Operating Systems Basics

The document provides an overview of the Windows operating system, covering its history, architecture, file systems, boot process, and registry management. It explains key components such as the Hardware Abstraction Layer, various file systems like NTFS and exFAT, and the Windows boot process involving BIOS and UEFI. Additionally, it discusses user management, PowerShell commands, and Windows Management Instrumentation (WMI) for remote computer management.

Uploaded by kamalhegazig1
© All Rights Reserved

Operating Systems Basics

Module 1: Windows Operating System


Windows History
1.1.1 Disk Operating System
The Disk Operating System (DOS) is an operating system that the computer uses to enable its data storage devices to read and write
files. DOS provides a file system which organizes the files in a specific way on the disk. Microsoft bought DOS and developed MS-DOS.
Windows Architecture and Operations
1.2.1 Hardware Abstraction Layer
A hardware abstraction layer (HAL) is software that handles all of the communication between the hardware and the kernel. The kernel is
the core of the operating system and has control over the entire computer. It handles all of the input and output requests, memory, and all of
the peripherals connected to the computer.

In some instances, the kernel still communicates with the hardware directly, so it is not completely independent of the HAL. The HAL also
needs the kernel to perform some functions.
1.2.3 Windows File Systems
exFAT:
This is a simple file system supported by many different operating systems.
FAT has limitations on the number of partitions, partition sizes, and file sizes that it can address, so it is not usually used for hard drives
(HDs) or solid-state drives (SSDs) anymore.
Both FAT16 and FAT32 are available to use, with FAT32 being the most common because it has many fewer restrictions than FAT16.

Hierarchical File System Plus (HFS+):

This file system is used on Mac OS X computers and allows much longer filenames, file sizes, and partition sizes than previous file
systems.
Although it is not supported by Windows without special software, Windows is able to read data from HFS+ partitions.

Extended File System (EXT):

This file system is used with Linux-based computers.
Although it is not supported by Windows, Windows is able to read data from EXT partitions with special software.

New Technology File System (NTFS):

This is the most commonly used file system when installing Windows. All versions of Windows and Linux support NTFS.
Mac OS X computers can only read an NTFS partition. They are able to write to an NTFS partition after installing special drivers.
NTFS formatting creates important structures on the disk for file storage, and tables for recording the locations of files:
Partition Boot Sector - This is the first 16 sectors of the drive. It contains the location of the Master File Table (MFT). The last 16
sectors contain a copy of the boot sector.
Master File Table (MFT) - This table contains the locations of all the files and directories on the partition, including file attributes
such as security information and timestamps.
System Files - These are hidden files that store information about other volumes and file attributes.
File Area - The main area of the partition where files and directories are stored.

NOTE : When formatting a partition, the previous data may still be recoverable because not all the data is completely removed. The free
space can be examined, and files can be retrieved which can compromise security. It is recommended to perform a secure wipe on a drive
that is being reused. The secure wipe will write data to the entire drive multiple times to ensure there is no remaining data.

1.2.4 Alternate Data Streams


NTFS stores files as attributes, including the data in the $DATA attribute. Alternate Data Streams (ADS) allow extra information to be
attached to files. This feature is exploited by malware to hide malicious code in an ADS, which can be executed from another file.

In the NTFS file system, a file with an ADS is identified after the filename and a colon, for example, Testfile.txt:ADS. This filename indicates
an ADS called ADS is associated with the file called Testfile.txt. An example of ADS is shown in the command output.

```text
C:\ADS> echo "Alternate Data Here" > Testfile.txt:ADS

C:\ADS> dir
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
               1 File(s)              0 bytes
               2 Dir(s)  43,509,571,584 bytes free

C:\ADS> more < Testfile.txt:ADS
"Alternate Data Here"

C:\ADS> dir /r
 Volume in drive C is Windows
 Volume Serial Number is A606-CB1B

 Directory of C:\ADS

2020-04-28  04:01 PM    <DIR>          .
2020-04-28  04:01 PM    <DIR>          ..
2020-04-28  04:01 PM                 0 Testfile.txt
                                    24 Testfile.txt:ADS:$DATA
               1 File(s)              0 bytes
               2 Dir(s)  43,509,624,832 bytes free

C:\ADS>
```

In the output:

The first command places the text "Alternate Data Here" into an ADS of the file Testfile.txt called "ADS".
After that, dir shows that the file was created, but the ADS is not visible.
The next command shows that there is data in the Testfile.txt:ADS data stream.
The last command shows the ADS of the Testfile.txt file because the /r switch was used with the dir command.
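The same check from PowerShell, as an added example that is not part of the original notes: it rebuilds the Testfile.txt:ADS stream in a scratch folder and then lists every stream other than the default $DATA stream, which is what dir /r reveals. The function name and the scratch folder are assumptions; it needs an NTFS volume on Windows.

```powershell
# Added example (not from the original notes): enumerate alternate data streams.
# Requires Windows PowerShell 3+ or PowerShell 7 on Windows and an NTFS volume.

function Get-AlternateDataStream {
    # Return every named stream on files under $Path, skipping the default ':$DATA' stream.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        FileName = $_.FileName
                        Stream   = $_.Stream
                        Length   = $_.Length
                        # Zone.Identifier is the benign "downloaded from the Internet" mark;
                        # any other named stream deserves a look.
                        Expected = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

# Demo: recreate the notes' Testfile.txt:ADS example in a scratch folder (assumed name).
$scratch = Join-Path $env:TEMP 'ADS-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$file = Join-Path $scratch 'Testfile.txt'
New-Item -ItemType File -Path $file -Force | Out-Null      # 0-byte main stream, as in the dir output
Set-Content -LiteralPath $file -Stream 'ADS' -Value 'Alternate Data Here'

# Equivalent of: more < Testfile.txt:ADS
Get-Content -LiteralPath $file -Stream 'ADS'

# Equivalent of: dir /r, but as objects that can be filtered or exported.
Get-AlternateDataStream -Path $scratch | Format-Table -AutoSize

Remove-Item -LiteralPath $scratch -Recurse -Force
```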

1.2.5 Windows Boot Process


Two types of computer firmware exist:
Basic Input Output System (BIOS) : BIOS firmware was created in the early 1980s and works in the same way it did when it was
created. As computers evolved, it became difficult for BIOS firmware to support all the new features requested by users.
Unified Extensible Firmware Interface (UEFI) : UEFI was designed to replace BIOS and support the new features.

The BIOS initialization phase starts with hardware checks and a power-on self-test (POST), ending when the system disk is found. The
BIOS then looks for the master boot record (MBR), which loads the operating system.

UEFI, in contrast, uses .efi files stored in the EFI System Partition (ESP) for booting, offering more visibility and security by storing boot
code in firmware.

Regardless of the firmware, Bootmgr.exe loads after a valid Windows installation is found. It switches the system to protected mode and
reads the Boot Configuration Database (BCD), which indicates whether the system is resuming from hibernation or starting fresh. If
hibernating, Winresume.exe loads the Hiberfil.sys file. For a cold start, Winload.exe creates a hardware record in the registry and ensures
that drivers are digitally signed using Kernel Mode Code Signing (KMCS).

Winload.exe then loads Ntoskrnl.exe to start the Windows kernel and HAL. The Session Manager Subsystem (SMSS) reads the registry,
prepares the user environment, and starts the Winlogon service for user logon.

1.2.6 Windows Startup


There are two important registry items that are used to automatically start applications and services:

HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER

Registry entries like Run, RunOnce, RunServices, RunServicesOnce, and Userinit define which services and applications start, based
on their entry type. While these can be manually added, it’s safer to use the Msconfig.exe tool to view and modify startup options.
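A way to review those Run, RunOnce and Userinit entries from PowerShell rather than by hand, as an added example that is not part of the original notes. The function name and the "Review" heuristic (flagging autostarts that launch from per-user or temporary folders) are assumptions of this example; the registry paths are the standard Windows locations.

```powershell
# Added example (not from the original notes): list the autostart entries behind
# the Run/RunOnce keys and the Winlogon Userinit value the notes mention.

function Get-StartupRegistryEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Provider bookkeeping properties that Get-ItemProperty adds; not real registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = [string]$p.Value
                # Simple heuristic (an assumption of this example): installed software rarely
                # autostarts from per-user or temp folders, so such entries are worth review.
                Review  = ([string]$p.Value -match '(?i)\\(AppData|Temp|Downloads|Users\\Public)\\')
            }
        }
    }

    # Userinit normally points only at userinit.exe; extra comma-separated entries run at logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
    [pscustomobject]@{
        Key     = $winlogon
        Name    = 'Userinit'
        Command = $userinit
        Review  = (($userinit -split ',' | Where-Object { $_.Trim() }).Count -gt 1)
    }
}

Get-StartupRegistryEntry | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```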

Opening Msconfig via the search box brings up the System Configuration window, which contains five tabs with various configuration
options.

General

Three different startup types can be chosen here. Normal loads all drivers and services. Diagnostic loads only basic drivers and
services. Selective allows the user to choose what to load on startup.

Boot

Any installed operating system can be chosen here to start. There are also options for Safe boot, which is used to troubleshoot startup.

Services

All the installed services are listed here so that they can be chosen to start at startup.

Startup

All the applications and services that are configured to automatically begin at startup can be enabled or disabled by opening the task
manager from this tab.

Tools

Many common operating system tools can be launched directly from this tab.
1.2.8 Processes, Threads, and Services
A process is any program that is currently executing. Each process that runs is made up of at least one thread. A thread is a part of the
process that can be executed. The processor performs calculations on the thread.

All threads of a process share the same address space, meaning they cannot access the address space of other processes, which helps
prevent corruption. Windows supports multitasking, allowing multiple threads to run simultaneously, limited by the number of processors.
Some Windows processes are services—background programs that support the OS and applications. They can start automatically at boot,
be manually started, stopped, restarted, or disabled.

1.2.9 Memory Allocation and Handles


A computer works by storing instructions in RAM until the CPU processes them. The virtual address space for a process is the set of virtual
addresses that the process can use. The virtual address is not the actual physical location in memory, but an entry in a page table that is
used to translate the virtual address into the physical address.

Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes. Each process in a
64-bit Windows computer supports a virtual address space of 8 terabytes.

Each user space process runs in a private address space, separate from other user space processes. When the user space process needs
to access kernel resources, it must use a process handle. This is because the user space process is not allowed to directly access these
kernel resources. The process handle provides the access needed by the user space process without a direct connection to it.

RAMMap, part of the Windows Sysinternals Suite, is a powerful tool for analyzing memory allocation. It provides detailed insights into how
Windows distributes system memory among the kernel, processes, drivers, and applications.
1.2.10 The Windows Registry
The registry is a hierarchical database where the highest level is known as a hive, below that there are keys, followed by subkeys. Values
store data and are stored in the keys and subkeys. A registry key can be up to 512 levels deep.

HKEY_CURRENT_USER (HKCU): Holds information concerning the currently logged in user.
HKEY_USERS (HKU): Holds information concerning all the user accounts on the host.
HKEY_CLASSES_ROOT (HKCR): Holds information about object linking and embedding (OLE) registrations. OLE allows users to
embed objects from other applications (like a spreadsheet) into a single document (like a Word document).
HKEY_LOCAL_MACHINE (HKLM): Holds system-related information.
HKEY_CURRENT_CONFIG (HKCC): Holds information about the current hardware profile.

NOTE : New hives cannot be created. The registry keys and values in the hives can be created, modified, or deleted by an account with
administrative privileges.

Windows Configurations and Monitoring


1.3.1 Run as Administrator
Sometimes, it is necessary to run or install software that requires the privileges of the Administrator. There are two different ways to
accomplish this:

Administrator
Administrator Command Prompt

1.3.2 Local Users and Domains


When setting up a new Windows computer or installation, you must create a local user account, which stores customization settings,
permissions, and files. Windows also includes disabled Administrator and Guest accounts by default.
For security, do not enable the Administrator account or grant standard users administrative privileges. Instead, Windows prompts for the
Administrator password when elevated access is needed, preventing unauthorized software installation or execution.

The Guest account should remain disabled, as it has no password and provides a temporary, limited-access environment.

Windows simplifies user management with groups, assigning predefined permissions to members. Users can belong to multiple groups, with
"explicitly deny" permissions taking precedence. Groups like "Performance Log Users" enable specific tasks. Local users and groups are
managed via lusrmgr.msc.

Windows also uses domains to set permissions. A domain is a network service where users, groups, computers, and security settings are
managed by domain controllers (DCs). Each user and computer must authenticate against a DC to log in and access resources. Security
settings from the DC override local settings by default.
1.3.3 CLI and PowerShell
These are the types of commands that PowerShell can execute:

cmdlets - These commands perform an action and return an output or object to the next command that will be executed.
PowerShell scripts - These are files with a .ps1 extension that contain PowerShell commands that are executed.
PowerShell functions - These are pieces of code that can be referenced in a script.

There are four levels of help in Windows PowerShell:

get-help PS command - Displays basic help for a command
get-help PS command [-examples] - Displays basic help for a command with examples
get-help PS command [-detailed] - Displays detailed help for a command with examples
get-help PS command [-full] - Displays all help information for a command with examples in greater depth

1.3.4 Windows Management Instrumentation


Windows Management Instrumentation (WMI) is used to manage remote computers. It can retrieve information about computer
components, hardware and software statistics, and monitor the health of remote computers. To open the WMI control from the Control
Panel, double-click Administrative Tools > Computer Management to open the Computer Management window, expand the Services
and Applications tree and right-click the WMI Control icon > Properties.

The WMI Control Properties window is shown in the figure.


These are the four tabs in the WMI Control Properties window:

General - Summary information about the local computer and WMI
Backup/Restore - Allows manual backup of statistics gathered by WMI
Security - Settings to configure who has access to different WMI statistics
Advanced - Settings to configure the default namespace for WMI

Some attacks today use WMI to connect to remote systems, modify the registry, and run commands. WMI helps them to avoid detection
because it is common traffic, most often trusted by the network security devices and the remote WMI commands do not usually leave
evidence on the remote host. Because of this, WMI access should be strictly limited.
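The kind of remote health query the notes describe, written with the CIM cmdlets that front WMI, as an added example that is not part of the original notes. The function name and the host names are placeholders; it assumes the caller has administrative rights on each target and, by default, that WinRM is enabled there.

```powershell
# Added example (not from the original notes): gather health data from remote
# hosts through WMI/CIM. Host names are placeholders; the caller needs admin
# rights on each target and, by default, WinRM (WS-Management) enabled there.

function Get-RemoteHostHealth {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            [pscustomobject]@{
                Computer      = $name
                OS            = $os.Caption
                LastBoot      = $os.LastBootUpTime
                # Both memory counters are reported in kilobytes, so the ratio needs no unit conversion.
                FreeMemoryPct = [math]::Round(100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize, 1)
                Reachable     = $true
            }
        } catch {
            # A host that refuses the query is itself worth reporting rather than silently skipping.
            [pscustomobject]@{
                Computer = $name; OS = $null; LastBoot = $null; FreeMemoryPct = $null; Reachable = $false
            }
        }
    }
}

# Get-CimInstance -ComputerName speaks WS-Management; hosts that only expose
# classic WMI over DCOM/RPC are reached through a session created like this:
#   $opt = New-CimSessionOption -Protocol Dcom
#   $s   = New-CimSession -ComputerName 'host' -SessionOption $opt
#   Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $s

Get-RemoteHostHealth -ComputerName 'WORKSTATION-01', 'WORKSTATION-02' | Format-Table -AutoSize
```

Because this traffic looks like routine administration, the same query run by an intruder is hard to distinguish from the real thing, which is the reason the notes call for limiting who can use WMI at all.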

1.3.5 The net Command


The net command is used in the administration and maintenance of the OS.

net accounts: Sets password and logon requirements for users.


net

Module 2 : Linux Overview


Module 3 : Mobile Devices Connectivity
Module 4 : Mobile Operating Systems and Security
