04 Flashcards

1
Q

___________ Used by winlogon.exe to start the user’s desktop process. (process name)

A

Userinit.exe

2
Q

____________ Started by winlogon.exe to retrieve user credentials. (Process name)

A

Logonui.exe

3
Q

____________ contains a SID sub-key for all loaded user profiles
(registry keys)

A

HKU User

4
Q

____________ contains specific information about the hardware, software, and preferences for all users who log into the system
(registry keys)

A

HKLM Local Machine

5
Q

____________ contains the user profile environment settings of the interactively logged-on user
(registry keys)

A

HKCU

6
Q

___________ is used to establish the current hardware configuration
(registry keys)

A

HKCC

7
Q

___________ is used to associate file types with programs that are used to open them. (registry keys)

A

HKCR

8
Q

Which of the following are HKLM subkeys?
BCD000000000
Hardware
SAM
SECURITY
NTUSER
APPEVENTS
SYSTEM
SOFTWARE
NTDS
SERVICE

A

BCD000000000
Hardware
SAM
SECURITY
SYSTEM
SOFTWARE

9
Q

__________ uses user authentication packages to perform user credential verification

A

lsass.exe

10
Q

The hypervisor context in the lower section of kernel mode exists to increase security. T/F?

A

True

11
Q

____________ is the lower section of kernel mode, where the Hyper-V hypervisor executes, providing a security buffer between the hardware and the actual kernel of the OS

A

Kernel Mode (Hypervisor Context)

12
Q

___________ is the kernel process. When executed during the boot sequence, it provides the kernel and executive functions within kernel mode.

__________ and ___________ run in this context

A

ntoskrnl.exe

Hardware Abstraction and Native API DLLs

13
Q

___________ is a kernel-loadable module that operates between the hardware and the Windows executive so that applications and device drivers do not have to be aware of hardware-specific information

A

HAL

14
Q

The ________ is the lower layer of ntoskrnl.exe and provides fundamental mechanisms used by the executive components and low-level hardware architecture support

A

Kernel

15
Q

What are the kernel's four main responsibilities?

-
-

A

Thread Scheduling
Interrupt and Exception Handling
Low-level processor synchronization
Power failure recovery

16
Q

The ____________ is the upper layer of ntoskrnl.exe and is the Windows system call handler that verifies and provides kernel services

A

Executive

17
Q

___________ provides a standardized interface for every system object

___________ enforces local security policy

____________ creates, manages, and terminates processes and threads

____________ provides private address space for each process

____________ processes all file and I/O requests; responsible for dispatching to device drivers as well as plug and play capabilities

___________ passes messages between client and server processes on the same computer

___________ responsible for implementing and managing the registry

A

Object Manager

Security reference monitor

Process Manager

Virtual memory manager

I/O manager

Asynchronous local inter-process communication

Configuration Manager

18
Q

Object criteria

  • C
  • H
  • P
  • D
  • SS
A

Each object belongs to a statically defined class. A few object classes are file, key, process, and thread

A process references objects via handles and must own a handle to an object before its threads use the object

Objects use pointers to reference and use other objects within kernel mode

Objects use hierarchical directories and naming structures in order to distinguish one object from another, query objects, and provide a way for processes to share objects.

Objects are protected by object-based security and support synchronization

19
Q

The Object header stores data and is used by the _____________ to manage objects regardless of their type or class

The _________________ is responsible for the object body

A

Object manager

Executive manager, responsible for whatever data type is in it

20
Q

Object header attributes

_____________ Makes an object visible to other processes for sharing

____________ determines who can use the object and what they can do with it

___________ counts the number of times a handle has been opened by an object

___________ points to a type object that contains attributes common to objects of this type

_________ counts the number of times a kernel mode component has referenced the address of the object via a pointer

A

Object Name

Security Descriptor

Open Handle Count

Object Type

Reference Count

21
Q

What are the two phases of object retention and their steps?

A

Name Retention
When the handle count hits zero, the name is deleted from the global namespace

Object Deletion
When the reference count hits zero the object is released; when both the reference count and the handle count hit zero the object is deleted

22
Q

Where does the security descriptor source its information from? (3 things)

A

Default information depending on OS version and policies

inherited from a parent object

explicit permissions set by a user (ACL)

23
Q

What are the two types of ACLs in the security descriptor and how are they described?

A

DACL
- empty DACL - no one can access it
- null DACL - anyone can access it

SACL - controls how the system audits object access attempts

24
Q

The ______ enforces security policies, guarding kernel mode resources by performing object access protection and auditing

A

SRM Security reference monitor

25
Q

What are the resources that the process manager requires?
HEAP IT

A

A List of open HANDLES to resources that all threads in the process use

An EXECUTABLE program (image file)

An ACCESS TOKEN that identifies the user, security groups and privileges associated with the process

A PRIVATE virtual address space

A Unique IDENTIFIER that is called a process ID (PID)

At least one THREAD of execution

26
Q

What are the seven stages of process creation?

Stage 1:
Stage 2:
Stage 3:
Stage 4:
Stage 5:
Stage 6:
Stage 7:

create executive process object

Executable calls create process function

subsystem notifications

system call opens the image file

finalize new process initialization

create initial thread

start execution of initial thread

A

Stage 1: Executable calls create process function

Stage 2: system call opens the image file

Stage 3: create executive process object

Stage 4: create initial thread

Stage 5: subsystem notifications

Stage 6: start execution of initial thread

Stage 7: finalize new process initialization

27
Q

What are the two main responsibilities of the Virtual Memory Manager (VMM)?

A

mapping a process's virtual address space into physical memory

swapping physical memory contents to disk when running threads or system code try to use more memory than is available

28
Q

Within a 64-bit address space the lower 128TB half is reserved for _________ while the upper 128TB half is reserved for _________

A

User Space
Kernel Space

29
Q

Another name for virtual address space is _________;
when it is mapped to physical memory it is called __________

Are they equally sized?

A

Page
Frame

yes

30
Q

What are the three states that pages can be in? What are their definitions?

A

Free: page is not mapped to a page frame address

Reserved: Allows a thread to reserve a range of virtual addresses that are about to be committed

Committed: pages are mapped to a page frame address

31
Q

If a reference to a page is invalid for any reason, a ___________ is generated

A

page fault

32
Q

What are some of the reasons a page fault can be generated?

A

accessing a page that has been swapped out to disk
accessing a page that is not committed
attempting to write-to a page that is read-only
executing code in a page that is marked as “no execute”

33
Q

Windows provides _____________ to keep processes from potentially corrupting unauthorized address space

What are some of the ways it does this?

A

Private virtual address space
ACLs
No Execute
hardware-controlled memory protection

34
Q

____________ connects applications and system components to virtual, logical, and physical devices

A

I/O Manager

35
Q

The ____________ facility is a message-passing mechanism used to pass requests and results between a client and a server process within a single machine

A

ALPC Asynchronous local inter-process communication

36
Q

______________ is responsible for implementing and managing the system Registry.

A

Configuration Manager

37
Q

Windows uses what mechanism to ensure drivers are approved for use?

A

driver signing