Interview Q and A On Windows

The document provides an overview of Windows Active Directory (AD), detailing its features, the Kerberos authentication process, and common fields in Windows event logs. It also lists common Windows event IDs, logon types, core processes, and the differences between user accounts and service accounts, along with specific error codes related to login failures. This information is essential for understanding Windows network management and security protocols.

Uploaded by

JUSTFRND GAMING

Interview Questions on Windows AD and Windows logs
What is Active Directory?

In Windows, AD stands for Active Directory, which is a directory service that stores and manages information about network resources, such as
users, groups, computers, and printers. Active Directory is a centralized database that enables administrators to manage and control access to
resources within a Windows domain.

Features:
• Authentication and authorization
• Domain Services
• Group Policy
• DNS Services
• Directory replication
What is Kerberos and how does Kerberos authentication work?

Kerberos is a network authentication protocol that is used to provide secure authentication between clients and servers over an insecure network, such as the Internet.

Kerberos authentication process:

1. User requests authentication: A user requests authentication to access a network resource, such as a file share or printer.
2. Ticket-granting ticket request: The user's computer sends a request to the KDC for a
ticket-granting ticket (TGT).
3. TGT delivery: If the user's credentials are valid, the KDC delivers a TGT to the user's
computer. The TGT contains a session key that is used to encrypt and decrypt
subsequent communications between the user's computer and the network resource.
4. Resource request: The user's computer sends a request for access to the network
resource to the resource server.
5. Ticket request: The resource server sends a request to the KDC for a service ticket,
which contains the user's identity and a session key that is encrypted with the TGT.
6. Service ticket delivery: If the user is authorized to access the resource, the KDC
delivers a service ticket to the resource server.
7. Resource access: The resource server grants access to the requested resource.
Common fields in Windows event logs

1. Date and Time: This shows the date and time of the event.
2. Event ID: This is a unique identifier assigned to the event.
3. Source: Security - this is the name of the software component that generated the
event.
4. Level: Information - this is the severity level assigned to the event.
5. User: This is the user account involved in the event. In this example, the event was
initiated by the system account.
6. Computer: This is the name of the computer where the event occurred.
7. Description: An account was successfully logged on. - this is a text description of
the event.
8. Keywords: Audit Success - this is a keyword that describes the event, indicating that
it was a successful audit event.
9. Category: Logon - this is a numeric value assigned to the event that indicates its
category. In this example, the event is related to a user logon.
10. Event Data: Subject: Security ID: S-1-5-18, Account Name: DC1$, Account Domain: Example, Logon ID: 0x3E7
Can you name a few Windows event IDs?

Here are some common Windows event IDs:

1. 4624 - An account was successfully logged on.
2. 4625 - An account failed to log on.
3. 4634 - An account was logged off.
4. 4720 - A new user account has been created.
5. 4726 - A user account has been deleted.
6. 4740 - A user account has been locked out.
7. 4798 - A user's local group membership was enumerated.
8. 7034 - A service was stopped.
9. 1102 - The audit log was cleared.
Windows logon types

There are 10 different logon types in Windows, which are as follows:

1. Interactive (logon at the console)
2. Network (logon over the network)
3. Batch (scheduled task)
4. Service
5. Proxy
6. Unlock
7. NetworkCleartext
8. NewCredentials
9. RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
10. CachedInteractive (logon with cached credentials)
What are the Windows core processes?

1. System: This process is responsible for managing system resources such as memory, threads, and processes.
2. Session Manager Subsystem (smss.exe): SMSS is responsible for managing sessions and starting system services during system startup.
3. Local Security Authority Subsystem Service (LSASS): LSASS is responsible for authentication and enforcing security policies on the system.
4. Windows Management Instrumentation (WMI): WMI is used to manage and monitor system resources and events.
5. Services: The Services process manages Windows services, which are programs that run in the background and provide system functions such as network connectivity and printing.
6. Windows Explorer: This process provides the user interface for the desktop, start menu, and other graphical elements of the system.
7. Task Manager: The Task Manager process provides a tool for managing and monitoring system processes and resources.
8. Winlogon: Winlogon is responsible for managing the logon process and user authentication.
9. Client Server Runtime Process (csrss.exe): CSRSS is responsible for managing the Windows user interface and console windows.
What is the difference between a user account and a service account in Windows?

A user account is a type of account that is created for individual users to log in to a computer or a network. User accounts are associated with a user profile, which contains personal settings, preferences, and data for the user.
A service account, on the other hand, is a type of account that is used to run a service or a process on a computer or a network. Service accounts are typically used for system-level services such as database services, web servers, and other types of application servers.

One of the main differences between user accounts and service accounts is that user accounts are
associated with a user profile and are designed for interactive use, whereas service accounts are
designed for running services or processes in the background.
Error codes specific to logon failures

1. Error code 0xc000006d: This error code indicates that the user account is locked out.
2. Error code 0xc0000072: This error code indicates that the user's password has expired and needs to be changed.
3. Error code 0xc000006a: This error code indicates that the user attempted to log on with an incorrect username or password.
4. Error code 0xc000006e: This error code indicates that the user attempted to log on outside of their allowed logon hours.
5. Error code 0xc0000070: This error code indicates that the user attempted to log on to a workstation that does not have the required network authentication.
6. Error code 0xc0000193: This error code indicates that the user attempted to log on to a workstation that has too many concurrent connections.
7. Error code 0xc000007b: This error code indicates that the user attempted to log on to a workstation that has a mismatched trust relationship with the domain.
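The three lists above (event IDs, logon types, and logon failure codes) are what an analyst actually applies when reading the Security log. The following is an added example, not code from the original document: it parses Security event records in the XML layout shown by Event Viewer's XML view, counts 4624 logons per logon type, decodes the Status field of 4625 events with the meanings given in the list above, and flags 1102 and 4740. The records, host names, user names and timestamps are constructed sample data.

```python
# Added example, not from the original page: triage Security event XML records with the
# event IDs, logon types and 4625 status codes listed above; sample records are constructed.
import xml.etree.ElementTree as ET
from collections import Counter
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_IDS = {4624: "successful logon", 4625: "failed logon", 4634: "logoff", 4720: "user created",
             4726: "user deleted", 4740: "user locked out", 4798: "group membership enumerated",
             7034: "service stopped", 1102: "audit log cleared"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
FAILURE_CODES = {  # 4625 Status values with the meanings the page's list gives them
    "0xc000006d": "account locked out", "0xc0000072": "password expired",
    "0xc000006a": "bad username or password", "0xc000006e": "outside logon hours",
    "0xc0000070": "workstation lacks required network authentication",
    "0xc0000193": "too many concurrent connections", "0xc000007b": "trust mismatch"}

def parse_event(xml_text):  # flatten one record's System and EventData fields into a dict
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
           "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
           "Time": root.find("e:System/e:TimeCreated", NS).get("SystemTime")}
    rec.update((d.get("Name"), d.text) for d in root.findall("e:EventData/e:Data", NS))
    return rec

def triage(xml_records):
    """Count 4624 logons per logon type, decode 4625 failures, flag alert events."""
    summary = {"logons_by_type": Counter(), "failures": [], "alerts": []}
    for rec in map(parse_event, xml_records):
        eid = rec["EventID"]
        if eid == 4624:
            summary["logons_by_type"][LOGON_TYPES.get(int(rec["LogonType"]), "Unknown")] += 1
        elif eid == 4625:  # Status is logged as hex; normalise case before the lookup
            code = rec.get("Status", "").lower()
            summary["failures"].append((rec["TargetUserName"], FAILURE_CODES.get(code, code)))
        if eid in (1102, 4740):  # events worth surfacing immediately
            summary["alerts"].append((rec["Time"], rec["Computer"], EVENT_IDS[eid]))
    return summary

def sample(event_id, time, computer, **data):  # builds one constructed XML record
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{body}</EventData></Event>')
SAMPLE_EVENTS = [  # constructed, not real telemetry
    sample(4624, "2024-01-01T08:00:00Z", "WS01", TargetUserName="alice", LogonType=10),
    sample(4624, "2024-01-01T08:01:00Z", "WS01", TargetUserName="svc-db", LogonType=5),
    sample(4625, "2024-01-01T08:02:00Z", "WS01", TargetUserName="bob", Status="0xC000006A"),
    sample(1102, "2024-01-01T08:03:00Z", "DC1", SubjectUserName="bob")]
```

Running `triage(SAMPLE_EVENTS)` reports one RemoteInteractive and one Service logon, bob's failure decoded as "bad username or password", and the audit-log-cleared event on DC1 as an alert.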
