The -kernelbreaking- work of a staggering genius…

… aka Mark Russinovich. Check out his latest post (it’s also the first one on his new blog); it’s simply incredible how deeply this man knows Windows. I wonder why Microsoft waited so long before asking him to join them.

Enjoy his nonchalance while unraveling Windows mysteries:

1. Explorer’s Run dialog calls ShellExecuteCmdLine
2. ShellExecuteCmdLine calls out to shell execute hooks
3. Windows Defender’s hook for real-time protection, MpShHook.Dll, calls RPC to communicate with the Windows Defender service, passing the SID of the service as an argument
4. The RPC library calls GetMachineAccountSid to see if the SID matches the computer’s domain SID, in which case it would map the SID to the local system account SID
5. GetMachineAccountSid performs an RPC to the Netlogon service to get the computer account’s SID
6. If the computer account’s SID hasn’t been obtained already, Netlogon tries to connect to a domain controller
7. If the domain controller connection fails after a timeout (the delay), Netlogon returns a trust-relationship failure error
8. The Windows Defender RPC proceeds using the unmapped SID
9. Windows Defender’s service performs real-time checks and then process launches
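The interesting decision in that chain is steps 4 to 8: whether the SID handed to the RPC runtime gets mapped to LocalSystem depends on Netlogon being able to return the computer account's SID, and when no domain controller answers the call simply proceeds unmapped after the timeout. The following is an added example, not Microsoft's or Mark Russinovich's code: it models only that decision logic in Python. The function names (`parse_sid`, `get_machine_account_sid`, `resolve_caller_sid`), the cached/DC-reachable flags and the sample SIDs are constructed for the illustration, and the "matches" test in step 4 is modelled as equality with the machine account SID.

```python
"""Model of the SID-mapping decision in the call chain quoted above (steps 4-8).

Added example, not Microsoft's or Mark Russinovich's code: the function names,
the cache/DC flags and the sample SIDs below are constructed for illustration.
The real RPC runtime and Netlogon are not reimplemented here; only the decision
logic the steps describe is modelled.
"""
from typing import Optional, Tuple

LOCAL_SYSTEM_SID = "S-1-5-18"   # well-known SID of the LocalSystem account
DOMAIN_SID_PREFIX = "S-1-5-21"  # prefix shared by domain and machine account SIDs


class TrustRelationshipFailure(Exception):
    """Stand-in for the trust-relationship error Netlogon returns in step 7."""


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split a domain-style SID 'S-1-5-21-A-B-C-RID' into (domain SID, RID).

    Well-known SIDs such as S-1-5-18 have no domain part and raise ValueError.
    """
    parts = sid.split("-")
    if len(parts) != 8 or "-".join(parts[:4]) != DOMAIN_SID_PREFIX:
        raise ValueError(f"not a domain-style SID: {sid}")
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"non-numeric sub-authority in SID: {sid}")
    return "-".join(parts[:7]), int(parts[7])


def get_machine_account_sid(cached_sid: Optional[str], dc_reachable: bool,
                            sid_from_dc: str) -> str:
    """Steps 5-7: return the computer account's SID.

    A cached value is returned immediately; otherwise the lookup 'contacts' a
    domain controller (modelled by dc_reachable) and raises the trust error
    when that times out. This is where the delay in the original post sits.
    """
    if cached_sid is not None:
        return cached_sid
    if not dc_reachable:
        raise TrustRelationshipFailure("no domain controller reachable (timeout)")
    return sid_from_dc


def resolve_caller_sid(service_sid: str, cached_sid: Optional[str],
                       dc_reachable: bool, sid_from_dc: str) -> Tuple[str, bool]:
    """Steps 4 and 8: decide which SID the RPC call proceeds with.

    Returns (sid_used, mapped). If the service SID equals the machine account
    SID it is mapped to LocalSystem; if the machine SID cannot be obtained,
    the RPC proceeds with the unmapped SID (step 8).
    """
    try:
        machine_sid = get_machine_account_sid(cached_sid, dc_reachable, sid_from_dc)
    except TrustRelationshipFailure:
        return service_sid, False
    try:
        parse_sid(service_sid)  # reject malformed input before comparing
        parse_sid(machine_sid)
    except ValueError:
        return service_sid, False
    if service_sid == machine_sid:
        return LOCAL_SYSTEM_SID, True
    return service_sid, False


# Constructed sample values: a machine account SID and an unrelated account SID.
MACHINE_SID = "S-1-5-21-1000-2000-3000-1104"
OTHER_SID = "S-1-5-21-1000-2000-3000-1105"


def scenarios() -> dict:
    """Run the cases a practitioner would want to see side by side."""
    return {
        "cached, sid matches": resolve_caller_sid(MACHINE_SID, MACHINE_SID, True, MACHINE_SID),
        "dc reachable, no cache": resolve_caller_sid(MACHINE_SID, None, True, MACHINE_SID),
        "dc unreachable, no cache": resolve_caller_sid(MACHINE_SID, None, False, MACHINE_SID),
        "different sid": resolve_caller_sid(OTHER_SID, MACHINE_SID, True, MACHINE_SID),
    }


if __name__ == "__main__":
    for name, (sid, mapped) in scenarios().items():
        print(f"{name:26s} -> {sid} (mapped={mapped})")
```

The third scenario is the one the post describes: no cached machine SID, no reachable domain controller, so the only cost is the timeout before the unmapped SID is used and the launch continues. Seen from a defender's side, that is the behaviour to expect on a domain-joined laptop that is off the corporate network, and the reason a slow Run dialog is a connectivity symptom rather than a sign that the real-time check was skipped.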

Hey Mark! What about renaming your blog to something like “Thinking in [Windows] API – Mark Russinovich’s technical blog covering topics such as those no one else can”? I think it would be more appropriate.



~ by Matteo on August 31, 2006.

2 Responses to “The -kernelbreaking- work of a staggering genius…”

  1. “I wonder why Microsoft waited so long before asking him to join them”

    you are kidding, right?

  2. Not at all. Can you explain what you mean?

