CCNA Windows Command Line Tools Questions

30 questions · Windows Command Line Tools topic · All types, answers revealed

1
MCQeasy

A user reports that their Windows 10 PC is running slowly and they suspect a background process is consuming too much memory. You need to identify the process and its memory usage without installing any additional tools. Which command-line tool should you use?

A.ipconfig
B.tasklist
C.chkdsk
D.sfc /scannow
AnswerB

tasklist lists all running processes and their memory usage, making it the correct tool for this scenario.

Why this answer

The tasklist command displays a list of running processes along with memory usage (in kilobytes) directly from the command prompt. It is a built-in Windows tool, so no extra software is needed. Other options either do not show process details or require additional tools.

2
MCQeasy

A user reports that a specific application crashes immediately on launch. You want to verify the integrity of the application's core files without reinstalling. Which command-line tool can you use to scan and repair system files that the application depends on?

A.sfc /scannow
B.chkdsk /f
C.tasklist
D.dism /online /cleanup-image /restorehealth
AnswerA

Correct. sfc scans and repairs corrupted system files that might cause application crashes.

Why this answer

The System File Checker (sfc /scannow) scans protected system files and replaces corrupted ones with cached copies. If the application relies on system files, sfc can fix the issue. DISM repairs the system image itself, chkdsk checks disk errors, and tasklist lists processes.

3
MCQmedium

A customer calls the help desk stating that their computer displays 'Bootmgr is missing' and will not start Windows. You suspect the Boot Configuration Data (BCD) is corrupted. Which command-line tool should you use from the Windows Recovery Environment to repair the BCD?

A.chkdsk /r
B.bootrec /rebuildbcd
C.sfc /scannow
D.diskpart
AnswerB

Rebuilds the BCD store, fixing the 'Bootmgr is missing' error.

Why this answer

The correct answer is `bootrec /rebuildbcd`, which scans for Windows installations and rebuilds the BCD store. This is a standard repair for boot manager issues. Other commands are for disk checking, system file repair, or partition management.

4
MCQhard

During a security audit, you need to identify all user accounts that have been created or modified in the last 24 hours on a Windows Server. Which command-line tool can parse security event logs to extract this information?

A.wevtutil qe Security /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
B.eventvwr
C.net user
D.diskpart
AnswerA

This command queries the Security log for events created in the last 24 hours (86400000 ms), enabling precise filtering for account changes.

Why this answer

The wevtutil command can query event logs using structured XML queries, allowing you to filter events by time and ID (e.g., 4720 for user creation). It is a powerful tool for log analysis. Other commands either display logs without filtering or manage disk partitions.

5
MCQmedium

During a security incident, you need to identify which processes are listening on specific network ports on a Windows server. Which command-line tool should you use?

A.nslookup
B.tracert
C.netstat -an
D.ipconfig /all
AnswerC

Correct. netstat -an displays all active connections and listening ports with numerical addresses, helping identify suspicious services.

Why this answer

The netstat command with the -a (all connections) and -n (numerical addresses) options shows all listening ports and their associated processes. This is essential for security analysis. Other tools like nslookup resolve DNS, tracert trace routes, and ipconfig show IP configuration.

6
MCQmedium

A customer complains that their Windows 11 laptop cannot connect to the internet, but other devices on the same network work fine. You suspect the IP configuration is incorrect. Which command will release and renew the IP address from the DHCP server?

A.ipconfig /flushdns
B.ipconfig /release then ipconfig /renew
C.ipconfig /all
D.ping 127.0.0.1
AnswerB

This sequence releases the current IP and obtains a new one from DHCP, directly addressing the connectivity issue.

Why this answer

The ipconfig /release command releases the current DHCP lease, and ipconfig /renew requests a new IP address from the DHCP server. This is the standard troubleshooting sequence for IP configuration issues. Other commands either display information or flush DNS, which does not address the IP lease issue.

7
MCQhard

A technician is troubleshooting a Windows 11 system that intermittently loses network connectivity. They need to continuously monitor the connection to a remote server and log the results to a text file for analysis. Which command should they use?

A.ping -n 100 > log.txt
B.ping -t > log.txt
C.tracert -d > log.txt
D.pathping > log.txt
AnswerB

This sends continuous pings until manually stopped, with output redirected to a log file for analysis.

Why this answer

The ping -t command sends continuous ICMP echo requests until stopped, and appending > log.txt redirects output to a file. This allows for long-term monitoring of connectivity. Other commands either perform a single test or trace the route.

8
MCQmedium

A security incident is suspected on a Windows 10 workstation. You need to list all active network connections and the associated processes to identify potential malicious activity. Which command provides this information?

A.netstat -a
B.netstat -b
C.tasklist /svc
D.ipconfig /displaydns
AnswerB

This shows active connections and the binary (process) that created them, directly linking network activity to processes.

Why this answer

The netstat -b command displays active connections along with the executable involved in creating each connection, making it ideal for identifying suspicious processes. Other options either show process information without network details or vice versa.

9
MCQeasy

After deploying a new application to 50 workstations, several users report that the application crashes on launch. You need to quickly check if the application's core DLL files are present and correctly registered on a remote computer. Which command should you use?

A.regsvr32 /s C:\App\core.dll
B.ipconfig /flushdns
C.chkdsk C:
D.tasklist /S remotePC
AnswerA

Registers the specified DLL silently, and if successful, confirms the DLL is present and registered.

Why this answer

The correct answer is `regsvr32` which is used to register or unregister DLL files. This command verifies that the necessary DLLs are properly registered, which is essential for application functionality. Incorrect answers involve network configuration, file system repair, or process listing.

10
MCQeasy

A technician needs to map a network drive to a shared folder on a file server for a user who frequently works remotely. The share path is \\Server\Data. Which command would you use to persistently map this drive as drive letter Z:?

A.net user Z: \\Server\Data /add
B.net use Z: \\Server\Data /persistent:yes
C.chkdsk Z: /f
D.ipconfig /renew
AnswerB

Correctly maps the drive persistently.

Why this answer

The correct answer is `net use Z: \\Server\Data /persistent:yes`. This command maps the network drive and makes it persistent so it reconnects at logon. Other commands deal with user accounts, disk repair, or network configuration.

11
MCQmedium

A user reports that their computer's hard drive is making clicking noises and they cannot access certain files. You want to check the disk for errors and attempt to repair any bad sectors. Which command should you run from an elevated command prompt?

A.chkdsk /f
B.chkdsk /r
C.sfc /scannow
D.diskpart
AnswerB

Scans for bad sectors and recovers readable data, appropriate for clicking drives.

Why this answer

The correct answer is `chkdsk /r`, which locates bad sectors and attempts to recover readable data. `/f` only fixes file system errors, while `/scan` and `/spotfix` are used in newer versions for online repair. The `/r` option implies `/f` and does a thorough check.

12
MCQmedium

A technician is troubleshooting a user's inability to access a specific website. The user can access other websites without issue. The technician wants to check the route packets take to the problematic server and identify where the connection fails. Which command should be used?

A.ping -t example.com
B.tracert example.com
C.nslookup example.com
D.netstat -an
AnswerB

Traces the route and displays each hop, ideal for identifying where connectivity fails.

Why this answer

The correct answer is `tracert`, which traces the route to a destination and shows each hop. This helps pinpoint where packets are being dropped. `ping` only tests reachability, `nslookup` resolves names, and `netstat` shows connections.

13
MCQhard

A security audit reveals that a Windows 10 workstation has an unauthorized local user account. You need to remove this account from the command line without using the GUI. Which command should you use?

A.net localgroup Administrators UnauthorizedUser /delete
B.net user UnauthorizedUser /delete
C.wmic useraccount where name='UnauthorizedUser' delete
D.gpresult /r
AnswerB

Correct. net user /delete removes the specified user account from the system.

Why this answer

The net user command with the /delete switch removes a local user account. For example, 'net user UnauthorizedUser /delete' deletes the account. Other commands like net localgroup manage groups, wmic useraccount can also delete but net user is the standard CLI tool. gpresult shows group policy results.

14
MCQhard

A user reports that their Windows 10 computer is infected with ransomware that has encrypted their files. The technician boots into the Windows Recovery Environment and wants to restore the system to a previous restore point. Which command should be used?

A.rstrui.exe
B.vssadmin list shadows
C.wbadmin start recovery
D.bootrec /fixboot
AnswerA

Launches the System Restore utility, allowing restoration to a previous point.

Why this answer

The correct answer is `rstrui.exe`, which launches the System Restore wizard. This can revert system files and settings to a previous state. `vssadmin` manages shadow copies but does not directly restore, `wbadmin` is for backup and restore, and `bootrec` repairs boot issues.

15
MCQeasy

A customer complains that their Windows 10 laptop frequently loses network connectivity. You suspect the IP address configuration is incorrect. Which command should you use to release the current IP address and request a new one from the DHCP server?

A.ping 8.8.8.8
B.ipconfig /release
C.nslookup google.com
D.netstat -a
AnswerB

Correct. ipconfig /release releases the current IP lease, and then ipconfig /renew obtains a new one from DHCP.

Why this answer

The ipconfig /release command releases the current DHCP lease, and ipconfig /renew requests a new IP address from the DHCP server. This is the standard method to refresh IP configuration. Other commands like ping test connectivity, nslookup queries DNS, and netstat shows network connections.

16
MCQmedium

During a security audit, you discover that a user's workstation has an unauthorized application running. You need to terminate the process immediately from the command line. The process name is 'malware.exe'. Which command should you use?

A.tasklist /FI "IMAGENAME eq malware.exe"
B.taskkill /IM malware.exe /F
C.net stop malware
D.shutdown /r /t 0
AnswerB

Forcefully terminates the specified process.

Why this answer

The correct answer is `taskkill /IM malware.exe /F`. This forcefully terminates the process by image name. `tasklist` only lists processes, `net stop` stops services (not processes), and `shutdown` restarts the computer.

17
MCQhard

A user reports that they cannot access a shared folder on a file server. You suspect the network path is incorrect or the share is unavailable. Which command can you use to test connectivity to the server and the share simultaneously?

A.ping \\ServerName
B.net view \\ServerName
C.net use Z: \\ServerName\Share
D.tracert \\ServerName
AnswerB

This command lists all shared resources on the server, confirming both connectivity and share availability.

Why this answer

The net view command lists available shared resources on a specified server, allowing you to verify both network connectivity and share availability. It is a quick diagnostic tool for shared folder issues. Other commands either test basic connectivity or map drives but do not list shares.

18
MCQeasy

During a software deployment, you need to copy a configuration file from a network share to multiple workstations. The command must run silently and overwrite existing files. Which command should you use?

A.copy /y
B.xcopy /y
C.move /y
D.robocopy /mir
AnswerB

xcopy /y copies files and directories, suppressing confirmation prompts to overwrite, ideal for silent deployment.

Why this answer

The xcopy command with the /y switch suppresses the prompt to confirm overwriting, and /s copies directories and subdirectories (if needed). It is designed for file copying with advanced options like silent overwrite. Other commands either do not copy files or lack the silent overwrite feature.

19
MCQhard

A technician needs to configure a Windows 10 computer to use a static IP address of 192.168.1.100 with subnet mask 255.255.255.0 and default gateway 192.168.1.1. Which command-line tool and syntax should be used?

A.netsh interface ip set address "Local Area Connection" static 192.168.1.100 255.255.255.0 192.168.1.1 1
B.ipconfig /setaddress 192.168.1.100
C.netstat -r
D.ping 192.168.1.1
AnswerA

Correctly sets a static IP with subnet mask and gateway.

Why this answer

The correct answer is `netsh interface ip set address "Local Area Connection" static 192.168.1.100 255.255.255.0 192.168.1.1 1`. This sets a static IP with the specified parameters. `ipconfig` is used for display, `netstat` for connections, and `ping` for testing.

20
MCQmedium

After deploying a group policy update, several users report that their mapped network drives are missing. You need to force an immediate refresh of group policy settings on a remote workstation without rebooting. Which command should you run?

A.net use
B.gpresult
C.gpupdate /force
D.nslookup
AnswerC

This command forces an immediate policy refresh, applying the new drive mappings without reboot.

Why this answer

The gpupdate /force command forces an immediate refresh of all group policy settings, including drive maps, without requiring a reboot. It is the standard tool for applying policy changes on Windows. Other commands either manage user accounts or network configurations.

21
MCQmedium

A user reports that their Windows 10 PC is infected with malware that prevents the Task Manager from opening. You need to terminate a suspicious process from the command line. Which command should you use to forcefully end a process by its name?

A.tasklist /v
B.taskkill /IM malware.exe /F
C.shutdown /r /t 0
D.regedit /e backup.reg
AnswerB

Correct. taskkill /IM terminates the process by image name, and /F forces it to stop.

Why this answer

The taskkill command can terminate processes by name or PID. The /F flag forces termination, which is necessary for stubborn malware. Other commands like tasklist list processes, shutdown reboots the system, and regedit edits the registry.

22
MCQmedium

A technician is troubleshooting a Windows 10 system that fails to boot with a 'Bootmgr is missing' error. They need to repair the boot configuration data (BCD) from the Windows Recovery Environment. Which command should they use?

A.bootrec /fixmbr
B.bootrec /fixboot
C.bootrec /rebuildbcd
D.sfc /scannow
AnswerC

This command rebuilds the BCD store, directly fixing the 'Bootmgr is missing' error.

Why this answer

The bootrec /rebuildbcd command scans all drives for Windows installations and rebuilds the Boot Configuration Data store. This is the standard recovery command for missing or corrupt BCD. Other commands either fix the master boot record or system files, not the BCD specifically.

23
MCQhard

After a failed Windows Update, a Windows 10 system repeatedly attempts to install the update and fails. You need to stop the Windows Update service and delete the temporary update files from the command line. Which two commands, in order, should you use? (Select the first command from the options.)

A.net stop wuauserv
B.sfc /scannow
C.dism /online /cleanup-image /restorehealth
D.taskkill /IM svchost.exe /F
AnswerA

Correct. net stop wuauserv stops the Windows Update service, allowing deletion of its temporary files.

Why this answer

First, you must stop the Windows Update service using net stop wuauserv. Then, delete the contents of the SoftwareDistribution folder (e.g., del /f /s /q C:\Windows\SoftwareDistribution\*). Other commands like sfc repair system files, dism repair the image, and taskkill terminate processes but are not the correct sequence.

24
MCQeasy

After installing a new application, a user's Windows 10 system fails to boot and displays a 'Bootmgr is missing' error. Which command-line tool should you use from the Windows Recovery Environment to repair the boot configuration?

A.diskpart
B.bootrec
C.sfc /scannow
D.chkdsk /f
AnswerB

Correct. bootrec with /fixboot or /rebuildbcd repairs the boot configuration data (BCD) and fixes boot manager issues.

Why this answer

The bootrec tool is specifically designed to repair boot-related issues like a missing or corrupted Boot Manager. The /fixboot and /rebuildbcd options can resolve the 'Bootmgr is missing' error. Other tools like diskpart manage disks, sfc repairs system files, and chkdsk checks disk integrity.

25
MCQmedium

A technician is troubleshooting a DNS resolution issue on a Windows 10 workstation. The user can ping an IP address but not a domain name. Which command should be used to clear the local DNS cache?

A.nslookup example.com
B.ipconfig /flushdns
C.netstat -r
D.ping -a 192.168.1.1
AnswerB

Correct. ipconfig /flushdns clears the DNS resolver cache, forcing the system to query DNS servers fresh.

Why this answer

The ipconfig /flushdns command clears the DNS resolver cache, which can resolve issues caused by stale or corrupted entries. Other commands like nslookup query DNS servers, netstat show connections, and ping test connectivity but do not clear the cache.

26
MCQhard

A technician needs to deploy a software update to 100 computers in a domain. The update requires administrative privileges. The technician wants to run the installer silently without user interaction. Which command-line syntax should be used?

A.msiexec /i update.msi /passive
B.msiexec /i update.msi /quiet /norestart
C.msiexec /i update.msi /qb
D.msiexec /i update.msi /l* log.txt
AnswerB

Installs silently and prevents automatic restart.

Why this answer

The correct answer is `msiexec /i update.msi /quiet /norestart`. This installs the MSI silently without prompting the user. `/passive` shows a progress bar, `/qb` shows a basic UI, and `/l*` creates a log file but does not suppress UI.

27
MCQeasy

A user reports that their Windows 10 PC is running slowly and they suspect a background process is consuming excessive memory. Which command-line tool should you use to identify the process by name and memory usage?

A.tasklist
B.ipconfig
C.chkdsk
D.sfc
AnswerA

Correct. tasklist lists all running processes with memory usage, allowing you to identify the culprit.

Why this answer

The tasklist command displays a list of running processes along with their PID, session name, and memory usage. This makes it the correct tool for identifying a memory-hungry process by name. Other options either do not show memory details or are used for different purposes like network configuration or disk management.

28
MCQeasy

A user reports that their Windows 10 PC is running very slowly, and they suspect a background process is consuming too much memory. Which command-line tool would you use from an elevated command prompt to identify the process with the highest memory usage?

A.tasklist /FI "MEMUSAGE gt 100000"
B.ipconfig /all
C.chkdsk /f
D.sfc /scannow
AnswerA

This command filters the task list to show only processes using more than 100,000 KB of memory, directly identifying high-memory processes.

Why this answer

The correct answer is tasklist, which displays a list of running processes along with memory usage. You can sort the output by memory to quickly find the culprit. This is a fundamental command for identifying resource-hungry processes.

29
MCQmedium

A technician needs to deploy a custom script to 50 Windows 10 workstations during an automated software installation. The script must run with administrative privileges. Which command-line tool should be used to execute the script with elevated rights from a batch file?

A.msiexec /i package.msi
B.wmic os get name
C.runas /user:Administrator script.bat
D.schtasks /create
AnswerC

Correct. runas executes the script under the Administrator account, ensuring necessary permissions.

Why this answer

The runas command allows executing a program with different credentials, typically an administrator account. In deployment scripts, runas /user:Administrator ensures the script runs with elevated privileges. Other options like msiexec install MSI packages, wmic queries WMI, and schtasks schedules tasks.

30
MCQmedium

You are deploying a new application to multiple Windows 10 workstations using a script. The application requires administrator privileges, and you need to run the command with elevated rights from within the script. Which command should precede your installation command?

A.runas /user:Administrator
B.net user
C.cd
D.whoami
AnswerA

This command runs the subsequent program with administrator privileges, as required for the installation.

Why this answer

The runas command allows you to run a program with different credentials, such as an administrator account, from the command line. It is the standard way to elevate privileges in a script. Other commands either manage user accounts or change directories.

Ready to test yourself?

Try a timed practice session using only Windows Command Line Tools questions.