Obscure Windows System Files and Why You Should Know About Them
The Windows operating system is made up of a large assortment of files and programs. Some of these run all the time, while others are called by the operating system only occasionally.
Nearly all of the core Windows operating system files are stored in the folders C:\Windows\System and C:\Windows\System32 (on your computer, the drive letter could be different). The Windows folder itself also holds a number of essential files.
All of the programs that are installed on your computer typically have executable and related files stored in C:\Program Files or C:\Program Files (x86).
In general, you never want to modify, delete, or move any of the Windows system files that are located in any of these directories. However, there are a few files that are core to the function of the operating system. If these files get deleted or otherwise corrupted, you’ll need to restore your Windows operating system.
Ntoskrnl.exe
This executable is the kernel image. This means it’s essentially the core code (the executive) that makes the operating system work properly.
This code handles management of hardware, system processes, and memory management. It’s also the code that schedules what applications have access to the system processor and how much memory (and memory addresses) they’re allocated to use.
This executable shows up in Task Manager with the name System and Registry. It is a heavily protected file, so it’s difficult for any application like malware to corrupt or delete the file.
In older versions of Windows, if you opened up a large number of applications, Ntoskrnl.exe would start consuming a large amount of memory. Starting with Windows 10, Ntoskrnl.exe now compresses unused pages rather than storing them to memory. This reduces memory consumption, but can increase CPU usage if you run a lot of applications at once.
Ntkrnlpa.exe
This process is a core software component of the Microsoft Windows kernel and system code. The name stands for New Technology Kernel Process Allocator. Alongside Ntoskrnl.exe, it controls scheduling and memory management.
It also prevents non-core applications and services from accessing the core areas of the operating system, which keeps the OS safely running in a protected area of system memory.
Since Ntkrnlpa.exe is responsible for blocking applications from accessing protected system memory, many users often think it’s Ntkrnlpa.exe that’s causing a Windows system failure. This is because Ntkrnlpa.exe is the process that returns the error.
Usually the cause of this is actually some form of malware attempting to access protected system memory, kicking off the Ntkrnlpa.exe errors.
Hal.dll
Another core file related to the system kernel and core system is Hal.dll. The name of this DLL file stands for Hardware Abstraction Layer.
This file contains core code that allows applications to interact with computer hardware using simple program functions rather than complicated machine code.
Aptly named, it abstracts away the details of communicating with and controlling computer hardware.
This executable runs inside RAM memory and is located in the System32 directory.
Hal.dll typically doesn’t cause any issues with the computer, but some malware applications attempt to cloak their executables by giving them the same name. You can identify such a file as a counterfeit when it’s located in a folder other than System32.
Never stop the Hal.dll task as this will make your system non-functional and could force you to have to restore the Windows operating system.
Win32k.sys
This file is what’s known as the Multi-User Win32 driver file, originally released as part of the Windows XP operating system. It’s been upgraded through each new Windows release, including Windows 10.
It’s a graphics driver interface that manages sending graphics to monitors and other output devices. The code is executed by gdi32.dll on Windows 10.
Unfortunately, because Win32k.sys has been such a long-time core piece of the Windows operating system, and because it resides in a folder (Program Files) that isn’t usually as well protected as the System32 folder, malware often targets this file for corruption.
Additionally, it’s also a common name chosen by malware for its own files, so that users don’t suspect the file as part of a computer infection.
Ntdll.dll
This file is located in the System and System32 system directories. The description of the file is NT Layer DLL. It’s essentially a DLL file that contains core NT kernel functions.
This means it contains the machine code that allows the core operating system to function properly. The core kernel program accesses functions contained by Ntdll.dll, and this file processes those machine level functions.
If you see any error messages coming from the Ntdll.dll process, this is usually caused by either a corrupt Ntdll.dll file, or hardware problems on your computer that are causing the process to crash.
Reinstalling the hardware driver causing the error usually resolves it. If the issue is a corrupt Ntdll.dll file, antivirus software is capable of repairing the issue. If it can’t, a Windows restore may be required.
Kernel32.dll
This DLL file is another part of the Windows operating system kernel. It manages memory, including memory interrupts. It also manages all input and output operations.
Kernel32.dll is another file that gets loaded into protected memory space where regular user applications can’t operate.
If you ever see an error related to Kernel32.dll, it’s usually due to either malware or corrupt hardware drivers (or faulty hardware) attempting to write to the protected memory where Kernel32.dll resides. Usually reinstalling hardware drivers or new hardware resolves these errors.
Advapi32.dll
This DLL file is another core component of the Windows operating system. Its name stands for Advanced Application Programming Interface, or Advanced API. It handles system security calls and calls against the system registry.
This DLL manages starting and shutting down Windows, the Windows registry, user accounts and account security, and Windows services.
While this file isn’t required for Windows to boot properly, it is required for the proper operation of most applications and hardware. If this Windows system file is deleted or corrupted, any application API calls to access the system registry or security will fail and you’ll see a number of error messages.
User32.dll
Another core DLL, this Windows system file contains most of the core Windows API for user applications to communicate with the operating system. It handles most of the native windows and controls that are displayed by Windows applications.
Any application that has a graphical user interface typically uses components offered by the User32.dll file.
However, in most cases, Windows applications utilize libraries built into the Windows .NET framework, which in turn manages communication with the User32.dll.
In either case, the User32.dll translates common, easy-to-understand application code into the machine level commands that are required by the Windows operating system.
Gdi32.dll
Much like User32.dll, Gdi32.dll contains functions that allow applications to create graphical user interfaces on the monitor.
Gdi32.dll contains functions that let applications create 2-dimensional objects on the screen. It accepts code either from a Windows application or service and executes the required machine code to display the visual objects on the monitor.
While a Windows operating system may boot even when this DLL is corrupt or deleted, the operating system display won’t work properly.
Other Important Windows System Files
While those are the core Windows system files and executables required for the proper functioning of the Windows operating system, there are a few additional files required for non-critical functions of the computer system to work properly.
- Pagefile.sys: Helps the operating system manage RAM memory space and improve system performance.
- Swapfile.sys: This is a newer system file that helps with moving modern Windows apps to the hard drive when they’re in a hibernation state.
- Csrss.exe: This is a client server runtime process that handles console windows and the Windows shutdown process.
- Shell32.dll: Contains Windows shell API functions that allow web browsers and other applications to display elements of the operating system like the taskbar, desktop, and Start menu properly.
- Smss.exe: The session manager subsystem handles user sessions, including Windows logon and user system settings.
- Sxs.dll: This is an important component of the Windows operating system that handles manifest files. These are files that tell Windows how to handle a software application when it’s launched.
While the Windows operating system includes many more, less critical system files, those listed above are some of the most common. Because of this, they are often targeted by malware to trick users into thinking malware files are legitimate.
Most antivirus applications are capable of identifying a counterfeit Windows system file and will typically clean those from your system before you ever know they exist.
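The location check described above (a file that carries a core system name but sits outside the system folders is suspect) can be run over a file inventory. This is an added example, not code from the original article; the function names, the sample paths, and the treatment of SysWOW64 and WinSxS as legitimate locations are assumptions of the example.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis host

# Core file names discussed in the article, compared case-insensitively.
CORE_NAMES = {
    "ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "ntdll.dll", "kernel32.dll",
    "advapi32.dll", "user32.dll", "gdi32.dll", "shell32.dll", "smss.exe",
    "sxs.dll",
}


def find_masquerades(paths, system_root=r"C:\Windows"):
    """Return paths whose file name is a core system name but whose folder
    is not a system folder under system_root (the drive letter can differ)."""
    root = ntpath.normcase(ntpath.normpath(system_root))
    # System and System32 come from the article. SysWOW64 (32-bit copies on
    # 64-bit Windows) and the WinSxS component store are assumptions here.
    trusted = {ntpath.join(root, d) for d in ("system", "system32", "syswow64")}
    winsxs_prefix = ntpath.join(root, "winsxs") + "\\"

    hits = []
    for raw in paths:
        # normpath collapses "..", normcase lowercases and unifies slashes,
        # so "System32\..\Temp" cannot pass as System32.
        full = ntpath.normcase(ntpath.normpath(raw))
        folder, name = ntpath.split(full)
        if name not in CORE_NAMES:
            continue
        if folder in trusted or full.startswith(winsxs_prefix):
            continue
        hits.append(raw)
    return hits


# Constructed sample inventory, not taken from a real system.
SAMPLE = [
    r"C:\Windows\System32\hal.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"c:\windows\SYSWOW64\Kernel32.dll",
    r"C:\Windows\WinSxS\amd64_example_component\ntdll.dll",
    r"C:\Users\Public\Downloads\hal.dll",
    r"C:\Windows\System32\..\Temp\NTDLL.DLL",
    r"C:\Program Files\Example App\user32.dll",
    r"C:\Program Files\Example App\app.exe",
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE):
        print("review:", hit)
```

A hit is a prompt for review (signature, hash, origin of the file), not proof of infection.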