AFD
Ancillary Function Driver for Winsock, a kernel-mode driver involved in sockets.
Reference
Windows internals glossary
A compact dictionary for the terms that tend to block beginners when reading about Windows internals for the first time.
ALPC
Advanced Local Procedure Call, the asynchronous local message mechanism used by Windows.
AppContainer
A sandbox identity used for modern application isolation.
Authentication package
A protocol or provider such as Kerberos or NTLM used to validate identity.
AuthzAccessCheck
User-mode access-check API mirroring the core decision logic.
BCD
Boot Configuration Data; the configuration store used during startup.
BFE
Base Filtering Engine service coordinating WFP configuration and security.
Boot loader
The component that prepares Windows to enter kernel execution.
Breakaway
Whether a child process may escape the job.
Bus driver
A driver responsible for enumeration and management of devices on a bus.
BXML
Binary XML used to encode event structure compactly.
Cache Manager
The subsystem that accelerates file I/O through cached mappings.
Callout
A filter-driven extension point used to inspect or alter traffic.
Capability SID
A grant that allows a specific class of access for an AppContainer.
Channel
A logical event log destination such as Application, Security, or System.
Chunk
A fixed-size EVTX storage unit that groups records and metadata.
CIM
Common Information Model; schema used by modern WMI access.
CNG
Cryptography Next Generation; modern Windows crypto API set.
Completion
The phase where results and status codes flow back to the request origin.
Configuration Manager
The kernel subsystem responsible for registry internals.
Consumer
A tool or component that reads ETW output.
CSRSS
Client/Server Runtime Subsystem, a foundational user-mode process for each session.
D-state
A device power state used to describe how active a device currently is.
DACL
Discretionary ACL controlling allow/deny for access rights.
Dependency
A service or driver that must be available before another can run.
Desktop
A logical display and input surface that contains windows, menus, and hooks.
Device object
The kernel object representing a device instance inside the I/O system.
Dispatch routine
The driver entry point for a given I/O request type.
Dispatcher
The scheduler component that tracks runnable threads and dispatch decisions.
DllMain
The optional DLL entry point called during attach and detach transitions.
DNS cache
Local cached answers that reduce repeated lookups.
DPC
Deferred Procedure Call; runs after ISR at DISPATCH_LEVEL.
Driver stack
The ordered set of drivers that cooperate to handle a device request.
Endpoint
A communication endpoint represented in kernel and user mode.
Enlightened I/O
Guest I/O path optimized via VMBus instead of full emulation.
EPROCESS
Kernel structure that represents a process.
ETHREAD
Kernel structure that represents a thread.
ETW session
A configured tracing session that collects events from providers.
Event ID
A provider-defined numeric identifier for a kind of event.
EventData
The payload fields attached to the event record.
EVTX
The file format used by the Windows Event Log service.
Executive
The set of kernel services for memory, objects, I/O, security, and process management.
Explorer
The Windows shell process that provides the desktop and taskbar experience.
Filter
A rule attached to a layer, possibly invoking callouts or permitting/blocking.
Filter driver
A driver that inspects or changes I/O passing through a stack.
Firewall policy
The rule set that decides what traffic is permitted.
GDI object
A graphics resource such as a brush, font, bitmap, or device context.
HAL
Hardware Abstraction Layer used to hide platform-specific details.
Handle
An indirect reference to a kernel object owned through a process handle table.
Heap
A dynamic allocation arena typically used by user-mode applications.
Hive
A top-level registry data store backed by files and memory structures.
HKCU
HKEY_CURRENT_USER, the logical root for the active user context.
HKLM
HKEY_LOCAL_MACHINE, the logical root for machine-wide configuration.
Hosted service
A service implemented inside a generic service host process.
HVCI
Hypervisor-protected Code Integrity; restricts executable kernel pages.
Hypervisor
Software layer that schedules virtual CPUs and isolates guest memory.
Impersonation
A thread temporarily acting under another security context.
Import
A dependency on a symbol exported by another module.
Input desktop
The currently active desktop that receives user input.
Integrity level
A mechanism used by Windows to restrict interactions across trust boundaries.
IPC
Inter-process communication between components running in separate processes.
IRP
I/O Request Packet; the main kernel structure representing an I/O operation.
IRQL
Interrupt Request Level; governs which kernel APIs are legal.
Isolation
Separating services to reduce blast radius and improve diagnosability.
ISR
Interrupt Service Routine; first handler for a hardware interrupt.
Job object
A kernel object that groups processes under shared policy.
Journal
A mechanism that records metadata intent to improve recovery and consistency.
Kerberos ticket
Credential material proving identity and access within a Kerberos realm.
Kernel mode
The privileged execution mode that can access hardware and core OS state.
Key
A container node in the registry hierarchy.
Layer
A WFP classification point in the networking stack.
Lazy writer
A mechanism that flushes cached file data back to disk asynchronously.
LogonUI
The sign-in user interface that renders credential provider tiles and prompts.
LSA
The Local Security Authority, the subsystem responsible for local security policy and sign-in decisions.
LSASS
Local Security Authority Subsystem Service, the protected process that enforces local security policy and authentication.
Mapped view
A memory-backed representation of file content used for fast access.
MFT
Master File Table; a core NTFS metadata structure.
MIC
Mandatory Integrity Control, integrity-based restrictions beyond DACLs.
Miniport
NDIS driver that controls a network adapter and provides send/receive primitives.
Mount point
A junction that redirects a directory to another volume path.
Native API
Undocumented-but-stable Nt* family implemented by ntdll.
ncalrpc
The RPC protocol sequence for efficient same-machine RPC.
NTFS
The primary Windows file system for general-purpose storage.
Object Manager
The executive service that standardizes named kernel objects and handles.
Page fault
A trap taken when a referenced page is not resident.
Page file
Disk-backed storage used when memory content is paged out.
Partition
A defined region on a disk used to organize storage.
PE
Portable Executable, the image format used by Windows executables and DLLs.
PEB
Process Environment Block, runtime process metadata maintained in user mode.
PEB_LDR_DATA
Loader-related data in the PEB that tracks loaded modules.
Pipe instance
One connected server/client communication channel under a shared pipe name.
PnP
Plug and Play; the infrastructure for discovering and managing hardware dynamically.
Pool tag
A short identifier attached to kernel allocations for debugging and analysis.
Primary token
The token attached to a process as its main identity.
Privilege
A special capability inside a token that enables sensitive operations.
Privilege enablement
A privilege must often be enabled on the thread before use.
Protocol sequence
The RPC transport selection, such as ncalrpc or ncacn_np.
Protocol state
The tracked lifecycle state of a connection or transport interaction.
Provider
A component that emits Windows events or tracing data.
Provider name
The identity of the component emitting the event.
Quantum
A time slice given to a running thread before it may be preempted.
Reference count
The count of active references keeping an object alive.
Relocation
Metadata used when the image cannot be loaded at its preferred base address.
Reparse point
A file system object marked for special interpretation.
Resolver
The component that resolves names to addresses, often via DNS queries.
Root partition
The management OS partition with direct hardware access.
RPC
Remote Procedure Call, a framework for invoking functionality in another process or machine.
SACL
System ACL controlling audit rules written to the security log.
SAM
Security Accounts Manager, the local account database for machine-local identities.
SAM database
The local database holding machine-local account information.
Schannel
Security Support Provider implementing TLS for Windows components.
SCM
Service Control Manager; the central service orchestrator in Windows.
SeAccessCheck
Kernel access-check routine used by drivers and kernel components.
Section
A named region of a PE image such as code, data, or resources.
Secure Boot
Firmware policy that allows only signed boot software.
Secure desktop
A protected desktop used for elevation prompts and sensitive UI.
Security descriptor
The security metadata attached to a securable object.
SeDebugPrivilege
Allows debugging and opening handles to processes you might not otherwise access.
Session 0
The isolated session where services run, separate from interactive desktop sessions.
SID
Security Identifier representing a user, group, or principal.
SMSS
Session Manager Subsystem; one of the earliest user-mode processes.
Socket
An endpoint abstraction for network communication.
Soft fault
Fault resolved without disk I/O (e.g. demand-zero or already in memory elsewhere).
SRM
Security Reference Monitor, the kernel-mode enforcer of access control.
SSPI
Security Support Provider Interface, the API layer for Windows integrated authentication.
Startup type
The policy controlling when a service should start.
Stub
Generated code that marshals and unmarshals parameters for RPC.
Subsystem
A user-mode environment that exposes APIs on top of core Windows services.
svchost
A shared host process that can run one or more Windows services.
Syscall
Controlled transition from user mode to kernel mode.
TCP/IP stack
The core Windows networking implementation for internet protocols.
Template
A reusable event shape that helps render structured records.
Thunk
A translation layer that adapts a call or data structure between boundaries.
TPM PCR
Platform Configuration Register storing boot measurements.
Trim
Removing pages from a working set to free physical memory.
UAC
User Account Control, the elevation/consent system for admin operations.
User mode
The least-privileged execution mode used by apps and most services.
USER object
A GUI resource such as a window, menu, cursor, or desktop.
USER/GDI
Core GUI object families for interface elements and graphics resources in Windows.
VAD
Virtual Address Descriptor; a node describing a region of process virtual memory.
Value
A named piece of typed data stored under a key.
VBS
Virtualization-Based Security; hypervisor-enforced security features.
Virtual address space
The private logical address map a process uses.
VMBus
High-speed channel between Hyper-V guest and host services.
Volume
A logical storage unit presented to the OS for I/O.
Volume GUID path
A stable namespace path Windows can use for a volume independent of drive letters.
WFP
Windows Filtering Platform used to inspect and control network traffic.
Win32k
Kernel-side windowing and graphics implementation used by the Win32 subsystem.
Window station
A securable object containing desktops plus shared GUI resources like the clipboard and atom table.
Winload
The Windows loader responsible for preparing the OS kernel and boot environment.
Winlogon
The process responsible for secure logon and user session bring-up.
Winsock
The primary Windows sockets API used by applications.
Winsta0
The interactive window station for a logged-on session.
WMI provider
Component that supplies WMI classes and answers queries.
Working set
The set of pages currently resident in physical memory for a process.
WOW64
The compatibility layer for running 32-bit user-mode code on 64-bit Windows.
WSK
Winsock Kernel, a kernel-mode socket interface for system components.