Windows Security

Current UEFI/GPT Boot

Globally Unique IDentifier Partition Table (GPT)

Because of MBR's disk size limitation, as drives approached the 2TB mark in the late 2000s, its days were numbered. To address disk size and other limitations of the MBR partition scheme, the UEFI specification defined the GPT format. A GPT FAQ page from Microsoft, which provides a brief overview, can be accessed here.

Key points are as follows:

  • GPT supports extremely large drives; the size limit now comes from OS or filesystem restrictions, not from the partition scheme
  • Windows supports up to 128 basic GPT partitions, as opposed to MBR's 4
  • Each GPT partition has a 36-character Unicode name to provide a human-readable ID
  • Windows Server 2003 with SP1 and later support GPT partitioned disks
  • GPT provides a Protective MBR to prevent legacy tools from thinking the disk is blank and re-partitioning it
  • A Windows UEFI boot drive must have an Extensible Firmware Interface System Partition (ESP), which stores boot files, a Microsoft Reserved Partition (MSR), which provides reserved space for the OS, and a basic data partition which stores the OS
  • Only one ESP should exist on a system no matter how many OSes are installed. Multiple OSes use the same ESP
  • UEFI firmware can still boot MBR partitioned disks, but GPT is the future
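The structures in the key points above (the protective MBR at LBA0, the GPT header at LBA1, and the partition entries whose type GUIDs and 36-character UTF-16 names identify the ESP, MSR and basic data partitions) can be verified straight from a raw disk image. This is an added example written for this page, not code from Microsoft or the linked sources: it builds a constructed sample image and parses it; the type GUIDs are the well-known values from the UEFI specification and Microsoft documentation, while the partition names and LBA ranges are made up.

```python
import struct
import uuid

SECTOR = 512
# Well-known GPT partition type GUIDs (UEFI specification / Microsoft documentation).
ESP = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
MSR = uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE")
DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
TYPES = {ESP: "EFI System Partition (ESP)", MSR: "Microsoft Reserved (MSR)", DATA: "Basic data"}

def has_protective_mbr(img):
    # LBA0 must carry the 0x55AA boot signature and one partition entry of type 0xEE.
    mbr = img[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        return False
    return any(mbr[446 + 16 * i + 4] == 0xEE for i in range(4))

def parse_gpt(img):
    # Returns (name, type label, first LBA, last LBA) for each used entry in the primary GPT.
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header signature at LBA1")
    entry_lba, count, size = struct.unpack_from("<QII", hdr, 72)  # header offsets 72, 80, 84
    parts = []
    for i in range(count):
        off = entry_lba * SECTOR + i * size
        e = bytes(img[off:off + size])
        type_guid = uuid.UUID(bytes_le=e[0:16])  # GUID fields are stored little-endian
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")  # 36 UTF-16 characters
        parts.append((name, TYPES.get(type_guid, "unknown " + str(type_guid)), first, last))
    return parts

def build_image():
    # Constructed sample image: protective MBR, GPT header, 128 x 128-byte entries at LBA2.
    img = bytearray(SECTOR * 34)
    img[446 + 4], img[510:512] = 0xEE, b"\x55\xaa"  # type 0xEE entry plus boot signature
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)
    layout = [("EFI system partition", ESP, 2048, 206847),
              ("Microsoft reserved partition", MSR, 206848, 239615),
              ("Basic data partition", DATA, 239616, 1048575)]
    for i, (name, guid, first, last) in enumerate(layout):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = guid.bytes_le
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\x00")
    return img
```

On a live Windows system the same facts for a physical disk come from `Get-Partition | Select-Object PartitionNumber, Type, GptType` in PowerShell, where the MSR is shown with type Reserved.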

Microsoft states that, "GPT disks do not allow hidden sectors. Software components that formerly used hidden sectors now allocate portions of the MSR for component-specific partitions. For example, converting a basic disk to a dynamic disk causes the MSR on that disk to be reduced in size and a newly created partition holds the dynamic disk database."

Given that the MSR is a hidden storage space which is required by Windows GPT drives, and usually has free space available, what potential uses can you imagine for this partition?

Unified Extensible Firmware Interface (UEFI)

Here is Lowell Vanderpool with an explanation of the UEFI boot process for Windows:

Sandip Roy provides a good comparison overview of BIOS vs. UEFI on this page. Additionally, this diagram from Microsoft provides a flow chart of both BIOS/MBR and UEFI/GPT boot processes for Windows.

Key points:

  • While BIOS can only load the MBR sector, UEFI supports reading FAT32/FAT16 partitions and files
  • UEFI will load bootloaders from the EFI System Partition
  • The ESP must be FAT16/32 formatted and must have an \EFI directory in the root of that partition
  • Windows will create an \EFI\Microsoft subdirectory in the ESP
  • Bootmgfw.efi (Lowell's video has a typo) is the Windows UEFI Boot Manager file
  • Windows writes the path of the Boot Manager to the UEFI Non-Volatile Random Access Memory (NVRAM)
  • \EFI\Boot\bootx64.efi is the default boot path that UEFI firmware on 64-bit X86 systems will use
  • The Boot Manager is stored with the Boot Configuration Data (BCD) registry hive in \EFI\Microsoft\Boot
  • The Boot Manager will load boot configuration data from BCD to enumerate boot options
  • The BCD will point to the location of winload.efi (default \Windows\system32\winload.efi) to load the Windows kernel (ntoskrnl.exe)

Once the Windows kernel is loaded, the kernel boot process is the same for both BIOS/MBR and UEFI systems:

  • The kernel loads the system registry hive and starts drivers marked BOOT_START
  • The kernel passes control to the Session Manager process (smss.exe), which initializes the system session and loads the remaining drivers
  • For Windows Vista and later, smss.exe launches a second instance of itself to configure session 0
  • This smss.exe instance launches the Windows Startup Application (wininit.exe) and the Client-Server Runtime Subsystem (csrss.exe) and then exits
  • wininit.exe launches services.exe, the Local Security Authority Subsystem Service (lsass.exe), and the Local Session Manager (lsm.exe)
  • smss.exe starts another instance of itself to configure a console session
  • The console smss.exe instance launches a csrss.exe and winlogon.exe instance for the console session to prepare for user login
  • winlogon.exe launches the Logon User Interface Host (logonui.exe) which presents the Windows Security screen
  • The Windows Security screen prompts the user to press CTRL+ALT+DELETE to log in, completing the Windows loading process