Windows Boot process

What is involved in Windows Boot Process:


  • Power is turned on.
  • The first process starting when you turn on your computer is BIOS i.e, Basic Input Output System. BIOS has two functions, to conduct POST and read MBR.
    1. POST – POST stands for Power On Self Test. POST checks all the hardware devices connected to a computer like RAM, hard disk etc and make sure that the system can run smoothly with those hardware devices. If the POST is a failure the system halts with a beep sound.
    2. Now BIOS checks the boot priority. We can set the boot priority as CD drive, hard disk or floppy drive
    3. MBR – The next duty of BIOS is to read the MBR. MBR stands for Master Boot Record and its the first sector on a hard disk. MBR
      contains the partition table and boot loader.
  • Functions of Boot loader
    Now BIOS has passed the control to boot loader and boot loader is a small program which loads kernel to computers memory. Actually there are two stages of boot loaders, stage 1 boot loader and stage 2 boot loader. MBR contains the stage 1 boot loader and stage 1 boot loader is a link to the stage 2 boot loader. The stage 2 boot loader resides in the boot partition and it loads the kernel to memory.
  • Boot files and functions
    There are three boot files in a Windows operating system and they are NTLDR, NTDETECT.COM and Boot.ini. The boot files are found in the active partition of hard disk and its normally C drive in a Windows machine.

    1. NTLDR – NTLDR stands for NT Loader and its the second stage bootloader. The path of NTLDR is C:\Windows\i386\NTLDR.
    2. Boot.ini – Boot.ini contains the configuration files of NTLDR. When the operating system is loaded we cannot pass any arguments to kernel, so those arguments are passed through boot.ini. You can edit boot.ini by opening through notepad. The path of Boot.ini is C:\boot.ini.

    3. NTDETECT.COM – This file detect hardware’s and passes information to NTLDR. Using the collected information the NTLDR creates a hardware key and this key is used to detect hardware’s. A new hardware key is generated after each reboot of the operating system and that’s why system asks to reboot after installation of a new hardware. The hardware keys created by NTLDR can be found in Windows registry at

  • Kernel and its functions
    After executing the functions of boot files the control is passed to Kernel. ntoskrnal.exe is the kernel file in a Windows machine and its path is C:\Windows\system 32\ntoskrnal.exe. Kernel acts as a layer between software and hardware. The library file hal.dll (C;\Windows\system32\hal.dll) helps Kernel to interact with hardware’s. HAL stands for Hardware Abstraction Layer and this hal.dll file is
    machine specific. Now the drivers for hardware’s are loaded from the file C:\Windows\system32\config\system and the Kernel is loaded to primary memory.
  • Services and log in procedure
    When kernel is loaded in the primary memory services for each process is started and the registry entry for those services can be found at HKEY_LOCAL_MACHINE – System – Current control set – Services.
    Winlogon.exe (C:\Windows\system32\winlogon.exe) is the last service started during this process.
    Winlogon.exe starts the log in procedures of windows machine. It first calls the library file msgina.dll (C:\Windows\system32\msgina.dll). MSGINA stands for Microsoft Graphics Identification and Authentication and it provides the log in window. Now msginal.dll passes the control to LSA (Local Security Authority), it verifies the username and password from the SAM file. SAM (Security Accounts Manager) contains the information about all users created in a Windows operating system.
    Now the booting procedure is over and we have reached the desktop of Windows operating system.



Mac OS X Boot Process

What is Mac OS X Boot Process:

Boot ROM Firmware. Part of Hardware system
BootROM firmware is activated
POST Power-On Self Test
initializes some hardware interfaces and verifies that sufficient memory is available and in a good state.
EFI Extensible Firmware Interface
EFI does basic hardware initialization and selects which operating system to use.
BOOTX boot.efi boot loader
load the kernel environment
Rooting/Kernel The init routine of the kernel is executed
boot loader starts the kernel’s initialization procedure
Various Mach/BSD data structures are initialized by the kernel.
The I/O Kit is initialized.
The kernel starts /sbin/mach_init
Run Level mach_init starts /sbin/init
init determines the runlevel, and runs /etc/rc.boot, which sets up the machine enough to run single-user.
rc.boot figures out the type of boot (Multi-User, Safe, CD-ROM, Network etc.)
  • Power is turned on.
  • Open Firmware code is executed.
  • Hardware information is collected and hardware is initialized.
  • Something (usually the OS, but also things like the Apple Hardware Test, etc.) is selected to boot. The user may be prompted to select what to boot.
  • Control passes to /System/Library/CoreServices/BootX, the boot loader. BootX loads the kernel and also draws the OS badges, if any.
  • BootX tries to load a previously cached list of device drivers (created/updated by /usr/sbin/kextcache). Such a cache is of the type mkext and contains the info dictionaries and binary files for multiple kernel extensions. Note that if the mkext cache is corrupt or missing, BootX would look in /System/Library/Extensions for extensions that are needed in the current scenario (as determined by the value of the OSBundleRequired property in the Info.plist file of the extension’s bundle.
  • The init routine of the kernel is executed. The root device of the booting system is determined. At this point, Open Firmware is not accessible any more.
  • Various Mach/BSD data structures are initialized by the kernel.
  • The I/O Kit is initialized.
  • The kernel starts /sbin/mach_init, the Mach service naming (bootstrap) daemon. mach_init maintains mappings between service names and the Mach ports that provide access to those services.
  • From here on, the startup becomes user-level:

  • mach_init starts /sbin/init, the traditional BSD init process. init determines the runlevel, and runs /etc/rc.boot, which sets up the machine enough to run single-user.
  • rc.boot figures out the type of boot (Multi-User, Safe, CD-ROM, Network etc.). In case of a network boot (the sysctl variable kern.netboot will be set to 1 in which case), it runs /etc/rc.netboot with a start argument.


Linux Boot process

Let’s describe Linux Boot Process:

Executes MBR
MBR Master Boot Record
Executes GRUB
GRUB Grand Unified Bootloader
Executes kernel
Executes /sbin/init
Executes Run level programs
Run Level Run Level Programs are executed from /etc/rc.d/rc*.d/
  • As power comes up the BIOS is given control
  • BIOS runs self tests, usually including cursory memory tests.
  • The BIOS then loads the first sector of the disk to be used for booting and transfers control to it.
  • The MBR code varies. One version will chain to the code in the first sector of the boot partition (Windows), another will load a bootloader. Windows boot proceeds from code and information in the boot partition.
  • The bootloader chooses kernel location and version
  • The bootloader prepares kernel and initrd image in memory, transfers control to kernel
  • Loading kernel modules
  • Discovering hardware and load additional kernel modules to support it
  • Looking for disks
  • R/O mount of / partition so that it can potentially be checked and repaired
  • init process spawn
  • /etc/inittab read and executing
  • Mounting all FSes from /etc/fstab
  • runlevels running (based on default runlevel in /etc/inittab) or another init method such as systemd or upstart
  • rc.local
  • login prompt


  3. Watch video here