Windows kernel

The first process that is started by the kernel is the Windows Session Manager (smss.exe).

Components running in kernel mode

Components that run in kernel mode (as opposed to user mode) include

Function prefixes

Alpc   Advanced Local Inter-Process Communication
Cc     Cache manager (Common Cache)
Ci     Code integrity
Cm     Configuration Manager (Registry implementation, compare with Hv)
Csr    Client Server support functions (LPC; related: CSRSS.EXE)
Dbg    Debugger support
Dbgk   Debugging Framework for User-Mode
Em     Errata manager
Etw    Extended tracing (Event Tracing for Windows)
Ex     Executive
Fs     File system support
FsRtl  File System driver Run-Time Library
Hal    Hardware abstraction layer
Hv     Hive library
Hvl    Hypervisor library
Inbv   Probably: Initial Boot Video functions (???)
Io     I/O. Functionality is provided through device drivers (see get-childItem ntObject:\driver)
Kd     Kernel debugger
Ke     Exported functions
Ki     Kernel interrupt support functions (???)
Kse    Kernel shim engine
Ldr    PE image loader support
Lpc    LPC support
Lsa    Local security authority
Mm     Memory management
Nls    Native language support
Nt     Native API - syscall implementations (compare with Zw)
Ob     Object manager
Pf     Name prefix support functions (Prefetcher)
Po     Power management
Ppm    Processor Power Manager
Ps     Process management
Rtl    Runtime library (would apparently also work in user mode)
Rtlp   Private runtime library
Se     Security reference monitor (SRM). Implementation of the security mechanisms that restrict which users can access which resources.
Sm     Store Manager
Tm     Transaction manager
Ttm    Terminal timeout manager
Vf     Driver Verification
Whea   Windows Hardware Error Architecture
Wdi    Windows Diagnostic Infrastructure
Wmi    Windows management instrumentation
Zw     Similar to Nt, but sets the access mode (previous mode) to Kernel, which in turn eliminates any parameter validation.
       In user-mode NTDLL, Nt and Zw are synonymous. However, if code executing in the kernel calls Zw functions, the security access checks change.

Object manager

The object manager manages objects' memory allocation (but see also Mm), lifetimes, naming and handles.
Objects managed by the object manager include files, processes, threads etc.

Object types

Object types can be queried with the get-ntType powershell cmdlet (requires the NtObjectManager module):
PS:\> get-ntType | sort

Name
----
ActivationObject
ActivityReference
Adapter
ALPC Port
Callback
Composition
Controller
CoreMessaging
CoverageSampler
CrossVmEvent
CrossVmMutant
DebugObject
Desktop
Device
Directory
DmaAdapter
Driver
DxgkCompositionObject
DxgkCurrentDxgThreadObject
DxgkDisplayManagerObject
DxgkSharedBundleObject
DxgkSharedKeyedMutexObject
DxgkSharedProtectedSessionObject
DxgkSharedResource
DxgkSharedSwapChainObject
DxgkSharedSyncObject
EnergyTracker
EtwConsumer
EtwRegistration
EtwSessionDemuxEntry
Event
File
FilterCommunicationPort
FilterConnectionPort
IoCompletion
IoCompletionReserve
IRTimer
Job
Key
KeyedEvent
Mutant
NdisCmState
Partition
PcwObject
PowerRequest
Process
Profile
PsSiloContextNonPaged
PsSiloContextPaged
RawInputManager
RegistryTransaction
Section
Semaphore
Session
SymbolicLink
Thread
Timer
TmEn
TmRm
TmTm
TmTx
Token
TpWorkerFactory
Type
UserApcReserve
VRegConfigurationContext
WaitCompletionPacket
WindowStation
WmiGuid

Object manager namespace (OMNS)

PS:\> get-childItem ntObject:\
PS:\> get-childItem ntObject:\KernelObjects
PS:\> get-childItem ntObject:\KernelObjects  | where-object typename -eq Session
PS:\> get-childItem ntObject:\KernelObjects  | where-object typename -eq Event
PS:\> get-childItem ntObject:\Sessions
PS:\> get-childItem ntObject:\REGISTRY\USER\.DEFAULT\
PS:\> get-childItem ntObject:\REGISTRY\MACHINE\SAM\SAM
PS:\> get-childItem NtObject:\KnownDlls\
PS:\> get-childItem NtObject:\PowerPort
BaseNamedObjects (BNO)
By convention, \BaseNamedObjects is the directory into which users can create named kernel objects and thus share resources with other users in the system. (Note that users can choose other directories also).
PS:\> get-childItem ntObject:\BaseNamedObjects
GLOBAL??
\GLOBAL?? is the global directory for symbolic links, including drive mappings.
PS:\> get-childItem NtObject:\Global??\* | sort
Windows
Objects related to the Window Manager:
PS:\> get-childItem NtObject:\Windows

Symbolic links and their targets

PS:\> get-childItem ntObject:\DriverData | select-object symbolicLinkTarget

SymbolicLinkTarget
------------------
\SystemRoot\System32\Drivers\DriverData

LSA

Among the tasks of the LSA is the conversion between SIDs and names.

SRM

The SRM manages access tokens, one of which is assigned to each process.
In an access check, the SRM compares a resource's security descriptor with the caller's access token and then grants or denies access to the resource.
If auditing is enabled, the SRM also generates audit events.
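The access check described above can be reproduced from user mode with the NtObjectManager module already used on this page: take a security descriptor from the object manager namespace, take a token, and ask which rights the DACL grants. This is an added example, not part of the original notes; it assumes the module is installed and that the Get-NtSecurityDescriptor, Get-NtToken, Get-NtGrantedAccess and Get-NtFilteredToken cmdlets behave as described in the comments.

```powershell
# Added example: emulate the SRM's access check (security descriptor vs. token)
# for the \BaseNamedObjects directory. Assumes Import-Module NtObjectManager works.
Import-Module NtObjectManager

# 1. The resource: fetch the security descriptor of the shared BNO directory
#    through the object manager namespace and print its owner and DACL.
$dir = Get-NtDirectory -Path '\BaseNamedObjects'
$sd  = Get-NtSecurityDescriptor -Object $dir
$dir | Format-NtSecurityDescriptor

# 2. The subject: the primary token of the current process.
$token = Get-NtToken -Primary

# 3. The check: the access the DACL grants to this token on a Directory object
#    (with no -Access given the cmdlet reports the maximum allowed access).
$granted = Get-NtGrantedAccess -SecurityDescriptor $sd -Type Directory -Token $token
"Granted to current token: $granted"

# 4. The same check with a LUA-filtered copy of the token, where administrative
#    SIDs are marked deny-only; the result shows which rights depend on them.
$lua = Get-NtFilteredToken -Token $token -Flags LuaToken
$grantedLua = Get-NtGrantedAccess -SecurityDescriptor $sd -Type Directory -Token $lua
"Granted to LUA-filtered token: $grantedLua"

$lua.Dispose(); $token.Dispose(); $dir.Dispose()
```

Running the two checks side by side shows why a weak DACL on a shared object matters: any token that reaches the directory with write or create rights can place named objects there that other users will open by name.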

Drivers

Device drivers run in the same privilege level as the kernel itself.

See also

ntoskrnl.exe
kd.exe is the Windows Kernel Debugger.
ntdll.dll provides the native API to the kernel.
kernel objects
Kernel Patch Protection
