
SiSyPHuS Win10: Analysis of Windows 10 - OS Architecture

The objective of this work package is the analysis of the architecture and logging capabilities of the Windows 10 operating system, as well as of individual system functionalities (e.g., telemetry, code integrity verification). The analysis focuses on new architectural parts and features that leverage virtualization and were introduced with Windows 10.

Table of contents analysis document

1 Introduction
1.1 Executive Summary (German)
1.2 Executive Summary (English)
2 Architecture Overview
2.1 Traditional Architecture
2.2 Virtual Secure Mode Architecture
2.3 Terminology and Scope
3 Component Architecture
3.1 Powershell and Windows Script Host
3.2 Telemetry
3.3 Virtual Secure Mode
3.4 Device Guard
3.5 TPM and UEFI "SecureBoot"
3.6 Universal Windows Platform
3.7 Other components
4 Logging
4.1 Windows 10: Logging Capabilities
4.2 Logging Domain: Event Log
4.3 Logging Domain: Components
Appendix
Reference Documentation
Keywords and Abbreviations

Summary:

For each component, an overview will be given describing the general architecture and relationships between different components:

  • PowerShell and Windows Script Host
  • Telemetry
  • Device Guard
  • Virtual Secure Mode (VSM)
  • Trusted Platform Module (TPM)
  • Unified Extensible Firmware Interface (UEFI) "Secure Boot"
  • Universal Windows Platform (UWP)

During the analysis, several security-relevant components have been identified which will be analyzed during the course of the project:

  • The so-called "Application Compatibility Infrastructure" (AppCompat), which enables the execution of older software by providing specific execution environments and which has had vulnerabilities in the past;
  • Windows Driver Management, which controls the installation and configuration of drivers. Drivers are highly privileged system components;
  • "PatchGuard", which is a Windows feature for the detection and remediation of unauthorized changes to the operating system kernel.