07 August 2021
Posted by: Michele Pariani
Microsoft Paint: Kernel Mode vs. User Mode

In this blog post, I test how much time Microsoft Paint spends in kernel mode versus user mode.

While reading Windows Internals, Part 1, 7th edition, I came across the topic Kernel Mode vs. User Mode. After a lengthy explanation of what these modes are and why they exist, the authors stated that graphics-intensive applications, such as Microsoft Paint, spend more of their time in kernel mode than in user mode, because the bulk of the graphics and windowing system runs in kernel mode. With a bit of healthy distrust, I decided to test whether this is true by visualizing this behavior with Performance Monitor. Before starting the test, I will briefly explain why Windows uses two processor modes.

Theory

Windows uses two processor modes to prevent user applications from accessing or modifying critical OS data. User application code runs in user mode, whereas OS code, such as system services and device drivers, runs in kernel mode. Concretely, kernel mode is a processor execution mode that grants access to all system memory and all CPU instructions. Because user applications run in user mode, they can't disrupt the stability of the system as a whole even when they misbehave.

Experiment setup and execution

  1. Run MS Paint
  2. Run Performance Monitor
  3. In Performance Monitor, right click on User Defined under Data Collector Sets in the tree on the left side
  4. Click New, click Data Collector Set
  5. Enter “ms paint monitoring” under Name, select Create Manually, select Next
  6. Select Create Data Logs and Performance Counter, select Next
  7. Click Add
  8. Expand the Process counter section, select both % Privileged Time and % User Time
  9. Under Instances of selected object, select mspaint
  10. Click Add, click OK.
  11. Set Sample Interval to 1 second, select Next
  12. Choose Desktop as Root Directory, select Next
  13. Select Finish
  14. Select “ms paint monitoring” under Data Collector Sets > User Defined in the tree on the left side
  15. Click Play on the toolbar in Performance Monitor
  16. In MS Paint, write “test kernel vs. user mode” with the brush
  17. Click Stop on the toolbar in Performance Monitor
  18. Go to desktop, open the newly created folder, open the BLG file

Analysis and conclusion

My trace is 33 seconds long and has 66 data points (one data point for each second for each mode). After opening the BLG file, the default view should be the Line View, where the red line represents the percentage of time that the threads in the Paint process have run in kernel mode (which is labeled Privileged Time), whereas the green line represents the percentage of time that the threads in the Paint process have run in user mode (which is labeled User Time). You can also change to the Report View to display the average time percentage for each mode.

Line View of the 33-second long trace
Report View of the 33-second long trace

The Report View shows that MS Paint ran on average 15% of the time in kernel mode and 8.8% of the time in user mode [1]. This is also confirmed by the Line View, in which the data points for kernel mode are mostly higher than those for user mode. All in all, this test confirms that Microsoft Paint spends more of its time in kernel mode than in user mode.
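The same comparison can be scripted instead of read off the Performance Monitor views. The following Python sketch is an added example, not part of the original post: it assumes the BLG file was converted to CSV with `relog <file>.blg -f csv -o trace.csv`, and the sample rows, host name and the `summarize` helper are constructed for illustration.

```python
import csv
import io

# Constructed sample in the PDH-CSV layout that relog writes. Host name,
# timestamps and values are made up; the first row is blank because rate
# counters have no value until a second sample exists.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (W. Europe Daylight Time)(-120)","\\HOST\Process(mspaint)\% Privileged Time","\\HOST\Process(mspaint)\% User Time"
"08/07/2021 10:00:00.000"," "," "
"08/07/2021 10:00:01.000","18.75","9.375"
"08/07/2021 10:00:02.000","25.0","12.5"
"08/07/2021 10:00:03.000","0","0"
"08/07/2021 10:00:04.000","12.5","15.625"
'''


def summarize(csv_text, instance="mspaint"):
    """Average kernel/user percentages for one Process instance (hypothetical helper)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, data = rows[0], rows[1:]

    def column(counter):
        # Counter paths are prefixed with \\<host>, so match on the suffix only.
        suffix = f"\\Process({instance})\\{counter}".lower()
        for index, name in enumerate(header):
            if name.lower().endswith(suffix):
                return index
        raise KeyError(f"counter not in log: {counter}")

    k_col, u_col = column("% Privileged Time"), column("% User Time")
    pairs = []
    for row in data:
        try:
            pairs.append((float(row[k_col]), float(row[u_col])))
        except (ValueError, IndexError):
            continue  # blank or truncated sample: skip it, do not count it as 0
    if not pairs:
        raise ValueError("no numeric samples in log")

    kernel = sum(k for k, _ in pairs) / len(pairs)
    user = sum(u for _, u in pairs) / len(pairs)
    return {
        "samples": len(pairs),
        "avg_privileged": kernel,            # Report View average, kernel mode
        "avg_user": user,                    # Report View average, user mode
        "avg_processor": kernel + user,      # footnote 1: Privileged + User
        "kernel_higher": sum(1 for k, u in pairs if k > u),  # Line View check
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

To analyze a real trace, pass the text of the converted CSV file to `summarize` instead of `SAMPLE_CSV`.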

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

  1. The sum of Privileged Time and User Time gives the Processor Time for the process.

Comments

  • Only JUST ran across that part (Started reading it myself) and curious if you ever found out WHY it’s in Kernel mode so much. In THEORY I understand that it’s probably related to how the OS talks to DWM as a GUESS but I’m not 100% on that
