Windows Protection Hierarchy
Interactive diagram of Windows security privilege levels. Explore the boundaries between user mode, kernel mode, hypervisor, and firmware, and how each layer restricts access from below.
By Mohamed Habib Jaouadi • November 1, 2025
Understanding privilege levels and protection boundaries.
User Mode (Ring 3)
Standard application privilege levels
Protection Boundary
Kernel Mode (Ring 0)
Ultimate system authority
Protected Process Light (PPL) - Details
Privileges & Capabilities
- ✓ Protected from Admin/SYSTEM
- ✓ Only accessible by equal/higher signers
- ✓ Memory cannot be read
- ✓ Code injection blocked
Limitations & Restrictions
- ✗ Can be accessed by kernel drivers
- ✗ Requires proper signer certificates
- ✗ Subject to kernel debugging
- ✗ Vulnerable to BYOVD attacks
Key Insight
The kernel enforces PPL protection at Ring 0, creating a security boundary that even Administrator and SYSTEM accounts cannot cross. This is why tools like Process Explorer fail to access protected processes—the kernel refuses to grant the necessary handle permissions, regardless of your user privileges.
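To see the boundary described in the Key Insight from user mode, the following added example (not part of the original page) reads a process's protection level and then checks whether the kernel grants a memory-read handle. The function names `decode_protection` and `probe` are made up for this sketch; the constants are the documented Windows values for the access rights, the `ProcessProtectionInformation` class and the `PS_PROTECTION` byte layout.

```python
import ctypes
import os
import sys

# PS_PROTECTION is one byte: bits 0-2 = Type, bit 3 = Audit, bits 4-7 = Signer.
TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
           4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_PROTECTION_INFORMATION = 61  # PROCESSINFOCLASS value


def decode_protection(level):
    """Split a PS_PROTECTION byte into (type name, signer name)."""
    ptype, signer = level & 0x7, (level >> 4) & 0xF
    return (TYPES.get(ptype, "Unknown(%d)" % ptype),
            SIGNERS.get(signer, "Unknown(%d)" % signer))


def probe(pid):
    """Windows only: return (PS_PROTECTION byte, was PROCESS_VM_READ granted)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(ctypes.c_ubyte),
        ctypes.c_ulong, ctypes.c_void_p]
    # The limited query right stays available on protected processes (DACL permitting).
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    level = ctypes.c_ubyte(0)
    status = ntdll.NtQueryInformationProcess(
        handle, PROCESS_PROTECTION_INFORMATION, ctypes.byref(level), 1, None)
    k32.CloseHandle(handle)
    if status != 0:
        raise OSError("NtQueryInformationProcess failed: 0x%08X" % (status & 0xFFFFFFFF))
    # A memory-read handle is what the kernel refuses for PPL targets.
    reader = k32.OpenProcess(PROCESS_VM_READ, False, pid)
    if reader:
        k32.CloseHandle(reader)
    return level.value, bool(reader)


if __name__ == "__main__" and sys.platform == "win32":
    for pid in [int(a) for a in sys.argv[1:]] or [os.getpid()]:
        level, readable = probe(pid)
        print(pid, decode_protection(level), "VM_READ granted:", readable)
```

Run it from an elevated prompt with one or more PIDs as arguments; with no arguments it inspects its own process, which reports no protection and a granted read handle.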