There are commonly two types of rootkits: user-mode and kernel-mode.
User-mode rootkits work within the environment and security context of a user on the system. For instance, if you were logged into your workstation as the user John and did not have administrative privileges, the rootkit will filter and give backdoor access to all applications running under the John account.
Usually, most user accounts also have administrative privileges so a user-mode rootkit can also stop system-level processes such as Windows services from being affected by its stealth functionality.
Kernel-mode rootkits run within the operating system at the same level as drivers for hardware such as your graphics card, network card, or mouse. Developing a rootkit for use within the kernel of an operating system is much more complex than developing a user-mode rootkit and needs a much higher skill set from the attacker to implement.
Moreover, since multiple operating systems change parts of their kernel with updates and new versions, kernel rootkits don’t operate for all versions of Windows. Since the rootkit works like a driver do in the kernel, it also has the ability to enhance the instability of the operating system. Usually, this is how most people find out they have a rootkit running on their system, as they see a slowdown in performance, the appearance of blue screens, or other failures that cause the system to reboot automatically.
