- System architecture (beginner, schematic): How Windows separates user mode and kernel mode, and why the system is built in layers.
- HAL & boot (intermediate): Hardware abstraction and the path from firmware to the running kernel.
- Executive & subsystems (intermediate): Core OS services and the user-mode environments that sit on top of them.
- Kernel mechanisms (IRQL, DPC, interrupts) (expert): Low-level execution rules that explain driver bugs, lost interrupts, and why some code cannot sleep.
- Processes & threads (beginner, schematic, lab): How Windows represents work, isolates applications, and schedules execution.
- Kernel objects (intermediate, lab): Handles, object manager, names, and reference counting basics.
- Scheduling (expert, lab): Dispatcher queues, priorities, and how Windows decides what runs next.
- Job objects (intermediate, lab): Grouping processes with shared limits, UI restrictions, and teardown rules.
- Ntdll & the user/kernel boundary (intermediate, lab): How user-mode code reaches native system services through ntdll and syscalls.
- Memory management (beginner, schematic, lab): Virtual address spaces, paging, working sets, and how Windows tracks memory.
- VAD tree (intermediate, lab): How Windows tracks ranges of virtual memory for a process.
- Pool & heap (expert, lab): Kernel pool tags and user-mode heaps as different allocation worlds.
- Paging & page faults (intermediate, lab): How Windows brings pages in from disk and when the page file is used.
- Working set & trimming (intermediate, lab): Which pages stay resident for a process and how Windows reclaims memory under pressure.
- Diagnostics & logging (beginner, schematic, lab): Where Windows records what happened: Event Log, ETW, and crash-oriented clues.
- Windows Event Log (beginner, lab): Providers publish structured events; the Event Log service stores them in durable channels.
- EVTX file format (intermediate, lab): 64 KB chunks, binary XML, templates, and the durable storage layout behind Event Viewer.
- Providers & channels (beginner, lab): Who emits events and where those records are routed inside Windows logging.
- ETW tracing (intermediate, lab): Real-time sessions, controllers, and consumers for higher-volume tracing.
- WMI & CIM (intermediate, lab): The management instrumentation layer behind many admin tools and scripts.
- Security (beginner, schematic, lab): Access tokens, privileges, integrity, and how Windows decides who can do what.
- Access tokens (intermediate, lab): SIDs, privileges, impersonation, and the identity payload every process carries.
- Security descriptors & ACLs (intermediate, lab): Owners, DACL/SACL, ACE ordering, and the object-side policy Windows enforces.
- Access checks & Security Reference Monitor (expert, lab): How Windows actually decides allow/deny using tokens, descriptors, and SRM routines.
- UAC, integrity levels, and secure desktop (intermediate, lab): Why elevation prompts exist, what filtered tokens are, and how MIC constrains writes.
- Privileges (Se*) (intermediate, lab): Special capabilities in a token beyond normal DACL rights.
- AppContainers & capabilities (expert, lab): Modern app isolation using AppContainer SIDs and capability grants.
- I/O system (beginner): How Windows turns API requests into IRPs, driver stack work, and device operations.
- I/O Manager (intermediate): The kernel component that builds, routes, and completes I/O requests.
- Drivers & device stacks (intermediate): Function, filter, bus, class, and miniport drivers in layered request handling.
- Plug and Play & power (expert): How devices appear, initialize, and change power state without manual kernel bookkeeping.
- Services & background infrastructure (beginner): How Windows launches, groups, isolates, and supervises long-running background components.
- Service Control Manager (intermediate): The boot-time and runtime orchestrator for services and drivers.
- Service hosts (intermediate): How Windows groups services inside host processes such as svchost.exe.
- Registry & configuration (beginner): How Windows stores system and application configuration in hierarchical hives.
- Hives, keys, and values (beginner): The data model behind HKLM, HKCU, and the registry editor view.
- Configuration Manager (expert): The kernel component that implements registry storage, caching, and access.
- Storage & file systems (beginner): Disks, volumes, cache, and the file-system layers that make persistence usable.
- Disks, partitions, and volumes (intermediate): How physical or virtual disk space becomes manageable logical storage.
- File systems (intermediate): NTFS and friends translating raw storage into directories, files, and metadata.
- Cache Manager (expert): How Windows speeds file access by coordinating cached file data with memory.
- Reparse points & symlinks (intermediate): Junctions, symlinks, and filter-driver namespaces that redirect paths.
- Networking (beginner, schematic, lab): How Windows moves data through the TCP/IP stack, filtering layers, and endpoint APIs.
- TCP/IP stack (intermediate, lab): The core protocol machinery behind Windows network communication.
- Name resolution & DNS Client (beginner, lab): What happens when an app asks 'what IP is this name?'
- Winsock, AFD, and kernel boundaries (intermediate, lab): How user-mode sockets relate to kernel-mode transport, and why AFD.sys matters.
- NDIS and network adapters (intermediate, lab): The driver model that bridges protocol stacks and NIC hardware.
- WFP & BFE (deep dive) (expert, lab): How filters are stored, enforced, and hooked into the packet path.
- Filtering & firewalling (intermediate, lab): Where Windows observes and controls traffic with filtering layers.
- Startup & shutdown (beginner, lab): How Windows goes from firmware to an interactive session, and how it tears systems down safely.
- Boot loader to kernel handoff (intermediate): The transition from firmware and boot manager into Windows kernel initialization.
- Session Manager, Winlogon, and the shell (intermediate, lab): The early user-mode path from system process creation to an interactive desktop.
- Secure Boot & measured boot (intermediate): How firmware and boot policy establish trust before Windows starts.
- GUI & windowing (beginner, schematic): Sessions, desktops, USER/GDI objects, and the Windows-specific UI machinery above the core kernel.
- Window stations & desktops (intermediate): The session-side objects that organize visible desktops, input, and GUI isolation.
- USER & GDI objects (intermediate): Windows, menus, cursors, device contexts, fonts, bitmaps, and the resource model behind the GUI.
- CSRSS, Win32k, and session UI plumbing (expert): How user-mode session infrastructure and kernel-side windowing pieces cooperate.
- IPC & component boundaries (beginner): How Windows components communicate across process boundaries using local RPC, named pipes, and other message channels.
- ALPC & local RPC (expert): Fast local message passing used under the hood by several Windows components on the same machine.
- RPC & COM foundations (intermediate): Procedure-style communication between components, locally or across the network.
- Named pipes (beginner): A durable named endpoint for client/server communication on the same machine or across the network.
- Authentication & logon (beginner): How Windows turns credentials into authenticated sessions, security contexts, and usable access tokens.
- Winlogon, LogonUI, and session sign-in (intermediate): The visible and semi-visible path from secure attention to a fully signed-in session.
- LSASS, SAM, and local security policy (intermediate): The protected security process and data stores behind local accounts and policy decisions.
- Kerberos, NTLM, and authentication packages (intermediate): How Windows chooses and uses protocol packages to validate identities.
- CNG, Schannel & crypto plumbing (intermediate): How Windows centralizes algorithms, keys, and TLS for services and applications.
- Executable loading & runtime (beginner): PE images, DLL loading, runtime data structures, and compatibility layers such as WOW64.
- PE format (intermediate): Headers, sections, imports, relocations, and the on-disk structure of Windows images.
- DLL loader, PEB, and module lists (intermediate): How Windows loads shared libraries and tracks runtime module state.
- WOW64 and cross-architecture compatibility (expert): How 32-bit user-mode applications run on a 64-bit Windows system.
- Virtualization (beginner): Hypervisor layers, virtual machines, and how Windows isolates guests from the host.
- Hyper-V & partitions (intermediate): Root vs child partitions, vCPUs, and synthetic devices.
- VBS, HVCI & isolation (expert): Virtualization-based security features that protect credentials and kernel code.