Windows Internals, Part 1 PDF

Windows Internals, Part 1 is a comprehensive guide to the architecture and inner workings of the Windows operating system, focusing on user mode. The book covers essential topics such as processes, threads, memory management, and security, providing insights and hands-on experiments to enhance application design and system performance. Authored by Brian Catlin, it aims to make complex concepts accessible to both beginners and experienced professionals.


Windows Internals, Part 1
Brian Catlin
Explore the Inner Workings of Windows User Mode Architecture.
Written by Bookey
About the book

Explore the intricate architecture and inner workings of Windows with this comprehensive guide, now fully updated for Windows 8.1 and Windows Server 2012 R2. Organized into three volumes—User Mode, Kernel Mode, and Device Driver Models—Book 1 focuses on essential Windows fundamentals that apply across diverse platforms, including desktops, tablets, phones, and Xbox. This volume provides high-level insights into various components and features that interact with user mode applications, alongside an examination of management mechanisms and operating system components running in user mode, such as service processes. Gain invaluable insider knowledge on Windows operations and engage in hands-on experiments that reveal the system's internal behaviors, empowering you to enhance application design, debugging, system performance, and support. Planned chapters cover a range of topics, including System Architecture, Application Support, User Mode Memory Management, Security, Networking, and more.

About the author

Brian Catlin is a seasoned expert in computer science and software engineering, renowned for his deep knowledge of Windows architecture and internals. With a rich background in system programming and operating systems, Catlin has contributed extensively to the understanding of Windows environments through his writing and practical experience. His work combines a passion for technology with a commitment to educating others, making complex concepts accessible to both beginners and seasoned professionals alike. As a co-author of "Windows Internals, Part 1," he brings a wealth of insights and practical understanding that reflects his years of hands-on experience in the field, providing readers with a comprehensive view of the inner workings of Windows operating systems.
Summary Content List

Chapter 1: Concepts and tools
Chapter 2: System architecture
Chapter 3: Processes and jobs
Chapter 4: Threads
Chapter 5: Memory management
Chapter 6: I/O system
Chapter 7: Security
Chapter 1 Summary: Concepts and tools

Chapter 1: Concepts and Tools

This chapter introduces essential concepts and terminology related to the Microsoft Windows operating system (OS), including the Windows API, processes, threads, virtual memory, kernel mode versus user mode, objects, handles, security, and the registry. It also discusses various tools for exploring Windows internals, such as the kernel debugger, Performance Monitor, and the Sysinternals tools, while emphasizing that this foundational material is assumed by the chapters that follow.
Windows Operating System Versions

The book addresses Windows 10 and Windows Server 2012 R2, detailing version naming conventions. It explains why version numbers deviate from anticipated patterns and how Microsoft aims for compatibility through specialized APIs. Users can view OS version information via command-line tools or the graphical winver application.

Windows 10 and Future Versions

Windows 10 introduces a new update cadence and continues the evolution of OS versions without a new “Windows 11.” The convergence of platforms under the OneCore model allows various devices to run a shared codebase. Users can expect differences in features based on devices, emphasizing unified kernel support.

Foundation Concepts and Terms

Key foundational concepts of Windows, such as the Windows API, which comprises both 32-bit and 64-bit programming interfaces, are outlined. The chapter touches on distinctions between the Win32 API and newer interfaces like the Windows Runtime (WinRT) for app development.
Processes and Threads

Processes serve as execution containers for resources, whereas threads are the execution entities within processes. The chapter contrasts static programs with dynamic processes, emphasizing tools like Task Manager and Process Explorer to view and manage process information, including handles, threads, and their hierarchy.
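
The process hierarchy that Task Manager and Process Explorer show can be rebuilt from the parent process ID that each process records. The following PowerShell script is an added example, not code from the book or from Bookey; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the function name Get-ProcessTree is the author's own. It also applies the check Process Explorer applies: because process IDs are recycled, a recorded parent that is younger than its "child" is not really its parent.

```powershell
# Added example (not from the book): a minimal Process Explorer-style
# process tree built from Win32_Process. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows; run elevated to see every process's command line.

function Get-ProcessTree {
    # One Win32_Process row per process: PID, parent PID, creation time, command line.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate

    # Handle and thread counts come from the Process objects Get-Process returns.
    $counts = @{}
    foreach ($p in Get-Process) {
        $counts[[uint32]$p.Id] = [pscustomobject]@{ Handles = $p.HandleCount; Threads = $p.Threads.Count }
    }

    $byId = @{}
    foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

    # A process is a real child only if its recorded parent still exists AND
    # was created before it: PIDs are recycled, so a ParentProcessId can point
    # at an unrelated process that later reused the number.
    $children = @{}
    $roots = @()
    foreach ($p in $procs) {
        $parent = $byId[$p.ParentProcessId]
        if ($parent -and $p.ProcessId -ne $p.ParentProcessId -and
            $parent.CreationDate -and $parent.CreationDate -le $p.CreationDate) {
            if (-not $children.ContainsKey($parent.ProcessId)) { $children[$parent.ProcessId] = @() }
            $children[$parent.ProcessId] += $p
        } else {
            $roots += $p   # parent gone or PID reused: shown at top level, as Process Explorer does
        }
    }

    function Write-Node($p, $depth) {
        $c = $counts[$p.ProcessId]   # $null if the process exited between the two snapshots
        $indent = '  ' * $depth
        '{0}{1} (PID {2}) handles={3} threads={4} {5}' -f $indent, $p.Name, $p.ProcessId,
            $c.Handles, $c.Threads, $p.CommandLine
        foreach ($child in ($children[$p.ProcessId] | Sort-Object CreationDate)) {
            Write-Node $child ($depth + 1)
        }
    }
    foreach ($r in ($roots | Sort-Object ProcessId)) { Write-Node $r 0 }
}

Get-ProcessTree
```

Processes whose parent has already exited (a common sight for programs launched by a short-lived installer or by a process that has since been closed) land at the top level rather than being attached to whatever process now holds the old PID.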

Virtual Memory

The Windows virtual memory system creates a private address space for each process. It employs paging to manage memory resources, ensuring efficient performance and preventing process interference. The specifics of memory management, page sizes, and address space layouts are further discussed, highlighting distinctions between 32-bit and 64-bit systems.

Kernel Mode vs. User Mode

The chapter elaborates on the distinct operating modes in Windows, highlighting how user applications run in a less privileged user mode whereas the OS and device drivers operate in kernel mode. This protective measure is designed to maintain system stability.

Hypervisor and Virtualization

Modern OS environments use hypervisors to facilitate virtualization, with Windows 10 employing Hyper-V for various security services. This section illustrates how virtual trust levels can enhance system security, and the growing need for efficient resource management in cloud and IoT contexts.

Security

Windows security mechanisms encompass access control methodologies, emphasizing discretionary access control, privileged access control, and mandatory integrity control. The focus on AppContainers presents an innovative approach to sandboxing applications within Windows.

Registry

The Windows registry acts as the system's central database for configuration settings and operational parameters. Care is advised when directly modifying the registry due to its potential to affect system stability and functionality.

Conclusion

This chapter concludes with a summary of key concepts and tools that are vital for understanding Windows internals, setting the stage for the deeper exploration of system architecture and components in the following chapters.
Example

Key Point: Understanding key concepts and tools is foundational for mastering Windows internals.

Example: Imagine you are about to troubleshoot a complex issue in Windows. Knowing the Windows API, processes, threads, and memory management equips you with the necessary tools to navigate through system anomalies effectively. For instance, when opening Task Manager to view running processes, you recognize that each process represents a container of resources, where threads are the hardworking entities executing tasks. Armed with this knowledge, whether you are debugging an application or enhancing system performance, your approach becomes focused and informed, significantly reducing the guesswork and leading you to a resolution.
Chapter 2 Summary: System architecture

Chapter 2: System Architecture

This chapter explores the internal design and architecture of the Microsoft Windows operating system, detailing its fundamental components and their interactions, as well as the design goals and requirements established during the creation of Windows NT in 1989.

Requirements and Design Goals

The design of Windows NT was guided by various requirements, including:
- A true 32-bit, preemptive, reentrant, virtual memory operating system.
- Compatibility with multiple hardware architectures and platforms.
- Support for symmetric multiprocessing (SMP).
- Functionality as a distributed computing platform.
- Compatibility with existing 16-bit MS-DOS and Windows 3.1 applications.
- Compliance with government POSIX standards and security requirements.
- Global market adaptability through Unicode support.

To meet these requirements, the design team focused on several goals:
- Extensibility: The system's code must accommodate growth and changes.
- Portability: The OS should function across various hardware platforms.
- Reliability and Robustness: The system must protect against malfunctions and external threats, ensuring applications do not negatively impact the OS.
- Compatibility: New technologies should retain compatibility with previous Windows versions and other operating systems.
- Performance: The OS should function efficiently within the design constraints.

Operating System Model

Windows operates in two distinct processor modes:
- Kernel Mode: OS kernel code runs here with full hardware access.
- User Mode: Application code runs here with limited access, making system calls to switch to kernel mode for operations requiring elevated privileges.

Windows employs a monolithic architecture, wherein critical OS and driver functionality share the same kernel-memory space, so a fault in one component can corrupt data belonging to another. Safeguards like Windows Hardware Quality Labs (WHQL) certification and kernel protection technologies (e.g., virtualization-based security) are implemented to reduce this risk.

Architecture Overview

The Windows architecture is split into user-mode and kernel-mode components. Key elements include:
- User Processes: Various types such as Windows, MS-DOS, and legacy applications.
- Service Processes: Host Windows services independently of user logons.
- System Processes: Fixed processes integral to system functionality, like logon processes.
- Environment Subsystems: Manage different OS personalities (e.g., Windows and POSIX).

In kernel mode, components are further categorized:
- Executive: Core services like memory and process management.
- Kernel: Low-level operations such as scheduling and synchronization.
- Device Drivers: Translate I/O operations into the respective hardware requests.
- Hardware Abstraction Layer (HAL): Abstracts hardware differences for portability.
- Windowing and Graphics System: Implements GUI functions.
- Hypervisor Layer: Manages virtual machines.

Key System Components

1. Portability: Achieved through a layered design and coding mostly in the C language.
2. Symmetric Multiprocessing: Allows multiple threads to run simultaneously across processors.
3. Architecture: Windows supports various architectures (x86, x64, ARM) and models.
4. Scalability: Adaptable to various multiprocessor systems and workloads.
5. Different Versions: Client and server versions of Windows differ in memory and CPU support.

Experimentation and Tools

The chapter outlines experiments to examine features enabled by licensing policy, checked build versions, and commands that allow for viewing installed drivers and services. Tools such as SlPolicy, Process Explorer, and Dependency Walker are recommended for further exploration of system behaviors.

Conclusion

The chapter provides a comprehensive review of the Windows system architecture, setting the stage for a deeper examination of processes in the next chapter.
Example

Key Point: Understanding the Dual Operating Modes

Example: Imagine you're working on a complex software application that requires high-speed operations and secure interactions with the operating system. Windows significantly enhances this experience with its dual operating modes—Kernel Mode and User Mode. As you develop, your application runs in User Mode, ensuring safety by limiting direct hardware access, while transitioning to Kernel Mode through system calls when it needs the OS to perform sensitive operations on its behalf, like mapping memory or controlling hardware devices. This architecture not only shields the system from crashes or vulnerabilities in your application but also lets your application draw on the full capabilities of the operating system when necessary.
Critical Thinking

Key Point: Monolithic architecture's advantages and risks

Critical Interpretation: The chapter's discussion on the monolithic architecture of Windows highlights its capacity for high performance and tight integration. However, one must recognize the inherent risks of such a design, including the potential for systemic vulnerabilities and data corruption that may arise from shared kernel-memory space. It's essential to consider that while the author emphasizes benefits like performance, there are alternative architectures, such as microkernels, that prioritize fault isolation and security (see 'Operating Systems: Three Easy Pieces' by Remzi Arpaci-Dusseau for contrasting perspectives). Thus, the notion that monolithic structures are superior in all respects is debatable.
Chapter 3 Summary: Processes and jobs

Section summaries

- Chapter Title: Chapter 3: Processes and Jobs
- Overview: Explores data structures and algorithms related to processes and jobs in Windows, including process creation and job management.
- Creating a Process: Windows API functions like CreateProcess, CreateProcessAsUser, and ShellExecute facilitate process creation, with CreateProcessInternal performing the actual creation.
- Process Creation Functions: Arguments for CreateProcess include token specification, executable path, command-line options, security attributes, handle inheritance, and creation flags.
- Protected Processes: Restrict the actions of other processes on them, even for administrators; introduced for digital rights management. Examples include the Audio Device Graph and the System process.
- Creating Modern and Other Processes: Requires enhanced attributes; minimal processes call kernel functions like NtCreateUserProcess directly.
- Process Internals: Focuses on the EPROCESS structure, which holds data about the attributes, threads, and memory management of each process.
- Process Creation Flow: Involves parameter validation, opening the executable, creating the process object, initializing the address space, setting up the PEB, and starting the initial thread.
- Terminating a Process: Can be terminated gracefully using ExitProcess, or ungracefully using TerminateProcess, which does not allow for cleanup.
- Image Loader: Resides in Ntdll.dll and is responsible for initializing application state, managing dependencies, and loading necessary DLLs.
- Jobs: Securable objects that enable management of processes collectively, with resource limits and process grouping for system management.
- Conclusion: Provides an understanding of processes and jobs in Windows, laying the groundwork for the next chapter on threads.

Chapter 3: Processes and Jobs

In this chapter, we explore the data structures and algorithms related to processes and jobs in Windows. The focus encompasses process creation, the internal structures of processes, the differences between protected and non-protected processes, the steps involved in creating a process, and an overview of jobs.

Creating a Process

The Windows API offers numerous functions for creating processes, the most straightforward being CreateProcess. Variants like CreateProcessAsUser and CreateProcessWithLogonW cater to different token requirements. Functions like ShellExecute facilitate running files based on their extensions and will ultimately call CreateProcessInternal to perform the actual process creation.

Process Creation Functions

The arguments for the CreateProcess functions include specifying a token, the executable path, command-line arguments, security attributes, handle inheritance flags, and various creation flags like CREATE_SUSPENDED or DEBUG_PROCESS.

Protected Processes

Introduced in response to digital rights management needs,
Chapter 4 Summary: Threads

Chapter 4: Threads

Overview

This chapter discusses the data structures and algorithms that manage threads and thread scheduling in Windows. It covers thread creation, internal management, scheduling mechanisms, and thread pools.

Creating Threads

- CreateThread: The primary API function to create threads, allowing specification of security attributes, stack size, function pointer, optional arguments, and flags (such as starting a thread suspended).
- CreateRemoteThread: An extended version that allows thread creation in another process, useful for debugging and obtaining information.
- CreateRemoteThreadEx: A superset of the previous functions, providing additional features like attribute lists for processor affinity.
- Kernel-Mode Creation: Achieved through `PsCreateSystemThread`, primarily used by drivers.

Thread Internals

- ETHREAD and KTHREAD Structures: The thread representation, with ETHREAD encapsulating the KTHREAD structure, used by the operating system for thread management.
- Thread Environment Block (TEB): Exists in user space and holds important thread-specific information.
- CSR_THREAD and W32THREAD Structures: Maintain thread-specific data for Windows subsystem applications and graphical subsystem operations.

Exiting and Terminating Threads

- Exiting threads does not automatically destroy their thread objects; explicit termination calls are necessary in kernel mode.

Process and Thread Management

- The kernel manages thread and process information dynamically through dispatcher databases, ensuring that scheduling decisions are efficient and scalable across multiple processors.

Thread Scheduling

- Preemptive, Priority-based System: Windows uses priority-driven preemptive scheduling, where higher-priority threads can preempt lower-priority ones.
- Scheduler Operations: Functions like `KiSelectNextThread` and `KiSelectReadyThreadEx` handle thread selection based on various conditions, including quantum exhaustion and wait states.

Quantum and Scheduling Policies

- Quantum: The time slice allocated to a thread before it is preempted. Various conditions can affect how long a thread runs.
- Dynamic and Fixed Quantums: Both server and client configurations define either variable or fixed quantum intervals based on workload.

Processor Affinity and Group Scheduling

- Threads can be assigned processor affinity, determining which processors they can run on. Extended affinity masks support multiple processor groups beyond the original limitations.
- Group Scheduling: Implemented to handle resources across different users efficiently, preventing one user from monopolizing CPU time.
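
The priority-based scheduling and processor affinity described in the last three sections can be observed from user mode without a kernel debugger. The following PowerShell function is an added example, not code from the book or from Bookey; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, the function name Get-SchedulingInfo is the author's own, and it reads the .NET Process and ProcessThread objects that Get-Process returns.

```powershell
# Added example (not from the book): inspect what the scheduler sees for one
# process: the process priority class, each thread's base and current priority,
# its scheduling state and wait reason, and the process affinity mask decoded
# into CPU numbers. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-SchedulingInfo {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # ProcessorAffinity is a bitmask over the processors of the process's
    # current processor group (at most 64 bits); bit n set means CPU n is allowed.
    $mask = $proc.ProcessorAffinity.ToInt64()
    $cpus = foreach ($i in 0..63) { if ((($mask -shr $i) -band 1) -eq 1) { $i } }

    $threads = foreach ($t in $proc.Threads) {
        # WaitReason is only defined while the thread is in the Wait state;
        # reading it in any other state throws InvalidOperationException.
        $wait = if ($t.ThreadState -eq [System.Diagnostics.ThreadState]::Wait) { $t.WaitReason } else { $null }
        [pscustomobject]@{
            ThreadId        = $t.Id
            BasePriority    = $t.BasePriority      # process priority class combined with the thread's relative priority
            CurrentPriority = $t.CurrentPriority   # may be boosted above the base, e.g. after a wait completes
            State           = $t.ThreadState       # Ready, Running, Standby, Wait, Transition, ...
            WaitReason      = $wait
        }
    }

    [pscustomobject]@{
        Name          = $proc.ProcessName
        Id            = $proc.Id
        PriorityClass = $proc.PriorityClass        # Idle, BelowNormal, Normal, AboveNormal, High, RealTime
        BasePriority  = $proc.BasePriority
        AllowedCpus   = $cpus
        Threads       = $threads
    }
}

# Constructed usage: look at this PowerShell session itself ($PID).
$info = Get-SchedulingInfo -ProcessId $PID
$info | Select-Object Name, Id, PriorityClass, BasePriority,
    @{ n = 'AllowedCpus'; e = { $_.AllowedCpus -join ',' } } | Format-List
$info.Threads | Sort-Object CurrentPriority -Descending | Format-Table -AutoSize
```

Most threads of an idle process show State = Wait with a wait reason such as UserRequest or ExecutionDelay; a thread whose CurrentPriority is above its BasePriority has received a priority boost, which is the mechanism the chapter's "various conditions" refers to. The mask only covers one processor group, which is exactly the limitation that extended affinity masks were introduced to lift.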

Thread Pools and Worker Factories

- The kernel manages user-mode thread pools via worker factories, allowing dynamic thread creation based on workload. Functions to create and manage worker factories provide new performance optimizations.

Dynamic Processor Management

- Windows supports adding or replacing processors without downtime, allowing dynamic efficiency adjustments based on workload demands.

Conclusion

This chapter provides a detailed understanding of threads within the Windows operating system, their management, and the scheduling mechanisms involved. The next chapter will delve into memory management.
Chapter 5 Summary: Memory management

Chapter 5: Memory Management

Overview

This chapter delves into how Windows manages virtual memory and the physical memory subset within the operating system. Key aspects include the structure and components of the memory manager, its various functions and services, and core concepts like working sets, paging, and memory types.

Memory Manager Introduction

- The default virtual address space on 32-bit Windows is typically 2 GB but can be extended to 3 GB with specific settings.
- On 64-bit Windows, the address spaces can reach up to 128 TB.
- The memory manager translates process virtual addresses into physical memory and manages paging when necessary.
- Key services provided include memory-mapped files and the allocation of physical memory.

Components of the Memory Manager

- The memory manager, which lives in Ntoskrnl.exe, manages virtual memory allocations and deallocations.
- It includes various threads handling balance set management, page writing, segment dereferencing, and zero page management.
- Memory is handled in pages, which can be small or large, with the advantages of large pages relating to speed and efficiency.

Memory Usage Examination

- Tools like Task Manager and Sysinternals’ Process Explorer, VMMap, and RAMMap assist in analyzing memory usage.
- Different utilities may show varying details, emphasizing the need for clarity in terminology around memory metrics.

Physical Memory Management

- Windows operates with dynamic physical memory management. The memory manager maintains a Page Frame Number (PFN) database detailing the state of every physical memory page available.
- Multiple states exist: Free, Modified, Standby, Active/Valid, etc.

Working Sets

- A working set encompasses the pages currently in use by a process, and can grow or shrink based on memory demands. The balance set manager and working set manager collaborate to ensure efficient physical memory utilization.
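
The page states of the PFN database and the working sets of the previous two sections are exposed by performance counters, which is also where RAMMap and Task Manager get their numbers. The following PowerShell function is an added example, not code from the book or from Bookey; it assumes Windows PowerShell 5.1 or PowerShell 7 on an English-language Windows (counter paths are localized), and the function name Get-PageListSummary is the author's own.

```powershell
# Added example (not from the book): read the physical-memory page lists the
# memory manager keeps in the PFN database, plus the largest working sets,
# through performance counters. Assumes an English-language Windows.

function Get-PageListSummary {
    # Each counter corresponds to one PFN page state (or a group of them).
    $paths = @(
        '\Memory\Free & Zero Page List Bytes',         # Free and Zeroed pages
        '\Memory\Modified Page List Bytes',            # Modified: dirty, not yet written to the paging file
        '\Memory\Standby Cache Reserve Bytes',         # Standby lists: clean pages that can be
        '\Memory\Standby Cache Normal Priority Bytes', #   repurposed, split by page priority
        '\Memory\Standby Cache Core Bytes',
        '\Memory\Available Bytes'                      # what the OS counts as available
    )
    $bytes = @{}   # hashtable keys are case-insensitive; Get-Counter lowercases paths
    foreach ($s in (Get-Counter -Counter $paths).CounterSamples) {
        $bytes[($s.Path -split '\\')[-1]] = [int64]$s.CookedValue
    }

    $freeZero = $bytes['Free & Zero Page List Bytes']
    $standby  = $bytes['Standby Cache Reserve Bytes'] +
                $bytes['Standby Cache Normal Priority Bytes'] +
                $bytes['Standby Cache Core Bytes']
    # Available memory is the free/zero lists plus all standby lists; pages on
    # the modified list are not available until the modified page writer has
    # flushed them. The difference below should be small (sampling drift).
    $drift = $bytes['Available Bytes'] - ($freeZero + $standby)

    # Working sets: the pages each process currently has resident in RAM.
    $topWorkingSets = Get-Process | Sort-Object WorkingSet64 -Descending |
        Select-Object -First 5 Name, Id,
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } },
            @{ n = 'PrivateMB';    e = { [math]::Round($_.PrivateMemorySize64 / 1MB) } }

    [pscustomobject]@{
        PageSizeBytes   = [Environment]::SystemPageSize
        FreeAndZeroMB   = [math]::Round($freeZero / 1MB)
        ModifiedMB      = [math]::Round($bytes['Modified Page List Bytes'] / 1MB)
        StandbyMB       = [math]::Round($standby / 1MB)
        AvailableMB     = [math]::Round($bytes['Available Bytes'] / 1MB)
        AvailableDriftMB = [math]::Round($drift / 1MB)
        TopWorkingSets  = $topWorkingSets
    }
}

$summary = Get-PageListSummary
$summary | Select-Object PageSizeBytes, FreeAndZeroMB, ModifiedMB, StandbyMB, AvailableMB, AvailableDriftMB | Format-List
$summary.TopWorkingSets | Format-Table -AutoSize
```

Running it on a busy machine shows why "free" memory is a poor health metric: the free/zero list is usually tiny while the standby lists hold most of the available memory, which is exactly the distinction the chapter says the various tools report inconsistently.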

SuperFetch and Memory Management Enhancements

- SuperFetch enhances memory efficiency by predicting and loading pages into RAM based on historical usage, optimizing performance during system and application startups.
- It includes mechanisms to manage page priorities for efficient resource allocation and a context-aware system for proactive memory management.

Memory Compression and ReadyBoost

- Memory compression reduces physical memory usage by compressing pages currently not in use, while ReadyBoost leverages flash memory devices to enhance system performance.

Conclusion

In conclusion, Windows employs an intricate system of virtual and physical memory management, including features for memory compression, prefetching, and working set management, to provide efficient multitasking and resource allocation across various applications and system needs. The chapter sets the foundation for understanding I/O management in the following chapter.
Chapter 6 Summary: I/O system

Chapter 6: I/O System

Overview

The Windows I/O system comprises various executive components that manage hardware devices and interface with applications and the system. This chapter outlines the design goals, components, I/O request processing, driver types, and device management in the I/O system. It specifically discusses the I/O manager, Plug and Play (PnP) manager, and power manager, as well as the procedures for device detection, driver installation, and power management.

I/O System Components

The design goals of the Windows I/O system include:
- Device abstraction (hardware and software)
- Uniform security and naming
- High-performance asynchronous I/O
- Scalability for drivers written in high-level languages
- Layering and extensibility of drivers
- Dynamic loading and unloading of device drivers
- Plug and Play support
- Power management capabilities
- Support for multiple file systems
- Windows Management Instrumentation (WMI) support

Key Components

1. I/O Manager: Connects applications to devices, manages I/O requests, and provides functionality shared among drivers.
2. Device Drivers: Software modules that interpret high-level commands into device-specific actions.
3. Plug and Play Manager: Detects devices and allocates hardware resources, coordinating driver loading.
4. Power Manager: Guides the system and drivers through power state
Chapter 7 Summary: Security

Chapter 7 Summary: Security

Introduction to Security

- Security is crucial for preventing unauthorized access to sensitive data in environments with multiple users.
- Windows security encompasses various mechanisms, including accounts, passwords, file protection, and protections against unauthorized actions.

Security Ratings

- Software can be evaluated against established standards, notably the Common Criteria (CC) and the Trusted Computer System Evaluation Criteria (TCSEC).
- The TCSEC ratings, known as the Orange Book, classify operating systems based on protection levels, with C2 as a practical standard for general-purpose OS security.

Key Security Features in Windows

- Secure Logon: Unique user identification and authentication.
- Discretionary Access Control: Resource owners manage access permissions.
- Security Auditing: Records security-related events and unauthorized actions.
- Object Reuse Protection: Prevents access to deleted user data or released memory.

Common Criteria and Windows Certification

- The jointly developed CC focuses on IT product evaluations and incorporates assurance levels.
- Windows versions like Windows 2000, XP, and later achieved certification under the Controlled Access Protection Profile (CAPP) with Evaluation Assurance Level (EAL) 4+, indicating solid security mechanisms.

Security System Components

- Security Reference Monitor (SRM): Manages access tokens, security audits, and privilege controls.
- Local Security Authority (LSA): Enforces system security policies and manages authentication.
- Active Directory: Stores information about users, groups, and devices in networked environments.
- AppLocker: Allows administrators to define which applications users can run and is integrated with the security subsystem.

Authentication and Credential Guard

- Credential Guard: Protects user credentials using isolated memory; available only under specific configurations.
- Password Protection: Supports secure password storage and retrieval mechanisms.

User Account Control (UAC) and Virtualization

- UAC helps prevent unauthorized operations by running applications in standard user mode by default.
- Virtualization of the file system and registry allows legacy applications to function without administrative rights.
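
Both Credential Guard and UAC leave visible traces in a running session: UAC gives an administrator a filtered token in which the Administrators group is present but marked deny-only, the token carries a mandatory integrity label, and Credential Guard reports itself through the Device Guard WMI class. The following PowerShell function is an added example, not code from the book or from Bookey; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 or later, and the function name Get-TokenAndCredentialGuardStatus is the author's own.

```powershell
# Added example (not from the book): show what UAC and Credential Guard look
# like from inside a session. Assumes Windows PowerShell 5.1 or PowerShell 7
# on Windows 10 or later.

function Get-TokenAndCredentialGuardStatus {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # With UAC on, an administrator's non-elevated processes run under a
    # filtered token: the Administrators group is present but flagged
    # "deny only", so IsInRole(Administrator) stays $false until elevation.
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists the token's groups plus its mandatory integrity label
    # (Type = "Label", SID S-1-16-xxxx) and the per-group attributes.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $label      = $groups | Where-Object Type -eq 'Label'
    $adminGroup = $groups | Where-Object SID -eq 'S-1-5-32-544'   # BUILTIN\Administrators

    # UAC policy lives under HKLM\...\Policies\System; EnableLUA = 1 means UAC is on.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Win32_DeviceGuard reports virtualization-based security state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                   = $identity.Name
        IntegrityLevel         = $label.'Group Name'      # e.g. Mandatory Label\Medium Mandatory Level
        IntegritySid           = $label.SID
        ElevatedAdminToken     = $elevated
        AdminGroupAttributes   = $adminGroup.Attributes   # "Group used for deny only" on a filtered token
        UacEnabled             = [bool]$uac.EnableLUA
        ConsentPromptAdmin     = $uac.ConsentPromptBehaviorAdmin
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-TokenAndCredentialGuardStatus
```

Running the function twice, once from a normal console and once from an elevated one, shows the UAC mechanism directly: the same user account appears with a Medium integrity label and a deny-only Administrators group in the first case, and with a High label and ElevatedAdminToken = True in the second. Credential Guard showing as configured but not running (VbsRunning false, or 1 missing from SecurityServicesRunning) is the "specific configurations" caveat above: the hardware and boot requirements were not met.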

Exploit Mitigations

- Includes technologies like Control Flow Guard (CFG) and Kernel Patch Protection (KPP) to enhance security against exploits targeting kernel vulnerabilities.
- Newer technologies like HyperGuard provide additional layers of protection by leveraging virtualization-based security.

Dynamic Access Control and Application Identification

- Dynamic Access Control (DAC) enables more granular control over file access based on user and device claims.
- AppID provides a unified method to recognize and manage applications for security purposes.

AppLocker and Software Restriction Policies (SRPs)

- AppLocker aids in preventing unapproved applications from running through a flexible rule-setting mechanism.
- SRPs enforce execution policies in user and administrative contexts.
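
The AppLocker rules that are actually in force on a machine, and the decision they would produce for a given file and user, can be read with the AppLocker module without running anything. The following PowerShell function is an added example, not code from the book or from Bookey; it assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows edition that ships the AppLocker module, and the function name Test-EffectiveAppLockerPolicy and the two sample paths are the author's own.

```powershell
# Added example (not from the book): read the AppLocker policy that is
# actually enforced on this machine and ask it how it would treat some
# executables. Assumes a Windows edition that ships the AppLocker module.

function Test-EffectiveAppLockerPolicy {
    param(
        # Constructed sample inputs: two executables present on every Windows install.
        [string[]]$Path = @("$env:SystemRoot\System32\notepad.exe", "$env:SystemRoot\System32\cmd.exe"),
        [string]$User = 'Everyone'
    )
    Import-Module AppLocker -ErrorAction Stop

    # -Effective merges the local policy with domain (Group Policy) rules into
    # the policy the Application Identity service enforces. A collection in
    # AuditOnly mode only logs; NotConfigured enforces nothing for that file type.
    $policy = Get-AppLockerPolicy -Effective

    $collections = foreach ($c in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection  = $c.RuleCollectionType   # Exe, Dll, Script, Msi, Appx
            Enforcement = $c.EnforcementMode      # NotConfigured, AuditOnly, Enabled
            RuleCount   = $c.Count
        }
    }

    # Test-AppLockerPolicy evaluates the rules offline. DeniedByDefault means
    # no rule matched in an enforced collection, which is how an allow-list
    # policy blocks an unapproved executable.
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule

    [pscustomobject]@{ Collections = $collections; Decisions = $decisions }
}

$result = Test-EffectiveAppLockerPolicy
$result.Collections | Format-Table -AutoSize
$result.Decisions   | Format-Table -AutoSize
```

On a machine with no AppLocker policy every collection reports NotConfigured and every file is Allowed, which is worth knowing before relying on the "flexible rule-setting mechanism": AppLocker restricts nothing until an Exe collection is set to Enabled and the Application Identity service is running.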

Conclusion

- The Windows security infrastructure comprises many components, focusing on preventing unauthorized access through various sophisticated mechanisms, detailed logging, and constant updates to counter emerging threats.

This summary encapsulates the core themes and focal points of Chapter 7 in "Windows Internals, Part 1", highlighting the significance and multifaceted nature of Windows security systems.
Critical Thinking

Key Point: Multi-faceted approach to Windows Security

Critical Interpretation: The chapter emphasizes that the Windows security architecture comprises various mechanisms aimed at preventing unauthorized access to sensitive data, which is vital in multi-user environments. However, while the author highlights these protective measures, readers should critically evaluate whether these systems sufficiently address the evolving threats in cybersecurity or if they inadvertently introduce complexities and vulnerabilities. It's essential to consider studies such as those by Symantec and the Ponemon Institute that indicate that despite extensive security protocols, breaches still occur, reflecting potential inadequacies in these systems.
Best Quotes from Windows Internals, Part 1 by Brian Catlin with Page Numbers

Chapter 1 | Quotes From Pages -64

1. Make sure that you understand everything in this chapter; the remainder of the book is written assuming that you do.
2. Windows version numbers seem to have strayed from a well-defined path starting with Windows 7.
3. This book delves into the internals of the OneCore kernel, on whatever device it’s running on.
4. […] although programs and processes appear similar on the surface, they are fundamentally different.
5. This is because the Windows subsystem implements object-based security in the same way the OS does: protecting shared Windows objects from unauthorized access by placing Windows security descriptors on them.
6. Windows provides an extension to the process model called a job.
Chapter 2 | Quotes From Pages -120

1. Extensibility: The code must be written to comfortably grow and change as market requirements change.
2. Reliability and robustness: The system should protect itself from both internal malfunction and external tampering.
3. Portability: The system must be able to run on multiple hardware architectures and must be able to move with relative ease to new ones as market demands dictate.
4. Performance: Within the constraints of the other design goals, the system should be as fast and responsive as possible on each hardware platform.
5. Compatibility: Although Windows NT should extend existing technology, its user interface and APIs should be compatible with older versions of Windows and with MS-DOS.
6. […] architectural decisions were guided carefully to ensure that all OS components are fully protected from errant applications because they purposely do not have direct access to the privileged code and data of the OS.
7. Windows achieves portability across hardware architectures and platforms in two primary ways: By using a layered design... By using C.
8. Windows is a symmetric multiprocessing (SMP) OS. There is no master processor—the OS as well as user threads can be scheduled to run on any processor.
9. Windows incorporates several features that are crucial to its success as a multiprocessor OS: The ability to run OS code on any available processor and on multiple processors at the same time.
10. Windows treats legacy applications to see only their current group... for convenience and efficiency, Windows does keep track of processors... in a bitmask.
Chapter 3 | Quotes From Pages -210

1. Creating a modern application process requires more than just calling CreateProcess with the correct executable path.
2. Jobs play a significant role in a number of system mechanisms... The Desktop Activity Moderator (DAM) manages throttling, timer virtualization, timer freezing, and other idle-inducing behaviors for Win32 applications and services.
3. A process cannot accidentally write arbitrary bytes on another process’s memory. That would require an explicit call to a function such as WriteProcessMemory.
4. Protected processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system can request.
5. The loader behaves just like standard code that is part of a DLL, and it is subject to the same restrictions in terms of memory access and security rights.
Chapter 4 | Quotes From Pages -317
1. Windows implements a priority-driven,
preemptive scheduling system.
2. A thread’s life cycle starts when a process... creates a new
thread.
3. Creating a thread in kernel mode is achieved with the
PsCreateSystemThread function.
4. Threads can be suspended and resumed explicitly with the
SuspendThread and ResumeThread API functions,
respectively.
5. Voluntary switch: A thread might voluntarily relinquish use
of the processor by entering a wait state on some object...
6. When a dispatch event occurs, the KiExitDispatcher
routine is called.
7. A thread can be selected to run next and be preempted
before even beginning its quantum!
8. To make CreateRemoteThread work, the process handle
must have been obtained with enough access rights to
allow such operation.
Chapter 5 | Quotes From Pages -503
1. Because the virtual address space might be larger
or smaller than the physical memory on the
machine, the memory manager has two primary
tasks: Translating, or mapping, a process’s virtual
address space into physical memory...
2. The memory manager uses lazy evaluation not only to
bring pages into memory but also to construct the page
tables required to describe new pages.
3. Working sets are described by the memory manager that
manages pages referenced by threads within a single
process...
4. The balance set manager waits for two different event
objects: an event that is signaled when a periodic timer set
to fire once per second expires and an internal working set
manager event that the memory manager signals at various
points...
5. ...attempts to speed the boot process and
application startup by monitoring the data and code
accessed by boot and application startups and using that
information...
6. Windows provides a way for user-mode processes and
kernel-mode drivers to be notified when physical memory,
paged pool, non-paged pool, and commit charge are low
and/or plentiful.
7. The PFN database consists of an array of structures that
represent each physical page of memory on the system.
8. Memory combining... assigns pages with the same contents
and combines them into one, thus removing the rest of the
duplicates.
9. ...pages, which are said to be robusted, essentially
become reprioritized to priority 2.
10. ...such containers is difficult, as it would require
kernel drivers that perform some form of virtualization...
Chapter 6 | Quotes From Pages -630
1. Uniform security and naming across devices to
protect shareable resources.
2. High-performance asynchronous packet-based I/O to allow
for the implementation of scalable applications.
3. Dynamic loading and unloading of device drivers so that
drivers can be loaded on demand and not consume system
resources when unneeded.
4. Support for Power Management so that the system or
individual devices can enter low-power states.
5. Layering and extensibility to allow for the addition of
drivers that transparently modify the behavior of other
drivers or devices, without requiring any changes to the
driver whose behavior or device is modified.
6. Windows Management Instrumentation (WMI) support and
diagnosability so that drivers can be managed and
monitored through WMI applications and scripts.
7. The I/O system consists of several executive
components as well as device drivers.
8. The I/O manager is the heart of the I/O system.
9. Device drivers receive commands routed to them by the
I/O manager that are directed at the devices they manage,
and they inform the I/O manager when those commands
are complete.
10. The PnP manager works closely with the I/O manager and
guides the allocation of hardware resources as well as to
detect and respond to the arrival and removal of hardware
devices.
Chapter 7 | Quotes From Pages -805
1. Preventing unauthorized access to sensitive data is
essential in any environment in which multiple
users have access to the same physical or network
resources.
2. An operating system, as well as individual users, must be
able to protect files, memory, and configuration settings
from unwanted viewing and modification.
3. To understand the security capabilities designed into
Windows, however, it's useful to know the history of the
security ratings system that influenced the design of
Windows.
4. The requirements for a C2 security rating are still
considered the core requirements for any secure operating
system.
5. Security auditing...affords the ability to detect and record
security-related events or any attempts to create, access, or
delete system resources.
6. Trusted path functionality...ensures that user credentials
cannot be intercepted during logon procedures.
7. A secure logon facility requires that users be uniquely
identified and that they must be granted access to the
computer only after they have been authenticated in some
way.
8. AppLocker allows an administrator to lock down a system
to prevent unauthorized programs from being run.
9. ...on behalf of end users ensures compliance
requirements can be met without compromising security or
usability.
10. At the end of the day, however, all secure systems have
failure points, all code has bugs, and attackers leverage
increasingly complex attacks to exploit them.
Windows Internals, Part 1 Questions

Chapter 1 | Concepts and tools | Q&A


1. Question:
What are the fundamental concepts introduced in
Chapter 1 of 'Windows Internals, Part 1'?
Answer:The fundamental concepts include the
Windows API, processes, threads, virtual memory,
kernel mode, user mode, objects, handles, security,
and the registry.

2. Question:
Why is it important to understand the material in
Chapter 1 before proceeding to the rest of the book?
Answer:Understanding the material in Chapter 1 is crucial
because the remainder of the book builds on these concepts,
assuming a foundational knowledge of them.

3. Question:
What is the significance of the Windows application
programming interface (API)?
Answer:The Windows API provides a user-mode system
programming interface that allows developers to interact with
the Windows operating system, enabling them to create
applications that leverage OS services.

4. Question:
How has the Windows versioning system changed from
previous versions to Windows 10?
Answer:With Windows 10, Microsoft updated the version
number to 10.0, moving away from the confusing versioning
patterns established since Windows Vista, where version
numbers did not directly correspond to the product name.

5. Question:
What role does the Windows Driver Kit (WDK) play for
developers?
Answer:The Windows Driver Kit provides resources for
writing, testing, and debugging Windows drivers, including
tools and documentation about the Windows internals
relevant to driver development.

6. Question:
What are the key differences between user mode and
kernel mode in Windows?
Answer:User mode restricts access to system resources and
memory to protect the integrity of the OS, while kernel mode
grants unrestricted access, allowing the OS to directly
manage hardware and system resources.

7. Question:
What is the purpose of the Windows registry?
Answer:The Windows registry serves as a central database
for system-wide configuration settings, software settings, and
security information, essential for booting and operating the
system.

8. Question:
Why has Microsoft converged the kernels of its various
devices into one platform known as OneCore?
Answer:Microsoft converged the kernels to simplify
maintenance and support across different device types,
enhancing development efficiency and consistency in
features across devices.

9. Question:
What benefits do the tools from Sysinternals provide to
users exploring Windows internals?
Answer:Sysinternals tools, such as Process Explorer and
Performance Monitor, offer in-depth insights into system
processes, resource usage, and performance metrics,
facilitating better understanding and troubleshooting of the
Windows OS.

10. Question:
Why is an 'AppContainer' used in Windows 8 and later
for hosting Windows Apps?
Answer:An AppContainer provides isolation and enhanced
security for Windows Apps, ensuring they cannot interfere
with each other or the system, which helps protect against
malicious activity.
Chapter 2 | System architecture | Q&A
1. Question:
What were the key design goals adopted by the Windows
NT design team in 1989 that shaped the system
architecture?
Answer:The key design goals were extensibility,
portability, reliability and robustness, compatibility,
and performance, allowing Windows to adapt to
changing market requirements and to interoperate
with other systems while ensuring that applications
could not harm the OS or other applications.

2. Question:
How does Windows manage the separation between user
mode and kernel mode for secure operation?
Answer:Windows separates user mode and kernel mode to
protect the OS from errant applications. Code running in
kernel mode has full access to the system, while user mode
lacks direct hardware access and interacts with the OS
through limited interfaces, thereby preventing crashes and
security breaches.

3. Question:
In what ways does the architecture of Windows support
symmetric multiprocessing (SMP) systems?
Answer:Windows supports SMP by allowing the OS and
user threads to run on any available processor without a
master processor. It uses fine-grained synchronization and
allows multiple threads to execute simultaneously across
processors, enhancing performance and scalability.

4. Question:
What are the core components of the Windows OS listed
in the chapter, and what roles do they play?
Answer:The core components include the executive
(managing services like memory, processes, security, etc.),
the kernel (providing fundamental OS mechanisms), device
drivers (allowing interaction with hardware), and the
Hardware Abstraction Layer (HAL, which isolates hardware
differences). Each plays a critical role in ensuring the
stability and performance of the system.

5. Question:
What role does the hardware abstraction layer (HAL)
play in making Windows portable across different
hardware architectures?
Answer:The HAL provides a consistent interface for the OS
and device drivers to interact with hardware, hiding
architecture-specific details. This design isolates low-level
hardware differences, allowing Windows to run on various
platforms without needing substantial changes to the
upper-layer code.

6. Question:
How does Windows ensure compatibility with legacy
software while integrating new technologies?
Answer:Windows maintains compatibility through its
subsystem architecture, allowing older applications (like
16-bit MS-DOS apps) to run alongside modern programs.
This is achieved while integrating new technologies like
virtualization-based security, ensuring a stable experience for
users.

7. Question:
What is the function of the Session Manager (Smss.exe) in
the Windows initialization process?
Answer:The Session Manager is the first user-mode process
created and is responsible for initializing various system
functions, creating sessions, handling memory management
tasks, and launching crucial services needed for the system to
operate correctly.

8. Question:
Why is the concept of virtualization-based security (VBS)
important in modern Windows architecture?
Answer:VBS enhances the security posture of the OS by
isolating sensitive processes under different trust levels
(VTLs) to prevent unauthorized access, even from potentially
compromised kernel-mode code, thereby protecting critical
system resources.

9. Question:
How are the principles of object-oriented design reflected
in the Windows kernel architecture despite being
primarily written in C?
Answer:Windows uses object-oriented principles by ensuring
that kernel components interact through defined interfaces
rather than directly accessing each other's data. This
encapsulation allows for modularity and better resource
management within the system.

10. Question:
What challenges does Windows face in maintaining
performance while ensuring security across its
architecture?
Answer:Windows must balance the need for robust security
measures, such as VBS and strict user/kernel separation, with
the need for performance optimizations across various
hardware platforms and multitasking environments, ensuring
that security enhancements do not impede responsiveness.
Chapter 3 | Processes and jobs | Q&A
1. Question:
What are the key differences between protected processes
and normal processes in Windows?
Answer:Protected processes are designed to secure
high-value media and are created from digitally
signed images with specific Windows Media
Certificates. They restrict access rights significantly,
denying certain actions even to administrators. For
example, while normal processes can be debugged or
have memory read/write permissions altered by any
process with the necessary privileges, protected
processes only allow limited access rights such as
PROCESS_QUERY/SET_LIMITED_INFORMATION
and cannot be interacted with using standard
user-mode tools like Process Explorer.

2. Question:
What role do jobs play in process management on
Windows?
Answer:Jobs allow for collective management of a group of
processes, enabling controls like resource limits (CPU,
memory, etc.), process priority settings, and management of
child processes. A process can belong to multiple jobs,
creating a hierarchy that helps in resource allocation and
monitoring.

3. Question:
How does Windows ensure that process creation remains
secure, particularly in relation to user-mode and
kernel-mode operations?
Answer:Windows implements a multi-layered approach
where the actual process creation is initiated in user-mode
but transitions into kernel-mode for execution to minimize
risks of code injection and other vulnerabilities. The use of
structured data such as EPROCESS and job objects provides
a controlled environment for resource allocation and process
management.

4. Question:
Can you explain the concept of 'jobs' and their impact on
modern application management in Windows?
Answer:Jobs serve as a container for processes, providing
security and resource management capabilities. Every
modern app in Windows runs under a job object, which
ensures that limits on CPU usage, memory, and I/O can be
enforced collectively, thus preventing a single application
from exhausting system resources.

5. Question:
What is the significance of the CreateProcess API in
relation to process creation in Windows?
Answer:The CreateProcess API is the primary function used
to initiate a new process. It encapsulates the complexity of
process creation, including setting up security parameters,
process attributes, and the necessary environment for the new
process to execute effectively. It handles different conditions
and can initiate processes under specific user contexts,
contributing to the security and functionality of the operating
system.

6. Question:
Describe how the Windows subsystem manages
interactions and behavior between processes.
Answer:The Windows subsystem acts as the intermediary
between user-mode applications and the kernel. It manages
user interactions like input/output, sets up process
environments, and ensures seamless execution of
applications by converting API calls appropriately into
kernel-level operations. Moreover, it handles graphics
rendering and user input which are vital for modern
applications.

7. Question:
How do container technologies like Docker operate within
the Windows environment based on the chapter's
content?
Answer:Container technologies like Docker on Windows
leverage job objects to enforce isolation for applications by
creating server silos. These silos contain their own
namespaces and can manipulate system resources without
impacting the host environment. The use of a job object
allows containers to apply specific security and resource
limitations, creating a controlled and isolated environment
for applications.

8. Question:
What is the process by which the kernel transitions from
user-mode to kernel-mode during process creation?
Answer:The transition occurs when a user-mode application
calls the CreateProcess function, which is implemented in the
user-mode library (Kernel32.dll). This function then calls the
kernel via a system call interface (such as
NtCreateUserProcess), at which point the necessary data
structures are populated, and kernel-level tasks are executed
to set up the new process environment, involving extensive
validation, resource allocation, and accessibility checks.
Chapter 4 | Threads | Q&A
1. Question:
What is the significance of the CreateThread function in
Windows thread management?
Answer:The CreateThread function is pivotal as it
initiates the creation of a thread within a process. It
allows developers to specify security attributes,
stack size, entry point, and optional parameters.
This sets the groundwork for concurrent execution
and multitasking in Windows applications,
demonstrating how threads can be dynamically
managed as part of a process's lifecycle.

2. Question:
Why is the distinction between user-mode and
kernel-mode threads important?
Answer:The distinction is critical because it affects how
threads are scheduled and executed. User-mode threads
operate within user applications with limited privileges,
while kernel-mode threads run under the OS's control with
full access to system resources, facilitating essential
system-level operations and performance optimizations.

3. Question:
What internal structures does Windows use to manage
threads, and what roles do they play?
Answer:Windows utilizes various internal structures like the
ETHREAD and KTHREAD, which encapsulate
thread-specific data and control information. The ETHREAD
structure manages execution context, dependencies, and
security attributes, while KTHREAD caters to low-level
scheduling, synchronization, and performance metrics,
crucial for efficient thread management.

4. Question:
How does Windows ensure fairness in CPU time
allocation among threads?
Answer:Windows implements a priority-driven, preemptive
scheduling system that allows it to allocate CPU time based
on thread priority levels. By using mechanisms such as
quantum time slices, priority boosts, and the balance-set
manager for starving threads, Windows seeks to avoid
starvation and ensure responsive applications.

5. Question:
What is the impact of thread pools on application
performance, according to the chapter?
Answer:Thread pools enhance application performance by
reusing threads efficiently for multiple tasks, thus reducing
the overhead of frequent thread creation and destruction. This
optimizes resource usage and improves responsiveness,
particularly in high-load scenarios, by managing worker
threads through established kernel interfaces.

6. Question:
What are the general states a thread can exist in during
its lifecycle?
Answer:A thread can exist in several states: Ready (waiting
to run), Running (currently executing), Waiting (blocked by
I/O or other synchronization objects), Deferred Ready,
Standby, Terminated, and Initialized. Each state represents
specific conditions in the thread's lifecycle and influences
scheduling decisions.

7. Question:
How does Windows handle dynamic processor addition
and its effects on thread scheduling?
Answer:Windows dynamically adjusts its scheduling
algorithms when new processors are added. This involves
reinitializing thread affinity and ensuring that existing
processes can make use of the added CPUs. Applications can
then exploit these additional resources without requiring
system downtime.

8. Question:
What is the role of the balance-set manager in CPU
scheduling?
Answer:The balance-set manager is responsible for
identifying threads that have been waiting and boosting their
priorities to prevent starvation. This mechanism ensures that
all threads receive fair CPU time, particularly in scenarios
where lower-priority threads may have to wait excessively
due to high-priority threads dominating CPU resources.

9. Question:
Can you explain the concept of quantum in thread
scheduling as described in the chapter?
Answer:Quantum refers to the time slice allocated for a
thread to execute before the scheduler checks if another
thread should run. This ensures threads receive a fair
opportunity to execute while managing responsiveness and
performance. The quantum varies between client and server
systems, optimizing each OS variant's performance
characteristics.
Chapter 5 | Memory management | Q&A
1. Question:
What is the purpose of Windows Memory Management?
Answer:Windows Memory Management is designed
to implement virtual memory, translating process
virtual addresses into physical memory addresses,
managing the working sets of processes, and
providing services such as memory-mapped files,
copy-on-write memory, and support for applications
utilizing large memory spaces.

2. Question:
How does Windows determine the initial virtual address
space size for processes?
Answer:By default, the virtual size of a process on 32-bit
Windows is 2 GB, but if the image is marked as large address
space-aware and specific boot options are set, it can expand
to 3 GB on 32-bit and up to 4 GB on 64-bit systems.

3. Question:
What are key data structures used by the Memory
Manager to manage memory?
Answer:The key data structures include page tables, page
directory entries, working sets, Virtual Address Descriptors
(VADs), and the Page Frame Number (PFN) database, which
collectively track the allocation and management of both
virtual and physical memory.

4. Question:
What is the difference between reserved memory and
committed memory?
Answer:Reserved memory represents a range of virtual
addresses set aside for future use, consuming negligible
system resources, while committed memory is virtual
memory that has been allocated and is backed by physical
memory, requiring actual system resources.

5. Question:
How does the memory manager handle page faults?
Answer:When a page fault occurs, the memory manager uses
the PFN database to determine the reason for the fault,
checks if the page can be loaded from a page file or another
source, and then updates page tables and caches accordingly.

6. Question:
What role does the zero page thread play in memory
management?
Answer:The zero page thread creates zero-initialized pages
when they are needed, ensuring that there is a supply of
pages initialized to zero, ready for new memory allocations
to prevent sensitive data exposure.

7. Question:
Explain the significance of working sets. Why are they
important?
Answer:Working sets contain the set of pages in physical
memory that a process is actively using, which optimizes
memory access speed and system performance by reducing
the need to read pages from slow disk storage.

8. Question:
How are large pages utilized in Windows memory
management?
Answer:Large pages, which are bigger than the standard
small pages, are used to improve address translation speed
and memory access efficiency. They can be allocated by
applications to optimize performance for large data sets.

9. Question:
What is memory compression and how does it work in
Windows 10?
Answer:Memory compression allows Windows to store
modified pages in a compressed format in memory to reduce
the overall amount of RAM used. Compressed pages are
maintained in a separate memory area and can be quickly
accessed or decompressed when needed.

10. Question:
How does SuperFetch enhance memory management in
Windows?
Answer:SuperFetch proactively manages memory by
preloading frequently used applications' data into RAM
based on historical access patterns, thus minimizing hard
faults and improving user experience during application
launches.

11. Question:
What distinguishes memory partitions from traditional
memory management?
Answer:Memory partitions are designed to isolate memory
management structures and resources for different processes
or groups of processes, providing better control and
performance in environments with multiple applications
running concurrently.

12. Question:
Describe the process of creating and using an enclave in
Windows.
Answer:Creating an enclave involves calling the API to
specify enclave configuration, populating the enclave with
data, and initializing it for execution while maintaining strict
security and isolation from other processes.

13. Question:
What challenges does memory combining address?
Answer:Memory combining addresses memory waste by
identifying and merging duplicate pages in RAM, thus
optimizing physical memory usage without compromising
accessibility and performance.

14. Question:
Why can SuperFetch's effectiveness vary with different
user behaviors?
Answer:SuperFetch builds its efficiency based on historical
patterns of application usage; erratic or unpredictable user
behaviors can lead to suboptimal prefetching and potential
cache pollution, requiring SuperFetch to adapt to new
patterns.

15. Question:
What is the relationship between commit charge and
commit limit?
Answer:The commit charge is the total amount of virtual
memory that has been committed (allocated) and may reside
in RAM or page files, while the commit limit is the
maximum amount of memory that can be committed without
exceeding physical memory plus available page file space.
Chapter 6 | I/O system | Q&A
1. Question:
What is the primary purpose of the Windows I/O system?
Answer:To manage hardware devices and provide
interfaces for applications and the system to interact
with those devices.

2. Question:
How does the I/O manager facilitate communication
between applications and device drivers?
Answer:The I/O manager connects applications to virtual,
logical, and physical devices, and orchestrates I/O request
processing through I/O request packets (IRPs).

3. Question:
What are the key design goals of the Windows I/O
system?
Answer:To provide device abstraction, uniform security,
high-performance asynchronous I/O, dynamic driver loading,
support for Plug and Play, power management, and
flexibility in file systems.

4. Question:
Explain the role of the Plug and Play (PnP) manager in
the Windows I/O system. Why is it important?
Answer:The PnP manager enables the detection and
installation of hardware devices, managing hardware
resources and supporting the dynamic addition and removal
of devices. It is important for user-friendly hardware
management.

5. Question:
What are IRPs, and what is their significance in the I/O
system?
Answer:IRPs (I/O Request Packets) are data structures that
represent I/O operations. They contain all necessary
information to process the request and are central to how
requests are handled throughout the I/O system.

6. Question:
How does the concept of layering benefit the Windows
I/O system's design?
Answer:Layering allows multiple drivers to work together to
manage a single hardware device, making the system
modular and reducing code duplication, thus simplifying
updates and maintenance.

7. Question:
What is the hardware abstraction layer (HAL), and how
does it contribute to device driver development?
Answer:The HAL provides a set of APIs that insulate drivers
from hardware specifics, allowing them to interact with
hardware in a platform-independent way, enhancing
portability and ease of development.

8. Question:
Describe how the I/O manager supports asynchronous
I/O operations and their advantages for applications.
Answer:Asynchronous I/O allows applications to continue
executing while I/O operations are in progress, improving
throughput and responsiveness, particularly for applications
that perform multiple I/O operations.

9. Question:
Discuss the importance of driver signing and how it
impacts system security.
Answer:Driver signing ensures that only tested and verified
drivers can be installed, reducing the risk of malicious or
unstable code affecting system stability and security.

10. Question:
What are the implications of a driver failing to handle
power management correctly?
Answer:If a driver doesn't respond appropriately to power
management requests, it can prevent the system from
entering low-power states, leading to higher power
consumption and reduced battery life.

11. Question:
Explain the concept of device power states and their role
in power management.
Answer:Device power states (D0 to D3) define how much
power a device consumes, ranging from fully on (D0) to off
(D3) states. Effective management of these states is crucial
for energy conservation and system performance.

12. Question:
How does the Windows power manager decide on system
power transitions?
Answer:The power manager evaluates system activity levels,
power availability, user requests, and device capabilities to
determine when to transition the system between different
power states.

13. Question:
Can you explain what I/O completion ports are and how
they enhance server application performance?
Answer:I/O completion ports provide a mechanism for
handling multiple I/O requests with minimal context
switching by allowing threads to wait for notification of
completed I/Os, thus enhancing scalability and throughput.

14. Question:
What role does Driver Verifier play in improving driver
quality?
Answer:Driver Verifier helps identify bugs and ensure
compliance with standards during driver development,
reducing crash risks and improving overall driver stability in
Windows.

15. Question:
Summarize how the power management framework in
Windows has evolved and its benefits.
Answer:The power management framework helps drivers
manage power states effectively, allowing for individual
component power management, improving energy efficiency,
and enhancing battery life on portable devices.

16. Question:
What are the key responsibilities of a function driver in
the context of the Windows I/O system?
Answer:A function driver manages operation interfaces for a
specific device type, handles I/O requests, and communicates
with other drivers in a device stack to facilitate complete
device functionality.
Chapter 7 | Security | Q&A
1. Question:
Why is security important in a multi-user environment?
Answer:Security is vital in multi-user environments
to protect sensitive data from unauthorized access
and modifications by other users who may share the
same resources. Each user must be identified,
authenticated, and granted specific rights to ensure
data integrity and confidentiality.

2. Question:
What are the core requirements for a secure operating
system according to the C2 security rating?
Answer:The core requirements for a C2 security rating
include: a secure logon facility, discretionary access control
allowing resource owners to manage access, security auditing
to track events, and object reuse protection to ensure
previously deleted data cannot be accessed.

3. Question:
How does Windows ensure that unauthorized programs
cannot intercept user credentials during logon?
Answer:Windows implements a trusted path functionality,
such as the Ctrl+Alt+Delete keystroke sequence, which
reliably activates the task manager and ensures that any
logon dialogues presented are legitimate and controlled by
the system.

4. Question:
What is the significance of the Common Criteria in
software security?
Answer:The Common Criteria provides a standardized
framework for evaluating and certifying the security
capabilities of software, including operating systems, helping
users and organizations understand the level of security
protections offered.

5. Question:
What role does the Local Security Authority (LSA) play
in Windows security?
Answer:The LSA is responsible for enforcing security
policies, user authentication, and managing logon sessions. It
handles the creation and management of access tokens that
represent user credentials and permissions in the system.

6. Question:
How does Credential Guard enhance security in
Windows?
Answer:Credential Guard uses virtualization-based security
to protect user credentials by isolating them from potential
attacks. It stores sensitive authentication information in a
secure environment that is not accessible to regular
processes, thereby mitigating the risk of credential theft.

7. Question:
What is the purpose of virtualization-based security
(VBS) in Windows?
Answer:VBS provides an additional protection layer to
prevent attacks on the kernel by isolating key security
components and operations from untrusted applications and
processes running in user mode, establishing a 'Virtual Trust
Level' that fortifies security enforcement.

8. Question:
Can you explain the concept of User Account Control
(UAC) and its importance?
Answer: User Account Control (UAC) allows Windows users
to run with standard user privileges while still enabling
elevation of permissions when necessary. This mitigates risks
associated with malware and helps prevent unauthorized
changes to system settings.

What are some exploit mitigations provided by Windows,
and how do they protect the system?
Answer: Windows provides several exploit mitigations like
Control Flow Guard (CFG), Data Execution Prevention
(DEP), and Kernel Patch Protection (KPP). These mitigate
various attack vectors by preventing unauthorized control
flow alterations, restricting memory access for executables,
and detecting and terminating unsanctioned kernel
modifications.

How do AppContainer SIDs enhance application security
in Windows?
Answer: AppContainer SIDs establish a unique identity for
applications that limits their ability to access system
resources, thus enhancing security by ensuring that
applications can only interact with resources explicitly
allowed by their capabilities defined in their manifests.
Windows Internals, Part 1 Quiz and Test

Chapter 1 | Concepts and tools | Quiz and Test
1. The Windows API includes both 32-bit and 64-bit programming interfaces.
2. Windows 10 has a significant version change called Windows 11 that introduces a new user interface.
3. In Windows, user applications operate in kernel mode for enhanced system stability.
Chapter 2 | System architecture | Quiz and Test
1. Windows NT is a 32-bit preemptive operating system designed to be compatible with various hardware architectures.
2. Windows NT's architecture is completely monolithic with no layers or abstractions for hardware differences.
3. The kernel mode in Windows has limited access to hardware compared to user mode.
Chapter 3 | Processes and jobs | Quiz and Test
1. The CreateProcess function is the only method available for creating processes in Windows.
2. Protected processes restrict actions that other processes can perform on them, even for administrators.
3. The EPROCESS structure contains limited information about a Windows process and does not relate to memory management.
Chapter 4 | Threads | Quiz and Test
1. The primary API function to create threads in Windows is CreateThread.
2. Thread objects are automatically destroyed when a thread exits.
3. Windows uses a priority-driven preemptive scheduling system for managing threads.
Chapter 5 | Memory management | Quiz and Test
1. The default virtual address space on 32-bit Windows is 2 GB.
2. On 64-bit Windows, the address space can reach up to 256 TB.
3. SuperFetch predicts and loads pages into RAM based on historical usage to optimize performance.
Chapter 6 | I/O system | Quiz and Test
1. The Windows I/O system does not support power management capabilities.
2. The I/O Manager is responsible for connecting applications to devices and managing I/O requests.
3. Device drivers can be categorized exclusively as Plug and Play drivers.
Chapter 7 | Security | Quiz and Test
1. Security is only important in single-user environments to prevent unauthorized access.
2. The TCSEC ratings, also known as the Orange Book, classify operating systems based on protection levels, with C2 as a practical standard for general-purpose OS security.
3. User Account Control (UAC) solely relies on administrative credentials to allow application execution.
