Interactive reference

Understand Windows from the inside out

Start with the map below — each block is a real part of the system. Click to learn what it does, then dive into topics, labs, and guided paths.

Guided paths for beginners · Clickable schematics · Hands-on labs (EVTX, ACL, DNS)
Click any block to see what it does, then jump into the matching topic in the tree.
Windows system architecture (schematic; ntdll syscalls mark the user/kernel boundary)

User mode: Desktop & shell; Apps & runtime; Virtualization; Services (SCM); Logon & auth; Security policy; Registry; Diagnostics & logs; IPC (ALPC)

Kernel mode: Processes & threads; Memory manager; Executive & objects; I/O Manager; Storage & NTFS; Network stack; Access checks (SRM)

Drivers & platform: Device drivers; HAL & platform; Boot & firmware

Start here

A guided path for people who are new to Windows internals.

View full path

Deep-dive paths

Curated sequences that connect multiple topics into one concept journey.

Explore all topics

Diagnostics -> Event Log -> EVTX

Start from Windows telemetry, understand providers and channels, then move into EVTX structure and hands-on parsing.

Processes -> Objects -> Scheduling

Learn how Windows represents running work, how handles and objects fit in, and how the scheduler actually decides what runs.

Memory -> VAD -> Storage Cache

Move from private virtual address spaces into VADs, pools, and then the cache/storage layer that shapes real-world file I/O performance.

Startup -> Logon -> Auth -> Tokens

Follow the path from early session initialization into Winlogon, LSASS, authentication packages, and the tokens that processes actually use.

Processes -> PE -> Loader -> WOW64

Bridge the gap between a running process and the executable/runtime machinery that maps images, loads DLLs, and keeps 32-bit apps working on 64-bit Windows.

Security deep dive

From identity (tokens) to object policy (DACL/SACL), through kernel access checks (SRM), ending with UAC and integrity boundaries.

Networking stack tour

Follow a connection from Winsock and DNS through TCP/IP, filtering (WFP/BFE), down to NDIS and the NIC.

GUI & session UI

Understand sessions, window stations, desktops, USER/GDI objects, and the CSRSS/Win32k plumbing behind the shell.

Memory deep dive

VADs, pools, paging, working sets, and how the cache uses RAM.

I/O & drivers

From the I/O Manager and IRPs through driver stacks to PnP and power management.

Virtualization & VBS

Hyper-V partitions, enlightened I/O, and virtualization-based security.

Authentication path

From Winlogon through LSASS to Kerberos/NTLM and crypto plumbing.

Loader & runtime

PE images, DLL loading, and WOW64 on 64-bit Windows.

Storage path

Volumes, NTFS, cache, and reparse points.

Top-level themes

System architecture

How Windows separates user mode and kernel mode, and why the system is built in layers.

Processes & threads

How Windows represents work, isolates applications, and schedules execution.

Memory management

Virtual address spaces, paging, working sets, and how Windows tracks memory.

Diagnostics & logging

Where Windows records what happened: Event Log, ETW, and crash-oriented clues.

Security

Access tokens, privileges, integrity, and how Windows decides who can do what.

I/O system

How Windows turns API requests into IRPs, driver stack work, and device operations.

Services & background infrastructure

How Windows launches, groups, isolates, and supervises long-running background components.

Registry & configuration

How Windows stores system and application configuration in hierarchical hives.

Storage & file systems

Disks, volumes, cache, and the file-system layers that make persistence usable.

Networking

How Windows moves data through the TCP/IP stack, filtering layers, and endpoint APIs.

Startup & shutdown

How Windows goes from firmware to an interactive session, and how it shuts the system down safely.

GUI & windowing

Sessions, desktops, USER/GDI objects, and the Windows-specific UI machinery above the core kernel.

IPC & component boundaries

How Windows components communicate across process boundaries using local RPC, named pipes, and other message channels.

Authentication & logon

How Windows turns credentials into authenticated sessions, security contexts, and usable access tokens.

Executable loading & runtime

PE images, DLL loading, runtime data structures, and compatibility layers such as WOW64.

Virtualization

Hypervisor layers, virtual machines, and how Windows isolates guests from the host.