Windows OS Architecture
π‘ Goal: Understand how Windows is built under the hood β from User Mode to Kernel Mode, system layers, and what makes it tick. This is foundational for everything from malware development to EDR evasion.
Contents
π§ What is an Operating System?
An OS acts as a middleman between:
- You (the user / programs) and
- Hardware (CPU, RAM, Disk, etc.)
It:
- Manages processes and memory
- Handles file I/O
- Provides APIs to run apps
- Controls devices through drivers
𧩠Key Components Breakdown
πΉ User Mode
- Apps like
notepad.exe,chrome.exe - Canβt directly talk to hardware or manage memory
- Must ask Kernel Mode via System Calls
- Hosts subsystems (e.g., Win32, POSIX, WOW64)
πΈ Subsystems
- Win32: Main API for GUI apps
- WOW64: Lets 32-bit apps run on 64-bit Windows
- POSIX: Legacy support for Unix-style tools
πΈ Kernel Mode
- Has full access to memory, devices, drivers
- Runs privileged code (Ring 0)
- Includes the Kernel, Executive, Drivers, and HAL
𧱠Executive (NTOS)
Think of it as the “brains” of the kernel
Includes:
- Object Manager (handles Windows objects like files, processes)
- Memory Manager (allocates and pages memory)
- Process Manager (creates, manages threads/processes)
- Security Reference Monitor (permission enforcement)
βοΈ Kernel (Core)
- Deals with low-level threading, interrupt handling, synchronization
π¦ Device Drivers
.sysfiles likedisk.sys,kbdclass.sys- Run in kernel mode and interact directly with hardware
𧬠HAL (Hardware Abstraction Layer)
- Allows Windows to run on different hardware by abstracting CPU/IO differences
- File:
hal.dll
π User Mode vs Kernel Mode
| Feature | User Mode | Kernel Mode |
|---|---|---|
| Privilege Level | Ring 3 (low) | Ring 0 (high) |
| Memory Access | Own virtual memory | Full system memory |
| Crash Impact | Just the app | Whole system (BSOD) |
| Direct Hardware Access | β No | β Yes |
| Example | explorer.exe | ntoskrnl.exe, disk.sys |
βοΈ System Call Flow (Behind the Scenes)
When you run calc.exe, here’s what happens:
- You click a shortcut
- Explorer.exe launches
calc.exeusingCreateProcess CreateProcessβ Win32 API- Win32 API β System Call (like
NtCreateProcess) - Kernel validates permissions, allocates memory
- Kernel returns handle, app runs
β‘οΈ Every “simple” action is backed by 100+ low-level operations.
π§ͺ Hands-On Practice
Want to see the layers in action? Try these:
# On Windows PowerShell
Get-Process | Select-Object Name, Path, Id
# Peek into ntoskrnl usage
Get-WmiObject -Query "Select * from Win32_OperatingSystem"
# View loaded drivers (kernel-mode)
driverquery /v
Use Process Hacker or WinDbg to see threads, handles, and kernel objects live.
π§ Summary
- Windows is a hybrid kernel OS with clear User Mode and Kernel Mode
- User Mode apps can’t touch hardware directly β they rely on System Calls
- Kernel Mode contains the brain (
ntoskrnl.exe), drivers, and HAL - Everything you do β launching apps, copying files β goes through this architecture
Great Detailed