Windows Internals Lab

Processes, Threads, Handles & Registry

Explore Windows internals using PowerShell — essential knowledge for malware analysis and incident response.

Core Concepts

Understanding Windows internals is crucial for security analysts. These four components form the foundation of how Windows operates:

Process

A running program with its own memory space, security token, and resources.

Thread

A unit of execution within a process. Processes can have multiple threads.

Handle

A reference to a system resource (file, registry key, mutex, etc.).

Registry

Hierarchical database storing system and application configuration.

Part 1: Process Investigation

Exercise 1.1: List Process Details

Get detailed process information

List all processes with their ID, name, memory usage, and path:

Get-Process | Select-Object Id, ProcessName, WorkingSet64, Path | Format-Table

Find a specific process

Search for processes by name pattern:

Get-Process -Name *svc* | Select-Object Id, ProcessName, StartTime

Get process owner

Identify which user account is running each process:

Get-WmiObject Win32_Process | Select-Object ProcessId, Name, @{N='Owner';E={$_.GetOwner().User}}
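The three commands above each answer one question; an analyst usually wants owner, path, parent and command line in a single view so the anomalies stand out. The script below is an added example, not part of the original lab. It uses Get-CimInstance and Invoke-CimMethod GetOwner (the CIM equivalents of the Get-WmiObject call above, so it also runs on PowerShell 7) and flags processes whose image sits outside the system and Program Files directories. The list of "trusted" roots is an assumption for a default install, and the flag is a triage hint, not a verdict.

```powershell
# Added example (not part of the original lab): one inventory of running processes
# with owner, parent PID, image path and command line. Processes whose image lives
# outside the usual system directories are flagged for manual review.
# Run from an elevated prompt so GetOwner succeeds for processes of other users.

function Get-ProcessInventory {
    # Assumption: default install locations; adjust for your environment.
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $proc = $_

        # GetOwner returns Domain and User; it fails for protected/system processes,
        # so treat a failure as "unknown" rather than aborting the whole listing.
        try {
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction Stop
            $ownerName = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'N/A' }
        } catch {
            $ownerName = 'N/A'
        }

        $path = $proc.ExecutablePath
        $inTrusted = $false
        if ($path) {
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                    break
                }
            }
        }

        [PSCustomObject]@{
            PID         = $proc.ProcessId
            PPID        = $proc.ParentProcessId
            Name        = $proc.Name
            Owner       = $ownerName
            Path        = $path
            CommandLine = $proc.CommandLine
            # $true when the image is on disk somewhere other than the trusted roots.
            # Legitimate software lives in user profiles too, so review before judging.
            UnusualPath = ($null -ne $path) -and (-not $inTrusted)
        }
    }
}

# Flagged processes first, then the rest.
Get-ProcessInventory |
    Sort-Object UnusualPath -Descending |
    Format-Table PID, PPID, Name, Owner, UnusualPath, Path -AutoSize
```

A process with an empty Path is often one the current account cannot open (a protected process or one running as another user); that is normal when not elevated, which is why the flag only fires when a path was actually readable.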

Part 2: Threads & Handles

Exercise 2.1: Examine Threads

Count threads per process

See which processes have the most threads (potential indicator of complexity or malicious activity):

Get-Process | Select-Object ProcessName, Id, @{N='Threads';E={$_.Threads.Count}} | Sort-Object Threads -Descending | Select-Object -First 10

Exercise 2.2: Examine Handles

Count handles per process

High handle counts may indicate resource leaks or suspicious activity:

Get-Process | Select-Object ProcessName, Id, HandleCount | Sort-Object HandleCount -Descending | Select-Object -First 10
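A single top-10 listing shows which processes are large, but not which ones are growing. Resource leaks and injected threads show up as change over time, so the added example below (not part of the original lab) takes two snapshots of thread and handle counts, compares them, and reports the processes whose counts moved most. The ten-second interval is an assumption; in a real investigation the sampling window is whatever the symptom calls for.

```powershell
# Added example (not part of the original lab): snapshot thread and handle counts
# twice, then report growth per process. A steady climb in handles on a long-running
# process is the classic leak signature; a sudden jump in threads, or a process that
# appeared between snapshots, is worth a closer look.

function Get-ProcessSnapshot {
    # Keyed by PID so the two snapshots can be joined cheaply.
    $table = @{}
    foreach ($p in Get-Process) {
        $table[$p.Id] = [PSCustomObject]@{
            Id      = $p.Id
            Name    = $p.ProcessName
            Threads = $p.Threads.Count
            Handles = $p.HandleCount
        }
    }
    return $table
}

function Compare-ProcessSnapshot {
    param([hashtable]$Before, [hashtable]$After)

    foreach ($id in $After.Keys) {
        $new = $After[$id]
        if ($Before.ContainsKey($id)) {
            $old = $Before[$id]
            [PSCustomObject]@{
                Id          = $id
                Name        = $new.Name
                Threads     = $new.Threads
                ThreadDelta = $new.Threads - $old.Threads
                Handles     = $new.Handles
                HandleDelta = $new.Handles - $old.Handles
                New         = $false
            }
        } else {
            # Process started between the two snapshots; its whole count is "growth".
            [PSCustomObject]@{
                Id          = $id
                Name        = $new.Name
                Threads     = $new.Threads
                ThreadDelta = $new.Threads
                Handles     = $new.Handles
                HandleDelta = $new.Handles
                New         = $true
            }
        }
    }
}

$before = Get-ProcessSnapshot
Start-Sleep -Seconds 10       # sampling interval (assumption; tune to the case)
$after  = Get-ProcessSnapshot

# Largest handle growth first; swap in ThreadDelta to rank by thread growth.
Compare-ProcessSnapshot -Before $before -After $after |
    Sort-Object HandleDelta -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

Run it more than once: a process that gains a few hundred handles during one window and gives them back in the next is doing normal work, while one that only ever goes up is the one to investigate.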

Part 3: Windows Registry

The registry stores critical configuration. Attackers often use it for persistence.

HKEY_LOCAL_MACHINE (HKLM)
├── SOFTWARE
│   ├── Microsoft
│   │   └── Windows
│   │       └── CurrentVersion
│   │           └── Run                 Startup programs (persistence!)
│   └── [Installed Applications]
├── SYSTEM
│   └── CurrentControlSet
│       └── Services                    Windows services
└── SECURITY                            SAM, security policies

HKEY_CURRENT_USER (HKCU)
└── SOFTWARE
    └── Microsoft
        └── Windows
            └── CurrentVersion
                └── Run                 User-specific startup

Exercise 3.1: Query Registry for Persistence

Check Run keys (common persistence mechanism)

Malware often adds entries here to survive reboots:

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

Check user-specific Run key

Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

List all services

Services are another persistence mechanism:

Get-Service | Where-Object {$_.StartType -eq 'Automatic'} | Select-Object Name, DisplayName, Status
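Reading the Run keys and the service list tells you what is configured to start; the next step is checking what those entries actually point at. The script below is an added example, not part of the original lab. It walks the HKLM and HKCU Run and RunOnce keys, pulls the auto-start services from Win32_Service (which exposes the service's command line as PathName, something Get-Service does not show), resolves each entry to its executable and checks the Authenticode signature. The key list and the command-line parsing regex are assumptions for this example; an unsigned or missing binary is a lead to follow, not proof of compromise.

```powershell
# Added example (not part of the original lab): audit Run/RunOnce keys and
# auto-start services, resolve each entry to its executable and check its
# Authenticode signature. Entries whose signature is not Valid are printed.

# Assumption: the four standard Run/RunOnce locations; extend as needed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Handles both  "C:\path with spaces\app.exe" /arg  and  C:\path\app.exe /arg
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Test-Binary {
    param([string]$Path)
    # Registry values frequently contain %SystemRoot%-style variables.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -LiteralPath $expanded).Status.ToString()
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # PSPath, PSParentPath, etc. are PowerShell bookkeeping, not registry values.
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $exe = Get-ExecutableFromCommand -Command ([string]$p.Value)
        $findings += [PSCustomObject]@{
            Source    = $key
            Name      = $p.Name
            Command   = $p.Value
            Signature = if ($exe) { Test-Binary -Path $exe } else { 'UNPARSED' }
        }
    }
}

# StartMode 'Auto' in Win32_Service corresponds to StartType 'Automatic' in Get-Service.
foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
    $exe = Get-ExecutableFromCommand -Command ([string]$svc.PathName)
    $findings += [PSCustomObject]@{
        Source    = 'Service'
        Name      = $svc.Name
        Command   = $svc.PathName
        Signature = if ($exe) { Test-Binary -Path $exe } else { 'UNPARSED' }
    }
}

# Anything other than Valid is a lead: unsigned, tampered, or pointing at a file
# that is no longer on disk.
$findings | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Two caveats when reading the output: many services run inside svchost.exe, so a Valid signature there only vouches for the host, not for the DLL it loads (the ServiceDll value under the service's Parameters key is where to look next), and a MISSING result on a service is itself interesting, because the service will fail to start and someone may have cleaned up a binary while leaving the configuration behind.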

Knowledge Check

1. Which registry key is commonly used by malware for persistence?

2. What is a "handle" in Windows?

3. Why might a security analyst be suspicious of a process with an unusually high thread count?

4. Which PowerShell command retrieves the owner of a running process?

Answer all questions to complete the lab.

Lab Complete!

You now understand Windows internals at a level useful for security analysis. These skills are essential for malware analysis and incident response.
