
Server 2008 Boot Process: Making a Boot Disk

Today's topic is something that virtually nobody has paid any attention to with either Vista or Server 2008, yet the assumption that they boot the same way as earlier Windows will undoubtedly have catastrophic ramifications for some poor tech somewhere. While not well known, the process by which Server 2008 boots is dramatically different from previous versions of Windows. It is precisely these differences that make it so critical to know how to make a proper boot disk for Server 2008, and where to start troubleshooting when your server just sits there and taunts you with flashing lights and spinning fans, with Windows nowhere to be found.

The classic Windows NT boot process is well known and goes like this:

1. You power on the machine, which hands control to the startup BIOS.
2. The startup BIOS performs the Power On Self Test (POST).
3. The BIOS loads the Master Boot Record (MBR) of the boot disk; the MBR code locates the active partition and loads that partition's boot sector (the partition boot record).
4. The boot sector loads NTLDR, which then loads the following:
   boot.ini
   ntdetect.com
   ntoskrnl.exe
   the SYSTEM registry hive
   boot-start device drivers
   hal.dll

At this point, if all has gone well, you will be looking at a running Windows NT, XP or Server 2003 machine.

In Server 2008 the boot sector loads a new file called bootmgr instead of NTLDR. Bootmgr reads the Boot Configuration Data (BCD) store, picks the entry to boot and starts winload.exe, which in turn loads:
   ntoskrnl.exe
   the SYSTEM registry hive
   boot-start device drivers
   hal.dll

Winload.exe then passes control to ntoskrnl.exe and the boot loader's part of the sequence is complete.

As can be clearly seen, the traditional boot disk files (NTLDR, boot.ini, ntdetect.com) are of no use for Server 2008, as the machine boots in a completely different fashion. Furthermore, a boot disk is unique to the Server 2008 box it was made for: the BCD store it carries identifies the operating system volume by disk signature and partition offset (and each boot entry by its own GUID), so a copy taken from one machine will not boot another.

Making a boot disk is accomplished in the following fashion:

1. Format a floppy in your Server 2008/Vista machine using the quick option.
2. Open a command prompt with elevated privileges and run the following lines:

   MKDIR A:\BOOT
   XCOPY /H C:\bootmgr A:\
   REG SAVE HKLM\BCD00000000 A:\BOOT\BCD

With this you have created the file structure a Server 2008 boot disk needs and copied the two files that boot requires. XCOPY needs the /H switch because bootmgr is a hidden system file. You will also notice that copying C:\Boot\BCD directly to the disk fails: the store is loaded as a registry hive under HKLM\BCD00000000 and locked while Windows is running, so REG SAVE exports it from the mounted hive instead. That key is mounted with restrictive permissions and is not meant to be browsed or edited with regedit.exe; REG SAVE is the way to copy it out and bcdedit.exe the way to change it.

After creating your boot disk, I would highly suggest that you test it once or twice, label it and put it away somewhere safe for a rainy day. Cheers!
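The same procedure as a script, with the checks the post leaves to the reader. This is an added example and not the original post's code; it assumes the floppy is A: and has already been quick-formatted, that the system volume holding \bootmgr and \Boot\BCD is C:, and that it runs in an elevated PowerShell 2.0 or later session. The /store switch of bcdedit.exe is the documented way to open a store other than the live one.

```powershell
# Added example (not from the original post): scripted version of the boot-disk
# procedure, with verification of the result.
# Assumptions: floppy is A:\ and already quick-formatted, the system volume holding
# \bootmgr and \Boot\BCD is C:\, and this runs in an elevated PowerShell 2.0+ session.
param(
    [string]$Floppy      = 'A:\',
    [string]$SystemDrive = 'C:\'
)
$ErrorActionPreference = 'Stop'

# 1. REG SAVE needs SeBackupPrivilege and bootmgr is a protected system file, so fail
#    early here instead of discovering a half-built disk when the server will not boot.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt (the UAC-filtered token is not enough).'
}

$bootmgrSrc = Join-Path $SystemDrive 'bootmgr'
if (-not (Test-Path $bootmgrSrc)) {
    throw "$bootmgrSrc not found; $SystemDrive does not look like the system volume."
}

# 2. Layout bootmgr expects on the boot medium: \bootmgr in the root, the store at \Boot\BCD.
$bootDir = Join-Path $Floppy 'Boot'
New-Item -ItemType Directory -Path $bootDir -Force | Out-Null

# 3. bootmgr carries the hidden+system attributes (hence XCOPY /H in the post);
#    Copy-Item with an explicit path copies it regardless, -Force overwrites a hidden target.
Copy-Item -Path $bootmgrSrc -Destination (Join-Path $Floppy 'bootmgr') -Force

# 4. \Boot\BCD is a mounted, locked hive, so export it from the registry instead.
#    reg.exe refuses to overwrite an existing file, so clear any stale copy first.
$bcdDst = Join-Path $bootDir 'BCD'
if (Test-Path $bcdDst) { Remove-Item -Path $bcdDst -Force }
& reg.exe save 'HKLM\BCD00000000' $bcdDst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg save failed with exit code $LASTEXITCODE" }

# 5. Verify the result: both files present, and the exported store still names this
#    machine's OS volume. 'device' and 'osdevice' are the elements that tie the
#    disk to this particular box, which is why the disk is not portable.
foreach ($f in @((Join-Path $Floppy 'bootmgr'), $bcdDst)) {
    if (-not (Test-Path $f)) { throw "$f is missing after copy" }
}
& bcdedit.exe /store $bcdDst /enum all |
    Select-String -Pattern '^(identifier|device|osdevice|path|description)\s' |
    ForEach-Object { $_.Line }
```

The exported store is a point-in-time snapshot, so rebuild the disk after any bcdedit change (a new entry, a changed timeout, a moved partition), and still boot from it once to prove it works before it goes in the drawer.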

Windows NT/2000/XP and Server 2003

Windows 2000, XP and Server 2003 are built on the original NT kernel, so they inherit many base features from Windows NT, including the startup process. On these operating systems it is as follows:

The partition boot sector executes the NTLDR file, found in the root "\" directory of the boot drive (normally C:\NTLDR, but this can vary on dual-boot systems). NTLDR contains enough file-system code to read the boot drive (FAT, FAT32, NTFS or CDFS) and checks for a hiberfil.sys file. If it is present and the machine was previously hibernated, the saved state is restored and the rest of this boot process is skipped.

If the machine is not resuming from hibernation, NTLDR looks for a boot.ini file in the root "\" directory of the boot drive. (If there is no boot.ini, NTLDR falls back to booting from C:\WINNT on Windows NT and 2000, or from C:\Windows on Windows XP and Server 2003.) This file lists all the operating systems installed on the computer. If there is more than one entry, and depending on the settings in boot.ini, it displays the boot menu and asks the user to choose. If the user chooses an operating system that is not Windows NT/2000/XP or Server 2003, control passes to that OS's own boot loader and the rest of this process is skipped.

Once a Windows NT/2000/XP or Server 2003 installation has been chosen, automatically or by the user, ntdetect.com runs and performs basic hardware detection. NTLDR then loads ntoskrnl.exe and hal.dll (the hardware abstraction layer through which the kernel talks to a small number of core devices), reads the SYSTEM registry hive so that the boot-start drivers for disks, CD-ROMs, display adapters and so on are known, loads those drivers, and hands control to the kernel together with the hardware information collected by ntdetect.com. This is the point where the Windows 2000/XP/Server 2003 logo appears and the system drivers are started.

Once the system drivers are running, smss.exe (the Session Manager Subsystem) starts. It checks whether the volumes were shut down cleanly and, if not, runs the famous "Chkdsk" (autochk) scan. It then loads win32k.sys, which lets Windows switch to graphical mode (YAY!), starts the Win32 subsystem process csrss.exe, which makes the Win32 API available to applications, creates the virtual memory paging files and finally starts winlogon.exe. By this point you should be seeing the "Windows is starting up" screen. Winlogon.exe starts the Local Security Authority Subsystem Service (lsass.exe) and the Service Control Manager (services.exe), which in turn starts every Windows service configured to start at boot, such as the network server and client services and Windows Firewall.

Winlogon.exe then calls GINA (Graphical Identification and Authentication, msgina.dll), which brings up the logon box for you to enter your credentials. Once you enter your password and click OK, GINA hands the username and password to LSASS, which decides whether to authenticate against the local SAM (Security Accounts Manager) or, for computers joined to a domain, against Active Directory. A standalone Windows Server 2003 machine authenticates against the SAM; a domain controller bypasses the SAM and authenticates against Active Directory. If the credentials check out, LSASS builds the user's access token, which carries the user's SID, group memberships and privileges and is what every later access check is made against. Finally, the programs in your Startup folder and in the registry Run keys are executed and the Windows shell (explorer.exe) is loaded. Your desktop appears and you can get to work.

Windows Vista, 7 & Server 2008

Windows Vista, 7 and Server 2008 are built on the same kernel lineage as 2000/XP/Server 2003, so they keep many of the base features of Windows NT, but the startup and authentication process has changed since Windows XP. On these operating systems it is as follows:

The computer boots either from the MBR (on a BIOS-based machine) or from the firmware's boot manager (on a machine based on the Extensible Firmware Interface, EFI). On a BIOS system the boot sector loads the Windows Boot Manager, bootmgr, from the root "\" directory of the system drive; on an EFI system the firmware loads its EFI build, \EFI\Microsoft\Boot\bootmgfw.efi, from the EFI System Partition. Either way it replaces NTLDR. The Windows Boot Manager then reads the Boot Configuration Data (BCD) store: the file \Boot\BCD on the system drive of a BIOS system, or \EFI\Microsoft\Boot\BCD on the EFI System Partition of an EFI system. The store is built like a registry hive and replaces boot.ini from previous versions of Windows; it holds an entry for each operating system. If the user chooses a Windows NT/2000/XP/Server 2003 entry, the Windows Boot Manager passes control to NTLDR for that OS and the old boot sequence is invoked; for other operating systems control goes to their own boot loader.

For a Windows Vista/7/Server 2008 entry, the Windows Boot Manager checks the BCD to see whether the system is resuming from hibernation, in which case winresume.exe is loaded and the saved state is restored. If the system is booting from a shutdown, winload.exe is loaded; it loads the Windows kernel (ntoskrnl.exe), and from there the boot process up to logon is the same as on Windows NT/2000/XP and Server 2003.

In Windows Vista, when you log on LSASS assigns every user a token. Users who are members of the Administrators group receive two: a limited (filtered) token, in which the Administrators group is marked deny-only and the administrative privileges are removed, and a full administrative token linked to it. Standard users receive only a limited token. (The built-in Administrator account is exempt by default and always runs with a full token.) When an administrative user starts a process that needs rights the limited token cannot supply, a UAC prompt appears asking for permission to continue.

The prompt appears on the secure desktop so that malware cannot click Continue on the user's behalf. Once permission is given, the process is started with the full administrative token and runs as normal. If a standard user starts a program that requires an administrative token, a UAC prompt also appears, but it asks for the credentials of an administrator account before continuing. This is how Vista stops programs running as administrator unless it is absolutely required.
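The split-token behaviour described above can be observed directly from the process token. The following is an added example, not code from the original article; it assumes PowerShell 2.0 or later on Vista/7/Server 2008 with UAC enabled. The Win32 signatures and the TOKEN_INFORMATION_CLASS values are the documented ones from advapi32/winnt.h; the helper function names are my own.

```powershell
# Added example (not from the original article): shows the filtered/full token pair by
# querying the current process token with the Win32 API.
# Assumes PowerShell 2.0+ on Vista/7/Server 2008 with UAC enabled. Helper names are mine.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# TOKEN_INFORMATION_CLASS values from winnt.h
$TokenElevationType = 18   # TOKEN_ELEVATION_TYPE: 1 Default, 2 Full, 3 Limited
$TokenLinkedToken   = 19   # TOKEN_LINKED_TOKEN: handle to the other half of a split token
$TokenElevation     = 20   # TOKEN_ELEVATION: TokenIsElevated (1 = elevated)

# Reads a DWORD- or pointer-sized value from GetTokenInformation for the given class.
function Get-TokenValue {
    param([IntPtr]$Token, [int]$Class, [int]$Size, [switch]$AsPointer)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($Size)
    try {
        $len = 0
        if (-not [Win32.Token]::GetTokenInformation($Token, $Class, $buf, $Size, [ref]$len)) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetTokenInformation(class $Class) failed with Win32 error $err"
        }
        if ($AsPointer) { return [Runtime.InteropServices.Marshal]::ReadIntPtr($buf) }
        return [Runtime.InteropServices.Marshal]::ReadInt32($buf)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Get-UacTokenInfo {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $token    = $identity.Token      # current process token, opened with TOKEN_QUERY
    $type     = Get-TokenValue -Token $token -Class $TokenElevationType -Size 4

    $info = @{
        User          = $identity.Name
        ElevationType = @{ 1 = 'Default (no split token: standard user, UAC off, or built-in Administrator)'
                           2 = 'Full (the elevated half)'
                           3 = 'Limited (the filtered half LSASS hands to a normal logon)' }[$type]
        IsElevated    = ((Get-TokenValue -Token $token -Class $TokenElevation -Size 4) -eq 1)
        # IsInRole evaluates the group SIDs in this token. In the filtered token the
        # Administrators SID is marked deny-only, so this is False for an admin at a normal
        # prompt even though 'whoami /groups' still lists the group.
        AdminByRole   = (New-Object Security.Principal.WindowsPrincipal($identity)).IsInRole(
                            [Security.Principal.WindowsBuiltInRole]::Administrator)
        LinkedTokenIsElevated = $null
    }

    if ($type -ne 1) {
        # The other half of the pair is reachable from either side via TokenLinkedToken.
        $linked = Get-TokenValue -Token $token -Class $TokenLinkedToken -Size ([IntPtr]::Size) -AsPointer
        try {
            $info.LinkedTokenIsElevated = ((Get-TokenValue -Token $linked -Class $TokenElevation -Size 4) -eq 1)
        } finally {
            [Win32.Token]::CloseHandle($linked) | Out-Null
        }
    }
    New-Object PSObject -Property $info
}

Get-UacTokenInfo | Format-List User, ElevationType, IsElevated, AdminByRole, LinkedTokenIsElevated
```

Run it three ways to see the article's claim in practice: from a normal prompt as a member of Administrators it reports Limited, IsElevated False, AdminByRole False and LinkedTokenIsElevated True; from a "Run as administrator" prompt it reports Full, True, True and False (the linked token is now the filtered one); as a standard user, with UAC disabled, or as the built-in Administrator it reports Default with no linked token. The AdminByRole result is the one that trips up scripts: checking group membership is not the same as checking elevation, and only the TokenElevation query answers the latter.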
