Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
81 Cards in this Set
- Front
- Back
|
ties clusters together
|
linked allocation
|
|
|
kernel operates in ring ___ and ___
|
0 and 3
kernel and user |
|
|
____ are the building blocks for programmers
|
API
|
|
|
in windows ___ and API's are used to allow abstraction (removing the user from the inner processes of windows)
|
dll's
|
|
|
single runtime instance of a statically defined function in kernel mode
|
object
|
|
|
lowest layer dll
|
hal
|
|
|
kernel 2 modes
|
executive and kernel
|
|
|
exe that runs executive and kernel modes
|
ntoskernel.exe
|
|
|
___ does priviliged actions with the hal
|
kernel
|
|
|
4 main kernel responsibilities
|
thread sched
interupt exception handling low level processor synch recovery after a power failure |
|
|
provides standard interface for every object in the system
|
object manager
|
|
|
windows executive that creates manages terminates processes and threads
|
process mgr
|
|
|
windows executive provides a private address space for each process
|
virt mem mgr
|
|
|
windows executive that processes file and i/o requests
|
i/o mgr
|
|
|
windows executive that enforces sec.
|
sec. ref. mon.
|
|
|
2 main types of objects
|
kernel objects and executive objects
|
|
|
these objects allow environment subsystems to create their own objects
|
executive objects
|
|
|
3 main things in an object header
|
obj name
security descriptor object type |
|
|
handles are in the object ____
|
header
|
|
|
2 phases that allow deletion of objects
|
name retention and deleting the object
|
|
|
windows will delete objects if there are no ____ or ____
|
handles or pointers
|
|
|
mechanism to refer to an object indirectly
|
symbolic link
|
|
|
6 resources for processes
|
1 virtual address space
2 executable program 3 list of open handles 4 access token 5 PID 6 thread |
|
|
how a process opens (6 steps)
|
1 image of file
2 create windows executive process object 3 create initial thread 4 notify subsystem 5 start execution of thread 6 complete initialization of address space & execute program |
|
|
2 functions of VMM
|
give each process its own page directory
each index has its own page index |
|
|
pages can be ____, ____, or _____
|
free reserved commited
|
|
|
executive that controls shared memory
|
vmm
|
|
|
heap manager exists in these 2 dll's
|
ntdll and ntoskernel
|
|
|
responsible for memory allocations inside larger memory areas
|
heap mgr
|
|
|
____ are used to keep track of which virtual addresses have been reserved, & which have not
|
VAD
|
|
|
what is the IRP
|
I/O request packet - used to communicate with system components and locate stack positions
|
|
|
what is called when a process opens a handle to an object?
|
SRM
|
|
|
this handles windows client server methodology
|
local procedure call
|
|
|
this executive has lists of devices, loads drivers, sends start requests
|
P&P mgr
|
|
|
runs posix and os/2
|
WSS
|
|
|
exe for WSS
|
csrss.exe
|
|
|
native API
|
ntdll.dll
|
|
|
kernel portion of the WSS
|
win32k.sys
|
|
|
dividing line between user mode and kernel mode
|
ntdll.dll
|
|
|
3 dll's in the WSS
|
kernel32.dll
user32.dll gdi32.dll |
|
|
this service is responsible for mgt of database that contains users/groups on the local machine
|
SAM
|
|
|
SAM runs in context of ____ process
|
lsass
|
|
|
executive responsible for registry
|
configuration mgr
|
|
|
conditions that divert processor to code outside the normal flow of control
|
interupts and exceptions
|
|
|
used to capture thread when interrupt occurs
|
trap dispatching
|
|
|
processes exceptions & interrupts and transfers control
|
trap handler
|
|
|
interrupts are in priority order...
|
high number = high pri
|
|
|
kernel allows devices to register these interrupts
|
interrupt service routines
|
|
|
single volume over multi disks
|
spanning
|
|
|
raid 0
|
striping +speed/-redundancy
|
|
|
raid 1
|
mirroring -space/+redundancy
|
|
|
raid 5
|
striping w/parity -space/+redundancy
|
|
|
FAT directory entries contain these 3 things
|
address size and date
|
|
|
in FAT these tie clusters together
|
linked allocation
|
|
|
in FAT there can be how many primary partitions
|
4
|
|
|
cluster sizes are created during ____
|
formatting
|
|
|
in a FAT table layout this contains the boot record and OS info
|
reserved
|
|
|
in a FAT table layout, this area conducts cluster mgt
|
FAT area
|
|
|
in a FAT table layout, this area has file storage and root directory
|
Data Area
|
|
|
FAT time stamps are local?
|
yes, local to machine
|
|
|
which time is only accurate to the day?
|
last access time
|
|
|
can you encrypt and compress in NTFS?
|
nope
|
|
|
the heart of NTFS
|
MFT
|
|
|
MFT has an entry for itself?
|
yes
|
|
|
NTFS entries begin with this symbol
|
$
|
|
|
entries 0-? are reserved for metadata
|
15
|
|
|
1k files are called ___ because the whole file resides in the MFT (NTFS)
|
resident
|
|
|
Files larger than 1k (NTFS) are considered
|
non-resident
|
|
|
instead of linked allocation tables, NTFS uses:
|
VCN to LCN
|
|
|
NTFS best true time stamp
|
$standard_information
|
|
|
shows the parent directory in this NTFS entry
|
$file_name
|
|
|
where root kits can be installed in this NTFS entry
|
$data
|
|
|
this NTFS entry shows directories and subdirectories like a tree
|
$index_root
|
|
|
encryption entries in NTFS
|
$obj_id
$efs |
|
|
what 5 things trigger a restore point
|
app installation
auto update backup recovery manual daily |
|
|
xp backups use this form
|
shadow copy
|
|
|
5 boot sections
|
preboot
boot kernel load kernel init logon |
|
|
key boot files
|
ntldr and ntdetect
|
|
|
during boot, this switches user to protected mode
|
ntldr
|
|
|
first 512 byte sector
|
MBR
|
|
|
MBR contains these 3 things for boot
|
partition table
boot sector OS control flag |
