|
== Internal components ==
HAL.DLL is a kernel-mode library file and it cannot be used by any user-mode program. NTDLL.DLL is only used by some programs, but it is a dependency of most Win32 libraries used by programs.
=== HAL.DLL ===
[[File:Windows_2000_architecture.svg|thumb|The Hardware Abstraction Layer in the [[architecture of Windows NT]]]]
The Windows [[Hardware Abstraction Layer]] (HAL) is implemented in '''hal.dll'''.<ref>{{cite book|author=Blunden, Bill|title=The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System|publisher=Jones & Bartlett Learning|year=2009|isbn=978-1-59822-061-2|page=101|url=https://books.google.com/books?id=DF5AhCOLFrgC&pg=PA101}}</ref> The HAL implements a number of functions that are implemented in different ways by different hardware platforms, which in this context, refers mostly to the [[chipset]]. Other components in the [[operating system]] can then call these functions in the same way on all platforms, without regard for the actual implementation.
For example, responding to an interrupt is quite different on a machine with an [[Advanced Programmable Interrupt Controller|Advanced Programmable Interrupt Controller (APIC)]] than on one without. The HAL provides a single function for this purpose that works with all kinds of interrupts by various chipsets, so that other components need not be concerned with the differences.
The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type [[.sys]], a few core drivers are compiled into '''hal.dll'''.
Kernel mode device drivers for devices on buses such as [[Conventional PCI|PCI]] and [[PCI Express]] directly call routines in the HAL to access [[I/O ports]] and registers of their devices. The drivers use HAL routines because different platforms may require different implementations of these operations. The HAL implements the operations appropriately for each platform, so the same driver executable file can be used on all platforms using the same [[CPU]] architecture, and the driver source file can be portable across all architectures.
On [[x86]] systems prior to [[Windows 8]], there are several different HAL files on the installation media. The Windows installation procedure determines which ones are appropriate for the current platform and copies it to the hard drive, renaming it to '''hal.dll''' if necessary. Among the criteria for this selection are: the presence of an [[ACPI]]-compatible BIOS, the presence of an [[Advanced Programmable Interrupt Controller|APIC]], and whether or not multiple processors are present and enabled. (The multiple cores of a [[multi-core CPU]], and even the "logical processors" implemented by a [[hyperthreading]] CPU, all count as "processors" for this purpose.) On [[x86-64]] and [[Itanium]] platforms there is just one possible '''hal.dll''' for each CPU architecture. On Windows 8 and later, the x86 version also only has one HAL.
HAL is merged (or statically linked) into ntoskrnl.exe<ref>{{cite tweet|number=1154442296391323651|user=PetrBenes|title=Did I miss something? Routines...|date=25 July 2019}}</ref> starting with version 2004 of Windows 10, and the dll only serves as a stub for backwards compatibility.
=== NTDLL.DLL ===
| 