I think that is one of those old CCSE exam questions that has carried over even though it is not covered anymore.

We could joke and say that it is one of those few real-world questions, but if there isn't good documentation around it then it may be better if it is removed from the exam question pool.

Can you share where you found the references please?

"What user-mode process is responsible for the FW CLI commands? "

I have it in my head that it is FWD, and the way I always explain it is that the commands are issues/sent to FWD and FWD then executes and gathers the information.

fw stat and fw ctl pstat are two examples where the information is gathered from the Firewall Kernel but that is a busy piece of software that requires a structured communication channel to prioritise and respond to requests in a timely manner.

FWD is 'allowed' to use that IO channel to get the information requested by the command.

I just checked my CCSE R80.10 notes and found this:

fwd – Check Point Firewall Daemon

Allows other processes, including the kernel, to forward logs to external Log servers, as well as the Security Management Server.

fwd communicates with the kernel using command line tools, such as the fw commands, kernel variables, and kernel control commands.

Examples:
fw stat
fw ctl chain
fw ctl pstat
fw ctl set (Configures the specified value for the specified kernel parameter)
- fw ctl setsync <off|start> stop or start synchronization in a cluster

I checked https://support.checkpoint.com/results/sk/sk97638 and under FWD it does not confirm that but then it is a summary of FWD, which has a lot of responsibilities on the SGs.