Practice 200-201 Host-Based Analysis questions with full explanations on every answer.
1. An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?
2. During an incident response on a Linux server, an analyst runs 'ps aux' and notices a process named 'cryptominer' with high CPU usage. The process PPID is 1. Which tool would best help the analyst examine the parent-child relationship and find how the process was started?
3. A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the MZ header (4D 5A). The file's entropy is calculated as 7.8. What does the high entropy most likely indicate?
4. An analyst uses Volatility to analyze a memory dump from a compromised Windows machine. Which Volatility command would show the list of running processes along with their parent process IDs?
5. A Linux administrator checks authentication logs to investigate a possible brute-force attack. Which log file typically contains records of successful and failed SSH login attempts?
6. A Windows Event Log shows Event ID 4625 multiple times from the same source IP address. What type of activity does this indicate?
7. During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?
8. An analyst is examining a suspicious file that appears to be a PDF but when checking the magic bytes at offset 0, sees '50 4B 03 04'. What does this indicate?
9. An analyst uses 'sc query' on a Windows host and finds a service named 'WindowsUpdate' with a binary path pointing to 'C:\Users\Public\update.exe'. The service is running. Why is this suspicious?
10. Which Windows artifact stores evidence of file execution, including the path and run count, and is located in C:\Windows\Prefetch?
11. A Linux host has an unusual cron job that runs a script from /tmp every minute. The analyst checks /etc/crontab and /var/spool/cron/ but finds nothing. Where else could the cron job be defined?
12. An analyst uses Volatility's 'netscan' on a memory dump and finds an established connection to an external IP on port 4444. Which type of activity is this commonly associated with?
13. An analyst is investigating a Windows host that likely has malware persistence via the registry. Which TWO registry hives are commonly used to store Run keys for user logon persistence? (Select 2)
14. A security analyst is analyzing a Linux system suspected of being used as a phishing server. Which THREE artifacts should the analyst examine to identify persistence mechanisms? (Select 3)
15. A Windows Event Log analysis reveals Event ID 4720 and 4726 occurrences for the same account within a short time. Which TWO actions were performed? (Select 2)
16. An analyst is investigating a Windows system for signs of malware persistence. Which registry key is commonly used by malware to run automatically at user logon?
17. During incident response on a Linux server, an analyst runs 'ss -tlnp' and sees an SSH service listening on a non-standard high port. Which step should the analyst take next to investigate potential unauthorized access?
18. An analyst is analyzing a suspicious executable file. Using the 'file' command, it returns 'data' instead of 'PE32 executable'. What is the most likely reason?
19. A forensic analyst uses Volatility on a memory dump and runs the 'malfind' plugin. The output shows a process with a VAD region that has PAGE_EXECUTE_READWRITE protection and contains the pattern 'MZ'. What does this indicate?
20. Which Windows Event ID is recorded when a user account is created, indicating potential unauthorized account creation?
21. An analyst finds a suspicious service named 'UpdateSvc' running on a Windows system. Which tool or command would best help determine the service's binary path and start type?
22. A Linux analyst notices a process named '[kworker/1:1+events]' in the process list with high CPU usage. Which further analysis step would help determine if this is a legitimate kernel worker or a rootkit hiding as one?
23. Which Windows Prefetch file extension indicates that a program has been executed on the system?
24. An analyst finds an unknown scheduled task on a Windows system that runs a PowerShell script at system startup. Which tool is best for examining the task's trigger and actions?
25. During memory analysis with Volatility, the 'pstree' plugin shows a parent process of 'winlogon.exe' spawning 'cmd.exe'. What is the most likely explanation for this anomaly?
26. Which Linux log file is most appropriate for reviewing failed SSH login attempts?
27. An analyst is examining a PE file and notices that the 'TimeDateStamp' in the optional header is 0x00000000. What does this suggest?
28. An analyst is investigating a Linux system for persistence mechanisms. Which TWO of the following are common locations for cron-based persistence? (Select TWO)
29. During memory analysis using Volatility, an analyst wants to identify processes with suspicious network connections and potentially injected code. Which THREE plugins should the analyst use? (Select THREE)
30. An analyst is examining a Windows system for evidence of privilege escalation or credential theft. Which THREE Event IDs should the analyst focus on in the Security log? (Select THREE)
31. A security analyst is investigating a Windows host suspected of malware infection. Which tool would allow the analyst to view parent-child relationships of running processes and inspect command line arguments?
32. During a host-based analysis, a Windows system is found to have a suspicious service that starts automatically. Which command-line tool can be used to query the status and configuration of services, particularly to identify non-standard service names or paths?
33. An analyst discovers that a Windows system executes a payload each time a user logs in, even before the desktop appears. Which registry key is most likely used for such persistence, and why would it be harder to detect than typical Run keys?
34. A Windows event log review shows Event ID 4625 multiple times from a single source IP. What does this event indicate, and which log contains it?
35. In Linux forensics, which file would an analyst check to see command history of a user, potentially revealing malicious commands executed?
36. An analyst uses Volatility on a memory dump and runs the 'pstree' command. What specific information does this provide compared to 'pslist'?
37. When analyzing a suspicious PE file, the analyst calculates the file's entropy and finds it to be 7.8. What does a high entropy value typically indicate, and why is it relevant to malware analysis?
38. A Linux analyst wants to identify all listening TCP ports on a system. Which command is most appropriate?
39. In Windows, prefetch files (C:\Windows\Prefetch\*.pf) are used by the system to speed up application loading. How can an analyst leverage prefetch files during host-based analysis?
40. An analyst examining a Linux server notices an unusual cron job in /etc/crontab that runs a script every 5 minutes. Which of the following describes the best approach to determine if this cron job is malicious?
41. A Windows system's security log shows Event ID 4720 followed by 4726 for the same username within minutes. What does this sequence indicate?
42. When performing file analysis, which method is most reliable for determining the actual file type regardless of its extension?
43. An analyst is investigating a Windows host for malware persistence. Which TWO registry locations are commonly abused for persistence by modifying the 'Run' key? (Select TWO)
44. A Linux server has been compromised. The analyst checks for persistence mechanisms. Which THREE of the following are common Linux persistence techniques that should be examined? (Select THREE)
45. During memory analysis using Volatility, an analyst suspects code injection. Which THREE commands would be most useful to identify injected code? (Select THREE)
46. An analyst is investigating a Windows host for signs of malware persistence. Which registry key would the analyst check for programs that run automatically when any user logs in?
47. During an incident response, a Linux system shows unusual outbound network connections from a process named 'httpd'. The analyst uses 'ss -tlnp' to examine listening sockets. Which column would most likely indicate if the process is malicious?
48. A security analyst is analyzing a memory dump using Volatility. The command 'volatility -f mem.dump malfind' returns several results with VAD tags 'VadS' and 'Vadl'. What does this indicate?
49. An analyst is reviewing Windows Event Logs and sees Event ID 4625. What does this event indicate?
50. An analyst is investigating a Windows system where a suspicious executable is running. Using Process Explorer, the analyst observes that the process 'svchost.exe' has a parent process of 'cmd.exe'. What is the significance of this parent-child relationship?
51. During forensic analysis of a Windows host, an analyst finds a file in C:\Windows\Prefetch with the name 'MALWARE.EXE-3F2A1B0C.pf'. Which type of information can be extracted from this prefetch file to assist the investigation?
52. An analyst is examining a Linux system for persistence mechanisms. Which of the following files should be reviewed to detect cron-based persistence?
53. A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the ASCII string 'MZ' at the beginning. What does this indicate?
54. An analyst is using Volatility's 'pslist' and 'pstree' commands on a memory dump. The output shows a process named 'lsass.exe' with a PID of 1024. However, the usual PID for lsass.exe on this system is 512. What does this discrepancy likely indicate?
55. An analyst needs to check for services that were set to start automatically on a Windows host. Which command-line utility can be used to query the state and start type of all services?
56. An analyst is investigating a Linux host and runs 'cat /proc/1234/cmdline'. What information does this provide?
57. An analyst finds a registry modification under 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. What is the primary use of this registry key?
58. A forensic analyst is examining a suspicious file. The file has a high entropy score (close to 8.0) and the PE section names are obfuscated. Which tool or technique would best help determine if the file is packed?
59. An analyst is examining a Linux system for signs of an attacker establishing persistence. Which TWO of the following locations should the analyst check? (Choose two.)
60. An analyst is investigating a Windows host and observes a suspicious process with PID 1337. Which THREE of the following Volatility commands would provide useful information about this process? (Choose three.)
61. A security analyst is investigating a Windows host and wants to view running processes along with their parent-child relationships and command-line arguments. Which tool is best suited for this task?
62. An analyst discovers a suspicious service on a Windows host. Which command can be used to query the status and details of services from the command line?
63. During an incident response, an analyst checks for persistence mechanisms and finds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the most likely purpose of this registry key?
64. An analyst is reviewing Windows Security Event Logs and finds Event ID 4648. What does this event indicate?
65. An analyst investigating a Linux host notices an unusual process running as root. Which command would provide the most detailed process listing including parent PID and CPU usage?
66. A Linux system administrator notices unauthorized SSH logins in /var/log/auth.log. Which of the following log entries would indicate a failed SSH login attempt?
67. An analyst is performing memory forensics on a Windows machine using Volatility. Which command would be most useful to identify hidden or injected code within a process?
68. During a forensic examination of a Linux system, an analyst wants to check for persistence mechanisms. Which file or directory should be examined to find user-specific cron jobs that may have been added by an attacker?
69. An analyst is analyzing a suspicious PE file. The file's entropy is high (close to 8.0), and the section names appear random. What does this likely indicate?
70. An analyst uses Volatility's pstree plugin on a memory dump. The output shows that process 'winlogon.exe' has a child process 'cmd.exe' that is not typical. What is the most likely explanation?
71. An analyst is reviewing Windows Event Logs and sees multiple Event ID 4625 entries from a single IP address. What does this indicate?
72. An analyst discovers an unknown process on a Windows host that has no parent process (PPID 0). What does this likely indicate?
73. An incident responder is analyzing a Windows machine for evidence of malware persistence. Which TWO registry keys are commonly abused to achieve automatic execution at user logon?
74. A security analyst is examining a Linux system suspected of compromise. Which THREE artifacts should be reviewed to identify potential persistence mechanisms?
75. An analyst is using Volatility to analyze a memory dump. Which TWO plugins are most effective for detecting code injection?
76. During a host-based analysis of a Windows system, an analyst finds a suspicious executable that runs every time the system boots. Which registry key is most commonly used for this type of persistence?
77. An analyst is investigating a Linux system and wants to view the current network connections. Which command is most appropriate to list listening TCP ports along with the associated processes?
78. A security analyst is analyzing a memory dump from a compromised Windows system using Volatility. Which command would best reveal hidden or injected code within a process?
79. An analyst is reviewing Windows Event Logs and finds Event ID 4648. What does this event typically indicate?
80. During a host-based analysis, an analyst discovers a suspicious service on a Windows machine. Which tool or command can be used to query the service configuration?
81. An analyst wants to determine if a specific executable has been run on a Windows system. Which artifact provides evidence of prior execution?
82. An analyst is examining a suspicious PE file. The file's entropy is very high (close to 8.0) and the import table is almost empty. What does this indicate?
83. In a Linux system, an analyst wants to check for unauthorized cron jobs. Which of the following is a common location for user-specific cron jobs?
84. An analyst runs Volatility's pstree plugin on a memory dump. The output shows that a process 'svchost.exe' is the child of 'explorer.exe'. What is suspicious about this?
85. Which Windows Event ID corresponds to a successful user logon?
86. An analyst is reviewing a memory dump and uses Volatility's cmdline plugin to view process command lines. One process shows command line arguments that include a long base64-encoded string. What should the analyst suspect?
87. An analyst is examining a Linux server and notices an unusual systemd service that starts automatically. Which command would be used to disable this service?
88. An analyst is investigating a Windows system for signs of malware persistence. Which TWO registry locations are commonly used by malware to achieve automatic startup? (Choose two.)
89. An analyst is analyzing a Linux system that may have been compromised. Which THREE artifacts would provide evidence of attacker activity? (Choose three.)
90. During memory analysis using Volatility, an analyst wants to identify processes that may be hiding. Which TWO plugins are most useful for detecting hidden or injected code? (Choose two.)
91. An analyst examines a Windows endpoint and finds a suspicious executable in the Startup folder. Which registry key is commonly used for persistence via legitimate startup programs and is often abused by malware?
92. During incident response, a Linux server is found to have an unknown process listening on a high TCP port. The process is not listed in any systemd unit files. Which command will best help identify the process parent and its command-line arguments?
93. A security analyst is investigating a Windows workstation that experienced a series of failed logon attempts followed by a successful logon. Which TWO Windows Event IDs should the analyst examine to understand this activity?
94. An analyst is reviewing a memory dump using Volatility. They want to identify processes with potential code injection. Which TWO Volatility plugins would be most appropriate for detecting injected code?
95. During a Linux forensic investigation, an analyst finds a suspicious process. The analyst wants to check for persistence mechanisms. Which THREE Linux artifacts should be examined?
96. A Windows analyst uses Process Explorer to investigate parent-child relationships. Which TWO characteristics are commonly associated with malicious processes?
97. An analyst is examining a suspicious executable file. The file has a .pdf extension but the magic bytes are 'MZ'. Which THREE indicators suggest the file is malicious?
98. During a Linux incident response, an analyst runs 'ps aux' and sees a process with a suspicious name. The analyst wants to gather more information. Which TWO commands can provide the process's network connections?
99. An analyst is investigating a Windows system using prefetch files. The analyst notices a prefetch file for a tool called 'procdump.exe' with a run count of 1 and the last run time corresponding to the time of the incident. Which THREE conclusions can be drawn?
The Host-Based Analysis domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.
The Courseiva 200-201 question bank contains 99 questions in the Host-Based Analysis domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.