View Full Version : NTOSKRNL.EXE
GrahamB
31-12-2006, 05:55 PM
I am running Windows XP Pro.

This programme is consistently trying to access the internet, and is blocked by my Firewall.

Should I allow it access?

Or do I have a deeper problem?

TFYH

GrahamB

trinsic
31-12-2006, 06:09 PM
In operating systems, the role is provided by the "kernel". All MS operating systems have an executable or DLL for this.

One of the reasons (there are others) you periodically see the "kernel" get blocked in Windows, is that since 98 came out, MS has increasingly tied internet based functionality into all aspects of the operating system.

What happens in many cases, is you will have been running an application which makes use of some native Windows internet functionality, and then have moved on to something else. When the app closes out, it releases its links to the various modules it was using and Windows returns the freed resources to the "general" pool.

However, there is one last thing which needs to happen, which is to properly shut down the TCP connection which was established. If the originating app doesn't handle this itself or has exited before the connection is shut down completely, the kernel takes over the role of monitoring for the "handshake" traffic from the port reset, since the allocated socket can't be left "abandoned".

You can see this in operation using a tool like Netmon, for example (you will see a dying connection shown in the "time wait" state). If the timeout expires, the connection will close at your end, regardless of whether the expected response was received.

At this point, if there is no firewall, the kernel would send a "reset/ack" packet back to inform the sender the connection is closed. If you have blocked the kernel, you get the popup, and no response is sent back.

Another possibility, again due to the tight integration of internet functionality, is if traffic (both internal or external) arrives which the running apps don't know what to do with, it will be directed back to the kernel to try and figure out what's going on, which can lead to popups depending on the circumstances.

So after all that, yes, allow it to go through :waughh:

Shortcircuit
31-12-2006, 06:44 PM
Luv it all... especially the last line :D :D :D (actually not joking- beautifully worded!)

It can also be 'hi-jacked' by a trojan Graham, but fairly unlikely. My advice would be deny it access for a while and see if anything goes pear-shaped or not. Maybe also update your AV and run a scan just to be safe.
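Two checks a defender would actually run before deciding, covering both trinsic's point about the kernel finishing off TIME_WAIT sockets and Shortcircuit's concern that the blocked image might not be the genuine kernel. This is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes a Windows host with PowerShell 3 or later and netstat.exe on the PATH (the function and variable names are my own), and it lists every TIME_WAIT socket rather than only the one case described above.

```powershell
# Check 1: is the ntoskrnl.exe the firewall complains about the real kernel?
# The genuine image lives in %SystemRoot%\System32 and carries a valid
# Microsoft Authenticode signature; anything else is worth investigating.
function Test-KernelImage {
    $expected = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
    if (-not (Test-Path $expected)) {
        return [pscustomobject]@{
            Path = $expected; Present = $false; Signature = $null; Signer = $null; Genuine = $false
        }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $expected
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path      = $expected
        Present   = $true
        Signature = $sig.Status                     # 'Valid' for the real kernel
        Signer    = $signer
        Genuine   = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')
    }
}

# Check 2: list the TIME_WAIT sockets trinsic describes. `netstat -ano` prints
# one line per socket: proto, local, remote, state, owning PID. A PID of 0
# means no user process owns the socket any more and the kernel is running
# the teardown, which is exactly the traffic a per-process firewall then
# attributes to ntoskrnl.exe / System.
function Get-TimeWaitSockets {
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+TIME_WAIT\s+(\d+)\s*$') {
            $ownerPid = [int]$Matches[3]
            $proc = if ($ownerPid -eq 0) { $null }
                    else { Get-Process -Id $ownerPid -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Local    = $Matches[1]
                Remote   = $Matches[2]
                OwnerPid = $ownerPid
                Process  = if ($proc)             { $proc.ProcessName }
                           elseif ($ownerPid -eq 0) { 'System (kernel)' }
                           else                     { 'exited' }
            }
        }
    }
}

# Usage: run both checks and eyeball the results.
Test-KernelImage     | Format-List
Get-TimeWaitSockets  | Format-Table -AutoSize
```

If `Genuine` comes back `$true` and the TIME_WAIT list is made up of remote addresses you recognise from programs you just closed, the popups are the benign teardown case the thread describes. An image that is unsigned, signed by someone other than Microsoft, or sitting outside System32 is the situation where Shortcircuit's advice to keep it blocked and run an updated AV scan applies.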

bk T
31-12-2006, 10:26 PM
trinsic, excellent reply and explanation! One of the best replies before the year ends.

Well Done! :) :)

i-gordon
01-01-2007, 04:18 PM
Nice reply Trinsic
This came off a Sygate forum. Nothing wrong with that, except you should give credit where it's due. :nerd:
Ian