Leanpub Header

Skip to main content

Windows Internals: Architecture of Modern Microsoft Operating Systems

From Boot to Shutdown — Kernel Design, Security, Virtualization, and Debugging in Windows 10, 11, and Server

This book is 100% completeLast updated on 2026-07-09

Discover how Windows really works beneath the desktop. From boot to shutdown, this book provides a practical, in-depth exploration of the Windows NT kernel, covering architecture, memory management, security, virtualization, debugging, and more for developers, security professionals, and advanced students.

Minimum price

$19.00

$29.00

You pay

Author earns

$

Also available for 1 book credit with a Reader Membership

PDF
EPUB
WEB
APP
About

About

About the Book

Modern Windows is the most widely deployed desktop operating system in the world, yet its internals remain opaque to all but a small community of kernel developers, security researchers, and systems programmers. This book bridges that gap. It provides a comprehensive, technically rigorous treatment of the Windows NT kernel architecture from power-on through shutdown, covering the boot process, kernel initialization, memory management, process and thread scheduling, I/O subsystem, file systems, security architecture, virtualization technologies, debugging tools, and modern exploit mitigations. Every chapter includes annotated code snippets, data structure layouts, WinDbg debugging sessions, practical experiments, and comparisons with Linux where illuminating. This book is intended as a graduate-level textbook and professional reference for operating system developers, systems programmers, security researchers, reverse engineers, malware analysts, digital forensics practitioners, and advanced computer science students.

Bundle

Bundles that include this book

Author

About the Author

Steve T. Publications

Steve T. is a cybersecurity leader, researcher, and engineer with more than 20 years of experience across application security, infrastructure security, vulnerability management, software development, and secure engineering practices. Having built his career alongside the growth of the modern internet, he has worked through multiple generations of technology, evolving security threats, and changing development methodologies.

He is currently part of the advanced research organization at a leading cybersecurity company, where he focuses on emerging threats, security innovation, and the practical application of research. His work involves investigating new attack techniques, evaluating emerging technologies, conducting deep technical analysis, and helping organizations better understand and manage complex security risks.

In addition to his research responsibilities, Steve leads a team of senior engineers and subject matter experts who create technical books, training programs, and educational resources for security professionals. Through this work, he helps engineers, developers, architects, and security practitioners strengthen their skills and build more secure systems.

Steve's technical expertise spans software development, reverse engineering, web application security, penetration testing, security architecture, incident response, vulnerability research, operating system internals, and secure software development. His ability to analyze systems at both the source code and binary levels enables him to bridge the worlds of software engineering, security research, and practical defense.

Over the course of his career, Steve has worked with organizations across a wide range of industries, helping them identify, assess, and remediate security weaknesses in critical applications and infrastructure. He is recognized for combining deep technical expertise with a pragmatic approach to security, focusing on solutions that are effective, sustainable, and aligned with business goals.

Through his work in research, engineering, leadership, and education, Steve continues to contribute to the advancement of cybersecurity and the development of secure, resilient technology systems.

Contents

Table of Contents

From Boot to Shutdown — Kernel Design, Security, Virtualization, and Debugging in Windows 10, 11, and Server

Introduction

Chapter 1: The Windows Boot Process — From Power-On to Desktop

  1. UEFI Firmware and the Handoff to Bootmgr
  2. Boot Configuration Data (BCD) and Dual-Boot Architecture
  3. Kernel Loading: winload.efi, Registry Hives, and Driver Initialization
  4. Session Manager Subsystem (smss.exe) and the First User-Mode Process
  5. Winlogon, Services Control Manager, and Desktop Startup
  6. Common Boot Failures and Recovery Mechanisms

Chapter 2: The Windows Kernel Architecture — Kernel, Executive, and HAL

  1. Historical Context: OS/2, NT 1.0, and the Hybrid Microkernel Design
  2. The Kernel Proper (ntoskrnl.exe): Threads, Synchronization, IPC, Interrupts
  3. The Executive Subsystems: Object Manager, I/O Manager, Security Reference Monitor, Memory Manager, Process/Thread Manager, Cache Manager, Configuration Manager, Power Manager
  4. Hardware Abstraction Layer (HAL): ACPI, Multiprocessor Support, and Abstracted Hardware Interfaces
  5. Kernel Mode vs. User Mode: Privilege Levels, Ring 0/Ring 3, and the Transition Boundary

Chapter 3: System Calls, Interrupts, and Exception Handling

  1. The System Call Interface: Nt* API Functions and the syscall Instruction
  2. System Call Dispatch: KiSystemService, Fast Calls, and Argument Copying
  3. Hardware Interrupt Processing: IDT, ISR/DPC Model, and Interrupt DPCs
  4. Software Exceptions: Structured Exception Handling (SEH), Vectorized EH, and Exception Propagation
  5. Debug Exceptions and the Kernel Debugger Interface
  6. Comparison with Linux syscalls and interrupt handling

Chapter 4: Process and Thread Management

  1. EPROCESS and ETHREAD Internal Structures
  2. Process Creation: NtCreateProcess, PEB/TEB, and DLL Loading
  3. Thread Creation and the Thread Environment Block (TEB)
  4. Context Switching: KTHREAD, Save/Restore, and Stack Management
  5. Job Objects and Process Groups
  6. Comparison with Linux task_struct, fork/exec Model

Chapter 5: The Windows Scheduler — Preemption, Priority, and Quantum Management

  1. Priority Levels and Priority Classes (Idle, Below Normal, Normal, Above Normal, High, Real-Time)
  2. Time Quantum Allocation and Dynamic Priority Boosting
  3. Multiprocessor Scheduling: Processor Affinity, NUMA Awareness, and the Ready Queue
  4. I/O Completion Ports and Asynchronous I/O Scheduling
  5. Real-Time Threads and Starvation Prevention
  6. Comparison with Linux CFS Scheduler

Chapter 6: Virtual Memory Management — Address Spaces, Paging, and Physical Memory

  1. Virtual Address Space Layout: User Mode vs. Kernel Mode Split
  2. Page Tables: CR3, PML4/PDP/Directory/Page Table Hierarchy, and Hardware Support
  3. Page Fault Handling: Demand Paging, Copy-on-Write, and Hard/Soft Faults
  4. Working Set Management: Eviction, Trimming, and the Standby List
  5. Physical Memory Manager: PFN Database, Memory Partitions, and NUMA Nodes
  6. Shared Sections, Mapped Files, and Section Objects

Chapter 7: Synchronization Primitives and Interprocess Communication

  1. Kernel Synchronization: Mutexes, Semaphores, Events, and Critical Sections
  2. Wait Mechanisms: KeWaitForSingleObject, Alertable Waits, and Timeout Handling
  3. Interlocked Operations and Atomic Instructions (CMPXCHG, LOCK prefix)
  4. Interprocess Communication: Mailslots, Named Pipes, LPC/ALPC, Shared Memory
  5. Reader/Writer Locks, Slim Reader/Writer (SRW), and Spinlocks
  6. Deadlock Detection, Debugging Synchronization Issues

Chapter 8: The I/O Manager and Driver Architecture

  1. I/O Request Packets (IRP): Structure, Stack Locations, and Completion Routines
  2. The Driver Object and Device Object Model
  3. Dispatch Routines: Major Function Codes and IOCTL Handling
  4. Filter Drivers: Upper/Lower Filters and Stream Inspectors
  5. Plug and Play Manager: Device Enumeration, Power Management, and Resource Assignment
  6. Windows Driver Kit (WDK): KMDF, UMDF, and Modern Driver Development

Chapter 9: Storage Stack, File Systems, and NTFS Internals

  1. The Storage Stack: Classpnp, Disk.sys, Storport, and SCSI/Storage Miniport Drivers
  2. Filter Manager and Volume Snapshots (VSS)
  3. NTFS File System Architecture: MFT, B-Trees, Resident vs. Non-Resident Attributes
  4. NTFS Data Structures: Boot Sector, Master File Table, Attribute Lists, Security Descriptors
  5. ReFS, FAT32, exFAT, and the File System Filter Framework
  6. Storage Spaces, Tiered Storage, and DirectStorage

Chapter 10: Networking Stack — From TCP/IP to Winsock

  1. The TCP/IP Protocol Stack: Tcpip.sys, NDIS, and Protocol Drivers
  2. Network Driver Interface Specification (NDIS): Miniport Drivers and Filter Drivers
  3. Winsock 2 API: Socket Implementation, Overlapped I/O, and IOCP Integration
  4. TCP Connection State Machine and Performance Tuning
  5. Windows Filtering Platform (WFP) and Firewall Architecture
  6. SDN, Hyper-V Virtual Switch, and Container Networking

Chapter 11: Security Architecture — Tokens, Privileges, Authentication, and Mitigations

  1. Access Tokens: Structure, Privileges, Mandatory Levels, and Impersonation
  2. Security Reference Monitor (SRM): ACL Evaluation, Object Security Descriptors, and Access Checks
  3. Local Security Authority (LSASS): Authentication Packages, Kerberos, NTLM, and Credential Management
  4. Integrity Levels and Mandatory Integrity Control (MIC)
  5. Modern Exploit Mitigations: DEP, ASLR, CFG, Stack Cookies, and Guard Pages
  6. Kernel Exploit Mitigations: PatchGuard, KASLR, and Pool Vulnerability Protection

Chapter 12: Virtualization — Hyper-V, Containers, and WSL

  1. Hyper-V Architecture: Root Partition, Child Partitions, Virtual Processor Scheduling, and vGPU
  2. Hardware Virtualization: Intel VT-x/AMD-V, Nested Paging/EPT, and Direct Execution
  3. Windows Containers: Process Isolation, Hyper-V Isolation, and the Container Runtime
  4. Windows Subsystem for Linux (WSL): WSL1 Translation Layer, WSL2 Lightweight VM, and Interop
  5. Device Emulation, Paravirtualization, and SR-IOV

Chapter 13: Debugging, Performance Analysis, and Crash Dump Forensics

  1. WinDbg Fundamentals: Breakpoints, Symbol Loading, Extension Commands (exts), and Debugger Scripts
  2. Kernel Debugging: Serial/1394/USB/Network Debugging and Live Kernel Dump
  3. Event Tracing for Windows (ETW): Providers, Sessions, Manifests, and Analysis with PerfView/Xperf
  4. Crash Dump Analysis: Full/Memory/Hiberfil Dumps, Analyzing BSODs, and Common Bug Checks
  5. Performance Counters, Sampling Profilers, and Memory Leak Detection
  6. Practical Case Studies: Real Debugging Scenarios and Forensic Investigations

Chapter 14: Modern Security — VBS, HVCI, Credential Guard, and the Future

  1. Virtualization-Based Security (VBS): Isolated Memory Regions and Secure Launch
  2. Hypervisor-Protected Code Integrity (HVCI): Kernel Mode Signing Enforcement and DMA Protection
  3. Credential Guard: Protected LSASS, Secure Boot Chain, and Identity Protection
  4. Windows Defender Application Control (WDAC) and Attack Surface Reduction Rules
  5. Secure Boot, TPM Integration, and Measured Boot
  6. Future Directions: Confined Virtualization, Pluton SoC, and Zero Trust Architecture

Conclusion

References

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $15 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub