windows-internals
7 posts tagged windows-internals.
-
The Same-Privilege Paradox: Twenty-One Years of Windows Kernel Self-Defense
PatchGuard, KASLR, KDP, and the Win32k Lockdown are four answers to one paradox -- a defense at the attacker's privilege cannot succeed in principle. The 2005-2026 trajectory is migration out of the kernel.
-
A Mitigation That Became a Primitive: The Story of SeImpersonatePrivilege
How a 2003 backward-compatibility privilege became the most-abused Windows service primitive, and why every Microsoft closure path breaks something shipped.
-
Three Years of PrintNightmare: How the Oldest Windows Service Survived Four Patch Waves
How the Windows Print Spooler produced nine SYSTEM-execution primitives in 2010-2024 and why Microsoft answered with two parallel architectures, not one.
-
Every UAC Prompt Is an ALPC Handshake: A Field Guide to Windows' Most-Attacked Local IPC Fabric
ALPC and LRPC are the asynchronous local-IPC fabric under every Windows service. This is the story of the kernel object Microsoft does not document and the attack surface almost every Patch Tuesday still fixes.
-
eBPF vs ETW: Two Generations of Kernel Observability
Why Windows ETW emits events and Linux eBPF computes them -- and what eBPF-for-Windows reveals about the convergence of two operating systems.
-
ETW: How Windows 2000's Performance Hack Became the EDR Substrate
Event Tracing for Windows is the kernel-buffered observability bus every modern Windows EDR consumes. This is the architecture, the attacks, and the one provider that survives them.
-
The Object Manager Namespace: The Hierarchical Filesystem Underneath Every Windows Security Boundary
A bottom-up tour of the Windows Object Manager namespace, the 1993 Cutler-era kernel data structure that every Windows security boundary quietly assumes.