WSC250 - Windows Internals Workshop for Code Center Premium

This seminar provides a comprehensive guided tour through, and analysis of, the internal design, implementation, and operation of the major components of the Windows operating system, with a corresponding tour of the Windows source code.

Level: Intermediate

Microsoft Code Center Premium licensees for Microsoft Windows source code for all Windows versions, Windows 2000 and later.

This workshop is for authorized source code licensees, as determined by Microsoft. If you have any questions about whether you are an authorized licensee, please contact the Windows Source Licensing Team.

For information on obtaining source access, please visit the Microsoft Shared Source site.


In this workshop the attendee will learn the organization, function, and interactions of the most important components of the Windows operating system, and where to find those components in the source code tree. We closely examine several key parts of the system, including user-to-kernel mode transitions, internal synchronization mechanisms, thread scheduling, memory management, the I/O subsystem, and security. Particular attention is paid to security and other features and enhancements that were added to Windows with Windows Vista and later.

While discussing each area or component of the operating system, we visit the corresponding branches of the source tree, identifying the most important source files and the key or "top level" routines and data structures. Many such routines are studied in detail.

Since the Windows source tree is very large, the code examined in the seminar must of necessity represent only a tiny fraction of what is available. Our purpose is to show the overall structure of the code; to illustrate certain concepts and implementation details which we feel are both non-obvious and essential to understand; and to enable you to find and understand the code in which you are interested after the seminar. We also show how we used the search facilities of Code Center Premium to find the source code files under discussion.

We will show you how to analyze a running Windows operating system or a memory dump file and find the Windows source code corresponding to each Windows-supplied executable, DLL, device driver, or other component in the system.

Finally, we address the use of the source code via Code Center Premium with the Windows Debugging Tools. Several memory dump analysis and "live" system debugging scenarios are presented in the form of lab problems.

  • Code Center Premium
    • General description
    • Installing and connecting (demonstration)
    • Troubleshooting connection issues
    • First look at directory tree structures
    • Search tools, strategies, and techniques
  • Windows general architecture, components, and source tree structure
    • General principles
    • 32- and 64-bit address spaces
    • Execution context: Processes, threads, and "others"
    • Windows services (background processes)
    • Finding source code for Windows processes
    • Kernel mode components
    • Tools for investigating and monitoring
    • Introduction to the Windows Debugger
  • User mode architecture and components
    • Processes and address space
    • Executable file format
    • User mode memory management
    • Threads
    • Process and thread components and data structures
    • Program execution environment
    • User to kernel mode calls
    • Environment subsystems
    • Supporting the Windows GUI
    • Process and thread creation and deletion
    • Backwards compatibility
    • Explorer and Internet Explorer
    • .NET
  • Kernel mode architecture and components
    • User to kernel mode calls, part 2 (system service dispatcher)
    • Objects and handles; object manager
    • Discretionary access controls
    • The registry
    • Kernel mode execution environment
    • Interrupt-driven contexts
    • Deferred Procedure Calls (DPCs)
    • Kernel mode synchronization mechanisms (IRQLs, spinlocks, resources)
    • Kernel memory allocation
    • Thread scheduler 
    • Virtual memory manager
    • I/O subsystem, device drivers, and file cache
  • Security architecture and components
    • Security concepts
    • Windows security features
    • Windows security components and implementation (WinLogon, LSASS, Security Reference Monitor)
    • BitLocker
    • Additional security and reliability mechanisms
  • Startup and login
    • Standard startup
    • Secure startup
    • Common startup
    • Login
  • Memory dump analysis and live debugging
    • Debugging with source code access
    • Compiler optimizations
    • Relating assembly language to source
    • Debugging with incomplete or older sources
    • Understanding bugcheck codes and stack traces
    • The debugger as source analysis tool
  • Experience with Windows at at least the "power user" or administrator level; and
  • Familiarity with basic operating system concepts; and
  • Reading familiarity with the C programming language; and
  • Access to Windows source code via Code Center Premium.
Operating systems supported: Windows 2000 through Windows 10/Windows Server 2012 R2
Durations and formats: 5 days with labs

This seminar is presented in a mixed lecture, demonstration, and lab format. The seminar leader will frequently use various utilities (including the Windows Debugger) to demonstrate key points, and students will be encouraged to perform the same exercises on their systems. In some topic areas, particularly debugging, there are distinct lab periods with problems for the attendees to solve.

All attendees must be approved Code Center Premium users.