System Startup Process

System Startup Process

1. When you press the enable key, the BIOS program in the BIOS chip of the Main Board is used to perform the hardware detection task. If the key hardware fault is found during the check, the user will be notified of a specific sound and the startup will stop. Where does the BIOS program come from? This is a program that is solidified on the chip when the motherboard leaves the factory.

2. When there is no hardware problem, the BIOS program will read the Master Boot Record of the hard disk and hand over the following task to the Master Boot Record code for completion. Where does the primary Boot Record come from? This is written to the hard disk when partitioning and formatting the disk during operating system installation. If the Master Boot Record cannot be found, the system will stop with an error and tell you that this is an illegal system boot disk.

3. The main guide record Code reads the root directory of the primary partition of the disk, reads the ntldr file, loads the file into the memory, and gives control to it. Check whether the root directory of your hard disk contains an ntldr file? The properties of this file are hidden and system. Therefore, you need to check all the files without hiding them. Where did this file come from? Oh, of course, it is copied to the hard disk when the operating system is installed. The files mentioned below are copied during the operating system installation. If the ntldr file cannot be found, the startup is stopped and the error message not found in ntldr is displayed.

4. What does ntldr do? It switches the system from the original 16-bit real-time mode to the 32-bit protection mode or the 64-bit long mode. Its job is to read the boot. ini file under the root directory. Obviously, the boot menu is displayed on a computer with multiple operating systems. Then it will clear the screen and display a black and white progress bar under win2000. The XP logo chart is displayed under XP and the following blue progress bar is continuously scrolling, it prompts you that it is loading some important files. What is it loading? First, ntoskrnl.exe and Hal. dll will be merged. If the two files cannot be found, the system will stop working and the corresponding file information will not be found. Then it reads the system key file of the Registry and finds out the various types of drivers that are automatically started. This is critical because some kernel-level Trojans are started at this time. Each time a screen is loaded, the progress bar will scroll all at once. In the middle, if a driver fails, it may lead to a blue screen crash.

Ntoskrnl.exe(or ntkrnlpa.exe) is used to connect the 5th worker. This is a kernel program. It does a lot of work and will not be detailed here. The last step is to create the session management sub-system. We have also discussed the smss.exe process created by the systemprocess.

The 6379smss.exe process is responsible for creating the user mode environment, which provides a visual window interface to Windows.

It runs the Program defined in bootexecute. Normally, it is autochk, a disk check program. However, some anti-virus software will add its own programs to implement anti-virus during boot. If your system has installed anti-virus software for Jiangmin, it will execute its anti-virus program during the boot period, it is the blue-blue virus scanning window that appears before the system.

Smss.exe also performs the delete and move operations on the sessionmanager file, that is, calling the API: movefileex and selecting to remove the file after restart. Currently, many security tools that claim to be able to delete all files use movefileex to delete files. But now we can understand that the deletion of files is performed at this stage, at this time, the driver has been loaded, so it is obviously not competent to use them to clear the driver-level Trojan.

Create an additional page file.

Load win32k. SYS. What does this thing do? This is a kernel-mode system driver, which is responsible for window display, screen input, mouse and keyboard input and message transmission. So it is also caused by win32k. sys sets the resolution of the display to the default value. At this time, our computer screens were actually refined. Previously, they were all in VGA mode, of course, the video driver was loaded when the driver was loaded. Now it is only useful.

Then start the two processes we mentioned above. Csrss.exeand winlogon.exe processes.

After the two processes are started, smss.exe enters the infinite waiting state. What is it waiting? Butler immediately went on strike, causing the system to crash completely. (After Windows XP, the death of csrssis caused by internal system crash, not smss.exe), so do not end the system process.

What does csrss.exe do? It is responsible for creating or deleting processes, threads, and support for the console and Virtual DOS machines. It starts to work now and no longer participates in subsequent startup processes. However, winlogon.exe has a lot to do. Let's take a look at the subsequent startup process.

7. What does winlogon.exe do? Let's see its name. The login process, and then read the DLL marked in the Registry GinaDLL. This dll will display a login conversation, that is, the window for entering the user name and password when entering the system.

What if I want to start lsass.exe first for example? This is the local security authentication subsystem, which is responsible for the security of the local system. It verifies the user name and password.

Which of the following processes is started by winlogon.exe? Then, after the user logs into the system, winlogon.exe starts the process for user initialization. You can also add a program with userinit.exe. then, winlogon.exe will start all the programs at that location.

Of course, I believe you have also thought of this, and the GinaDLL will become an optional location for Trojan startup.

At last, services.exe started by winlogon.exestarts to load services marked as self-starting, and services marked as manual but necessary to be loaded (the work it has done will be detailed later ).

9. userinit.exe, after the user is renewed, the explorer.exe is started, and the system returns.

In the 10th percentile, assumer.exe becomes our waiter, waiting for our instructions to wait and follow our instructions to start and process related programs.