Windows computers use many different types of hardware. The operating system can be installed on a purchased computer or on a computer that the user assembled. When the operating system is installed, it must be isolated from differences in hardware. In this article, I will cover what you need to know about Windows architecture and operation.
The figure shows the basic windows architecture with the applications at the top, the User-Mode Drivers and Windows API below them, Other Kernel-Mode Drivers, Operating System Kernel, and File System Drivers below them, the Hardware Abstraction Layer below them, and at the bottom, the Hardware.
A hardware abstraction layer (HAL) is software that handles all of the communication between the hardware and the kernel. The kernel is the core of the operating system and has control over the entire computer. It handles all of the input and output requests, memory, and all of the peripherals connected to the computer.
In some instances, the kernel still communicates with the hardware directly, so it is not completely independent of the HAL. The HAL also needs the kernel to perform some functions.
User Mode and Kernel Mode
As identified in the figure, there are two different modes in which a CPU operates when the computer has Windows installed: the user mode and the kernel mode.
This figure is the same as the previous article but shows that the Applications, User-Mode Drivers and Windows API make up the User Mode while the Other Kernel-Mode Drivers, Operating System Kernel, and File System Drivers, the Hardware Abstraction Layer, and the Hardware make up the Kernel Mode.
Installed applications run in user mode, and operating system code runs in kernel mode. Code that is executing in kernel mode has unrestricted access to the underlying hardware and is capable of executing any CPU instruction. Kernel mode code can also reference any memory address directly. Kernel mode is generally reserved for the most trusted functions of the OS, and a crash in code running in kernel mode stops the operation of the entire computer. Conversely, programs such as user applications run in user mode and have no direct access to hardware or memory locations.
User mode code must go through the operating system to access hardware resources. Because of the isolation provided by user mode, crashes in user mode are restricted to the application only and are recoverable. Most of the programs in Windows run in user mode. Device drivers, pieces of software that allow the operating system and a device to communicate, may run in either kernel or user mode, depending on the driver.
All of the code that runs in kernel mode uses the same address space. Kernel-mode drivers have no isolation from the operating system. If an error occurs with the driver running in kernel mode, and it writes to the wrong address space, the operating system or another kernel-mode driver could be adversely affected. In this respect, the driver might crash, causing the entire operating system to crash.
When user mode code runs, it is granted its own restricted address space by the kernel, along with a process created specifically for the application. The reason for this functionality is mainly to prevent applications from changing operating system code that is running at the same time. By having its own process, that application has its own private address space, rendering other applications unable to modify the data in it. This also helps to prevent the operating system and other applications from crashing if that application crashes.
Windows File Systems
A file system is how information is organized on storage media. Some file systems may be a better choice to use than others, depending on the type of media that will be used. The table lists the file systems that Windows supports.
| Windows File System | Description |
|---|---|
| Hierarchical File System Plus (HFS+) | |
| Extended File System (EXT) | |
| New Technology File System (NTFS) | |
NTFS is the most widely used file system for Windows for many reasons. NTFS supports very large files and partitions and it is very compatible with other operating systems. NTFS is also very reliable and supports recovery features. Most importantly, it supports many security features. Data access control is achieved through security descriptors.
These security descriptors contain file ownership and permissions all the way down to the file level. NTFS also tracks several timestamps to record file activity. Sometimes referred to as MACE, the timestamps Modify, Access, Create, and Entry Modified are often used in forensic investigations to determine the history of a file or folder. NTFS also supports file system encryption to secure the entire storage media.
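The following script is an added example, not part of the original article, showing how a reviewer can read the two pieces of NTFS metadata just described: the security descriptor (owner and access control entries) and the timestamps that feed a MACE timeline. It also flags files whose last-write time is earlier than their creation time, an ordering that does not arise from normal editing on the volume and usually means the file was copied in from elsewhere or its timestamps were altered. The folder path C:\ADS is an assumption.

```powershell
# Added example (not part of the original article): summarise the NTFS security
# descriptor and MACE-style timestamps of every file under a folder, and flag files
# whose modification time predates their creation time. The $Path value is an
# assumption; point it at any folder you want to review.
function Get-NtfsFileSummary {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # The security descriptor: owner plus the discretionary ACL entries.
        $acl = Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            Path                  = $file.FullName
            Owner                 = if ($acl) { $acl.Owner } else { '<unreadable>' }
            AceCount              = if ($acl) { $acl.Access.Count } else { 0 }
            Created               = $file.CreationTime      # C in MACE
            Modified              = $file.LastWriteTime     # M in MACE
            Accessed              = $file.LastAccessTime    # A in MACE
            # E (Entry Modified, the MFT record change time) is not exposed by
            # Get-ChildItem; it needs an MFT parser or a dedicated forensic tool.
            ModifiedBeforeCreated = ($file.LastWriteTime -lt $file.CreationTime)
        }
    }
}

# Usage: list every file, then show only the files with the suspicious ordering.
$summary = Get-NtfsFileSummary -Path 'C:\ADS'   # assumed folder
$summary | Format-Table Path, Owner, AceCount, Created, Modified -AutoSize
$summary | Where-Object ModifiedBeforeCreated | Format-Table Path, Created, Modified -AutoSize
```

Treat the Accessed column with care: Windows can disable last-access updates for performance, so an old access time does not prove the file was not read.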
Before a storage device such as a disk can be used, it must be formatted with a file system. In turn, before a file system can be put into place on a storage device, the device needs to be partitioned. A hard drive is divided into areas called partitions. Each partition is a logical storage unit that can be formatted to store information, such as data files or applications. During the installation process, most operating systems automatically partition and format the available drive space with a file system such as NTFS.
NTFS formatting creates important structures on the disk for file storage, and tables for recording the locations of files:
- Partition Boot Sector – This is the first 16 sectors of the drive. It contains the location of the Master File Table (MFT). The last 16 sectors contain a copy of the boot sector.
- Master File Table (MFT) – This table contains the locations of all the files and directories on the partition, including file attributes such as security information and timestamps.
- System Files – These are hidden files that store information about other volumes and file attributes.
- File Area – The main area of the partition where files and directories are stored.
Note: When formatting a partition, the previous data may still be recoverable because not all the data is completely removed. The free space can be examined, and files can be retrieved which can compromise security. It is recommended to perform a secure wipe on a drive that is being reused. The secure wipe will write data to the entire drive multiple times to ensure there is no remaining data.
Alternate Data Streams
NTFS stores files as a series of attributes, such as the name of the file, or a timestamp. The data which the file contains is stored in the attribute $DATA, and is known as a data stream. By using NTFS, you can connect Alternate Data Streams (ADSs) to the file. This is sometimes used by applications that are storing additional information about the file. The ADS is an important factor when discussing malware. This is because it is easy to hide data in an ADS. An attacker could store malicious code within an ADS that can then be called from a different file.
In the NTFS file system, a file with an ADS is identified after the filename and a colon, for example, Testfile.txt:ADS. This filename indicates an ADS called ADS is associated with the file called Testfile.txt. An example of ADS is shown in the command output.
```text
C:\ADS> echo "Alternate Data Here" > Testfile.txt:ADS
C:\ADS> dir
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
               1 File(s)              0 bytes
               2 Dir(s)  43,509,571,584 bytes free

C:\ADS> more < Testfile.txt:ADS
"Alternate Data Here"

C:\ADS> dir /r
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
                                    24 Testfile.txt:ADS:$DATA
               1 File(s)              0 bytes
               2 Dir(s)  43,509,624,832 bytes free

C:\ADS>
```
In the output:
- The first command places the text “Alternate Data Here” into an ADS of the file Testfile.txt called “ADS”.
- After that, dir shows that the file was created, but the ADS is not visible.
- The next command shows that there is data in the Testfile.txt:ADS data stream.
- The last command shows the ADS of the Testfile.txt file because the /r switch was used with the dir command.
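As an added example (not part of the original article), the script below does from PowerShell what the dir /r demonstration above does by hand: it recreates Testfile.txt with its ADS, walks a folder, lists every stream other than the primary :$DATA stream, and flags the ones that are not on a short allow-list. Zone.Identifier is the stream Windows attaches to downloaded files, so it is listed but not flagged. The folder C:\ADS and the allow-list are assumptions.

```powershell
# Added example (not part of the original article): enumerate alternate data
# streams under a folder and flag any stream that is not on the known list.
# $Path and $KnownStreams are assumptions for this demonstration.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that are normal on a workstation and should not raise an alert.
        [string[]] $KnownStreams = @('Zone.Identifier')
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream, including the primary ':$DATA'.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Length     = $_.Length
                    Suspicious = ($KnownStreams -notcontains $_.Stream)
                }
            }
    }
}

# Recreate the article's demonstration file, then scan the folder for it.
New-Item -ItemType Directory -Path 'C:\ADS' -Force | Out-Null
New-Item -ItemType File -Path 'C:\ADS\Testfile.txt' -Force | Out-Null   # empty primary stream
Set-Content -Path 'C:\ADS\Testfile.txt' -Stream 'ADS' -Value 'Alternate Data Here'

$streams = Find-AlternateDataStreams -Path 'C:\ADS'
$streams | Format-Table File, Stream, Length, Suspicious -AutoSize

# Read the content of each flagged stream for triage.
foreach ($s in ($streams | Where-Object Suspicious)) {
    Get-Content -Path $s.File -Stream $s.Stream
}
```

Run against C:\ADS the scan reports one row, Testfile.txt with stream ADS, marked Suspicious because it is not on the allow-list; the loop at the end then prints the text that was written into it.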
Windows Boot Process
Many actions occur between the time that the computer power button is pressed and Windows is fully loaded, as shown in the figure. This is known as the Windows Boot process.
The figure shows a flowchart of the Windows boot process. The process starts with either BIOS initialization or UEFI initialization. In the case of BIOS initialization, the next step is the POST, followed by the MBR. In the case of UEFI initialization, the next step is the EFI files. The next steps for both paths are Bootmgr.exe, followed by the BCD. If the computer is resuming from hibernation, the next step is Winresume.exe, followed by Hiberfil.sys, and then the logon. From a cold boot, after the BCD, the next steps are Winload.exe, KMCS, Ntoskrnl.exe, HAL, SMSS, and finally, logon.
Two types of computer firmware exist:
- Basic Input-Output System (BIOS) – BIOS firmware was created in the early 1980s and works in the same way it did when it was created. As computers evolved, it became difficult for BIOS firmware to support all the new features requested by users.
- Unified Extensible Firmware Interface (UEFI) – UEFI was designed to replace BIOS and support the new features.
In BIOS firmware, the process begins with the BIOS initialization phase. This is when hardware devices are initialized and a power on self-test (POST) is performed to make sure all of these devices are communicating. When the system disk is discovered, the POST ends. The last instruction in the POST is to look for the master boot record (MBR).
The MBR contains a small program that is responsible for locating and loading the operating system. The BIOS executes this code and the operating system starts to load.
In contrast to BIOS firmware, UEFI firmware has a lot of visibility into the boot process. UEFI boots by loading EFI program files, stored as .efi files in a special disk partition, known as the EFI System Partition (ESP).
Note: A computer that uses UEFI stores boot code in the firmware. This helps to increase the security of the computer at boot time because the computer goes directly into protected mode.
Whether the firmware is BIOS or UEFI, after a valid Windows installation is located, the Bootmgr.exe file is run. Bootmgr.exe switches the system from real mode to protected mode so that all of the system memory can be used.
Bootmgr.exe reads the Boot Configuration Database (BCD). The BCD contains any additional code needed to start the computer, along with an indication of whether the computer is coming out of hibernation, or if this is a cold start. If the computer is coming out of hibernation, the boot process continues with Winresume.exe. This allows the computer to read the Hiberfil.sys file which contains the state of the computer when it was put into hibernation.
If the computer is being booted from a cold start, then the Winload.exe file is loaded. The Winload.exe file creates a record of the hardware configuration in the registry. The registry is a record of all of the settings, options, hardware, and software the computer has. The registry will be explored in depth later in this chapter. Winload.exe also uses Kernel Mode Code Signing (KMCS) to make sure that all drivers are digitally signed. This ensures that the drivers are safe to load as the computer starts.
After the drivers have been examined, Winload.exe runs Ntoskrnl.exe which starts the Windows kernel and sets up the HAL. Finally, the Session Manager Subsystem (SMSS) reads the registry to create the user environment, start the Winlogon service, and prepare each user’s desktop as they log on.
There are two important registry items that are used to automatically start applications and services:
- HKEY_LOCAL_MACHINE – Several aspects of Windows configuration are stored in this key, including information about services that start with each boot.
- HKEY_CURRENT_USER – Several aspects related to the logged in user are stored in this key, including information about services that start only when the user logs on to the computer.
The registry will be discussed later in this topic.
Different entries in these registry locations define which services and applications will start, as indicated by their entry type. These types include Run, RunOnce, RunServices, RunServicesOnce, and Userinit. These entries can be manually entered into the registry, but it is much safer to use the Msconfig.exe tool. This tool is used to view and change all of the start-up options for the computer. Use the search box to find and open the Msconfig tool.
The Msconfig tool opens the System Configuration window. There are five tabs which contain the configuration options.
Three different startup types can be chosen here. Normal loads all drivers and services. Diagnostic loads only basic drivers and services. Selective allows the user to choose what to load on startup.
It is always best to perform a proper shutdown to turn off the computer. Files that are left open, services that are closed out of order, and applications that hang can all be damaged if the power is turned off without first informing the operating system. The computer needs time to close each application, shut down each service, and record any configuration changes before power is lost.
During shutdown, the computer will close user mode applications first, followed by kernel mode processes. If a user mode process does not respond within a certain amount of time, the OS will display notification and allow the user to wait for the application to respond, or forcibly end the process. If a kernel mode process does not respond, the shutdown will appear to hang, and it may be necessary to shut down the computer with the power button.
There are several ways to shut down a Windows computer: Start menu power options, the command line command shutdown, and using Ctrl+Alt+Delete and clicking the power icon. There are three different options from which to choose when shutting down the computer:
- Shutdown – Turns the computer off (power off).
- Restart – Re-boots the computer (power off and power on).
- Hibernate – Records the current state of the computer and user environment and stores it in a file. Hibernation allows the user to pick up right where they left off very quickly with all their files and programs still open.
Processes, Threads, and Services
A Windows application is made up of processes. The application can have one or many processes dedicated to it. A process is any program that is currently executing. Each process that runs is made up of at least one thread. A thread is a part of the process that can be executed. The processor performs calculations on the thread. To configure Windows processes, search for Task Manager. The Processes tab of the Task Manager is shown in the figure.
All of the threads dedicated to a process are contained within the same address space. This means that these threads may not access the address space of any other process. This prevents corruption of other processes. Because Windows multitasks, multiple threads can be executed at the same time. The number of threads that can be executed at the same time depends on the number of the computer's processors.
Some of the processes that Windows runs are services. These are programs that run in the background to support the operating system and applications. They can be set to start automatically when Windows boots or they can be started manually. They can also be stopped, restarted, or disabled.
Services provide long-running functionality, such as wireless or access to an FTP server. To configure Windows Services, search for services. The Windows Services control panel applet is shown in the figure.
Be very careful when manipulating the settings of these services. Some programs rely on one or more services to operate properly. Shutting down a service may adversely affect applications or other services.
Memory Allocation and Handles
A computer works by storing instructions in RAM until the CPU processes them. The virtual address space for a process is the set of virtual addresses that the process can use. The virtual address is not the actual physical location in memory, but an entry in a page table that is used to translate the virtual address into the physical address.
Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes. Each process in a 64-bit Windows computer supports a virtual address space of 8 terabytes.
Each user space process runs in a private address space, separate from other user space processes. When the user space process needs to access kernel resources, it must use a process handle. This is because the user space process is not allowed to directly access these kernel resources. The process handle provides the access needed by the user space process without a direct connection to it.
A powerful tool for viewing memory allocation is RAMMap, which is shown in the figure. RAMMap is part of the Windows Sysinternals Suite of tools. It can be downloaded from Microsoft. RAMMap provides a wealth of information regarding how Windows has allocated system memory to the kernel, processes, drivers, and applications.
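To tie the three preceding sections together, here is an added example (not part of the original article, and unrelated to RAMMap) that takes the same kind of snapshot the Task Manager Processes tab and the Services applet present: each process with its thread count, handle count, working set and image path, and each service with its start mode and binary path. It also points out automatic services that are not running, which is often the first sign that a service failed to start. The Top value and the "automatic but stopped" rule are assumptions chosen for the demonstration.

```powershell
# Added example (not part of the original article): a snapshot of processes with
# their thread and handle counts, plus services with how they start and what they run.
function Get-ProcessThreadSummary {
    param([int] $Top = 15)   # assumed cut-off so the busiest processes stand out

    Get-Process | ForEach-Object {
        [PSCustomObject]@{
            Name         = $_.ProcessName
            Id           = $_.Id
            Threads      = $_.Threads.Count      # at least one per process
            Handles      = $_.HandleCount        # open handles to kernel objects
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Path         = $_.Path               # $null for protected/system processes
        }
    } | Sort-Object Handles -Descending | Select-Object -First $Top
}

function Get-ServiceStartSummary {
    # Win32_Service exposes the start mode and the binary each service runs.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [PSCustomObject]@{
            Name           = $_.Name
            State          = $_.State
            StartMode      = $_.StartMode        # Auto, Manual, Disabled, ...
            PathName       = $_.PathName
            # An automatic service that is not running can point at a failed start.
            AutoButStopped = ($_.StartMode -eq 'Auto' -and $_.State -ne 'Running')
        }
    }
}

Get-ProcessThreadSummary | Format-Table -AutoSize
Get-ServiceStartSummary | Where-Object AutoButStopped |
    Format-Table Name, State, StartMode, PathName -AutoSize
```

Some automatic services are "trigger start" or delayed and are legitimately stopped much of the time, so compare the AutoButStopped list against a healthy host before drawing conclusions.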
The Windows Registry
Windows stores all of the information about hardware, applications, users, and system settings in a large database known as the registry. The ways that these objects interact are also recorded, such as what files an application opens and all of the property details of folders and applications. The registry is a hierarchical database where the highest level is known as a hive, below that there are keys, followed by subkeys. Values store data and are stored in the keys and subkeys. A registry key can be up to 512 levels deep.
The table lists the five hives of the Windows registry.
| Registry Hive | Description |
|---|---|
| HKEY_CURRENT_USER (HKCU) | Holds information concerning the currently logged in user. |
| HKEY_USERS (HKU) | Holds information concerning all the user accounts on the host. |
| HKEY_CLASSES_ROOT (HKCR) | Holds information about object linking and embedding (OLE) registrations. OLE allows users to embed objects from other applications (like a spreadsheet) into a single document (like a Word document). |
| HKEY_LOCAL_MACHINE (HKLM) | Holds system-related information. |
| HKEY_CURRENT_CONFIG (HKCC) | Holds information about the current hardware profile. |
New hives cannot be created. The registry keys and values in the hives can be created, modified, or deleted by an account with administrative privileges. As shown in the figure, the tool regedit.exe is used to modify the registry. Be very careful when using this tool. Minor changes to the registry can have massive or even catastrophic effects.
Navigation in the registry is very similar to Windows file explorer. Use the left panel to navigate the hives and the structure below it and use the right panel to see the contents of the highlighted item in the left panel. With so many keys and subkeys, the key path can become very long. The path is displayed at the bottom of the window for reference. Because each key and subkey is essentially a container, the path is represented much like a folder in a file system. The backslash (\) is used to differentiate the hierarchy of the database.
Registry keys can contain either a subkey or a value. The different values that keys can contain are as follows:
- REG_BINARY – Numbers or Boolean values
- REG_DWORD – Numbers greater than 32 bits or raw data
- REG_SZ – String values
Because the registry holds almost all the operating system and user information, it is critical to make sure that it does not become compromised. Potentially malicious applications can add registry keys so that they start when the computer is started. During a normal boot, the user will not see the program start because the entry is in the registry and the application displays no windows or indication of starting when the computer boots. A keylogger, for example, would be devastating to the security of a computer if it were to start at boot without the user’s knowledge or consent. When performing normal security audits, or remediating an infected system, review the application startup locations within the registry to ensure that each item is known and safe to run.
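The startup audit recommended here, and the Run/RunOnce/Userinit entries named in the Windows Boot Process section, can be reviewed with the following added example (not part of the original article). It reads the Run and RunOnce keys under both HKLM and HKCU, reports each value with its registry type and command line, and compares the value names against a baseline list so that anything not already known stands out. It also reads the Userinit value from the Winlogon key. The baseline name passed in at the bottom is an assumption; replace it with what a known-good host shows.

```powershell
# Added example (not part of the original article): inventory the registry
# autostart entries discussed in the text and mark entries not on a baseline.
# The -Expected list is an assumption; fill it from a known-good host.
function Get-AutostartEntries {
    param(
        [string[]] $Expected = @()
    )

    $locations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($keyPath in $locations) {
        # Get-Item on a registry path returns a RegistryKey object.
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }                       # key may not exist on every host

        foreach ($valueName in $key.GetValueNames()) {
            [PSCustomObject]@{
                Key      = $keyPath
                Name     = $valueName
                Type     = $key.GetValueKind($valueName)  # REG_SZ, REG_EXPAND_SZ, ...
                Command  = $key.GetValue($valueName)
                Expected = ($Expected -contains $valueName)
            }
        }
    }

    # Userinit runs at every logon; anything appended to it starts with the user session.
    $winlogon = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($winlogon) {
        [PSCustomObject]@{
            Key      = $winlogon.PSPath
            Name     = 'Userinit'
            Type     = $winlogon.GetValueKind('Userinit')
            Command  = $winlogon.GetValue('Userinit')
            Expected = ($Expected -contains 'Userinit')
        }
    }
}

$entries = Get-AutostartEntries -Expected @('SecurityHealth', 'Userinit')   # assumed baseline
$entries | Format-Table Key, Name, Type, Command, Expected -AutoSize

# Anything that is not in the baseline deserves a closer look.
$entries | Where-Object { -not $_.Expected }
```

Because the HKCU hive reflects only the account running the script, repeat the HKCU portion under each user profile that logs on to the host, or load the other users' hives, to get a complete picture.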
The registry also contains the activity that a user performs during normal day-to-day computer use. This includes the history of hardware devices, including all devices that have been connected to the computer including the name, manufacturer and serial number. Other information, such as what documents a user and program have opened, where they are located, and when they were accessed is stored in the registry. This is all very useful information when a forensics investigation needs to be performed.
Lab – Exploring Processes, Threads, Handles, and Windows Registry
In this lab, you will explore the processes, threads, and handles using Process Explorer in Sysinternals Suite. You will also use the Windows Registry to change a setting.