1-Windows Block Test

Question 1

Kernel

Answer 1

Heart of the OS
Fast and simple operations
Handles low level tasks such as hardware and thread management

Question 2

Processor

Answer 2

Brain of computer
Runs in two modes: User and Kernel

Question 3

User Mode (Processor)

Answer 3

Unprivileged/Restricted
Own private virtual address space
Isolates app to prevent alteration of outside data

Question 4

Kernel Mode (Processor)

Answer 4

Privileged/Unrestricted
Shares address space
Can overwrite other programs and compromise system

Question 5

Drivers

Answer 5

Software that enables communication between OS and hardware
Can communicate directly with hardware, or with lower level drivers
Come in two types: User mode and kernel mode
Three levels: High, intermediate, and low
Three categories: Software, Bus, and Device

Question 6

User Mode (Driver)

Answer 6

Interface between apps and kernel-mode drivers or other OS components

Question 7

Kernel Mode (Driver)

Answer 7

Interface with hardware, I/O, thread management, etc.

Question 8

High Level (Driver)

Answer 8

Always depend on low level drivers
Ex: File system drivers

Question 9

Intermediate Level (Driver)

Answer 9

Always depend on low level drivers
Divided into 3 categories: Function, Filter, and Software Bus

Question 10

Low Level (Drivers)

Answer 10

Controls bus in which hardware is connected
Does NOT depend on low level drivers
Ex: PCI bus drivers

Question 11

Function Drivers

Answer 11

Intermediate Level
Handles reads/writes to a device
Typically created by device manufacturer and are required
Provides operational interface for device

Question 12

Filter Drivers

Answer 12

Intermediate Level
Optional drivers
Provide additional functionality
Communicates with other filter or function drivers

Question 13

Software Bus Drivers

Answer 13

Intermediate Level
Provides interface for high level drivers to attach to a set of child devices

Question 14

Software Driver

Answer 14

Always runs in kernel mode
Not associated with hardware device
Created to gain access to data accessible only to the kernel

Question 15

Bus Driver

Answer 15

Always runs in kernel mode
Ex: PCI bus, USB bus
Provides communication to several devices sharing a bus

Question 16

Device Driver

Answer 16

Can run in kernel or user mode
Drivers necessary for the OS to communicate with an attached device

Question 17

Boot Phases

Answer 17

BIOS Phase (Preboot)
Boot Loader Phase
Kernel Phase

Question 18

BIOS Phase (Boot process)

Answer 18

UEFI performs POST
MBR read in (IDs where system partition is)
runs bootmgr file

Question 19

Boot Loader Phase (Boot process)

Answer 19

Windows Boot Manager launched (Reads in BCD to HKLM\BCD00000000
Windows Boot Loader launched (Starts Winload.exe)
Boot Manager and Loader load Kernel into memory

Question 20

Kernel Phase (Boot process)

Answer 20

Loads registry and drivers marked as "BOOT_START"
Launches Session Manager (smss.exe)
User session processes launched
Launch Services
Winlogon.exe (logon screen)
User session created

Question 21

FAT and NTFS

Answer 21

Two Windows file systems

Question 22

FAT

Answer 22

File Allocation Table
MS-DOS to Windows ME
Does not support file compression or encryption

Question 23

FAT16

Answer 23

Drives up to 16GB; max file size 2GB

Question 24

FAT32

Answer 24

Drives up to 16TB; max file size 4GB

Question 25

exFAT

Answer 25

Drives up to 512TiB - 64ZiB; max file size approx 128 PiB

Question 26

NTFS

Answer 26

New Technology File System
Win NT to Win 10
Drive size up to just under 16EB, max volume size 256TB
Supports EFS (Encrypting File System)
Supports User/Group permissions
Uses change log tracking system changes
Supports VSS (Volume Shadow Copy Service) - Backs up files currently on the system
Dynamically remaps corrupt sectors so the system doesn't use them

Question 27

NTFS Permission Types

Answer 27

NTFS Permissions and Share Permissions

Question 28

NTFS Permissions

Answer 28

Basic Permissions: Read, Read and Execute, Write, Modify, List Contents, Full Control

Advanced Permissions available for more granular control

Can be inherited

Question 29

Share Permissions

Answer 29

Less granular control
Full Control, Change, Read
Only applies to files on network share

Question 30

File Permission Priorities

Answer 30

Local Files use only NTFS permissions
Remote files use NTFS AND Share permissions (Most restrictive applied first)
User permissions are cumulative with group permissions

Question 31

Inherited vs Explicit Permissions

Answer 31

Inherited: Inherited from parent folder
Explicit: Assigned directly to file/folder. Take precedence over inherited permissions

Explicit Deny > Explicit Allow > Inherited Deny > Inherited Allow

Question 32

Copy within NTFS partition

Answer 32

Creates NEW FILE, inherits permissions of target folder

Question 33

Moving across NTFS partition

Answer 33

Creates NEW FILE and deletes old one, inherits target folder permissions

Question 34

Moving within NTFS Partition

Answer 34

Does NOT create new file, updatets location in directory and keeps original permissions

Question 35

Moving/copying from NTFS partition to FAT partition

Answer 35

Lose attributes and security permissions
Retain long file names

Question 36

Registry

Answer 36

Central hierarchical database that stores config info for system to run
Windows continually references during operation

Question 37

Registry Root Keys

Answer 37

Root Keys:
HKEY_LOCAL_MACHINE: Config info for OS
HKEY_USERS: User profile Info

Linked Keys:

HKEY_CLASSES_ROOT: HKLM\SOFTWARE\Classes

HKEY_CURRENT_USER: HKU\SID

HKEY_CURRENT_CONFIG: HKLM\SYSTEM\CurrentControlSet\HardwareProfiles\Current

Question 38

Registry Structure

Answer 38

Keys - Comparable to Folders
Values - Comparable to Files
Value Types:
Binary: REG_BINARY - Binary data
String: REG_SZ - null-terminated string
Multi String: REG_MULTI_SZ - Sequence of null-terminated Strings
Expandable String: REG_EXPAND_SZ - Environment Variables
Double Word: REG_DWORD - 32 bit number
Quadruple Word: REG_QWORD - 64 bit number
Data - Content determined by the value's type

Question 39

SID

Answer 39

Unique value ID'ing Users or groups
"Well known SIDs" exist for static values such as administrators group
Made up of Domain Identifier (IDs Domain or Computer) and Relative ID (RID, Unique value identifying user, group, or account)

Question 40

GUID

Answer 40

128 bit number used to ID software or hardware versions

Question 41

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Answer 41

System location - any user logging in will run

Question 42

HKU\Software\Microsoft\Windows\CurrentVersion\Run

Answer 42

Only specific user will run

Question 43

Remote Desktop Config

Answer 43

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Set fDenyTSConnections to 0 to enable RDP, 1 to disable

Question 44

Modify Services through Registry

Answer 44

HKLM\SYSTEM\CurrentControlSet\Services

Binary must know how to communicate with services controller

Question 45

Delete or move files on reboot

Answer 45

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Value: PendingFileRenameOperations
Data: Absolute File Path for the moving/deleting of certain files

Question 46

Windows Defender Exclusions (Registry)

Answer 46

HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Value: Absolute Filepath to a folder
Data: REG_DWORD 0x0

Excludes filepath from Windows Defender actions