








































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The PrepIQ TrainSec Windows Master Developer Ultimate Exam prepares advanced developers to build secure and optimized Windows-based applications. Learners study Windows APIs, system programming, debugging, memory management, and advanced development techniques for enterprise and security-focused environments.
Typology: Exams
1 / 48
This page cannot be seen from the preview
Don't miss anything!









































Question 1. Which ring level does user-mode code execute in Windows? A) Ring 0 B) Ring 1 C) Ring 2 D) Ring 3 Answer: D Explanation: User-mode processes run in Ring 3, the least-privileged CPU protection level, while kernel code runs in Ring 0. Question 2. The Windows component that abstracts hardware differences for the kernel is called: A) Executive B) HAL C) Win32 Subsystem D) ntdll.dll Answer: B Explanation: The Hardware Abstraction Layer (HAL) isolates the kernel from hardware variations, providing a uniform interface. Question 3. Which of the following is NOT a Windows subsystem? A) Win B) POSIX C) .NET CLR D) Windows Subsystem for Linux (WSL) Answer: C Explanation: The .NET CLR is a runtime, not a native Windows subsystem; Win32, POSIX, and WSL are subsystems. Question 4. The primary purpose of ntdll.dll is to: A) Provide GUI widgets
B) Expose the Native API and perform syscalls C) Manage user accounts D) Implement the .NET runtime Answer: B Explanation: ntdll.dll implements the Native API and marshals calls from user mode to kernel mode via syscalls. Question 5. In the Object Manager, which object type is used to represent a file on disk? A) Event B) Mutant C) File object D) Semaphore Answer: C Explanation: A File object encapsulates a file’s state and I/O operations within the Object Manager. Question 6. When a process creates a handle with the DUPLICATE_SAME_ACCESS flag, the duplicated handle: A) Inherits the same access rights as the original B) Receives no access rights C) Gets the maximum possible rights D) Is automatically closed after use Answer: A Explanation: DUPLICATE_SAME_ACCESS tells the system to give the new handle the same access permissions as the source handle. Question 7. Symbolic links in the Object Manager are mainly used to: A) Synchronize threads B) Provide alternative names for objects C) Encrypt data
Explanation: Job objects allow a set of processes to be managed collectively, enforcing limits on CPU, memory, and I/O. Question 11. Which Windows feature isolates a group of processes with its own namespace and resource limits? A) Job objects B) Windows Containers (Silos) C) Security descriptors D) Thread pools Answer: B Explanation: Windows Containers (also called Silos) provide isolation with separate namespaces, similar to Linux containers. Question 12. In virtual memory, which state indicates that pages have a backing store on disk but are not currently loaded? A) Free B) Reserved C) Committed D) Stacked Answer: B Explanation: Reserved pages have address space allocated but no physical storage; they become committed when backed by RAM or page file. Question 13. The VirtualAlloc function with MEM_COMMIT flag does what? A) Reserves address space only B. Commits physical storage for already reserved pages C) Frees the specified region D) Changes page protection to PAGE_NOACCESS Answer: B Explanation: MEM_COMMIT allocates physical memory (or page-file space) for pages that have already been reserved.
Question 14. Which Windows API creates a private heap that is not shared with other processes? A) HeapCreate B) CreateHeap C) VirtualAllocEx D) GlobalAlloc Answer: A Explanation: HeapCreate creates a private heap object usable only by the calling process. Question 15. Memory-mapped files are implemented using which kernel object? A) Section object B) File object C) Event object D) Mutex object Answer: A Explanation: Section objects represent memory-mapped sections; they can be backed by a file or the page file. Question 16. Which flag for CreateProcess causes the new process to inherit the calling process’s handles? A) CREATE_SUSPENDED B) CREATE_NEW_CONSOLE C) CREATE_NO_WINDOW D) CREATE_INHERIT_HANDLES Answer: D Explanation: CREATE_INHERIT_HANDLES tells the system to duplicate inheritable handles into the child process.
A) DllMain B) WinMain C) mainCRTStartup D) DllEntryPoint Answer: A Explanation: DllMain is the standard entry routine for DLL load/unload and thread attach/detach notifications. Question 21. Which of the following is considered unsafe inside DllMain? A) Storing a pointer to the module handle B) Creating a thread C) Initializing a global variable D) Loading another DLL using LoadLibrary Answer: B Explanation: Creating a thread inside DllMain can cause deadlocks because the loader lock is held. Question 22. Remote-thread DLL injection typically uses which API to create a thread in the target process? A) CreateRemoteThread B) SetWindowsHookEx C) QueueUserAPC D) NtCreateThreadEx Answer: A Explanation: CreateRemoteThread (or its native counterpart NtCreateThreadEx) is the classic method for remote-thread injection. Question 23. Which Windows security component uniquely identifies a user or group? A) ACL B) SID
C) Token D) LUID Answer: B Explanation: A Security Identifier (SID) uniquely represents a user, group, or computer account. Question 24. An Access Control List (ACL) that specifies the types of access that are allowed is called a: A) SACL B) DACL C) ACL-Allow D) Permission List Answer: B Explanation: A Discretionary Access Control List (DACL) contains Allow (and optionally Deny) ACEs controlling access. Question 25. Which privilege must a process have to shut down the system? A) SeDebugPrivilege B) SeShutdownPrivilege C) SeChangeNotifyPrivilege D) SeBackupPrivilege Answer: B Explanation: SeShutdownPrivilege grants the right to initiate a system shutdown. Question 26. In COM, the method that retrieves pointers to other interfaces on the same object is: A) AddRef B) Release C) QueryInterface D) CoCreateInstance
Explanation: CComPtr is a smart pointer that calls Release on the wrapped interface when destroyed. Question 30. Which COM server type runs in the same process as the client? A) In-process server (DLL) B) Local server (EXE) C) Remote server (DCOM) D) Service server Answer: A Explanation: An in-process COM server is a DLL loaded into the client’s address space. Question 31. The primary purpose of the Windows Driver Kit (WDK) is to: A) Build .NET applications B) Provide headers, libraries, and tools for driver development C) Create Windows Store apps D) Manage Active Directory Answer: B Explanation: The WDK supplies the necessary development environment for kernel-mode drivers. Question 32. The mandatory entry routine that every kernel-mode driver must export is: A) DriverEntry B) DriverInitialize C) DriverStart D) DriverLoad Answer: A Explanation: DriverEntry is called by the I/O manager when the driver is loaded.
Question 33. In the I/O stack, the IRP’s MajorFunction field is used to: A) Store the driver’s version number B) Indicate the type of I/O operation (e.g., IRP_MJ_READ) C) Hold the device object pointer D) Define the IRQL level Answer: B Explanation: MajorFunction specifies the requested operation such as read, write, or device control. Question 34. Which IRQL is the highest and can only be raised on a single processor? A) APC_LEVEL B) DISPATCH_LEVEL C) PROFILE_LEVEL D) HIGH_LEVEL Answer: D Explanation: HIGH_LEVEL (also called DIRQL) is the topmost IRQL, used for hardware interrupts. Question 35. A kernel-mode synchronization object that can be acquired without blocking at DISPATCH_LEVEL is: A) Mutex B) Fast Mutex C) Spinlock D) Semaphore Answer: C Explanation: Spinlocks are designed for short-duration protection at high IRQLs, including DISPATCH_LEVEL. Question 36. Which registry callback routine can be registered to be notified of registry changes?
C) IOCTL_CUSTOM_BASE (user-defined) D) IOCTL_STORAGE_CHECK_VERIFY Answer: C Explanation: Drivers define their own IOCTL codes using the CTL_CODE macro; a custom base is common for proprietary commands. Question 40. The KMDF framework provides which of the following benefits? A) Automatic reference counting of objects B) Built-in support for .NET interop C) Direct access to raw hardware registers D) Replacement for the Windows Registry Answer: A Explanation: KMDF manages object lifetimes, reference counting, and provides standard driver scaffolding. Question 41. In WinDbg, the command to load symbols for the current module is: A) .symfix B) .reload /f C) .exepath D) .sympath Answer: B Explanation: .reload /f forces a reload of symbols for the current module, ensuring the debugger has up-to-date symbol information. Question 42. Which WinDbg extension command lists all loaded drivers? A) lm B) !process 0 0 C) !driverlist D) !analyze -v
Answer: A Explanation: The “lm” (list modules) command displays loaded drivers and their symbol information. Question 43. To examine a user-mode call stack in WinDbg, you would use: A) k B) !process 0 ff C) !thread 0 0 D) dt Answer: A Explanation: The “k” command prints the current thread’s call stack. Question 44. When analyzing a BSOD minidump, the command that automatically determines the likely cause is: A) !analyze -v B) !dumpheap C) !handle D) !process 0 0 Answer: A Explanation: “!analyze -v” performs a detailed analysis and suggests the probable bugcheck source. Question 45. Which Sysinternals tool shows the hierarchical view of all kernel objects? A) Process Explorer B) WinObj C) VMMap D) Autoruns Answer: B Explanation: WinObj displays the Object Manager namespace, showing all kernel objects like events, mutexes, and sections.
A) [uuid] B) [object] C) [dual] D) [implements] Answer: D Explanation: The [implements] attribute (or similar in IDL) declares that a coclass implements a given interface. Question 50. The COM apartment model that requires all calls to be marshaled to a single thread is: A) MTA B) STA C) Neutral D) Free-Threaded Answer: B Explanation: Single-Threaded Apartment (STA) enforces that all method calls are executed on the apartment’s owning thread. Question 51. Which function creates a new thread pool work item in Windows? A) CreateThreadpoolWork B) QueueUserWorkItem C) CreateThreadpoolTimer D) SubmitThreadpoolWork Answer: A Explanation: CreateThreadpoolWork creates a work object that can later be submitted to the thread pool. Question 52. When a thread pool work item is submitted, which callback runs? A) WorkCallback B) TimerCallback
C) APCCallback D) CompletionCallback Answer: A Explanation: The WorkCallback function specified at creation is invoked when the work item executes. Question 53. Which flag to VirtualProtect changes a region to read-only without affecting its commitment state? A) PAGE_READONLY B) PAGE_EXECUTE_READWRITE C) MEM_COMMIT D) MEM_RESERVE Answer: A Explanation: PAGE_READONLY modifies protection bits while leaving the allocation state unchanged. Question 54. The Windows API function that maps a view of a file into a process’s address space is: A) MapViewOfFile B) CreateFileMapping C) LoadLibrary D) VirtualAllocEx Answer: A Explanation: MapViewOfFile creates a memory mapping of a file section into the caller’s address space. Question 55. Which of the following is true about a Windows Event object created with manual-reset? A) It automatically resets after releasing a single waiter B) It stays signaled until explicitly reset by the creator C) It cannot be used across processes
Answer: A Explanation: The [dual] attribute indicates that the interface supports both early (v-table) and late (IDispatch) binding. Question 59. In kernel mode, which routine is used to register a callback for process creation and termination events? A) PsSetCreateProcessNotifyRoutine B) IoRegisterProcessNotify C) KeRegisterProcessNotify D) NtSetInformationProcess Answer: A Explanation: PsSetCreateProcessNotifyRoutine registers a driver’s routine to receive notifications for process creation and exit. Question 60. Which IRP major function code is used for device-specific control commands? A) IRP_MJ_READ B) IRP_MJ_WRITE C) IRP_MJ_DEVICE_CONTROL D) IRP_MJ_CREATE Answer: C Explanation: IRP_MJ_DEVICE_CONTROL carries IOCTL commands that are defined by the driver. Question 61. The function KeRaiseIrqlToDpcLevel raises the current IRQL to: A) PASSIVE_LEVEL B) APC_LEVEL C) DISPATCH_LEVEL D) HIGH_LEVEL Answer: C Explanation: DISPATCH_LEVEL is the IRQL used for Deferred Procedure Calls (DPCs).
Question 62. Which kernel synchronization primitive can be waited on with KeWaitForSingleObject and also supports IRQL ≤ DISPATCH_LEVEL? A) Fast Mutex B) Mutex (kernel object) C) Event (kernel object) D) Spinlock Answer: C Explanation: Kernel Event objects can be waited on at IRQL ≤ DISPATCH_LEVEL using KeWaitForSingleObject. Question 63. In the context of WFP, a callout driver is primarily responsible for: A) Registering a filter that decides whether to permit or block network packets B) Managing file system filters C) Providing user-mode APIs for networking D) Handling IRP_MJ_READ requests Answer: A Explanation: A WFP callout implements the processing logic for a filter that inspects or modifies network traffic. Question 64. The IOCTL code for a driver’s custom command is built using CTL_CODE macro. Which parameter of CTL_CODE defines the device type? A) DeviceType B) Function C) Method D) Access Answer: A Explanation: The first argument to CTL_CODE is the device type (e.g., FILE_DEVICE_UNKNOWN).