Hacker Kayra

Windows Fundamentals

File Structure

  • In Windows, the root directory is represented as <drive_letter>:\, with the C: drive typically designated as the boot partition (where the operating system is installed). Additional physical or virtual drives are assigned letters such as Data (E:).

  • Boot Partition Directory Structure:

    • Perflogs: Can hold Windows performance logs but is empty by default.

    • Program Files: On 32-bit systems, all 16-bit and 32-bit programs are installed here. On 64-bit systems, only 64-bit programs are installed here.

    • Program Files (x86): 32-bit and 16-bit programs are installed here on 64-bit editions of Windows.

    • ProgramData: A hidden folder that contains data essential for certain installed programs to run. This data is accessible by the program no matter which user is running it.

    • Users: Contains a profile for each user that logs onto the system, plus the two folders Default and Public.

      • Default: The default user profile template for all created users. Whenever a new user is added to the system, their profile is based on the Default profile.

      • Public: Intended for computer users to share files and accessible to all users by default. This folder is shared over the network by default but requires a valid network account to access.

      • AppData: Per-user application data and settings are stored in this hidden subfolder of each profile. It contains three subfolders. Roaming holds machine-independent data that should follow the user's profile, such as custom dictionaries. Local is specific to the computer itself and is never synchronized across the network. LocalLow is similar to Local but has a lower data integrity level, so it can be used, for example, by a web browser set to protected or safe mode.

    • Windows: The majority of the files required for the Windows operating system are contained here.

      • System, System32, SysWOW64: Contain all DLLs required for the core features of Windows and the Windows API. The operating system searches these folders any time a program asks to load a DLL without specifying an absolute path.

      • WinSxS: The Windows Component Store, which contains a copy of all Windows components, updates, and service packs.

Windows File Systems

  • FAT12 and FAT16: Legacy systems no longer used in modern Windows.

  • FAT32, NTFS, and exFAT: Current options.

    • NTFS (New Technology File System) is the default since Windows NT 3.1.

    • NTFS advantages: Granular permissions, improved reliability, and advanced features.

    • FAT advantages: Broader compatibility with non-Windows devices.

NTFS Permissions

  • Permission Types:

    • Full Control: Allows reading, writing, changing, and deleting of files/folders.

    • Modify: Allows reading, writing, and deleting of files/folders.

    • List Folder Contents: Allows viewing and listing folders and subfolders as well as executing files. Only folders inherit this permission.

    • Read and Execute: Allows viewing and listing files and subfolders as well as executing files. Both files and folders inherit this permission.

    • Write: Allows adding files to folders and subfolders and writing to a file.

    • Read: Allows viewing and listing of folders and subfolders and viewing a file's contents.

    • Traverse Folder: Allows or denies moving through folders to reach other files or folders. For example, a user may have no permission to list the contents of, or view files in, the documents or web apps directories, but with Traverse Folder permission applied they can still reach c:\users\bsmith\documents\webapps\backups\backup_02042020.zip and access the backup archive.

  • Inherited from parent folders by default (can be disabled).

  • Managed via:

    • File Explorer GUI (Security tab).

    • Command line using icacls.

      • Example Commands:

        icacls c:\users /grant joe:f # Grants "Full Access" to user Joe

        icacls c:\users /remove joe # Revokes Joe's permissions

  • Permission Inheritance Flags:

    • (CI): container inherit

    • (OI): object inherit

    • (IO): inherit only

    • (NP): do not propagate inherit

    • (I): permission inherited from parent container

  • Basic Access Levels:

    • F : full access

    • D : delete access

    • N : no access

    • M : modify access

    • RX : read and execute access

    • R : read-only access

    • W : write-only access
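The following PowerShell script is an added example and is not part of the original notes. It ties the NTFS permission types and the icacls inheritance flags above to the DLL search directories from the file-structure table (System32 and SysWOW64): it reads each folder's ACL with Get-Acl and reports every Allow entry that gives write-class rights (the granular bits behind Write, Modify and Full Control) to broad groups, together with the inheritance state icacls prints as (I), (OI), (CI), (IO) and (NP). The path list and the list of "broad" principals are assumptions you can edit; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not part of the original notes. Audits NTFS ACLs for Allow
# entries that give write-class rights to broad principals. Assumes Windows
# PowerShell 5.1 or later; the path and principal lists are assumptions to edit.

$Paths = @(
    "$env:SystemRoot\System32",        # DLL search directories from the table above
    "$env:SystemRoot\SysWOW64",
    "$env:ProgramData",                # shared by every user's programs
    "$env:USERPROFILE\Documents"       # a per-user folder, as in the icacls example
)

# Principals broad enough that write access deserves a second look.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# The granular rights behind Write, Modify and Full Control that let a user
# change content or permissions.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
             $R::WriteExtendedAttributes -bor $R::Delete -bor
             $R::ChangePermissions -bor $R::TakeOwnership

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights show up as negative numbers; the int cast keeps the bit test valid.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path        = $Path
            Principal   = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited          # icacls shows this as (I)
            Inheritance = $ace.InheritanceFlags     # ContainerInherit = (CI), ObjectInherit = (OI)
            Propagation = $ace.PropagationFlags     # InheritOnly = (IO), NoPropagateInherit = (NP)
        }
    }
}

$findings = foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Get-BroadWriteAce -Path $p }
}
$findings | Format-Table -AutoSize
```

On a default installation System32 and SysWOW64 should produce no rows, because BUILTIN\Users only hold Read & Execute there; ProgramData usually does appear, since its default ACL lets Users create files and folders in it, and the useful follow-up is to run the same function over the program subfolders that inherited that entry.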

NTFS vs. Share Permissions

  • NTFS Permissions: Apply locally to files/folders on the host system.

  • Share Permissions: Control access via the SMB protocol (e.g., network shares).

    • Note: Windows Defender Firewall may block SMB access.

    • By default, the C: drive is shared, allowing remote access with proper credentials.

Windows Services

  • Services are background processes that run independently of user interaction.

  • Key Features:

    • Start automatically at boot (no user login required).

    • Managed via Service Control Manager (SCM) (services.msc).

    • Statuses: Running, Stopped, Paused.

    • Startup Types: Automatic, Manual, Delayed.

  • Service Categories:

    • Local Services

    • Network Services

    • System Services

  • Permissions:

    • Most require administrative privileges to modify.

    • Critical services (e.g., DHCP, Active Directory) often run under LocalSystem (highest privileges).

    • By default, privileges are tied to the logged-in user context.
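As an added example that is not part of the original notes, the script below inventories services through the Win32_Service CIM class, the same data services.msc shows: how many services use each startup type, which account each runs under (LocalSystem, NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService or a named account), which auto-start services run as LocalSystem, and which auto-start services are not actually running. It assumes Windows PowerShell 5.1 or later and a Windows 8 / Server 2012 or later system for the DelayedAutoStart property; run it elevated to see every service's binary path.

```powershell
# Added example, not part of the original notes. Inventories services by start
# mode and run-as account via the Win32_Service CIM class. Assumes Windows
# PowerShell 5.1 or later; DelayedAutoStart exists on Windows 8 / Server 2012
# and later. Run elevated to see every service's PathName.

function Get-ServiceInventory {
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, DelayedAutoStart,
                      StartName, PathName, ExitCode
}

function Show-ServiceSummary {
    param([object[]]$Services = (Get-ServiceInventory))

    # Startup types reported by WMI: Boot, System, Auto, Manual, Disabled.
    # "Delayed" from the notes is the DelayedAutoStart flag on an Auto service.
    $Services | Group-Object StartMode |
        Select-Object @{n = 'StartMode'; e = { $_.Name }}, Count | Format-Table -AutoSize

    # Run-as accounts: LocalSystem, NT AUTHORITY\LocalService,
    # NT AUTHORITY\NetworkService, plus any named local or domain accounts.
    $Services | Group-Object StartName | Sort-Object Count -Descending |
        Select-Object @{n = 'RunAs'; e = { $_.Name }}, Count | Format-Table -AutoSize
}

function Get-AutoLocalSystemService {
    param([object[]]$Services = (Get-ServiceInventory))
    # Services that start at boot under the highest-privilege account. Their
    # binaries and the folders they live in are where NTFS permissions matter most.
    $Services | Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, DelayedAutoStart, PathName
}

function Get-StoppedAutoService {
    param([object[]]$Services = (Get-ServiceInventory))
    # Auto-start services that are not Running: a crash, a manual stop or a
    # failed start, all worth a look when troubleshooting.
    $Services | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, State, ExitCode
}

$inv = Get-ServiceInventory
Show-ServiceSummary -Services $inv
Get-AutoLocalSystemService -Services $inv | Format-Table -AutoSize
Get-StoppedAutoService -Services $inv | Format-Table -AutoSize
```

The inventory is fetched once and passed to each function so that the three views agree with each other; Get-Service alone does not expose the run-as account or the binary path, which is why the CIM class is used instead.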

Processes

  • Processes run in the background on Windows systems.

Local Security Authority Subsystem Service (LSASS)

  • Enforces security policies.

  • Validates user logins, generates access tokens, and manages password changes.

Task Manager

  • Monitors processes, performance, services, startup programs, and active users.

  • Critical for troubleshooting and resource management.

Windows Sessions

  • There are two types of sessions:

    • Interactive: User logs in locally or via domain credentials.

    • Non-Interactive:

      • Local System Account: Highest privileges.

      • Local Service Account: Limited local rights.

      • Network Service Account: Limited network rights.

  • Other than interacting with Windows through the Graphical User Interface (GUI), Windows can be driven from the Command Prompt (cmd.exe) and from PowerShell, which is basically CMD on steroids (mainly scripting powers).

  • Note that scripting is managed through execution policies to prevent malicious script runs.
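As an added example that is not part of the original notes, the script below lists the logon sessions on the machine with their type and owning account, so the interactive and non-interactive sessions described above can be seen side by side (the Local System, Local Service and Network Service accounts appear as Service-type sessions), and then prints the execution policy scopes that govern which scripts PowerShell will run. It assumes Windows PowerShell 5.1 or later; run it elevated to see sessions belonging to other accounts.

```powershell
# Added example, not part of the original notes. Lists logon sessions by type
# with the account behind each, then shows the execution policy scopes that
# govern scripting. Assumes Windows PowerShell 5.1 or later; run elevated to
# see sessions that belong to other accounts.

# Logon types reported by Win32_LogonSession; 2, 10 and 11 are interactive.
$LogonTypeName = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonSessionSummary {
    foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
        # The Win32_LoggedOnUser association links a session to its account.
        $acct = Get-CimAssociatedInstance -InputObject $s -ResultClassName Win32_Account -ErrorAction SilentlyContinue
        $type = [int]$s.LogonType
        [pscustomobject]@{
            LogonId     = $s.LogonId
            Type        = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { "Unknown($type)" }
            Interactive = $type -in 2, 10, 11
            Account     = if ($acct) { "$($acct.Domain)\$($acct.Name)" } else { '(unresolved)' }
            Started     = $s.StartTime
        }
    }
}

Get-LogonSessionSummary | Sort-Object Interactive, Type | Format-Table -AutoSize

# The service accounts from the notes show up as NT AUTHORITY\SYSTEM,
# NT AUTHORITY\LOCAL SERVICE and NT AUTHORITY\NETWORK SERVICE with Service-type
# sessions; your own desktop logon is Interactive (RemoteInteractive over RDP).

# Execution policy is set per scope. Get-ExecutionPolicy -List prints the
# scopes in precedence order; the first one that is not Undefined is the
# effective policy, so a MachinePolicy set by Group Policy overrides CurrentUser.
Get-ExecutionPolicy -List
Get-ExecutionPolicy     # the effective policy for this session
```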

Windows Security

Security Identifier (SID)

  • Unique identifier for users, groups, and devices.

  • Example: S-1-5-21-674899381-4069889467-2080702030-1002

    • Structure: (SID)-(Revision)-(Authority)-(Subauthorities). In the example, S marks the SID, 1 is the revision, 5 is the authority, and 21-674899381-4069889467-2080702030-1002 are the subauthorities.
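As an added example that is not part of the original notes, the script below splits a SID string into the revision, authority and subauthority parts named above, separating the final subauthority (the relative identifier, or RID, of the account) from the identifier of the issuing machine or domain, and resolves the SID to an account name with the .NET SecurityIdentifier class. It assumes Windows PowerShell 5.1 or later; the sample SID is the one from the notes and will only resolve on the machine or domain that issued it.

```powershell
# Added example, not part of the original notes. Splits a SID string into the
# parts named above and resolves it to an account name. Assumes Windows
# PowerShell 5.1 or later; the sample SID is the one from the notes and only
# resolves on the machine or domain it belongs to.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') { throw "Not a SID: $Sid" }
    $parts = $Matches[3].TrimStart('-') -split '-'
    # Everything between the authority and the last number identifies the
    # issuing machine or domain; the last number is the relative identifier
    # (RID) of the account within it. Well-known SIDs have no domain part.
    $domainPart = if ($parts.Count -gt 1) { $parts[0..($parts.Count - 2)] } else { @() }
    [pscustomobject]@{
        Sid            = $Sid
        Revision       = [int]$Matches[1]     # 1 for every SID in use today
        Authority      = [int]$Matches[2]     # 5 = NT Authority
        Subauthorities = $domainPart -join '-'
        Rid            = [int]$parts[-1]
    }
}

function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        '(not mappable on this host)'
    }
}

$sample = 'S-1-5-21-674899381-4069889467-2080702030-1002'
Split-Sid -Sid $sample | Format-List
Resolve-Sid -Sid $sample

# A well-known SID: short, with no domain identifier. Resolves to NT AUTHORITY\SYSTEM.
Split-Sid -Sid 'S-1-5-18' | Format-List
Resolve-Sid -Sid 'S-1-5-18'

# The current user's SID and the SID of the machine or domain that issued it.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$me.User.Value
$me.User.AccountDomainSid.Value
```

Comparing the Subauthorities field of two SIDs tells you whether they were issued by the same machine or domain, which is the distinction that matters when the same RID (for example 500 for the built-in Administrator) appears on many hosts.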

Security Accounts Manager (SAM) and Access Control Entries (ACE)

  • Manages user rights via Access Control Entries (ACE) in Access Control Lists (ACL).

User Account Control (UAC)

  • Blocks unauthorized system changes or installations by requesting admin approval.

Windows Defender

  • Windows Defender is a built-in antivirus that ships free with Windows operating systems and provides several features, such as real-time protection.

AppLocker

  • AppLocker is Microsoft's application whitelisting solution and was first introduced in Windows 7. It gives system administrators control over which applications and files users can run.

Group Policies

  • Group Policy allows administrators to set, configure, and adjust a variety of settings. Group Policy can be configured locally, in both domain environments and non-domain environments.

Registry

  • The Registry is a hierarchical database in Windows. It stores low-level settings for the Windows operating system and applications. It is divided into computer-specific and user-specific data.
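As an added example that is not part of the original notes, the script below reads the same key from the computer-specific hive (HKLM) and the user-specific hive (HKCU) to make the split described above concrete, using the Run keys because both hives carry one, and then shows that HKCU is only a view of HKEY_USERS under the current user's SID. It assumes Windows PowerShell 5.1 or later and uses only standard cmdlets; the drive name HKU is chosen here and is not predefined.

```powershell
# Added example, not part of the original notes. Reads the same key from the
# computer-wide hive (HKLM) and the per-user hive (HKCU), using the Run keys
# because both hives carry one. Assumes Windows PowerShell 5.1 or later; the
# HKU drive name is our choice and is not predefined.

# Hives exposed as PowerShell drives by default: HKLM: and HKCU:
Get-PSDrive -PSProvider Registry | Select-Object Name, Root | Format-Table -AutoSize

# Get-ItemProperty adds these provider properties to every result; skip them.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntry {
    param([string[]]$Hives = @('HKLM:', 'HKCU:'))
    foreach ($hive in $Hives) {
        $key = Join-Path $hive 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Every value under the key comes back as a property of one object.
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }
            [pscustomobject]@{
                Scope   = if ($hive -eq 'HKLM:') { 'computer' } else { 'user' }
                Hive    = $hive
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

Get-AutostartEntry | Format-Table -AutoSize

# HKCU is a view of HKEY_USERS\<SID of the current user>, which ties the
# user-specific half of the Registry to the SID from the Security Identifier
# section. Mount HKEY_USERS as a drive and confirm the same key exists there.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Test-Path -LiteralPath "HKU:\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
```

Entries under the HKLM key apply to every account that logs on and need administrative rights to change; entries under the HKCU key belong to one user and can be written by that user alone, which is why the two scopes are worth reviewing separately.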


Last updated 3 months ago
