Understanding Kernel Mode and User Mode using Perfmon

Post category:Microsoft / VMware
Post published:November 29, 2019
Post last modified:January 6, 2020

Introduction

When the Operating System is designed, it is designed in such a way that the Components/Drivers (Kernel Mode Process) which are associated with the heart of the Operating system should run separately from the optional components (User Mode Process) which were installed on the OS. These Optional Components could be Software like Excel, adobe reader, etc.

This is how Kernel Mode and User Mode looks like:

For these System core applications to run separately operating system has to processor access Modes. User application code can run un User Mode and the Operating System Code ( such as Device drivers and system services) can run in Kernel Mode. Please note that there is no physical allocation given to these Kernel Mode and User Mode, it’s just a mode of execution on the processor.

More information on this case be found on Wiki: P rotection ring

Although all the Windows Processes has its own private memory space in the Virtual memory. The Kernel Mode Processes get tagged which is used to indicate the access mode of the Processor while running these codes. Pages in system space can be accessed only from kernel mode, whereas all pages in the user address space are accessible from user mode. Read-only pages (such as those that contain static data) are not writable from any mode. Additionally, on processors that support no-execute memory protection, Windows marks pages containing data as nonexecutable, thus preventing inadvertent or malicious code execution in data areas.

Experiment:

You can use the Performance Monitor to see how much time your system spends executing in kernel mode and user mode.

Run the Performance Monitor
1. Type Win+R and Type Perfmon:

2. Select Performance Monitor:
3. Click the Add button (+) on the toolbar.
4. Expand the Processor counter section, click the % Privileged Time counter and, while holding down the Ctrl key, click the % User Time counter.

5. Click Add, and then click OK.

6. You can now run any program or just even run CHKDSK in read-only mode using Command Prompt. You can see the chart below:

For more Understanding of WIndows Processes please follow: https://knowitlikepro.com/understanding-windows-process-layer-using-procmon-part-1/

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.