114 Cards in this Set


The System call Handler is also referred to as?

"The Executive"

What ring does the Kernel operate in? What ring does the user operate in?

Ring 0; Ring 3

What is a program or an application?

.exe; executable software, referred to as an executable image.

What is a process?

An executing instance of an application.

What is an Application Programming Interface (API)?

An interface for requesting OS services by using callable functions contained in libraries called DLLs (Dynamic Link Libraries).

What is a Dynamic Link Library?

A set of callable functions and subroutines linked together as a binary file. Since DLLs cannot be executed individually, they need to be in the context of a process.

What is the Native API?

Used whenever a function needs a service from the Kernel; the Native API translates the request into the actual system call.

"He talks directly to the Kernel"

What is the file name for the Native API?

NTDLL.DLL

What is the Hardware Abstraction Layer (HAL)?

hal.dll; HAL is a kernel-loadable module that operates between hardware and the Executive so applications and device drivers do not have to know hardware-specific information.

What is Ntoskrnl.exe?

This provides the kernel and executive when executed during start-up.

The Kernel is object oriented and provides what 4 functions?

Thread Scheduling; Interrupt and Exception Handling; Low-level Processor Synchronization; Power Failure Recovery.

What is the "Executive"?

The System Call Handler that verifies and provides kernel services.

The Windows Executive consists of 8 things. They are?

1. Object Manager
2. Process Manager
3. Virtual Memory Manager
4. I/O Manager
5. Security Reference Monitor
6. Local Procedure Call
7. PnP Manager
8. Configuration Manager

What are the three main criteria of an object?

1. An object is an instance of a statically defined class that exists in kernel mode.

2. An object is a system resource that two or more user mode processes can share.

3. Objects can have names, support synchronization and are protected by object-based security.

What is a symbolic link?

Objects used to refer to an object indirectly. They are often used to translate MS-DOS device names into Windows internal device names.

ex) C: to \Device\HarddiskVolume1

What are the 2 types of ACLs contained in the security descriptor?

1. Discretionary ACL (DACL) - Identifies permissions to a resource.

2. System ACL (SACL) - Controls how the system audits object access attempts.

Each object has what 2 parts?

An object header and object body.

The object manager is responsible for?

Standardizing the interface with all objects by controlling the object header.

What are methods?

Methods are the actions or routines that their objects can perform.

What are 6 major components of an Object Header?

1. Object Name
2. Security Descriptor - Who can use the file and their permissions.
3. Open Handles Count - How many times the handle has been opened.
4. Open Handles List - List of processes that have opened this handle.
5. Object Type - Lets you know who is in charge, and how to handle the file.
6. Reference Count - Number of times a kernel mode component has referenced the address of this object.

All user mode processes must own a __________ to an object before its __________ can use the object.

handle; threads

What is object retention?

A way the object manager can determine if an object is in use or can be deleted. This is done by referencing an object's Open Handle Count and Reference Count.

What two phases are used to implement object retention?

Name retention - The number of open handles that exist to an object. When handles = 0, the name is deleted.

Object Deletion - When the reference count = 0, the kernel releases the object. Reference count and handle count must both equal 0 in order for the object to be deleted.

What are the three ways the object manager uses to build or assign a security descriptor?

1. A subject that creates a new object and assigns information.

2. The object manager provides default security information.

3. Receives inherited information from a parent.

What is the System Reference Monitor (SRM)?

It enforces security policies that guard kernel mode resources by performing object access protection and auditing. It also generates most of the audit records in the Security event log.

True or False. Security audits on most Windows systems are configured by default.

False.

Describe how a process receives access for a desired request.

The SRM compares the process's access token to the object's security descriptor. If it matches up, access is permitted. The object manager then stores the access rights in the handle it creates.

What resources does a process need in order to run... "HEAP IT"

Handle;
Executable program (.exe);
Access Token;
Private address space;
Identifier (PID);
Thread.

What does the Windows subsystem consist of?

csrss.exe;
Win32k.sys;
kernel32.dll;
user32.dll;
gdi32.dll;
advapi32.dll

What is the dll for the Native API?

ntdll.dll;

What does the Winlogon process do?

Winlogon.exe handles user logons and logoffs; it also starts services.exe and lsass.exe.

What does the session manager do and what is its executable name?

Session manager, or smss.exe, is the first user mode process to start. It creates system wide environment variables and starts winlogon.exe and csrss.exe.

What is the Service Control Manager (SCM) and what is it responsible for?

SCM, or services.exe, is responsible for managing service processes.

What is the Local System Authority (LSA) and what is it responsible for?

LSA, or lsass.exe, uses authentication packages to verify user credentials. The SAM, or Security Accounts Manager, can be found in here. Account information is maintained in Active Directory in a domain environment.

What is the purpose of explorer.exe?

This manages the graphical interface for Windows.

FAT, or File Allocation Table, uses what to string together non-contiguous data?

linked allocation

What are the timestamps associated with a FAT file?

Created;
Accessed;
Written;

What time stamps are associated with the NTFS, or New Technology File System?

Creation;
Modified;
MFT Modified;
Accessed.

Describe the Pre-Boot Sequence of the System Boot Process.


The BIOS performs the POST. After the Post is completed, BIOS will load the MBR. After the active partition in the MBR is located, The MBR will load the Boot Sector from the system volume. The Boot Sector will then load NTLDR, also known as the Second Stage Boot Loader.

Describe the Boot Sequence of the System Boot Process.

The NTLDR will then switch the system from real to protected mode. The NTLDR will then read Boot.ini to determine which partition to boot (preferably the partition that contains the OS).

Then the NTLDR will load and execute NTdetect.com, which gets the list of hardware from the results of the BIOS's POST.

Describe the Kernel Load Sequence of the System Boot Process.

NTLDR will then load Ntoskrnl.exe and Hal.dll. He loads the HKLM/System Registry key and starts all device drivers that start with a hex value of 0x0. He lastly passes control to ntoskrnl.exe.

Describe the Kernel Initialization Sequence of the System Boot process.

The kernel uses the information gathered from the BIOS's POST to make the HKLM/Hardware registry key. He also creates the HKLM/SYSTEM key and starts all drivers with the hex value of 0x0. He then starts the Session Manager process, smss.exe.

Describe the User Mode Start-up portion of the System Boot Process.

Smss.exe will start the subsystem csrss.exe and winlogon.exe (as well as Win32k.sys and all the subsystem DLLs associated with it, as covered in a previous flash card). Winlogon will then start the SCM (services.exe) and the LSA (lsass.exe) process and present the logon box.

Services will then load all services marked with a hex value of 0x2.

What does each SCM Registry start value mean... 0x0? 0x1? 0x2? 0x3? 0x4?

0x0; Boot service: Loaded by the NTLDR.
0x1; System: Loaded at kernel initialization.
0x2; Automatic: Loaded by the SCM.
0x3; Manual: Loaded by user or SCM as needed.
0x4; Disabled: Service should not be started.

What is the purpose of the Net Start and Stop command?

They can start and stop services locally.

What is Sc.exe?

It is a CLI that can manipulate service control configuration functions on local and remote systems. It can even create its own service.

What is the purpose of Psservice?

PsService is a Service Control Program, or SCP, that can start, stop, view and suspend services. It can also change configuration with the command "setconfig".

What is the definition of Windows Services?

Mechanisms used by the OS for system management and configuration. Windows services consist of service applications, SCPs and the SCM.

What attributes are used in the FAT file system? What attributes are found in the NTFS file system?

FAT = R,A,S,H.
NTFS = A,R,C,H,E,S

What is the difference between a Paged and Non-paged pool?

A paged pool is just a list of pages identifying sections of virtual memory that can be swapped into and out of physical memory. Non-paged pool is a list of pages identifying sections of virtual memory that have to reside in physical memory at all times.

What is the purpose of a Virtual Address Descriptor(VAD)?

To keep track of which virtual addresses have been allocated in a process' address space and which have not.

What are the two primary functions of a Virtual Memory Manager (VMM)?

1) To map a process' virtual memory and 2) to swap while running threads or when the system tries to use more memory than is made available.

What is an interrupt?

Typically triggered by I/O devices or hardware. It is asynchronous.

What is an exception?

Typically triggered by software. It is synchronous.

What is the Trap Handler?

A kernel module that processes interrupts and exceptions by transferring control to code that handles the condition.

What is an Interrupt Request (IRQ)?

Interrupts are referred to as IRQs. Its priority is defined by its level, or IRQL.

What is the purpose of an .inf file?

It is the link between a particular hardware device and the driver that assumes primary control of the device.

How do you view the Registry?

Regedit

True or False; Hardware data is stored on the Hard Drive permanently.

False; hardware data can change at any time, so the information is considered volatile, meaning the information is created every time the system boots and is stored in memory.

What is the purpose of the Local Procedure Call (LPC)?

To pass messages and requests between a client and server process on a single machine.

What is the Win32k.sys?

It is the kernel mode part of the Windows subsystem and contains the graphics device interface.

What do the following DLLs contain... 1. kernel32.dll? 2. user32.dll? 3. gdi32.dll? 4. advapi32.dll?

1. kernel32.dll: Contains code that gives programs access to system functions, i.e. basic input/output, starting/stopping processes and memory management.

2. user32.dll: Contains basic functions such as window management, user input and text, and allows programs to implement a GUI.

3. gdi32.dll: Enables programs and applications to use graphics and formatted text on the video display and printer.

4. advapi32.dll: Part of an advanced API service library supporting numerous APIs, including Security and Registry calls.

The file System Structure can be broken down into five layers. They are?

Filename, File System, Physical, Metadata and Data.

What is the Master File Table (MFT)?

Considered the heart of the file system, it is used to manage filename and metadata for the NTFS file system. It contains attribute entries for every file and directory on that file system.

What does it mean for an attribute to be resident or non-resident?

A resident attribute is stored completely within an MFT entry, while a non-resident attribute is stored outside of the MFT entry.

What are the stages of the System Boot Process?

Pre-Boot Sequence;
Boot Sequence;
Kernel Load Sequence;
Kernel Initialization Sequence;
User Mode Start-up.

What are the timestamps for a FAT file system?

Created, Accessed, Modified.

What are the timestamps for NTFS?

Created, Accessed, MFT modified, Modified (Written)

What are the 2 data structures used in a FAT file system?

Directory Entry and File allocation.

What is included in a FAT Directory Entry?

Filename, Starting cluster, Size, File Attributes (RASH)

What data structures are used in NTFS?

$INDEX_ROOT - Directories, subdirectories and files contained in it.

$STANDARD_INFORMATION - Accurate timestamps and file attributes (ARCHES).

$FILE_NAME - File name, size and a reference to the parent directory.

$DATA - Contains file data or a pointer to that data.

If file data in NTFS is non resident, how does it keep track of the information?

By using VCN to LCN mapping which is contained in the $DATA header.

What port does Kerberos use?

Kerberos.dll, or Kerberos uses port 88.

Describe the Kerberos process.


(Disclaimer: This is the way that I would sum this up, so take it with a grain of salt)

After receiving your credentials, kerberos.dll will send your information to the KDC or Domain Controller. The Authentication Server, which runs under the DC's LSA, will then check your credentials against Active Directory. The AD will then give its results to the AS (Authentication Service) and the AS will give you a TGT (Ticket Granting Ticket) proving you've been authorized. It will also encrypt this information while sending it, using a hash from the krbtgt as well as a SK (System Key) to be able to unlock and read this transmission. The TGT is stored in the Cache.

Describe the Kerberos process (continued.)

After you receive your TGT and the SK needed to decrypt it, you send this and the SK over to the TGS (Ticket Granting Service). The TGT proves that you have been authenticated and that you are making a valid request. The TGS will then return an ST (Service Ticket) to the Workstation's LSA. The LSA will then turn that ST into an access token to be used as requested. For logon, it would be returned to msgina.dll to start the user's shell, otherwise known as explorer.exe.

What is LCN?

Logical Cluster number - Tracks actual physical clusters on a Disk.

What is VCN?

Virtual Control Manager - Tracks how many clusters are required to store data.

What is the Difference between a SACL and a DACL?

SACL - Auditing - System

DACL - User permissions - Discretionary

There can be an Empty and Null DACL. What do they both entail?

Empty DACL - Gives access to no one.

Null DACL - Unconditional access to everyone.

What are the two types of access tokens?

Primary and Impersonation.

True or False. When combining share permissions, the end result is always the Least Restrictive.

True

True or False. When combining NTFS permissions, the end result is the most restrictive.

False; It's cumulative.

True or False. When combining NTFS and Shared permissions, the effective permission is always the most restricted.

True.

True or False. Shared permissions are only effective when a file or folder is accessed over a network.

True. NTFS permissions pertain to the local system.

You have a folder made private to a user, but you need that user to view a file inside that folder. How can you resolve this issue?

You can give him a pathway to that file specifically. Known as a UNC, or Universal Naming Convention.

If Joe is a user in the group Sales, and that group is denied access to a folder, how can you let Joe view a file in that folder?

Change the group he is in. (DON'T NUKE IT!)

What are the shared permissions?

Full Control, Read, Change and Deny.

What's important to remember about the Deny permission?

It takes precedence over everything.

What are the NTFS permissions?

Full Control, Modify, Read&Execute, List Folder Contents, Read, Write, Special Permissions.

What are the Special permissions?

Take Ownership (important to remember that an owner can't be specified, just given the ability to take ownership) and Change Permission.

ACLs are processed in a certain order for determining permissions. What is it?

Explicit - Denied ACEs
Explicit - Inherited ACEs
Inherited - Denied ACEs
Inherited - Inherited ACEs

What are the administrative shares?

1. Drive Letter$ - Root directory for a drive.
2. ADMIN$ - Resources used during computer administration.
3. IPC$ - Named pipes required for communication between computers and programs.
4. NETLOGON - Required by all client computers that access Domain Controllers.
5. SYSVOL - Required resource on all Domain Controllers.

What is a secondary Logon?

A secondary logon utilizes the RunAs program and service to perform tasks without having to log on as the administrator account.

What are the 4 SCPs?

Services.msc, PsService, SC and Net start/stop.

For type values, what do the following values mean... 1. 0x10 (16) 2. 0x20 (32)

1. 0x10 (16): A service that runs in a process by itself.
2. 0x20 (32): A service that shares a process.

Define the following... 1. Key Distribution Center? 2. Authentication Service?

1. The KDC is usually the Domain Controller that maintains a database. It provides two main services: the Authentication Service and the Ticket Granting Service.

2. Constructs a ticket made from pre-authentication data. This comes encrypted and is sent with a Session Key to decrypt it.

Define the following... 3. Ticket Granting Service? 4. Ticket Granting Ticket?

3. Upon reception of the TGT, the TGS will then return a Service Ticket to use for the requested service. The LSA will use it to make an Access Token.

4. Ticket that enables the AS to safely transport the requestor's credentials to the TGS. Stored in Cache.

Define the following... 5. Service Ticket? 6. krbtgt Account?

5. Used to authenticate with requested services.

6. It is used to generate a long term key. When a TGT is generated, the password hash from the krbtgt is used as an encryption key. Since this is a symmetric key, the TGS can encrypt and decrypt using the same keys as anyone on the network.

Define the following... 7. Session key?

7. The session key is used to encrypt and decrypt messages between the client and the KDC.

What is the Native API?

ntdll.dll

What is the Process Manager responsible for?

Creating and managing process threads.

What is the Virtual Memory Manager responsible for?

Provides address space for each process.

What is the I/O manager responsible for?

Processing all file and I/O requests

What is the Security Reference Monitor responsible for?

Enforcing local Security policy.

What is the Local Procedure Call responsible for?

Transferring messages between Server and Client on the same computer.

What is the PnP Manager responsible for?

Determining which drivers need to be loaded to support a device and loading them.

What is the Configuration Manager responsible for?

Responsible for implementing and managing the registry.

What are two methods of Shared Memory Protection?

1. DEP (Data Execution Prevention)

2. Copy on Write

RID Numbers and meanings... 1. 500 2. 501 3. 18 4. 19 5. 20 6. 1000+

1. 500: Administrator
2. 501: Guest
3. 18: Local System (Service Account)
4. 19: Local Service
5. 20: Network Service
6. 1000+: Ordinary Users

What are the 5 parts to an SID, in order?

1. SID
2. Revision Level
3. Authority Value
4. Sub-Authority Value
5. Relative Identifier (RID)


How should you approach this test?

Approach it with confidence. You are here for a reason. Even if you don't believe it, you have paperwork that proves otherwise. Just relax and I'll see you in 7.2!