WEBVTT

1
00:00:00.080 --> 00:00:03.759
<v Speaker 1>Ever crack open your laptop and wonder, like, what's really

2
00:00:03.799 --> 00:00:04.559
<v Speaker 1>going on in there?

3
00:00:04.759 --> 00:00:04.960
<v Speaker 2>Yeah?

4
00:00:05.000 --> 00:00:07.759
<v Speaker 1>Most people just click and go, right? Right. But today

5
00:00:08.080 --> 00:00:14.679
<v Speaker 1>we're going deeper into Windows internals. Our guide, this beast of

6
00:00:14.640 --> 00:00:19.879
<v Speaker 2>a book, Windows Internals, Part 2, seventh edition. Heavy stuff.

7
00:00:19.559 --> 00:00:22.839
<v Speaker 1>Literally. Yeah, by Mark Russinovich, David Solomon.

8
00:00:22.600 --> 00:00:24.519
<v Speaker 2>And Andrea Allievi, the trio.

9
00:00:24.280 --> 00:00:27.839
<v Speaker 1>who know Windows inside out. Like, this is the bible

10
00:00:28.000 --> 00:00:29.359
<v Speaker 1>for anyone.

11
00:00:28.920 --> 00:00:31.920
<v Speaker 2>Who wants to know how the OS really ticks.

12
00:00:32.079 --> 00:00:35.359
<v Speaker 1>But don't worry, we'll keep it fun. Promise. Get ready

13
00:00:35.359 --> 00:00:36.719
<v Speaker 1>for some aha moments.

14
00:00:36.560 --> 00:00:39.479
<v Speaker 2>About your computer's memory, how it handles security, even what.

15
00:00:39.439 --> 00:00:43.039
<v Speaker 1>Happens when things crash. Stuff most folks never think about, but.

16
00:00:43.000 --> 00:00:45.960
<v Speaker 2>It's happening every time you hit the power button. Fascinating stuff.

17
00:00:46.000 --> 00:00:48.159
<v Speaker 1>Okay, before we get too deep, tell us about these authors,

18
00:00:48.159 --> 00:00:49.240
<v Speaker 1>not your average tech writers.

19
00:00:49.320 --> 00:00:52.719
<v Speaker 2>Oh no, no. It starts with Mark Russinovich, legend in the

20
00:00:52.719 --> 00:00:56.520
<v Speaker 2>Windows world. He envisioned a book that really dug into Windows.

21
00:00:56.240 --> 00:00:57.719
<v Speaker 1>Pretty hardcore from the start.

22
00:00:57.880 --> 00:01:01.320
<v Speaker 2>But then David Solomon, another expert, publishes a book covering

23
00:01:01.399 --> 00:01:05.079
<v Speaker 2>similar ground. You'd think rivalry.

24
00:01:04.799 --> 00:01:06.000
<v Speaker 1>Right, competition time.

25
00:01:06.400 --> 00:01:09.719
<v Speaker 2>Nope. Mark reaches out to David, suggests they team up

26
00:01:09.920 --> 00:01:12.879
<v Speaker 2>for the next edition. Talk about collaboration. And get this.

27
00:01:13.280 --> 00:01:16.599
<v Speaker 2>He even offered to include his entire Sysinternals toolkit.

28
00:01:16.719 --> 00:01:20.920
<v Speaker 1>Those are like power tools for sysadmins. Exactly, super valuable.

29
00:01:21.159 --> 00:01:24.120
<v Speaker 2>Then later on they bring in Andrea Allievi.

30
00:01:23.920 --> 00:01:25.879
<v Speaker 1>Who actually worked inside Microsoft.

31
00:01:25.920 --> 00:01:29.760
<v Speaker 2>Yeah, that insider perspective is gold. It's this blend that

32
00:01:29.799 --> 00:01:31.760
<v Speaker 2>makes the book so insightful, like.

33
00:01:31.760 --> 00:01:33.239
<v Speaker 1>Having all sides of the story.

34
00:01:33.599 --> 00:01:37.040
<v Speaker 2>Speaking of insights, let's dive into the core stuff: CPUs,

35
00:01:37.359 --> 00:01:39.760
<v Speaker 2>cache, and how it all ties into security.

36
00:01:39.959 --> 00:01:44.120
<v Speaker 1>CPUs. I know they're important, but honestly a bit fuzzy

37
00:01:44.159 --> 00:01:45.319
<v Speaker 1>on what they do exactly.

38
00:01:45.439 --> 00:01:48.519
<v Speaker 2>Think of it like this. Your CPU has different access levels,

39
00:01:48.519 --> 00:01:52.359
<v Speaker 2>almost like security clearances. There's kernel mode, the VIP area

40
00:01:52.359 --> 00:01:53.519
<v Speaker 2>where critical stuff.

41
00:01:53.280 --> 00:01:55.280
<v Speaker 1>Happens. Top secret operations.

42
00:01:55.000 --> 00:01:57.920
<v Speaker 2>And then user mode where your everyday apps run. This

43
00:01:58.040 --> 00:02:01.599
<v Speaker 2>protected mode segmentation keeps those worlds separate, so a

44
00:02:01.680 --> 00:02:04.640
<v Speaker 1>Rogue program can't just mess with the important stuff.

45
00:02:04.719 --> 00:02:07.799
<v Speaker 2>Exactly. It's like having a bank vault separate from the lobby.

46
00:02:08.360 --> 00:02:12.639
<v Speaker 2>And this segmentation also helps the CPU quickly grab important data,

47
00:02:12.800 --> 00:02:15.240
<v Speaker 2>things like the thread environment block, or TEB.

48
00:02:15.400 --> 00:02:17.360
<v Speaker 1>Sounds technical. It's basically

49
00:02:16.960 --> 00:02:20.840
<v Speaker 2>The CPU's cheat sheet for the running program and the

50
00:02:21.000 --> 00:02:25.039
<v Speaker 2>kernel processor control region, or KPCR. That's the CPU's

51
00:02:25.039 --> 00:02:26.000
<v Speaker 2>own status report.

52
00:02:26.039 --> 00:02:28.360
<v Speaker 1>Gotta keep those handy. Absolutely.

53
00:02:28.199 --> 00:02:31.639
<v Speaker 2>Now, CPU caches. Ever notice how some things on your

54
00:02:31.680 --> 00:02:33.319
<v Speaker 2>computer are just instant.

55
00:02:33.439 --> 00:02:35.680
<v Speaker 1>Oh yeah, like opening certain files.

56
00:02:35.360 --> 00:02:38.439
<v Speaker 2>Or... exactly, that's the cache working. Think of it like

57
00:02:38.479 --> 00:02:42.240
<v Speaker 2>your desk versus going to the filing cabinet. Cache holds

58
00:02:42.280 --> 00:02:44.240
<v Speaker 2>the data your CPU's most likely to need.

59
00:02:44.360 --> 00:02:45.919
<v Speaker 1>Neat. Oh, it's all about speed.

60
00:02:46.000 --> 00:02:49.240
<v Speaker 2>Speed is key. But here's where it gets tricky, this

61
00:02:49.280 --> 00:02:52.080
<v Speaker 2>whole cache system, it can actually be a security risk.

62
00:02:52.199 --> 00:02:54.639
<v Speaker 1>Wait, what? How? See, modern

63
00:02:54.400 --> 00:02:57.080
<v Speaker 2>CPUs are clever. They try to predict what data you'll

64
00:02:57.120 --> 00:02:59.719
<v Speaker 2>need and prefetch it into the cache. Great for performance,

65
00:03:00.039 --> 00:03:03.159
<v Speaker 2>but attackers can actually manipulate these predictions, tricking the CPU

66
00:03:03.159 --> 00:03:05.879
<v Speaker 2>into accessing data it shouldn't. That's how those Spectre and

67
00:03:05.919 --> 00:03:07.240
<v Speaker 2>Meltdown vulnerabilities work.

68
00:03:07.319 --> 00:03:11.479
<v Speaker 1>So my CPU trying to be helpful is actually a weakness.

69
00:03:11.759 --> 00:03:15.039
<v Speaker 1>It's a delicate balance. Windows has ways to mitigate the

70
00:03:15.120 --> 00:03:19.039
<v Speaker 1>risk though. Think of it like security checks, but optimized

71
00:03:19.120 --> 00:03:21.080
<v Speaker 1>so they're not constantly slowing you down.

72
00:03:21.240 --> 00:03:23.439
<v Speaker 2>Like a super-efficient airport security line.

73
00:03:23.479 --> 00:03:30.560
<v Speaker 1>Exactly. Now, let's move on to interrupts, DPCs, APCs. What

74
00:03:30.599 --> 00:03:30.960
<v Speaker 1>are those?

75
00:03:31.080 --> 00:03:35.120
<v Speaker 2>Imagine you're focused on work and suddenly fire alarm. You

76
00:03:35.240 --> 00:03:36.560
<v Speaker 2>got to drop everything.

77
00:03:36.199 --> 00:03:37.719
<v Speaker 1>And handle that, right? Priority.

78
00:03:37.840 --> 00:03:40.479
<v Speaker 2>That's an interrupt for your computer, an urgent request that

79
00:03:40.560 --> 00:03:44.680
<v Speaker 2>can't wait. And just like alarms, there are levels of urgency.

80
00:03:44.879 --> 00:03:48.240
<v Speaker 2>That's where IRQLs come in, interrupt request levels.

81
00:03:48.000 --> 00:03:49.599
<v Speaker 1>So fire alarm versus.

82
00:03:49.319 --> 00:03:53.280
<v Speaker 2>Doorbell. Precisely. Make sure the most critical stuff gets handled first.

83
00:03:54.000 --> 00:03:56.599
<v Speaker 2>But what happens after the fire's out? You still got

84
00:03:56.639 --> 00:03:58.639
<v Speaker 2>to deal with the mess, but not right then.

85
00:03:58.840 --> 00:03:59.599
<v Speaker 1>Clean up time.

86
00:04:00.039 --> 00:04:03.199
<v Speaker 2>That's where deferred procedure calls come in, or DPCs, like

87
00:04:03.280 --> 00:04:05.319
<v Speaker 2>leaving yourself a note to deal with the less urgent

88
00:04:05.360 --> 00:04:06.120
<v Speaker 2>stuff later.

89
00:04:05.960 --> 00:04:08.560
<v Speaker 1>So you don't get totally sidetracked. Exactly.

90
00:04:08.159 --> 00:04:09.879
<v Speaker 2>And the book even shows you how to watch these

91
00:04:09.960 --> 00:04:12.520
<v Speaker 2>DPCs happening on your own computer in real time.

92
00:04:12.520 --> 00:04:15.520
<v Speaker 1>Pretty neat, like seeing the gears turning. Okay, we've got

93
00:04:15.520 --> 00:04:18.600
<v Speaker 1>interrupts, DPCs. What about APCs?

94
00:04:18.240 --> 00:04:22.079
<v Speaker 2>Asynchronous procedure calls? Those are more like scheduled deliveries. They

95
00:04:22.079 --> 00:04:24.480
<v Speaker 2>happen at specific times or when certain conditions are.

96
00:04:24.399 --> 00:04:28.240
<v Speaker 1>Met, so more organized chaos in a way.

97
00:04:28.360 --> 00:04:33.079
<v Speaker 2>Yes, some are for system tasks, others deliver messages to applications.

98
00:04:33.560 --> 00:04:35.879
<v Speaker 2>All about keeping things running smoothly.

99
00:04:35.639 --> 00:04:38.560
<v Speaker 1>Like a well oiled machine. But so much going on

100
00:04:38.639 --> 00:04:39.519
<v Speaker 1>we never see.

101
00:04:39.600 --> 00:04:42.199
<v Speaker 2>That's the beauty of it. And believe me, we're just

102
00:04:42.279 --> 00:04:43.360
<v Speaker 2>scratching the surface.

103
00:04:43.600 --> 00:04:46.120
<v Speaker 1>So much happening behind the scenes in Windows. Before we

104
00:04:46.199 --> 00:04:50.800
<v Speaker 1>jumped into this, we were digging into objects, handles, namespaces,

105
00:04:51.560 --> 00:04:54.160
<v Speaker 1>like the Lego bricks of the OS. Exactly.

106
00:04:54.639 --> 00:04:57.319
<v Speaker 2>But you need more than bricks to build something complex, right,

107
00:04:57.439 --> 00:05:00.279
<v Speaker 2>You need a way to make sure everything works together smoothly.

108
00:05:00.079 --> 00:05:02.319
<v Speaker 1>Like an orchestra, all the instruments in sync.

109
00:05:02.480 --> 00:05:06.279
<v Speaker 2>Perfect analogy. That's where synchronization comes in. Especially with multi

110
00:05:06.360 --> 00:05:10.319
<v Speaker 2>core CPUs, things can get chaotic fast without coordination. Too

111
00:05:10.399 --> 00:05:13.439
<v Speaker 2>many cooks in the kitchen. Exactly. Windows has ways to

112
00:05:13.439 --> 00:05:15.800
<v Speaker 2>make sure different parts of the system aren't fighting over

113
00:05:15.839 --> 00:05:19.639
<v Speaker 2>the same resources. One basic tool: spin locks.

114
00:05:19.759 --> 00:05:22.360
<v Speaker 1>Spin locks? Sounds like a workout class. Kind

115
00:05:22.160 --> 00:05:25.120
<v Speaker 2>of. Imagine a revolving door, only one person through at

116
00:05:25.120 --> 00:05:28.040
<v Speaker 2>a time. When a CPU needs to access some shared data,

117
00:05:28.560 --> 00:05:32.639
<v Speaker 2>it grabs the spin lock, saying mine now. Others

118
00:05:32.240 --> 00:05:35.639
<v Speaker 1>got to wait. First come, first served for CPUs. But

119
00:05:35.720 --> 00:05:37.879
<v Speaker 1>what if the wait is long? Isn't that inefficient?

120
00:05:38.120 --> 00:05:40.360
<v Speaker 2>It can be. That's why there are queued spin locks,

121
00:05:40.399 --> 00:05:43.839
<v Speaker 2>like a more organized line. No more CPUs constantly checking

122
00:05:43.879 --> 00:05:44.600
<v Speaker 2>if the door's.

123
00:05:44.399 --> 00:05:47.000
<v Speaker 1>free. So polite waiting in line. Exactly.

124
00:05:47.720 --> 00:05:50.959
<v Speaker 2>Then there are reader-writer spin locks. Think of a library.

125
00:05:51.279 --> 00:05:53.079
<v Speaker 2>Many people can read a book at once, but only

126
00:05:53.160 --> 00:05:54.600
<v Speaker 2>one can check it out to write in it.

127
00:05:54.879 --> 00:05:57.759
<v Speaker 1>Ah, So multiple CPUs can read data but only one

128
00:05:57.800 --> 00:05:58.560
<v Speaker 1>writes at a time.

129
00:05:58.800 --> 00:06:02.800
<v Speaker 2>Makes sense, right? Optimized for different use cases. And sometimes

130
00:06:02.959 --> 00:06:06.639
<v Speaker 2>spin locks aren't the best tool, especially for long waits. That's

131
00:06:06.639 --> 00:06:08.879
<v Speaker 2>where low-IRQL synchronization comes in.

132
00:06:09.199 --> 00:06:12.439
<v Speaker 1>Low IRQL. Whoa, getting a bit technical.

133
00:06:12.079 --> 00:06:14.000
<v Speaker 2>Now it is, but think of it like this. Instead

134
00:06:14.000 --> 00:06:16.839
<v Speaker 2>of constantly checking the door spin lock, you get a

135
00:06:16.839 --> 00:06:19.680
<v Speaker 2>signal when it's your turn. Dispatcher objects handle that,

136
00:06:20.199 --> 00:06:22.160
<v Speaker 2>like traffic signals for CPUs. So

137
00:06:22.199 --> 00:06:24.120
<v Speaker 1>Choosing the right tool depending on the situation.

138
00:06:24.560 --> 00:06:29.480
<v Speaker 2>Efficiency is key. And speaking of efficient, let's talk ALPC,

139
00:06:30.079 --> 00:06:32.160
<v Speaker 2>Advanced Local Procedure

140
00:06:31.639 --> 00:06:33.639
<v Speaker 1>Call. Another acronym. What's that do?

141
00:06:34.040 --> 00:06:37.680
<v Speaker 2>It's the super highway for different processes on your computer

142
00:06:38.040 --> 00:06:41.959
<v Speaker 2>to talk to each other, like internal messaging but fast.

143
00:06:41.959 --> 00:06:44.839
<v Speaker 1>So departments within Windows sending memos back and forth.

144
00:06:44.879 --> 00:06:46.879
<v Speaker 2>Good way to put it, and a key feature is

145
00:06:46.959 --> 00:06:49.959
<v Speaker 2>handle passing. Sounds official. Imagine you've got a key to

146
00:06:50.000 --> 00:06:52.800
<v Speaker 2>a safe deposit box. You want to give someone access,

147
00:06:53.000 --> 00:06:55.240
<v Speaker 2>but not the actual key, so you give them a

148
00:06:55.240 --> 00:06:57.279
<v Speaker 2>temporary pass, limited time.

149
00:06:57.040 --> 00:07:00.759
<v Speaker 1>only. Delegating access without giving full control. Clever.

150
00:07:01.120 --> 00:07:05.279
<v Speaker 2>That's handle passing and ALPC is optimized to the max.

151
00:07:05.560 --> 00:07:09.279
<v Speaker 2>It uses things like completion lists to avoid unnecessary waiting around,

152
00:07:09.639 --> 00:07:11.240
<v Speaker 2>like an express lane for data.

153
00:07:11.279 --> 00:07:13.879
<v Speaker 1>All about speed, so much going on, we never realize

154
00:07:14.000 --> 00:07:14.680
<v Speaker 1>it's true.

155
00:07:14.800 --> 00:07:18.720
<v Speaker 2>Now for something a bit different: WNF, Windows Notification

156
00:07:18.279 --> 00:07:21.360
<v Speaker 1>Facility. Sounds like a news channel for Windows. Kind of.

157
00:07:21.519 --> 00:07:24.279
<v Speaker 2>It's a publish-subscribe system. You subscribe to what interests

158
00:07:24.319 --> 00:07:27.000
<v Speaker 2>you and get notified about changes. Different parts of Windows

159
00:07:27.120 --> 00:07:28.399
<v Speaker 2>use this to stay in sync.

160
00:07:28.279 --> 00:07:30.360
<v Speaker 1>So no need to constantly check for updates. You just

161
00:07:30.399 --> 00:07:31.199
<v Speaker 1>get them right.

162
00:07:31.680 --> 00:07:35.000
<v Speaker 2>And there are different state names like categories for the info,

163
00:07:35.319 --> 00:07:38.759
<v Speaker 2>permanent ones for core stuff, persistent ones that survive restarts,

164
00:07:39.120 --> 00:07:40.680
<v Speaker 2>and temporary ones for quick.

165
00:07:40.560 --> 00:07:43.639
<v Speaker 1>announcements. Like breaking news versus scheduled programming.

166
00:07:43.680 --> 00:07:47.480
<v Speaker 2>Good analogy. One use of WNF is the System Events Broker.

167
00:07:48.040 --> 00:07:51.160
<v Speaker 2>It tells those modern UWP apps about what's happening in the.

168
00:07:51.120 --> 00:07:53.959
<v Speaker 1>system. Keeping everyone in the loop. Okay, switching gears a

169
00:07:53.959 --> 00:07:54.920
<v Speaker 1>bit: debugging.

170
00:07:55.120 --> 00:07:58.120
<v Speaker 2>Ah yes, debugging, the art of finding and fixing those

171
00:07:58.199 --> 00:08:01.319
<v Speaker 2>nasty bugs that sneak into software, like being a detective

172
00:08:01.319 --> 00:08:01.759
<v Speaker 2>for code.

173
00:08:01.839 --> 00:08:03.120
<v Speaker 1>Always wondered how that works.

174
00:08:03.680 --> 00:08:07.000
<v Speaker 2>The basics are simple. You attach a special tool, a debugger,

175
00:08:07.199 --> 00:08:09.399
<v Speaker 2>to the program, and it lets you pause the program, look

176
00:08:09.439 --> 00:08:11.079
<v Speaker 2>at its memory, go line by.

177
00:08:10.920 --> 00:08:12.560
<v Speaker 1>line. Putting it under a microscope.

178
00:08:12.680 --> 00:08:16.120
<v Speaker 2>Exactly. And in Windows, user mode debugging is a team effort:

179
00:08:16.360 --> 00:08:19.279
<v Speaker 2>part of the OS, a helper in NTDLL, specific APIs,

180
00:08:20.040 --> 00:08:20.759
<v Speaker 2>all working.

181
00:08:20.480 --> 00:08:23.560
<v Speaker 1>together. Coordinated effort. The book mentioned debug events too. What

182
00:08:23.600 --> 00:08:24.240
<v Speaker 1>are those?

183
00:08:24.199 --> 00:08:27.560
<v Speaker 2>Like trip wires telling the debugger something happened, process created,

184
00:08:27.800 --> 00:08:31.839
<v Speaker 2>threads started, DLL loaded. You get notified so you can investigate.

185
00:08:31.959 --> 00:08:33.559
<v Speaker 1>Staying informed makes sense.

186
00:08:33.799 --> 00:08:37.960
<v Speaker 2>And there's a special case for Windows Error Reporting, or WER,

187
00:08:38.559 --> 00:08:41.000
<v Speaker 2>that thing that pops up when an app crashes asking

188
00:08:41.039 --> 00:08:41.759
<v Speaker 2>to send a report.

189
00:08:41.919 --> 00:08:44.039
<v Speaker 1>Oh yeah, see that all the time. Always wonder what

190
00:08:44.159 --> 00:08:44.639
<v Speaker 1>it does.

191
00:08:44.960 --> 00:08:48.559
<v Speaker 2>Well, WER uses our friend ALPC to talk to the

192
00:08:48.559 --> 00:08:53.000
<v Speaker 2>crashed process, even if it's badly damaged, gathers info about

193
00:08:53.000 --> 00:08:53.720
<v Speaker 2>what went wrong.

194
00:08:53.960 --> 00:08:55.919
<v Speaker 1>ALPC always showing up.

195
00:08:56.200 --> 00:08:59.240
<v Speaker 2>It's versatile. Now for a topic everyone's heard of, but

196
00:08:59.320 --> 00:09:02.559
<v Speaker 2>maybe doesn't fully get: the registry. Oh yeah.

197
00:09:02.600 --> 00:09:04.879
<v Speaker 1>The registry. Bit intimidating, if I'm

198
00:09:04.720 --> 00:09:08.360
<v Speaker 2>honest. Understandable. It's got a reputation, but at its core

199
00:09:08.399 --> 00:09:11.960
<v Speaker 2>it's just a database storing settings for everything in Windows, like.

200
00:09:11.919 --> 00:09:14.960
<v Speaker 1>a giant settings file for the whole OS. Exactly.

201
00:09:15.120 --> 00:09:18.720
<v Speaker 2>Hardware, user preferences, software, it's all in there, the central

202
00:09:18.720 --> 00:09:19.720
<v Speaker 2>nervous system, you could say.

203
00:09:19.799 --> 00:09:22.080
<v Speaker 1>And it's organized, right, with those HKEY things. What

204
00:09:22.120 --> 00:09:22.799
<v Speaker 1>are they all about?

205
00:09:22.840 --> 00:09:27.000
<v Speaker 2>Think different branches of government. HKEY_LOCAL_MACHINE, or HKLM.

206
00:09:27.080 --> 00:09:29.919
<v Speaker 2>That's system-wide settings affecting everyone. Federal level.

207
00:09:30.000 --> 00:09:31.279
<v Speaker 1>Okay, big picture stuff.

208
00:09:31.320 --> 00:09:34.519
<v Speaker 2>Then you've got HKEY_USERS for each user's specific settings,

209
00:09:34.600 --> 00:09:35.799
<v Speaker 2>like state level control.

210
00:09:36.080 --> 00:09:39.879
<v Speaker 1>So changing something in HKLM affects everyone on the computer,

211
00:09:40.000 --> 00:09:43.240
<v Speaker 1>but in HKEY_USERS it's just my account. Precisely.

212
00:09:43.799 --> 00:09:47.480
<v Speaker 2>And those modern UWP apps, they use application hives to

213
00:09:47.519 --> 00:09:50.080
<v Speaker 2>store their settings separate from the rest.

214
00:09:50.279 --> 00:09:52.200
<v Speaker 1>Keeps things tidy, I guess. It does.

215
00:09:52.399 --> 00:09:56.039
<v Speaker 2>And the registry is built to be tough. Uses transactions,

216
00:09:56.120 --> 00:09:58.960
<v Speaker 2>so changes are all or nothing. No partial updates that

217
00:09:59.000 --> 00:09:59.840
<v Speaker 2>could mess things up.

218
00:10:00.039 --> 00:10:02.279
<v Speaker 1>Like a safety net for your settings. Exactly.

219
00:10:02.519 --> 00:10:04.919
<v Speaker 2>The book even shows how to use process monitor to

220
00:10:05.000 --> 00:10:08.559
<v Speaker 2>watch registry changes in real time. Pretty cool

221
00:10:08.559 --> 00:10:10.080
<v Speaker 2>if you're into that level of detail. I

222
00:10:10.080 --> 00:10:12.559
<v Speaker 1>might have to check that out. Okay, shifting focus a bit,

223
00:10:12.799 --> 00:10:14.720
<v Speaker 1>Windows services, What are those all about?

224
00:10:15.120 --> 00:10:18.679
<v Speaker 2>The unsung heroes of the OS. Background processes doing all

225
00:10:18.720 --> 00:10:21.000
<v Speaker 2>sorts of work, usually without you noticing.

226
00:10:20.840 --> 00:10:23.080
<v Speaker 1>Like the stage crew making sure the show goes.

227
00:10:22.840 --> 00:10:27.639
<v Speaker 2>on. Precisely. Handling network stuff, printing, updates, tons of things.

228
00:10:28.120 --> 00:10:32.080
<v Speaker 2>And the Service Control Manager, or SCM, is like the conductor.

229
00:10:31.759 --> 00:10:33.080
<v Speaker 1>Keeping the orchestra in tune.

230
00:10:33.200 --> 00:10:36.200
<v Speaker 2>You got it. Makes sure services start, stop, don't conflict.

231
00:10:36.720 --> 00:10:39.440
<v Speaker 2>And it uses the registry as its cheat sheet.

232
00:10:39.080 --> 00:10:41.320
<v Speaker 1>So each service has its instructions in

233
00:10:41.279 --> 00:10:45.519
<v Speaker 2>the registry. Yep. Path to the program file, how it starts,

234
00:10:46.000 --> 00:10:49.840
<v Speaker 2>dependencies, all in there, like a blueprint for the SCM.

235
00:10:49.960 --> 00:10:52.480
<v Speaker 1>Very organized. And what about service accounts?

236
00:10:52.840 --> 00:10:56.200
<v Speaker 2>Ah, that determines the security context a service runs under.

237
00:10:56.720 --> 00:11:00.159
<v Speaker 2>Could be the local system account, a specific user, or

238
00:11:00.159 --> 00:11:02.639
<v Speaker 2>special ones like Local Service or Network

239
00:11:02.279 --> 00:11:04.639
<v Speaker 1>Service. Like different levels of access.

240
00:11:04.320 --> 00:11:07.679
<v Speaker 2>Exactly. Important for security, making sure a service only has

241
00:11:07.720 --> 00:11:10.279
<v Speaker 2>the permissions it needs. And the book gets into how

242
00:11:10.360 --> 00:11:13.639
<v Speaker 2>services are isolated from your user session for safety. That's

243
00:11:13.679 --> 00:11:16.080
<v Speaker 2>why they don't usually pop up windows on your desktop,

244
00:11:16.080 --> 00:11:16.600
<v Speaker 2>for example.

245
00:11:17.039 --> 00:11:20.519
<v Speaker 1>Makes sense, things could get messy otherwise. Okay, one more

246
00:11:20.559 --> 00:11:24.120
<v Speaker 1>system to explore, the Windows Task Scheduler. I use it

247
00:11:24.159 --> 00:11:26.080
<v Speaker 1>to automate stuff, but never thought about how it

248
00:11:26.080 --> 00:11:28.919
<v Speaker 2>works. Task Scheduler's like a personal assistant for your computer,

249
00:11:29.200 --> 00:11:31.679
<v Speaker 2>tells things when to run based on time or events.

250
00:11:31.840 --> 00:11:35.440
<v Speaker 1>Handy. The book mentioned different types of tasks, including hosted tasks,

251
00:11:35.480 --> 00:11:37.919
<v Speaker 1>which are COM objects. What's that all about?

252
00:11:37.960 --> 00:11:41.480
<v Speaker 2>Hosted tasks are the power users: more complex, can do

253
00:11:41.519 --> 00:11:44.919
<v Speaker 2>a wider range of actions, and being COM objects, they

254
00:11:44.919 --> 00:11:46.799
<v Speaker 2>can be controlled in specific ways.

255
00:11:46.759 --> 00:11:49.159
<v Speaker 1>Like a scripting language within the scheduler.

256
00:11:49.360 --> 00:11:52.960
<v Speaker 2>You got it, more flexibility. The book even shows an

257
00:11:53.000 --> 00:11:56.519
<v Speaker 2>example, the ProcessMemoryDiagnosticEvents task, and how to

258
00:11:56.559 --> 00:11:58.159
<v Speaker 2>find the COM object behind it.

259
00:11:58.360 --> 00:12:01.159
<v Speaker 1>Getting into the weeds now, but it is fascinating.

260
00:12:01.240 --> 00:12:05.639
<v Speaker 2>It is. Okay, ready for another powerful tool? WMI, Windows

261
00:12:05.720 --> 00:12:06.919
<v Speaker 2>Management Instrumentation.

262
00:12:07.399 --> 00:12:09.759
<v Speaker 1>WMI sounds a bit scary.

263
00:12:09.559 --> 00:12:11.720
<v Speaker 2>It's not once you get it. Think of it as

264
00:12:11.720 --> 00:12:16.039
<v Speaker 2>a universal language for managing and monitoring almost anything in Windows.

265
00:12:16.519 --> 00:12:19.639
<v Speaker 1>So different parts of the system and even different systems,

266
00:12:19.919 --> 00:12:22.159
<v Speaker 1>can talk about management tasks. Exactly.

267
00:12:22.320 --> 00:12:25.200
<v Speaker 2>And at the heart of it are providers. Providers of

268
00:12:25.200 --> 00:12:27.840
<v Speaker 2>what? Think of them like translators. They bridge the gap

269
00:12:27.879 --> 00:12:31.240
<v Speaker 2>between WMI and the actual resources, like a provider for

270
00:12:31.320 --> 00:12:34.200
<v Speaker 2>the registry, the filesystem, network adapters, you name it.

271
00:12:34.360 --> 00:12:37.879
<v Speaker 1>So if I want info on my network settings through WMI,

272
00:12:38.279 --> 00:12:41.080
<v Speaker 1>I talk to the network adapter provider and it figures

273
00:12:41.080 --> 00:12:43.279
<v Speaker 1>out how to get that info from the actual hardware.

274
00:12:43.480 --> 00:12:46.799
<v Speaker 2>Exactly. Different types too: ones for getting info, ones for

275
00:12:46.919 --> 00:12:50.440
<v Speaker 2>doing things, ones that notify you about events.

276
00:12:49.639 --> 00:12:52.720
<v Speaker 1>Super versatile. The book even has a script showing how

277
00:12:52.759 --> 00:12:56.159
<v Speaker 1>to use WMI to track process creation events.

278
00:12:56.240 --> 00:12:59.960
<v Speaker 2>It does. Practical example. Now, to go even deeper into

279
00:13:00.120 --> 00:13:03.559
<v Speaker 2>monitoring: ETW, Event Tracing

280
00:13:03.200 --> 00:13:05.159
<v Speaker 1>for Windows. Sounds intense.

281
00:13:05.279 --> 00:13:09.480
<v Speaker 2>It's powerful. ETW is a high performance tracing system capturing

282
00:13:09.559 --> 00:13:13.279
<v Speaker 2>detailed logs of events and performance data. Windows itself uses

283
00:13:13.279 --> 00:13:15.159
<v Speaker 2>it a lot, and so do many apps and

284
00:13:15.159 --> 00:13:17.320
<v Speaker 1>drivers. Like a flight recorder for your computer.

285
00:13:17.559 --> 00:13:22.279
<v Speaker 2>Exactly. Great for troubleshooting, finding performance bottlenecks, seeing how everything interacts.

286
00:13:22.399 --> 00:13:27.000
<v Speaker 1>Lots of uses. The book talked about providers, sessions, loggers, consumers.

287
00:13:27.440 --> 00:13:28.200
<v Speaker 1>What are all those?

288
00:13:28.360 --> 00:13:31.159
<v Speaker 2>Okay, think of it like a news organization. Providers are

289
00:13:31.200 --> 00:13:35.200
<v Speaker 2>the reporters creating the news, events. Sessions are like specific

290
00:13:35.200 --> 00:13:37.320
<v Speaker 2>news programs grouping related events together.

291
00:13:37.440 --> 00:13:38.159
<v Speaker 1>Okay, I'm following.

292
00:13:38.360 --> 00:13:41.279
<v Speaker 2>Loggers are the cameras and recording equipment capturing the news,

293
00:13:41.799 --> 00:13:44.759
<v Speaker 2>and consumers are the viewers analyzing the broadcasts.

294
00:13:44.840 --> 00:13:48.600
<v Speaker 1>So providers make the events, sessions organize them, loggers capture them,

295
00:13:48.679 --> 00:13:49.840
<v Speaker 1>consumers analyze them.

296
00:13:50.039 --> 00:13:53.039
<v Speaker 2>Got it in one. And like news, different types of

297
00:13:53.080 --> 00:13:57.200
<v Speaker 2>providers: kernel mode for OS stuff, user mode for applications,

298
00:13:57.519 --> 00:13:59.759
<v Speaker 2>specialized ones for things like networking.

299
00:13:59.399 --> 00:14:02.720
<v Speaker 1>Covers all the bases. The book had an experiment about tracing

300
00:14:02.759 --> 00:14:06.240
<v Speaker 1>TCP/IP traffic using the kernel logger and Performance Monitor.

301
00:14:06.360 --> 00:14:09.039
<v Speaker 2>Right, yep, hands-on way to see how ETW can

302
00:14:09.080 --> 00:14:10.320
<v Speaker 2>help with network troubleshooting.

303
00:14:10.480 --> 00:14:13.679
<v Speaker 1>Definitely got to try that. Okay, last, but not least,

304
00:14:13.840 --> 00:14:17.840
<v Speaker 1>Windows Error Reporting, or WER, gets a bad rap sometimes,

305
00:14:17.879 --> 00:14:18.639
<v Speaker 1>but it's.

306
00:14:18.519 --> 00:14:22.879
<v Speaker 2>there to help. WER's the crash investigator, handling those unfortunate

307
00:14:22.879 --> 00:14:26.080
<v Speaker 2>moments when an app goes belly up. Gathering evidence. Precisely,

308
00:14:26.399 --> 00:14:28.519
<v Speaker 2>collects info about the crash, lets you send a report

309
00:14:28.559 --> 00:14:29.200
<v Speaker 2>to Microsoft.

310
00:14:29.200 --> 00:14:31.879
<v Speaker 1>And the book explained how WER uses our friend ALPC

311
00:14:32.120 --> 00:14:34.720
<v Speaker 1>to talk to the crashed process even if it's barely

312
00:14:34.440 --> 00:14:37.840
<v Speaker 2>functioning. Right, robust system, making sure at least some information

313
00:14:37.919 --> 00:14:41.600
<v Speaker 2>is salvaged, like a black box recorder, but for software.

314
00:14:41.799 --> 00:14:44.879
<v Speaker 1>Pretty amazing stuff. So there we have it, a whirlwind

315
00:14:44.919 --> 00:14:47.000
<v Speaker 1>tour of Windows internals.

316
00:14:47.120 --> 00:14:51.799
<v Speaker 2>We covered a lot: CPUs, registry, threads, debugging, error reporting.

317
00:14:52.120 --> 00:14:54.720
<v Speaker 1>It makes you realize how much is happening every time

318
00:14:54.720 --> 00:14:57.679
<v Speaker 1>you click something, and how much clever engineering is behind

319
00:14:57.720 --> 00:14:58.000
<v Speaker 1>it all.

320
00:14:58.240 --> 00:15:01.559
<v Speaker 2>Absolutely. If you're even a little bit curious about

321
00:15:01.559 --> 00:15:06.399
<v Speaker 2>how computers really work, Windows Internals is worth checking out. Challenging,

322
00:15:06.960 --> 00:15:08.840
<v Speaker 2>but yes, so rewarding.

323
00:15:09.000 --> 00:15:11.000
<v Speaker 1>And we'll be right back after a quick break to

324
00:15:11.039 --> 00:15:13.000
<v Speaker 1>wrap up this deep dive and leave you with some

325
00:15:13.159 --> 00:15:13.919
<v Speaker 1>final thoughts.

326
00:15:15.799 --> 00:15:18.919
<v Speaker 2>We're back wrapping up our Windows Internals deep dive. It's

327
00:15:18.960 --> 00:15:20.440
<v Speaker 2>been a lot.

328
00:15:20.679 --> 00:15:25.120
<v Speaker 1>It has. CPUs to the registry, threads dancing around, debugging magic.

329
00:15:25.200 --> 00:15:27.159
<v Speaker 2>It's amazing how it all comes together. This OS we

330
00:15:27.240 --> 00:15:27.960
<v Speaker 2>use every day.

331
00:15:27.960 --> 00:15:31.200
<v Speaker 1>Right, powerful and surprisingly resilient when you see what's going

332
00:15:31.240 --> 00:15:31.960
<v Speaker 1>on under the hood.

333
00:15:32.120 --> 00:15:35.200
<v Speaker 2>For me, the big takeaway is the sheer optimization of

334
00:15:35.200 --> 00:15:35.440
<v Speaker 2>it all.

335
00:15:35.519 --> 00:15:39.039
<v Speaker 1>Oh, absolutely. Every little thing, from caching data to how

336
00:15:39.159 --> 00:15:42.039
<v Speaker 1>processes talk to each other, designed for speed, like a

337
00:15:42.039 --> 00:15:43.320
<v Speaker 1>finely tuned engine.

338
00:15:43.480 --> 00:15:46.360
<v Speaker 2>It's true, and that's what makes Windows internals so fascinating,

339
00:15:46.600 --> 00:15:49.559
<v Speaker 2>not just how it works, but the cleverness behind it. Right.

340
00:15:49.759 --> 00:15:52.919
<v Speaker 1>The attention to detail is incredible. If you're at all

341
00:15:53.080 --> 00:15:57.480
<v Speaker 1>curious about tech, about what really makes computers tick, this

342
00:15:57.519 --> 00:16:01.080
<v Speaker 1>book is a must read. Challenging, yeah, but worth it.

343
00:16:01.120 --> 00:16:03.720
<v Speaker 1>Like getting a peek behind the curtain of your own machine.

344
00:16:03.799 --> 00:16:06.039
<v Speaker 2>It makes you realize how much we take for granted,

345
00:16:06.159 --> 00:16:07.080
<v Speaker 2>clicking away.

346
00:16:06.840 --> 00:16:09.360
<v Speaker 1>On the surface, and it leaves you wanting to learn more.

347
00:16:10.240 --> 00:16:14.399
<v Speaker 1>What's next for you in terms of Windows knowledge? Any

348
00:16:14.480 --> 00:16:15.879
<v Speaker 1>rabbit holes calling your name?

349
00:16:16.200 --> 00:16:18.679
<v Speaker 2>You know what always gets me is how operating systems

350
00:16:18.919 --> 00:16:23.879
<v Speaker 2>evolve. Windows has come a long way and it's not stopping.

351
00:16:24.799 --> 00:16:28.279
<v Speaker 2>I'm really curious to see how things like cloud computing, AI,

352
00:16:28.879 --> 00:16:30.600
<v Speaker 2>how those shape the future of Windows.

353
00:16:30.759 --> 00:16:33.759
<v Speaker 1>That's a great point. Exciting times ahead. Who knows what

354
00:16:33.799 --> 00:16:37.919
<v Speaker 1>we'll see, But that drive to explore, to keep learning,

355
00:16:38.159 --> 00:16:39.240
<v Speaker 1>that's key, right.

356
00:16:39.120 --> 00:16:41.799
<v Speaker 2>Absolutely. There's always more to uncover. It never ends.

357
00:16:41.960 --> 00:16:45.159
<v Speaker 1>So to everyone listening out there, keep that curiosity alive.

358
00:16:45.240 --> 00:16:48.120
<v Speaker 1>Don't be afraid to dig deeper, ask questions, explore.

359
00:16:48.320 --> 00:16:50.320
<v Speaker 2>The more you learn, the more you realize how much

360
00:16:50.360 --> 00:16:50.919
<v Speaker 2>there is to know.

361
00:16:51.120 --> 00:16:54.000
<v Speaker 1>And that's what makes the world of tech so endlessly fascinating.

362
00:16:54.279 --> 00:16:56.679
<v Speaker 1>Until next time, happy exploring, everyone.
