Windows BOOT Sequence
Boot Order has 7 steps:
Step 1 – Master Boot Record (MBR)
- Reads & loads the partition boot sectors
Step 2 – Boot Sector
- Reads root directory to load NTLDR
Step 3 – NTLDR
- Turns on paging
- Reads Boot.ini
- Presents Boot Menu
- Loads NTOSKRNL.exe
- Loads boot-start device drivers
Step 4 – NTOSKRNL.exe
- Initialises Executive subsystems
- Loads system-start device drivers
- Runs SMSS.exe
Step 5 – SMSS
- Loads Win32 Subsystem
- Starts Winlogon.exe
Step 6 – WINLOGON
- Starts Service Control Manager (SCM)
- Starts the Local Security Subsystem (LSASS)
- LSA generates the Token (includes User SID, Group SID, Impersonation Rights, privileges and expiry time of Token)
- Presents the interactive logon dialog box
Step 7 – Service Control Manager (SCM)
- Loads auto-start device drivers
- Starts auto-start Win32 services
What are device drivers?
Device drivers are loadable KERNEL MODE modules (end in .sys) that interface between the I/O Manager and the hardware. They run in KERNEL mode, in 3 contexts (User thread, Kernel system thread or interrupt).
Device drivers – call the HAL (Hal.dll)
HAL – calls the hardware.
They don’t manipulate hardware directly; they call functions in the HAL to interface with the hardware.
There are several types of device drivers:
1. Hardware drivers – manipulate hardware (using the HAL) to write to a physical device.
2. File system drivers – accept file-oriented I/O requests.
3. File System FILTER drivers – Encryption, Disk mirroring, intercept I/O’s
4. Network redirectors – transmit file system I/O requests to the network
5. Protocol drivers – implement networking protocols such as TCP/IP, NetBEUI etc.
6. Kernel Streaming FILTER drivers – chained together to perform signal processing on data streams, recording or displaying audio or video.
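The boot-start, system-start and auto-start drivers named in steps 3, 4 and 7 are distinguished by the Start value under each driver's Services registry key, and the Type value separates kernel-mode .sys modules from Win32 services. The script below is an added example, not part of the original notes: it parses a constructed .reg export of that key, groups each entry by the boot step that loads it, and flags any kernel-mode driver whose image path is outside system32. The service names and paths in the sample are constructed for illustration; the Start and Type values are the standard SERVICE_* constants.

```python
import re
from collections import defaultdict

# SERVICE_*_START values and the boot step (from the sequence above) that loads them
LOADED_BY = {0: "Step 3 NTLDR", 1: "Step 4 NTOSKRNL (I/O Manager)", 2: "Step 7 SCM"}
# Type values: 1 = kernel driver, 2 = file system driver, 0x10/0x20 = Win32 service
KERNEL_MODE_TYPES = (1, 2)

# Constructed .reg export fragment (not captured from a real system); the
# "oddfltr" entry is a made-up driver placed outside system32 for illustration.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\DRIVERS\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfs]
"Type"=dword:00000002
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\ntfs.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oddfltr]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="\\??\\C:\\Temp\\oddfltr.sys"
'''

KEY_RE = re.compile(r'\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]')
VALUE_RE = re.compile(r'"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

def parse_services(reg_text):
    """Return {service_name: {"Type": int, "Start": int, "ImagePath": str}} from a .reg export."""
    services, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:                      # top-level Services\<name> key; subkeys do not match
            current = services.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            key, dword, text = m.groups()
            current[key] = int(dword, 16) if dword is not None else text.replace('\\\\', '\\')
    return services

def classify(services):
    """Group entries by the boot step that starts them; flag kernel-mode drivers outside system32."""
    by_step, suspicious = defaultdict(list), []
    for name, svc in services.items():
        by_step[LOADED_BY.get(svc.get("Start"), "not started at boot")].append(name)
        if svc.get("Type") in KERNEL_MODE_TYPES and "system32" not in svc.get("ImagePath", "").lower():
            suspicious.append(name)
    return dict(by_step), suspicious
```

On a live system the same logic can be run over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`.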