Windows

Subdecks (2)

Cards (85)

  • The Windows operating system
    • Has a long history dating back to 1985, and currently, it is the dominant operating system in both home use and corporate networks. Because of this, Windows has always been targeted by hackers & malware writers.
    • Windows XP was a popular version of Windows and had a long run. Microsoft then released Windows Vista, a complete overhaul of the operating system. Vista had many issues, was not well received by Windows users, and was quickly phased out.
  • What encryption can you enable on Pro that you can't enable in Home?
    • BitLocker, Microsoft's full-volume drive encryption. Home editions offer only the more limited Device Encryption, and only on hardware that supports it.
  • The Desktop
    • The desktop is where you will have shortcuts to programs, folders, files, etc. These icons will either be well organized in folders sorted alphabetically or scattered randomly with no specific organization on the desktop. In either case, these items are typically placed on the desktop for quick access.
    • The look and feel of the desktop can be changed to suit your liking. By right-clicking anywhere on the desktop, a context menu will appear.
    • Under Display settings, you can make changes to the screen's resolution and orientation. In case you have multiple computer screens, you can make configurations to the multi-screen setup here.
    • You can also change the wallpaper by selecting Personalize.
  • The Start Menu
    • In previous versions of Windows, the word Start was visible at the bottom left corner of the desktop GUI. In modern versions of Windows, such as Windows 10, the word 'Start' doesn't appear anymore, but rather a Windows Logo is shown instead. Even though the look of the Start Menu has changed, its overall purpose is the same. 
    • The Start Menu provides access to all the apps/programs, files, utility tools, etc., that are most useful. 
    Clicking the Windows logo opens the Start Menu. The Start Menu is broken up into sections. See below.
  • The right side of the Start Menu is where you will find icons for specific apps/programs or utilities. These icons are known as tiles. Some tiles are added to this section by default. If you right-click any of the tiles, you guessed it; a menu will appear to allow you to perform more actions on the selected tile; such as resizing the tile, unpinning from Start Menu, view its Properties, etc. See below.
    • Apps/programs can be added to this Start Menu section by right-clicking the app/program and selecting Pin to Start
  • The Taskbar
    • Some of the components are enabled and visible by default. The Toolbar (6), for example, was enabled for demonstration purposes.  
    • If you're like me and want to disable some of these components, you can right-click on Taskbar to bring up a context menu that will allow you to make changes.
  • The Notification Area
    • The Notification Area, which is typically located at the bottom right of the Windows screen, is where the date and time are displayed. Other icons that may be visible in this area are the volume icon and the network/wireless icon, to name a few. Icons can be added to or removed from the Notification Area in Taskbar settings.
    • Tip: You can right-click any folder, file, app/program, or icon to view more information or perform other actions on the clicked item. 
  • File System:
    • The file system used in modern versions of Windows is the New Technology File System, or simply NTFS.
    • Before NTFS there were FAT16/FAT32 (File Allocation Table) and HPFS (High Performance File System).
    • You still see FAT partitions in use today, typically on USB sticks, MicroSD cards, etc., but traditionally not for the main volume of Windows computers/laptops or Windows servers (the small EFI system partition on a UEFI machine is the one FAT32 partition you will routinely find there).
  • NTFS:
    NTFS is a journaling file system: changes are recorded in a log before they are applied, so after a crash or power loss the file system can use that log to bring the folders/files on disk back to a consistent state. FAT has no such mechanism.
    NTFS addresses many of the limitations of the previous file systems, such as:
    • Supports files larger than 4 GB (the per-file limit of FAT32)
    • Set specific permissions on folders and files
    • Folder and file compression
    • Encryption (Encryption File System or EFS)
  • File System:
    • If you're running Windows, what is the file system your Windows installation is using? You can check the Properties (right-click) of the drive your operating system is installed on, typically the C drive (C:\). This PC > Right Click C:\ Drive > Properties
  • On NTFS volumes, you can set permissions that grant or deny access to files and folders.
    The permissions are:
    • Full control
    • Modify
    • Read & Execute
    • List folder contents
    • Read
    • Write
  • How can you view the permissions for a file or folder?
    • Right-click the file or folder you want to check for permissions.
    • From the context menu, select Properties.
    • Within Properties, click on the Security tab.
    • In the Group or user names list, select the user, computer, or group whose permissions you want to view.
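  • The same check from PowerShell, as an added example that is not part of the original deck: it confirms the volume is NTFS (permissions only exist there), dumps a folder's ACL the way the Security tab shows it, and flags Allow entries that give write access to "everyone"-style groups, which is the first thing a pentester looks for in program and config directories. The drive letter, folder path and the list of broad identities are assumptions; adjust them for your system.

```powershell
# Added example (not part of the original deck): confirm that a volume is NTFS,
# then dump a folder's ACL as the Security tab shows it and flag entries that
# hand write access to "everyone"-style groups. The drive letter and the folder
# path are assumed inputs; change them to suit.
param(
    [string]$DriveLetter = 'C',
    [string]$Path        = 'C:\Users\Public'
)

# File and folder permissions only exist on NTFS; FAT volumes have none to audit.
$vol = Get-Volume -DriveLetter $DriveLetter
if ($vol.FileSystemType -ne 'NTFS') {
    Write-Warning "$($DriveLetter): is $($vol.FileSystemType), not NTFS; it carries no file permissions."
    return
}

$acl = Get-Acl -Path $Path
"Owner of $Path is $($acl.Owner)"

# Each Access entry is one ACE: who, which rights, allow or deny, and whether it
# was inherited from a parent folder rather than set on this object directly.
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize | Out-Host

# Groups that effectively mean "any user of this machine" (assumed list). A
# Write/Modify/FullControl grant to one of them on a folder holding executables,
# scripts or configs is a classic privilege-escalation foothold.
$broadIdentities = 'Everyone',
                   'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users',
                   'NT AUTHORITY\INTERACTIVE'

# Bits that confer write access: the basic Write/Modify/FullControl sets plus the
# generic GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) access masks
# that some ACEs carry instead of specific rights.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl' -bor 0x40000000 -bor 0x10000000

$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadIdentities -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band $writeMask) -ne 0
}

if ($risky) {
    Write-Warning "Broad write access found on $Path"
    $risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize | Out-Host
} else {
    "No broad write grants on $Path"
}
```

  Save it as a .ps1 and run it with -Path pointing at the folder you want to review; Deny entries are listed in the full dump but are deliberately not counted as risky, since a Deny ACE removes access rather than granting it.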
  • Another feature of NTFS is Alternate Data Streams (ADS).
    • Alternate Data Streams (ADS) are a file attribute specific to Windows NTFS (New Technology File System).
    • Every file has at least one data stream ($DATA), and ADS allows a file to carry more than one stream of data. Windows Explorer does not display ADS to the user, and the file size shown in Explorer counts only the primary stream. Third-party executables can be used to view this data, but PowerShell can list and read alternate streams natively.
  • Alternate Data Streams (ADS):
    • From a security perspective, malware writers have used ADS to hide data.
    • Not all its uses are malicious. For example, when you download a file from the Internet, the browser writes a Zone.Identifier stream (the "Mark of the Web") to the file recording that it came from the Internet zone; SmartScreen and Office Protected View read this stream to decide how to treat the file.
  • Alternate Data Streams (ADS)
    • Is a feature of the NTFS file system used by Windows. ADS allows additional data to be associated with a file or folder beyond what is normally visible. The feature was originally added for compatibility with the resource forks of the classic Mac OS file system, but on Windows it is often overlooked and can be misused for malicious purposes.
    • In the context of security, ADS can be used for both legitimate and malicious purposes. Security professionals need to be aware of ADS and monitor for potential misuse.
  • Alternate Data Streams:
    • Legitimate Use:
    • Some applications and system processes use ADS for legitimate purposes. For example, Internet Explorer and other browsers store download metadata about downloaded files in the Zone.Identifier stream.
    • Hidden Data:
    • ADS allows data to be hidden within a file without altering its primary content. Malware can exploit this to hide code or other malicious data.
    • Security Monitoring:
    • Security analysts may check for the presence of ADS as part of routine security assessments. Unusual or unexpected streams attached to files may indicate malicious activity.
  • Alternate Data Streams:
    • Command Line Utilities:
    • Plain dir and type do not show alternate streams. dir /r lists them, more < file:stream can read one, and Streams from Sysinternals (or PowerShell) can enumerate and delete them.
    • Potential for Exploitation:
    • Malware authors may use ADS to hide their code or other malicious artifacts. Security measures need to account for the possibility of ADS being used to hide malware.
  • Alternate Data Streams:
    • File Integrity Monitoring:
    • File integrity monitoring solutions should be configured to detect changes in alternate streams, especially for critical system files. Unexpected changes might be an indicator of compromise.
    • Forensic Analysis:
    • During forensic investigations, analysts may examine alternate data streams to gather additional information about a file's history or potential malicious activities.
  • Here's an example of creating an alternate data stream from the Command Prompt:
    • echo "This is a hidden message" > C:\path\to\file.txt:hidden.txt
    In this example, hidden.txt is an alternate data stream attached to file.txt. The primary content of file.txt and the size Explorer reports are unchanged, and most tools will not display the stream by default. (Note that echo in cmd writes the quotation marks into the stream as well.)
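  • The same exercise in PowerShell, as an added example that is not part of the original deck. It also covers the download-metadata point above: it creates a hidden stream, lists and reads it, writes a constructed Zone.Identifier stream to a dummy file, scans a folder for streams other than the primary one and Zone.Identifier (the detection step an analyst would script), then removes both. The folder under $env:TEMP, the file names and the sample stream contents are assumptions made up for the demo.

```powershell
# Added example (not part of the original deck): create, list, read and remove an
# alternate data stream with PowerShell, inspect the Zone.Identifier stream that
# browsers attach to downloads, and scan a folder for unexpected streams.
# Paths, file names and stream contents below are constructed for the demo.
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$file = Join-Path $demoDir 'file.txt'

# Primary stream ($DATA) plus one alternate stream; the primary content is untouched.
Set-Content -Path $file -Value 'visible content'
Set-Content -Path $file -Stream 'hidden.txt' -Value 'This is a hidden message'

# Explorer and a plain Get-ChildItem report only the primary stream's size;
# -Stream * reveals every stream, the primary one being named ':$DATA'.
Get-Item -Path $file | Select-Object Name, Length
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the alternate stream back.
Get-Content -Path $file -Stream 'hidden.txt'

# Simulate a downloaded file: a Zone.Identifier stream with ZoneId=3 (Internet)
# is the "Mark of the Web" that SmartScreen and Office Protected View consult.
$download = Join-Path $demoDir 'setup.exe'
Set-Content -Path $download -Value 'not a real binary (constructed sample)'
Set-Content -Path $download -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.invalid/"
Get-Content -Path $download -Stream 'Zone.Identifier'

# Detection: walk a directory and report every stream that is neither the
# primary $DATA stream nor the benign Zone.Identifier marker.
function Find-UnexpectedStreams {
    param([string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

Find-UnexpectedStreams -Directory $demoDir   # reports file.txt with stream hidden.txt

# Clean-up: Unblock-File strips the mark of the web (Explorer's "Unblock" button),
# and Remove-Item -Stream deletes just the named stream, leaving the file intact.
Unblock-File -Path $download
Remove-Item -Path $file -Stream 'hidden.txt'
Get-Item -Path $file -Stream * | Select-Object Stream
```

  Note that the -Stream parameters only work on NTFS volumes (and on Windows builds of PowerShell); copying a file to a FAT-formatted USB stick silently drops every alternate stream, which is one reason the hidden data rarely survives being moved off the original machine.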
  • OS Folder:
    • The Windows folder (C:\Windows) is traditionally known as the folder which contains the Windows operating system.
    • The folder doesn't necessarily have to reside on the C drive. It can be on any other drive and, technically, in a differently named folder.
    • This is where environment variables, more specifically system environment variables, come into play. Even though they haven't been discussed yet, the system environment variable for the Windows directory is %windir%, so scripts and tools should use it rather than hard-coding C:\Windows.
  • Per Microsoft, "Environment variables store information about the operating system environment. This information includes details such as the operating system path, the number of processors used by the operating system, and the location of temporary folders".
  • There are many folders within the Windows folder, located at This PC > C:\ Drive > Windows.
    • One of the many folders is System32.
    • The System32 folder holds the important files that are critical for the operating system.
    • You should proceed with extreme caution when interacting with this folder. Accidentally deleting files or folders within System32 can render the Windows OS inoperable.
  • User accounts on a typical local Windows system are one of two types: Administrator or Standard User.
    The user account type determines what actions the user can perform on that specific Windows system.
    • An Administrator can make changes to the system: add users, delete users, modify groups, modify system settings, etc.
    • A Standard User can only make changes to folders/files that belong to the user and can't perform system-level changes, such as installing programs.
  • Determining What User You Are:
    • One way is to click the Start Menu and type Other User. A shortcut to System Settings > Other users should appear. 
    • If you click on it, a Settings window should now appear. See below.
    • If you're the Administrator, you see an option to Add someone else to this PC. A Standard User will not see this option.  
    • Click on the local user account. More options should appear: Change account type and Remove. 
    • Click on Change account type. The value in the drop-down box (or the highlighted value if you click the drop-down) is the current account type. 
  • When a user account is created, a profile is created for the user. Each user profile folder lives under C:\Users.
    • For example, the user profile folder for the user account Max will be C:\Users\Max.
    • The user's profile is created at initial login. When a new user account logs in to a local system for the first time, several messages appear on the login screen while the profile is set up.
    • Each user profile will have the same folders; a few of them are:
    • Desktop
    • Documents
    • Downloads
    • Music
    • Pictures
  • User Profiles:
    • Another way to access this information, and more, is the Local Users and Groups console.
    • Right-click on the Start Menu, click Run, and type lusrmgr.msc. (This console is not included in Windows Home editions.) See below.
    • you should see two folders: Users and Groups. 
    • If you click on Groups, you see all the names of the local groups along with a brief description for each group. 
    Each group has permissions set to it, and users are assigned/added to groups by the Administrator. When a user is assigned to a group, the user inherits the permissions of that group. A user can be assigned to multiple groups.
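  • The same questions answered from PowerShell, as an added example that is not part of the original deck: who am I, is this session elevated, is my account a member of the local Administrators group, which local users exist and where are their profiles, and who is in each local group. It assumes the built-in LocalAccounts module (Windows 10 / Server 2016 and later) and reads profile paths from the ProfileList registry key, which is where Windows records them; the output columns are my choice.

```powershell
# Added example (not part of the original deck): find out who you are and whether
# you are an administrator, then list local users and group membership the way
# lusrmgr.msc shows them. Assumes the LocalAccounts module (Windows 10+).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

"Logged in as: $($identity.Name)"

# IsInRole inspects the token of *this process*. Under UAC an administrator's
# normal session carries a filtered token, so this prints False until you elevate.
"This session is elevated: $($principal.IsInRole($adminRole))"

# Account type in the lusrmgr sense: is the account a member of the local
# Administrators group, regardless of whether the current token is elevated?
# Get-LocalGroupMember names members as COMPUTER\User, matching $identity.Name.
$isAdminAccount = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $identity.Name })
"Member of local Administrators: $isAdminAccount"

# Local users joined with their profile folder. A profile is only created at first
# logon, so an account that has never logged in has no ProfileList entry yet.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-LocalUser | ForEach-Object {
    $key = Join-Path $profileList $_.SID.Value
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        Profile         = if (Test-Path $key) { (Get-ItemProperty -Path $key).ProfileImagePath } else { '(never logged on)' }
    }
} | Format-Table -AutoSize | Out-Host

# Every local group with its members. Rights are inherited through membership, so
# Administrators and Remote Desktop Users are the two to review first.
foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
    if ($members) {
        Write-Host ("`n[{0}] {1}" -f $group.Name, $group.Description)
        $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize | Out-Host
    }
}
```

  The two "admin" answers differ on purpose: membership in Administrators is the account type lusrmgr reports, while IsInRole reflects the token the current process actually holds, which is what UAC filters.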
  • User Privileges:
    • The large majority of home users are logged into their Windows systems as local administrators.
    • A user doesn't need to run with high (elevated) privileges for tasks that don't require them, such as surfing the Internet or working on a Word document. Running with elevated privileges increases the risk of system compromise because malware runs in the context of the logged-in user: if that account can make changes to the system, so can any malware it runs.
  • User Account Control(UAC):
    • To protect the local user with such privileges, Microsoft introduced User Account Control (UAC). This concept was first introduced with the short-lived Windows Vista and continued with versions of Windows that followed.
    • Note: by default, UAC does not apply to the built-in local Administrator account; it always runs with a full administrator token.
  • User Account Control(UAC):
    • When a user with an account type of administrator logs in, the session does not run with elevated permissions; it gets a filtered, standard-user token. When an operation requiring higher-level privileges needs to execute, the user is prompted to confirm that they permit the operation to run.
    • As a standard user, the shield icon on a program is the indicator that UAC will prompt for administrator credentials before the program can install.
    • Double-click the program and you'll see the UAC prompt. In this case, the built-in administrator account is already filled in as the user name and the prompt asks for that account's password.
  • Installing with UAC:
    • If a password is not entered after some time, the UAC prompt disappears and the program does not install.
    • This reduces the likelihood that malware can silently gain administrator rights, since elevation requires a person to approve it at the prompt.
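  • Checking how UAC is actually configured, as an added example that is not part of the original deck: the script reads the registry values that control UAC (the path and value names are Microsoft's; the descriptions in the two tables are my summaries of the documented settings) and then prints the integrity label of the current token, which is how you tell a filtered administrator session from an elevated one. A missing value means Windows is using its default, which the helper reports instead of misreading it as 0.

```powershell
# Added example (not part of the original deck): read the registry values that
# control UAC and show the integrity level of the current process token.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

# Meaning of ConsentPromptBehaviorAdmin / ConsentPromptBehaviorUser values.
$adminBehavior = @{
    0 = 'elevate without prompting (UAC is effectively off for administrators)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}
$userBehavior = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials (default)'
}

# Describes a DWORD setting; an absent value means Windows is using its default.
function Get-UacSettingText {
    param($Value, [hashtable]$Meanings, [int]$Default)
    if ($null -eq $Value) { return "not set, default $Default = $($Meanings[$Default])" }
    "$Value = $($Meanings[[int]$Value])"
}

function Get-UacFlagText {
    param($Value)
    if ($null -eq $Value) { 'not set (default on)' } else { [bool]$Value }
}

[pscustomobject]@{
    'EnableLUA (UAC on)'         = Get-UacFlagText $uac.EnableLUA
    'ConsentPromptBehaviorAdmin' = Get-UacSettingText $uac.ConsentPromptBehaviorAdmin $adminBehavior 5
    'ConsentPromptBehaviorUser'  = Get-UacSettingText $uac.ConsentPromptBehaviorUser  $userBehavior  3
    'PromptOnSecureDesktop'      = Get-UacFlagText $uac.PromptOnSecureDesktop
    # 0 or absent means the built-in Administrator account bypasses UAC entirely.
    'FilterAdministratorToken'   = if ($uac.FilterAdministratorToken -eq 1) { '1 = built-in Administrator is filtered (UAC applies)' } else { 'not filtered: UAC does not apply to the built-in Administrator (default)' }
} | Format-List

# The integrity label on this process token: "Medium Mandatory Level" is the
# filtered/standard token, "High Mandatory Level" means the session is elevated.
(whoami /groups) -match 'Mandatory Level'
```

  Run it once from a normal PowerShell window and once from one started with "Run as administrator": the registry report is identical, but the last line changes from Medium to High, which is the split-token behaviour described above.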
  • Control Panel:
    • On a Windows system, the primary locations to make changes are the Settings menu and the Control Panel.
    • For a long time, the Control Panel has been the go-to location for system changes, such as adding a printer or uninstalling a program.
    • The Settings menu was introduced in Windows 8, the first Windows operating system catered to touch-screen tablets, and is still available in Windows 10. As a matter of fact, the Settings menu is now the primary location a user goes to when looking to change the system.
  • Control Panel:
    Control Panel is the menu where you will access more complex settings and perform more complex actions. In some cases, you can start in Settings and end up in the Control Panel.
    • For example, in Settings, click on Network & Internet. From here, click on Change adapter options. 
  • Task Manager.
    • The Task Manager provides information about the applications and processes currently running on the system. Other information is also available, such as how much CPU and RAM are being utilized, which falls under Performance. 
    • You can access the Task Manager by right-clicking the taskbar and selecting Task Manager, or by pressing Ctrl+Shift+Esc.
    • Click on More details, and the view changes.