1-Windows Block Test Flashcards
Kernel
Heart of the OS
Fast and simple operations
Handles low level tasks such as hardware and thread management
Processor
Brain of computer
Runs in two modes: User and Kernel
User Mode (Processor)
Unprivileged/Restricted
Own private virtual address space
Isolates app to prevent alteration of outside data
Kernel Mode (Processor)
Privileged/Unrestricted
Shares address space
Can overwrite other programs and compromise system
Drivers
Software that enables communication between OS and hardware
Can communicate directly with hardware, or with lower level drivers
Come in two types: User mode and kernel mode
Three levels: High, intermediate, and low
Three categories: Software, Bus, and Device
User Mode (Driver)
Interface between apps and kernel-mode drivers or other OS components
Kernel Mode (Driver)
Interface with hardware, I/O, thread management, etc.
High Level (Driver)
Always depend on low level drivers
Ex: File system drivers
Intermediate Level (Driver)
Always depend on low level drivers
Divided into 3 categories: Function, Filter, and Software Bus
Low Level (Drivers)
Controls the bus to which hardware is connected
Does NOT depend on low level drivers
Ex: PCI bus drivers
Function Drivers
Intermediate Level
Handles reads/writes to a device
Typically created by device manufacturer and are required
Provides operational interface for device
Filter Drivers
Intermediate Level
Optional drivers
Provide additional functionality
Communicates with other filter or function drivers
Software Bus Drivers
Intermediate Level
Provides interface for high level drivers to attach to a set of child devices
Software Driver
Always runs in kernel mode
Not associated with hardware device
Created to gain access to data accessible only to the kernel
Bus Driver
Always runs in kernel mode
Ex: PCI bus, USB bus
Provides communication to several devices sharing a bus
Device Driver
Can run in kernel or user mode
Drivers necessary for the OS to communicate with an attached device
Boot Phases
BIOS Phase (Preboot)
Boot Loader Phase
Kernel Phase
BIOS Phase (Boot process)
UEFI performs POST
MBR read in (IDs where system partition is)
runs bootmgr file
Boot Loader Phase (Boot process)
Windows Boot Manager launched (Reads in BCD to HKLM\BCD00000000)
Windows Boot Loader launched (Starts Winload.exe)
Boot Manager and Loader load Kernel into memory
Kernel Phase (Boot process)
Loads registry and drivers marked as "BOOT_START"
Launches Session Manager (smss.exe)
User session processes launched
Launch Services
Winlogon.exe (logon screen)
User session created
FAT and NTFS
Two Windows file systems
FAT
File Allocation Table
MS-DOS to Windows ME
Does not support file compression or encryption
FAT16
Drives up to 16GB; max file size 2GB
FAT32
Drives up to 16TB; max file size 4GB
exFAT
Drives up to 512TiB - 64ZiB; max file size approx 128 PiB
NTFS
New Technology File System
Win NT to Win 10
Drive size up to just under 16EB, max volume size 256TB
Supports EFS (Encrypting File System)
Supports User/Group permissions
Uses a change log to track system changes
Supports VSS (Volume Shadow Copy Service) - Backs up files currently on the system
Dynamically remaps corrupt sectors so the system doesn't use them
NTFS Permission Types
NTFS Permissions and Share Permissions
NTFS Permissions
Basic Permissions: Read, Read and Execute, Write, Modify, List Contents, Full Control
Advanced Permissions available for more granular control
Can be inherited
Share Permissions
Less granular control
Full Control, Change, Read
Only applies to files on network share
File Permission Priorities
Local Files use only NTFS permissions
Remote files use NTFS AND Share permissions (Most restrictive applied first)
User permissions are cumulative with group permissions
Inherited vs Explicit Permissions
Inherited: Inherited from parent folder
Explicit: Assigned directly to file/folder. Take precedence over inherited permissions
Explicit Deny > Explicit Allow > Inherited Deny > Inherited Allow
Copy within NTFS partition
Creates NEW FILE, inherits permissions of target folder
Moving across NTFS partition
Creates NEW FILE and deletes old one, inherits target folder permissions
Moving within NTFS Partition
Does NOT create new file, updates location in directory and keeps original permissions
Moving/copying from NTFS partition to FAT partition
Lose attributes and security permissions
Retain long file names
Registry
Central hierarchical database that stores config info for system to run
Windows continually references during operation
Registry Root Keys
Root Keys:
HKEY_LOCAL_MACHINE: Config info for OS
HKEY_USERS: User profile Info
Linked Keys:
HKEY_CLASSES_ROOT: HKLM\SOFTWARE\Classes
HKEY_CURRENT_USER: HKU\SID
HKEY_CURRENT_CONFIG: HKLM\SYSTEM\CurrentControlSet\HardwareProfiles\Current
Registry Structure
Keys - Comparable to Folders
Values - Comparable to Files
Value Types:
Binary: REG_BINARY - Binary data
String: REG_SZ - null-terminated string
Multi String: REG_MULTI_SZ - Sequence of null-terminated Strings
Expandable String: REG_EXPAND_SZ - Environment Variables
Double Word: REG_DWORD - 32 bit number
Quadruple Word: REG_QWORD - 64 bit number
Data - Content determined by the value's type
SID
Unique value identifying users or groups
"Well known SIDs" exist for static values such as administrators group
Made up of Domain Identifier (IDs Domain or Computer) and Relative ID (RID, Unique value identifying user, group, or account)
GUID
128 bit number used to ID software or hardware versions
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System location - runs for any user who logs in
HKU\Software\Microsoft\Windows\CurrentVersion\Run
Runs only for the specific user
Remote Desktop Config
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Set fDenyTSConnections to 0 to enable RDP, 1 to disable
Modify Services through Registry
HKLM\SYSTEM\CurrentControlSet\Services
Binary must know how to communicate with the services controller
Delete or move files on reboot
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Value: PendingFileRenameOperations
Data: Absolute File Path for the moving/deleting of certain files
Windows Defender Exclusions (Registry)
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Value: Absolute Filepath to a folder
Data: REG_DWORD 0x0
Excludes filepath from Windows Defender actions