Day 2

Question 1

PowerShell

Answer 1

an object-oriented, interactive command environment with scripting language features
uses some *Nix commands and has a LINUX version.

Question 2

Windows PowerShell Integrated Scripting Environment (ISE)

Answer 2

where the scripting language aspect of Windows PS generally takes place

Question 3

Versions

Answer 3

use the Get-Host cmdlet or the $PSVersionTable variable to show the current PS version

Question 4

aliases

Answer 4

use the cmdlet Get-Alias to show a list of aliase commands.
aliases are windows CLI and unix commands that work the same as a PS command
ex. dir is an alias for the Get-ChildItem cmdlet

Question 5

help

Answer 5

get-command lists all available cmdlets.
use Get-help to show help information for those cmdlets
(help is an alias for Get-help)
you can use -examples to show examples of the cmdlet you are getting help for in use.
use wildcards with Get-Help (ex. Get-Help user

Question 6

cmdlets

Answer 6

small commands used within PS; they are not stand alone executables

Question 7

cmdlets breakdown

Answer 7

object
verb-noun attribute additional info
PS C:> get-ChildItem -Path C:\Windows
cmdlet parameter argument

Question 8

more on Get

Answer 8

get is not the only verb available. use Get-Verb to display a list of verbs

Question 9

cmdlet parameters (switches)

Answer 9

used to identify additional object attributes
ex.
-name
-computername
-path
-examples

Question 10

cmdlet arguments

Answer 10

arguments define additional information associated with a parameter name.
arguments are not required.

Question 11

pipeline

Answer 11

piping refers to the process of passing the results of one cmdlet as input into a second cmdlet

Question 12

modules

Answer 12

packages of PS commands, consisting of cmdlets, functions, variables, and aliases

Question 13

logging

Answer 13

a way for the OS and its services and applications to record important actions, post status messages, and track security events

Question 14

auditpol

Answer 14

the command line tool that enables auditing

Question 15

auditing

Answer 15

auditing is the tracking of changes

Question 16

security audits (appear in security logs)

Answer 16

event: description:
POLICY CHANGE–changes to policies
OBJECT ACCESS–when an object is accessed that has a *SACL
PRIVILEGE USE–when a user exercises a user right or privilege
PROCESS TRACKING–tracks all processes (program activation, process exit, indirect object access
SYSTEM–computer security events such as restart, shutdown or clearing the event log
ACCOUNT MANAGEMENT–creation, deletion, or change of user account
LOGON–logon attempts
ACCOUNT LOGON–authentication events authenticated through the SAM or AD
DIRECTORY SERVICE ACCESS–when a user accesses a directory service object with a *SACL

Question 17

logs

Answer 17

application log-contains events logged by programs
system log-contains events logged by system components
security log-provides security event information

Question 18

logs location

Answer 18

5*-%SystemRoot%\system32\config

6*-%SystemRoot%\system32\winevt\logs

Question 19

additional domain logs

Answer 19

directory service log– contains events logged by Active directory

file replication service log– contains information about replication events

DNS server log– available when machine is configured as a DNS server

Question 20

configuration of logs

Answer 20

log size can be set in incraments of 64kb to 4 Gb
default is 512kb
NSA group policy object changed the defaults of the event viewer from 512kb in size to over 4GB and from 7 days retention to never overwriting itself. events must be cleared manually

Question 21

log intrepretation

Answer 21

the bottom of the log contains a summary

the top part of the log contains the description.

Question 22

log event summary info

Answer 22

logged
user
computer
event ID
source 
levels (error, warning, info, critical)
keywords (success audit, failed audit)
task category
Op Code

Question 23

levels and keywords chart

Answer 23

Keywords Levels
application classic error,critical,warning,info
system classic

security success/failure info

Question 24

windows registry

Answer 24

windows registry is a vast hierarchical repository of operating system (OS), hardware, applications, and user settings that is referred to as the heart and soul of the OS

Question 25

The registry is read during the following times:

Answer 25

boot process, application startup, user login

Question 26

regedit

Answer 26

primary tool for viewing and editing the registry

Question 27

registry format

Answer 27

the registry is structured in a directory-type format containing hives, keys, sub-keys, and values containing data.

Question 28

root keys

Answer 28

the windows registry consists of five root key hives; two master keys and three derived keys

Question 29

master keys

Answer 29

HKEY_USERS (HKU)

HKEY_LOCAL_MACHINE (HKLM)

Question 30

derived keys

Answer 30

HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU)
HKEY_CURRENT_CONFIG (HKCC)