Win Boot Process

發佈日期: 作者:

boot type
cold boot (hard boot): starting a computer from a powered-down or off state
warm boot(soft boot): reboot by Ctrl+Alt+Del, skip memory test


boot process
1.check BIOS firmware
2.BIOS start a POST(Power-on self-test)
3.add-on adapters perform a self-test for integration with the system
4.loads the MBR for BCD(boot configuration data)

MBR tiggers/ boot load manager
NTLDR: for Windows NT/2000/XP
bootmgr : for vista and later
refer
http://resources.infosecinstitute.com/windows-booting-process/

MBR tiggers NTLDR(NT Loader)
1. NTLDR first action is to read the Boot.ini file
2. the Ntdetect.com file is executed, which identifies information about the computer’s hardware
3. the Ntoskrnl.exe file is executed, which is the kernel of the Windows system
refer
https://en.wikipedia.org/wiki/NTLDR


MBR tiggers bootmgr
1.winload.exe(windows loader) is triggered
2.windows loader loads ntoskrnl.exe
3.kernel start running,windows loader loads hal.dll, and system registry hive into memory
4.kernel call SMSS.exe(session manager process) load other registry hives
5.SMSS.exe triggers winlogon.exe for presents user logon screen
6.SMSS.exe initiates Service control manager
7.once user logs in, a session is created
8. service control manager start the explorer.exe and DWM(desktop windows manager)

ps:
DOS 啟動
1.MBR
2.IO.SYS – 包含所有與硬體溝通的命令
3.MSDOS.SYS – MS-DOS Kernel
4.command.com – 提供DOS命令
5.config.sys – 包含啟動所需的命令
6.autoexec.bat
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view


essential windows system files
ntsokrnl.exe : executive and kernel
hal.dll : hardware abstraction layer
gdi32.dll : win32 subsystem DLL files
advapi32.dll : win32 subsystem DLL files
kernel32.dll : win32 subsystem DLL files
user32.dll: win32 subsystem DLL files
bootvid.dll


Net Logon
Filename: lsass.exe
Command: C:Wndowssystem32lsass.exe
Description:
Microsoft service that supports pass-through authentication of account logon events for computers in a domain.
為使用者和服務身份驗證維護此電腦和網域控制站之間的秘密頻道。如果此服務被停用,電腦可能無法驗證使用者和服務身份並且網域控制站無法註冊 DNS 記錄。如果此服務被禁用,任何依賴它的服務將無法啟動。登陸活動目錄時,和域服務通訊驗證的一個服務,一般驗證通過之後,域伺服器會註冊你的 DNS 記錄,推送軟體補丁和策略等等,登陸域會用到它。工作組環境可以設為禁用。
refer
http://www.pczone.com.tw/vbb3/archive/t-146898.html


ps:
BOOT.SYS
A powerful DOS configuration manager before win98
refer
http://www.salvisberg.com/boot.sys