# 1. Windows Fundamentals 1
In part 1 of the Windows Fundamentals module, we'll start our journey learning about the Windows desktop, the NTFS file system, UAC, the Control Panel, and more.

## Task 1: Introduction
The Windows operating system (OS) is a complex product with many system files, utilities, settings, features, etc. 
This module provides a general overview of just a handful of the components that make up the Windows OS, how to navigate the user interface, how to make changes to the system, and so on. The content is aimed at those who wish to understand and use the Windows OS at a more comfortable level. 
The virtual machine should open within your web browser. 
If you want to access the virtual machine via Remote Desktop, use the credentials below. 
- Machine IP: 10.10.98.70
- User: administrator
- Password: letmein123!
- Further reading: [Explain Like I'm 5: Remote Desktop Protocol (RDP)](https://www.cyberark.com/resources/threat-research-blog/explain-like-i-m-5-remote-desktop-protocol-rdp)

## Task 2: Windows Editions

The Windows operating system has evolved significantly since its inception in 1985, becoming the leading OS for both personal and corporate use. This popularity has made it a frequent target for attackers and malware.
- **Windows XP**: A highly popular version with a long lifespan. Its end-of-life announcement caused widespread concern among users and businesses.
- **Windows Vista**: Introduced as a major overhaul but faced numerous issues and was not well-received, leading to its quick phase-out.
- **Windows 7**: Emerged as the preferred successor to XP, prompting a rush among vendors to ensure compatibility. It also had a defined end-of-support date.
- **Windows 8.x**: Had a short lifespan similar to Vista.
- **Windows 10**: The current version for desktops, available in Home and Pro editions. Microsoft has announced support until October 14, 2025.
- **Windows Server 2019**: The current server OS version; the attached VM runs the Standard edition.
- **Windows 11**: Released on October 5, 2021, as the latest version for end-users.

Microsoft has consistently worked to enhance usability and security with each new Windows release, despite facing criticism.

Windows operating systems come in various editions, each tailored to different user needs and environments. Below are some of the key editions:

- **Windows Home**: Designed for personal use, offering essential features for everyday tasks.
- **Windows Pro**: Includes all features of the Home edition, plus additional capabilities for business use, such as BitLocker, Remote Desktop, and domain join.
- **Windows Enterprise**: Built for large organizations, providing advanced security and management features.
- **Windows Education**: Similar to the Enterprise edition, but tailored for educational institutions.
- **Windows Server**: A version of Windows designed for server use, providing features for managing network resources and services.


**Questions**:
1. What encryption can you enable on Pro that you can't enable in Home?
   - **Answer**: BitLocker


## Task 3: The Desktop (GUI)

<img src="../images/03_Windows/img1.png" alt="Windows Desktop" style = "width: 600px; height: 320px;"/>

The above screenshot is an example of a typical Windows Desktop. Each component that makes up the GUI is explained briefly below.

1. The Desktop
2. Start Menu
3. Search Box (Cortana)
4. Task View
5. Taskbar
6. Toolbars
7. Notification Area


- The Desktop: 
   - Right-click the desktop to reach Display settings and Personalization settings.
- The Start Menu
   - The Start Menu is the gateway to all of your applications.
   - It is also where you can access your settings and system tools.

**Questions**:
1. Which selection will hide/disable the Search box?
   - **Answer**: Hidden
2. Which selection will hide/disable the Task View button?
   - **Answer**: Show Task View button
3. Besides Clock and Network, what other icon is visible in the Notification Area?
   - **Answer**: Action Center


## Task 4: The File System

The file system used in modern versions of Windows is the New Technology File System or simply NTFS.

Before NTFS, there was FAT16/FAT32 (File Allocation Table) and HPFS (High Performance File System). 

You still see FAT partitions in use today. For example, you typically see FAT partitions in USB devices, MicroSD cards, etc. but traditionally not on personal Windows computers/laptops or Windows servers.

NTFS is known as a journaling file system. In case of a failure, the file system can automatically repair the folders/files on disk using information stored in a log file. This function is not possible with FAT.   

NTFS addresses many of the limitations of the previous file systems; such as: 
- Supports files larger than 4GB
- Set specific permissions on folders and files
- Folder and file compression
- Encryption (Encrypting File System, EFS)

On NTFS volumes, you can set permissions that grant or deny access to files and folders.

The permissions are:
   - Full control
   - Modify
   - Read & Execute
   - List folder contents
   - Read
   - Write

The below image lists the meaning of each permission on how it applies to a file and a folder. (credit Microsoft)

<img src="../images/03_Windows/img2.png" alt="Windows Permissions" style = "width: 600px; height: 320px;"/>

How can you view the permissions for a file or folder?
- Right-click the file or folder you want to check for permissions.
- From the context menu, select Properties.
- Within Properties, click on the Security tab.
- In the Group or user names list, select the user, computer, or group whose permissions you want to view.
- In the below image, you can see the permissions for the Users group for the Windows folder. 

<img src="../images/03_Windows/img3.png" alt="Windows Permissions" style = "width: 600px; height: 320px;"/>

Refer to the Microsoft documentation to get a better understanding of the NTFS permissions for Special Permissions.
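The Properties > Security tab shows one principal at a time. The following is an added example, not part of the original room, that reads the same NTFS ACL from PowerShell with Get-Acl and then scans a folder tree for the weakness a pentester looks for first: directories where a low-privileged group (Everyone, Users, Authenticated Users) holds write-class rights. The group list and the two paths at the bottom are assumptions; adjust them for the system you are checking.

```powershell
# Added example (not from the original room): dump an NTFS ACL and flag
# folders that let low-privileged groups write. Run in an elevated
# PowerShell 5.1+ session; the paths at the bottom are assumptions.

# Write-class bits only (Write = WriteData|AppendData|WriteEA|WriteAttributes),
# plus the GENERIC_WRITE / GENERIC_ALL bits some ACEs carry instead of specific rights
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, DeleteSubdirectoriesAndFiles') -bor 0x40000000 -bor 0x10000000
$LowPrivGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Show-NtfsAcl {
    # Equivalent of Properties > Security, one row per access control entry (ACE)
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Select-Object IdentityReference, AccessControlType,
        FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

function Find-WeakFolderAcl {
    # Walk $Root and report every Allow ACE that gives a low-privileged group write-class rights
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
                # FileSystemRights is a flags enum; test whether any write-class bit is set
                if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

Show-NtfsAcl -Path $env:windir
Find-WeakFolderAcl -Root 'C:\Program Files' | Format-Table -AutoSize
```

A Deny ACE is evaluated before Allow entries, which is why the scan only reports Allow entries and why the GUI's effective-access view can differ from a single row. The same ACL can be read from cmd with `icacls <path>`; `(OI)(CI)` in that output corresponds to the InheritanceFlags column here.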

Another feature of NTFS is Alternate Data Streams (ADS).
**Alternate Data Streams (ADS)** are a feature of the NTFS file system that lets a single file carry more than one stream of data.
- Every file has at least one data stream, the unnamed **$DATA** stream that holds the file's normal content; ADS allows additional named streams to be attached to the same file. 
- Windows Explorer does not display alternate streams, and their size is not included in the file size it shows. Third-party tools can list them, and PowerShell can enumerate and read them natively.
- From a security perspective, malware authors have used ADS to hide data and executables inside otherwise innocuous files.
- Not all uses are malicious. When you download a file from the Internet, the browser writes a **Zone.Identifier** stream (the "Mark of the Web") recording that the file came from the Internet zone; Windows reads it to warn you before the file is run.

To learn more about ADS, refer to the Malwarebytes article linked below. 
Bonus: If you wish to interact hands-on with ADS, try Day 21 of Advent of Cyber 2 (also linked below).

Links: 
- [What's Changed in File Explorer](https://support.microsoft.com/en-us/windows/what-s-changed-in-file-explorer-ef370130-1cca-9dc5-e0df-2f7416fe1cb1)
- [PowerShell Scripting Overview](https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1)
- [Introduction to Alternate Data Streams](https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/)
- [Advent of Cyber 2](https://tryhackme.com/room/adventofcyber2)
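The following is an added example, not part of the original room, that creates a file with an alternate stream, shows why Explorer and a plain directory listing miss it, reads it back, and then reports every non-$DATA stream under a folder, decoding the Zone.Identifier stream where present. The file name under %TEMP% and the folder being scanned are assumptions.

```powershell
# Added example (not from the original room): create, list, read and remove an
# alternate data stream, then report ADS under a folder. Needs an NTFS volume;
# the file and folder paths are assumptions.

$target = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $target -Value 'visible content'                   # the unnamed :$DATA stream
Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'hidden content'  # a named alternate stream

# Explorer and plain Get-ChildItem only report the size of the primary stream
Get-Item -LiteralPath $target | Select-Object Name, Length

# -Stream * enumerates every stream, including the unnamed :$DATA stream
Get-Item -LiteralPath $target -Stream * | Select-Object Stream, Length

# Read the hidden stream explicitly
Get-Content -LiteralPath $target -Stream 'hidden.txt'

# cmd.exe can list streams as well: dir /r
cmd /c "dir /r `"$target`""

function Get-AdsReport {
    # Every file under $Root that carries a stream other than :$DATA, with the
    # Zone.Identifier (Mark of the Web) contents decoded when present
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $zone = $null
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # ZoneId=3 means Internet; HostUrl/ReferrerUrl record where the file came from
                        $zone = (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) -join '; '
                    }
                    [pscustomobject]@{ File = $file.FullName; Stream = $_.Stream; Bytes = $_.Length; Zone = $zone }
                }
        }
}

Get-AdsReport -Root $env:TEMP | Format-Table -AutoSize

# Clean up: remove the alternate stream, then the file
Remove-Item -LiteralPath $target -Stream 'hidden.txt'
Remove-Item -LiteralPath $target
```

Copying a file to a FAT-formatted USB stick silently drops every alternate stream, which is one reason the Mark of the Web does not survive such a copy; `Unblock-File` removes the Zone.Identifier stream deliberately.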


## Task 5: The Windows\System32 Folders

The Windows folder **(C:\Windows)** is traditionally known as the folder which contains the Windows operating system. 

The folder doesn't necessarily have to reside on the C: drive. It can reside on another drive and, technically, in a differently named folder.

This is where environment variables, more specifically system environment variables, come into play. Even though we haven't discussed them yet, the system environment variable for the Windows directory is **%windir%**; programs read it instead of hard-coding the path.

*Per Microsoft, "Environment variables store information about the operating system environment. This information includes details such as the operating system path, the number of processors used by the operating system, and the location of temporary folders".*

There are many folders within the 'Windows' folder. See below.

<img src="../images/03_Windows/img4.png" alt="Windows Folders" style = "width: 600px; height: 320px;"/>

One of the many folders is **System32**. 

<img src="../images/03_Windows/img5.png" alt="Windows System32" style = "width: 600px; height: 320px;"/>

The System32 folder holds the important files that are critical for the operating system.

You should proceed with extreme caution when interacting with this folder. Accidentally deleting files or folders within System32 can render the Windows OS inoperable. Read more about this [here](https://support.microsoft.com/en-us/windows/delete-or-restore-system32-files-in-windows-10-445c2f69-f06c-449d-9c9d-8dc32d6c425f).  

Note: Many of the tools that will be covered in the Windows Fundamentals series reside within the System32 folder.
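Because the core binaries live in System32 and their names are well known, malware often runs under one of those names from a different folder. The following is an added example, not part of the original room, that resolves System32 from %windir% rather than a hard-coded path and lists running processes whose name matches a core binary but whose image is not in System32 or SysWOW64, together with the Authenticode status of the image. The list of names to check is an assumption; extend it as needed.

```powershell
# Added example (not from the original room): flag processes that borrow the
# name of a core System32 binary but run from elsewhere. Run elevated so
# ExecutablePath is readable for as many processes as possible; the name list
# is an assumption.

function Find-MasqueradingProcess {
    param(
        # Binaries that legitimately run only from System32 / SysWOW64
        [string[]]$Names = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe', 'wininit.exe')
    )
    # Resolve the trusted locations from the environment, not a hard-coded C:\Windows
    $legit = @((Join-Path $env:windir 'System32'), (Join-Path $env:windir 'SysWOW64'))

    # Win32_Process exposes ExecutablePath even for processes Get-Process cannot open
    Get-CimInstance Win32_Process | Where-Object { $Names -contains $_.Name } | ForEach-Object {
        $path = $_.ExecutablePath
        $dir  = if ($path) { Split-Path -Path $path -Parent } else { $null }
        [pscustomobject]@{
            PID       = $_.ProcessId
            Name      = $_.Name
            Path      = $path
            # Protected processes (csrss, smss) may return no path; treat unknown as "review"
            Expected  = [bool]($dir -and ($legit -contains $dir))
            Signature = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'unknown' }
            Parent    = $_.ParentProcessId
        }
    }
}

# Rows with Expected=False, or a Signature other than Valid, deserve a closer look
Find-MasqueradingProcess | Sort-Object Expected, Name | Format-Table -AutoSize
```

The path comparison is case-insensitive because PowerShell's `-contains` is, so `c:\windows\system32` and `C:\Windows\System32` match; a look-alike such as `C:\Windows\System32\drivers\svchost.exe` or a Unicode homoglyph in the folder name does not, which is exactly the point.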

**Questions**:
1. What is the system variable for the Windows folder?
   - **Answer**: %windir%


## Task 6: User Accounts, Profiles, and Permissions

User accounts on a typical local Windows system are one of two types: Administrator or Standard User. 
The user account type determines what actions the user can perform on that specific Windows system. 
- An Administrator can make changes to the system: add users, delete users, modify groups, modify system settings, etc. 
- A Standard User can only make changes to folders and files that belong to the user and can't perform system-level changes, such as installing programs.

You are currently logged in as an Administrator. There are several ways to determine which user accounts exist on the system. 

One way is to click the **Start Menu** and type **Other User**. A shortcut to **System Settings > Other users** should appear.

<img src="../images/03_Windows/img6.png" alt="Windows Other User" style = "width: 600px; height: 320px;"/>

When a user account is created, a profile is created for the user. Each user's profile folder is created under **C:\Users**.
For example, the user profile folder for the user account Max will be **C:\Users\Max**.

The user's profile is created upon initial login. When a new user account logs in to a local system for the first time, they'll see several messages on the login screen. One of them, User Profile Service, stays on the login screen for a while; that service is at work creating the user profile. See below.

Once logged in, the user will see a dialog box similar to the one below (again), indicating that the profile is in creation.

<img src="../images/03_Windows/img7.png" alt="Windows User Profile" style = "width: 600px; height: 320px;"/>

Each user profile will have the same folders; a few of them are:
- Desktop
- Documents
- Downloads
- Music
- Pictures

Another way to access this information, and more, is the **Local Users and Groups** management console. 

Right-click on the Start Menu and click Run. Type **lusrmgr.msc**. You should see two folders: Users and Groups.

<img src="../images/03_Windows/img8.png" alt="Windows Local User and Group Management" style = "width: 600px; height: 320px;"/>

If you click on Groups, you see all the names of the local groups along with a brief description for each group. 
Each group has permissions set to it, and users are assigned/added to groups by the Administrator. When a user is assigned to a group, the user inherits the permissions of that group. A user can be assigned to multiple groups.

Note: If you click on Add someone else to this PC from Other users, it will open Local Users and Groups. 
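Everything lusrmgr.msc shows can be pulled from PowerShell, which is how you would answer the membership questions on a machine without a desktop. The following is an added example, not part of the original room, that lists the local users, builds a group-to-member table, does the reverse lookup (which groups is one user in?), and checks the two groups that matter most for privilege plus the state of the Guest account. It needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the original room): the data behind lusrmgr.msc.
# Requires the LocalAccounts module (Windows 10 / Server 2016+); run elevated
# to see every account.

# All local users, including disabled ones, with password and logon timestamps
Get-LocalUser | Select-Object Name, Enabled, Description, LastLogon, PasswordLastSet | Format-Table -AutoSize

function Get-LocalGroupReport {
    # One row per (group, member). ObjectClass says whether the member is a User or a Group;
    # PrincipalSource says whether it is Local, ActiveDirectory or a MicrosoftAccount.
    foreach ($group in Get-LocalGroup) {
        foreach ($member in (Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{
                Group       = $group.Name
                Member      = $member.Name            # COMPUTER\user or DOMAIN\user
                ObjectClass = $member.ObjectClass
                Source      = $member.PrincipalSource
            }
        }
    }
}

function Get-UserGroups {
    # Reverse lookup: every local group that lists $UserName as a direct member
    param([Parameter(Mandatory)][string]$UserName)
    (Get-LocalGroupReport | Where-Object { $_.Member -like "*\$UserName" }).Group
}

# The two groups that grant the most: full control, and RDP logon
Get-LocalGroupMember -Group 'Administrators'
Get-LocalGroupMember -Group 'Remote Desktop Users'

# The built-in Guest account should normally stay disabled
Get-LocalUser -Name 'Guest' | Select-Object Name, Enabled, Description

# Everything in one table, then the reverse lookup for one account
Get-LocalGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
Get-UserGroups -UserName $env:USERNAME
```

The cmd equivalents are `net user`, `net user <name>` (which prints "Local Group Memberships") and `net localgroup <group>`; they work on older systems that lack the LocalAccounts module.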

**Questions**:
1. What is the name of the other user account?
   - **Answer**: tryhackmebilly
2. What groups is this user a member of?
   - **Answer**: Remote Desktop Users,Users
3. What built-in account is for guest access to the computer?
   - **Answer**: Guest
4. What is the account description?
   - **Answer**: window$Fun1!

## Task 7: User Account Control

The large majority of home users are logged into their Windows systems as local administrators. Remember from the previous task that any user with Administrator as the account type can make changes to the system.

A user doesn't need to run with high (elevated) privileges to do things that don't require them, such as browsing the Internet or working on a Word document. Running with elevated privileges anyway increases the risk of system compromise: malware runs in the context of the logged-in user, so if that user can make changes to the system, so can the malware.

To protect the local user with such privileges, Microsoft introduced **User Account Control (UAC)**. This concept was first introduced with the short-lived Windows Vista and continued with versions of Windows that followed.

Note: UAC (by default) doesn't apply to the built-in local Administrator account; it runs with a full administrator token unless the "Admin Approval Mode for the built-in Administrator account" policy is enabled. 

How does UAC work? When a user with an account type of Administrator logs into a system, the current session doesn't run with elevated permissions. When an operation requiring higher-level privileges needs to execute, the user is prompted to confirm that they permit the operation to run. 
Let's look at the program on the desktop of the account you're currently logged into, the built-in administrator account. Right-click it to view its Properties.
In the Security tab, we can see the users/groups and their permissions to this file. Notice that the standard user is not listed.

<img src="../images/03_Windows/img9.png" alt="Windows User Account Control" style = "width: 500px; height: 600px;"/>


Log in as the standard user and try to install this program. To do this, you can remote desktop into the machine as the standard user account. 
Note: You have the username and password for the standard user. It's visible in lusrmgr.msc.
Before installing the program, notice the icon. Do you see the difference? When you're logged in as the standard user, a shield is overlaid on the program's icon. 
This shield icon indicates that UAC will prompt for higher-level privileges to install the program.
Double-click the program, and you'll see the UAC prompt. Notice that the built-in administrator account is already filled in as the user name and the prompt asks for that account's password. See below.

<img src="../images/03_Windows/img11.png" alt="Windows User Account Control" style = "width: 500px; height: 600px;"/>
<img src="../images/03_Windows/img10.png" alt="Windows User Account Control" style = "width: 100px; height: 100px;"/>


After some time, if a password is not entered, the UAC prompt disappears, and the program does not install. 

This feature reduces the likelihood of malware successfully compromising your system. You can read more about UAC [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).


## Task 8: Settings and the Control Panel

**Questions**:
1. In the Control Panel, change the view to Small icons. What is the last setting in the Control Panel view?
   - **Answer**: Windows Defender Firewall

## Task 9: Task Manager

The Task Manager provides information about the applications and processes currently running on the system. Other information is also available, such as how much CPU and RAM are being utilized, which falls under Performance.

You can refer to this blog post for more detailed information about the Task Manager.
- [Task Manager](https://www.howtogeek.com/405806/windows-task-manager-the-complete-guide/)

**Questions**:
1. What is the keyboard shortcut to open the Task Manager?
   - **Answer**: Ctrl + Shift + Esc

---

# 2. Windows Fundamentals 2

## Task 1: Introduction

The System Configuration utility **(MSConfig)** is for advanced troubleshooting, and its main purpose is to help diagnose startup issues. 
Reference the following document [here](https://docs.microsoft.com/en-us/troubleshoot/windows-client/performance/system-configuration-utility-troubleshoot-configuration-errors) for more information on the System Configuration utility. 
There are several methods to launch System Configuration. One method is from the Start Menu.
Note: You need local administrator rights to open this utility. 
The utility has five tabs across the top. Below are the names for each tab. We will briefly cover each tab in this task. 
- General
- Boot
- Services
- Startup
- Tools

<img src="../images/03_Windows/02_img2.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

In the **General** tab, we can select what devices and services for Windows to load upon boot. The options are: **Normal**, **Diagnostic**, or **Selective**.
In the **Boot** tab, we can define various boot options for the Operating System.

<img src="../images/03_Windows/02_img3.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

The **Services** tab lists all services configured for the system regardless of their state (running or stopped). A service is a special type of application that runs in the background.

<img src="../images/03_Windows/02_img4.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>
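The Services tab is a view over the same Win32_Service data that WMI exposes, and the Manufacturer column comes from the version information embedded in each service binary. The following is an added example, not part of the original room, that builds that table from PowerShell and adds two checks a pentester runs against it: service binaries whose path is unquoted and contains a space (Windows then tries `C:\Program.exe` before `C:\Program Files\...`, so a writable parent directory means privilege escalation), and binaries that live outside the Windows folder, which is where third-party services such as Sysinternals' PsShutdown show up.

```powershell
# Added example (not from the original room): the System Configuration
# Services tab from PowerShell, plus unquoted-path and out-of-Windows checks.
# Run elevated to read every service.

function Get-ServiceReport {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ($path -match '^"([^"]+)"') {
            # Quoted path: the binary is exactly what is inside the quotes
            $exe = $Matches[1]; $unquoted = $false
        } elseif ($path -match '^(.+?\.exe)\b') {
            # Unquoted: take up to the first .exe; a space before it is the classic misconfiguration
            $exe = $Matches[1]; $unquoted = ($exe -match '\s')
        } else {
            $exe = $path; $unquoted = $false
        }
        # Manufacturer, as msconfig shows it, is the CompanyName from the file's version resource
        $manufacturer = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-Item -LiteralPath $exe).VersionInfo.CompanyName } else { $null }
        [pscustomobject]@{
            Name           = $_.Name
            DisplayName    = $_.DisplayName
            Manufacturer   = $manufacturer
            State          = $_.State            # Running / Stopped
            StartMode      = $_.StartMode        # Auto / Manual / Disabled
            RunsAs         = $_.StartName        # LocalSystem, NT AUTHORITY\..., or a named account
            Binary         = $exe
            UnquotedPath   = $unquoted
            OutsideWindows = [bool]($exe -and ($exe -notlike "$env:windir\*"))
        }
    }
}

$report = Get-ServiceReport
$report | Sort-Object Name | Format-Table Name, Manufacturer, State, StartMode, RunsAs, Binary -AutoSize

"--- Unquoted service paths containing a space ---"
$report | Where-Object UnquotedPath | Format-Table Name, RunsAs, Binary -AutoSize

"--- Services whose binary is outside $env:windir ---"
$report | Where-Object OutsideWindows | Format-Table Name, DisplayName, Manufacturer, Binary -AutoSize
```

Drivers are not in Win32_Service; `Get-Service` and `sc query type= driver` cover those. Also note that a service running as LocalSystem from an unquoted, writable path is the case worth chasing; one running as a low-privileged virtual account gains an attacker little.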


In the **Startup** tab, you won't see anything interesting in the attached VM.  Below is a screenshot of the Startup tab for MSConfig from my local machine.

<img src="../images/03_Windows/02_img5.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

As you can see, Microsoft advises using Task Manager (**taskmgr**) to manage (enable/disable) startup items. The System Configuration utility is NOT a startup management program.

There is a list of various utilities (tools) in the Tools tab that we can run to configure the operating system further. There is a brief description of each tool to provide some insight into what the tool is for. 

<img src="../images/03_Windows/02_img6.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

Notice the **Selected command** section. The information in this textbox will change per tool.

To run a tool, we can use the command to launch the tool via the run prompt, command prompt, or by clicking the **Launch** button.

**Questions**:
1. What is the name of the service that lists Systems Internals as the manufacturer?
   - **Answer**: PsShutdown
2. Whom is the Windows license registered to?
   - **Answer**: Windows User
3. What is the command for Windows Troubleshooting?
   - **Answer**: C:\Windows\System32\control.exe /name Microsoft.Troubleshooting
4. What command will open the Control Panel? (The answer is  the name of .exe, not the full path)
   - **Answer**: control.exe

- **PsShutdown**: the service whose manufacturer is listed as Sysinternals. PsShutdown is a Sysinternals tool that shuts down, restarts, or logs off a local or remote system.

<img src="../images/03_Windows/02_img7.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

- **Windows User**: the name the Windows license is registered to, shown by **About Windows** (winver) in the Tools tab.

<img src="../images/03_Windows/02_img8.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>


- **Windows Troubleshooting**: opens the Troubleshooting section of the Control Panel.

<img src="../images/03_Windows/02_img9.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

- **Control Panel**: opens the Control Panel, from which the system's settings are managed.

<img src="../images/03_Windows/02_img10.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>


## Task 3: Change UAC Settings

The UAC settings can be changed or even turned off entirely (not recommended). You can move the slider to see how the setting will change the UAC settings and Microsoft's stance on the setting.

<img src="../images/03_Windows/02_img11.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

**Questions**:
1. What is the command to open User Account Control Settings? (The answer is the name of the .exe file, not the full path)
   - **Answer**: UserAccountControlSettings.exe
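The slider in UserAccountControlSettings.exe writes a handful of values under the Policies\System registry key, and those values are what actually govern the behaviour described in the User Account Control task of Windows Fundamentals 1. The following is an added example, not part of the original room, that reads those values, maps the common combinations back to slider positions, and checks whether the current PowerShell session holds a full (unfiltered) administrator token. The slider mapping is the one UserAccountControlSettings.exe writes on Windows 10 / Server 2019; a domain policy can set any other combination.

```powershell
# Added example (not from the original room): read the registry values behind
# the UAC slider and test whether this session is elevated. Reads only;
# nothing is changed. The slider mapping is an observation for Windows 10 /
# Server 2019, and policy can override it.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacConfig {
    $p = Get-ItemProperty -Path $uacKey
    $level = switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify (top of slider)' }
        '5/1'   { 'Notify when apps try to make changes (default)' }
        '5/0'   { 'Notify, but do not dim the desktop' }
        '0/0'   { 'Never notify (bottom of slider)' }
        default { 'Custom / policy-managed' }
    }
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 0 switches UAC off entirely (reboot required)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 2 = always prompt for consent, 5 = prompt for non-Windows binaries, 0 = elevate silently
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # 3 = prompt standard users for admin credentials (default), 1 = prompt on secure desktop, 0 = deny
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = dim the desktop while prompting
        FilterAdministratorToken   = $p.FilterAdministratorToken    # 1 = apply UAC to the built-in Administrator as well (default 0)
        SliderLevel                = $level
    }
}

function Test-Elevated {
    # True only when the Administrators group is enabled in this token; with a
    # UAC-filtered token the group is present but deny-only, so this returns False
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacConfig | Format-List
"Current user: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)  Elevated: $(Test-Elevated)"
```

Two readings to watch for: `ConsentPromptBehaviorAdmin = 0` means an administrator's programs elevate without any prompt, which is the state most post-exploitation tooling hopes for; and `FilterAdministratorToken = 0` is why the room says UAC does not apply to the built-in Administrator account by default.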


## Task 4: Computer Management

We're continuing with Tools that are available through the **System Configuration** panel.
The **Computer Management** (**compmgmt**) utility has three primary sections: **System Tools**, **Storage**, and **Services and Applications**.

<img src="../images/03_Windows/02_img12.png" alt="Windows System Configuration" style = "width: 500px; height: 320px;"/>

**System Tools**

- **Task Scheduler**. Per Microsoft, with **Task Scheduler**, we can create and manage common tasks that our computer will carry out automatically at the times we specify.
A task can run an application, a script, etc., and tasks can be configured to run at any point. A task can run at log in or at log off. Tasks can also be configured to run on a specific schedule, for example, every five minutes.
To create a basic task, click on **Create Basic Task** under **Actions** (right pane)
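The following is an added example, not part of the original room, that lists scheduled tasks with the trigger and action details the Task Scheduler GUI shows (which is how you would find out when a given task runs), and then creates a basic daily task from PowerShell, inspects its trigger, and removes it. The task name and the script path it points at are assumptions; the built-in \Microsoft\ tasks are skipped by default because there are hundreds of them.

```powershell
# Added example (not from the original room): enumerate scheduled tasks with
# triggers and actions, then register and remove a demo task. Task name and
# script path are assumptions. Run elevated to see tasks of other users.

function Get-TaskReport {
    param([switch]$IncludeMicrosoft)   # built-in \Microsoft\ tasks are hidden unless asked for
    Get-ScheduledTask | Where-Object { $IncludeMicrosoft -or $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel          # Highest = runs with an elevated token
                Execute   = $action.Execute
                Arguments = $action.Arguments
                # Trigger type comes from the CIM class name; StartBoundary carries the time for time-based triggers
                Triggers  = ($task.Triggers | ForEach-Object {
                                "$($_.CimClass.CimClassName -replace '^MSFT_Task','')@$($_.StartBoundary)"
                            }) -join '; '
                NextRun   = $info.NextRunTime
                LastRun   = $info.LastRunTime
            }
        }
    }
}

Get-TaskReport | Sort-Object Task | Format-Table -AutoSize

# Create a basic task that runs a script every day at 06:15, look at its trigger, then remove it
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\nightly.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '06:15'
Register-ScheduledTask -TaskName 'DemoNightlyTask' -Action $action -Trigger $trigger -Description 'added example' | Out-Null
Get-ScheduledTask -TaskName 'DemoNightlyTask' | Select-Object -ExpandProperty Triggers
Unregister-ScheduledTask -TaskName 'DemoNightlyTask' -Confirm:$false
```

Scheduled tasks are a favourite persistence mechanism, so a task with `RunLevel = Highest` whose `Execute` points into a user-writable folder, or whose `RunAs` is SYSTEM while the action is a script, is worth reading in full with `Export-ScheduledTask`.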

- **Event Viewer**. Event Viewer allows us to view events that have occurred on the computer. These records of events can be seen as an audit trail that can be used to understand the activity of the computer system. This information is often used to diagnose problems and investigate actions executed on the system.

<img src="../images/03_Windows/02_img13.png" alt="Windows System Configuration" style = "width: 600px; height: 120px;"/>

Event Viewer has three panes.
1. The pane on the left provides a hierarchical tree listing of the event log providers (as shown in the image above).
2. The pane in the middle displays a general overview and summary of the events specific to a selected provider.
3. The pane on the right is the Actions pane.

There are five types of events that can be logged. Below is a table from docs.microsoft.com providing a brief description for each.

<img src="../images/03_Windows/02_img14.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

The standard logs are visible under **Windows Logs**. Below is a table from docs.microsoft.com providing a brief description for each.

<img src="../images/03_Windows/02_img15.png" alt="Windows System Configuration" style = "width: 600px; height: 220px;"/>

For more information about Event Viewer and Event Logs, please refer to the [Windows Event Log](https://tryhackme.com/room/windowseventlog) room.
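Event Viewer's filter dialog maps directly onto `Get-WinEvent -FilterHashtable`, and the Security log is where the audit trail mentioned above actually lives. The following is an added example, not part of the original room, that pulls logon successes and failures (event IDs 4624 and 4625), unpacks the EventData fields Event Viewer shows on the Details tab, summarises them by logon type, and then lists recent account-management events. Event IDs are the standard Windows security audit IDs; the time window is an assumption, and the Security log needs an elevated session.

```powershell
# Added example (not from the original room): query the Security log the way
# Event Viewer's filter does and unpack the EventData fields. Run elevated;
# the 24-hour window is an assumption.

function Get-LogonSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named fields on Event Viewer's Details tab are in the XML, not in the Message text
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id                           # 4624 = success, 4625 = failure
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType                    # 2 interactive, 3 network/SMB, 5 service, 10 RDP
            Source    = $d.IpAddress                    # '-' for local logons
            Process   = $d.ProcessName
        }
    }
}

$logons = Get-LogonSummary -Hours 24
"--- Counts by event ID and logon type ---"
$logons | Group-Object Id, LogonType | Select-Object Count, Name | Sort-Object Count -Descending
"--- Failed logons (a burst from one Source is a password-guessing attempt) ---"
$logons | Where-Object { $_.Id -eq 4625 } | Format-Table Time, Account, LogonType, Source -AutoSize

# Account management: 4720 user created, 4722 user enabled, 4732 member added to a local group
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722, 4732 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize

# Event levels map to numbers in the filter: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2, 3 } -MaxEvents 10 | Select-Object TimeCreated, Level, ProviderName, Id
```

If `Get-LogonSummary` returns nothing, check that logon auditing is enabled (`auditpol /get /category:Logon/Logoff`); on a freshly installed client the Security log records only what the default audit policy covers.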


**Shared Folders** is where you will see a complete list of shares and shared folders that others can connect to. 
In the image below, under **Shares**, are the administrative shares Windows creates by default, such as **C$** (the root of the C: drive) and **ADMIN$** (the Windows folder). Their names end in $, so they are hidden from browsing, but members of the Administrators group can reach them by name. 
As with any object in Windows, you can right-click on a share to view its properties, such as **Share Permissions** (who can access the shared resource). 
Under **Sessions**, you will see a list of users who are currently connected to the shares. In this VM, you won't see anybody connected to the shares.
All the folders and/or files that the connected users access are listed under **Open Files**.

<img src="../images/03_Windows/02_img16.png" alt="Windows System Configuration" style = "width: 550px; height: 300px;"/>
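The following is an added example, not part of the original room, that reproduces the Shares, Sessions and Open Files views from the SmbShare module, marks which shares are hidden (name ends in $) and which of those Windows created itself, and flags the weak share-level setting that grants Everyone full access. Nothing here is specific to the room's VM; the same commands work on any Windows 8 / Server 2012 or later host.

```powershell
# Added example (not from the original room): Shared Folders from PowerShell.
# Read-only; run elevated to see sessions and open files.

function Get-ShareReport {
    foreach ($share in Get-SmbShare) {
        # Share-level permissions, distinct from the NTFS ACL of the underlying folder
        $access = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue |
                  ForEach-Object { "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" }
        [pscustomobject]@{
            Name    = $share.Name
            Path    = $share.Path
            Hidden  = $share.Name.EndsWith('$')   # not browsable, still reachable as \\host\name$
            Special = $share.Special               # True for C$, ADMIN$, IPC$ created by Windows
            Access  = $access -join '; '
        }
    }
}

Get-ShareReport | Format-Table -AutoSize

"--- Hidden shares that Windows did not create (someone added these deliberately) ---"
Get-ShareReport | Where-Object { $_.Hidden -and -not $_.Special } | Format-Table Name, Path, Access -AutoSize

"--- Everyone:Full at share level; the NTFS ACL is then the only thing protecting the folder ---"
Get-SmbShare | Get-SmbShareAccess | Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }

"--- Sessions and open files (Computer Management > Shared Folders > Sessions / Open Files) ---"
Get-SmbSession  | Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle
Get-SmbOpenFile | Select-Object ClientUserName, Path, ShareRelativePath
```

Effective access over SMB is the intersection of the share permission and the NTFS permission, so a share showing Everyone:Full is only as safe as the folder's ACL; `net share` and `net session` give the same lists from cmd.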


The **Local Users and Groups** section you should be familiar with from Windows Fundamentals 1 because it's **lusrmgr.msc**.

<img src="../images/03_Windows/02_img17.png" alt="Windows System Configuration" style = "width: 400px; height: 220px;"/>

In **Performance**, you'll see a utility called **Performance Monitor** (**perfmon**).

<img src="../images/03_Windows/02_img18.png" alt="Windows System Configuration" style = "width:300px; height: 300px;"/>


**Device Manager** allows us to view and configure the hardware, such as disabling any hardware attached to the computer.

<img src="../images/03_Windows/02_img19.png" alt="Windows System Configuration" style = "width: 550px; height: 320px;"/>


**Storage**

Under **Storage** is **Windows Server Backup** and **Disk Management**. We'll only look at **Disk Management** in this room.

Disk Management is a system utility in Windows that enables you to perform advanced storage tasks.  Some tasks are:
- Set up a new drive
- Extend a partition
- Shrink a partition
- Assign or change a drive letter (ex. E:) 

<img src="../images/03_Windows/02_img20.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

**Services and Applications**

<img src="../images/03_Windows/02_img21.png" alt="Windows System Configuration" style = "width: 600px; height: 100px;"/>

<img src="../images/03_Windows/02_img22.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

**WMI Control** configures and controls the **Windows Management Instrumentation (WMI)** service.

Per Wikipedia, "WMI allows scripting languages (such as VBScript or Windows PowerShell) to manage Microsoft Windows personal computers and servers, both locally and remotely. Microsoft also provides a command-line interface to WMI called Windows Management Instrumentation Command-line (WMIC)."
Note: The WMIC tool is deprecated in Windows 10, version 21H1. Windows PowerShell supersedes this tool for WMI. 


**Questions**:
1. What is the command to open Computer Management? (The answer is the name of the .msc file, not the full path)
   - **Answer**: compmgmt.msc
2. At what time every day is the GoogleUpdateTaskMachineUA task configured to run?
   - **Answer**: 6:15 AM
3. What is the name of the hidden folder that is shared?
   - **Answer**: sh4r3dF0Ld3r

<img src="../images/03_Windows/02_img23.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

<img src="../images/03_Windows/02_img24.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>



## Task 5: System Information

What is the System Information (**msinfo32**) tool?

Per Microsoft, "Windows includes a tool called Microsoft System Information (Msinfo32.exe).  This tool gathers information about your computer and displays a comprehensive view of your hardware, system components, and software environment, which you can use to diagnose computer issues."

The information in **System Summary** is divided into three sections:
- Hardware Resources
- Components
- Software Environment
**System Summary** will display general technical specifications for the computer, such as processor brand and model.

<img src="../images/03_Windows/02_img25.png" alt="Windows System Configuration" style = "width: 300px; height: 320px;"/>

The information displayed in **Hardware Resources** is not for the average computer user. If you want to learn more about this section, refer to the official Microsoft page [here](https://docs.microsoft.com/en-us/windows/win32/wmisdk/hardware-resources).

In the **Software Environment** section, you can see information about software baked into the operating system and software you have installed. Other details are visible in this section as well, such as **Environment Variables** and **Network Connections**. 


Recall from the Windows Fundamentals 1 room (The Windows\System32 Folder task) where **Environment Variables** was briefly touched on. 

Per Microsoft, "Environment variables store information about the operating system environment. This information includes details such as the operating system path, the number of processors used by the operating system, and the location of temporary folders.
The environment variables store data that is used by the operating system and other programs. For example, the WINDIR environment variable contains the location of the Windows installation directory. Programs can query the value of this variable to determine where Windows operating system files are located".
Another method to view environment variables is **Control Panel > System and Security > System > Advanced system settings > Environment Variables** OR **Settings > System > About > system info > Advanced system settings > Environment Variables**

<img src="../images/03_Windows/02_img26.png" alt="Windows System Configuration" style = "width: 500px; height: 320px;"/>
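The Environment Variables dialog edits two stored sets, user and machine, while a running process sees a merged copy of both. The following is an added example, not part of the original room, that reads all three scopes (picking up %windir% from the Windows\System32 task of Windows Fundamentals 1 along the way) and then audits the PATH variable in particular: a PATH directory the current user can write to lets that user drop a binary that shadows a legitimate command for every process that searches PATH, so the check creates and deletes a probe file in each entry rather than trusting the ACL alone. The probe file name is an assumption.

```powershell
# Added example (not from the original room): environment variables at
# process, user and machine scope, and a writability audit of every PATH
# entry. The probe file name is an assumption; each probe is deleted again.

# Process scope: what this shell sees (machine + user, plus anything set in this session)
$env:windir
Get-ChildItem Env: | Sort-Object Name | Format-Table Name, Value -AutoSize

# The stored values behind the Environment Variables dialog
[Environment]::GetEnvironmentVariable('PATH', 'Machine')
[Environment]::GetEnvironmentVariable('PATH', 'User')

function Test-PathDirWritable {
    # Try to create and delete an empty file; reading the ACL alone misses Deny
    # entries, inheritance quirks and the difference between folder and file rights
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $null }
    $probe = Join-Path $Dir ('.w' + [guid]::NewGuid().ToString('N').Substring(0, 8))
    try   { New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null; Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

function Get-PathAudit {
    $seen = @{}
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ })) {
        # Entries may contain %SystemRoot% style references and trailing backslashes; normalise them
        $expanded = [Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\')
        if ($seen.ContainsKey($expanded.ToLower())) { continue }   # duplicates are common
        $seen[$expanded.ToLower()] = $true
        [pscustomobject]@{
            Directory = $expanded
            Exists    = Test-Path -LiteralPath $expanded -PathType Container
            Writable  = Test-PathDirWritable -Dir $expanded
        }
    }
}

# Writable=True outside your own profile is a finding; Exists=False is also one if
# a low-privileged user could create that directory, since the search order is fixed
Get-PathAudit | Format-Table -AutoSize
```

Machine-scope PATH entries are inherited by services and by every user, so a writable one there is a privilege-escalation path rather than a nuisance; user-scope entries only affect that user's processes.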


The detour is over. Let's redirect our attention back to msinfo32 and pick up where we left off.

Towards the very bottom of this utility, there is a search bar. Please give it a go. Select **Components** and search for **IP address**.

<img src="../images/03_Windows/02_img27.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>


## Task 6: Resource Monitor
We're continuing with Tools that are available through the System Configuration panel. What is **Resource Monitor** (**resmon**)?
Per Microsoft, "Resource Monitor displays per-process and aggregate CPU, memory, disk, and network usage information, in addition to providing details about which processes are using individual file handles and modules. Advanced filtering allows users to isolate the data related to one or more processes (either applications or services), start, stop, pause, and resume services, and close unresponsive applications from the user interface. It also includes a process analysis feature that can help identify deadlocked processes and file locking conflicts so that the user can attempt to resolve the conflict instead of closing an application and potentially losing data."
Like some of the other tools mentioned in this room, this utility is geared primarily towards advanced users who need to perform advanced troubleshooting on the computer system.

In the **Overview** tab, Resmon has four sections:
- CPU
- Disk
- Network
- Memory

<img src="../images/03_Windows/02_img28.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>


## Task 7: Command Prompt

We're continuing with Tools that are available through the System Configuration panel.
The **command prompt (cmd)** can seem daunting at first, but it's really not that bad once you understand how to interact with it. 
In early operating systems, the command line was the sole way to interact with the operating system.
When the **GUI (graphical user interface)** was introduced, it allowed users to perform complex tasks with a few clicks of a button instead of entering commands in the command prompt. 
Even though the GUI is the primary way to interact with the operating system, a computer user can still interact via the command prompt. 
In this task, we'll only cover a few commands that a computer user can run in the command prompt to obtain information about the computer system.

Let's start with a few simple commands:
- **hostname**: displays the name of the computer.
- **whoami**: displays the current user context.
- **ipconfig**: displays all the network configuration information for the computer.
- **cls**: clears the command prompt screen.
- **netstat**: Per the help manual, this command will display protocol statistics and current TCP/IP network connections. 
- **net**: a command with many sub-commands for managing users, groups, shares, sessions and services from the command line.
- **net user**: displays information about the specified user account.
- **net localgroup**: displays information about the specified local group.

To retrieve the help manual for a command, append **/?** to it.
For example, to see the help manual for **ipconfig**, run **ipconfig /?**.

<img src="../images/03_Windows/02_img29.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

The structure tells us the **netstat** command can be run alone or with parameters, such as **-a**, **-b**, **-e**, etc. 
When any of the parameters are appended to the root command, **netstat** in this case, the output changes. Play with a few to see for yourself.

<img src="../images/03_Windows/02_img30.png" alt="Windows System Configuration" style = "width: 400px; height: 180px;"/>

You can use the same command to view the help information for other useful **net** sub-commands, such as **localgroup**, **user**, **share**, and **session**.
Refer to the following link for a comprehensive list of commands you can execute in the command prompt:
- [List of commands](https://ss64.com/nt/cmd.html)
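
The commands above each answer one question at a time. The following PowerShell script is an added example (it is not part of the room or of Microsoft's documentation): it collects the same facts those tools expose (host name, user, adapter configuration, listening ports and their owning process, local users and the members of Administrators) into a JSON baseline, and then shows how to diff a later run against it. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2019; the output file name `host-baseline.json` is my choice.

```powershell
# Added example, not from the room: snapshot the host facts that hostname,
# whoami, ipconfig, netstat and net expose, and keep them for comparison.
# Assumes Windows PowerShell 5.1+ on Windows 10 / Server 2019.

$baseline = [ordered]@{
    Hostname  = (hostname)             # same as the cmd.exe 'hostname' tool
    User      = (whoami)               # COMPUTER\user or DOMAIN\user
    Collected = (Get-Date).ToString('s')
}

# 'ipconfig /all' lists every adapter; Get-NetIPConfiguration gives the same
# data as objects, so the fields can be picked out instead of parsed.
$baseline.Adapters = Get-NetIPConfiguration |
    Select-Object InterfaceAlias,
        @{n='IPv4';    e={ $_.IPv4Address.IPAddress }},
        @{n='Gateway'; e={ $_.IPv4DefaultGateway.NextHop }},
        @{n='DNS';     e={ $_.DNSServer.ServerAddresses -join ',' }}

# 'netstat -ano' shows listening sockets with owning PIDs; here the PID is
# resolved to a process name so the list is readable later.
$baseline.Listening = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }}

# 'net localgroup administrators' answers "who can do anything on this box?"
$baseline.LocalAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 'net user' lists accounts; keep enabled state and last logon for review
$baseline.Users = Get-LocalUser |
    Select-Object Name, Enabled, PasswordExpires, LastLogon

$path = Join-Path $env:USERPROFILE 'host-baseline.json'   # constructed file name
$baseline | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
Write-Host "Baseline written to $path"

# On a later run, compare the saved baseline with the live host: a new
# listening port or a new member of Administrators deserves a question.
$old      = Get-Content $path -Raw | ConvertFrom-Json
$oldPorts = @($old.Listening | Select-Object -ExpandProperty LocalPort -Unique)
$newPorts = @(Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique)
Compare-Object -ReferenceObject $oldPorts -DifferenceObject $newPorts | ForEach-Object {
    $label = if ($_.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' }
    "$label listening port $($_.InputObject)"
}
```

Run it once from an elevated prompt to create the baseline, then rerun it after a change (a new service, a new local admin) and the comparison at the end prints what differs.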


**Questions**:
1. In System Configuration, what is the full command for Internet Protocol Configuration?
   - **Answer**: C:\Windows\System32\cmd.exe /k %windir%\system32\ipconfig.exe
2. For the ipconfig command, how do you show detailed information?
   - **Answer**: ipconfig /all


## Task 8: Registry Editor
We're continuing with Tools that are available through the System Configuration panel.
The **Windows Registry** (per Microsoft) is a central hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices.

The registry contains information that Windows continually references during operation, such as:
- Profiles for each user
- Applications installed on the computer and the types of documents that each can create
- Property sheet settings for folders and application icons
- What hardware exists on the system
- The ports that are being used.

**Warning:** The registry is for advanced computer users. Making changes to the registry can affect normal computer operations.

There are various ways to view/edit the registry. One way is to use the **Registry Editor (regedit)**.

<img src="../images/03_Windows/02_img31.png" alt="Windows System Configuration" style = "width: 400px; height: 200px;"/>
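The Registry Editor is not the only way in. As an added example (not from the room), the PowerShell script below reads a value through the `HKLM:` drive, exports a key with `reg.exe` before it is touched (the safe habit behind the warning above), and then lists the well-known auto-start keys with the code-signing status of each program they launch. The key paths are documented Windows keys; the backup file name under `%TEMP%` is my choice.

```powershell
# Added example, not from the room: read, back up and audit registry keys
# from PowerShell. Assumes Windows PowerShell 5.1+ on Windows 10 / Server 2019.

# 1. Reading: HKLM: and HKCU: expose the hives like folders.
$ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"{0} build {1}.{2}" -f $ver.ProductName, $ver.CurrentBuild, $ver.UBR

# 2. Backing up: export a key before editing it so a bad change can be
#    undone with 'reg import'. Backup path is constructed for this example.
$backup = Join-Path $env:TEMP 'Run-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null

# 3. Defender check: programs listed under these keys start automatically at
#    logon, which is why both installers and malware write here.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = $item.GetValue($name)
        # Best-effort: take the quoted path, or the first token, as the
        # executable, then check its Authenticode signature. An unsigned
        # binary in a user-writable folder is a classic finding to review.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'MISSING' }
        [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Signature = $sig }
    }
}
```

Reading keys needs no elevation; exporting or editing under `HKLM` does. The signature check is a triage aid, not a verdict: a `NotSigned` entry from a known vendor is common, but an entry whose file is `MISSING` or lives under a user profile is worth a closer look.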

**Questions**:
1. What is the command to open the Registry Editor? (The answer is the name of the .exe file, not the full path)
   - **Answer**: regedit32.exe





---

# 2. Windows Fundamentals 3

## Task 1: Introduction

To summarize the previous two rooms:
- In Windows Fundamentals 1, we covered the desktop, the file system, user account control, the control panel, settings, and the task manager.
- In Windows Fundamentals 2, we covered various utilities, such as System Configuration, Computer Management, Resource Monitor, etc.

This module will attempt to provide an overview of the security features within the Windows operating system.

## Task 2: Windows Updates

**Windows Update** is a service provided by Microsoft to provide security updates, feature enhancements, and patches for the Windows operating system and other Microsoft products, such as Microsoft Defender.

Updates are typically released on the 2nd Tuesday of each month. This day is called Patch Tuesday. That doesn't necessarily mean that a critical update/patch has to wait for the next Patch Tuesday to be released. If the update is urgent, then Microsoft will push the update via the Windows Update service to the Windows devices.

Refer to the following link to see the Microsoft Security Update Guide [here](https://msrc.microsoft.com/update-guide).


Windows Update is located in Settings. Another way to access Windows Update is from the Run dialog box, or CMD, by running the command **control /name Microsoft.WindowsUpdate**.
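The update history that Settings displays can also be queried from PowerShell. The script below is an added example (not part of the room): it lists recent hotfixes with `Get-HotFix`, reads the full update history (including Defender definition updates, which `Get-HotFix` does not show) through the Windows Update Agent COM API, filters out the definition updates that the question above asks about, and finishes with a signature-age check. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2019; the seven-day staleness threshold is my choice.

```powershell
# Added example, not from the room: inspect Windows Update history without
# the GUI. Assumes Windows PowerShell 5.1+ and the Windows Update Agent COM
# API on Windows 10 / Server 2019.

# Get-HotFix lists installed QFE packages (cumulative updates, servicing
# stack updates) but not Defender definition updates.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# The Windows Update Agent keeps the complete history, definitions included.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

# ResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed, 5 = Aborted
$resultNames = @{ 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
$history = if ($count -gt 0) {
    $searcher.QueryHistory(0, $count) |
        Select-Object Date, Title, @{n='Result'; e={ $resultNames[[int]$_.ResultCode] }}
}

# The question above: when were the definition updates installed?
# Titles vary by build, hence the two-pattern match.
$history | Where-Object { $_.Title -match 'Definition Update|Security Intelligence Update' } |
    Sort-Object Date -Descending | Select-Object -First 5

# Defender's view: failed installs, and how stale the signatures are.
$history | Where-Object Result -eq 'Failed' | Select-Object -First 5
$status  = Get-MpComputerStatus
$ageDays = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
"Defender signatures {0}, last updated {1} ({2} day(s) ago)" -f
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $ageDays
if ($ageDays -gt 7) { Write-Warning 'Definitions are more than a week old; check Windows Update.' }
```

On a machine that has never updated, `GetTotalHistoryCount()` returns 0 and `$history` stays empty, which is why the query is guarded.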


**Questions**:
1. There were two definition updates installed in the attached VM. On what date were these updates installed?
   - **Answer**: 11/19/2024

## Task 3: Windows Security

Per Microsoft, "Windows Security is your home to manage the tools that protect your device and your data".
In case you missed it, Windows Security is also available in Settings.

<img src="../images/03_Windows/03_img1.png" alt="Windows System Configuration" style = "width: 500px; height: 320px;"/>

In the above image, focus your attention on Protection areas.

- Virus & threat protection
- Firewall & network protection
- App & browser control
- Device security

Each following task will briefly touch on these areas.

Before proceeding, let's provide a quick comment on the status icons.

- Green means your device is sufficiently protected, and there aren't any recommended actions.
- Yellow means there is a safety recommendation for you to review.
- Red is a warning that something needs your immediate attention.


## Task 4: Virus & Threat Protection

**Virus & threat protection** is divided into two parts:
- Current threats
- Virus & threat protection settings

**Current threats**

Scan options

- Quick scan - Checks folders in your system where threats are commonly found.
- Full scan - Checks all files and running programs on your hard disk. This scan could take longer than one hour.
- Custom scan - Choose which files and locations you want to check.

Threat history

- Last scan - Windows Defender Antivirus automatically scans your device for viruses and other threats to help keep it safe.
- Quarantined threats - Quarantined threats have been isolated and prevented from running on your device. They will be periodically removed.
- Allowed threats - Allowed threats are items identified as threats, which you allowed to run on your device. 

**Virus & threat protection settings**

Manage settings 

- Real-time protection - Locates and stops malware from installing or running on your device.
- Cloud-delivered protection - Provides increased and faster protection with access to the latest protection data in the cloud.
- Automatic sample submission - Send sample files to Microsoft to help protect you and others from potential threats. 
- Controlled folder access - Protect files, folders, and memory areas on your device from unauthorized changes by unfriendly applications.
- Exclusions - Windows Defender Antivirus won't scan items that you've excluded.
- Notifications - Windows Defender Antivirus will send notifications with critical information about the health and security of your device. 
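
Every setting under "Manage settings" maps to a property returned by the Defender PowerShell module. The script below is an added example (not from the room): it reports each of the settings listed above, prints the exclusions explicitly (the setting most often used to blind the scanner), lists recent detections, and re-enables real-time protection when it is off, which is the situation the question below describes. It assumes the Defender module shipped with Windows 10 / Server 2019 and an elevated prompt for `Set-MpPreference`; the 30-day detection window is my choice.

```powershell
# Added example, not from the room: audit "Virus & threat protection settings"
# from PowerShell. Assumes the Defender module on Windows 10 / Server 2019
# and an elevated prompt for Set-MpPreference.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection)
# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
#                       2 = never send, 3 = send all samples
# EnableControlledFolderAccess: 0 = disabled, 1 = enabled, 2 = audit mode
$report = [ordered]@{
    'Real-time protection'        = $status.RealTimeProtectionEnabled
    'Cloud-delivered protection'  = ($pref.MAPSReporting -ne 0)
    'Automatic sample submission' = ($pref.SubmitSamplesConsent -in @(1, 3))
    'Controlled folder access'    = ($pref.EnableControlledFolderAccess -eq 1)
    'Tamper protection'           = $status.IsTamperProtected
    'Last quick scan finished'    = $status.QuickScanEndTime
    'Signatures last updated'     = $status.AntivirusSignatureLastUpdated
}
$report

# Exclusions are worth printing in full rather than leaving them in the GUI.
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    $items = $pref.$kind
    "{0}: {1}" -f $kind, ($(if ($items) { $items -join '; ' } else { '(none)' }))
}

# Threat history: what Defender detected in the last 30 days (constructed window)
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-30) } |
    Select-Object InitialDetectionTime, ProcessName, ThreatID, ActionSuccess

# The room's question: real-time protection is off. Turn it back on. When
# Tamper Protection is enabled the change is refused and must be made in
# the Windows Security app instead.
if (-not $status.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false
    if ((Get-MpComputerStatus).RealTimeProtectionEnabled) {
        'Real-time protection is now on.'
    } else {
        Write-Warning 'Could not enable real-time protection (policy or tamper protection?).'
    }
}
```

The boolean report is deliberately coarse: each `False` row corresponds to one of the yellow or red status items that Windows Security would show for the same host.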


**Questions**:
1. Specifically, what is turned off that Windows is notifying you to turn on?
   - **Answer**: Real-time protection


## Task 5: Firewall & network protection

**What is a firewall?**

Per Microsoft, "Traffic flows into and out of devices via what we call ports. A firewall is what controls what is - and more importantly isn't - allowed to pass through those ports. You can think of it like a security guard standing at the door, checking the ID of everything that tries to enter or exit".

**What is the difference between the 3 (Domain, Private, and Public)?**

Per Microsoft, "Windows Firewall offers three firewall profiles: domain, private and public".

- **Domain** - The domain profile applies to networks where the host system can authenticate to a domain controller. 
- **Private** - The private profile is a user-assigned profile and is used to designate private or home networks.
- **Public** - The default profile is the public profile, used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.


If you click on any firewall profile, another screen will appear with two options: turn the firewall on/off and block all incoming connections.

**Allow an app through firewall**

<img src="../images/03_Windows/03_img2.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

**Advanced Settings**

<img src="../images/03_Windows/03_img3.png" alt="Windows System Configuration" style = "width: 600px; height: 320px;"/>

Configuring the Windows Defender Firewall is for advanced Windows users. Refer to the following Microsoft documentation on best practices:
- [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring)
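
The three profile pages and the "Allow an app through firewall" list can be read from PowerShell as well. The script below is an added example (not from the room or Microsoft's documentation): it shows which profile each connected network is using, checks that every profile is on with inbound traffic blocked by default and logging enabled, lists the enabled inbound allow rules that apply to the Public profile with their port and program, and ends with the equivalent of flipping each profile's switch on. It assumes the NetSecurity module on Windows 10 / Server 2019 and an elevated prompt for the `Set-NetFirewallProfile` step.

```powershell
# Added example, not from the room: inspect and harden firewall profiles.
# Assumes the NetSecurity module on Windows 10 / Server 2019; elevation is
# needed only for the final Set-NetFirewallProfile.

# Which profile each connected network got: Public, Private or DomainAuthenticated
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Per-profile state. A healthy host has all three Enabled, inbound Block by
# default, and blocked connections logged for later investigation.
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowInboundRules, LogBlocked, LogFileName
$profiles

foreach ($p in $profiles) {
    if (-not $p.Enabled) { Write-Warning "Firewall is OFF for the $($p.Name) profile" }
    if ($p.DefaultInboundAction -ne 'Block') { Write-Warning "$($p.Name): default inbound action is $($p.DefaultInboundAction)" }
    if (-not $p.LogBlocked) { Write-Warning "$($p.Name): blocked connections are not logged" }
}

# "Allow an app through firewall" creates inbound Allow rules. List the
# enabled ones that apply on the Public profile, where a listening service
# is exposed to untrusted networks such as airport Wi-Fi.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Program  = $app.Program
        }
    } | Sort-Object Port | Format-Table -AutoSize

# Remediation: the same as turning the firewall on from each profile page,
# plus a Block default for inbound traffic and logging of what was blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -LogBlocked True
```

The rule listing is the part to read carefully: a rule whose `Program` is `Any` and whose `Port` is `Any` allows every inbound connection on that profile, which is rarely what the person who clicked "Allow" intended.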

**Questions**:
1. If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?
   - **Answer**: Public

## Task 6: App & browser control
Per Microsoft, "Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files".

Refer to the official Microsoft document for more information on Microsoft Defender SmartScreen:
- [Microsoft Defender SmartScreen](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)

<img src="../images/03_Windows/03_img4.png" alt="Windows System Configuration" style = "width: 320px; height: 400px;"/>

**Check apps and files**
- **Windows Defender SmartScreen** helps protect your device by checking for unrecognized apps and files from the web.

<img src="../images/03_Windows/03_img5.png" alt="Windows System Configuration" style = "width: 220px; height: 120px;"/>

**Exploit protection**
- **Exploit protection** is built into Windows 10 (and, in our case, Windows Server 2019) to help protect your device against attacks.

<img src="../images/03_Windows/03_img6.png" alt="Windows System Configuration" style = "width: 200px; height: 320px;"/>
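Both settings on this page can be checked without opening Windows Security. The script below is an added example (not from the room): it reads the Explorer `SmartScreenEnabled` registry value that backs "Check apps and files", prints the system-wide exploit protection mitigations with `Get-ProcessMitigation -System`, and exports the full policy to XML to find programs whose mitigations have been explicitly switched off. It assumes Windows 10 (1709 or later) / Server 2019, where the ProcessMitigations module ships; the XML path under `%TEMP%` is my choice.

```powershell
# Added example, not from the room: check SmartScreen and exploit protection
# from PowerShell. Assumes Windows 10 (1709+) / Server 2019 with the
# ProcessMitigations module.

# "Check apps and files": SmartScreenEnabled holds Warn, Block or Off
# (older builds also used RequireAdmin / Prompt).
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$smart = (Get-ItemProperty -Path $explorer -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
"SmartScreen (check apps and files): {0}" -f ($(if ($smart) { $smart } else { 'not set (default: Warn)' }))
if ($smart -eq 'Off') { Write-Warning 'SmartScreen is off; downloaded executables are not checked.' }

# Exploit protection: system-wide mitigations applied to every process that
# has no per-program override. Each value is ON, OFF or NOTSET.
$sys = Get-ProcessMitigation -System
[pscustomobject]@{
    DEP              = $sys.DEP.Enable
    ASLR_BottomUp    = $sys.ASLR.BottomUp
    ASLR_HighEntropy = $sys.ASLR.HighEntropy
    ForceRelocate    = $sys.ASLR.ForceRelocateImages
    CFG              = $sys.CFG.Enable
    SEHOP            = $sys.SEHOP.Enable
    HeapTerminate    = $sys.Heap.TerminateOnError
}

# Per-program overrides are where exceptions hide. Export the whole policy
# to XML (constructed path) and list programs with a mitigation set to false.
$xmlPath = Join-Path $env:TEMP 'exploit-protection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $xmlPath
[xml]$policy = Get-Content $xmlPath
foreach ($app in $policy.MitigationPolicy.AppConfig) {
    # Only mitigations that carry an Enable attribute are checked here.
    $off = foreach ($m in $app.ChildNodes) { if ($m.Enable -eq 'false') { $m.Name } }
    if ($off) { "{0}: {1} explicitly OFF" -f $app.Executable, ($off -join ', ') }
}
```

A program with DEP or CFG forced off is not automatically wrong (some legacy software needs it), but each such entry is an exception to the protection this page describes and should be known to whoever owns the machine.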


## Task 7: Device security

**Core isolation**

- **Memory Integrity** - Prevents attacks from inserting malicious code into high-security processes.

**Security processor**

<img src="../images/03_Windows/03_img7.png" alt="Windows System Configuration" style = "width: 250px; height: 320px;"/>

- **Trusted Platform Module (TPM)** - A hardware security module that helps protect your device against attacks.

Per Microsoft, "**Trusted Platform Module (TPM)** technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM".

## Task 8: BitLocker

**What is BitLocker?**

Per Microsoft, "**BitLocker Drive Encryption** is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers".

BitLocker offers the best protection on devices that have a TPM installed.

Per Microsoft, "**BitLocker** provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline".

Refer to the official Microsoft documentation to learn more about BitLocker:
- [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)

**Questions**:
1. What must a user insert on computers that DO NOT have a TPM version 1.2 or later?
   - **Answer**: USB Startup Key

For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker.
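Tasks 7 and 8 fit together: memory integrity, the TPM, and BitLocker's key protectors can all be confirmed from one script. The one below is an added example (not from the room): it reads the core isolation state from the `Win32_DeviceGuard` class, the TPM presence and specification version from `Get-Tpm` and `Win32_Tpm`, and then, for each BitLocker volume, the protector types, which is exactly where the "USB startup key" case from the question shows up as an `ExternalKey` protector. It assumes Windows 10 / Server 2019 with the TrustedPlatformModule and BitLocker PowerShell modules (on Server the latter is the `BitLocker` feature) and an elevated prompt.

```powershell
# Added example, not from the room: verify Device security and BitLocker.
# Assumes Windows 10 / Server 2019 with the TrustedPlatformModule and
# BitLocker modules, run from an elevated prompt.

# Core isolation / Memory integrity (HVCI). SecurityServicesRunning lists
# 1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus 2 = running.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
$vbsOn  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$hvciOn = ($dg.SecurityServicesRunning -contains 2)
"Virtualization-based security running: {0}; Memory integrity running: {1}" -f $vbsOn, $hvciOn

# Security processor: is a TPM present and ready, and which spec version is it
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
"TPM present: {0}; ready: {1}; spec version: {2}" -f $tpm.TpmPresent, $tpm.TpmReady, $spec

# BitLocker: which volumes are protected, and by what. Protector types include
# Tpm, TpmPin, ExternalKey (the USB startup key) and RecoveryPassword.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Encrypted  = "$($vol.EncryptionPercentage)%"
        Protectors = ($types -join ', ')
    }
    if ($vol.VolumeType -eq 'OperatingSystem') {
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Warning "$($vol.MountPoint): OS volume is not protected"
        }
        if ($types -notcontains 'RecoveryPassword') {
            Write-Warning "$($vol.MountPoint): no recovery password protector, so a lost key means lost data"
        }
        if (-not $tpm.TpmPresent -and $types -notcontains 'ExternalKey') {
            Write-Warning "$($vol.MountPoint): no TPM and no startup key protector"
        }
    }
}
```

The warnings encode the rule stated above: without a TPM, an `ExternalKey` (startup key on removable media) protector is what unlocks the OS volume at boot, and in every configuration a `RecoveryPassword` should exist and be stored somewhere other than the encrypted drive.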


## Task 9: Volume Shadow Copy Service

**What is the Volume Shadow Copy Service (VSS)?**

Per Microsoft, the **Volume Shadow Copy Service (VSS)** coordinates the required actions to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up. 

Volume Shadow Copies are stored in the System Volume Information folder on each drive that has protection enabled.

If VSS is enabled (System Protection turned on), you can perform the following tasks from within advanced system settings. 

- **Create a restore point**
- **Perform system restore**
- **Configure restore settings**
- **Delete restore points**

From a security perspective, malware writers know of this Windows feature and write code in their malware to look for these files and delete them. Doing so makes it impossible to recover from a ransomware attack unless you have an offline/off-site backup.

<img src="../images/03_Windows/03_img8.png" alt="Windows System Configuration" style = "width: 320px; height: 320px;"/>
<img src="../images/03_Windows/03_img9.png" alt="Windows System Configuration" style = "width: 320px; height: 320px;"/>
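As an added example (not from the room), the PowerShell script below inventories existing shadow copies through the `Win32_ShadowCopy` class (the same data `vssadmin list shadows` prints), creates a new one for `C:`, and then searches the Security log for process-creation events that reference shadow copies, which is how the deletion behaviour described above shows up in telemetry. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2019, an elevated prompt, and that process-creation auditing (event 4688) with command-line logging is enabled; without that audit policy the last query simply returns nothing. The seven-day search window is my choice.

```powershell
# Added example, not from the room: list and create shadow copies, and look
# for the deletion activity ransomware performs. Assumes Windows PowerShell
# 5.1+ on Windows 10 / Server 2019, elevation, and 4688 auditing with
# command-line logging for the detection part.

# 1. What shadow copies exist (same data as 'vssadmin list shadows')
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate, ClientAccessible)
"{0} shadow copy(ies) present" -f $shadows.Count
$shadows | Format-Table -AutoSize

# 2. Create a point-in-time copy of C: (what a restore point relies on).
#    ReturnValue 0 means success; ShadowID is the new copy's GUID.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -eq 0) { "Created shadow copy $($result.ShadowID)" }
else { Write-Warning "Create failed with return code $($result.ReturnValue)" }

# 3. Detection: ransomware removes shadow copies before encrypting, usually
#    through the built-in VSS tooling. With process-creation auditing on,
#    event 4688 records the process and its command line; in that event
#    Properties[5] is NewProcessName and Properties[8] is CommandLine.
$since = (Get-Date).AddDays(-7)   # constructed window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[5].Value -match 'vssadmin\.exe|wmic\.exe|wbadmin\.exe' -and
        $_.Properties[8].Value -match 'shadow'
    } |
    Select-Object TimeCreated,
        @{n='User';        e={ $_.Properties[1].Value }},
        @{n='Process';     e={ $_.Properties[5].Value }},
        @{n='CommandLine'; e={ $_.Properties[8].Value }}
```

A sudden drop in the count from step 1, or any hit from step 3 outside a planned backup job, is the kind of signal the paragraph above is warning about; the offline or off-site backup it recommends remains the only recovery path once the copies are gone.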

## Task 10: Conclusion

In this room, we covered several built-in Windows security tools that ship with the Windows OS to help keep the device protected. 

There is still so much to explain and cover regarding the Windows OS. As mentioned in the Windows Fundamentals 1 room, "The content is aimed at those who wish to understand and use the Windows OS on a more comfortable level."

To learn more about the Windows OS, you'll need to continue the journey on your own. 

**Further reading material:**

- [Antimalware Scan Interface](https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal)
- [Credential Guard](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage)
- [Windows 10 Hello](https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0#:~:text=Windows%2010,in%20with%20just%20your%20PIN)
- [CSO Online - The best new Windows 10 security features](https://www.csoonline.com/article/3253899/the-best-new-windows-10-security-features.html)

**Note:** Attackers use built-in Windows tools and utilities in an attempt to go undetected within the victim environment. This tactic is known as Living Off The Land. Refer to the following resource to learn more about it:
- [Living Off The Land](https://lolbas-project.github.io/)
