
Boot process of XP

1. POST (Power On Self Test)
   a. The SMPS gets the power supply, and the CPU triggers the PGS to all the components and checks their integrity.
   b. According to the boot sequence in the BIOS, control is passed to the specific boot device.
   c. If the hard disk is the boot device, control passes to the first sector of the HDD, which is the MBR.
   d. According to the details in the partition table of the MBR, control moves to the first sector of the system drive or active partition, which is called the boot sector.
   e. The boot sector has the MBC, which helps in finding the boot loader; in this case the boot loader is NTLDR.
   f. Now NTLDR starts its execution; from this point the actual boot process of the OS starts.

2. NTLDR
   a. It switches the processor from real mode to protected mode to address more memory.
   b. NTLDR creates the pagefile.

   c. Then it looks for the Boot.ini file.
      i. The Boot.ini file consists of an ARC path which tells the location of the Windows root folder.
      ii. If multiple operating systems are installed, then Boot.ini displays the operating system selection menu, by default for 30 seconds.
      iii. If an OS is not selected within the displayed seconds, then the default OS is loaded automatically.
      iv. If this file is deleted, then the OS while loading displays the error message "Invalid Boot.ini" and continues the boot process.
   d. After reading the Boot.ini file, NTLDR searches for hiberfil.sys to resume from hibernation. If hiberfil.sys is not found, then it loads NTDETECT.COM.
   e. NTDETECT.COM gets the details from the BIOS and detects the components connected to the system:
      i. The time and date information stored in the system's CMOS (nonvolatile memory)
      ii. The types of buses (for example, ISA, PCI, EISA, Micro Channel Architecture [MCA]) on the system and identifiers for devices attached to the buses
      iii. The number, size, and type of disk drives on the system
      iv. The types of mouse input devices connected to the system
      v. The number and type of parallel ports configured on the system
      vi. The types of video adapters present on the system
      vii. The findings of NTDETECT.COM are updated in the registry at HKLM\Hardware\Description by NTLDR.
   f. NTOSKRNL.exe and HAL.dll are initialized by NTLDR.
      i. NTOSKRNL.exe is the kernel of the OS, which loads the drivers and services based on their start values.
      ii. HAL.dll is the hardware abstraction layer, which stands in between NTOSKRNL and the hardware; i.e., most of the interaction between the hardware and the kernel resources happens through HAL.dll.
   g. NTLDR loads KDCOM.dll and BOOTVID.dll.
      i. KDCOM.dll is the Kernel Debugger HW extension DLL to ensure the smooth functioning of the hardware with the OS.
      ii. KDCOM.dll helps to log the hardware errors while booting the OS as well as at run time.
      iii. BOOTVID.dll brings up the Windows logo splash screen.
   h. NTLDR loads the boot level drivers.
      i. The drivers and services which have the start value of 0 are called boot level drivers.
      ii. They get loaded from HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES.
   i. Now the control passes from NTLDR to NTOSKRNL.exe.

3. NTOSKRNL.exe

   a. NTOSKRNL initialization happens in 2 phases.
      i. Phase 0
         1. Memory manager, Object manager, PnP manager, Security reference monitor, Process manager are initialized.
      ii. Phase 1
         1. Kernel mode drivers are loaded (start value 1) from HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES.
         2. Loads SMSS.exe.
   b. SMSS.exe (Session Manager Sub System)
      1. Creates the additional virtual memory as given in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles.
      2. Checks for autochk.exe, which runs check disk, in the path HKLM\System\CurrentControlSet\Control\Session Manager - BootExecute.
      3. Creates the environment variables as given in the key HKLM\System\CurrentControlSet\Control\Session Manager\Environment.
      4. Loads the kernel-mode part of the Windows subsystem (Win32k.sys). SMSS determines the location of Win32k.sys
      5. The initialization code in Win32k.sys uses the video driver to switch the screen to the resolution defined by the default profile, so this is the point at which the screen changes from the VGA mode the boot video driver uses to the default resolution chosen for the system.
      6. Starts the subsystem processes, including CSRSS.
         a. Client Server Run time sub system: helps the graphical portion of the user interface to interact with the kernel mode.
      7. Winlogon is started by SMSS; then:
         a. Winlogon creates the service control manager (SCM) process (\Windows\System32\Services.exe), which loads all services and device drivers marked for auto-start from the registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES.
         b. Winlogon checks HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL; if it is set, Winlogon uses that DLL as the GINA; otherwise, it uses the Microsoft default GINA, Msgina (\Windows\System32\Msgina.dll), which displays the standard Windows logon dialog box.
         c. LSASS, the Local security authentication subsystem process (\Windows\System32\Lsass.exe), is started by Winlogon.
            i. Now when the user enters the credentials, the GINA passes them to Winlogon, which in turn passes them to LSASS.
            ii. Credentials are verified by LSASS; if the user logs on successfully, then HKLM\SYSTEM\Select\LastKnownGood is updated to match \CurrentControlSet.
         d. Winlogon next tells the GINA to start the shell. In response to this request, Msgina launches the executable or executables specified in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (with multiple executables separated by commas), which by default points at \Windows\System32\Userinit.exe.
         e. Userinit.exe performs the following steps:
            i. Processes the user scripts specified in HKCU\Software\Policies\Microsoft\Windows\System\Scripts and the machine logon scripts in HKLM\Software\Policies\Microsoft\Windows\System\Scripts. (Because machine scripts run after user scripts, they can override user settings.)
            ii. If group policy specifies a user profile quota, starts \Windows\System32\Proquota.exe to enforce the quota for the current user.
            iii. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
            iv. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
            v. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
            vi. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
            vii. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
            viii. %ALLUSERSPROFILE%\Start Menu\Programs\Startup\
            ix. %USERPROFILE%\Start Menu\Programs\Startup\
            x. Launches the comma-separated shell or shells specified in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
            xi. If that value doesn't exist, Userinit.exe launches the shell or shells specified in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which is by default Explorer.exe.
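
To make the Boot.ini step concrete, the following added example (not part of the original notes) parses a Boot.ini file, splits the ARC path into its fields, and reports whether the selection menu is shown and which entry is the default. The file contents are a constructed sample and the function names are hypothetical.

```python
import re

# Constructed Boot.ini for a dual-boot machine (sample data, not from the page).
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
'''

ARC = re.compile(r'(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)'
                 r'partition\((\d+)\)(\\.*)?$', re.I)

def parse_arc(path):
    """Split an ARC path into controller, disk, partition and Windows root folder."""
    m = ARC.match(path.strip())
    if not m:
        raise ValueError("not an ARC path: %r" % path)
    kind, adapter, disk, rdisk, part, root = m.groups()
    return {"controller": kind.lower(), "adapter": int(adapter), "disk": int(disk),
            "rdisk": int(rdisk), "partition": int(part), "root": root or "\\"}

def parse_boot_ini(text):
    """Return (timeout_seconds, default_arc_path, {arc_path: (label, switches)})."""
    section, loader, systems = None, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            path, _, rest = line.partition("=")
            m = re.match(r'"([^"]*)"\s*(.*)', rest.strip())
            label, switches = m.groups() if m else (rest.strip(), "")
            systems[path.strip().lower()] = (label, switches.split())
    # 30 seconds is the menu default the text mentions when no timeout is set.
    return int(loader.get("timeout", 30)), loader.get("default", ""), systems

def boot_plan(text):
    """Summarise what the loader does with this file: menu or straight to default."""
    timeout, default, systems = parse_boot_ini(text)
    label, switches = systems.get(default.lower(), ("<default not listed>", []))
    return {"menu_shown": len(systems) > 1, "timeout": timeout, "default_label": label,
            "switches": switches, "default_arc": parse_arc(default)}
```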
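
The Winlogon values (GinaDLL, Userinit, Shell) and the Run keys listed above decide what executes at every logon, so they are worth comparing against the defaults the text gives. The following added example (not part of the original notes) does this over a registry export; the export contents are constructed and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample in .reg export syntax (illustrative, not from a real machine).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Temp\\helper.exe"
"Shell"="Explorer.exe"
"GinaDLL"="thirdparty_gina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdaterTray"="C:\\Program Files\\Example\\tray.exe /min"
'''

# Defaults as the text gives them: Userinit.exe, Explorer.exe, and no GinaDLL value
# (Winlogon then falls back to Msgina).
DEFAULTS = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}, "ginadll": set()}
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} (lower-cased names) for string values."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name, data = (re.sub(r'\\(.)', r'\1', s) for s in m.groups())
            current[name.lower()] = data
    return keys

def is_default(entry, allowed):
    """True only for an expected file name, bare or under a ...\\system32 folder."""
    head, tail = ntpath.split(entry.lower())
    return tail in allowed and (head == "" or head.endswith("\\system32"))

def audit(text):
    """List (location, data) pairs that deviate from defaults or auto-start at logon."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith("\\winlogon"):
            for name, allowed in DEFAULTS.items():
                for entry in filter(None, map(str.strip, values.get(name, "").split(","))):
                    if not is_default(entry, allowed):
                        findings.append((name, entry))
        elif key.endswith(("\\run", "\\runonce")):
            findings += [("run:" + name, data) for name, data in values.items()]
    return findings
```

Entries reported under "run:" are not deviations in themselves; they are listed so that each one can be matched to known installed software.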
