Windows OS Architecture
Goal: Understand how Windows is built under the hood — from User Mode to Kernel Mode, system layers, and what makes it tick. This is foundational for everything from malware development to EDR evasion.
What is an Operating System?
An OS acts as a middleman between:
- You (the user / programs) and
- Hardware (CPU, RAM, Disk, etc.)
It:
- Manages processes and memory
- Handles file I/O
- Provides APIs to run apps
- Controls devices through drivers

Key Components Breakdown
User Mode
- Apps like notepad.exe, chrome.exe
- Can’t directly talk to hardware or manage memory
- Must ask Kernel Mode via System Calls
- Hosts subsystems (e.g., Win32, POSIX, WOW64)
Subsystems
- Win32: Main API for GUI apps
- WOW64: Lets 32-bit apps run on 64-bit Windows
- POSIX: Legacy support for Unix-style tools
Kernel Mode
- Has full access to memory, devices, drivers
- Runs privileged code (Ring 0)
- Includes the Kernel, Executive, Drivers, and HAL
Executive (NTOS)
Think of it as the “brains” of the kernel
Includes:
- Object Manager (handles Windows objects like files, processes)
- Memory Manager (allocates and pages memory)
- Process Manager (creates, manages threads/processes)
- Security Reference Monitor (permission enforcement)
Kernel (Core)
- Deals with low-level threading, interrupt handling, synchronization
Device Drivers
- .sys files like disk.sys, kbdclass.sys
- Run in kernel mode and interact directly with hardware
HAL (Hardware Abstraction Layer)
- Allows Windows to run on different hardware by abstracting CPU/IO differences
- File: hal.dll
User Mode vs Kernel Mode
| Feature | User Mode | Kernel Mode |
|---|---|---|
| Privilege Level | Ring 3 (low) | Ring 0 (high) |
| Memory Access | Own virtual memory | Full system memory |
| Crash Impact | Just the app | Whole system (BSOD) |
| Direct Hardware Access | No | Yes |
| Example | explorer.exe | ntoskrnl.exe, disk.sys |
System Call Flow (Behind the Scenes)
When you run calc.exe, here’s what happens:
- You click a shortcut
- Explorer.exe launches calc.exe using CreateProcess
- CreateProcess → Win32 API
- Win32 API → System Call (like NtCreateProcess)
- Kernel validates permissions, allocates memory
- Kernel returns handle, app runs
Every “simple” action is backed by 100+ low-level operations.
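To watch the launch flow above from the user-mode side, here is an added PowerShell example (not code from the original post). It launches a child process with Start-Process, which reaches the kernel through the same CreateProcess → Win32 API → ntdll.dll syscall stub path the list describes, then reads back the handle the kernel returned, the parent/child link, and the user-mode API DLLs mapped into the child. cmd.exe running a timeout is used instead of calc.exe only so the child stays alive for a predictable interval; the 500 ms pause is an assumption that gives the loader time to map the DLLs.

```powershell
# Added example (not from the original post): observe the user-mode side of a
# process launch. Start-Process calls CreateProcess, which goes
# Win32 API -> ntdll.dll syscall stub -> kernel. cmd.exe is used instead of
# calc.exe only because it stays alive for a predictable time (assumption).
$child = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'timeout /t 20 /nobreak' `
    -WindowStyle Hidden -PassThru

try {
    # The kernel returned a handle; .NET wraps it in the Process object.
    # Give the loader a moment to map the child's DLLs (500 ms is an assumption).
    Start-Sleep -Milliseconds 500

    # Parent/child relationship: the launcher is this PowerShell process ($PID),
    # just as explorer.exe is the parent when you click a shortcut.
    $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($child.Id)"
    [pscustomobject]@{
        ChildPid          = $child.Id
        ParentPid         = $cim.ParentProcessId
        ParentIsThisShell = ($cim.ParentProcessId -eq $PID)
        HandleCount       = $child.HandleCount
    } | Format-List

    # User-mode API layers loaded in the child. ntdll.dll holds the Nt* stubs
    # that issue the actual syscall; kernel32.dll and KernelBase.dll sit above it.
    $layers = 'ntdll.dll', 'KernelBase.dll', 'kernel32.dll'
    $child.Refresh()
    $child.Modules |
        Where-Object { $layers -contains $_.ModuleName } |
        Select-Object ModuleName, FileName,
            @{ n = 'Base'; e = { '0x{0:X}' -f $_.BaseAddress.ToInt64() } } |
        Format-Table -AutoSize
}
finally {
    # Clean up the child whether or not the inspection succeeded.
    if (-not $child.HasExited) { Stop-Process -Id $child.Id -Force }
}
```

Run it from a 64-bit PowerShell: a 32-bit shell cannot enumerate a 64-bit child's modules. The ParentProcessId link printed here is the same parent/child lineage that EDR and Sysmon process-creation telemetry record, which is why an unexpected parent for a given executable is a common detection signal.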
Hands-On Practice
Want to see the layers in action? Try these:
```powershell
# On Windows PowerShell
Get-Process | Select-Object Name, Path, Id

# OS version and build as reported by WMI (Get-CimInstance is the modern
# replacement for the deprecated Get-WmiObject)
Get-WmiObject -Query "Select * from Win32_OperatingSystem"

# View loaded drivers (kernel-mode)
driverquery /v
```

Use Process Hacker or WinDbg to see threads, handles, and kernel objects live.
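As an added example (not from the original post) that extends the driverquery step, this PowerShell script inventories the kernel-mode side: the version and signer of ntoskrnl.exe and hal.dll, then every running driver service with its Authenticode status, so unsigned or third-party kernel code stands out for review. The Resolve-DriverPath helper and the three path forms it normalises are assumptions about how WMI reports Win32_SystemDriver.PathName; adjust it if your host reports another form.

```powershell
# Added example (not from the original post): inventory the kernel-mode side.
# 1) the core images named in the article, 2) every running driver service,
# each with its Authenticode signature status.

# Core kernel-mode images: the kernel/executive and the HAL
$core = 'ntoskrnl.exe', 'hal.dll' | ForEach-Object {
    $path = Join-Path $env:SystemRoot "System32\$_"
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Image   = $_
        Version = $item.VersionInfo.ProductVersion
        Signer  = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
    }
}
$core | Format-Table -AutoSize

# Running kernel-mode drivers (the .sys files). WMI reports PathName in several
# forms (\SystemRoot\..., \??\C:\..., System32\..., or a plain path); which
# forms appear on a given host is an assumption, so normalise defensively.
function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    Get-AuthenticodeSignature -FilePath $path
                } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'PathNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Summary by signature status, then anything that is not cleanly signed
$drivers | Group-Object SigStatus | Select-Object Name, Count | Format-Table -AutoSize
$drivers | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, StartMode, Path, SigStatus -AutoSize
```

Most inbox Microsoft drivers are catalog-signed rather than carrying an embedded signature, so a NotSigned result for a file under System32\drivers usually means the catalog lookup failed rather than that the driver is unsigned; cross-check such entries with driverquery /si before treating them as findings. Third-party drivers with a valid signature from an unfamiliar signer are still worth a second look, since everything in this list runs in Ring 0.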
Summary
- Windows is a hybrid kernel OS with clear User Mode and Kernel Mode
- User Mode apps can’t touch hardware directly — they rely on System Calls
- Kernel Mode contains the brain (ntoskrnl.exe), drivers, and HAL
- Everything you do — launching apps, copying files — goes through this architecture
Related Tutorials
- Access Tokens and Privileges: The Kernel’s Security Context
- SIDs and Security Descriptors: Identity in Windows Security
- Fibers: User-Mode Cooperative Threads
- Jobs and Silos: Process Grouping and Resource Limits
- Windows Scheduler Internals: Priority Levels, Quantum, and Thread Selection