
The f*cking obvious; I searched the Sygate forums (it only just occurred to me):
ntoskrnl.exe is, as far as I know, an abridged form of "Network Terminal ('NT', this being Windows NT [duh], 2000, XP, and 2003) Operating System Kernel". A kernel is the little hard bit in popcorn, right? Well, it's like that. I imagine the reason it's being blocked even though it's set to Allow is because Sygate is blocking people trying to access File and Printer sharing over the Internet.
I might be wrong, maybe that's handled by another process. It's nothing to worry about, anyway — and it's not really something you're likely to want connected to the 'net, is it?
Generally speaking, you guys are on the right track here with your thoughts about the function of ntoskrnl in the Windows architecture.
To tie it together a little better:
All modern operating systems (and many apps for that matter) have a highly modularized design architecture in order to make it easier to design, implement, and maintain.
As a result, there needs to be a process which provides for overall execution control and resource allocation.
In operating systems, the role is provided by the "kernel". All MS operating systems have an executable or dll for this.
One of the reasons (there are others) you periodically see the "kernel" get blocked in Windows, is that since 98 came out, MS has increasingly tied internet based functionality into all aspects of the operating system.
What happens in many cases, is you will have been running an application which makes use of some native Windows internet functionality, and then have moved on to something else. When the app closes out, it releases its links to the various modules it was using and Windows returns the freed resources to the "general" pool.
However, there is one last thing which needs to happen which is to properly shutdown the TCP connection which was established. If the originating app doesn't handle this itself or has exited before the connection is shut down completely, the kernel takes over the role of monitoring for the "handshake" traffic from the port reset, since the allocated socket can't be left "abandoned".
You can see this in operation using a tool like Netmon for example (you will see a dying connection shown in the "time wait" state). If the timeout expires the connection will close at your end, regardless if the expected response was received.
At this point, if there is no firewall, the kernel would send a "reset/ack" packet back to inform the sender the connection is closed. If you have blocked the kernel, you get the popup, and no response is sent back.
Another possibility, again due to the tight integration of internet functionality, is if traffic (both internal or external) arrives which the running apps don't know what to do with, it will be directed back to the kernel to try and figure out what's going on, which can lead to popups depending on the circumstances.
As Jarmo has suggested, since MS Networking housekeeping traffic is handled by the kernel, it is possible to have the kernel get blocked, even if you have explicitly allowed it as an "app", due to a violation of one of the security options (NetBIOS protection for example), or an advanced rule due to the order of processing in SPF.
HTH,
Alinator
So, a topic for the search

Apologies again.
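
As an added illustration of the "dying connection" point in the quoted explanation (not part of the original thread), this Python sketch parses output in the layout of Windows `netstat -ano` and picks out TCP sockets still in teardown that no application owns any more. The sample rows are constructed, and treating PID 0 and PID 4 as kernel-owned is an assumption about Windows XP and later.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample in the layout of Windows `netstat -ano`.
# Addresses are documentation ranges; PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED     1520
  TCP    192.0.2.10:1043        198.51.100.7:80        TIME_WAIT       0
  TCP    192.0.2.10:1044        203.0.113.5:443        TIME_WAIT       0
  TCP    192.0.2.10:1045        203.0.113.5:443        CLOSE_WAIT      1520
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  UDP    192.0.2.10:137         *:*                                    4
"""

# The State column is empty for UDP rows, so it is optional here.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

# Assumption: PID 0 means no owning process; PID 4 is "System" on XP and later.
KERNEL_PIDS = {0, 4}
TEARDOWN = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK", "TIME_WAIT"}

def parse_netstat(text):
    """Return one Conn per TCP/UDP row; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns

def kernel_owned(conns):
    """Rows whose traffic a per-application firewall cannot tie to an app."""
    return [c for c in conns if c.pid in KERNEL_PIDS]

def orphaned_teardown(conns):
    """TCP connections still closing after their application let go of them."""
    return [c for c in kernel_owned(conns)
            if c.proto == "TCP" and c.state in TEARDOWN]

if __name__ == "__main__":
    for c in orphaned_teardown(parse_netstat(SAMPLE)):
        print(f"{c.local} -> {c.remote} {c.state} (PID {c.pid})")
```

Late packets for the rows this reports are the kind a per-application firewall can only attribute to the kernel, which matches the popups described in the thread.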