CCNA Windows Command-Line Tools Questions

30 questions · Windows Command-Line Tools · All types, answers revealed

1
MCQeasy

A user reports that their Windows 10 PC is running slowly and they suspect a background process is consuming too much memory. You need to identify the process and its memory usage without installing any additional tools. Which command-line tool should you use?

A.ipconfig
B.tasklist
C.chkdsk
D.sfc /scannow
AnswerB

tasklist lists all running processes and their memory usage, making it the correct tool for this scenario.

Why this answer

B is correct because the `tasklist` command displays a list of all currently running processes on a Windows system, including their memory usage (in kilobytes) under the 'Mem Usage' column. This built-in command-line tool allows you to identify which process is consuming excessive memory without installing any third-party software, directly addressing the user's need to diagnose a slow PC.

Exam trap

The trap here is that candidates may confuse `tasklist` with `ipconfig` or `sfc` because they are all common Windows command-line tools, but only `tasklist` is designed to display process information and memory usage.

How to eliminate wrong answers

Option A is wrong because `ipconfig` is used to display network configuration details (e.g., IP address, subnet mask, default gateway) and has no capability to list running processes or their memory usage. Option C is wrong because `chkdsk` checks the file system and disk for errors and bad sectors, but it does not provide any information about running processes or memory consumption. Option D is wrong because `sfc /scannow` scans and repairs protected system files, but it does not list processes or report memory usage.

2
MCQeasy

A user reports that a specific application crashes immediately on launch. You want to verify the integrity of the application's core files without reinstalling. Which command-line tool can you use to scan and repair system files that the application depends on?

A.sfc /scannow
B.chkdsk /f
C.tasklist
D.dism /online /cleanup-image /restorehealth
AnswerA

Correct. sfc scans and repairs corrupted system files that might cause application crashes.

Why this answer

The `sfc /scannow` (System File Checker) command scans all protected system files and replaces corrupted versions with a cached copy located in the `%WinDir%\System32\dllcache` directory. Since the application crashes on launch, it likely depends on core Windows system files (e.g., DLLs, executables) that may be corrupted or missing. Running `sfc /scannow` verifies and repairs these system files without reinstalling the application itself, directly addressing the integrity of the dependencies.

Exam trap

The trap here is that candidates often confuse `dism` with `sfc` because both repair system files, but `dism` repairs the component store (the source for SFC) rather than the installed system files themselves, making `sfc /scannow` the correct first-line tool for verifying and repairing application-dependent system files.

How to eliminate wrong answers

Option B is wrong because `chkdsk /f` checks the file system for logical and physical errors on a disk volume (e.g., bad sectors, cross-linked files) and does not scan or repair the content of system files that an application depends on. Option C is wrong because `tasklist` only displays a list of currently running processes and their associated details (PID, session name, memory usage); it cannot scan or repair any files. Option D is wrong because `dism /online /cleanup-image /restorehealth` repairs the Windows system image (the source files used by SFC) and is typically used when SFC itself fails due to a corrupted component store, but it does not directly scan and repair the application's dependent system files in the same targeted manner as SFC.

3
MCQmedium

A customer calls the help desk stating that their computer displays 'Bootmgr is missing' and will not start Windows. You suspect the Boot Configuration Data (BCD) is corrupted. Which command-line tool should you use from the Windows Recovery Environment to repair the BCD?

A.chkdsk /r
B.bootrec /rebuildbcd
C.sfc /scannow
D.diskpart
AnswerB

Rebuilds the BCD store, fixing the 'Bootmgr is missing' error.

Why this answer

The correct answer is `bootrec /rebuildbcd`, which scans for Windows installations and rebuilds the BCD store. This is a standard repair for boot manager issues. Other commands are for disk checking, system file repair, or partition management.

4
MCQhard

During a security audit, you need to identify all user accounts that have been created or modified in the last 24 hours on a Windows Server. Which command-line tool can parse security event logs to extract this information?

A.wevtutil qe Security /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
B.eventvwr
C.net user
D.diskpart
AnswerA

This command queries the Security log for events created in the last 24 hours (86400000 ms), enabling precise filtering for account changes.

Why this answer

The wevtutil command with the 'qe' (query-events) parameter and an XPath filter can directly query the Security event log for events created within a specific time window. The filter '*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]' retrieves events whose creation time is within the last 86,400,000 milliseconds (24 hours), allowing you to identify user accounts created or modified via event IDs such as 4720 (user created) or 4738 (user changed).

Exam trap

CompTIA exams often test the distinction between graphical tools (eventvwr) and command-line tools (wevtutil), and candidates may confuse 'net user' as a log-parsing tool when it only shows current account state, not historical changes.

How to eliminate wrong answers

Option B (eventvwr) is wrong because it is a graphical Event Viewer tool, not a command-line tool, and cannot be used in scripts or automated audits without additional interaction. Option C (net user) is wrong because it only displays current user account properties or modifies accounts, but it cannot parse historical security event logs to show accounts created or modified in the last 24 hours. Option D (diskpart) is wrong because it is a disk partitioning utility and has no capability to query event logs or user account information.

5
MCQmedium

During a security incident, you need to identify which processes are listening on specific network ports on a Windows server. Which command-line tool should you use?

A.nslookup
B.tracert
C.netstat -an
D.ipconfig /all
AnswerC

Correct. netstat -an displays all active connections and listening ports with numerical addresses, helping identify suspicious services.

Why this answer

The `netstat -an` command displays all active TCP connections and the TCP/UDP ports on which the computer is listening, with numerical addresses and port numbers. This makes it the correct tool to identify which processes are listening on specific network ports during a security incident on a Windows server.

Exam trap

CompTIA often tests the distinction between commands that show network configuration (ipconfig) versus those that show active connections and listening ports (netstat), leading candidates to confuse ipconfig /all as a tool for port enumeration.

How to eliminate wrong answers

Option A is wrong because `nslookup` is a DNS query tool used to resolve domain names to IP addresses, not to display listening ports or network connections. Option B is wrong because `tracert` (trace route) is used to determine the path packets take to a destination, showing hop-by-hop latency, not local port listening states. Option D is wrong because `ipconfig /all` displays detailed TCP/IP configuration for all network adapters, such as IP addresses, subnet masks, and DNS servers, but does not show listening ports or active connections.

6
MCQmedium

A customer complains that their Windows 11 laptop cannot connect to the internet, but other devices on the same network work fine. You suspect the IP configuration is incorrect. Which command will release and renew the IP address from the DHCP server?

A.ipconfig /flushdns
B.ipconfig /release then ipconfig /renew
C.ipconfig /all
D.ping 127.0.0.1
AnswerB

This sequence releases the current IP and obtains a new one from DHCP, directly addressing the connectivity issue.

Why this answer

The `ipconfig /release` command releases the current DHCP lease, setting the IP address to 0.0.0.0, and `ipconfig /renew` sends a DHCPDISCOVER broadcast to obtain a new IP configuration from the DHCP server. This is the correct sequence to resolve an incorrect IP configuration that prevents a Windows 11 client from connecting to the internet while other devices work fine.

Exam trap

The exam often tests the exact two-step sequence of `ipconfig /release` then `ipconfig /renew` as a required troubleshooting procedure, and the trap is that candidates may think a single command like `ipconfig /renew` alone is sufficient, or confuse it with other `ipconfig` subcommands like `/flushdns` or `/all`.

How to eliminate wrong answers

Option A is wrong because `ipconfig /flushdns` clears the DNS resolver cache, which resolves hostname-to-IP resolution issues, not IP address configuration problems. Option C is wrong because `ipconfig /all` displays current IP configuration details but does not change or renew the IP address. Option D is wrong because `ping 127.0.0.1` tests the local TCP/IP stack loopback interface and verifies that the protocol is installed, but it does not release or renew the IP address from DHCP.

7
MCQhard

A technician is troubleshooting a Windows 11 system that intermittently loses network connectivity. They need to continuously monitor the connection to a remote server and log the results to a text file for analysis. Which command should they use?

A.ping -n 100 > log.txt
B.ping -t > log.txt
C.tracert -d > log.txt
D.pathping > log.txt
AnswerB

This sends continuous pings until manually stopped, with output redirected to a log file for analysis.

Why this answer

Option B is correct because the `ping -t` command continuously sends ICMP Echo Request packets to the remote server until manually stopped, which allows the technician to monitor intermittent connectivity issues over an extended period. The `> log.txt` redirection operator captures all output (timestamps and replies) into a text file for later analysis, making it ideal for troubleshooting sporadic network drops.

Exam trap

A common mistake is thinking that `ping -n 100` or `pathping` provides continuous monitoring, but only `ping -t` (with redirection) allows indefinite logging for intermittent issues.

How to eliminate wrong answers

Option A is wrong because `ping -n 100` sends only 100 ICMP Echo Requests and then stops, which is insufficient for monitoring intermittent connectivity that may occur over hours or days. Option C is wrong because `tracert -d` performs a single route trace to the destination without continuous monitoring, and the `-d` flag only disables DNS resolution, not enabling persistence. Option D is wrong because `pathping` combines ping and traceroute but runs a fixed sequence of probes (default 100 hops and 300 seconds) and then exits, providing a one-time latency and loss report rather than continuous logging.

8
MCQmedium

A security incident is suspected on a Windows 10 workstation. You need to list all active network connections and the associated processes to identify potential malicious activity. Which command provides this information?

A.netstat -a
B.netstat -b
C.tasklist /svc
D.ipconfig /displaydns
AnswerB

This shows active connections and the binary (process) that created them, directly linking network activity to processes.

Why this answer

The `netstat -b` command displays all active TCP/UDP network connections along with the executable (process) name that created each connection. This is essential for identifying which process is communicating over the network, enabling you to spot suspicious activity like malware beaconing outbound.

Exam trap

CompTIA often tests the distinction between `netstat -a` (shows connections only) and `netstat -b` (shows connections with process names), expecting candidates to remember that `-b` requires administrative privileges and is the only option that links network activity to a specific executable.

How to eliminate wrong answers

Option A is wrong because `netstat -a` shows all active connections and listening ports but does not include the associated process name, so you cannot link a connection to a specific executable. Option C is wrong because `tasklist /svc` lists running processes and their associated services, but it does not display network connections or ports. Option D is wrong because `ipconfig /displaydns` shows the contents of the DNS resolver cache, which lists domain names and their resolved IP addresses, not active network connections or processes.

9
MCQeasy

After deploying a new application to 50 workstations, several users report that the application crashes on launch. You need to quickly check if the application's core DLL files are present and correctly registered on a remote computer. Which command should you use?

A.regsvr32 /s C:\App\core.dll
B.ipconfig /flushdns
C.chkdsk C:
D.tasklist /S remotePC
AnswerD

Tasklist with the /S switch allows querying processes on a remote computer; if the application is running, it implies its DLLs are correctly present and registered.

Why this answer

To check if the application's core DLL files are present and correctly registered on a remote computer, you can use `tasklist /S remotePC` to list running processes on that remote machine. If the application process appears, it indicates that its core DLLs are loaded and properly registered. The other options either run locally (regsvr32) or perform unrelated tasks (ipconfig, chkdsk).

10
MCQeasy

A technician needs to map a network drive to a shared folder on a file server for a user who frequently works remotely. The share path is \\Server\Data. Which command would you use to persistently map this drive as drive letter Z:?

A.net user Z: \\Server\Data /add
B.net use Z: \\Server\Data /persistent:yes
C.chkdsk Z: /f
D.ipconfig /renew
AnswerB

Correctly maps the drive persistently.

Why this answer

Option B is correct because the `net use` command is used to map a network share to a drive letter, and the `/persistent:yes` switch ensures the mapping is reconnected automatically after a reboot or network interruption, which is essential for a user who works remotely. The syntax `net use Z: \\Server\Data /persistent:yes` correctly specifies the drive letter, UNC path, and persistence flag.

Exam trap

The trap here is confusing `net use` with `net user` — candidates often misremember the command name or think `/add` applies to drive mappings, when in fact `net user` is strictly for account management.

How to eliminate wrong answers

Option A is wrong because `net user` is used to manage local user accounts, not to map network drives; the `/add` switch adds a user account, making this command entirely unrelated to drive mapping. Option C is wrong because `chkdsk` checks the file system integrity of a volume and cannot map a network share; the `/f` flag fixes errors on a local disk, not a remote path. Option D is wrong because `ipconfig /renew` renews the DHCP lease for a network adapter, which does not map a drive or create a persistent connection to a shared folder.

11
MCQmedium

A user reports that their computer's hard drive is making clicking noises and they cannot access certain files. You want to check the disk for errors and attempt to repair any bad sectors. Which command should you run from an elevated command prompt?

A.chkdsk /f
B.chkdsk /r
C.sfc /scannow
D.diskpart
AnswerB

Scans for bad sectors and recovers readable data, appropriate for clicking drives.

Why this answer

The correct command is `chkdsk /r` because it locates bad sectors on the hard drive and recovers readable information from them. The `/r` switch implies `/f` (which fixes file system errors) and additionally performs a surface scan to identify and mark bad sectors, directly addressing the clicking noise and file access issue.

Exam trap

The trap here is that candidates confuse `/f` (file system repair) with `/r` (bad sector recovery), assuming that fixing file system errors also addresses physical disk damage, but `/r` is the only switch that performs a surface scan for bad sectors.

How to eliminate wrong answers

Option A is wrong because `chkdsk /f` only fixes file system errors (e.g., in the MFT or directory structure) without scanning for or repairing bad sectors on the disk surface; it does not address physical media damage indicated by clicking noises. Option C is wrong because `sfc /scannow` (System File Checker) verifies and repairs protected system files, such as Windows DLLs and executables, not the hard drive's physical sectors or file system integrity. Option D is wrong because `diskpart` is a disk partitioning tool used to manage volumes and partitions (create, delete, extend) and has no capability to check for errors or repair bad sectors.

12
MCQmedium

A technician is troubleshooting a user's inability to access a specific website. The user can access other websites without issue. The technician wants to check the route packets take to the problematic server and identify where the connection fails. Which command should be used?

A.ping -t example.com
B.tracert example.com
C.nslookup example.com
D.netstat -an
AnswerB

Traces the route and displays each hop, ideal for identifying where connectivity fails.

Why this answer

The `tracert` command (short for 'trace route') is the correct tool because it sends ICMP Echo Request packets with incrementally increasing TTL (Time to Live) values, causing each router along the path to reply with an ICMP Time Exceeded message. This reveals the exact hop-by-hop path to the destination and pinpoints where the connection fails, which is precisely what the technician needs to diagnose a site-specific outage.

Exam trap

CompTIA A+ often tests the distinction between connectivity testing (`ping`) and path discovery (`tracert`), trapping candidates who think `ping -t` is sufficient for route analysis, when it only verifies end-to-end reachability without hop-by-hop detail.

How to eliminate wrong answers

Option A is wrong because `ping -t` continuously sends ICMP Echo Requests to the target; it only confirms reachability or loss, but does not show the route or identify which hop is failing. Option C is wrong because `nslookup` is a DNS query tool that resolves a domain name to an IP address; it does not test network path or routing. Option D is wrong because `netstat -an` displays active network connections, listening ports, and protocol statistics on the local machine; it provides no information about the path packets take to a remote server.

13
MCQhard

A security audit reveals that a Windows 10 workstation has an unauthorized local user account. You need to remove this account from the command line without using the GUI. Which command should you use?

A.net localgroup Administrators UnauthorizedUser /delete
B.net user UnauthorizedUser /delete
C.wmic useraccount where name='UnauthorizedUser' delete
D.gpresult /r
AnswerB

Correct. net user /delete removes the specified user account from the system.

Why this answer

The `net user UnauthorizedUser /delete` command correctly removes a local user account from the command line. The `net user` command is designed to manage local user accounts, and the `/delete` switch removes the specified account from the local Security Accounts Manager (SAM) database. This is the standard Windows CLI tool for deleting a local user without using the GUI.

Exam trap

CompTIA often tests the distinction between deleting a user account (`net user /delete`) and removing a user from a group (`net localgroup /delete`), trapping candidates who confuse group membership removal with account deletion.

How to eliminate wrong answers

Option A is wrong because `net localgroup Administrators UnauthorizedUser /delete` removes the user from the Administrators group, not the user account itself; the account remains on the system. Option C is wrong because `wmic useraccount where name='UnauthorizedUser' delete` is a valid command for deleting a user account via WMI, but the question specifically asks for a command that removes the account, and `net user /delete` is the more direct and commonly tested CLI method; however, the primary reason it is not the best answer is that the exam expects `net user` for this task, and `wmic` is deprecated in newer Windows versions. Option D is wrong because `gpresult /r` displays Resultant Set of Policy (RSoP) data for Group Policy, not user account management.

14
MCQhard

A user reports that their Windows 10 computer is infected with ransomware that has encrypted their files. The technician boots into the Windows Recovery Environment and wants to restore the system to a previous restore point. Which command should be used?

A.rstrui.exe
B.vssadmin list shadows
C.wbadmin start recovery
D.bootrec /fixboot
AnswerA

Launches the System Restore utility, allowing restoration to a previous point.

Why this answer

The correct command is `rstrui.exe`, which launches the System Restore utility. In the Windows Recovery Environment (WinRE), this command allows you to revert the system to a previous restore point, effectively undoing the ransomware encryption if a restore point was created before the infection. This is the standard tool for restoring system files and settings without affecting personal files, assuming the restore point predates the attack.

Exam trap

The trap here is that candidates confuse `vssadmin list shadows` (a query command) with an actual restoration command, or they mistakenly think `wbadmin start recovery` is for System Restore points when it is specifically for full server backups.

How to eliminate wrong answers

Option B is wrong because `vssadmin list shadows` only lists existing Volume Shadow Copies (snapshots) but does not perform a restoration; it is a query command, not a recovery action. Option C is wrong because `wbadmin start recovery` is used for restoring from a Windows Server Backup, not for System Restore points, and requires a preconfigured backup set, which is not the scenario here. Option D is wrong because `bootrec /fixboot` repairs the boot sector or boot configuration data (BCD) and has no ability to restore system files or revert to a restore point; it addresses boot failures, not ransomware file encryption.

15
MCQeasy

A customer complains that their Windows 10 laptop frequently loses network connectivity. You suspect the IP address configuration is incorrect. Which command should you use to release the current IP address and request a new one from the DHCP server?

A.ping 8.8.8.8
B.ipconfig /release
C.nslookup google.com
D.netstat -a
AnswerB

Correct. ipconfig /release releases the current IP lease, and then ipconfig /renew obtains a new one from DHCP.

Why this answer

Option B is correct because the `ipconfig /release` command sends a DHCPRELEASE message to the DHCP server, discarding the current IP address lease. This is followed by `ipconfig /renew` to request a new IP address from the DHCP server, which resolves connectivity issues caused by an incorrect or stale IP configuration.

Exam trap

The trap here is that candidates confuse `ipconfig /release` with `ipconfig /flushdns` or think `ping` can reset network settings, but the question specifically requires a command that releases the current IP address, which only `ipconfig /release` does.

How to eliminate wrong answers

Option A is wrong because `ping 8.8.8.8` tests network connectivity to a remote host but does not release or renew the IP address; it only verifies if the current configuration can reach the internet. Option C is wrong because `nslookup google.com` performs DNS resolution to translate a domain name to an IP address, but it has no effect on the local IP address lease or DHCP process. Option D is wrong because `netstat -a` displays active network connections and listening ports, but it does not interact with DHCP or modify the IP address configuration.

16
MCQmedium

During a security audit, you discover that a user's workstation has an unauthorized application running. You need to terminate the process immediately from the command line. The process name is 'malware.exe'. Which command should you use?

A.tasklist /FI "IMAGENAME eq malware.exe"
B.taskkill /IM malware.exe /F
C.net stop malware
D.shutdown /r /t 0
AnswerB

Forcefully terminates the specified process.

Why this answer

Option B is correct because the `taskkill` command with the `/IM` (image name) and `/F` (force) flags is the standard Windows CLI method to forcibly terminate a process by its executable name. This directly stops 'malware.exe' without requiring the process ID, making it the appropriate tool for immediate termination during a security incident.

Exam trap

The trap here is that candidates confuse `tasklist` (a listing tool) with `taskkill` (a termination tool), or assume `net stop` can stop any running program, when in fact it only applies to Windows services.

How to eliminate wrong answers

Option A is wrong because `tasklist` only lists running processes and does not terminate them; it is a diagnostic tool, not a termination command. Option C is wrong because `net stop` is used to stop Windows services, not user-mode processes like 'malware.exe'; it would fail unless the malware is registered as a service. Option D is wrong because `shutdown /r /t 0` restarts the entire system, which is an overly disruptive action that does not specifically target the unauthorized process and may allow the malware to persist or re-launch on reboot.

17
MCQhard

A user reports that they cannot access a shared folder on a file server. You suspect the network path is incorrect or the share is unavailable. Which command can you use to test connectivity to the server and the share simultaneously?

A.ping \\ServerName
B.net view \\ServerName
C.net use Z: \\ServerName\Share
D.tracert \\ServerName
AnswerB

This command lists all shared resources on the server, confirming both connectivity and share availability.

Why this answer

The `net view \\ServerName` command lists all shared resources on the specified server, confirming both network connectivity to the server and the availability of shares. If the server is unreachable or has no shares, the command will fail, directly testing the user's reported issue.

Exam trap

The trap here is that candidates often choose `ping` (Option A) because it is the most common connectivity test, but it does not verify SMB share availability or the correct network path to the share.

How to eliminate wrong answers

Option A is wrong because `ping` tests only ICMP-based network layer connectivity to the server's IP address, not the availability of the SMB share or the correct network path. Option C is wrong because `net use` attempts to map a drive to a specific share, which will fail if the share name is incorrect or the server is unreachable, but it does not simultaneously test connectivity to the server and list available shares. Option D is wrong because `tracert` traces the route to the server's IP address, verifying network path hops but not the SMB share availability or the server's NetBIOS name resolution.

18
MCQeasy

During a software deployment, you need to copy a configuration file from a network share to multiple workstations. The command must run silently and overwrite existing files. Which command should you use?

A.copy /y
B.xcopy /y
C.move /y
D.robocopy /mir
AnswerB

xcopy /y copies files and directories, suppressing confirmation prompts to overwrite, ideal for silent deployment.

Why this answer

The xcopy command with the /y switch suppresses the prompt to confirm overwriting, and /s copies directories and subdirectories (if needed). It is designed for file copying with advanced options like silent overwrite. Other commands either do not copy files or lack the silent overwrite feature.

19
MCQhard

A technician needs to configure a Windows 10 computer to use a static IP address of 192.168.1.100 with subnet mask 255.255.255.0 and default gateway 192.168.1.1. Which command-line tool and syntax should be used?

A.netsh interface ip set address "Local Area Connection" static 192.168.1.100 255.255.255.0 192.168.1.1 1
B.ipconfig /setaddress 192.168.1.100
C.netstat -r
D.ping 192.168.1.1
AnswerA

Correctly sets a static IP with subnet mask and gateway.

Why this answer

Option A is correct because the `netsh interface ip set address` command is the proper Windows command-line tool to configure a static IP address, subnet mask, and default gateway. The syntax `"Local Area Connection" static 192.168.1.100 255.255.255.0 192.168.1.1 1` specifies the interface name, the static keyword, the IP address, the subnet mask, the default gateway, and the metric (1), which matches the required configuration.

Exam trap

The trap here is that candidates may confuse `ipconfig` (a display-only tool) with a configuration tool, or assume `netstat` or `ping` can set IP addresses, when only `netsh` provides the correct static IP assignment syntax.

How to eliminate wrong answers

Option B is wrong because `ipconfig` is used to display IP configuration, not to set it; there is no `/setaddress` parameter in `ipconfig`. Option C is wrong because `netstat -r` displays the routing table, not configures IP settings. Option D is wrong because `ping 192.168.1.1` tests connectivity to the gateway but does not configure the IP address.

20
MCQmedium

After deploying a group policy update, several users report that their mapped network drives are missing. You need to force an immediate refresh of group policy settings on a remote workstation without rebooting. Which command should you run?

A.net use
B.gpresult
C.gpupdate /force
D.nslookup
AnswerC

This command forces an immediate policy refresh, applying the new drive mappings without reboot.

Why this answer

The `gpupdate /force` command is correct because it forces an immediate background refresh of all Group Policy settings, including drive maps, on a remote workstation without requiring a reboot. The `/force` switch re-applies all policies, even if they have not changed, which is necessary when users report missing mapped drives after a policy update.

Exam trap

The trap here is that candidates confuse `gpupdate` with `gpresult`, thinking that viewing policy results will also apply the changes, but `gpresult` only displays the current applied policy state without initiating a refresh.

How to eliminate wrong answers

Option A is wrong because `net use` is used to manually connect or disconnect network shares, not to refresh Group Policy settings. Option B is wrong because `gpresult` displays the Resultant Set of Policy (RSoP) for a user or computer, but it does not apply or refresh policies. Option D is wrong because `nslookup` is a DNS query tool used to resolve hostnames to IP addresses, and it has no role in Group Policy processing.

21
MCQmedium

A user reports that their Windows 10 PC is infected with malware that prevents the Task Manager from opening. You need to terminate a suspicious process from the command line. Which command should you use to forcefully end a process by its name?

A.tasklist /v
B.taskkill /IM malware.exe /F
C.shutdown /r /t 0
D.regedit /e backup.reg
AnswerB

Correct. taskkill /IM terminates the process by image name, and /F forces it to stop.

Why this answer

Option B is correct because the `taskkill` command with the `/IM` (image name) parameter targets a process by its executable name, and the `/F` flag forcefully terminates it. This is the appropriate tool when Task Manager is disabled by malware, as it directly ends the process from the command line without relying on GUI interaction.

Exam trap

The trap here is that candidates may confuse `tasklist` (which only lists processes) with `taskkill` (which terminates them), or mistakenly think `shutdown` or `regedit` can end a single process, leading them to choose a non-terminating command.

How to eliminate wrong answers

Option A is wrong because `tasklist /v` only lists running processes with verbose details (e.g., session name, status) but does not terminate any process. Option C is wrong because `shutdown /r /t 0` initiates an immediate system restart, which does not terminate a specific process; it shuts down the entire OS. Option D is wrong because `regedit /e backup.reg` exports the entire registry to a file; it does not interact with running processes and is used for backup, not process termination.

22
MCQmedium

A technician is troubleshooting a Windows 10 system that fails to boot with a 'Bootmgr is missing' error. They need to repair the boot configuration data (BCD) from the Windows Recovery Environment. Which command should they use?

A.bootrec /fixmbr
B.bootrec /fixboot
C.bootrec /rebuildbcd
D.sfc /scannow
AnswerC

This command rebuilds the BCD store, directly fixing the 'Bootmgr is missing' error.

Why this answer

The 'Bootmgr is missing' error indicates that the Boot Configuration Data (BCD) store is corrupted or missing. The `bootrec /rebuildbcd` command scans all disks for Windows installations and allows you to rebuild the BCD store from scratch, which directly resolves this issue. In contrast, `bootrec /fixmbr` and `bootrec /fixboot` repair the master boot record and boot sector, respectively, but do not rebuild the BCD store.

Exam trap

The trap here is that candidates often confuse `bootrec /fixboot` with repairing the boot configuration data, but `fixboot` only repairs the boot sector, not the BCD store, which is the actual cause of the 'Bootmgr is missing' error.

How to eliminate wrong answers

Option A is wrong because `bootrec /fixmbr` rewrites the master boot record (MBR) to the system partition, which addresses boot sector corruption but does not repair the BCD store. Option B is wrong because `bootrec /fixboot` writes a new boot sector to the system partition, which fixes boot sector issues but does not rebuild the BCD store. Option D is wrong because `sfc /scannow` checks and repairs system file integrity, but it does not operate on the BCD store or boot configuration data.

23
MCQhard

After a failed Windows Update, a Windows 10 system repeatedly attempts to install the update and fails. You need to stop the Windows Update service and delete the temporary update files from the command line. Which two commands, in order, should you use? (Select the first command from the options.)

A.net stop wuauserv
B.sfc /scannow
C.dism /online /cleanup-image /restorehealth
D.taskkill /IM svchost.exe /F
AnswerA

Correct. net stop wuauserv stops the Windows Update service, allowing deletion of its temporary files.

Why this answer

The correct first command is 'net stop wuauserv' because it stops the Windows Update service (wuauserv), which prevents the system from continuing to attempt the failed update installation. After stopping the service, you can then delete the temporary update files from the SoftwareDistribution folder using commands like 'del /f /s /q %systemroot%\SoftwareDistribution\*' or 'rmdir /s /q %systemroot%\SoftwareDistribution'. This two-step process is the standard method to clear a stuck update state.

Exam trap

CompTIA often tests the misconception that 'taskkill /IM svchost.exe /F' is a valid way to stop the Windows Update service, but this command kills all svchost instances indiscriminately, which can crash other critical services and is not the proper method for safely stopping a specific service.

How to eliminate wrong answers

Option B is wrong because 'sfc /scannow' scans and repairs protected system files, but it does not stop the Windows Update service or delete temporary update files; it addresses file corruption, not update stuck states. Option C is wrong because 'dism /online /cleanup-image /restorehealth' repairs the Windows system image and component store corruption, but it does not stop the update service or remove the temporary update files that cause repeated failed attempts. Option D is wrong because 'taskkill /IM svchost.exe /F' forcefully terminates all svchost.exe processes, which would crash critical system services including the Windows Update service, but it is a brute-force method that can destabilize the system and does not safely stop the service or clean up the temporary files.

24
MCQeasy

After installing a new application, a user's Windows 10 system fails to boot and displays a 'Bootmgr is missing' error. Which command-line tool should you use from the Windows Recovery Environment to repair the boot configuration?

A.diskpart
B.bootrec
C.sfc /scannow
D.chkdsk /f
AnswerB

Correct. bootrec with /fixboot or /rebuildbcd repairs the boot configuration data (BCD) and fixes boot manager issues.

Why this answer

The 'Bootmgr is missing' error indicates that the Boot Manager (bootmgr) is corrupted or the Boot Configuration Data (BCD) is damaged. The bootrec command, specifically with the /FixBoot, /FixMbr, and /RebuildBcd switches, is designed to repair the boot configuration and restore the boot manager from the Windows Recovery Environment.

Exam trap

CompTIA often tests the distinction between file system repair (chkdsk) and boot configuration repair (bootrec), leading candidates to mistakenly choose chkdsk when the error is clearly a boot manager issue.

How to eliminate wrong answers

Option A is wrong because diskpart is a disk partitioning tool used to manage volumes and partitions, not to repair boot configuration files. Option C is wrong because sfc /scannow scans and repairs protected system files, but it cannot fix boot manager or BCD issues when the system cannot boot. Option D is wrong because chkdsk /f checks and repairs file system integrity on a volume, but it does not address boot configuration corruption.

25
MCQmedium

A technician is troubleshooting a DNS resolution issue on a Windows 10 workstation. The user can ping an IP address but not a domain name. Which command should be used to clear the local DNS cache?

A.nslookup example.com
B.ipconfig /flushdns
C.netstat -r
D.ping -a 192.168.1.1
AnswerB

Correct. ipconfig /flushdns clears the DNS resolver cache, forcing the system to query DNS servers fresh.

Why this answer

The `ipconfig /flushdns` command clears the local DNS resolver cache on a Windows 10 workstation. When a user can ping an IP address but not a domain name, it often indicates a stale or corrupted DNS cache entry. Flushing the cache forces the system to query the DNS server for fresh resolution, resolving the issue.

Exam trap

The trap here is that candidates confuse `nslookup` (which queries the DNS server) with a cache-clearing command, not realizing that `nslookup` does not affect the local cache and may return a correct result even when the cache is corrupted.

How to eliminate wrong answers

Option A is wrong because `nslookup example.com` queries an external DNS server directly, bypassing the local cache, and does not clear the cache. Option C is wrong because `netstat -r` displays the IP routing table, not DNS cache information. Option D is wrong because `ping -a 192.168.1.1` performs a reverse DNS lookup to resolve an IP address to a hostname, but it does not clear the DNS cache.

26
MCQhard

A technician needs to deploy a software update to 100 computers in a domain. The update requires administrative privileges. The technician wants to run the installer silently without user interaction. Which command-line syntax should be used?

A.msiexec /i update.msi /passive
B.msiexec /i update.msi /quiet /norestart
C.msiexec /i update.msi /qb
D.msiexec /i update.msi /l* log.txt
AnswerB

Installs silently and prevents automatic restart.

Why this answer

Option B is correct because the `/quiet` switch suppresses all user interface and user interaction, which satisfies the requirement for silent installation. The `/norestart` switch prevents an automatic reboot after the installation, which is necessary when deploying to multiple computers without disrupting users. Together, these switches ensure the update runs with administrative privileges in a fully unattended manner.

Exam trap

CompTIA A+ often tests the distinction between /passive (which still shows a progress bar) and /quiet (which is truly silent), leading candidates to choose /passive when the question explicitly requires no user interaction.

How to eliminate wrong answers

Option A is wrong because `/passive` displays a progress bar and only minimizes user interaction, not eliminating it entirely; the installation is not fully silent. Option C is wrong because `/qb` shows a basic progress dialog (a basic UI), which still requires user interaction and does not meet the silent requirement. Option D is wrong because `/l* log.txt` only enables verbose logging to a file; it does not control the installation's user interface or silence it, so the installer would run with its default UI.

27
MCQeasy

A user reports that their Windows 10 PC is running slowly and they suspect a background process is consuming excessive memory. Which command-line tool should you use to identify the process by name and memory usage?

A.tasklist
B.ipconfig
C.chkdsk
D.sfc
AnswerA

Correct. tasklist lists all running processes with memory usage, allowing you to identify the culprit.

Why this answer

The `tasklist` command displays a list of all currently running processes on a Windows system, including their process ID (PID), session name, session number, and memory usage. By default, it shows memory consumption in kilobytes, allowing you to identify which process is consuming excessive memory by name. This makes it the correct tool for diagnosing a memory-hungry background process.

Exam trap

CompTIA often tests the distinction between system information commands (like `systeminfo` or `tasklist`) and network or disk utilities; the trap here is that candidates may confuse `ipconfig` (a network tool) or `sfc` (a system file checker) with a process management tool, or assume `chkdsk` can show memory usage because it reports disk-related resource consumption.

How to eliminate wrong answers

Option B (ipconfig) is wrong because it displays TCP/IP network configuration values (IP address, subnet mask, default gateway) and has no capability to list processes or memory usage. Option C (chkdsk) is wrong because it checks the file system integrity of a volume for logical and physical errors, not for running processes or memory consumption. Option D (sfc) is wrong because it scans and verifies the integrity of all protected system files, replacing incorrect versions with correct Microsoft versions, and does not provide any process or memory information.

28
MCQeasy

A user reports that their Windows 10 PC is running very slowly, and they suspect a background process is consuming too much memory. Which command-line tool would you use from an elevated command prompt to identify the process with the highest memory usage?

A.tasklist /FI "MEMUSAGE gt 100000"
B.ipconfig /all
C.chkdsk /f
D.sfc /scannow
AnswerA

This command filters the task list to show only processes using more than 100,000 KB of memory, directly identifying high-memory processes.

Why this answer

Option A is correct because the `tasklist` command with the `/FI` filter `MEMUSAGE gt 100000` lists all processes whose memory usage exceeds 100,000 KB (approximately 100 MB). This allows you to quickly identify processes consuming excessive memory from an elevated command prompt, directly addressing the user's suspicion of a memory-hungry background process.

Exam trap

The trap here is that candidates may confuse `tasklist` with other diagnostic tools like `ipconfig` or `sfc`, or assume that any command with a `/f` switch (like `chkdsk /f`) is related to fixing performance issues, when in fact only `tasklist` with the correct filter can identify memory-heavy processes.

How to eliminate wrong answers

Option B is wrong because `ipconfig /all` displays detailed TCP/IP configuration information (IP addresses, MAC addresses, DHCP server, DNS servers) and has no capability to list processes or memory usage. Option C is wrong because `chkdsk /f` checks the file system and fixes disk errors on a volume; it does not interact with running processes or memory statistics. Option D is wrong because `sfc /scannow` scans and repairs protected system files, but it does not provide any information about running processes or their memory consumption.

29
MCQmedium

A technician needs to deploy a custom script to 50 Windows 10 workstations during an automated software installation. The script must run with administrative privileges. Which command-line tool should be used to execute the script with elevated rights from a batch file?

A.msiexec /i package.msi
B.wmic os get name
C.runas /user:Administrator script.bat
D.schtasks /create
AnswerC

Correct. runas executes the script under the Administrator account, ensuring necessary permissions.

Why this answer

Option C is correct because the `runas` command allows executing a script with administrative privileges by specifying the `/user:Administrator` parameter, which prompts for the administrator password and runs the script in a security context with elevated rights. This is the appropriate tool for running a custom script with administrative privileges from a batch file during an automated deployment.

Exam trap

CompTIA often tests the distinction between tools that execute commands immediately with elevation (runas) versus tools that schedule tasks (schtasks) or install packages (msiexec), leading candidates to confuse scheduling with immediate execution.

How to eliminate wrong answers

Option A is wrong because `msiexec /i package.msi` is used to install Windows Installer (.msi) packages, not to execute arbitrary scripts with elevated rights; it does not provide a mechanism to run a custom script. Option B is wrong because `wmic os get name` retrieves the operating system name via WMI and does not execute scripts or elevate privileges. Option D is wrong because `schtasks /create` schedules a task for later execution but does not immediately run a script with administrative privileges from a batch file; it requires additional configuration and does not provide a direct interactive elevation prompt.

30
MCQmedium

You are deploying a new application to multiple Windows 10 workstations using a script. The application requires administrator privileges, and you need to run the command with elevated rights from within the script. Which command should precede your installation command?

A.runas /user:Administrator
B.net user
C.cd
D.whoami
AnswerA

This command runs the subsequent program with administrator privileges, as required for the installation.

Why this answer

The `runas /user:Administrator` command allows you to execute a subsequent command with the security context of the specified user (in this case, the built-in Administrator account), which provides the elevated privileges required to install the application. This is necessary because the script itself runs under the current user's context, which may lack the administrative rights needed for the installation.

Exam trap

CompTIA often tests the misconception that `runas` is the only way to elevate privileges within a script, but the trap here is that candidates might confuse `runas` with simply running the script itself as Administrator, forgetting that the command must explicitly precede the installation command to elevate that specific process.

How to eliminate wrong answers

Option B is wrong because `net user` is used to manage user accounts (create, delete, or modify) and does not execute a command with elevated privileges. Option C is wrong because `cd` changes the current directory and has no capability to elevate permissions. Option D is wrong because `whoami` displays the current user's username and security context but does not alter or elevate privileges.

Ready to test yourself?

Try a timed practice session using only Windows Command-Line Tools questions.