Windows Fundamentals Flashcards
What is the file system used in modern versions of Windows?
NTFS, New Technology File System
Alternate Data Streams
File attribute specific to NTFS. Allows files to have more than one stream of data.
For example when you download a file from the internet there are identifiers written to ADS to identify it as a download.
Bad actors sometimes use ADS to hide data
In Windows, what folder holds the important files that are critical for the operating system?
System32
Where are user profiles kept in Windows?
C:\Users
Example- C:\Users\Dylan
What Windows feature prevents operations requiring higher-level privileges from executing without confirmation from the local admin?
UAC, User Account Control
System process- what is it, what is its file name?
System is responsible for the system memory and compressed memory in the NT kernel.
File name is ntoskrnl.exe
smss.exe
Windows Session Manager, responsible for creating new sessions
What should be the parent process for smss.exe?
System
What does smss.exe start in Session 0?
An isolated Windows session for the operating system, with two processes:
csrss.exe
wininit.exe
What does smss.exe start in Session 1?
The user session, with two processes:
csrss.exe
winlogon.exe
csrss.exe
Client Server Runtime Process
The user-mode side of the Windows subsystem. This process is always running and is critical to system operation.
What should csrss.exe show for a parent process?
It shouldn’t. csrss.exe is started by smss.exe which then self-terminates, so it will show as “non-existent process”
wininit.exe
Another critical Windows process that runs in the background, along with its child processes.
Responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe within Session 0.
What should wininit.exe show for a parent process?
It shouldn’t. wininit.exe is started by smss.exe which then self-terminates, so it will show as “non-existent process”
services.exe
Service Control Manager (SCM)
Primary responsibility is to handle system services: loading services, interacting with services and starting or ending services.
It maintains a database that can be queried using a Windows built-in utility, sc.exe.
What should services.exe show for a parent process?
wininit.exe
How many instances of services.exe should be running on a Windows system?
1
svchost.exe
Responsible for hosting and managing Windows services
How many instances of svchost.exe should be running on a Windows system?
There can be many.
Since svchost.exe will always have multiple running processes on any Windows system, this process has been a target for malicious use. Adversaries create malware to masquerade as this process and try to hide amongst the legitimate svchost.exe processes.
What parameter should svchost.exe always use to call upon
-k
What should svchost.exe show for a parent process?
services.exe
lsass.exe
Local Security Authority Subsystem Service
Responsible for enforcing the security policy on the system.
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.
How many instances of lsass.exe should be running on a Windows system?
1
What should lsass.exe show for a parent process?
wininit.exe
winlogon.exe
Windows Logon
Responsible for handling the Secure Attention Sequence (SAS)- the CTRL+ALT+DEL combo
This process is also responsible for loading the user profile, locking the screen and running the user’s screensaver.
What should winlogon.exe show for a parent process?
It shouldn’t. winlogon.exe is started by smss.exe which then self-terminates, so it will show as “non-existent process”
explorer.exe
Windows Explorer
The process that manages the Desktop. This process gives the user access to their folders and files. It also provides functionality for other features, such as the Start Menu and Taskbar.
What should explorer.exe show for a parent process?
It shouldn’t. explorer.exe is started by userinit.exe which then self-terminates, so it will show as “non-existent process”
What would be particularly concerning behavior for explorer.exe?
Seeing outbound TCP/IP connections
What are some things to look for with any of the core Windows processes to ensure they are legitimate?
The file path- typically C:\Windows\System32
The parent process- most should have a specific parent process or none listed at all
The number of instances- some should only have one
The spelling of process names- hackers may try to masquerade as a process and use a close but not accurately spelled name
Sysinternals
A compilation of over 70+ Windows-based tools. Includes File and Disk Utilities, Networking Utilities, Process Utilities, Security Utilities, System Information, etc
PsExec
Lightweight replacement for Telnet that allows remote process execution on another system.
This can be utilized by adversaries
Get-WinEvent
One of three primary methods of accessing event logs on a Windows system. This one is a Powershell cmdlet.
DLL
A DLL file, short for Dynamic Link Library, is a library that contains code and data that can be used by more than one program at the same time.
For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box. It helps promote code reuse and efficient memory usage.
Shadow Copies
Used to create manual and automatic backups of files and drives
Threat actors may target these to prevent restoration of encrypted files during a ransomware attack
What is the difference between Program Files and Program Files (x86)?
Program Files- 64 bit Windows programs
Program Files (x86)- 32 bit Windows programs
