Our training courses not only cover Windows user-mode and kernel-mode developer topics, such as scheduling and memory management, but also architectural topics such as x64 page table translation, x86 segmentation, and I/O APIC redirection. For security-minded organizations, our courses are tailored to include examples of past exploits at both the software and hardware level, as well as future possibilities and architectural weaknesses.
Classes include deep analysis of multiple Windows OS and Intel CPU mitigations and features, such as usage of Intel VT-x/Virtualization & Mode-Based Execution Control (MBEC), Supervisor Mode Execution Prevention (SMEP) vs. Restricted User Mode (RUM), Isolated User Mode (IUM) vs. Software Guard Extensions (SGX), Non-Privileged Instruction Execution Prevention (NPIEP) vs. User-Mode Instruction Prevention (UMIP), Return Flow Guard (RFG) vs. Control-flow Enforcement Technology (CET), Control Flow Guard (CFG) and more.
Updated once every quarter, courses always include the latest developments in OS and CPU architecture, including Windows 10 “Redstone 1” / Anniversary Update, the upcoming “Redstone 2” / Creator’s Update & Intel Kaby Lake Microarchitecture, as well as the new “Redstone 3” Insider Previews.
Windows Internals (Developer/Security)
Offered in two tracks (one geared towards security experts, and one for developers), this thorough course on the Windows kernel (both from a functional and programmatic view) and its related system components is available in either a 4-day or 5-day hands-on version.
Windows Internals Advanced
Offered exclusively as an add-on to the developer track of the Windows Internals course, this 5-day hands-on course integrates all of the concepts from the security track and adds additional security-related material, while also going deeper into developer-focused topics.
Windows Filter Drivers for PSP, Endpoint & AV
This entirely hands-on course, available in 5 days, covers the end-to-end development of a Windows driver that acts as a Process, Thread, Registry, Object, File System and Network filter driver, plus a section for AV Vendors dealing with AMSI, Secure ETW, and Windows Security Center.
“Modern” Windows Internals Update
This special 3-day course is available to organizations that completed a Windows Internals course with us in the past (or potentially with a different training organization) and that specifically require an updated “refresher” course to cover changes made in Windows 8 and Windows 8.1, as well as the four updates released for Windows 10 (“Threshold” TH1 and TH2, and “Redstone” RS1 and RS2).
Windows UEFI & ACPI Development
This course is a hands-on 5-day course (also available as a 3-day lecture-only version) on the end-to-end development and debugging of a UEFI Secure Boot Application and Runtime Driver in a UEFI OVMF environment, including mechanisms that cover the interaction with the Windows Boot Architecture (such as chain-loading Bootmgr and/or hooking Winload) and the ACPI Standard.
Custom Add-On Content Modules
Not an individual course, but rather a number of additional course modules available in customized offerings on a case-by-case basis with individual customers, our add-on modules cover things such as Crash Dump Analysis and Troubleshooting, Hyper-V, TCP/IP and NTFS Forensics, Low-Level Platform Security (SMM, ME, SGX), Advanced Exploitation Techniques and Counter-Mitigations & more.
Alex Ionescu, who is the sole instructor for these courses, has been conducting Windows internals training for a decade, including at Microsoft itself. He is also the coauthor of the Windows Internals books. Alex is not a career teacher/trainer — he has 5 years of experience developing on the iOS and macOS kernels at Apple, and has worked for almost two decades in various lead kernel & system development roles.
With our instructor’s deep knowledge of NT since version 3.1, as well as Linux and OS X experience, you’re not just getting an enumeration of Windows features and behaviors — you’ll learn why Windows does certain things, how decisions changed over each release, and how other architectures and systems do the same tasks (and why sometimes they do so differently).
Our first two courses are a selection of our large catalog of Windows internals topics that we consider the most critical to cover in up to 5 days. Whether your interests lie in NTFS, SMM, TXT, or other kernel, microarchitecture, or platform technologies, we probably have additional material we can customize to accommodate you.
Winsider does not run these courses at fixed locations in the US. Instead, we come to you, (almost) anywhere in the world, and train your individual team, group, or organization in a private setting of your choosing.