When a computer is powered up, all the layers between the hardware and the visible interface have to be prepared, or initialized, from the bottom up. The hardware is initialized first. A circuit on the motherboard sends a reset signal to each chip, module, and external hardware device to put the hardware into a known state. The reset signal places the Intel or Intel-compatible processor used in a Windows PC in what is called real mode, in which the processor addresses memory by physical hardware address and there are no restrictions on memory or hardware access. The CPU then begins fetching instructions from a fixed address, FFFFFFF0 hexadecimal. PC motherboards have a built-in read-only memory chip (ROM) or electrically erasable, reprogrammable memory (flash) mapped at that address. This chip holds a set of programs called the Basic Input Output System (BIOS), whose instructions initialize the computer, test its hardware, and load an operating system. Everything that runs later trusts what the BIOS leaves behind, so code that can rewrite this flash chip controls the machine before any operating system protection exists.

BIOS Startup

A handful of companies produce the BIOS code used in most PCs, and the goings-on inside the BIOS are proprietary. Even the mechanism by which the BIOS is updated in flash is secret. Although the specifics are not public, the boot process goes something like this:
Note: To read about Plug and Play and other hardware specifications, check out www.microsoft.com/whdc/resources/respec/specs.

When the BIOS or the user selects the bootstrap device, a bootstrap loader is used to bring in the actual operating system.

Bootstrap Loaders

As the previous section discussed, the BIOS program stored on the motherboard contains the instructions your PC needs to start up, test itself, and access the keyboard, display, and mass storage devices. Because the BIOS can't know in advance what operating system you're going to use, where that operating system is stored on your disks, or how it's to be read from disk and started, an intermediate startup program is used, called a bootstrap loader or OS loader. This is a very small, operating-system-specific program that the BIOS can find and read into memory; the loader is then responsible for actually starting your operating system. All bootable media use a standard layout so that the BIOS can find the loader.

Note: Disk organization and bootstrap structures are described in detail in Chapter 10, "Windows File Systems."

The BIOS begins the bootstrap process by reading the first 512 bytes of whatever startup disk is used, whether it's a floppy disk, hard disk, Zip disk, Jaz disk, or other removable disk. (For a bootable CD or DVD the BIOS instead follows the disc's El Torito boot catalog to find the boot image, but the idea is the same.) This block of data is called the boot sector, and it begins with the bootstrap loader specific to your operating system; it's placed there when you install the OS. The block must end with the bytes 55 and AA (hexadecimal) at offsets 510 and 511, so at most 510 bytes are available for the boot program itself; on a partitioned hard disk the 64-byte partition table also occupies this sector, starting at offset 446, which leaves 446 bytes of code. The BIOS loads the block at address 0000:7C00 and jumps to it. The signature is the only check the BIOS makes; it does not validate the code in any way, so whatever occupies the boot sector runs with full control of the machine, which is why boot-sector viruses have always targeted it.

Note: You can replace a missing or damaged boot sector loader using the Windows Recovery Console's fixboot command, discussed in Chapter 12, "Windows Troubleshooting."

The boot sector loader contains whatever instructions are necessary to
Because the secondary loader program is not limited to a few hundred bytes in size, it can do the more sophisticated job of examining the disk's file system and directory structures. The process of locating the secondary loader depends on the medium and operating system in use:
The next few sections discuss how the Windows boot-up process continues.

Windows XP/2000/NT Startup

Although Windows 9x and Me computers actually boot MS-DOS and then start Windows, Windows NT and its descendants, Windows 2000 and XP, have a completely different startup mechanism. For Windows NT and relatives, the bootstrap process begins as described previously, but the active partition's secondary loader takes things in a different direction. The secondary loader determines whether the partition is formatted with the FAT or NTFS file system, then locates and reads the file ntldr from the root directory of that partition, and ntldr continues the boot process. (In Microsoft's terminology this active partition is the system partition; the partition that holds the \Windows folder is the boot partition. They are usually, but not necessarily, the same partition.) Ntldr then locates the file boot.ini, also stored in the root folder of the system partition. Boot.ini contains a list of operating system choices and, optionally, multiple entries for Windows, each with different startup options, which can be used to recover from failures and for debugging. If you install your operating systems carefully and in the right order, boot.ini can also contain entries that let you select between MS-DOS, Windows 9x, Windows 2000, XP, Linux, and possibly other operating systems. The section "Boot Options," later in this chapter, discusses boot.ini further. For each operating system choice, boot.ini contains either a path to a Windows folder or a path to a file holding a saved copy of another operating system's boot sector. If there is more than one choice, ntldr displays a menu; if you make a selection, or if the timeout period elapses, ntldr starts the highlighted operating system. You can also press F8 during a very brief window at startup to make ntldr display the built-in Windows Advanced Options menu. This menu includes the option to boot in Safe Mode, with a minimal set of drivers, along with several other startup options.
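The two structures described above, the 512-byte boot sector that the BIOS checks and the boot.ini that ntldr reads, are small enough to parse by hand. The following is an added example, not code from the book: it validates the 55 AA signature and decodes the partition table of a master boot record, then parses a boot.ini into the menu ntldr would display. The MBR bytes and the boot.ini text are constructed here for illustration (the partition geometry and menu names are made up).

```python
"""Added example (not from the book): parse a 512-byte master boot record the
way the BIOS checks it, then parse a boot.ini the way ntldr reads it.  The MBR
bytes and the boot.ini text are constructed here for illustration."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55          # bytes 55 AA at offsets 510/511, read as a little-endian word
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries follow 446 bytes of code
ACTIVE_FLAG = 0x80               # boot-indicator byte that marks the active partition


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table.
    Raises ValueError in the cases where a BIOS would refuse to boot the sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if struct.unpack_from("<H", sector, 510)[0] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA signature; BIOS would not boot this sector")
    partitions = []
    for i in range(4):
        # entry layout: flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        flag, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        partitions.append({"active": flag == ACTIVE_FLAG, "type": ptype,
                           "lba_start": lba, "sectors": count})
    active = [i for i, p in enumerate(partitions) if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return {"code": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions,
            "active": active[0]}


def build_sample_mbr() -> bytes:
    """Constructed MBR: a two-byte 'jmp $' loader padded with NOPs, one active
    NTFS partition (type 0x07) starting at LBA 63, and the 55 AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xEB\xFE"
    sector[2:PARTITION_TABLE_OFFSET] = b"\x90" * (PARTITION_TABLE_OFFSET - 2)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET,
                     ACTIVE_FLAG, 0x07, 63, 2_000_000)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed boot.ini: two entries for one Windows folder (different switches)
# and a third entry that hands off to a saved DOS/9x boot sector.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (kernel debugging)" /fastdetect /debug /debugport=com1
C:\\="Microsoft Windows 98"
"""


def parse_boot_ini(text: str) -> dict:
    """Return the timeout, the default path, and the menu entries, each as
    {'path', 'name', 'options'}.  ntldr shows a menu only when more than one
    entry exists, which is recorded in 'shows_menu'."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                cfg["timeout"] = int(value)
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            # value is a quoted menu name followed by optional /switches
            name, _, switches = value.partition('"')[2].partition('"')
            cfg["entries"].append({"path": key, "name": name,
                                   "options": switches.split()})
    cfg["shows_menu"] = len(cfg["entries"]) > 1
    return cfg


def default_entry(cfg: dict):
    """The entry highlighted when the timeout expires: the first entry whose
    path matches 'default', or None if boot.ini's default names no entry."""
    for entry in cfg["entries"]:
        if entry["path"].lower() == (cfg["default"] or "").lower():
            return entry
    return None


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("active partition:", info["partitions"][info["active"]])
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print("menu shown:", cfg["shows_menu"], "default:", default_entry(cfg)["name"])
```

To run it against a real disk, read the first 512 bytes of the raw device (or of a disk image) into `parse_mbr`; a sector that fails the signature or active-partition check is exactly the condition the Recovery Console's fixboot and fixmbr commands exist to repair.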
If MS-DOS, Windows 9x, or Windows Me is selected from the boot menu, ntldr reads a saved copy of the boot sector installed by the older OS (for example, bootsect.dos), and the standard DOS or Windows 9x boot process continues from there. For Windows NT, 2000, and XP, ntldr runs the program ntdetect.com, which collects information about the installed hardware: it performs some detection itself and gathers the rest from tables left in memory by the BIOS. If multiple hardware profiles are defined, ntldr may also stop at this point and display the Hardware Profiles/Configuration Recovery menu. Ntldr then locates the files ntoskrnl.exe and hal.dll in the system32 folder under the selected Windows folder. These two files form the Windows kernel, the foundation on which the operating system is based.

The Windows NT Kernel

Windows NT, 2000, and XP are all based on a kernel layer that provides the fundamental services: mediating access to hardware, starting and stopping processes, controlling the CPU hardware, managing multiple CPUs if present, managing memory, and so on. Differences between motherboard and CPU designs are handled by the kernel's Hardware Abstraction Layer (HAL), which performs CPU hardware management for the kernel and higher levels of Windows without requiring them to know the details of the particular hardware implementation. The standard HAL versions provided with Windows XP are listed in Table 4.1.

Table 4.1. Standard Windows XP HAL versions
Note: Windows Setup detects your CPU and motherboard type during setup and automatically selects the appropriate HAL version. The HAL module is copied to your \windows\system32 folder under the name hal.dll no matter which version was selected. If you need to force Setup to make another choice, visit support.microsoft.com and search for Knowledge Base article 299340, which describes a procedure for choosing a HAL version manually. On Windows XP, Windows automatically switches between multiprocessor and uniprocessor HALs and kernels; you no longer need to reinstall Windows or use Device Manager if you change the number of processors, for example by enabling Hyper-Threading or installing a dual-core CPU.

The "NT kernel" is actually not "Windows." The Windows you are familiar with, the graphical interface, is implemented in layers above the kernel by the 32-bit Windows (Win32) subsystem. Other operating system environments (subsystems), such as UNIX and OS/2, can also run on the NT kernel. Microsoft provided an OS/2 subsystem that made it possible to run character-mode OS/2 programs on Windows NT and 2000, although it is not provided with Windows XP. The UNIX (actually, POSIX) subsystem provided with Windows NT and 2000 is now called Interix, and it's available as a free download for Windows XP Professional; see Appendix A for more information.

In addition to loading the kernel and HAL into memory, ntldr locates and loads the SYSTEM hive, the Registry file that holds the boot configuration. It reads the value HKEY_LOCAL_MACHINE\System\Select\Current or HKEY_LOCAL_MACHINE\System\Select\LastKnownGood, depending on the selected boot mode, and that number determines which control set becomes HKEY_LOCAL_MACHINE\System\CurrentControlSet, an "alias" (a symbolic link) to HKEY_LOCAL_MACHINE\System\ControlSetnnn, where nnn is the value retrieved from Select (for example, ControlSet001).
It then examines the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles to see whether multiple profiles are defined. If more than one profile is defined and feasible to load, ntldr displays another menu on the console, and again, if the user makes no selection, a default is used. With the desired hardware profile determined, ntldr scans the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services for entries whose Type value is 1 (a kernel-mode device driver; file system drivers use Type 2) and whose Start value is 0 (Boot). These boot-start drivers are loaded into memory by ntldr itself, before the kernel runs, so they execute in kernel mode before any other protection is active; that makes this list one of the first places to check on a machine suspected of compromise. At this point, the Windows kernel takes over.

The kernel performs two initialization phases. In the first phase, a minimum of components are initialized: the HAL, the Memory Manager, the Object Manager, the Security Reference Monitor (which is ultimately responsible for all access control under Windows, including files, Registry keys, synchronization objects, and internal data structures), and the Process Manager. The display is now switched for the first time from the text mode set up by the BIOS to a graphics mode, and the small Windows startup progress bar appears. In the second phase, all components are fully initialized and startup begins in earnest. Device drivers and filter drivers are loaded in the order specified by the load-ordering list shown in Table 4.2, and the Session Manager Subsystem (smss.exe) starts. It loads the kernel-mode part of the Win32 subsystem (win32k.sys) and starts the Win32 subsystem process (csrss.exe). At this point it's fair to say that Windows itself, rather than just the generic kernel, is running. The second Windows graphical startup screen is displayed. The Service Control Manager (services.exe) is started, and services are started as described later in the chapter under "Windows Services."

Table 4.2. Windows XP Driver, Filter, and Service Load Ordering
Finally, the Windows logon process, winlogon.exe (the process that actually launches services.exe and the Local Security Authority, lsass.exe), displays the Welcome screen or logon dialog. At this point a user can log on, although for a short time Windows services not essential for logon, such as the IIS web server, are still loading.

The Logon Process

When you log on using the Welcome screen or the logon dialog (the only option on corporate networks), Windows checks the logon name and password against the local account database (the SAM) or, in the case of a domain logon, forwards the logon request to a domain controller for verification. Successful domain logons may be cached on the local computer, as password-derived verifiers rather than the passwords themselves, so that the user can still log on when no domain controller is reachable.

Note: For more detailed information about the domain logon process, search microsoft.com for the Microsoft TechNet article "How Interactive Logon Works."

The User Profile

When a user has successfully authenticated, the user profile is loaded. The profile is a folder stored under Documents and Settings, and it contains several significant files and folders:
The first time a user logs on to a given computer, a new profile folder is created. For local users, the new profile is a copy of the Default User profile folder. (A simple file copy will not work, because Registry key and file permissions must be changed to match the user to whom the profile belongs. This is why user profiles must be managed from the System Properties dialog, using the User Profiles dialog.) For users on a corporate domain network whose account is set up with a roaming user profile, the profile folder must be copied from a server. At logoff, changes are copied back to the server, and on the next logon only the files changed on the server since the last local logon must be copied down again. The profile-loading code in winlogon, the same code that loads local profiles, handles this synchronization. In this way the user's settings and My Documents folder "follow" her on the network and are available at any computer. (On such networks, email is typically not stored locally on the computer but is kept in a central mailbox repository and accessed over the network using IMAP or Exchange services.)

Policy

Group or Local Computer Policy is applied next. Group Policy is a function of the Windows Server Active Directory system, and it is assembled from one or more Group Policy Objects, depending on the sites, domains, and organizational units to which the user and the computer itself belong. The client retrieves the applicable objects from a domain controller and applies them; the combination that results is called the Resultant Set of Policy (RSoP). Policy is actually a set of Registry entries that add to, or supersede where they overlap, regular Registry entries; they live under Policies keys whose permissions prevent ordinary users from changing them with the Registry editor. Windows components and applications consult this combined set of Registry data for settings that restrict or enforce certain behavior. This feature is used not only to tighten security by limiting users' ability to make configuration changes but also to ensure consistent and appropriate configuration for all users of an organization. Keep in mind that a policy setting restrains only the programs that look for it, so policy is a management tool rather than a security boundary against a user who can run code of his own choosing.
The User Environment

The environment variable list is created from the following sources, in the following order:
If more than one source defines the same environment variable, the last definition is the one kept, with the exception of the PATH variable. If there are multiple definitions of PATH, the first definition is kept, a semicolon is added, and the additional definition is appended; in this way PATH accumulates all the paths defined in the various sources. Changes to the first two sources take effect only after a reboot or at your next logon. Changes to the third and fourth sources take effect the next time you start a program, for example on opening a new Command Prompt window.

Startup Programs

When the user profile has been loaded, winlogon (through its helper program userinit.exe) starts the user's shell program, which by default is explorer.exe, the standard Windows Explorer program. When Explorer recognizes that it is being run as the user's first application, it knows it is being asked to act as the desktop shell, so it displays the desktop, taskbar, and Start menu.

Tip: If explorer.exe is terminated or crashes, winlogon should automatically start another copy. If your desktop icons and taskbar disappear and don't start coming back within a few seconds, you can help the process along by pressing Ctrl+Alt+Del, viewing the Applications tab, clicking New Task, and entering explorer as the program name.

Explorer.exe is the default shell, but another program could be used just as well, such as cmd.exe, which would give you a command prompt window with no Start menu, or perhaps a custom program of your own devising. The shell program is specified in the Registry by the value Shell under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If this value is present, it determines the user's shell program; otherwise, the same key and value under HKEY_LOCAL_MACHINE is read, which specifies the systemwide default. Be very careful if you decide to change the systemwide setting, because you could render your system unusable if you specify an improper program.
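The merge rule just described (last definition wins, except that PATH accumulates in source order) is easy to get wrong, particularly because Windows treats variable names as case-insensitive, so a user-defined PATH and a system-defined Path are the same variable. The following is an added example, not code from the book: it applies the rule to an ordered list of sources and then checks the resulting PATH for entries the user can write to. The sources, values, and the list of writable directories are constructed for illustration; the labels assume the first two sources are the system-wide and per-user Environment keys in the Registry.

```python
"""Added example (not from the book): the environment-block merge rule the text
describes, applied to an ordered list of sources.  The sources, values and the
list of user-writable directories below are constructed for illustration."""


def merge_environment(sources):
    """sources: ordered list of (label, {name: value}) from lowest to highest
    precedence.  A later definition replaces an earlier one, except PATH, which
    accumulates with ';' separators.  Windows variable names are case-insensitive,
    so 'Path' and 'PATH' are treated as one variable."""
    merged = {}  # upper-cased name -> (name as written, value)
    for _label, variables in sources:
        for name, value in variables.items():
            key = name.upper()
            if key == "PATH" and key in merged:
                shown, existing = merged[key]
                merged[key] = (shown, existing.rstrip(";") + ";" + value)
            else:
                merged[key] = (name, value)
    return {shown: value for shown, value in merged.values()}


def user_writable_path_entries(env, writable_dirs):
    """Return (position, entry) for PATH entries the user can write to.  Because
    the system PATH comes first and per-user additions are appended, such entries
    normally sit after the system directories; one that sorts earlier is the
    classic condition for a planted executable shadowing a real one.  writable_dirs
    is constructed here; on a real machine derive it from the folder ACLs."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [(i, e) for i, e in enumerate(env["Path"].split(";"))
            if e.lower().rstrip("\\") in writable]


# Constructed sources; the first two stand in for the Registry Environment keys.
SAMPLE_SOURCES = [
    ("system Environment key", {
        "Path": r"C:\WINDOWS\system32;C:\WINDOWS",
        "TEMP": r"C:\WINDOWS\TEMP",
        "OS": "Windows_NT"}),
    ("user Environment key", {
        "PATH": r"C:\Program Files\Tools",
        "TEMP": r"C:\Documents and Settings\alice\Local Settings\Temp"}),
    ("logon script", {"EDITOR": "notepad.exe", "Path": r"C:\Scripts"}),
]

if __name__ == "__main__":
    env = merge_environment(SAMPLE_SOURCES)
    for name in sorted(env):
        print("%s=%s" % (name, env[name]))
    print("user-writable PATH entries:",
          user_writable_path_entries(env, ["C:\\Scripts\\", "C:\\Documents and Settings\\alice\\Local Settings\\Temp"]))
```

The check at the end is the practical reason the merge order matters: a directory that a non-administrator can write to is harmless at the end of PATH, but if a system-wide entry ever points at such a directory, every user's command lookups pass through it before reaching the real program.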
Tip: I have seen spyware programs that exploit this Registry entry by adding a program name after explorer.exe. This leaves Explorer as the shell but also runs the spyware as soon as anyone logs on. To fix this, press F8 when Windows boots (see the discussion of Safe Mode later in this chapter) and select Safe Mode with Command Prompt. Log on, run regedit, and repair the Shell Registry value. Remove the program from any other startup program entries in which it appears (see the discussion that follows), and delete the program's .exe file(s). Then restart Windows.

While the desktop icons are being collected and displayed, startup scripts and startup programs are run from the following sources:
At this point, the user is completely logged on and ready to work.

Note: Besides the Shell Registry entry and the list of startup program sources listed previously, there is one other method that I've seen spyware authors use to install and run programs in a sneaky manner: creating a bogus print monitor. Print monitors are DLLs (program library modules) loaded by the Print Spooler service (spoolsv.exe), which runs under the LocalSystem account, so a bogus monitor is loaded with system privileges as soon as the spooler starts. If a program appears in the Task Manager's Processes tab under your username, and you can't find it listed in any other startup location (the Winlogon\Shell value, the Run Registry entries and Startup folder under All Users and your own user account, and the win.ini file), look for a bogus print monitor entry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors. Spyware can install a DLL here, Windows will load it, and it then starts the spyware application that you see in the Processes list. If you find such an entry, boot Windows in Safe Mode with Command Prompt, log on, run regedit, and delete the bogus key under Monitors. There will most likely be several start techniques in use, so you'll need to check carefully; see the "Shell" tip mentioned previously.
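The Shell tip and the print monitor note above both come down to the same chore: reading a handful of Registry locations and spotting the entry that doesn't belong. The following is an added example, not code from the book: it parses a regedit export (.reg) of those locations and flags a Shell value that names anything besides explorer.exe, a Run entry launching from a Temp folder, and a print monitor whose DLL is not in a baseline. The export is constructed for the example (the program and DLL names in it are made up), and the baseline of print monitors is an assumption to be replaced with one captured from a known-clean XP installation.

```python
"""Added example (not from the book): audit the logon-time launch points the
chapter names (Winlogon\\Shell, the Run keys, the print monitor list) from a
regedit .reg export.  The export and the baseline below are constructed."""
import re

# Constructed export; program and DLL names are invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\WINDOWS\\system32\\updater32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\Program Files\\Acme Audio\\audiotray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msupdate"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\msupdate.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Update Monitor]
"Driver"="wupdmon.dll"
'''

EXPECTED_SHELL = "explorer.exe"
# Assumed baseline (monitor subkey -> DLL) for a clean XP box; capture your own.
BASELINE_MONITORS = {"local port": "localspl.dll",
                     "standard tcp/ip port": "tcpmon.dll",
                     "usb monitor": "usbmon.dll"}
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Minimal parser for regedit 5.00 exports: string and dword values only;
    hex: binary values (possibly continued over several lines) are skipped.
    Returns {key_path: {value_name: value}}."""
    keys, current, continuing = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if continuing:                         # tail of a multi-line hex: value
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1) or "", m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            continuing = data.endswith("\\")
    return keys


def audit(keys):
    """Return (location, detail) findings for the three launch points."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon") and "Shell" in values:
            # Shell is comma-separated; anything beyond explorer.exe runs at every logon
            programs = [p.strip() for p in values["Shell"].split(",") if p.strip()]
            extra = [p for p in programs if p.lower() != EXPECTED_SHELL]
            if extra:
                findings.append((key + "\\Shell", "extra shell programs: " + ", ".join(extra)))
        elif k.endswith("\\currentversion\\run"):
            for name, command in values.items():
                if "\\temp\\" in command.lower():   # heuristic: nothing legitimate autostarts from Temp
                    findings.append((key + "\\" + name, "autostart from a Temp folder: " + command))
        elif "\\control\\print\\monitors\\" in k:
            monitor = key.rsplit("\\", 1)[1].lower()
            driver = values.get("Driver", "")
            if BASELINE_MONITORS.get(monitor) != driver.lower():
                findings.append((key, "print monitor not in baseline: " + driver))
    return findings


if __name__ == "__main__":
    for location, detail in audit(parse_reg(SAMPLE_REG)):
        print(location, "->", detail)
```

On the suspect machine, `regedit /e export.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (repeated for each key of interest, from the Safe Mode command prompt the note describes) produces the export; regedit writes it as UTF-16, so open the file with `encoding="utf-16"` before passing the text to `parse_reg`. The Temp heuristic in the Run check is only a first pass; every Run entry still deserves a look, which is why the parser keeps all of them.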