Windows Kernel Thread List
A list of the threads created by the Windows 8 kernel, with a brief description of the functionality each provides. While most of these threads were present in earlier versions of Windows, there are quite a few new ones in Windows 8.
| Thread Top Level Function | Description |
|---|---|
| nt!Phase1Initialization | Initializes the kernel, zeros out pages in the free page list and moves them to the zero page list. |
| nt!PopIrpWorkerControl | Creates power worker threads (i.e. PopIrpWorker()) by calling the function PopCreateDynamicIrpWorker() at run time. |
| nt!PopIrpWorker | Power Manager worker threads that dispatch power IRPs to drivers. This function is also used for dynamically created power manager worker threads. The number of PopIrpWorker threads is stored in nt!PopIrpWorkerCount. |
| nt!PopFxEmergencyWorker | Processes work items from the WorkQueue field in the structure POP_FX_PLUGIN. The function PoFxRegisterPluginEx allocates and initializes the POP_FX_PLUGIN structure and creates the PopFxEmergencyWorker() thread. |
| nt!ExpWorkerThreadBalanceManager | Creates executive worker threads dynamically and performs worker queue deadlock detection. There is one such thread per NUMA node. |
| nt!KiExecuteDpc | Executes threaded DPC routines at PASSIVE_LEVEL. There is one such thread per CPU in the system. |
| nt!MiDereferenceSegmentThread | Frees system cache virtual address space, removes unused segments, frees prototype PTEs from subsections, frees prototype PTEs used to clone (fork) processes, trims physical pages from the initial non-paged pool, etc. |
| nt!MiModifiedPageWriter | Writes out modified pages to the system paging files. |
| nt!KeBalanceSetManager | Adjusts the depth of lookaside lists, adjusts the number of ETW trace buffers, enforces process execution time limits, trims process and system working sets, etc. |
| nt!KeSwapProcessOrStack | Swaps process address space and thread stacks in and out of memory. |
| nt!CcQueueLazyWriteScanThread | Cache Manager worker thread that posts work items into cache manager work queues CcRegularWorkQueue and CcFastTeardownWorkQueue. These work items are processed by the worker routine function CcWorkerThread(). |
| nt!FsRtlWorkerThread | Two such threads in the system execute work items queued in the FsRtlWorkerQueues by FsRtlPost[PagingFile]StackOverflow(). Work items are queued to this thread to handle kernel mode thread stack depletion during paging operations. |
| nt!EtwpLogger | Event Tracing for Windows (ETW) worker threads. These threads log messages to in-memory buffers when ETW is enabled with tools like XPERF. |
| nt!MiMappedPageWriter | Writes out modified pages to memory mapped files. |
| nt!IopPassiveInterruptRealtimeWorker | Supports the new PASSIVE_LEVEL Interrupt Service Routines (ISRs) in Windows 8, registered via IoConnectInterruptEx() with the IO_CONNECT_INTERRUPT_PARAMETERS fields Irql and SynchronizationIrql set to PASSIVE_LEVEL. |
| nt!ExpWorkerThread | Worker threads that execute work items queued in the Delayed, Critical, Hypercritical, Normal, Background, RealTime and SuperCritical work queues by functions like IoQueueWorkItemEx(). |
| nt!SepRmCommandServerThread | Listens for commands from LSASS.exe on the LPC Port (SeRmCommandPort), dispatches them to functions in the array nt!SepRmCommandDispatch and replies to the LPC messages. |
| nt!CmpLazyFlushWorker | Configuration Manager worker thread to perform lazy writing of registry hives. |
| nt!PfTLoggingWorker | SuperFetch logger thread that records the memory manager's page access patterns. |