Windows 8 Kernel Thread List


This is a list of the threads created by the Windows 8 kernel, with a brief description of the functionality each provides. While most of these threads were present in earlier versions of Windows, quite a few are new in Windows 8.

| Thread Top Level Function | Description |
| --- | --- |
| nt!Phase1Initialization | Initializes the kernel, zeros out pages in the free page list and moves them to the zero page list. |
| nt!PopIrpWorkerControl | Creates power worker threads (i.e. PopIrpWorker()) by calling the function PopCreateDynamicIrpWorker() at run time. |
| nt!PopIrpWorker | Power Manager worker threads that dispatch power IRPs to drivers. This function is also used for dynamically created power manager worker threads. The number of PopIrpWorker threads is stored in nt!PopIrpWorkerCount. |
| nt!PopFxEmergencyWorker | Processes work items from the WorkQueue field in the structure POP_FX_PLUGIN. The function PoFxRegisterPluginEx allocates and initializes the POP_FX_PLUGIN structure and creates the PopFxEmergencyWorker() thread. |
| nt!ExpWorkerThreadBalanceManager | Creates executive worker threads dynamically and performs worker queue deadlock detection. There is one such thread per NUMA node. |
| nt!KiExecuteDpc | Executes threaded DPC routines at PASSIVE_LEVEL. There is one such thread per CPU in the system. |
| nt!MiDereferenceSegmentThread | Frees system cache virtual address space, removes unused segments, frees prototype PTEs from subsections, frees prototype PTEs used to clone (fork) processes, trims physical pages from the initial non-paged pool, etc. |
| nt!MiModifiedPageWriter | Writes out modified pages to the system paging files. |
| nt!KeBalanceSetManager | Adjusts the depth of lookaside lists, adjusts the number of ETW trace buffers, enforces process execution time limits, trims process and system working sets, etc. |
| nt!KeSwapProcessOrStack | Swaps process address space and thread stacks in and out of memory. |
| nt!CcQueueLazyWriteScanThread | Cache Manager worker thread that posts work items into the cache manager work queues CcRegularWorkQueue and CcFastTeardownWorkQueue. These work items are processed by the worker routine CcWorkerThread(). |
| nt!FsRtlWorkerThread | Two such threads in the system execute work items queued in the FsRtlWorkerQueues by FsRtlPost[PagingFile]StackOverflow(). Work items are queued to this thread to handle kernel mode thread stack depletion during paging operations. |
| nt!EtwpLogger | Event Tracing for Windows (ETW) worker threads. These threads log messages to in-memory buffers when ETW is enabled with tools like XPERF. |
| nt!MiMappedPageWriter | Writes out modified pages to memory mapped files. |
| nt!IopPassiveInterruptRealtimeWorker | Supports the new PASSIVE_LEVEL Interrupt Service Routines (ISRs) in Windows 8 registered via IoConnectInterruptEx() with the IO_CONNECT_INTERRUPT_PARAMETERS fields Irql and SynchronizationIrql set to PASSIVE_LEVEL. |
| nt!ExpWorkerThread | Worker threads that execute work items queued in the Delayed, Critical, Hypercritical, Normal, Background, RealTime and SuperCritical work queues by functions like IoQueueWorkItemEx(). |
| nt!SepRmCommandServerThread | Listens for commands from LSASS.exe on the LPC Port (SeRmCommandPort), dispatches them to functions in the array nt!SepRmCommandDispatch and replies to the LPC messages. |
| nt!CmpLazyFlushWorker | Configuration Manager worker thread that performs lazy writing of registry hives. |
| nt!PfTLoggingWorker | Super-fetch logger thread that records the memory manager's page access patterns. |