1. Pre-boot
for BIOS: MBR/PBR (bootstrap code)
for UEFI: UEFI firmware
2. Windows Boot Manager (bootmgfw.efi)
BIOS: %SystemDrive%\bootmgr
UEFI: \EFI\Microsoft\Boot\bootmgfw.efi
This file is copied from C:\Windows\Boot\EFI\bootmgfw.efi.
bootmgr reads a database called the BCD (Boot Configuration Data). This is a binary database, maintained by the administrative program BCDEDIT.EXE.
Mount the EFI system partition (from an elevated prompt):
diskpart
list disk
select disk 0
list partition
select partition 1
assign letter=s
tree /f s:\
Folder PATH listing
Volume serial number is 000000F3 6402:5B64
S:\
│
├───EFI
│   ├───Boot
│   │       BOOTX64.EFI
│   │
│   └───Microsoft
│       ├───Boot
│       │   │   boot.stl
│       │   │   bootmgfw.efi
│       │   │   bootmgr.efi
│       │   │   winsipolicy.p7b
│       │   │   BCD
│       │   │   kdnet_uart16550.dll
│       │   │   kdstub.dll
│       │   │   kd_02_10df.dll
│       │   │   kd_02_10ec.dll
│       │   │   kd_02_1137.dll
│       │   │   kd_02_14e4.dll
│       │   │   kd_02_15b3.dll
│       │   │   kd_02_1969.dll
│       │   │   kd_02_19a2.dll
│       │   │   kd_02_1af4.dll
│       │   │   kd_02_8086.dll
│       │   │   kd_07_1415.dll
│       │   │   kd_0C_8086.dll
│       │   │   memtest.efi
│       │   │
│       │   ├───CIPolicies
│       │   │   └───Active
│       │   ├───en-US
│       │   │       bootmgfw.efi.mui
│       │   │       bootmgr.efi.mui
│       │   │       memtest.efi.mui
│       │   │
│       │   ├───Fonts
│       │   │       segmono_boot.ttf
│       │   │       segoen_slboot.ttf
│       │   │       segoe_slboot.ttf
│       │   │       wgl4_boot.ttf
│       │   │
│       │   ├───Resources
│       │   │   │   bootres.dll
│       │   │   │
│       │   │   └───en-US
│       │   │           bootres.dll.mui
│       │   │
│       │   └───qps-ploc
│       │           memtest.efi.mui
│       │
│       └───Recovery
│               BCD
The BCD may indicate that the previous execution of Windows was terminated when Windows was hibernated. In that case bootmgr calls WINLOAD, which reloads memory and resumes OS execution.
bcdedit
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume6
path \EFI\Microsoft\Boot\bootmgfw.efi
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {0a2d72e1-d4b5-11ed-b261-aeaa742d760f}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.efi
description Windows 10
locale en-US
inherit {bootloadersettings}
isolatedcontext Yes
allowedinmemorysettings 0x15000075
osdevice partition=C:
systemroot \Windows
resumeobject {0a2d72e1-d4b5-11ed-b261-aeaa742d760f}
nx OptIn
bootmenupolicy Standard
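The bcdedit listing above is plain text, so a defender can parse it and check the elements that weaken boot-time protections. The following is an added example, not code from the original post: it parses the exact listing shown on this page (embedded as SAMPLE_BCDEDIT) into one dictionary per entry and reports on the loader entry. The element names it looks for (testsigning, nointegritychecks, debug, nx, path) are the ones bcdedit itself prints; audit_live_bcd() runs the real tool and only works on Windows from an elevated prompt.

```python
"""Parse bcdedit output into per-entry dictionaries and review the settings
a defender cares about. Added example; not code from the original post.
SAMPLE_BCDEDIT is the bcdedit listing shown on this page."""
import subprocess
import sys

SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume6
path                    \\EFI\\Microsoft\\Boot\\bootmgfw.efi
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {0a2d72e1-d4b5-11ed-b261-aeaa742d760f}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \\Windows
resumeobject            {0a2d72e1-d4b5-11ed-b261-aeaa742d760f}
nx                      OptIn
bootmenupolicy          Standard
"""

# Loader images a loader entry is expected to point at; anything else merits a look.
EXPECTED_LOADER_PATHS = {r"\windows\system32\winload.efi", r"\windows\system32\winload.exe"}


def parse_bcdedit(text):
    """Split bcdedit's listing into entries: one dict per section, the section
    title stored under "_type" and each "name   value" row as name -> value."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the current section
            current = None
            continue
        if set(line.strip()) == {"-"}:  # the underline beneath a section title
            continue
        if current is None:             # first non-blank line is the title
            current = {"_type": line.strip()}
            entries.append(current)
            continue
        name, _, value = line.partition(" ")
        current[name.lower()] = value.strip()
    return entries


def audit_entry(entry):
    """Return human-readable findings for one "Windows Boot Loader" entry.
    Absent elements keep their defaults, so only explicit values are flagged."""
    if entry.get("_type") != "Windows Boot Loader":
        return []
    findings = []
    if entry.get("testsigning", "No").lower() == "yes":
        findings.append("testsigning is on: test-signed kernel drivers will load")
    if entry.get("nointegritychecks", "No").lower() == "yes":
        findings.append("nointegritychecks is on: driver signature enforcement is off")
    if entry.get("debug", "No").lower() == "yes":
        findings.append("kernel debugger is enabled")
    if entry.get("nx", "").lower() == "alwaysoff":
        findings.append("DEP disabled for all code (nx AlwaysOff)")
    if entry.get("path", "").lower() not in EXPECTED_LOADER_PATHS:
        findings.append("loader path is not winload: %s" % entry.get("path"))
    return findings


def audit_live_bcd():
    """Run bcdedit (Windows, elevated) and audit every entry by identifier."""
    if sys.platform != "win32":
        return {}
    text = subprocess.run(["bcdedit"], capture_output=True, text=True, check=True).stdout
    return {e.get("identifier", "?"): audit_entry(e) for e in parse_bcdedit(text)}


if __name__ == "__main__":
    for e in parse_bcdedit(SAMPLE_BCDEDIT):
        print(e["_type"], e.get("identifier"), audit_entry(e) or "no findings")
```

The entry on this page produces no findings; the same parser applied to a machine where testsigning has been switched on, or where the loader path no longer points at winload, reports each deviation separately.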
bootmgr loads WINLOAD (the same program used for resuming from hibernation).
3. Windows OS Loader (winload.efi)
%SystemRoot%\system32\winload.exe
%SystemRoot%\system32\winload.efi
WINLOAD then determines which I/O devices are available. This information is written into the Windows registry (a system database).
WINLOAD loads HAL.DLL, which contains the Hardware Abstraction Layer that provides the low-level, hardware-dependent interfaces for the NT kernel.
WINLOAD then loads the device drivers that are marked "BOOT" in the registry. NTOSKRNL, HAL, and the boot drivers are all loaded using the BIOS or UEFI disk I/O driver.
WinLoad.exe/.efi loads the drivers needed to kick-start the Windows kernel (ntoskrnl.exe).
Once the boot device drivers are loaded, control is passed to the kernel.
4. Windows NT OS Kernel (ntoskrnl.exe)
%SystemRoot%\system32\ntoskrnl.exe
NTOSKRNL.EXE contains the bulk of the kernel and executive code.
It picks up the registry settings, additional drivers, etc. Once these have been read, control is taken by the system manager process, which loads the UI and the rest of the hardware and software.
hal.dll helps the kernel interact with hardware.
The Windows executive processes configuration information from HKLM\SYSTEM\CurrentControlSet.
When the kernel receives control, it performs the following initialization steps:
The kernel switches the processor from real mode to 32- or 64-bit protected mode. (When bootmgr was used, it performed this step.)
The kernel next initializes various internal components.
The kernel then calls the initialization routines for the drivers loaded by the boot loader (NTLDR or WINLOAD.EXE, depending on the Windows version).
The kernel loads and initializes the additional device drivers that are marked "SYSTEM" in the registry. (These drivers are loaded by the Windows disk driver that was loaded and initialized above.)
The NT kernel does some additional initialization and the state of all disk file systems is checked.
The kernel begins dispatching processes. This begins the next stage of system initialization.
Winlogon.exe starts the login procedure.
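The "BOOT" and "SYSTEM" markings above are the Start value of each service key under HKLM\SYSTEM\CurrentControlSet\Services (0 = boot start, loaded by WINLOAD; 1 = system start, loaded by the kernel). Because these drivers run before any user-mode security product, a defender wants to know exactly which images they are. The following is an added example, not code from the original post: on Windows it reads the live Services key; elsewhere it runs the same selection over constructed sample records, and it flags any early-start driver whose ImagePath lies outside System32.

```python
"""List the drivers the registry marks as BOOT (Start=0) or SYSTEM (Start=1),
the set WINLOAD and the kernel load before user mode exists. Added example,
not code from the original post."""
import sys

# Start values as stored in each service key (SERVICE_*_START constants).
START_NAMES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "DEMAND", 4: "DISABLED"}
# Type values that denote drivers rather than user-mode services.
DRIVER_TYPES = {1: "kernel driver", 2: "file system driver"}


def early_start_drivers(services):
    """services: iterable of (name, start, type, image_path) tuples.
    Returns one record per driver with Start 0 or 1, flagging images that do
    not live under System32 (the normal home for boot and system drivers)."""
    out = []
    for name, start, svc_type, image in services:
        if svc_type not in DRIVER_TYPES or start not in (0, 1):
            continue
        low = (image or "").lower().replace("/", "\\")
        in_system32 = low.startswith("system32\\") or "\\system32\\" in low
        out.append({
            "name": name,
            "start": START_NAMES[start],
            "type": DRIVER_TYPES[svc_type],
            "image": image,
            "unusual_path": bool(low) and not in_system32,
        })
    return out


def read_services_from_registry():
    """Read (name, Start, Type, ImagePath) for every service key; Windows only."""
    if sys.platform != "win32":
        return []
    import winreg
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        idx = 0
        while True:
            try:
                name = winreg.EnumKey(root, idx)
            except OSError:          # no more subkeys
                break
            idx += 1
            try:
                with winreg.OpenKey(root, name) as k:
                    start = winreg.QueryValueEx(k, "Start")[0]
                    svc_type = winreg.QueryValueEx(k, "Type")[0]
                    try:
                        image = winreg.QueryValueEx(k, "ImagePath")[0]
                    except OSError:  # many in-box drivers have no ImagePath
                        image = ""
            except OSError:          # key without Start/Type (not a service)
                continue
            records.append((name, start, svc_type, image))
    return records


SAMPLE_SERVICES = [  # constructed records, not read from a real machine
    ("disk", 0, 1, r"System32\drivers\disk.sys"),
    ("Ntfs", 0, 2, r"System32\Drivers\Ntfs.sys"),
    ("Tcpip", 1, 1, r"System32\drivers\tcpip.sys"),
    ("Spooler", 2, 16, r"%SystemRoot%\System32\spoolsv.exe"),  # user-mode service, skipped
    ("oddboot", 0, 1, r"C:\Users\Public\oddboot.sys"),         # boot driver outside System32
]

if __name__ == "__main__":
    for rec in early_start_drivers(read_services_from_registry() or SAMPLE_SERVICES):
        flag = "  <-- image outside System32" if rec["unusual_path"] else ""
        print(rec["start"], rec["type"], rec["name"], rec["image"], flag)
```

On a real machine the list is long (storage, file system, crypto and networking drivers), so the unusual_path flag is the field to sort on first; a second pass would compare each image's signature against the CI policies stored on the EFI partition shown earlier.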
5. Windows System Process Initialization
After the Windows kernel finishes initialization, it begins dispatching processes. Once this happens, the following actions occur:
1. When the system is first started there are two "pre-existing" processes:
- IDLE, which runs whenever no other process is ready to run. This is the lowest-priority process in the system.
- SYSTEM, which contains a number of kernel threads that perform various tasks on behalf of the kernel.
- SERVICES.EXE, the Service Control Manager.
- LSASS.EXE, the Local Security Authority Subsystem.
Windows Login
On Windows, login is handled by WINLOGON.EXE.
In the case of username/password, the values entered may be verified locally or (in the case of a domain login) remotely. Remote logins use either NTLM (NT LAN Manager), which is a challenge/response mechanism, or Kerberos, which uses a series of symmetrically encrypted "tickets".
Once the user has been authenticated, the system initializes the user's environment.
Windows User Process Startup
Once a user has entered a valid ID and password, WINLOGON starts a process running USERINIT.EXE.
USERINIT initializes the user environment, including starting the user's shell, which is normally EXPLORER.EXE (not to be confused with Internet Explorer).
EXPLORER starts any additional processes specified in the user's "Startup" folder and the "All Users" Startup folder, as well as the values stored in the registry under the following keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Once EXPLORER has initialized, the user can interact with the system.
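Because EXPLORER launches whatever these four keys and the two Startup folders contain, they are the first places to review when checking a machine for unwanted autostarts. The following is an added example, not code from the original post: it reads the Run/RunOnce keys and the Startup folders on Windows, and classify() (pure Python, exercised here on constructed sample values) gives the reasons an entry deserves a closer look: a command launched from a user-writable directory, a script host as the target, or an unquoted path containing spaces. The SecurityHealth, Updater and Cleanup entries are constructed, not taken from any real machine.

```python
"""Enumerate the Run/RunOnce keys and Startup folders described above and
flag entries worth reviewing. Added example, not code from the original post."""
import os
import sys

RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
# Locations an unprivileged user can write to; a rare home for a legitimate autostart.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
EXE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".lnk")


def classify(command):
    """Return the reasons an autostart command deserves review ([] if none)."""
    cmd = command.strip()
    low = cmd.lower()
    # The target is the quoted first token, or everything up to the first space.
    target = low.split('"')[1] if low.startswith('"') else low.split(" ")[0]
    target_name = os.path.basename(target.replace("\\", "/"))
    reasons = []
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("launches from a user-writable directory")
    if target_name in SCRIPT_HOSTS:
        reasons.append("autostart target is the script host " + target_name)
    if not cmd.startswith('"') and not target_name.endswith(EXE_EXTENSIONS):
        reasons.append("unquoted target path (spaces make the lookup ambiguous)")
    return reasons


def read_run_keys():
    """Values under the four Run/RunOnce keys as (key, name, command); Windows only."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:          # key absent (RunOnce often is)
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                found.append((hive + "\\" + subkey, name, str(value)))
                i += 1
    return found


def read_startup_folders():
    """Files in the user's and the All Users Startup folders as (folder, name, path)."""
    if sys.platform != "win32":
        return []
    folders = [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("PROGRAMDATA", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    return [(f, n, os.path.join(f, n)) for f in folders if os.path.isdir(f) for n in os.listdir(f)]


def report(entries):
    """Pair each (location, name, command) with its classify() reasons."""
    return [(loc, name, classify(cmd)) for loc, name, cmd in entries]


SAMPLE_ENTRIES = [  # constructed sample values, not read from any real machine
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"wscript.exe C:\Users\alice\AppData\Local\Temp\update.vbs"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Cleanup",
     r'"C:\Program Files\Example App\cleanup.exe" /quiet'),
]

if __name__ == "__main__":
    entries = read_run_keys() + read_startup_folders() or SAMPLE_ENTRIES
    for loc, name, reasons in report(entries):
        print(loc, name, reasons or "ok")
```

The heuristics are deliberately simple and produce a review list, not a verdict: a vendor updater legitimately living under AppData will be flagged, and a renamed binary in Program Files will not. The HKLM keys affect every user who logs on, so an unexpected entry there weighs more than one in HKCU.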
src:
https://glennastory.net/?p=273
https://glennastory.net/boot/