Windows Internals, Part 1
System architecture, processes, threads, memory management, and more
The canonical Microsoft Press reference on Windows internals: how processes, threads, memory and system services are actually implemented in the modern Windows kernel. User-mode focus in this volume.
As an Amazon Associate we earn from qualifying purchases. The link above is sponsored.
- Published
- 2017
- Publisher
- Microsoft Press
- Pages
- 800
- Language
- English
Read this if
Windows malware analysts, kernel reverse engineers, OS-level developers, and anyone whose security work requires understanding the platform at depth. Russinovich's name is on the cover for a reason; this is the canonical reference for what Windows actually does.
Skip this if
Beginners or readers without programming background. The book is dense, lengthy, and assumes Win32 API fluency at minimum. Read after Practical Reverse Engineering, not before.
Key takeaways
- Process, thread, and memory management on Windows have specific shapes that don't transfer from Linux mental models; the chapters on each are the canonical authority.
- Object Manager and the kernel handle table are the two concepts most malware analysts wish they'd understood earlier; the book is where to learn them.
- User-mode security boundaries (token, ACL, integrity levels, AppContainer) are the layer where most modern Windows exploits operate; the book maps the surface.
Notes
Pair with Practical Reverse Engineering (Dang/Gazet/Bachaalany) and the Sysinternals tools (Process Explorer, Process Monitor, Autoruns) for the practitioner's view. Volume 2 covers I/O, file systems, and advanced kernel topics. Russinovich's blog and the Microsoft Sysinternals YouTube channel are the natural follow-ups. The book is from 2017 but Windows internals change slowly at the layer documented here; most material is still current.
What to read before
What to read before Windows Internals, Part 1 →Advanced · 2014
Android Security Internals
Nikolay Elenkov on the actual implementation of Android's security model: package manager internals, permissions, keystore, SELinux integration, verified boot.
Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Advanced · 2019
Rootkits and Bootkits
Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.
What to read next
What to read after Windows Internals, Part 1 →Advanced · 2014
Android Security Internals
Nikolay Elenkov on the actual implementation of Android's security model: package manager internals, permissions, keystore, SELinux integration, verified boot.
Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.
Advanced · 2019
Rootkits and Bootkits
Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.
Explore similar books
Alternatives to Windows Internals, Part 1 →Advanced · 2019
Rootkits and Bootkits
Matrosov, Rodionov and Bratus on persistent, deeply-embedded malware: kernel rootkits, MBR/UEFI bootkits, and the forensic techniques that surface them. Strongly Windows-internals oriented.
Advanced · 2014
Android Security Internals
Nikolay Elenkov on the actual implementation of Android's security model: package manager internals, permissions, keystore, SELinux integration, verified boot.
Advanced · 2014
Practical Reverse Engineering
A working reverser's textbook from three Microsoft / Quarkslab veterans, covering the architectures and toolchain you'll actually meet on real targets, including the Windows kernel and modern obfuscation patterns.