Security deep dive
From identity (tokens) to object policy (DACL/SACL), through kernel access checks (SRM), ending with UAC and integrity boundaries.
Follow pathBeginner path
Start here if Windows internals is new to you
This path builds the mental model first, then moves from running processes to memory, diagnostics, and security. Each step is short enough to browse in one sitting, but concrete enough to be useful later in the EVTX lab.
Step 1beginner
System architecture
How Windows separates user mode and kernel mode, and why the system is built in layers.
Start here to build the mental map for the rest of the site.
Step 2beginner
Processes & threads
How Windows represents work, isolates applications, and schedules execution.
Once you know the OS layers, learn how Windows represents running work.
Step 3beginner
Memory management
Virtual address spaces, paging, working sets, and how Windows tracks memory.
Memory is the next core building block once processes make sense.
Step 4beginner
Diagnostics & logging
Where Windows records what happened: Event Log, ETW, and crash-oriented clues.
This is the best bridge between concepts and concrete evidence on a running system.
Step 5beginner
Windows Event Log
Providers publish structured events; the Event Log service stores them in durable channels.
This is the first hands-on diagnostic system worth learning end-to-end.
Step 6intermediate
EVTX file format
64 KB chunks, binary XML, templates, and the durable storage layout behind Event Viewer.
This is the ideal bridge from theory to the EVTX lab.
Step 7beginner
Security
Access tokens, privileges, integrity, and how Windows decides who can do what.
Finish the beginner path with identity and access, since many logs and process behaviors depend on it.
Branch paths (security, networking, GUI)
Shorter guided sequences inside a single theme. Use Follow path, then Continue on each topic page.
Networking stack tour
Follow a connection from Winsock and DNS through TCP/IP, filtering (WFP/BFE), down to NDIS and the NIC.
Follow pathGUI & session UI
Understand sessions, window stations, desktops, USER/GDI objects, and the CSRSS/Win32k plumbing behind the shell.
Follow pathMemory deep dive
VADs, pools, paging, working sets, and how the cache uses RAM.
Follow pathI/O & drivers
From I/O Manager and IRPs through driver stacks and PnP power.
Follow pathVirtualization & VBS
Hyper-V partitions, enlightened I/O, and virtualization-based security.
Follow pathAuthentication path
From Winlogon through LSASS to Kerberos/NTLM and crypto plumbing.
Follow pathLoader & runtime
PE images, DLL loading, and WOW64 on 64-bit Windows.
Follow pathStorage path
Volumes, NTFS, cache, and reparse points.
Follow pathThen go deeper
After the beginner path, continue with one of these longer cross-theme sequences.
Diagnostics -> Event Log -> EVTX
Start from Windows telemetry, understand providers and channels, then move into EVTX structure and hands-on parsing.
Processes -> Objects -> Scheduling
Learn how Windows represents running work, how handles and objects fit in, and how the scheduler actually decides what runs.
Memory -> VAD -> Storage Cache
Move from private virtual address spaces into VADs, pools, and then the cache/storage layer that shapes real-world file I/O performance.
Startup -> Logon -> Auth -> Tokens
Follow the path from early session initialization into Winlogon, LSASS, authentication packages, and the tokens that processes actually use.
Processes -> PE -> Loader -> WOW64
Bridge the gap between a running process and the executable/runtime machinery that maps images, loads DLLs, and keeps 32-bit apps working on 64-bit Windows.