Ever crack open your laptop and wonder, like, what's really going on in there?
Yeah?
Most people just click and go, right? But today we're going deeper, into Windows internals. Our guide: this beast of a book, Windows Internals, Part 2, seventh edition. Heavy stuff.
Literally. Yeah, by Mark Russinovich, David Solomon,
and Andrea Allievi. The trio.
Who know Windows inside out. Like, this is the bible for anyone who wants to know how the OS really ticks.
But don't worry, we'll keep it fun. Promise. Get ready for some aha moments.
About your computer's memory, how it handles security, even what happens when things crash. Stuff most folks never think about, but it's happening every time you hit the power button. Fascinating stuff.
Okay, before we get too deep, tell us about these authors. Not your average tech writers.
Oh no, no. It starts with Mark Russinovich, a legend in the Windows world. He envisioned a book that really dug into Windows NT, hardcore from the start.
But then David Solomon, another expert, publishes a book covering similar ground. You'd think rivalry.
Right, competition time.
Nope. Mark reaches out to David, suggests they team up for the next edition. Talk about collaboration. And get this, he even offered to include his entire Sysinternals toolkit.
Those are like power tools for sysadmins. Exactly, super valuable.
Then later on they bring in Andrea Allievi,
who actually worked inside Microsoft.
Yeah, that insider perspective is gold. It's this blend that makes the book so insightful, like having all sides of the story.
Speaking of insights, let's dive into the core stuff: CPUs, caches, and how it all ties into security.
CPUs. I know they're important, but honestly I'm a bit fuzzy on what they do exactly.
Think of it like this. Your CPU has different access levels, almost like security clearances. There's kernel mode, the VIP area where critical stuff happens.
Top secret operations.
And then user mode, where your everyday apps run. This protected mode segmentation keeps those worlds separate, so a rogue program can't just mess with the important stuff.
Exactly. It's like having a bank vault separate from the lobby. And this segmentation also helps the CPU quickly grab important data, things like the Thread Environment Block, or TEB.
Sounds technical.
It's basically the CPU's cheat sheet for the running program. And the Kernel Processor Control Region, or KPCR, that's the CPU's own status report.
Gotta keep those handy. Absolutely.
Now, CPU caches. Ever notice how some things on your computer are just instant?
Oh yeah, like opening certain files.
Exactly, that's the cache working. Think of it like your desk versus going to the filing cabinet. The cache holds the data your CPU's most likely to need next.
Oh, it's all about speed.
Speed is key. But here's where it gets tricky. This whole cache system, it can actually be a security risk.
Wait, what? How?
See, modern CPUs are clever. They try to predict what data you'll need and prefetch it into the cache. Great for performance, but attackers can actually manipulate these predictions, tricking the CPU into accessing data it shouldn't. That's how those Spectre and Meltdown vulnerabilities work.
So my CPU trying to be helpful is actually a weakness.
It's a delicate balance. Windows has ways to mitigate the risk, though. Think of it like security checks, but optimized so they're not constantly slowing you down.
Like a super efficient airport security line.
Exactly. Now, let's move on to interrupts, DPCs, APCs. What are those?
Imagine you're focused on work and suddenly, fire alarm. You've got to drop everything and handle that.
Right, priority.
That's an interrupt for your computer, an urgent request that can't wait. And just like alarms, there are levels of urgency. That's where IRQLs come in, interrupt request levels.
So fire alarm versus doorbell.
Precisely. Make sure the most critical stuff gets handled first. But what happens after the fire's out? You still got to deal with the mess, but not right then.
Clean up time.
That's where deferred procedure calls come in, or DPCs. Like leaving yourself a note to deal with the less urgent stuff later.
So you don't get totally sidetracked. Exactly.
And the book even shows you how to watch these DPCs happening on your own computer in real time.
Pretty neat, like seeing the gears turning. Okay, we've got interrupts, DPCs. What about APCs?
Asynchronous procedure calls? Those are more like scheduled deliveries. They happen at specific times or when certain conditions are met.
So more organized chaos, in a way.
Yes. Some are for system tasks, others deliver messages to applications. All about keeping things running smoothly.
Like a well oiled machine. But so much going on we never see.
That's the beauty of it. And believe me, we're just scratching the surface.
So much happening behind the scenes in Windows. Before we jumped into this, we were digging into objects, handles, namespaces, like the Lego bricks of the OS. Exactly.
But you need more than bricks to build something complex, right? You need a way to make sure everything works together smoothly.
Like an orchestra, all the instruments in sync.
Perfect analogy. That's where synchronization comes in. Especially with multi-core CPUs, things can get chaotic fast without coordination. Too many cooks in the kitchen. Exactly. Windows has ways to make sure different parts of the system aren't fighting over the same resources. One basic tool: spin locks.
Spin locks? Sounds like a workout class.
Kind of. Imagine a revolving door, only one person through at a time. When a CPU needs to access some shared data, it grabs the spin lock, saying "mine now," and the others have got to wait.
First come, first served for CPUs. But what if the wait is long? Isn't that inefficient?
It can be. That's why there are queued spin locks, like a more organized line. No more CPUs constantly checking if the door's free.
So polite waiting in line. Exactly.
Then there are reader-writer spin locks. Think of a library. Many people can read a book at once, but only one can check it out to write in it.
Ah. So multiple CPUs can read data, but only one writes at a time.
Makes sense, right? Optimized for different use cases. And sometimes spin locks aren't the best tool, especially for long waits. That's where low IRQL synchronization comes in.
Low IRQL? Whoa, getting a bit technical now.
It is, but think of it like this. Instead of constantly checking the door, spin lock style, you get a signal when it's your turn. Dispatcher objects handle that, like traffic signals for CPUs.
So choosing the right tool depending on the situation.
Efficiency is key. And speaking of efficient, let's talk ALPC, Advanced Local Procedure Call.
Another acronym. What's that do?
It's the super highway for different processes on your computer to talk to each other, like internal messaging but fast.
So departments within Windows sending memos back and forth.
Good way to put it. And a key feature is handle passing. Sounds official. Imagine you've got a key to a safe deposit box. You want to give someone access, but not the actual key, so you give them a temporary pass, limited time only.
Delegating access without giving full control. Clever.
That's handle passing. And ALPC is optimized to the max. It uses things like completion lists to avoid unnecessary waiting around, like an express lane for data.
All about speed. So much going on we never realize. It's true.
Now for something a bit different. WNF, Windows Notification Facility.
Sounds like a news channel for Windows. Kind of.
It's a publish subscribe system. You subscribe to what interests you and get notified about changes. Different parts of Windows use this to stay in sync.
So no need to constantly check for updates. You just get them. Right.
And there are different state names, like categories for the info. Permanent ones for core stuff, persistent ones that survive restarts, and temporary ones for quick announcements.
Like breaking news versus scheduled programming.
Good analogy. One use of WNF is the System Events Broker. It tells those modern UWP apps about what's happening in the system.
Keeping everyone in the loop. Okay, switching gears a bit. Debugging.
Ah yes, debugging. The art of finding and fixing those nasty bugs that sneak into software, like being a detective for code.
Always wondered how that works.
The basics are simple. You attach a special tool, a debugger, to the program, and it lets you pause the program, look at its memory, go line by line.
Like putting it under a microscope.
Exactly. And in Windows, user mode debugging is a team effort: part of the OS, a helper in NTDLL, specific APIs, all working together.
Coordinated effort. The book mentioned debug events too. What are those?
Like trip wires telling the debugger something happened: process created, thread started, DLL loaded. You get notified so you can investigate.
Staying informed. Makes sense.
And there's a special case for Windows Error Reporting, or WER, that thing that pops up when an app crashes asking to send a report.
Oh yeah, see that all the time. Always wondered what it does.
Well, WER uses our friend ALPC to talk to the crashed process, even if it's badly damaged, and gathers info about what went wrong.
ALPC, always showing up.
It's versatile. Now for a topic everyone's heard of but maybe doesn't fully get: the registry.
Oh yeah, the registry. A bit intimidating, if I'm honest.
Understandable. It's got a reputation, but at its core it's just a database storing settings for everything in Windows.
Like a giant settings file for the whole OS. Exactly.
Hardware, user preferences, software, it's all in there. The central nervous system, you could say.
And it's organized, right, with those HKEY things. What are they all about?
Think different branches of government. HKEY_LOCAL_MACHINE, or HKLM, that's system wide settings affecting everyone. Federal level.
Okay, big picture stuff.
Then you've got HKEY_USERS for each user's specific settings, like state level control.
So changing something in HKLM affects everyone on the computer, but in HKEY_USERS it's just my account. Precisely.
And those modern UWP apps, they use application hives to store their settings separate from the rest.
Keeps things tidy, I guess. It does.
And the registry is built to be tough. It uses transactions, so changes are all or nothing. No partial updates that could mess things up.
Like a safety net for your settings. Exactly.
The book even shows how to use Process Monitor to watch registry changes in real time. Pretty cool if you're into that level of detail.
I might have to check that out. Okay, shifting focus a bit. Windows services. What are those all about?
The unsung heroes of the OS. Background processes doing all sorts of work, usually without you noticing.
Like the stage crew making sure the show goes on.
Precisely. Handling network stuff, printing, updates, tons of things. And the Service Control Manager, or SCM, is like the conductor.
Keeping the orchestra in tune.
You got it. Makes sure services start, stop, don't conflict. And it uses the registry as its cheat sheet.
So each service has its instructions in the registry.
Yep. Path to the program file, how it starts, dependencies, all in there, like a blueprint for the SCM.
Very organized. And what about service accounts?
Ah, that determines the security context a service runs under. Could be the Local System account, a specific user, or special ones like Local Service or Network Service.
Like different levels of access.
Exactly. Important for security, making sure a service only has the permissions it needs. And the book gets into how services are isolated from your user session for safety. That's why they don't usually pop up windows on your desktop, for example.
Makes sense, things could get messy otherwise. Okay, one more system to explore: the Windows Task Scheduler. I use it to automate stuff, but never thought about how it works.
Task Scheduler's like a personal assistant for your computer. Tells things when to run based on time or events.
Handy. The book mentioned different types of tasks, including hosted tasks, which are COM objects. What's that all about?
Hosted tasks are the power users. More complex, can do a wider range of actions, and being COM objects, they can be controlled in specific ways.
Like a scripting language within the scheduler.
You got it, more flexibility. The book even shows an example, the ProcessMemoryDiagnosticEvents task, and how to find the COM object behind it.
Getting into the weeds now, but it is fascinating.
It is. Okay, ready for another powerful tool? WMI, Windows Management Instrumentation.
WMI sounds a bit scary.
It's not once you get it. Think of it as a universal language for managing and monitoring almost anything in Windows.
So different parts of the system, and even different systems, can talk about management tasks. Exactly.
And at the heart of it are providers. Providers of what? Think of them like translators. They bridge the gap between WMI and the actual resources, like a provider for the registry, the file system, network adapters, you name it.
So if I want info on my network settings through WMI, I talk to the network adapter provider and it figures out how to get that info from the actual hardware.
Exactly. Different types too: ones for getting info, ones for doing things, ones that notify you about events.
Super versatile. The book even has a script showing how to use WMI to track process creation events.
It does. Practical example. Now, to go even deeper into monitoring: ETW, Event Tracing for Windows.
Sounds intense.
It's powerful. ETW is a high performance tracing system capturing detailed logs of events and performance data. Windows itself uses it a lot, and so do many apps and drivers.
Like a flight recorder for your computer.
Exactly. Great for troubleshooting, finding performance bottlenecks, seeing how everything interacts.
Lots of uses. The book talked about providers, sessions, loggers, consumers. What are all those?
Okay, think of it like a news organization. Providers are the reporters creating the news, the events. Sessions are like specific news programs, grouping related events together.
Okay, I'm following.
Loggers are the cameras and recording equipment capturing the news, and consumers are the viewers analyzing the broadcasts.
So providers make the events, sessions organize them, loggers capture them, consumers analyze them.
Got it in one. And like news, there are different types of providers: kernel mode for OS stuff, user mode for applications, specialized ones for things like networking.
Covers all the bases. The book had an experiment about tracing TCP/IP traffic using the kernel logger and Performance Monitor.
Right, yep. Hands on way to see how ETW can help with network troubleshooting.
Definitely got to try that. Okay, last but not least, Windows Error Reporting, or WER. Gets a bad rap sometimes, but it's there to help.
WER's the crash investigator, handling those unfortunate moments when an app goes belly up. Gathering evidence. Precisely, collects info about the crash, lets you send a report to Microsoft.
And the book explained how WER uses our friend ALPC to talk to the crashed process even if it's barely functioning.
Right. Robust system, making sure at least some information is salvaged, like a black box recorder, but for software.
Pretty amazing stuff. So there we have it, a whirlwind tour of Windows internals.
We covered a lot CPUs, registry threads, debugging, error reporting.
It makes you realize how much is happening every time you click something, and how much clever engineering is behind it all.
Absolutely. If you're even a little bit curious about how computers really work, Windows Internals is worth checking out. Challenging, but yes, so rewarding.
And we'll be right back after a quick break to wrap up this deep dive and leave you with some final thoughts.
We're back wrapping up our Windows Internals deep dive. It's been a lot.
It has CPUs to the registry, threads, dancing around, debugging magic.
It's amazing how it all comes together. This OS we use every day.
Right, powerful and surprisingly resilient when you see what's going on under the hood.
For me, the big takeaway is the sheer optimization of it all.
Oh, Absolutely, every little thing, from caching data to how processes talk to each other designed for speed, like a finely tuned engine.
It's true, and that's what makes Windows internals so fascinating, not just how it works, but the cleverness behind it right.
The attention to detail is incredible. If you're at all curious about tech, about what really makes computers tick, this book is a must read. Challenging, yeah, but worth it. Like getting a peek behind the curtain of your own machine.
It makes you realize how much we take for granted, clicking away.
On the surface, and it leaves you wanting to learn more. What's next for you? In terms of Windows knowledge any rabbit holes calling your name?
You know what always gets me is how operating systems evolve. Windows has come a long way and it's not stopping. I'm really curious to see how things like cloud computing, AI, how those shape the future of Windows.
That's a great point. Exciting times ahead. Who knows what we'll see, But that drive to explore, to keep learning, that's key, right.
Absolutely, There's always more to uncover. It never ends.
So to everyone listening out there, keep that curiosity alive. Don't be afraid to dig deeper, ask questions, explore.
The more you learn, the more you realize how much there is to know.
And that's what makes the world of tech so endlessly fascinating. Until next time, happy exploring, everyone,
