Work Package 2: Analysis of Windows 10


Version: 1.0

Federal Office for Information Security
Post Box 20 03 63
D-53133 Bonn
Phone: +49 22899 95820-0
E-Mail: [email protected]
Internet: https://www.bsi.bund.de
© Federal Office for Information Security 2018

Table of Contents

1 Introduction (p. 5)
1.1 Zusammenfassung (Summary, in German) (p. 5)
1.2 Executive Summary (p. 10)
2 Architecture Overview (p. 12)
2.1 Traditional Architecture (p. 12)
2.2 Virtual Secure Mode Architecture (p. 17)
2.3 Terminology and Scope (p. 19)
3 Component Architecture (p. 20)
3.1 PowerShell and Windows Script Host (p. 20)
3.1.1 PowerShell (p. 20)
3.1.2 Windows Script Host (p. 22)
3.2 Telemetry (p. 24)
3.3 Virtual Secure Mode (p. 26)
3.4 Device Guard (p. 29)
3.5 Trusted Platform Module and Unified Extensible Firmware Interface "Secure Boot" (p. 31)
3.6 Universal Windows Platform (p. 36)
3.7 Other Components (p. 40)
3.7.1 System Support Processes (p. 41)
3.7.2 Services (p. 42)
3.7.3 Drivers (p. 43)
3.7.4 Windows Subsystem, ntdll.dll, Windows Kernel, and HAL (p. 44)
3.7.5 Summary (p. 47)
4 Logging Capabilities (p. 53)
4.1 Windows 10: Logging Capabilities (p. 53)
4.2 Logging Domain: EventLog (p. 56)
4.3 Logging Domain: Components (p. 57)
Appendix (p. 60)
Tools (p. 60)
List of Services (p. 61)
List of Drivers (p. 63)
Audit Policy Categories and Event IDs (p. 67)
Reference Documentation (p. 98)
Keywords and Abbreviations (p. 99)

Figures

Figure 1: A compact overview of the architecture of Windows 10 (p. 13)
Figure 2: An overview of the architecture of Windows 10 (p. 15)
Figure 3: Implementation of the ExAllocatePoolWithTag routine in the Windows kernel (p. 16)
Figure 4: A function call chain in Windows 10 (p. 17)
Figure 5: An overview of the architecture of Windows 10 (VSM enabled) (p. 18)
Figure 6: The deployment of the local security authority in a Windows 10 system with a) VSM disabled; b) VSM enabled (p. 18)
Figure 7: The architecture of PowerShell (p. 20)
Figure 8: PowerShell core modules (p. 21)
Figure 9: The architecture of WSH (p. 22)
Figure 10: The COM interface of WSH: The WSHNetwork COM object (p. 23)
Figure 11: The architecture of Microsoft Telemetry (p. 24)
Figure 12: Deployment of the DiagTrack service (p. 25)
Figure 13: Network traffic between Windows 10 and the Microsoft Data Management Service (p. 25)
Figure 14: Trace providers configured for Diagtrack-Listener (p. 25)
Figure 15: VTLs (p. 27)
Figure 16: The architecture and function execution paths of VSM (p. 28)
Figure 17: An invocation of the SkCallNormalMode routine (p. 28)
Figure 18: The architecture of Device Guard (p. 30)
Figure 19: A Device Guard policy file (p. …)
