We all use one or more antivirus programs, an Internet Security Suite, or firewall software on our Windows computers. We keep them updated, apply zero-day patches, and keep hunting for a better anti-malware combination for better protection. But what most anti-malware programs do is provide us with application-level security. This is because the antivirus is itself loaded as an application. With such a system, our computers are still at risk during boot and also while invoking any other program. What we need to tackle such threats is an operating system that itself works like anti-malware software.

Windows Anti Malware Operating System
Windows 11/10/8.1 have some good security features to counter malware. We’ll look at these features while talking about possible vulnerabilities on any computer.
Trusted Boot
Any computer is most vulnerable just after you press the Power button. While it is booting, there is a time gap between the loading of critical OS components and the loading of the anti-malware. Many malware programs use this gap to manipulate the boot process and thereby compromise the computer or network.
Most advanced operating systems now apply different techniques to prevent boot-hijacking. One of the most accepted methods is Trusted Booting. In this method, the operating system first loads a component that verifies if the other components being loaded are indeed operating system files or files needed to run a particular application. If it finds any anomalies, the boot process is terminated.
Likewise, for “secure applications” that are considered part of the operating system and that the OS requires to work properly, the app signature is checked by the Trusted Start process. If the signature appears doubtful, the application won’t load, and you may or may not receive an error message, depending on the nature of the application.
Windows boot-time anti-malware protection
Windows supports four protection features to help prevent malware from loading during the boot process:
- Secure Boot. PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system boot loaders. This is Secure Boot.
- Trusted Boot. Windows checks the integrity of every component of the startup process before loading it.
- Early Launch Anti-Malware. ELAM protection technology tests all drivers before they load and prevents unapproved drivers from loading.
- Measured Boot. The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health.
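The Measured Boot item above, worked through from the trusted server's side. This is an added example, not code from Windows or from the original article: the component names and contents are constructed, the extend rule is the standard TPM SHA-256 operation, and verifying the TPM's signature over the quoted value is assumed to have happened already.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || event digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure(component: bytes) -> bytes:
    """Digest the firmware records for a component before running it."""
    return hashlib.sha256(component).digest()


def replay(event_log):
    """Recompute the final PCR value from an ordered list of (name, digest)."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def assess(event_log, quoted_pcr: bytes, known_good: dict):
    """Verifier side: return (healthy, list_of_reasons)."""
    reasons = []
    # 1. The log must reproduce the PCR value reported by the TPM,
    #    otherwise the log was edited or truncated after the fact.
    if replay(event_log) != quoted_pcr:
        reasons.append("log does not match quoted PCR")
    # 2. Every measured component must be one the verifier expects.
    for name, digest in event_log:
        if known_good.get(name) != digest:
            reasons.append(f"unexpected measurement: {name}")
    return (not reasons, reasons)


# Constructed sample data: component names and contents are illustrative only.
BOOT_CHAIN = [("bootmgr", b"boot manager v1"), ("winload", b"os loader v1"),
              ("elam-driver", b"elam driver v1")]
KNOWN_GOOD = {name: measure(blob) for name, blob in BOOT_CHAIN}

clean_log = [(name, measure(blob)) for name, blob in BOOT_CHAIN]
clean_quote = replay(clean_log)

# A boot where the OS loader was replaced: the firmware measures what it sees.
tampered_log = [clean_log[0], ("winload", measure(b"patched loader")), clean_log[2]]
tampered_quote = replay(tampered_log)

if __name__ == "__main__":
    print(assess(clean_log, clean_quote, KNOWN_GOOD))
    print(assess(tampered_log, tampered_quote, KNOWN_GOOD))
    print(assess(clean_log, tampered_quote, KNOWN_GOOD))  # stale log, fails step 1
```

Because each PCR value depends on every earlier measurement in order, a log that has been cleaned up after the fact no longer reproduces the value the TPM reports.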
Coming to the different applications we use on different operating systems, we tend to rely on third-party anti-malware, which keeps analyzing the different processes in real time and alerts you when anything suspicious is found.
Robust Windows Firewall
Though the Firewall was brought in early with Windows XP, it was weak. With subsequent versions of Windows, the OS-bundled firewall only improved. It keeps a real-time check on both incoming and outgoing packets and blocks any connection that acts suspiciously. The only downside (if you think it is one) is the lack of alerts, so people don’t know whether the firewall is indeed working. But you can always check the Firewall log from the Control Panel – Windows Firewall to see how the traffic/packets were handled. Today, the Windows firewall is truly a robust one!
RAM compartmentalization
Along with hack attempts that bypass firewalls, another problem with traditional operating systems is that they tend to conflate electronic memory (RAM bytes) with one or more programs. For example, if you are running programs A, B, and C at the same time, and if there is a need for some data to be stored for program B, the operating system will simply put the data into the next available empty cells. These data cells are not isolated, so other programs may snoop on them or even write to them to infect the computer.
The operating system provides a RAM compartment for each program and its data. That is a kind of sandboxed RAM. If program A is running in compartment 2, program B cannot store its code or data into the empty RAM cells allotted to program A. If more storage is needed, it falls back to the paging file on the hard disk.
In short, the operating system now ensures that each program runs in its own shell (designated area) and that other programs cannot manipulate its data, thereby reducing the chance of malware attacks and replication.
I do not know much about Mac and Linux, as I did not study them in depth. I know the previous versions of Windows were vulnerable. However, with Windows 8.1 and later, a trend appears to have emerged toward an “anti-malware operating system” that reduces vulnerabilities to a minimum.
If you have doubts about Measured Boot, Secure Boot, or Trusted Boot in Windows, or anything to add, please leave a comment below.