
What Is the Kernel Filter Manager?

Posted: Thu Sep 26, 2013 9:59 pm by admin
The kernel of a computer operating system is its core, the heart that controls everything around it. Microsoft based early versions of the Windows OS on the DOS operating system, but switched to a kernel-based system for Windows NT and 2000. The NT kernel has been the basis for subsequent OS versions. The kernel filter manager enables Windows' two modes, kernel mode and user mode, to communicate.

When a central processing unit operates in kernel mode, whatever code the CPU runs has direct access to the system's underlying hardware and memory. In user mode, code can only gain access to the inner workings by going through an application programming interface. The CPU hardware keeps the two modes distinct. When they need to share information, the filter manager connects them through communication ports, allowing for a fast exchange of data between them.

Filter Manager

The filter manager works on more than just the kernel: It works with the entire file system, creating minifilters to act as drivers, programs that let software interact with hardware. The manager assigns minifilters to work at a particular point in the input/output memory space or stack. When the user mode and kernel mode need to communicate, a minifilter opens a port, specifies a security level and listens for connection attempts. If the user-mode caller has sufficient security, the filter manager allows the connection. When communication ends, the filter manager closes the connection.

Kernel Stack

The stack for the kernel mode has a limited amount of memory space. The amount is determined by the operating system and can't be modified. Because the stack is limited, Microsoft recommends users conserve as much space in the stack as possible. The filter manager helps: Microsoft has optimized it to use the least amount of stack space, and recursive calls -- ones that reference more than one program -- made through the filter manager don't place as heavy a demand on the stack as when made by other methods.


Another advantage to employing a filter manager is that it comes with support routines that help with common computer functions, such as kernel and user mode communications. This simplifies filtering requests. Most filter-manager drivers run in user mode because it's safer for the computer. If a driver crashes in kernel mode, the result can take down the entire system. In user mode, the only thing that crashes is whatever software the user employs at the time.
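
The point in the I/O stack that the filter manager assigns to each minifilter is what Microsoft calls its altitude, and `fltmc filters` lists it for every loaded minifilter. The following is an added example, not part of the original post: it parses that listing, orders the filters from the top of the stack down, and flags any whose altitude falls outside the listed load-order groups. The sample listing is constructed, the names `ExampleMonitor` and `ExampleOddFlt` are hypothetical, and `GROUPS` is only a subset of Microsoft's documented ranges.

```python
import re
from decimal import Decimal

# Subset of Microsoft's documented load-order groups and altitude ranges.
GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (260000, 269999, "FSFilter Content Screener"),
    (180000, 189999, "FSFilter HSM"),
    (140000, 149999, "FSFilter Encryption"),
    (130000, 139999, "FSFilter Virtualization"),
    (40000, 49999, "FSFilter Bottom"),
]

# Constructed sample in the layout `fltmc filters` prints (not from a real host).
SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                5       328010         0
ExampleMonitor                          3       385100.5       0
luafv                                   1       135000         0
ExampleOddFlt                           1       512345         0
FileInfo                                5        40500         0
"""

# name, instance count, altitude (may be fractional), frame
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")

def group_for(altitude):
    """Load-order group whose range contains the altitude, or None."""
    for low, high, name in GROUPS:
        if low <= altitude < high + 1:   # keeps fractional values such as 389999.5
            return name
    return None

def parse_filters(text):
    """Loaded minifilters as dicts, highest altitude (top of stack) first."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, separator, blank line or a row without an altitude
            continue
        alt = Decimal(m.group(3))
        rows.append({"name": m.group(1), "instances": int(m.group(2)),
                     "altitude": alt, "group": group_for(alt)})
    return sorted(rows, key=lambda r: r["altitude"], reverse=True)

def unrecognized(rows):
    """Names of filters whose altitude is outside every range in GROUPS."""
    return [r["name"] for r in rows if r["group"] is None]
```

On a real host, pass the captured output of `fltmc filters` (run from an elevated prompt) to `parse_filters` and review whatever `unrecognized` returns against the full altitude table.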