Skip to main content

windows boot process

 1. pre boot

 for bios MBR/PBR (Bootstrap Code) 

for uefi  UEFI Firmware


2.Windows Boot Manager (bootmgfw.efi )

Bios:  %SystemDrive%\bootmgr  

UEFI:  \EFI\Microsoft\Boot\bootmgfw.efi 

this file is copied from C:\Windows\Boot\EFI\bootmgfw.efi


bootmgr reads a database called BCD. This is a binary database, maintained by the administrative program, BCDEDIT.EXE. 


mount efi partition 


list disk

select disk 0

list partition 

select partititon 1

 assign letter=s

tree /f  s:\
Folder PATH listing
Volume serial number is 000000F3 6402:5B64

│   ├───Boot
│   │       BOOTX64.EFI
│   │
│   └───Microsoft
│       ├───Boot
│       │   │   boot.stl
│       │   │   bootmgfw.efi
│       │   │   bootmgr.efi
│       │   │   winsipolicy.p7b
│       │   │   BCD
│       │   │   kdnet_uart16550.dll
│       │   │   kdstub.dll
│       │   │   kd_02_10df.dll
│       │   │   kd_02_10ec.dll
│       │   │   kd_02_1137.dll
│       │   │   kd_02_14e4.dll
│       │   │   kd_02_15b3.dll
│       │   │   kd_02_1969.dll
│       │   │   kd_02_19a2.dll
│       │   │   kd_02_1af4.dll
│       │   │   kd_02_8086.dll
│       │   │   kd_07_1415.dll
│       │   │   kd_0C_8086.dll
│       │   │   memtest.efi
│       │   │
│       │   ├───CIPolicies
│       │   │   └───Active
│       │   ├───en-US
│       │   │       bootmgfw.efi.mui
│       │   │       bootmgr.efi.mui
│       │   │       memtest.efi.mui
│       │   │
│       │   ├───Fonts
│       │   │       segmono_boot.ttf
│       │   │       segoen_slboot.ttf
│       │   │       segoe_slboot.ttf
│       │   │       wgl4_boot.ttf
│       │   │
│       │   ├───Resources
│       │   │   │   bootres.dll
│       │   │   │
│       │   │   └───en-US
│       │   │           bootres.dll.mui
│       │   │
│       │   └───qps-ploc
│       │           memtest.efi.mui
│       │
│       └───Recovery
│               BCD

The BCD may indicate that the previous execution of Windows was terminated when Windows was hibernated. In that case bootmgr calls WINLOAD, which reloads memory and resume OS execution. 


Windows Boot Manager
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume6
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {0a2d72e1-d4b5-11ed-b261-aeaa742d760f}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {0a2d72e1-d4b5-11ed-b261-aeaa742d760f}
nx                      OptIn
bootmenupolicy          Standard


bootmgr loads WINLOAD(the same program used for resuming from hibernation).




3. Windows OS Loader(winload.efi)



WINLOAD then determines what I/O devices are available. This information is written into the Windows registry (a system database).

WINLOAD loads HAL.DLL which contains the Hardware Abstraction Layer, that provides the low-level hardware-dependent interfaces for the NT kernel.  

WINLOAD then loads those device drivers that are marked "BOOT" in the registry. NTOSKRNL, HAL, and boot drivers are all loaded using the BIOS or UEFI disk I/O driver.

WinLoad.exe/efi loads important drivers to kick start the Windows Kernel (ntoskrnl.exe)

Once the boot device drivers are loaded, control is passed to the kernel.


4. Windows NT OS Kernel (ntoskrnl.exe)


  NTOSKRNL.EXE contains the bulk of the kernel and executive code.

  picks up the Registry settings, additional drivers, etc. Once that has been read, the control is taken by the system manager process. It loads up the UI, the rest of the hardware and software

hal.dll helps the kernel to interact with hardware

Windows executive processes config info in HKLM\SYSTEM\CurrentControlSet 

When the kernel receives control, it performs the following initialization steps: 

The kernal switches the processor from real mode to 32- or 64-bit protected mode. (When bootmgr was used, it performed this step.)  

The kernel next initializes various internal components. 

The kernel then calls the initialization routines for the drivers loaded by the boot loader (NTLDR or WINLOAD.EXE, depending on the Windows version)

The kernal loads and intializaes additional device drivers that are marked "SYSTEM" in the registry. (These drivers are loaded by the Windows disk driver that was loaded and initialized above.) 

The NT kernel does some additional initialization and the state of all disk file systems is checked.

 The kernel begins dispatching processes. This begins the next stage of system initialization

Winlogon.exe starts login procedure


5. Windows System Process Initialization

After the Windows kernel finishes initilization, it begins dispatching processes. Once this happens, the following actions occur: 

1.When the system is first started there are two "pre-existing" processes:

  1. IDLE - which runs whenever no other process is ready to run. This is the lowest-priority process in the system.
  2. SYSTEM - which contains a number of kernel threads that perform various tasks on behalf of the kernel. 
2. Thread 0 of the SYSTEM process launches SMSS.EXE, the session manager, as the first "created" process in the system. 
3. SMSS creates a process for each subsystem marked in the registry as "required". Normally this is only CSRSS.EXE, the WIN32 subsystem. (Other subsystems include the Posix subsystem, and in older versions of Windows, the OS/2 subsystem. Each subsystem provides its own API (Application Programming Interface). 
4. SMSS then starts a process for WINLOGIN.EXE, the the login manager. 
5. WINLOGIN starts the following processes:
  1. SERVICE.EXE, the Service control manager.
  2. LSASS.EXE: The Local Security Authority Subsystem. 
6. SERVICE starts any device drivers that are marked "AUTOMATIC" in the registry. 

7. SERVICE then starts any service process marked in the registry for automatic startup. 

8. Meanwhile, (concurrently with and subsequent to the previous two steps) WINLOGIN waits for a user to log in. 


Windows Login

 On Windows, login is handled by WINLOGIN.EXE.

In the case of username/password, the values entered may be verified locally or (in the case of a domain login) remotely. Remote logins use either NTLM (NT LAN Manager) which is a challenge/response mechanism, or Kerberos which uses a series of symetrically encrypted "tickets"


Once the user has been authenticated, the system does an initialization of the user's environment.



Windows User Process Startup

  Once a user has entered a valid ID and password, WINLOGIN starts a process running USERINIT.EXE. 

USERINIT initializes the user environment, including starting the user's shell, which is normally EXPLORER.EXE (not to be confused with Internet Explorer). 

EXPLORER starts any additional processes specified in the user's "Startup" folder and the "All Users" startup folder, as well as values stored in the registry under the following keys: 

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 

Once EXPLORER has initialized, the user can interact with the system. 









Popular posts from this blog

sxhkd volume andbrightness config for dwm on void

xbps-install  sxhkd ------------ mkdir .config/sxhkd cd .config/sxhkd nano/vim sxhkdrc -------------------------------- XF86AudioRaiseVolume         amixer -c 1 -- sset Master 2db+ XF86AudioLowerVolume         amixer -c 1 -- sset Master 2db- XF86AudioMute         amixer -c 1 -- sset Master toggle alt + shift + Escape         pkill -USR1 -x sxhkd XF86MonBrightnessUp          xbacklight -inc 20 XF86MonBrightnessDown          xbacklight -dec 20 ------------------------------------------------------------- amixer -c card_no -- sset Interface volume run alsamixer to find card no and interface names xbps-install -S git git clone xbps-install -S base-devel libX11-devel libXft-devel libXinerama-devel  vim # FREETYPEINC = ${X11INC}/freetype2 #comment for non-bsd make clean install   cp config.def.h config.h vim config.h xbps-install -S font-symbola #for emoji on statusbar support     void audio config xbps-i

Hidden Wiki

Welcome to The Hidden Wiki New hidden wiki url 2015 http://zqktlwi4fecvo6ri.onion Add it to bookmarks and spread it!!! Editor's picks Bored? Pick a random page from the article index and replace one of these slots with it. The Matrix - Very nice to read. How to Exit the Matrix - Learn how to Protect yourself and your rights, online and off. Verifying PGP signatures - A short and simple how-to guide. In Praise Of Hawala - Anonymous informal value transfer system. Volunteer Here are five different things that you can help us out with. Plunder other hidden service lists for links and place them here! File the SnapBBSIndex links wherever they go. Set external links to HTTPS where available, good certificate, and same content. Care to start recording onionland's history? Check out Onionland's Museum Perform Dead Services Duties. Introduction Points - Clearnet search engine for Tor Hidden Services (allows you

download office 2021 and activate

get office from here open powershell as admin (win+x and a ) type cmd  goto insall dir 1.         cd /d %ProgramFiles(x86)%\Microsoft Office\Office16 2.           cd /d %ProgramFiles%\Microsoft Office\Office16 try 1 or 2 depending on installation  install volume license  for /f %x in ('dir /b ..\root\Licenses16\ProPlus2021VL_KMS*.xrm-ms') do cscript ospp.vbs /inslic:"..\root\Licenses16\%x" activate using kms cscript ospp.vbs /setprt:1688 cscript ospp.vbs /unpkey:6F7TH >nul cscript ospp.vbs /inpkey:FXYTK-NJJ8C-GB6DW-3DYQT-6F7TH cscript ospp.vbs / cscript ospp.vbs /act Automatic script (windefender may block it) ------------------------------------------------------------------------------------------------------------------- @echo off title Activate Microsoft Office 2021 (ALL versions) for FREE - =====================================================================================&