
Windows OS Ecosystem
Application
↓
Win32 API
↓
ntdll.dll
↓
System Call (syscall)
↓
Kernel (ntoskrnl.exe)
↓
Drivers
↓
Hardware
This path explains most Windows behavior.
User Mode Components
| Component | Purpose | Examples |
|---|---|---|
| Applications | Perform user tasks | Chrome, Outlook, Word |
| Processes | Running instances of programs | chrome.exe |
| Threads | Units of execution | Browser tab thread |
| DLLs | Shared functionality | kernel32.dll |
| Win32 API | Operating system interface | CreateFile(), CreateProcess() |
| .NET Runtime | Managed execution environment | C# applications |
| COM | Component communication | Office automation |
| Services (User Mode) | Background functionality | Windows Update |
| Subsystems | Compatibility layers | WSL |
User Mode DLL Hierarchy
Application
↓
user32.dll
kernel32.dll
advapi32.dll
ws2_32.dll
↓
ntdll.dll
↓
Kernel
Common DLLs
| DLL | Purpose |
|---|---|
| kernel32.dll | Process, memory, file operations |
| user32.dll | GUI |
| gdi32.dll | Graphics |
| advapi32.dll | Security, Registry |
| ws2_32.dll | Networking |
| crypt32.dll | Cryptography |
| ntdll.dll | Native API + Syscalls |
Native API Layer
Most Win32 functions eventually reach:
ntdll.dll
Examples:
| Win32 API | Native API |
|---|---|
| CreateFile() | NtCreateFile() |
| CreateProcess() | NtCreateUserProcess() |
| VirtualAlloc() | NtAllocateVirtualMemory() |
| OpenProcess() | NtOpenProcess() |
This is where many EDR hooks live.
Kernel Executive Components
| Component | Responsibility |
|---|---|
| Process Manager | Processes and threads |
| Memory Manager | Virtual memory (RAM) |
| I/O Manager | Device communication |
| Security Reference Monitor | Access control, permissions |
| Object Manager | Named kernel objects |
| Configuration Manager | Registry |
| Plug and Play Manager | Device detection |
| Power Manager | Sleep, hibernate |
Core Kernel Responsibilities
| Component | Purpose |
|---|---|
| Scheduler | Chooses running thread |
| Dispatcher | Context switching |
| Interrupt Handling | Hardware events |
| Exception Handling | Faults/crashes |
| APC | Deferred execution |
| DPC | High-priority deferred work |
Memory Management
| Concept | Description |
|---|---|
| Virtual Memory | Process sees private address space |
| Paging | Memory swapped to disk |
| Page Tables | VA → PA mapping |
| Working Set | Active memory pages |
| Pool Memory | Kernel allocations |
| Page Cache | Cached file data |
Windows Object Model
Everything is an object.
| Object | Example |
|---|---|
| Process | notepad.exe |
| Thread | Worker thread |
| File | C:\test.txt |
| Registry Key | HKLM\Software |
| Event | Synchronization object |
| Mutex | Synchronization object |
| Token | Security context |
Access is controlled by handles.
Object
↓
Handle
↓
Access Rights
Security Architecture
Security Identifier (SID)
User
↓
SID
↓
Access Check
Example:
S-1-5-18
Local SYSTEM
Access Token
Contains:
- User SID
- Group SIDs
- Privileges
- Integrity Level
Examples:
| Token | Description |
|---|---|
| User | Normal user |
| Administrator | Elevated user |
| SYSTEM | Highest local privilege |
Integrity Levels
| Level | Typical Use |
|---|---|
| Low | Sandbox |
| Medium | Normal user |
| High | Administrator |
| System | SYSTEM |
Driver Architecture
| Driver Type | Example |
|---|---|
| File System Driver | NTFS |
| Network Driver | TCP/IP |
| USB Driver | USB stack |
| Storage Driver | NVMe |
| Graphics Driver | GPU driver |
| Filter Driver | AV/EDR |
Hardware Abstraction Layer (HAL)
Purpose:
Kernel
↓
HAL
↓
Hardware
HAL hides hardware differences from Windows.
Without HAL every CPU and motherboard would require separate kernel code.
Interrupt Flow
Keyboard Key Press
↓
Interrupt
↓
HAL
↓
Kernel ISR
↓
Driver
↓
Input Subsystem
↓
Application
Process Creation
User Clicks EXE
↓
CreateProcess()
↓
NtCreateUserProcess()
↓
Kernel
↓
EPROCESS Created
↓
Thread Created
↓
Image Loaded
↓
Execution Begins
File Access
Application
↓
CreateFile()
↓
NtCreateFile()
↓
I/O Manager
↓
File System Driver
↓
Storage Driver
↓
Disk
Network Access
Application
↓
Winsock
↓
TCP/IP Stack
↓
Network Driver
↓
NIC
↓
Network
Important DFIR Artifacts
| Area | Examples |
|---|---|
| Execution | Prefetch |
| Persistence | Run Keys |
| Authentication | Security Log |
| Networking | SRUM |
| Timeline | MFT |
| User Activity | Jump Lists |
| Application Activity | Amcache |
| PowerShell | ScriptBlock Logs |
Important Offensive Targets
| Target | Why |
|---|---|
| Access Tokens | Privilege escalation |
| LSASS | Credentials |
| Services | Persistence |
| Scheduled Tasks | Persistence |
| Registry | Configuration |
| COM | Lateral movement |
| Drivers | Kernel access |
| WMI | Execution |
| ETW | Detection visibility |
| AMSI | Script inspection |
Windows Mental Model for Operators
User Mode
↓
APIs
↓
Native APIs
↓
System Calls
↓
Kernel
↓
Drivers
↓
Hardware
Everything in Windows eventually becomes one of four things:
- CPU execution
- Memory access
- File I/O
- Network I/O
Every attack, defense, forensic artifact, and operating system feature ultimately manipulates one or more of these four resources.