This certification validates expert-level understanding of Windows operating system internals. The exam covers process and thread management, memory subsystems, I/O architecture, kernel objects, scheduling, system calls, and debugging techniques. Candidates are evaluated on their ability to analyze Windows behavior at a granular level for research, troubleshooting, and security analysis purposes.
Typology: Exams
Question 1. Which component abstracts the physical hardware details and provides a consistent interface to the Windows kernel?
A) Executive
B) HAL
C) ntdll.dll
D) Win32k.sys
Answer: B
Explanation: The Hardware Abstraction Layer (HAL, hal.dll) hides platform differences such as interrupt controllers, timers and bus access, so the kernel and drivers can operate uniformly across hardware. The Executive sits above the kernel, ntdll.dll is user mode, and Win32k.sys is the windowing/GDI driver.

Question 2. In the Windows privilege ring model, which ring corresponds to user-mode code?
A) Ring 0
B) Ring 1
C) Ring 2
D) Ring 3
Answer: D
Explanation: Ring 3 is the least privileged level, where user-mode applications execute; the kernel and drivers run in Ring 0. Windows uses only these two rings, so every driver runs with the same privilege as the kernel itself.

Question 3. The transition from a Win32 API call to the native Windows kernel is performed through which library?
A) kernel32.dll
B) user32.dll
C) ntdll.dll
D) advapi32.dll
Answer: C
Explanation: ntdll.dll implements the Native API. kernel32.dll, advapi32.dll and the other Win32 DLLs call its Nt*/Zw* stubs, which load the system-service number into EAX and execute the system-call instruction; this is why direct-syscall tooling reads the numbers from ntdll's stubs.

Question 4. Which instruction is used on x64 Windows to invoke a system service?
A) INT 2E
B) SYSCALL
C) SYSENTER
D) CALL Fs:[0]
Answer: B
Explanation: On x64, the SYSCALL instruction transfers control to the kernel's system-service dispatcher (KiSystemCall64, whose address is held in the LSTAR MSR). INT 2E is the legacy interrupt-based path and SYSENTER is the 32-bit x86 mechanism.

Question 5. The System Service Dispatch Table (SSDT) is primarily used for:
A) Mapping device I/O ports
B) Storing pointers to kernel mode routines for system calls
C) Managing user-mode thread stacks
D) Registering window classes
Answer: B
Explanation: The SSDT (KiServiceTable) holds the addresses of the kernel routines that implement each system call, indexed by the service number passed from user mode; win32k.sys services live in a second "shadow" table. On x64 the entries are encoded as offsets relative to the table base rather than absolute pointers, and the table is protected by PatchGuard, which is why classic SSDT hooking is no longer viable on 64-bit systems.

Question 6. Which Windows subsystem process is responsible for console management?
A) winlogon.exe
B) csrss.exe
C) services.exe
D) smss.exe
Answer: B
Explanation: csrss.exe is the Win32 subsystem process. Note that since Windows 7 each console window is hosted by a separate conhost.exe process, and from Windows 8 the console is brokered by the condrv.sys driver, so the answer reflects the classic architecture in which csrss.exe owned the console.
Answer: C
Explanation: The kernel creates the EPROCESS object to represent the process before allocating the PEB in the new process's address space.

Question 10. The Thread Environment Block (TEB) is located in which address space?
A) Kernel mode only
B) User mode only
C) Both user and kernel mode
D) Not mapped into any address space
Answer: B
Explanation: The TEB is allocated in the user-mode address space of the owning process (on x64 user code reaches it through the GS segment, on x86 through FS) and holds thread-local data such as the TLS slots, the SEH chain, the stack limits and a pointer to the PEB. Kernel code can still read it, since the user half of the address space is mapped, but it lives in user space and is writable by the process itself.

Question 11. Which kernel structure represents a thread's execution context?
A) EPROCESS
B) ETHREAD
C) TEB
D) PEB
Answer: B
Explanation: ETHREAD is the kernel-mode object that stores scheduling, state and other per-thread information; it embeds the KTHREAD used by the dispatcher and points to the thread's TEB.

Question 12. In Windows scheduling, what is the default quantum length for a thread on a time-sharing system?
A) 10 ms
B) 20 ms
C) 30 ms
D) 40 ms
Answer: B
Explanation: The exam treats the client quantum as roughly 20 ms. Strictly, the quantum is counted in clock intervals (2 on client SKUs, 12 on server SKUs), so the wall-clock length depends on the timer resolution, about 15.6 ms on most systems; the foreground process also receives a lengthened quantum unless the "Background services" scheduling option is selected.

Question 13. Which priority class provides the highest base priority for its threads?
A) IDLE_PRIORITY_CLASS
B) BELOW_NORMAL_PRIORITY_CLASS
C) NORMAL_PRIORITY_CLASS
D) REALTIME_PRIORITY_CLASS
Answer: D
Explanation: REALTIME_PRIORITY_CLASS (base priority 24, thread range 16-31) places its threads above HIGH_PRIORITY_CLASS and every dynamic-range class; real-time threads receive no priority boosts or decay, and a process needs SeIncreaseBasePriorityPrivilege to enter the class, otherwise it silently gets HIGH_PRIORITY_CLASS.

Question 14. Job objects are primarily used to:
A) Isolate kernel memory pools
B) Group processes for collective resource limits
C) Provide a user-mode API for thread creation
D) Manage device driver loading
Answer: B
Explanation: Job objects group processes so that CPU, memory, I/O and UI restrictions can be enforced on the set. Since Windows 8 a process can belong to several (nested) jobs, and a kill-on-close job is the standard way to guarantee that child processes die with their parent.

Question 15. Which Windows feature implements container-style isolation using "silos"?
A) AppContainer
B) Protected Process Light (PPL)
C) Server Silos (Windows Containers)
C) csrss.exe
D) smss.exe
Answer: B
Explanation: Pico processes are minimal processes whose system calls are routed to a registered Pico provider driver; the Windows Subsystem for Linux version 1 (lxcore.sys) uses them to run unmodified Linux binaries. WSL 2 runs a real Linux kernel in a lightweight VM instead.

Question 19. In a 64-bit Windows system, which region of the virtual address space is reserved for kernel-mode allocations?
A) 0x0000 0000 0000 0000 - 0x0000 7FFF FFFF FFFF
B) 0x0000 8000 0000 0000 - 0xFFFF FFFF FFFF FFFF
C) 0x7FFF 0000 0000 0000 - 0x7FFF FFFF FFFF FFFF
D) 0xFFFF 8000 0000 0000 - 0xFFFF FFFF FFFF FFFF
Answer: D
Explanation: With 48-bit canonical addressing, the upper half (0xFFFF800000000000 and above) is the kernel address space on x64 Windows and the lower half (up to 0x00007FFFFFFFFFFF) is user space; the addresses in between are non-canonical and fault on access. The base of the kernel half is fixed, but the kernel image, pools and the PFN database are randomized within it (KASLR).

Question 20. Address Space Layout Randomization (ASLR) primarily randomizes which of the following?
A) Physical memory addresses of the CPU cache
B) Virtual base addresses of executables and DLLs
C) Disk sector locations of the pagefile
D) IRQ numbers of hardware devices
Answer: B
Explanation: ASLR randomizes the virtual base addresses of images linked with /DYNAMICBASE, together with the stack, heap and PEB/TEB locations, to impede exploitation. Physical memory, disk layout and IRQs are unaffected. Because system DLLs are loaded at the same randomized base in every process for the lifetime of a boot session, a single leaked module address is enough to defeat it for that session.

Question 21. Which page-table level directly maps a 2 MiB large page in the x64 paging hierarchy?
Answer: C
Explanation: A Page Directory (PD) entry with the PS (Page Size, bit 7) flag set references a 2 MiB page directly instead of pointing to a page table, so the walk stops one level early and the low 21 bits of the virtual address become the page offset. (At the PDPT level the same flag maps a 1 GiB page.)

Question 22. The PFN database is used by the memory manager to track:
A) Open file handles
B) Physical page frames and their usage state
C) Thread priorities
D) Registry keys
Answer: B
Explanation: The Page Frame Number (PFN) database (MmPfnDatabase) has one entry per physical page, recording its state (active, standby, modified, free, zeroed, bad), the page table or section that owns it, and its reference and share counts.

Question 23. Which pool type can be paged out to disk when not in use?
A) Non-paged pool
B) Paged pool
C) Session pool
D) Lookaside pool
Answer: B
Explanation: Paged pool may be written to the pagefile, which is why it can only be touched at IRQL below DISPATCH_LEVEL; non-paged pool must stay resident. Lookaside lists are a caching layer over either pool, and session pool is the per-session paged pool used by win32k.

Question 24. A pool overflow typically corrupts which of the following structures?
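The address-space split in Question 19 and the large-page rule in Question 21 are easier to remember once you have done the bit arithmetic yourself. The following is an added example, not part of the exam: it decodes an x64 virtual address into its four table indices, checks canonicality and the user/kernel half, and resolves a 2 MiB large page from a PDE with the PS bit set. Bit positions follow the Intel SDM 4-level paging layout; the sample addresses and the PDE value are constructed for the example.

```c
/* Added example (not from the exam): decode an x64 virtual address the way
 * the MMU does under 4-level paging, classify it as user or kernel half
 * (Question 19), and resolve a 2 MiB large page from a PDE whose PS bit is
 * set (Question 21). Bit positions follow the Intel SDM; the user/kernel
 * split is the Windows convention. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT     (1ULL << 0)
#define PTE_RW          (1ULL << 1)
#define PTE_USER        (1ULL << 2)
#define PDE_PS          (1ULL << 7)    /* page size: this PDE maps 2 MiB */
#define PTE_NX          (1ULL << 63)
#define LARGE_PFN_MASK  0x000FFFFFFFE00000ULL  /* physical bits 21..51 */
#define LARGE_OFFSET    0x1FFFFFULL
#define KERNEL_BASE     0xFFFF800000000000ULL  /* start of the kernel half */

typedef struct {
    unsigned pml4, pdpt, pd, pt;   /* 9-bit indices into each table */
    unsigned offset;               /* 12-bit offset inside a 4 KiB page */
} va_parts;

/* A 48-bit address is canonical when bits 48..63 are copies of bit 47;
 * anything else (e.g. 0x0000800000000000) faults with #GP. */
bool va_is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;         /* bits 47..63 */
    return top == 0 || top == 0x1FFFF;
}

bool va_is_kernel(uint64_t va)
{
    return va_is_canonical(va) && va >= KERNEL_BASE;
}

/* Indices: PML4 = bits 39..47, PDPT = 30..38, PD = 21..29, PT = 12..20. */
va_parts va_split(uint64_t va)
{
    va_parts p;
    p.pml4   = (unsigned)((va >> 39) & 0x1FF);
    p.pdpt   = (unsigned)((va >> 30) & 0x1FF);
    p.pd     = (unsigned)((va >> 21) & 0x1FF);
    p.pt     = (unsigned)((va >> 12) & 0x1FF);
    p.offset = (unsigned)(va & 0xFFF);
    return p;
}

/* Large-page translation: when PS is set the PDE holds the 2 MiB-aligned
 * physical base and the low 21 bits of the VA are the offset, so no page
 * table is consulted. Returns false if the entry is not present or maps a
 * page table instead (the caller would then walk one more level). */
bool pde_translate_large(uint64_t pde, uint64_t va, uint64_t *pa)
{
    if (!(pde & PTE_PRESENT) || !(pde & PDE_PS))
        return false;
    *pa = (pde & LARGE_PFN_MASK) | (va & LARGE_OFFSET);
    return true;
}

int main(void)
{
    /* Constructed samples: a user image address, a kernel address, and a
     * non-canonical address just above the user half. */
    const uint64_t samples[] = { 0x00007FF6A1B20000ULL, 0xFFFFF80012345678ULL,
                                 0x0000800000000000ULL };
    for (int i = 0; i < 3; i++) {
        va_parts p = va_split(samples[i]);
        printf("%016llx canonical=%d kernel=%d pml4=%u pdpt=%u pd=%u pt=%u off=0x%x\n",
               (unsigned long long)samples[i], va_is_canonical(samples[i]),
               va_is_kernel(samples[i]), p.pml4, p.pdpt, p.pd, p.pt, p.offset);
    }
    /* Constructed PDE: present, writable, PS set, physical base 0x12200000. */
    uint64_t pa;
    if (pde_translate_large(0x12200000ULL | PTE_PRESENT | PTE_RW | PDE_PS, samples[1], &pa))
        printf("large page: VA %016llx -> PA %016llx\n",
               (unsigned long long)samples[1], (unsigned long long)pa);
    return 0;
}
```

The same split is what a debugger does behind `!pte`: the PML4 index alone tells you which half an address is in (index 255 and below is user, 256 and above is kernel), and a present PDE with PS set means there is no PTE to inspect for that address.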
Question 27. Deferred Procedure Calls (DPCs) run at which IRQL?
A) PASSIVE_LEVEL
B) APC_LEVEL
C) DISPATCH_LEVEL
D) HIGH_LEVEL
Answer: C
Explanation: DPCs are queued by an interrupt service routine and run at DISPATCH_LEVEL once IRQL drops below the device level, which lets the ISR do as little work as possible. Because DISPATCH_LEVEL masks the scheduler, a DPC cannot wait on a dispatcher object, take a page fault or touch paged memory.

Question 28. Which synchronization primitive can be acquired in user mode without entering the kernel?
A) Mutex
B) Semaphore
C) Spinlock
D) Critical Section
Answer: D
Explanation: A CRITICAL_SECTION is acquired with an interlocked operation on its lock count entirely in user mode (optionally spinning first on multiprocessor systems); only when the lock is contended does the thread fall back to a kernel wait. Mutexes, semaphores and events are kernel objects and always cost a system call, and spinlocks are a kernel-mode primitive.

Question 29. A fast mutex in the kernel is implemented using which of the following?
A) InterlockedCompareExchange on the Owner field
B) A spinlock that disables preemption
C) A kernel event object
D) A semaphore with a count of one
Answer: A
Explanation: A FAST_MUTEX is acquired with a single interlocked operation on the structure (strictly on its Count field; the Owner field is recorded after acquisition) rather than through the dispatcher, and only falls back to its embedded KEVENT under contention. ExAcquireFastMutex also raises IRQL to APC_LEVEL, which is why a fast mutex cannot be acquired recursively or at DISPATCH_LEVEL.

Question 30. The Object Manager stores the security descriptor for a kernel object in which part of the object?
A) Header
B) Body
C) Type object
D) Handle table entry
Answer: A
Explanation: The OBJECT_HEADER that precedes every object body contains the SecurityDescriptor pointer (alongside the pointer and handle counts and the type index). Handle table entries carry the access mask granted to that particular handle, not the descriptor itself, which is why the access check happens once at open time.

Question 31. ETW providers register themselves using which API?
A) RegisterEventSource
B) EventRegister
C) CreateEventLog
D) TraceEventRegister
Answer: B
Explanation: EventRegister is the user-mode ETW API a provider calls to register with the kernel tracing infrastructure (kernel-mode providers use EtwRegister). RegisterEventSource belongs to the older Event Log API, not to ETW.

Question 32. In a WoW64 process, which subsystem translates 32-bit system calls to 64-bit equivalents?
A) Nt32.dll
B) wow64cpu.dll
C) wow64.dll
C) The kernel's global ACL list
D) The process's environment block
Answer: B
Explanation: SeAccessCheck walks the object's DACL in order, comparing each ACE's SID with the SIDs in the caller's token. An access-denied ACE that matches any requested right not yet granted fails the check immediately, allow ACEs accumulate rights, and the check succeeds once every requested right has been granted (or immediately if the object has a NULL DACL). ACE order therefore matters, which is why the canonical order places deny ACEs first.

Question 36. Which integrity level is assigned to processes started by the system for performing privileged tasks?
A) Low
B) Medium
C) High
D) System
Answer: D
Explanation: The System integrity level (S-1-16-16384) sits above High (S-1-16-12288) and is assigned to services and other processes running as LocalSystem, Local Service and Network Service. The default no-write-up mandatory policy prevents a lower-integrity caller from obtaining write access to a higher-integrity object, which is part of what keeps a Medium-IL user process from opening a service process for injection.

Question 37. AppContainers primarily enforce isolation by:
A) Running processes in kernel mode only
B) Using a restricted token with a unique AppContainer SID
C) Disabling all network access
D) Encrypting all process memory
Answer: B
Explanation: An AppContainer (lowbox) token carries a per-package AppContainer SID plus capability SIDs, runs at Low integrity and has a reduced privilege set; an object must explicitly grant access to the package SID, to a capability SID or to ALL APPLICATION PACKAGES for the app to reach it. Network access is a capability that can be granted rather than something unconditionally disabled, and process memory is not encrypted.

Question 38. Which service hosts the Local Security Authority (LSASS) process?
A) Netlogon
B) Security Account Manager (SAM)
C) Authentication Authority Service
D) The LSASS service itself (lsass.exe)
Answer: D
Explanation: lsass.exe, started by wininit.exe, hosts the Local Security Authority, which performs logon authentication, enforces local security policy and builds access tokens; the SAM and Netlogon are components loaded inside it, not its host. Because it caches credential material, it is the standard target of credential-dumping tools, and running it as a PPL (RunAsPPL) or with Credential Guard is the usual hardening.

Question 39. During a process creation, which function in the kernel parses the executable image and creates the initial section object?
A) MmCreateSection
B) MiCreateImageSection
C) ZwCreateSection
D) NtCreateSection
Answer: B
Explanation: NtCreateSection with SEC_IMAGE calls MmCreateSection, which hands off to the internal MiCreateImageSection to validate the PE headers and build the prototype PTEs for the image; during process creation this happens inside NtCreateUserProcess before the EPROCESS is created. Zw-prefixed routines are the kernel-mode wrappers around the Nt entry points.

Question 40. Which flag in the EPROCESS structure indicates that the process is a protected process?
A) NoDebugInherit
B) ProtectedProcess
C) ImageFileName
D) BreakOnTermination
Answer: B
Explanation: Windows Vista and 7 mark protected processes with the ProtectedProcess bit in EPROCESS.Flags2. Windows 8.1 and later replaced it with the PS_PROTECTION structure in EPROCESS.Protection, whose Type (PP or PPL) and Signer fields determine which other processes may open it and with what rights. In both designs, handles obtained by unprotected callers are limited to a small set of access rights such as query and synchronize.

Question 41. What is the purpose of the "session ID" field in the ETHREAD structure?
B) It is allocated per user logon session and freed when the session ends
C) It can only be used by kernel drivers
D) It resides in non-paged memory only
Answer: B
Explanation: Session pool lives in session space, the per-session region (the terminal-services session, not the logon token) mapped for win32k.sys and other session-aware drivers, so its allocations are torn down when the session ends rather than leaking across users.

Question 45. In the Windows kernel, which IRQL level permits acquisition of a spinlock without risking deadlock?
A) PASSIVE_LEVEL
B) APC_LEVEL
C) DISPATCH_LEVEL
D) HIGH_LEVEL
Answer: C
Explanation: Spinlocks are held at DISPATCH_LEVEL: KeAcquireSpinLock raises the IRQL before taking the lock and KeReleaseSpinLock lowers it afterwards. Raising IRQL prevents the owner from being preempted, so a second thread on the same CPU cannot start spinning on a lock the owner can no longer run to release. Holding a spinlock and then doing anything that can block or page-fault deadlocks or bugchecks the system; interrupt spinlocks are instead taken at the device's DIRQL.

Question 46. Which component of the Object Manager maintains the mapping between handle values and kernel objects?
A) Type Object Table
B) Directory Object
C) Handle Table
D) Security Descriptor Table
Answer: C
Explanation: Each process has a handle table (EPROCESS.ObjectTable) whose entries map handle values to the object header's address together with the granted access mask and flags such as inherit and protect-from-close. The kernel keeps a separate handle table for its own handles, which tools display as belonging to the System process.
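Questions 35 through 37 describe three checks that happen in sequence when a handle is opened: the mandatory integrity check, the ordered walk of the DACL against the token's SIDs, and the second pass for restricted or AppContainer tokens. The following is an added example, not part of the exam and not Windows code: a simplified model of that logic with SIDs reduced to small integers, three generic access rights, and constructed tokens and ACLs that exercise the deny-before-allow ordering, the no-write-up policy and the two-pass rule for a lowbox token. Real tokens also carry privileges and owner rights, which this model leaves out.

```c
/* Added example (not from the exam, not the real SeAccessCheck): a reduced
 * model of Windows access evaluation covering the DACL walk (Question 35),
 * the mandatory integrity check (Question 36) and restricted/AppContainer
 * tokens (Question 37). SIDs are small integers constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACCESS_READ   0x1u
#define ACCESS_WRITE  0x2u
#define ACCESS_EXEC   0x4u

/* Integrity levels keep their real relative order (RIDs 0x1000..0x4000). */
enum integrity { IL_LOW = 0x1000, IL_MEDIUM = 0x2000, IL_HIGH = 0x3000, IL_SYSTEM = 0x4000 };

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t sid; uint32_t mask; };

struct token {
    const uint32_t *sids;        size_t nsids;        /* user and group SIDs */
    const uint32_t *restricting; size_t nrestricting; /* non-empty for restricted / lowbox tokens */
    enum integrity il;
};

struct object {
    const struct ace *dacl; size_t nace;  /* NULL dacl = unprotected; empty dacl = no access */
    enum integrity il;                    /* mandatory label, default no-write-up policy */
};

static bool sid_in(uint32_t sid, const uint32_t *set, size_t n)
{
    for (size_t i = 0; i < n; i++) if (set[i] == sid) return true;
    return false;
}

/* One ordered pass over the DACL with a given SID set. A matching deny ACE
 * that covers any still-ungranted requested right fails immediately; allow
 * ACEs accumulate rights until every requested right has been granted. */
static bool dacl_grants(const struct object *o, const uint32_t *sids, size_t n, uint32_t requested)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < o->nace; i++) {
        const struct ace *a = &o->dacl[i];
        if (!sid_in(a->sid, sids, n)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & requested & ~granted) return false;
        } else {
            granted |= a->mask & requested;
            if (granted == requested) return true;
        }
    }
    return granted == requested;
}

bool access_check(const struct token *t, const struct object *o, uint32_t requested)
{
    /* Mandatory integrity check first: a lower-IL caller cannot obtain write
     * access to a higher-IL object (no-write-up). */
    if (t->il < o->il && (requested & ACCESS_WRITE)) return false;
    if (o->dacl == NULL) return true;                   /* NULL DACL: everyone, everything */
    if (!dacl_grants(o, t->sids, t->nsids, requested)) return false;
    /* Restricted / AppContainer tokens: the DACL must ALSO grant the access to
     * one of the restricting SIDs (package or capability SID), so a second
     * pass runs with only those SIDs. */
    if (t->nrestricting > 0)
        return dacl_grants(o, t->restricting, t->nrestricting, requested);
    return true;
}

/* Constructed sample SIDs and principals. */
enum { SID_ALICE = 1, SID_USERS = 2, SID_ADMINS = 3, SID_PKG_APP = 100 };
static const uint32_t alice_sids[]      = { SID_ALICE, SID_USERS };
static const uint32_t app_restricting[] = { SID_PKG_APP };

const struct token tok_alice     = { .sids = alice_sids, .nsids = 2, .il = IL_MEDIUM };
const struct token tok_alice_app = { .sids = alice_sids, .nsids = 2,
                                     .restricting = app_restricting, .nrestricting = 1, .il = IL_LOW };

/* Canonical order: the deny ACE for Alice comes before the allow for Users. */
static const struct ace doc_acl[] = {
    { ACE_DENY,  SID_ALICE,  ACCESS_WRITE },
    { ACE_ALLOW, SID_USERS,  ACCESS_READ | ACCESS_WRITE },
    { ACE_ALLOW, SID_ADMINS, ACCESS_READ | ACCESS_WRITE | ACCESS_EXEC },
};
/* An object that also grants the package SID, as a real app-accessible file would. */
static const struct ace pkg_acl[] = {
    { ACE_ALLOW, SID_USERS,   ACCESS_READ | ACCESS_WRITE },
    { ACE_ALLOW, SID_PKG_APP, ACCESS_READ },
};
const struct object obj_doc   = { .dacl = doc_acl, .nace = 3, .il = IL_MEDIUM };
const struct object obj_pkg   = { .dacl = pkg_acl, .nace = 2, .il = IL_MEDIUM };
const struct object obj_empty = { .dacl = doc_acl, .nace = 0, .il = IL_MEDIUM };

int main(void)
{
    printf("alice read doc:      %d\n", access_check(&tok_alice, &obj_doc, ACCESS_READ));
    printf("alice write doc:     %d\n", access_check(&tok_alice, &obj_doc, ACCESS_WRITE));
    printf("app read doc:        %d\n", access_check(&tok_alice_app, &obj_doc, ACCESS_READ));
    printf("app read pkg file:   %d\n", access_check(&tok_alice_app, &obj_pkg, ACCESS_READ));
    printf("app write pkg file:  %d\n", access_check(&tok_alice_app, &obj_pkg, ACCESS_WRITE));
    return 0;
}
```

Two behaviours are worth noticing when reading the output: Alice can read but not write the document even though the Users allow ACE grants both, because the deny ACE is evaluated first; and the AppContainer token is refused on the first object despite passing the normal SID check, because nothing in that DACL names the package SID.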
Question 47. The "NtCreateFile" system call ultimately calls which kernel routine to open a file object?
A) IoCreateFile
B) ObCreateObject
C) FsCreateFileEx
D) ZwCreateFile
Answer: A
Explanation: NtCreateFile is the system-service entry point (the user-mode stub in ntdll carries the same name). It calls IoCreateFile, which creates the FILE_OBJECT through the object manager, sends an IRP_MJ_CREATE request down the device stack for the file system and filters to process, and inserts a handle in the caller's handle table. ZwCreateFile is the kernel-mode wrapper that re-enters the same path with the previous mode set to kernel.

Question 48. Which of the following is NOT a valid reason for a thread to be placed in the "Ready" state?
A) It has been preempted by a higher-priority thread
B) It is waiting for I/O completion
C) It has been signaled by a synchronization object
D) It has been created but not yet scheduled
Answer: B
Explanation: Waiting for I/O completion places a thread in the Waiting state; it moves to Ready only once the wait is satisfied. The other three are legitimate transitions into Ready: preemption, a satisfied wait and initialization.

Question 49. The "Thread Stack Guard" page is used to:
A) Detect stack overflow by causing an access violation
B) Store the thread's TLS array
C) Hold the thread's context record
D) Cache frequently used kernel routines
Answer: A
Explanation: The page just below the committed part of the stack is marked PAGE_GUARD. Touching it raises a guard-page exception, which the memory manager uses to commit another page and move the guard down; once the reserved stack is exhausted the thread receives STATUS_STACK_OVERFLOW instead. A frame larger than a page could skip over the guard page entirely, which is why compilers emit stack probes (__chkstk) for large frames.
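The IRQL rules in Questions 27 and 45 above and in Questions 53 and 56 below all come down to a few invariants about what a thread may do at each level. The following is an added example, not part of the exam and not Windows code: a small per-CPU model in which functions named after the kernel APIs (KeRaiseIrql, KeAcquireSpinLock, ExAcquireFastMutex, KeWaitForMutexObject) enforce those invariants and count violations where the real kernel would bugcheck or Driver Verifier would break in. The two scenario functions and their fault counts are constructed for the example.

```c
/* Added example (not Windows code): a per-CPU model of the IRQL rules behind
 * Questions 27, 45, 53 and 56. Function names mimic the kernel APIs but run
 * on a simulated CPU; violations are counted instead of bugchecking. */
#include <stdbool.h>
#include <stdio.h>

enum irql { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2, HIGH_LEVEL = 15 };

struct cpu {
    enum irql irql;
    int kernel_apc_disable;   /* > 0 while a kernel mutex is owned */
    int faults;               /* violations detected */
};
struct spinlock   { bool held; };
struct fast_mutex { bool held; enum irql old_irql; };
struct kmutex     { bool held; };

static void fault(struct cpu *c) { c->faults++; }

/* KeRaiseIrql: IRQL only goes up; the previous level is returned so the
 * caller can restore it. Lowering through this path is a bug. */
enum irql ke_raise_irql(struct cpu *c, enum irql target)
{
    enum irql old = c->irql;
    if (target < old) fault(c); else c->irql = target;
    return old;
}

/* KeLowerIrql: restore a level saved by the matching raise. */
void ke_lower_irql(struct cpu *c, enum irql old)
{
    if (old > c->irql) fault(c); else c->irql = old;
}

/* Spinlocks are held at DISPATCH_LEVEL (Question 45): raising IRQL is what
 * keeps the owner from being preempted on this CPU. */
enum irql ke_acquire_spinlock(struct cpu *c, struct spinlock *l)
{
    enum irql old = ke_raise_irql(c, DISPATCH_LEVEL);
    l->held = true;
    return old;
}
void ke_release_spinlock(struct cpu *c, struct spinlock *l, enum irql old)
{
    l->held = false;
    ke_lower_irql(c, old);
}

/* Fast mutex: raises to APC_LEVEL so an APC on the owner's thread cannot
 * re-enter and try to take the same lock (Question 29). */
void ex_acquire_fast_mutex(struct cpu *c, struct fast_mutex *m)
{
    if (c->irql > APC_LEVEL) fault(c);     /* callers must be at <= APC_LEVEL */
    m->old_irql = ke_raise_irql(c, APC_LEVEL);
    m->held = true;
}
void ex_release_fast_mutex(struct cpu *c, struct fast_mutex *m)
{
    m->held = false;
    ke_lower_irql(c, m->old_irql);
}

/* Kernel mutex (Question 56): IRQL is unchanged, but normal kernel APCs are
 * disabled for the owner. Any wait requires IRQL < DISPATCH_LEVEL. */
bool ke_wait_for_mutex(struct cpu *c, struct kmutex *m)
{
    if (c->irql >= DISPATCH_LEVEL) { fault(c); return false; }
    m->held = true;
    c->kernel_apc_disable++;
    return true;
}
void ke_release_mutex(struct cpu *c, struct kmutex *m)
{
    m->held = false;
    c->kernel_apc_disable--;
}

/* Paged pool can be paged out, so touching it at >= DISPATCH_LEVEL is the
 * classic IRQL_NOT_LESS_OR_EQUAL (0xA) bugcheck (Question 53). */
bool touch_paged_pool(struct cpu *c)
{
    if (c->irql >= DISPATCH_LEVEL) { fault(c); return false; }
    return true;
}
bool touch_nonpaged_pool(struct cpu *c) { (void)c; return true; }

/* A DPC routine runs at DISPATCH_LEVEL (Question 27). */
void run_dpc(struct cpu *c, void (*routine)(struct cpu *))
{
    enum irql old = ke_raise_irql(c, DISPATCH_LEVEL);
    routine(c);
    ke_lower_irql(c, old);
}
static void dpc_ok(struct cpu *c)  { touch_nonpaged_pool(c); }
static void dpc_bad(struct cpu *c) { touch_paged_pool(c); }

/* Well-formed driver path: expected fault count 0. */
int scenario_correct(void)
{
    struct cpu c = { PASSIVE_LEVEL, 0, 0 };
    struct spinlock l = { false };
    struct kmutex km = { false };
    struct fast_mutex fm = { false, PASSIVE_LEVEL };
    ke_wait_for_mutex(&c, &km);                  /* legal at PASSIVE_LEVEL */
    touch_paged_pool(&c);                        /* still PASSIVE: fine */
    ex_acquire_fast_mutex(&c, &fm);              /* now APC_LEVEL */
    enum irql old = ke_acquire_spinlock(&c, &l); /* now DISPATCH_LEVEL */
    touch_nonpaged_pool(&c);
    ke_release_spinlock(&c, &l, old);
    ex_release_fast_mutex(&c, &fm);
    ke_release_mutex(&c, &km);
    run_dpc(&c, dpc_ok);
    return c.faults;
}

/* Three classic bugs: paged pool under a spinlock, a wait at DISPATCH_LEVEL,
 * and paged pool from a DPC. Expected fault count 3. */
int scenario_buggy(void)
{
    struct cpu c = { PASSIVE_LEVEL, 0, 0 };
    struct spinlock l = { false };
    struct kmutex km = { false };
    enum irql old = ke_acquire_spinlock(&c, &l);
    touch_paged_pool(&c);
    ke_wait_for_mutex(&c, &km);
    ke_release_spinlock(&c, &l, old);
    run_dpc(&c, dpc_bad);
    return c.faults;
}

int main(void)
{
    printf("correct path: %d faults\nbuggy path:   %d faults\n",
           scenario_correct(), scenario_buggy());
    return 0;
}
```

The model captures the ordering that makes real driver bugs intermittent: the buggy path only fails because the paged allocation happened to be paged out or because a DPC happened to run, which is exactly why Driver Verifier's "Force IRQL checking" option makes paged pool inaccessible at elevated IRQL to turn these into deterministic crashes.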
Answer: D
Explanation: KeInvalidateTlbEntry invalidates a single TLB entry for the modified virtual address (the x64 instruction behind such a flush is INVLPG), which avoids the cost of reloading CR3 to flush the whole TLB.

Question 53. Which of the following is a valid reason for a driver to request non-paged pool memory?
A) The memory is only accessed during initialization
B) The driver needs memory that is safe at IRQL >= DISPATCH_LEVEL
C) The memory will be swapped to the pagefile frequently
D) The driver wants to reduce its memory footprint
Answer: B
Explanation: Non-paged pool stays resident and can therefore be touched at DISPATCH_LEVEL and above, where a page fault cannot be serviced; anything referenced from an ISR, DPC or under a spinlock must come from it. Memory used only during initialization or rarely accessed belongs in paged pool, which lowers the resident footprint.

Question 54. The "MmSystemCache" is used primarily for:
A) Storing the kernel's code segment
B) Caching file data for fast I/O
C) Holding the list of loaded drivers
D) Managing the process's heap
Answer: B
Explanation: The system cache, managed by the cache manager (the Cc* routines), maps views of file data into system address space so that subsequent reads are served from memory; Fast I/O lets file systems satisfy cached reads and writes without building an IRP at all.

Question 55. Which of the following best describes a "section view" created by a process?
A) A kernel object that holds a security descriptor
B) A memory mapping of a section object into the process's address space
C) A handle to a device driver
D) A table entry in the process's PEB
Answer: B
Explanation: A view maps some or all of a section object (backed by a file or by the pagefile) into a process's virtual address space via MapViewOfFile / NtMapViewOfSection. The same section can be mapped into several processes, which is how both shared memory and image loading work.

Question 56. Which of the following IRQL levels is raised when a thread acquires a mutex in kernel mode?
A) PASSIVE_LEVEL
B) APC_LEVEL
C) DISPATCH_LEVEL
D) HIGH_LEVEL
Answer: A
Explanation: Acquiring a kernel mutex (mutant) with KeWaitForMutexObject does not raise IRQL and must be done below DISPATCH_LEVEL; instead the owning thread has normal kernel APCs disabled until KeReleaseMutex. A fast mutex, by contrast, raises IRQL to APC_LEVEL.

Question 57. The "KeBugCheck" routine is invoked when:
A) A process calls ExitProcess
B) A driver detects a serious error and the system must halt
C) The system needs to allocate more pool memory
D) A user logs off
Answer: B
Explanation: KeBugCheck and KeBugCheckEx halt the system with a stop code (the blue screen) when a driver or the kernel detects an unrecoverable inconsistency, writing a crash dump first if one is configured. The other options are routine events that never crash the system.

Question 58. Which Windows component implements the "Event Tracing for Windows" (ETW) controller?
A) Kernel-mode driver "etw.sys"
B) User-mode library "etw.dll"
C) The kernel's "TraceLogging" subsystem