Windows OS Fundamentals#
version numbers#
Windows NT 4 4.0
Windows 2000 5.0
Windows XP 5.1
Windows Server 2003, 2003 R2 5.2
Windows Vista, Server 2008 6.0
Windows 7, Server 2008 R2 6.1
Windows 8, Server 2012 6.2
Windows 8.1, Server 2012 R2 6.3
Windows 10, Server 2016, Server 2019 10.0
Powershell cmdlets#
Get-WmiObject -List
Get-WmiObject -Class Win32_Service
Get-WmiObject -Class Win32_Bios
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_Bios
Get-WmiObject -Class win32_OperatingSystem
Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
Get-WmiObject -Class Win32_OperatingSystem -ComputerName DC
Get-WmiObject -Class CIM_DataFile -Filter "Compressed = 'True'"
Get-WmiObject -Query "SELECT * FROM CIM_DataFile WHERE Compressed = 'True'"
Windows file structure#
Perflogs Can hold Windows performance logs but is empty by default.
Program Files On 32-bit systems, all 16-bit and 32-bit programs are installed here. On 64-bit systems, only 64-bit programs are installed here.
Program Files (x86) 32-bit and 16-bit programs are installed here on 64-bit editions of Windows.
ProgramData This is a hidden folder that contains data that is essential for certain installed programs to run. This data is accessible by the program no matter what user is running it.
Users This folder contains user profiles for each user that logs onto the system and contains the two folders Public and Default.
Default This is the default user profile template for all created users.
Whenever a new user is added to the system, their profile is based on the Default profile.
Public This folder is intended for computer users to share files and is accessible to all users by default. This folder is shared over the network by default but requires a valid network account to access.
AppData Per user application data and settings are stored in a hidden user subfolder (i.e., cliff.moore\AppData).
Each of these folders contains three subfolders. The Roaming folder contains machine-independent data that should follow the user's profile,
such as custom dictionaries. The Local folder is specific to the computer itself and is never synchronized across the network.
LocalLow is similar to the Local folder, but it has a lower data integrity level. Therefore it can be used, for example,
by a web browser set to protected or safe mode.
Windows The majority of the files required for the Windows operating system are contained here.
System, System32, SysWOW64 Contains all DLLs required for the core features of Windows and the Windows API.
WinSxS The Windows Component Store contains a copy of all Windows components, updates, and service packs.
NTFS Basic permissions#
Full Control Users are permitted to add, edit, move, delete files & folders as well as change NTFS permissions that apply to all allowed folders
Modify Users are permitted or denied permissions to view and modify files and folders. This includes adding or deleting files
Read & Execute Users are permitted or denied permissions to read the contents of files and execute programs
List folder contents Users are permitted or denied permissions to view a listing of files and subfolders
Read Users are permitted or denied permissions to read the contents of files
Write Users are permitted or denied permissions to write changes to a file and add new files to a folder
Special Permissions#
Full control Users are permitted or denied permissions to add, edit, move, delete files & folders as well as change
NTFS permissions that apply to all permitted folders
Traverse folder / execute file Users are permitted or denied permissions to access a subfolder within a directory structure even if the user
is denied access to contents at the parent folder level. Users may also permitted or denied permissions to execute programs
List folder/read data Users are permitted or denied permissions to view files and folders contained in the parent folder.
Users can also be permitted to open and view files
Read attributes Users are permitted or denied permissions to view basic attributes of a file or folder.
Examples of basic attributes: system, archive, read-only, and hidden
Read extended attributes Users are permitted or denied permissions to view extended attributes of a file or folder. Attributes differ depending on the program
Create files/write data Users are permitted or denied permissions to create files within a folder and make changes to a file
Create folders/append data Users are permitted or denied permissions to create subfolders within a folder. Data can be added to files but
pre-existing content cannot be overwritten
Write attributes Users are permitted or denied to change file attributes. This permission does not grant access to creating files or folders
Write extended attributes Users are permitted or denied permissions to change extended attributes on a file or folder. Attributes differ depending on the program
Delete subfolders and files Users are permitted or denied permissions to delete subfolders and files. Parent folders will not be deleted
Delete Users are permitted or denied permissions to delete parent folders, subfolders and files.
Read permissions Users are permitted or denied permissions to read permissions of a folder
Change permissions Users are permitted or denied permissions to change permissions of a file or folder
Take ownership Users are permitted or denied permission to take ownership of a file or folder.
The owner of a file has full permissions to change any permissions
Integrity Control Access Control List (icacls)#
inheritance levels
(CI): container inherit
(OI): object inherit
(IO): inherit only
(NP): do not propagate inherit
(I): permission inherited from parent container
Basic access permissions
F : full access
D : delete access
N : no access
M : modify access
RX : read and execute access
R : read-only access
W : write-only access
examples of icacls commands
icacls c:\Users
icacls c:\users /grant joe:f
icacls c:\users /remove joe
SCM - Service Control Manager#
SCM - Service Control Manager - Manages Windows services accessible via the services.msc MMC add-in.
Services#
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
Critical System Services#
smss.exe Session Manager SubSystem. Responsible for handling sessions on the system.
csrss.exe Client Server Runtime Process. The user-mode portion of the Windows subsystem.
wininit.exe Starts the Wininit file .ini file that lists all of the changes to be made to Windows when the computer is restarted after installing a program.
logonui.exe Used for facilitating user login into a PC
lsass.exe The Local Security Authentication Server verifies the validity of user logons to a PC or server.
It generates the process responsible for authenticating users for the Winlogon service.
services.exe Manages the operation of starting and stopping services.
winlogon.exe Responsible for handling the secure attention sequence, loading a user profile on logon, and locking the computer when a screensaver is running.
System A background system process that runs the Windows kernel.
svchost.exe with RPCSS Manages system services that run from dynamic-link libraries (files with the extension .dll) such as "Automatic Updates,"
"Windows Firewall," and "Plug and Play." Uses the Remote Procedure Call (RPC) Service (RPCSS).
svchost.exe with Dcom/PnP Manages system services that run from dynamic-link libraries (files with the extension .dll) such as "Automatic Updates,"
"Windows Firewall," and "Plug and Play." Uses the Distributed Component Object Model (DCOM) and Plug and Play (PnP) services.
SysInternals Tools suite#
\\live.sysinternals.com\tools
\\live.sysinternals.com\tools\PSExec
\\live.sysinternals.com\tools\TCPView
\\live.sysinternals.com\tools\Process Monitor
\\live.sysinternals.com\tools\Process Explorer (taskmgr on steroids)
\\live.sysinternals.com\tools\procdump.exe -accepteula