Shlomi Boutnaru

556 Followers

6 days ago

The Windows Process Journey — smartscreen.exe (Windows Defender SmartScreen)

“smartscreen.exe” is an executable which is the “Windows Defender SmartScreen”. The executable is located at “%windir%\System32\smartscreen.exe” (On 64 bit systems there is only a 64 bit version with no 32 bit version — in contrast to other executables such as cmd.exe). SmartScreen is a cloud-based anti-phishing/anti-malware component which is included…

Windows

2 min read


Jan 25

The Linux Process Journey — “krfcommd”

“krfcommd” is a kernel thread which is started by executing the “kthread_run()” function (https://elixir.bootlin.com/linux/latest/source/net/bluetooth/rfcomm/core.c#L2215). The kernel thread executes the “rfcomm_run()” function (https://elixir.bootlin.com/linux/latest/source/net/bluetooth/rfcomm/core.c#L2109). Thus, we can say that “krfcommd” is responsible for handling RFCOMM connections (https://stackoverflow.com/questions/57152408/what-is-the-internal-mechanics-of-socket-function).

Linux

2 min read


Jan 23

The Windows Process Journey — explorer.exe (Windows Explorer)

“explorer.exe” is an executable which is the “Windows Explorer”. The executable is located at “%windir%\explorer.exe” (On 64 bit systems there is also a 32 bit version located in %windir%\SysWOW64\explorer.exe). It is responsible for handling elements of the graphical user interface in Windows (including the taskbar, start menu, and desktop), the…

Windows

2 min read


Jan 21

The Linux Process Journey — “khugepaged”

The kernel thread “khugepaged” is created using the “kthread_run()” function (https://elixir.bootlin.com/linux/latest/source/mm/khugepaged.c#L2551). It is responsible for “Transparent Hugepage Support” (aka THP). “khugepaged” scans memory and collapses sequences of basic pages into huge pages (https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html). We can manage and configure THP using sysfs (https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#thp-sysfs) or by using the syscall “madvise” (https://man7.org/linux/man-pages/man2/madvise.2.html)…

Linux

1 min read
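The two knobs the excerpt mentions, the sysfs mode and madvise, can be exercised from user space. The following is an added example, not code from the post: it parses the active mode out of /sys/kernel/mm/transparent_hugepage/enabled, maps an anonymous region aligned to the huge-page size (khugepaged only collapses PMD-aligned ranges) with MADV_HUGEPAGE, and then checks /proc/self/smaps to see whether the kernel really backed it with huge pages. The 2 MiB huge-page size and 4 KiB base page are assumptions (x86-64 defaults); on other architectures adjust HPAGE_SIZE.

```c
/* Added example (not from the post): query the THP sysfs mode, request huge
 * pages for an anonymous mapping with madvise(MADV_HUGEPAGE), and verify via
 * /proc/self/smaps. Assumes Linux with 2 MiB huge pages (x86-64 default). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define HPAGE_SIZE (2UL << 20) /* assumption: 2 MiB PMD-sized huge pages */

/* Parse the text of /sys/kernel/mm/transparent_hugepage/enabled, for example
 * "always [madvise] never\n", copying the bracketed (active) mode into out.
 * Returns 0 on success, -1 if no bracketed token exists or out is too small. */
int parse_thp_mode(const char *sysfs_text, char *out, size_t outlen)
{
    const char *open = strchr(sysfs_text, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    size_t len;
    if (!open || !close)
        return -1;
    len = (size_t)(close - open - 1);
    if (len >= outlen)
        return -1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return 0;
}

/* Read the live THP mode; -1 if the sysfs file is unavailable (no THP). */
int read_thp_mode(char *out, size_t outlen)
{
    char buf[128];
    FILE *f = fopen("/sys/kernel/mm/transparent_hugepage/enabled", "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_thp_mode(buf, out, outlen);
}

/* Sum every "AnonHugePages:   N kB" line in a chunk of /proc/<pid>/smaps text. */
unsigned long sum_anon_huge_kb(const char *smaps_text)
{
    unsigned long total = 0, kb;
    const char *line = smaps_text;
    while (line && *line) {
        if (strncmp(line, "AnonHugePages:", 14) == 0 &&
            sscanf(line + 14, "%lu", &kb) == 1)
            total += kb;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return total;
}

/* Map `len` bytes of anonymous memory aligned to HPAGE_SIZE and mark it
 * MADV_HUGEPAGE. Returns the aligned mapping (unmap with munmap(p, len)) or
 * NULL if mmap fails. If madvise fails (EINVAL when THP is compiled out) the
 * mapping is still returned and *advice_errno records the errno. */
void *map_hugepage_hint(size_t len, int *advice_errno)
{
    size_t span = len + HPAGE_SIZE; /* over-allocate, then trim to alignment */
    char *raw = mmap(NULL, span, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    char *aligned;
    size_t head, tail;
    if (raw == MAP_FAILED)
        return NULL;
    aligned = (char *)(((unsigned long)raw + HPAGE_SIZE - 1) & ~(HPAGE_SIZE - 1));
    head = (size_t)(aligned - raw);
    tail = span - head - len;
    if (head)
        munmap(raw, head);
    if (tail)
        munmap(aligned + len, tail);
    *advice_errno = 0;
    if (madvise(aligned, len, MADV_HUGEPAGE) != 0)
        *advice_errno = errno;
    memset(aligned, 0xA5, len); /* fault the pages in so smaps can report them */
    return aligned;
}

int main(void)
{
    char mode[32], line[256];
    unsigned long kb = 0;
    int err;
    FILE *f;
    char *p;

    if (read_thp_mode(mode, sizeof mode) == 0)
        printf("THP mode (sysfs): %s\n", mode);
    else
        printf("THP sysfs knob not available\n");
    p = map_hugepage_hint(4 * HPAGE_SIZE, &err);
    if (!p) {
        perror("mmap");
        return 1;
    }
    if (err)
        printf("madvise(MADV_HUGEPAGE): %s\n", strerror(err));
    f = fopen("/proc/self/smaps", "r");
    if (f) {
        while (fgets(line, sizeof line, f))
            kb += sum_anon_huge_kb(line);
        fclose(f);
    }
    printf("AnonHugePages in this process: %lu kB\n", kb);
    munmap(p, 4 * HPAGE_SIZE);
    return 0;
}
```

With the mode set to "madvise", the first touch of the madvised region is normally served by a huge page directly; with "never" the AnonHugePages total stays at 0 regardless of the hint, which is the quickest way to tell whether a tuning change actually took effect.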


Jan 17

Windows — IPC (Inter Process Communication): Introduction

Due to the fact that each process in Windows has its own memory address space, we can’t pass pointers between threads in different processes and expect to see the same data at the same virtual address. It could be that the virtual address is not valid in one of the address…

Windows

2 min read


Jan 16

The Linux Process Journey — kcompactd

When a Linux system is up and running, memory pages of different processes/tasks are scattered and thus are not physically contiguous (even if they are contiguous in their virtual address space). We can move to a bigger page size (like from 4K to 4M) but it still has its limitations like: waste of…

Linux

2 min read
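The fragmentation the excerpt describes is visible in /proc/buddyinfo, which lists per zone how many free blocks of each order (2^order pages) exist. The following is an added example, not code from the post: a parser for that file plus the "unusable index" the kernel itself exposes under /sys/kernel/debug/extfrag, i.e. the share of free memory that sits in blocks too small for a given order and can only become usable after compaction, which is exactly the work kcompactd does. It also shows the manual trigger, writing 1 to /proc/sys/vm/compact_memory (root only). The 4 KiB base page size is an assumption.

```c
/* Added example (not from the post): parse /proc/buddyinfo and compute how
 * much free memory is unusable for a given allocation order, the metric that
 * kcompactd's page migration improves. Assumes Linux with 4 KiB base pages. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ORDERS 16 /* /proc/buddyinfo shows 11 orders on most kernels */
#define PAGE_KB 4     /* assumption: 4 KiB base pages */

struct zone_free {
    int node;
    char zone[16];
    int norders;
    unsigned long counts[MAX_ORDERS]; /* counts[i] = free blocks of 2^i pages */
};

/* Parse one line such as "Node 0, zone   Normal   1234   567   89 ...".
 * Returns 0 on success, -1 if the line is not a buddyinfo zone line. */
int parse_buddyinfo_line(const char *line, struct zone_free *z)
{
    int consumed = 0;
    const char *p;
    char *end;
    memset(z, 0, sizeof *z);
    if (sscanf(line, "Node %d, zone %15s%n", &z->node, z->zone, &consumed) != 2)
        return -1;
    p = line + consumed;
    while (z->norders < MAX_ORDERS) {
        long v = strtol(p, &end, 10);
        if (end == p || v < 0)
            break;
        z->counts[z->norders++] = (unsigned long)v;
        p = end;
    }
    return z->norders > 0 ? 0 : -1;
}

/* Total free pages in the zone, weighting each block by its size. */
unsigned long free_pages(const struct zone_free *z)
{
    unsigned long total = 0;
    for (int i = 0; i < z->norders; i++)
        total += z->counts[i] << i;
    return total;
}

/* Fraction of free memory held in blocks smaller than 2^order pages, i.e.
 * memory an order-`order` allocation cannot use until compaction merges it.
 * Same definition as the kernel's /sys/kernel/debug/extfrag/unusable_index. */
double unusable_fraction(const struct zone_free *z, int order)
{
    unsigned long total = free_pages(z), usable = 0;
    if (total == 0)
        return 0.0;
    for (int i = order; i < z->norders; i++)
        usable += z->counts[i] << i;
    return 1.0 - (double)usable / (double)total;
}

/* Ask the kernel to compact every zone now, the manual counterpart of what
 * kcompactd does in the background. Needs root; returns 0 or the errno. */
int request_compaction(void)
{
    FILE *f = fopen("/proc/sys/vm/compact_memory", "w");
    if (!f)
        return errno;
    if (fputs("1\n", f) == EOF) {
        int e = errno;
        fclose(f);
        return e;
    }
    return fclose(f) == 0 ? 0 : errno;
}

int main(void)
{
    char line[512];
    struct zone_free z;
    int rc;
    FILE *f = fopen("/proc/buddyinfo", "r");
    if (!f) {
        perror("/proc/buddyinfo");
        return 1;
    }
    /* order 9 = 2 MiB with 4 KiB pages: the block size THP and DMA buffers want */
    while (fgets(line, sizeof line, f)) {
        if (parse_buddyinfo_line(line, &z) != 0)
            continue;
        printf("node %d zone %-8s free %8lu MiB  unusable for order-9: %5.1f%%\n",
               z.node, z.zone, free_pages(&z) * PAGE_KB / 1024,
               100.0 * unusable_fraction(&z, 9));
    }
    fclose(f);
    rc = request_compaction();
    printf("compact_memory: %s\n", rc ? strerror(rc) : "triggered");
    return 0;
}
```

Running it as root twice, once before and once after the compaction trigger, shows the order-9 unusable percentage drop as kcompactd-style migration turns scattered free 4K pages into contiguous 2M blocks.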


Jan 13

Linux — Namespaces: Mount Namespace

In the first part of the series we talked generally about what namespaces are and what we can do with them — in case you want to go over it you can use the following link https://medium.com/@boutnaru/linux-namespaces-part-1-dcee9c40fb68. Now we are going to deep dive into the mount namespace. The…

Linux

2 min read


Jan 11

Linux — namespaces: IPC namespace

In the first part of the series we talked generally about what namespaces are and what we can do with them — in case you want to go over it you can use the following link https://medium.com/@boutnaru/linux-namespaces-part-1-dcee9c40fb68. …

Linux

2 min read
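For both the mount-namespace and the IPC-namespace posts above, the concrete effect of entering a new namespace can be seen from a few syscalls. The following is an added example, not code from either post: the parent creates a System V shared-memory segment, then forks a child that calls unshare() with CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWIPC (the user namespace is what lets an unprivileged process create the other two where the kernel permits it). The child reports the mnt and ipc namespace inodes from /proc/self/ns before and after, and checks that the parent's shmid is no longer resolvable in the new IPC namespace. The PROBE_* result codes and the 4096-byte segment are assumptions of this example; where user namespaces are disabled (or inside a container seccomp profile) unshare fails and the program reports that instead.

```c
/* Added example (not from the posts): show that unshare() into new user,
 * mount and IPC namespaces changes the /proc/self/ns identities and makes a
 * SysV shared-memory id from the parent namespace invalid. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse a /proc/<pid>/ns/<type> link target such as "ipc:[4026531839]" and
 * return the inode that identifies the namespace, or 0 on malformed input. */
unsigned long parse_ns_inode(const char *link_target)
{
    const char *open = strchr(link_target, '[');
    char *end;
    unsigned long ino;
    if (!open)
        return 0;
    ino = strtoul(open + 1, &end, 10);
    return (end != open + 1 && *end == ']') ? ino : 0;
}

/* Namespace inode of the calling process for "mnt", "ipc", ... (0 on failure). */
unsigned long self_ns_inode(const char *type)
{
    char path[64], target[64];
    ssize_t n;
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    n = readlink(path, target, sizeof target - 1);
    if (n < 0)
        return 0;
    target[n] = '\0';
    return parse_ns_inode(target);
}

/* Result codes (assumed by this example) returned through the child's exit status. */
enum { PROBE_ISOLATED = 0, PROBE_NO_PERMISSION = 1, PROBE_STILL_VISIBLE = 2, PROBE_ERROR = 3 };

/* Runs in the child: enter new namespaces, then try to IPC_STAT the parent's shmid. */
int probe_in_new_namespaces(int shmid)
{
    unsigned long ipc0 = self_ns_inode("ipc"), mnt0 = self_ns_inode("mnt");
    struct shmid_ds ds;
    /* CLONE_NEWUSER first: inside the new user namespace the process holds the
     * capabilities needed to create the mount and IPC namespaces as well. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWIPC) != 0) {
        printf("unshare: %s\n", strerror(errno));
        fflush(stdout);
        return PROBE_NO_PERMISSION;
    }
    printf("ipc ns %lu -> %lu, mnt ns %lu -> %lu\n",
           ipc0, self_ns_inode("ipc"), mnt0, self_ns_inode("mnt"));
    fflush(stdout);
    if (shmctl(shmid, IPC_STAT, &ds) == 0)
        return PROBE_STILL_VISIBLE; /* would mean the IPC namespace did not isolate */
    return errno == EINVAL ? PROBE_ISOLATED : PROBE_ERROR; /* id unknown in new ns */
}

/* Parent side: create the segment, fork the probe, reap it, remove the segment
 * (which still exists in the parent's namespace). Returns the PROBE_* code. */
int run_demo(void)
{
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    int status;
    pid_t pid;
    if (shmid < 0)
        return PROBE_ERROR;
    pid = fork();
    if (pid == 0)
        _exit(probe_in_new_namespaces(shmid));
    if (pid < 0 || waitpid(pid, &status, 0) < 0) {
        shmctl(shmid, IPC_RMID, NULL);
        return PROBE_ERROR;
    }
    shmctl(shmid, IPC_RMID, NULL);
    return WIFEXITED(status) ? WEXITSTATUS(status) : PROBE_ERROR;
}

int main(void)
{
    static const char *what[] = {
        "isolated: parent's shmid is invalid in the new IPC namespace",
        "unshare refused (user namespaces disabled or no CAP_SYS_ADMIN)",
        "shmid still visible (no isolation)",
        "error",
    };
    int r = run_demo();
    printf("result: %s\n", what[r]);
    return r == PROBE_ISOLATED ? 0 : 1;
}
```

The same pattern (unshare, then re-read /proc/self/ns) is how you confirm from inside a container or sandbox which namespaces a process actually got; a mnt inode equal to the host's means the mount namespace was not separated at all.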


Jan 9

The Windows Process Journey — rdpclip.exe (RDP Clipboard Monitor)

“rdpclip.exe” (RDP Clipboard Monitor) is responsible for managing the shared clipboard between the local computer and the remote desktop which the user is interacting with (https://www.winosbite.com/rdpclip-exe/). The executable file is located at “%windir%\System32\rdpclip.exe” …

Windows

2 min read


Jan 8

Windows — COM (Component Object Model)

COM (Component Object Model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact with each other. COM is the foundation technology for Microsoft’s OLE (compound documents) and ActiveX (Internet-enabled components) technologies. These objects can be within a single process, in other processes, even on remote…

Windows

2 min read
