Understanding the Booting Process

What is the Booting Process?
  • Booting refers to the process of starting or resetting the operating system when the user turns on a computer system.
  • It loads the operating system stored on the hard disk into RAM (working memory).
Types of Booting
  • Cold boot: It is the process of starting a computer from a powered down or off state.
  • Warm boot: It is the process of restarting a computer that is already turned on through the operating system.

Essential Windows System Files

  • Ntoskrnl.exe – Executive and kernel
  • exe – Executive and kernel with support for Physical Address Extension
  • Hal.dll – Hardware abstraction layer
  • sys – Kernel-mode part of the Win32 subsystem
  • dll – Internal support functions and system service dispatch stubs to executive functions
  • dll – Win32 subsystem DLL files
  • dll – Win32 subsystem DLL files
  • dll – Win32 subsystem DLL files
  • Gdi32.dll – Win32 subsystem DLL files
Windows Boot Process

Windows XP, Vista, and 7 power on and start up using the traditional BIOS-MBR method, whereas Windows 8 and later use either the traditional BIOS-MBR method or the newer UEFI-GPT method, according to the user's choice.


Windows Boot Process: BIOS-MBR method

The following is the process that occurs within the system when it is switched on using the BIOS-MBR method.

1. When the user switches the system ON, the CPU sends a Power Good signal to the motherboard and checks for the computer's BIOS firmware.

2. BIOS starts POST, which checks whether all the hardware required for system boot is available, and loads all the firmware settings from non-volatile memory on the motherboard.

3. If POST is successful, add-on adapters perform a self-test for integration with the system.

4. The pre-boot process is completed when POST detects a valid system boot disk.

5. After POST, the computer's firmware scans the boot disk and loads the MBR, which searches for basic boot information in the boot configuration data.

6. The MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows boot partition and starts it.

7. The Windows loader loads the OS kernel, ntoskrnl.exe.

8. Once the kernel starts running, the Windows loader loads hal.dll, boot-class device drivers marked as BOOT_START, and the SYSTEM registry hive into memory.

9. The kernel passes control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure the Win32 subsystem run environment.

10. The Session Manager Process triggers Winlogon.exe, which presents the user login screen for user authorization.

11. The Session Manager Process initiates the Service Control Manager, which starts all the services, the rest of the non-essential device drivers, the security subsystem LSASS.EXE, and Group Policy scripts (Task Manager, Disk Cleanup, Disk Management).

12. Once the user logs in, Windows creates a session for the user.

13. The Service Control Manager starts explorer.exe and initiates the Desktop Window Manager (DWM) process, which initializes the desktop for the user.

Identifying the MBR Partition

Open Disk Management -> right-click the partition and select Properties -> select Hardware -> select the drive and click Properties -> select Volumes.
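Steps 4 to 6 above and the Disk Management check both come down to what the firmware reads from the first sector of the boot disk: a 446-byte bootstrap area, four 16-byte partition entries, and the 0x55AA signature. The following added example (not code from the page or its source) parses such a sector on a constructed sample, identifies the partition flagged active, and hashes the bootstrap code so it can be compared against a known-good baseline; the partition layout and type codes in the sample are assumed values.

```python
import struct
import hashlib

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a bootable sector
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the bootstrap code
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte boot sector the way BIOS-MBR firmware reads it."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA signature: BIOS would not treat this disk as bootable")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    # The bootstrap code is the first code run after POST; hashing it lets a
    # defender compare the sector against a baseline taken from a clean system.
    return {"bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def active_partition(mbr: dict):
    """Return the single partition flagged 0x80, or None if zero or several are flagged."""
    flagged = [p for p in mbr["partitions"] if p["active"]]
    return flagged[0] if len(flagged) == 1 else None


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed bootstrap area, an active NTFS (0x07) volume, a Linux (0x83) volume."""
    sector = bytearray(MBR_SIZE)
    sector[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector[462:478] = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 206848, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("bootstrap sha256:", info["bootstrap_sha256"])
    print("active partition:", active_partition(info))
```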


Windows Boot Process: UEFI-GPT

The Windows boot process on a UEFI-GPT system is a bit different than on older BIOS-MBR systems:

1. When you turn on your computer, the UEFI firmware starts and performs a Power-On Self-Test to check if hardware components are working correctly.

2. UEFI scans for bootable devices with a valid GUID Partition Table, and it looks for an EFI System Partition (ESP), a special partition on the GPT disk containing boot loaders and drivers.

3. UEFI reads its boot manager data to determine which UEFI application to launch. In the case of Windows, this is the Windows Boot Manager, which is a small program that resides in the ESP.

4. The Boot Manager reads the Boot Configuration Data (BCD) store, a database that contains boot options and settings. The BCD tells the Boot Manager which operating system to load and from which partition.

5. The Boot Manager launches the Windows Boot Loader (winload.efi), which is also located in the ESP. The boot loader loads essential drivers and prepares the Windows kernel for startup.

6. The Windows kernel (ntoskrnl.exe) starts and initializes the core components of the operating system. Device drivers are loaded, and the system begins the process of starting Windows services and the user interface.

7. Once the kernel is initialized and essential services are running, the user is presented with the login screen. After successful login, the Windows desktop appears, and the user can start using the computer.
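Step 2 above has the firmware locate the EFI System Partition by walking the GUID Partition Table, and the table carries CRC32 fields that let a reader detect a corrupted or edited header or entry array. The following added example (not code from the page or its source) parses the primary GPT header at LBA 1 on a constructed three-sector image, verifies both CRCs, and returns the ESP entry; the partition sizes and names in the sample are assumed values, and the sample omits the protective MBR at LBA 0.

```python
import struct
import uuid
import zlib

SECTOR = 512
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header layout at LBA 1
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")          # EFI System Partition
BASIC_DATA_TYPE = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")   # Microsoft basic data


def parse_gpt(image: bytes) -> list:
    """Read the primary GPT header and entry array, verifying both CRC32 fields."""
    hdr = image[SECTOR:2 * SECTOR]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first, _last, _disk,
     entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(HEADER_FMT, hdr[:92])
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    # The header CRC covers hdr_size bytes with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    table = image[entries_lba * SECTOR:entries_lba * SECTOR + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        ptype = uuid.UUID(bytes_le=e[:16])   # GUIDs are stored in mixed-endian form
        if ptype.int == 0:
            continue  # unused entry
        first, last = struct.unpack("<QQ", e[32:48])
        parts.append({"type": ptype, "first_lba": first, "last_lba": last,
                      "name": e[56:128].decode("utf-16-le").rstrip("\0")})
    return parts


def find_esp(parts: list):
    """Return the ESP entry, the partition UEFI searches for its boot loaders, or None."""
    return next((p for p in parts if p["type"] == ESP_TYPE), None)


def build_sample_image() -> bytes:
    """Constructed image: header at LBA 1, two 128-byte entries at LBA 2, no protective MBR."""
    def entry(ptype, first, last, name):
        return (ptype.bytes_le + uuid.UUID(int=first).bytes_le + struct.pack("<QQQ", first, last, 0)
                + name.encode("utf-16-le").ljust(72, b"\0"))
    table = entry(ESP_TYPE, 2048, 206847, "EFI system partition") + entry(BASIC_DATA_TYPE, 206848, 409599, "Basic data partition")
    hdr = struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, 0, 34, 409600,
                      uuid.UUID(int=7).bytes_le, 2, 2, 128, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]   # fill in the header CRC
    image = bytearray(3 * SECTOR)
    image[SECTOR:SECTOR + 92] = hdr
    image[2 * SECTOR:2 * SECTOR + len(table)] = table
    return bytes(image)
```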

Macintosh Boot Process


Boot Process of an Intel-based macOS

The following are the steps associated with the booting process of an Intel-based Mac:

  • After powering ON, the Mac performs a secure boot using its Boot ROM. This is the first step, in which the Boot ROM evaluates the iBoot boot loader.
  • iBoot then evaluates both the kernel and kernel extension code on the T2 chip, followed by checking the UEFI firmware. However, the UEFI firmware and its signature are initially accessible only to the T2 chip.
  • Once the verification is successful, the UEFI firmware image is mapped into a specific portion of the T2 chip's memory. This memory is then made accessible to the Intel CPU via the enhanced Serial Peripheral Interface (eSPI).
  • After the Intel CPU boots, it retrieves the UEFI firmware via eSPI from the memory-mapped firmware copy held within the T2 chip.
  • The UEFI firmware on the Intel CPU checks the signature of boot.efi, the macOS bootloader. Here, the Intel-based macOS secure boot signatures are stored in Image4 format.
  • After completing the boot.efi signature evaluation, boot.efi evaluates the signature of a file known as immutablekernel. With secure boot enabled, this immutablekernel file contains the Apple kernel extensions required to boot macOS.
  • The secure boot policy ends at the handoff to immutablekernel; from that point, macOS security policies such as signed kernel extensions and System Integrity Protection are enforced.

Boot Process of an Apple Silicon-based macOS

The following are the steps associated with the booting process of an Apple silicon-based Mac:

▪ After powering ON, the chip executes code from its Boot ROM. The macOS secure boot on the system evaluates the OS code, security policies, and user-configured settings.

▪ Once the low-level bootstrap (LLB) is launched successfully, it evaluates and loads the system-paired firmware for the intra-SoC cores.

▪ The LLB loads the LocalPolicy file, which is signed by the Secure Enclave processor. This file defines the selected user configuration for the system boot along with the runtime security policies.

  • The LLB uses the Secure Enclave boot ROM to avoid replaying any previous LocalPolicy by fetching the LocalPolicy nonces from secure storage.
  • The LocalPolicy file defines whether macOS has full, reduced, or permissive security configuration.

▪ Once the LLB hands off to iBoot, the macOS-paired firmware is loaded. iBoot also reads the LocalPolicy information that was handed over from the LLB.

▪ iBoot also validates the boot kernel collection, auxiliary kernel collection (AuxKC), system trust cache, and signed system volume signatures based on the LocalPolicy to boot macOS.

  • If the LocalPolicy indicates that an AuxKC is needed, iBoot will search the file system and evaluate the associated signatures and hashes that are stored in the LocalPolicy.
  • After evaluating the AuxKC, iBoot loads it into memory along with the boot kernel collection, using system coprocessor integrity protection (SCIP), before the full memory region is locked.
  • If iBoot does not find an AuxKC, the system boots macOS without it.

Linux Boot Process

The Linux boot process flow starts with the BIOS, which searches for active and bootable devices. The system boots Linux from the primary storage device, in which the MBR contains the primary boot loader.

The Linux boot process consists of the following three stages:

  • BIOS stage
  • Bootloader stage
  • Kernel stage

BIOS Stage

This initial stage focuses on hardware initialization during the booting process. The BIOS retrieves the information stored in the complementary metal–oxide semiconductor (CMOS) chip, which is a battery-operated memory chip on the motherboard that contains information about the system’s hardware configuration. During the boot process, the BIOS performs a POST to ensure that all the hardware components of the system are operational. After a successful POST, the BIOS starts searching for the drive or disk that contains the OS in a standard sequence. If the first listed device is not available or not working, then it checks for the next one, and so on. A drive is bootable only if it has the MBR in its first sector known as the boot sector. The system’s hard disk acts as the primary boot disk, and the optical drive works as the secondary boot disk for booting the OS in case the primary boot disk fails.


Bootloader Stage

This stage is responsible for loading the Linux kernel and an optional initial RAM disk. The kernel enables the CPU to access RAM and the disk. The second precursor component is an image of a temporary virtual file system called the initrd image, or initial RAM disk. The system then prepares to deploy the actual root file system: it detects the device that contains the file system and loads the necessary modules. The last step of the bootloader stage is to load the kernel into memory.


Kernel Stage

Once control shifts from the bootloader stage to the kernel stage, the virtual root file system created by the initrd image executes the Linuxrc program. This program sets up the real root file system for the kernel and later removes the initrd image. The kernel then searches for new hardware and loads suitable device drivers for any it finds. Subsequently, it mounts the actual root file system and starts the init process. init reads the file "/etc/inittab" and uses it to load the rest of the system daemons. This prepares the system, and the user can log in and start using it. Typical bootloaders for Linux are the Linux Loader (LILO) and the Grand Unified Bootloader (GRUB). These bootloaders allow the user to select which OS kernel to load at boot time.


Reference

1. Ec-Council CHFI Ebook