NT-Architecture: What is.. Kernel- and User-Mode

Most operatingsystems have programs for displaying CPU utilization. In Windows this program is “Task Manager”.

The CPU-utilisation is generally displayed as a simple percentage of CPU time spent on non-idle-tasks. But this is just a simplification. The CPU spends time in two very distinct modes in every modern operating-system:

1. Kernel-Mode

The executing code in Kernel-Mode has unrestricted access at the Hardware. This code is able to execute every CPU-instruction and has fully access to every memory address. Kernel mode is reserved for lowest-level, most trusted functions of the operating system. But a crash in kernel-mode is catastrophic because it will halt the PC.

2. User-Mode

The excecuting code in User-Mode is not able to directly access memory or other hardware. Code in user mode must use system APIs to access the systems hardware and memory. Crashes in User-Mode are recoverable due to the protection by the isolation. Most code is executed in user-mode.

It is possible to display the kernel-time in Windows Task Manager (as I did in the picture above). The green line represents the total CPU time and the red line represents the Kernel time. The difference between this lines show the User-time.

These two modes aren't mere labels; they're enforced by the CPU hardware. If code executing in User mode attempts to do something outside its purview-- like, say, accessing a privileged CPU instruction or modifying memory that it has no access to -- a trappable exception is thrown. Instead of your entire system crashing, only that particular application crashes.

x86-CPU-Hardware has 4 protection rings: 0, 1, 2, and 3. Typically just 1 and 3 are used.

If we're only using two isolation rings, it's a bit unclear where device drivers should go-- the code that allows us to use our video cards, keyboards, mice, printers, and so forth. Do these drivers run in Kernel mode, for maximum performance, or do they run in User mode, for maximum stability? In Windows, at least, the answer is it depends. Device drivers can run in either user or kernel mode. Most drivers are shunted to the User side of the fence these days, with the notable exception of video card drivers, which need bare-knuckle Kernel mode performance. But even that is changing; in Windows Vista, video drivers are segmented into User and Kernel sections. Perhaps that's why gamers complain that Vista performs about 10 percent slower in games.

The exact border between these modes is still somewhat unclear. What code should run in User mode? What code should run in Kernel mode? Or maybe we'll just redefine the floor as the basement-- the rise of virtualization drove the creation of a new ring below all the others, Ring -1, which we now know as x86 hardware virtualization.

The User-Modus is clearly helpful, but not without disadvantage: Transitioning between the two modes is really slow.

The CPU's strict segregation of code between User and Kernel mode is completely transparent to most of us, but it is the difference whether the computer crashes or programs crash most of the time.