© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Host-Based Analysis

Practice 200-201 Host-Based Analysis questions with full explanations on every answer.

99 questions


All 200-201 Host-Based Analysis questions (99)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?

2. During an incident response on a Linux server, an analyst runs 'ps aux' and notices a process named 'cryptominer' with high CPU usage. The process PPID is 1. Which tool would best help the analyst examine the parent-child relationship and find how the process was started?

3. A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the MZ header (4D 5A). The file's entropy is calculated as 7.8. What does the high entropy most likely indicate?

4. An analyst uses Volatility to analyze a memory dump from a compromised Windows machine. Which Volatility command would show the list of running processes along with their parent process IDs?

5. A Linux administrator checks authentication logs to investigate a possible brute-force attack. Which log file typically contains records of successful and failed SSH login attempts?

6. A Windows Event Log shows Event ID 4625 multiple times from the same source IP address. What type of activity does this indicate?

7. During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?

8. An analyst is examining a suspicious file that appears to be a PDF but when checking the magic bytes at offset 0, sees '50 4B 03 04'. What does this indicate?

9. An analyst uses 'sc query' on a Windows host and finds a service named 'WindowsUpdate' with a binary path pointing to 'C:\Users\Public\update.exe'. The service is running. Why is this suspicious?

10. Which Windows artifact stores evidence of file execution, including the path and run count, and is located in C:\Windows\Prefetch?

11. A Linux host has an unusual cron job that runs a script from /tmp every minute. The analyst checks /etc/crontab and /var/spool/cron/ but finds nothing. Where else could the cron job be defined?

12. An analyst uses Volatility's 'netscan' on a memory dump and finds an established connection to an external IP on port 4444. Which type of activity is this commonly associated with?

13. An analyst is investigating a Windows host that likely has malware persistence via the registry. Which TWO registry hives are commonly used to store Run keys for user logon persistence? (Select 2)

14. A security analyst is analyzing a Linux system suspected of being used as a phishing server. Which THREE artifacts should the analyst examine to identify persistence mechanisms? (Select 3)

15. A Windows Event Log analysis reveals Event ID 4720 and 4726 occurrences for the same account within a short time. Which TWO actions were performed? (Select 2)

16. An analyst is investigating a Windows system for signs of malware persistence. Which registry key is commonly used by malware to run automatically at user logon?

17. During incident response on a Linux server, an analyst runs 'ss -tlnp' and sees an SSH service listening on a non-standard high port. Which step should the analyst take next to investigate potential unauthorized access?

18. An analyst is analyzing a suspicious executable file. Using the 'file' command, it returns 'data' instead of 'PE32 executable'. What is the most likely reason?

19. A forensic analyst uses Volatility on a memory dump and runs the 'malfind' plugin. The output shows a process with a VAD region that has PAGE_EXECUTE_READWRITE protection and contains the pattern 'MZ'. What does this indicate?

20. Which Windows Event ID is recorded when a user account is created, indicating potential unauthorized account creation?

21. An analyst finds a suspicious service named 'UpdateSvc' running on a Windows system. Which tool or command would best help determine the service's binary path and start type?

22. A Linux analyst notices a process named '[kworker/1:1+events]' in the process list with high CPU usage. Which further analysis step would help determine if this is a legitimate kernel worker or a rootkit hiding as one?

23. Which Windows Prefetch file extension indicates that a program has been executed on the system?

24. An analyst finds an unknown scheduled task on a Windows system that runs a PowerShell script at system startup. Which tool is best for examining the task's trigger and actions?

25. During memory analysis with Volatility, the 'pstree' plugin shows a parent process of 'winlogon.exe' spawning 'cmd.exe'. What is the most likely explanation for this anomaly?

26. Which Linux log file is most appropriate for reviewing failed SSH login attempts?

27. An analyst is examining a PE file and notices that the 'TimeDateStamp' in the optional header is 0x00000000. What does this suggest?

28. An analyst is investigating a Linux system for persistence mechanisms. Which TWO of the following are common locations for cron-based persistence? (Select TWO)

29. During memory analysis using Volatility, an analyst wants to identify processes with suspicious network connections and potentially injected code. Which THREE plugins should the analyst use? (Select THREE)

30. An analyst is examining a Windows system for evidence of privilege escalation or credential theft. Which THREE Event IDs should the analyst focus on in the Security log? (Select THREE)

31. A security analyst is investigating a Windows host suspected of malware infection. Which tool would allow the analyst to view parent-child relationships of running processes and inspect command line arguments?

32. During a host-based analysis, a Windows system is found to have a suspicious service that starts automatically. Which command-line tool can be used to query the status and configuration of services, particularly to identify non-standard service names or paths?

33. An analyst discovers that a Windows system executes a payload each time a user logs in, even before the desktop appears. Which registry key is most likely used for such persistence, and why would it be harder to detect than typical Run keys?

34. A Windows event log review shows Event ID 4625 multiple times from a single source IP. What does this event indicate, and which log contains it?

35. In Linux forensics, which file would an analyst check to see command history of a user, potentially revealing malicious commands executed?

36. An analyst uses Volatility on a memory dump and runs the 'pstree' command. What specific information does this provide compared to 'pslist'?

37. When analyzing a suspicious PE file, the analyst calculates the file's entropy and finds it to be 7.8. What does a high entropy value typically indicate, and why is it relevant to malware analysis?

38. A Linux analyst wants to identify all listening TCP ports on a system. Which command is most appropriate?

39. In Windows, prefetch files (C:\Windows\Prefetch\*.pf) are used by the system to speed up application loading. How can an analyst leverage prefetch files during host-based analysis?

40. An analyst examining a Linux server notices an unusual cron job in /etc/crontab that runs a script every 5 minutes. Which of the following describes the best approach to determine if this cron job is malicious?

41. A Windows system's security log shows Event ID 4720 followed by 4726 for the same username within minutes. What does this sequence indicate?

42. When performing file analysis, which method is most reliable for determining the actual file type regardless of its extension?

43. An analyst is investigating a Windows host for malware persistence. Which TWO registry locations are commonly abused for persistence by modifying the 'Run' key? (Select TWO)

44. A Linux server has been compromised. The analyst checks for persistence mechanisms. Which THREE of the following are common Linux persistence techniques that should be examined? (Select THREE)

45. During memory analysis using Volatility, an analyst suspects code injection. Which THREE commands would be most useful to identify injected code? (Select THREE)

46. An analyst is investigating a Windows host for signs of malware persistence. Which registry key would the analyst check for programs that run automatically when any user logs in?

47. During an incident response, a Linux system shows unusual outbound network connections from a process named 'httpd'. The analyst uses 'ss -tlnp' to examine listening sockets. Which column would most likely indicate if the process is malicious?

48. A security analyst is analyzing a memory dump using Volatility. The command 'volatility -f mem.dump malfind' returns several results with VAD tags 'VadS' and 'Vadl'. What does this indicate?

49. An analyst is reviewing Windows Event Logs and sees Event ID 4625. What does this event indicate?

50. An analyst is investigating a Windows system where a suspicious executable is running. Using Process Explorer, the analyst observes that the process 'svchost.exe' has a parent process of 'cmd.exe'. What is the significance of this parent-child relationship?

51. During forensic analysis of a Windows host, an analyst finds a file in C:\Windows\Prefetch with the name 'MALWARE.EXE-3F2A1B0C.pf'. Which type of information can be extracted from this prefetch file to assist the investigation?

52. An analyst is examining a Linux system for persistence mechanisms. Which of the following files should be reviewed to detect cron-based persistence?

53. A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the ASCII string 'MZ' at the beginning. What does this indicate?

54. An analyst is using Volatility's 'pslist' and 'pstree' commands on a memory dump. The output shows a process named 'lsass.exe' with a PID of 1024. However, the usual PID for lsass.exe on this system is 512. What does this discrepancy likely indicate?

55. An analyst needs to check for services that were set to start automatically on a Windows host. Which command-line utility can be used to query the state and start type of all services?

56. An analyst is investigating a Linux host and runs 'cat /proc/1234/cmdline'. What information does this provide?

57. An analyst finds a registry modification under 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. What is the primary use of this registry key?

58. A forensic analyst is examining a suspicious file. The file has a high entropy score (close to 8.0) and the PE section names are obfuscated. Which tool or technique would best help determine if the file is packed?

59. An analyst is examining a Linux system for signs of an attacker establishing persistence. Which TWO of the following locations should the analyst check? (Choose two.)

60. An analyst is investigating a Windows host and observes a suspicious process with PID 1337. Which THREE of the following Volatility commands would provide useful information about this process? (Choose three.)

61. A security analyst is investigating a Windows host and wants to view running processes along with their parent-child relationships and command-line arguments. Which tool is best suited for this task?

62. An analyst discovers a suspicious service on a Windows host. Which command can be used to query the status and details of services from the command line?

63. During an incident response, an analyst checks for persistence mechanisms and finds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the most likely purpose of this registry key?

64. An analyst is reviewing Windows Security Event Logs and finds Event ID 4648. What does this event indicate?

65. An analyst investigating a Linux host notices an unusual process running as root. Which command would provide the most detailed process listing including parent PID and CPU usage?

66. A Linux system administrator notices unauthorized SSH logins in /var/log/auth.log. Which of the following log entries would indicate a failed SSH login attempt?

67. An analyst is performing memory forensics on a Windows machine using Volatility. Which command would be most useful to identify hidden or injected code within a process?

68. During a forensic examination of a Linux system, an analyst wants to check for persistence mechanisms. Which file or directory should be examined to find user-specific cron jobs that may have been added by an attacker?

69. An analyst is analyzing a suspicious PE file. The file's entropy is high (close to 8.0), and the section names appear random. What does this likely indicate?

70. An analyst uses Volatility's pstree plugin on a memory dump. The output shows that process 'winlogon.exe' has a child process 'cmd.exe' that is not typical. What is the most likely explanation?

71. An analyst is reviewing Windows Event Logs and sees multiple Event ID 4625 entries from a single IP address. What does this indicate?

72. An analyst discovers an unknown process on a Windows host that has no parent process (PPID 0). What does this likely indicate?

73. An incident responder is analyzing a Windows machine for evidence of malware persistence. Which TWO registry keys are commonly abused to achieve automatic execution at user logon?

74. A security analyst is examining a Linux system suspected of compromise. Which THREE artifacts should be reviewed to identify potential persistence mechanisms?

75. An analyst is using Volatility to analyze a memory dump. Which TWO plugins are most effective for detecting code injection?

76. During a host-based analysis of a Windows system, an analyst finds a suspicious executable that runs every time the system boots. Which registry key is most commonly used for this type of persistence?

77. An analyst is investigating a Linux system and wants to view the current network connections. Which command is most appropriate to list listening TCP ports along with the associated processes?

78. A security analyst is analyzing a memory dump from a compromised Windows system using Volatility. Which command would best reveal hidden or injected code within a process?

79. An analyst is reviewing Windows Event Logs and finds Event ID 4648. What does this event typically indicate?

80. During a host-based analysis, an analyst discovers a suspicious service on a Windows machine. Which tool or command can be used to query the service configuration?

81. An analyst wants to determine if a specific executable has been run on a Windows system. Which artifact provides evidence of prior execution?

82. An analyst is examining a suspicious PE file. The file's entropy is very high (close to 8.0) and the import table is almost empty. What does this indicate?

83. In a Linux system, an analyst wants to check for unauthorized cron jobs. Which of the following is a common location for user-specific cron jobs?

84. An analyst runs Volatility's pstree plugin on a memory dump. The output shows that a process 'svchost.exe' is the child of 'explorer.exe'. What is suspicious about this?

85. Which Windows Event ID corresponds to a successful user logon?

86. An analyst is reviewing a memory dump and uses Volatility's cmdline plugin to view process command lines. One process shows command line arguments that include a long base64-encoded string. What should the analyst suspect?

87. An analyst is examining a Linux server and notices an unusual systemd service that starts automatically. Which command would be used to disable this service?

88. An analyst is investigating a Windows system for signs of malware persistence. Which TWO registry locations are commonly used by malware to achieve automatic startup? (Choose two.)

89. An analyst is analyzing a Linux system that may have been compromised. Which THREE artifacts would provide evidence of attacker activity? (Choose three.)

90. During memory analysis using Volatility, an analyst wants to identify processes that may be hiding. Which TWO plugins are most useful for detecting hidden or injected code? (Choose two.)

91. An analyst examines a Windows endpoint and finds a suspicious executable in the Startup folder. Which registry key is commonly used for persistence via legitimate startup programs and is often abused by malware?

92. During incident response, a Linux server is found to have an unknown process listening on a high TCP port. The process is not listed in any systemd unit files. Which command will best help identify the process parent and its command-line arguments?

93. A security analyst is investigating a Windows workstation that experienced a series of failed logon attempts followed by a successful logon. Which TWO Windows Event IDs should the analyst examine to understand this activity?

94. An analyst is reviewing a memory dump using Volatility. They want to identify processes with potential code injection. Which TWO Volatility plugins would be most appropriate for detecting injected code?

95. During a Linux forensic investigation, an analyst finds a suspicious process. The analyst wants to check for persistence mechanisms. Which THREE Linux artifacts should be examined?

96. A Windows analyst uses Process Explorer to investigate parent-child relationships. Which TWO characteristics are commonly associated with malicious processes?

97. An analyst is examining a suspicious executable file. The file has a .pdf extension but the magic bytes are 'MZ'. Which THREE indicators suggest the file is malicious?

98. During a Linux incident response, an analyst runs 'ps aux' and sees a process with a suspicious name. The analyst wants to gather more information. Which TWO commands can provide the process's network connections?

99. An analyst is investigating a Windows system using prefetch files. The analyst notices a prefetch file for a tool called 'procdump.exe' with a run count of 1 and the last run time corresponding to the time of the incident. Which THREE conclusions can be drawn?


Frequently asked questions

What does the Host-Based Analysis domain cover on the 200-201 exam?

The Host-Based Analysis domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.

How many Host-Based Analysis questions are in the 200-201 question bank?

The Courseiva 200-201 question bank contains 99 questions in the Host-Based Analysis domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Host-Based Analysis for 200-201?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Host-Based Analysis questions for 200-201?

Yes — the session launcher on this page draws questions exclusively from the Host-Based Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
