“Modern” Windows Internals Update

Course Description

Duration: 3 Days

Specially designed for attendees who took a Windows Internals training course more than five years ago, this course provides a thorough review of all the new features added in Windows 8 and later, up to the very latest Windows 11 “Germanium” releases, such as Version 24H2, as well as the “Selenium” Version 25H2 / Windows Server 2025. Attendees will first be presented with the significant improvements in the Windows Debugger, including support for NatVis/LINQ, JavaScript, Time Travel Debugging (TTD), and the new Symbol Composition capabilities. Updates to Windows fundamentals follow, such as how system calls are made, interrupts, security assertions, and more, continuing with platform security changes to Secure Boot, Control-flow Enforcement Technology (CET) / Shadow Stacks, and an introduction to Flexible Return & Event Delivery (FRED).

Next, the course continues with changes in the executive such as Object Manager Footers, Extended Object Types & Parse/Close Callbacks, Handle Usage References, as well as improvements to the User-Mode Loader. New notification and extension mechanisms such as the Windows Notification Facility (WNF) and Extension Hosts are introduced.

Following an in-depth update on the Process Manager (which includes a description of Protected Process Light, VTL 1 Secure Processes, and VBS Enclaves, as well as new Job Object capabilities), attendees will learn about changes in the Thread Scheduler such as the Desktop Activity Monitor (DAM), Priority Inheritance, Quantum Donation & Directed Switch, plus the move to a Shared Ready Queue for scalable thread selection. Finally, this section covers the new Windows Container, Centennial/UWP, and Win32 App Isolation support provided through the App & Server Silo features.

The course finishes with an entire day on all the new security-related changes to Windows. These include the addition of over 45 new mitigations; Virtualization-Based Security such as Device Guard & Credential Guard; application sandboxing through AppContainer; changes to the basic authentication security model through Attribute-Based Access Control (ABAC) & Centralized Access Protection (CAP) with Dynamic Access Control (DAC); and finally the implementation of DRTM Secure Launch, Measured Boot, FAST, the new Kernel-Mode Code Signing (KMCS) Signing Policies & Hypervisor-Based Code Integrity (HVCI), and anti-malware extensions such as Early Launch Anti Malware (ELAM), Anti Malware Scan Interface (AMSI), Secure ETW, and Image Signature Callbacks.

Refresher Course Outline

  • Introduction
  • Modern Windows Debugging
  • Updated OS Fundamentals
  • New Executive Features
  • Platform Security & Integrity Improvements
  • Process Sandboxing Technologies
  • Exploit Mitigations

In-Depth Topics

The following topics and concepts are covered in the first days of the course:

Forensics & Analysis

WinDBG Network Debugging, NatVis Support, Language-Integrated Natural Query (LINQ), Modern Scripting with JavaScript ES 6, Time Travel Debugging (TTD), Symbol Composition.

System Architecture

Heterogeneous Processors, Process-Dedicated CPU Sets, Changes to Interrupt Dispatching, Interrupt-Based System Calls, CET, FRED, SGX

Executive Components

MinWin Dependency Decoupling, Memory Layout Changes, Memory Partitions, Object Manager Private Namespaces, Object Footers and Extended Types, Handle Table Changes, Win32k Refactoring & Isolation, Windows Notification Facility (WNF), Extension Hosts

Processes, Threads, and Jobs

Minimal & Pico Processes, Windows Containers, Network & I/O Rate Control, Shared Ready Queue, Directed Switch, Desktop Activity Manager (DAM)

With a heavy focus on security changes during the last day:

System Fundamentals

Security Assertion Calls, Hypervisor-aware, I/O APIC, ELAM, AMSI, Signature Callbacks, Secured ETW

System Security

UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard, PatchGuard, HyperGuard, System Guard Runtime Assertions

Process Sandboxing & Protection

User-mode Loader & Protected Policies, AppContainer, Protected Process Light (PPL), Secure Processes (Trustlets), VBS Enclaves, App & Server Silos

Exploit Mitigations

Arbitrary Code Guard (ACG), Control Flow Guard (CFG), Shadow Stacks, Context Validation, KASAN, User-Mode Font Loading, Code Integrity Guard (CIG), Hypervisor Page Table Protection (HVPT/HLAT).