Index
Symbols
! (exclamation points), 40
64-bit address space layouts, 357–359
64-bit extended systems, 50
A
AAM (Admin Approval Mode), 729
access
access masks, 624
ACEs (access control entries). See ACEs
ACLs (access control lists). See ACLs
object access auditing, 679–681
access control entries. See ACEs
access control lists. See ACLs
access masks, 624
accounting (quantums), 233
accounts
Bypass Traverse Checking privilege, 675
User Account Control. See UAC
Owner Rights SIDs, 662
activation contexts, 163
64-bit address space layouts, 357–359
ARM address space layouts, 356–357
canonical addresses, 359
image bias, 368
setting address limits, 363–364
user address spaces. See user address spaces
viewing address usage, 361–363
x64 virtual address limitations, 359
x86 address space layouts, 349–352
x86 system address space layouts, 352–353
ARM virtual address translation, 381–382
overview, 371
x64 virtual address translation, 380–381
x86 virtual address translation, 371–375
Address Windowing Extensions (AWE), 22, 323–324
addresses, canonical, 359
Admin Approval Mode (AAM), 729
administrative rights (UAC), 729–732
advanced audit policy, 683–684
affinity manager, 336
extended affinity masks, 276–277
symmetric multiprocessing, 53
allocating
address spaces
API Sets (image loader), 173–176
APIs (application programming interfaces)
API Sets (image loader), 173–176
COM (component object model), 5
overview, 4
brokers, 709
lowboxes, defined, 134
overview, 684
security environment. See security environment
application programming interfaces. See APIs
applications. See also processes
APIs. See APIs
AppContainers. See AppContainers
classic apps, 103
desktop apps, 103
immersive apps, 103
large address spaces, 351
modern apps, 103
applying priority boosts, 249
architecture
ARM address space layouts, 356–357
ARM virtual address translation, 381–382
ASLR. See address spaces
compilers, 753
fast fail failure codes, 754–756
operating system, 753
assigning
assured authentication, 718–719
asymmetric multiprocessing, 51
asynchronous I/O, 511
attributes
AppContainer security, 695–697
trustlets, 125
advanced audit policy, 683–684
object access auditing, 679–681
authentication
policies (Credential Guard), 616–617
viewing active logon sessions, 715–717
Autoboost, 254
AWE (Address Windowing Extensions), 22, 323–324
B
balance set manager
priority boosts, 247
binary planting, 160
BNO isolation, 708
brokers (AppContainers), 709
buckets (heaps), 335
built-in trustlets, 125
bus drivers, 493
Bypass Traverse Checking Privilege, 675
C
caching files, 513
calculating load address, 368–369
cancelling I/O
overview, 537
thread termination, 539
canonical addresses, 359
catalog files (Plug and Play), 574
CBAC (Claims-Based Access Control), 667
CC (Common Criteria), 607
CFG (Control Flow Guard), 741
CFI (control flow integrity), 740
checked build (kernel debugging), 57–58
checking large address space support, 351
Claims-Based Access Control (CBAC), 667
class drivers, 494
classic apps, 103
classification, memory combining, 461
clients, memory limits, 447–449
clock interval, 232
clustered page faults, 387–388
collided page faults, 387
COM (component object model), 5
combining memory
classification, 461
combined pages release, 464–465
page combining, 462
searching, 460
command prompt windows, opening, 13
commands
! (exclamation points), 40
!address, 746
!cpuinfo, 233
!dbgprint, 58
!dd, 380
!devstack, 521
!dq, 379
!file, 408
!fileobj, 509
!heap, 338
!heap -s, 340
!irpfind, 521
!list, 167
!lookaside, 331
!memusage, 410
!numa, 270
!partition, 448
!pfn, 443
!poolused, 328
!popcaps, 597
!popolicy, 598
!prcb, 77s
!process, 109, 180–181, 197, 261, 518
!runas, 180
!sd, 655
!session, 353
!silo, 189
!smt, 268
!sysptes, 355
!thread, 109, 197–199, 201, 261, 518
!token, 637
!vad, 402
!verifier, 557
!vm, 307
!vm 4, 355
!wdfkd.wdfldr, 580
!wmiprint, 58
!wsle, 420
at, 8
AuditPol, 682
bang commands, 40
cron, 8
dd, 380
docker, 190
dump, 40
lm, 112
poolmon, 327
powercfg /a, 592
powercfg /h, 591
powercfg /list, 598
q, 43
runas, 101
schtacks, 8
u, 71
ver, 3
winver, 3
commit charge
memory manager, 313
page faults. See page faults
commit limit
memory manager, 313
committed pages (private pages), 310–313
Common Criteria (CC), 607
communication, secure, 614–615
compilers, assertions, 753
component object model (COM), 5
components
concurrency (threads), 542
configuring
Connected Standby, 594
consent elevation (UAC), 729
consoles, 67
container notification (I/O), 552
containers (silos)
ancillary functionality, 189–190
overview, 183
context switches, 215
contexts
activation contexts, 163
context switches, 215
directed context switch, 19
image loader, 163
threads, 18
Control Flow Guard. See CFG
control flow integrity (CFI), 740
controlling
converting attributes, 131–135
cores (threads), 52
authentication policies, 616–617
passwords, 613
UEFI, 616
credential providers (DLLs), 98
CSR_PROCESS data structure, 105, 111–112
CSR_THREAD data structure, 195, 205–206
D
DAC (Dynamic Access Control), 666
DACLs. See ACLs
data
Data Execution Protection (DEP), 319–321
processes
!process command, 109
DXGPROCESS, 105
ETHREAD, 105
threads
databases
loaded modules database, 164–168
deadline scheduling, 254
debuggers
debugging
DebugActiveProcess function, 39
DebugBreak function, 194
kernel debugging. See kernel debugging
Debugging Tools for Windows (kernel debugging), 38–42
user-mode debugging, 39
viewing type information, 41–42
Deferred Procedure Calls (DPCs)
stacks, 401
demand paging, 413
DEP (Data Execution Protection), 319–321
Dependency Walker
desktop apps, 103
determining access (ACLs), 659–665
bus drivers, 493
class drivers, 494
dispatch routines, 504, 517–518
Driver Verifier. See Driver Verifier
filter drivers, 493
function drivers, 493
IRPs
layered drivers
power manager, 596
Universal Windows Drivers, 85
WDF. See WDF
WDK (Windows Driver Kit), 43–44
device objects (device drivers), 500–507
devices
drivers. See device drivers
DFSS (dynamic fair share scheduling), 289–292
directed context switch, 19
device drivers, 504
dispatchers, 215
displaying. See viewing
DLLs
credential providers, 98
DllMain function, 154
image loader
safe DLL search mode, 160
viewing DLL load search order, 163–164
overview, 8
subsystem DLLs, 48
DPCs (Deferred Procedure Calls)
stacks, 401
driver objects (device drivers), 500–507
memory
IRQL checking, 557
low resources simulation, 557–558
drivers. See device drivers
dump command, 40
DXGPROCESS data structure, 105
Dynamic Access Control (DAC), 666
dynamic allocation (address spaces), 359–365
dynamic fair share scheduling (DFSS), 289–292
E
EMET (Enhanced Mitigation Experience Toolkit), 370
Enhanced Mitigation Experience Toolkit (EMET), 370
entries (PFN), 443
enumeration (devices), 561–563
environment (AppContainers security)
viewing security attributes, 695–697
EPROCESS data structure, 105–108
ETHREAD data structure, 105, 194–201
events
examining. See viewing
exclamation points (!), 40
executing initial thread, 148
executive process object, 138–143
executive resources (priority boosts), 242–243
exiting threads, 260
experiments
Bypass Traverse Checking Privilege, 675
calculating load address, 368–369
checking large address space support, 351
creating maximum number of threads, 399
debugging unkillable processes, 539–541
dumping
identifying trustlets, 129
launching programs at low integrity levels, 641–642
Performance Monitor kernel mode/user mode comparison, 26–27
setting address limits, 363–364
tracing process startup, 149–154
troubleshooting pool leaks, 329–330
using virtual service accounts, 647–650
viewing
access masks, 624
active logon sessions, 715–717
AppContainer atom table, 697–698
AppContainer capabilities, 701–703
AppContainer security attributes, 695–697
brokers, 709
clock cycles per quantum, 233–234
CSR_PROCESS structure, 112
CSR_THREAD structure, 206
DEP, 321
DLL load search order, 163–164
driver catalog files, 574
driver dispatch routines, 517–518
driver INF files, 573
driver power mappings, 596
EPROCESS data structure, 107–108
filtered admin tokens, 645–646
global audit policy, 682
I/O priority boosting/bumping, 551
I/O priority throughput, 549–551
kernel type information, 41–42
loaded modules database, 166–167
memory partitions, 458
MMCSS priority boosting, 252–253
object access auditing, 679–681
page priorities, 437
PFN entries, 443
power availability requests, 603
prefetch file reads and writes, 415–416
processes, data structures, 109
processes, process tree, 12–13
processes, Process Explorer, 16–18
services, 97
SRPs, 764
stacks, 521
swap files, 393
system power capabilities, 597–599
system service dispatcher, 70–71
threads, clock interval, 232
threads, kernel-mode debugger, 210–212
threads, protected processes, 213
threads, user-mode debugger, 209–210
trust SIDs, 658
virtual page files, 393
Windows edition enabled features, 56–57
assertions. See assertions
CFG. See CFG
control flow integrity, 740
overview, 735
process mitigation policies, 735–740
extended affinity masks, 276–277
F
facilities (Windows edition enabled features), 56–57
fast fail failure codes, 754–756
fault-tolerant heaps (FTH), 347–348
fibers, 19
file mapping objects, 20
file objects (device driv0ers), 507–510
files
caching, 513
catalog files, 574
file mapping objects, 20
INF files, 573
mapped-file I/O, 513
page files. See page files
filter drivers, 493
filtered admin tokens (SIDs), 645–646
filters (function drivers), 493
firmware, 29
frameworks
power management framework, 600–601
WBF (Windows Biometric Framework), 719–721
free pages
FTH (fault-tolerant heaps), 347–348
functions
AllocConsole, 63
AvTaskIndexYield, 254
ConvertThreadToFiber, 19
CreateFiber, 19
CreateFile, 34
CreateProcess, 101–104, 129–131, 134, 157
CreateProcessAsUser, 101–103, 139
CreateProcessInternal, 101–103
CreateProcessInternalW, 129, 131, 134–138, 146–147, 150
CreateProcessWithLogonW, 101–103
CreateProcessWithTokenW, 101–103
CreateRemoteThreadEx, 194, 206–207
CreateThread, 193–194, 199, 208
DbgUi, 72
DebugActiveProcess, 39
DebugBreak, 194
DeviceIoControl, 73
DgbPrintEx, 58
DllMain, 154
drivers, 493
Etw, 72
Ex, 73
ExitProcess, 154
GetQueueCompletionStatus, 176
GetSystemTimeAdjustment, 232
GetThreadContext, 18
GetVersionEx, 2
HeapAlloc, 332
HeapCreate, 332
HeapDestroy, 332
HeapFree, 332
HeapLock, 332
HeapReAlloc, 332
HeapUnlock, 332
HeapWalk, 332
Inbv, 73
Io, 73
IoCompleteRequest, 241
Iop, 73
Ke, 75
KeStartDynamicProcessor, 295
KiConvertDynamicHeteroPolicy, 287
KiDeferredReadyThread, 274, 284
KiDirectSwitchThread, 256
KiProcessDeferredReadyList, 274
KiSearchForNewThreadOnProcessor, 283
KiSelecthreadyThreadEx, 267
LdrApplyFileNameRedirection, 175
Mi, 73
MiZeroInParallel, 303
NtCreateThreadEx, 207
NtCreateUserProcess, 104
NtCreateWorkerFactory, 298
OpenProcess, 39
PopInitializeHeteroProcessors, 286
PsCreateSystemThread, 194
PspComputeQuantum, 235
PspCreatePicoProcess, 104
PspInitializeApiSetMap, 175
PsTerminateSystemThread, 194
QueryInformationJobObject, 179
ReadFile, 25
ReadProcessMemory, 20
ResumeThread, 264
Rtl, 72
RtlAssert, 58
RtlCreateUserProcess, 104
RtlGetVersion, 55
RtlUserThreadStart, 208
RtlVerifyVersionInfo, 55
secure system calls, 71
SetInformationJobObject, 275
SetPriorityClass, 218
SetProcessAffinityMask, 275
SetProcessWorkingSetSize, 222
SetThreadAffinityMask, 275
SetThreadIdealProcessor, 278
SetThreadSelectedCpuSets, 279
subsystem DLLs, 63
SuspendThread, 264
SwitchToFiber, 19
system services, 72
SystemParametersInfo, 178
TerminateJobObject, 179
TerminateProcess, 154
TermsrvGetWindowsDirectoryW, 170
TimeBeginPeriod, 232
TimeSetEvent, 232
TpAllocJobNotification, 176
UserHandleGrantAccess, 176
VirtualLock, 314
WaitForMultipleObjects, 256
WaitForSingleObject, 256
Wow64GetThreadContext, 19
WriteProcessMemory, 20
ZwUserGetMessage, 210
G
games (priority boosts), 251–254
groups
claims, 718
scheduling
GUI
threads (priority boosts), 245–246
H
HAL (hardware abstraction layer)
viewing image dependencies, 80–82
handles
hardware
firmware, 29
HAL. See HAL
hashes (AppContainer atom tables), 697–698
affinity manager, 336
buckets, 335
FTH (fault tolerant heaps), 347–348
HeapAlloc function, 332
HeapCreate function, 332
HeapDestroy function, 332
HeapFree function, 332
HeapLock function, 332
HeapReAlloc function, 332
HeapUnlock function, 332
HeapWalk function, 332
LFH (low-fragmentation heaps), 335–336
NT heaps, 334
non-paged pools, 325
paged pools, 325
poolmon command, 327
processes, 333
randomizing (user address spaces), 369
types, 334
heterogenous multiprocessing, 52
heterogenous scheduling, 286–287
hibernation, 475
hiding. See viewing
host (consoles), 67
hybrid jobs, 183
I
IBAC (Identity-Based Access Control), 667
ideal node, 278
identification
trustlets, 129
identities (trustlets), 125–126
Identity-Based Access Control (IBAC), 667
image bias, 368
activation contexts, 163
binary planting, 160
DLL load search order, 163–164
loaded modules database, 164–168
post-import process initialization, 170
safe DLL search mode, 160
images
image bias, 368
loading. See image loader
native images (subsystems), 72
randomizing (user address spaces), 367–369
immersive applications, 103
implementation (SAS), 712
INF files, 573
initial thread
executing, 148
initializing
processes
image loader, post-import process, 170
input. See I/O
installing drivers, 571–575, 577
integrity levels (SIDs), 628–631, 641–642
interfaces (APIs)
API Sets (image loader), 173–176
COM (component object model), 5
overview, 4
internal synchronization, 308
Interrupt Request Levels (IRQLs), 488–490, 557
inversion
I/O priorities, 549
priority boosts, 246
asynchronous, 511
cancelling
overview, 537
thread termination, 539
concurrency, 542
container notifications, 552
device drivers. See device drivers
file caching, 513
IRPs (I/O request packets). See IRPs (I/O request packets)
mapped-file I/O, 513
Plug and Play
catalog files, 574
driver support, 560–561, 569–571
INF files, 573
power manager
drivers, 596
performance states, 601
power availability requests, 602–603
power management framework, 600–601
power mappings, 595
priorities. See priorities
scatter/gather I/O, 513
synchronous, 511
WDF. See WDF
I/O request packets. See IRPs
IoCompletion object, 542
IRPs (I/O request packets), 513
cancelling 537–539
IRQLs (Interrupt Request Levels), 488–490, 557
J
hybrid jobs, 183
silos. See silos (jobs)
K
Kerberos
kernel
debugging
Debugging Tools for Windows, 38–42
LiveKd, 43
overview, 38
symbols, 38
user-mode debugging, 39
jobs. See jobs
kernel mode. See kernel mode
objects, 75
overview, 75
patches
processes
defined, 106
structure, 141
user address spaces, 369
user mode comparison, 23–27, 46
kernel processor control block (KPRCB), 76–78
kernel processor control region (KPCR), 76–78
KPCR (kernel processor control region), 76–78
KPRCB (kernel processor control block), 76–78
KPROCESS data structure, 106–107
KTHREAD data structure, 194–201
L
large address spaces, checking support, 351
large pages (memory manager), 303–304
launching programs at low integrity levels, 641–642
layered drivers
layouts
64-bit address space layouts, 357–359
ARM address space layouts, 356–357
x86 address space layouts, 349–352
x86 system address space layouts, 352–353
lazy evaluation, 323
Legacy Standby, 594
levels
SID integrity levels, 628–631, 641–642
LFH, 335–336 (low-fragmentation heaps), 335–336
lightweight threads, 19
lists
look-aside lists (pools), 331–332
minimum TCB list, 117
LiveKd, 43
load address (user address spaces), 368–369
loading
data (memory enclaves), 471–472
images. See image loader
load address (user address spaces), 368–369
locking/locks
memory, 314
priority boosts, 241
logical prefetcher (working sets), 413–416
assured authentication, 718–719
group claims, 718
SAS implementation, 712
viewing active logon sessions, 715–717
Windows Hello, 721
Winlogon initialization, 711–712
low resources simulation, 557–558
LowBox. See AppContainers
low-fragmentation heaps (LFH), 335–336
M
managing
power. See power manager
mandatory labels (SIDs), 630
mapped-file I/O, 513
mappings (power), 595
masks
access masks, 624
affinity masks. See affinity masks
memory
address spaces. See address spaces
address translation. See address translation
AWE (Address Windowing Extensions), 22, 323–324
Driver Verifier
IRQL checking, 557
low resources simulation, 557–558
heaps/pools. See heaps/pools
limits
Memory Compression process, 91
memory manager. See memory manager
NUMA (non-uniform memory architecture). See NUMA
page faults. See page faults
PFN. See PFN
stacks, 398
SuperFetch. See SuperFetch
VADs (virtual address descriptors). See VADs (virtual address descriptors)
working sets
Memory Compression process, 91
attaching to the process, 310
commit charge, 313
commit limit, 313
internal synchronization, 308
lazy evaluation, 323
locking memory, 314
NX page protection, 319
pages, defined, 304
shared memory, 315
minimum TCB list, 117
miscellaneous checks (Device Driver), 558–559
mitigating exploits. See exploit mitigation
mitigations (security), 370
MMCSS (Multimedia Class Scheduler Service), 239, 251–254
model (operating system), 46–47
modern apps, 103
Modern Standby, 594
modules (image loader), 164–168
MSV1_0 authentication, 713–714
Multimedia Class Scheduler Service (MMCSS), 239, 251–254
asymmetric, 51
extended affinity masks, 276–277
heterogenous, 52
ideal node, 278
overview, 268
processors
number per group, 273
state, 274
scheduler scalability, 274
multitasking (operating system), 51
N
native images, 72
native processes, 104
nodes
ideal node, 278
processors, 52
no-execute (NX) page protection, 319
non-paged pools, 325
non-uniform memory architecture. See NUMA
NT heaps, 334
NUMA (non-uniform memory architecture)
overview, 404
numbers
processors per group, 273
threads, creating maximum, 399
NX (no-execute) page protection, 319
O
objects
device drivers
driver objects
dispatch routines, 504
executive process object, 138–143
file mapping objects, 20
IoCompletion, 542
jobs. See jobs
kernel objects, 75
namespaces (AppContainers), 703–705
object access auditing, 679–681
security
ACEs. See ACEs
ACLs. See ACLs
DAC, 666
SIDs. See SIDs
virtual service accounts, 646–650
opening
command prompt windows, 13
operating system (OS)
assertions, 753
multitasking, 51
scalability, 53
OTS (over-the-shoulder ) elevation, 729
output. See I/O
over-the-shoulder (OTS) elevation, 729
Owner Rights SIDs, 662
P
packets. See IRPs
PAE (Physical Address Extension), 371
page directory entry (PDE), 374
page directory pointer entry (PDPE), 374
page directory pointer table (PDPT), 372
clustered page faults, 387–388
collided page faults, 387
commit charge
page files
virtual page files, 393
PTEs
soft page faults, 384
virtual page files, 393
page frame number. See PFN
page table entries. See PTEs
page tables, address translation, 375–376
paged pools, 325
pages
combining
memory combining, 462
defined, 304
faults. See page faults
files. See page files
page frame number. See PFN
page lists. See page lists
page tables, address translation, 375–376
paged pools, 325
PDE (page directory entry), 374
PDPE (page directory pointer entry), 374
PDPT (page directory pointer table), 372
PFN. See PFN
PTEs (page table entries). See PTEs
parameters, validating, 131–135
passwords (Credential Guard), 613
patches (kernel). See patches (kernels)
PCB (process control block), 106
PCR (processor control region), 260
PDE (page directory entry), 374
PDPE (page directory pointer entry), 374
PDPT (page directory pointer table), 372
PEB (Process Environmental Block), 105
overview, 105
setting up, 143
performance
Performance Monitor. See Performance Monitor
states, 601
kernel mode/user mode comparison, 26–27
entries, 443
page files (reservations), 443–446
Physical Address Extension (PAE), 371
physical memory limits, 446–447
creating processes, 104
placement policies (working sets), 416–417
Plug and Play (PnP)
devices
catalog files, 574
INF files, 573
policies
advanced audit policy, 683–684
authentication policies, 616–617
process mitigation policies, 735–740
SRPs (software restriction policies), 757, 762–764
Windows edition enabled features, 56–57
ports
Connected Standy, 594
drivers, 596
Legacy Standy, 594
Modern Standy, 594
performance states, 601
power availability requests, 602–603
power management framework, 600–601
power mapings, 595
PPL (Protected Processes Light), 115–120
prefetcher (working sets), 413–416
priorities. See also priority boosts
I/O
bandwidth reservation, 551–552
inversion, 549
overview, 546
threads
priority boosts. See also priorities
applying, 249
Autoboost, 254
balance set manager, 247
deadline scheduling, 254
locks, 241
priority inversion, 246
removing, 250
scheduling category, 251
private pages (committed pages), 310–313
privileges (accounts), 668–675
Bypass Traverse Checking privilege, 675
process control block (PCB), 106
Process Environmental Block (PEB), 105
overview, 105
setting up, 143
process reflection (SuperFetch), 480–482
processes. See also applications
access tokens, 677
attaching to the process, 310
console host, 67
creating
converting attributes, 131–135
executing initial thread, 148
executive process object, 138–143
initializing subsystem, 146–147
kernel process structure, 141
setting up EPROCESS object, 138–140
setting up PEB, 143
validating parameters, 131–135
data structures
!process command, 109
DXGPROCESS, 105
ETHREAD, 105
debugging unkillable processes, 539–541
heaps, 333
image loader. See image loader
jobs. See jobs
kernel processes, 106
minimum TCB list, 117
native processes, 104
PCB (process control block), 106
PEB (Process Environmental Block). See PEB (Process Environmental Block)
Pico. See Pico
protected processes. See protected processes
reflection (SuperFetch), 480–482
secure processes. See trustlets
system processes. See system processes
trustlets. See trustlets
viewing
DLL load search order, 163–164
image loader, 156–157, 163–164
Process Explorer, 14–18, 118–119
protected processes, 118–119, 212–213
processor control region (PCR), 260
processors
groups
number of processors per group, 273
scheduling (dynamic processors), 295–296
symmetric multiprocessing, 53
nodes, 52
multiprocessor systems. See multiprocessing/multiprocessor systems
PCR (processor control region), 260
state, 274
programs. See applications
Protected Process Light (PPL), 115–120
viewing
PspInsertProcess function, 104, 143
defined, 372
Q
accounting, 233
clock interval, 232
quotas (address spaces), 364–365
R
randomization (user address spaces)
heap, 369
stacks, 369
CC, 607
ReadyDrive, 480
real-time priorities (threads), 218–219
reflection (process reflection), 480–482
registry
viewing (security keys), 610
virtualization (UAC), 722–724, 727–728
releasing combined pages, 464–465
removing priority boosts, 250
requests. See IRPs
reserved pages (memory manager), 310–313
resources
low resources simulation, 557–558
restricted tokens (SIDs), 644–645
rotate VADs, 403
routines
dispatch routines. See dispatch routines
S
SACLs. See ACLs
safe DLL search mode, 160
sandboxes (lowboxes), 134
SAS implementation, 712
saturation values, 216
scalability
operating system, 53
scheulers, 274
scatter/gather I/O, 513
scenarios (SuperFetch), 475–476
schedulers (scalability), 274
scheduling
groups
priority boosts
deadline scheduling, 254
scheduling category, 251
schedulers (scalability), 274
threads
context switches, 215
dispatchers, 215
exiting, 260
terminating, 260
scheduling category, 251
SDK (software development kit), 43
searching
image loader, 160
memory combining, 460
safe DLL search mode, 160
secure communication (Credential Guard), 614–615
attributes, 125
built-in, 125
identifying, 129
system calls, 128
Secure System process, 91
security
access tokens. See access tokens
accounts
privileges, Bypass Traverse Checking privilege, 675
privileges, super privileges, 675–676
AppContainers. See AppContainers
auditing. See auditing (security)
CBAC, 667
Credential Guard. See Credential Guard
exploit mitigation. See exploit mitigation
IBAC, 667
kernel patches. See kernel patches
logon. See logon
mitigations (user address spaces), 370
objects
ACEs. See ACEs
ACLs. See ACLs
DAC, 666
security descriptors. See security descriptors, 650
virtual service accounts, 646–650
ratings. See ratings (security)
secure communication (Credential Guard), 614–615
secure processes. See secure processes (trustlets)
secure system calls (functions), 71
Secure System process, 91
security descriptors. See security descriptors
SIDs (security identifiers). See SIDs
trustlets. See trustlets
UAC (User Account Control). See UAC (User Account Control)
VBS (virtualization-based security). See VBS (virtualization-based security)
hypervisor, 28
viewing (registry keys), 610
virtualization
VSM. See VSB
security identifiers. See SIDs
selecting
server silos. See silos
Service Control Manager, 96
services
Service Control Manager, 96
system service dispatcher, 70–71
viewing, 97
Session Manager process, 92–95
sessions
Session Manager process, 92–95
setting
PEB, 143
shared memory, 315
showing. See viewing
filtered admin tokens, 645–646
integrity levels, 628–631, 641–642
mandatory labels, 630
Owner Rights SIDs, 662
ancillary functionality, 189–190
overview, 183
simulating low resources, 557–558
size
large address spaces, checking support, 351
page files
small pages (memory manager), 303–304
soft page faults, 384
software development kit (SDK), 43
software restriction policies (SRPs), 757, 762–764
SRPs (software restriction policies), 757, 762–764
stacks
DPC stacks, 401
overview, 398
randomizing, 369
user address spaces, 369
user stacks, 399
standby
SuperFetch, 475
states
processors, 274
storage (TLS), 18
strategies (I/O priorities), 547–548
structures
data structures. See data structures
kernel process structure, 141
console host, 67
native images, 72
subsystem DLLs, 48
fast user switching, 475
hibernation, 475
ReadyDrive, 480
standby, 475
support (Plug and Play), 560–561, 569–571
suspending threads, 264
swapper (working sets), 421–422
switches/switching
context switches/switching, 215, 255–256
directed context switch, 19
symbols
kernel debugging, 38
viewing kernel type information, 41–42
symmetric multiprocessing, 51–53
synchronization
internal synchronization, 308
memory, 308
synchronous I/O, 511
Sysinternals, 44
system address space layouts (x86), 352–353
System and Compressed Memory process, 90
system calls (trustlets), 128
system capabilities (power manager), 597–599
Memory Compression process, 91
Secure System process, 91
Service Control Manager, 96
Session Manager process, 92–95
System and Compressed Memory process, 90
Windows Initialization process, 95–96
system PTEs (page table entries)
defined, 372
system services (functions), 72
systems
PTEs (page table entries). See PTEs (page table entries)
subsystems. See subsystems
Sysinternals, 44
system address space layouts (x86), 352–353
System and Compressed Memory process, 90
system calls (trustlets), 128
system capabilities (power manager), 597–599
system processes. See system processes
system services (functions), 72
SystemParametersInfo function, 178
viewing (system service dispatcher), 70–71
T
tables (PTEs, page table entries)
defined, 372
minimum TCB list, 117
overview, 196
TCSEC (Trusted Computer System Evaluation Criteria), 605–607
TEB (thread environment block)
terminating
I/O, 539
TerminateJobObject function, 179
thread control block (TCB)
minimum TCB list, 117
overview, 196
thread environment block (TEB)
Thread Information Block (TIB), 201
thread local storage (TLS), 18
cancelling I/O, 539
concurrency, 542
context, 18
contexts, 18
cores, 52
creating, 193–194, 206–207, 399
data structures
directed context switch, 19
fibers, 19
file mapping objects, 20
group scheduling
initial thread, 144, 145–146, 148
maximum number, 399
multiprocessor systems. See multiprocessor systems
PCR, 260
priorities
priority boosts
applying, 249
Autoboost, 254
balance set manager, 247
deadline scheduling, 254
locks, 241
priority inversion, 246
removing, 250
scheduling category, 251
quantums. See quantums (threads)
saturation values, 216
scheduling
context switches, 215
dispatchers, 215
exiting, 260
terminating, 260
suspending, 264
TCB (thread control block). See TCB (thread control block)
TEB (thread environment block). See TEB (thread environment block)
terminating, 539
TIB (Thread Information Block), 201
TLS (thread local storage), 18
VADs (virtual address descriptors), 20
viewing
throughput (I/O priorities), 549–551
TIB (Thread Information Block), 201
TLB (translation look-aside buffer), 377–378
TLS (thread local storage), 18
tokens
access tokens, 677
BNO isolation, 708
tools
Debugging Tools for Windows (kernel debugging), 38–42
Windows, viewing internals, 35–36
tracing
tracking pools (Device Driver), 556–557
translating addresses
ARM virtual address translation, 381–382
overview, 371
x64 virtual address translation, 380–381
x86 virtual address translation, 371–375
translation look-aside buffer (TLB), 377–378
trees (Plug and Play), 561–563
troubleshooting pools, 329–330
Trusted Computer System Evaluation Criteria (TCSEC), 605–607
attributes, 125
built-in, 125
identifying, 129
system calls, 128
types
heaps, 334
U
elevation
Admin Approval Mode (AAM), 729
administrative rights, 729–732
consent, 729
over-the-shoulder (OTS), 729
overview, 729
overview, 722
virtualization
UEFI (Credential Guard), 616
UIPI (User Interface Privilege Isolation), 660–661
UMDF (WDF), 578, 580–581, 587–590
UMS threads (user mode scheduling threads), 19–20
Universal Windows Drivers, 85
unkillable processes, debugging, 539–541
updating Windows, 3
User Account Control. See UAC
calculating load address, 368–369
EMET, 370
heap randomization, 369
kernel, 369
security mitigations, 370
stack randomization, 369
viewing randomization support, 370–371
User Interface Privilege Isolation (UIPI), 660–661
user mode
kernel mode comparison, 23–27, 46
user-mode debugging
Debugging Tools for Windows, 39
user mode scheduling threads (UMS threads), 19–20
user stacks, 399
viewing active logon sessions, 715–717
SuperFetch, 475
UAC. See UAC
user address spaces. See user address spaces
using virtual service accounts, 647–650
V
VADs (virtual address descriptors)
rotate VADs, 403
validating parameters (processes), 131–135
values (saturation values), 216
VBS (virtualization-based security)
hypervisor, 28
versions (Windows)
updating, 3
access masks, 624
active logon sessions, 715–717
addresses
randomization support, 370–371
user address spaces, 366–367, 370–371
VADs (virtual address descriptors), 402–403
AppContainer
brokers, 709
CPU. See CPU
CSR_PROCESS data structure, 112
CSR_THREAD structure, 206
DEP, 321
DFSS (dynamic fair share scheduling), 290–292
catalog files, 574
INF files, 573
power mappings, 596
dumping. See dumping
EPROCESS data structure, 107–108
files
catalog files, 574
INF files, 573
prefetch file reads and writes, 415–416
swap files, 393
virtual page files, 393
global audit policy, 682
DLL load search order, 163–164
loaded modules database, 166–167
I/O
priority boosting/bumping, 551
kernel
KPRCB (kernel processor control block), 77–78
KPCR (kernel processor control region), 77–78
partitions, 458
object access auditing, 679–681
pages
PFN (Page Frame Number), 427–428, 443
priorities, 437
PTEs (page table entries), 355–356
virtual page files, 393
PEB (Process Environmental Block), 110–111
PFN (Page Frame Number), 427–428, 443
pools. See pools
power
availability requests, 603
driver power mappings, 596
prefetch file reads and writes, 415–416
priority boosts
bumping (I/O), 551
MMCSS (Multimedia Class Scheduler Service), 252–253
processes
data structures, 109
PEB (Process Environmental Block), 110–111
Process Explorer, 14–18, 118–119
protected processes, 118–119, 212–213
PTEs (page table entries), 355–356
security
registry keys, 610
SIDs (security identifiers), 626–627
trust SIDs, 658
services, 97
MMCSS (Multimedia Class Scheduler Service), 252–253
system service dispatcher, 70–71
SRPs (software restriction policies), 764
swap files, 393
systems
system service dispatcher, 70–71
threads
clock cycles per quantum, 233–234
clock interval, 232
protected processes, 118–119, 212–213
filtered admin tokens, 645–646
virtual page files, 393
Windows
virtual address descriptors (VADs). See VADs (virtual address descriptors)
virtual address spaces. See address spaces
virtual page files, 393
Virtual Secure Mode. See VBS
virtual service accounts, 646–650
Virtual Trust Levels (VTLs), 59–61
virtualization
security
authentication policies, 616–617
passwords, 613
UEFI, 616
VBS (virtualization-based security). See VBS (virtualization-based security)
virtualization-based security (VBS): See VBS (virtualization-based security)
VSM. See VBS
VTLs (Virtual Trust Levels), 59–61
W
W32PROCESS data structure, 105, 113
WBF (Windows Biometric Framework), 719–721
WDF (Windows Driver Foundation)
WDK (Windows Driver Kit), 43–44
WDM (Windows Driver Model), 83–84, 493–494
windows, opening command prompts, 13
Windows
editions
viewing enabled features, 56–57
SDK (software development kit), 43
versions
updating, 3
W32PROCESS data structure, 105, 113
WBF (Windows Biometric Framework), 719–721
WDF (Windows Driver Foundation). See WDF Windows Driver Foundation)
WDK (Windows Driver Kit), 43–44
WDM (Windows Driver Model), 83–84, 493–494
Windows API. See APIs
Windows Hello, 721
Windows Initialization process, 95–96
Winlogon initialization, 711–712
winver command, 3
WSRM (Windows System Resource Manager ), 222–223
Windows Biometric Framework (WBF), 719–721
Windows Driver Foundation (WDF)
Windows Driver Kit (WDK), 43–44
Windows Driver Model (WDM), 83–84, 493–494
Windows Hello, 721
Windows Initialization process, 95–96
Windows System Resource Manager (WSRM), 222–223
Winlogon initialization, 711–712
working sets
demand paging, 413
memory, 412
overview, 413
WSRM (Windows System Resource Manager), 222–223
X–Z
x64 systems, 50
x64 virtual address limitations, 359
x64 virtual address translation, 380–381
x86 address space layouts, 349–352
x86 system address space layouts, 352–353
x86 virtual address translation, 371–375