Windows
Filesystem
Modern Windows uses NTFS (New Technology File System).
Alternate Data Stream - ADS
Alternate data streams are an NTFS feature and are not shown by Windows File Explorer. Every file has at least one data stream, the unnamed $DATA stream that holds the file's normal content; an ADS is an additional, named $DATA stream attached to the same file (for example file.txt:hidden). Because Explorer reports only the primary stream's size, malware can use an ADS to hide data. Not all use-cases of ADS are malicious: Windows itself attaches a Zone.Identifier stream to files downloaded from the Internet (the "mark of the web"). To learn more about ADS, refer to the MalwareBytes article linked here.
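The following PowerShell session, added here as an example and not part of the original notes, creates a file with an alternate stream, shows why Explorer misses it, and then hunts a directory tree for streams that are neither the primary $DATA stream nor the browser-added Zone.Identifier. The demo directory under $env:TEMP and the stream name "hidden" are assumptions.

```powershell
# Added example: create, list, read and hunt for NTFS alternate data streams.
# Paths and stream names are illustrative, not from the original notes.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'notes.txt'

# Write the normal (unnamed) $DATA stream, then a named stream called "hidden".
Set-Content -Path $file -Value 'visible text'
Set-Content -Path $file -Stream 'hidden' -Value 'content that Explorer never shows'

# Explorer and a plain directory listing report the primary stream's size only.
(Get-Item $file).Length

# Enumerate every stream on the file; ':$DATA' is the unnamed primary stream.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the alternate stream back.
Get-Content -Path $file -Stream 'hidden'

# Hunt: list files under a tree that carry streams other than the primary
# stream and the mark-of-the-web. Anything else deserves a look.
function Find-SuspiciousStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            Get-Item -Path $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $f.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}
Find-SuspiciousStreams -Root $dir

# Remove only the alternate stream; the primary data is untouched.
Remove-Item -Path $file -Stream 'hidden'
```

From cmd.exe the equivalent listing is `dir /R`, which prints each stream as `file.txt:hidden:$DATA` next to the file. Note that an ADS is preserved when a file is copied between NTFS volumes but dropped when it is copied to FAT/exFAT or transferred by a protocol that does not carry streams.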
Windows/System32
The System32 folder (C:\Windows\System32) holds the binaries, libraries and drivers that are critical for the operating system. The system environment variable for the Windows directory is %windir%, which expands to C:\Windows on a default install, so System32 is %windir%\System32.
User accounts and profiles
There are Administrator accounts and Standard User accounts. Permissions come from group membership: users inherit the permissions of the groups they are in, so membership of the local Administrators group is what makes an account an administrator.
Checking existing user accounts:
In start menu just type Other users
Profile
Each user account has its own profile. For example, Jeb's profile folder would be C:\Users\Jeb. With Win+R and lusrmgr.msc you can open the Local Users and Groups snap-in, which lets you inspect accounts and their group membership. The snap-in ships with the Pro and Enterprise editions of Windows 10 and 11 but not with the Home editions.
User Account Control - UAC
With UAC enabled, even an administrator's session runs with a standard-user (filtered) token. When an operation requires higher-level privileges, the user is prompted to confirm that they permit the operation to run (consent for administrators, credentials for standard users), and only then is it started with the full administrator token. You can read more about UAC in the Microsoft documentation linked here.
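As an added example for the two sections above (user accounts and profiles, and UAC), and not code from the original notes, the PowerShell below enumerates local accounts, who sits in the local Administrators group, which profile folders exist, and how UAC is configured on this host. It assumes the LocalAccounts module that ships with Windows 10/11 and reads the documented UAC policy values from the registry.

```powershell
# Added example: local accounts, admin group membership, profile folders and UAC state.
# Requires Windows 10/11 (LocalAccounts module); run from an elevated shell for
# complete results. Not from the original notes.

# Local user accounts with enabled state and last logon time.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordRequired

# Who holds local admin. On a workstation this is the membership that matters most.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Profile folders (C:\Users\<name>) mapped to their SIDs, including domain
# accounts that have logged on here. Special profiles (SYSTEM etc.) are skipped.
Get-CimInstance Win32_UserProfile |
    Where-Object { -not $_.Special } |
    Select-Object LocalPath, SID, LastUseTime

# UAC configuration from the policy keys.
#   EnableLUA = 0                  -> UAC is off entirely
#   ConsentPromptBehaviorAdmin = 0 -> admins elevate silently (no prompt at all)
#   ConsentPromptBehaviorAdmin = 2 -> prompt for consent on the secure desktop
#   ConsentPromptBehaviorAdmin = 5 -> default: prompt for non-Windows binaries
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    UacEnabled          = [bool]$pol.EnableLUA
    AdminPromptBehavior = $pol.ConsentPromptBehaviorAdmin
    SecureDesktopPrompt = [bool]$pol.PromptOnSecureDesktop
}

# Is this PowerShell session itself elevated? An administrator's process holds
# only the filtered token until the user passes the UAC prompt.
function Test-IsElevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
Test-IsElevated
```

A host where EnableLUA is 0, or where ConsentPromptBehaviorAdmin is 0, gives any code running as an administrator user full rights without the user ever seeing a prompt; both settings are worth flagging during a build review.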
Core Processes
https://tryhackme.com/jr/btwindowsinternals
System Configuration
- MSConfig.exe
- UserAccountControlSettings.exe
Computer Management
- Computer Management (compmgmt.msc)
- Task Scheduler
- Event Viewer
- Event Logs
- Shared Folders
- Local Users and Groups (lusrmgr.msc)
- Performance Monitor (perfmon)
- Device Manager
- Storage
- Services and Applications
System Information
- System Information (msinfo32.exe)
- System Summary
- Hardware Resources
- Components
- Software Environment
Windows Registry (regedit.exe; the older regedt32.exe name still exists and simply launches regedit)
Resource Monitor (resmon.exe)
Resource Monitor contains the following tabs:
- CPU
- Disk
- Network
- Memory
Command Prompt (cmd.exe)
Commands:
| Command | Linux equivalent or explanation |
|---|---|
| `whoami` | `whoami` (prints the current user as DOMAIN\user) |
| `hostname` | `hostname` |
| `dir` | `ls` |
| `cd` | `cd`; to change drive and directory in one step use `cd /d D:\path`, otherwise `cd D:\path` only sets the working directory for D: |
| `cls` | `clear` |
| `{command} /?` | `man {command}`; some commands take `{command} help` instead |
| `netstat` | display protocol statistics and current TCP/IP network connections; useful switches are `-a` (all connections and listening ports), `-b` (owning executable, needs an elevated prompt) and `-e` (interface statistics) |
| `net` | manage network resources (users, groups, shares, services) |
Task Manager
Complete guide for task manager
- Startup apps
Windows Update
Microsoft releases security updates on Patch Tuesday, the second Tuesday of the month.
Windows Security
- Virus & threat protection
  - Current threats
    - Scans
      - Quick scan - Checks folders in your system where threats are commonly found.
      - Full scan - Checks all files and running programs on your hard disk.
  - Virus & threat protection settings
    - Real-time protection
    - Cloud-delivered protection
    - Automatic sample submission
    - Controlled folder access
    - Exclusions
    - Notifications
- Firewall & network protection
- App & browser control
- Device security
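The same settings can be audited from PowerShell. The block below is an added example, not code from the original notes; it uses the Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection, Start-MpScan) that ship with Windows 10/11 and reports the toggles listed above plus the exclusion lists, which are the first thing an attacker adds to blind the scanner.

```powershell
# Added example: audit Windows Security (Defender) state and exclusions.
# Requires the Defender PowerShell module present on Windows 10/11.
# Not from the original notes.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# The toggles from the "Virus & threat protection settings" pane.
function Get-DefenderSummary {
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        CloudProtection    = $pref.MAPSReporting -ne 0          # 0 = off, 1 = basic, 2 = advanced
        SampleSubmission   = $pref.SubmitSamplesConsent         # 0 = prompt, 1 = safe samples, 2 = never, 3 = all
        ControlledFolders  = $pref.EnableControlledFolderAccess # 0 = off, 1 = on, 2 = audit mode
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastQuickScan      = $status.QuickScanEndTime
        LastFullScan       = $status.FullScanEndTime
    }
}
Get-DefenderSummary

# Exclusions: any path, extension or process here is never scanned. Each entry
# that is not a documented application requirement is a finding.
$pref | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess

# Equivalent of the "Current threats" pane: what was detected and whether the
# remediation action succeeded.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess

# Equivalent of pressing "Quick scan" in the UI.
Start-MpScan -ScanType QuickScan
```

A stale AntivirusSignatureAge or a disabled RealTimeProtectionEnabled on a host that the console reports as healthy is a common first sign of tampering; Set-MpPreference can reverse most of the weak settings once the cause is understood.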
Windows smartscreen
Windows SmartScreen can detect malicious files and stop you from running them. It checks downloaded apps and files against Microsoft's reputation service and warns on those that are unrecognised or known to be malicious.
Bitlocker
BitLocker is the built-in full-volume drive encryption. It can use the Trusted Platform Module (TPM), a hardware crypto-processor, to seal the volume key so that the disk unlocks only on the machine it was encrypted on and only when the boot chain measures as expected; without a TPM it falls back to a startup password or a USB startup key.
"On devices with TPM installed, BitLocker offers the best protection."
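To check whether a machine actually has that protection, the PowerShell below (an added example, not code from the original notes) reads TPM state and BitLocker status per volume, flags volumes whose protection is suspended or missing, and shows the commands that enable TPM-backed encryption with a recovery password. It assumes the BitLocker and TrustedPlatformModule modules present on Pro/Enterprise editions and an elevated shell.

```powershell
# Added example: verify TPM presence and BitLocker protection, then enable it.
# Run elevated on a Pro/Enterprise edition. Not from the original notes.

# TPM present, enabled and ready is the precondition for the TPM protector.
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled

# Per-volume status. VolumeStatus says whether the data is encrypted;
# ProtectionStatus says whether the key is currently protected. A volume can be
# FullyEncrypted with ProtectionStatus Off (protectors suspended), which means
# anyone who boots it gets the data in the clear.
function Get-BitLockerReport {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
}
Get-BitLockerReport

# Findings: anything that is not actively protected.
Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { "FINDING: $($_.MountPoint) is $($_.VolumeStatus), protection $($_.ProtectionStatus)" }

# Enable TPM-sealed encryption on the OS drive and add a recovery password so
# the volume stays recoverable if the TPM or boot measurements change.
# Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256
# Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
# (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#     Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#     Select-Object KeyProtectorId, RecoveryPassword   # store this out of band
```

The two Enable/Add lines are commented out so the report runs without changing the machine; remove the comment markers only on a system you intend to encrypt, and escrow the recovery password (in Active Directory, Entra ID or a vault) before rebooting.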
Firewall and protection
Open with wf.msc (Windows Defender Firewall with Advanced Security).
Windows Firewall offers three firewall profiles: domain, private and public. Only one profile is active per network interface at a time, chosen by the network the interface is connected to.
- Domain - The domain profile applies to networks where the host system can authenticate to a domain controller.
- Private - The private profile is a user-assigned profile and is used to designate private or home networks.
- Public - The default profile is the public profile, used to designate public networks.
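The NetSecurity module exposes the same three profiles to PowerShell. As an added example (not code from the original notes), the block below reports each profile's state, flags the weak settings (a disabled profile or a default-allow inbound policy), shows which profile each interface is currently using, and applies the corrected configuration. It assumes an elevated shell on Windows 10/11 or Server 2012 R2 and later.

```powershell
# Added example: inspect and harden the domain, private and public firewall profiles.
# Run elevated. Not from the original notes.

# Current state of the three profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

# Weak: a profile that is switched off, or that allows inbound connections by default.
function Get-WeakFirewallProfiles {
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
        Select-Object Name, Enabled, DefaultInboundAction
}
Get-WeakFirewallProfiles

# Which profile is live on each interface right now (NetworkCategory maps to
# DomainAuthenticated / Private / Public).
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Corrected: all three profiles on, block inbound by default, allow outbound,
# and log dropped packets so the Event Viewer has something to show.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# Inbound allow rules that apply on the Public profile are the ones that matter
# on an untrusted network; review this list against what the host should expose.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Direction, Action
```

A laptop that was joined to the wrong network category once can sit on Private at a coffee shop, so the Get-NetConnectionProfile output is worth checking alongside the profile settings; Set-NetConnectionProfile -NetworkCategory Public corrects a single interface.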
Volume Shadow Copy Service (VSS)
VSS coordinates the actions required to create a point-in-time snapshot (shadow copy) of the data that is to be backed up, while applications continue to write to the volume. The same mechanism backs System Restore.
With VSS enabled you can:
- Create a restore point
- Perform a system restore
- Configure restore settings
- Delete restore points
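The block below is an added example, not code from the original notes. It lists existing shadow copies and restore points, enables System Restore and creates a restore point, and then searches the Security log for the shadow-copy deletion commands that ransomware runs before encrypting. It assumes an elevated Windows PowerShell 5.1 session (the System Restore cmdlets are not available in PowerShell 7) and that process creation auditing with command-line logging is enabled, otherwise event 4688 carries no command line to match.

```powershell
# Added example: enumerate, create and watch for deletion of VSS snapshots.
# Elevated Windows PowerShell 5.1 assumed. Not from the original notes.

# Shadow copies on the machine, via the service's own tool and via WMI.
vssadmin list shadows
Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName

# System Restore points that sit on top of VSS.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime, RestorePointType

# Turn System Restore on for the OS drive and take a restore point before a
# risky change. Windows allows one checkpoint per 24 hours by default.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Before configuration change' -RestorePointType MODIFY_SETTINGS

# Detection: shadow-copy deletion is a standard ransomware precursor. Look for
# the usual commands in process creation events (4688). Requires
# "Audit Process Creation" plus "Include command line in process creation events".
function Find-ShadowCopyDeletion {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows' -or
            $_.Message -match 'wmic(\.exe)?\s+shadowcopy\s+delete'   -or
            $_.Message -match 'Win32_ShadowCopy'
        } |
        Select-Object TimeCreated, @{ n = 'Command'; e = {
            ($_.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
        } }
}
Find-ShadowCopyDeletion
```

If the audit policy is not in place, the same commands can be found after the fact in Sysmon event 1 or in the PowerShell operational log when they were run from a script; the point is that a legitimate administrator rarely deletes every shadow copy on a workstation, so any hit is worth triage.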