CompTIA · Free Practice Questions · Last reviewed May 2026
24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A user reports that their Windows 10 computer is running slowly and they see a 'Low memory' message when opening applications. What should the technician check first to diagnose the issue?
Check for malware using anti-malware software
Increase virtual memory in System Properties
Check RAM usage in Task Manager
Task Manager provides real-time memory usage data, helping to identify if the system is low on RAM or if a specific application is consuming excessive memory.
Run Disk Cleanup to free up space
A technician needs to dual-boot Windows 10 and a Linux distribution on a UEFI-based system. Which partition style is required for the boot drive?
MBR
GPT
GPT is required for UEFI boot, as it supports the EFI System Partition and Secure Boot features.
FAT32
NTFS
A user reports that Windows Update on a Windows 10 Pro workstation has been stuck on 'Downloading updates 0%' for several hours. The technician has already run the Windows Update Troubleshooter, which reported no issues. Which command-line tool should the technician use NEXT to attempt to resolve the problem by repairing potential system file corruption affecting the update process?
sfc /scannow
dism /online /cleanup-image /restorehealth
DISM with /restorehealth checks the component store for corruption and repairs it using Windows Update or a local source. This addresses the root cause of many Windows Update failures and is the appropriate next step after the troubleshooter.
net stop wuauserv && net start wuauserv
wuauclt /detectnow
A Linux administrator needs to change the permissions of a script file named 'script.sh' so that the owner has read, write, and execute permissions; the group has read and execute permissions; and all other users have no permissions. Which of the following commands will achieve the desired permissions?
chmod 750 script.sh
750 sets owner to rwx (7), group to r-x (5), others to --- (0). This matches the requirement exactly.
chmod 755 script.sh
chmod 754 script.sh
chmod 751 script.sh
A technician needs to configure a Windows 10 workstation that will be used by multiple employees who share the same physical device. Each employee should have their own personalized settings and files, and must be able to log in with their own domain credentials. Which of the following should the technician implement?
Join the computer to a workgroup and create local user accounts.
Join the computer to the domain and allow domain user logins.
Domain join enables users to authenticate with their domain credentials. Windows automatically creates roaming or local profiles per user, allowing personalized settings and file storage.
Enable Guest access for all employees.
Configure Windows 10 as a Remote Desktop server and have employees log in remotely.
A technician is setting up a Windows 10 system to run as an informational kiosk in a hotel lobby. The computer must automatically log into a standard user account without requiring a password after any restart or power failure. Which of the following tools should the technician use to configure this behavior?
Local Group Policy Editor (gpedit.msc)
The User Accounts tool (netplwiz)
netplwiz provides the 'Users must enter a user name and password to use this computer' checkbox. Clearing it and entering the account credentials configures automatic logon.
Task Scheduler (taskschd.msc)
Registry Editor (regedit)
A helpdesk technician receives a call from a user who reports that their antivirus software is disabled and cannot be re-enabled. Additionally, the user's files have been renamed with a '.encrypted' extension. Which type of malware is most likely responsible?
Trojan
Worm
Ransomware
Ransomware disables security tools and encrypts files, demanding payment for the decryption key.
Rootkit
A small business owner calls a technician after discovering that all files on their Windows 10 workstation have been renamed with a '.crypt' extension. A ransom note demands payment in Bitcoin within 72 hours or the files will be permanently lost. The business has no recent backups. Which action should the technician take FIRST?
Advise the owner to pay the ransom to recover the files quickly.
Run a full antivirus scan on the affected system.
Disconnect the affected system from the network immediately.
Disconnecting the system halts the spread of ransomware to other network shares or computers. This is the first step in incident response to contain the threat.
Attempt to restore files from Shadow Copies using Previous Versions.
A user receives an email that appears to be from their bank, stating that their account has been compromised and they must click a link to verify their identity. The user notices the sender's email address does not match the bank's official domain. What is the BEST immediate action for the user to take?
Reply to the email asking the sender to verify their identity
Click the link to see if the page looks legitimate
Forward the email to the bank's official customer service or security team
Reporting the suspicious email to the official contact allows the bank to verify the communication and warn other customers. This is a safe and responsible action that helps combat phishing.
Delete the email and ignore it
A security administrator notices that a user's workstation is sending outbound traffic to a known malicious IP address at regular intervals. The user reports no unusual activity. The technician has already run a full antivirus scan with no detections. Which of the following should the technician do NEXT to investigate the persistent network connection?
Run a network packet capture to analyze the traffic content.
Packet capture provides detailed visibility into the actual data being transmitted, helping to identify the nature of the communication (e.g., command and control traffic or data exfiltration). This is the best investigative step.
Disable the network adapter and disconnect the workstation from the network.
Reimage the workstation immediately.
Check the Windows Firewall logs for blocked connections.
A user reports that their Windows 10 workstation suddenly cannot access any network resources. A technician remotely views the system and notices a popup that mimics a Windows Security alert, stating the system is infected. The technician checks the IP configuration and sees the workstation has an APIPA address (169.254.x.x). The network adapter shows no physical link issues. Which of the following is the MOST likely cause of the issue?
A rogue DHCP server is issuing invalid IP addresses on the network.
An ARP poisoning attack is redirecting network traffic, causing the system to lose its lease.
Malware is disabling the DHCP client service to block internet access as part of a scareware campaign.
Scareware often disables network services to create a sense of urgency. APIPA results when the DHCP client fails, and the fake security popup is a classic tactic of scareware.
A DNS hijack is preventing the workstation from resolving network names, so it falls back to APIPA.
A security audit reveals that a legacy application running on a Windows 10 workstation transmits sensitive data over an unencrypted protocol. The application is critical for business operations and cannot be updated or replaced. The workstation is located in a secured server room with restricted physical access. Which of the following would BEST mitigate the risk of data interception for this legacy application?
Implement an IPsec policy on the workstation to encrypt all network traffic.
IPsec provides end-to-end encryption at the network layer, securing all communications from the workstation regardless of application protocol. It can be enforced via Group Policy or local settings.
Install a VPN client on the workstation and connect to a corporate VPN server.
Change the application configuration to use HTTPS for communication.
Place the workstation on an isolated VLAN that has no access to external networks.
A user reports that after installing a new printer driver on a Windows 10 computer, the system blue screens whenever they attempt to print. The computer boots normally but crashes during the print job. Which of the following should the technician do FIRST to resolve the issue?
Run the System File Checker (sfc /scannow) from the Command Prompt.
Boot into Safe Mode and roll back the printer driver.
Safe Mode loads minimal drivers, allowing the technician to access Device Manager and roll back the driver that is causing the blue screen. This directly addresses the problem.
Use System Restore to revert the system to a point before the driver installation.
Perform a repair installation of Windows 10 using installation media.
A user's Windows 10 computer displays the error 'Invalid system disk' after a power outage. The computer previously booted normally. Which of the following is the MOST likely cause of this error?
The Boot Configuration Data (BCD) is corrupted.
The hard drive has failed completely.
The BIOS boot order has changed due to the power outage.
Power outages can cause the CMOS battery to lose power temporarily, resetting BIOS settings. The boot order may default to a non-bootable device, causing the error.
The operating system files are missing or damaged.
A technician updates the graphics driver on a Windows 10 workstation. After restarting, the computer boots to a black screen with only a mouse cursor. The technician is able to boot into Safe Mode by pressing F8 during startup (assuming legacy boot). Which of the following should the technician do FIRST to resolve the issue?
Use System Restore to revert to a previous restore point
Roll back the graphics driver in Device Manager
In Safe Mode, Device Manager is functional. The Driver Roll Back feature reverts to the previously installed driver version, which should restore normal operation. This is the quickest and most specific fix.
Use the Last Known Good Configuration option
Boot into Safe Mode and run sfc /scannow
A user reports that a critical application crashes every time they attempt to save a file to a network drive. The application works fine when saving locally. The network drive is accessible and other users can save files to it without issues. Which of the following steps should the technician take FIRST?
Reinstall the application.
Check the disk space on the network drive.
Insufficient disk space or a quota limit can cause save operations to fail. This is a common cause and should be verified first. The technician can check via the drive properties or server management.
Run chkdsk on the local drive.
Update the network driver.
A user reports that Microsoft Word 2019 crashes every time they attempt to open a specific .docx file. Other Word documents open without issue. The technician has already booted Word in Safe Mode and the crash still occurs when opening this file. Which of the following should the technician do NEXT to resolve the issue?
Reinstall Microsoft Office from the installation media.
Run the System File Checker (SFC) utility from an elevated command prompt.
Use the Open and Repair feature in Word to attempt to recover the file.
Open and Repair is specifically designed to repair corrupted Office documents. It is the appropriate next step after safe mode fails to isolate the issue to the file itself.
Check for Microsoft Office updates and install any available patches.
A user reports that a Windows 10 application frequently crashes with an error indicating that a required DLL file is missing. The technician has verified that the application worked previously. Which of the following should the technician do FIRST?
Reinstall the application
Run SFC /scannow
SFC scans and repairs corrupted system files, which is a logical first step for a missing DLL error when system files may be involved.
Update the graphics driver
Perform a System Restore
A technician is decommissioning several hard drives that contained sensitive client data. The drives are still functional but need to be disposed of securely. Which method ensures the data cannot be recovered?
Quick format the drives and then sell them.
Delete all files and empty the Recycle Bin.
Use a degausser to demagnetize the platters.
Degaussing destroys the magnetic field that stores data, making recovery impossible. This is an industry-standard method for secure disposal of magnetic media.
Perform a standard format and then reuse the drives.
A technician receives a report that several employees have received an email appearing to be from the company's IT department asking them to click a link and enter their login credentials. The technician suspects a phishing attack. What is the FIRST step the technician should take according to incident response procedures?
Identify the affected users and determine if any credentials have been compromised.
Identifying affected users is the initial step to assess the impact. This allows the technician to understand the extent of the breach before taking further action.
Report the incident to management immediately.
Block the sender's email address and delete the email from all inboxes.
Send a company-wide email educating users on how to spot phishing emails.
A small business is upgrading its office equipment and needs to dispose of several old CRT monitors and LCD displays. Which of the following is the MOST environmentally responsible method of disposal for these electronic devices?
Place them in the regular trash dumpster
Sell them to a scrap metal recycler
Donate them to a local charity
Take them to an e-waste recycling center
E-waste recycling facilities are designed to safely dismantle and process electronic devices, recovering materials while minimizing environmental harm. This is the most responsible disposal method.
A technician is setting up a secure disposal plan for old laptops. Which of the following procedures BEST ensures that all sensitive data is irretrievable before disposal?
Deleting all files and emptying the recycle bin.
Performing a standard format of the hard drive.
Using disk encryption software that meets industry standards.
Physically destroying the hard drive platters.
Physical destruction (e.g., shredding, drilling through platters, or incineration) makes data recovery impossible, providing the highest level of security for disposal.
A technician is decommissioning several old laptop batteries that are no longer holding a charge. Which of the following is the MOST appropriate method of disposal for these batteries?
Place them in the regular office trash for collection.
Recycle them through an approved electronics recycling vendor or battery drop-off program.
Proper recycling ensures hazardous materials are handled safely and valuable materials are recovered. This is the environmentally responsible and often legally required method.
Incinerate them at a licensed waste-to-energy facility.
Donate them to a local school for use in demonstrations.
A technician is documenting a recurring issue where users lose network connectivity after a specific software update is installed. The technician has identified the root cause and implemented a temporary workaround. According to change management best practices, what is the NEXT step the technician should take?
Inform all users of the workaround
Submit a request to deploy a permanent fix through the change control process
Change management dictates that any permanent fix must go through the change control process for review, approval, and scheduled deployment.
Revert the update on all affected systems
Escalate the issue to the vendor for a patch
The 220-1102 exam has up to 90 questions and must be completed in 90 minutes. The passing score is 700/1000.
The 220-1102 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.
The exam covers 4 domains: Operating Systems, Security, Software Troubleshooting, Operational Procedures. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official CompTIA 220-1102 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.