Windows Architecture

System Files

Program Files:

  • \Program Files: 64-bit programs on 64-bit Windows. Writable only by administrators by default, which is why installers ask for elevation.

  • \Program Files (x86): 32-bit programs on 64-bit Windows.

  • \ProgramData: Application data shared by all users (hidden by default). Unlike \Program Files, standard users can create files and folders here, so it is a common staging location for malware.

User Data:

  • \Users: Contains a profile folder for each user (for example \Users\alice).

  • \Users\Public: Files shared among all users of the machine.

  • \Users\[username]\AppData: Per-user application data and settings (Local, LocalLow and Roaming). Standard users can write here, so this is where most user-mode malware persists.

Windows System:

  • \Windows: The operating system itself.

  • \Windows\System32 and \Windows\SysWOW64: Core components and dynamic link libraries (DLLs). On 64-bit Windows, System32 holds the 64-bit binaries and SysWOW64 holds the 32-bit ones, despite the names; a 32-bit process that opens \Windows\System32 is transparently redirected to SysWOW64 (WOW64 file system redirection). \Windows\System is a legacy folder from 16-bit Windows.

  • \Windows\WinSxS: The component store (side-by-side assemblies, updates and service packs). Most files in System32 are hard links into this store.

Other:

  • \PerfLogs: Windows performance logs (empty by default).

File System

When Windows was first released, it used the FAT (File Allocation Table) file system. FAT was simple and widely compatible, but it limited volume and file sizes (a FAT16 file cannot exceed 2 GB) and offered no file permissions or other security features.

In 1993, with the release of Windows NT 3.1, NTFS (New Technology File System) was introduced. NTFS was designed to address the limitations of FAT: it supports large files, offers security features such as file and folder permissions, and uses disk space more efficiently. NTFS is the default file system for Windows system volumes today.

FAT32, introduced with Windows 95 OSR2 in 1996, became the usual choice for the USB flash drives and memory cards that spread in the early 2000s. It handles larger volumes than FAT16, but a single file still cannot be 4 GB or larger.

exFAT (Extended File Allocation Table) was introduced in 2006 (first for Windows CE; desktop Windows gained it with Vista SP1). It was designed to replace FAT32 on removable media and supports files larger than 4 GB. It has no journaling and no permissions, so it is simpler than NTFS and suited to portable storage rather than system volumes.

NTFS and FAT

NTFS is a journaling file system: it records metadata changes in a log ($LogFile) before applying them, so after a crash or power loss the volume can be brought back to a consistent state instead of being scanned from scratch. Note that the journal protects the file system's structures, not the contents of your files; a document that was half-written at the moment of the crash can still be lost. FAT has no journal, which is why a corrupted FAT volume needs a full chkdsk pass and may lose directory entries.

NTFS was a significant development at a time when Windows' storage needs were growing and overcame many of FAT's limitations:

Security: NTFS offered a more robust security model by providing permissions to control file access.

Scalability: NTFS supported larger file sizes and drive capacities, accommodating more modern storage needs.

Reliability: NTFS provided journaling to enhance data integrity and recovery.

Features: NTFS offered additional functions such as file compression, encryption (EFS), disk quotas, and alternate data streams to improve storage management and security.

As a result, NTFS remains a more modern, secure, and scalable file system compared to FAT and continues to be a fundamental component of Windows.

Access Control List (ACL)

ACL stands for Access Control List. This list determines who can access a resource (file, folder, printer, registry key, network share, etc.) on a computer system and what access permissions they have.

ACLs allow system administrators and users to protect sensitive data and ensure that only authorized identities (users, groups, computers, services) can access specific resources.

On NTFS volumes every file and folder carries a security descriptor with an owner and two lists: the DACL, which grants or denies access and is what the Security tab calls "permissions", and the SACL, which selects which accesses are audited to the Security event log. Entries can be inherited from the parent folder, and an explicit Deny entry takes precedence over an Allow.

The basic permissions shown in the Security tab are bundles of finer-grained "special" permissions:

  • Full control: everything below, plus changing permissions and taking ownership.

  • Modify: read, execute, write and delete.

  • Read and execute: read the contents and run the file if it is a program.

  • List folder contents: the same rights as Read and execute, shown only for folders and inherited only by subfolders, not by files.

  • Read: view contents, attributes and permissions.

  • Write: create files and folders and write data and attributes (without Modify, existing content cannot be deleted).

Viewing/Changing the Access Control List

  1. Right-click the file or folder.

  2. Select Properties from the menu.

  3. In the Properties window, click the Security tab.

  4. In the Group or user names list, select the user, computer, or group whose permissions you want to view.

  5. Click Edit to change entries, or Advanced to see the owner, inheritance, effective access, and the Auditing (SACL) tab.
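The same from PowerShell, which is how an administrator or a pentester checks permissions at scale. This is an added example, not code from the original page; it assumes Windows PowerShell 5.1 or later, and the paths and the test folder name are assumptions to replace with your own.

```powershell
# 1. View an ACL. Get-Acl returns the owner and DACL; add -Audit to include the SACL
#    (reading the SACL needs SeSecurityPrivilege, i.e. an elevated prompt).
$acl = Get-Acl -LiteralPath 'C:\Windows\System32'
$acl.Owner
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
# The same descriptor in SDDL, the form tooling and audit logs usually show:
$acl.Sddl

# 2. Audit: list folders under a root where a low-privileged identity may write.
#    Write access for Everyone/Users on a folder holding binaries that a service or an
#    administrator later runs lets a standard user swap the binary (classic privilege escalation).
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
# Some ACEs carry raw generic rights instead of decoded ones; include GENERIC_WRITE and GENERIC_ALL.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Find-WeakFolderAcl {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try { $a = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { return }
            foreach ($rule in $a.Access) {
                if ($rule.AccessControlType -eq 'Allow' -and
                    $LowPriv -contains $rule.IdentityReference.Value -and
                    (([int]$rule.FileSystemRights -band $WriteMask) -ne 0)) {
                    [pscustomobject]@{
                        Path     = $dir.FullName
                        Identity = $rule.IdentityReference.Value
                        Rights   = $rule.FileSystemRights
                    }
                }
            }
        }
}
Find-WeakFolderAcl -Root 'C:\Program Files' | Format-Table -AutoSize

# 3. Change an ACL: stop inheritance and grant explicit entries (assumed test folder).
$Folder = 'C:\Temp\AclDemo'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $false)   # $true: block inheritance, $false: drop inherited rules
foreach ($spec in @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $spec[0], $spec[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Folder -AclObject $acl
# Equivalent with the built-in icacls tool:
# icacls C:\Temp\AclDemo /inheritance:r /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" /grant "BUILTIN\Administrators:(OI)(CI)F" /grant "BUILTIN\Users:(OI)(CI)RX"
```

Run the audit against \Program Files, \Program Files (x86) and the folders named in service binary paths (Get-CimInstance Win32_Service | Select-Object PathName); any hit for Users or Everyone is worth a ticket. Always keep an entry for SYSTEM when you replace inherited rules, or Windows services and updates will fail on that folder.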

Alternative Data Streams (ADS)

On NTFS, a file's normal contents live in its unnamed data stream. NTFS also lets a file carry any number of named streams (written as file.txt:streamname) that act like hidden compartments: Explorer does not show them, the file's displayed size does not include them, and copying the file to a FAT or exFAT volume silently drops them.

Advantages:

ADS provides legitimate purposes for applications. Programs can use:

  • Metadata such as thumbnail previews or document summaries.

  • Non-critical information associated with the file.

  • The Zone.Identifier stream (the "Mark of the Web") that browsers and mail clients write to downloaded files. It records the security zone the file came from and, on current Windows, the source URL; SmartScreen, Office Protected View and the Unblock button in file Properties all act on it.

Security Risks:

While ADS has valid uses, it can also be misused.

Malware can store a payload or a script in a named stream of an innocuous file. The visible file size does not change, dir and Explorer do not list the stream, and tools that only scan the default stream miss it. Because streams do not survive a copy to FAT/exFAT or an e-mail attachment, an unexpected named stream on a file is also a useful forensic indicator.
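Creating, listing and hunting for streams from PowerShell, as an added example that is not part of the original page. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the paths are assumptions, and the Zone.Identifier content written below is a constructed sample, not a real download record.

```powershell
$File = 'C:\Temp\ads-demo.txt'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $File) -Force | Out-Null
Set-Content -Path $File -Value 'visible content'

# Write a named stream. The size shown by dir/Explorer stays that of the default stream.
Set-Content -Path $File -Stream 'hidden' -Value 'payload stored out of sight'

# Enumerate every stream of the file. ':$DATA' is the unnamed, normal data stream.
Get-Item -Path $File -Stream * | Select-Object Stream, Length

# Read one stream explicitly (the file:stream syntax also works with more < file:stream in cmd)
Get-Content -Path $File -Stream 'hidden'

# The legitimate case from the text: a Zone.Identifier stream as a browser would write it.
# Constructed sample; ZoneId=3 means "Internet".
$mark = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.com/`r`nHostUrl=https://example.com/ads-demo.txt"
Set-Content -Path $File -Stream 'Zone.Identifier' -Value $mark
Get-Content -Path $File -Stream 'Zone.Identifier'

# Hunting: files under a folder that carry streams other than the default and Zone.Identifier.
function Find-SuspiciousAds {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FileName; Stream = $_.Stream; Length = $_.Length }
            }
    }
}
Find-SuspiciousAds -Root 'C:\Temp' | Format-Table -AutoSize

# Clean-up. Remove-Item -Stream deletes a single stream; Unblock-File removes only Zone.Identifier,
# which is exactly what the Unblock checkbox in Properties does.
Remove-Item -Path $File -Stream 'hidden'
Unblock-File -Path $File
Get-Item -Path $File -Stream * | Select-Object Stream, Length
```

From cmd, dir /r lists streams and Sysinternals streams.exe does the same recursively. Run Find-SuspiciousAds over user-writable trees such as \Users and \ProgramData; a stream named like an executable or script extension deserves a look at its contents.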

Shadow Copy

Shadow copy (the Volume Shadow Copy Service, VSS) is a feature of Windows that creates a point-in-time snapshot of a volume. System Restore and "Previous Versions" in a file's Properties use it, so you can roll back files or folders you accidentally deleted or modified.

Although it is not covered in detail here, it should be noted that this feature is not a protection against ransomware.

Ransomware authors know about shadow copies and routinely delete them before encrypting (for example with vssadmin delete shadows /all /quiet or wmic shadowcopy delete), which they can do because the malware is already running with administrator rights. Without an offline or otherwise immutable backup, recovery is then impossible.
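The defensive side of that point: list what shadow copies exist and flag the process command lines that destroy them. This is an added example, not from the original page. The inventory needs an elevated prompt; the event command lines are constructed samples in the shape of Sysmon Event ID 1 or Security 4688 CommandLine fields, and the patterns are the well-known ones behind MITRE ATT&CK T1490 (Inhibit System Recovery).

```powershell
# Inventory the snapshots on this machine (same information as: vssadmin list shadows)
Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName

# Regexes for the commands ransomware uses to remove recovery options
$Patterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*(Delete\(\)|Remove-CimInstance|Remove-WmiObject)',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?.*recoveryenabled\s+no',
    'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures'
)

# Returns the matching pattern, or $null for a benign command line
function Test-ShadowDeletionCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $Patterns) {
        if ($CommandLine -imatch $p) { return $p }
    }
    return $null
}

# Constructed sample process-creation command lines (not real telemetry)
$Events = @(
    'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    'wmic shadowcopy delete',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'vssadmin list shadows',
    'bcdedit /set {default} recoveryenabled No',
    'notepad.exe C:\Users\alice\notes.txt'
)
$Events | ForEach-Object {
    $hit = Test-ShadowDeletionCommand -CommandLine $_
    [pscustomobject]@{ Suspicious = [bool]$hit; Rule = $hit; CommandLine = $_ }
} | Format-Table -AutoSize
```

Only the first, second, third and fifth sample lines are flagged; listing shadows and opening Notepad pass. For this to work on real data you need process command lines in your logs: enable Audit Process Creation together with "Include command line in process creation events", or deploy Sysmon. Treat a hit as high priority, because it usually arrives minutes before the encryption starts.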

User Structure

Windows assigns each account to local groups that determine its rights. The two most common categories are:

Administrators:

  • Have full control over the computer.

  • Can change system settings, install and uninstall programs, manage other user accounts, and perform many other tasks.

  • Administrators have the ability to modify sensitive system files and data, so this role should only be assigned to trusted individuals.

Standard Users:

  • Have basic permissions to use the computer.

  • Can run programs, open and edit files, and access the internet.

  • Cannot change system settings, install or uninstall programs, or manage other user accounts.

  • Standard users have limited permissions to help maintain the computer's security and stability.

Other User Types:

  • Guest: A built-in account with minimal rights for temporary use. It is disabled by default on current Windows and should stay that way.

  • Assigned Access: Not an account type but a kiosk mode: a standard account is locked to a single app or a fixed set of apps and cannot reach the rest of the desktop.

Managing User Accounts

The quickest way to manage accounts interactively is the Local Users and Groups console (not available on Windows Home editions; the PowerShell cmdlets below are).

Open the Start menu, type PowerShell, and open it.

At the prompt, type:

lusrmgr.msc

In the window that appears, you can manage local users and groups.

You can change group membership (and therefore account type), enable or disable accounts, reset passwords, and more.
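The same tasks with the LocalAccounts PowerShell module, as an added example that is not part of the original page. It assumes Windows 10 / Server 2016 or later and an elevated PowerShell; the account name and description are assumptions.

```powershell
# Which local accounts exist, and which are enabled? Stale enabled accounts are a common finding.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordRequired | Format-Table -AutoSize

# Who holds local administrator rights? PrincipalSource shows whether a member is local or from the domain.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# Create a standard user. New-LocalUser does not add the account to any group, so add it to Users,
# otherwise it cannot log on interactively.
$pw = Read-Host -Prompt 'Password for alice' -AsSecureString
New-LocalUser -Name 'alice' -Password $pw -FullName 'Alice Example' -Description 'Standard user (assumed)' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member 'alice'

# Change account type: membership of Administrators is what makes an account an administrator.
Add-LocalGroupMember -Group 'Administrators' -Member 'alice'
Remove-LocalGroupMember -Group 'Administrators' -Member 'alice'

# Keep the built-in Guest account disabled
Disable-LocalUser -Name 'Guest'
Get-LocalUser -Name 'Guest' | Select-Object Name, Enabled

# When investigating an account, disable it rather than delete it: the SID, profile and
# event-log references stay intact for forensics.
Disable-LocalUser -Name 'alice'
# Enable-LocalUser -Name 'alice'   # to reverse
```

Run Get-LocalGroupMember -Group 'Administrators' periodically and compare with the previous run; a new member that nobody added is one of the simplest persistence mechanisms to catch.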

User Account Control (UAC)

UAC stands for User Account Control, a built-in security feature of Windows since Vista. With UAC on, even members of the Administrators group run their programs with a filtered, standard-user token; the full administrator token is used only for an operation you have approved in the UAC prompt. This limits the damage a mistake or a malicious program can do while running as you.

When a program attempts an operation that requires administrative privileges (installing a program, changing system settings, writing to \Program Files or HKLM), the UAC prompt appears on the secure desktop and you approve or deny it. A standard user is asked for an administrator's credentials instead.

Levels (from high to low):

  • Always notify: The most secure option. You are prompted for everything, including changes you make to Windows settings yourself, and the prompt is shown on the secure desktop.

  • Notify me only when programs try to make changes to my computer (default): You are prompted for changes made by programs but not for Windows' own settings tools. Signed Windows binaries can elevate without a prompt at this level, which is what most published UAC bypasses rely on.

  • Notify me only when programs try to make changes to my computer (do not dim my desktop): The least secure of the three notification options. The prompt is the same as above but appears on the normal desktop instead of the isolated secure desktop, so other programs running as you can read it or interact with it.

  • Never notify: Not recommended. Elevation happens silently with no prompt at all (on Windows 8 and later UAC itself stays switched on, it just never asks), so any program you run as an administrator immediately gets full rights.
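The slider writes three registry values, which is how you check the effective UAC level on a machine or in a fleet. This is an added example, not from the original page; it assumes Windows PowerShell 5.1 or later. The level names are the control panel labels, and the value meanings are the documented Windows policy settings.

```powershell
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $Key
$enableLua = [int]$p.EnableLUA                    # 0 = UAC off entirely (needs a reboot to take effect)
$consent   = [int]$p.ConsentPromptBehaviorAdmin   # 0 = elevate silently, 2 = always prompt, 5 = prompt for non-Windows binaries
$secure    = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the secure (dimmed) desktop, 0 = normal desktop

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify me only when programs try to make changes (default)' }
        '5/0'   { 'Notify me only when programs try to make changes (do not dim my desktop)' }
        '0/0'   { 'Never notify (silent elevation; EnableLUA still 1)' }
        default { "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop)" }
    }
}
Get-UacLevel -EnableLUA $enableLua -ConsentPromptBehaviorAdmin $consent -PromptOnSecureDesktop $secure

# Is this PowerShell session running with the full administrator token?
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
"Elevated: " + $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Harden to "Always notify" (elevated prompt required; Group Policy overrides these on managed machines):
# Set-ItemProperty -Path $Key -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $Key -Name PromptOnSecureDesktop -Value 1
```

A result of "Never notify" or a custom policy with ConsentPromptBehaviorAdmin=0 on a user's workstation should be treated as a misconfiguration, since it hands every program the user runs full administrator rights without asking.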

Advantages

  • Security: UAC limits the damage of mistakes and of malicious software by keeping day-to-day programs on a standard-user token until you approve an elevation.

  • Control: Provides visibility into, and a veto over, operations requiring administrative privileges.

  • User-Friendly: The UAC prompt names the program and its publisher, so you can understand what is about to happen and stop it before giving approval.

Disadvantages

  • Inconvenience: UAC may frequently request approval, which some users find annoying and start approving without reading.

  • Incompatibility: Some older programs assume they run as an administrator and do not work correctly under UAC.

  • Not a security boundary: Microsoft does not treat UAC bypasses as security vulnerabilities, and bypasses through auto-elevating Windows binaries are publicly known at the default level. "Always notify" closes those; using a standard account for daily work and a separate administrator account for elevation closes more.
