Day 5

Question 1

windows boot process

Answer 1

pre-boot, boot, kernel initialization, user mode startup

Question 2

pre-boot

Answer 2

the BIOS/UEFI loads from firmware and perform preboot sequences.
*UEFI replaces BIOS and allows Windows to install bootladers directly form firmware

Question 3

boot

Answer 3

Windows 6* uses bootmgr as a 2nd stage boot loader.
begins execution in real-mode
once loaded, bootmgr switches to protected mode.
reads the boot configuration database (BCD)

Question 4

BCD (boot cont)

Answer 4

used to identify the disk controller, disk, and partition location of the OS

Question 5

boot cont.

Answer 5

after reading the BCD…

bootmgr starts winload.exe process

Question 6

winload.exe (boot cont)

Answer 6

queries firmware to gather a list of installed hardware
Loads ntoskrnl.exe and hal.dll
scans drivers for start value of (oxo)

Question 7

kernel initialization

Answer 7

begins once winload.exe has completed starting boot drivers.
executive managers create their initial objects, type objects and management mechanisms.
Ntdll.dll is mapped into the ntoskrnl.exe address space.
Creates hardware registry key.
Scans services registry for drivers with start value of 0x1).
Starts smss.exe (0) process

Question 8

entire boot process

Answer 8

refer to page 71 and loose leaf page.

Question 9

windows services

Answer 9

services do not depend on a user and are intended to provide OS features like DHCP, DNS, FTP, etc

Question 10

ways in which windows services differ from ordinary applications

Answer 10

services run in the background and are not tied to an interactive user.
services do not have a user interface and do not interact with users.
services on 6* architectures run mostly in session 0
services may be configured to auto-start at boot

Question 11

windows services consist of:

Answer 11

service applications, service control programs, SCM

Question 12

service applications

Answer 12

the services themselves!

svchost.exe processes are generic hosts for DLL services.

Question 13

service control programs (SCPs)

Answer 13

programs used to communicate desired service configuration changes to the SCM.
most common is services.msc

Question 14

SCM

Answer 14

manages windows services.
starts, stops, and interacts with all system services.
(services.exe)

Question 15

service properties

Answer 15

viewed through services.msc.
general tab:
services name:name as it appears in the registry
display name: services common name
path: file path to process
startup type: automatic, manual, or disabled

log on tab identifies the service account:
local system
local service
network service

Question 16

service registry keys

Answer 16

sub keys contain start, type, and error control values

Question 17

start value

Answer 17

indicates when and how drivers and/or services are started.
0x0 boot
0x1 system
0x2 automatic
0x3 manual
0x4 disabled

Question 18

delayed autostart

Answer 18

may be enabled with a 0x1 or disabled with a 0x0 and used in combination with start value of 0x2

Question 19

type value

Answer 19

indicates whether the service executes in its own process or shares other services:
0x10 in a process by itself
0x20 shares a process

Question 20

error control value

Answer 20

specifies severity of error if the service or driver fails to start.
what the system does if there is an error

Question 21

command line scp’s

Answer 21

psservice.exe, sc.exe, net start and net stop

Question 22

psservice.exe

Answer 22

an SCP from the sysinternals suite (not built in) and works locally and remotely

Question 23

sc.exe

Answer 23

a built in scp that works locally and remotely

Question 24

net start and net stop

Answer 24

built in scp that only works locally

Question 25

local log in

Answer 25

refer to page 77 for local log in steps

Question 26

Lan Manager (LM)

Answer 26

uses DES hashing
passwords are convert to capital and either padded or reduced to 14 characters.
divided into two, 7 character hashes
does not support time stamps

Question 27

NTLMv1

Answer 27

uses MD4 hashing algorithm
supports 127 alphanumeric characters
128 bit encryption
does not use time stamps

Question 28

NTLMv2

Answer 28

uses MD5 hashing algorithm
supports 127 alphanumeric characters
128 bit encryption
uses time stamps

Question 29

network login

Answer 29

when accessing a remote system, the LSA on a user’s workstation uses current credentials in an attempt to establish identity with the LSA of the remote system. if these credentials do not match, credentials that exist in the remote system’s SAM must be provided to gain access.