Windows Fundamentals Student.pdf

Full Transcript

Windows Fundamentals

DOI: 2024 JUL
 (U) Administrative Information

Safety Requirements: Emergency Exits, 911, Fire

Risk Assessment: LOW

Environmental Conditions: Reduce, Reuse, Recycle

Evaluation: Daily quiz

Classification/Dissemination: UNCLASSIFIED
 TLO KNOWLEDGE AND SKILLS
Conditions:

Given a classroom, applicable references, practical exercises, and necessary information technology equipment such as, a
computer with virtualization capabilities, the Cyber Operations Specialist student will be able to describe, identify, and
understand the Fundamentals of the Windows Environment.

Knowledge:

Describe Windows Authentications and user/group management
Describe the File/File Systems, Directory Structure, and File Permissions
Describe different Command Line Interface and PowerShell Command/cmdlets
Describe Backups, Logs and Schedule Tasks
Describe Windows Boot Process, Kernel Designs, and Baseline Process
Describe Interrupts, Exceptions, Trap Handling and Device Drivers

Skills:

Use CLI or PowerShell to gather information about the Windows environment
Manage accounts through use of CLI and PowerShell
 OBJECTIVES
Describe Windows Authentications Describe Boot Process

Describe User/Group Management Describe Kernel Designs

Describe File/File Systems Describe Process Baseline

Describe Directory Structure Describe Concurrency

Describe File Permissions Describe Interrupts

Describe Windows Command(s) Line Describe Exceptions

Identify PowerShell Describe Trap Handling

Describe Backups Describe Device Drivers

Describe Logs Demonstrate Windows Fundamentals

Describe Scheduled Tasks
 Keys
Emphasis/Highlighting

Active Demo (Take Notes)

File Paths

Demo Scripts

Commands
 Windows Authentication
Windows Authentication is a secure form of Authentication. Authentication is the process of verifying the identity
of a user, system, or device. It ensures that the entity attempting to access a resource is indeed who it claims
to be.

Different authentication methods exist. To include but not limited to:
Password-based authentication: Users provide a password, which is compared to a stored hash
value. If they match, access is granted.

Multi-factor authentication (MFA): Combines multiple factors (e.g., password, SMS code,
biometrics) for stronger security.

Public key infrastructure (PKI): Uses digital certificates and private keys for secure
communication.

OAuth: Allows third-party applications to access resources on behalf of a user without sharing credentials.

Windows Authentication (NTLM): Used in Windows environments, relying on domain accounts and
challenge-response mechanisms. Transitioned to Kerberos or another Negotiation type system.
 USER ACCOUNTS
A user account is a profile used by end users in the network for determining access. These accounts exist in either the SAM
or in the Domain Controller (DC).

Three types of user accounts:

Local: does not permit access to network resources, authenticated by the SAM and utilized by work groups

Domain: domain account that provides access to network resources, authenticated by the DC and reside in Active Directory
(AD)

Built-in: automatically created when the OS, Active Directory, or other applications are loaded. Built-in accounts can exist in
local or domain environments

○ Standard: User accounts are for everyday computing.

○ Administrator: account that have full access to the computer; different types depending on the scope of the network

○ Guest: provides a user with temporary access; limited privileges with no access to network but can get on the internet. It
is a best security practice to rename and disable these accounts.
 User/Group Management
User and group management involves creating, modifying, and deleting user accounts and groups within an
operating system. It includes setting permissions, managing user roles, and ensuring secure access to
resources. Groups allow for easier management of permissions for multiple users.

GUI:
Control Panel > User Accounts> Manage User Accounts

CLI:
‘net user username password /add’, ‘/domain’ – domain users
‘net localgroup groupname /add’, ‘/domain’ – domain groups

PowerShell:
‘New-LocalUser –Name “username” –Password (ConvertTo-SecureString “Password12345!” –
AsPlainText – Force)’
‘New-LocalGroup –Name “groupname”’
 Check On Learning

1. ___ is the process of verifying the identity of a user, system, or device. It ensures that the entity attempting to
access a resource is indeed who it claims to be.

2. A ___ ___ is a profile used by end users in the network for determining access.

3. What is the CLI command to create a domain user?
 File/File Systems
When accessing resources remotely, a connection needs to be made to a shared folder via networking
protocols by providing appropriate credentials. If access is granted, depending on an individuals DACLs, the
user will have access to all files within that folder.

A File is a collection of data stored on a computer or digital device.
They can contain text, images, videos, programs, or any other type
of information.

A File System defines the way data is named, stored, organized,
and assessed on a hard drive. It is used by the OS to manage
files.

Each type of file system has its own properties and features, they
are organized into 6 layers: Application Programs, Logical
File System, File-organization Module, Basis File Dervish. (2022, March 3). What is file system in windows operating systems? AOMEI Partition Assistant. Retrieved September 12, 2022, from https://www.diskpart.com/articles/what-is-file-system-
1984.html

System, I/O Control, and Devices.

Common file systems include FAT (File Allocation Table) and NTFS
(New Technology File System).
 File/File Systems - FAT
The FAT (File Allocation Table) system is the original file system used since the early days of DOS.
It originated in 1977 for use on floppy disks and was later adapted for hard disks and other
storage devices.

Originally designed with an 8-bit file system.

FAT keeps track of file locations by using a table that maps file names to their physical locations
on the disk.

With each version of a FAT update, the number of bits increased. The versions of the FAT format
are named after the number of bits it represents: (FAT12), (FAT16), (FAT32), and ExFAT.

Max file size with FAT16B and FAT32 is 4GB-1, or exactly 4,294,967,295 bytes.
 File/File Systems -ExFAT
The ExFAT (Extended File Allocation Table, FAT64) system is newer and more complex than the
FAT file system. It provides more storage than FAT32.
ExFAT is widely used is USBs and other removable media that need larger storage
capacity.

Despite the attempts to update the FAT versions, it failed to provide security for data and
lacked options for recovery in the event of damaged or corrupted files.

The ExFAT format allows individual files larger than 4 GB it can support Storage media of
any size, up to 256 TB.
 File/File Systems - NTFS
Introduced as a replacement for FAT32, New Technology File System (NTFS) was created in 1993 and
is the most common file system offered by Microsoft Windows.

Key features of NTFS:

Compression

Disk Quotas

File and folder security (DACLs & SACLs)

Reliability using transaction-based logging

Encryption

Mounted Volumes
 Directory Structure
A directory structure is the hierarchical arrangement of
directories (folders) on a storage device.

Windows uses a hierarchical directory structure where all
directories and files fall under a disk volume’s root
directory.

Windows identifies the root directory ( \ ) with all other files
and directories stored under the root directory.

Windows file systems use a letter to specify which disk
volume (disk/storage) is being used (C:, D:, etc.).
Default Windows configurations install the Windows OS
onto the C: volume.
 Directory Structure Cont.
Windows Folder - The default name of this folder may vary depending on the
Operating System that is installed. The Windows folder contains folders and files of
the specific Windows Operating System and is referred to as “system root”.
System 32 -
critical components of the Windows operating system are stored here. The
two most common file types you’ll see in System 32 are.dll and.exe.dll -
Dynamic Link Library - DLL file is a library that contains a set of code and data
for carrying out a particular activity in Windows. DLL files are a lot like executable
(EXE) files, except that DLL files cannot be directly executed in Windows..exe -Executables are files that install or run software applications. Every program
you run on a Windows PC, is a.exe.
 Directory Structure Cont.
Program Files - This contains folders and files of installed software,
like Microsoft Office, Adobe Acrobat, Symantec Antivirus, or other
optional third party and non-OS software.

Users Folder - This contains a subdirectory for each user who has
logged on to the system. These subdirectories contain profiles,
which contains user personal data and preferences.
 File Permissions
File permissions control the ability of users to view, modify, execute, or otherwise interact with a
file. Permissions are typically set for different levels of access, such as owner, group, and
others. In Windows, these permissions can include read, write, execute, and modify, among
others.

Authentication is a mechanism by which a system securely identifies a user.

Authorization, however, is a mechanism by which a system determines the level of access an
authenticated user has to system resources (e.g., files and directories).

Most modern Windows OSs use Discretionary Access Control Lists (DACL) to assign file and
directory permissions.
 Check On Learning
1. What defines the way data is named, stored, organized, and assessed on a hard drive. It is used by the OS
to manage files.

2. What three of the six key features of NTFS:

3. Window uses what type of directory structure?

4. What is the mechanism by which a system determines the level of access an authenticated user has to
system resources.
 Windows Command(s) Line
The Windows Command Line, also known as Command Prompt or cmd.exe, is a command-
line interpreter application available in most Windows operating systems. It provides a text-
based interface to execute commands and run scripts.

Using the File Explorer, you can navigate throughout windows file directory using My
Computer, or the Command-Line Interface (CLI). The shell is a program that handles the
user interface with the OS and is also a command language interpreter capable of running
batch files or scripts.

There are several methods to open a Windows CLI. The Start > Run window is probably the
quickest and most commonly used. Once the Run window appears, type cmd and click OK.
You can also simply type terminal into the search bar and the command line appears as an
option.
 Windows Command Line
The command line interface will benefit you as cyber operators. In order to
navigate the Windows Command line, you have to know the proper Syntax
for commands. Syntax is the grammatical rules and patterns that govern the
ordered use of appropriate words and symbols necessary for commands to
execute.

If in doubt about the proper syntax of a command you can always utilize the
HELP function by typing the COMMAND followed by /? or /help.
 Windows Command Line
Basic Commands
dir: Lists the contents of a directory.
cd: Changes the current directory.
copy: Copies files from one location to another.
move: Moves files from one location to another.
del: Deletes one or more files.
mkdir: Creates a new directory.
rmdir: Removes a directory.
type: Displays the contents of a file.
echo: Displays messages or turns command echoing on or off.
ipconfig: Displays all current TCP/IP network configuration values.
cls: clear your terminal screen.
exit: Exits the command prompt.
 PowerShell
PowerShell is a cross-platform task automation and configuration management
framework from Microsoft. It includes a command-line shell and scripting
language built on the.NET framework, designed for system administrators and
power users to automate tasks and manage systems.

Key Features:
Command-line interface: PowerShell provides a command-line interface for
executing commands and scripts.

Scripting Language: It supports a scripting language that allows you to
write complex scripts to automate administrative tasks.

Cmdlets: PowerShell commands, known as cmdlets, follow a Verb-Noun
naming convention, such as ‘Get-Process’ or ‘Set-Item’.
 PowerShell Cont.
Pipelines: PowerShell supports pipelining, which allows you to pass the output of
one cmdlet as input to another cmdlet, enabling complex data manipulation.

Object-oriented: Unlike traditional command-line interfaces that output text,
PowerShell outputs objects. This allows for more advanced data manipulation and
processing.

Remote Management: PowerShell supports remote management and scripting,
enabling administrators to manage multiple systems from a single interface.

Modules: PowerShell functionalities can be extended using modules, which are
packages of cmdlets, providers, functions, and other tools.
 PowerShell Common uses:
System Administration: Automating repetitive tasks, managing configurations, and
handling system operations.

Configuration Management: Setting up and managing system configurations
across many servers.

Task Automation: Writing scripts to automate complex workflows and repetitive tasks.

File Management: Performing file and directory operations such as copying, moving,
deleting, and renaming files.

User Management: Creating, modifying, and deleting user accounts and groups.

Service Management: Starting, stopping, and managing Windows services.

Software Deployment: Installing, configuring, and managing software packages.
 PowerShell Basic Commands:
Get-Help: Displays help information about PowerShell cmdlets.
Update-Help: to update your Help Files
Get-Command: Lists all cmdlets, functions, workflows, aliases installed on your system.

Get-ChildItem: displays the files and directories in the PowerShell console.
Get-Process: Retrieves the processes running on a local or remote computer.
Get-Service: Gets the status of services on a local or remote machine.
New-Item: Creates a new item, such as a file or directory.

Copy-Item: Copies an item from one location to another.
Remove-Item: Deletes files or directories.
 Check On Learning
1. What is also known as Command Prompt or cmd.exe?

2. What window’s command displays all current TCP/IP network configuration values?

3. _____ is a cross-platform task automation and configuration management framework from Microsoft.

4. What are the three key features of PowerShell?
 Backups
Backups involve creating copies of data to protect against data
loss. Backups can be full, incremental, or differential. They
are critical for data recovery in case of hardware failure, data
corruption, or other issues.

Backup Types:
Full: Used to backup an entire/complete system by selecting
the entire volume. It involves copying the entire data set of
the system to a separate partition or an external disk. It
creates a complete copy of the specified data volume.

Incremental: Used to copy only the data that has changed
since the last (either full or incremental) backup.

Differential: Used to copy changes since the last full
backup, but they don’t rely on a previous differential backup.
https://spanning.com/blog/types-of-backup-understanding-full-differential-
incremental-backup/
 Logs
Logs are records of events that occur within an operating system or software application.
They are used for monitoring, debugging, and auditing purposes. Logs typically include
information about system events, errors, user activities, and security incidents.

All operating systems provide some form of logging capabilities. A log file is a record of
system or user activities. Logs can contain events generated either locally or from a remote
system. The Department of Defense requires various levels of logging depending on the
type and/or classification of a system.

Log files can be stored locally. However, some OSs can consolidate Logs in a centralized
location. In forensics, log analysis may be used by analysts to provide insight on a security
incident. It can prove if someone accessed a file, downloaded material, or even plugged a
removable storage device into a computer.
 Logs
Logs can also be accessed through the command line.

1.Open the command line and type powershell or navigate directly to the powershell interface
by typing powershell in the search bar.

1.Type get-eventlog * (The asterisk denotes a wildcard and will show all logs)
to view the entire contents of specific log type get-eventlog
Example: get-eventlog Application

2.The log can also be cleared from the
CLI with: Clear-eventlog Application
 Scheduled Tasks
Scheduled Tasks in Windows are automated processes that run at specific times or in response to
specific events. The Task Scheduler is used to create and manage these tasks, which can include running
scripts, launching programs, or executing commands.

It does this by monitoring whatever criteria you choose (referred to as a trigger) and then executing the tasks
when those criteria are met.

Examples of Triggers:
A specific time

When a specific system event occurs

When the system is booted

At a specific time on a daily, weekly, or monthly schedule
− Such as scheduling system backups that occur repeatedly
When a user logs on
 Scheduled Tasks
CLI Schedulers: There are two command-line schedulers in Windows,
at and schtasks. With the addition of PS there is also now the new-
sheduledtask cmdlet that starts a Windows PS background task on the
local computer.
at: Original command-line scheduler. On Windows 5.* architectures this
command was used to escalate privileges by scheduling a process to
run
interactively as the local SYSTEM account. This command is deprecated
on 10.*
schtasks: Cannot be used to escalate privileges like at command.
It also does not allow user interaction with a job scheduled to run as
any
user other than the currently logged on user.
Example: Bob cannot schedule a job to run as Administrator and interact
with that job, the job will just run in the background.

Tasks are stored in the %SystemRoot%\System32\Tasks directory
 Scheduled Tasks
Schtasks /? Displays scheduled tasks
Schtasks /create Creates new task
schtasks /create /sc once /tn command /tr cmd.exe /st 08:00
Schtasks /delete Deletes a task by name
Schtasks /delete /tn command
Schtasks /change Changes the task that is run, but not the name
Schtasks /change /tn Notepad /tr C:\Windows\System32\calc.exe
Schtasks /query Displays current scheduled tasks
Schtasks /query /tn Notepad /v /fo list
 Check On Learning
1. What are the three backup types?

2. What is a record of system or user activities?

3. _____ is a cross-platform task automation and configuration management framework from Microsoft.

4. What is the PowerShell cmdlet to see all logs?

5. What in Windows are automated processes that run at specific times or in response to specific events?
 Boot Process
Windows OS supports two processor rings.

Kernel Mode - Kernels runs in the MOST privileged ring of the CPU (Ring 0)
User Mode - The OS interface and User applications execute in the LEAST privileged ring
(Ring 3)

KERNEL MODE (RING 0):

Access to all system memory and entire CPU instruction set
Kernel mode OS and device driver code share address space
Privileged to perform almost any action
Closest to hardware

USER MODE (RING 3):

Limited in permission and authority
OS interface and system software
User applications
Closest to user
 Boot Process
The boot process is the sequence of steps the computer goes through when it is
powered on, culminating in the operating system being loaded and becoming
operational. This includes the BIOS/UEFI initialization, loading the bootloader, and
starting the operating system kernel.

Windows 10 boot process on BIOS systems comprises of four major phases. It starts
from POST and ends up in loading the Windows OS Loader or the Kernel. Here is
the list of the phases it goes through:
1.) Pre-Boot
2.) Windows Boot Manager
3.) Windows OS Loader
4.) Windows NT OS Kernel init.
5.) Windows User Logon
 Pre-Boot Process – Phase 1
Basic Input Output System
Pre-Boot: POST or Power-On Self-Test loads firmware settings. It
checks for a valid disk system, and if the system is good to go for
the next phase.

If the computer has a valid MBR, i.e. Master Boot Record, the boot
process moves further and loads Windows Boot Manager.

Firmware can be either Unified Extensible Firmware Interface
(UEFI) or Basic Input/Output (BIOS).

During every process, a program is loaded. Depending on whether
it uses Legacy BIOS or UEFI, the file paths and files change.
Unified Extensible Firmware Interface
 Boot Process – Phase 2 & 3
During every process, a program is loaded. Depending on whether it uses Legacy BIOS or
UEFI, the file paths and files change.

Windows Boot Manager: This step determines if you have multiple OS installed on your
computer. If yes, then it offers a menu with the names of the OSs. When you select the OS, it
will load the right program, i.e. Winload.exe to boot you into the correct OS.
1. bootmgr: Switches from real mode to protected mode
2. bootmgr: Reads BCD (store on BIOS/UEFI)
3. bootmgr: Starts winload.exe

Windows OS Loader: WinLoad.exe loads important drivers to kick start the Windows Kernel.
The kernel uses the drivers to talk to the hardware and do rest of the things required for the boot
process to continue.
1. Loads ntoskrnl.exe and hal.dll
2. Starts drivers with start value of (0x0)
 Boot Process – Phase 4
Windows NT OS Kernel: The Kernel Initialization Phase is the last stage which picks up the
Registry settings, additional drivers, etc. Once that has been read, the control is taken by the
system manager process. It loads up the UI, the rest of the hardware and software. That’s when
you finally get to see your Windows 10 Login screen.

1. Ntoskrnl.exe: Ntdll.dll is mapped into address space

2. Ntoskrnl.exe: Creates HKLM\Hardware key

3. Ntoskrnl.exe: Starts drivers, System Files and Services

4. Ntoskrnl.exe: Starts smss.exe (0) process
 Boot Process – cont…
User Mode Start Up

1.Smss.exe (0): starts the subsystem process csrss.exe (0) and dependencies

1.Smss.exe (0): Starts wininit.exe

1.wininit.exe: Starts the SCM (services.exe) and the LSA (lsass.exe)

1.SCM starts all services with start value of (0x2)

1.Smss.exe (0) starts an instance of itself, smss.exe (1)

1.Smss.exe (1) starts csrss.exe (1) and its dependencies

1.Smss.exe (1) then starts winlogon.exe and smss.exe (1) exits

1.Winlogon.exe starts logonui.exe (1) (exits) and Userinit.exe (1)

1.Userinit.exe starts explorer.exe (1)
 Check On Learning
1. What are the two modes in Window’s OS?

2. What is the sequence of steps the computer goes through when it is powered on, culminating in the
operating system being loaded and becoming operational?

3. The firmware is loaded in ___ phase?

4. What are the three responsibility of the bootmgr?

5. What is last stage in the boot process?
 Kernel Designs
The kernel sits between the HAL and the Executive and provides multiprocessor synchronization,
thread and interrupt scheduling and dispatching, and trap handling and exception dispatching; it is
also responsible for initializing device drivers at bootup that are necessary to get the operating
system up and running.
Kernel designs refer to the architecture of the core component of an operating system, which
manages system resources and communication between hardware and software. Common designs
include monolithic kernels and microkernels.

Kernel Designs:
Monolithic Kernel
Microkernel
Hybrid Kernel
Exokernel
Virtual Kernel
 Kernel Designs: Monolithic Kernel
Monolithic Kernel: all essential operating system functions reside in a single large
binary. Both user services and kernel services are implemented under the same
address space. It increases the size of the kernel, thus increasing the size of the
operating system.
Advantage:
CPU scheduling, memory management, file management, and other operating system
functions through system calls.
Single large process running
Faster operating system execution.
Single static binary file

Disadvantage:
Any service failure leads to entire system failure
New service require entire operating system
Security vulnerabilities
 Kernel Designs: Microkernel
Microkernel: keeps only the most critical functions in the kernel space, with other
services running in user space. This type of kernel is characterized by its
modularity, simplicity, and ability to run multiple operating systems on the same
hardware.
Advantage:
More secure OS due to reduce attack surface
Smaller in size
Easily extendible and customizable
Stability, Service failure does not affect the microkernel

Disadvantage:
Message passing between User and kernel spaces
Slower
Increase complexity and limited performance optimization
Increase memory usage
 Kernel Designs: Hybrid Kernel
Hybrid Kernel: combines aspects and benefits of both monolithic sand microkernels. It has
speed and design of monolithic kernel and modularity and stability of microkernel.

The hybrid kernel works to have a kernel structure like that of a microkernel, but to
implement that structure in the manner of a monolithic kernel.
Advantages:
1. Performance
2. Reliability
3. Flexibility
4. Compatibility

Disadvantages:
1. Complexity
2. Security
3. Maintenance
4. Resource usage
 Kernel Designs
Exokernel: exposes hardware resource directly to user level-applications. Provide minimal
abstractions, allowing applications to manage resources efficiently.

Advantages:
1. Flexibility
2. Performance
3. Security
4. Modularity

Disadvantages:
1. Complexity
2. Development Difficulty
3. Limited Support
4. Debugging Difficulty
 Kernel Designs
Virtual Kernel: manage virtual machines (VMs) and allow multiple operation
systems to run concurrently on the same physical hardware
 Check On Learning
1. The kernel sits between the ___ and the ___?

2. What are the five Kernel Designs?

3. What are the disadvantages of Monolithic Kernel?

4. What kernel exposes hardware resource directly to user level-applications and provide minimal
abstractions, allowing applications to manage resources efficiently?
 PROCESS BASELINE
A process baseline is a set of standard performance metrics or behaviors established for processes
running on a system. It is data collected periodically so that the performance of the network/system can be
properly evaluated. The data collected are then used as a reference during real-time monitoring and
evaluation so we can effectively identify abnormalities or establish network normalcy.

- Creating and maintaining an up-to-date, in-depth, and precise baseline of any given system is vital.

- Often this makes the difference between spotting exploits and losing valuable infrastructure/data.

- Baselines can be stand-alone, or they can be collected over a period to help with pattern of life
assessments.

https://medium.com/purple-team/network-scanning-and-
enumeration-4e998752eb10
 Concurrency
Concurrency in computing refers to the ability of a system to manage multiple tasks or processes
simultaneously. This is achieved through mechanisms like multitasking, multithreading, and parallel
processing, allowing for efficient use of system resources and improved performance.

Benefits of Concurrency:
Improved Responsiveness: Allows a system to remain responsive even while certain tasks are
blocked or waiting for resources.

Resource Utilization: Maximizes the use of available processing resources (CPU cores) by keeping
them busy with productive work.

Modularity and Scalability: Enables modular design and scalability in applications, where tasks can
be divided into smaller units that can run concurrently.
 Concurrency cont…
A single processor may only be scheduled to run one process at a time.
Multi-tasking is the illusion of performing multiple jobs simultaneously by interleaving processes on the same
CPU.

Systems with multiple processors, schedule multiple processes simultaneously in what is known as
concurrency. When running concurrent processes certain conditions may arise.
Race Condition - Occurs due to a process depending on the timely output sequence of another
process. If the dependent process receives the data out of sequence or in an untimely manner,
unanticipated behavior results.

Deadlocks: Situations where two or more processes are unable to proceed because each is waiting
for another to release a resource.

Synchronization: Techniques like locks, semaphores, and mutexes are used to coordinate access to
shared resources and prevent race conditions.
 Interrupts
Interrupts are signals sent to the CPU by hardware or
software indicating an event that needs immediate
attention.

They temporarily halt the current execution flow, allowing
the CPU to address the interrupting event, and then
resume normal operations.

In I/O devices one of the bus control lines is dedicated for
this purpose and is called the Interrupt Service Routine
(ISR).

1. Software Interrupts
Traps and exceptions are other names for software
interruptions. Software interrupts often occur when
system calls are made.

2. Hardware Interrupts
All the devices are connected to the Interrupt Request
Line to request an interrupt.
 Exceptions
Exceptions are events that disrupt the normal flow of execution in a program, often due to errors.
They are handled by special constructs in programming languages, allowing the program to take
corrective action or terminate gracefully.

Examples of exceptions include memory access violations, debugging issues, and mathematical
anomalies like division by zero.
Not all exceptions result from faults. System calls are treated as exceptions by the OS kernel.
 Trap Handling
Trap handling involves managing software-generated interrupts or exceptions. When a trap occurs, the operating
system's kernel takes control, performs the necessary actions to address the issue, and then returns control to
the appropriate point in the program.
The OS kernel uses a trap handler to take control of interrupts and exceptions when they occur.

When an interrupt occurs, the kernel traps the currently executing process/thread and changes its state to
wait.

The interrupting process/thread is then scheduled to run on the CPU if permitted by the kernel.

Interrupts are typically scheduled with higher priority in the queue.
 Device Drivers
Device drivers are specialized software programs that allow the operating system to
communicate with hardware devices. They provide the necessary interface for the OS to
control and interact with devices like printers, graphics cards, and network adapters.

A driver is a software component that lets the operating system and a device communicate
with each other. This is why when you connect hardware to a computer you often need a
driver.
The device does not know how communicate with the OS, but the driver is the translator.
Both the device, driver, and OS all know how to communicate with each other.
 Check On Learning
1. A ____ ____ is a set of standard performance metrics or behaviors established for processes running on a
system.

2. What in computing refers to the ability of a system to manage multiple tasks or processes simultaneously?

3. This benefit of Concurrency maximizes the use of available processing resources (CPU cores) by keeping
them busy with productive work.

4. What are the two types of interrupts?

5. ___ are events that disrupt the normal flow of execution in a program, often due to errors.
What Are
Your
Question
s
SUMMARY
 OBJECTIVES
Describe Windows Authentications Describe Boot Process

Describe User/Group Management Describe Kernel Designs

Describe File/File Systems Describe Process Baseline

Describe Directory Structure Describe Concurrency

Describe File Permissions Describe Interrupts

Describe Windows Command(s) Line Describe Exceptions

Identify PowerShell Describe Trap Handling

Describe Backups Describe Device Drivers

Describe Logs Demonstrate Windows Fundamentals

Describe Scheduled Tasks
 Identify Win Fund. Part I SUMMARY
LSA 1: Describe Windows Authentications
Different authentication methods:
Password-based authentication
Multi-factor authentication (MFA)
Public key infrastructure (PKI)
Oauth
Windows Authentication (NTLM) (Kerberos or negotiation type)

LSA 2: Describe User/Group Management

Two types of accounts primarily exist: User & Service Accounts

Three types of user accounts: Local, Domain, Built-in:
Types of built-in: Standard: Administrator, & Guest:
User and Group Management: GUI, CLI and PS

LSA 3: Describe File/File Systems
Difference between File and File System
 Identify Win Fund. Part I SUMMARY cont.

LSA 4: Describe Directory Structure: Windows Folder, System 32,.dll,.exe, Program Files and Users Folder

LSA 5: Describe File Permissions: Authentication and Authorization

LSA 6: Describe Windows Command(s) Line and using the /? and /help

LSA 7: Identify PowerShell: Cross-platform interface
Key features: CLI, Scripting language and CMDLETs, Pipelines, Object-oriented, Remote management, & modules
Common Uses: Management, automation, Sys Admin, & software deployment

LSA 8: Describe Backups: Full, Incremental, & Differential
LSA 9: Describe Logs: the difference between Logs and Log files
LSA 10: Describe Scheduled Tasks: Triggers and syntax
 Windows Command Line
Basic Commands
dir: Lists the contents of a directory.
cd: Changes the current directory.
copy: Copies files from one location to another.
move: Moves files from one location to another.
del: Deletes one or more files.
mkdir: Creates a new directory.
rmdir: Removes a directory.
type: Displays the contents of a file.
echo: Displays messages or turns command echoing on or off.
ipconfig: Displays all current TCP/IP network configuration values.
cls: clear your terminal screen.
exit: Exits the command prompt.
 PowerShell Basic Commands:
Get-Help: Displays help information about PowerShell cmdlets.
Update-Help: to update your Help Files

Get-Command: Lists all cmdlets, functions, workflows, aliases installed on your system.
Get-ChildItem: displays the files and directories in the PowerShell console.
Get-Process: Retrieves the processes running on a local or remote computer.
Get-Service: Gets the status of services on a local or remote machine.
New-Item: Creates a new item, such as a file or directory.

Copy-Item: Copies an item from one location to another.
Remove-Item: Deletes files or directories.
 Identify Win Fund. Part II SUMMARY
LSA 11: Describe Boot Process:
Two types of Modes: Kernel (priv) & User (least priv)
Boot phases: 1. Pre-boot: POST, BIOS/UEFI Firmware
2. Boot Mgr: Real-Protected, Read BCD, and starts winload.exe
3. OS Loader: Ntoskrnl.exe, HAL.dll, Drivers 4. Kernel Init: Ntdll.dl and the rest of drivers and services 5. User Logon: from
SMSS.exe – explorer.exe

LSA 12: Describe Kernel Designs: monolithic, microkernel, hybrid, exo, & virtual
LAS 13: Describe Process Baseline: to establish a standard and help identify abnormality on systems.
LSA 14: Describe Concurrency: managing multiple task efficiently.
Benefits: Improved Responsiveness, Resource Utilization, Modularity and stability.
Conditions: Race, Deadlocks and synchronization.

LSA 15: Describe Interrupts: Indication of an event that needs immediate attention.
Two types: Software and Hardware

LSA 16: Describe Exceptions: disruption to normal flow
LSA 17: Describe Trap Handling: Managing software-generated interrupts or exceptions.
LSA 18: Describe Device Drivers: OS to communicate with Hardware
 Identify Win Fund. CLI Demonstration
Basic Commands
dir: Lists the contents of a directory.
cd: Changes the current directory.
copy: Copies files from one location to another.
move: Moves files from one location to another.
del: Deletes one or more files.
mkdir: Creates a new directory.
rmdir: Removes a directory.
type: Displays the contents of a file.
echo: Displays messages or turns command echoing on or off.
ipconfig: Displays all current TCP/IP network configuration values.
cls: clear your terminal screen.
exit: Exits the command prompt.
 Identify Win Fund. PS Demonstration
Get-Help: Displays help information about PowerShell cmdlets.
Update-Help: to update your Help Files
Get-Command: Lists all cmdlets, functions, workflows, aliases installed on your system.
Get-ChildItem: displays the files and directories in the PowerShell console.
Get-Process: Retrieves the processes running on a local or remote computer.
Get-Service: Gets the status of services on a local or remote machine.
New-Item: Creates a new item, such as a file or directory.
Copy-Item: Copies an item from one location to another.
Remove-Item: Deletes files or directories.