INT250 - Windows Internals Workshop

Our "flagship" Windows Internals seminar, covering more topics in more detail and with more hands-on time.

Level: Intermediate
Audience: Applications developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; I.T. support personnel.

This workshop-format seminar is similar in overall content and objectives to our Core Windows Internals seminar (INT201). However, it covers the material in greater detail and addresses several additional topics, particularly in the areas of user mode architecture, security, and system startup and login.

In this workshop the attendee will learn the organization, function, and interactions of the most important components of the Windows operating system. We closely examine several key parts of the system, including user-to-kernel mode transitions, internal synchronization mechanisms, thread scheduling, memory management, the I/O subsystem, and security. In many cases will examine these components' behavior and their interaction with each other by using the Windows Debugging Tools. 

Particular attention is paid to security and other features and enhancements that were added to Windows with Windows Vista and later.

  • Windows general architecture and components
    • General principles
    • 32- and 64-bit address spaces
    • Execution context: Processes, threads, and "others"
    • Windows services (background processes)
    • Kernel mode components
    • Tools for investigating and monitoring
    • Introduction to the Windows Debugging Tools
  • User mode architecture and components
    • Processes and address space
    • Executable file format
    • User mode memory management
    • Threads
    • Process and thread components and data structures
    • Program execution environment
    • User to kernel mode calls
    • Environment subsystems
    • Supporting the Windows GUI
    • Process and thread creation and deletion
    • Backwards compatibility
    • Process and thread creation and deletion
  • Kernel mode architecture and components
    • User to kernel mode calls, part 2 (system service dispatcher)
    • Objects and handles; object manager
    • Security: Discretionary access controls
    • The registry
    • Kernel mode execution environment
    • Interrupt-driven contexts
    • Deferred Procedure Calls (DPCs)
    • Kernel mode synchronization mechanisms
    • Kernel memory allocation
    • Thread scheduler
    • Virtual memory manager
    • I/O subsystem, device drivers, and file cache
  • Security architecture and components
    • Security concepts
    • Windows security features
    • Windows security components and implementation
    • BitLocker
    • Additional security and reliability mechanisms
  • Startup and login
    • Standard startup
    • Secure startup
    • Common startup
    • Login
Prerequisites: Experience using, administering, or developing for Windows, and familiarity with basic operating system concepts.
Operating systems supported: This seminar primarily addresses Windows 7 through Windows 10 and Windows Server 2012 R2. Most of the material is applicable to earlier versions of Windows. Earlier versions can be specifically addressed upon request.
Durations and formats: 5 days with labs
Labs: We follow nearly every discussion of key operating system mechanisms, principles, or concepts with  lab exercises. We have you exercise or manipulate the part of the system described, and then examine displays that confirm the expected results. We also have you look for interactions with, and effects on, the rest of the system. This seminar is only available with labs. For lecture-only versions of some of this material, please see the Windows Internals Essentials seminars (INT150, INT151). In the lecture-only version, the lab exercises are replaced with brief demonstrations by the instructor.
Additional information:

Short formats and Related Seminars

INT201, Windows Internals, covers much of this material but with less detail in many areas. In general we would recommend INT201 for device driver developers and those performing debugging-related tasks. We would recommend this seminar for user mode (application) developers, system administrators, and those interested in in-depth coverage of Windows security. We also offer INT205, Windows Internals Update, for those already familiar with Windows operating system internals from previous versions. SEC240, Windows Security, covers most of the security-related topics from this seminar, with additional information on various security features, including Windows cryptography.


Although there is certain core material that we feel is essential  for all attendees, some areas can be more or less emphasized according to the attendees' requirements, and certain material can be omitted completely.