Reliability and robustness mean that the architecture must protect the operating system and its applications from damage. In Windows NT 4.0, as in earlier versions, applications run in their own processes and cannot read or write outside of their own address space. The operating system data is isolated from applications. Applications interact with the kernel indirectly using well-defined user-mode APIs. Each call requires a kernel mode thread transition that is managed by the Windows NT Executive.
Kernel-mode operations are now more vulnerable to failures in the graphic user interface. As a user mode process, the graphics subsystems could not bring down the operating system but, as components of the Windows NT Executive, they can. This is mainly an issue for servers and peer-to-peer workstations. If a single workstation interface no longer responds to the user, it hardly matters that the operating system is still up and running. In fact, the USER and GDI are so critical that Windows NT has always been designed to shut down if they fail.
A more serious concern is that the USER, GDI, and device drivers can potentially overwrite the data structures of core operating system components. However, this threat is not new. Hardware drivers, like video ports, network card drivers, and hard disk drivers, have always run in kernel-mode. Microsoft offers technical assistance to manufacturers to ensure that their drivers are reliable.