The Windows Bootup Process
To better understand how malware autostarts in Windows, let's take a quick look at how
Windows boots up. Depending on whether the system is BIOS-based or EFI-based, the bootup
process differs up to the point where control is passed to the kernel.
On a BIOS-based system, the bootup process begins with the BIOS. The BIOS code selects
a boot device and loads that device's Master Boot Record (MBR) into memory. The MBR is
512 bytes in size and is located at the first sector of the device. It contains the boot
code, the partition table, and a two-byte boot signature (0x55AA) at the end of the sector.
The partition table has four 16-byte entries, each describing the location and size of a
primary partition on the disk. After the MBR is loaded, the BIOS passes control to the MBR boot code.
The boot code parses the partition table and looks for the partition flagged as bootable
(the active partition). This is also called the system partition. After it is found, the MBR boot
code reads the system partition's boot sector, which is found at the system partition's first
sector. The MBR boot code then passes control to the boot sector code, which understands the
file system of the volume and loads the Bootmgr file from the volume's root directory, after
which control is passed to Bootmgr.
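The following is an added example, not code from the original text: it walks the same chain the MBR boot code walks, parsing the 512-byte MBR, checking the 0x55AA signature, locating the single active entry in the four-entry partition table, and reading the boot sector (VBR) at that partition's first sector. The disk image it operates on is constructed in memory and is not a real Windows disk; the NTFS OEM ID and jump bytes placed in the sample VBR are assumptions for illustration.

```python
"""Parse a BIOS-style MBR and locate the system partition's boot sector (VBR).

Added example. The sample disk image is constructed in memory; it is not a real
Windows disk.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of both the MBR and a VBR
PARTITION_TABLE_OFFSET = 446     # 446 bytes of boot code precede the table
PARTITION_ENTRY_SIZE = 16
ACTIVE_FLAG = 0x80               # status byte value marking the bootable partition


def parse_mbr(mbr):
    """Return the non-empty entries of the MBR's four-entry partition table."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR lacks the 0x55AA boot signature")
    entries = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[start:start + PARTITION_ENTRY_SIZE])
        if ptype == 0:           # type 0x00 means the entry is unused
            continue
        entries.append({"index": index, "active": status == ACTIVE_FLAG,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def find_system_partition(entries):
    """The MBR boot code boots the one entry whose status byte is 0x80."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def read_boot_sector(disk, partition):
    """Read the VBR at the partition's first sector and check its signature."""
    offset = partition["lba_start"] * SECTOR_SIZE
    vbr = disk[offset:offset + SECTOR_SIZE]
    if len(vbr) != SECTOR_SIZE or vbr[510:512] != BOOT_SIGNATURE:
        raise ValueError(f"boot sector at LBA {partition['lba_start']} lacks 0x55AA")
    # Bytes 0-2 are the jump instruction, bytes 3-10 the OEM ID (e.g. "NTFS    ").
    return {"offset": offset, "jump": vbr[0:3].hex(),
            "oem_id": vbr[3:11].decode("ascii", "replace")}


def locate_system_boot_sector(disk):
    """Full chain: MBR -> active partition -> that partition's boot sector."""
    entries = parse_mbr(disk[:SECTOR_SIZE])
    return read_boot_sector(disk, find_system_partition(entries))


def build_sample_disk():
    """Constructed image: active NTFS-style partition at LBA 2048, plus an inactive one."""
    def entry(status, ptype, lba_start, sectors):
        return struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                           b"\xff\xff\xff", lba_start, sectors)

    mbr = bytearray(SECTOR_SIZE)
    table = (entry(ACTIVE_FLAG, 0x07, 2048, 204800)
             + entry(0x00, 0x07, 206848, 409600)
             + bytes(PARTITION_ENTRY_SIZE) * 2)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64] = table
    mbr[510:512] = BOOT_SIGNATURE

    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xeb\x52\x90"       # assumed NTFS-style jump
    vbr[3:11] = b"NTFS    "          # assumed OEM ID
    vbr[510:512] = BOOT_SIGNATURE

    disk = bytearray(2049 * SECTOR_SIZE)
    disk[:SECTOR_SIZE] = mbr
    disk[2048 * SECTOR_SIZE:2049 * SECTOR_SIZE] = vbr
    return bytes(disk)


if __name__ == "__main__":
    sample = build_sample_disk()
    for e in parse_mbr(sample[:SECTOR_SIZE]):
        print(e)
    print(locate_system_boot_sector(sample))
```

Pointed at a real disk image, `parse_mbr` and `read_boot_sector` give an analyst a quick way to confirm that the active partition and its VBR are where the partition table says they are and still carry a valid signature, which is the first thing to check when a bootkit is suspected of having rewritten either sector.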
[Figure: A simplistic view of the bootup process]
Bootmgr starts out in real mode. In real mode the CPU uses 16-bit segmented addressing,
there is no virtual-to-physical translation of memory, and only the first 1 MB of physical
memory (20 address bits) is reachable. The first thing Bootmgr does is switch the CPU to
protected mode, which makes the full 32-bit address space (4 GB) accessible instead of just
that first megabyte. For Windows to operate normally, the system must be running in protected
mode with paging enabled, so after switching to protected mode, Bootmgr also enables paging.
On BIOS-based systems, Bootmgr briefly switches back to real mode whenever it needs to call
BIOS services, in particular to access the computer display and to read Integrated Drive
Electronics (IDE) disks through the BIOS disk interface.
Once the system is running in protected mode with paging enabled, Bootmgr loads the
Boot Configuration Data (BCD) store from the Boot folder in the root directory of the
system volume. As defined by Microsoft, the BCD store contains boot configuration
parameters and controls how the operating system is started on newer versions of
Windows, beginning with Windows Vista and Windows Server 2008. Once the BCD is loaded,
its entries tell Bootmgr which partition holds the Windows installation to boot. This is
also known as the boot partition (or boot volume). From there, Bootmgr loads Winload.exe,
the Windows OS loader.
As Microsoft puts it, the system partition contains the hardware-related files
that tell a computer where to look to start Windows. A boot partition is a
partition that contains the Windows operating system files, which are located in the
Windows folder. Usually these are the same partition, especially if you have
only one operating system installed on your computer. If you have a multiboot computer,
you will have more than one boot partition.
The BCD can have multiple boot-selection entries, which can include other operating systems.
If this is the case, Bootmgr displays the OS choices to the user, who decides
which one to boot. If the user does not choose anything within the configured timeout, Bootmgr
loads the boot loader of the default OS.