blank Skip to main content

User Mode and Kernel Mode in Cyber Security Technology Implementation

Technologies operating at the kernel level are extensively used in various cybersecurity, virtualization, system control, and monitoring solutions. At the same time, some projects do not really need a driver solution with its potential complexity – a user mode implementation, e.g. based on various hooks, meets all requirements.

We’d like to generalize and share our experience of building kernel level and user level technologies for advanced attack detection and data management projects and provide you with a list of advantages and disadvantages of both approaches for various tasks.

We’ve chosen various system monitoring and management technologies, which are frequently required e.g. for collecting endpoint data when building advanced threat hunting platforms.

Introduction: What Is the Kernel/User Mode?

The Windows operating system uses two different CPU modes to run software: user mode and kernel mode. What is the kernel mode and what is the user mode?

The main difference between user mode and kernel mode, from the software development standpoint, lies in the level of access to system resources.

Kernel mode in the operating system management is reserved for the Windows kernel and various hardware drivers. Software running at the kernel level has full access to hardware and system resources. All other software runs at the user level, where applications are isolated within separate processes and don’t have direct access to hardware memory. User mode to kernel mode switching (and vice-versa) occurs as necessary depending on the code that’s running.

Common Pros and Cons

Windows kernel mode development is necessary when you need to create a driver that will run at the kernel level. This approach works great for tasks that require broad access to the system, such as in-depth endpoint system process monitoring applied by next-geneneration antiviruses or APT detection systems.

However, kernel mode programming is very complex: you need to use specific techniques to test your drivers, and errors can be hard to detect. Issues that are detected are often complex and hard to reproduce, localize, and fix. Moreover, any error at the kernel level can result in a complete and unrecoverable crash of the whole system.

User mode, on the other hand, is easier to work with. Software running at the user level has minimal impact on system stability since it runs in isolation – in the worst-case scenario, the software itself crashes without affecting the stability of the system as a whole. This makes it easier to test solutions and find and reproduce issues.

Despite the convenience that user mode provides, however, its capabilities are limited when it comes to certain monitoring and system control tasks that require broad access to system resources.

The choice between kernel mode vs user mode should be informed by these differences, but should also take into consideration the experience and familiarity of the developer with each mode. If a developer has limited experience with driver architecture and has never worked on driver components before, then it can be rather risky to go with a kernel mode implementation, since it may take a lot of time for the developer to learn the ropes, avoid common pitfalls, and create a stable solution.

Related services

Windows Driver Development

Process Monitoring / Management

Technologies for monitoring and managing processes are an integral part of many cyber security and system management solutions. A number of advanced attack detection systems use detailed process monitoring as one of the important components. 

Process monitoring and management can be implemented by creating a driver or using AppCertDlls and other hooks. The pros and cons of each approach are listed below.


Kernel-mode implementation

See for example Process Monitoring and Management Tips

User-mode implementation

(AppCertDlls, other hooks)


  • Reliable, particularly when crossing with FS Filters + Registry Filters + NetFilters

(common on any user mode implementation)

Potential Problems

  • Can be hard to make additional FS checks when process starts
  • Not secure: users can remove hooks without administrator permission

File System Monitoring / Management

File system monitoring and management technologies open up a whole slew of possibilities in secure data access, malware file detection, virtualization, data management, and content delivery. Below, you’ll find a comparison of two file system monitoring and management implementations, one using a file system filter driver and the other heavily relying on hooks.


Kernel-mode implementation

(Filters, file systems)

See for example File System Virtualization

User-mode implementation

(Heavy use of user-mode hooks with a lot of functions from ntdll.dll and others)


  • Quick implementation
  • MMF support out-of-the-box
  • Paged IO support out-of-the-box
  • Can be used to monitor driver behavior, for example access to shared resources (srv* .sys)
  • Installation doesn’t require administrator permission

Potential Problems

(common for any driver implementation)

  • Very limited virtualization capabilities
  • Weak stability in the face of new OS updates
  • Requires good injection technique for running code within the address space of another process
  • Poor compatibility with antivirus software and protection suites
  • Not secure: users can remove hooks without administrator permission

Read also:
How to Overcome the Challenges of Developing a User Mode File System Driver

Network Monitoring and Management

Technology for monitoring and managing network activity has a wide range of applications in data management, network security, and network administration. In the comparison below, we list the major pros and cons of implementing network monitoring and management solutions in Windows using hooks versus using a custom driver.


Kernel-mode implementation

  • WPF monitoring
  • WPF + redirection + service
  • NDIS

User-mode implementation

  • Socket hooks


  • Only officially documented features used, which means good compatibility with future OS updates
  • Redirect-2-localhost architecture allows for easy porting to another OS
  • NDIS allows easy implementation of speed throttling or virtual adapters if necessary
  • Full context of a process/user/session call is always available
  • No conflict with other redirects
  • Possibility for performance tuning of separate processes

Potential Problems

  • Can have conflicts with other redirects and internet security software, as well as some network software (for example, Npcap Loopback Adapter)
  • Windows 7 and later requires different implementation than Windows XP or Vista
  • Memory requirements are much higher than in kernel mode
  • Driver is required for injecting in the process address space
  • Harder to implement than in kernel mode
  • Code cannot be ported to another OS
  • Conflicts with other hooks, Device Guard mode, future OS updates, as well as security software, including antivirus software and protection suites
  • Not secure: users can remove hooks without administrator permission

You can find a detailed research and comparison of driver-based and user mode implementation of network management tasks with source code in our article.

Read also:
Comparison of User Mode and Kernel Mode Applications for Modifying HTTP Traffic

Keyboard / Keystroke Monitoring

Keystroke monitoring is a vital feature often employed in DLP and user monitoring solutions. It can be used for the purposes of investigation, compliance, and analysis of user behavior.

One implementation of keystroke monitoring in Windows involves the keyboard filter driver, while another uses the WH_KEYBOARD_LL hook. Check out the advantages and disadvantages of both approaches in the table below.


Kernel-mode implementation

(Keyboard filter)

User-mode implementation



  • More reliable message delivery
  • Easy implementation
  • Message can easily be matched with receiving window

Potential Problems

  • Achieving compatibility with different types of keyboards (RDP, USB, PS/2, etc.) can require additional effort
  • Can be hard to match a message with a receiving window
  • Monitoring is possible only within current session

Looking for a pro kernel programming team? Let us know!

Have a question?

Ask our expert!

Tell us about your project

Send us a request for proposal! We’ll get back to you with details and estimations.

By clicking Send you give consent to processing your data

Book an Exploratory Call

Do not have any specific task for us in mind but our skills seem interesting?

Get a quick Apriorit intro to better understand our team capabilities.

Book time slot

Contact us