Operating Systems
Keep three copies of your data, on two different types of media, with one copy held offsite and offline (so that ransomware reaching the network cannot encrypt every copy).
3-2-1 Rules
Refers to the width of the CPU's registers and memory addresses. A 32-bit CPU uses 32-bit addresses (at most 4 GB of addressable memory), a 64-bit CPU uses 64-bit addresses and handles wider data in each instruction. Operating systems ship in 32-bit (x86) and 64-bit (x64) versions to match the CPU; a 64-bit OS requires a 64-bit CPU.
32 bit vs 64 bit
Browsers have a basic settings page, but also advanced settings that give more control over the browser, reached through chrome://flags (Chrome), about:config (Firefox) or the equivalent in your browser.
Advanced browser settings.
Remember frequency and retention.
Full Only - Backs up everything into a single backup set every time. Most space and time per job; lowest recovery complexity (restore one set).
Full with Incremental - Starts with a full backup, then each job backs up only the files modified since the previous backup of any type (full or incremental). Least time and space per job, but highest recovery complexity: a restore needs the full plus every incremental since it, applied in order, and one missing set breaks the chain.
Full with Differential - Starts with a full backup, then each job backs up all files modified since the last full backup, so each differential grows until the next full. Moderate time and space; moderate recovery complexity (restore the full plus only the newest differential).
Backup Chains
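As an added example (not part of the original notes), here is a small Python simulation of the three chains over a constructed six-day change history. It shows what each daily job captures, how many file copies each scheme stores in total, and which backup sets a restore needs; the file names and change history are made up for the illustration.

```python
"""Simulate full, full+incremental and full+differential backup chains.

Added example; the change history below is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed change history: day -> files modified that day.
# Day 0 is the day of the first full backup; every file exists on day 0.
CHANGES: Dict[int, Set[str]] = {
    0: {"a.txt", "b.txt", "c.txt", "d.txt"},
    1: {"a.txt"},
    2: {"b.txt"},
    3: {"a.txt", "c.txt"},
    4: set(),
    5: {"d.txt"},
}

Backup = Tuple[int, str, Set[str]]  # (day, kind, files captured by that job)


def plan_chain(changes: Dict[int, Set[str]], scheme: str) -> List[Backup]:
    """Build the chain for scheme 'full', 'incremental' or 'differential'.

    One job runs per day and day 0 is always a full backup.
    """
    if scheme not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown scheme {scheme!r}")
    all_files = set().union(*changes.values())
    chain: List[Backup] = [(0, "full", set(all_files))]
    since_full: Set[str] = set()  # files modified since the last full backup
    for day in sorted(d for d in changes if d > 0):
        since_full |= changes[day]
        if scheme == "full":
            chain.append((day, "full", set(all_files)))
        elif scheme == "incremental":
            # only what changed since the previous job of any type (yesterday's)
            chain.append((day, "incremental", set(changes[day])))
        else:
            # everything changed since the last full: grows until the next full
            chain.append((day, "differential", set(since_full)))
    return chain


def restore_sets(chain: List[Backup], day: int) -> List[Backup]:
    """Backup sets that must be applied, in order, to restore the state as of `day`."""
    available = [b for b in chain if b[0] <= day]
    last_full = max(i for i, b in enumerate(available) if b[1] == "full")
    later = available[last_full + 1:]
    if not later:
        return [available[last_full]]
    if later[-1][1] == "incremental":
        # every incremental since the full; one missing set breaks the chain
        return [available[last_full]] + later
    # full plus only the newest differential
    return [available[last_full], later[-1]]


def restored_files(sets: List[Backup]) -> Set[str]:
    """Files that come back when the given sets are applied in order."""
    files: Set[str] = set()
    for _, _, captured in sets:
        files |= captured
    return files


def stored_copies(chain: List[Backup]) -> int:
    """Total number of file copies held across the chain (a proxy for space used)."""
    return sum(len(captured) for _, _, captured in chain)


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        chain = plan_chain(CHANGES, scheme)
        needed = restore_sets(chain, 5)
        print(f"{scheme:13s} copies stored: {stored_copies(chain):2d}  "
              f"sets needed to restore day 5: {len(needed)}")
```

Running it prints 24 copies / 1 set for full-only, 9 copies / 6 sets for incremental and 17 copies / 2 sets for differential, which is the space-versus-recovery trade-off the card describes.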
Operating system by Google for Chromebooks and other netbooks.
Chrome OS
eventvwr.msc
Command for Event Viewer
msinfo32.exe. Shows a summary of the hardware, drivers and software environment.
Command for System Information
devmgmt.msc
Command for device manager
net view lists the computers in the workgroup or domain; net view \\<servername> lists the shares on that specific server.
Command to display all servers on local network
net user
Command to look at user accounts or modify them
certmgr.msc (the current user's certificate store; certlm.msc is the computer store). Be careful what gets installed here: a malicious certificate placed in Trusted Root Certification Authorities lets an attacker sign code or intercept TLS traffic without any warning.
Command to see certificates
tracert <IP address or hostname>, or pathping <IP address or hostname>. tracert records each router the packet passes through (each one is a hop) and the round-trip time to it, which helps locate the point of failure; if the destination cannot be reached, it still shows the hops that did respond. pathping traces the route first and then pings each hop for a period of time to measure per-hop latency and packet loss. If there is a routing issue, check whether your ISP has a wider network outage, and if not, try restarting the router.
Command to track path of packet
If there is an issue with name resolution: nslookup [-option] <host> [dnsServer]. Query the same name against a different DNS server (for example a public resolver) and compare the answers with your own server's to see whether your DNS configuration is wrong.
Command to troubleshoot DNS
Digital Rights Management (Copyright for media)
DRM
Frequent (daily or even hourly) updates to the antivirus signature database so that it can recognise newly discovered malware.
Definition/pattern updates
wf.msc
Firewall command
Grandfather-father-son. A backup rotation and retention scheme: daily backups (sons) are kept for a short time, a weekly backup (father) is kept longer, and a monthly backup (grandfather) is kept longest. Traditionally associated with rotating sets of tapes, but the same scheme can be applied to disk-based backups.
GFS
GUID Partition Table. The partitioning scheme used with UEFI boot; Windows supports up to 128 partitions on a GPT disk and partitions larger than 2 TB. A GPT disk carries a protective MBR so that legacy tools do not treat it as empty, but Windows can only boot from a GPT disk on UEFI firmware; a BIOS-only machine needs an MBR boot disk.
GPT
Hardware Compatibility List. Microsoft publishes a list of hardware that has been tested and is supported for Windows.
HCL
Go to Advanced system settings > System Protection. Restore points should be created automatically (for example before updates and driver installs), but you can change that here. System Restore rolls the operating system, registry and installed programs back to a chosen restore point without removing personal files. It can be launched with rstrui.exe.
How to configure System Restore
Control Panel > System and Security > Windows Defender Firewall > Allow an app or feature through Windows Defender Firewall.
How to configure firewall
Create a shared folder on the server, then open the user account's Properties > Profile tab and set the home folder to that share. This is the older way of doing it; a plain local profile has the drawback of keeping the user's files on one computer. A roaming profile loads the profile from a shared drive when the user signs in and uploads any changes when they sign out, which can be slow if large files are involved. Folder redirection under Group Policy instead points folders such as Documents at a shared drive, so the files are not copied back and forth at each sign-in.
How to create home folder
Control Panel > Backup and Restore (Windows 7) > Create a system image, and write it to a USB drive or another disk. To use it, boot into Advanced startup (the Windows Recovery Environment) > System Image Recovery. If you do not have a recovery image, reinstall Windows via Settings > Reset this PC. If you are resetting a PC in order to give it away, choose Remove everything and the option to clean the drive so that the files cannot be recovered.
How to create recovery image
Find "Indexing Options" in Control Panel or through the Windows search bar.
How to edit "search" settings for file explorer
Right-click the file or folder > Properties > Advanced > Encrypt contents to secure data (EFS). Not available on Home editions. Back up the EFS certificate and private key (Windows prompts for this after first use; certmgr.msc can export it later); without it the data cannot be recovered if the user profile is lost.
How to encrypt individual files
A Home edition cannot join a domain. On Pro and above, join through System Properties (sysdm.cpl > Computer Name > Change) or through Settings > Accounts > Access work or school.
How to join a domain
Incident Response Plan
IRP
secpol.msc
Local Security Policy
msra.exe
MSRA
Network Level Authentication: requires the RDP client to authenticate before a session and the logon screen are created on the server. This keeps unauthenticated clients from consuming server resources (a denial-of-service vector) and from reaching the logon screen or pre-authentication bugs in RDP.
NLA
NTFS permissions apply both to local access and to access over the network (where the effective permission is the more restrictive of the share permission and the NTFS permission). Right-click the folder > Properties > Security tab.
NTFS permissions
When the antivirus scans a file as it is opened or executed, before the user gets to use it, to determine whether it is safe.
On-access scanning
Preboot eXecution Environment. A BIOS/UEFI firmware option that lets the computer boot from the network: it obtains an address from DHCP and downloads boot files, or files to install an OS, from a server. Computers that have this option may also support internet-based boot.
PXE
Paging File: %Usage - The percentage of the paging file currently in use. A consistently high value means the system is short of RAM and is paging to disk; paging is disk-intensive and slows the whole machine.
Paging Counter (For Performance Monitors)
A device that combines the features of a smartphone with a tablet.
Phablet
Disconnect the host from the main network (or move it to an isolated network). Do this as soon as you suspect malware on a computer so that it cannot spread or reach its command-and-control server.
Quarantine
mstsc.exe is the client. To allow RDP into a computer, enable it under Settings > System > Remote Desktop. Use Select users to configure who may connect remotely (members of Administrators are allowed by default). Advanced settings has more options, including requiring Network Level Authentication.
RDP
1. Investigate and verify malware symptoms.
2. Quarantine infected systems.
3. Disable System Restore in Windows (so the malware is not preserved in restore points).
4. Remediate infected systems: update anti-malware software; use scanning and removal techniques (e.g., Safe Mode, preinstallation environment).
5. Schedule scans and run updates.
6. Enable System Restore and create a restore point in Windows.
7. Educate the end user.
Removing malware
A type of Trojan that disguises itself as antivirus software, typically with fake infection warnings that push the user to install or pay for it.
Rogue Antivirus
A software update to the antivirus engine itself (the code that performs the scanning), as opposed to a definition update.
Scan engine/component updates
It hides the share from browsing (it is not listed by net view or in File Explorer's Network view), but anyone who knows the name can still connect with the UNC path \\<server>\<share>$. It is not a security control on its own; rely on share and NTFS permissions.
Significance of $ at the end of a shared folder name
Power states are defined by the Advanced Configuration and Power Interface (ACPI).
S0: Working (powered on).
S1-S3: Sleep/Standby (suspend to RAM) - progressively more components are powered down, but RAM stays powered so the session can resume quickly.
S4: Hibernate (suspend to disk) - the contents of RAM are written to hiberfil.sys on the disk and the machine powers down; resuming reads them back.
S5: Soft off - powered down, but the power supply still provides standby power (for the power button, Wake-on-LAN).
G3: Mechanical off - no power at all.
Sleep Modes
Spyware can change browser settings, add bookmarks and make other changes, so settings or bookmarks you do not remember changing are a symptom. Other symptoms: URLs redirecting to unexpected sites, and unexpected certificate warnings (a sign that traffic is being intercepted).
Symptoms of malware affecting browser
A new full backup built by combining the previous full backup with the incremental backups taken since it, instead of reading all the data from the source again.
Synthetic Backup
Verifies the integrity of protected Windows system files and replaces corrupted or modified ones from the component store. Run it from an elevated command prompt.
sfc /scannow - Scans and repairs immediately.
sfc /verifyonly - Scans but does not attempt repairs.
sfc /scanonce and sfc /scanboot - Run at the next reboot / at every boot (options from older Windows versions).
If sfc reports that it could not repair some files, repair the component store first with DISM /Online /Cleanup-Image /RestoreHealth, then run sfc /scannow again.
System File Checker
sysdm.cpl. You can change the hostname here (Computer Name tab).
System Properties
Try booting into Safe Mode to see whether the graphics driver is the problem, and roll it back or reinstall it. If nothing loads at all, the OS may need to be repaired or recovered. To check whether the OS is still responsive, press Win+Ctrl+Shift+B: you should hear a beep and the display driver reinitialises. If this started after changing msconfig settings, check whether they need to be reverted. If it keeps happening, run chkdsk to check the disk for corruption.
What happens if it looks like the OS loads but there is a black screen.
winver. Version refers to the last feature update (1607 = 2016, month 07; 22H2 = second half of 2022). OS Build is a two-part number: the first part identifies the feature update build, the second the cumulative update (patch) level. Look the build number up to see whether there are known issues with that update. The Settings > System > About page has more information about the OS.
cmd command to check Windows version
dir - list files and directories
md or mkdir - make a directory in the current directory
rd or rmdir - remove an (empty) directory
rmdir /s - remove the directory together with all its files and subdirectories
cmd directory commands
Run diskpart, then select disk 0 (or whichever numbered disk you need to look at; list disk shows them) and detail disk to display configuration information for the disk. It should show that the volumes are healthy; if it reports that there is no partition table, the partition table is probably corrupted. Then select partition <n> (partitions are numbered from 1) or select volume <n> (volumes are numbered from 0) and enter detail partition or detail volume for more information. The assign, delete and extend commands manage the partition from here; delete and clean destroy data, so double-check that the right disk is selected first.
diskpart command
format C: /fs:NTFS (or whichever drive letter and filesystem you want). By default it scans the drive for bad sectors before formatting; the /q (quick) switch skips that. A normal format removes the data from the drive, but it can still be recovered with third-party software; to overwrite every sector, add /p:<count> (for example format D: /fs:NTFS /p:1).
format command
shutdown /s - Shut down
shutdown /h - Hibernate
shutdown /l - Log off
shutdown /r - Restart
/t <seconds> adds a delay (e.g., shutdown /r /t 60)
shutdown /a aborts a pending shutdown
shutdown command
Replaced AutoRun from legacy Windows, which automatically executed code from a USB drive or CD as soon as it was inserted so that you could get at the files; bad if the media carries malware. AutoPlay instead prompts the user to choose an action when media is inserted. AutoPlay settings are under Settings > Devices > AutoPlay; it can also be disabled entirely through Group Policy.
AutoPlay
Settings > Update & Security > Backup (File History)
Backing up data or folders
Test the restore procedure on a test file or in a virtual machine. Configure the backup software to verify each backup after it creates it. Run chkdsk regularly so that corrupted files are not backed up unnoticed. Verify that the backup contains everything it should. Back up before doing any hardware maintenance inside a computer.
Backup Testing and Recovery Best Practices
cleanmgr.exe. Removes unnecessary files (temporary files, old update files, Recycle Bin contents) to reclaim disk space.
Command for disk clean-up
dfrgui.exe
Command for disk defragmentor/optimizer
diskmgmt.msc
Command for disk management
lusrmgr.msc. Manage local user accounts and group membership here (not available on Home editions).
Command for local users and group console
perfmon.msc
Command for performance monitor
gpedit.msc. Has settings that are not exposed in Settings or Control Panel (not available on Home editions).
Command for policy editor
regedit.exe
Command for registry editor
resmon.exe
Command for resource monitor
services.msc
Command for services
msconfig.exe. Options for booting: Safe boot, limiting resources (number of processors, maximum memory), enabling or disabling services, launching admin tools, etc.
Command for system configuration
taskmgr.exe
Command for task manager
taskschd.msc. You can schedule commands and batch files here. Also check it when hunting malware: scheduled tasks are a common persistence mechanism, so look for unfamiliar tasks.
Command for task scheduler
netstat -a shows all connections and listening ports; -b shows the executable that owns each connection (slow, and requires elevation); -n shows addresses and ports in numeric form instead of resolving names; -o shows the owning process ID. netstat -ano is the usual combination for finding which process has a port open.
Command that shows all open ports and listening ports
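As an added example (not part of the original notes), here is a Python parser for netstat -ano output that lists the TCP listeners and flags two things a responder looks for first: a listener on a non-loopback address that is not on the expected list, and an established connection to an address outside the internal ranges. The netstat output, the process IDs and the 203.0.113.50 peer are constructed for the illustration, and the allow-list of expected ports is an assumption you would replace with your own baseline.

```python
"""Parse netstat -ano output and flag listeners and connections worth a look.

Added example; the sample output below is constructed, not captured from a real host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:49680        127.0.0.1:49681        ESTABLISHED     6204
  TCP    192.168.1.20:49712     203.0.113.50:4444      ESTABLISHED     5132
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2240
"""

# Ranges treated as "inside": RFC 1918, loopback, link-local, IPv6 ULA.
# ipaddress.is_private also counts documentation ranges such as 203.0.113.0/24,
# which would hide the sample external peer, so the list is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Conn:
    proto: str
    local_ip: IPAddr
    local_port: int
    remote_ip: Optional[IPAddr]
    remote_port: Optional[int]
    state: str            # "" for UDP, which has no State column
    pid: int

    @property
    def is_listener(self) -> bool:
        return self.state == "LISTENING" or self.proto == "UDP"


def _split_addr(text: str) -> Tuple[Optional[IPAddr], Optional[int]]:
    """'192.168.1.20:49712' or '[::]:135' -> (address, port); '*:*' -> (None, None)."""
    host, _, port = text.rpartition(":")
    if host in ("", "*"):
        return None, None
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_netstat(text: str) -> List[Conn]:
    """Turn the text of `netstat -ano` into Conn records, skipping headers."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = _split_addr(parts[1])
        assert local_ip is not None and local_port is not None
        remote_ip, remote_port = _split_addr(parts[2])
        state = parts[3] if parts[0] == "TCP" else ""   # UDP rows have no state
        conns.append(Conn(parts[0], local_ip, local_port,
                          remote_ip, remote_port, state, int(parts[-1])))
    return conns


def is_internal(addr: IPAddr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def listening_tcp_ports(conns: List[Conn]) -> List[Tuple[int, int]]:
    """Sorted, de-duplicated (port, pid) pairs for TCP sockets in LISTENING state."""
    return sorted({(c.local_port, c.pid) for c in conns
                   if c.proto == "TCP" and c.state == "LISTENING"})


def findings(conns: List[Conn], allowed_ports: Set[int]) -> List[str]:
    """Flag non-loopback listeners outside the allow-list and established
    connections to addresses outside the internal ranges."""
    out: List[str] = []
    for c in conns:
        if c.is_listener and not c.local_ip.is_loopback and c.local_port not in allowed_ports:
            out.append(f"unexpected {c.proto} listener on port {c.local_port} (PID {c.pid})")
        elif c.state == "ESTABLISHED" and c.remote_ip is not None and not is_internal(c.remote_ip):
            out.append(f"external connection to {c.remote_ip}:{c.remote_port} from PID {c.pid}")
    return out


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("TCP listeners:", listening_tcp_ports(conns))
    for item in findings(conns, allowed_ports={135, 445, 5353}):
        print("FLAG:", item)   # then map the PID back with tasklist /fi "PID eq <pid>"
```

On the sample it flags the RDP listener bound to all interfaces (port 3389) and the connection from PID 5132 to 203.0.113.50:4444; the PID is what you then look up in Task Manager or with tasklist to identify the program.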
gpupdate applies any changes made to Group Policy immediately. Use /force to reapply unchanged policies as well. gpresult /r shows the resulting set of policy.
Command to update group policies
bootrec /fixmbr writes a new MBR (do not use this if the disk is GPT). bootrec /fixboot writes a new boot sector. bootrec /scanos lists Windows installations that are missing from the BCD, and bootrec /rebuildbcd adds them to the BCD. Run these from the Windows Recovery Environment command prompt.
Commands to recover OS if no OS is found
%Disk Time - Percentage of time the disk is busy servicing read and write requests. Over 85% for an extended period suggests a disk bottleneck. Average Disk Queue Length - The number of requests waiting for the disk. If it keeps increasing while %Disk Time is high, the disk is very likely the bottleneck.
Disk Counters (For Performance Monitors)
Shredding, incinerating, degaussing. Degaussing only works on magnetic media (hard disks, tape); SSDs and other flash media must be shredded or cryptographically erased.
Disposal of storage media
End-user license agreement.
EULA
Settings > Network & Internet > Status > Network reset
How to perform network reset and clear network configurations
Instead of System Restore, it may be worth checking Control Panel > Programs > Programs and Features > View installed updates > Uninstall an update (or Settings > Update & Security > Windows Update > View update history > Uninstall updates).
How to remove recently installed Windows Updates
ipconfig /all to see lease information
ipconfig /release <AdapterName> to give up the lease
ipconfig /renew <AdapterName> to request a new lease
How to replace lease from IP in case it is either missing or incorrect
Device manager > right click > properties > driver > roll back
How to roll back driver
Right-click a network folder and select Map Network Drive, assign a letter, and check "Reconnect at sign-in" unless you only want it temporarily. This can be done from the command line too:
net use M: \\<servername>\<folder> /persistent:yes maps the folder to drive letter M
net use M: /delete deletes the mapped drive M
net use * /delete deletes all mapped drives
You can turn network discovery off again afterwards.
How to set up a mapped drive
ipconfig /displaydns shows the local DNS resolver cache. If the cached records are out of date, clear them with ipconfig /flushdns.
How to troubleshoot DNS issues regarding name records
User > Properties > Account tab > clear the "Unlock account" / "Account is locked out" box. If the user forgot the password, right-click the account > Reset Password.
How to unlock account that has been locked due to too many failed attempts
An error message with a code should pop up that you can look up. For logs, run Get-WindowsUpdateLog in PowerShell on Windows 10 to generate WindowsUpdate.log on the desktop (older versions wrote %SystemRoot%\WindowsUpdate.log directly); Event Viewer also has the WindowsUpdateClient operational log under Applications and Services Logs > Microsoft > Windows.
If a Windows Update failed...
Master Boot Record. The first 512-byte sector of the disk, holding the boot code and the partition table. An MBR disk supports up to 4 primary partitions (or 3 primary plus one extended partition containing logical drives), with one primary marked active for booting, and disks of up to 2 TB. Each primary partition starts with a boot sector, or partition boot record (PBR), that loads the operating system. This is the legacy-boot layout: BIOS firmware boots from it (UEFI firmware can too in Compatibility Support Module/legacy mode, but a native UEFI Windows boot requires GPT).
MBR
Use Task Manager to terminate suspicious processes.
Execute commands at a command prompt and/or manually remove registry items with regedit.
Use msconfig to perform a safe boot, or boot into Safe Mode, to stop infected code from running at startup.
Boot from the product disc or recovery media and use the Windows Preinstallation Environment (WinPE) to run commands from a clean environment.
Remove the disk from the infected system and scan it from another system, taking care not to allow cross-infection (do not execute anything from it; mount it read-only if possible).
Manual virus removal steps
Available Bytes - The amount of physical memory available. It should not stay below about 10% of total RAM. If it decreases steadily over time without a matching change in workload, there could be a memory leak. Pages/sec - The number of pages read from and written to disk because of page faults. It should not average above 50; if it does, also check paging-file usage.
Memory Counters (For Performance Monitors)
ping 127.0.0.1
Ping loopback address
%Processor Time - Percentage of time the processor spends executing non-idle threads. Above 85% for a long period suggests a processor bottleneck. %Privileged Time - Worth looking at when %Processor Time is very high: it is the time spent in kernel mode (system processes and drivers), so if it is also high the CPU is underpowered for the system load, or a driver is misbehaving. %User Time - The time spent running application code.
Processor Counters (For Performance Monitors)
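As an added example (not part of the original notes), the Python below applies the thresholds from the disk, memory and processor counter cards to a window of samples, the way a monitoring rule or a triage script would. The counter values and the 8 GiB RAM size are constructed for the illustration, and the 50% cut-off for "high" %Privileged Time is an assumption, since the notes only say "high".

```python
"""Apply the Performance Monitor thresholds from these notes to a window of samples.

Added example; the samples are constructed and the %Privileged Time threshold is
an assumption (the notes only say "high").
"""
from statistics import mean
from typing import Dict, List

TOTAL_RAM_BYTES = 8 * 1024 ** 3  # assumed 8 GiB machine

# Constructed samples, one value per collection interval (six intervals).
SAMPLES: Dict[str, List[float]] = {
    "Processor: % Processor Time":          [90, 92, 88, 95, 91, 89],
    "Processor: % Privileged Time":         [70, 72, 68, 75, 71, 70],
    "Memory: Available Bytes":              [2.0e9, 1.6e9, 1.2e9, 0.9e9, 0.7e9, 0.6e9],
    "Memory: Pages/sec":                    [20, 30, 40, 60, 80, 100],
    "PhysicalDisk: % Disk Time":            [20, 25, 30, 22, 28, 24],
    "PhysicalDisk: Avg. Disk Queue Length": [0.5, 1.0, 0.8, 1.2, 0.9, 1.1],
}

CPU_BUSY_PCT = 85              # from the notes
DISK_BUSY_PCT = 85             # from the notes
PAGES_PER_SEC_AVG = 50         # from the notes
MEM_AVAILABLE_FRACTION = 0.10  # from the notes
PRIVILEGED_PCT = 50            # assumption: what counts as a "high" kernel share


def sustained(values: List[float], threshold: float) -> bool:
    """True when every sample in the window is above the threshold."""
    return all(v > threshold for v in values)


def trending_down(values: List[float]) -> bool:
    return all(b < a for a, b in zip(values, values[1:]))


def trending_up(values: List[float]) -> bool:
    return all(b > a for a, b in zip(values, values[1:]))


def evaluate(samples: Dict[str, List[float]], total_ram: int = TOTAL_RAM_BYTES) -> List[str]:
    """Return the list of alerts the notes' thresholds raise for this window."""
    alerts: List[str] = []

    cpu = samples["Processor: % Processor Time"]
    priv = samples["Processor: % Privileged Time"]
    if sustained(cpu, CPU_BUSY_PCT):
        alerts.append("cpu: sustained >85% processor time (possible CPU bottleneck)")
        # only meaningful when the CPU is already pegged, as the notes say
        if sustained(priv, PRIVILEGED_PCT):
            alerts.append("cpu: kernel-mode time dominates (system load or driver issue)")

    avail = samples["Memory: Available Bytes"]
    if avail[-1] < MEM_AVAILABLE_FRACTION * total_ram:
        alerts.append("memory: available below 10% of RAM")
    if trending_down(avail):
        alerts.append("memory: available bytes falling steadily (possible leak)")
    if mean(samples["Memory: Pages/sec"]) > PAGES_PER_SEC_AVG:
        alerts.append("memory: pages/sec averaging above 50 (check paging file usage)")

    disk = samples["PhysicalDisk: % Disk Time"]
    queue = samples["PhysicalDisk: Avg. Disk Queue Length"]
    if sustained(disk, DISK_BUSY_PCT):
        alerts.append("disk: sustained >85% disk time")
        if trending_up(queue):
            alerts.append("disk: queue length growing while busy (disk bottleneck)")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLES):
        print(alert)
```

On the constructed window the disk is healthy, so nothing is raised for it, while the CPU is pegged with most of that time in kernel mode and memory is both low and leaking, with paging rising as a result: five alerts that point at RAM first rather than at the CPU. The trending checks are deliberately strict (every sample must move the same way) so one noisy interval does not trigger a leak alert.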
The CPU's address width limits usable RAM. A 32-bit CPU can address at most 4 GB; 64-bit addressing allows 16 exabytes in theory, far more than anything needed today, and in practice the limit is set by the hardware and by the OS edition and licence. For example, Windows 10 Home is limited to 128 GB of RAM (Pro 2 TB; Enterprise and Pro for Workstations 6 TB).
RAM limitations
RDP Restricted Admin (RDPRA) mode and Remote Credential Guard keep the user's credentials from being sent to and cached on the remote host, which reduces the risk of having them stolen when you log into a system that may already be compromised by malware.
RDPRA
Create a fresh restore point or system image and a clean data backup.
Validate any other security-critical services and settings that might have been compromised by the malware:
- Verify the DNS configuration. DNS spoofing lets attackers direct victims away from the legitimate sites they intended to visit and toward fake ones, so inspect and re-secure the DNS settings to prevent reinfection.
- Re-enable software firewalls. If the malware ran with administrative privileges, it may have changed the host firewall configuration to allow a connection to its C&C network, and an unauthorized open port could let it back in. Inspect the firewall policy for unauthorized changes and consider resetting it to the default.
Run another antivirus scan; if it comes back clean, release the computer from quarantine.
Re-enable system restore
You can run 32-bit operating systems and applications on 64-bit hardware, but not the other way round. Updating an operating system can also break old software that previously worked. Not all software is available for every operating system.
Software Compatibility
Viruses - Require the user to run an executable; the virus then infects other files.
Boot sector viruses - Viruses that infect the boot sector so that they run before the OS loads.
Trojans - Malware that presents itself as legitimate software while running malicious code in the background.
Worms - Malware that replicates itself and spreads to other hosts over the network without user action.
Fileless malware - Uses scripts, batch files or built-in tools (e.g., PowerShell) rather than a dropped executable, so there is less on disk for file-based antivirus to find.
Types of malware
Backdoor - Malware that lets an attacker remotely access the computer to install more malware, add it to a botnet or move further into the network. The attacker controls it through a command and control (C&C) host or network.
Spyware - Malware that monitors the user and can reconfigure browser settings.
Keylogger - Malware that records keystrokes.
Rootkit - Malware that gains elevated (often kernel-level) privileges and uses them to hide itself and its activity from the OS and security tools.
Ransomware - Malware that encrypts or locks data in order to extort money from the user.
Cryptominer - Malware that uses your computing resources to mine cryptocurrency.
Types of malware payloads
End-of-life: when the developer stops updating an operating system, there are no more patches, updates or technical support for it, and software developers stop producing applications that support it. The same applies to outdated versions of a current operating system. Anyone who does not update or move to a supported operating system is left with security flaws that will never be patched, which puts them at risk and can also affect the user experience.
Vendor Specific Limitations
You can enable a policy or registry setting for highly detailed status messages to see more detail during startup. msconfig.exe, Boot tab, has a boot logging option (it writes ntbtlog.txt). Slow boots are usually caused by loading drivers and services, but there could be file corruption as well. If the user can sign in but the desktop is very slow to load, the profile may have become corrupted; create a new profile and copy over the files except NTUSER.DAT, NTUSER.DAT.LOG and NTUSER.INI.
What to do if system boots but very slowly.
Advanced sharing settings in Control Panel. You can turn on network discovery here. Under "All Networks" you can turn off password-protected sharing (not recommended, since it lets anyone on the network reach shares without an account).
Where to configure sharing options
Task Manager > Startup tab
Where to disable which processes start at boot
System Configuration (msconfig). You can launch other admin tools from here through the Tools tab.
Where to find boot options
Services
Where to turn off background process or restart them.
move <source> <destination>
copy <source> <destination>
xcopy <source> <destination>
robocopy <source> <destination>
xcopy and robocopy are both designed to copy the contents of more than one directory, but robocopy is preferred for this: it can tolerate network interruptions and retry.
/v verifies that the copy was successful
/y suppresses the overwrite prompt
/-y prompts before overwriting
cmd copy commands
"Destination host unreachable" means there is no route to the host: it is disconnected or undiscoverable. If the host is supposed to be up, there is a configuration issue; if the router's own IP is unreachable, the local configuration (IP address, subnet mask, default gateway) is wrong. This assumes both hosts are on the same network. "Request timed out" means the packet was sent to the host but no reply came back: either the host is down or it is configured (by a firewall) not to respond to ICMP.
ping failure messages