance, which you've described here. <br /> <br />Most people don't realize the difference between kmode and trust. &nbsp;In order for a thread to call SetProcPermissions (or SetKMode, or one of any number of other trusted APIs) the thread has to be trusted, not necessarily in KMode. &nbsp;Unless the OEM has done something to implement a trusted environment, all threads will be trusted, and all threads can move themselves in and out of KMode and independently call SetProcPermissions. <br /> <br />As you said, any thread in KMode can call SetProcPermissions, but that is because it could only have gotten into KMode if it was already trusted. <br /> <br /> <br />Maybe a blog on this topic sometime? <br /> <br />Keep up the good work! <br /> <br />- Dean <br />http://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#528718Thu, 09 Feb 2006 20:34:50 GMT91d46819-8472-40ad-a661-2c78acb4018c:528718ce_baseGood points, Dean, thanks! <br /> <br />Suehttp://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#533741Fri, 17 Feb 2006 03:30:30 GMT91d46819-8472-40ad-a661-2c78acb4018c:533741CharlieIs generating an exception this way more efficient on ARM than a software interrupt? Or why was this method picked? Where can I learn more about the internals of Windows CE?http://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#534179Fri, 17 Feb 2006 20:06:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:534179ce_baseI don't know why this method was picked, actually. &nbsp;I think it's probably linked to the fact that we continue executing on the current thread rather than switch to a different thread inside the server process. <br> <br>The best description of Windows CE internals that I know of is the book &quot;Inside Microsoft Windows CE&quot; by John Murray. &nbsp;It's a little dated by now, but it lays out the groundwork of what you'd need to know to understand what's going on inside the OS. <br> <br>Suehttp://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#1454137Fri, 12 Jan 2007 09:02:37 GMT91d46819-8472-40ad-a661-2c78acb4018c:1454137Windows CE Base Team Blog<p>Posted by: Sue Loh I am occasionally asked whether I know any good books or other resources to help learn</p> http://blogs.msdn.com/ce_base/archive/2006/02/02/Inside-Windows-CE-API-Calls.aspx#1568423Thu, 01 Feb 2007 03:29:12 GMT91d46819-8472-40ad-a661-2c78acb4018c:1568423Windows CE Base Team Blog<p>Posted by: Sue Loh I've talked about this before but I want to really highlight it because I still see</p>