Unit1 - Subjective Questions

In Windows architecture, the processor switches between two distinct modes to ensure system stability and security:

1. User Mode:

• Definition: This is a non-privileged mode where applications (like Word, Chrome) run.
• Isolation: Applications running here have their own private virtual address space. They cannot alter other applications' data or the OS data directly.
• Crash Impact: If an application in User Mode crashes, it typically only affects that specific application, not the entire operating system.
• API Usage: To access hardware, User Mode apps must call system APIs, which trigger a switch to Kernel Mode.

2. Kernel Mode (Privileged Mode):

• Definition: This is the mode where core operating system components and hardware drivers run.
• Access: Code running here has unrestricted access to all system memory and direct access to hardware instructions.
• Crash Impact: If a crash occurs in Kernel Mode (e.g., a faulty driver), it causes a fatal system error, commonly known as the Blue Screen of Death (BSOD), halting the entire system.

Key Distinction: The boundary prevents malicious or buggy user programs from overwriting critical OS data.

The differences between NTFS and FAT32 are as follows:

The Windows Registry is a hierarchical database used to store configuration settings for the operating system, hardware, and applications. It is structured like a file system with Keys (folders) and Values (files).

The Five Root Keys (Hives):

1. HKEY_CLASSES_ROOT (HKCR):
   • Stores information about file associations and OLE (Object Linking and Embedding) registration. It links file extensions (e.g., .pdf) to the application that handles them.
2. HKEY_CURRENT_USER (HKCU):
   • Contains configuration data for the user currently logged in (e.g., desktop wallpaper, installed printers, environment variables specific to the user).
3. HKEY_LOCAL_MACHINE (HKLM):
   • Stores settings specific to the local computer, regardless of who is logged in. This includes hardware drivers, OS startup info, and installed software settings.
4. HKEY_USERS (HKU):
   • Contains the user profiles for all users who have ever logged onto the computer. HKCU is actually a sub-key of this hive.
5. HKEY_CURRENT_CONFIG (HKCC):
   • Contains information about the hardware profile currently being used by the local computer system at startup.

Process:

• Definition: A process is an instance of a computer program that is being executed. It acts as a container for resources.
• Resources: It owns memory address space, handles to system objects (like files), and security context.
• Independence: Processes are isolated from one another.

Thread:

• Definition: A thread is the basic unit to which the operating system allocates processor time. It is the entity within a process that executes code.
• Relationship: A process must have at least one thread (the primary thread). Multiple threads can exist within a single process.
• Sharing: Threads within the same process share the process's memory and resources, allowing for efficient communication but requiring synchronization to avoid conflicts.

Summary: A Process is the container of resources; a Thread is the execution unit using those resources.

Windows Event Viewer is a Microsoft Management Console (MMC) snap-in that enables administrators and users to view the event logs on a local or remote machine. It is crucial for troubleshooting system errors and security auditing.

Main Log Types:

1. Application Log:
   • Events logged by software programs installed on the system. For example, a database error or a crash in a text editor would appear here. The classification (Error, Warning, Info) is determined by the application developer.
2. System Log:
   • Events logged by Windows system components. This includes failure of drivers to load, network connectivity issues, or services stopping unexpectedly.
3. Security Log:
   • Records security-related events based on the system's audit policies. This includes valid and invalid logon attempts (auditing success/failure) and resource access logs.

Purpose:
Environment variables are dynamic named values that can affect the way running processes will behave on a computer. They serve as shortcuts or placeholders for information about the system environment, such as drive letters, pathnames, or configuration preferences.

Types:

• User variables: Specific to the currently logged-in user.
• System variables: Apply to the entire system and all users.

Common Examples:

1. %PATH%: Specifies a list of directories where the operating system looks for executable files if the full path is not provided in the command line.
2. %TEMP% or %TMP%: Defines the directory where applications usually store temporary files.
3. %WINDIR%: Points to the directory where Windows is installed (usually C:\Windows).

Command Prompt (CMD):

• Legacy: It is the original command-line interpreter for Windows, based on the older MS-DOS commands.
• Input/Output: It is text-based. The output of a command is a string of text.
• Usage: Good for basic file manipulation and running batch scripts (.bat).
• Complexity: Limited scripting capabilities.

PowerShell:

• Modern: Built on the .NET framework, designed for advanced system administration and automation.
• Input/Output: It is Object-Oriented. The output of a command (cmdlet) is a .NET object, not just text, allowing properties to be manipulated easily.
• Usage: Used for complex automation, managing cloud resources (Azure), and registry manipulation.
• Scripting: Supports a powerful scripting language (.ps1) with loops, variables, and .NET integration.

Windows Services:
Windows Services are computer programs that run in the background to support the operating system or other applications. They typically perform tasks such as managing network connections, handling print jobs (Print Spooler), or managing user credentials.

Differences from Standard Applications:

1. Interface: Services usually run without a user interface (UI) and do not interact directly with the logged-in user.
2. Lifecycle: Services can be configured to start automatically when the operating system boots, even before a user logs on.
3. Management: They are managed via the Service Control Manager (services.msc), where they can be stopped, started, or paused, unlike apps managed via the Taskbar or Task Manager.
4. Privileges: They often run under specific system accounts (like LocalSystem) rather than a standard user account.

Definition:
The Hardware Abstraction Layer (HAL) is a layer of software (specifically a dynamic link library, hal.dll) that resides between the physical hardware of the computer and the operating system kernel.

Role & Functions:

1. Portability: It hides hardware-dependent details (like motherboard interfaces and interrupt controllers) from the upper layers of the OS. This allows the same Windows kernel code to run on different hardware architectures without rewriting the kernel.
2. Translation: When the kernel or drivers need to communicate with hardware, they call functions in the HAL. The HAL translates these generic commands into instructions specific to the actual hardware components.
3. Device Independence: It ensures that the OS doesn't need to know the specific intricacies of the chipset or motherboard, promoting stability and compatibility.

Task Manager is a system monitor program used to provide information about the processes and programs running on a computer, as well as the general status of the computer.

Key Tabs and Features:

1. Processes: Shows currently running apps and background processes along with their real-time usage of CPU, Memory, Disk, and Network.
2. Performance: Provides graphical views of system resource utilization (CPU speed, uptime, RAM usage, GPU activity).
3. App History: Shows resource usage statistics for Universal Windows Platform (UWP) apps over time.
4. Startup: Allows users to enable or disable programs that launch automatically when Windows starts.
5. Users: Shows all logged-in users and the resources consumed by their specific sessions.
6. Details/Services: Provides a technical list of process IDs (PIDs), priority levels, and service states.

Virtual Memory:
Virtual memory is a memory management capability of the OS that uses hardware and software to allow a computer to compensate for physical memory (RAM) shortages by temporarily transferring data from RAM to disk storage.

Role of pagefile.sys:

1. Extension of RAM: When physical RAM is full, Windows moves data that hasn't been used recently to a hidden system file on the hard drive called pagefile.sys (paging file).
2. Mechanism: This process is called "paging" or "swapping." It frees up RAM for active applications.
3. Crash Dumps: The page file is also used to back crash dumps. If the system crashes (BSOD), the contents of the memory are written to the page file to be analyzed later.
4. Location: It is typically located in the root of the C: drive.

These folders store core operating system library files (DLLs) and executables (EXEs).

1. System32 (C:\Windows\System32):

   • Counter-intuitively, on a 64-bit version of Windows, this folder contains the 64-bit system files. It is the primary location for the OS kernel files and native system tools.
   • The name is kept as "System32" for backward compatibility with hardcoded paths in older applications.

2. SysWOW64 (C:\Windows\SysWOW64):

   • This folder contains the 32-bit system files necessary to run 32-bit applications on a 64-bit OS.
   • WOW64 stands for "Windows on Windows 64-bit," a subsystem that handles the translation between 32-bit apps and the 64-bit OS.

Key Concept: When a 32-bit program tries to access System32, Windows automatically redirects it to SysWOW64 to ensure it loads the compatible 32-bit libraries.

Definition:
A Device Driver is a specialized software program that controls a specific hardware device attached to a computer. It acts as a translator between the Operating System/Applications and the hardware.

Relationship with Windows Kernel:

• Kernel Mode Execution: Most hardware drivers (specifically device drivers) run in Kernel Mode (Ring 0). This gives them high-priority access to hardware resources.
• Interaction: When a user application wants to print a document, it sends a request to the OS API. The Kernel receives this request and passes it to the Printer Driver. The Driver translates the OS command into electrical signals the printer understands.
• Stability Risk: Because drivers run in Kernel Mode, a poorly written driver can crash the entire operating system (causing a Blue Screen of Death), as it bypasses the safety nets of User Mode.

Microsoft segments Windows into editions to cater to different user needs:

1. Windows Home:

   • Target: Consumers and basic home users.
   • Features: Includes standard features like Edge, Cortana, Windows Hello, and basic security.
   • Limitations: Lacks BitLocker encryption, Remote Desktop (host), and Group Policy Management. Cannot join an Active Directory Domain.

2. Windows Pro:

   • Target: Small businesses and enthusiasts.
   • Features: Includes all Home features plus BitLocker (disk encryption), Remote Desktop (host capability), Hyper-V (virtualization), and the ability to join Domains and Azure Active Directory.

3. Windows Enterprise:

   • Target: Large organizations and corporations.
   • Features: Includes all Pro features plus advanced security features like AppLocker, DirectAccess (VPN alternative), and BranchCache (network optimization). Available only through Volume Licensing channels.

Resource Monitor (resmon):
Resource Monitor provides a deep, real-time look into how system resources are being used by specific processes and services.

Key Features:

• Detailed Breakdown: It splits usage into CPU, Disk, Network, and Memory tabs.
• File Handles: Unlike Task Manager, Resource Monitor can search for "Associated Handles." For example, if a file is locked and cannot be deleted, Resource Monitor can identify exactly which process is holding that file open.
• Disk Activity: It shows exactly which files are being read/written to the disk and at what speed (B/sec).
• Network Activity: It shows active TCP connections, listening ports, and latency/packet loss data for specific processes.

Difference from Task Manager:
While Task Manager provides a summary and allows killing processes, Resource Monitor is a diagnostic tool used to analyze performance bottlenecks and dependency issues in detail.

1. msinfo32 (System Information):

• Purpose: It is a comprehensive tool that displays details about the system hardware, resources, and software environment.
• Usage: It provides a hierarchical view of:
  • Hardware Resources: IRQs, DMA, and Memory addresses (useful for conflict resolution).
  • Components: Detailed info on Sound, Display, Storage, and Input devices.
  • Software Environment: Running tasks, services, startup programs, and print jobs.

2. dxdiag (DirectX Diagnostic Tool):

• Purpose: Primarily designed to troubleshoot issues related to DirectX audio and video hardware.
• Usage:
  • It reports detailed information about the Graphics Card (GPU), Video Memory (VRAM), and Drivers.
  • It verifies if DirectX features (Direct3D, DirectDraw) are enabled.
  • It is often used by support teams to diagnose gaming or multimedia performance issues.

NTFS (New Technology File System) allows administrators to control access to individual files and folders via an Access Control List (ACL).

Key Concepts:

1. Principals: Permissions are assigned to Users (e.g., "Bob") or Groups (e.g., "Administrators").
2. Permission Types:
   • Full Control: Read, write, modify, delete, and change permissions.
   • Modify: Read, write, and delete, but cannot change permissions.
   • Read & Execute: View files and run programs.
   • Read: View file contents only.
   • Write: Create files/folders.
3. Inheritance: By default, files and subfolders inherit permissions from their parent folder. This simplifies management.
4. Precedence: "Deny" permissions explicitly override "Allow" permissions. If a user is in a group that allows access but is individually denied, they will be denied.

Registry Structure:
The Windows Registry is a hierarchical database that resembles a file system tree.

1. Hives:

• A Hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system starts or a user logs in.
• Unlike standard folders, Hives are the "Root" nodes.
• Examples: HKEY_LOCAL_MACHINE and HKEY_USERS are the primary hives backed by physical files on the disk (like SAM, SOFTWARE, SYSTEM files in C:\Windows\System32\config).

2. Keys:

• Keys are the organizational units inside a Hive. They function exactly like folders in File Explorer.
• Keys can contain Subkeys (sub-folders) and Values (the actual data settings).
• Example Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft. Here, SOFTWARE and Microsoft are Keys.

The Kernel (specifically ntoskrnl.exe in Windows) is the core component of the operating system.

Primary Functions:

1. Memory Management: It handles the allocation and deallocation of memory (RAM) to different processes and manages Virtual Memory (Paging).
2. Process and Thread Management: It schedules threads for execution on the CPU (Context Switching) and manages the creation/termination of processes.
3. I/O Management: It manages communication between applications and hardware devices via drivers.
4. Security Reference Monitor: It enforces security policies, checking access rights (ACLs) whenever a process tries to access a resource (file, port, etc.).
5. Interrupt Handling: It manages hardware interrupts and exceptions, prioritizing critical hardware signals over standard processing.

1. ping:

• Function: Tests the reachability of a host on an Internet Protocol (IP) network.
• Usage: Sends ICMP Echo Request messages to the target and waits for Echo Reply. It measures the round-trip time (latency) and packet loss.

2. ipconfig (Internet Protocol Configuration):

• Function: Displays all current TCP/IP network configuration values.
• Usage: Shows IP address, Subnet Mask, and Default Gateway. ipconfig /all shows MAC addresses; ipconfig /flushdns clears the DNS resolver cache.

3. sfc (System File Checker):

• Function: Scans and restores corrupted Windows system files.
• Usage: sfc /scannow checks the integrity of protected system files and replaces incorrect versions with correct Microsoft versions.