Windows Fundamentals Flashcards
What is the file system used in modern versions of Windows?
NTFS, New Technology File System
Alternate Data Streams
File attribute specific to NTFS. Allows files to have more than one stream of data.
For example, when you download a file from the internet, identifiers are written to an ADS to mark it as a download.
Bad actors sometimes use ADS to hide data.
In Windows, what folder holds the important files that are critical for the operating system?
System32
Where are user profiles kept in Windows?
C:\Users
Example- C:\Users\Dylan
What Windows feature prevents operations requiring higher-level privileges from executing without confirmation from the local admin?
UAC, User Account Control
System process: what is it, and what is its file name?
System is responsible for the system memory and compressed memory in the NT kernel.
File name is ntoskrnl.exe
smss.exe
Windows Session Manager, responsible for creating new sessions
What should be the parent process for smss.exe?
System
What does smss.exe start in Session 0?
An isolated Windows session for the operating system, with two processes:
csrss.exe
wininit.exe
What does smss.exe start in Session 1?
The user session, with two processes:
csrss.exe
winlogon.exe
csrss.exe
Client Server Runtime Process
The user-mode side of the Windows subsystem. This process is always running and is critical to system operation.
What should csrss.exe show for a parent process?
It shouldn’t. csrss.exe is started by smss.exe, which then self-terminates, so it will show as a “non-existent process”.
wininit.exe
Another critical Windows process that runs in the background, along with its child processes.
Responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe within Session 0.
What should wininit.exe show for a parent process?
It shouldn’t. wininit.exe is started by smss.exe, which then self-terminates, so it will show as a “non-existent process”.
services.exe
Service Control Manager (SCM)
Its primary responsibility is to handle system services: loading services, interacting with services, and starting or ending services.
It maintains a database that can be queried using a Windows built-in utility, sc.exe.
What should services.exe show for a parent process?
wininit.exe
How many instances of services.exe should be running on a Windows system?
1
svchost.exe
Responsible for hosting and managing Windows services
How many instances of svchost.exe should be running on a Windows system?
There can be many.
Since svchost.exe will always have multiple running processes on any Windows system, this process has been a target for malicious use. Adversaries create malware to masquerade as this process and try to hide amongst the legitimate svchost.exe processes.
What command-line parameter should svchost.exe always be launched with?
-k
What should svchost.exe show for a parent process?
services.exe
lsass.exe
Local Security Authority Subsystem Service
Responsible for enforcing the security policy on the system.
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.
How many instances of lsass.exe should be running on a Windows system?
1
What should lsass.exe show for a parent process?
wininit.exe