User Mode vs Kernel Mode: Privilege Rings and the Boundary
Objective: Understand the architectural separation between user mode (Ring 3) and kernel mode (Ring 0) on Windows — how Intel hardware enforces it, how the Windows OS layers process isolation and the system call dispatch path on top, and why this boundary is the central battleground for rootkits, EDR, and modern kernel hardening.
1. Why Rings Exist — The Hardware Contract
Intel x86/x64 CPUs define four hardware privilege levels — called rings — numbered 0 (most privileged) through 3 (least privileged). The currently executing privilege level is encoded in the low two bits of the CS segment register and is referred to as the Current Privilege Level (CPL). Every memory access, every instruction fetch, and every attempt at a privileged instruction is checked against this value by the CPU itself, before any OS code runs.
Windows collapses Intel’s four rings into two:
| Feature | User Mode | Kernel Mode |
|---|---|---|
| Ring / CPL | Ring 3 (CPL = 3) | Ring 0 (CPL = 0) |
| Memory access | User VA only | Full kernel + user VA |
| Privileged instructions | Faults with #GP | Allowed |
| Address space isolation | Per-process private | Single shared VA across all drivers |
| Crash blast radius | Process termination | Bug check (BSOD) |
| Entry mechanism | Native execution | SYSCALL / interrupt / exception |
Rings 1 and 2 exist in hardware but are unused by Windows — using only Ring 0 and Ring 3 maps cleanly to the “supervisor vs. user” model and is portable to architectures (ARM64, older RISC) that don’t expose intermediate levels. The instant Ring 3 code attempts to execute LGDT, LIDT, RDMSR, WRMSR, HLT, CLI, STI, or any I/O instruction outside its IOPB, the CPU raises a General Protection Fault (#GP) and the kernel terminates the offending thread.
This single hardware guarantee — CPL is checked by silicon, not software — is what makes the user/kernel boundary trustworthy in the first place.
2. User Mode: The Sandboxed World
When Windows launches an application, it creates a process with its own private virtual address space, its own handle table, and a security token. On x64, the user-mode half of the address space spans 0x0000000000000000 – 0x00007FFFFFFFFFFF (128 TB). Anything above that canonical boundary is kernel territory and is unmapped from user mode page tables (especially under KVA Shadow).
User-mode code can:
- Allocate memory in its own VA via
VirtualAlloc. - Open handles to kernel objects through documented APIs.
- Spawn threads and processes via the Win32 subsystem (
csrss.exe).
User-mode code cannot:
- Read or write another process’s memory without explicit handle access.
- Touch kernel VA, modify page tables, or read MSRs directly.
- Service interrupts, install drivers, or hook the IDT/GDT.
Every meaningful operation that touches hardware, files, networking, or kernel objects must therefore traverse the user/kernel boundary through a system call.
3. Kernel Mode: The Shared Kingdom
In contrast to user mode’s per-process isolation, all kernel-mode code shares a single virtual address space. ntoskrnl.exe, the HAL, file system drivers, network stack drivers, and every third-party driver loaded on the system all coexist in the same address space, on the same privilege level, with no memory protection between them.
| Region | Purpose |
|---|---|
| Non-paged pool | Kernel allocations that must remain resident (DPC/ISR code, kernel objects) |
| Paged pool | Kernel allocations that can be paged out |
| System PTE region | Kernel-managed page table entries for I/O mapping |
| HAL / driver image range | Loaded driver .text/.data sections |
A buggy driver writing to the wrong pointer can corrupt another driver’s structures or the kernel’s own state. A crash in any kernel component triggers a bug check (BSOD) because, unlike user mode, there is no isolation boundary to contain the damage. This is also exactly why attackers want Ring 0: once executing in kernel mode, malicious code has the same authority over the OS as the OS itself.
4. Crossing the Boundary — The SYSCALL Path
Every Win32 API that touches the kernel eventually reaches an ntdll.dll stub. On x64 those stubs all have the same shape:
; ntdll!NtReadFile (representative)
mov r10, rcx ; preserve arg1 (RCX is clobbered by SYSCALL)
mov eax, 0x06 ; syscall number (build-specific; illustrative)
syscall ; user -> kernel transition
retThe SYSCALL instruction is the choreography of the boundary crossing. The CPU performs all of the following atomically:
| Step | CPU action |
|---|---|
| 1 | Saves user RIP into RCX |
| 2 | Saves user RFLAGS into R11 |
| 3 | Masks RFLAGS per IA32_FMASK (MSR 0xC0000084) — clears IF so interrupts are off at kernel entry |
| 4 | Loads new CS/SS selectors from IA32_STAR (MSR 0xC0000081) |
| 5 | Loads RIP from IA32_LSTAR (MSR 0xC0000082) — points to nt!KiSystemCall64 |
| 6 | Transitions CPL from 3 to 0 |
From here, control is in Windows. The kernel-side dispatch chain is:
| Function | Role |
|---|---|
nt!KiSystemCall64 | Entry point loaded from IA32_LSTAR. Executes swapgs to swap user GS for kernel GS, switches to the kernel stack, allocates and populates a _KTRAP_FRAME with the saved user-mode register state. With KVA Shadow (KPTI) enabled, the variant KiSystemCall64Shadow is used to swap page tables first. |
nt!KiSystemServiceUser | Locates the current _KTHREAD via GS:[0x188] and sets KTHREAD.PreviousMode = UserMode (1) so the kernel knows arguments came from Ring 3 and must be probed. |
nt!KiSystemServiceStart | Splits the syscall number in EAX into a table identifier (high bits) and a service index (low bits). |
nt!KiSystemServiceRepeat | Selects KeServiceDescriptorTable (Nt* executive calls) or KeServiceDescriptorTableShadow (Win32k GUI calls), validates the argument count, and dispatches. |
Service routine (e.g. nt!NtReadFile) | Validates user pointers (ProbeForRead / ProbeForWrite) and performs the work. |
SYSRET | Restores RIP from RCX, RFLAGS from R11, transitions CPL from 0 back to 3, and the caller returns from ntdll. |
The key takeaway for defenders: every user-mode action eventually appears in EAX as a syscall number — and EDR products that hook only in user space (in ntdll) can be bypassed by re-implementing this exact stub in attacker code (direct/indirect syscalls).
5. The SSDT — Routing Calls Inside the Kernel
The System Service Descriptor Table (SSDT) is the array of function pointers that turns EAX into a kernel routine address.
| Symbol | Description |
|---|---|
KeServiceDescriptorTable | Exported; primary SSDT for Nt* executive system calls |
KeServiceDescriptorTableShadow | Not exported; adds the Win32k.sys GUI calls used by threads with a Win32 subsystem context |
ServiceTable | Field inside each descriptor — pointer to an array of encoded function offsets (on x64 these are relative offsets right-shifted by 4) |
NumberOfServices | Count of valid entries |
Patching SSDT entries to redirect kernel calls was the classic 32-bit rootkit technique (and the canonical kernel hook for early HIPS products). On x64, PatchGuard (KPP) periodically verifies the SSDT and several other critical structures; modification triggers Bug Check 0x109 — CRITICAL_STRUCTURE_CORRUPTION.
6. Key Kernel Structures at the Boundary
The kernel maintains per-CPU and per-thread state that defenders inspect to understand mode transitions.
// Conceptual layout — verify offsets against your build's symbols.
typedef struct _KPCR {
// ...
struct _KPRCB Prcb; // at +0x180 on x64; embedded
} KPCR, *PKPCR;
typedef struct _KPRCB {
// ...
struct _KTHREAD *CurrentThread; // GS:[0x188] in kernel mode
} KPRCB, *PKPRCB;
typedef struct _KTHREAD {
// ...
UCHAR PreviousMode; // 0 = KernelMode, 1 = UserMode
PKTRAP_FRAME TrapFrame; // saved register state from SYSCALL
} KTHREAD, *PKTHREAD;PreviousMode is one of the most consequential bytes in the system: kernel routines branch on it to decide whether to probe and capture caller-supplied pointers (user mode) or trust them directly (kernel mode). Bugs in that check have been the root cause of multiple Windows LPE CVEs.
Inspect any of these live in WinDbg on a kernel debug target:
0: kd> rdmsr 0xC0000082 ; IA32_LSTAR -> KiSystemCall64
0: kd> dg cs ; show CS selector + CPL
0: kd> dt nt!_KPCR @$pcr
0: kd> dt nt!_KTHREAD @$thread PreviousMode TrapFrame
0: kd> dt nt!_KTRAP_FRAME @$thread->TrapFrame
0: kd> dps KeServiceDescriptorTable L47. Hardening the Boundary
Microsoft has spent two decades hardening the user/kernel boundary in layers. Each mechanism closes a class of attacks against Ring 0.
| Mechanism | What it enforces |
|---|---|
| PatchGuard (KPP) | Periodic integrity checks on SSDT, IDT, GDT, KPCR, MSRs, and kernel code sections. Tampering triggers Bug Check 0x109. |
| Driver Signature Enforcement (DSE) | All kernel drivers must be signed. Enforced by ci.dll. Disabling DSE (bcdedit /set testsigning on) is a strong adversary indicator. |
| Secure Boot | UEFI-rooted trust chain prevents unsigned bootloaders/drivers from loading before Windows starts. |
| HVCI (Memory Integrity) | A VTL1 hypervisor enforces W^X on kernel pages — unsigned code cannot execute even from Ring 0. |
| KVA Shadow (KPTI) | User page tables contain only minimal kernel mappings; full mapping is installed only while CPL = 0. Mitigates Meltdown-class speculative leaks. |
| Microsoft Vulnerable Driver Blocklist | Maintained list of known-abused drivers; enforced by HVCI/CI. |
Together these turn Ring 0 from “anything goes once you’re in” into a far more constrained environment — and explain why modern attackers gravitate toward Bring Your Own Vulnerable Driver (BYOVD) as their cleanest path to kernel code execution.
8. Common Attacker Techniques
The boundary is a target precisely because Ring 0 sits underneath every defensive product. Attackers care about three categories of abuse:
| Technique | Description |
|---|---|
| Direct / indirect syscalls | Rebuild the ntdll stub (mov r10, rcx; mov eax, <N>; syscall) inside the implant to bypass user-mode hooks placed by EDR. |
| BYOVD | Load a legitimately signed but vulnerable driver, then exploit it to gain arbitrary Ring 0 read/write — used to disable EDR, blank tokens, or clear callbacks. |
| Kernel exploitation (LPE) | Exploit a kernel vulnerability (write-what-where, type confusion, double-fetch on user pointers when PreviousMode == UserMode) to escalate Ring 3 → Ring 0. |
| SSDT hooking (legacy) | Patch entries in KeServiceDescriptorTable to intercept syscalls — blocked on x64 by PatchGuard but still relevant for 32-bit forensics. |
| DKOM (Direct Kernel Object Manipulation) | Unlink _EPROCESS entries from ActiveProcessLinks to hide processes; clear PsActiveProcessHead linkages. |
| Callback removal | Walk PsSetCreateProcessNotifyRoutine / PsSetLoadImageNotifyRoutine arrays and null EDR callbacks. |
PreviousMode overwrite | Set KTHREAD.PreviousMode = KernelMode (0) to make subsequent Nt* calls skip user-pointer validation. |
9. Defensive Strategies & Detection
The fact that all roads cross the boundary is a defender’s leverage: even attackers using direct syscalls leave telemetry at driver load, privilege use, and kernel object access layers.
Sysmon coverage
| Event ID | Name | Relevance |
|---|---|---|
1 | Process Create | Parent/child + command line; catches bcdedit, sc.exe create … type= kernel |
6 | Driver Loaded | Fires on every kernel driver load; fields include ImageLoaded, Hashes, Signed, Signature — primary BYOVD signal |
7 | Image Loaded | DLL loads; detect ntdll.dll loaded from non-standard paths |
10 | Process Access | Cross-process handle opens with sensitive GrantedAccess masks (precursor to injection) |
255 | Sysmon Error | Tampering with the Sysmon kernel driver may surface here |
Windows audit policies
| Policy | Event IDs | Detects |
|---|---|---|
Audit Sensitive Privilege Use | 4673 | Use of SeLoadDriverPrivilege — required to load any kernel driver |
Audit Security System Extension | 4697, 7045 | New service / kernel driver installed |
Audit Kernel Object | 4656, 4663 | Access to kernel objects via SACL-tagged handles |
Audit Policy Change | 4719 | Audit-policy tampering (a common pre-attack step) |
High-value ETW providers
Microsoft-Windows-Kernel-Process— process/thread/image events at the kernel boundary.Microsoft-Windows-Kernel-File/Microsoft-Windows-Kernel-Registry— kernel-side file and registry ops, useful for catching driver-stage persistence.Microsoft-Windows-Threat-Intelligence(ETWTI) — emits high-fidelity events forReadProcessMemory,WriteProcessMemory,MapViewOfSection,QueueUserApc. Consumption requires a PPL or kernel consumer; verify provider availability on your build withlogman query providers.
Sigma — BYOVD pattern
title: Suspicious Kernel Driver Load - BYOVD Pattern
logsource:
product: windows
category: driver_load
detection:
selection:
EventID: 6
Signed: 'false'
filter_legit_path:
ImageLoaded|startswith:
- 'C:\Windows\System32\drivers\'
- 'C:\Windows\SysWOW64\drivers\'
condition: selection and not filter_legit_path
fields:
- ImageLoaded
- Hashes
- Signature
- SignatureStatus
level: highSigma — SeLoadDriverPrivilege exercised by non-system principal
title: SeLoadDriverPrivilege Use by Non-System Account
logsource:
product: windows
service: security
detection:
selection:
EventID: 4673
PrivilegeList|contains: 'SeLoadDriverPrivilege'
filter_machine_accounts:
SubjectUserName|endswith: '$'
condition: selection and not filter_machine_accounts
level: mediumHardening checklist
- Enable HVCI / Memory Integrity (
HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard). - Enable Secure Boot in UEFI.
- Apply the Microsoft Vulnerable Driver Blocklist (HVCI-enforced).
- Verify Meltdown mitigations / KVA Shadow via
Get-SpeculationControlSettings. - Alert on
bcdedit /set testsigning onand on driver loads whereSigned=falseor hashes matchloldrivers.io. - Enable Kernel DMA Protection for laptops with Thunderbolt/USB4.
- Limit
SeLoadDriverPrivilegeassignment and monitor every use via Event4673.
10. Tools for Boundary Analysis
| Tool | Description | Link |
|---|---|---|
| WinDbg | Kernel debugger; inspect _KPCR, _KTHREAD, _KTRAP_FRAME, MSRs, SSDT | aka.ms/windbg |
| Sysmon | Process/driver/handle telemetry — EIDs 1/6/7/10 | sysinternals.com |
| Process Hacker | View loaded drivers, handles, tokens, KPP-safe inspection | processhacker.sourceforge.io |
| Process Monitor | File/registry/thread activity at the boundary | sysinternals.com |
| Volatility 3 | Memory forensics; walk _EPROCESS, hidden processes via DKOM | volatilityfoundation.org |
| DriverView / DriverQuery | Enumerate loaded kernel drivers and signing state | nirsoft.net |
ETW / logman | Enumerate and capture kernel-mode ETW providers | built-in |
| loldrivers.io | Catalog of known-vulnerable signed drivers | loldrivers.io |
11. MITRE ATT&CK Mapping
| Technique | MITRE ID | Detection |
|---|---|---|
| Rootkit | T1014 | Volatility scans for unlinked _EPROCESS; PatchGuard bug checks 0x109 |
| Process Injection | T1055 | Sysmon EID 8/10; ETWTI WriteProcessMemory / QueueUserApc |
| Exploitation for Privilege Escalation | T1068 | Bug check telemetry, unusual PreviousMode transitions, EDR kernel callbacks |
| Create or Modify System Process: Service | T1543.003 | Security EID 4697, System EID 7045, Sysmon EID 6 |
| Impair Defenses | T1562.001 | Driver loads correlated with subsequent loss of EDR telemetry; EID 4673 with SeLoadDriverPrivilege |
| Exploitation for Defense Evasion (BYOVD) | T1211 | Sysmon EID 6 with unsigned driver or known-vulnerable hash; loldrivers.io match |
Summary
- The user/kernel boundary is enforced by silicon —
CPLinCS— not by software, which is what makes it trustworthy. - Windows uses only Ring 0 and Ring 3; user mode runs in a per-process private VA, kernel mode runs in a single shared VA where any bug is a BSOD.
- Every user→kernel transition flows through
SYSCALL→IA32_LSTAR→KiSystemCall64→ SSDT dispatch, leavingEAXandKTHREAD.PreviousModeas the canonical fingerprints. - Modern hardening — PatchGuard, DSE, HVCI, KVA Shadow, and the vulnerable driver blocklist — has pushed attackers toward BYOVD and direct syscalls.
- Defenders watch the boundary through Sysmon EID 6, Security EID 4673 (
SeLoadDriverPrivilege), ETWTI, and kernel-callback EDR telemetry — every Ring 0 attack eventually touches one of them.
Related Tutorials
- System Calls and SSDT: How User Mode Reaches the Kernel
- Fibers: User-Mode Cooperative Threads
- Access Tokens and Privileges: The Kernel’s Security Context
- HAL and Ntoskrnl: The Kernel Core Components
- SIDs and Security Descriptors: Identity in Windows Security
References
- User Mode and Kernel Mode – Windows Drivers | Microsoft Learn
- Kernel-Mode Driver Architecture Design Guide – Windows Drivers | Microsoft Learn
- Exploitation for Privilege Escalation, Technique T1068 – Enterprise | MITRE ATT&CK®
- Privilege Escalation, Tactic TA0004 – Enterprise | MITRE ATT&CK®
- CPU Rings, Privilege, and Protection | Many But Finite (Gustavo Duarte)