The -kernelbreaking- work of a staggering genius…
… aka Mark Russinovich. Check out his latest post (it’s also the first one on his new blog); it’s simply incredible how deeply this man knows Windows. I wonder why Microsoft waited so long before asking him to join them.
Enjoy his nonchalance while unravelling Windows mysteries:
1. Explorer’s Run dialog calls ShellExecuteCmdLine
2. ShellExecuteCmdLine calls out to shell execute hooks
3. Windows Defender’s hook for real-time protection, MpShHook.Dll, calls RPC to communicate with the Windows Defender service, passing the SID of the service as an argument
4. The RPC library calls GetMachineAccountSid to see if the SID matches the computer’s domain SID, in which case it would map the SID to the local system account SID
5. GetMachineAccountSid performs an RPC to the Netlogon service to get the computer account’s SID
6. If the computer account’s SID hasn’t been obtained already, Netlogon tries to connect to a domain controller
7. If the domain controller connection fails after a timeout (the delay), Netlogon returns a trust-relationship failure error
8. The Windows Defender RPC proceeds using the unmapped SID
9. Windows Defender’s service performs real-time checks and then the process launches
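The hook list that step 2 walks is simply whatever is registered under Explorer’s ShellExecuteHooks key, so the same chain runs for any third-party hook, not just Defender’s. As an added example (not code from Mark’s post), this PowerShell snippet lists those hooks and resolves each CLSID to the DLL behind it; it assumes the standard HKLM key layout (CLSID value names) and uses the made-up function name Get-ShellExecuteHook.

```powershell
# Added example, not from Mark Russinovich's post: enumerate the shell execute hooks
# registered on this machine and resolve each CLSID to the DLL that implements it.
# Every entry here is called by ShellExecuteCmdLine on each Run-dialog launch.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Get-ShellExecuteHook {
    if (-not (Test-Path $hookKey)) {
        Write-Warning "No ShellExecuteHooks key present on this system."
        return
    }
    $item = Get-Item $hookKey
    foreach ($clsid in $item.GetValueNames()) {
        # Each value name is a CLSID; the value data is an optional description string.
        $description = $item.GetValue($clsid)
        $dll = $null
        $signature = 'n/a'
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $inproc) {
            # The (default) value of InprocServer32 holds the DLL path, often with
            # environment variables (e.g. %ProgramFiles%) that must be expanded first.
            $raw = (Get-ItemProperty $inproc).'(default)'
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw)
                if (Test-Path $dll) {
                    $signature = (Get-AuthenticodeSignature $dll).Status
                }
            }
        }
        [pscustomobject]@{
            CLSID       = $clsid
            Description = $description
            Dll         = $dll
            Signature   = $signature   # anything other than 'Valid' deserves a closer look
        }
    }
}

Get-ShellExecuteHook | Format-Table -AutoSize
```

A hook whose DLL is missing, unsigned, or sitting outside Program Files or System32 is worth investigating, since it runs inside Explorer every time a program is launched through the shell.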
Hey Mark! What about renaming your blog to something like “Thinking in [Windows] API – Mark Russinovich’s technical blog covering topics such as those no one else can”? I think it would be more appropriate.