Security deep dive
From identity (tokens) to object policy (DACL/SACL), through kernel access checks (SRM), ending with UAC and integrity boundaries.
Explore
Pick a theme from the tree, search for a term, or start with the beginner path below. Each page combines a mental model, key terms, a concrete example, and links to practice where relevant.
16 top-level branches, 73 topics (21 beginner · 39 intermediate · 13 expert). 7 schematics, 26 with Windows building blocks listed.
Recommended order for beginners who want a guided sequence.
Step 1: Start here to build the mental map for the rest of the site.
Step 2: Once you know the OS layers, learn how Windows represents running work.
Step 3: Memory is the next core building block once processes make sense.
Step 4: This is the best bridge between concepts and concrete evidence on a running system.
Short sequences per branch (security, memory, auth, I/O, and more).
Follow a connection from Winsock and DNS through TCP/IP, filtering (WFP/BFE), down to NDIS and the NIC.
Understand sessions, window stations, desktops, USER/GDI objects, and the CSRSS/Win32k plumbing behind the shell.
VADs, pools, paging, working sets, and how the cache uses RAM.
From the I/O Manager and IRPs through driver stacks and PnP/power.
Hyper-V partitions, enlightened I/O, and virtualization-based security.
From Winlogon through LSASS to Kerberos/NTLM and crypto plumbing.
PE images, DLL loading, and WOW64 on 64-bit Windows.
Volumes, NTFS, cache, and reparse points.
How Windows separates user mode and kernel mode, and why the system is built in layers.
How Windows represents work, isolates applications, and schedules execution.
Virtual address spaces, paging, working sets, and how Windows tracks memory.
Where Windows records what happened: Event Log, ETW, and crash-oriented clues.
Access tokens, privileges, integrity, and how Windows decides who can do what.
How Windows turns API requests into IRPs, driver stack work, and device operations.
How Windows launches, groups, isolates, and supervises long-running background components.
How Windows stores system and application configuration in hierarchical hives.
Disks, volumes, cache, and the file-system layers that make persistence usable.
How Windows moves data through the TCP/IP stack, filtering layers, and endpoint APIs.
How Windows goes from firmware to an interactive session, and how it tears systems down safely.
Sessions, desktops, USER/GDI objects, and the Windows-specific UI machinery above the core kernel.
How Windows components communicate across process boundaries using local RPC, named pipes, and other message channels.
How Windows turns credentials into authenticated sessions, security contexts, and usable access tokens.
PE images, DLL loading, runtime data structures, and compatibility layers such as WOW64.
Hypervisor layers, virtual machines, and how Windows isolates guests from the host.