The Birth of Windows Desktop

Have you ever wondered how your operating system (Windows, in this case) gets loaded? The details involved are interesting, and this article sheds some light on them. The processor starts executing the moment you power on the system. The major steps, for a BIOS/MBR machine running Windows XP, are the following.
1. The BIOS performs its power-on self test, then reads sector zero of the hard disk (LBA 0) into memory and jumps to it. This sector has a special name: the MBR (Master Boot Record).

Snap from HxD hex editor


2. The MBR has three parts:
2.1. Boot code (446 bytes)
2.2. Partition table: four 16-byte entries (the coloured entries at the bottom of the picture)
2.3. The two-byte boot signature 0x55 0xAA, which the BIOS checks before it runs the boot code

3. The boot code iterates over the four partition table entries looking for the bootable one: if the first byte of an entry (the status byte) is 0x80, that partition is active. It is also called the boot partition, or in Microsoft's terminology the system volume. The boot code then loads that partition's first sector into memory and jumps to it. (Only four entries fit in the MBR. Does that limit us to four drives? No, and this is where extended partitions come into the picture: one entry describes a container partition, and the logical drives inside it are described by a chain of extended boot records.)

4. Besides identifying the boot partition, the boot code needs to know exactly which sector it begins at. That is stored in bytes 8 to 11 of the partition entry as a 4-byte little-endian LBA: in the picture above the bytes are 3f 00 00 00, i.e. 0x0000003f = 63, so the partition starts at LBA 63. On disks of this era that is the usual value, because the first track of 63 sectors is reserved for the MBR.
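To make steps 1 to 4 concrete, here is an added example (not code from the original post) that parses an MBR the way the boot code and a partition-table viewer would: it checks the 0x55AA signature, decodes the four 16-byte entries, picks the active (0x80) one, converts its little-endian start LBA to a byte offset, and walks the extended boot record chain to list the logical drives inside a container partition. The disk image is constructed inline for the demonstration (a 1 GiB NTFS system volume at LBA 63 plus an extended container holding two logical drives); read_sample_sector stands in for reading real sectors, and the partition-type names are the conventional MBR type codes.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"            # last two bytes of a valid MBR or EBR
EXTENDED_TYPES = {0x05, 0x0F}           # CHS-extended / LBA-extended container partitions


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry. The CHS fields are ignored:
    the 4-byte little-endian LBA at offset 8 is what the loader uses."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_table(sector):
    """Validate the boot signature and return the non-empty entries at offset 446."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        e = parse_partition_entry(sector[446 + 16 * i: 462 + 16 * i])
        if e["type"] != 0:                  # type 0 means an unused slot
            e["index"] = i
            entries.append(e)
    return entries


def find_boot_partition(entries):
    """The MBR boot code hands control to the single entry whose status byte is 0x80."""
    active = [e for e in entries if e["bootable"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def walk_extended(read_sector, container):
    """Follow the EBR chain inside an extended partition and return its logical drives.
    In an EBR, entry 0 (the logical drive) is relative to that EBR's own sector, while
    entry 1 (the link to the next EBR) is relative to the start of the container."""
    base = container["lba_start"]
    ebr_lba, logical, seen = base, [], set()
    while ebr_lba not in seen:
        seen.add(ebr_lba)                   # a looped chain on a corrupt disk must not spin forever
        by_index = {e["index"]: e for e in parse_table(read_sector(ebr_lba))}
        if 0 in by_index:
            part = dict(by_index[0])
            part["lba_start"] += ebr_lba    # make the logical drive's start absolute
            logical.append(part)
        if 1 not in by_index:
            break
        ebr_lba = base + by_index[1]["lba_start"]
    return logical


def describe_disk(read_sector):
    """Parse the MBR at LBA 0 and any extended containers. read_sector(lba) returns 512 bytes."""
    primaries = parse_table(read_sector(0))
    logicals = []
    for p in primaries:
        if p["type"] in EXTENDED_TYPES:
            logicals.extend(walk_extended(read_sector, p))
    boot = find_boot_partition(primaries)
    return {"boot": boot, "boot_byte_offset": boot["lba_start"] * SECTOR_SIZE,
            "primaries": primaries, "logicals": logicals}


# --- constructed sample disk (not a real image) ---------------------------------------
def _entry(status, ptype, lba_start, sectors):
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba_start, sectors)


def _sector(*entries):
    return b"\x00" * 446 + b"".join(entries).ljust(64, b"\x00") + BOOT_SIGNATURE


EXT_BASE = 2_097_215
SAMPLE_DISK = {
    0: _sector(_entry(0x80, 0x07, 63, 2_097_152),                 # active NTFS system volume at LBA 63
               _entry(0x00, 0x0F, EXT_BASE, 4_194_304)),          # extended container
    EXT_BASE: _sector(_entry(0x00, 0x07, 63, 1_048_513),          # first logical drive
                      _entry(0x00, 0x05, 1_048_576, 1_048_576)),  # link to the next EBR
    EXT_BASE + 1_048_576: _sector(_entry(0x00, 0x07, 63, 1_048_513)),  # last logical drive, no link
}


def read_sample_sector(lba):
    """Stand-in for reading a sector from disk; only the sectors defined above exist."""
    return SAMPLE_DISK[lba]


if __name__ == "__main__":
    disk = describe_disk(read_sample_sector)
    print("boot partition starts at LBA", disk["boot"]["lba_start"], "=", disk["boot_byte_offset"], "bytes")
    for p in disk["logicals"]:
        print("logical drive at LBA", p["lba_start"])
```

On a real disk read_sector would be a 512-byte read at lba * 512 from the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux), which needs administrative rights.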

5. The first sector of the bootable partition (LBA 63 here) is called the boot sector, or volume boot record. It contains just enough code to find and read a file named ntldr (NT loader) from the root of the system volume (c:\). This is where you may at times see the "NTLDR is missing" error message. ntldr performs the following tasks.
5.1. Its main purpose is to set the stage for the Windows kernel to load.
5.2. It switches the processor into protected mode with paging enabled, and performs preliminary hardware detection through BIOS interrupt calls (via ntdetect.com).
5.3. It reads boot.ini to display the boot menu.

Windows boot menu created from c:\boot.ini


5.4. If the system was hibernated at the last shutdown, it is resumed from hiberfil.sys and the rest of the sequence is skipped.
5.5. Most importantly, it loads the SYSTEM registry hive and, from it, the boot-start drivers (those with Start = 0: the core drivers the OS needs before it can do anything else). ntldr only loads them into memory; the kernel initializes them later. The following are examples of boot-start drivers.

Drivers tab in Process Hacker displaying boot-start drivers


5.6. Sets up the CPU registers etc. and passes control to ntoskrnl.exe (the NT OS kernel), which it has loaded together with hal.dll. This ends the life of ntldr.

6. ntoskrnl is mainly responsible for setting up the following OS services (this is where you see the Windows XP logo and progress bar).
6.1. Phase 0 initialization
6.1.1. Memory management services
6.1.2. Process management services (the first kernel-mode process, the System process, is created here)
6.1.3. Object manager services
6.1.4. Plug and Play management services
6.1.5. Security Reference Monitor services
6.2. Phase 1 initialization
6.2.1. HAL (Hardware Abstraction Layer) initialization
6.2.2. Multiprocessor support (the remaining CPUs are started)
6.2.3. Scheduler support (inherently dependent on the processor architecture)
6.2.4. Power management
6.2.5. I/O manager initialization, which initializes the boot-start drivers ntldr loaded and then loads the system-start drivers

kernel and boot drivers initialization


7. Control now passes to smss.exe (Session Manager Subsystem), the first user-mode process created in the life of Windows.

Threads inside System and Smss processes


7.2. smss performs the following tasks.
7.2.1. Runs autochk.exe, the boot-time check disk, on any volume that is marked dirty

Disk check triggered by smss process


7.2.2. Performs pending file renames and deletes. Some installers need to replace files that are in use by the OS, so they ask you to reboot and queue the work in the PendingFileRenameOperations registry value; this is the phase where that queued work is carried out.
7.2.3. Creates the page file(s) (pagefile.sys) listed in the PagingFiles registry value.

Registry path to PagingFiles – Used by Smss for creating page files


7.3. Loads the remaining registry hives from \Windows\System32\Config\

7.4. Finally it creates two processes: csrss.exe (Client/Server Run-Time Subsystem) and winlogon.exe.
7.4.1. csrss.exe is the user-mode part of the Windows subsystem; it handles console windows and part of the process and thread bookkeeping behind the Windows API.
7.4.2. winlogon.exe starts the Service Control Manager (services.exe), which launches all auto-start services, and lsass.exe (Local Security Authority Subsystem Service), the process that authenticates user logons.
7.4.3. winlogon then shows the logon screen to the user. On a successful logon it runs userinit.exe in the user's session, which launches explorer.exe under the current user profile. This is where you see the desktop.

Winlogon displaying active login screen


Explorer created with current logged in user account
The Desktop is Born!


Though the actual process involves more complicated steps, I have oversimplified the overall flow in favour of novice users and tried not to lose the brevity of the content. Please feel free to comment on the post. Positive criticism is most welcome.

Reference: Windows Internals, 4th ed., Mark E. Russinovich and David A. Solomon

Setting up kernel mode debugger in windows

Whenever there is a bug in your program you usually open a debugger (Turbo C++, GDB, the Visual Studio debugger, etc.) to fix it, but how do you debug a bug in the operating system itself? Can you load the running OS into a debugger? The simple answer is no. A debugger relies on services of the OS it runs on, so an OS cannot be debugged with its own help. In such scenarios we need two machines: one running the defective OS (the slave, or target) and another running the debugger software (the master, or host). Earlier people connected the two machines with a cable, typically a serial null-modem cable, and once the slave machine had started they paused its execution by attaching the debugger from the master machine. It used to be the only solution, and it has several drawbacks.

  1. The connection between the machines is too slow, because all data and commands have to pass back and forth between master and slave over the cable.
  2. It requires extra hardware: a cable and two separate machines.

Fortunately there are now much better options for beginners who want to study the internals of the OS by debugging. With virtual machines we no longer need two physical machines: the slave is one of the guest VMs and the master is the host (your real physical machine). The connection between host and guest has been made even simpler by a tool called VirtualKD (Virtual Kernel Debugger). Without it you would have to expose the guest's serial port as a named pipe on the host by hand and add the debug options (/debug /debugport=com1 /baudrate=115200) to the guest's boot.ini, which is a little time-consuming. So in this tutorial I will help you set up a kernel-mode debugger.

I will be using following tools.

  1. WinDbg (the Windows kernel debugger)
  2. VirtualBox (the virtual machine manager)
  3. VirtualKD (a tool that enables very fast kernel debugging between host and guest machines)

Hereafter, whenever I refer to the OS, it means a version of Windows.

First, install VirtualBox and then install a guest OS of your choice; here I demonstrate with Windows XP as the guest.
Second, extract VirtualKD to some folder, then:
Rename the VBoxDD.dll file in your VirtualBox program files folder to VBoxDD0.dll.
Copy the modified VBoxDD.dll from the VirtualKD archive into the VirtualBox directory (make sure you pick the correct x86 or x64 version of VBoxDD.dll).


Third, install WinDbg (a simple next-next install).
For any debugger to work properly we need the symbol files of the program being debugged. Think of these files as extra information about the program that lets the debugger display meaningful names: with the correct symbols you get function names, line numbers, etc.; without them you see hard-to-read hex addresses. The following lines configure symbol files for your operating system.

If you have an internet connection all the time, follow this:
o   Create an environment variable named _NT_SYMBOL_PATH and set its value to srv*c:\symbols*http://msdl.microsoft.com/download/symbols
o   Symbols are then downloaded on demand from the Microsoft symbol server into c:\symbols
Otherwise, follow this:
o   Create an environment variable named _NT_SYMBOL_PATH and set its value to c:\symbols
o   Run symchk.exe, which ships with Debugging Tools for Windows next to WinDbg: "C:\Program Files\Debugging Tools for Windows\symchk.exe" /r c:\windows\system32\* /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
o   The above command fetches the symbols for every file under system32 at once (it takes time and disk space)
o   It is a one-time task

When WinDbg is launched it reads this variable to find the symbol path.

Fourth, run the VirtualKD guest installer (vminstall.exe) inside the guest machine and reboot the guest as instructed.

Once you are at the boot menu, the guest shows an additional boot entry added by VirtualKD:


Choose the highlighted one. Then, on the host, open vmmon.exe from VirtualKD; it automatically launches WinDbg, connects it to the currently running VM and pauses the VM's execution.


Done. The rest is left to your imagination.

The Anatomy of Information Technology

The title is 'The Anatomy of Information Technology', and I would like to talk about it in general from a technical point of view. As an Information Technology graduate, it is always good to know what it is. Many people often ask me the following questions:
  1. "What is jQuery? Is it mandatory to learn JavaScript to use jQuery?"
  2. "What is the Win32 API? Can I develop sneaky GUI interfaces in it?"
  3. "In which language might this piece of software have been created?"
  4. "How do we create such effects in web pages? Is it done in Photoshop or Dreamweaver?"
  5. "Which technology is right for a particular task?"
  6. "How do I write a virus program in Java?"
  7. "bla... bla... etc."
Though I may not answer all of the above questions in this article, I am particularly excited to present how we can classify the various technologies that exist in today's market, with their pros and cons.
The classification is based on the platform and on the type of development we do to accomplish the task.
Fundamentals are always important. Today we have ever-growing gigantic frameworks to help us, but it is always good to be aware of how the same task can be done without them. This is particularly true of jQuery. jQuery is a library built on top of JavaScript; it only contains convenience functions that make mundane JavaScript tasks easier. Though I don't recommend that you become a black belt in JavaScript, it is good to know what it is and what its pluses and minuses are.
Get to know what each technology is for. Take the 4th question: first we should know what Photoshop and Dreamweaver are each used for (image editing versus web page authoring). Then the answer is simple.
Choosing the right technology and tools plays an important role in fulfilling the task. Take the 6th question: small viruses can be written in Java, but it is not the right choice, because Java on its own won't help us query low-level system details (what processes are running on the current machine, injecting code into the winlogon process, etc.); that needs native code, reached from Java only through JNI.
Similarly, the Win32 API is the collection of low-level user-mode system functions of Windows (files, processes, threads, windowing, and so on). Device drivers are written against the kernel-mode APIs that ship with the Driver Development Kit, not Win32. Although we can create a GUI with Win32 alone, it is no cakewalk to code sneaky skinned interfaces like those of Windows Media Player or Kaspersky in raw Win32.
I have not considered data exchange formats like XML, JSON, etc., and have left out the description of the software involved in the development process, such as NetBeans, Eclipse, Visual Studio, Tomcat, JBoss, etc.

The above discussion is entirely my own opinions and understanding. Please correct me if I am wrong, and please comment on the post if you have any queries related to a particular technology.

CSS selectors 101

This time I want to give a glimpse of CSS (Cascading Style Sheets).
Before jumping into CSS it is better to know what a web page is made of. Basically, any moderately complex web page is composed of three technologies:

  1. HTML: content
  2. JavaScript: behaviour
  3. CSS: presentation

Finding removable drive type(CD or DVD) in Windows

The heart of the following code snippet is the DeviceIoControl Win32 function with the IOCTL_STORAGE_GET_MEDIA_TYPES_EX control code (used to get the media types a device supports).
The MSDN documentation for IOCTL_STORAGE_GET_MEDIA_TYPES_EX is not much help. There isn't much to explain in the code:

  1. Enumerate each drive (using the bit vector returned by GetLogicalDrives: bit 0 is A:, bit 1 is B:, and so on)
  2. Determine whether the drive is removable or an optical drive (GetDriveType returns DRIVE_REMOVABLE or DRIVE_CDROM)
  3. Open the device (using CreateFile on \\.\X: rather than a file on the volume) and pass the handle to DeviceIoControl. ** The output buffer must be big enough to hold the GET_MEDIA_TYPES header plus one DEVICE_MEDIA_INFO for every media type the device reports, otherwise the call fails ** (the documentation does not make this obvious)
  4. Finally examine the mediaTypes->DeviceType value (FILE_DEVICE_CD_ROM for a CD drive, FILE_DEVICE_DVD for a DVD drive)
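The post's own snippet is not reproduced above, so here is an added example of the four steps written in Python with ctypes (this is not the author's code). The parts that can be exercised offline are the decoding of the GetLogicalDrives bit vector and of the GET_MEDIA_TYPES structure; query_removable_drives makes the real kernel32 calls and only runs on Windows. Assumptions: the CTL_CODE arithmetic and the DRIVE_*, FILE_DEVICE_* and error constants are the values from the Windows SDK headers, sizeof(DEVICE_MEDIA_INFO) is taken as 32 bytes with the MediaType field read from the DiskInfo/RemovableDiskInfo arm of the union, and build_get_media_types fabricates a buffer purely so the parser can be tested. It also handles the case the post warns about: when DeviceIoControl reports the buffer as too small, it is retried with a larger one.

```python
import ctypes
import struct
import sys

# Values from the Windows SDK headers
DRIVE_REMOVABLE = 2
DRIVE_CDROM = 5
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
OPEN_EXISTING = 3
ERROR_INSUFFICIENT_BUFFER = 122
ERROR_MORE_DATA = 234
DEVICE_TYPE_NAMES = {0x02: "CD-ROM", 0x07: "disk", 0x33: "DVD"}   # FILE_DEVICE_* in GET_MEDIA_TYPES.DeviceType
DEVICE_MEDIA_INFO_SIZE = 32        # assumed sizeof(DEVICE_MEDIA_INFO): union whose largest arm is DiskInfo
GET_MEDIA_TYPES_HEADER = "<II"     # DWORD DeviceType, DWORD MediaInfoCount, then MediaInfo[]


def ctl_code(device_type, function, method, access):
    """The CTL_CODE macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# CTL_CODE(IOCTL_STORAGE_BASE = 0x2D, 0x0301, METHOD_BUFFERED, FILE_ANY_ACCESS)
IOCTL_STORAGE_GET_MEDIA_TYPES_EX = ctl_code(0x2D, 0x0301, 0, 0)


def drive_letters(mask):
    """Decode the GetLogicalDrives() bit vector: bit 0 = A:, bit 1 = B:, ..."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def parse_get_media_types(buf, nbytes=None):
    """Decode the GET_MEDIA_TYPES structure that IOCTL_STORAGE_GET_MEDIA_TYPES_EX fills in."""
    n = len(buf) if nbytes is None else nbytes
    header = struct.calcsize(GET_MEDIA_TYPES_HEADER)
    if n < header:
        raise ValueError("buffer too small for the GET_MEDIA_TYPES header")
    device_type, count = struct.unpack_from(GET_MEDIA_TYPES_HEADER, buf, 0)
    needed = header + count * DEVICE_MEDIA_INFO_SIZE
    if n < needed:
        raise ValueError(f"buffer holds {n} bytes but {count} media entries need {needed}")
    media_types = []
    for i in range(count):
        off = header + i * DEVICE_MEDIA_INFO_SIZE
        # DiskInfo arm: LARGE_INTEGER Cylinders (8 bytes) then STORAGE_MEDIA_TYPE MediaType
        (media_type,) = struct.unpack_from("<I", buf, off + 8)
        media_types.append(media_type)
    return {"device_type": device_type,
            "device_name": DEVICE_TYPE_NAMES.get(device_type, f"other (0x{device_type:x})"),
            "media_types": media_types}


def build_get_media_types(device_type, media_types):
    """Fabricate a GET_MEDIA_TYPES buffer (constructed data, used only to exercise the parser)."""
    out = struct.pack(GET_MEDIA_TYPES_HEADER, device_type, len(media_types))
    for mt in media_types:
        out += struct.pack("<qI", 0, mt) + b"\x00" * (DEVICE_MEDIA_INFO_SIZE - 12)
    return out


def query_removable_drives():
    """Steps 1-4 of the post against the live system: Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("needs Windows: this function calls kernel32 through ctypes")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetLogicalDrives.restype = ctypes.c_uint32
    k32.GetDriveTypeW.argtypes = [ctypes.c_wchar_p]
    k32.GetDriveTypeW.restype = ctypes.c_uint32
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
                                ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32),
                                    ctypes.c_void_p]
    k32.DeviceIoControl.restype = ctypes.c_int
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value       # INVALID_HANDLE_VALUE
    results = {}
    for letter in drive_letters(k32.GetLogicalDrives()):                        # step 1
        if k32.GetDriveTypeW(f"{letter}:\\") not in (DRIVE_REMOVABLE, DRIVE_CDROM):  # step 2
            continue
        # Open the volume device itself; desired access 0 is enough for a query IOCTL
        handle = k32.CreateFileW(f"\\\\.\\{letter}:", 0, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 None, OPEN_EXISTING, 0, None)                   # step 3
        if handle == invalid_handle:
            results[letter] = f"open failed: error {ctypes.get_last_error()}"
            continue
        try:
            size = 4096
            while True:
                buf = ctypes.create_string_buffer(size)
                returned = ctypes.c_uint32(0)
                ok = k32.DeviceIoControl(handle, IOCTL_STORAGE_GET_MEDIA_TYPES_EX, None, 0,
                                         buf, size, ctypes.byref(returned), None)
                if ok:
                    results[letter] = parse_get_media_types(buf.raw, returned.value)  # step 4
                    break
                err = ctypes.get_last_error()
                if err in (ERROR_INSUFFICIENT_BUFFER, ERROR_MORE_DATA) and size < (1 << 20):
                    size *= 2        # output must hold every DEVICE_MEDIA_INFO: grow and retry
                    continue
                results[letter] = f"DeviceIoControl failed: error {err}"
                break
        finally:
            k32.CloseHandle(handle)
    return results


if __name__ == "__main__":
    for letter, info in query_removable_drives().items():
        print(f"{letter}: {info}")
```

Running the script on a Windows box prints one line per removable or optical drive with its decoded DeviceType name and the raw STORAGE_MEDIA_TYPE values; an empty optical drive still answers, since the IOCTL reports what the device supports, not what is inserted.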

I hope it helps you. Please comment on it.