Day 5 Flashcards
windows boot process
pre-boot, boot, kernel initialization, user mode startup
pre-boot
the BIOS/UEFI firmware runs its power-on self test and pre-boot sequence, then hands control to the boot loader.
*UEFI replaces the legacy BIOS and loads the Windows boot manager (bootmgfw.efi) directly from the EFI System Partition, with no MBR boot-sector code in between.
boot
Windows 6.x (Vista/7/8) uses bootmgr as a 2nd stage boot loader (bootmgfw.efi on UEFI systems).
on BIOS systems it begins execution in 16-bit real mode.
once loaded, bootmgr switches to protected mode (UEFI firmware already runs in protected/long mode, so that switch is not needed there).
reads the boot configuration data (BCD) store
BCD (boot cont.)
a registry-format store (viewed and edited with bcdedit.exe) used to identify the disk controller, disk, and partition location of the OS, plus its boot options
boot cont.
after reading the BCD…
bootmgr starts winload.exe (winload.efi on UEFI systems)
winload.exe (boot cont)
queries the firmware (ACPI) to build a list of installed hardware
loads ntoskrnl.exe and hal.dll (and their dependencies) together with the SYSTEM registry hive
scans the services registry for drivers with a start value of 0x0 (boot-start) and loads them
kernel initialization
begins once winload.exe has loaded the boot drivers and transfers control to ntoskrnl.exe.
executive managers (object, memory, process, I/O, ...) create their initial objects, type objects and management mechanisms.
ntdll.dll is mapped into the System process address space (it is later mapped into every user-mode process).
creates the volatile HKLM\HARDWARE registry key from the hardware list winload gathered.
scans the services registry for drivers with a start value of 0x1 (system-start) and starts them.
starts smss.exe (session manager) in session 0, the first user-mode process.
entire boot process
refer to page 71 and loose leaf page.
windows services
services do not depend on a logged-on user and provide OS features like DHCP, DNS, FTP, etc.
ways in which windows services differ from ordinary applications
services run in the background and are not tied to an interactive user.
services do not have a user interface and do not interact with users.
services on Windows 6.x and later run in session 0, isolated from the interactive user sessions.
services may be configured to auto-start at boot
windows services consist of:
service applications, service control programs, SCM
service applications
the services themselves!
svchost.exe processes are generic hosts for DLL-based services (grouped with -k <group>; the DLL is named by the service's Parameters\ServiceDll registry value).
service control programs (SCPs)
programs used to send configuration changes and control requests (start, stop, pause) to the SCM.
most common is the services.msc MMC snap-in
SCM
manages windows services.
starts, stops, and interacts with all system services.
runs as services.exe (launched by wininit.exe during user-mode startup)
service properties
viewed through services.msc.
general tab:
service name: name as it appears in the registry (HKLM\SYSTEM\CurrentControlSet\Services\<name>)
display name: the service's friendly name
path to executable: file path and arguments of the service process
startup type: automatic, automatic (delayed start), manual, or disabled
log on tab identifies the service account:
local system (NT AUTHORITY\SYSTEM, the most privileged)
local service
network service
(or a specified user account)
service registry keys
each service's subkey contains Start, Type, and ErrorControl values (plus ImagePath, DisplayName, and ObjectName for the service account)
start value
indicates when and how drivers and/or services are started: 0x0 boot (loaded by winload), 0x1 system (loaded during kernel initialization), 0x2 automatic (started by the SCM at boot), 0x3 manual (on demand), 0x4 disabled
delayed autostart
the DelayedAutostart value: 0x1 enabled, 0x0 disabled; only meaningful in combination with a start value of 0x2 (the SCM starts the service a short time after the other automatic services have started)
type value
indicates whether the entry is a driver or a service, and whether a service executes in its own process or shares one with other services:
0x1 kernel driver, 0x2 file system driver
0x10 service in a process by itself
0x20 service that shares a process (e.g. an svchost.exe group)
error control value
specifies the severity of the error if the service or driver fails to start, i.e. what the system does on failure:
0x0 ignore, 0x1 normal (log the error and continue), 0x2 severe (restart with the last known good configuration), 0x3 critical (fail the boot if last known good also fails)
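The Start, Type, ErrorControl and DelayedAutostart cards above, applied to a `.reg` export of the Services key, as an added example (not part of the flashcards). The export text is constructed to look like `reg export` output; the "Agent" service and its path are hypothetical, while the Dhcp and disk entries mirror real ones. REG_EXPAND_SZ values such as ImagePath are written by `reg export` as `hex(2):` UTF-16LE byte lists that may continue across lines, and the parser handles that form as well as plain quoted strings.

```python
# Decode service registry keys from a .reg export (added example; not from the flashcards).
import re

START = {0x0: "boot", 0x1: "system", 0x2: "automatic", 0x3: "manual", 0x4: "disabled"}
TYPE = {0x1: "kernel driver", 0x2: "file system driver",
        0x10: "own process", 0x20: "shared process"}
ERROR_CONTROL = {0x0: "ignore", 0x1: "normal", 0x2: "severe", 0x3: "critical"}
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample export. "Agent" is a hypothetical third-party service; the Dhcp
# ImagePath is given as a quoted string only to keep the sample short.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ErrorControl"=dword:00000001
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
"ObjectName"="NT AUTHORITY\\LocalService"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Agent]
"DelayedAutostart"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,73,00,76,00,63,00,5c,00,61,00,67,00,65,00,6e,00,\
  74,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"ErrorControl"=dword:00000003
"Start"=dword:00000000
"Type"=dword:00000001
"""


def _join_continuations(text):
    """Fold lines ending in a backslash (hex value continuations) into one logical line."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line.strip())
        buf = ""
    return out


def _parse_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"'):                       # REG_SZ: unescape \\ and \"
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):                  # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)  # hex: REG_BINARY, hex(2): REG_EXPAND_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":                     # UTF-16LE with a terminating NUL
            return data.decode("utf-16le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for every [key] in the export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = _parse_value(m.group(2))
    return keys


def describe_services(reg_text):
    """Translate each service's Start/Type/ErrorControl (and DelayedAutostart) into words."""
    keys, result = parse_reg(reg_text), {}
    for path, values in keys.items():
        if not path.startswith(SERVICES_KEY) or "\\" in path[len(SERVICES_KEY):]:
            continue                              # skip non-service keys and subkeys
        name = path[len(SERVICES_KEY):]
        start = values.get("Start")
        start_text = f"{START.get(start, 'unknown')} (0x{start:x})" if start is not None else "missing"
        if start == 0x2 and values.get("DelayedAutostart") == 1:
            start_text = "automatic, delayed start (0x2)"
        typ = values.get("Type", 0)
        type_text = TYPE.get(typ & 0xFF, f"unknown (0x{typ:x})")
        if typ & 0x100:                           # SERVICE_INTERACTIVE_PROCESS flag
            type_text += ", interactive"
        params = keys.get(path + "\\Parameters", {})   # svchost DLL services live here
        result[name] = {
            "start": start_text,
            "type": type_text,
            "error_control": ERROR_CONTROL.get(values.get("ErrorControl"), "unknown"),
            "image_path": values.get("ImagePath"),
            "service_dll": params.get("ServiceDll"),
            "account": values.get("ObjectName"),
        }
    return result


if __name__ == "__main__":
    for name, info in describe_services(SAMPLE_REG).items():
        print(f"{name:6} start={info['start']:<30} type={info['type']:<18} "
              f"error={info['error_control']:<8} runs_as={info['account']} "
              f"image={info['image_path']} dll={info['service_dll']}")
```

Run it against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services svc.reg` on the host, then read the file as UTF-16) to get the same table for every installed service and driver; ObjectName is the registry form of the log on tab's service account.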
command line scp’s
psservice.exe, sc.exe, net start and net stop
psservice.exe
an SCP from the Sysinternals suite (not built in); works locally and remotely
sc.exe
a built-in SCP that works locally and remotely (sc.exe \\host query ...)
net start and net stop
built-in SCPs that only work locally
local log in
refer to page 77 for local log in steps
Lan Manager (LM)
uses DES: the password is converted to upper case and padded or truncated to 14 characters,
divided into two 7-character halves, and each half is used as a DES key to encrypt the constant "KGS!@#$%"; the two 8-byte results are concatenated, so each half can be cracked independently
a password of 7 or fewer characters leaves the second half empty, giving the well-known constant AAD3B435B51404EE
does not support time stamps (plain challenge/response)
NTLMv1
uses the MD4 hashing algorithm: the NT hash is MD4 over the UTF-16LE password, unsalted
supports up to 127 characters (case-sensitive, not limited to alphanumerics)
128-bit hash; the response DES-encrypts the 8-byte server challenge with the hash split into three 7-byte keys
does not use time stamps
NTLMv2
uses HMAC-MD5: the NT hash (still MD4) keys an HMAC-MD5 over the uppercased username and domain, and the response is an HMAC-MD5 over the server challenge and a client blob
supports up to 127 characters
128-bit HMAC output
uses time stamps (and a client challenge) inside the blob, which lets the server reject replays
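The three cards above in working code, as an added example that is not part of the flashcards: the NT hash as MD4 over UTF-16LE, the LM pre-processing that splits a password into two independent 7-byte DES keys, and the NTLMv2 HMAC-MD5 exchange with its timestamp, including the server-side check. MD4 is implemented inline because current OpenSSL builds often ship hashlib without it. The LM DES step itself is not implemented (the standard library has no DES); only the key preparation that makes LM weak is shown. The usernames, domain, challenges and timestamps are constructed test data.

```python
# NT hash, LM halves and NTLMv2 response/verification (added example; not from the flashcards).
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is often disabled by OpenSSL 3)."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                p = (-j) % 4          # register being updated rotates a, d, c, b
                mixed = s[p] + fn(s[(p + 1) % 4], s[(p + 2) % 4], s[(p + 3) % 4]) + x[i] + k
                s[p] = rol(mixed & _MASK, shifts[j % 4])
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password, no salt (what the SAM stores and NTLMv1 uses)."""
    return md4(password.encode("utf-16le"))


def lm_halves(password: str):
    """LM pre-processing: upper-case, pad/truncate to 14 bytes, split into two 7-byte DES keys.
    Each half would independently DES-encrypt b"KGS!@#$%"; an all-zero half (password of
    7 or fewer characters) always produces the constant AAD3B435B51404EE."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return pw[:7], pw[7:]


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def unix_to_filetime(unix_seconds: int) -> int:
    """FILETIME = 100 ns intervals since 1601-01-01, the format used in the NTLMv2 blob."""
    return (unix_seconds + 11644473600) * 10_000_000


def ntlmv2_response(password, user, domain, server_challenge: bytes, client_challenge: bytes,
                    filetime: int, target_info: bytes = b"") -> bytes:
    """Client side: NTLMv2_RESPONSE = NTProofStr || temp. temp carries the timestamp and
    client challenge, which is exactly what NTLMv1's plain DES response lacks."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def ntlmv2_timestamp(response: bytes) -> int:
    """FILETIME the client placed in temp; a server can reject stale values to limit replay."""
    return struct.unpack("<Q", response[16 + 8:16 + 16])[0]


def verify_ntlmv2(password, user, domain, server_challenge: bytes, response: bytes) -> bool:
    """Server side: rebuild NTProofStr from the stored NT hash, its own challenge and the
    client's temp blob, and compare in constant time."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(password, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    # Constructed demo inputs: fixed challenges and a fixed timestamp so the run is reproducible.
    print("NT hash of 'password':", nt_hash("password").hex())
    print("LM halves of 'Password1':", lm_halves("Password1"))
    resp = ntlmv2_response("password", "alice", "CORP", b"\x01" * 8, b"\x02" * 8,
                           unix_to_filetime(1_700_000_000))
    print("NTLMv2 proof:", resp[:16].hex(), "timestamp:", ntlmv2_timestamp(resp))
    print("server accepts:", verify_ntlmv2("password", "alice", "CORP", b"\x01" * 8, resp))
```

The verification function is what a relay or replay must defeat: the proof is bound to the server's challenge and to the client's blob, so capturing one response does not let an attacker answer a different challenge, and the timestamp inside the blob gives the server a freshness check that LM and NTLMv1 responses cannot offer.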
network login
when accessing a remote system, the LSA on the user's workstation presents the current logon credentials to the LSA of the remote system in an attempt to establish identity. if those credentials do not match, credentials that exist in the remote system's SAM (or its domain) must be provided to gain access.