Are NTDETECT and NTOSKRNL available with UEFI GPT booting?

1

I am not able to understand the process after ESP will call Boot Manager where it'll begin loading Boot Loader and passes to the kernel.

The last step which I mentioned I am not able to understand: whether NTDETECT or NTOSKRNL will be called upon here, then WINLOGON or LSASS? Or will it be different for UEFI GPT booting?

Can anyone explain?

shivaniverma6991

Posted 2019-10-18T10:48:56.357

Reputation: 67

Answers

2

> I am not able to understand the process after ESP will call Boot Manager where it'll begin loading Boot Loader and passes to the kernel.

The boot process is performed by the firmware (EFI), not by the ESP. The "ESP" is only a partition that holds files (bootloaders, etc.) used by the firmware.

EFI firmware has a built in boot manager, which stores settings in NVRAM: this is how it knows which file from the ESP to actually load.

However, when talking about things like BOOTMGR or NTLDR, the firmware doesn't really distinguish between boot managers and boot loaders – they're both just .efi applications started by the firmware. (And in BIOS, both are the same kind of boot sector as well.)

If the application supports showing a menu to select the OS (like NTLDR or BOOTMGR does), then it's called a boot manager; if it supports starting the OS kernel itself (like WINLOAD does), then it's called a boot loader; but to the firmware it's still the same type of program.

So on BIOS:

  1. The firmware reads NVRAM data (usually called "CMOS" or "BIOS settings"), which tells it which disk's MBR to use.
  2. The firmware starts the MBR boot sector, which then starts BOOTMGR (the BIOS variant of Windows Boot Manager) from the Windows system partition.
  3. Windows Boot Manager reads the BCD and shows a menu if needed, then it starts WINLOAD.EXE (the BIOS variant of Windows Boot Loader) from the main Windows partition.
  4. Windows Boot Loader starts NTOSKRNL.EXE (the main Windows kernel).

And on UEFI:

  1. The firmware reads NVRAM data (EFI variables), which tells it which *.EFI file to use and on which disk to find it.
  2. The firmware starts BOOTMGFW.EFI (the EFI variant of Windows Boot Manager) from the EFI system partition.
  3. Windows Boot Manager reads the BCD and shows a menu if needed, then it starts WINLOAD.EFI (the EFI variant of Windows Boot Loader) from the main Windows partition.
  4. Windows Boot Loader starts NTOSKRNL.EXE (the main Windows kernel).

Both eventually start the same kernel. The process afterwards is the same for both firmware types as well. Windows components such as LSASS do not care whether you're booting in EFI mode or BIOS mode – by the time they're started, the firmware's main task has been done already.

user1686

Posted 2019-10-18T10:48:56.357

Reputation: 283 655

Does any role of the NVRAM variable come into the picture? Where will that come in? – shivaniverma6991 – 2019-10-18T11:18:54.093

The NVRAM holds configuration for UEFI's built-in boot manager. Its primary job is to tell EFI which .efi file to start. (Yeah, that means that when booting Windows you go through two boot-managers, the one built into firmware and the one provided by Windows BOOTMGR...) – user1686 – 2019-10-18T12:53:36.190

Note also that Windows goes out of its way to try and make sure certain UEFI settings match up with what it sees in the BCD. Most notably, it will rewrite the default boot entry on UEFI systems if it doesn't match what Windows thinks it should be based on the BCD (which is a serious pain in the arse when setting up multiboot configurations on UEFI that include Windows). – Austin Hemmelgarn – 2019-10-18T19:07:41.333

It does? Haven't seen that happen on any of my Win10+Linux systems... – user1686 – 2019-10-18T19:20:04.300
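Step 1 of the UEFI sequence in the answer, and the comment about NVRAM, say that an EFI variable tells the firmware which .efi file to start and on which disk. The following added example (not part of the answer or comments) parses the `EFI_LOAD_OPTION` layout that the UEFI specification defines for `Boot####` variables, so the referenced partition and file can be audited. The sample payload, its GUID and the helper names are constructed for illustration.

```python
import struct
import uuid

LOAD_OPTION_ACTIVE = 0x00000001  # attribute bit from the UEFI specification

def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the NUL)."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string")
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_load_option(data):
    """Parse raw EFI_LOAD_OPTION bytes (the payload of a Boot#### variable)."""
    attrs, fpl_len = struct.unpack_from("<IH", data, 0)
    desc, off = _utf16z(data, 6)
    end = off + fpl_len
    if end > len(data):
        raise ValueError("FilePathListLength exceeds variable size")
    entry = {"active": bool(attrs & LOAD_OPTION_ACTIVE), "description": desc,
             "partition_guid": None, "file": None}
    while off + 4 <= end:
        ntype, subtype, nlen = struct.unpack_from("<BBH", data, off)
        if nlen < 4 or off + nlen > end:
            raise ValueError("malformed device path node")
        body = data[off + 4:off + nlen]
        if (ntype, subtype) == (0x04, 0x01) and len(body) == 38 and body[37] == 0x02:
            # Hard Drive node with GUID signature: which GPT partition (the ESP)
            entry["partition_guid"] = str(uuid.UUID(bytes_le=body[20:36]))
        elif (ntype, subtype) == (0x04, 0x04):
            # File Path node: the .efi application the firmware starts
            entry["file"] = _utf16z(body, 0)[0]
        elif (ntype, subtype) == (0x7F, 0xFF):
            break  # end of the first device path, which is the boot target
        off += nlen
    return entry

def _node(ntype, subtype, body):
    return struct.pack("<BBH", ntype, subtype, len(body) + 4) + body

def build_sample():
    """Constructed Boot#### payload, not captured from a real machine."""
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up GUID
    hd = struct.pack("<IQQ", 1, 2048, 204800) + guid.bytes_le + b"\x02\x02"
    path = "\\EFI\\Microsoft\\Boot\\bootmgfw.efi\0".encode("utf-16-le")
    nodes = _node(4, 1, hd) + _node(4, 4, path) + _node(0x7F, 0xFF, b"")
    desc = "Windows Boot Manager\0".encode("utf-16-le")
    return struct.pack("<IH", LOAD_OPTION_ACTIVE, len(nodes)) + desc + nodes
```

Calling `parse_load_option(build_sample())` returns the description, the ESP partition GUID and the loader path. When the bytes come from Linux efivarfs, strip the 4-byte attribute prefix that efivarfs prepends before parsing.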