Booting-Process

What is the Booting Process?

Leave a Comment / CHFI / By

Booting is the process of starting or resetting the computer when the user turns the system on. The process includes getting both the hardware and software ready and running. The booting process is of two types:

  • Cold booting: The process happening when we first turn on the computer. Also called as hard boot, this happens when user completely cuts the power supply to the system.
  • Warm booting is the process happening when we reset the computer. In this process, the user restarts the system via operating system.

During the process of booting, the computer loads the operating system to its memory or RAM and prepares it for use. During initialization, the system switches on the BIOS and loads it onto the ROM. BIOS stores the first instruction, which is the command to perform the power-on self-test (POST). Under POST, the system checks the BIOS chip and CMOS RAM.

If the POST detects no battery failure, it continues to start other parts of the CPU by checking the hardware devices and secondary storage devices.

Essential Windows System Files

After installation of an operating system, the setup program creates folders and required files on the system drive. The following are the essential Windows system files.

1. Windows Boot Process

Windows XP, Vista, and 7 OSs power on and start up using the traditional BIOS-MBR method. Whereas, the Microsoft operating systems starting with Windows 8 and later versions will use either traditional BIOS-MBR method or newer UEFI-GPT method according to the user choice.

Below is process that occurs within the system when switched ON.

  1. When the user switches the system ON, CPU sends a Power Good signal to motherboard and checks for computer’s BIOS firmware.
  2. BIOS starts a Power-On Self-Test (POST) which checks if all the hardware required for system boot are available and load all the firmware settings from nonvolatile memory on the motherboard.
  3. If POST is successful, add-on adapters perform a self-test for integration with the system.
  4. The pre-boot process will complete with POST, detecting a valid system boot disk.
  5. After POST, the computer’s firmware scans boot disk and loads the master boot record (MBR), which search for basic boot information in Boot Configuration Data (BCD),
  6. MBR triggers Bootmgr.exe, which locates Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe.
  7. Windows loader loads the OS kernel ntoskrnl.exe.
  8. Once the Kernel starts running, the Windows loader loads HAL.DLL, boot-class device drivers marked as BOOT START and the SYSTEM registry hive into the memory.
  9. Kernel passes the control of boot process to the Session Manager Process (5MSS.exe), which loads all other registry hives and drivers required to configure Win32 subsystem run
  10. Session Manager Process triggers Winfogon.exe, which presents the user logon screen for user authorization.
  11. Session Manager Process initiates Service control manager, which starts all the services, rest of the non-essential device drivers, the security subsystem L5ASS.EXE and Group policy scripts.
  12. Once user logs in, Windows creates a session for the user.
  13. Service control manager starts the Explorer.exe and initiates the Desktop Window Manager (DMW) process, which set the desktop for the user.

Related Product : Computer Hacking Forensic Investigator | CHFI

Windows Boot Process (Cont’d)

The EFI boot manager controls the UM boot process. It starts with platform firmware initialization; the boot manager loads UEFI drivers and UEFI applications (including UEFI OS boot loaders) to initialize platform functions. The system loads the OS loader at the final stage and then OS starts booting. Once the OS receives the controls, it halts the UEFI boot service.

The LIEF’ boot process has five phases and each phase has its own role. These five phases are:

  • SEC (Security) Phase

This phase of EFI consists of initialization code that the system executes after powering the EFI system on. It manages platform reset events and sets the system so that it can find, validate, install, and run the PEI.

  • PEI (Pre-EFI Initialization) Phase

The PEI phase initializes the CPU, temporary memory, and boot firmware volume (BF A. It locates and executes the Pre Initialization modules (PEIMs) present in the BFV so as to initialize all the found hardware In the system. Finally, it creates a Hand-Off Block List with all found resources interface descriptors and passes it to the next phase i.e. the DXE phase.

  • DXE (Driver Execution Environment) Phase

Most of the initialization happens in this phase. Using the Hand-Off Block List (HOBOL) it initializes the entire system physical memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally begins dispatching DXE Drivers present in the system

Firmware Volumes (given in the HOBL). The DXE core produces a set of EH Boot Services and EFI Runtime Services. The EFI Boot Services provided are allocating memory and loading executable images. The EFI Runtime services provided are converting memory addresses from physical to virtual while handing over to the kernel, and resetting the CPU, to code running within the EFI environment or within the 05 kernel once the CPU takes the control of the system.

  • BDS (Boot Device Selection) Phase

In this phase, the BD S interprets the boot configuration data and selects the Boot Policy for later implementation. This phase works with the DXE to check if the device drivers require signature verification.

In this phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads the Bootloader program from the EFI partition for UEFI Boot. It also provides an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.

  •  RT (Run Time) Phase

At this point, the system clears the UEFI program from memory and transfers it to the OS. During UEFI BIOS update, the OS calls the run time service using a small part of the memory.

2. Macintosh Boot Process

Following are the steps for the Macintosh boot process:

  • The Macintosh boot process starts with the activation of BootROM, which initializes system hardware and selects an operating system to run
  • Once you power on the Macintosh, BootROM performs POST (Power-On Self-Test) to test some hardware interfaces required for startup
  • On PowerPC-based Macintosh computers, Open Firmware initializes the rest of the hardware interfaces
  • On Intel-based Macintosh computers, EP initializes the rest of the hardware interfaces
  • After initializing the hardware interfaces, the system selects the operating system
  • If the system contains multiple operating systems, then it allows the user to choose the particular operating system by holding down the Option key
  • Once the BootROM operation is finished, the control passes to the Boot{ (PowerPC) or boot.efi (Intel) boot loader, which is located in the /System/Library/CoreServices directory
  • The boot loader loads a pre-linked version of the kernel, which is located at /S System/Library /Caches/com.apple.kernelcaches
  • If the pre-linked kernel is missing, the boot loader attempts to load the mkext cache file, which contains a set of device drivers.
  • If the mkext cache file is also missing, the boot loader searches for drivers in the /System/Library/Extensions directory
  • Once the essential drivers are loaded, the boot loader starts initialization of the kernel, Math and BSD data structures, as well as the I/O kit
  • The I/O kit uses the device tree to link the loaded drivers to the kernel
  • The launchd, which has replaced the mach_init process, runs startup items and prepares the system for the user.

Also Read : Hard Disk Partitions

3. Linux Boot Process

In Linux boot process, the process flow starts with the BIOS, which searches for active and bootable devices. The system boots Linux from hard disk, in which the MBR contains the primary boot loader.

The Linux Boot Process consists of three stages. They are as follows:

  • The BIOS Stage
  • The Bootloader Stage
  • Kernel Stage

1. The BIOS Stage

The first stage of the Linux boot process is the 13105 stage. It initializes the system hardware during the booting process. The BIOS retrieves the information, stored in the CMOS chip (Complementary Metal-Oxide Semiconductor) which is a battery operated memory chip on the motherboard that contains information about the system’s hardware configuration.

During the boot process, the BIOS performs a Power-On Self-Test (POST) to make sure that all the hardware components of the system are working. Once BIOS confirms that everything is fine, it starts searching for the drive or disk which contains the operating system in a standard sequence. If the first listed device is not available or not working, then it checks for the next one and so on. A drive can be bootable only if it has the Master Boot Record in its first sector known as the boot sector. The system’s hard disk acts as the primary boot disk and the optical drive works as the secondary boot disk for booting the operating system from the removable disk if in case the main hard disk fails.

2. The Bootloader Stage

The bootloader stage includes the task of loading the Linux kernel and optional initial RAM disk. The kernel will help enabling the CPU to access RAM and the disk. The second pre-cursor software is an image of a temporary virtual file system called the initrd image or initial RAMdisk. Now, the system prepares to deploy the actual root file system. It then detects the device that contains the file system and loads the necessary modules. The last step of the bootloader stage is to load the kernel into the memory.

3. Kernel Stage

Once the control shifts from the bootloader stage to the Kernel stage, the virtual root file system created by the initrd image executes the Linuxrc program. This program generates the real file system for the kernel and later removes the initrd image. The kernel then searches for new hardware and loads any suitable device drivers found. It then mounts the actual root file system and then performs the init process. The init reads the file “/etc/inittab” and uses this file to load the rest of the system daemons. This prepares the system and the user can log in and start using it. The typical bootloaders for Linux are LILO (Linux Loader) and GRUB (Grand Unified Bootloader). These bootloaders allow the user to select which OS kernel to load during boot time.

Questions related to this topic

  1. How does BIOS load the operating system?
  2. Is MBR a bootloader?
  3. What is the difference between UEFI and CSM boot?
  4. How does kernel work in boot time?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

Leave a Comment