Note: This blog post is designed to complement the accompanying video embedded at the top of the page. The video provides an in-depth, visual demonstration of the concepts and code discussed here, making it an invaluable resource for learners.
Windows Subsystem for Linux (WSL) first appeared in Windows 10 (Anniversary Update, 1607). It enables Linux binaries to run directly on Windows without recompilation. This capability is often described as “magical,” but behind the scenes there is a clear technical design.
WSL 1 vs. WSL 2
WSL has two versions. Version 1 executes Linux binaries natively through Windows mechanisms, while version 2 uses a lightweight virtual machine with a real Linux kernel. This post focuses on version 1, which is unique in how it simulates Linux system calls.
ELF Binaries on Windows
Linux binaries are compiled into ELF format, unlike Windows’ PE format. WSL 1 can load ELF binaries into a special type of Windows process. These binaries run as though they were native, despite not linking to Windows libraries.
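An added example, not from the original post or video: a small C classifier showing the header-level difference between the two image formats named above. The names `classify_image`, `image_info` and both sample byte arrays are constructed for illustration, and only little-endian ELF is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef enum { FMT_UNKNOWN, FMT_PE, FMT_ELF } image_format;
typedef struct {
    image_format format;
    int bits;                 /* ELF only: 32 or 64 */
    uint16_t type, machine;   /* ELF e_type (2=EXEC, 3=DYN), e_machine (62=x86-64) */
    uint64_t entry;           /* ELF e_entry */
} image_info;
/* Read an n-byte little-endian integer. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
image_info classify_image(const uint8_t *buf, size_t len) {
    image_info info = { FMT_UNKNOWN, 0, 0, 0, 0 };
    /* PE: "MZ" DOS header; e_lfanew at 0x3C points to "PE\0\0". */
    if (len >= 0x40 && buf[0] == 'M' && buf[1] == 'Z') {
        uint64_t off = rd_le(buf + 0x3C, 4);
        if (off <= len - 4 && memcmp(buf + off, "PE\0\0", 4) == 0)
            info.format = FMT_PE;
        return info;
    }
    /* ELF: e_ident starts 0x7F 'E' 'L' 'F', then class and data encoding. */
    if (len < 16 || memcmp(buf, "\x7f" "ELF", 4) != 0) return info;
    int cls = buf[4];                           /* 1 = ELF32, 2 = ELF64 */
    if (buf[5] != 1 || (cls != 1 && cls != 2)) return info; /* LE only */
    if (len < (cls == 2 ? 0x20u : 0x1Cu)) return info;      /* truncated */
    info.format  = FMT_ELF;
    info.bits    = (cls == 2) ? 64 : 32;
    info.type    = (uint16_t)rd_le(buf + 0x10, 2);
    info.machine = (uint16_t)rd_le(buf + 0x12, 2);
    info.entry   = rd_le(buf + 0x18, cls == 2 ? 8 : 4);
    return info;
}

/* Constructed samples: an ELF64 x86-64 header prefix and a bare MZ/PE stub. */
static const uint8_t sample_elf[32] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    3, 0,  0x3e, 0,  1, 0, 0, 0,  0x60, 0x10, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_pe[0x44] = {
    [0] = 'M', [1] = 'Z', [0x3C] = 0x40, [0x40] = 'P', [0x41] = 'E' };
int main(void) {
    image_info e = classify_image(sample_elf, sizeof sample_elf);
    printf("format=%d bits=%d entry=0x%llx\n", e.format, e.bits, (unsigned long long)e.entry);
    return 0;
}
```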
Pico Processes and the Pico Provider
Microsoft introduced a new concept: the pico process.
- A pico process begins as a “minimal process” with no Windows DLLs.
- Linux binaries and libraries are mapped directly into this process.
- When a Linux system call is issued, Windows identifies the pico process and diverts the call to the pico provider.
- The pico provider, a Microsoft driver, emulates Linux kernel behavior for that call.
This mechanism allows Linux applications to run without modification while Windows effectively “pretends” to be a Linux kernel.
Practical Implications
- Developers: Run Linux tools and workflows directly on Windows.
- Researchers: Study process structures, system call translation, and subsystem design.
- Students: Understand how Microsoft implemented Linux compatibility without virtualization.
Questions Answered in the Video
- What is WSL?
  A Windows feature that allows Linux binaries to run on Windows without recompilation.
- When did WSL first appear?
  In Windows 10, version 1607 (Anniversary Update).
- What is the main difference between WSL 1 and WSL 2?
  WSL 1 simulates Linux system calls inside Windows; WSL 2 runs a real Linux kernel in a lightweight VM.
- What is the file format of Linux binaries?
  ELF (Executable and Linkable Format).
- Why is ELF a challenge for Windows?
  Because Windows uses PE format, and ELF must be specially parsed.
- What is a minimal process?
  A Windows process with no DLLs or user-mode components, used internally by the kernel.
- What is a pico process?
  A process type created from a minimal process that loads Linux binaries.
- What is the pico provider?
  A Microsoft driver that handles Linux system calls for pico processes.
- Why doesn’t WSL 1 use the Linux kernel?
  Because system calls are intercepted and simulated by the pico provider instead.
- Can pico providers be written by third parties?
  No, only Microsoft can implement them, as they require privileged kernel access.
- How do Linux system calls differ from Windows system calls?
  They use different numbers, conventions, and parameters.
- Why doesn’t Windows automatically understand Linux syscalls?
  Because they have different kernels, so interception and translation are required.
- How are Linux processes shown in Task Manager?
  They appear as “normal” Windows processes with Windows PIDs, but with no Windows handles.
- Why do Linux processes show zero handles in Task Manager?
  Because Linux uses file descriptors, not Windows handles.
- Can Linux commands like ps, top, and dd run in WSL 1?
  Yes, they run inside pico processes and appear as Windows processes.
- What happens if you kill a Linux process in Task Manager?
  It terminates just like in Linux, since it maps to the same process.
- Where do Linux shared libraries (.so files) appear?
  They are mapped into the pico process memory space, visible in tools like Process Explorer.
- What happens when Linux system calls reach the Windows kernel?
  They are intercepted and redirected to the pico provider driver.
- Why did Microsoft create WSL 2?
  Because maintaining syscall simulation for an evolving Linux kernel became too complex.
- What is the future of WSL 1?
  It remains supported, but WSL 2 is the preferred version moving forward.
Why It Matters for TrainSec Students
Studying WSL 1 reveals how operating systems manage compatibility layers and process models. For security professionals, this knowledge is valuable when analyzing process internals, debugging, and understanding cross-platform interactions.
This explanation is part of the free TrainSec Knowledge Library, which provides in-depth technical resources for cybersecurity learners.