Windows Internals, Part 1

Pavel Yosifovich is a developer, trainer, and author specializing in Microsoft technologies and tools. He is a Microsoft MVP and a Pluralsight author, and loves all things software. Pavel has been around since the days of 8-bit machines and still looks back fondly on his programming days on his Commodore 64. Alex Ionescu is Vice President of EDR Strategy at CrowdStrike and an internationally recognized expert in low-level system software, operating system research and kernel development, security training, and reverse engineering. He teaches Windows Internals courses around the world and is active in the security research community through conference talks and bug bounty programs. Mark Russinovich is Chief Technology Officer for Microsoft Azure, Microsoft's global enterprise-grade cloud platform. Mark is a widely recognized expert in distributed systems and operating systems. He co-founded Winternals Software and joined Microsoft in 2006 when it was acquired. He is the primary author of the Sysinternals tools and website, which include dozens of popular Windows administration and diagnostic utilities. David Solomon (retired) taught Windows kernel internals for 20 years to developers and IT professionals worldwide, including at Microsoft. His first book was Windows NT for OpenVMS Professionals. He then authored Inside Windows NT, 2nd edition, and later, with Mark Russinovich, coauthored the 3rd, 4th, 5th, and 6th editions of the Windows Internals series. David has spoken at many Microsoft conferences and was a recipient of the 1993 and 2005 Microsoft Support Most Valuable Professional (MVP) award.

Chapter 1: Concepts and tools



Windows operating system versions

Foundation concepts and terms

Digging into Windows internals

Conclusion





Chapter 2: System architecture



Requirements and design goals

Operating system model

Architecture overview

Virtualization-based security architecture overview

Key system components

Conclusion





Chapter 3: Processes and jobs



Creating a process

Process internals

Protected processes

Minimal and Pico processes

Trustlets (secure processes)

Flow of CreateProcess

Terminating a process

Image loader

Jobs

Conclusion





Chapter 4: Threads



Creating threads

Thread internals

Examining thread activity

Thread scheduling

Group-based scheduling

Worker factories (thread pools)

Conclusion






Chapter 5: Memory management



Introduction to the memory manager

Services provided by the memory manager

Kernel-mode heaps (system memory pools)

Heap manager

Virtual address space layouts

Address translation

Page fault handling

Stacks

Virtual address descriptors

NUMA

Section objects

Working sets

Page frame number database

Physical memory limits

Memory compression

Memory partitions

Memory combining

Memory enclaves

Proactive memory management (SuperFetch)

Conclusion





Chapter 6: I/O system



I/O system components

Interrupt Request Levels and Deferred Procedure Calls

Device drivers

I/O processing

Driver Verifier

The Plug and Play manager

General driver loading and installation

The Windows Driver Foundation

The power manager

Conclusion





Chapter 7: Security



Security ratings

Security system components

Virtualization-based security

Protecting objects

The AuthZ API

Account rights and privileges

Access tokens of processes and threads

Security auditing

AppContainers

Logon

User Account Control and virtualization

Exploit mitigations

Application Identification

AppLocker

Software Restriction Policies

Kernel Patch Protection

PatchGuard

HyperGuard

Conclusion