Boot Process Flashcards

Question

CSRSS

Answer 1

Client/SErver Runtime SubSystem

Answer 2

Session Manager SubSystem

Answer 3

Boot Config Database

Answer 4

Extensible Firmware Interface

Answer 5

Unified Extensible Firmware Interface

Answer 6

Power On Self Test (POST)

Answer 7

``` Runs Bootloader (from NVRAM) Loads BCD (also in NVRAM) ```

Answer 8

Bootloader detects hardware

Answer 9

EFI boot manager gives OS boot menu

Answer 10

Winload.efi: EFI version of winload

Answer 11

Requires EFI system partition Formatted as FAT Up to 1GB in size

Answer 12

Coordinates logon and useractivity | Launches logonui

Answer 13

Interactive logon dialog box

Answer 14

Loads auto-start drivers and services

Answer 15

Where the user is authenticating

Answer 16

With the domain controller

Answer 17

cmd.exe : loaded modules, services, owner

Answer 18

Open file (.exe) Create initial thread Pass to kernel32.dll to check permissions Pass to csrss, build structure, spawns first sub-thread, inserts into windows subsystem-wide proc list Starts execution of initial thread For real-time systems, processes may be held in “New State” to avoid contention, otherwise moved to “Ready State”

Answer 19

Process currently being executed (one or more threads executing)

Answer 20

Process ready to execute when given the opportunity (CPU Time)

Answer 21

Process can’t execute until some event occurs (I/O Read)

Answer 22

Termination of a process due to a halt or abort

Answer 23

Memory is allocated to process in distinct chunks

Answer 24

Smallest unit of protection at the hardware level | 4KB for small page, 2MB for large page

Answer 25

Physical memory becomes overcommitted (threads try to use more memory than available) pages are written to the page file on disk

Answer 26

Occurs when a thread references an invalid page | if page is on disk in the page file, it can be brought back into memory

Answer 27

Long running executable application that run in their own container (process) Can be started automatically at boot, on demand, or when requested Can be paused, stopped, or restarted Run in the background, normally without a user interface

Answer 28

cmd.exe, querying and management

Answer 29

info for eventlog service including PID

Answer 30

query tasklist for PID associated with eventlog

Answer 31

query tasklist for svchost services

Answer 32

query eventlog service description

Answer 33

show the binary command that loads the service

Answer 34

Basic unit to which the OS allocates processor time Can execute any part of the process code Including parts currently being executed by another thread Share memory with each other as well as the process Deadlock is possible if the threads are waiting for each other’s resources Synchronization (semaphores, mutexes) are used to control access to shared variables Client/Server Run-Time Subsystem (CSRSS) maintains a list of threads Threads are part of a execution priority pool 0-31 per processor, highest executes next

Answer 35

Objects are data structures representing a system resource (file, thread, etc) Applications can’t access objects directly, must obtain a handle Handles for each process are tracked in an internal table known as the Object Manager Handles allow a common interface to objects, regardless of underlying changes to the object Handles allow Windows to track ACLs for objects during handle creation time

Answer 36

Waiting for Execution, in priority pool

Answer 37

Selected to run, but not yet executed. Optimization for scheduling database

Answer 38

Next thread to run, only one per processor per system

Answer 39

A thread currently running on a processor

Answer 40

A period of inactivity while waiting for an event

Answer 41

Ready for execution, but paging needed to bring back into memory

Answer 42

Finished execution, heading for deallocation in most cases

Answer 43

Thread is being created

Answer 44

The primary container (memory structure) for a program being executed

Answer 45

Represents sequential machine-code instructions that a processor executes

Answer 46

Pointer to OS objects referenced within a process

Answer 47

processes owned by, and executed by the operating system | required for the system to function

Answer 48

User | Kernel

Answer 49

Runs in private virtual address space | Applications are isolated, one crash will not cause another to crash

Answer 50

All run in a single virtual address space | Not isolated from other processes

Answer 51

Requires user interaction to replicate

Answer 52

Does not require user interaction to replicate

Answer 53

Malware hidden within another legitimate program | Not usually self-replicating

Answer 54

Transmitted from remote host to local host | Executed without user instruction (i.e. Javascript, VBScript, etc)

Answer 55

Multiple infection/transmission methods used together

Answer 56

Malicious program that allows illegitimate access to a machine User is unaware

Answer 57

Malicious program that provides remote command and control

Answer 58

Malicious program that is ONLY used to hide things | DOES NOT provide access or command and control alone

Answer 59

Records keyboard usage

Answer 60

Remote administration/Command and Control of a botnet

Answer 61

Monitors behavior of user

Answer 62

Paid for ads to infected users

Answer 63

Blocks access to a resource, requires payment from victim

Answer 64

Person in control of the botnet

Answer 65

Multiple machines infected and controlled by a bot herder

Answer 66

Individual machine infected and part of the botnet

Answer 67

Examine malware without executing it | Strings

Answer 68

Examine malware while it is running

Answer 69

Virtualization is technology that allows you to create multiple simulated environments or dedicated resources from a single, physical hardware system. Software called a HYPERVISOR connects directly to that hardware and allows you to split 1 system into separate, distinct, and secure environments known as VIRTUAL MACHINES (VMs).

Answer 70

One set of Hardware -> Many virtual machines (VM) VMs can be dynamically created and allocated to users Baseline Image can be more rapidly updated VMs instances can easily be rolled back to undo changes Provide fault tolerance through redundant hardware and migration Could be used as a pivot point Could provide persistence if data store is compromised Lessens attribution Configurable software solution (OS, Services, Programs, etc) Useful for protected Malware Analysis (Malware Detonation Chamber) Quick restoration times Usable as Honey Pot or Tar Pit Difficult for malware to maintain persistence Easily manageable across enterprise

Answer 71

Typically require more upfront planning and configuration In public cloud environments, lack of granularity in control of data at rest can lead to compliance issues (HIPPA, etc). Some functions may not work well in a VM, such as copy/paste, printers, netstat, without additional setup effort. Persistence can be lost if the target machine is restored Could end up in a honey pot or tar pit If the data store is compromised all new instances will also be compromised Planning and initial setup cost more with virtual networks.

Answer 72

A method of gaining an understanding of the current operating environment on the target machine It applies both defensively and offensively Allows you to get an idea of what the system is used for and what type of users use it Used to decide what courses of action are appropriate for the system

Answer 73

``` Running Processes Active Users Network Configuration Network Communications Logging Scheduled Jobs Aliases ```

Boot Process Flashcards

Learn the boot process