Skip to content

Windows Internals

Windows Internals is an umbrella term that refers to the architecture and it's back-end components that make up the Windows Operating System.

These internals cannot change without compromising how the operating system operates. Because of this, this architecture is also where the system is most vulnerable.

This can include processes, file formats, COM (Component Object Model), task scheduling, I/O System, etc.

Securable objects

At the lowest level, nearly everything in windows is a securable object. This means that all of these components that make up the internals architecutre are all able to have security descriptors attached to them: - It's owner - DACL (Discretionary Access Control List) - SACL (System Access Control List) - Permissions

These are managed through the Windows Security Model and enforced by the Object Manager in the Windows Kernel.

Eventually this could lead to insecure permissions: - Service executables - DLLs loaded by privileged processes - Registry keys with configurations settings - Named pipes - Process and thread objects - Service configurations - etc.

Tip

This is something we dove into when covering Windows Privesc.

Oversimplified Architectural overview

graph BT;
    subgraph Computer
    direction BT
        Hardware --> firmware["Firmware  (BIOS or UEFI)"]

        subgraph OS[Windows Operating System]
        direction BT
            bootldr[Windows bootloader]

            subgraph km[Kernel-mode]
            direction BT
                HAL["Kernel run-time
                &
                Hardware Abstraction Layer (HAL)"]
                Kernel
                dd[Device drivers]
                es["Executive (Subsystems)"]
                wg[Windowing and graphics]
            end

            subgraph um[User-mode]
                SDLL[Subsystem DLLs] --> NTDLL["NTDLL.DLL (run-time library)"]
                up[Processes] --> SDLL
                servp[Services] --> SDLL
                sysp[System processes] --> SDLL
                sysp --> NTDLL
                env[Environment subsystems] --> NTDLL
            end
        end
    end

    firmware -.-> bootldr
    bootldr -.-> HAL
    km <-.-> um