Windows Internals Fundamentals
Published by Pearson
Take a Deep Dive into the Windows 11 OS Internal Architecture
- Deep dive into the architecture of Windows and how its internal components really work – such as processes, memory management, system architecture, and more
- Apply the newly learned skills when designing and writing Kernel drivers and low-level OS applications
- Learn how the Hypervisor, and various services provided by the Secure Kernel, work in Windows 11
Millions of people use Windows, but only a few completely understand how the OS really works. In this course, Windows Internals author and expert Andrea Allievi provides an introduction to the internal architecture of the latest version of Windows 11. Exercises throughout the course help you understand how to interact with the core of the OS and how to create drivers or low-level applications that work more efficiently. Andrea also dives into the Windows security model and the new advanced security technologies that form the foundation of the Windows 11 operating system.
What you’ll learn and how you can apply it
By the end of the live online course, you’ll understand:
- The basic concepts of how the entire Windows operating system works
- How the Windows Scheduler works and selects which thread to run, and for how long (threading, quantum, and priorities)
- What a Windows Process really is and how its address space is isolated from other processes
- How Virtualization works and why it is a game-changer for system security in Windows and Azure
- The basics of the Windows security model, as well as new, advanced security technologies
And you’ll be able to:
- Design better kernel-mode drivers by understanding how internal components of Windows work
- Understand the reasons why the OS crashes and what to do in those situations
- Design superior system-level user-mode applications and avoid hard-to-debug synchronization problems
This live event is for you because...
- You are a system level or kernel engineer or developer
- You are an IT professional who wants to better understand how Windows really works
- You are a Windows enthusiast looking to upskill
- You are new to Windows and want a deep dive on the Windows OS
Prerequisites
- Basic knowledge of what an operating system is
- Basic understanding of PC hardware components
- Basic understanding of the difference between user and kernel components
- Able to configure user-visible parts of Windows
- Knowledge of C/C++ or Assembler is helpful but not required
Course Set-up
- A laptop with Hyper-V installed and a virtual machine running the latest version of Windows 11 is advised if you would like to follow along with the exercises, but is not required. The instructions to set up the virtual machine are available in the course GitHub repo: https://github.com/AaLl86/WindowsInternals
Recommended Preparation
- Watch: Microsoft Windows Operating System Fundamentals LiveLessons (Video Training) by Ed Liberman
- Read: Computer Architecture, 5th Edition by John L. Hennessy, David A. Patterson
- Watch: C++20 Fundamentals by Paul J. Deitel
Recommended Follow-up
- Read: Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, David A. Solomon
- Read: Windows Internals, Part 2, 7th Edition by Andrea Allievi, Alex Ionescu, David A. Solomon, Kate Chase, Mark E. Russinovich
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Segment 1: Introduction to Windows (NT), System Architecture, and Key System Components (35 minutes)
- Brief History
- NT architecture
- Windows API
- Address space and Virtual Memory
- Ring Protections
- Processes and Threads
- Objects and Handles
- I/O and PNP manager
- Registry and Services
- Security
- The Windows Boot process
Segment 2: System Mechanisms (40 minutes)
- Processor execution model
- Trap dispatching
- High and Low IRQL Synchronization mechanisms
- The Windows Registry – an introduction (ALPC and WNF are just mentioned)
Exercise: Trap dispatching for a hardware interrupt
Q&A (5 minutes)
Break (10 minutes)
Segment 3: Processes and Threads (30 minutes)
- Creating a process
- PPL, Trustlets, Minimal processes, Trusted Apps
- Terminating a process
- Image loader
- Thread internals
- Thread scheduling (the NT scheduler)
- Quantum and Priority (Priority Inversion / Autoboost)
- Jobs
Exercise: Understanding the basic process and thread data structures (User and Kernel) and watching the image loader
Segment 4: Memory Management (45 minutes)
- Main MM Components
- Virtual Address space (Address Translation, TLB)
- Page tables, page states and memory allocation, PTEs
- Working set, commit limit and memory counters
- Physical memory: the PFN database, managing physical memory
- Page files
- Sharing memory
Exercise: Viewing a PTE, looking at a Control Area, Analyzing PFNs
Q&A (5 minutes)
Break (10 minutes)
Segment 5: Virtualization Technologies (45 minutes)
- The Windows Hypervisor
- Partitions, HV processes and threads
- Isolation guarantees: the SLAT and the HV memory manager
- The Hyper-V schedulers
- Intercepts, Hypercalls and the TLFS
- The synthetic interrupt controller (SynIC)
- The Virtualization stack (Components)
- Virtual hardware support, VmBus
- Virtualization-based security (VBS)
- VBS components, Services provided and VTLs
- Hypervisor Enforced Code Integrity (HVCI)
- Isolated user mode
Exercise: Exploring the Virtualization state and services of your system. Anatomy of a Trustlet from a VTL 0 debugger
Segment 6: Security (45 minutes)
- Introduction: Windows Security Ratings
- Windows Security features & Security components
- The Windows logon process (Introduction)
- Protecting objects: Access control components
- SID data structure, Security Descriptors and Tokens
- Account rights and privileges
- Mandatory access control – Integrity levels
- Access Check
- Impersonation
Exercise: Understanding the access check: peeking into the token and security descriptor data structures.
Q&A (5 minutes)
Break (10 minutes)
Segment 7: Course wrap-up, next steps, and extra topics not covered in depth (15 minutes)
- Startup and Shutdown (BIOS vs UEFI firmware)
- I/O manager
- The Power manager
- Windows registry
- WOW64 and the ARM64 emulation
- Hardware side-channel attacks and mitigations
- Management mechanisms: Task Scheduling, WMI and ETW
- Caching and File Systems (NTFS and ReFS)
Your Instructor
Andrea Allievi
Andrea Allievi is a system-level developer and security research engineer with more than 15 years of experience. He graduated from the University of Milano-Bicocca in 2010 with a bachelor’s degree in computer science. For his thesis, he developed a Master Boot Record (MBR) bootkit written entirely in 64-bit code, capable of defeating all the Windows 7 kernel protections (PatchGuard and Driver Signing Enforcement). Andrea is also a reverse engineer who specializes in operating system internals, from kernel-level code all the way to user-mode code. He is the original designer of the first UEFI bootkit (developed for research purposes and published in 2012), multiple PatchGuard bypasses, and many other research papers and articles. He is the author of multiple system tools and software used for removing malware and advanced persistent threats. In his career, he has worked at various computer security companies: the Italian TgSoft, Saferbytes (now Malwarebytes), and the Talos group of Cisco Systems Inc. He originally joined Microsoft in 2016 as a Security Research Engineer in the Microsoft Threat Intelligence Center (MSTIC) group. Since January 2018, Andrea has been a Senior Core OS Engineer in the Kernel Security Core team at Microsoft, where he mainly maintains and develops new features (such as Retpoline, speculation mitigations, Function Overrides and Trusted Apps) for the NT and Secure Kernel.
Andrea continues to be active in the security research community, authoring technical articles on new kernel features of Windows in the Microsoft Windows Internals blog, and speaking at multiple technical conferences, such as Recon and Microsoft BlueHat.