This exam assesses advanced Windows software development skills with a strong emphasis on low-level programming and system interaction as defined by TrainSec. Topics include Windows APIs, kernel-user interactions, memory management, driver awareness, debugging, performance optimization, and secure coding. Candidates must demonstrate mastery in developing high-performance, secure Windows applications with deep system awareness.
Typology: Exams
Question 1. In Windows architecture, which ring provides the highest privilege level for code execution?
A) Ring 1
B) Ring 2
C) Ring 3
D) Ring 0
Answer: D
Explanation: Ring 0 is kernel mode, where the OS kernel and device drivers run with full hardware access. Windows uses only two of the four x86 rings: Ring 0 for kernel mode and Ring 3 for user mode.

Question 2. Which component translates Windows NT native system calls into kernel-mode services?
A) Win32 subsystem
B) HAL (Hardware Abstraction Layer)
C) ntdll.dll (Native API)
D) Explorer.exe
Answer: C
Explanation: ntdll.dll implements the Native API. Each Nt*/Zw* stub loads the system-call number into a register and transitions to kernel mode with the syscall instruction (on x64), where the system service dispatcher invokes the corresponding kernel routine.

Question 3. The Object Manager in Windows is primarily responsible for which of the following?
A) Managing CPU scheduling
B) Maintaining the global namespace for kernel objects
C) Rendering the graphical user interface
D) Handling network packet routing
Answer: B
Explanation: The Object Manager creates, stores, and resolves named kernel objects such as events, mutexes, sections, and file objects, and routes every handle open through the security access check.

Question 4. Which of the following best describes a symbolic link object in the Windows Object Manager?
A) A hard reference to a physical disk block
B) An alias that maps one object name to another object's name
C) A pointer to a thread's stack memory
D) A security descriptor for a process
Answer: B
Explanation: Symbolic links allow one object name to refer to another, enabling redirection within the object namespace; drive letters are the familiar case, where a name such as \??\C: resolves to the \Device\HarddiskVolumeN object.

Question 5. In a process's PEB, which structure holds information about loaded modules?
A) LDR_DATA_TABLE_ENTRY list
B) TEB
C) KTHREAD
D) OBJECT_ATTRIBUTES
Answer: A
Explanation: The PEB's Ldr field points to a PEB_LDR_DATA whose three doubly linked lists (InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList) link the LDR_DATA_TABLE_ENTRY structures describing each loaded module: its base address, size, entry point, and names.

Question 6. Which of the following fields in the TEB is used for thread-local storage (TLS) callbacks?
A) StackBase
B) FiberData
C) ThreadLocalStoragePointer
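Questions 5 and 6 hinge on the loader data being doubly linked lists of LDR_DATA_TABLE_ENTRY records whose list links sit at a non-zero offset inside each record, so a walker must use CONTAINING_RECORD rather than a plain cast. The following C program is an added example, not part of the TrainSec question bank: it rebuilds that pattern on a constructed in-process list (simplified structure layouts and made-up module bases are assumptions of the example; nothing is read from a real PEB) and walks it the way shellcode or a loader-inspection tool walks InMemoryOrderModuleList.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Re-creations of the list primitives ntdll uses. The structure layouts are
 * simplified for illustration (an assumption of this example), not the real
 * ntdll definitions; only the list-linkage pattern is the point. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the enclosing structure from a pointer to one of its fields. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;     /* offset 0x00 */
    LIST_ENTRY  InMemoryOrderLinks;   /* offset 0x10 on x64, same as the real entry */
    void       *DllBase;
    const char *BaseDllName;          /* the real field is a UNICODE_STRING */
} LDR_DATA_TABLE_ENTRY;

typedef struct _PEB_LDR_DATA {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Case-insensitive ASCII compare; module names are matched that way. */
static int name_equal_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = (*a >= 'a' && *a <= 'z') ? *a - 32 : *a;
        int cb = (*b >= 'a' && *b <= 'z') ? *b - 32 : *b;
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Walk InMemoryOrderModuleList and return DllBase of the first module whose
 * name matches, or NULL. The links live 0x10 bytes into the entry, which is
 * why CONTAINING_RECORD (not a plain cast) is required. The loop stops when
 * it gets back to the list head, which is not an entry. */
static void *find_module_base(const PEB_LDR_DATA *ldr, const char *name) {
    const LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_DATA_TABLE_ENTRY *e =
            CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (name_equal_ci(e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}

static size_t count_modules(const PEB_LDR_DATA *ldr) {
    size_t n = 0;
    const LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) n++;
    return n;
}

/* Constructed sample: a loader list for a process with three modules. The
 * base addresses are made up for the example. */
static LDR_DATA_TABLE_ENTRY g_entries[3];
static PEB_LDR_DATA g_ldr;

static const PEB_LDR_DATA *build_sample_loader(void) {
    static const struct { const char *name; uint64_t base; } mods[3] = {
        { "demo.exe",     0x7FF6A0000000ULL },
        { "ntdll.dll",    0x7FFB12340000ULL },
        { "KERNEL32.DLL", 0x7FFB10000000ULL },
    };
    list_init(&g_ldr.InLoadOrderModuleList);
    list_init(&g_ldr.InMemoryOrderModuleList);
    for (size_t i = 0; i < 3; i++) {
        g_entries[i].DllBase = (void *)(uintptr_t)mods[i].base;
        g_entries[i].BaseDllName = mods[i].name;
        list_insert_tail(&g_ldr.InLoadOrderModuleList, &g_entries[i].InLoadOrderLinks);
        list_insert_tail(&g_ldr.InMemoryOrderModuleList, &g_entries[i].InMemoryOrderLinks);
    }
    return &g_ldr;
}

int main(void) {
    const PEB_LDR_DATA *ldr = build_sample_loader();
    printf("InMemoryOrderLinks offset: 0x%zx\n",
           offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
    printf("%zu modules; kernel32 base = %p\n",
           count_modules(ldr), find_module_base(ldr, "kernel32.dll"));
    return 0;
}
```

The same CONTAINING_RECORD idiom is used for every LIST_ENTRY-linked structure in the kernel (IRPs on a queue, device objects, KTHREAD wait blocks), so the offset arithmetic shown here carries over to kernel-mode code unchanged.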
B) Total CPU time for all processes in the job
C) Maximum size of the system page file
D) Number of network sockets per thread
Answer: B
Explanation: Job objects can limit CPU time, committed memory, working set, active process count, UI access, and other resources for the group of processes they contain, and can terminate the whole group at once.

Question 10. Which Windows feature isolates a group of processes with separate kernel objects and a distinct namespace?
A) User Account Control (UAC)
B) Windows Sandbox (Containers)
C) NTFS permissions
D) BitLocker encryption
Answer: B
Explanation: Windows containers are built on kernel server silos: each container gets its own root of the Object Manager namespace (plus its own view of the registry and file system), so processes inside it cannot resolve host object names.

Question 11. In the virtual memory layout of a 64-bit process, which region typically contains the executable image of the process?
A) Low 2 GB (user space)
B) High 2 GB (kernel space)
C) The region marked as "Image" in the VM map
D) The stack segment
Answer: C
Explanation: The "Image" region holds the loaded PE executable and its DLLs. Options A and B describe the classic 32-bit 2 GB/2 GB split; a 64-bit process has a 128 TB user-mode address space.

Question 12. Which page protection flag permits reading and writing but not execution?
Answer: C
Explanation: PAGE_READWRITE grants read/write access while preventing execution; with DEP enabled, fetching instructions from such a page raises an access violation.

Question 13. Which function creates a private heap that is not shared with other processes?
A) HeapCreate
B) VirtualAlloc
C) CreateFileMapping
D) GlobalAlloc
Answer: A
Explanation: HeapCreate allocates a private heap object that can be used exclusively by the calling process. VirtualAlloc reserves or commits raw pages, CreateFileMapping creates a section object, and GlobalAlloc allocates from the default process heap.

Question 14. Memory-mapped files are primarily implemented using which kernel object?
A) Section object
B) Event object
C) Mutex object
D) Semaphore object
Answer: A
Explanation: Section objects represent memory-mapped files (file-backed or page-file-backed) and can be shared across processes; CreateFileMapping creates one and MapViewOfFile maps a view of it into the caller's address space.
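Questions 11 through 14 are about page protections and region types, and Question 44 (VMMap) is about viewing them. The C program below is an added example, not from the exam: it uses the real PAGE_*/MEM_* constant values, decodes a constructed VMMap-style region list (addresses, sizes, and tags are made up), and flags the two patterns a memory-triage check looks for, writable-and-executable pages and executable pages that are not image-backed. The caveat a practitioner wants: JIT engines legitimately produce private executable memory, so the second rule is a triage signal, not proof of injection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real Win32 constants (values from winnt.h). */
#define PAGE_NOACCESS          0x001
#define PAGE_READONLY          0x002
#define PAGE_READWRITE         0x004
#define PAGE_WRITECOPY         0x008
#define PAGE_EXECUTE           0x010
#define PAGE_EXECUTE_READ      0x020
#define PAGE_EXECUTE_READWRITE 0x040
#define PAGE_EXECUTE_WRITECOPY 0x080
#define PAGE_GUARD             0x100
#define MEM_COMMIT             0x00001000
#define MEM_RESERVE            0x00002000
#define MEM_PRIVATE            0x00020000
#define MEM_MAPPED             0x00040000
#define MEM_IMAGE              0x01000000

/* One row of a VirtualQuery/VMMap-style region listing. */
typedef struct {
    uint64_t    base, size;
    uint32_t    state;    /* MEM_COMMIT or MEM_RESERVE */
    uint32_t    protect;  /* one PAGE_* value, optionally OR'ed with PAGE_GUARD */
    uint32_t    type;     /* MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE */
    const char *tag;      /* label used only by this sample */
} region_t;

/* The low byte of Protect holds exactly one PAGE_* value; PAGE_GUARD and the
 * cache modifiers sit in the high bits, so mask before testing. */
static int prot_is_exec(uint32_t p)  { return (p & 0xF0) != 0; }  /* 0x10,0x20,0x40,0x80 */
static int prot_is_write(uint32_t p) { return (p & 0xCC) != 0; }  /* 0x04,0x08,0x40,0x80 */
static int prot_is_read(uint32_t p)  { return (p & 0xEE) != 0; }  /* all but NOACCESS/EXECUTE */

enum { REGION_OK = 0, REGION_RWX = 1, REGION_EXEC_NOT_IMAGE = 2 };

static int classify_region(const region_t *r) {
    if (r->state != MEM_COMMIT) return REGION_OK;   /* reserved pages carry no protection */
    if (prot_is_exec(r->protect) && prot_is_write(r->protect)) return REGION_RWX;
    if (prot_is_exec(r->protect) && r->type != MEM_IMAGE) return REGION_EXEC_NOT_IMAGE;
    return REGION_OK;
}

static void protect_to_string(uint32_t p, char out[5]) {
    out[0] = prot_is_read(p)  ? 'R' : '-';
    out[1] = prot_is_write(p) ? 'W' : '-';
    out[2] = prot_is_exec(p)  ? 'X' : '-';
    out[3] = (p & PAGE_GUARD) ? 'G' : '-';
    out[4] = '\0';
}

/* Constructed sample listing; addresses and sizes are made up. */
static const region_t SAMPLE[] = {
    { 0x00007FF6A0001000ULL, 0x020000, MEM_COMMIT,  PAGE_EXECUTE_READ,           MEM_IMAGE,   "demo.exe .text" },
    { 0x00007FF6A0021000ULL, 0x002000, MEM_COMMIT,  PAGE_READWRITE,              MEM_IMAGE,   "demo.exe .data" },
    { 0x000001E400000000ULL, 0x100000, MEM_COMMIT,  PAGE_READWRITE,              MEM_PRIVATE, "heap" },
    { 0x0000007A3E000000ULL, 0x001000, MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE, "stack guard page" },
    { 0x000001E410000000ULL, 0x010000, MEM_COMMIT,  PAGE_READONLY,               MEM_MAPPED,  "mapped data file" },
    { 0x000001E420000000ULL, 0x001000, MEM_COMMIT,  PAGE_EXECUTE_READWRITE,      MEM_PRIVATE, "private RWX" },
    { 0x000001E430000000ULL, 0x080000, MEM_COMMIT,  PAGE_EXECUTE_READ,           MEM_PRIVATE, "private RX, not image-backed" },
    { 0x000001E440000000ULL, 0x100000, MEM_RESERVE, 0,                           MEM_PRIVATE, "reserved" },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Classify every region; return how many were flagged. */
static size_t scan_regions(const region_t *regs, size_t n, int *verdicts) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        verdicts[i] = classify_region(&regs[i]);
        if (verdicts[i] != REGION_OK) flagged++;
    }
    return flagged;
}

static int    sample_verdict(size_t i) { return i < SAMPLE_COUNT ? classify_region(&SAMPLE[i]) : -1; }
static size_t sample_flagged(void) { int v[SAMPLE_COUNT]; return scan_regions(SAMPLE, SAMPLE_COUNT, v); }

int main(void) {
    int verdicts[SAMPLE_COUNT];
    size_t flagged = scan_regions(SAMPLE, SAMPLE_COUNT, verdicts);
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        char prot[5];
        protect_to_string(SAMPLE[i].protect, prot);
        printf("%016llx %8llx %s %-7s %s%s\n",
               (unsigned long long)SAMPLE[i].base, (unsigned long long)SAMPLE[i].size, prot,
               SAMPLE[i].type == MEM_IMAGE ? "Image" : SAMPLE[i].type == MEM_MAPPED ? "Mapped" : "Private",
               SAMPLE[i].tag,
               verdicts[i] == REGION_RWX ? "  <-- RWX" :
               verdicts[i] == REGION_EXEC_NOT_IMAGE ? "  <-- executable but not an image" : "");
    }
    printf("%zu of %zu regions flagged\n", flagged, (size_t)SAMPLE_COUNT);
    return 0;
}
```

On a live system the same classification runs over the output of VirtualQueryEx (MEMORY_BASIC_INFORMATION has exactly the State, Protect, and Type fields modelled here); the sample rows stand in for that call so the program runs offline.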
Explanation: Critical sections are user-mode locks: the uncontended path is a single interlocked operation with no kernel transition (optionally spinning for a configured count on multiprocessor systems), and a thread enters the kernel to wait on the section's event only when contention forces it to block.

Question 18. In the thread-pool API, which function queues a work item to be executed by a thread from the pool?
A) QueueUserWorkItem
B) CreateThread
C) BeginThreadpoolIo
D) SetThreadPriority
Answer: A
Explanation: QueueUserWorkItem submits a callback to the legacy thread pool for asynchronous execution; the Vista-era API does the same with SubmitThreadpoolWork on a work object created by CreateThreadpoolWork.

Question 19. An Asynchronous Procedure Call (APC) can be delivered only to a thread that is in which state?
A) Running
B) Suspended
C) Alertable wait state
D) Terminated
Answer: C
Explanation: User-mode APCs are queued to a thread (QueueUserAPC) and run only when that thread enters an alertable wait, e.g., SleepEx, WaitForSingleObjectEx, or WaitForMultipleObjectsEx with bAlertable set to TRUE. Kernel-mode APCs are delivered regardless of alertability.

Question 20. Which of the following statements about DLL injection via a remote thread is true?
A) It requires modifying the target process's PE header.
B) It uses CreateRemoteThread to execute LoadLibrary in the target.
C) It can only be performed on processes with the same security token.
D) It is only possible on 32-bit processes.
Answer: B
Explanation: Remote-thread injection writes the DLL path into the target with WriteProcessMemory, then calls CreateRemoteThread with LoadLibrary as the thread start routine and the path as its argument. It works because kernel32.dll is mapped at the same base in every process for a given boot session, so the injector's own LoadLibrary address is valid in the target. Option C is wrong: what is required is a process handle with PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ access, not an identical token.

Question 21. When a DLL is loaded implicitly, which function is called first by the system?
A) DllMain with DLL_PROCESS_ATTACH
B) DllEntryPoint with DLL_THREAD_DETACH
C) DllRegisterServer
D) DllGetClassObject
Answer: A
Explanation: The system calls DllMain with DLL_PROCESS_ATTACH when the DLL is loaded via the import table, under the loader lock and before the executable's entry point runs.

Question 22. Which Windows security identifier (SID) represents the built-in Administrators group?
A) S-1-5-18
B) S-1-5-32-544
C) S-1-1-0
D) S-1-5-20
Answer: B
Explanation: S-1-5-32-544 is the well-known SID for the local (BUILTIN) Administrators group. S-1-5-18 is LocalSystem, S-1-1-0 is Everyone, and S-1-5-20 is NETWORK SERVICE.

Question 23. In an Access Control List (ACL), which entry type specifies the permissions that are denied?
A) Allow ACE
B) Deny ACE
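Question 22 turns on recognising SIDs by their string form. The following C code is an added example, not part of the exam: it mirrors the binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, up to 15 sub-authorities) so that string SIDs can be parsed strictly, canonicalised, and matched against a small well-known table, and it checks a domain SID for a specific RID, which is how a tool should test for Domain Admins (512) or the built-in Administrator (500) rather than comparing whole strings. The domain SID in the sample is constructed, and the hex form Windows uses for identifier authorities of 2^32 or more is deliberately not supported (an assumption of the example).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15   /* same limit as winnt.h */

/* Binary layout mirrors the Windows SID structure. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];   /* 48-bit, big-endian */
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
} SID;

/* Parse "S-1-<authority>-<sub>-<sub>..." strictly; 1 on success, 0 otherwise.
 * Assumption: the authority is decimal (the hex form for >= 2^32 is not handled). */
static int parse_sid(const char *s, SID *out) {
    const char *p;
    char *end;
    if (!s || (s[0] != 'S' && s[0] != 's') || s[1] != '-') return 0;
    p = s + 2;
    if (!isdigit((unsigned char)*p)) return 0;
    if (strtoul(p, &end, 10) != 1 || *end != '-') return 0;   /* only revision 1 is defined */
    p = end + 1;
    if (!isdigit((unsigned char)*p)) return 0;
    unsigned long long auth = strtoull(p, &end, 10);
    if (auth > 0xFFFFFFFFFFFFULL) return 0;
    memset(out, 0, sizeof *out);
    out->Revision = 1;
    for (int i = 0; i < 6; i++) out->IdentifierAuthority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    while (*end == '-') {
        if (out->SubAuthorityCount == SID_MAX_SUB_AUTHORITIES) return 0;
        p = end + 1;
        if (!isdigit((unsigned char)*p)) return 0;            /* rejects "--", "-x", trailing "-" */
        unsigned long long sub = strtoull(p, &end, 10);
        if (sub > 0xFFFFFFFFULL) return 0;
        out->SubAuthority[out->SubAuthorityCount++] = (uint32_t)sub;
    }
    return *end == '\0';
}

static uint64_t sid_authority(const SID *sid) {
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->IdentifierAuthority[i];
    return auth;
}

/* Canonical string form; hex authority for values >= 2^32, as Windows prints them. */
static int format_sid(const SID *sid, char *buf, size_t n) {
    unsigned long long auth = sid_authority(sid);
    int len = auth < (1ULL << 32)
        ? snprintf(buf, n, "S-%u-%llu", (unsigned)sid->Revision, auth)
        : snprintf(buf, n, "S-%u-0x%012llX", (unsigned)sid->Revision, auth);
    if (len < 0 || (size_t)len >= n) return 0;
    for (int i = 0; i < sid->SubAuthorityCount; i++) {
        int k = snprintf(buf + len, n - (size_t)len, "-%lu", (unsigned long)sid->SubAuthority[i]);
        if (k < 0 || (size_t)k >= n - (size_t)len) return 0;
        len += k;
    }
    return 1;
}

static const struct { const char *sid; const char *name; } WELL_KNOWN[] = {
    { "S-1-1-0",      "Everyone" },
    { "S-1-5-18",     "NT AUTHORITY\\SYSTEM" },
    { "S-1-5-19",     "NT AUTHORITY\\LOCAL SERVICE" },
    { "S-1-5-20",     "NT AUTHORITY\\NETWORK SERVICE" },
    { "S-1-5-32-544", "BUILTIN\\Administrators" },
    { "S-1-5-32-545", "BUILTIN\\Users" },
};

/* Look a string SID up after canonicalising it; NULL if unparsable or unknown. */
static const char *well_known_name(const char *s) {
    SID sid;
    char canon[256];
    if (!parse_sid(s, &sid) || !format_sid(&sid, canon, sizeof canon)) return NULL;
    for (size_t i = 0; i < sizeof WELL_KNOWN / sizeof WELL_KNOWN[0]; i++)
        if (strcmp(canon, WELL_KNOWN[i].sid) == 0) return WELL_KNOWN[i].name;
    return NULL;
}

static int sid_subauthority_count(const char *s) {
    SID sid;
    return parse_sid(s, &sid) ? sid.SubAuthorityCount : -1;
}

/* True for a domain account SID S-1-5-21-<a>-<b>-<c>-<rid> carrying the given RID. */
static int sid_string_has_domain_rid(const char *s, uint32_t rid) {
    SID sid;
    if (!parse_sid(s, &sid)) return 0;
    return sid_authority(&sid) == 5 && sid.SubAuthorityCount == 5
        && sid.SubAuthority[0] == 21 && sid.SubAuthority[4] == rid;
}

int main(void) {
    /* Constructed inputs; the domain SID is made up. */
    const char *inputs[] = { "S-1-5-32-544", "S-1-5-18",
                             "S-1-5-21-1004336348-1177238915-682003330-512", "S-1-5--18" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *name = well_known_name(inputs[i]);
        printf("%-48s sub-authorities=%2d  %s%s\n", inputs[i], sid_subauthority_count(inputs[i]),
               name ? name : "(not well-known)",
               sid_string_has_domain_rid(inputs[i], 512) ? " [Domain Admins RID 512]" : "");
    }
    return 0;
}
```

The strict parser matters in practice: SDDL strings and audit logs are often the source of SIDs, and a lenient parser that accepted "S-1-5--18" or a sign character would let a malformed identifier silently match nothing, or worse, the wrong principal.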
A) IDispatch
B) IUnknown
C) IClassFactory
D) IProvideClassInfo
Answer: B
Explanation: IUnknown defines QueryInterface, AddRef, and Release, the core of COM's identity and lifetime management; every COM interface derives from it.

Question 27. When a COM object is created via CoCreateInstance, which component is responsible for locating the class factory?
A) The client's DLL entry point
B) The registry's CLSID entry
C) The OS kernel loader
D) The ATL smart pointer implementation
Answer: B
Explanation: CoCreateInstance reads the CLSID entry in the registry (its InprocServer32 or LocalServer32 value) to locate the server, loads or launches it, and obtains its IClassFactory, on which it calls CreateInstance.

Question 28. An out-of-process COM server runs in which type of process?
A) DLL loaded into the client's address space
B) Separate EXE process communicating via RPC
C) In the system kernel space
D) As a Windows service only
Answer: B
Explanation: Out-of-process servers are EXE files that run in their own process and communicate with clients using COM's RPC-based marshaling.
Question 29. Which ATL class template simplifies COM object reference handling?
A) CComModule
B) CComPtr
C) CComVariant
D) CComObjectRootEx
Answer: B
Explanation: CComPtr is a smart pointer that automatically calls AddRef/Release for COM interfaces.

Question 30. In COM threading models, which apartment type allows multiple threads to call the same object concurrently without marshaling?
A) Single-Threaded Apartment (STA)
B) Multithreaded Apartment (MTA)
C) Neutral Apartment (NA)
D) No Apartment (NA)
Answer: B
Explanation: Objects in the MTA are free-threaded; calls can be made directly from any thread in the MTA, so the object must do its own synchronization.

Question 31. Which attribute in an IDL file specifies that a COM interface supports automation?
A) [dual]
B) [local]
C) [oleautomation]
D) [source]
Answer: C
D) File system cache stack
Answer: B
Explanation: An IRP is allocated with one I/O stack location (IO_STACK_LOCATION) per driver in the device stack; the count comes from the StackSize of the top device object. Each driver reads its own location with IoGetCurrentIrpStackLocation and prepares the next one (IoGetNextIrpStackLocation or IoCopyCurrentIrpStackLocationToNext) before calling IoCallDriver to pass the IRP down.

Question 35. Which IRQL level is the highest and can only be raised on a uniprocessor system?
A) APC_LEVEL
B) DISPATCH_LEVEL
C) DIRQL (Device IRQL)
D) PASSIVE_LEVEL
Answer: C
Explanation: Of the options listed, DIRQL (device IRQL) is the highest: the device IRQLs lie above DISPATCH_LEVEL and below HIGH_LEVEL, which is the true maximum. IRQL is per-processor state, not a system-wide one; raising to a DIRQL masks that device's interrupt only on the current processor, on multiprocessor systems as well as uniprocessor ones.

Question 36. Which synchronization primitive must be used in kernel mode to protect data at DISPATCH_LEVEL or higher?
A) Fast Mutex
B) KeEnterCriticalRegion
C) Spin Lock
D) Mutant (Mutex)
Answer: C
Explanation: Spin locks are the primitive for DISPATCH_LEVEL and above: acquiring one raises IRQL to DISPATCH_LEVEL and busy-waits instead of blocking, so it never needs the scheduler, which is unavailable at that level. Fast mutexes and mutants wait by blocking and may only be acquired at or below APC_LEVEL.

Question 37. A file system mini-filter driver registers which callback to intercept read operations?
A) IRP_MJ_WRITE
Answer: B
Explanation: IRP_MJ_READ is the major function code for read requests; a mini-filter registers a pre-operation (and optionally post-operation) callback for it in the FLT_OPERATION_REGISTRATION array passed to FltRegisterFilter.

Question 38. The Windows Filtering Platform (WFP) primarily operates at which layer of the networking stack?
A) Application layer (Winsock)
B) Transport layer (TCP/UDP)
C) Network layer (IP) and below
D) Physical layer (NIC driver)
Answer: C
Explanation: WFP exposes filtering layers from the ALE (socket/connect) layers down through the transport and IP packet layers (and, since Windows 8, MAC-layer filtering), so callouts can inspect or modify packets before they reach the transport protocols or the application.

Question 39. Which IOCTL code conventionally requests a driver to return its version string?
A) IOCTL_GET_STATS
B) IOCTL_GET_VERSION
C) IOCTL_QUERY_INFORMATION
D) IOCTL_READ_DATA
Answer: B
Explanation: IOCTL_GET_VERSION is not a system-defined code; by convention many sample and training drivers define one with CTL_CODE in a header shared with their user-mode client to return a version or build identifier.
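Question 39 (and Question 56 later in the bank) rely on how an IOCTL code is built. The C program below is an added example, not from the exam: it re-creates the CTL_CODE bit layout, decodes codes back into device type, function, transfer method, and required access, and flags the properties a driver reviewer checks first: METHOD_NEITHER (the driver receives raw user pointers and must probe them under __try), FILE_ANY_ACCESS (any opener of the device can send the request), and a function number in the range reserved for Microsoft. The IOCTL_DEMO_* codes are hypothetical; IOCTL_DISK_GET_DRIVE_GEOMETRY is a real code included for comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants with the same values as the WDK headers. */
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define FILE_DEVICE_DISK    0x07
#define FILE_DEVICE_UNKNOWN 0x22

/* Bit layout of CTL_CODE: [31:16] device type, [15:14] required access,
 * [13:2] function, [1:0] transfer method. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))

typedef struct {
    uint16_t device_type;
    uint16_t function;
    uint8_t  method;
    uint8_t  access;
} ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

static const char *method_name(uint8_t m) {
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

/* Review flags an auditor raises when reading a code. */
enum {
    IOCTL_NOTE_NEITHER     = 1,  /* raw user pointers reach the driver; must ProbeForRead/Write under __try */
    IOCTL_NOTE_ANY_ACCESS  = 2,  /* a handle opened with no access rights can still send it */
    IOCTL_NOTE_RESERVED_FN = 4,  /* function 0x000-0x7FF is reserved for Microsoft; vendors use 0x800+ */
};

static unsigned ioctl_notes(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    unsigned notes = 0;
    if (f.method == METHOD_NEITHER)  notes |= IOCTL_NOTE_NEITHER;
    if (f.access == FILE_ANY_ACCESS) notes |= IOCTL_NOTE_ANY_ACCESS;
    if (f.function < 0x800)          notes |= IOCTL_NOTE_RESERVED_FN;
    return notes;
}

/* Hypothetical codes as a training driver might define them (assumed, not system-defined). */
#define IOCTL_DEMO_GET_VERSION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_RAW_WRITE   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
/* A real system code for comparison; its documented value is 0x70000. */
#define IOCTL_DISK_GET_DRIVE_GEOMETRY CTL_CODE(FILE_DEVICE_DISK, 0x0000, METHOD_BUFFERED, FILE_ANY_ACCESS)

int main(void) {
    const struct { const char *name; uint32_t code; } codes[] = {
        { "IOCTL_DEMO_GET_VERSION",        IOCTL_DEMO_GET_VERSION },
        { "IOCTL_DEMO_RAW_WRITE",          IOCTL_DEMO_RAW_WRITE },
        { "IOCTL_DISK_GET_DRIVE_GEOMETRY", IOCTL_DISK_GET_DRIVE_GEOMETRY },
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i].code);
        unsigned n = ioctl_notes(codes[i].code);
        printf("%-30s 0x%08X device=0x%02X function=0x%03X access=%u %s%s%s%s\n",
               codes[i].name, codes[i].code, (unsigned)f.device_type, (unsigned)f.function,
               (unsigned)f.access, method_name(f.method),
               (n & IOCTL_NOTE_NEITHER)     ? " [NEITHER: probe buffers]" : "",
               (n & IOCTL_NOTE_ANY_ACCESS)  ? " [ANY_ACCESS]" : "",
               (n & IOCTL_NOTE_RESERVED_FN) ? " [Microsoft function range]" : "");
    }
    return 0;
}
```

The access bits are enforced by the I/O manager against the handle's granted access before the IRP reaches the driver, which is why FILE_ANY_ACCESS on a privileged operation is a finding: the driver then has to do its own check in the IRP_MJ_DEVICE_CONTROL handler or accept that any process that can open the device can call it.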
Question 43. Which Sysinternals tool shows a hierarchical view of all named kernel objects?
A) Process Explorer
B) WinObj
C) VMMap
D) Autoruns
Answer: B
Explanation: WinObj displays the Object Manager namespace, allowing inspection of directories, symbolic links, device objects, sections, events, and each object's security descriptor.

Question 44. VMMap is primarily used to visualize which of the following?
A) Registry hive structures
B) Network socket activity
C) Process virtual memory layout
D) Driver load order
Answer: C
Explanation: VMMap shows the allocation types, protection, and usage of a process's virtual address space.

Question 45. Which of the following is NOT a valid Windows thread priority constant?
A) THREAD_PRIORITY_TIME_CRITICAL
B) THREAD_PRIORITY_ABOVE_NORMAL
C) THREAD_PRIORITY_LOWEST
D) THREAD_PRIORITY_REALTIME
Answer: D
Explanation: THREAD_PRIORITY_REALTIME is not a defined constant; the highest thread priority constant is THREAD_PRIORITY_TIME_CRITICAL. REALTIME_PRIORITY_CLASS does exist, but as a process priority class for SetPriorityClass, not a thread priority.

Question 46. The function SetThreadAffinityMask is used to:
A) Change a thread's priority level
B) Restrict a thread to run on specific CPU cores
C) Suspend a thread until an event is signaled
D) Allocate a thread-local storage slot
Answer: B
Explanation: SetThreadAffinityMask sets the processor affinity mask, limiting the CPUs on which the thread may execute; the mask must be a subset of the process affinity mask.

Question 47. Which of the following flags for CreateFile indicates that the file should be opened for overlapped (asynchronous) I/O?
A) FILE_ATTRIBUTE_NORMAL
B) FILE_FLAG_OVERLAPPED
C) FILE_SHARE_READ
D) FILE_FLAG_DELETE_ON_CLOSE
Answer: B
Explanation: FILE_FLAG_OVERLAPPED tells the system to create a handle that supports asynchronous I/O operations; each ReadFile/WriteFile on it must then supply an OVERLAPPED structure.

Question 48. In the context of Windows security, what does the term "privilege escalation" refer to?
A) Raising a process's priority level
B) Gaining higher access rights than originally granted
C) Converting a user token to a system token
B) [threading_model("free")]
C) [threading_model("both")]
D) [threading_model("single")]
Answer: D
Explanation: The recognized ThreadingModel values are "Apartment", "Free", and "Both" (plus "Neutral" since Windows 2000); "single" is not a value, since an in-process server with no ThreadingModel entry defaults to the legacy single-threaded model.

Question 52. The COM function CoInitializeEx with COINIT_MULTITHREADED creates which apartment?
A) STA (Single-Threaded Apartment)
B) MTA (Multithreaded Apartment)
C) NA (Neutral Apartment)
D) No apartment is created
Answer: B
Explanation: COINIT_MULTITHREADED initializes the calling thread as a member of the process's MTA.

Question 53. Which registry hive stores per-user COM class registration information?
A) HKEY_LOCAL_MACHINE\Software\Classes
B) HKEY_CURRENT_USER\Software\Classes
C) HKEY_USERS\.DEFAULT\Software\Classes
D) HKEY_CLASSES_ROOT
Answer: B
Explanation: Per-user COM registrations are stored under HKCU\Software\Classes and machine-wide ones under HKLM\Software\Classes; HKEY_CLASSES_ROOT is a merged view of the two in which the per-user entry takes precedence, which is why per-user CLSID hijacking needs no administrative rights.

Question 54. In a KMDF driver, which object represents a logical device instance?
A) WDFDRIVER
B) WDFDEVICE
Answer: B
Explanation: WDFDEVICE is the handle representing a device object in KMDF.

Question 55. The function IoCreateDeviceSecure is used to:
A) Create a device object with a security descriptor
B) Register a network filter driver
C) Allocate a DMA adapter object
D) Initialize a driver's unload routine
Answer: A
Explanation: IoCreateDeviceSecure creates a device object and applies an SDDL-specified security descriptor, so access to the device is controlled even when no PnP device class or INF supplies one.

Question 56. Which IRP major function code is used for device I/O control requests?
A) IRP_MJ_DEVICE_CONTROL
B) IRP_MJ_QUERY_INFORMATION
C) IRP_MJ_SET_INFORMATION
D) IRP_MJ_CLEANUP
Answer: A
Explanation: IRP_MJ_DEVICE_CONTROL carries IOCTLs sent from user mode via DeviceIoControl; IRP_MJ_INTERNAL_DEVICE_CONTROL carries those sent by other kernel-mode drivers.

Question 57. Which of the following is the correct way to raise IRQL to DISPATCH_LEVEL in kernel code?
A) KeRaiseIrql(DISPATCH_LEVEL, &oldIrql)
B) KeRaiseIrqlToDpcLevel()