hail,
NTLDR has the SCSIPORT exports and looks like NTBootDD.sys is bound to
them the same way as the SCSI miniport is bound in the running OS.
This looks rather suspicious. I suspect that even NTLDR does not use BIOS
for
disk access in the later stages - when loading boot drivers+kernel+HAL+NLS
tables+SYSTEM registry, for instance. Looks like even NTLDR uses BIOS only
on the earliest stage.
Does this really means (as i suppose) NTLDR uses low-level IO commands
to r/w hdd by accessing hdd-controller directly? I just am not sure for
100% :T
I suspect the boot process is the following:
- NTLDR is installed on the disk only by NT setup - either by installation
or by
“repair system files” feature.- this installation retrieves the sector numbers of the whole NTLDR (by
FSCTL_GET_RETRIEVAL_POINTERS possibly) and writes the sector
numbers somewhere to NTLDR starting part.- the first sector of NTLDR is written to the boot block.
- the boot block loads the first part of the NTLDR using int13 and the
sector
map described above.- the first part of NTLDR is smart enough to load its own PE part +
NTBootDD.sys and link them together. I also suspect the boot menu is shown
by it - there are still ways to DOS and other loaders like LILO from this
stage.
one interesting link (Exploring the Windows NT boot sequence)
http://www.elementkjournals.com/ewn/9312/ewn30021.htm
says that :
NTLDR is a special program Microsoft includes with Windows NT. When the
system first loads NTLDR, the memory of the machine is still in real mode,
which uses segments and offsets.
NTLDRs first task is to switch the memory into 32-bit flat mode. Once
NTLDR accomplishes that, it initializes the appropriate mini file
system. Mini file systems are special versions of the FAT, HPFS, and NTFS
file systems. The mini file systems are part of the NTLDR module.
So, does NTLDRs mini-fs-drivers really uses INs and OUTs ?
progLammer