Windows: Architecture and Evolution from Past to Present
The Beginning: From MS-DOS to Windows (1981–1990)
MS-DOS — The Foundation of Everything
MS-DOS (Microsoft Disk Operating System), which shipped with the IBM PC in 1981, was far removed from what we'd call a modern operating system:
- Single-tasking (no multitasking)
- Single-user
- Command-line interface only
- 640 KB RAM limit (Bill Gates's famous "640K ought to be enough for anybody")
- 16-bit real mode — no memory protection, every program can access all of RAM
MS-DOS Memory Map
┌─────────────────┐ 0xFFFFF (1 MB upper limit)
│ ROM BIOS │
├─────────────────┤ 0xC0000
│ Video Memory │
├─────────────────┤ 0xA0000
│ High Memory │ ← some drivers loaded here
├─────────────────┤ 0x9FFFF
│ User / │
│ Program Area │ ← 640 KB (actual program space)
├─────────────────┤ 0x00600
│ DOS Kernel │
└─────────────────┘ 0x00000
Windows 1.0 — 2.0 (1985–1990): A Graphical Shell
Windows was not an operating system at first — it was a graphical shell running on top of MS-DOS.
- Windows 1.0 (1985): Non-overlapping windows, mouse support
- Windows 2.0 (1987): Overlapping windows, keyboard shortcuts
- Windows/386 (1987): Used 386 protected mode to run multiple DOS applications
Users still launched Windows by typing WIN from the DOS prompt.
The Windows 3.x Era (1990–1994): Mass Adoption
Windows 3.0 (1990) and Windows 3.1 (1992) delivered the first real commercial success.
Technical Innovations
- 386 Enhanced Mode: 32-bit protected mode, virtual memory, multiple DOS sessions
- Virtual Machine Manager (VMM): Each DOS application ran in its own virtual machine
- GDI (Graphics Device Interface): Graphics drawing API — still present today
- USER module: Window management and message system
Windows 3.1 Layered Architecture
┌──────────────────────────────┐
│ User Applications │
├──────────────────────────────┤
│ USER.EXE │ GDI.EXE │ ... │ ← Win16 API (16-bit DLLs)
├──────────────────────────────┤
│ KRNL386.EXE │ ← Kernel (still 16-bit!)
├──────────────────────────────┤
│ MS-DOS │ ← DOS still underneath
├──────────────────────────────┤
│ Hardware │
└──────────────────────────────┘
Problems
- Weak memory protection: if one app crashed, Windows usually crashed with it
- Cooperative multitasking: applications had to "voluntarily" yield the CPU
- 16-bit architecture bottleneck: couldn't fully exploit 32-bit hardware
The Windows NT Lineage — A New Kernel (1993)
Why NT?
While working with IBM on OS/2, Microsoft hired Dave Cutler (architect of VMS). Cutler designed an enterprise-grade operating system kernel from scratch: Windows NT.
NT's design goals:
- Portability (x86, MIPS, Alpha, PowerPC)
- Security (targeting C2 security certification)
- Reliability (user-mode crashes don't affect the kernel)
- POSIX and OS/2 compatibility
Windows NT Kernel Architecture
┌─────────────────────────────────────────────────────┐
│ User Mode │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────┐ │
│ │Win32 App │ │POSIX App │ │ OS/2 App │ │Service │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └───┬────┘ │
│ │ │ │ │ │
│ ┌────▼─────────────▼─────────────▼───────────▼────┐│
│ │ Environment Subsystems ││
│ │ Win32 (csrss.exe) │ POSIX │ OS/2 ││
│ └────────────────────┬───────────────────────────┘ │
│ │ NT Native API │
├────────────────────────┼────────────────────────────┤
│ Kernel Mode │
│ │ │
│ ┌─────────────────────▼──────────────────────────┐ │
│ │ Executive Subsystem │ │
│ │ │ │
│ │ ┌─────────┐ ┌────────┐ ┌──────┐ ┌──────────┐ │ │
│ │ │ Process │ │ Object │ │ I/O │ │ Security │ │ │
│ │ │ Manager │ │Manager │ │ Mgr │ │Reference │ │ │
│ │ └─────────┘ └────────┘ └──────┘ └──────────┘ │ │
│ │ ┌──────────────────┐ ┌─────────────────────┐ │ │
│ │ │ Memory Manager │ │ Cache Manager │ │ │
│ │ └──────────────────┘ └─────────────────────┘ │ │
│ └──────────────────────┬──────────────────────────┘ │
│ │ │
│ ┌───────────────────────▼──────────────────────────┐│
│ │ NT Kernel (ntoskrnl.exe) ││
│ │ Scheduling │ Synchronization │ Interrupt Hdlg ││
│ └───────────────────────┬──────────────────────────┘│
│ │ │
│ ┌────────────────────────▼─────────────────────────┐│
│ │ Hardware Abstraction Layer (HAL) ││
│ └────────────────────────┬─────────────────────────┘│
└───────────────────────────┼─────────────────────────┘
│
Hardware
Core NT Concepts
Object Manager In NT, everything is an object: files, processes, threads, mutexes, sockets. All share the same reference-counting and security mechanism.
Object Types
├── Process
├── Thread
├── File
├── Event
├── Mutex
├── Semaphore
├── Token (security)
└── Section (shared memory)
HAL (Hardware Abstraction Layer) Isolates hardware-specific code in a single layer. The same NT kernel can run on x86, MIPS, or Alpha with a different HAL.
Windows NT Releases
| Version | Year | Highlight |
|---|---|---|
| NT 3.1 | 1993 | First NT, workstation + server |
| NT 3.51 | 1995 | Performance improvements |
| NT 4.0 | 1996 | Win95 UI + GDI moved to kernel mode |
Windows 95/98/Me — The Consumer Line (1995–2000)
In parallel with NT, Microsoft maintained a separate line for home users.
Windows 95 (1995)
One of the most significant OS launches in history. Key innovations:
- 32-bit API (Win32) — same API surface as NT
- Long file names — end of the 8.3 limit
- Plug and Play — automatic hardware detection
- Taskbar + Start menu — a UI paradigm that endures to this day
- Preemptive multitasking (for Win32 applications)
But MS-DOS was still underneath. IO.SYS and MSDOS.SYS remained as hidden
system files. The kernel was a hybrid of MS-DOS and 16-bit Windows components.
Windows 98 / 98 SE (1998–1999)
- USB support added
- Deep integration with Internet Explorer 4/5 (subject of the antitrust case)
- FAT32 support
- Multi-monitor support
Windows Me (2000) — The Bottom of the Barrel
One of the worst-received Windows releases in history:
- Removed MS-DOS mode (but DOS was still there underneath)
- Added System Restore (good idea, poor implementation)
- Heavy instability and crash complaints
- Short-lived: everyone abandoned it the moment Windows XP shipped
Windows 2000 and XP — The Merger (2000–2007)
Windows 2000 (2000)
Also known as NT 5.0. Brought the NT kernel outside of the enterprise:
- Active Directory for the first time
- NTFS 3.0 (quotas, encryption, sparse files)
- Plug and Play + WDM driver model
- First attempt to bring the NT kernel to the consumer segment
Windows XP (2001) — The Long Reign
The convergence point of the consumer (95/98/Me) and enterprise (NT/2000) lines. Built on the NT 5.1 kernel.
Windows XP Architecture
┌─────────────────────────────────────────────┐
│ User Mode │
│ │
│ ┌─────────────────────────────────────────┐│
│ │ Win32 Subsystem ││
│ │ csrss.exe │ winlogon.exe │ services.exe││
│ └────────────────────┬────────────────────┘│
│ │ Win32k.sys (syscall)│
├────────────────────────┼────────────────────┤
│ Kernel Mode │
│ │
│ ┌─────────────────────────────────────────┐│
│ │ ntoskrnl.exe (Executive + Kernel) ││
│ └─────────────────────────────────────────┘│
│ ┌─────────────┐ ┌──────────────────────┐ │
│ │ win32k.sys │ │ Drivers (.sys) │ │
│ │ (GDI+USER) │ │ NDIS, FS, HID... │ │
│ └─────────────┘ └──────────────────────┘ │
│ ┌─────────────────────────────────────────┐│
│ │ HAL.DLL ││
│ └─────────────────────────────────────────┘│
└─────────────────────────────────────────────┘
XP's biggest contributions:
- ClearType font smoothing
- Fast User Switching — switch users without logging out
- System Restore (the version that actually worked)
- Driver Signing — warnings for unsigned drivers
- WPA (Windows Product Activation) — anti-piracy
XP was supported by Microsoft until 2014. 13 years.
Windows Vista (2007) — Major Architectural Shift, Difficult Birth
Vista was the product of five years of development and brought deep architectural changes. However, hardware requirements and compatibility issues led to a poor reception.
Key Architectural Innovations
Windows Display Driver Model (WDDM) The graphics driver no longer runs entirely in kernel mode:
- The bulk of the driver was moved to user mode
- GPU memory is managed like virtual memory
- GPU crashes no longer bring down the system (the driver can restart)
User Account Control (UAC) Admin privileges are no longer automatic. Every privileged operation requires consent. (Users initially hated it, but it was a security revolution.)
Integrity Levels (IL) Every process and file has an integrity level:
System → kernel components
High → administrator processes
Medium → normal user applications
Low → Internet Explorer, sandboxed applications
A Low IL process cannot write to a Medium IL resource. A browser exploit can't take over the system because IL protection kicks in.
BitLocker Full-disk encryption integrated with TPM (Trusted Platform Module).
Kernel Patch Protection (KPP / PatchGuard) Prevents patching the kernel on 64-bit systems. Revolutionary for both rootkits and antivirus software (it impacted both).
Windows 7 (2009) — Vista Matured
Vista's criticised aspects were fixed; its solid architecture was kept.
- Aero Snap: Snap windows by dragging to screen edges
- Jump Lists: Recent files right from the taskbar
- HomeGroup: Home network sharing
- UAC tuning: Users can choose their preferred level
- XP Mode: Run XP applications inside a virtual machine
Kernel: NT 6.1 — not very different from Vista (NT 6.0). But the perception was completely different: hailed as "Vista fixed."
Windows 8 / 8.1 (2012–2013) — The Touch Revolution (and Retreat)
The desktop paradigm was dismantled to enter the tablet market.
Metro / Modern UI
- Start menu removed → Start Screen introduced (full-screen tiles)
- Two modes: "Modern" (touch) and "Desktop" (classic)
- WinRT (Windows Runtime) API introduced
WinRT Architecture
┌────────────────────────────────────────────────────┐
│ Application Layer │
│ ┌──────────────┐ ┌───────────────────────┐ │
│ │ Win32 / COM │ │ WinRT (Modern App) │ │
│ │ .NET / MFC │ │ C++ / C# / JS / VB │ │
│ └──────┬───────┘ └───────────┬───────────┘ │
│ │ │ │
│ ┌──────▼──────────────────────────▼───────────┐ │
│ │ Windows Runtime (WinRT) │ │
│ │ (COM-based, language-neutral component model)│ │
│ └──────────────────────┬──────────────────────┘ │
│ │ │
├───────────────────────────┼────────────────────────┤
│ Kernel (NT 6.2) │
└────────────────────────────────────────────────────┘
Reception
- Enterprise and desktop users revolted
- "Where is the Start menu?" dominated the internet
- Windows 8.1 brought back the Start button (but not the menu)
- Market share stayed below XP and 7
Windows 10 (2015) — The Compromise and "Last Windows"
Key Changes
- Start menu back + tiles side by side
- Cortana voice assistant
- Edge browser (successor to Internet Explorer)
- DirectX 12: Multi-threaded GPU command submission, lower driver overhead
- WSL (Windows Subsystem for Linux): Run real Linux binaries
- Universal Windows Platform (UWP): One app for all Windows devices
Servicing Model
"Windows as a Service" for the first time:
- Periodic Feature Updates (every 6 months) instead of major releases
- Every user on the same base kernel
Virtualization-Based Security (VBS)
Hyper-V-based security layers arrived with Windows 10:
Hardware (CPU, RAM, Storage)
│
▼
┌───────────────────────────────────────────┐
│ Hyper-V Hypervisor │
├───────────────────┬───────────────────────┤
│ Normal VM │ Secure VM (VSM) │
│ Windows 10 OS │ Credential Guard │
│ Applications │ Hypervisor-Protected │
│ │ Code Integrity (HVCI) │
└───────────────────┴───────────────────────┘
- Credential Guard: LSASS (credential store) runs in an isolated VM — can't be dumped
- HVCI: Kernel drivers are validated by the hypervisor
WSL — Linux Inside Windows (2016–Present)
Windows Subsystem for Linux was a paradigm shift for developers.
WSL 1 (2016): Translation Layer
Linux Application (ELF binary)
│ Linux syscall (read, write, fork…)
▼
WSL Translation Layer
│ Convert to Windows NT Native API
▼
NT Kernel
No Linux kernel — every Linux syscall is mapped to its NT equivalent. Fast, but some syscalls were missing or behaved incorrectly.
WSL 2 (2019): Real Linux Kernel
Linux Application
│
▼
Real Linux Kernel (Microsoft's custom build)
│
▼
Hyper-V Lightweight VM
│
▼
Windows NT Kernel
Real Linux kernel → full syscall compatibility.
docker, systemd, GPU pass-through all supported.
Windows 11 (2021) — TPM Requirement and Innovation
Hardware Requirements Controversy
- TPM 2.0 mandatory: Security-focused but excluded many existing machines
- Secure Boot: UEFI Secure Boot must be enabled
- CPU list: Only specific Intel/AMD CPUs officially supported
Architectural Innovations
Android Applications (Amazon Appstore) Android apps run via WSL-like virtualisation.
DirectStorage Direct NVMe → GPU memory copy for games, bypassing the CPU:
Traditional: NVMe → RAM (CPU decompress) → GPU RAM
DirectStorage: NVMe → GPU RAM (GPU decompress, CPU bypassed)
Smart App Control Subjects unsigned applications to AI-powered analysis before allowing them to run.
NT Kernel Evolution: By the Numbers
| Windows | NT Version | x64 | ARM | Kernel Innovations |
|---|---|---|---|---|
| 2000 | 5.0 | ✗ | ✗ | Active Directory, NTFS 3.0 |
| XP | 5.1 | ✗ | ✗ | WPA, ClearType |
| Vista | 6.0 | ✓ | ✗ | WDDM, UAC, IL, PatchGuard |
| 7 | 6.1 | ✓ | ✗ | Performance, HomeGroup |
| 8 | 6.2 | ✓ | ✓ | WinRT, Storage Spaces |
| 10 | 10.0 | ✓ | ✓ | VBS, WSL, DX12 |
| 11 | 10.0 | ✓ | ✓ | DirectStorage, TPM 2.0 |
NTFS — Windows' File System
NTFS (NT File System), which replaced FAT32, shipped with NT 3.1.
NTFS Disk Layout
┌────────────────────────────────────────┐
│ VBR (Volume Boot Record) │
├────────────────────────────────────────┤
│ MFT (Master File Table) │
│ ├── One record per file (~1 KB) │
│ ├── $MFT (the MFT itself) │
│ ├── $Bitmap (free cluster map) │
│ ├── $LogFile (journal/log) │
│ └── $Secure (security descriptors) │
├────────────────────────────────────────┤
│ Data Area (clusters) │
└────────────────────────────────────────┘
NTFS Features
- Journaling: Prevents inconsistent state after a power loss
- ACL: Per-file/folder permission matrix
- Alternate Data Streams (ADS): Hidden data streams can be attached to any file
- Sparse files: Large files that are mostly empty don't consume disk space
- Compression: Transparent file compression
- Encryption (EFS): Transparent encryption with the user's key
Windows Security Model Summary
User logs in
│
▼
LSA (Local Security Authority)
Creates token: SID + Privilege list + IL
│
▼
Every process inherits this token
│
┌────┴──────────────────────────────┐
│ │
▼ ▼
Resource access request UAC elevation needed?
│ → new High IL token
▼
Security Reference Monitor
├── Read the object's DACL
├── Compare token SIDs against DACL ACEs
└── Access granted or denied
- SID (Security Identifier): User/group identity (
S-1-5-21-...) - DACL (Discretionary Access Control List): Who can do what to the object
- SACL (System ACL): For audit logging
Conclusion: 40 Years in Summary
1981 MS-DOS ──────────────────────────────────────────────────►
│ Single-tasking, 16-bit
1985 Win 1.0 ┤
1990 Win 3.x ┤ ← Graphical shell, cooperative multitasking
│
1993 NT 3.1 ┼ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─►
│ NT kernel: secure,
1995 Win 95 ┤ ← 32-bit API, Start menu (DOS still underneath) portable, object-based
2000 Win 2000┤
2001 Win XP ┼ ← Consumer + NT merged, reigned for 13 years
2007 Vista ┤ ← WDDM, UAC, PatchGuard — poorly received
2009 Win 7 ┤ ← Vista matured, beloved
2012 Win 8 ┤ ← Touch gamble, alienated desktop users
2015 Win 10 ┤ ← The compromise: WSL, VBS, DirectX 12
2021 Win 11 ┤ ← TPM 2.0, DirectStorage, refreshed UI
│
▼
Today: A single NT kernel runs on every
Microsoft device except phones
Over 40 years, Windows evolved from a single-user 16-bit DOS shell into a platform that hosts hypervisor-based security, a real Linux kernel, and direct GPU storage — all in the same binary. At every step, backward compatibility was preserved not by sacrificing features, but by adding layers. That is both its greatest strength and its greatest architectural burden.
Comments
(0)Loading comments...