How does Windows protect transition into kernel mode?

梦如初夏 2021-02-01 08:50

How does Windows protect against a user-mode thread from arbitrarily transitioning the CPU to kernel-mode?

I understand these things are true:

  1. User-mode th
5 answers
  •  伪装坚强ぢ
    2021-02-01 09:43

    It's probably fair to say that it does it in a (relatively) similar way to what Linux does. In both cases it's going to be CPU-specific, but on x86 probably either a software interrupt with the INT instruction, or via the SYSENTER instruction.

    The advantage of looking at how Linux does it is that you can do so without a Windows source licence.

    The userspace source part is here at LXR, and for the kernel space bit, look at entry_32.S and entry_64.S.

    Under Linux on x86 there are three different mechanisms, int 0x80, syscall and sysenter.

    A library which is built at runtime by the kernel called vdso is called by the C library to implement the syscall function, which uses a different mechanism depending on the CPU and which system call it is. The kernel then has handlers for those mechanisms (if they exist on the specific CPU variant).
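
As an added illustration (not part of the answer above, and not kernel or C library source), this C program for Linux lists what the kernel-built vDSO mentioned in the last paragraph exports into the process, and makes one call through the C library's `syscall()` wrapper. It assumes glibc-style headers and that `.dynstr` directly follows `.dynsym` in the image; on 32-bit x86 the list includes `__kernel_vsyscall`.

```c
#define _GNU_SOURCE
#include <link.h>        /* ElfW() and the ELF structures */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Walk the vDSO's dynamic symbol table. Returns the number of symbols it
 * defines (-1 if no usable vDSO is mapped); sets *found if `want` is one. */
static int vdso_symbols(const char *want, int *found, int print) {
    uintptr_t base = (uintptr_t)getauxval(AT_SYSINFO_EHDR); /* set by the kernel at exec */
    *found = 0;
    if (!base || memcmp((const void *)base, ELFMAG, SELFMAG) != 0) return -1;
    const ElfW(Ehdr) *eh = (const void *)base;
    const ElfW(Phdr) *ph = (const void *)(base + eh->e_phoff);
    const ElfW(Dyn) *dyn = NULL;
    uintptr_t bias = 0, symtab = 0, strtab = 0; int have_load = 0;
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_DYNAMIC) dyn = (const void *)(base + ph[i].p_offset);
        if (ph[i].p_type != PT_LOAD || have_load) continue;
        bias = base + ph[i].p_offset - ph[i].p_vaddr;  /* load address minus link address */
        have_load = 1;
    }
    if (!dyn || !have_load) return -1;
    for (; dyn->d_tag != DT_NULL; dyn++) {
        if (dyn->d_tag == DT_SYMTAB) symtab = bias + dyn->d_un.d_ptr;
        if (dyn->d_tag == DT_STRTAB) strtab = bias + dyn->d_un.d_ptr;
    }
    if (!symtab || strtab <= symtab) return -1;
    /* Assumption: .dynstr directly follows .dynsym (the usual linker layout),
     * so the gap between the two tables gives the symbol count. */
    const ElfW(Sym) *sym = (const void *)symtab;
    int defined = 0;
    for (size_t i = 1; i < (strtab - symtab) / sizeof *sym; i++) { /* entry 0 is the null symbol */
        if (sym[i].st_shndx == SHN_UNDEF || sym[i].st_name == 0) continue;
        const char *name = (const char *)strtab + sym[i].st_name;
        if (print) printf("  %s\n", name);
        if (want && strcmp(name, want) == 0) *found = 1;
        defined++;
    }
    return defined;
}
static long raw_getpid(void) { return syscall(SYS_getpid); } /* libc's generic wrapper */
int main(void) {
    int found;
    int n = vdso_symbols("__kernel_vsyscall", &found, 1);
    printf("pid via syscall(): %ld; %d vDSO symbols; __kernel_vsyscall %s\n",
           raw_getpid(), n, found ? "present" : "absent");
    return 0;
}
```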
