What is a Windows Kernel Driver?

Kernel drivers are programs written against the kernel-mode interfaces exported by the Windows NT kernel (ntoskrnl.exe and the HAL, rather than the Win32 subsystem's API) and which execute in kernel mode, at the processor's most privileged level, directly on the underlying hardware. A driver therefore has to cope with the fact that the kernel runs its code in whichever process's address space happens to be current, and it has to be written to be extremely robust: because kernel drivers run in kernel mode, a fault in one of them brings down the entire system rather than a single process. Drivers are the wrong tool for anything that does not genuinely need kernel-mode access, such as talking to a hardware device, for two reasons: installing or starting one requires administrative rights, and code in the kernel forfeits the protection the kernel normally gives user programs, namely that a crashing program takes down only itself and not the whole machine.

Long story short:

  • Drivers use the kernel-mode API (ntoskrnl exports such as the Io*, Ke*, Mm*, Ex* and Zw* routines) rather than the Win32 API.
    • This means a driver cannot directly display any UI; anything user-facing has to live in a user-mode component that talks to the driver, for example through DeviceIoControl.
  • Drivers manage memory explicitly, including whether it may be paged out: paged pool is fine for code paths that run at PASSIVE_LEVEL, but anything touched at DISPATCH_LEVEL or above (DPCs, code under a spin lock, ISRs) must live in nonpaged pool, because a page fault at that IRQL is a bug check.
  • Drivers run in whatever process context the kernel happens to call them in and must not assume which process's address space is mapped while they run; a user-mode buffer address is only meaningful in the requesting process's context, which is why I/O is normally done through buffered or direct (MDL) transfer rather than by dereferencing raw user pointers.
  • Drivers cannot be installed or started by limited users: loading one requires SeLoadDriverPrivilege, which only administrators hold, and 64-bit Windows additionally refuses to load kernel-mode images that are not signed.
  • Drivers run at the processor's most privileged level (ring 0, kernel mode), with unrestricted access to memory and hardware.
  • A fault in a user-level program terminates only that program's process. A fault in a driver is a bug check, the Blue Screen of Death, which halts the entire system.
  • Drivers need to deal with low-level hardware concerns such as interrupts and Interrupt Request Levels (IRQLs), and with which operations are legal at each IRQL.
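The privilege and signing points above can be seen from an elevated PowerShell prompt. The script below is an added example, not code from the original post: it checks whether the current token holds SeLoadDriverPrivilege, checks the Authenticode signature of a driver image, registers the driver as a kernel-mode service with sc.exe, starts it, and confirms that it shows up as a system driver rather than a process. The service name `ExampleDrv` and the path `C:\Drivers\example.sys` are hypothetical placeholders.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# The service name and driver path below are hypothetical placeholders.
$ServiceName = 'ExampleDrv'
$DriverPath  = 'C:\Drivers\example.sys'

# 1. Loading a driver needs SeLoadDriverPrivilege. A limited user's token does
#    not carry it at all, so sc.exe start would fail with access denied.
$privs   = whoami /priv /fo csv | ConvertFrom-Csv
$canLoad = $privs | Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' }
if (-not $canLoad) {
    Write-Warning 'This token has no SeLoadDriverPrivilege; the driver cannot be loaded from here.'
}

# 2. 64-bit Windows refuses unsigned kernel-mode images. Get-AuthenticodeSignature
#    verifies the Authenticode chain on the file, which is a useful first check
#    (it does not by itself prove the signature meets the kernel's signing policy).
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; the kernel will not load this image."
}

# 3. Register the driver as a kernel-mode service (type= kernel) and start it.
#    sc.exe requires the space after each '=' in its argument syntax.
sc.exe create $ServiceName type= kernel start= demand binPath= $DriverPath error= normal
sc.exe start  $ServiceName

# 4. A loaded driver is visible as a system driver, not as a process: there is no
#    user-mode process to find in Get-Process, because the code now runs in the kernel.
Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartMode, PathName

# 5. Stop and unregister the driver when finished.
sc.exe stop   $ServiceName
sc.exe delete $ServiceName
```

Running the same script from a non-elevated prompt shows the point of the "limited users" bullet: the privilege check warns, and the sc.exe create and start calls return access denied.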
