Keep Calm and Carry On

Windows-Internals-1-Concepts

2. Foundation concepts and terms

1. Windows API

2. Services, functions, and routines

3. Process

4. Threads

5. Jobs

6. Virtual memory

  1. Virtual memory gives each process a logical view of memory that need not correspond to the physical layout; the memory manager maps virtual pages to physical pages (or to the paging file) behind the scenes.

7. Kernel mode vs. user mode

  1. Kernel mode (supervisor mode): a processor execution mode that grants access to all system memory and all CPU instructions.
  2. User mode (application mode): a restricted processor execution mode in which application code runs; it can't touch system (kernel-space) memory or execute privileged instructions, and must ask the kernel for those services.
  3. x86 processors provide four privilege levels (rings 0-3), but Windows uses only two: ring 0 for kernel mode and ring 3 for user mode.
  4. With Data Execution Prevention (DEP) enabled, Windows marks pages that contain data as non-executable, so an attempt to run code from such a page faults instead of executing (this relies on the processor's no-execute page-table bit).
  5. Windows doesn't protect private read/write system memory used by components running in kernel mode: once in kernel mode, OS and device-driver code has complete access to system-space memory and can bypass Windows security to access objects. Loading a third-party device driver therefore means trusting it completely, so remain vigilant about which drivers you load.
  6. A transition from user mode to kernel mode (and back) does not affect thread scheduling per se; a mode transition is not a context switch.
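Two practical checks that follow from points 4 and 5, as an added example written for these notes (it is not code from the book or from the original notes): report the system's DEP policy, then list every running kernel driver with its Authenticode signature status so that third-party or unsigned drivers stand out. It assumes a Windows host with PowerShell 5.1 or later; the DEP fields come from the `Win32_OperatingSystem` CIM class, and the path normalisation handles the `\??\` and `\SystemRoot\` prefixes that driver `PathName` values commonly carry. On current Windows versions `Get-AuthenticodeSignature` also recognises catalog-signed inbox drivers, so those should report `Valid` with a Microsoft signer (an assumption to verify on your own build).

```powershell
# Added example, not from the original notes: DEP policy and loaded-driver signature audit.
# Assumes Windows with PowerShell 5.1+. Read-only; safe to run on a production host.

# --- DEP status as exposed by CIM.
# SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[PSCustomObject]@{
    DepAvailable  = $os.DataExecutionPrevention_Available
    DepForDrivers = $os.DataExecutionPrevention_Drivers
    DepPolicy     = $os.DataExecutionPrevention_SupportPolicy
} | Format-List

# --- Every running kernel driver and who signed it.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may look like \??\C:\...\x.sys, \SystemRoot\system32\drivers\x.sys,
    # or a path relative to the Windows directory; normalise to a plain drive path.
    $path = $d.PathName
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [PSCustomObject]@{
        Name      = $d.Name
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Microsoft = ($subject -match 'Microsoft')
        Signer    = $subject
        Path      = $path
    }
}

# Non-Microsoft and unsigned drivers first: these are the "third-party drivers" the
# notes warn about, because in ring 0 they can bypass every Windows security check.
$report |
    Sort-Object Microsoft, SigStatus |
    Format-Table Name, SigStatus, Microsoft, Signer, Path -AutoSize
```

A `NotSigned` or `HashMismatch` result on a running driver is worth investigating immediately; a `Valid` signature from an unfamiliar vendor is the point where the "trust it completely" remark above applies.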

8. Hypervisor

9. Firmware

10. Terminal service and multiple sessions

  1. Terminal Services: the support in Windows for multiple interactive user sessions on a single system.

11. Objects and handles

  1. In Windows, a process is an instance of the process object type, a file is an instance of the file object type, and so on.
  2. A handle is an index into the process's handle table that refers to one instance of an object; code names objects by handle rather than by kernel address.

12. Security

  1. Core security capabilities of Windows:
    1. Discretionary and mandatory protection for all shareable system objects;
    2. Security auditing for accountability of subjects (users) and the actions they initiate;
    3. User authentication at logon;
    4. Prevention of one user accessing uninitialized resources (such as freed memory or disk space) that another user has deallocated, i.e. object reuse protection.
  2. Three forms of access control in Windows:
    1. Discretionary access control: the owner of an object decides, through its DACL, who may access it and how.
    2. Privileged access control: privileges held in the caller's access token permit specific operations regardless of the object's DACL.
    3. Mandatory access control: integrity levels enforced by the system, independent of the owner's wishes.
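The three forms of access control side by side on a scratch file, as an added example written for these notes (not code from the book or the original notes). It assumes a Windows host, PowerShell 5.1 or later, and an elevated session so that `icacls` may change the file's integrity label; `$file` and the ACE choices are arbitrary. Step 1 edits the DACL and shows a write being refused; step 2 lists the token's privileges, which apply regardless of any DACL; step 3 sets an integrity label, the mandatory part of the model.

```powershell
# Added example, not from the original notes: discretionary, privileged and mandatory
# access control exercised on a temporary file. Assumes Windows, PowerShell 5.1+, elevated.
$file = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -Path $file -Value 'demo'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# --- 1. Discretionary access control: the owner decides who may do what (the DACL).
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
$readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'Read', 'Allow')
[void]$acl.AddAccessRule($readOnly)
Set-Acl -Path $file -AclObject $acl
"DACL as SDDL: " + (Get-Acl -Path $file).Sddl

try {
    Add-Content -Path $file -Value 'should fail' -ErrorAction Stop
    'write succeeded (unexpected)'
} catch {
    'write refused by the DACL: ' + $_.Exception.Message
}

# The owner keeps WRITE_DAC implicitly, so it can always re-grant itself access.
$full = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'FullControl', 'Allow')
[void]$acl.AddAccessRule($full)
Set-Acl -Path $file -AclObject $acl

# --- 2. Privileged access control: privileges live in the access token, not on the object.
#     An enabled SeBackupPrivilege, for instance, lets a backup agent read files whose
#     DACL grants it nothing. List what this token holds and which entries are enabled.
whoami /priv

# --- 3. Mandatory access control: an integrity label stored in the SACL. Objects without
#     an explicit label are treated as Medium; labelling this file Low makes the entry
#     visible and lets Low-integrity (sandboxed) processes write it. "(NW)" = No-Write-Up:
#     a process at a lower integrity level than the object cannot write it, whatever the DACL.
icacls $file /setintegritylevel Low | Out-Null
icacls $file     # expect a line like: Mandatory Label\Low Mandatory Level:(NW)

Remove-Item -Path $file
```

Note the evaluation order this makes visible: the integrity check happens before the DACL is consulted, and a privilege (when enabled in the token) can grant an operation the DACL would refuse, which is why privileges such as SeDebugPrivilege and SeBackupPrivilege are treated as administrator-equivalent.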

13. Registry

  1. Registry: the system database that holds the information required to boot and configure the system, plus the system-wide software settings that control the operation of Windows.
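A read-only walk through the boot and configuration data the registry holds, as an added example written for these notes (not code from the book or the original notes). It assumes a Windows host with PowerShell 5.1 or later and uses only the built-in `HKLM:` and `HKCU:` drives; the key paths are standard Windows locations, and the `Start`/`Type` value meanings are the documented service-configuration encodings.

```powershell
# Added example, not from the original notes: reading boot/configuration data from the
# registry. Assumes Windows with PowerShell 5.1+. Read-only.

# Which control set the system booted with: CurrentControlSet is a link to ControlSet00N,
# selected by the 'Current' value under HKLM\SYSTEM\Select.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
'Current control set: ControlSet{0:D3}' -f $select.Current

# Native programs Session Manager runs before any subsystem starts (autochk lives here).
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
'BootExecute: ' + ($sm.BootExecute -join ' | ')

# Drivers and services the loader/kernel must start before the system is up.
# Start: 0 = Boot, 1 = System, 2 = Auto, 3 = Manual, 4 = Disabled.
# Type:  1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service.
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
Get-ChildItem -Path $svcRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $p.Start -and [int]$p.Start -le 1) {
        [PSCustomObject]@{
            Name      = $_.PSChildName
            Start     = $startNames[[int]$p.Start]
            Type      = $p.Type
            ImagePath = $p.ImagePath
        }
    }
} | Sort-Object Start, Name | Format-Table -AutoSize

# Per-machine and per-user autostart entries: system-wide and user software settings,
# and one of the first places to look when hunting persistence.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # skip the provider's own PS* metadata
        ForEach-Object { '{0}: {1} = {2}' -f $k, $_.Name, $_.Value }
}
```

Because these keys feed the boot path directly, write access to them is equivalent to code execution at the next boot or logon; that is why the Services and Run keys carry DACLs that restrict writes to administrators.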

14. Unicode

3. Digging into Windows Internals

1. Performance Monitor and Resource Monitor

2. Kernel debugging

3. Windows Software Development Kit (SDK)

4. Windows Driver Kit (WDK)

5. Sysinternals tools