6.1 Windows boot process

In order for a computer to boot successfully, the BIOS, the operating system, and the hardware must all be working properly. If any one of these components fails, the boot sequence will most likely fail as well.

The Windows boot process takes place in the following manner:

  • When the CPU is powered on, BIOS is loaded from BIOS ROM.
  • BIOS initiates POST (power-on self-test), which checks whether devices such as the keyboard, RAM, and disks are working correctly.
  • BIOS searches for a boot device.
  • The MBR sits at the beginning of the disk, that is, in sector 0 of the physical hard drive. The MBR is read into memory and executed; it starts with code called the bootstrap loader. The MBR also holds a partition table (PT), which records information about the partitions.
  • Only one entry in the partition table is marked active, and that partition is called the boot partition. The first sector of the active partition is the boot sector, or Volume Boot Record (VBR). The VBR is one of the most important structures and can hold the block size, the partition size, the MFT, and so on. The Master File Table (MFT) contains the details of the files: their size, timestamps (when a file was created or modified), file access (read/write permissions), and so on. The MFT is present when the filesystem is NTFS on Windows. Petya is known to encrypt the MFT, so Windows no longer knows where the files are located. Even though the individual files are not encrypted, they cannot be recovered, because the MFT, which is the knowledge base of the files, is encrypted.
  • BootStrap loader loads the boot sector into memory and transfers control to it.
  • The VBR locates and loads the bootloader code. On Windows XP the bootloader is NTLDR, while Windows 7 uses the Boot Configuration Database (BCD).
  • On Windows XP, NTLDR finds the list of operating systems to load in the boot.ini file.
  • NTLDR loads the registry and devices needed during boot.
  • Windows 7 uses BOOTMGR instead of NTLDR, and the list of operating systems available for booting is held in the Boot Configuration Database (BCD). After this stage, winload.exe loads the registry and the devices needed during boot on Windows 7.
  • Control is then transferred to NTOSKRNL.exe, which loads the drivers and services needed by the system:
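The steps above describe the MBR layout in prose: bootstrap code at the start of sector 0, a partition table with exactly one active entry, and a boot signature at the end. The following Python script is an added example, not code from the book, that parses a 512-byte sector 0 the way a defender would when checking a disk for boot-sector tampering (for instance after a Petya-style infection that overwrites the bootstrap code). It assumes the standard layout: bootstrap code in bytes 0-439, a 4-byte Windows disk signature at offset 440, four 16-byte partition entries from offset 446, and the 0x55AA signature in the last two bytes. The sample MBR it builds is constructed for the demonstration; the values in it (NOP bootstrap stub, disk signature 0xDEADBEEF, partition offsets) are placeholders, and `read_sector0` is a hypothetical helper for reading a real device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap loader code occupies bytes 0..439
DISK_SIG_OFFSET = 440      # 4-byte disk signature written by Windows
PT_OFFSET = 446            # partition table: 4 entries x 16 bytes
PT_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"     # must be the last two bytes of sector 0

# A few common partition type IDs (not exhaustive).
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
                   0x0C: "FAT32 LBA", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "active": status == 0x80,        # 0x80 marks the bootable (active) partition
        "status": status,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,          # first sector of the partition = its VBR
        "sectors": sectors,
    }


def inspect_mbr(mbr: bytes) -> dict:
    """Parse sector 0 and collect integrity findings instead of raising."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return {"findings": [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"],
                "partitions": [], "active": None}
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    partitions = [parse_partition_entry(mbr[PT_OFFSET + i * PT_ENTRY_LEN:
                                            PT_OFFSET + (i + 1) * PT_ENTRY_LEN])
                  for i in range(4)]
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02X} in partition entry")
    active = [p for p in partitions if p["active"]]
    if not active:
        findings.append("no active (bootable) partition")
    elif len(active) > 1:
        findings.append("more than one active partition")
    return {
        # Hash of the bootstrap code only: the disk signature and partition
        # table legitimately differ between machines, the loader code should not.
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
        "active": active[0] if len(active) == 1 else None,
        "findings": findings,
    }


def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """Compare the bootstrap code against a known-good baseline hash."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() == baseline_sha256.lower()


def read_sector0(device_path: str) -> bytes:
    """Hypothetical helper: read sector 0 of a raw device (needs admin/root)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: NOP bootstrap stub, one active NTFS system partition,
    one inactive data partition, two empty entries, valid boot signature."""
    boot_code = b"\x90" * BOOT_CODE_LEN                    # placeholder loader code
    disk_sig = struct.pack("<I", 0xDEADBEEF)               # placeholder disk signature
    reserved = b"\x00\x00"
    e_sys = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    e_data = struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x07, b"\x00" * 3, 206848, 409600)
    empty = b"\x00" * PT_ENTRY_LEN
    return boot_code + disk_sig + reserved + e_sys + e_data + empty + empty + BOOT_SIG


if __name__ == "__main__":
    good = build_sample_mbr()
    report = inspect_mbr(good)
    print("findings:", report["findings"] or "none")
    print("active partition VBR at LBA", report["active"]["lba_start"],
          report["active"]["type_name"])
    baseline = report["boot_code_sha256"]
    tampered = bytearray(good)
    tampered[:8] = b"\xCC" * 8                              # simulate overwritten loader code
    print("tampered loader matches baseline:", boot_code_matches(bytes(tampered), baseline))
```

In practice the baseline hash is recorded from a clean system (on Windows the raw device is opened as `\\.\PhysicalDrive0`, on Linux as `/dev/sda`, both requiring elevated rights) and re-checked periodically; a changed bootstrap hash with an intact partition table is exactly the signature of a bootkit or MBR-encrypting ransomware, while a wiped sector shows up through the missing 0x55AA signature and the absence of an active partition.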