| Module 5 - Windows Basics |
| Windows |
| 32-Bit and 64-Bit Files and Folders |
| System Root Directory | |
| Folder | |
| Windows | x86 or x64 C:\Windows |
| explorer.exe, System32, SysWOW64 etc. : File + Folder | |
| To Open Folder Location, RUN@ %systemroot% | |
| System32 |
| 64-Bit Version of System, Programs, Libraries etc. |
| 64-Bit System Directory | |
| Folder | |
| System32 | x64 C:\Windows\System32 |
| ntoskrnl.exe, winver.exe, ntdll.dll etc. : File | |
| To Open Folder Location, RUN@ system32 | |
| SysWOW64 |
| 32-Bit Version of Programs, Libraries etc. |
| 32-Bit System Directory | |
| Folder | |
| SysWOW64 | x86 C:\Windows\SysWOW64 |
| winver.exe, ntdll.dll etc. : File | |
| To Open Folder Location, RUN@ syswow64 | |
| WinSxS |
| 32-Bit and 64-Bit Version of Core Components |
| Component Directory | |
| Folder | |
| WinSxS | x86 or x64 C:\Windows\WinSxS |
| *.exe, *.dll etc. : File | |
| To Open Folder Location, RUN@ winsxs | |
| Globalization |
| Language and Support Files |
| Preference Directory | |
| Folder | |
| Globalization | x86 or x64 C:\Windows\Globalization |
| *.nls, *.mui etc. : File | |
| To Open Folder Location, RUN@ globalization | |
| AppPatch |
| Application Compatibility Fix and Patch Files |
| AppFix Directory | |
| Folder | |
| apppatch | x86 or x64 C:\Windows\apppatch |
| *.sdb etc. : File | |
| To Open Folder Location, RUN@ apppatch | |
| Assembly |
| 32-Bit and 64-Bit .NET Assemblies and Native Images |
| Native Image Cache Directory | |
| Folder | |
| assembly | x86 or x64 C:\Windows\assembly |
| *.exe, *.dll etc. : File | |
| To Open Folder Location, RUN@ assembly | |
| Prefetch |
| Application Optimized Execution Files |
| Software Activity Directory | |
| Folder | |
| Prefetch | x86 or x64 C:\Windows\Prefetch |
| *.pf etc. : File | |
| To Open Folder Location, RUN@ prefetch | |
| Temp |
| System Profile Temporary Files |
| Temporary Directory | |
| Folder | |
| Temp | x86 or x64 C:\Windows\Temp |
| *.tmp etc. : File | |
| To Open Folder Location, RUN@ temp | |
| Temp |
| User Profile Temporary Files |
| Temporary Directory | |
| Folder | |
| Temp | x86 or x64 C:\Users\{User}\AppData\Local\Temp |
| {User} : User Name *.tmp etc. : File | |
| To Open Folder Location, RUN@ %temp% | |
| Inetsrv |
| Web Server Programs, Libraries, Configurations etc. |
| Internet Server Directory | |||
| Folder | |||
| inetsrv |
| ||
| w3wp.exe, *.exe, *.dll etc. : File | |||
| To Open Folder Location, RUN@ inetsrv | |||
| Windows Kernel |
| Responsible for Process, Thread, Memory, Object, IO Management etc. |
| NT Kernel & System | |
| Application | |
| ntoskrnl.exe | x64 C:\Windows\System32\ntoskrnl.exe |
| Kernel and Executive : Layer | |
| Prefix Exported Functions like Dbg, Io, Ke, Ldr, Ps, Rtl, Zw / Nt etc. | |
| Windows Native API |
| Call Kernel Mode Functions from User Mode |
| NT Layer | |||
| Application Extension | |||
| ntdll.dll |
| ||
| Native Subsystem : API | |||
| Exported Functions like RtlUserThreadStart, LdrInitializeThunk, NtWaitForSingleObject etc. | |||
| Windows API |
| Access Resources like IO, GDI, Dialog, Socket, Registry etc. |
| NT Base API | |||||||||||
| Application Extension | |||||||||||
| *.dll |
| ||||||||||
| Windows Subsystem : API | |||||||||||
| Exported Functions like BaseThreadInitThunk, ExitProcessImplementation etc. | |||||||||||
| Execution Engine |
| Find and Load CLR Virtual Machine |
| .NET Runtime Execution Engine | |||
| Application Extension | |||
| mscoree.dll |
| ||
| Shell Shim : API | |||
| Exported Functions like _CorExeMain, _CorExeMain2, _CorDllMain etc. | |||