03

Question 1

___________________ Volatile hive created at boot that contains hardware information provided by the firmware (HKLM sub-key)

Answer 1

HKLM/Hardware

Question 2

_____________________ contains boot configuration data, used with 6.* and 10.* architectures (HKLM sub-key)

Answer 2

HKLM\BCD00000000000

Question 3

_____________ contains local account information as well as password values (HKLM sub-key)

Answer 3

HKLM/SAM

Question 4

____________ contains cached logons and local security policy (HKLM sub-key)

Answer 4

HKLM/Security

Question 5

__________ Contains a collection of sub-keys for various installed components and programs (HKLM-subkey)

Answer 5

HKLM\SOFTWARE

Question 6

__________ contains control sets from which HKCC is derived

Answer 6

HKLM/System

Question 7

_____________ contains information about currently installed hardware and contains several sub-keys with information that is generated during boot-up

Answer 7

HARDWARE Sub-Key

Question 8

____________ sub-key, contains all local account information

Answer 8

SAM sub-key

Question 9

___________ sub-key contains information about cached logons, policy, special accounts, and registry transaction (RXACT PACKAGE)

Answer 9

Security sub-key

Question 10

___________ sub-key contains logon information for the last ten people

Answer 10

cache sub-key

Question 11

__________ sub-key contains a collection of sub-keys for various installed components and applications

Answer 11

Software sub-key

Question 12

Important entries in the software sub-key

_______ defines current installation of windows

________list of executables that run on system start-up

________programs are deleted from key once executed (e.g., software updates)

________ similar to run but for services, (May not always be present

Answer 12

currentversion

currentversion\run

currentversion\runonce

currentversion\runservices

Question 13

Can the software sub-key be used to determine if the machine is a VM?

Answer 13

yes

Question 14

________ sub-key contains definitions, control sets, and information about removable media

Answer 14

System sub-key

Question 15

The select key contains
_______
_______
_______

Answer 15

Current
Failed
LastKnownGood

Question 16

What are the sub-keys for the control sets under System sub-key?

Answer 16

Control
Enum
Mounted Devices
Services

Question 17

What are the entries for control under controlsets?

_____________Local security authority. Validates security for local users.

____________ manages user’s session and basic start-up

___________System determines which edition is booted by querying registry values under HKLM\SYSTEM\CurrentControlSet\Control\Productoptions

Answer 17

LSA

Session Manager

Product options

Question 18

What are the entries for Enum under controlsets?

_________ Provides USB device information including a description and hardware identification. Useful for tracking usage of a particular USB-connected device across multiple machines.

_________ contains device driver information

Answer 18

USB/USBSTOR

SCSI

Question 19

_________ shows drives available to system (controlsets)

Answer 19

Mounted devices

Question 20

__________ contains information about services and drivers available to the system (controlsets)

Answer 20

Services

Question 21

Major sub-keys of HKCU include:

_________ user settings and defaults are stored here, including color schemes, appearance and accessibility options to name a few

_________ contains current session information

_____ contains installed software information

Answer 21

Control Panel

Session Information

Software

Question 22

HKCC is used to establish the current hardware configuration profile what are its two sub-keys?

_________ has a Microsoft sub-key, may have other application sub-keys

_________ contains objects that temporarily modify current control set

Answer 22

Software

System

Question 23

What are the Registry data types?

________ Raw binary data; hardware component information stored as binary data

________ Most common value type consisting of 32-bit numbers expressed in decimal or hexadecimal

_________ Fixed length text string

_________ A Variable-length text string allowing use of environmental variables

_________ contains lists or multiple text string values

Answer 23

REG_BINARY

REG_DWORD

REG_SZ

REG_EXPAND_SZ

REG_MULTI_SZ

Question 24

What command is used for editing the registry>

Answer 24

reg.exe

Question 25

___________ add an object or value to registry . registry path is root key or hive. Data type by default is REG_SZ unless another type is specified example? : C:

Answer 25

REG ADD reg add registrypath [data type] [\\Machine]

Question 26

_______ Displays registry object value command? example? C:

Answer 26

Reg query reg query keyname [/v valuename or /ve] [\\Machine]

Question 27

______ removes an object, it deletes a value forma remote machine example?

Answer 27

reg delete C:\>reg delete registrypath [//Machine] NewPath [\\Machine]

Question 28

________ changes path or moves to another machine example?

Answer 28

reg copy C:\>reg copy OldPath [//Machine] NewPath [\\Machine]

Question 29

_______ Loads a hive file example?

Answer 29

reg load C:\>reg load registrypath [filename]

Question 30

________ Code written for adaptability and change to meet ever-changing market demands. (windows architecture)

Answer 30

Extensibility

Question 31

_________ Support multiple hardware architectures and must be adaptable for innovations and new technologies. (windows architecture)

Answer 31

Portability

Question 32

_________ Protect itself from internal malfunctions and faulty applications. (windows architecture)

Answer 32

Reliability

Question 33

__________ Meet government and industry requirements for system security and protections against external tampering. (windows architecture)

Answer 33

Security

Question 34

________ User interface and API must provide extended legacy support and integration with other systems, such as UNIX. (windows architecture)

Answer 34

Compatibility

Question 35

________ Fast and responsive while meeting the constraints of the other design goals. (windows architecture)

Answer 35

Performance

Question 36

The ______ runs in the most p[riviliged ring of the CPU (RIng ___) known as __________

Answer 36

Kernel 0 Kernel Mode

Question 37

The OS Interface and user applications execute in the least privliged ring of the CPU (Ring __) known as __________

Answer 37

3 user mode

Question 38

Kernel mode RIng 0 characteristics - - -

Answer 38

Access too all system memory and entire CPU instruction set Kernel mode OS and device driver code share address space privileged to perform almost any action closest to hardware

Question 39

User mode Ring 3 characteristics - - - -

Answer 39

Greatly limited in permission and authority OS interface and system software User Applications Closest to User

Question 40

____________ determine the environment a user operates in, how that user gets authenticated, how the user accesses resources, etc

Answer 40

Processes

Question 41

The __________ process is loaded by the kernel during the boot process and is the first user mode process to start, WHAT LOADS THIS?

Answer 41

Session Manager NTOSKRNL.exe

Question 42

WHAT LOADS THE SUBSYSTEM? What are the components of the windows subsystem? ________ THE subsystem process. Subsystem DLLs run in the context of this process ________ contains code that gives programs access to system functions _______ contains basic functions, such as window management, user input , text, etc ________ part of the windows graphic device interface that enables programs and applications to use graphics and formatted text on the video display and printer _____ part of an advanced API services library supporting numerous APIs including security and registry calls _____ itroduced with 6.1 architectures, it contains a combination of functions and code originally contained in kernel32 and advapi32 libraries _____ Subsystem kernel mode device driver that performs the following Controls window displays; manages screen output; collects input from keyboard, mouse, and other devices; and passes user messages to applications.  Serves as the GDI for line, text, and graphics manipulation.

Answer 42

SMSS.EXE csrss.exe kernal 32.dll user32.dll gdi32.dll advapi32.dll kernealbase.dll win32k.sys

Question 43

Of the product type registry values, WinNT, LanmanNT, ServerNT What do each represent?

Answer 43

Windows workstation OS Windows server Domain COntroller OS Windows Server OS

Question 44

What process initializes file swap? What process loads this?

Answer 44

pagefile.sys SMSS.exe

Question 45

What process starts windows initialization process? What loads before this process?

Answer 45

wininit.exe CSRSS.exe

Question 46

What process is loaded by the kernel during the boot process and is the first user mode process to start?

Answer 46

smss.exe session manager

Question 47

What process acts as a message handling intermediary between the console and crss.exe to protect against certain exploits?

Answer 47

conhost.exe

Question 48

What process is after csrss.exe and what are its sub processes? what are each responsible for?

Answer 48

winint.exe services.exe (service control manager) managing services Lsass.exe (authentication for user credentials)

Question 49

What process follows wininit.exe? Can there be multiples of these? What does it do?

Answer 49

SMSS.EXE(1) yes for every user logged in, duplicating CSRSS.exe and all its dependencies

Question 50

SMSS.exe(1) what does this new session initialize following CSRSS.exe(1)? What does it do? What are the three processes it initiates?

Answer 50

winlogon.exe -handles interactive user logon and logoffs Logonui.exe userint.exe explorer.exe

Question 51

What process is the king of the whole boot sequence?

Answer 51

NTOSKRNL.exe

Question 52

What is the order of the boot processes? SMSS.EXE (1) Services.exe LSAASS.exe Winit.exe CSRSS.exe (0) WinLogon.exe(1) LogonUI.exe(1) Userinit.exe(1) SMSS.EXE(0) CSRSS.exe(1) pagefile.sys explorer.exe NTOSKRNL.exe kernal32.dll user32.dll gdi32.dll advapi32.dll kernalbase.dll win32k.sys conhost.exe

Answer 52

NTOSKRNL.exe SMSS.EXE pagefile.sys win32k.sys Csrss.exe(0) kernal32.dll user32.dll gdi32.dll advapi32.dll kernalbase.dll win32k.sys conhost.exe WIniit.exe (0) Lssas.exe (0) services.exe (0) Smss.exe(1) Csrss.exe(all dependency's) winlogon.exe(1) logonui.exe userinit.exe explorer.exe

Question 53

What process is responsible for the whole desktop?

Answer 53

explorer.exe

Question 54

______ acts as the emulator for allowing 32-bit applications to run seamlessly on a windows 64.bit OS

Answer 54

Wow64

Question 55

_______ core interface tha translates between 32-bit and 64-bit calls

Answer 55

wow64.dll

Question 56

_______ provides architecture specific support and manages switching the CPU between 32-bit and 64-bit modes

Answer 56

wow64cpu.dll

Question 57

____ intercepts GUI system calls exported by win32.sys

Answer 57

wow64win.dll

Question 58

where are the built-in 64 bit images (cmd.exe) and DLL's including wow64 DLLs located?

Answer 58

\Windows\System32

Question 59

Where are the 32 bit images and DLLs needed for redirection located?

Answer 59

\Windows\Syswow64

Question 60

The _____ contains internal support functions used by the subsystem DLLs and serves as the service call dispatch to the windows executive

Answer 60

ntd.dll Native API