Closer Look to WSL

The Background

Back in the Windows 2000 era, Windows shipped with a POSIX subsystem and even an OS/2 subsystem, for compatibility with software written for those two operating systems. Below is a picture from MSDN of NT Workstation.
POSIX and OS/2 subsystem

The POSIX subsystem became SUA (Subsystem for Unix Application) when Microsoft released Windows Vista, and matured in Windows 7 / Windows Server 2008 (picture from MSDN, 2007).


WSL on Windows 10

A few terms on Windows

Windows User Mode

A CPU mode that provides isolation and protection for normal applications, so that even if one program crashes, no other programs will be affected.

Windows Kernel Mode

The CPU mode used by core components of the system kernel (like hardware drivers) to interact with hardware.

Windows NT Kernel

The NT kernel separates the APIs that programs can call from the system kernel itself, so that Windows NT can support multiple subsystems (Win32, OS/2, POSIX).

Pico Process

Originally part of the Drawbridge project. It provides a lightweight way to run a (Linux) application in an isolated environment. No operating system kernel or service is needed. All the system calls are handled by the Pico driver.

How WSL works

When Windows 10 starts

It loads two more .sys files, lxss.sys and lxcore.sys, into the NT kernel.

After user types bash.exe

The LX Session Manager Service starts. This service is essential for communication between bash.exe and Linux ELF64 binaries.

When a Linux program starts

The Linux process starts as a Pico process in Windows NT User Mode.

LXSS System Calls

lxcore.sys and lxss.sys

These two system files are responsible for intercepting all Linux syscalls and translating them to Windows NT kernel instructions.

# Simple Fork Bomb
import os
while 1:

There is no directly comparable call in Windows for the Linux fork(). So when a Linux process requests a fork, lxcore.sys intercepts that call, prepares for the process replication, and creates the threads the program requires using the NT kernel API.


Epoll is a syscall for I/O event notification. Under WSL, it is designed to merge into the Win32 Event System for further handling.
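The two syscalls described above, exercised once each in a bounded example added here (it is not code from the original post): a single fork() whose child reports back over a pipe, and a parent that waits for that message with epoll. It shows the semantics a translation layer has to reproduce: two returns from one call, a copied address space, and an inherited file descriptor. The function name fork_and_epoll is hypothetical, and the code assumes a Linux or WSL environment.

```python
import os
import select

def fork_and_epoll(timeout=5.0):
    """Fork exactly one child and wait for its message with epoll."""
    read_fd, write_fd = os.pipe()
    counter = 1                       # lives in the parent's address space
    parent_pid = os.getpid()

    pid = os.fork()                   # returns 0 in the child, the child's PID in the parent
    if pid == 0:
        try:
            os.close(read_fd)
            counter += 41             # changes only the child's copy of memory
            msg = f"{os.getpid()} {os.getppid()} {counter}"
            os.write(write_fd, msg.encode())
        finally:
            os._exit(0)               # exit at once, skipping the parent's cleanup handlers

    # Parent: the pipe inherited across fork() is the only shared channel.
    os.close(write_fd)
    ep = select.epoll()
    try:
        ep.register(read_fd, select.EPOLLIN)
        events = ep.poll(timeout)     # blocks until the child writes or the timeout expires
        data = os.read(read_fd, 256).decode() if events else ""
    finally:
        ep.close()
        os.close(read_fd)
    _, status = os.waitpid(pid, 0)    # reap the child so no zombie is left behind
    if not events:
        raise TimeoutError("child did not report within the timeout")

    child_pid, child_ppid, child_counter = (int(x) for x in data.split())
    return {
        "fork_returned": pid,
        "child_pid": child_pid,
        "child_saw_parent": child_ppid == parent_pid,
        "child_counter": child_counter,   # 42: the child's private copy
        "parent_counter": counter,        # still 1: the parent's memory is untouched
        "epoll_ready": bool(events[0][1] & select.EPOLLIN),
        "exit_code": os.WEXITSTATUS(status),
    }

if __name__ == "__main__":
    print(fork_and_epoll())
```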

File system

Windows provides VolFS for file compatibility with the Linux file system. VolFS supports Linux permissions, symbolic links, and case sensitivity. DriveFS enables Windows to read and write the Linux file system and also allows Linux to see the Windows volumes.

WSL Components, picture from MSDN

