
The Windows Bootup Process

To better understand how malware autostarts in Windows, let's take a quick look at how Windows boots up. Depending on whether the system is BIOS-based or EFI-based, the bootup process differs up to the point where control is passed to the kernel.

BIOS-Based System

On a BIOS-based system, the bootup process begins with the BIOS. The BIOS code selects a boot device and loads that device's Master Boot Record (MBR) into memory. The MBR is 512 bytes in size and is located at the first sector of the device. It contains the boot code, a four-entry partition table, and a two-byte boot signature (0x55AA) that the BIOS checks before it will boot from the device. The partition table records the location and size of each primary partition on the disk. After the MBR is loaded, the BIOS passes control to the MBR boot code.

The boot code parses the partition table and looks for the partition marked active (bootable). This is also called the system partition. After it is found, the MBR boot code reads the system partition's boot sector, which is the system partition's first sector, and passes control to the boot sector code. That code understands the volume's file system well enough to locate and load the Bootmgr file from the volume's root directory, after which control is passed to Bootmgr.
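The following is an added example, not code from the original article: a small Python parser that walks the same chain the MBR boot code walks, over a constructed disk image rather than a real device. It checks the 0x55AA signature, parses the four 16-byte partition entries, picks the single active partition, reads that partition's boot sector, and hashes the 440-byte boot code region (the part of the MBR a bootkit has to modify to run before Bootmgr) so it can be compared against a known-good baseline. The image, the partition layout and the stand-in boot code bytes are all made up for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of both the MBR and a volume boot sector
BOOT_CODE_SIZE = 440             # boot code; bytes 440..443 hold the disk signature, 444..445 reserved
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow, then the boot signature
ACTIVE_FLAG = 0x80               # status byte of the bootable (system) partition
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_disk():
    """Constructed disk image (not captured from real hardware): an MBR whose
    partition table marks slot 0 active, type 0x07 (NTFS), starting at LBA 2048,
    and an NTFS-style boot sector at that LBA."""
    disk = bytearray(SECTOR * 2049)
    disk[0:3] = b"\xfa\x33\xc0"                     # stand-in boot code: cli; xor ax,ax
    entry = struct.pack(ENTRY_FMT, ACTIVE_FLAG, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    disk[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    disk[510:512] = BOOT_SIGNATURE
    vbr = 2048 * SECTOR
    disk[vbr:vbr + 3] = b"\xeb\x52\x90"             # jmp short + nop, as an NTFS boot sector begins
    disk[vbr + 3:vbr + 11] = b"NTFS    "            # OEM ID
    disk[vbr + 510:vbr + 512] = BOOT_SIGNATURE
    return bytes(disk)


def parse_partition_table(mbr):
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                                # empty slot
        entries.append({"slot": i, "active": status == ACTIVE_FLAG,
                        "type": ptype, "lba": lba, "sectors": count})
    return entries


def find_system_partition(disk):
    """Do what the MBR boot code does: verify the signature, then select the one
    active entry. Raise on the malformed cases a real MBR would refuse to boot."""
    mbr = disk[:SECTOR]
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR has no 0x55AA boot signature")
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def read_boot_sector(disk, part):
    """Load the system partition's first sector (its boot sector) and sanity-check it."""
    start = part["lba"] * SECTOR
    vbr = disk[start:start + SECTOR]
    if len(vbr) != SECTOR or vbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot sector missing or has no 0x55AA signature")
    return {"jump": vbr[0:3].hex(), "oem_id": vbr[3:11].decode("ascii", "replace")}


def mbr_code_hash(disk):
    """SHA-256 of the 440-byte boot code region only. The per-disk signature that
    follows it is excluded so that two clean installs can share a baseline."""
    return hashlib.sha256(disk[:BOOT_CODE_SIZE]).hexdigest()


if __name__ == "__main__":
    image = build_sample_disk()
    sys_part = find_system_partition(image)
    print("system partition:", sys_part)
    print("boot sector:", read_boot_sector(image, sys_part))
    print("MBR boot code SHA-256:", mbr_code_hash(image))
```

On a live system the same functions can be pointed at the first sectors of a physical disk opened read-only; the useful check is not the hash itself but whether it still matches the baseline taken when the machine was known to be clean.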

[Figure: A simplistic view of the bootup process]

Bootmgr starts in real mode, the 16-bit mode the BIOS leaves the CPU in. In real mode there is no virtual-to-physical translation of memory: every address is a physical address, and only the first 1 MB (a 20-bit address space) is reachable. So the first thing Bootmgr does is switch the CPU to protected mode, which makes the full 32-bit address space available instead of just the first 1 MB. For Windows to operate normally, the system must be running in protected mode with paging enabled, so after switching to protected mode, Bootmgr also enables paging.

On BIOS-based systems, Bootmgr briefly switches back to real mode whenever it needs to call BIOS functions, for example to write to the display or to read from Integrated Drive Electronics (IDE) disks through the BIOS disk services.

Once the system is running in protected mode with paging enabled, Bootmgr loads the Boot Configuration Data (BCD) store from the \Boot folder in the root directory of the system volume. As Microsoft defines it, the BCD store contains boot configuration parameters and controls how the operating system is started, beginning with Windows Vista and Windows Server 2008. The BCD entry for the selected operating system tells Bootmgr which partition Windows is installed on; this is known as the boot partition, or boot volume. From there, Bootmgr loads Winload.exe, the Windows boot loader, and passes control to it.

As Microsoft puts it, the system partition contains the hardware-related files that tell a computer where to look to start Windows. A boot partition is a partition that contains the Windows operating system files, which are located in the Windows folder. These are often the same partition, especially if you have only one operating system installed, although the Windows 7 and later installers usually create a small separate System Reserved partition to act as the system partition when they partition the disk themselves. If you have a multiboot computer, you will have more than one boot partition.

The BCD can have multiple boot-selection entries, including entries for other operating systems. If so, Bootmgr displays the OS choices to the user, who decides which one to boot. If the user does not choose within the time limit, Bootmgr loads the boot loader of the default OS.
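Because the BCD decides which loader runs and under what rules, it is one of the first places to look when asking how code gets to execute early in boot. The following is an added example, not code from the original article: a Python parser for the text that `bcdedit /enum` prints (run from an elevated command prompt on a real machine) that resolves the Boot Manager's default entry and flags loader settings a practitioner would want to know about, such as test signing or disabled integrity checks. The sample output, its GUID, descriptions and partition letters are constructed for the example, and the list of settings treated as risky is my selection, not a Microsoft-defined set.

```python
import re

# Constructed sample modelled on the layout of "bcdedit /enum" on a BIOS-booted
# system with two Windows installs. Every value below is made up for the example.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {11111111-2222-3333-4444-555555555555}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 10
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
testsigning             Yes
nointegritychecks       Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=D:
path                    \\Windows\\system32\\winload.exe
description             Windows 10 (second install)
osdevice                partition=D:
systemroot              \\Windows
nx                      OptIn
"""

# Setting -> (value that is a finding, why it matters). My selection for the example.
RISKY = {
    "testsigning": ("Yes", "test-signed kernel drivers are accepted"),
    "nointegritychecks": ("Yes", "boot-time code integrity checks are disabled"),
    "bootdebug": ("Yes", "boot debugger is enabled"),
    "debug": ("Yes", "kernel debugger is enabled"),
    "nx": ("AlwaysOff", "DEP is disabled for all processes"),
}
EXPECTED_LOADERS = ("winload.exe", "winload.efi")
ELEMENT_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_bcdedit(text):
    """Split bcdedit /enum output into entries: {"title": ..., "values": {name: [v, ...]}}.
    Multi-valued elements such as displayorder continue on indented lines."""
    entries, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line ends an entry
            continue
        if current is None:
            current = {"title": line.strip(), "values": {}}
            entries.append(current)
            last_key = None
            continue
        if set(line.strip()) == {"-"}:
            continue                            # underline beneath the title
        if line[0].isspace():
            if last_key is not None:
                current["values"][last_key].append(line.strip())
            continue
        m = ELEMENT_RE.match(line)
        if m:
            last_key = m.group(1)
            current["values"].setdefault(last_key, []).append(m.group(2).strip())
    return entries


def audit_loader(entry):
    """Return human-readable findings for one Windows Boot Loader entry."""
    v = entry["values"]
    findings = []
    for name, (bad, why) in RISKY.items():
        if v.get(name, [""])[0].lower() == bad.lower():
            findings.append(f"{name}={bad}: {why}")
    path = v.get("path", [""])[0]
    if path.lower().rsplit("\\", 1)[-1] not in EXPECTED_LOADERS:
        findings.append(f"path={path!r}: unexpected boot loader")
    return findings


def audit(text):
    """Map each loader identifier to its description, default status and findings."""
    entries = parse_bcdedit(text)
    manager = next(e for e in entries if e["title"] == "Windows Boot Manager")
    default_id = manager["values"].get("default", [""])[0]
    report = {}
    for e in entries:
        if e["title"] != "Windows Boot Loader":
            continue
        ident = e["values"]["identifier"][0]
        report[ident] = {"description": e["values"].get("description", [""])[0],
                         "is_default": ident == default_id,
                         "findings": audit_loader(e)}
    return report


if __name__ == "__main__":
    for ident, info in audit(SAMPLE_BCDEDIT_OUTPUT).items():
        flag = " (default)" if info["is_default"] else ""
        print(f"{ident} {info['description']}{flag}")
        for f in info["findings"]:
            print("   ", f)
```

The parser keys on the English section titles, so on a non-English system the title strings need adjusting; the element names themselves are not localized.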

Copyright©2001-2021 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268