Windows Kernel Internals (KERINT)

Instructed by T. Roy

Kernel-mode software has unrestricted access to the system. This is why most anti-malware solutions and rootkits are implemented as Windows kernel modules. To analyze rootkits, identify indicators of compromise (IoC) and collect forensic evidence it is critical to have a good understanding of the architecture and internals of the Windows kernel. This course takes a deep dive into the internals of the Windows kernel from a security perspective with an emphasis on internal algorithms, data structures, debugger usage.

Classes are limited. Get registered!

This training course focuses on security-related topics anddoes not cover topics related to hardwaresuch as plug and play, power management, BIOS, or ACPI.

In the hands-on lab exercises, students dig into the kernel using the kernel debugger (WinDBG/KD) commands and learning how to interpret the debugger output of these commands to understand how the kernel works. Hands-on lab exercises are performed on precaptured memory dumps and on a live VM running the latest version of Windows 10 64-bit.

Learning Objectives

  • Understand the key principles behind the design and implementation of the Windows kernel.
  • Understand the major components in the Windows Kernel and the functionality they provide.
  • Be able to investigate system data structures using kernel debugger and interpret the output of debugger commands.
  • Be able to navigate between different data structures in the kernel using debugger commands.
  • Be able to locate indicators of compromise while hunting for kernel-mode malware.
  • Be able to perform forensic analysis of the Windows kernel.
  • Understand how kernel-mode rootkits and commercial anti-malware solutions interact with the system


Students will need:


  • Virtualization capable CPU(s)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 40 GB free disk space
  • Working USB Port
  • Working Wireless LAN


  • Host OS Windows 10 64-bit
  • Windows Enterprise WDK for Windows 10 Version 1709 (RS3)
  • Debugging Tools for Windows (included in WDK)
  • SysInternals Tools
  • Volatility Framework
  • Virtualization Software (Hyper-V, VMWare, VirtualBox)
  • Guest OS Windows 10 64-bit Version 1709 (RS3)
  • System Administrator access required on both host and guest OSs
  • WinDBG must be setup and configured on the host to debug the guest OS
  • All other software will be provided by the instructor.



Live-Online & In-Person


Private Basis (Live-Online)


5 days


Anti-malware engineers, malware analysts, forensics examiners, security researchers who are responsible for detecting, analyzing, and defending against rootkits and other kernel post exploitation techniques.

  • Standard Rate


Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require any programming knowledge.

Why choose the Center for Cyber Security Training

Interactive, classroom-based learning

Subject matter experts

Trusted by US government agencies


T.Roy, an author, instructor, and consultant, is the founder of CodeMachine. He has more than 20 years of experience in information security has been involved with Windows internals, development, debugging and security, since the inception of Windows NT in 1992. He has been involved in the development of some of the leading endpoint security solutions such as intrusion prevention, network firewalls, behavioral anti-malware, document security and data leak prevention systems. He has taught all over the world and has received many instructor recognition awards.

I really enjoyed the course! It was interesting to see a different perspective on penetration testing and ways of progressing from recon to initial access to escalating privilege and lateral movement.

- Robert L., Washington, DC

Want more information?

Download the Windows Kernel Internals course outline now.

Upcoming Training Sessions

Private Basis (Live-Online)

Classes are limited.

Enroll Now.

Related Courses

Our classroom delivers the most in-demand content from the highest profile subject matter experts. Intense and interactive, our courses prepare students with actionable insight and proven strategies.

windows internal architecture

Windows Internal Architecture

Whether you analyze malware, perform security research, conduct forensic investigations, engage in adversary simulation or prevent it, or build security solutions for Windows, understanding how Windows works internally is critical to be effective at your task.


Exploit Development Bootcamp & Advanced

Our three-day Bootcamp will teach both basic & advanced techniques from a leading exploit developer. In our Advanced course, experienced students will learn how to write exploits that bypass modern memory protections for the Win32 platform in a fast-paced, interactive learning environment.

Looking for a course that's not here? We'd love to hear your suggestions!

Are you fully prepared to deal with today's increasing cyber security risks? We can help you get the training you need.


*We respect your privacy