Windows Boot Sequence

Every day we push that power button, and few of us really care about what happens behind the scenes of a Windows boot process.

Let’s talk about how Windows loads on our PCs, from pressing the power button until we see the Windows desktop.
If you understand how Windows loads and starts up, you can much more easily find out how attackers design their malware to stay hidden during the boot-up process.

I’ll explain the basics and point you to the right resources if you wish to explore further and build your cyber defense strategy more effectively from an endpoint perspective.

Before that, we need to know a few abbreviations and understand what they stand for.
The bulleted list below should be sufficient for now.

  • BIOS – Basic Input/Output System
  • POST – Power on Self Test
  • MBR – Master Boot Record
  • PBR – Partition Boot Record
  • VBR – Volume Boot Record
  • BCD – Boot Configuration Data

Boot loading of a Windows operating system is a three-phase process.

  1. BIOS Phase
  2. Boot Loader Phase
  3. Kernel Phase

PHASE – 1 | BIOS Phase

As we are all aware of what a BIOS is, I will now explain what the BIOS does in this phase of the boot process.

This is also called the Pre-Boot phase, where a few tests are run and the boot devices are searched and selected.
The first thing that starts when you push the power button is POST – Power On Self Test.

POST – Power on Self Test

Think of it as the demo of a newly launched mobile phone: you would want to test it before you actually purchase it.
Here the BIOS runs a few tests to evaluate the computer’s hardware components and ensure that these physical parts are not experiencing any problems.

POST can detect problems in the hardware components, including the processor (CPU), monitor, power supply, hard drive, motherboard, RAM modules, video card, system fan, and more.
Some hardware failures can be as simple as a cord not being properly plugged into one of the ports or the PC missing a hard drive. If a single beep is sounded by the PC, then no hardware issues are present in the system.

However, a different beep sequence indicates that the PC has detected a hardware issue that needs to be resolved before moving on to the next stages of the process.

Search Boot Device

As soon as the tests are completed, the BIOS searches for the storage device (hard disk) that contains a boot record, known as the MBR – Master Boot Record.

MBR – Master Boot Record

We are not diving deep into this; we’ll just get a basic understanding of what the MBR is and what it does.
Think of the MBR as a table that contains the information about the operating system loaded on the hard disk.
The table holds details of a program known as the bootloader and also information about the partitions of the hard disk.

Partition Table

Now the BIOS searches the partition table for an active partition, and then the bootloader is initiated. With this, the BIOS / Pre-Boot phase is completed.
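As an added example (not code from the original post), here is a small Python parser for the MBR layout described above: it checks the 0x55AA boot signature at the end of the sector, reads the four 16-byte partition-table entries and picks the one flagged active (0x80) the way the BIOS does. The sample MBR is constructed inside the code, and the boot-code digest is only useful against a baseline you record from a known-good disk (an assumption, not something the post describes).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the code
ENTRY_COUNT = 4
BOOT_SIGNATURE = 0xAA55       # stored little-endian as 55 AA at offset 510
ACTIVE_FLAG = 0x80            # status byte value marking the bootable partition


def parse_partition_table(mbr: bytes) -> list:
    """Validate a 512-byte MBR and return its four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", mbr, MBR_SIZE - 2)[0]
    if signature != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{signature:04X}")
    entries = []
    for i in range(ENTRY_COUNT):
        offset = PARTITION_TABLE_OFFSET + i * 16
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, offset)
        entries.append({"index": i, "active": status == ACTIVE_FLAG,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def find_active_partition(entries: list) -> dict:
    """Mimic the BIOS step: pick the single non-empty entry flagged active."""
    active = [e for e in entries if e["active"] and e["type"] != 0]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code, for comparison with a known-good baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, two NTFS (0x07) partitions, second one active."""
    boot_code = bytes(BOOT_CODE_SIZE)
    entry0 = struct.pack("<B3xB3xII", 0x00, 0x07, 2048, 1024000)
    entry1 = struct.pack("<B3xB3xII", ACTIVE_FLAG, 0x07, 1026048, 10000000)
    empty = bytes(16)
    return boot_code + entry0 + entry1 + empty + empty + struct.pack("<H", BOOT_SIGNATURE)


if __name__ == "__main__":
    sample = build_sample_mbr()
    table = parse_partition_table(sample)
    print("active partition:", find_active_partition(table))
    print("boot code sha256:", boot_code_digest(sample))
```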

PHASE – 2 | Boot Loader Phase

In this phase, the Windows Boot Manager is launched and the BCD – Boot Configuration Data file is read to obtain the operating-system configuration.

Windows Boot Manager

The Boot Manager, or bootloader, has a few stages of loading files for the OS boot-up process. We are not diving into those, as that is deep knowledge you would not need unless you are a developer or a computer researcher. This bootloader is initiated by Phase 1 and is found in the volume boot record.

For now, we will stick to the fact that the bootloader is responsible for getting you into the operating system.

BCD – Boot Configuration Data

So, when the bootloader starts, it reads a configuration file or database known as the BCD. This file contains the menu entries that are presented by the Windows Boot Manager.

Nothing complicated here. I’m sure everyone has seen the boot menu where it says “Choose an operating system” and you select one to boot into.

It is as simple as that: the BCD is responsible for showing the menu to choose an operating system or to run advanced system diagnostics.

At this point, all the required configuration and files are ready, and the next component, called the OS kernel, is loaded into memory.

OS Kernel

Think of it like a manager that manages all the system processes, hardware and memory. That is all for the OS kernel; don’t worry about it further for now.

PHASE – 3 | Kernel Phase

In this phase, the OS kernel runs and launches a program (smss.exe) known as the Session Manager.
This Session Manager is responsible for calling another program (winlogon.exe), and that is it.

You should see the login interface of the Operating System.

To sum it up, the diagram below should help you understand the process involved in booting up the operating system.

Hope you enjoyed it.
