
The figure starts with a block labeled program process, which points downward with an arrow to the next block, labeled subsystem libraries. The third block is labeled Subsystem run-time library (CreateProcess hook). Arrows point downward from the first block to the third block and from the second block to the third block. The third block is subdivided into two blocks, labeled subsystem process and Native NT API, C/C++ run-time. The fourth block is labeled Native NT system services, Local procedure call (LPC), subsystem kernel support, NTOS executive. A dotted line between the third and fourth blocks is marked user mode above the line and kernel mode below it.