Windows OS Internals: Boot Sequence



Understanding how a computer goes from a cold piece of plastic and metal to a working desktop can be confusing. Think of the Windows Boot Process like a robot waking up and getting ready for school. It has to check its parts, find its map, and eventually open the front door for you to come in.

While the "morning routine" changed between the old days (Server 2003) and the modern era (Server 2008 and beyond), the goal remains the same: getting the system ready for work.


Boot Process Comparison

Here is how the two generations of Windows compare in their "wake-up" steps:

Step            | Windows Server 2003 (Legacy)   | Windows Server 2008+ (Modern)
----------------|--------------------------------|-----------------------------------
First Loader    | NTLDR (the "Old Boss")         | BOOTMGR (the "New Manager")
The "Map"       | BOOT.INI (simple text file)    | BCD (Boot Configuration Database)
Hardware Scout  | NTDETECT.COM                   | winload.exe (Windows Loader)
Hibernation     | Basic restart                  | winresume.exe (fast wake-up)



Windows Server 2003: Legacy Path

In the 2003 era, the process was a bit more manual. Here is the step-by-step breakdown:

  • Self-Check: When you hit the power button, the computer runs a POST (Power-On Self-Test) to make sure its brain and memory are working before loading the BIOS.
  • Finding the Map: The BIOS looks at the very first sector of your hard drive, called the MBR (Master Boot Record), to find the partition table and see where the OS is hiding.
  • Loading the Boss: Once the MBR is found, it loads a small program called NTLDR.
  • Reading the Instructions: NTLDR reads a text file called BOOT.INI to figure out which drive contains the actual Windows files.
  • Checking the Parts: NTLDR then runs NTDETECT.COM to see what kind of keyboard, mouse, and hardware are plugged in.
  • Getting the Tools: It reads the Registry, chooses a hardware profile, and loads the "Boot" drivers needed to start the kernel, NTOSKRNL.EXE.
  • Opening the Door: A program called SMSS.exe starts winlogon.exe, and the GINA system asks for your username and password.
  • Final Guard: Once you log in, winlogon.exe starts LSASS to check your credentials and finally lets the Service Control Manager start all your background apps.
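The "Reading the Instructions" step says NTLDR reads BOOT.INI to learn which drive holds Windows. This added Python example (not from the original post) parses a constructed BOOT.INI into its [boot loader] settings and its ARC-path entries, which is exactly the information NTLDR extracts; the sample file, the regular expressions and the function names are my own assumptions.

```python
import re

# Constructed sample BOOT.INI (not a real server's file) in the format NTLDR reads.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Standard" /fastdetect /noexecute=optout
multi(0)disk(0)rdisk(1)partition(2)\\WINDOWS="Recovery" /fastdetect /safeboot:minimal
"""

# ARC name: multi()/scsi() adapter, disk(), rdisk(), 1-based partition(), then the system root path.
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<adapter_no>\d+)\)disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)(?P<path>\\.*)$"
)
ENTRY_RE = re.compile(r'^"(?P<desc>[^"]*)"\s*(?P<switches>.*)$')


def parse_arc_path(arc: str) -> dict:
    """Split an ARC name into the pieces NTLDR uses to find the boot drive and system root."""
    m = ARC_RE.match(arc)
    if not m:
        raise ValueError(f"not a valid ARC path: {arc!r}")
    d = m.groupdict()
    return {k: (d[k] if k in ("adapter", "path") else int(d[k])) for k in d}


def parse_boot_ini(text: str) -> dict:
    """Parse the [boot loader] and [operating systems] sections into a dict."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # section header
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if section == "boot loader" and key.lower() in ("timeout", "default"):
            cfg[key.lower()] = int(value) if key.lower() == "timeout" else value
        elif section == "operating systems":
            m = ENTRY_RE.match(value)
            if not m:
                raise ValueError(f"malformed entry: {line!r}")
            cfg["entries"].append({"arc": key, "description": m["desc"],
                                   "switches": m["switches"].split(),
                                   "location": parse_arc_path(key)})
    return cfg


def default_entry(cfg: dict):
    """Return the entry NTLDR boots when the timeout expires (matched on its ARC name)."""
    return next((e for e in cfg["entries"] if e["arc"] == cfg["default"]), None)
```

Because the whole configuration is plain text, anyone able to write the system volume can change the default entry or its switches; this is the weakness the BCD on 2008+ was meant to reduce.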


Windows Server 2008 and Beyond: Modern Path

Starting with Server 2008, Microsoft made the process faster and more secure by changing the "Manager."

  • Same Start: Just like before, it starts with POST and the BIOS.
  • Modern Manager: Instead of NTLDR, the BIOS finds the BOOTMGR.
  • Secure Database: BOOTMGR doesn't read a text file; it reads the BCD (Boot Configuration Database), which is much harder for viruses to mess with.
  • Hand-off: BOOTMGR passes control to the Windows Loader (winload.exe).
  • Hibernation Logic: If the computer was "sleeping" (hibernated), it uses winresume.exe instead to get back to work faster.
  • Loading the Brain: winload.exe finds all the drivers needed for the start-up and hands everything over to the kernel, NTOSKRNL.EXE.
  • Same Welcome: From here, SMSS.exe and winlogon.exe take over to ask for your password.
  • Ready for Action: Your credentials go to the LSASS (Local Security Authority Subsystem Service), and the Service Control Manager wakes up all the background services.
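Both the legacy and the modern path begin the same way: the BIOS reads the first sector (the MBR), finds the partition table and locates the boot sector that loads NTLDR or BOOTMGR. This added Python example (not part of the original post) builds a constructed 512-byte MBR, checks the 0x55AA signature, lists the partition table, picks out the single active partition, and hashes the boot-code area so a defender can compare it with a known-good baseline; the sample sector and the helper names are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries, then 0x55AA
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR for the example: stub code, one active NTFS partition, one inactive."""
    code = b"\xEB\xFE" + b"\x90" * (PART_TABLE_OFFSET - 2)   # 'jmp $' filler, not real boot code
    def entry(status, ptype, lba_start, sectors):
        return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x07, 206848, 409600) + b"\0" * 32
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Parse the first sector the BIOS reads: reject it without the 0x55AA signature, else list partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA signature; the BIOS would not boot from this disk")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0x00:
            continue                                   # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:PART_TABLE_OFFSET], "partitions": partitions}


def active_partition(mbr: dict) -> dict:
    """The one active entry whose boot sector the MBR code loads next (where NTLDR/BOOTMGR lives)."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the 446-byte boot code; compare against a known-good baseline to spot tampering."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()
```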


At a Glance: Boot Manager Evolution

Stage    | Windows Server 2003 (Legacy)  | Windows Server 2008+ (Modern)
---------|-------------------------------|------------------------------
Stage 1  | Power On & POST               | Power On & POST
Stage 2  | BIOS loads NTLDR              | BIOS loads BOOTMGR
Stage 3  | Reads BOOT.INI                | Reads BCD (database)
Stage 4  | Runs NTDETECT.COM             | Runs winload.exe
Stage 5  | Hands off to NTOSKRNL         | Hands off to NTOSKRNL



Windows Server 2003 Boot Process

This is the "old school" way Windows used to wake up. It relied on a few specific files that were essentially just simple text lists.

  1. Power On & POST: The computer turns on and does a "Power-On Self-Test" (POST) to make sure the hardware is working.
  2. MBR Search: The BIOS looks at the very first sector of the hard drive (the MBR) to find where the instructions are kept.
  3. Loading NTLDR: Through the MBR, the boot sector is found and a program called NTLDR is loaded.
  4. Reading the List: NTLDR reads a file called BOOT.INI to figure out exactly which drive has the Windows files on it.
  5. Hardware Check: It runs NTDETECT.COM to "scout" the hardware (like your keyboard and screen) and tell the OS what’s plugged in.
  6. Hand-off: NTLDR reads the Registry, selects a hardware profile, and loads "boot" drivers before handing control to the brain of the system, NTOSKRNL.EXE.
  7. Logging In: The system starts winlogon.exe, where the GINA system asks for your password.
  8. Security Guard: Once you type your password, LSASS (the security guard) checks it and passes it to the LSA (Local Security Authority) to let you in.


Windows Server 2008 Boot Process

For newer versions, Windows got a "New Manager" and a more secure database to store its settings.

  1. Start: Just like the old version, it starts with the Power On, POST, and the BIOS.
  2. New Manager: Instead of the old NTLDR, the BIOS finds and loads the BOOTMGR.
  3. Secure Map: BOOTMGR reads the BCD (Boot Configuration Database). This is a special database that is much safer than the old text files.
  4. Loader: Control is passed to winload.exe (or winresume.exe if the computer was just sleeping/hibernating).
  5. Kernel Time: winload.exe loads the start-up drivers and hands control to the main kernel, NTOSKRNL.EXE.
  6. Entry Way: SMSS.exe starts the login screen (winlogon.exe).
  7. ID Check: The GINA SAS (or modern Credential Provider) accepts your password and sends it to WinLogon.
  8. Full Speed: LSASS verifies everything, and the Service Control Manager finally starts up all the background apps and services you need.

Windows Server 2003 Boot Process

- Power On -> POST -> BIOS Loaded
- BIOS Looks for the MBR first sector for partition table on the bootable device
- Through the MBR the boot sector is located and the NTLDR is loaded
- NTLDR reads BOOT.INI from the system volume to determine the boot drive
- NTLDR loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection

- NTLDR reads the registry files, selects a hardware profile and control set, and loads the drivers flagged as "boot" start in the SYSTEM hive, then passes control to NTOSKRNL.EXE (loaded together with the HAL library, HAL.DLL). SMSS.exe starts winlogon.exe; the GINA SAS accepts credentials and passes control back to Winlogon. Winlogon then starts LSASS and transfers the credentials to the LSA. After that, services are started as configured by the Service Control Manager.


Windows Server 2008 Boot Process

- Power On -> POST -> BIOS Loaded
- BIOS Looks for the MBR first sector for partition table on the bootable device
- Through the MBR the boot sector is located and the BOOTMGR is loaded
- BOOTMGR reads the BCD (boot configuration database) file from the \boot directory
- BOOTMGR transfers control to the Windows Loader (winload.exe), or to winresume.exe if the system was hibernated.

- The Windows Loader loads the drivers that are set to start at boot and then passes control to NTOSKRNL.EXE. SMSS.exe starts winlogon.exe; the GINA SAS accepts credentials and passes control back to Winlogon. Winlogon then starts LSASS and transfers the credentials to the LSA. After that, services are started as configured by the Service Control Manager.


Vocabulary: Who is who?

* MBR (Master Boot Record): The very first "index" on your hard drive.
* BCD (Boot Configuration Database): The modern, secure storage for boot settings.
* NTOSKRNL.EXE: The actual "Kernel" or the "Brain" of the Windows Operating System.
* LSASS: The Local Security Authority Subsystem—think of it as the ID inspector.
