Yesterday, the BSI (the German Federal Office for Information Security, or Bundesamt für Sicherheit in der Informationstechnik in German) published the first result document from the “Windows dissected” (ger.: “Windows seziert”) project: our analysis of Windows Hello for Business (WHfB). If you have followed this blog over the past year, you have seen the pieces. The full 170-page report has now been published. And it can be downloaded from the project page.
WHfB is a system of systems, building on Windows components that have been around for years. The document follows that path: from an application (like LogonUi) through the biometric service and the biometric unit, including the storage adapter and the full database format back into LogonUi, LSASS, Windows Passport and Kerberos. The annex contains the exported RPC interfaces and partial documentation for WINBIO_FRAMEWORK_INTERFACE; these exist because Microsoft’s documentation does not.
The german speaking press has picked up on BSI’s press release. Heise.de has released a good overview with the key points, and others have picked up the discussion as well.
There are quite a few more reports coming up as part of the “Windows dissected” project, so stay tuned!
In case you’re interested, here are other recent Windows internals contributions from ERNW:
- Windows Hello for Business Research @ Black Hat USA 2025 and TROOPERS
- Related blog post: Windows Hello for Business – Faceplant: Planting Biometric Templates
- Related blog post: Windows Hello for Business – The Face Swap
- Related blog post: Windows Hello for Business – Past and Present Attacks
- Blog post: Windows Early Boot Configuration: The
CmControlVectorandPspSystemMitigationOptions - WinpMem: Volatility’s driver that lets malware volatilize @ Recon 2025
- Related white paper release
My colleagues offer different training in the Microsoft security space.
- The Entra ID Security Essentials training covers Windows Hello for Business from a practinioers perspective. It takes place in august, september and november.
- The Hardening Microsoft Environments training goes into way more depth on Kerberos authentication than out report! It takes place in october and december.