Day 3 Flashcards

1
Q

Master Keys

A

hold everything that is persistently stored in the registry; the other root keys are views derived from them

HKU and HKLM

2
Q

HKEY_USERS (HKU)

A

contains one subkey per loaded user profile, named by that user's SID (plus a <SID>_Classes subkey for the user's file-association and COM data), as well as .DEFAULT and the SIDs of the built-in service accounts (S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE).
each profile's settings live in the NTUSER.DAT hive file in the user's profile directory and are loaded into HKU when the user logs on

3
Q

HKEY_LOCAL_MACHINE (HKLM)

A

HKLM contains the HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM sub-keys, each backed by a hive file in %SystemRoot%\System32\config (except HARDWARE, which is volatile). The BCD00000000 sub-key, the mounted Boot Configuration Data store, was introduced with Windows Vista (NT 6.0).

4
Q

HKLM sub-keys

A

HKLM\BCD00000000 contains the Boot Configuration Data store (the BCD file on the boot partition); present on Windows Vista (NT 6.0) and later
HKLM\HARDWARE volatile hive created at every boot that contains the hardware information provided by the firmware and Plug and Play enumeration (it has no hive file on disk)
HKLM\SAM contains the local account database, including password hashes
HKLM\SECURITY contains cached domain logons, the local security policy, and LSA secrets
HKLM\SOFTWARE contains a collection of sub-keys for installed components and programs, including the autostart keys
HKLM\SYSTEM contains the control sets (driver, service, and Control settings); CurrentControlSet is a link to the active one, and HKCC is derived from it

5
Q

HARDWARE subkey

A

volatile: rebuilt at every boot from what the firmware and Plug and Play enumeration report about the currently installed hardware; it is never written to a hive file

6
Q

SAM sub-key

A

contains the local account database: user and group accounts and their password hashes (NT hashes, encrypted with a key derived from the SYSTEM hive).

SAM subkeys: SAM\Domains\Account (local users, groups, and aliases) and SAM\Domains\Builtin (built-in groups such as Administrators). The key is ACL'd so that not even Administrators can read it through the registry API by default; it is read as SYSTEM or from an offline copy of the hive.

7
Q

SECURITY sub-key

A

the SECURITY sub-key contains cached domain logons, the local security policy, LSA secrets, special accounts, and the RXACT (registry transaction) package
the Cache subkey holds the domain cached credentials (DCC2/MSCache2 hashes on Vista and later) for the last 10 domain users who logged on interactively; the count is set by the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
the Policy subkey contains the local security policy for users, groups, and other components; Policy\Secrets holds the LSA secrets (service account passwords, the machine account password, the DPAPI system key), which is why this hive, like SAM, is readable only by SYSTEM

8
Q

SOFTWARE Sub-Key

A

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion describes the installed copy of Windows (ProductName, CurrentBuild, InstallDate); HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion holds per-component settings, including the autostart keys below. Both also exist under HKCU for per-user entries.
CurrentVersion\Run list of commands run at every logon (HKLM for all users, HKCU for that user only)
CurrentVersion\RunOnce runs each command once at the next logon; the value is deleted before the command runs, so it does not survive a failed start
CurrentVersion\RunServices and RunServicesOnce the equivalent for services on Windows 9x/Me; they are not processed on NT-based Windows
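As an added example (not part of the original deck), the check a practitioner runs against these keys: walk Run and RunOnce under HKLM, its 32-bit WOW6432Node view, and every loaded user hive under HKU, and flag commands whose image lives somewhere a standard user can write. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on 64-bit Windows; Get-RunEntry and Get-ImagePath are names chosen for this example.

```powershell
# Added example, not part of the original deck: enumerate Run/RunOnce autostart
# values for the machine hive and for every loaded user hive under HKU, and flag
# commands whose image is outside the Windows and Program Files directories.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7 on 64-bit Windows.

$runSubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view; only HKLM\SOFTWARE is redirected, so these exist under HKLM only
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# HKU is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Roots: HKLM plus each loaded profile hive (the S-1-5-21-... keys, minus the _Classes hives).
$roots = @('HKLM:') + @(Get-ChildItem HKU: |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

# Directories a standard user cannot write to. Anything else deserves a look.
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ImagePath([string]$command) {
    # Take the executable out of a Run command line: a quoted path, else the first token.
    $command = $command.Trim()
    if ($command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-RunEntry {
    foreach ($root in $roots) {
        $account = $root
        if ($root -like 'HKU:*') {
            # Translate the SID to an account name where the SID still resolves.
            $sid = $root.Split('\')[-1]
            try { $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $sid }
        }
        foreach ($sub in $runSubKeys) {
            $path = "$root\$sub"
            if (-not (Test-Path $path)) { continue }
            $props = Get-ItemProperty -Path $path
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
                $image = Get-ImagePath ([string]$prop.Value)
                # A bare name (rundll32.exe, cmd) resolves through PATH and is not trusted either.
                $trusted = [bool]($trustedDirs | Where-Object { $image -like "$_\*" })
                $flag = if ($trusted) { '' } else { 'outside Windows/Program Files' }
                [pscustomobject]@{
                    Account   = $account
                    Key       = $path
                    ValueName = $prop.Name
                    Command   = $prop.Value
                    Image     = $image
                    Flag      = $flag
                }
            }
        }
    }
}

Get-RunEntry | Sort-Object Flag -Descending | Format-Table Account, ValueName, Image, Flag -AutoSize -Wrap
```

The Flag column is a triage hint, not a verdict: software installed to a user's AppData (updaters, chat clients) will be flagged too, so the output is a list of entries to explain, not a list of malware. Hives of users who are not logged on are not loaded into HKU and need to be mounted with reg load to be covered.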

9
Q

SYSTEM Sub-Key

A

ControlSet001, ControlSet002, ... each one is a complete set of boot-time configuration: Control, Enum, Services, and Hardware Profiles
HKLM\SYSTEM\Select records which set is which: Current (the set booted), Default (the set used at the next boot), LastKnownGood (the last set that booted and reached a successful logon), and Failed
CurrentControlSet is a symbolic link to the set named by Select\Current (usually ControlSet001); the last known good set is the other one

10
Q

subkeys to the system subkeys

A

each ControlSetNNN subkey has the following subkeys:
Control, settings for booting and system initialization, with its own subkeys, e.g.:
  Lsa (Local Security Authority), LSA configuration: the authentication, notification, and security package lists (a known persistence point), plus values such as RunAsPPL and LmCompatibilityLevel
  Session Manager, settings for smss.exe and basic startup: BootExecute, KnownDLLs, PendingFileRenameOperations, the system environment variables
  TimeZoneInformation, the system time zone
  ProductOptions, the ProductType value (WinNT, ServerNT, LanmanNT) that tells Windows which edition is booted
Enum (a ControlSet subkey like Control), the root of the Plug and Play device tree, with one subkey per bus enumerator
  USB and USBSTOR record every USB device and USB mass-storage device that has been connected, keyed by vendor/product and instance ID (the device serial number where it reported one)
Services, one subkey per driver and service: image path, start type, and the account it runs as
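As an added example (not part of the original deck), the two lookups these cards describe, done the way a responder does them: resolve which ControlSetNNN key CurrentControlSet is a link to by reading HKLM\SYSTEM\Select, then list the USB mass-storage devices Plug and Play has recorded under Enum\USBSTOR in that set. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 7 or later; Get-ActiveControlSet and Get-UsbStorDevice are names chosen for this example.

```powershell
# Added example, not part of the original deck: resolve CurrentControlSet via
# HKLM\SYSTEM\Select, then enumerate Enum\USBSTOR in that control set.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7, Windows 7 or later.

function Get-ActiveControlSet {
    # Select\Current is a DWORD (1 means ControlSet001); CurrentControlSet is a link to it.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    $failed = if ($sel.Failed -eq 0) { '(none)' } else { 'ControlSet{0:D3}' -f $sel.Failed }
    [pscustomobject]@{
        Current       = 'ControlSet{0:D3}' -f $sel.Current
        Default       = 'ControlSet{0:D3}' -f $sel.Default
        LastKnownGood = 'ControlSet{0:D3}' -f $sel.LastKnownGood
        Failed        = $failed
    }
}

function Get-UsbStorDevice {
    $cs = (Get-ActiveControlSet).Current
    $usbstor = "HKLM:\SYSTEM\$cs\Enum\USBSTOR"
    if (-not (Test-Path $usbstor)) { return }
    # Layout: USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
    foreach ($class in Get-ChildItem $usbstor) {
        foreach ($inst in Get-ChildItem $class.PSPath) {
            $p  = Get-ItemProperty $inst.PSPath
            $id = $inst.PSChildName
            [pscustomobject]@{
                DeviceClass      = $class.PSChildName
                InstanceId       = $id
                # Windows generates the instance id when the device reports no serial
                # number; the tell-tale is an '&' as the second character.
                SerialFromDevice = ($id.Length -gt 1 -and $id[1] -ne '&')
                FriendlyName     = $p.FriendlyName
                Service          = $p.Service       # 'disk' for ordinary mass storage
                ContainerID      = $p.ContainerID
            }
        }
    }
}

Get-ActiveControlSet
Get-UsbStorDevice | Format-Table -AutoSize -Wrap
```

USBSTOR tells you which devices were ever connected, not when; first-connect and last-connect times come from the key last-write timestamps and the setupapi.dev.log, which PowerShell's registry provider does not expose and which need a forensic parser or an offline copy of the SYSTEM hive.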

11
Q

Derived Keys

A

views of the master keys rather than separate data: HKCR, HKCU, and HKCC are links to subkeys under HKLM and HKU, so writing through one writes the other

12
Q

HKEY_CLASSES_ROOT (HKCR)

A

used to associate file types with the programs that open them and to hold COM class registrations (CLSID).
merged from two keys: HKLM\SOFTWARE\Classes (machine-wide) and HKCU\Software\Classes (i.e. HKU\<SID>_Classes, per-user). When both define the same subkey the per-user entry wins, which is why a non-admin can hijack a file association or a COM class for their own account by writing under HKCU.
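As an added example (not part of the original deck), a hunt that follows directly from that precedence rule: list every CLSID the current user has registered under HKCU\Software\Classes that shadows a machine-wide CLSID, and show both in-process server paths side by side. It assumes Windows PowerShell 5.1 or later on Windows and needs no elevation; Get-ShadowedClsid is a name chosen for this example.

```powershell
# Added example, not part of the original deck: per-user COM registrations that
# shadow a machine-wide CLSID, the pattern behind per-user COM hijacking.
# Assumptions: Windows PowerShell 5.1 or later; read access only, no elevation.

function Get-ShadowedClsid {
    $userClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsid)) { return }
    foreach ($k in Get-ChildItem $userClsid) {
        $clsid = $k.PSChildName
        # The default value of InprocServer32 is the DLL COM will load for this class.
        $userServer    = (Get-ItemProperty "$userClsid\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $machineServer = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($userServer -and $machineServer) {
            [pscustomobject]@{
                CLSID         = $clsid
                UserServer    = $userServer     # what HKCR, and therefore COM, actually resolves to
                MachineServer = $machineServer  # what it would have loaded without the per-user key
            }
        }
    }
}

Get-ShadowedClsid | Format-Table -AutoSize -Wrap
```

Some legitimate per-user installers register classes this way, so each hit is something to explain rather than an alert on its own; a UserServer under a user-writable path (AppData, Temp) that replaces a Microsoft DLL is the strong signal. The 32-bit view (HKCU\Software\Classes\WOW6432Node\CLSID) has its own set and would need the same pass.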

13
Q

HKEY_CURRENT_USER (HKCU)

A

contains the profile settings of the interactively logged-on user. Whenever an interactive logon loads a profile, HKCU becomes a link to HKU\<SID> for that user.
Changes are written to that loaded hive as they are made, and the hive (NTUSER.DAT) is unloaded when the profile is unloaded at logoff. A process running as a service sees its own service account's hive (or .DEFAULT) as HKCU, not the interactive user's.

14
Q

HKEY_CURRENT_CONFIG (HKCC)

A

used to establish the current hardware configuration profile.
derived from HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Windows Vista (NT 6.0) and later no longer support multiple hardware profiles, so the key is largely vestigial.

15
Q

Registry values

A

keys contain values; each value consists of a name, a data type, and the data itself. Every key also has a nameless default value, shown as (Default).

16
Q

data types

A

REG_BINARY raw binary data, displayed in hex
REG_DWORD a 32-bit unsigned integer, displayed in hex or decimal
REG_QWORD a 64-bit integer, for values that do not fit in a DWORD
REG_SZ a single null-terminated string (not fixed length)
REG_EXPAND_SZ a string containing %VARIABLE% references that the reader expands when it uses the value
REG_MULTI_SZ an array of null-terminated strings, terminated by an extra null

17
Q

Command line registry manipulation

A

reg add adds a key, or a value with an explicit type (/t) and data (/d)
reg query displays a key's values (/v for one value, /s to recurse)
reg delete removes a key or a value
reg copy copies a key (and its subkeys with /s) to another path, locally or on a remote machine
reg save / reg restore / reg load / reg unload work with binary hive files; reg export / reg import work with .reg text files
on 64-bit Windows, /reg:32 and /reg:64 select which registry view the command sees
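As an added example (not part of the original deck) serving the data-type card, this card, and the SAM/SECURITY cards: round-trip one value of each common type with reg.exe, show the 32-bit versus 64-bit view of HKLM\SOFTWARE, and use reg save the way both responders and credential-dumping tooling do. It assumes an elevated PowerShell session on 64-bit Windows; HKLM\SOFTWARE\RegDemo is a throwaway key name chosen for this example.

```powershell
# Added example, not part of the original deck: reg.exe value types, registry
# views, and hive export. Assumptions: elevated PowerShell on 64-bit Windows;
# HKLM\SOFTWARE\RegDemo is a throwaway key invented for this example.

$key = 'HKLM\SOFTWARE\RegDemo'

# One value of each type. /f overwrites without prompting.
reg add $key /v Str    /t REG_SZ        /d 'plain text'            /f
reg add $key /v Expand /t REG_EXPAND_SZ /d '%SystemRoot%\System32' /f   # stored unexpanded; PowerShell does not expand %..%
reg add $key /v Dword  /t REG_DWORD     /d 0x1F                    /f   # 32-bit unsigned; hex or decimal accepted
reg add $key /v Qword  /t REG_QWORD     /d 4294967296              /f   # 64-bit; this value does not fit in a DWORD
reg add $key /v Multi  /t REG_MULTI_SZ  /d 'first\0second\0third'  /f   # \0 is the default separator
reg add $key /v Bin    /t REG_BINARY    /d 4D5A9000                /f   # hex byte string

reg query $key               # every value with its type
reg query $key /v Expand     # a single value, printed as stored

# 64-bit Windows keeps a separate 32-bit view of HKLM\SOFTWARE (WOW6432Node).
# /reg:32 and /reg:64 pick the view explicitly, regardless of the caller's bitness.
reg add $key /v View /t REG_SZ /d 'written to the 32-bit view' /f /reg:32
reg query $key /v View /reg:32                             # found
reg query $key /v View /reg:64                             # error: not in the 64-bit view
reg query 'HKLM\SOFTWARE\WOW6432Node\RegDemo' /v View      # same data by its physical path

# reg save writes a binary hive that offline tools can parse. Saving SAM, SECURITY
# and SYSTEM together is exactly what credential-dumping tooling does (the SYSTEM
# hive supplies the key that protects the hashes), so "reg.exe save" with these
# arguments is a cheap, high-signal detection when it is not your own responder.
reg save HKLM\SYSTEM   "$env:TEMP\system.hiv"   /y
reg save HKLM\SECURITY "$env:TEMP\security.hiv" /y
reg save HKLM\SAM      "$env:TEMP\sam.hiv"      /y

# Clean up both views and the exported hives.
reg delete $key /f /reg:64
reg delete $key /f /reg:32
Remove-Item "$env:TEMP\system.hiv", "$env:TEMP\security.hiv", "$env:TEMP\sam.hiv" -ErrorAction SilentlyContinue
```

Run from cmd.exe rather than PowerShell, the %SystemRoot% in the REG_EXPAND_SZ line would be expanded by the shell before reg.exe saw it; quote it as ^%SystemRoot^% there, or write the value with PowerShell's single quotes as above.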

18
Q

windows architecture

A

Windows OS architecture was developed with very clear design goals: extensibility, portability, reliability, security, compatibility, performance

19
Q

extensibility

A

meet ever-changing market demands

20
Q

portability

A

adaptable for innovations and new technologies

21
Q

reliability

A

protect itself from internal malfunctions and faulty applications

22
Q

security

A

meet government and industry requirements for system security

23
Q

compatibility

A

provide extended legacy support and integration with other systems

24
Q

performance

A

fast and responsive

25
Q

Kernel Mode (Ring 0)

A

Most privileged ring.
closest to hardware
privileged to perform almost any action
access to all system memory and entire CPU instruction set

26
Q

User Mode (Ring 3)

A

closest to user
user applications
OS interface and system software
greatly limited in permission and authority

27
Q

session manager (smss.exe)

A
  • smss.exe is started by the System process during boot. smss.exe is responsible for:
  • creating the system-wide environment variables
  • initializing the paging file (pagefile.sys)
  • loading the remaining HKLM hives (SOFTWARE, SAM, SECURITY)
  • starting the session 0 subsystem process (csrss.exe) and loading the kernel-mode part of the subsystem (win32k.sys)
  • starting the Windows initialization process (wininit.exe); only the session 0 instance of the session manager starts it
  • the master session manager then launches a copy of itself for session 1
  • the session 1 session manager (smss.exe) starts the subsystem for session 1 (csrss.exe and win32k.sys)
  • the session 1 session manager then starts winlogon.exe for session 1
  • the session 1 session manager then exits, which is why csrss.exe and winlogon.exe show a parent PID that no longer exists
28
Q

csrss.exe

A

the user-mode Windows subsystem process (Client/Server Runtime Subsystem); one instance runs per session. It keeps the subsystem's process and thread bookkeeping, handles side-by-side support and shutdown, and on Windows versions before 7 it also hosted console windows. The subsystem DLLs themselves (kernel32, user32, ...) are loaded into each Windows application, not into csrss.exe.

29
Q

subsystem DLLs containing the documented Windows API functions

loaded into every Windows application; they call into ntdll.dll, win32k.sys, or csrss.exe as needed

A

kernel32.dll contains the base services: process and thread creation, file I/O, memory, synchronization
user32.dll contains window management, user input, and window messaging
gdi32.dll the user-mode half of the Graphics Device Interface that lets applications draw
advapi32.dll advanced API services: registry, service control, security, and event log functions; still present, but much of its implementation moved in 6.1
KERNELBASE.dll introduced with Windows 7 (NT 6.1); holds implementations that used to live inside kernel32 and advapi32, which now forward to it through API sets

30
Q

win32k.sys

A

the kernel-mode part of the Windows subsystem, implemented as a device driver.

implements the window manager (USER) and GDI inside the kernel; user32.dll and gdi32.dll issue system calls into it. Its large, historically bug-prone attack surface is why win32k system calls can be blocked per process (the win32k lockdown mitigation used by browser sandboxes).

31
Q

conhost.exe

A

the console host. Before Windows 7, console windows were drawn by csrss.exe, which runs as SYSTEM and accepted window messages from user programs, so a flaw in that path meant privilege escalation. conhost.exe runs at the console application's own privilege level and handles the message traffic, with csrss.exe only brokering between the two.

32
Q

wininit.exe

A

started by the session 0 instance of the session manager. It starts:
Service Control Manager (SCM) (services.exe)
Local Security Authority Subsystem (LSA) (lsass.exe)
Local Session Manager (LSM) (lsm.exe on Vista and Windows 7; from Windows 8 it is a service hosted in svchost.exe)

33
Q

SCM (services.exe)

A

responsible for starting, stopping, and tracking services (for example the DHCP Client and DNS Client services) and drivers, from the entries under HKLM\SYSTEM\CurrentControlSet\Services; every service process it starts has services.exe as its parent

34
Q

LSA (lsass.exe)

A

uses authentication packages (MSV1_0 for local and NTLM logons, Kerberos for domain logons) to verify user credentials for local and domain logins and to issue access tokens.
The SAM server runs inside lsass.exe as samsrv.dll; samlib.dll is the client-side library callers use to talk to it. Because lsass.exe holds credential material in memory it is the target of credential dumping; LSA Protection (RunAsPPL) and Credential Guard exist to limit that.

35
Q

LSM (lsm.exe)

A

manages the state of sessions on the local system.
communicates with Winlogon and csrss.exe
logon and logoff
session connects and disconnects
desktop locks/unlocks.
notifies the csrss.exe of session connections and terminations

36
Q

Winlogon (winlogon.exe)

A

handles interactive user logons and logoffs, the secure desktop, and locking the workstation.

Secure Attention Sequence (SAS): CTRL+ALT+DEL is registered by winlogon.exe as a system hotkey that only it receives, so no user-mode program can fake the logon prompt and capture the keystrokes

37
Q

logonui.exe

A

the logon UI process started by winlogon.exe. It hosts the credential providers that display the logon screen and collect credentials, which winlogon.exe then passes to lsass.exe for authentication.
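As an added example (not part of the original deck), the detection that falls out of the boot and logon chain on the cards above (smss to csrss/wininit/winlogon, wininit to services/lsass, services to svchost): check that each of those processes has the parent, session, and image path it should. Because the session-1 smss.exe exits after spawning its children, a parent PID that no longer exists is normal; a live parent with the wrong name is what matters. It assumes Windows 7 / Server 2008 R2 or later and an elevated session so that ExecutablePath is readable for SYSTEM processes; Test-ProcessLineage is a name chosen for this example.

```powershell
# Added example, not part of the original deck: verify the parent, session and
# image path of the core boot/logon processes against the expected chain.
# Assumptions: Windows 7 / Server 2008 R2 or later; elevated for ExecutablePath.

function Test-ProcessLineage {
    $procs = @(Get-CimInstance Win32_Process |
        Select-Object Name, ProcessId, ParentProcessId, SessionId, ExecutablePath, CreationDate)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $expectedParent = @{
        'csrss.exe'    = 'smss.exe'
        'wininit.exe'  = 'smss.exe'
        'winlogon.exe' = 'smss.exe'
        'services.exe' = 'wininit.exe'
        'lsass.exe'    = 'wininit.exe'
        'svchost.exe'  = 'services.exe'
    }
    $session0Only = 'wininit.exe', 'services.exe', 'lsass.exe'
    $system32 = Join-Path $env:SystemRoot 'System32'

    $findings = @(foreach ($p in $procs) {
        $name = $p.Name.ToLower()
        if (-not $expectedParent.ContainsKey($name)) { continue }
        $issues = @()

        $parent = $byPid[[int]$p.ParentProcessId]
        # A "parent" that started after the child means the PID was reused: the real parent exited.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
        if ($parent -and $parent.Name.ToLower() -ne $expectedParent[$name]) {
            $issues += "parent is $($parent.Name) (PID $($parent.ProcessId)), expected $($expectedParent[$name])"
        }
        if ($name -in $session0Only -and $p.SessionId -ne 0) {
            $issues += "running in session $($p.SessionId), expected session 0"
        }
        if ($p.ExecutablePath -and -not $p.ExecutablePath.StartsWith($system32 + '\', 'OrdinalIgnoreCase')) {
            $issues += "image outside System32: $($p.ExecutablePath)"
        }
        if ($issues.Count) {
            [pscustomobject]@{ Name = $p.Name; PID = $p.ProcessId; Issue = ($issues -join '; ') }
        }
    })

    # Exactly one lsass.exe should exist; a second one is a classic masquerade.
    $lsass = @($procs | Where-Object { $_.Name -ieq 'lsass.exe' }).Count
    if ($lsass -ne 1) {
        $findings += [pscustomobject]@{ Name = 'lsass.exe'; PID = '-'; Issue = "$lsass instances running" }
    }
    return $findings
}

$result = Test-ProcessLineage
if ($result) { $result | Format-Table -AutoSize -Wrap } else { 'No lineage anomalies found.' }
```

Name checks are deliberately exact and case-insensitive, so "lsass.exe" spelled with a capital I, or "svch0st.exe", simply fails the lookup and never gets the benefit of an expected parent; extend the table with a name-similarity check if you want those surfaced explicitly. The session check is not applied to svchost.exe because some service groups legitimately run in the user session.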

38
Q

native API (ntdll.dll)

A

contains internal support functions used by the subsystem DLLs and serves as the dispatch point into the Windows executive.
When a subsystem function needs a kernel-mode service, ntdll.dll issues the actual system call (SYSCALL/SYSENTER), which transfers control to the system call handler in the kernel. Applications rarely call ntdll.dll directly, but malware and EDR evasion tooling do, to bypass hooks placed on the higher-level subsystem DLLs.

39
Q

applications

A

user applications do not call system services directly; they rely on the API functions in the subsystem DLLs, which in turn go through ntdll.dll

40
Q

task manager (taskmgr.exe)

A

a built in windows tool used to view and manage active processes

41
Q

explorer (explorer.exe)

A

the windows user interface

our desktop!

42
Q

windows 32 on windows64 (wow64)

A

WOW64 is the compatibility layer that lets 32-bit applications run on 64-bit Windows. On x64 it is not an emulator: the CPU executes the x86 code natively in compatibility mode, and WOW64 only translates the application's 32-bit system calls into 64-bit ones (on ARM64 it does emulate x86).

43
Q

redirecting DLL’s

A

wow64.dll the core of the layer: translates (thunks) the 32-bit Nt* system calls into their 64-bit equivalents and handles exception dispatch
wow64cpu.dll the CPU-specific part: manages the switch between 32-bit and 64-bit execution modes
wow64win.dll thunks the GUI system calls that go to win32k.sys
(all three are 64-bit DLLs that live in \Windows\System32 and are loaded into each 32-bit process alongside a 64-bit ntdll.dll)

44
Q

for 32-bit applications, WOW64 redirects file system and registry access: opens of \Windows\System32 are redirected to \Windows\SysWOW64 (with the virtual \Windows\Sysnative directory as the escape hatch), and HKLM\SOFTWARE access is redirected to HKLM\SOFTWARE\WOW6432Node. 32-bit programs are installed under \Program Files (x86).

A

64-bit location                          32-bit location (seen under WOW64)
\Program Files                           \Program Files (x86)
  third-party 64-bit images                third-party 32-bit images
\Windows\System32                        \Windows\SysWOW64
  built-in 64-bit images and DLLs          32-bit copies of the built-in images and DLLs
  (e.g. cmd.exe), including the            (e.g. a 32-bit cmd.exe and ntdll.dll)
  64-bit WOW64 DLLs themselves
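As an added example (not part of the original deck), a way to see both redirections from inside a process and to read around them. Run it from 64-bit PowerShell and again from the 32-bit host at $env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe and compare the two outputs. It assumes 64-bit Windows with Windows PowerShell 5.1 or later; Get-PeMachine and Read-RegistryBothViews are names chosen for this example.

```powershell
# Added example, not part of the original deck: observe WOW64 file-system and
# registry redirection from inside a process, and bypass each explicitly.
# Assumptions: 64-bit Windows, Windows PowerShell 5.1 or later.

function Get-PeMachine([string]$path) {
    # IMAGE_FILE_HEADER.Machine sits 4 bytes after the 'PE\0\0' signature, whose
    # offset is the DWORD at 0x3C of the DOS header.
    $bytes    = [System.IO.File]::ReadAllBytes($path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'ARM64' }
        default { '0x{0:X4}' -f $machine }
    }
}

function Read-RegistryBothViews([string]$subKey, [string]$valueName) {
    # RegistryView lets any process, 32- or 64-bit, choose the view explicitly,
    # which is how code escapes WOW6432Node redirection without a shell trick.
    foreach ($view in 'Registry32', 'Registry64') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($subKey)
        $data = if ($key) { $key.GetValue($valueName) } else { $null }
        if ($key) { $key.Close() }
        $base.Close()
        [pscustomobject]@{ View = $view; Value = $data }
    }
}

"Process is 64-bit: $([Environment]::Is64BitProcess)"

# File system redirection: a 32-bit process asking for System32 is handed SysWOW64.
# The virtual 'Sysnative' directory exists only for 32-bit processes and bypasses that.
$sys32  = Join-Path $env:SystemRoot 'System32\cmd.exe'
$native = Join-Path $env:SystemRoot 'Sysnative\cmd.exe'
"System32\cmd.exe as seen by this process: $(Get-PeMachine $sys32)"
if (Test-Path $native) { "Sysnative\cmd.exe: $(Get-PeMachine $native)" }
else { 'Sysnative is not visible; this process is already 64-bit' }

# Registry redirection: the same CurrentVersion key holds different data in each view.
Read-RegistryBothViews 'SOFTWARE\Microsoft\Windows\CurrentVersion' 'ProgramFilesDir' | Format-Table -AutoSize
```

From the 32-bit host, System32\cmd.exe reports x86 (it is really SysWOW64\cmd.exe) and Sysnative\cmd.exe reports x64; from the 64-bit host, System32\cmd.exe is x64 and Sysnative does not exist. The registry call shows C:\Program Files (x86) in the 32-bit view and C:\Program Files in the 64-bit view regardless of which host runs it, which is the point: tooling that hunts the registry must query both views or it misses whatever a 32-bit installer wrote.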