INT250: Windows Internals Workshop

This seminar provides a comprehensive, in-depth study of the internal design, operation, and key features of the Windows operating system, with emphasis on enhancements added in Windows Vista and later.

Level

Intermediate

Audience

Applications developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; I.T. support personnel

Description

This workshop-format seminar is similar in overall content and objectives to our Windows Internals seminar (INT201). However, it covers the material in greater detail and addresses several additional topics, particularly in the areas of user mode architecture, security, and system startup and login. It is very similar to WSC250, Windows Source Code Workshop, except of course that source code is not examined.

In this workshop the attendee will learn the organization, function, and interactions of the most important components of the Windows operating system. We closely examine several key parts of the system, including user-to-kernel mode transitions, internal synchronization mechanisms, thread scheduling, memory management, the I/O subsystem, and security.

Particular attention is paid to security and other features and enhancements that were added to Windows with Windows Vista and later.  

Topics

  • Windows general architecture and components

    • General principles

    • 32- and 64-bit address spaces

    • Execution context: Processes, threads, and "others"

    • Windows services (background processes)

    • Kernel mode components

    • Tools for investigating and monitoring

    • Introduction to the Windows Debugging Tools

  • User mode architecture and components

    • Processes and address space

    • Executable file format

    • User mode memory management

    • Threads

    • Process and thread components and data structures

    • Program execution environment

    • User to kernel mode calls

    • Environment subsystems

    • Supporting the Windows GUI

    • Process and thread creation and deletion

    • Backwards compatibility

  • Kernel mode architecture and components

    • User to kernel mode calls, part 2 (system service dispatcher)

    • Objects and handles; object manager

    • Security: Discretionary access controls

    • The registry

    • Kernel mode execution environment

    • Interrupt-driven contexts

    • Deferred Procedure Calls (DPCs)

    • Kernel mode synchronization mechanisms

    • Kernel memory allocation

    • Thread scheduler

    • Virtual memory manager

    • I/O subsystem, device drivers, and file cache

  • Security architecture and components

    • Security concepts

    • Windows security features

    • Windows security components and implementation

    • BitLocker

    • Additional security and reliability mechanisms

  • Startup and login

    • Standard startup

    • Secure startup

    • Common startup

    • Login

Prerequisites

Experience using, administering, or developing for Windows, and familiarity with basic operating system concepts

Windows versions

All Windows versions, with emphasis on Windows Vista, Windows Server 2008, and Windows 7

Duration and formats

4 days with labs
3 days lecture only

Short formats and related seminars

INT201, Windows Internals, covers about two thirds of this material. In general we would recommend INT201 for device driver developers and those performing debugging-related tasks. We would recommend this seminar for user mode (application) developers, system administrators, and those interested in in-depth coverage of Windows security.

We also offer INT205, Windows Internals Update, for those already familiar with Windows operating system internals from previous versions.

SEC240, Windows Security, covers the security-related topics from this seminar, with additional information on Windows cryptography.

Customizations

Although there is certain core material that we feel is essential for all attendees, some areas can be more or less emphasized according to the attendees' requirements, and certain material can be omitted completely.

Labs

For this seminar, we follow nearly every discussion of an operating system mechanism, principle, or concept with a lab exercise. We have you exercise or manipulate the part of the system described, and then examine displays that confirm the expected results. We also have you look for interactions with, and effects on, the rest of the system.

In the lecture-only version, the lab exercises are replaced with brief demonstrations by the instructor.

Copyright © 2010 by Azius Developer Training