PrepIQ TrainSec Windows Master Developer Ultimate Exam, Exams of Technology

The PrepIQ TrainSec Windows Master Developer Ultimate Exam prepares advanced developers to build secure and optimized Windows-based applications. Learners study Windows APIs, system programming, debugging, memory management, and advanced development techniques for enterprise and security-focused environments.

Typology: Exams

2025/2026

Available from 06/03/2026

shilpi-jain-3
shilpi-jain-3 🇮🇳

2.5

(11)

80K documents

1 / 48

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
PrepIQ TrainSec Windows Master
Developer Ultimate Exam
**Question 1. Which ring level does user-mode code execute in Windows?**
A) Ring 0
B) Ring 1
C) Ring 2
D) Ring 3
Answer: D
Explanation: User-mode processes run in Ring 3, the least-privileged CPU protection
level, while kernel code runs in Ring 0.
**Question 2. The Windows component that abstracts hardware differences for the
kernel is called:**
A) Executive
B) HAL
C) Win32 Subsystem
D) ntdll.dll
Answer: B
Explanation: The Hardware Abstraction Layer (HAL) isolates the kernel from
hardware variations, providing a uniform interface.
**Question 3. Which of the following is NOT a Windows subsystem?**
A) Win32
B) POSIX
C) .NET CLR
D) Windows Subsystem for Linux (WSL)
Answer: C
Explanation: The .NET CLR is a runtime, not a native Windows subsystem; Win32,
POSIX, and WSL are subsystems.
**Question 4. The primary purpose of ntdll.dll is to:**
A) Provide GUI widgets
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30

Partial preview of the text

Download PrepIQ TrainSec Windows Master Developer Ultimate Exam and more Exams Technology in PDF only on Docsity!

Developer Ultimate Exam

Question 1. Which ring level does user-mode code execute in Windows? A) Ring 0 B) Ring 1 C) Ring 2 D) Ring 3 Answer: D Explanation: User-mode processes run in Ring 3, the least-privileged CPU protection level, while kernel code runs in Ring 0. Question 2. The Windows component that abstracts hardware differences for the kernel is called: A) Executive B) HAL C) Win32 Subsystem D) ntdll.dll Answer: B Explanation: The Hardware Abstraction Layer (HAL) isolates the kernel from hardware variations, providing a uniform interface. Question 3. Which of the following is NOT a Windows subsystem? A) Win B) POSIX C) .NET CLR D) Windows Subsystem for Linux (WSL) Answer: C Explanation: The .NET CLR is a runtime, not a native Windows subsystem; Win32, POSIX, and WSL are subsystems. Question 4. The primary purpose of ntdll.dll is to: A) Provide GUI widgets

Developer Ultimate Exam

B) Expose the Native API and perform syscalls C) Manage user accounts D) Implement the .NET runtime Answer: B Explanation: ntdll.dll implements the Native API and marshals calls from user mode to kernel mode via syscalls. Question 5. In the Object Manager, which object type is used to represent a file on disk? A) Event B) Mutant C) File object D) Semaphore Answer: C Explanation: A File object encapsulates a file’s state and I/O operations within the Object Manager. Question 6. When a process creates a handle with the DUPLICATE_SAME_ACCESS flag, the duplicated handle: A) Inherits the same access rights as the original B) Receives no access rights C) Gets the maximum possible rights D) Is automatically closed after use Answer: A Explanation: DUPLICATE_SAME_ACCESS tells the system to give the new handle the same access permissions as the source handle. Question 7. Symbolic links in the Object Manager are mainly used to: A) Synchronize threads B) Provide alternative names for objects C) Encrypt data

Developer Ultimate Exam

Explanation: Job objects allow a set of processes to be managed collectively, enforcing limits on CPU, memory, and I/O. Question 11. Which Windows feature isolates a group of processes with its own namespace and resource limits? A) Job objects B) Windows Containers (Silos) C) Security descriptors D) Thread pools Answer: B Explanation: Windows Containers (also called Silos) provide isolation with separate namespaces, similar to Linux containers. Question 12. In virtual memory, which state indicates that pages have a backing store on disk but are not currently loaded? A) Free B) Reserved C) Committed D) Stacked Answer: B Explanation: Reserved pages have address space allocated but no physical storage; they become committed when backed by RAM or page file. Question 13. The VirtualAlloc function with MEM_COMMIT flag does what? A) Reserves address space only B. Commits physical storage for already reserved pages C) Frees the specified region D) Changes page protection to PAGE_NOACCESS Answer: B Explanation: MEM_COMMIT allocates physical memory (or page-file space) for pages that have already been reserved.

Developer Ultimate Exam

Question 14. Which Windows API creates a private heap that is not shared with other processes? A) HeapCreate B) CreateHeap C) VirtualAllocEx D) GlobalAlloc Answer: A Explanation: HeapCreate creates a private heap object usable only by the calling process. Question 15. Memory-mapped files are implemented using which kernel object? A) Section object B) File object C) Event object D) Mutex object Answer: A Explanation: Section objects represent memory-mapped sections; they can be backed by a file or the page file. Question 16. Which flag for CreateProcess causes the new process to inherit the calling process’s handles? A) CREATE_SUSPENDED B) CREATE_NEW_CONSOLE C) CREATE_NO_WINDOW D) CREATE_INHERIT_HANDLES Answer: D Explanation: CREATE_INHERIT_HANDLES tells the system to duplicate inheritable handles into the child process.

Developer Ultimate Exam

A) DllMain B) WinMain C) mainCRTStartup D) DllEntryPoint Answer: A Explanation: DllMain is the standard entry routine for DLL load/unload and thread attach/detach notifications. Question 21. Which of the following is considered unsafe inside DllMain? A) Storing a pointer to the module handle B) Creating a thread C) Initializing a global variable D) Loading another DLL using LoadLibrary Answer: B Explanation: Creating a thread inside DllMain can cause deadlocks because the loader lock is held. Question 22. Remote-thread DLL injection typically uses which API to create a thread in the target process? A) CreateRemoteThread B) SetWindowsHookEx C) QueueUserAPC D) NtCreateThreadEx Answer: A Explanation: CreateRemoteThread (or its native counterpart NtCreateThreadEx) is the classic method for remote-thread injection. Question 23. Which Windows security component uniquely identifies a user or group? A) ACL B) SID

Developer Ultimate Exam

C) Token D) LUID Answer: B Explanation: A Security Identifier (SID) uniquely represents a user, group, or computer account. Question 24. An Access Control List (ACL) that specifies the types of access that are allowed is called a: A) SACL B) DACL C) ACL-Allow D) Permission List Answer: B Explanation: A Discretionary Access Control List (DACL) contains Allow (and optionally Deny) ACEs controlling access. Question 25. Which privilege must a process have to shut down the system? A) SeDebugPrivilege B) SeShutdownPrivilege C) SeChangeNotifyPrivilege D) SeBackupPrivilege Answer: B Explanation: SeShutdownPrivilege grants the right to initiate a system shutdown. Question 26. In COM, the method that retrieves pointers to other interfaces on the same object is: A) AddRef B) Release C) QueryInterface D) CoCreateInstance

Developer Ultimate Exam

Explanation: CComPtr is a smart pointer that calls Release on the wrapped interface when destroyed. Question 30. Which COM server type runs in the same process as the client? A) In-process server (DLL) B) Local server (EXE) C) Remote server (DCOM) D) Service server Answer: A Explanation: An in-process COM server is a DLL loaded into the client’s address space. Question 31. The primary purpose of the Windows Driver Kit (WDK) is to: A) Build .NET applications B) Provide headers, libraries, and tools for driver development C) Create Windows Store apps D) Manage Active Directory Answer: B Explanation: The WDK supplies the necessary development environment for kernel-mode drivers. Question 32. The mandatory entry routine that every kernel-mode driver must export is: A) DriverEntry B) DriverInitialize C) DriverStart D) DriverLoad Answer: A Explanation: DriverEntry is called by the I/O manager when the driver is loaded.

Developer Ultimate Exam

Question 33. In the I/O stack, the IRP’s MajorFunction field is used to: A) Store the driver’s version number B) Indicate the type of I/O operation (e.g., IRP_MJ_READ) C) Hold the device object pointer D) Define the IRQL level Answer: B Explanation: MajorFunction specifies the requested operation such as read, write, or device control. Question 34. Which IRQL is the highest and can only be raised on a single processor? A) APC_LEVEL B) DISPATCH_LEVEL C) PROFILE_LEVEL D) HIGH_LEVEL Answer: D Explanation: HIGH_LEVEL (also called DIRQL) is the topmost IRQL, used for hardware interrupts. Question 35. A kernel-mode synchronization object that can be acquired without blocking at DISPATCH_LEVEL is: A) Mutex B) Fast Mutex C) Spinlock D) Semaphore Answer: C Explanation: Spinlocks are designed for short-duration protection at high IRQLs, including DISPATCH_LEVEL. Question 36. Which registry callback routine can be registered to be notified of registry changes?

Developer Ultimate Exam

C) IOCTL_CUSTOM_BASE (user-defined) D) IOCTL_STORAGE_CHECK_VERIFY Answer: C Explanation: Drivers define their own IOCTL codes using the CTL_CODE macro; a custom base is common for proprietary commands. Question 40. The KMDF framework provides which of the following benefits? A) Automatic reference counting of objects B) Built-in support for .NET interop C) Direct access to raw hardware registers D) Replacement for the Windows Registry Answer: A Explanation: KMDF manages object lifetimes, reference counting, and provides standard driver scaffolding. Question 41. In WinDbg, the command to load symbols for the current module is: A) .symfix B) .reload /f C) .exepath D) .sympath Answer: B Explanation: .reload /f forces a reload of symbols for the current module, ensuring the debugger has up-to-date symbol information. Question 42. Which WinDbg extension command lists all loaded drivers? A) lm B) !process 0 0 C) !driverlist D) !analyze -v

Developer Ultimate Exam

Answer: A Explanation: The “lm” (list modules) command displays loaded drivers and their symbol information. Question 43. To examine a user-mode call stack in WinDbg, you would use: A) k B) !process 0 ff C) !thread 0 0 D) dt Answer: A Explanation: The “k” command prints the current thread’s call stack. Question 44. When analyzing a BSOD minidump, the command that automatically determines the likely cause is: A) !analyze -v B) !dumpheap C) !handle D) !process 0 0 Answer: A Explanation: “!analyze -v” performs a detailed analysis and suggests the probable bugcheck source. Question 45. Which Sysinternals tool shows the hierarchical view of all kernel objects? A) Process Explorer B) WinObj C) VMMap D) Autoruns Answer: B Explanation: WinObj displays the Object Manager namespace, showing all kernel objects like events, mutexes, and sections.

Developer Ultimate Exam

A) [uuid] B) [object] C) [dual] D) [implements] Answer: D Explanation: The [implements] attribute (or similar in IDL) declares that a coclass implements a given interface. Question 50. The COM apartment model that requires all calls to be marshaled to a single thread is: A) MTA B) STA C) Neutral D) Free-Threaded Answer: B Explanation: Single-Threaded Apartment (STA) enforces that all method calls are executed on the apartment’s owning thread. Question 51. Which function creates a new thread pool work item in Windows? A) CreateThreadpoolWork B) QueueUserWorkItem C) CreateThreadpoolTimer D) SubmitThreadpoolWork Answer: A Explanation: CreateThreadpoolWork creates a work object that can later be submitted to the thread pool. Question 52. When a thread pool work item is submitted, which callback runs? A) WorkCallback B) TimerCallback

Developer Ultimate Exam

C) APCCallback D) CompletionCallback Answer: A Explanation: The WorkCallback function specified at creation is invoked when the work item executes. Question 53. Which flag to VirtualProtect changes a region to read-only without affecting its commitment state? A) PAGE_READONLY B) PAGE_EXECUTE_READWRITE C) MEM_COMMIT D) MEM_RESERVE Answer: A Explanation: PAGE_READONLY modifies protection bits while leaving the allocation state unchanged. Question 54. The Windows API function that maps a view of a file into a process’s address space is: A) MapViewOfFile B) CreateFileMapping C) LoadLibrary D) VirtualAllocEx Answer: A Explanation: MapViewOfFile creates a memory mapping of a file section into the caller’s address space. Question 55. Which of the following is true about a Windows Event object created with manual-reset? A) It automatically resets after releasing a single waiter B) It stays signaled until explicitly reset by the creator C) It cannot be used across processes

Developer Ultimate Exam

Answer: A Explanation: The [dual] attribute indicates that the interface supports both early (v-table) and late (IDispatch) binding. Question 59. In kernel mode, which routine is used to register a callback for process creation and termination events? A) PsSetCreateProcessNotifyRoutine B) IoRegisterProcessNotify C) KeRegisterProcessNotify D) NtSetInformationProcess Answer: A Explanation: PsSetCreateProcessNotifyRoutine registers a driver’s routine to receive notifications for process creation and exit. Question 60. Which IRP major function code is used for device-specific control commands? A) IRP_MJ_READ B) IRP_MJ_WRITE C) IRP_MJ_DEVICE_CONTROL D) IRP_MJ_CREATE Answer: C Explanation: IRP_MJ_DEVICE_CONTROL carries IOCTL commands that are defined by the driver. Question 61. The function KeRaiseIrqlToDpcLevel raises the current IRQL to: A) PASSIVE_LEVEL B) APC_LEVEL C) DISPATCH_LEVEL D) HIGH_LEVEL Answer: C Explanation: DISPATCH_LEVEL is the IRQL used for Deferred Procedure Calls (DPCs).

Developer Ultimate Exam

Question 62. Which kernel synchronization primitive can be waited on with KeWaitForSingleObject and also supports IRQL ≤ DISPATCH_LEVEL? A) Fast Mutex B) Mutex (kernel object) C) Event (kernel object) D) Spinlock Answer: C Explanation: Kernel Event objects can be waited on at IRQL ≤ DISPATCH_LEVEL using KeWaitForSingleObject. Question 63. In the context of WFP, a callout driver is primarily responsible for: A) Registering a filter that decides whether to permit or block network packets B) Managing file system filters C) Providing user-mode APIs for networking D) Handling IRP_MJ_READ requests Answer: A Explanation: A WFP callout implements the processing logic for a filter that inspects or modifies network traffic. Question 64. The IOCTL code for a driver’s custom command is built using CTL_CODE macro. Which parameter of CTL_CODE defines the device type? A) DeviceType B) Function C) Method D) Access Answer: A Explanation: The first argument to CTL_CODE is the device type (e.g., FILE_DEVICE_UNKNOWN).