System architecture
How Windows separates user mode and kernel mode, and why the system is built in layers.
In 30 seconds
Windows splits user apps from kernel code; everything sensitive goes through kernel services and drivers.
You understand this if…
- ✓ You can name what runs in user mode vs kernel mode.
- ✓ You can describe the boot chain in five words or fewer per stage.
Why it matters
This is the map that makes every other Windows concept easier. If you know where code runs and who owns what, topics like processes, memory, and security stop feeling abstract.
Mental model
Think of Windows as a stack of contracts: firmware starts the machine, the boot loader starts the kernel, and the kernel exposes services that higher layers build on.
Schematic
Firmware
The platform starts here. Firmware initializes hardware and hands control to the boot manager.
Windows building blocks
Names and paths you can look for in Task Manager, Explorer, or documentation.
- File: ntoskrnl.exe, in %SystemRoot%\System32: Windows kernel image
- File: hal.dll, in %SystemRoot%\System32: Hardware abstraction layer
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- User mode is where most applications and subsystems run; kernel mode is required for scheduling, memory, I/O dispatch, and security enforcement.
- Syscalls are the controlled gates between these modes—there is no supported shortcut around them for normal apps.
How it works
1. Firmware hands control to the Windows boot manager.
2. The loader prepares the kernel image, drivers, and core memory structures.
3. The kernel and executive initialize system services before user-mode subsystems start.
4. User applications then talk to Windows through stable APIs instead of touching hardware directly.
Key terms
- User mode: The least-privileged execution mode used by apps and most services.
- Kernel mode: The privileged execution mode that can access hardware and core OS state.
- Executive: The set of kernel services for memory, objects, I/O, security, and process management.
Launching a desktop app
When you open an application, you see a user-mode program, but under the hood Windows relies on kernel services for handles, memory mappings, scheduling, and security checks.
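The user/kernel split described above can be observed from an ordinary process. The following is an added example, not part of the original page: it uses Python's `os.times()` to compare how CPU time divides between user mode and kernel mode for a pure-computation workload and for one that repeatedly asks the kernel for file handles. The function names and iteration counts are assumptions chosen for illustration.

```python
import os
import tempfile


def cpu_split(workload):
    """Run workload(); return (user_seconds, kernel_seconds) it cost this process."""
    before = os.times()
    workload()
    after = os.times()
    return after.user - before.user, after.system - before.system


def compute_only(n=2_000_000):
    """Pure arithmetic: no kernel services needed, so time accrues in user mode."""
    total = 0
    for i in range(n):
        total += i * i
    return total


def syscall_heavy(n=20_000):
    """Each open/write/close crosses into kernel mode for a handle and an I/O request."""
    fd, path = tempfile.mkstemp()  # constructed scratch file, removed afterwards
    os.close(fd)
    try:
        for _ in range(n):
            fd = os.open(path, os.O_WRONLY)
            os.write(fd, b"x")
            os.close(fd)
    finally:
        os.remove(path)


def kernel_share(user, kernel):
    """Fraction of CPU time spent in kernel mode (0.0 when nothing was measured)."""
    total = user + kernel
    return kernel / total if total > 0 else 0.0


if __name__ == "__main__":
    for name, work in (("compute_only", compute_only), ("syscall_heavy", syscall_heavy)):
        user, kernel = cpu_split(work)
        print(f"{name:14s} user={user:.3f}s kernel={kernel:.3f}s "
              f"kernel share={kernel_share(user, kernel):.0%}")
```

Exact figures vary by machine and timer resolution; what matters is the contrast in kernel share between the two workloads.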
Common misconception
Beginners often treat the kernel as a single monolith. In practice, Windows is layered: kernel primitives, executive services, drivers, and user-mode subsystems all play different roles.
Go deeper
HAL & boot
Hardware abstraction and the path from firmware to the running kernel.
Executive & subsystems
Core OS services and the user-mode environments that sit on top of them.
Kernel mechanisms (IRQL, DPC, interrupts)
Low-level execution rules that explain driver bugs, lost interrupts, and why some code cannot sleep.