
Windows Filesystem

NTFS replaced FAT32 decades ago for good reason.
New Technology File System supports file permissions (ACLs), encryption (EFS), compression, journaling, symbolic links, hard links, alternate data streams, and disk quotas. Most of the security-relevant behaviour below (streams, ACLs, reparse points) exists only on NTFS volumes; copying a file to FAT/exFAT silently drops its streams and permissions.

Core Directory Structure

C:\Windows                       # OS files (System32 lives here)
C:\Windows\System32              # Critical DLLs, executables
C:\Windows\System32\config       # Registry hives (SAM, SECURITY, SYSTEM, SOFTWARE, DEFAULT)
C:\Windows\System32\drivers      # Device drivers
C:\Windows\Temp                  # System temp files
C:\Program Files                 # 64-bit applications
C:\Program Files (x86)           # 32-bit applications
C:\Users                         # User profiles
C:\Users\%USERNAME%\AppData      # App config, cache, local data (Roaming, Local, LocalLow)
C:\Users\Public                  # Shared files

Security-Critical Paths

C:\Windows\System32\config\SAM          # Local account password hashes (locked while Windows runs)
C:\Windows\System32\config\SYSTEM       # System hive (holds the boot key needed to decrypt SAM/NTDS hashes)
C:\Windows\NTDS\NTDS.dit               # Domain Controller AD database (all domain hashes)
C:\Windows\System32\Tasks              # Scheduled task XML (persistence)
C:\Windows\System32\winevt\Logs        # Event logs (.evtx)
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent  # Recent files (LNK artifacts)

Alternate Data Streams (NTFS Superpower)

Every NTFS file has one unnamed $DATA stream, which is what dir, Explorer and most tools show. Any number of named streams (file.txt:name) can be attached to the same file or directory, and their size does not show up in the file's reported length. Windows uses one itself: the Zone.Identifier stream that marks downloaded files (mark-of-the-web).

echo hidden > file.txt:hidden.txt    # Write a named stream (file.txt's size stays the same)
dir /R file.txt                      # List streams (shows file.txt:hidden.txt:$DATA)
more < file.txt:hidden.txt           # Read ADS content (type alone won't open a stream; redirection does)

Attackers use ADS to stage payloads because dir without /R and Explorer never list them, the host file looks untouched, and tooling that only inspects the unnamed stream misses the content. When hunting, enumerate streams explicitly (dir /R, Sysinternals streams.exe, or PowerShell's -Stream parameter) and treat any named stream other than Zone.Identifier as worth a look.
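The following is an added example, not code from the original page: a PowerShell hunt that enumerates every named stream under a directory, ignoring the unnamed ':$DATA' stream and the mark-of-the-web stream, and then plants and reads a stream in a scratch file so you can see what it finds. It assumes an NTFS volume and Windows PowerShell 3 or later; the scratch path under %TEMP% and the function name are assumptions.

```powershell
# Added example (not from the original page). Assumes NTFS and PowerShell 3+.
function Find-NamedStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # ':$DATA' is the unnamed main stream; Zone.Identifier is mark-of-the-web, present on every download
        [string[]]$Ignore = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream on the file (FileName, Stream, Length)
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Demo: plant a stream the way "echo hidden > file.txt:hidden.txt" does, then hunt for it
$scratch = Join-Path $env:TEMP 'ads-demo'          # assumed scratch location
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$file = Join-Path $scratch 'file.txt'
Set-Content -LiteralPath $file -Value 'visible'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'hidden'

Find-NamedStreams -Root $scratch | Format-Table -AutoSize
# Expected: one row, file.txt / hidden.txt / 8 bytes ("hidden" plus CRLF); the main stream is untouched

# Pull the suspicious stream's content, then remove just that stream, leaving the file intact
Get-Content -LiteralPath $file -Stream 'hidden.txt'
Remove-Item -LiteralPath $file -Stream 'hidden.txt'
Find-NamedStreams -Root $scratch                     # now returns nothing

Remove-Item -LiteralPath $scratch -Recurse -Force
```

Run it as a normal user against a user-writable tree first (Downloads, Public, Temp); running it across C:\ works but is slow, since every file is opened once. The stream names are the lead: an executable-looking name, or a stream on an innocuous file type, is far more interesting than the count.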

Permissions (ACLs)

NTFS permissions are far richer than POSIX mode bits. Each object carries a Security Descriptor with an Owner, a (mostly legacy) Group, a DACL that lists who may do what, and a SACL that says which accesses generate audit events. A DACL is an ordered list of ACEs; in canonical order explicit deny ACEs come before explicit allow, and inherited ACEs after both, so an explicit deny wins over an allow for the same principal. The owner can always rewrite the DACL, which is why ownership matters as much as the ACEs themselves.

icacls file.txt                      # View permissions (ACE flags: (I) inherited, (OI)/(CI) object/container inherit)
icacls file.txt /grant user:F       # Add a full-control ACE for user (/grant:r replaces user's existing ACEs instead)
icacls file.txt /inheritance:e      # Enable inheritance (:d disables and copies inherited ACEs, :r removes them)
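The following is an added example, not code from the original page: a PowerShell audit of DACLs that looks for allow ACEs granting write-type rights to low-privileged principals under the Program Files trees, the usual check for service binary or DLL hijacking opportunities. It assumes a normal user context (what an attacker would see); the function name, the list of principals, and the root paths are assumptions.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1 or PowerShell 7.
function Find-WeakDacl {
    param([string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"))  # assumed roots

    # Principals any local user holds; tune for your environment
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # Rights that let a caller plant, replace or re-permission files. ACEs that still carry
    # GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000) show up as raw bits, not as
    # FileSystemRights names, so a check on Modify/FullControl alone would miss them.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor [int]$fsr::Delete -bor
                 [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership -bor
                 0x40000000 -bor 0x10000000

    Get-ChildItem -LiteralPath $Roots -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }                       # no READ_CONTROL on this directory
            foreach ($ace in $acl.Access) {                 # $acl.Access is the DACL, in stored order
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner                  # owner can rewrite the DACL regardless
                }
            }
        }
}

Find-WeakDacl | Format-Table -AutoSize
```

Two caveats a reviewer of the results needs: the function does not evaluate deny ACEs that might cancel a matching allow, and it ignores the ACE's PropagationFlags, so an InheritOnly ACE (which applies to children, not the folder itself) is reported too. Confirm a hit the same way an attacker would, by actually creating a file there. Reading the SACL (Get-Acl -Audit) additionally needs SeSecurityPrivilege, which a normal user lacks.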

Mount Points

Windows can mount a volume on an empty NTFS folder instead of (or as well as) a drive letter.

mountvol                                        # List volumes and where each is mounted
mountvol C:\MountedVolume \\?\Volume{...}\     # Mount a volume on a folder (volume GUID path from the listing)

Useful for extending disk space, and also useful for attackers: a mounted volume is not a drive letter, so tools and scripts that enumerate C:, D:, ... never visit it. Check mount points (mountvol, or Get-Partition's AccessPaths) during forensic examination and when scoping a file-system scan.

Reparse Points

Junction points, symbolic links, and volume mount points are all reparse points (a tag plus data stored on the file or directory that the filesystem driver interprets on open). Windows symbolic links behave much like Linux ones, with one security-relevant difference: creating a symbolic link needs SeCreateSymbolicLinkPrivilege (administrators, or Developer Mode), whereas a junction can be created by any user who can write the parent directory. That is why junctions, not symlinks, appear in local privilege-escalation chains that redirect a privileged process's file writes.

mklink link target                  # File symbolic link (needs SeCreateSymbolicLinkPrivilege)
mklink /D link target              # Directory symbolic link (same privilege)
mklink /J link target              # Directory junction (no privilege required; target must be a local absolute path)
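The following is an added example, not code from the original page, covering both the mount points and the reparse points above: a PowerShell inventory that lists volumes mounted into folders and every reparse point under a root, with its type and target, so a sweep can spot links pointing somewhere they should not. It assumes Windows 8 / Server 2012 or later for the Storage module's Get-Partition and PowerShell 5.1 or later for the LinkType and Target properties; the root path and function name are assumptions.

```powershell
# Added example (not from the original page). Assumes Windows 8+ (Get-Partition) and PowerShell 5.1+.
function Get-ReparseInventory {
    param([string]$Root = 'C:\')                          # assumed root to sweep

    # 1. Volumes mounted on folders: AccessPaths holds drive letters, \\?\Volume{GUID}\ paths
    #    and folder mount points; keep only the folder paths.
    $mounts = Get-Partition -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessPaths } |
        ForEach-Object {
            $part = $_
            $part.AccessPaths |
                Where-Object { $_ -notmatch '^[A-Za-z]:\\$' -and $_ -notlike '\\?\Volume*' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Kind   = 'VolumeMountPoint'
                        Path   = $_
                        Target = "Disk $($part.DiskNumber), partition $($part.PartitionNumber)"
                    }
                }
        }

    # 2. Everything carrying the ReparsePoint attribute. Junctions and volume mount points share
    #    a reparse tag, so a mount point also shows up here as a Junction whose target is a
    #    \??\Volume{GUID}\ path; symlinks report SymbolicLink.
    $links = Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = $_.LinkType
                Path   = $_.FullName
                Target = ($_.Target -join ', ')          # string[] on 5.1, string on 7; -join handles both
            }
        }

    @($mounts) + @($links)
}

# Review links by target: a user-writable link whose target is under C:\Windows or Program Files,
# or a link appearing in a directory that ships without any, is the thing to investigate.
Get-ReparseInventory -Root 'C:\Users' |
    Sort-Object Kind, Path |
    Format-Table Kind, Path, Target -AutoSize
```

A default user profile legitimately contains a set of compatibility junctions (Application Data, Local Settings, and similar), so baseline a clean profile before treating junctions in C:\Users as suspicious. For a single path, fsutil reparsepoint query <path> dumps the raw reparse tag and data when the cmdlet reports an unknown LinkType.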