04 Flashcards
(37 cards)
___________ Used by winlogon.exe to start the user’s desktop process. (process name)
Userinit.exe
____________ Started by winlogon.exe to retrieve user credentials. (Process name)
Logonui.exe
____________ contains a SID sub-key for all loaded user profiles
(registry keys)
HKU User
____________ contains specific information about the hardware, software, and preferences for all users who log into the system
(registry keys)
HKLM Local Machine
____________ contains user profile environment settings of the interactively logged on user
(registry keys)
HKCU
___________ is used to establish the current hardware configuration
(registry keys)
HKCC
___________ is used to associate file types with programs that are used to open them. (registry keys)
HKCR
Which of the following are HKLM subkeys?
BCD000000000
Hardware
SAM
SECURITY
NTUSER
APPEVENTS
SYSTEM
SOFTWARE
NTDS
SERVICE
BCD000000000
Hardware
SAM
SECURITY
SYSTEM
SOFTWARE
__________ uses user authentication packages to perform user credential verification
Lsass.exe
The hypervisor context of kernel mode in the lower section is there to increase security. T/F?
True
____________ is the lower section of kernel mode, where the Hyper-V hypervisor executes, providing a security buffer between the hardware and the actual kernel of the OS
Kernel Mode (Hypervisor Context)
___________ is the kernel process. When executed during the boot sequence, it provides the kernel and executive functions within kernel mode.
__________ and ___________ run in the context of this
ntoskrnl.exe
Hardware Abstraction and Native API DLLs
___________ is a kernel-loadable module that operates between the hardware and the Windows executive so that applications and device drivers do not have to be aware of hardware-specific information
HAL
The ________ is the lower layer of ntoskrnl.exe and provides fundamental mechanisms used by the executive components and low-level hardware architecture support
Kernel
What are the kernel's four main responsibilities?
Thread Scheduling
Interrupt and Exception Handling
Low-level processor synchronization
Power failure recovery
The ____________ is the upper layer of ntoskrnl.exe and is the Windows system call handler that verifies and provides kernel services
Executive
___________ provides standardized interface for every system object
___________ enforces local security policy
____________ creates, manages, and terminates processes and threads
____________ provides private address space for each process
____________ processes all file and I/O requests; responsible for dispatching to device drivers as well as plug and play capabilities
___________ passes messages between client and server processes on the same computer
___________ responsible for implementing and managing the registry
Object Manager
Security Reference Monitor
Process Manager
Virtual memory manager
I/O manager
Asynchronous Local Inter-Process Communication
Configuration Manager
Object criteria
- C
- H
- P
- D
- SS
Each object belongs to a statically defined class. A few object classes are file, key, process, and thread
A process references objects via handles and must own a handle to an object before its threads use the object
Objects use pointers to reference and use other objects within kernel mode
Objects use hierarchical directories and naming structures in order to distinguish one object from another, query objects, and provide a way for processes to share objects.
Objects are protected by object-based security and support synchronization
The Object header stores data and is used by the _____________ to manage objects regardless of their type or class
The _________________ is responsible for the object body
Object manager
Executive manager responsible for whatever data type is in the body
Object header attributes
_____________ Makes an object visible to other processes for sharing
____________ determines who can use the object and what they can do with it
___________ counts the number of open handles to the object
___________ points to a type object that contains attributes common to objects of this type
_________ counts the number of times a kernel mode component has referenced the address of the object via a pointer
Object Name
Security Descriptor
Open Handle Count
Object Type
Reference Count
What are the two phases of object retention and their steps?
Name Retention
When the handle count hits zero, the name is deleted from the global namespace
Object Deletion
When the reference count hits zero the object is released; when both the reference count and the handle count hit zero the object is deleted
Where does the security descriptor source its information from? (3 things)
Default information depending on OS version and policies
Inherited from a parent object
Explicit permissions set by the user (ACL)
What are the two types of ACLs in the security descriptor and how are they described?
DACL
- empty DACL - no one can access it
- null DACL - anyone can access it
SACL controls how system audits object access attempts
The ______ enforces security policies, guarding kernel mode resources by performing object access protection and auditing
SRM (Security Reference Monitor)