Networking
How Windows moves data through the TCP/IP stack, filtering layers, and endpoint APIs.
In 30 seconds
Apps use Winsock; the kernel routes sockets through AFD and tcpip.sys, with filters (WFP/BFE) and NDIS adapters below.
You understand this if…
- ✓ You can name the path from getaddrinfo to a TCP segment on the wire.
- ✓ You know why DNS Client is a system service, not per-app.
Networking stack tour
Follow a connection from Winsock and DNS through TCP/IP, filtering (WFP/BFE), down to NDIS and the NIC.
Why it matters
Modern Windows is network-heavy: authentication, updates, domain membership, cloud apps, and remote management all rely on the networking stack.
Mental model
Networking is another layered pipeline: app APIs at the top, protocol stack in the middle, adapters and drivers at the bottom.
Schematic
Application / Winsock
User-mode apps use Winsock. System components can use Winsock Kernel (WSK) to avoid extra user/kernel transitions.
Windows building blocks
Names and paths you can look for in Task Manager, Explorer, or documentation.
- File: tcpip.sys
TCP/IP protocol driver
- File: afd.sys
Ancillary Function Driver for Winsock
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- The dual-stack shares interfaces; loopback and vSwitch ports are special cases.
- WFP callouts can inspect at multiple layers without replacing tcpip.sys.
How it works
1. Applications use sockets and higher-level APIs to request network communication.
2. The TCP/IP stack transforms those requests into protocol operations.
3. Lower layers and drivers ultimately move packets through physical or virtual interfaces.
Key terms
- Socket
- An endpoint abstraction for network communication.
- TCP/IP stack
- The core Windows networking implementation for internet protocols.
- WFP
- Windows Filtering Platform used to inspect and control network traffic.
Connecting to a website
What looks like a simple browser action actually crosses DNS, sockets, TCP state, filtering, and adapter drivers.
Common misconception
Networking is not isolated from the rest of Windows; security, services, drivers, and user-mode APIs all participate.
Guided exercise
Use this topic to move from theory into practice.
1. Resolve a hostname in DNS Lab (A and AAAA) and note TTL and latency.
2. Read the Windows client path checklist on the right of the lab.
3. On Windows, run Resolve-DnsName and ipconfig /displaydns to compare with the browser path.
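The Windows side of this exercise as a PowerShell script. This is an added example, not part of the original page; the hostname `example.com` is a placeholder and `Get-Lookup` is a hypothetical helper name. It records TTL and latency for A and AAAA lookups, repeats each lookup against the DNS Client cache only, then lists the cached entries.

```powershell
# Added example, not from the original page. Run in PowerShell on Windows.
# Assumption: 'example.com' is a placeholder; substitute the name used in the lab.
$Name = 'example.com'

# Hypothetical helper: time one lookup and return its answer records.
function Get-Lookup {
    param([string]$Name, [string]$Type, [switch]$CacheOnly)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $answers = Resolve-DnsName -Name $Name -Type $Type -CacheOnly:$CacheOnly `
                   -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type }
    $sw.Stop()
    $source = if ($CacheOnly) { 'cache only' } else { 'normal path' }
    if (-not $answers) {
        # No record of this type (or a cache miss): keep the timing so the row still shows.
        return [pscustomobject]@{
            Name = $Name; Type = $Type; Source = $source
            Address = $null; TTL = $null; Ms = $sw.ElapsedMilliseconds
        }
    }
    foreach ($a in $answers) {
        [pscustomobject]@{
            Name = $a.Name; Type = $Type; Source = $source
            Address = $a.IPAddress; TTL = $a.TTL; Ms = $sw.ElapsedMilliseconds
        }
    }
}

$results = foreach ($recordType in 'A', 'AAAA') {
    # Normal client path: local cache first, then the configured resolver.
    Get-Lookup -Name $Name -Type $recordType
    # Answered only from the DNS Client service cache; nothing is sent on the wire.
    Get-Lookup -Name $Name -Type $recordType -CacheOnly
}
$results | Format-Table -AutoSize

# The same cache viewed directly (the data ipconfig /displaydns prints).
Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue |
    Select-Object Entry, Type, TimeToLive, Data |
    Format-Table -AutoSize
```

A cache-only row that returns an address shows the answer was served by the DNS Client service rather than by a new query, and its TTL counts down between runs.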
Go deeper
TCP/IP stack
The core protocol machinery behind Windows network communication.
Name resolution & DNS Client
What happens when an app asks 'what IP is this name?'
Winsock, AFD, and kernel boundaries
How user-mode sockets relate to kernel-mode transport, and why AFD.sys matters.
NDIS and network adapters
The driver model that bridges protocol stacks and NIC hardware.
WFP & BFE (deep dive)
How filters are stored, enforced, and hooked into the packet path.
Filtering & firewalling
Where Windows observes and controls traffic with filtering layers.
Related topics
I/O system
How Windows turns API requests into IRPs, driver stack work, and device operations.
Security
Access tokens, privileges, integrity, and how Windows decides who can do what.
Services & background infrastructure
How Windows launches, groups, isolates, and supervises long-running background components.