Windows Kernel Objects
The Windows kernel abstracts the resources it manages into so-called kernel objects.
All requests related to such objects are ultimately handled by the NT Object Manager.
The NT Object Manager organizes the kernel objects in a hierarchical structure similar to a file system.
User-mode code never touches a kernel object directly: after creating or opening an object, it receives a handle (an index into the process's handle table) and refers to the object through that handle from then on. The access check happens at open time, and the granted access rights are stored with the handle.
Kernel objects include
- Access tokens
- Change notification
- Communications device
- Console input
- Console screen buffer
- Desktop
- Device objects
- Event log
- Heap
- File objects
- File mapping
- Find file
- Job (a job object groups a set of processes so that they can be managed and constrained, e.g. memory or CPU limits, as a unit)
- Mailslot
- Module
- Mutex
- Pipe
- Semaphore
- Socket
- Symbolic links
- Registry keys
- Processes and threads
- Timer
- Timer queue
- Timer-queue timer
- Kernel dispatcher objects (event, mutex, semaphore and timer objects, plus process and thread objects; anything a thread can wait on)
- Update resource
- Callback objects (an Object Manager type; the names listed in WinObj's ObjectTypes directory include Callback)
- Section objects (the native name for what the Win32 API calls a file mapping)
- Window station
These objects are divided into object types. Each object type (Process, Thread, File, Key, Device, Section, ...) defines the layout of its objects and the access rights that apply to them; the registered types can be seen in the ObjectTypes directory of the object namespace. A coarse grouping:
- executive objects (processes and threads)
- file system objects (files)
- others (registry keys, devices)
The kernel-mode environment stores kernel objects in a tree-like virtual directory system referred to as the object namespace (root \, with directories such as \BaseNamedObjects, \Device, \ObjectTypes and per-session \Sessions\N\BaseNamedObjects).
Misc
Kernel objects are securable (each carries a security descriptor that is checked when the object is opened), while the other two main categories of
objects, GDI objects and User objects (windows, menus, ...), are not.
See also
The object namespace can be browsed with the Sysinternals tool
WinObj.
Alternatively, there is the PowerShell module
NtObjectManager, which allows these objects to be listed, opened and inspected.
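Added example (not part of the original notes): a short NtObjectManager session that ties the points above together, namely listing the registered object types, walking the object namespace the way WinObj does, and dumping the security descriptor of a directory object to show that kernel objects are securable. It assumes the module is installed from the PowerShell Gallery; the cmdlet and property names are as recalled from the module and should be checked with Get-Command -Module NtObjectManager and Get-Member before relying on them.

```powershell
# Added example, not code from the original notes or from the NtObjectManager project.
# Assumes: Install-Module NtObjectManager -Scope CurrentUser has been run.
Import-Module NtObjectManager

# 1. Object types: every kernel object belongs to exactly one of these
#    (Process, Thread, File, Key, Section, Device, Directory, ...).
Get-NtType | Sort-Object Name | Select-Object -ExpandProperty Name

# 2. The root of the object namespace, as WinObj shows it (the module exposes it
#    as an NtObject: drive).
Get-ChildItem NtObject:\

# 3. Open the \BaseNamedObjects directory, where named events, mutexes and
#    sections of the session-0 namespace live, and count its entries per type.
#    Query() is assumed to return entries with Name and NtTypeName properties.
$dir = Get-NtDirectory -Path '\BaseNamedObjects'
$dir.Query() |
    Group-Object NtTypeName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Kernel objects are securable: print the directory's security descriptor.
#    The DACL shows which principals may create (ADD_OBJECT) or list (QUERY)
#    objects here, which matters for name-squatting attacks on shared objects.
$dir | Format-NtSecurityDescriptor

# 5. The handle side of the picture: handles the current process holds.
#    Each row pairs a handle value with the object type it refers to.
Get-NtHandle -ProcessId $PID |
    Group-Object ObjectType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Always close what you open; the object lives on as long as any handle
# or kernel reference to it remains.
$dir.Close()
```

Running the script elevated versus as a standard user is a useful exercise: the type list and namespace root look the same, but the per-session \Sessions\N\BaseNamedObjects directory and the ACEs in step 4 differ, which is exactly the securability the notes above contrast with GDI and User objects.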