Each thread has a stack residing in kernel space, by default 12 KB on 32-bit systems and 24 KB on 64-bit systems. A user-mode thread also has a second stack in its process's user-space address range.
A user-mode stack starts out only partly committed (perhaps a single 4 KB page), with the rest of the stack range merely reserved. So that the stack can grow, the next page past the committed part is marked with a special protection called PAGE_GUARD. When the thread touches that page it raises a guard-page exception; the Memory Manager resolves the exception by removing the PAGE_GUARD protection and committing that page, so the thread can write to it.
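To make the growth mechanism above concrete, here is an added example (not code from the original notes): a small user-mode model of the memory manager's guard-page protocol. It simulates the mechanism rather than calling Windows, assumes 4 KB pages and an 8-page reserved stack, and goes one step beyond the text by showing that touching a reserved page without first passing through the guard page is an ordinary access violation, not growth.

```c
#include <stdio.h>
/* Added example, not from the original notes: a user-mode model of how the memory
 * manager grows a thread's stack one PAGE_GUARD page at a time. It simulates the
 * mechanism rather than calling Windows; 4 KB pages and 8 reserved pages are assumed. */
#define PAGE_SIZE   4096
#define STACK_PAGES 8
enum page_state   { RESERVED, GUARD, COMMITTED };
enum touch_result { OK, GROWN, STACK_OVERFLOW, ACCESS_VIOLATION };
/* page[STACK_PAGES-1] is the top of the stack (highest address); it grows downward. */
struct stack { enum page_state page[STACK_PAGES]; };
/* New thread: one committed page, the page below it guarded, the rest only reserved. */
void stack_init(struct stack *s) {
    for (int i = 0; i < STACK_PAGES; i++) s->page[i] = RESERVED;
    s->page[STACK_PAGES - 1] = COMMITTED;
    s->page[STACK_PAGES - 2] = GUARD;
}

/* Guard-fault handler: clear PAGE_GUARD so the page is ordinary committed memory, then
 * guard the next page down; with nothing left to guard, report a stack overflow (simplified). */
static enum touch_result handle_guard_fault(struct stack *s, int idx) {
    s->page[idx] = COMMITTED;
    if (idx == 0) return STACK_OVERFLOW;
    s->page[idx - 1] = GUARD;
    return GROWN;
}

/* Write one byte at offset addr from the bottom of the reserved range. */
enum touch_result stack_touch(struct stack *s, unsigned addr) {
    int idx = (int)(addr / PAGE_SIZE);
    if (idx >= STACK_PAGES) return ACCESS_VIOLATION;
    if (s->page[idx] == COMMITTED) return OK;
    if (s->page[idx] == GUARD) return handle_guard_fault(s, idx);
    return ACCESS_VIOLATION;  /* reserved page reached without passing through the guard page */
}

/* Touch pages downward from the top until overflow; returns guard faults resolved as growth. */
int grow_until_overflow(struct stack *s) {
    int grown = 0;
    for (int idx = STACK_PAGES - 2; idx >= 0; idx--) {
        enum touch_result r = stack_touch(s, (unsigned)idx * PAGE_SIZE);
        if (r == GROWN) grown++; else if (r != OK) break;
    }
    return grown;
}
int main(void) {
    struct stack s; stack_init(&s);
    printf("guard page touched: %d\n", stack_touch(&s, 6 * PAGE_SIZE + 16)); /* 1 = GROWN */
    printf("guard page skipped: %d\n", stack_touch(&s, 4 * PAGE_SIZE));      /* 3 = ACCESS_VIOLATION */
    printf("pages grown before overflow: %d\n", grow_until_overflow(&s));
    return 0;
}
```

The skipped-guard case is why compilers emit stack probes for frames larger than a page: every page must be touched in order so the guard page moves down with the stack.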
A thread may perform system operations (e.g. opening a file, creating another thread, allocating memory). The final hand-off for those operations takes place inside the kernel.
A user-mode thread calls a Win32 API such as Kernel32!CreateFile, which in turn transfers control to Ntdll!NtCreateFile, the edge between user mode and kernel mode. Note that this NtCreateFile is not the actual function located in kernel space: it is a stub that executes the infamous sequence mov eax, n ; syscall to enter a predefined routine, the System Service Dispatcher. The dispatcher uses EAX as an index into the System Service Dispatch Table (SSDT) to locate the system call itself. The SSDT entry then points to the kernel-mode code for NtCreateFile in the I/O Manager, which lives in NtOskrnl.exe.