Ntoskrnl.exe: what is it? A detailed description of the component

Operating systems of the Windows family are, to some extent, the standard throughout the world, and in our country this is even more pronounced. For the majority of domestic users, the expression "operating system" brings to mind nothing other than the familiar "windows".

For the same reason, most of the problems our users have to deal with are connected, one way or another, with particular characteristics of Windows. Unfortunately, only a few users have any idea about the operating system they work with every day, and this is what leads to most of the more annoying problems. Do you know, for example, what ntoskrnl.exe is? It is one of the fundamental components of Windows, and without knowing its features you can run into serious difficulties.

Definition

Simply put, this unassuming name hides nothing less than the kernel of NT systems. It is not the whole kernel, of course, but a significant part of it. The file is designed to run in protected mode, and that is exactly why it is a fairly standard target for malicious programs attacking the system.

Where is it located?

Knowing where a process's file is located is extremely useful in most cases, since it lets you determine whether an item in Task Manager is a virus. In this case, however, the file is located in several places at once, which is a justified step for increasing the security of such an important structural element of the system.

As a result, when the OS is seriously damaged by a system or hardware failure, a virus attack or other trouble, the recovery procedure becomes much easier. Still, let's run a standard search across all Windows directories. Since XP, you can find the file at: c:\windows\system32\ntoskrnl.exe.

Different versions of the file

Specialists note that, to date, four versions of this file can be found side by side on Windows systems. Here they are:

  • Ntoskrnl.exe can be the kernel component for single-processor system configurations;
  • Accordingly, it can also be part of the multiprocessor version of the OS;
  • A single-processor system with more than three gigabytes of RAM also requires its own version of this file for stable operation;
  • Finally, multi-core systems with more than three gigabytes of RAM have a separate ntoskrnl.exe.

Role in managing system boot

At the initial stage of booting, the system's bootloader transfers control to the system file Ntoskrnl. The latter initiates the detection of various devices and significantly speeds up the preparation of the system environment for working with applications and utilities.

What is the significance of ntoskrnl.exe for newer systems? Windows 7 (as well as Windows 8 and Vista) depends on it even more than older versions of the OS do, because protecting the system from malicious programs is now of particular importance. Today such programs have become much more "inventive", penetrating the OS at the stage of its startup.

About the protection system

An extremely important component of this process is the kernel's Hardware Abstraction Layer (HAL). This matters because the ntoskrnl.exe process runs in the privileged mode of the CPU, which experts call "protection ring zero" (Ring 0). Simply put, this special access mode allows the process to access system components directly, bypassing even the interrupt mechanism. This is done for maximum kernel speed, balance and independence from the external system shell. Alas, in practice everything can turn out a little differently.

Once Again About Malware

Not surprisingly, this process is a "tasty morsel" for the creators of malicious applications. After all, infecting it gives access to the system at a low level! If such an intervention succeeds, any antivirus running directly on Windows becomes completely useless.

However, this problem was recently solved. Tampering with the system is now reliably detected by simply comparing the hash of the ntoskrnl.exe file (which you already know) running among the system processes with the corresponding "reference" value provided by Microsoft.
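The hash comparison described above can be sketched as follows. This is an added example, not code from the original article: it checks the on-disk copy of the file against a baseline of reference SHA-256 digests and also reports a missing file. The baseline format, the function names and the all-zero digest are assumptions made for illustration; a real reference digest must come from a trusted source.

```python
import hashlib
import hmac
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large kernel image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_against_baseline(baseline):
    """baseline maps a file path to its expected SHA-256 hex digest.

    Returns {path: status}, where status is OK, MODIFIED, MISSING or UNREADABLE.
    """
    results = {}
    for path, expected in baseline.items():
        if not Path(path).is_file():
            results[path] = "MISSING"      # e.g. the boot failure case
            continue
        try:
            actual = sha256_file(path)
        except OSError:
            results[path] = "UNREADABLE"   # locked file or insufficient rights
            continue
        # Normalise the reference value, then compare the two digests.
        same = hmac.compare_digest(actual, expected.strip().lower())
        results[path] = "OK" if same else "MODIFIED"
    return results


if __name__ == "__main__":
    # Constructed baseline: the digest is a placeholder, not a real
    # Microsoft reference value.
    BASELINE = {r"C:\Windows\System32\ntoskrnl.exe": "0" * 64}
    for path, status in check_against_baseline(BASELINE).items():
        print(f"{status:10} {path}")
```

A MODIFIED result only means the file differs from the baseline entry; a legitimate Windows update also changes the digest, so the baseline has to be refreshed after patching.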

Other protection methods

If you try to delete this file from its rightful place in the Windows folder, in ten to twelve seconds it will be back in the same place! Where does it come from? The system simply copies it directly from RAM.

The presence of this process in memory ensures that its copy on disk will not be replaced by some harmful substitute. To provide full protection, modern systems of the Windows family compare these files repeatedly while they are running.

How to verify that the process is present?

Let's check whether ntoskrnl.exe really is in the list of system processes. What does that involve? First start Task Manager (by pressing the three buttons, as we mentioned above), then tick the "Show processes from all users" option there. After that, the process can be seen. Of course, it should be launched from the following location: windows\system32\ntoskrnl.exe.

Possible problems

Alas, in practice it is not so rare for the system to fail to boot because the ntoskrnl.exe file is missing. The "blue screen of death" also often appears because of it.

Experts confidently say that in most cases this problem is caused by some malfunction of the computer's hard drive. Users often run into it after replacing the main system disk or connecting a new hard drive; simply put, after any physical manipulation of hard drives.

Common causes of problems

Despite some vagueness of terminology, a few basic causes remain practically unchanged. Here they are:

  • File system errors, which are especially common on XP and older operating systems (you can check for and fix them with the chkdsk command).
  • Hardware failures caused by a sudden power outage.
  • Bad blocks appearing on the hard disk surface (checked and corrected with a program called "Victoria").

Can I repair a corrupt file?

Yes, it is quite possible. To do this, you will need the disc from which you or your friends installed the system. After booting from it, select "System Restore" in the "Wizard" window that appears and start command-line mode from there. There, enter the following command: expand d:\i386\ntoskrnl.ex_ c:\windows\system32. Note: instead of D, use the letter of your optical drive!

Press Enter. If everything was done correctly, you will be asked to confirm overwriting the system file. Press Y, then press Enter again. The file will be copied from the optical disc and written in place of the damaged one on your system.

Important! Use only official installation discs for the restore. Under no circumstances use any kind of custom "builds" for this purpose, or you may end up with even bigger problems!
