Windows NT Architecture

2008 Oct 18

**Windows NT System**
User Mode
Winlogon	Windows 16 Client	Virtual DOS Machine (VDM)	Windows 32 Client	OS/2 Client	POSIX Client	RAS Client
Security Subsystem	Windows on Windows (WOW)	DOS Client	Windows 32 Subsystem	OS/2 Subsystem	POSIX Subsystem	RAS Subsystem

Kernel Mode
I/O Manager	Object Manager	Security Reference Manager	Process Manager	Local Procedure Call	Virtual Memory Manager	Graphics Driver Manager

		Kernel
	Hardware Abstraction Layer

Winlogon : handles user logon attempts
Windows 32 Subsystem : coordinates the activity of User Mode subsystems and provides an interface between this mode and Kernel Mode
Windows on Windows : enables users to run the older 16 bit applications
OS/2 : supports its specific enviornment if needed
POSIX : supports its specific enviornment if needed
Security Subsystem : known as the Local Security Authrity (LSA), determines whether login attempts are valid by sending entries to the Security Accounts Manager (SAM) - there are two encrypted fields for the password for newr and older compatibility in SAM.
Security Reference Manager : verifies users and programs have permission to access a file or directory; and defines how audit settings translate into the actual capture of events in the Event Log.
Hardware Abstraction Layer : Interfaces to the device drivers

NT Passwords

NT password hashes are formed by taking the password to be exactly 14 characters (longer are truncated at end, shorter are padded with spaces). This is then passed through the MD-4 (Message Digest, ver 4) hashing algorithm three times to produce the hash. The older LM representation is an encrypted fixed hexadecimal number derived from the password.

2005-2008