Windows V2 Flashcards
(29 cards)
What is Phase 1 of the Windows Boot Process?
Phase 1 (Pre-Boot): The PC’s firmware performs the POST, loads firmware settings, identifies a valid system disk, reads the MBR, and starts the Windows Boot Manager from %SystemDrive%\bootmgr.
What is the purpose of Phase 2 (Windows Boot Manager) in the Windows Boot Process?
Phase 2 (Windows Boot Manager) locates and initiates the Windows loader (Winload.exe) from the Windows boot partition at %SystemRoot%\system32\winload.exe.
What happens during Phase 3 (Windows OS Loader) in the boot process?
In Phase 3, essential drivers required to start the Windows kernel are loaded and the kernel begins running. The critical file is %SystemRoot%\system32\ntoskrnl.exe.
Describe what occurs in Phase 4 (Windows NT OS Kernel) of the Windows Boot Process.
Phase 4 involves the kernel loading the system registry hive, additional drivers marked as BOOT_START, and taking control by passing execution to the session manager process (Smss.exe) after the GUI loads.
What does HKEY_LOCAL_MACHINE (HKLM) in the Windows Registry store?
HKLM holds settings specific to the local computer. It is maintained in memory by the system kernel and includes subkeys such as SAM, SECURITY, SYSTEM, and SOFTWARE.
What information is stored in the SAM subkey of HKLM?
The SAM subkey contains all built-in and configured user accounts, including usernames, unique identifiers, cryptographic password hashes, the location of each user’s registry hive, status flags, and domain group memberships.
What does HKEY_CLASSES_ROOT (HKCR) contain?
HKCR contains information about registered applications, such as file associations and OLE Object Class IDs, and is compiled from both user-based (HKCU) and machine-based (HKLM) software class settings.
What is the role of HKEY_CURRENT_USER (HKCU) in the Windows Registry?
HKCU stores settings specific to the currently logged-in user and is linked to the corresponding subkey in HKEY_USERS, which stores individual user settings from NTUSER.DAT and USRCLASS.DAT files.
What is HKEY_CURRENT_CONFIG (HKCC) used for?
HKCC acts as a pointer to the hardware profile currently in use by referencing configuration information stored in the SYSTEM subkey of HKLM.
What does HKEY_USERS (HKU) contain?
HKU contains a SID subkey for each loaded (logged in) user profile—including system, default, and special accounts—with settings loaded from each profile’s NTUSER.DAT and USRCLASS.DAT files.
What is a Security Identifier (SID) in Windows?
A SID is a unique string that identifies a security principal (user account or group) in Windows. It is structured with an ‘S’ flag, a revision level, an ID authority, sub-authority values, and a Relative Identifier (RID).
How is the SID used when a user signs in on Windows?
Upon sign-in, Windows creates an access token that contains the user’s SID along with the SIDs of any groups the user belongs to, enabling the enforcement of security policies.
Break down the components of the SID example: S-1-5-21-776561741-162531612-682003330-500.
‘S’ indicates the string is a SID, ‘1’ is the revision level, ‘5’ is the ID authority, the following series (21-776561741-162531612-682003330) represents the sub-authority values with a domain/system identifier, and ‘500’ is the Relative Identifier (RID) unique to the account.
Name some well-known SIDs and their associated accounts.
Examples include: S-1-5-18 for Local System, S-1-5-19 for Local Service, S-1-5-20 for Network Service, S-1-5-[4a]-500 for the Administrator account, and S-1-5-[4a]-501 for the Guest account.
What is the purpose of the ‘Get’ command in PowerShell?
The ‘Get’ command retrieves information from the system; for example, ‘get-help’ provides documentation on various commands.
List basic PowerShell commands along with their use cases.
Key commands include: Get (retrieve data), Start (run processes or jobs), Out (send output to a file), Stop (terminate processes), Set (define or change settings), and New (create items like SMB shares).
What does the ‘tasklist’ command do in Windows and what are some of its options?
‘tasklist’ displays a list of currently running processes. Options include /s (specify remote computer), /u and /p (specify user credentials), /fo (output format such as table, list, or csv), /fi (filter criteria), /m (modules loaded), and /v (verbose information).
What are some key options for the ‘ipconfig’ command in Windows?
‘ipconfig’ options include: /all for detailed TCP/IP configuration, /release to send a DHCP release message, /renew to request a new IP address, and /flushdns to clear the DNS resolver cache.
What is the function of the ‘netstat’ command in Windows?
‘netstat’ displays active TCP connections and shows the ports on which the computer is listening for communications.
What does the ‘tracert’ command do, and what is one of its options?
‘tracert’ determines the network path to a destination by sending ICMP echo requests with incrementally increasing TTL values; the /h option specifies the maximum number of hops.
What is SysWOW64 in the context of Windows?
SysWOW64 is a subsystem in 64-bit Windows that enables the operating system to run 32-bit applications.
What is a Dynamic Link Library (DLL) and its purpose in Windows?
A DLL is a library that contains code and data which can be used by multiple programs at the same time, promoting modular design and efficient memory use.
Define a Hard Link and its usage in file systems.
A Hard Link is a directory entry that associates a name with a file on a file system. On Windows, only NTFS supports hard links, and on Unix-like systems a hard link points to a file’s inode.
What is a Symbolic Link (symlink) in Windows, and how does it work?
A Symbolic Link is a file that contains a reference to another file or directory in the form of an absolute or relative path. On Windows, symlinks are limited in support and often work as shortcuts.