Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition

By Pavel Yosifovich, Mark E. Russinovich, David A. Solomon, Alex Ionescu

Published by Microsoft Press

Published Date: May 5, 2017


The definitive guide–fully updated for Windows 10 and Windows Server 2016


Delve inside Windows architecture and internals, and see how core components work behind the scenes. Led by a team of internals experts, this classic guide has been fully updated for Windows 10 and Windows Server 2016.

Whether you are a developer or an IT professional, you’ll get critical, insider perspectives on how Windows operates. And through hands-on experiments, you’ll experience its internal behavior firsthand–knowledge you can apply to improve application design, debugging, system performance, and support.



This book will help you:

·        Understand the Windows system architecture and its most important entities, such as processes and threads

·        Examine how processes manage resources and how the threads inside them are scheduled for execution

·        Observe how Windows manages virtual and physical memory

·        Dig into the Windows I/O system and see how device drivers work and integrate with the rest of the system

·        Go inside the Windows security model to see how it manages access, auditing, and authorization, and learn about the new mechanisms in Windows 10 and Server 2016

Table of Contents

Chapter 1: Concepts and tools
Windows operating system versions
Foundation concepts and terms
Digging into Windows internals

Chapter 2: System architecture
Requirements and design goals
Operating system model
Architecture overview
Virtualization-based security architecture overview
Key system components

Chapter 3: Processes and jobs
Creating a process
Process internals
Protected processes
Minimal and Pico processes
Trustlets (secure processes)
Flow of CreateProcess
Terminating a process
Image loader

Chapter 4: Threads
Creating threads
Thread internals
Examining thread activity
Thread scheduling
Group-based scheduling
Worker factories (thread pools)

Chapter 5: Memory management
Introduction to the memory manager
Services provided by the memory manager
Kernel-mode heaps (system memory pools)
Heap manager
Virtual address space layouts
Address translation
Page fault handling
Virtual address descriptors
Section objects
Working sets
Page frame number database
Physical memory limits
Memory compression
Memory partitions
Memory combining
Memory enclaves
Proactive memory management (SuperFetch)

Chapter 6: I/O system
I/O system components
Interrupt Request Levels and Deferred Procedure Calls
Device drivers
I/O processing
Driver Verifier
The Plug and Play manager
General driver loading and installation
The Windows Driver Foundation
The power manager

Chapter 7: Security
Security ratings
Security system components
Virtualization-based security
Protecting objects
The AuthZ API
Account rights and privileges
Access tokens of processes and threads
Security auditing
User Account Control and virtualization
Exploit mitigations
Application Identification
Software Restriction Policies
Kernel Patch Protection