Courseiva
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

200-201 Host-Based Analysis • Complete Question Bank

200-201 Host-Based Analysis — All Questions With Answers

Complete 200-201 Host-Based Analysis question bank — all 0 questions with answers and detailed explanations.

99 questions · Free · No signup
Question 1 (easy, multiple choice)

An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?

Question 2 (medium, multiple choice)

During an incident response on a Linux server, an analyst runs 'ps aux' and notices a process named 'cryptominer' with high CPU usage. The process PPID is 1. Which tool would best help the analyst examine the parent-child relationship and find how the process was started?

Question 3 (hard, multiple choice)

A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the MZ header (4D 5A). The file's entropy is calculated as 7.8. What does the high entropy most likely indicate?

Question 4 (medium, multiple choice)

An analyst uses Volatility to analyze a memory dump from a compromised Windows machine. Which Volatility command would show the list of running processes along with their parent process IDs?

Question 5 (easy, multiple choice)

A Linux administrator checks authentication logs to investigate a possible brute-force attack. Which log file typically contains records of successful and failed SSH login attempts?

Question 6 (medium, multiple choice)

A Windows Event Log shows Event ID 4625 multiple times from the same source IP address. What type of activity does this indicate?

Question 7 (hard, multiple choice)

During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?

Question 8 (medium, multiple choice)

An analyst is examining a suspicious file that appears to be a PDF but when checking the magic bytes at offset 0, sees '50 4B 03 04'. What does this indicate?

Question 9 (medium, multiple choice)

An analyst uses 'sc query' on a Windows host and finds a service named 'WindowsUpdate' with a binary path pointing to 'C:\Users\Public\update.exe'. The service is running. Why is this suspicious?

Question 10 (easy, multiple choice)

Which Windows artifact stores evidence of file execution, including the path and run count, and is located in C:\Windows\Prefetch?

Question 11 (hard, multiple choice)

A Linux host has an unusual cron job that runs a script from /tmp every minute. The analyst checks /etc/crontab and /var/spool/cron/ but finds nothing. Where else could the cron job be defined?

Question 12 (medium, multiple choice)

An analyst uses Volatility's 'netscan' on a memory dump and finds an established connection to an external IP on port 4444. Which type of activity is this commonly associated with?

Question 13 (medium, multi select)

An analyst is investigating a Windows host that likely has malware persistence via the registry. Which TWO registry hives are commonly used to store Run keys for user logon persistence? (Select 2)

Question 14 (hard, multi select)

A security analyst is analyzing a Linux system suspected of being used as a phishing server. Which THREE artifacts should the analyst examine to identify persistence mechanisms? (Select 3)

Question 15 (medium, multi select)

A Windows Event Log analysis reveals Event ID 4720 and 4726 occurrences for the same account within a short time. Which TWO actions were performed? (Select 2)

Question 16 (easy, multiple choice)

An analyst is investigating a Windows system for signs of malware persistence. Which registry key is commonly used by malware to run automatically at user logon?

Question 17 (medium, multiple choice)

During incident response on a Linux server, an analyst runs 'ss -tlnp' and sees an SSH service listening on a non-standard high port. Which step should the analyst take next to investigate potential unauthorized access?

Question 18 (medium, multiple choice)

An analyst is analyzing a suspicious executable file. Using the 'file' command, it returns 'data' instead of 'PE32 executable'. What is the most likely reason?

Question 19 (hard, multiple choice)

A forensic analyst uses Volatility on a memory dump and runs the 'malfind' plugin. The output shows a process with a VAD region that has PAGE_EXECUTE_READWRITE protection and contains the pattern 'MZ'. What does this indicate?

Question 20 (easy, multiple choice)

Which Windows Event ID is recorded when a user account is created, indicating potential unauthorized account creation?

Question 21 (medium, multiple choice)

An analyst finds a suspicious service named 'UpdateSvc' running on a Windows system. Which tool or command would best help determine the service's binary path and start type?

Question 22 (hard, multiple choice)

A Linux analyst notices a process named '[kworker/1:1+events]' in the process list with high CPU usage. Which further analysis step would help determine if this is a legitimate kernel worker or a rootkit hiding as one?

Question 23 (easy, multiple choice)

Which Windows Prefetch file extension indicates that a program has been executed on the system?

Question 24 (medium, multiple choice)

An analyst finds an unknown scheduled task on a Windows system that runs a PowerShell script at system startup. Which tool is best for examining the task's trigger and actions?

Question 25 (hard, multiple choice)

During memory analysis with Volatility, the 'pstree' plugin shows a parent process of 'winlogon.exe' spawning 'cmd.exe'. What is the most likely explanation for this anomaly?

Question 26 (medium, multiple choice)

Which Linux log file is most appropriate for reviewing failed SSH login attempts?

Question 27 (medium, multiple choice)

An analyst is examining a PE file and notices that the 'TimeDateStamp' in the optional header is 0x00000000. What does this suggest?

Question 28 (easy, multi select)

An analyst is investigating a Linux system for persistence mechanisms. Which TWO of the following are common locations for cron-based persistence? (Select TWO)

Question 29 (medium, multi select)

During memory analysis using Volatility, an analyst wants to identify processes with suspicious network connections and potentially injected code. Which THREE plugins should the analyst use? (Select THREE)

Question 30 (hard, multi select)

An analyst is examining a Windows system for evidence of privilege escalation or credential theft. Which THREE Event IDs should the analyst focus on in the Security log? (Select THREE)

Question 31 (easy, multiple choice)

A security analyst is investigating a Windows host suspected of malware infection. Which tool would allow the analyst to view parent-child relationships of running processes and inspect command line arguments?

Question 32 (medium, multiple choice)

During a host-based analysis, a Windows system is found to have a suspicious service that starts automatically. Which command-line tool can be used to query the status and configuration of services, particularly to identify non-standard service names or paths?

Question 33 (hard, multiple choice)

An analyst discovers that a Windows system executes a payload each time a user logs in, even before the desktop appears. Which registry key is most likely used for such persistence, and why would it be harder to detect than typical Run keys?

Question 34 (medium, multiple choice)

A Windows event log review shows Event ID 4625 multiple times from a single source IP. What does this event indicate, and which log contains it?

Question 35 (easy, multiple choice)

In Linux forensics, which file would an analyst check to see command history of a user, potentially revealing malicious commands executed?

Question 36 (medium, multiple choice)

An analyst uses Volatility on a memory dump and runs the 'pstree' command. What specific information does this provide compared to 'pslist'?

Question 37 (hard, multiple choice)

When analyzing a suspicious PE file, the analyst calculates the file's entropy and finds it to be 7.8. What does a high entropy value typically indicate, and why is it relevant to malware analysis?

Question 38 (easy, multiple choice)

A Linux analyst wants to identify all listening TCP ports on a system. Which command is most appropriate?

Question 39 (medium, multiple choice)

In Windows, prefetch files (C:\Windows\Prefetch\*.pf) are used by the system to speed up application loading. How can an analyst leverage prefetch files during host-based analysis?

Question 40 (hard, multiple choice)

An analyst examining a Linux server notices an unusual cron job in /etc/crontab that runs a script every 5 minutes. Which of the following describes the best approach to determine if this cron job is malicious?

Question 41 (medium, multiple choice)

A Windows system's security log shows Event ID 4720 followed by 4726 for the same username within minutes. What does this sequence indicate?

Question 42 (easy, multiple choice)

When performing file analysis, which method is most reliable for determining the actual file type regardless of its extension?

Question 43 (medium, multi select)

An analyst is investigating a Windows host for malware persistence. Which TWO registry locations are commonly abused for persistence by modifying the 'Run' key? (Select TWO)

Question 44 (hard, multi select)

A Linux server has been compromised. The analyst checks for persistence mechanisms. Which THREE of the following are common Linux persistence techniques that should be examined? (Select THREE)

Question 45 (medium, multi select)

During memory analysis using Volatility, an analyst suspects code injection. Which THREE commands would be most useful to identify injected code? (Select THREE)

Question 46 (easy, multiple choice)

An analyst is investigating a Windows host for signs of malware persistence. Which registry key would the analyst check for programs that run automatically when any user logs in?

Question 47 (medium, multiple choice)

During an incident response, a Linux system shows unusual outbound network connections from a process named 'httpd'. The analyst uses 'ss -tlnp' to examine listening sockets. Which column would most likely indicate if the process is malicious?

Question 48 (hard, multiple choice)

A security analyst is analyzing a memory dump using Volatility. The command 'volatility -f mem.dump malfind' returns several results with VAD tags 'VadS' and 'Vadl'. What does this indicate?

Question 49 (easy, multiple choice)

An analyst is reviewing Windows Event Logs and sees Event ID 4625. What does this event indicate?

Question 50 (medium, multiple choice)

An analyst is investigating a Windows system where a suspicious executable is running. Using Process Explorer, the analyst observes that the process 'svchost.exe' has a parent process of 'cmd.exe'. What is the significance of this parent-child relationship?

Question 51 (hard, multiple choice)

During forensic analysis of a Windows host, an analyst finds a file in C:\Windows\Prefetch with the name 'MALWARE.EXE-3F2A1B0C.pf'. Which type of information can be extracted from this prefetch file to assist the investigation?

Question 52 (medium, multiple choice)

An analyst is examining a Linux system for persistence mechanisms. Which of the following files should be reviewed to detect cron-based persistence?

Question 53 (medium, multiple choice)

A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the ASCII string 'MZ' at the beginning. What does this indicate?

Question 54 (hard, multiple choice)

An analyst is using Volatility's 'pslist' and 'pstree' commands on a memory dump. The output shows a process named 'lsass.exe' with a PID of 1024. However, the usual PID for lsass.exe on this system is 512. What does this discrepancy likely indicate?

Question 55 (easy, multiple choice)

An analyst needs to check for services that were set to start automatically on a Windows host. Which command-line utility can be used to query the state and start type of all services?

Question 56 (medium, multiple choice)

An analyst is investigating a Linux host and runs 'cat /proc/1234/cmdline'. What information does this provide?

Question 57 (medium, multiple choice)

An analyst finds a registry modification under 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. What is the primary use of this registry key?

Question 58 (hard, multiple choice)

A forensic analyst is examining a suspicious file. The file has a high entropy score (close to 8.0) and the PE section names are obfuscated. Which tool or technique would best help determine if the file is packed?

Question 59 (medium, multi select)

An analyst is examining a Linux system for signs of an attacker establishing persistence. Which TWO of the following locations should the analyst check? (Choose two.)

Question 60 (hard, multi select)

An analyst is investigating a Windows host and observes a suspicious process with PID 1337. Which THREE of the following Volatility commands would provide useful information about this process? (Choose three.)

Question 61 (easy, multiple choice)

A security analyst is investigating a Windows host and wants to view running processes along with their parent-child relationships and command-line arguments. Which tool is best suited for this task?

Question 62 (easy, multiple choice)

An analyst discovers a suspicious service on a Windows host. Which command can be used to query the status and details of services from the command line?

Question 63 (medium, multiple choice)

During an incident response, an analyst checks for persistence mechanisms and finds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the most likely purpose of this registry key?

Question 64 (medium, multiple choice)

An analyst is reviewing Windows Security Event Logs and finds Event ID 4648. What does this event indicate?

Question 65 (medium, multiple choice)

An analyst investigating a Linux host notices an unusual process running as root. Which command would provide the most detailed process listing including parent PID and CPU usage?

Question 66 (medium, multiple choice)

A Linux system administrator notices unauthorized SSH logins in /var/log/auth.log. Which of the following log entries would indicate a failed SSH login attempt?

Question 67 (medium, multiple choice)

An analyst is performing memory forensics on a Windows machine using Volatility. Which command would be most useful to identify hidden or injected code within a process?

Question 68 (hard, multiple choice)

During a forensic examination of a Linux system, an analyst wants to check for persistence mechanisms. Which file or directory should be examined to find user-specific cron jobs that may have been added by an attacker?

Question 69 (hard, multiple choice)

An analyst is analyzing a suspicious PE file. The file's entropy is high (close to 8.0), and the section names appear random. What does this likely indicate?

Question 70 (hard, multiple choice)

An analyst uses Volatility's pstree plugin on a memory dump. The output shows that process 'winlogon.exe' has a child process 'cmd.exe' that is not typical. What is the most likely explanation?

Question 71 (medium, multiple choice)

An analyst is reviewing Windows Event Logs and sees multiple Event ID 4625 entries from a single IP address. What does this indicate?

Question 72 (medium, multiple choice)

An analyst discovers an unknown process on a Windows host that has no parent process (PPID 0). What does this likely indicate?

Question 73 (medium, multi select)

An incident responder is analyzing a Windows machine for evidence of malware persistence. Which TWO registry keys are commonly abused to achieve automatic execution at user logon?

Question 74 (hard, multi select)

A security analyst is examining a Linux system suspected of compromise. Which THREE artifacts should be reviewed to identify potential persistence mechanisms?

Question 75 (hard, multi select)

An analyst is using Volatility to analyze a memory dump. Which TWO plugins are most effective for detecting code injection?

Question 76 (easy, multiple choice)

During a host-based analysis of a Windows system, an analyst finds a suspicious executable that runs every time the system boots. Which registry key is most commonly used for this type of persistence?

Question 77 (medium, multiple choice)

An analyst is investigating a Linux system and wants to view the current network connections. Which command is most appropriate to list listening TCP ports along with the associated processes?

Question 78 (hard, multiple choice)

A security analyst is analyzing a memory dump from a compromised Windows system using Volatility. Which command would best reveal hidden or injected code within a process?

Question 79 (medium, multiple choice)

An analyst is reviewing Windows Event Logs and finds Event ID 4648. What does this event typically indicate?

Question 80 (medium, multiple choice)

During a host-based analysis, an analyst discovers a suspicious service on a Windows machine. Which tool or command can be used to query the service configuration?

Question 81 (easy, multiple choice)

An analyst wants to determine if a specific executable has been run on a Windows system. Which artifact provides evidence of prior execution?

Question 82 (hard, multiple choice)

An analyst is examining a suspicious PE file. The file's entropy is very high (close to 8.0) and the import table is almost empty. What does this indicate?

Question 83 (medium, multiple choice)

In a Linux system, an analyst wants to check for unauthorized cron jobs. Which of the following is a common location for user-specific cron jobs?

Question 84 (medium, multiple choice)

An analyst runs Volatility's pstree plugin on a memory dump. The output shows that a process 'svchost.exe' is the child of 'explorer.exe'. What is suspicious about this?

Question 85 (easy, multiple choice)

Which Windows Event ID corresponds to a successful user logon?

Question 86 (hard, multiple choice)

An analyst is reviewing a memory dump and uses Volatility's cmdline plugin to view process command lines. One process shows command line arguments that include a long base64-encoded string. What should the analyst suspect?

Question 87 (medium, multiple choice)

An analyst is examining a Linux server and notices an unusual systemd service that starts automatically. Which command would be used to disable this service?

Question 88 (medium, multi select)

An analyst is investigating a Windows system for signs of malware persistence. Which TWO registry locations are commonly used by malware to achieve automatic startup? (Choose two.)

Question 89 (hard, multi select)

An analyst is analyzing a Linux system that may have been compromised. Which THREE artifacts would provide evidence of attacker activity? (Choose three.)

Question 90 (medium, multi select)

During memory analysis using Volatility, an analyst wants to identify processes that may be hiding. Which TWO plugins are most useful for detecting hidden or injected code? (Choose two.)

Question 91 (easy, multiple choice)

An analyst examines a Windows endpoint and finds a suspicious executable in the Startup folder. Which registry key is commonly used for persistence via legitimate startup programs and is often abused by malware?

Question 92 (hard, multiple choice)

During incident response, a Linux server is found to have an unknown process listening on a high TCP port. The process is not listed in any systemd unit files. Which command will best help identify the process's parent and its command-line arguments?

Question 93 (medium, multi select)

A security analyst is investigating a Windows workstation that experienced a series of failed logon attempts followed by a successful logon. Which TWO Windows Event IDs should the analyst examine to understand this activity?

Question 94 (medium, multi select)

An analyst is reviewing a memory dump using Volatility. They want to identify processes with potential code injection. Which TWO Volatility plugins would be most appropriate for detecting injected code?

Question 95 (hard, multi select)

During a Linux forensic investigation, an analyst finds a suspicious process. The analyst wants to check for persistence mechanisms. Which THREE Linux artifacts should be examined?

Question 96 (easy, multi select)

A Windows analyst uses Process Explorer to investigate parent-child relationships. Which TWO characteristics are commonly associated with malicious processes?

Question 97 (medium, multi select)

An analyst is examining a suspicious executable file. The file has a .pdf extension but the magic bytes are 'MZ'. Which THREE indicators suggest the file is malicious?

Question 98 (medium, multi select)

During a Linux incident response, an analyst runs 'ps aux' and sees a process with a suspicious name. The analyst wants to gather more information. Which TWO commands can provide the process's network connections?

Question 99 (hard, multi select)

An analyst is investigating a Windows system using prefetch files. The analyst notices a prefetch file for a tool called 'procdump.exe' with a run count of 1 and the last run time corresponding to the time of the incident. Which THREE conclusions can be drawn?
