Pavel Yosifovich

Short videos related (mostly) to Windows Internals and software development.


Simple COM Server (Part 2)

Simple COM Server (Part 1)

(Simple) Reverse Shell

Modules Enumeration

Registry: The Main Hives

Fork/Join Parallelism

Simple Function Hooking

Simple Data Race

Hello Assembly!

Introduction to ETW

Process Address Space Size

Creating a Window

Windows Containers

Job Objects

Simple Memory Sharing

Substituting Executables

Comments

  • @deankavanagh4306 (3 days ago)

    Sorry to ask this just in case this has been asked before. I love the Windows Internals books and was just wondering if anyone knows whether an 8th edition will be on the way or whether the current 7th edition is also completely relevant to Windows 11? I assume it is since I have heard that 11's codebase is the same, or most of it is, as 10's. Thanks to any replies!

  • @zodiacon (3 days ago)

    Yes, the 7th edition is relevant to Windows 11 as well as Windows 10. There is some new stuff in Windows 11, but it's still the same codebase.

  • @deankavanagh4306 (3 days ago)

    @zodiacon Thanks Pavel, is there likely to be an 8th edition in the future if enough changes occur?

  • @zodiacon (3 days ago)

    I would say it's likely, but really no way to tell...

  • @deankavanagh4306 (3 days ago)

    @zodiacon Thanks Pavel, really appreciate your replies!

  • @johnnywilliams2641 (4 days ago)

    Better than finding some porno magazines when I was a kid. Kids today are lucky with the internet.

  • @nazmdar (5 days ago)

    Thanks for your nice explanation. Does this technique work even if "Address space layout randomization" is enabled? Is the address of "LoadLibraryA" the same in the virtual address space of all processes?

  • @zodiacon (5 days ago)

    @nazmdar Yes

  • @user-yi4ef2gk1o (6 days ago)

    Very cool if you can maybe show us adding functions to a driver, then injecting that driver without hurting the non-tampered-with driver functionality!! 😃😄

  • @semihartan (7 days ago)

    Hey, does anyone know how to download Notepad's symbols? In my case, it seems like WinDbg doesn't download them automatically.

  • @zodiacon (7 days ago)

    If you're on Win 11 and using the "new" Notepad - I believe the symbols are not provided by MS.

  • @semihartan (7 days ago)

    @zodiacon Yes, I am on Win 11. I see it now, thanks a lot. Uhh, if you don't mind, may I ask you why a Windows guru like you doesn't prefer Win 11? I don't like Win 11 either, but I use it anyway because of hardware/driver compatibility.

  • @zodiacon (7 days ago)

    Win 11 is a failure, in my opinion. The kernel is still good, but the user-facing features are terrible, such as the taskbar and Explorer.

  • @semihartan (6 days ago)

    @zodiacon Yes, I agree with you. In addition, its memory use when idle keeps growing. Even just a simple calculator app can take 100 MB of memory. I miss the old Windows 7 days so much.

  • @12335mohammad (7 days ago)

    Thanks for this content. You can access \Device\HarddiskVolume1 and read its content by creating a symlink to it with this command: mklink /d C:\FAT \\?\GLOBALROOT\Device\HarddiskVolume1\ and then going to the path C:\FAT using cmd!

  • @_zproxy (7 days ago)

    It seems a SATA volume can only be accessed after it was mounted into an empty folder. Yet can we use a volume without mounting it to any folder?

  • @zodiacon (7 days ago)

    Not sure what you mean by "mounting to a folder" - a volume is independent of any folder. It may be unformatted, which will not allow "standard" access, but it is still possible with APIs.

  • @_zproxy (7 days ago)

    @zodiacon It seems that without calling SetVolumeMountPoint one cannot access files directly on the new volume; otherwise one could subst subfolders as drives directly via Control\Session Manager\DOS Devices...

  • @zodiacon (7 days ago)

    I did access files directly...

  • @zodiacon (7 days ago)

    That said, there may be subtleties I am missing here.

  • @_zproxy (7 days ago)

    @zodiacon Your volume was mounted as C. Try a volume that's not mounted at all.

  • @2radix774 (8 days ago)

    BTW, at 6:64 it shows you ObjectNameAddress (in this case 36feb2e5a8). In my case ObjectNameAddress is 0x0000000a`9232dd88; when I type: du 0xa9232dd88 it doesn't show me the string representing the path, why is that? (It only prints "VX".)

  • @zodiacon (8 days ago)

    It's a UNICODE_STRING structure, so you may need to use dt ntdll!_UNICODE_STRING and the address.

  • @semihartan (8 days ago)

    I love Windows Internals. It is really a pleasure to watch the videos of one of its co-authors.

  • @TilKenneth (8 days ago)

    Can you use a different curl.exe than the one Windows ships with then?

  • @2radix774 (9 days ago)

    Great explanation as always.

  • @lukehjo (9 days ago)

    Another great video!

  • @Bagrat-III (11 days ago)

    I have to say your book about Windows kernel programming is pure GOLD, huge thanks to you <3 <3 <3 Also I have a question: would you advise me to read Richter's book about the CLR? Is it still relevant info for a .NET Core developer?

  • @zodiacon (11 days ago)

    The main ideas of .NET apply to .NET Core as well, but some internal details will be somewhat different. Also, his book only covers relatively old versions of C# and .NET. I think even async/await (C# 5) was not available at the time.

  • @eve1234-gn3 (16 days ago)

    Pavel, thanks a lot for all the awesome and free material you always put out (have taken a few of your courses as well). Do you have plans of covering RPC (RPC server/client, and how RPC can be used to marshal/demarshal data, etc.) in future videos?

  • @zodiacon (16 days ago)

    I don't know. Not sure how interesting RPC is these days...

  • @_zproxy (17 days ago)

    VB6 used to be cool.

  • @JeffOnsager (19 days ago)

    "the next parameter is reserved which is always a good thing..." 😅

  • @testuser-lo2dt (19 days ago)

    I wish I had him as a mentor.

  • @sherman4163 (20 days ago)

    Papa Pavel

  • @ExtasyHosting (20 days ago)

    Papa Pavel!

  • @r3dtech896 (20 days ago)

    Papa Pavel

  • @Pxiell-r7s (20 days ago)

    Papa Pavel!

  • @RomanSmith-v4r (20 days ago)

    Papa Pavel!!

  • @dead_in_heaven (20 days ago)

    Papa Pavel

  • @Kaassap (20 days ago)

    I'm very hyped for COM content. I'm still very new and trying to learn COM and the Windows API for amusement. Bought 'Windows via C/C++' by Jeffrey Richter recently. I still have a lot of work to do, but I'm planning on reading your book on native Windows next. Is it just me or is COM content on YouTube really scarce?

  • @zodiacon (20 days ago)

    @Kaassap I don't know, didn't look.

  • @user-yi4ef2gk1o (20 days ago)

    Great video Pavel

  • @Bomag (20 days ago)

    This is great. Will you cover more COM things in the future, e.g. the COM threading model (STA, MTA), in future videos? I'm trying to find good COM resources for colleagues and they don't seem to like to read books :( Your videos are perfect for the younger guys honestly.

  • @zodiacon (20 days ago)

    Probably, but no promises. I do have a full video course on COM on trainsec.net.

  • @Misheeification (22 days ago)

    Is it possible to query ETW for the event fields with logman instead of using ETW Explorer?

  • @zodiacon (22 days ago)

    No, as far as I can tell.

  • @worldwar_two2894 (26 days ago)

    Very nice! Well explained! Respect for boiling down this intricate stuff into something ingestible and digestible! Also respect for the 128 GiB RAM machine 😅

  • @soniyakc9354 (27 days ago)

    Hi, how does this percentage for the CPU hard limit change based on hardware? Depending on the system, I am seeing that the value has a different effect.

  • @zodiacon (27 days ago)

    I don't know what you mean. What are you seeing?

  • @soniyakc9354 (13 days ago)

    @zodiacon Say if it's set to 10% for CpuRate using a job object, Task Manager shows around 13-14% as the hard cap on my laptop. If I run the same executable on a high-end system, it shows 2.5% of CPU in Task Manager as the hard limit.

  • @zodiacon (13 days ago)

    @soniyakc9354 How "high end" is that system? You should always see around 10%, unless you have more than 64 processors on that system.

  • @CoolGamer6525 (a month ago)

    Hi, is it possible to convert a DLL to a .exe trainer?

  • @zodiacon (a month ago)

    Depends on what you mean by "convert". You can remove the DLL bit from the PE header, but the entry point will be DllMain, and it's not what is expected from an EXE, so it is likely to crash.

  • @cxmpcxmbo9130 (a month ago)

    YOU the MAN PAVEL

  • @ALCHEMYTWEAKS (a month ago)

    Thanks for your video Pavel, honestly you are helping people learn really fundamental things about Windows for free. You're the best.

  • @SauvikRoy (a month ago)

    Try launching a fork bomb! 😅

  • @0x4ndr3 (a month ago)

    One of my favorite channels. Keep these videos coming, please!

  • @ttutankhamon86 (a month ago)

    Beautiful work! Love this!

  • @user-yi4ef2gk1o (a month ago)

    Always a good day when PAVEL POSTS :)

  • @CodeDdukDdak (a month ago)

    thx thxthxthxthxththx

  • @amerafa1 (2 months ago)

    Thank you very much for sharing your knowledge. I know you have a course about this on trainsec, but if possible please create a video teaching the basics of WDF.

  • @zodiacon (2 months ago)

    WDF is a big topic, not suitable for a video.

  • @user-yi4ef2gk1o (2 months ago)

    PAVEL

  • @user-yi4ef2gk1o (2 months ago)

    Nice video, I have nearly watched the whole YT channel.

  • @user-yi4ef2gk1o (2 months ago)

    Good stuff my man.

  • @user-yi4ef2gk1o (2 months ago)

    PAVEL you are the man!!

  • @gregandark8571 (2 months ago)

    If I patch all the hardcoded telemetry IPs inside Windows, will Windows stop working at boot?

  • @Hallilo (2 months ago)

    You can use the hosts file to block addresses, however I wouldn't count on that if you want to get rid of telemetry.

  • @gregandark8571 (2 months ago)

    @Hallilo I got rid of Windows, but my curiosity regarding this whole subject is still alive.

  • @user-yi4ef2gk1o (2 months ago)

    Smart man!!

  • @Hallilo (3 months ago)

    Great video as always. What I think would be really interesting is a video about the networking internals of Windows, because I never found a lot of information about that. I've read Windows Internals 7th edition part 1 and am currently reading part 2, but there isn't anything about networking.

  • @the_nurk (3 months ago)

    Got to say, the one thing I appreciate the most about all of what you are doing is the dedication to digging to the exact fact I need to see to verify what you're saying is true. Windows makes that very hard.

  • @MarekKnapek (3 months ago)

    Your registry tool is using old-style look-and-feel scroll bars. Maybe you are missing the v6 common controls XML manifest?

  • @zodiacon (3 months ago)

    No, the common controls 6 manifest is there. It's the normal style; I am on Win 10. It looks different on Win 11.

  • @MarekKnapek (3 months ago)

    @zodiacon OK, then something else is going on. The scroll bars are not consistent between the built-in tool and your tool.

  • @zodiacon (3 months ago)

    I will say this: my tool supports dark mode and for that I had to use some hooks and subclassing, but I didn't touch the scroll bars that are built into Windows (like the list view), because they are very difficult to customize.

  • @MrDimension0 (3 months ago)

    Thank you for the great video. I am wondering if we need thread synchronization, especially for the wchar process name changed by the configurator process and used inside the compare function inside the .dll? Also, what about memory barriers, so that writes to the pid and process name actually flush the store buffer and can be observed by the DLL inside Task Manager? I'm a total noob on this and I am probably wrong. I would be grateful if you could add a short explanation of why we don't need to care about these threading problems in this case. Thanks a lot.

  • @zodiacon (3 months ago)

    In theory, you would need thread sync (a simple mutex or SRWLock will do) because the globals are read and written potentially at the same time from 2 different threads, but not really in practice, since if something is observed as partially changed, it will be picked up correctly the next time NtQuerySystemInformation is called. A memory barrier here is an alternative to synchronization - you could add a memory barrier to force the memory to be observed by other processors right after the update to ensure sequential consistency, but again, from a practical perspective it's not needed, especially since the configurator exits quickly, which will force store buffer flushing. And in any case, the example is non-trivial as it is without adding sync to the mix :)

  • @the_nurk (3 months ago)

    Can you use modular arithmetic for getting chunks?

  • @zodiacon (3 months ago)

    What do you mean "modular arithmetic"?

  • @the_nurk (3 months ago)

    @zodiacon kzread.info/dash/bejne/nn5npaZyfZbUdbQ.html&pp=ygUdemFjaCBzdGFydCBtb2R1bGFyIGFyaXRobWV0aWM%3D

  • @amirmahdavi8005 (3 months ago)

    Thanks.

  • @chicoern (3 months ago)

    Great video! Are you using an extension for syntax highlighting? If so, which one? Thanks!

  • @zodiacon (3 months ago)

    I think it's what you get out of the box. But if not, there is a syntax highlighting extension from Mads Kristensen.

  • @ek2719 (4 months ago)

    Great content. Plenty to refer to in the future. Thanks!