Series

The Windows Security Wars

6 parts of 6

  1. 69 min read

    In 1995-2001 the worms won. The Trustworthy Computing memo and the ten-week Windows Security Push that followed taught the industry how to ship secure software.

  2. 72 min read

    How Microsoft re-engineered Windows around security between January 2002 and October 2009 -- and why a wormable RCE patched on October 23, 2008 still infected nine to fifteen million machines.

  3. 62 min read

    Microsoft killed the rootkit class with AppLocker, Secure Boot, ELAM, and AppContainer. Then a side project in C named Mimikatz proved the wrong layer had been hardened.

  4. 66 min read

    Windows 10 ships Virtualization-Based Security and finally puts the credential store above the kernel -- in the same five years that ransomware became a billion-dollar industry.

  5. 74 min read

    Four incidents in thirteen months -- SolarWinds, ProxyLogon, PrintNightmare, Log4Shell -- broke four Windows architectural assumptions and forced the Zero Trust pivot the industry had on the shelf since August 2020.

  6. 57 min read

    How Storm-0558, CrowdStrike, and the Recall saga forced Microsoft to admit the biggest attack surface on a modern Windows PC is no longer the OS itself.

Related tags

#windows-security #security-history #sdl #trustworthy-computing #code-red #threat-modeling #malware-history #microsoft #history #vista #uac #patchguard #conficker #aslr #mimikatz #stuxnet #pass-the-hash #credential-theft #applocker #secure-boot #lsass #virtualization-based-security #credential-guard #hvci #ransomware #wannacry #notpetya #meltdown-spectre #zero-trust #supply-chain #solarwinds #log4shell #printnightmare #proxylogon #crowdstrike #storm-0558 #secure-future-initiative #wesp #recall #ai-security