Windows Kernel Objects
The Windows kernel abstracts the resources it manages into so-called kernel objects.
All requests related to such objects are ultimately handled by the NT Object Manager.
The NT Object Manager organizes the kernel objects in a hierarchical structure similar to a file system.
A process refers to an opened kernel object through a handle: the handle is an index into the process's handle table, and the object itself is never exposed to user mode.
Kernel objects (as listed in the Win32 documentation on handles and objects) include
- Access tokens
- Change notification
- Communication device
- Console input
- Console screen buffer
- Desktop
- Device objects
- Event log
- Heap
- File objects
- File mapping
- Find file
- Job (a job object groups one or more processes so that limits and accounting apply to them as a unit)
- Mailslot
- Module
- Mutex
- Pipe
- Semaphore
- Socket
- Symbolic links
- Registry keys
- Processes and threads
- Timer
- Timer queue
- Timer-queue timer
- Kernel dispatcher objects (objects a thread can wait on: event, mutex, semaphore and waitable timer objects, as well as process and thread objects)
- Update resource
- Callback objects
- Section objects (the kernel's name for file mappings)
- Window station
Note that some entries in this list (heap, module, find file, timer queue, timer-queue timer, update resource) are Win32 handle types implemented in user-mode libraries; they are not object types known to the Object Manager and do not appear in its namespace.
These objects are grouped into
object types, for example:
- executive objects (processes and threads)
- file system objects
- others (registry keys, devices)
The kernel-mode environment stores kernel objects in a tree-like virtual directory system referred to as the object namespace.
Security
Kernel objects can be assigned a security descriptor.
Its DACL restricts which users may access the object and what type of access they get; the kernel checks it when a handle is opened, not on every use, and records the access granted at open time in the handle.
The other two main categories of objects, GDI objects and user-interface (User) objects, have no security descriptor.
Misc
While in Unix everything is a file, in Windows everything seems to be an object.
See also
The object namespace can be browsed with the Sysinternals tool WinObj.
Alternatively, the PowerShell module NtObjectManager can list these objects (and their security descriptors) from a shell.
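As an added example (not part of the original notes, and not code from the WinObj or NtObjectManager projects), the following PowerShell walks the object namespace, reads the security descriptors that the Security section above says kernel objects carry, and lists the handles of the current process. Cmdlet names are those of the NtObjectManager module; the property names on the entries returned by Query() and by Get-NtHandle (Name, NtTypeName, ObjectType, GrantedAccess) are assumptions taken from that module's documentation.

```powershell
# Added example for these notes, not code from Sysinternals or the NtObjectManager
# project. Assumes the module is installed (Install-Module NtObjectManager) and that
# the shell can open the directories it touches; many of them (\BaseNamedObjects,
# \Device, \KnownDlls) are readable by a standard user.
Import-Module NtObjectManager

# 1. Object types the Object Manager knows about (Directory, SymbolicLink, Event,
#    Section, Process, Thread, Key, ...). Heap, module or find-file handles are
#    Win32 constructs and do not show up here.
Get-NtType | Sort-Object Name | Select-Object Name, Index | Format-Table -AutoSize

# 2. Walk the namespace the way WinObj does. Get-NtDirectory opens a Directory
#    object; Query() enumerates its entries. The property names Name and
#    NtTypeName on those entries are assumed from the module's documentation.
function Show-NtNamespace {
    param(
        [string]$Path = '\',
        [int]$Depth = 0,
        [int]$MaxDepth = 1
    )
    $dir = Get-NtDirectory -Path $Path
    try {
        foreach ($entry in ($dir.Query() | Sort-Object Name)) {
            '{0}{1,-14} {2}' -f ('  ' * $Depth), $entry.NtTypeName, $entry.Name
            if ($entry.NtTypeName -eq 'Directory' -and $Depth -lt $MaxDepth) {
                $child = if ($Path -eq '\') { "\$($entry.Name)" } else { "$Path\$($entry.Name)" }
                try {
                    Show-NtNamespace -Path $child -Depth ($Depth + 1) -MaxDepth $MaxDepth
                } catch {
                    # Opening a directory is itself an access check against its
                    # security descriptor; a denied open is reported here.
                    '{0}  <cannot open {1}: {2}>' -f ('  ' * $Depth), $child, $_.Exception.Message
                }
            }
        }
    } finally {
        $dir.Dispose()
    }
}
Show-NtNamespace -Path '\' -MaxDepth 1

# 3. Security descriptors. Every kernel object carries one; compare the root
#    directory with the global BaseNamedObjects directory, where any logged-on
#    user may create named events, mutexes and sections.
foreach ($p in '\', '\BaseNamedObjects') {
    "`n== $p =="
    $sd = Get-NtSecurityDescriptor -Path $p -TypeName Directory
    Format-NtSecurityDescriptor -SecurityDescriptor $sd -Summary
}

# 4. Handles. A user-mode process never touches an object directly; it holds a
#    handle whose handle-table entry records the object and the access granted
#    when it was opened.
Get-NtHandle -ProcessId $PID |
    Where-Object { $_.ObjectType -in 'Directory', 'Event', 'Section', 'Key' } |
    Select-Object Handle, ObjectType, GrantedAccess, Name |
    Format-Table -AutoSize
```

Running step 3 as a standard user and then as an administrator makes the point of the Security section concrete: the DACL on \BaseNamedObjects grants Everyone the right to add objects, while the root directory only lets ordinary users query and traverse it, which is why a denied open in step 2 surfaces as an exception rather than an empty listing.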