Windows 10 has many system files that are part of the core OS. End users often see them running in Task Manager or when they face a Blue Screen of Death (BSOD). Today, we explain three such system files: Ntoskrnl.exe, Ntkrnlpa.exe, and Win32k.sys.
Ntoskrnl.exe, Ntkrnlpa.exe, and Win32k.sys are system files that help in the running of the Windows operating system.
1] What is ntoskrnl.exe
NT-OS-Kernel = Ntoskrnl.exe.
It is the kernel of the operating system, which does and controls almost everything.
Windows will not work without it, or if it goes into panic mode because it thinks the system has a problem. It is interesting to note that this file is picked up last in the Windows 10 boot process. It loads Registry settings and additional drivers, and then passes control to the system manager process.
It is responsible for hardware virtualization, process management, and memory management. If you have seen a BSOD that mentions Ntoskrnl.exe, it is related to memory. Apart from this file, three more kernel files work along with ntoskrnl.exe: ntkrnlmp.exe, ntkrnlpa.exe and ntkrpamp.exe.
2] What is ntkrnlpa.exe
New Technology Kernel Process Allocator = NTKrnlPA.
Like Ntoskrnl.exe, Ntkrnlpa.exe is part of the kernel file list. When Windows starts, these programs are loaded into RAM to begin boot execution.
It is related to process allocation. It has access to system resources, computer hardware, and memory areas that are off-limits to other programs.
3] What is win32k.sys
Win32 subsystem = win32k.sys.
Once the boot process is complete and drivers are loaded, Windows starts the Session Manager to move into user mode. The Session Manager Subsystem loads the kernel-mode side of the Win32 subsystem, aka win32k.sys. It consists of Win32 API DLLs (kernel32.dll, user32.dll, gdi32.dll) and the Win32 subsystem process (csrss.exe).
- kernel32.dll: Dynamic link library for Windows
- user32.dll: It contains Windows API functions related to the Windows user interface
- gdi32.dll: It houses functions for the Windows GDI (Graphical Device Interface)
- csrss.exe: Client Server Runtime Process
All three files, Ntoskrnl.exe, Ntkrnlpa.exe, and Win32k.sys, are located in the System32 folder. If you have a 64-bit OS, they may be available in the SysWOW64 directory. If you find them in some other location as well, it is best to run an antivirus scan.
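The location check described above can be done from an elevated PowerShell prompt. This script is an added example, not part of the original article: it finds every copy of the three files on the system drive, marks whether each sits in System32 or SysWOW64, and records its digital signature status and SHA-256 hash. The search root and the report column names are assumptions made for illustration.

```powershell
# Added example: locate copies of the three kernel files and flag any that
# are outside the folders the article names or lack a valid signature.
$names = 'ntoskrnl.exe', 'ntkrnlpa.exe', 'win32k.sys'

# Expected folders per the article: System32, and SysWOW64 on 64-bit Windows.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

# Assumption: only the system drive is searched. Change as needed.
$searchRoot = "$env:SystemDrive\"

$report = foreach ($name in $names) {
    Get-ChildItem -Path $searchRoot -Filter $name -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                                 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path             = $_.FullName
                # -contains is case-insensitive for strings
                InExpectedFolder = $expected -contains $_.DirectoryName
                SignatureStatus  = $sig.Status
                Signer           = $sig.SignerCertificate.Subject
                SHA256           = $hash.Hash
            }
        }
}

# Show only the copies that deserve a closer look.
# Note: Windows keeps its own component-store copies under
# %SystemRoot%\WinSxS; those appear here as outside the expected folders
# but should report a Valid signature.
$report |
    Where-Object { -not $_.InExpectedFolder -or $_.SignatureStatus -ne 'Valid' } |
    Sort-Object Path |
    Format-List
```

A copy that is both outside the expected folders and not validly signed is the case the article's advice applies to: scan it with your antivirus before anything else.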