
Booting Process in Windows

September 15, 2010

Hi, everyone uses a desktop or laptop these days, but some of us don't know how the computer starts, how it boots Windows, or why certain files matter, the ones we sometimes delete by accident when we come across them as hidden files. I hope this post will help beginners and serve advanced users as a reference.

First, when we power on, the SMPS (the power supply) starts and sends the Power Good signal to the components; the CPU starts and reads its first instruction from the BIOS (an error message is given if there is any error in the RAM / CMOS).
The BIOS performs the POST (Power On Self Test), checking all the hardware components, then
the BIOS loads the MBR, and
the MBR (Master Boot Record), which stores the boot record, loads the boot sector from the system partition.
The boot sector loads NTLDR.
NTLDR reads BOOT.ini.
The BOOT.ini file stores information about which operating system is to be booted if the system has two operating systems (dual boot), and the display time for the operating-system selection menu.
**From this file we can change the name of the operating system shown at boot time and change the display time.
After BOOT.ini is read, BIOS hardware detection is performed, and then NTOSKRNL.exe, HAL.dll, BOOTVID.dll and KDCOM.dll are loaded from the boot volume.
Here NTOSKRNL is linked against the HAL (Hardware Abstraction Layer), which is in turn linked against NTOSKRNL (they both use functions in each other). NTOSKRNL is also linked to the following binaries:
Pshed.dll (Platform-Specific Hardware Error Driver): provides an abstraction of the hardware error reporting facilities of the underlying platform, hiding the details of a platform's error-handling mechanisms from the operating system and exposing a consistent interface to Windows.
Bootvid.dll (Boot Video Driver): provides support for the VGA commands required to display boot text and the boot logo during startup. On x64 kernels this library is built into the kernel to avoid conflicts with Kernel Patch Protection (KPP).
NTLDR loads windows\system32\system, which is your system hive (HKLM\SYSTEM in regedit).
NTLDR loads the drivers flagged as "boot" start in the system hive, then passes control to NTOSKRNL.exe.
NTOSKRNL.exe brings up the loading splash screen and initializes the kernel subsystems,
then starts the boot-start drivers, then loads and starts the system-start drivers, and then creates the Session Manager process (SMSS.EXE).
SMSS.exe runs any programs specified in BootExecute, such as chkdsk or an antivirus cleaning infected files.
It then processes any pending installations, such as service pack updates.
SMSS.exe then initializes the paging files and the remaining registry hives, starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS) and the user-mode portion (CSRSS.EXE), and starts WINLOGON.exe.
WINLOGON.exe starts the Local Security Authority (LSASS.EXE), loads the Graphical Identification and Authentication DLL (GINA) and displays the logon window; on user action it starts the Services Controller (SERVICES.EXE).

SERVICES.EXE then starts all the services.
This process is the same in Windows XP, Windows Vista and Windows 7, but in Vista and 7 it has been updated with additional security. My next post will discuss other system files.
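The BOOT.ini step above is the one part of this sequence an administrator edits by hand, so here is an added example (my own code, not from the original post) that parses a constructed BOOT.ini into its timeout, default entry and operating-system entries, rejects a default= that names no entry, and writes the file back out after a change. The ARC paths, display names and switches in the sample are made up for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample BOOT.ini (illustrative, not copied from a real machine).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Second Windows Install" /fastdetect /noexecute=optin
"""
# One [operating systems] line looks like: <ARC path>="<display name>" [/switch ...]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')

@dataclass
class BootIni:
    timeout: int                                  # seconds the OS menu is displayed
    default: str                                  # ARC path booted when the timeout expires
    entries: dict = field(default_factory=dict)   # ARC path -> (display name, [switches])

def parse_boot_ini(text):
    """Parse the [boot loader] and [operating systems] sections; raise if default= is dangling."""
    section, cfg = None, BootIni(timeout=0, default="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blank and comment lines
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "timeout":
                cfg.timeout = int(value.strip())
            elif key.strip().lower() == "default":
                cfg.default = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:                                 # malformed lines are ignored
                cfg.entries[m["path"]] = (m["name"], m["switches"].split())
    if cfg.default not in cfg.entries:
        raise ValueError("default= points at an ARC path with no [operating systems] entry")
    return cfg

def render_boot_ini(cfg):
    """Write the structure back out in BOOT.ini syntax, e.g. after renaming an entry."""
    lines = ["[boot loader]", f"timeout={cfg.timeout}", f"default={cfg.default}", "[operating systems]"]
    for path, (name, switches) in cfg.entries.items():
        lines.append(f'{path}="{name}"' + "".join(" " + s for s in switches))
    return "\n".join(lines) + "\n"
```

Reviewing the parsed entries is a quick way to confirm that the loader is pointed at the expected volume and that no unexpected switches have been added to an entry.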
Categories: cyberstack, Forensics