The Birth of Windows Desktop

Have you ever thought about how your operating system (Windows) is loaded? It is quite interesting to know the small details involved in the process, and this article will shed some light on them. The processor starts executing the moment you power on the system. The major steps that follow are listed below.
1.       The BIOS performs some initial checks and reads the zero sector of the hard disk. This zero sector has a special name: the MBR (Master Boot Record).

Snap from HxD hex editor


2.       The MBR contains two sections:
2.1.    Boot code (446 bytes)
2.2.    Partition table entries (the 16-byte coloured entries at the bottom of the picture)

3.       The purpose of the boot code is to iterate over the partition table entries and look for a bootable partition: if the first byte of a partition entry is 0x80, that partition is bootable (also called the boot partition or system volume). Only four entries can be specified in the MBR. Does that mean we are limited to four drives? No, and this is where extended partitions come into the picture.

4.       Besides locating the boot partition, the boot code also needs to know exactly at which sector that partition begins. It finds this by examining the 8th-12th bytes of the partition entry (in the picture above these are 3f 00 00 00, which read as a little-endian value gives 0000003f = the 63rd sector). In general this will be the 63rd sector.
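
The layout described in steps 1 to 4 is easy to check with a small parser. The following is an added example, not code from the original post: it splits a 512-byte sector into the 446-byte boot code, the four 16-byte partition entries and the 55 AA signature, reads the 0x80 boot flag and the little-endian starting LBA (the 3f 00 00 00 = 63 case from the picture), and flags extended-partition containers (type 0x05 or 0x0F). The sample sector it builds is constructed for illustration; only the layout constants are real.

```python
"""Parse a 512-byte MBR: boot code, four partition entries and the signature.

Added example (not from the original post). The sample sector built below is
constructed for illustration; only the layout constants are real.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446                 # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510               # 55 AA on disk, read little-endian as 0xAA55
MBR_SIGNATURE = 0xAA55
ACTIVE_FLAG = 0x80                   # first byte of an entry marks it bootable
EXTENDED_TYPES = {0x05, 0x0F}        # CHS and LBA extended-partition containers


@dataclass
class PartitionEntry:
    slot: int              # 0..3, position in the table
    bootable: bool
    type_id: int           # e.g. 0x07 for NTFS, 0x05/0x0F for extended
    start_lba: int         # first sector of the partition (3f 00 00 00 in the post = 63)
    sector_count: int

    @property
    def is_extended(self) -> bool:
        return self.type_id in EXTENDED_TYPES

    @property
    def start_byte_offset(self) -> int:
        return self.start_lba * SECTOR_SIZE


def parse_partition_entry(slot: int, raw: bytes) -> Optional[PartitionEntry]:
    """Decode one 16-byte table entry; an all-zero entry is an unused slot."""
    if len(raw) != PARTITION_ENTRY_SIZE:
        raise ValueError("partition entry must be exactly 16 bytes")
    if not any(raw):
        return None
    boot_flag = raw[0]
    type_id = raw[4]
    # Bytes 8..11: starting LBA, bytes 12..15: sector count, both little-endian
    start_lba, sector_count = struct.unpack_from("<II", raw, 8)
    return PartitionEntry(slot, boot_flag == ACTIVE_FLAG, type_id, start_lba, sector_count)


@dataclass
class Mbr:
    boot_code: bytes
    partitions: List[PartitionEntry]

    def boot_partition(self) -> Optional[PartitionEntry]:
        """The entry a boot loader would pick: the one flagged 0x80, if any."""
        active = [p for p in self.partitions if p.bootable]
        if len(active) > 1:
            raise ValueError("more than one partition is flagged active")
        return active[0] if active else None

    def has_extended(self) -> bool:
        return any(p.is_extended for p in self.partitions)


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{signature:04X}, expected 0xAA55")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(slot, sector[off:off + PARTITION_ENTRY_SIZE])
        if entry is not None:
            partitions.append(entry)
    return Mbr(sector[:BOOT_CODE_SIZE], partitions)


def build_sample_mbr() -> bytes:
    """Constructed sample: one active NTFS partition at LBA 63 plus an extended container."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_SIZE - 2)   # 'jmp $' filler, not real loader code
    # Flag, CHS start (3 bytes, ignored here), type, CHS end (3 bytes), LBA start, sector count
    ntfs = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 20_971_457)
    extended = bytes([0x00, 0xFE, 0xFF, 0xFF, 0x0F, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 20_971_520, 41_943_040)
    table = ntfs + extended + b"\x00" * (2 * PARTITION_ENTRY_SIZE)
    return boot_code + table + b"\x55\xAA"


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    boot = mbr.boot_partition()
    print(f"boot partition: slot {boot.slot}, type 0x{boot.type_id:02X}, starts at sector {boot.start_lba}")
    print("extended partition present:", mbr.has_extended())
```

Feeding the first 512 bytes of a disk image to `parse_mbr` gives the same information the HxD screenshot shows by hand; a missing 55 AA signature or two entries flagged 0x80 are exactly the conditions under which the real boot code cannot proceed.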

5.       The first sector of the bootable partition (here the 63rd) is called the boot sector. It contains just enough code to read a special file named ntldr (NT loader) from the root of the system drive (c:). This is the point at which you may sometimes see the “NTLDR is missing” error message. ntldr performs the following tasks:
5.1.    Its main purpose is to set the stage for the Windows kernel to load.
5.2.    It enables paging and performs preliminary hardware detection using BIOS interrupt (int) routines.
5.3.    It reads boot.ini to display the boot menu.

Windows boot menu created from c:\boot.ini


5.4.    If the system was hibernated at the last shutdown, it resumes from hiberfil.sys.
5.5.    Most importantly, it loads the boot start drivers (the core drivers needed for the OS to function). The following are examples of boot start drivers:

Drivers tab in process hacker displaying boot start drivers


5.6.    It sets up CPU registers etc. and passes control to ntoskrnl.exe (the NT OS kernel). This ends the life of ntldr.
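
Step 5.3 is where boot.ini turns into the menu in the screenshot. As an added example (not code from the original post), the parser below reads the `[boot loader]` and `[operating systems]` sections and decodes each entry's ARC path, so the `partition(1)` in `multi(0)disk(0)rdisk(0)partition(1)\WINDOWS` can be tied back to the first entry of the partition table from steps 2 to 4. The sample boot.ini is constructed; the ARC syntax and section names are the real ones. It also handles two edge cases: legacy entries such as `C:\=` that are not ARC paths, and a `default=` line that matches no entry.

```python
"""Parse boot.ini and decode the ARC paths that name each boot entry.

Added example (not from the original post). SAMPLE_BOOT_INI is constructed;
the ARC path syntax and the [boot loader]/[operating systems] sections are real.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ARC_PATH_RE = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<adapter_arg>[0-9A-Fa-f]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<sysroot>\\.*)?$"
)


@dataclass
class ArcPath:
    adapter: str        # multi / scsi / signature
    adapter_arg: str    # controller number, or the disk signature for signature()
    disk: int
    rdisk: int          # physical disk number on the controller
    partition: int      # 1-based index into the MBR partition table
    sysroot: str        # e.g. \WINDOWS


def parse_arc_path(text: str) -> ArcPath:
    m = ARC_PATH_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ARC path: {text!r}")
    return ArcPath(m["adapter"], m["adapter_arg"], int(m["disk"]), int(m["rdisk"]),
                   int(m["partition"]), m["sysroot"] or "")


@dataclass
class BootEntry:
    target: str                  # raw key: an ARC path, or a drive letter for legacy entries
    arc: Optional[ArcPath]       # None for non-ARC entries such as C:\=
    description: str             # text shown in the menu
    switches: List[str]          # /fastdetect, /noexecute=optin, ...


@dataclass
class BootMenu:
    timeout: Optional[int]
    default: Optional[str]
    entries: List[BootEntry]

    def default_entry(self) -> Optional[BootEntry]:
        for e in self.entries:
            if self.default is not None and e.target.lower() == self.default.lower():
                return e
        return None   # a default that matches no entry is a mis-edited boot.ini


def parse_boot_ini(text: str) -> BootMenu:
    section = None
    timeout: Optional[int] = None
    default: Optional[str] = None
    entries: List[BootEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            if key.lower() == "timeout":
                timeout = int(value)
            elif key.lower() == "default":
                default = value
        elif section == "operating systems":
            # value is a quoted description followed by optional /switches
            m = re.match(r'^"([^"]*)"\s*(.*)$', value)
            description, rest = (m.group(1), m.group(2)) if m else (value, "")
            try:
                arc: Optional[ArcPath] = parse_arc_path(key)
            except ValueError:
                arc = None
            entries.append(BootEntry(key, arc, description, rest.split()))
    return BootMenu(timeout, default, entries)


# Constructed sample resembling a dual-boot XP / Windows 2000 boot.ini
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\\="Microsoft Windows"
"""

if __name__ == "__main__":
    menu = parse_boot_ini(SAMPLE_BOOT_INI)
    for e in menu.entries:
        where = f"partition {e.arc.partition} of rdisk {e.arc.rdisk}" if e.arc else e.target
        print(f"{e.description!r:45} -> {where} {' '.join(e.switches)}")
    print("default:", menu.default_entry().description, "timeout:", menu.timeout)
```

`default_entry()` returning `None` is the programmatic version of a boot menu whose highlighted entry does not exist; that and an ARC path pointing at a partition number the MBR does not contain are the two boot.ini mistakes most worth checking before a reboot.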

6.       Ntoskrnl is mainly responsible for setting up the following OS services (this is when you see the Windows XP logo and progress bar):
6.1.    Phase 0 Initialization
6.1.1.Memory Management Services
6.1.2.Process Management Services (the first kernel-mode process, the System process, is created)
6.1.3.Object Manager Services
6.1.4.Plug and Play Management Services
6.1.5.Security Reference Monitor Services
6.2.    Phase 1 Initialization
6.2.1.HAL initialization (Hardware Abstraction Layer)
6.2.2.Multiprocessor support
6.2.3.Scheduler support (inherently dependent on processor architecture)
6.2.4.Power management

Kernel and boot drivers initialization


7.       Control now passes to smss.exe (Session Manager Subsystem). It is the first user-mode process created in the lifetime of Windows.

Threads inside System and Smss processes


7.2.    The following tasks are performed by the smss process:
7.2.1. Runs check disk (disk check)

Disk check triggered by smss process


7.2.2. Performs pending file copies and deletes. Some software needs to overwrite files that are in use by the OS and therefore asks you to reboot; this is the phase in which those pending copies and deletes are carried out.
7.2.3.Creates the page file (pagefile.sys)

Registry path to PagingFiles – Used by Smss for creating page files
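
The pending copies and deletes of step 7.2.2 are queued in the registry, in the `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` (the same key whose `Memory Management` subkey holds the `PagingFiles` value shown above). The decoder below is an added example, not code from the original post. It assumes the documented layout of that value: a REG_MULTI_SZ of (source, destination) pairs in NT path form such as `\??\C:\...`, where an empty destination means delete and a leading `!` on the destination means replace an existing file. `SAMPLE_BLOB` is constructed. Reading this value is a standard item in incident triage, since anything queued here is written by smss before any user-mode security product starts.

```python
"""Decode the REG_MULTI_SZ value smss.exe consumes for pending renames/deletes.

Added example (not from the original post). Assumes the documented layout of
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations:
UTF-16LE strings in (source, destination) pairs, an empty destination meaning
delete, and a leading '!' on the destination meaning replace an existing file.
SAMPLE_BLOB is constructed.
"""
from dataclasses import dataclass
from typing import List

NT_PREFIX = "\\??\\"   # installers write NT-style paths such as \??\C:\...


def decode_reg_multi_sz(blob: bytes) -> List[str]:
    """REG_MULTI_SZ: NUL-terminated UTF-16LE strings followed by one extra NUL."""
    text = blob.decode("utf-16-le")
    if text.strip("\x00") == "":
        return []                    # empty list (just terminators)
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with an empty terminator string")
    body = text[:-1]                 # drop the list terminator, keep each string's own NUL
    return body.split("\x00")[:-1]   # drop the empty piece after the final NUL


def encode_reg_multi_sz(strings: List[str]) -> bytes:
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


@dataclass
class PendingOperation:
    source: str
    destination: str          # "" when the source is to be deleted
    replace_existing: bool    # destination carried the '!' prefix

    @property
    def is_delete(self) -> bool:
        return self.destination == ""


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_file_renames(blob: bytes) -> List[PendingOperation]:
    strings = decode_reg_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for source, destination in zip(strings[0::2], strings[1::2]):
        replace = destination.startswith("!")
        if replace:
            destination = destination[1:]
        ops.append(PendingOperation(_strip_nt_prefix(source), _strip_nt_prefix(destination), replace))
    return ops


def operations_under(ops: List[PendingOperation], directory: str) -> List[PendingOperation]:
    """Triage helper: operations whose source or destination lies under `directory`."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [op for op in ops
            if op.source.lower().startswith(prefix) or op.destination.lower().startswith(prefix)]


# Constructed sample: one replace-on-reboot of a DLL and one delete of a temp file
SAMPLE_BLOB = encode_reg_multi_sz([
    r"\??\C:\Windows\System32\example.dll.tmp",
    r"!\??\C:\Windows\System32\example.dll",
    r"\??\C:\Windows\Temp\setup.log",
    "",
])

if __name__ == "__main__":
    for op in decode_pending_file_renames(SAMPLE_BLOB):
        action = "delete" if op.is_delete else ("replace" if op.replace_existing else "move")
        print(f"{action:8} {op.source} -> {op.destination or '(deleted)'}")
```

On a live system the blob would come from the registry (for instance the raw bytes an offline hive parser returns for that value); `operations_under` then narrows the list to the directories you care about, such as System32, so that a queued replacement of a system DLL stands out before the reboot carries it out.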


7.3.    Loads the registry hives from Windows\System32\Config\*.*

7.4.    Finally it creates two processes: csrss.exe (Client/Server Run-Time Subsystem) and winlogon.exe.
7.4.1.Csrss.exe is responsible for the user-mode side of the system and acts as an interface for the Windows API.
7.4.2.Winlogon.exe is responsible for starting all auto-start services (via services.exe) and creating lsass.exe (Local Security and Authentication Subsystem), the process that authenticates user logons.
7.4.3.Next, winlogon shows the logon screen to the user. Upon successful logon, winlogon loads explorer.exe under the current user's profile. This is where you see the desktop.

Winlogon displaying active login screen


Explorer created under the currently logged-in user account
The Desktop is Born!


Though the actual process involves more complicated steps, I have oversimplified the overall flow in favour of novice users and tried not to lose the brevity of the content. Please feel free to comment on the post. Positive criticism is most welcome.
