Obviously, then, they cannot simply modify the kernal in a conventional way. Instead, they create a patch system. The Linux kernal code is never changed; it gets placed in a directory and gets write-protected, and is inaccessible to the developers to make changes to. When the Microsoft programmer wants to add a hook, he opens his patching program and adds a line to the code. Note this patching function is invisible to the user, the developer just adds a line in his special editor. (It doesn't matter to me if he adds the patch by hand.)