The Windows subsystem follows a multi-layer architecture. It is vast and involves many software components. Let's look at these components one by one. We run an application from the Windows desktop or from a DOS terminal. The application ships as an EXE and runs at the top level of the subsystem.

The application executable depends directly on libraries. An application written in C/VC++ depends directly on the Microsoft Visual C++ runtime library (msvcrtxx.dll). The application can call the Windows subsystem Win32 API functions itself, and MSVCRT also calls these APIs at the lower layer.

Windows Subsystem

Windows Subsystem at a glance

  • Application: Application .EXE
  • C language runtime: msvcrt.dll
  • Win32 DLLs: Kernel32.dll, User32.dll, Gdi32.dll ....
  • System DLL: Ntdll.dll, kernelbase.dll
  • Windows OS: NtOsKrnl.EXE + hal.dll + Device drivers
  • Hardware

DLL stands for Dynamic Link Library, which is a file that contains code and data that can be used by more than one program at the same time. DLLs are a way of implementing shared libraries in Windows operating systems, which means that they can provide common functionality for different applications, such as dialog boxes, file operations, device drivers, etc. DLLs can also be updated individually without affecting the whole program.

DLLs are similar to EXEs in that they are based on the Portable Executable (PE) file format, but they are not directly executable. Instead, they are loaded into memory by an EXE or another DLL when they are needed. A program can use the Win32 API functions LoadLibrary and GetProcAddress to load a DLL and access its functions or resources. Alternatively, a program can use an import library (.lib) file to link to a DLL at compile time.
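The difference between an EXE and a DLL is recorded in the PE headers themselves, which is what a loader or a triage script checks first. The following is an added example, not code from the original article: it reads the COFF Characteristics flags and the optional-header Subsystem field (GUI or console). The function names and the sample header bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # image can be run (set for EXEs and DLLs)
IMAGE_FILE_DLL = 0x2000                # image is a DLL, loaded by another module
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}

def classify_pe(data: bytes) -> dict:
    """Read the DOS, COFF and optional headers and report what the image is."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # 20-byte COFF file header
    opt = coff + 20                                         # optional header follows it
    if opt + 70 > len(data):
        raise ValueError("truncated headers")
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 70:
        raise ValueError("optional header too small")
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    if chars & IMAGE_FILE_DLL:
        kind = "DLL"
    elif chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        kind = "EXE"
    else:
        kind = "other"
    return {"kind": kind,
            "machine": MACHINES.get(machine, hex(machine)),
            "format": FORMATS.get(magic, hex(magic)),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))}

def make_sample(characteristics: int, subsystem: int) -> bytes:
    """Constructed sample: x64 headers only, not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, characteristics)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(classify_pe(make_sample(0x0022, 2)))   # constructed GUI executable
    print(classify_pe(make_sample(0x2022, 3)))   # constructed DLL
```

To inspect a real file, pass its first few kilobytes, for example `classify_pe(open(path, "rb").read(4096))`.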

There are many types of DLLs in Windows operating systems, each providing different functionality for various applications and scenarios. Some of the basic DLLs present in Windows and their functionality are:

  • User32.dll: This DLL provides user interface components, such as windows, menus, controls, messages, etc. It handles the interaction between the user and the program.
  • Kernel32.dll: This DLL provides core functionality of the Windows operating system, such as memory management, process and thread creation, synchronization, file and device I/O, etc. It is the base of the Windows API and is used by almost every program.
  • Gdi32.dll: This DLL provides graphics device interface (GDI) functions for outputting graphics to monitors and printers. It handles drawing operations such as lines, shapes, fonts, colors, etc.
  • Advapi32.dll: This DLL provides advanced API functions for security, registry access, service management, etc. It handles tasks such as authentication, encryption, access control, event logging, etc.
  • Shell32.dll: This DLL provides shell functionality, such as file operations, icons, context menus, etc. It handles tasks such as copying, moving, deleting files and folders; displaying icons and thumbnails; creating shortcuts; launching programs; etc.
  • Ole32.dll: This DLL provides object linking and embedding (OLE) functionality for creating and manipulating compound documents. It handles tasks such as embedding objects from other applications; activating objects; transferring data between objects; etc.
  • Ws2_32.dll: This DLL provides Windows sockets API functions for network communication. It handles tasks such as creating and closing sockets; sending and receiving data; resolving host names; etc.
  • Comdlg32.dll: This DLL performs common dialog box related functions, such as open, save, print, etc. It allows programs to use standard Windows dialogs for user input and output.

Application and Windows component DLLs are part of the user-mode layer, which ends at ntdll.dll. This DLL implements the lowest-level system call interface for Windows. Ntdll.dll and kernelbase.dll are called system DLLs, and they interface directly with the Windows kernel. Below this layer the CPU switches context and execution enters the Windows kernel-mode layers.

The Windows kernel, the ntoskrnl.exe binary, is the lowest level of the Windows OS. This part of the execution happens in kernel mode. The kernel talks to the device driver components and, further down, to the Hardware Abstraction Layer (HAL) DLL to reach the hardware components.

About our authors: Team EQA
