Windows Security Internals 1 / converted Edition James Forshaw
CONTENTS IN DETAIL
TITLE PAGE
COPYRIGHT
DEDICATION
ABOUT THE AUTHOR AND TECHNICAL REVIEWER
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
Who Is This Book For?
What Is in This Book?
PowerShell Conventions Used in This Book
Getting in Touch
PART I: AN OVERVIEW OF THE WINDOWS
OPERATING SYSTEM
1
SETTING UP A POWERSHELL TESTING ENVIRONMENT
Choosing a PowerShell Version
Configuring PowerShell
An Overview of the PowerShell Language
Understanding Types, Variables, and Expressions
Executing Commands
Discovering Commands and Getting Help
Defining Functions
Displaying and Manipulating Objects
Filtering, Ordering, and Grouping Objects
Exporting Data
Wrapping Up
2
THE WINDOWS KERNEL
The Windows Kernel Executive
The Security Reference Monitor
The Object Manager
Object Types
The Object Manager Namespace
System Calls
NTSTATUS Codes
Object Handles
Query and Set Information System Calls
The Input/Output Manager
The Process and Thread Manager
The Memory Manager
NtVirtualMemory Commands
Section Objects
Code Integrity
Advanced Local Procedure Call
The Configuration Manager
Worked Examples
Finding Open Handles by Name
Finding Shared Objects
Modifying a Mapped Section
Finding Writable and Executable Memory
Wrapping Up
3
USER-MODE APPLICATIONS
Win32 and the User-Mode Windows APIs
Loading a New Library
Viewing Imported APIs
Searching for DLLs
The Win32 GUI
GUI Kernel Resources
Window Messages
Console Sessions
Comparing Win32 APIs and System Calls
Win32 Registry Paths
Opening Keys
Listing the Registry’s Contents
DOS Device Paths
Path Types
Maximum Path Lengths
Process Creation
Command Line Parsing
Shell APIs
System Processes
The Session Manager
The Windows Logon Process
The Local Security Authority Subsystem
The Service Control Manager
Worked Examples
Finding Executables That Import Specific APIs
Finding Hidden Registry Keys or Values
Wrapping Up
PART II: THE WINDOWS SECURITY
REFERENCE MONITOR
4
SECURITY ACCESS TOKENS
Primary Tokens
Impersonation Tokens
Security Quality of Service
Explicit Token Impersonation
Converting Between Token Types
Pseudo Token Handles
Token Groups
Enabled, EnabledByDefault, and Mandatory
LogonId
Owner
UseForDenyOnly
Integrity and IntegrityEnabled
Resource
Device Groups
Privileges
Sandbox Tokens
Restricted Tokens
Write-Restricted Tokens
AppContainer and Lowbox Tokens
What Makes an Administrator User?
User Account Control
Linked Tokens and Elevation Type
UI Access
Virtualization
Security Attributes
Creating Tokens
Token Assignment
Assigning a Primary Token
Assigning an Impersonation Token
Worked Examples
Finding UI Access Processes
Finding Token Handles to Impersonate
Removing Administrator Privileges
Wrapping Up
5
SECURITY DESCRIPTORS
The Structure of a Security Descriptor
The Structure of a SID
Absolute and Relative Security Descriptors
Access Control List Headers and Entries
The Header
The ACE List
Constructing and Manipulating Security Descriptors
Creating a New Security Descriptor
Ordering the ACEs
Formatting Security Descriptors
Converting to and from a Relative Security Descriptor
The Security Descriptor Definition Language
Worked Examples
Manually Parsing a Binary SID
Enumerating SIDs
Wrapping Up
6
READING AND ASSIGNING SECURITY DESCRIPTORS
Reading Security Descriptors
Assigning Security Descriptors
Assigning a Security Descriptor During Resource Creation
Assigning a Security Descriptor to an Existing Resource
Win32 Security APIs
Server Security Descriptors and Compound ACEs
A Summary of Inheritance Behavior
Worked Examples
Finding Object Manager Resource Owners
Changing the Ownership of a Resource
Wrapping Up
7
THE ACCESS CHECK PROCESS
Running an Access Check
Kernel-Mode Access Checks
User-Mode Access Checks
The Get-NtGrantedAccess PowerShell Command
The Access Check Process in PowerShell
Defining the Access Check Function
Performing the Mandatory Access Check
Performing the Token Access Check
Performing the Discretionary Access Check
Sandboxing
Restricted Tokens
Lowbox Tokens
Enterprise Access Checks
The Object Type Access Check
The Central Access Policy
Worked Examples
Using the Get-PSGrantedAccess Command
Calculating Granted Access for Resources
Wrapping Up
8
OTHER ACCESS CHECKING USE CASES
Traversal Checking
The SeChangeNotifyPrivilege Privilege
Limited Checks
Handle Duplication Access Checks
Sandbox Token Checks
Automating Access Checks
Worked Examples
Simplifying an Access Check for an Object
Finding Writable Section Objects
Wrapping Up
9
SECURITY AUDITING
The Security Event Log
Configuring the System Audit Policy
Configuring the Per-User Audit Policy
Audit Policy Security
Configuring the Resource SACL
Configuring the Global SACL
Worked Examples
Verifying Audit Access Security
Finding Resources with Audit ACEs
Wrapping Up
PART III: THE LOCAL SECURITY AUTHORITY
AND AUTHENTICATION
10
WINDOWS AUTHENTICATION
Domain Authentication
Local Authentication
Enterprise Network Domains
Domain Forests
Local Domain Configuration
The User Database
The LSA Policy Database
Remote LSA Services
The SAM Remote Service
The Domain Policy Remote Service
The SAM and SECURITY Databases
Accessing the SAM Database Through the Registry
Inspecting the SECURITY Database
Worked Examples
RID Cycling
Forcing a User’s Password Change
Extracting All Local User Hashes
Wrapping Up
11
ACTIVE DIRECTORY
A Brief History of Active Directory
Exploring an Active Directory Domain with PowerShell
The Remote Server Administration Tools
Basic Forest and Domain Information
The Users
The Groups
The Computers
Objects and Distinguished Names
Enumerating Directory Objects
Accessing Objects in Other Domains
The Schema
Inspecting the Schema
Accessing the Security Attributes
Security Descriptors
Querying Security Descriptors of Directory Objects
Assigning Security Descriptors to New Directory Objects
Assigning Security Descriptors to Existing Objects
Inspecting a Security Descriptor’s Inherited Security
Access Checks
Creating Objects
Deleting Objects
Listing Objects
Reading and Writing Attributes
Checking Multiple Attributes
Analyzing Property Sets
Inspecting Control Access Rights
Analyzing Write-Validated Access Rights
Accessing the SELF SID
Performing Additional Security Checks
Claims and Central Access Policies
Group Policies
Worked Example
Building the Authorization Context
Gathering Object Information
Running the Access Check
Wrapping Up
12
INTERACTIVE AUTHENTICATION
Creating a User’s Desktop
The LsaLogonUser API
Local Authentication
Domain Authentication
Logon and Console Sessions
Token Creation
Using the LsaLogonUser API from PowerShell
Creating a New Process with a Token
The Service Logon Type
Worked Examples
Testing Privileges and Logon Account Rights
Creating a Process in a Different Console Session
Authenticating Virtual Accounts
Wrapping Up
13
NETWORK AUTHENTICATION
NTLM Network Authentication
NTLM Authentication Using PowerShell
The Cryptographic Derivation Process
Pass-Through Authentication
Local Loopback Authentication
Alternative Client Credentials
The NTLM Relay Attack
Attack Overview
Active Server Challenges
Signing and Sealing
Target Names
Channel Binding
Worked Example
Overview
The Code Module
The Server Implementation
The Client Implementation
The NTLM Authentication Test
Wrapping Up
14
KERBEROS
Interactive Authentication with Kerberos
Initial User Authentication
Network Service Authentication
Performing Kerberos Authentication in PowerShell
Decrypting the AP-REQ Message
Decrypting the AP-REP Message
Cross-Domain Authentication
Kerberos Delegation
Unconstrained Delegation
Constrained Delegation
User-to-User Kerberos Authentication
Worked Examples
Querying the Kerberos Ticket Cache
Simple Kerberoasting
Wrapping Up
15
NEGOTIATE AUTHENTICATION AND OTHER SECURITY
PACKAGES
Security Buffers
Using Buffers with an Authentication Context
Using Buffers with Signing and Sealing
The Negotiate Protocol
Less Common Security Packages
Secure Channel
CredSSP
Remote Credential Guard and Restricted Admin Mode
The Credential Manager
Additional Request Attribute Flags
Anonymous Sessions
Identity Tokens
Network Authentication with a Lowbox Token
Authentication with the Enterprise Authentication Capability
Authentication to a Known Web Proxy
Authentication with Explicit Credentials
The Authentication Audit Event Log
Worked Examples
Identifying the Reason for an Authentication Failure
Using a Secure Channel to Extract a Server’s TLS Certificate
Wrapping Up
Final Thoughts
A
BUILDING A WINDOWS DOMAIN NETWORK FOR TESTING
The Domain Network
Installing and Configuring Windows Hyper-V
Creating the Virtual Machines
The PRIMARYDC Server
The GRAPHITE Workstation
The SALESDC Server
B
SDDL SID ALIAS MAPPING
INDEX
The information in this book is distributed on an “As Is” basis, without warranty. While every
precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc.
shall have any liability to any person or entity with respect to any loss or damage caused or alleged to
be caused directly or indirectly by the information contained in it.
Dedicated to my amazing wife, Huayi, and my little Jacob, without whom I
would never get anything done.
About the Author
James Forshaw is a renowned computer security expert on Google’s Project
Zero team. In his more than 20 years of experience analyzing and exploiting
security issues in Microsoft Windows and other products, he has discovered
hundreds of publicly disclosed vulnerabilities in Microsoft platforms. Others
frequently cite his research, which he presents in blogs, on the world stage, or
through novel tooling, and he has inspired numerous researchers in the
industry. When not breaking the security of other products, James works as a
defender, advising teams on their security design and improving the
Chromium Windows sandbox to secure billions of users worldwide.
About the Technical Reviewer
Lee Holmes is a security architect in Azure security, an original developer on
the PowerShell team, a fanatical hobbyist, and the author of The PowerShell
Cookbook (O’Reilly Media, 2010). You can find him on Mastodon
(@Lee_Holmes@infosec.exchange), as well as on his personal website
(https://leeholmes.com).
FOREWORD
A Microsoft Technical Fellow once told me he had never met someone who
understood how the security of the Windows operating system actually
worked. While I don’t think he was right (and plan to send him a copy of this
book to prove it), he had a point. Though critical, there is no doubt that
Windows security is complex.
One of the reasons for this is related to the core architectural difference
between Linux and Windows. Linux is a file-oriented operating system,
while Windows is API oriented, and though APIs can provide a much richer
set of capabilities, they come at the expense of simplicity. So, exploring an
API-oriented operating system is more difficult. You need to read the API
documentation, write code, compile and run it, and debug the results.
This is a very time-consuming loop, and it’s why so few people have a
deep understanding of how Windows security works—it’s just too hard to
explore.
It was because of these problems that I invented PowerShell. I wanted
administrators to automate Windows and had originally tried to do so by
distributing Unix tools for free. (Remember Windows Services for Unix?)
This failed because Unix tools work on files, while everything important in
Windows lives behind an API. Thus, awk didn’t work against the registry,
grep didn’t work against Windows Management Instrumentation (WMI), sed
didn’t work against Active Directory, and so on. What we needed was an
API-oriented command line interface and scripting tool. So, I created
PowerShell.
Today, James is using PowerShell to address the difficulty of acquiring
Windows security expertise; he has made the system explorable. Step one:
install his PowerShell module, NTObjectManager, which provides over 550
cmdlets to experiment with all aspects of Windows security. This hands-on
exploration will allow you to understand how things really work.
This book belongs on the desk of every security professional and
developer working with Windows security. Part I provides an overview of
Windows security’s architecture, Part II covers the details of the operating
system’s security mechanisms and services, and Part III explores the various
aspects of Windows authentication. Each chapter includes a set of
PowerShell examples.
I strongly encourage you to follow the examples provided; exploration
turns words into experience, and experience is the foundation of competence.
Run the commands, make intentional mistakes, and see what errors you get.
In doing so, you’ll acquire a deep understanding of the system.
And trust me: it will be fun.
Jeffrey Snover
Inventor of PowerShell, former chief architect for Windows Server, and
former Microsoft Technical Fellow
ACKNOWLEDGMENTS
Few books are written in complete isolation, and this one certainly doesn’t
break that mold. I’d like to take the opportunity to thank some of the many
people who have contributed to making this tome a reality. I apologize to
anyone I’ve forgotten.
I must start by acknowledging the contribution of my wife, Huayi, who
cheers me up when I’m down and kicks me (metaphorically) when I’m being
lazy. Without her by my side, the past few years would have been much less
agreeable. The rest of my family are just as important; without them, my life
would be so very different.
Next, I’d like to thank my technical reviewer, Lee Holmes, who has
made the review a valuable experience, teaching me many PowerShell tricks
I didn’t know existed and providing important feedback on the structure and
content.
I’m not the only person doing significant research on Windows. While
there are far too many to list here, I’d like to acknowledge the following
people who have made important contributions to my work. First is Alex
Ionescu, well-known Windows internals guru and my sometimes collaborator
(or competitor), who always seems to know some weird bit of operating
system esoterica. Then there are the many practitioners of Windows
enterprise security research and testing, such as Lee Christensen, Will
Schroeder, and Nick Landers. They’ve been important sounding boards for
my understanding of software like Active Directory and Kerberos and have
actively tested and contributed to my tooling projects.
I’d be remiss not to mention the amazing researchers from my more
formative years, especially Pete and Rich; you know who you are. Also, I’d
like to thank Rob and his team for looking at early drafts of my book’s
chapters and providing valuable feedback.
My relationship with Microsoft has had its ups and downs. That said, I’d
like to thank many of its current and former employees who have helped me
along the way. This includes Katie Moussouris, who was instrumental in
convincing me that it pays to find bugs in Microsoft products. Without her
friendship and contributions, I doubt I’d be as successful as I am today. Then
there’s Nate Warfield, who for many years was my point of contact at the
Microsoft Security Response Center (MSRC), where he shielded me from
much of the company’s party politics and ensured the bugs I reported got
fixed in a timely manner. Finally, I’d like to thank current MSRC
representatives, including Nic Fillingham and Stephanie Calabrese, for
helping me when I need to contact someone deep inside the beast, and for
providing me with swag.
Special thanks to my Google colleagues, who support me in making and
breaking things on Windows. This includes the entirety of the current Google
Project Zero team and its alumni: the best set of security researchers you’ll
likely ever find in a single room, or even two. Then there’s Will Harris, my
friend and colleague on the Chromium Windows sandbox team, who asked
me many of the questions about Windows security on which this book is
based. Finally, thanks to Heather Adkins, who was instrumental in my being
allowed to write a book of this nature while keeping a job at Google.
I’d also like to thank everyone at No Starch Press who has worked on
this book and been patient with me: especially Alex Freed, my longtime
editor, who unfortunately left before this book was published, and Frances
Saux, who became my new editor after Alex’s departure and pulled this
book, kicking and screaming, to completion. Finally, I must thank Bill
Pollock, who is a good friend and always has amazing advice on the book
writing process, as well as the latest recommendations for incredible
restaurants.
I don’t have the space here to name everyone, but to wrap up I’d like to
express my gratitude to all the friends and colleagues who contribute
massively every day to my life and success. Thanks also to you, for picking
up my book. I hope you find the information about Windows security
contained herein to be useful.
INTRODUCTION
Hundreds of millions of devices use the
Microsoft Windows platform. Many of
the world’s largest companies rely on its security to
protect their data and communications, as does anyone
hosting their code in the Azure cloud. But because
Windows is so important to the security of the modern
internet, it’s also a popular target for attack.
The Windows NT operating system began including security in its
design in 1993, when it introduced user accounts, control over resources, and
remote access from a network. In the more than 20 years since then, much
has changed in Windows security. Microsoft has replaced its original
authentication process with modern technology, granted the access control
mechanism additional capabilities, and significantly hardened the platform
against attack.
Today, the security of the Windows platform is surprisingly complex,
and many attacks rely on abusing this complexity. Unfortunately, Microsoft’s
documentation in this area can be lacking. As Windows is not open source,
sometimes the only way to understand its security is through deep research
and analysis.
This is where I come in. I’ve spent more than 20 years as a developer
and security researcher on Windows platforms, cultivating an understanding
of the operating system’s undocumented corners. In this book, I share some
of my extensive expertise in an easy-to-understand form. By mastering the
principles of Windows security, you’ll be able to kick-start your own
research project or improve your software product.
Who Is This Book For?
I wrote this book for people who work with Windows security. Perhaps
you’re a developer of Windows software and want to ensure that your
product is secure. Or maybe you’re a system administrator tasked with
securing Windows across an enterprise and don’t fully understand how
various security features combine to protect the platform. Or you might want
to poke holes in the operating system to find security vulnerabilities as a
researcher.
This book assumes reasonable familiarity with the Windows user
interface and its basic operations, such as manipulating files. That said, you
don’t need to be a low-level Windows expert: for those who need a little
more grounding, Chapters 2 and 3 provide an overview of the operating
system and how it’s put together.
I rely heavily on the use of PowerShell scripting, so you’ll find it helpful
to have some experience with the language, as well as with the .NET
framework on which it’s based. To get you up to speed, Chapter 1 gives a
very quick overview of some of PowerShell’s features. Elsewhere, I’ll do my
best to avoid using esoteric features of the language, to keep the code
accessible to readers with knowledge of other scripting languages or shell
environments (such as bash).
What Is in This Book?
In each chapter, we’ll cover core security features implemented in modern
versions of Windows. We’ll also walk through several worked examples
written in PowerShell, which should give you a better understanding of the
commands introduced in the chapter. Here’s a brief summary of what each
chapter covers.
Part I surveys the Windows operating system from a programming
perspective. It should provide you with the foundation needed to understand
the material in the rest of the book.
Chapter 1: Setting Up a PowerShell Testing Environment In this
chapter, you’ll set up PowerShell to run the examples included in the
subsequent chapters. This includes installing a PowerShell module I’ve
written to interact with Windows and its security features. The chapter
also provides an overview of the PowerShell scripting language.
Chapter 2: The Windows Kernel This chapter covers the basics of
the Windows kernel and its system call interface, a topic crucial to
developing a solid understanding of Windows security. I also describe
the object manager, used to manage resources.
Chapter 3: User-Mode Applications Most applications don’t directly
use the system call interface from the kernel; instead, they use a set of
higher-level programming interfaces. This chapter covers Windows
features such as file handling and the registry.
Part II covers the most important component of the Windows kernel for
security, the Security Reference Monitor. We’ll look at all aspects of access
control, from constructing the user’s identity to securing an individual
resource, such as a file.
Chapter 4: Security Access Tokens Windows assigns every running
process an access token, which represents the user’s identity to the
system. This chapter describes the various components stored in the
token that are used to check access.
Chapter 5: Security Descriptors Each securable resource needs a
description of who is allowed to access it and what type of access they
are granted. This is the purpose of security descriptors. In this chapter,
we’ll cover their internal structure and how you can create and
manipulate them.
Chapter 6: Reading and Assigning Security Descriptors To inspect
the security of the system, you need to be able to query the security
descriptor of a resource. This chapter explains how this querying
happens for different types of resources. It also covers the many complex
ways that Windows assigns security descriptors to resources.
Chapter 7: The Access Check Process Windows uses the access
check to determine what access to grant a user to a resource. This
operation takes the token and the security descriptor and follows an
algorithm to determine the granted access. This chapter works through a
PowerShell implementation of the algorithm to explore its design in
depth.
Chapter 8: Other Access Checking Use Cases Although Windows
primarily uses access checks to grant access to resources, it sometimes
uses them to determine other security properties, such as the visibility of
resources and whether a process is running with a low level of privilege.
This chapter covers these alternative use cases for the access check.
Chapter 9: Security Auditing The access check process can also
create logs of the resources a user has accessed, and with what level of
access. This chapter covers these system auditing policies.
Part III contains details of Windows authentication, the mechanisms that
verify a user’s identity for the purposes of access control.
Chapter 10: Windows Authentication As the topic of authentication
is quite complex, this chapter summarizes the authentication structure
and services on which the rest of the authentication mechanisms depend.
Chapter 11: Active Directory Windows 2000 introduced a new
model for networking Windows systems in an enterprise, with all
authentication information stored in a network directory that users and
administrators could query and modify. This chapter covers how Active
Directory stores information and secures it from malicious modification.
Chapter 12: Interactive Authentication The most common
authentication scenario on Windows occurs when a user enters their
username and password into their computer and gains access to the
desktop. This chapter covers how the operating system implements this
authentication process.
Chapter 13: Network Authentication When a user wants to access a
network service in a Windows enterprise network, they typically must
authenticate to it. Windows provides special network protocols to
implement this authentication without disclosing the user’s credentials to
a potentially hostile network. This chapter explains the network
authentication process, focusing on the New Technology LAN Manager
(NTLM) authentication protocol.
Chapter 14: Kerberos Along with Active Directory, Windows 2000
also introduced the use of the open Kerberos authentication protocol for
enterprise network authentication. This chapter explains how Kerberos
works in Windows to authenticate a user interactively and over a
network.
Chapter 15: Negotiate Authentication and Other Security
Packages Over the years, Windows has added other types of network
authentication protocols. This chapter covers these new types, including
Negotiate, to supplement those discussed in Chapters 13 and 14.
Finally, the two appendices provide configuration details and further
resources.
Appendix A: Building a Windows Domain Network for Testing To
run some of the examples in the book, you’ll need a Windows domain
network. This appendix provides some steps for using PowerShell to
configure a network for testing.
Appendix B: SDDL SID Alias Mapping This appendix provides a
table of constants referenced in Chapter 5.
PowerShell Conventions Used in This Book
The PowerShell scripting language, which is included with all versions of
Windows, is one of the best ways to flexibly experiment with the internals of
the operating system without needing to install much additional software. As
PowerShell is based on the .NET runtime, this book will use a .NET library
I’ve written for interacting with Windows, making it easy to develop
complex scripts. All example scripts in the book will be available to
download from https://github.com/tyranid/windows-security-internals.
The PowerShell examples in each chapter follow a common set of style
conventions that should help you understand how to use them. Each example
is provided as a listing, of which there are two types: interactive and non-
interactive. Interactive PowerShell listings are those you should enter on the
command line to observe the results. Here is an example of an interactive
listing:
❶ PS> ls C:
❷ Directory: C:
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 4/17 11:45 AM Program Files
❸ --snip--
An interactive listing precedes each command to enter with a
PowerShell-style prompt (PS>) and shows the command in bold ❶. You’ll
see the resulting output below the command ❷. Sometimes the output can be
quite long, so to save space, I use --snip-- to indicate that the output has
been truncated ❸. Also note that in some examples the output is indicative; it
might be subtly different depending on your operating system or network
configuration.
Most of the interactive listings are designed to be executed from a
normal user account. However, some must run under an administrator
account to access certain protected features. If you don’t run the commands
as an administrator, the results won’t be correct. The text preceding each
listing will clarify whether you must run the command as an administrator.
A non-interactive listing contains PowerShell code that you can copy
into a script file for reuse, like this:
function Get-Hello {
"Hello"
}
Non-interactive listings don’t include the PowerShell prompt and aren’t in
bold.
If you’ve written any scripts in PowerShell, you’ll know that the
language is notorious for verbose command and parameter names. This
makes it difficult to fit certain commands on a single line in the book. Here is
an example of a long PowerShell line and a few ways the book might split it
to make it fit on the page:
PS> Get-ChildItem -LiteralPath "C:" -Filter "*.exe" -Recurse -Hidden
❶ -System -Depth 5 | Where-Object {
❷     $_.Name -eq "Hello"
}
The first line, using the Get-ChildItem command, is too long to fit on
the page, so it wraps onto a subsequent line ❶. You can’t just add a newline
in the middle of such a command, so when you’re entering it into the shell or
a file, you should treat it as a single line. The key indicator that the line
continues, instead of being part of the output, is that there’s a bold character
in the first column.
PowerShell can break long lines on certain characters, such as the pipe
(|), the comma (,), or braces ({}). In this listing, I’ve added a newline
following the opening brace ({) and placed the subsequent commands in the
braced block, indented one level ❷. In this case, the shell will handle the
introduction of the new line. Note that the closing brace (}) is in the first
column, so you might assume it needs to be placed on the previous line.
While moving the brace to the previous line will still work in this specific
case, it’s unnecessary.
Note that the Windows operating system is still under active
development. While all the PowerShell examples have been tested on the
latest versions of Windows available at the time of writing, there is a chance
that new security features will have been introduced, or older ones
deprecated, by the time you come to read this book. The following is a list of
the versions on which the examples were tested, along with the major OS
build number:
Windows 11 (OS build 22631)
Windows 10 (OS build 19045)
Windows Server 2022 (OS build 20384)
Windows Server 2019 (OS build 17763)
Any mentions of “the latest versions” in the text refer to these versions.
Getting in Touch
I’m always interested in receiving feedback, both positive and negative, on
my work, and this book is no exception. You can email me at
winsecinternals.book@gmail.com. You can also subscribe to my blog at
https://www.tiraniddo.dev, where I post some of my latest advanced security
research.
1
SETTING UP A POWERSHELL TESTING ENVIRONMENT
In this chapter, you’ll configure
PowerShell so you can work through the
code examples presented in the rest of the book. Then,
we’ll walk through a very quick overview of the
PowerShell language, including its types, variables,
and expressions. We’ll also cover how to execute its
commands, how to get help, and how to export data for
later use.
Choosing a PowerShell Version
The most important tool you’ll need to use this book effectively is
PowerShell, which has been installed on the Windows operating system by
default since Windows 7. However, there are many different versions of this
tool. The version installed by default on currently supported versions of
Windows is 5.1, which is suitable for our purposes, even though Microsoft no
longer fully supports it. More recent versions of PowerShell are cross
platform and open source but must be installed separately on Windows.
All the code presented in this book will run in both PowerShell 5.1 and
the latest open source version, so it doesn’t matter which you choose. If you
On the whole, then, this is not an insuperable difficulty; while the
previous arguments render the idea of a future life distinctly
probable. And this has, of course, a most important bearing on our
next question; indeed, it is scarcely too much to say that the
probability of a revelation depends on that of a future life. For if
death ends all, man's existence is so short that a revelation can
scarcely be thought probable; but if he is to live for ever, the case is
very different.
(B.) The Probability of a Revelation.
Now (assuming man to be immortal) a revelation, from whichever
side we regard it, appears to be somewhat probable. For God is a
Being, Who seems likely to make a revelation; and man is a being
exactly fitted to receive one; so we will consider these points first,
and then the chief difficulties.
(1.) From God's character.
Now we have already shown that God takes an interest in man's
welfare, being not only beneficent, but righteous; and that He
apparently wishes to train and develop man's character, so that he
may be righteous also. And from this we may infer that if a
revelation would benefit man, and thus help him to be righteous
also, it would not be improbable for God to make one. And that the
knowledge given by a revelation might influence him in this way
cannot be denied; for, as a matter of fact, such knowledge, either
real or pretended, has had precisely this effect on millions of men.
We may also infer from God's methods in nature, which are those of
slow development, that if He made a revelation at all it would be
done gradually. At first it would be very simple, and such as could be
transmitted orally. Then when man acquired the art of writing, and
could thus hand it on accurately, a more definite revelation might be
given. And this again might become more and more perfect, as man
himself became more perfect. We obviously do not know enough to
speak with confidence, but still God's character, so far as we can
judge of it, seems to be in favour of His making some revelation—
and that a progressive revelation—to man.
(2.) From man's character.
Passing on now to man's character, we find that he has been given a
nature exactly fitted to receive a revelation. For religion of some kind
is, and always has been, practically universal; and nearly all
important religions have rested on real or pretended revelations from
God, and have been accepted in consequence. In other words the
nature of man has everywhere led him to seek for, demand, and, if
need be, imagine a revelation from God. Nor is this in any way
surprising, for a thoughtful man cannot help wishing to know why he
is placed in this world; why he is given free will; how he is meant to
use his freedom; and what future, if any, is in store for him
hereafter: in short, what was God's object in creating him. It seems
of all knowledge to be the highest, the noblest, the most worth
knowing.
And therefore as this result of man's nature was not only brought
about by God, but must have been foreknown, and intended by Him,
it is not improbable that He should satisfy it; especially as it cannot
be satisfied in any other way, for the knowledge being superhuman,
is out of man's own reach. And it may be added, the more we realise
this, and feel that God is Unknowable, in the sense that we can gain
no satisfactory knowledge about Him by human science and
reasoning, so much the more likely does it seem that He should give
us such knowledge by revelation.
And all this is strengthened when we consider man's unique position
to which we have already alluded. For if we admit that the creation
and perfecting of man is the chief object the Creator had in view for
so many thousands of years, it does not seem unlikely that He might
wish to hold some communication with him. In fact, as the whole of
nature shows design or purpose; and as man occupies a special
place in nature; we may fairly conclude that God has some special
purpose in regard to man, and, for all we know, He may have
something special to tell him about it.
We conclude then that man's character, and the unique position he
occupies on this earth, is a strong argument in favour of his
receiving some revelation from God.
(3.) Two difficulties.
But now for the other side. There are two chief difficulties. The first
is on the ground of injustice; since any revelation, it is said, would
imply a partiality to the men or nation to whom it was given, and
would therefore be unjust to the rest of mankind. But this is quite
untenable, for God's other benefits are not bestowed impartially. On
the contrary, pleasure and pain, good and evil, are never equally
distributed in this world. What seems to be partiality and favouritism
is the rule everywhere, and this without any apparent merit on the
part of the men concerned. Moreover, the advantages of a revelation
may not concern this world only. And all who believe in a future life
are convinced of God's justice, and that men will only be judged
according to the knowledge of His Will which they possessed, or
might have possessed had they chosen, and not according to any
higher standard which was out of their reach.
The other and more important difficulty is, that if God gave a
revelation at all, it would be absolutely convincing. Everything that
God does He does well; and we cannot, it is urged, imagine His
making a revelation to man, and yet doing it so imperfectly as to
leave men in doubt as to whether He had done it or not. For this
would imply that He either could not, or would not, make the
evidence sufficient to ensure conviction, neither of which is credible.
Now, though all this seems very probable, a moment's reflection will
show that it is not conclusive; for exactly the same may be said in
regard to the whole of Natural Religion. Is it likely, for instance, that
God should create free and responsible men, and yet give them such
insufficient evidence about it, that while many are fully convinced,
others deny not only their own freedom and responsibility, but even
the existence of the God Who made them? Yet He has done so.
Therefore there is nothing improbable in the evidence for a
revelation, if one were given, being of a similar character.
Indeed, there is much to be said in favour of its being so, since in
most other matters man is left a free choice. He is often able to find
out how he ought to think and how he ought to act, but he is not
forced to do either. And God may have wished that the same rule
should be followed in regard to a revelation, and that man should be
left free to believe it or not, just as he is left free to act on it or not,
if he does believe it, and just as he is left free to choose right or
wrong in other cases. Therefore we cannot say that no revelation
can come from God unless the evidence for it is overwhelming. It
would doubtless be sufficient to convince a man if he took the
trouble to examine it carefully; only it need not be such as to compel
conviction. What kind of evidence we may expect will be considered
in the next chapter.
Neither of these difficulties, then, is at all serious; and we are forced
back to the conclusion that, provided man is immortal, a revelation
seems for several reasons to be somewhat probable. To put it
shortly, if God is good and really cares for man's welfare, it seems
unlikely that He should withhold from him that knowledge which is
the highest, the noblest, and the most longed for;—the knowledge
of Himself. While, if man is a free and immortal being, occupying a
unique position in the world, and intended to live for ever, it seems
unlikely that he should be told nothing, and therefore know nothing,
as to why he was created, or what is his future destiny. Thus when
we consider both God's character and man's character, it seems on
the whole to be somewhat probable, that God would make a
revelation to man; telling him how he ought to use his freedom in
this world, and possibly what future is in store for him hereafter.
CHAPTER VII.
THAT A MIRACULOUS REVELATION IS CREDIBLE.
A Divine messenger would probably have credentials.
(A.) Superhuman Signs.
These include superhuman knowledge, afterwards verified (such
as prophecy), and superhuman coincidences; and there is
nothing incredible in either.
(B.) Supernatural Signs, or Miracles.
These are 'marvels specially worked by God as signs to confirm a
revelation.' This definition is threefold, referring to their
outward appearance, cause, and purpose.
(1.) Miracles as marvels: though they seem to be contrary to
experience, they are not really so, for we have no
experience of the proper kind to refer to.
(2.) Miracles as special works of God: they only interfere with the
uniformity of nature in the same way that human works
interfere with it.
(3.) Miracles as signs: there is nothing to show that they are
inconsistent with God's Character.
We decided in the last chapter that it was somewhat probable for
God to make a revelation to man, that is to say, to certain men, for
them to make known to others. And if so, it is also probable that
these men would have some means of showing that the knowledge
had come from God and not from themselves. In other words, if God
sends a message to man, it is probable that the messenger would
have credentials. And this is especially so when we remember that
men have often appeared in the world's history who professed to
have a revelation from God, and have misled mankind in
consequence. Is it not probable, then, that if God really did give a
revelation, He would take care that His true messengers should have
credentials which would distinguish them from all the others?
These credentials, then, or signs, must plainly be such as could not
be imitated by man; and must therefore of necessity be
superhuman, if not supernatural. So we may divide them into these
two classes; and we have now to consider whether they are
credible. By this is meant something more than merely possible; for
the possibility of such signs follows at once from the existence of
God. But are they credible? is there, that is, at least a slight chance
that they would occur?
(A.) Superhuman Signs.
These include, to begin with, superhuman knowledge, which can be
afterwards verified, such as prophecy. And there is no difficulty here,
provided we admit a revelation at all. The only possible objection
refers to prophecies regarding human conduct; which it may be said
would interfere with man's freedom. But this is only part of the more
general objection that any foreknowledge on God's part would
interfere with man's freedom, which we have already considered in
Chapter II.; and there is no special difficulty in regard to prophecies.
In every case, as said before, God merely foreknows the use man
will make of his freedom. Therefore the event will not occur because
it was foretold, but rather it was foretold because God knew that it
would occur.
Superhuman coincidences form another, and very important class of
superhuman signs. In these a man's acts or sayings are confirmed
by natural events coinciding with them in a remarkable manner. For
example, suppose a prophet claimed to have a revelation from God;
and, as a proof of this, invited the people to witness a sacrifice on a
cloudless day. He then killed an animal, and placed it on an altar of
stones, but put no fire under it, and even threw water over it.
Suddenly, however, a thunderstorm arose, and the sacrifice was
struck by lightning. Now the thunderstorm might have arisen and
the lightning might have struck on that particular spot, in strict
accordance with natural laws. Yet the coincidence of this occurring
just when and where the prophet wanted it, would tend strongly to
show that God, Who must have foreknown and designed the
coincidence, meant to confirm what the prophet said.
Or, to put the argument in other words, the lightning would seem to
have struck the sacrifice on purpose; and therefore such events have
been popularly described as natural forces acting rationally. Of
course, as a rule, the forces of nature do not act rationally. A falling
meteorite, for instance, does not go a yard out of its way to kill
anyone, or to spare him. Man, on the other hand, does act rationally.
His acts are directed for a purpose, and thus show design. And, in
the events we are considering, the forces of nature seem also to act
with a purpose; and this makes it probable that the Author of these
forces was really acting with this purpose. In short, the events seem
to have been not only superhuman, but designed coincidences. And
they present no difficulty whatever from a scientific point of view, as
they are part of the ordinary course of nature.
Of course, the value of such coincidences varies greatly according to
whether the event is of a usual or unusual character. In the latter
case, more especially if the event is very unusual or the coincidence
very striking, they are popularly called miracles. And they may have
considerable value, though there is always a slight chance of the
agreement being, as we might say, accidental.
(B.) Supernatural Signs.
We pass on now to supernatural signs or Miracles in the strict sense;
which we will define as marvels specially worked by God as signs to
confirm a revelation. This definition has, of course, been chosen so
as to suit the miracles recorded in the Bible, and it is really threefold.
In the first place, a miracle is described as to its outward
appearance. It is a marvel—that is to say, a strange and unusual
event, which we cannot account for, and which thus attracts
attention. Secondly, it is described as to its cause. This marvel is said
to have been specially worked by God—that is to say, by some
action on His part different from His usual action in nature. While,
lastly, it is described as to its purpose; it is a marvel worked by God
as a sign to confirm a revelation.
The first of these aspects is expressed in the Old Testament by the
word wonder, the second by such phrases as God's mighty hand or
outstretched arm, and the third by the word sign; all these terms
being often used together. While in the New Testament the words
used are wonders, mighty works, and signs, which again exactly
correspond to these three aspects of the miracles. And it should be
noticed these aspects are not chosen merely to suit the present
argument, since other events can and ought to be looked at in the
same way, not as mere facts, but also with reference to their alleged
cause and purpose. And to show the great importance of this, we
will consider an event from modern history; and select the well-known
example of the Mont Cenis Tunnel.
Suppose, then, that anyone heard of this as a marvel only, the cause
and purpose being left out of account. Suppose, that is, he heard
that a small straight cavity of uniform size, and several miles long,
had been formed under a range of mountains; and that it had begun
as two cavities, one from each end, which after years of growth, had
exactly met in the middle. He would at once pronounce the event
incredible, for the cavity is quite unlike all natural cavities.
But now suppose the next point, as to its cause, to be introduced. It
is said to be something more than a natural cavity, and to be the
work of man. All previous difficulties would now vanish, but fresh
ones would arise. For numbers of men must have worked together
for years to excavate such a cavity, and from what we know of
human nature, men will only do this for commercial or profitable
ends, and not for boring useless holes through mountains; so the
event is still practically incredible.
But now suppose the last point of purpose to be introduced. It is
said that this is not a mere useless hole bored through a mountain;
but a hole bored for a particular purpose; it is, in fact, a railway
tunnel. Then all difficulties would disappear. Of course, whether we
believe the tunnel was actually made depends upon what evidence
we have; but it is clear that when we consider the cause by which,
and the purpose for which, it is said to have been made, there is
nothing incredible about it.
Now a similar method must be adopted in regard to miracles. They
must not be regarded simply as marvels, but as marvels said to have
been brought about by an adequate cause, and for a sufficient
purpose. And it is just these elements of cause and purpose which
may make the marvels credible. We will consider these points in
turn.
(1.) Miracles as marvels.
The first aspect of miracles is that of marvels. As such, they are
events which seem to be contrary to our experience—contrary, that
is, to what our experience of apparently similar events would lead us
to expect. Suppose, for instance, it were stated that on one occasion
three men were thrown into a furnace, but instead of being burnt to
death they walked about, and in a few minutes came out alive and
unhurt.
Such a marvel would be contrary to our experience, and that it
would be therefore very improbable is obvious. But is this
improbability sufficient in all cases to make the event incredible, no
matter what testimony there may be in its favour? Hume's argument
that it is sufficient is well known. He says we can only judge of the
probability of anything, whether it be the occurrence of an event, or
the truthfulness of the narrator, by experience. And as it is contrary
to experience for miracles to be true, but not contrary to experience
for testimony to be false, the balance of probability must always be
against the miracle.
But of course this reasoning, if true, must apply to all alleged events
which are contrary to experience; and yet such events have occurred
by the thousand. Let us take a single example. Everyone has had
some experience as to how far it is possible to hear the human voice
distinctly, and till the last half century, the limit has always been
fixed at a few hundred yards. Now, suppose anyone were told for
the first time that it was possible to speak right across England, he
would justly say that it was utterly contrary to experience. No one,
he would think, could possibly speak loud enough to be heard even
twenty miles away. But ought he to add that it was therefore
incredible?
From this it is clear that there must be some flaw in Hume's
argument; and it is easily discovered. For the argument regards the
event only as a marvel, and without reference to its cause. But we
have no right to leave this out of account, nor do we in ordinary
affairs. When anyone first hears of a marvel, he does not merely
compare it with his previous experience, and then come to a
decision; in which case, as Hume supposes, it might be always
against the marvel. But he first inquires how this strange event is
said to have been brought about. For if any cause is stated to have
been at work as to the influence of which he knows nothing, then he
has no experience of the proper kind to appeal to. There is the
testimony in favour of the event as before; and if he disbelieves it,
he does so, not because it is contrary to his experience, but because
he thinks the supposed cause either did not exist, or would not have
had the effect asserted.
A reference to the previous example will make this quite plain. When
the man first heard of persons talking across England, instead of at
once declaring it incredible, he would, if a reasonable man, inquire
as to the cause of this. He would then be told that a wire was
stretched across England with an instrument called a telephone at
each end. Now, as to the possibility or adequacy of such a
contrivance he might doubt a good deal; but one thing would be
quite clear, that this was a case to which his experience, however
large, did not apply.
Here, then, is the explanation of Hume's argument. So long as a
marvel, contrary to experience, is regarded only as a marvel, the
probability must be always against its truth. But if we inquire as to
how it was brought about, and find that some cause is said to have
been at work, as to the influence of which we are ignorant, then the
argument is no longer applicable. We have simply no experience of
the proper kind to appeal to.
Now this is precisely the case with regard to miracles. As marvels
they seem contrary to experience; but they claim to have a special
cause, to be specially worked by God—that is to say, by some action
on His part different from His usual action in nature; and of the
influence of this cause we have no experience whatever. We may, of
course, deny its existence or doubt its adequacy; but the argument,
that the event is contrary to experience, vanishes.
It is clear then that the fact of miracles appearing to be contrary to
experience is no reason for disbelieving them, though it might be a
reason for disbelieving other alleged marvels, because they claim to
have a special cause, by which to account for this special character.
We have now to examine whether this special cause really existed—
that is to say, we pass on to the second aspect of the miracles; our
conclusion thus far being that they are credible as marvels, if it be
credible that they were specially worked by God.
(2.) Miracles as special works of God.
Now, any special action on God's part is often thought to present
great difficulties, as interfering with the uniformity of nature. But, as
we shall see, it would only interfere with it in the same way that
human action interferes with it. Neither of them violates the laws of
nature, though both are able to bring about results which nature of
itself could not have brought about.
In the case of human action this is quite obvious. Suppose, for
example, a clock with an iron pendulum is placed on a table and
keeps perfect time. Suddenly, without anyone touching it, it begins
to gain rapidly, and then, after a short time, goes on as before. To
anyone unacquainted with the cause, this would appear a marvel:
and might even be thought incredible, as (assuming the clock to be
properly constructed) it would seem to imply some alteration in the
laws of motion, or the force of gravity. Yet we know a man can easily
produce such a marvel by holding a magnet under the table. The
disturbing cause, it will be noticed, was not really the magnet, which
always acts according to law; nor the hand which held it; but the
action of the human will on matter. This took place in the man's
brain, and enabled him to move first his hand, and then the magnet.
Thus we may say the marvel was produced by natural means
supernaturally applied; for the magnet was undoubtedly a natural
means, yet nature of itself would never have used it in the way
described. It required something above nature (something super-
natural) and this was the free will of man.
Now, miracles claim to have been produced in a somewhat similar,
though to us unknown, manner by the action of God's Will on
matter, that is to say, by natural means supernaturally applied; and,
if so, they are certainly credible, under this head. For we know that
God has the power of acting on matter, and that He used it once in
creating the universe, so He might use it again if He thought fit.
Moreover, God's knowledge of the laws of nature is complete, while
man's is only partial. As, then, man, with his limited power over
nature and partial knowledge of its laws, can produce marvels so
unlike nature's ordinary course (a steam engine, for instance), yet
without violating any of its laws; still more can God, Who has
complete power over nature, and complete knowledge of its laws.
For to deny this would be to deny to God the power which we
concede to man; and which we must remember, God Himself has
given to man. And this would lead to the strange conclusion that
God has enabled man to do what He cannot do Himself. No doubt
we cannot imagine how God can exert His Will over matter, but
neither can we imagine how we can do it ourselves. The difficulty is
as great in the one case as in the other.
From this it is clear that miracles need not violate natural laws. And
though at first one might be inclined to dispute this with regard to
particular miracles; the statement is quite correct, provided we make
due allowance for our own ignorance. Take, for example, the
supposed case of the men in the furnace. We certainly do not know
how their bodies were kept cool, but we cannot say it was
impossible. For extreme heat, and even extreme cold, may be very
close together, as is shown by the well-known experiment of freezing
mercury inside a red-hot crucible. As a mere marvel this is quite as
wonderful as the men in the furnace; and an ignorant man would
probably pronounce both to be equally incredible.
Or, to take another example, suppose it were said that on one
occasion a few loaves of bread were miraculously increased so as to
feed some thousands of persons: could we say that this must have
violated natural laws? Certainly not, for bread is composed of
carbon, and other elements, which were in abundance all round.
And though we only know one way of forming them into bread,
which is by means of a living plant, we cannot say that this is the
only method. Indeed, there is nothing incredible in substances like
bread being made artificially some day. Of course in all marvels
produced by man, we know the special cause at work, but this does
not justify us in saying that in a miracle, merely because we do not
know it, the laws of nature must be violated.
Moreover there is much to be said in favour of what is usually called
God's immanence in nature, but which would perhaps be better
described as nature's immanence in God.[9] This means that all
natural forces are due to the present and immediate action of God's
Will; and if it is correct, it greatly lessens the difficulty as to miracles.
For then there would be no interference with nature at all, leave
alone violating its laws, God would be working there all the time,
only in a miracle He would not be working in exactly the same way
as in ordinary events.
[9] Acts 17. 28; Col. 1. 17.
But in any case there is, as we have shown, nothing incredible in the
way in which miracles are said to be caused, provided it is credible
that God should wish to use His power over nature in the assumed
manner; for natural forces are anyhow His servants, not His masters.
And this brings us to the third aspect of the miracles; for whether
God would wish to act in a certain way depends of course on what
purpose He had in doing so.
(3.) Miracles as signs.
Now the purpose for which miracles are said to be worked is as
signs to confirm a revelation. Therefore, since we have already
shown that it is somewhat probable that God would make a
revelation, we have now only to inquire whether miracles are
suitable means for confirming it. And they appear to be the most
suitable means possible; for they would both attract men's attention
to the revelation, and also convince them of its superhuman
character; which are precisely the two points required.
It may still be objected, however, that God's character, as shown by
nature, is Unchangeable; and therefore it is most improbable that He
would at times act in a special manner with regard to natural events.
And the more nature is studied the stronger does this objection
appear; since there are thousands of cases, such as storms and
earthquakes, when it seems to us that a slight interference with
nature would be most beneficial to man, yet it never occurs. Or the
objection may be otherwise expressed by saying that a miracle
would reflect on either the Wisdom or the Power of God; since, if
All-Wise, He would have foreseen the occasion, and if All-Powerful, He
would have provided for it; so any subsequent interference with
nature is something like having to remedy a fault.
This is no doubt the most serious objection to miracles, but it is by
no means insuperable. For, to begin with, God is a Free Being, Who
does not always act the same (Chapter I.). And when we turn to the
only other free being we know of, which is man himself, what do we
find? A man may, as a rule, act uniformly, yet on some special
occasion, and for some special reason, he may, and often does, act
differently; and why should not God do the same? Indeed the only
changelessness in a man which we could admire, would be that of
moral character, always and invariably acting right. And for all we
know the changelessness of God may be only of such a kind, and
this certainly would not prevent Him from acting in some special
manner, in order to obtain some special purpose.
Secondly, in the case before us, it is even probable that He would do
so, since the chief object of the miracles could not have been
obtained by the ordinary course of nature, though their immediate
effects might have been. For example, instead of healing men
miraculously, they might be healed naturally; but then there would
be no evidence that the healer was sent by God, and was speaking
in His name. In short, the messenger would be without credentials;
and, as we have already shown, this seems unlikely.
Thirdly, though miracles do not show God's changelessness in the
same manner as the unchanging course of nature, they are not
inconsistent with it. For no one supposes them to be after-thoughts
with God, but to have been planned from the very beginning. And if
God always intended to make a revelation to man, and always
intended that when He did so, He would confirm it by miracles, they
would involve no inconsistency or change on His part.
Fourthly, there may be some other attributes of God which miracles
show, and which the ordinary course of nature does not; such as His
superiority over nature itself on the one hand, and the interest He
takes in man on the other. One object of a revelation might be to
convince man that though God was the Ruler of the Universe, He yet
cared for man's happiness and valued his affections. And how could
such a revelation as this, be better confirmed than by an (apparent)
interference with nature for the benefit of man. For this would show,
as nothing else could show, both that there was a Being above
nature, and that He cared for man more than He cared for nature.
And it entirely agrees with what we decided in the last chapter, that
the whole of nature seems to be only a means to an end, the end
being the moral training of man, enabling, that is, a free man to
become a righteous man. And if so, it is out of the question to think
that in order to further this end—the very end for which nature itself
exists—God might not, if He thought fit, interfere with the course of
nature. We may therefore answer the objection in one sentence,
God is All-Good, as well as All-Wise, and All-Powerful; and His
Goodness might induce Him to use miracles, though by His Wisdom
and Power He might have dispensed with them.
We may now sum up the present argument. We showed that
miracles are credible both as marvels and as special works of God, if
it be credible that they were brought about as signs to confirm a
revelation. And we have now shown that, supposing God to make a
revelation, which we have already admitted, there is nothing
inconsistent with His character as far as we know it, and therefore
nothing in the slightest degree incredible, in His using such signs, as
one of the means of confirming its truth. On the whole, then, we
conclude that a Miraculous Revelation is certainly credible. Whether
one has ever been made will be discussed in the following chapters.
PART II.
THE JEWISH RELIGION.
CHAP. VIII. THAT THE ACCOUNT OF THE CREATION WAS DIVINELY
REVEALED.
" IX. THAT ITS ORIGIN WAS CONFIRMED BY MIRACLES.
" X. THAT ITS HISTORY WAS CONFIRMED BY MIRACLES.
" XI. THAT ITS HISTORY WAS ALSO CONFIRMED BY PROPHECIES.
" XII. THAT THE JEWISH RELIGION IS PROBABLY TRUE.
CHAPTER VIII.
THAT THE ACCOUNT OF THE CREATION WAS DIVINELY REVEALED.
(A.) Its General Principles.
(1.) Its pure Monotheism; admittedly true.
(2.) Its seven days need not be taken literally.
(3.) Its gradual development; admittedly true.
(B.) Its Detailed Order.
(1.) The earliest state of the earth.
(2.) Light.
(3.) The Firmament.
(4.) Dry Land.
(5.) Vegetation.
(6.) The Sun and Moon.
(7.) Fishes and Birds.
(8.) Land Animals.
(9.) Man.
(C.) Conclusion.
The accuracy of the narrative points to its having been Divinely
revealed.
Having decided in the previous chapters on the Existence of God,
and that it was credible that He might make a miraculous Revelation
to man; we pass on now to the Jewish Religion, which (as well as
the Christian) actually claims to be such a Revelation.
And the first argument we have to consider in its favour is that
afforded by the opening chapter of Genesis. It is urged that this
account of the Creation must have been Divinely revealed, since it
contains a substantially correct account of events which could not
have been otherwise known at the time. What then we have to
examine is, whether this narrative is nearer the truth, as we now
know it from geology and other sciences, than could have been the
case, if written by a man ignorant of these sciences. And the ancient
narratives of Babylonia, India, Persia, and elsewhere, show how far
from the truth mere human conjecture on such a subject is likely to
be.
While if we admit a revelation at all, there is nothing improbable in
some account of the creation of the world having been revealed to
man very early in his history, and being accurately preserved by the
Jews, while only distorted versions of it occur among other nations.
Indeed considering the common custom among ancient nations of
worshipping the heavenly bodies, animals, etc., no subject could
have been more suited for a first revelation than the statement in
simple language that all these were created by one supreme God.
We will now consider the general principles of the narrative, and
then its detailed order.
(A.) Its General Principles.
The most important of these are its pure Monotheism, its seven
days, and its gradual development, each of which we will notice in
turn.
(1.) Its pure Monotheism.
This alone renders it almost, if not quite, unique among similar
narratives. According to the writer, the whole universe, including
sun, moon, and stars, was all due to one God. And this is obvious
enough now, but it was not so when the narrative was written. For
other ancient accounts are either Pantheistic, and confuse God with
the universe; or Dualistic, and assume two eternal principles of good
and evil; or Polytheistic, and make the universe the work of several
gods. The Jewish writer, on the other hand, has kept clear of all
these theories; and he is admittedly right and all the others wrong.
(2.) Its seven days.
Next as to the seven days. Now it is generally assumed, doubtless
from their being referred to in the Fourth Commandment, that the
writer intended these days to be ordinary days of twenty-four hours
each, but this is at least doubtful. For ordinary days depend on the
sun, and would therefore have been impossible before the formation
of the sun on the fourth day; as the writer himself implies, when he
says that the division of time into days and years was due to the
sun.
Then there is the difficulty as to the seventh day, when God rested
from all His work. This, it will be remembered had no close, or
evening, and it is implied that it has continued ever since. For if God
only rested for twenty-four hours, and then set to work again it
would not have been a rest from all His work. But in this case, the
seventh day would represent a long period of time, and if so the
other days would probably do the same. Moreover the writer, or
compiler, of this very narrative, after describing the creation in six
days, says it all occurred in one day,[10] so he could scarcely have
thought the days to be literal.
[10] Gen. 2. 4.
There are thus great difficulties from the narrative itself in taking the
word day in its ordinary sense; and it seems better to consider it
(like so many terms in the Bible) as a human analogy applied to
God. Then God's days must be understood in the same way as God's
eyes or God's hands; and this removes all difficulties.
None of these terms are of course literally true, but they represent
the truth to man in such a way that he can to some extent
understand it. For example, the phrase that God gained the victory
by His own right hand clearly means that He gained it not with the
assistance of others, or with the help of weapons, but simply by His
own unaided inherent strength. It was such a victory as might in a
man be described as gained by his own right hand. And the same
may be said of the passage, The eyes of the Lord are over the
righteous, and His ears are open unto their prayers, and many
others which occur in the Bible. The terms hands, eyes, and ears,
when applied to God, are thus human analogies, which must not be
taken literally.
And in one passage at least the word day is used in a similar sense;
for we read "Hast thou eyes of flesh or seest thou as man seeth? Are
thy days as the days of man, or thy years as man's days?"[11] Here it
will be noticed days and years are applied to God in precisely the
same manner as eyes and seeing.
[11] Job 10. 4, 5.
Moreover similar terms occur all through the present narrative. Even
the simple words God said cannot be taken literally, for there was no
one to speak to. They must be meant in the sense that God thought,
or that God willed. And we have no more right to suppose the days
to be literal days than to suppose that God literally spoke. What we
are to suppose in the one case is that God—the Almighty One, for
whom nothing is too hard—created all things in such a way as might
to man be best represented by a simple word of command. And
what we are to suppose in the other case, is that God—the Eternal
One, to whom a thousand years are but as yesterday—created all
things in such periods of time as might to man be best represented
by six days. Vast as the universe was, man was to regard it as being
to God no more than a week's work to himself. In short, the time of
creation, however long in itself, was utterly insignificant in its
relation to God; to Him each stage was a mere day.
And this it may be added, is not a purely modern theory, made to
reconcile the narrative with science; for the Greek Jew, Philo, born
about B.C. 20, who knew nothing of geology, ridicules the idea of the
days of Genesis being literal, or representing any definite periods of
time.[12]
[12] Works of Philo Judæus, First book of Allegories of the Sacred
Laws, Yonge's translation, 1854, vol. i., p. 52.
(3.) Its gradual development.
Next, it must be noticed that, according to Genesis, God did not
create a perfect world all at once, but slowly built it up step by step.
At first the earth was waste and void, and only after it had passed
through several stages did it become fully inhabited. Moreover, at
every step (with two exceptions, the firmament and man, noticed
later on), God examined the work and pronounced it good. He
seems thus to have discerned a beauty and excellence in each
stage; though it was not till the close of the whole work that He was
completely satisfied, and pronounced it all very good.
And the narrative appears to be quite correct. For geology shows
that the formation of the earth, with its various inhabitants, was a
gradual process, not accomplished all at once, but slowly step by
step, through successive ages. And it also shows that these ages
were of such magnitude and importance that we cannot regard them
as mere preparations for man's coming, but as having a beauty and
excellence of their own, so that they well deserved to be called
good. But we may ask, how did the writer of Genesis know all this?
And then as to the way in which this development was brought
about. According to Genesis, each stage was due to what we may
call a Special Divine force, represented by a word of command from
God. And this also seems correct, for we cannot otherwise account
for the first appearance of the various groups, such as plants,
animals, and men. It is not disputed that these various stages may
have been evolved from the previous ones, e.g., the living from the
not-living, which the narrative itself suggests in the words, Let the
earth put forth grass; and also at its close, when it speaks of the
generations of the heaven and of the earth; which implies some kind
of organic descent, or evolution. Indeed the common expression
that God made, is probably used in the sense of evolved; since the
same word is employed in ver. 11 of fruit-trees making fruit
(translated bearing or yielding fruit); yet we know they do not make
fruit suddenly out of nothing, but slowly produce it.
What is disputed is, that this evolution took place merely under the
influence of natural development, and without the additional
influence of a new Divine force. And considering that all attempts to
effect a similar transition now have failed completely, it is not
unreasonable to suppose that there was some other and special
Cause at work then. Nor is it easy to see how some of the changes
could have been otherwise produced. Take, for instance, this very
subject of the origin of life. As far as we know, the only natural
mode in which life can begin is from a living parent, yet there was a
time when there were no living parents on this earth. How, then,
could it have originated, except by some process other than natural,
i.e., supernatural? Or, again, to take another instance, when the first
free being, whether animal or man, appeared on this planet, a force
totally different from all natural forces was introduced, and one
which could not have been derived from them alone.
And then there is another, and very interesting point, to notice. It is
that according to Genesis, these steps were not all of equal
importance. For while it describes most of them by the word made,
which, as just said, seems to mean here evolved; on three
occasions, and only three, it uses the word create. These refer to the
origin of the universe, of animal life (fishes and birds), and of man.
And this is very significant, when we remember that these
correspond to the beginning of matter, mind, and spirit; and are
therefore (as said in Chapter IV.) just the three places where
something altogether new was introduced; which could not, as far as
we can see, have been evolved from anything else. And this double
method of producing, partly by creating, and partly by making or
evolving, is again referred to at the close of the narrative, where we
read that God rested from all His work, which He had created and
made. So much for the general principles of the narrative, we pass
on now to its detailed order.
(B.) Its Detailed Order.
It will be remembered that in Genesis, after describing the earliest
state of the earth, there are eight stages in its development; two of