
How does Windows or IIS protect a certificate or its private key?


My question is of a basic nature, and I think that it boils down to constraining file system and registry access, but I would like to have that confirmed by someone who has Windows experience.

In general, given an SSL certificate and private key stored in a certificate store, there are three options for the operating system or an application like a webserver to access it:

  1. No password protection. Anything with access to the certificate store can access the certificates and keys it holds;
  2. Password protected. On starting the server or service someone needs to manually enter the password;
  3. Password protected. Password is stored somewhere on the machine. On starting this stored password is used. 


I am not familiar with how Windows or IIS handle this, but I expect it works somehow similarly under the hood. My problem is I don't know for sure. How is IIS able to use the certificate in Windows if no one enters its password? Or is the password just stored in the registry?

I am familiar with using option 3 in non-Windows environments. There the password storage is protected using file access controls.

I wonder if Windows is more secure, or if I just do not know where to look and in my case it's just security by obscurity.

So my question: could someone who knows how Windows/IIS handles this explain options 2 and 3, and whether there is some other magic going on?

Btw, I'm not interested at the moment in solutions like an HSM or a nifty remote service monitor which automatically logs on and enters the password. Just how Windows handles this normally.

Using Google I have found various answers that explain things in general. They all return to the three options mentioned and tell me to have faith. That is my interpretation, at least.

The following two sites seem to explain it in a more Windows-specific way, but I cannot deduce whether they indeed confirm that option 3 in Windows just stores the password somewhere in the registry.

  • [CodingHorror] Keeping Private Keys Private
  • [RootSecurity] How to export “non-exportable” certificates from the Microsoft Certificate Store
