Kernel
-Heart of the operating system, performing crucial tasks like running applications, managing memory, and controlling hardware devices.
-All tasks it performs must be fast and simple to keep the computer responsive and stable.
Windows API
Toolbox for applications
Windows API -Security
Isolates applications from each other and from the kernel, so an unprivileged application cannot directly access another process's memory or kernel resources.
Windows API -Unified Interface
Translates application requests into system calls to perform a task
Windows API -Compatibility
Applications can work on different versions of Windows without needing to change their code.
Drivers
Software component that enables communication between hardware and the OS
User Mode Drivers
(Unprivileged)
Applications and drivers can’t directly access critical system resources
Kernel Mode Drivers
(Privileged) Where the operating system and most drivers run. It has full access to all system resources, allowing it to perform essential tasks.
File System Drivers
Manage file system operations (e.g. NTFS, FAT32)
Network Drivers
Handle Network communications (e.g. Wi-Fi, Ethernet)
Device Drivers
Control specific hardware devices (e.g. printers, graphic cards)
Bus Drivers
Manage communication between the computer and peripherals (e.g. mouse, keyboard, USB)
Virtual Device Drivers
Simulate hardware for software-based tasks (e.g. virtual network adapters, virtual machines, emulators).
Boot Process
Initializes and configures the computer hardware and loads the operating system (OS) into the computer's memory.
BIOS Boot Process
1. Initialization
2. MBR (Master Boot Record)
3. Bootloader
4. Kernel
5. Operating System
Unified Extensible Firmware Interface (UEFI) Process
1. Initialization
2. GUID Partition Table
3. EFI Boot Manager
4. Kernel
5. Operating System
Initialization
Step in both the BIOS and UEFI boot processes: the firmware performs the Power-On Self Test (POST) to check and initialize hardware components.
MBR (Master Boot Record)
Step in the BIOS Boot Process in which the firmware reads the MBR (the first sector of the disk) from the default bootable device, falling back to the next device in the boot order if that fails.
Bootloader
Step in the BIOS Boot Process in which the boot code in the MBR is loaded into memory and executed; it locates the active partition and hands off to the OS bootloader.
Kernel
Step in both the BIOS and UEFI boot processes in which the bootloader loads the operating system kernel into memory.
Operating System
Step in the BIOS Boot Process and UEFI that initializes the operating system, and the OS takes control of the system.
GUID Partition Table (GPT)
Step in the Unified Extensible Firmware Interface (UEFI) Process. The UEFI firmware scans storage devices to find the GPT. The GPT contains information about the partitions on the disk, including the EFI System Partition (ESP).
EFI Boot Manager
Step in the UEFI Process. The UEFI firmware invokes the EFI Boot Manager, which manages the bootloader options (boot entries) stored in the EFI System Partition (ESP) and chooses one to execute.
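To make the two boot sequences above concrete, here is an added PowerShell example (not from the original page) that reports how the current host booted: legacy BIOS or UEFI, MBR or GPT partitioning, the 0x55 0xAA signature at the end of the first sector, the EFI System Partition and the Secure Boot state. It is read-only but must run in an elevated session, because Get-Disk, Confirm-SecureBootUEFI and raw reads of \\.\PhysicalDriveN require administrator rights. The ESP partition-type GUID and the MBR offsets are standard values; everything else is just what this host reports.

```powershell
# Added example (not from the original page): determine how this Windows host booted
# (legacy BIOS vs UEFI), whether its boot disk uses MBR or GPT, where the EFI System
# Partition is, and the Secure Boot state. Read-only; run from an elevated PowerShell
# session, as Get-Disk, Confirm-SecureBootUEFI and raw disk reads need administrator rights.

$firmware = $env:firmware_type             # 'UEFI' or 'Legacy' (BIOS / CSM); set by Windows at boot
Write-Host "Firmware boot mode   : $firmware"

$bootDisk = Get-Disk | Where-Object IsBoot   # the disk holding the running Windows installation
Write-Host ("Boot disk #{0} style  : {1}" -f $bootDisk.Number, $bootDisk.PartitionStyle)

# Byte-level view of step 2 of the BIOS process: the MBR is the first 512-byte sector and ends
# with the 0x55 0xAA signature. GPT disks keep a "protective MBR" there as well, so this check
# passes on both styles; a partition-type byte of 0xEE at offset 0x1C2 marks the protective MBR.
$dev = New-Object System.IO.FileStream ("\\.\PhysicalDrive$($bootDisk.Number)",
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
$mbr = New-Object byte[] 512
$null = $dev.Read($mbr, 0, 512)
$dev.Dispose()
$sigOk = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)
Write-Host ("MBR signature ok     : {0}; first partition type byte: 0x{1:X2}" -f $sigOk, $mbr[0x1C2])

if ($firmware -eq 'UEFI') {
    # The ESP is identified by a fixed GPT partition-type GUID
    $espType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $esp = Get-Partition -DiskNumber $bootDisk.Number | Where-Object GptType -eq $espType
    if ($esp) { Write-Host ("EFI System Partition : partition {0}, {1:N0} MB" -f $esp.PartitionNumber, ($esp.Size / 1MB)) }
    else      { Write-Warning 'UEFI boot but no EFI System Partition found on the boot disk' }
    try   { Write-Host ("Secure Boot enabled  : {0}" -f (Confirm-SecureBootUEFI)) }
    catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)" }
    # The entries the EFI Boot Manager chooses between, as seen from Windows' boot configuration store
    bcdedit /enum firmware
} else {
    Write-Host 'Legacy BIOS boot: the MBR boot code above loaded the bootloader; no ESP, no Secure Boot.'
}
```

A host that reports UEFI with Secure Boot disabled, or a GPT boot disk whose first sector does not carry the protective-MBR type byte, is worth a closer look: both are states an attacker tampering with the boot chain would leave behind.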
File System
Implemented by the OS to store data on disk and retrieve it when needed.
Directories (also known as folders) can contain further directories or files.
The hierarchy typically starts from a single point (the root) and expands into a tree-like structure.
Partition
Logical divisions of a physical disk, used to organize data and support multiple operating systems.
File Allocation Table (FAT)
Frequently used on USB and SD cards due to its compatibility with a wide range of operating systems and devices.
Does NOT support file compression or security features (e.g. permissions, encryption).
NTFS permissions are lost when a file is copied from an NTFS volume to a FAT volume.
New Technology File System (NTFS)
The primary file system for Windows operating systems.
NTFS features
-Encrypting File System (EFS) - providing file/ folder encryption.
-User and Group permissions on files/folders
-Journaling: records intended changes in a log before they are written, so after a crash the volume can be rolled back to a consistent state.
Registry
A central hierarchical database that stores necessary configuration information for the system to run.
Contains information that Windows continually references during operation.
Accessed with the Registry Editor by running regedit.exe (e.g. from the Start menu search or the Run dialog).
Structure of the Registry
Keys
Values
Data
Keys
Comparable to Folders in the File System
Values
Comparable to Files in the File System
Data
Content determined by the value’s type
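The key / value / data structure above is easiest to see by building one. The following is an added PowerShell example (not from the original page): it creates a scratch key under the current user's hive, writes one value of each common type, reads them back together with their value kinds, and removes the key again. The key name HKCU\Software\ExampleKeyDemo is a hypothetical name chosen for this demo.

```powershell
# Added example (not from the original page): show the registry's key / value / data structure and
# how the data type (REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ, REG_BINARY) decides what the
# data means. Writes only under a hypothetical scratch key in HKCU and removes it at the end.

$key = 'HKCU:\Software\ExampleKeyDemo'        # hypothetical key name used only for this demo
New-Item -Path $key -Force | Out-Null          # a key is the equivalent of a folder
New-Item -Path "$key\Sub" -Force | Out-Null    # keys nest like folders

# Values are the equivalent of files: each has a name, a type and data
New-ItemProperty -Path $key -Name 'Text'   -PropertyType String       -Value 'plain string'          | Out-Null
New-ItemProperty -Path $key -Name 'Expand' -PropertyType ExpandString -Value '%SystemRoot%\system32' | Out-Null
New-ItemProperty -Path $key -Name 'Number' -PropertyType DWord        -Value 0x1f                    | Out-Null
New-ItemProperty -Path $key -Name 'Multi'  -PropertyType MultiString  -Value @('a','b','c')          | Out-Null
New-ItemProperty -Path $key -Name 'Blob'   -PropertyType Binary       -Value ([byte[]](0x4d,0x5a))   | Out-Null

$reg = Get-Item $key
foreach ($name in $reg.GetValueNames()) {
    $kind = $reg.GetValueKind($name)          # String, ExpandString, DWord, MultiString, Binary, ...
    $data = $reg.GetValue($name)              # REG_EXPAND_SZ is expanded on read unless told otherwise
    $show = switch ($kind) {
        'Binary'       { ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
        'MultiString'  { $data -join ',' }
        'ExpandString' { '{0}  (raw: {1})' -f $data, $reg.GetValue($name, $null, 'DoNotExpandEnvironmentNames') }
        default        { "$data" }
    }
    '{0,-7} {1,-13} {2}' -f $name, $kind, $show
}

Remove-Item -Path $key -Recurse               # clean up the scratch key
```

The same DWORD 0x1f reads as 31 from PowerShell and as "0x0000001f (31)" in regedit; the type, not the stored bytes, is what tells a consumer how to interpret the data. That matters later on this page, where the same REG_DWORD 0 means "exclusion present" under the Defender Exclusions key but "RDP enabled" as fDenyTSConnections.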
Root Hive Keys
HKEY_LOCAL_MACHINE (HKLM)
HKEY_USERS (HKU)
HKEY_LOCAL_MACHINE
Configuration information for the operating system and installed software (the HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM hives).
HKEY_USERS
User profile information: one subkey per loaded user profile, named by the user's SID.
Linked Hive Keys
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
Shortcut to: HKLM\SOFTWARE\Classes
HKEY_CURRENT_USER
Shortcut to: HKU\<SID of the currently logged-on user>
HKEY_CURRENT_CONFIG
Shortcut to: HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
Security Identifier (SID)
Unique value of variable length (e.g. S-1-5-21-<domain identifier>-<RID>) used to identify a user, group or computer account.
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
This location lists the user accounts that have a profile on the machine, one subkey per SID.
Typically shows the three "well-known" built-in service accounts plus one entry per user who has logged on (two user accounts in the example).
Well-known built-in account SIDs
Local System: S-1-5-18
Local Service: S-1-5-19
Network Service: S-1-5-20
Domain Identifier
A domain is a collection of computers, users, and other resources.
The domain identifier part of a SID (the three sub-authorities after S-1-5-21-) is unique to the domain, or standalone machine, in which the SID was created.
Relative ID
Unique to the user, group, or computer account the SID was generated for.
No other account or group in the domain has a SID with the same RID.
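As an added example (not from the original page), the PowerShell below walks the ProfileList key named above, separates the three well-known service-account SIDs from user SIDs, splits each user SID into its identifier authority, domain identifier and RID, resolves it back to an account name, and shows whether the matching HKU\<SID> hive is currently loaded. The Split-Sid helper is this example's own; the rule it encodes (last sub-authority is the RID, the ones before it identify the domain or machine) is the standard S-1-5-21 layout.

```powershell
# Added example (not from the original page): enumerate the SIDs under ProfileList, classify each
# as a well-known service account or a user account, and split user SIDs into authority,
# domain identifier and RID. Read-only.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$wellKnown = @{ 'S-1-5-18' = 'Local System'; 'S-1-5-19' = 'Local Service'; 'S-1-5-20' = 'Network Service' }

function Split-Sid {
    # S-<revision>-<identifier authority>-<sub-authorities...>: for S-1-5-21-... SIDs the last
    # sub-authority is the RID and the ones before it form the domain/machine identifier.
    param([string]$Sid)
    $parts = $Sid -split '-'
    [pscustomobject]@{
        Sid       = $Sid
        Revision  = [int]$parts[1]
        Authority = [int]$parts[2]
        DomainId  = if ($parts.Count -gt 5) { $parts[3..($parts.Count - 2)] -join '-' } else { '' }
        Rid       = [int]$parts[-1]
    }
}

foreach ($entry in Get-ChildItem $profileList) {
    $sid  = $entry.PSChildName
    $path = (Get-ItemProperty $entry.PSPath).ProfileImagePath
    if ($wellKnown.ContainsKey($sid)) {
        Write-Host ("{0,-48} well-known: {1,-16} {2}" -f $sid, $wellKnown[$sid], $path)
        continue
    }
    $p = Split-Sid $sid
    # Translate the SID back to an account name; fails for profiles whose account was deleted
    try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolvable: account no longer exists>' }
    # Well-known RIDs inside a domain/machine: 500 = built-in Administrator, 501 = Guest
    $ridNote = switch ($p.Rid) { 500 { ' (built-in Administrator)' } 501 { ' (Guest)' } default { '' } }
    Write-Host ("{0,-48} {1}`n    domain id: {2}  RID: {3}{4}`n    profile: {5}" -f $sid, $name, $p.DomainId, $p.Rid, $ridNote, $path)
    # HKCU is a shortcut to this hive; it is present under HKU only while the user is logged on
    $loaded = Test-Path "Registry::HKEY_USERS\$sid"
    Write-Host ("    HKU\{0} hive loaded: {1}" -f $sid, $loaded)
}
```

A profile whose SID no longer resolves, or a user SID whose domain identifier differs from every other account on the box, is the kind of anomaly this listing surfaces quickly during an investigation.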
GUID
Globally Unique Identifier: a 128-bit value used to identify information in computer systems.
Commonly used to identify hardware and installed software versions.
Example: Google Chrome v88.0.4324.104
Software GUIDs (e.g. MSI product codes under the Uninstall key) can be looked up to determine the exact installed version.
Run software when a user logs in
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run (what that user sees as HKCU\...\Run)
Values can be named anything, the data is a file-path
-If the file path exists and is executable, the program will be executed with the permissions of the user.
Used legitimately by commercial software or maliciously for persistence.
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System location: runs for any user logging in
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (i.e. HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run)
User location: runs only when that specific user logs in
Make the Windows Command Interpreter autorun a command when you start cmd.exe
Key: HKLM\Software\Microsoft\Command Processor (machine-wide) or HKCU\Software\Microsoft\Command Processor (current user only)
Value: AutoRun (REG_SZ)
Data: a command (found via the PATH variable) or the file path of a program; it runs every time cmd.exe starts, including from scripts.
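Both autorun locations above are routinely checked during persistence hunting. The following added PowerShell example (not from the original page) lists every entry in the machine-wide Run keys and in the Run key of each user hive loaded under HKU, resolves the executable each command line points to, flags entries whose file cannot be found, and reports any cmd.exe AutoRun command. The Get-ExecutableFromCommand helper is this example's own and deliberately does not guess at unquoted paths containing spaces.

```powershell
# Added example (not from the original page): audit logon persistence. Lists every entry in the
# machine-wide Run keys and in each loaded user's Run key under HKU, resolves the executable each
# entry points to, flags entries whose file cannot be found, and reports any cmd.exe AutoRun
# command. Read-only; run elevated so all loaded HKU hives are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit software on 64-bit Windows
)
# Per-user Run keys live under each loaded profile hive HKU\<SID>; HKCU is only the current user's view
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { $runKeys += "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # metadata PowerShell adds

function Get-ExecutableFromCommand {
    # Value data is a command line: "C:\quoted path\x.exe" args  or  C:\unquoted\x.exe args.
    # An unquoted path containing spaces is deliberately not guessed at; it shows as MISSING,
    # which is itself worth a look.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($Command -match '^\s*(\S+)')     { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return $Command
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $exe = Get-ExecutableFromCommand ([string]$p.Value)
        # Data may also be a bare program name resolved through PATH, so fall back to Get-Command
        $found = $exe -and ((Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) -or
                            [bool](Get-Command $exe -ErrorAction SilentlyContinue))
        $flag = if ($found) { 'ok     ' } else { 'MISSING' }
        Write-Host ("[{0}] {1}`n          value: {2}`n          data : {3}" -f $flag, $key, $p.Name, $p.Value)
    }
}

# cmd.exe AutoRun runs every time cmd.exe starts, including from scripts and scheduled tasks
foreach ($cp in 'HKLM:\SOFTWARE\Microsoft\Command Processor', 'HKCU:\SOFTWARE\Microsoft\Command Processor') {
    $auto = (Get-ItemProperty -Path $cp -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($auto) { Write-Warning "$cp AutoRun is set: $auto" }
}
```

Two things to read from the output: a MISSING entry is either leftover from uninstalled software or a path an attacker can create to hijack the entry, and any AutoRun value at all deserves an explanation, since almost no legitimate software sets one.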
Remote Desktop Protocol
Normally enabled in Enterprise Environments for remote management purposes
Remote Desktop Protocol Key
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Value: fDenyTSConnections
Data: 0 = RDP Enabled
1 = RDP Disabled
Exclusion location for Windows Defender
Registry location listing the paths Windows Defender will not scan; abused by malware to place its files somewhere Defender ignores.
Exclusion location for Windows Defender Key
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Value: the absolute file path of the excluded folder or file (the path is the value name)
Data: REG_DWORD 0x0
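To tie the RDP key and the Defender exclusions key together, here is an added PowerShell example (not from the original page) that reads both locations, flags exclusions covering drive roots, whole user profiles, user-writable directories or UNC shares, and cross-checks the registry against what Defender itself reports through Get-MpPreference. It is read-only and should run elevated, since the Exclusions keys are not readable by standard users. The "broad location" patterns are a heuristic of this example, not a Microsoft definition.

```powershell
# Added example (not from the original page): read the RDP and Windows Defender exclusion settings,
# flag exclusions that cover broad or user-writable locations, and cross-check the registry against
# what Defender itself reports. Read-only; run elevated. The "broad" patterns are this example's heuristic.

# --- Remote Desktop ---
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
switch ($deny) {
    0       { Write-Host 'RDP: ENABLED  (fDenyTSConnections = 0)' }
    1       { Write-Host 'RDP: disabled (fDenyTSConnections = 1)' }
    default { Write-Host 'RDP: fDenyTSConnections not set' }
}
# Listener port is 3389 by default; a non-default port is a common way to keep exposed RDP less visible
$port = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if ($port -and $port -ne 3389) { Write-Warning "RDP listener moved to non-default port $port" }

# --- Windows Defender exclusions ---
# Each exclusion is stored as a value NAME (the path, extension or process) with REG_DWORD data 0
$exclRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$broad = '^[A-Za-z]:\\?$',                       # a whole drive
         '\\Users\\[^\\]+\\?$',                  # a whole user profile
         '\\(Temp|Downloads|AppData|Public)(\\|$)', # user-writable directories
         '^\\\\'                                 # UNC shares
$fromRegistry = @()
foreach ($type in 'Paths', 'Extensions', 'Processes') {
    $key = "$exclRoot\$type"
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item $key
    foreach ($name in ($reg.GetValueNames() | Where-Object { $_ -ne '' })) {
        $fromRegistry += $name
        $note = ''
        if ($type -eq 'Paths' -and ($broad | Where-Object { $name -match $_ })) { $note = '   <-- broad / user-writable' }
        Write-Host ("Defender exclusion [{0,-10}] {1} = {2}{3}" -f $type, $name, $reg.GetValue($name), $note)
    }
}

# Cross-check: Defender's own view should match the registry. A mismatch points at policy-managed
# exclusions (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions), a half-applied change, or tampering.
$pref = Get-MpPreference
$fromDefender = @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) | Where-Object { $_ }
foreach ($x in $fromRegistry) { if ($fromDefender -notcontains $x) { Write-Warning "In registry but not reported by Get-MpPreference: $x" } }
foreach ($x in $fromDefender) { if ($fromRegistry -notcontains $x) { Write-Warning "Reported by Get-MpPreference but not under $exclRoot (policy-managed?): $x" } }
```

The Data field of 0 is the same for every exclusion, so the information is entirely in the value name; that is why the script iterates GetValueNames() rather than looking for particular data. On hosts with Tamper Protection enabled, writing to these keys directly is blocked, but reading them is not, so the audit works either way.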