Windows Architecture
okay let me go through it straight forward
windows internally is divided into system components like kernel, services, processes, registry, users, permissions etc.
understanding these is important because almost all attacks or security issues come from misconfigured services, weak permissions, or exposed shares.
lame language definition:
windows is layers of background programs + settings + user accounts working together
formal definition:
Windows OS is a multitasking operating system built on the NT architecture, consisting of the kernel, system services, user mode processes, the registry database, and a security subsystem enforcing authentication and authorization.
Users, Groups & Permissions
windows security fundamentally relies on accounts and groups.
your machine has:
- local accounts → users on the device
- groups → collections of users (Admin, Users, Guests etc.)
- privileges → what they can or cannot do
lame language definition:
groups decide your power level in the system
formal definition:
Windows uses discretionary access control (DAC) where access tokens containing SIDs (security identifiers) determine permissions on resources.
important ones:
Administrators → full control
Users → standard, limited
SYSTEM → highest privilege (more than admin)
File System & NTFS Permissions
NTFS is the default file system.
it supports ACLs (access control lists) — which define exactly who can read, write, execute something.
permissions include:
- FullControl
- Modify
- ReadExecute
- Write
- Read
lame language definition:
every file/folder has a list of “allowed people” and “what they can do”
formal definition:
NTFS implements per-object discretionary access control using ACEs linked to user or group SIDs, enabling granular file system security.
The Registry
registry = the huge configuration database for windows.
everything from installed programs to startup items to system policies lives here.
important hives:
- HKEY_LOCAL_MACHINE (HKLM) → system-wide settings
- HKEY_CURRENT_USER (HKCU) → settings for the logged-in user
lame language definition:
registry is windows’ brain storing all configuration
formal definition:
the Windows Registry is a hierarchical database storing system, user, and application configuration accessed via registry APIs.
attackers often abuse registry for persistence.
Windows Services & Processes
services = background programs
processes = running programs
you’ll often check them during enumeration.
useful concepts:
- services can run as SYSTEM
- misconfigured services can be escalated
- startup type: auto, manual, disabled
- process tree shows parent-child relationships
lame language definition:
services are programs that run even when no one is logged in
formal definition:
Windows services are long-running executables managed by the Service Control Manager (SCM), often running with elevated privileges.
Event Viewer (Logs)
windows logs everything meaningful: logons, errors, privilege changes, network events, etc.
important logs for security:
- Security
- System
- Application
lame language definition:
event viewer is where you spy on what happened on the system
formal definition:
event logs are structured records generated by system components, applications, and security subsystems stored using the Windows Event Log API.
Networking (Windows Context)
important tools:
ipconfig → interface info
netstat → active connections
net commands → users, shares, groups
ping, tracert, nslookup → basic diagnostics
common enum areas:
- open shares
- firewall rules
- RDP status
- running services over ports
Windows Shares (SMB)
SMB allows sharing folders/printers across network.
enumeration often reveals misconfigured shares.
share types:
C$, ADMIN$, IPC$ → administrative
- custom shares → may expose sensitive files
lame language definition:
SMB is like “network folders” that anyone on LAN can access if allowed
formal definition:
Server Message Block (SMB) is a network file-sharing protocol enabling access to files and services over TCP/IP.
PowerShell (Quick Summary)
PowerShell is the backbone of Windows automation and recon.
important ideas:
- everything is an object
- pipelines pass objects
- cmdlets follow Verb-Noun pattern
- easy access to registry, services, WMI, CIM, processes
you've already covered this in detail in the previous writeup.
Active Directory (AD)
What is Active Directory
AD is basically identity + permission management for large networks (like companies) using Windows machines.
lame language definition:
AD is a system that controls “who you are” and “what you can do” inside a company network
formal definition:
Active Directory is a directory service built on LDAP and Kerberos, providing centralized authentication, authorization, and policy management within Windows domains.
Domain, OU, Users, Groups
in AD, machines and users belong to a domain (example: corp.local).
objects inside AD are organized into:
- Users
- Groups
- Computers
- Organizational Units (OUs)
lame language definition:
domain = company network
OU = folders to organize users/computers
formal definition:
OUs are containers in AD enabling hierarchical organization and targeted Group Policy application.
Domain Controllers (DC)
domain controller = server that runs AD services.
it handles:
- login authentication (Kerberos)
- directory lookups (LDAP)
- group policies
lame language definition:
DC is the boss server that decides if you can log in or not
formal definition:
a Domain Controller is a Windows server hosting AD DS, responsible for authentication, authorization, and domain policy enforcement.
Kerberos (Authentication)
Kerberos is default authentication in AD.
flow (very simplified):
- user requests a TGT
- DC verifies identity
- DC issues a TGT
- user uses TGT to access services
lame language definition:
kerberos gives you a “ticket” proving who you are
formal definition:
Kerberos is a network authentication protocol using symmetric cryptography and ticket-based identity validation.
Group Policy (GPO)
GPOs apply settings to many users/computers at once:
- password policies
- software restrictions
- login scripts
- firewall rules
- drive mappings
lame language definition:
admins use GPOs so they don’t have to configure 500 computers manually
formal definition:
Group Policy is a centralized configuration management feature applying domain-level policies via AD.
AD Enumeration (Security Context)
attackers and defenders both enumerate AD for:
- user lists
- group memberships
- misconfigured permissions
- service accounts
- SPNs (for kerberoasting)
- unconstrained delegation
- password policy weaknesses
tools commonly used:
net commands
- PowerShell (
Get-ADUser, Get-ADComputer, Get-ADGroup)
- bloodhound / sharphound
Conclusion
windows fundamentals + active directory fundamentals combine into one big idea:
windows controls security using accounts, permissions, groups, services, registry, and processes — and AD extends this model to whole networks using domains, policies, and centralized authentication.
understanding these core systems is enough to navigate almost any Windows/AD cybersecurity task.
`