
Windows XP Boot – Milestones & Behaviour

Process Monitor Configuration & Behaviour


Getting Process Monitor to use symbols is a little interesting. First you need a recent version of DbgHelp.dll and also symsrv.dll; you can get both from the latest version of WinDbg. Make sure they are in the same directory, otherwise it does not seem to work properly. Secondly, if you are viewing a saved PML and DbgHelp.dll was not correctly set up before capture, then you will not be able to resolve the symbols. So in summary:

1. Download ‘WinDbg’ to get the most recent versions of the DLLs (DbgHelp.dll and SymSrv.dll) and point ‘ProcMon’ at them.
2. Make sure both DLLs are in the same directory.
3. Make sure 1 and 2 are done *before* capture, otherwise you cannot resolve the symbols afterwards.

Boot Logging
During Boot Logging, Process Monitor writes a file, ‘C:\Windows\Procmon.pmb’. When Process
Monitor is started after a Boot Logging session, a request will be made to save capture information
from the boot session. If ‘Yes’ is selected the file is read in and converted to a PML file.

The location of the boot logging file cannot be changed and the only viable option to reduce the
impact to the performance of the client during start-up is to move the location of the paging file to
another disk.

It has not been possible to identify the processor and memory utilisation when running ProcMon
with Boot Logging enabled during startup.

Processor & Memory Utilisation


Procmon V1.32 uses 9 Mbytes of memory when open but not logging. Once logging starts, the amount of memory used varies between 10 and 13 Mbytes. Using Procmon V1.32 to read a capture file results in around 13 Mbytes of memory being used.

Capture files have a maximum size of 256Mbytes and should a capture session remain running for a
long period of time, then multiple capture files will be generated by ProcMon.

The total load on the processor by the ProcMon process seems to peak at just under 10%. This
measurement was taken on an Intel dual core 1.8GHz processor with 2GB of memory.

Reducing the Impact to Performance


When using ProcMon from the desktop and logging to a backing file, the only option to reduce the performance impact is to move the location of the backing file to another non-system/boot disk, preferably a disk on a channel or controller that is independent from the system and boot disk.

You can obtain the latest revision of Process Monitor from the Microsoft Sysinternals technical site, found at:

http://technet.microsoft.com/en-us/sysinternals/

ProcMon was at revision 1.32 at the time of writing this document.


The Startup & Logon Process


Initial Startup

Windows NT Session Manager (SMSS.EXE) performs the following initialisation steps:

1. Creates an LPC port object (SmApiPort) and two threads to wait for client requests, such as to load a new subsystem or create a session.
2. Defines the symbolic links for MS-DOS device names such as COM1 and LPT1.
3. If Terminal Services is installed, creates the \Sessions directory in the object manager’s namespace for multiple sessions.
4. Runs any programs defined in HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute. Typically this value contains the command to run ‘Autochk’.
5. Performs delayed file rename and delete operations as directed by HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2.
6. Opens known DLLs and creates section objects for them in the \KnownDlls directory of the Object Manager namespace. The list of DLLs considered known is located in HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs, and the path to the directory in which the DLLs are located is stored in the DllDirectory value of the key.
7. Creates additional pages in the paging files. Paging file configuration is stored under HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles.
8. Initialises the registry. The configuration manager fleshes out the registry by loading the registry hives for the HKLM\SAM, HKLM\SECURITY and HKLM\SOFTWARE keys. Although ‘HKLM\SYSTEM\CurrentControlSet\Control\hivelist’ locates the hive files on disk, the configuration manager is coded to look for them in ‘\Windows\System32\Config’.
9. Creates system environment variables that are defined in HKLM\System\CurrentControlSet\Session Manager\Environment.
10. Loads the kernel-mode part of the Windows subsystem (Win32k.sys). Smss.exe determines the location of Win32k.sys and other components it loads by looking for their paths in HKLM\System\CurrentControlSet\Control\Session Manager. The initialisation code in Win32k.sys uses the video driver to switch the screen to the resolution defined by the default profile, so this is the point at which the screen changes from the VGA mode the boot driver uses to the default resolution chosen for the system.
11. Starts the subsystem processes, including Csrss (the client/server runtime subsystem).
12. Starts the logon process (WinLogon).

The SMSS.EXE process now waits forever for the process handles to CSRSS.EXE and WINLOGON.EXE.
If either of these processes terminates unexpectedly, SMSS.EXE or the kernel will crash the system.


DHCP & NetBIOS


13. Process ‘Svchost.exe’ initiates DHCP and reads DHCP information from the registry, including the previous IP address.
14. NetBIOS is bound to all adapters and the host name registration announcement is broadcast. This can only be seen in Process Monitor once, as subsequent broadcasts are performed by memory-resident components.

Logon Dialog Box


15. WinLogon uses the default GINA, MSGINA.DLL, which displays the standard Windows logon
dialog box and the prompt to press CTRL-ALT-DEL.

Authentication & Logon


16. CTRL-ALT-DEL (SAS event) has been pressed, which results in the WinLogon process calling the WlxSASNotify function. This cannot be seen in ProcMon, as the library containing the function is already paged into memory. What can be seen is the next function call in the sequence, ‘WlxLoggedOutSAS’, which is used to specify the type of SAS that occurred: CTRL-ALT-DEL pressed, Smart Card insert, Smart Card remove or Timeout.
17. The user has entered their username and password and pressed Enter. This triggers the use of Kerberos to carry out the authentication against the Kerberos realm, which is usually named the same as the domain it functions within.
18. Once initial authentication has been successful, the desktop starts to load. This is associated with a large amount of SMB traffic to AD controllers and file servers to retrieve policies, scripts and sometimes executables. Searching for the username in the SMB traffic identifies the stream(s) associated with the user and user profile. It appears that once the SMB streams associated with policies and logon scripts stop, the desktop is more or less loaded, although responsiveness is reduced while waiting for AV software to complete loading and services to complete startup.
Filtering the ProcMon capture file for anything in the path or detail that contains the username quickly identifies the processes associated with loading the profile and profile-specific settings. The large gaps in the activity near the end of the filtered trace can be used as a marker to identify when the desktop is loaded.


The Start-up Process


Windows NT Session Manager (SMSS.EXE) performs the following initialisation steps:
1. Creates an LPC port object (SmApiPort) and two threads to wait for client requests, such as to load a new subsystem or create a session.
Two smss.exe threads as described in step 1.

2. Defines the symbolic links for MS-DOS device names such as COM1 and LPT1.

MS-DOS device names defined, such as COM1: in sequence 55375 and LPT1: in sequence 55379


3. If Terminal Services is installed, Smss.exe creates the \Sessions directory in the object manager’s namespace for multiple sessions. This step is not
present in this capture as Terminal Services was not installed on the machine.

4. Runs any programs defined in HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute.


Autochk.exe is referenced in the registry key highlighted below and is the only program listed to be executed at boot

Below the smss.exe process runs the program defined in the registry key shown above

Note: A description of Autochk.exe, how it is used and how to disable it can be found in Appendix B - Manually Resetting AUTOCHK.EXE for a Drive.


5. Performs delayed file rename and delete operations as directed by ‘HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations’ and ‘HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2’.

This step was not executed as no pending operations were defined in the registry keys accessed by the Smss.exe process, highlighted below.

The Smss.exe process accesses the registry keys detailed in step 5, to identify any pending operations to be executed in the boot process


6. Opens known DLLs and creates section objects for them in the \KnownDlls directory of the Object Manager namespace. The list of DLLs considered known is located in HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs, and the path to the directory in which the DLLs are located is stored in the DllDirectory value of the key.

The Smss.exe process identifies the list of DLLs considered known


6. Continued. The SMSS.EXE process starts to load the known DLLs.


The Smss.exe process starts processing the known DLLs, which are referred to on the previous page


7. Creates the paging file and writes to it. Paging file configuration is stored under HKLM\System\CurrentControlSet\Control\Session
Manager\Memory Management\PagingFiles.

The Smss.exe process creates the paging file


8. Initialises the registry. The configuration manager fleshes out the registry by loading the registry hives for the HKLM\SAM, HKLM\SECURITY and HKLM\SOFTWARE keys. Although ‘HKLM\SYSTEM\CurrentControlSet\Control\hivelist’ locates the hive files on disk, the configuration manager is coded to first look for them in ‘\Windows\System32\Config’.
Smss.exe reads in the hive list and maps these to the local files


9. Creates system environment variables that are defined in HKLM\System\CurrentControlSet\Session Manager\Environment.

Smss.exe reads the environment variables that are defined in HKLM\System\CurrentControlSet\Session Manager\Environment


9. Continued. The SMSS.EXE process creates the system environment variables seen in the path below.

Creates system environment variables defined in the registry keys highlighted in previous page

10. Loads the kernel-mode part of the Windows subsystem (Win32k.sys). Smss.exe determines the location of Win32k.sys and other components it loads by looking for their paths in HKLM\System\CurrentControlSet\Control\Session Manager.

Smss.exe loads the kernel-mode part of the subsystem


10. (Continued). The initialisation code in Win32k.sys uses the video driver to switch the screen to the resolution defined by the default profile, so this
is the point at which the screen changes from VGA mode the boot driver uses to the default resolution chosen for the system.

Default video driver initialised

11. Starts the subsystem processes, including Csrss (the client/server runtime subsystem).

Smss.exe starting the client/server runtime subsystem (CSRSS.EXE)


12. SMSS.EXE starts the logon process (WinLogon) and a new thread is created by the new WinLogon process.
Smss.exe process starting the WinLogon process


DHCP and NetBIOS


13. Process ‘Svchost.exe’ initiates DHCP and reads DHCP information from the registry, including the previous IP Address.

Svchost reading DHCP information from the registry, including the previous IP Address

Svchost.exe forms the DHCP request


13. Continued. Identifying when the DHCP request has been formed. This can be used to determine roughly when the DHCP request was sent.

The last entry that contains the API ‘SendDhcpRequest’ can be used to mark when the request was transmitted over the network


13. Continued. The DHCP request as captured on the network.

The DHCP request on the network


13. Continued. The system is configuring the network interface once having received an answer to the DHCP request. This can be used to determine
when the IP address was obtained and applied. The IP Address can be seen in event 109508 in the ProcMon window behind the stack window.
The IP Address being set using the ‘SetDhcpConfigurationForNIC’ function


14. NetBIOS is bound to all adapters and the host name registration announcement is broadcast.
NetBIOS name registration announcement being formed


14. Continued. The TDI driver sending or preparing to send the NetBIOS announcement.

The kernel mode TDI driver translates API calls into low level network protocol requests


14. Continued. The NetBIOS announcement on the network.


The NetBIOS name registration announcement


Logon Dialog Box


15. WinLogon uses the default GINA, MSGINA.DLL, which displays the standard Windows logon dialog box.

WinLogon initialises the GINA by calling the WlxInitialize function

WinLogon calls the GINA’s WlxInitialize function. This shows the WinLogon process initialising the MSGINA.DLL library. While the WlxInitialize function is in use in the stack, the logon dialog box is yet to be displayed.

WinLogon is in the logged out state.


15. Continued. The Winlogon process reads the standard theme library that affects the presentation of the logon dialog box.

WinLogon calls the WlxDisplaySASNotice function

WinLogon calls the WlxDisplaySASNotice function when no user is logged on. As long as this function is being called, no user is logged on.


15. Continued. The Winlogon process can be seen to check for values in the ‘ForceFriendlyUI’ registry key. When the first instance of this is seen, it can
be used to determine when the dialog box is displayed.
The Windows logon dialog box is displayed at this point


15. Continued. The ‘WinLogon’ process calls the ‘WlxDisplaySASNotice’ function to display a notice when no users are logged on. This notice informs
users that they must enter CTRL+ALT+DELETE to logon.
The stack showing the WlxDisplaySASNotice function being called by the WinLogon process


Authentication & Logon


16. CTRL-ALT-DEL (SAS event) has been pressed, which results in the WinLogon process calling the WlxSASNotify function. This function is already paged into memory and therefore cannot be seen in ProcMon, but the ‘ReadFile’ operation to retrieve the memory page can be seen in sequence 447724.

The next function to be called in the sequence is WlxLoggedOutSAS, which can be seen in the stack. This function is used to identify the type of SAS event that has taken place. The function will return a value to represent the action: CTRL-ALT-DEL pressed, Smart Card inserted, Smart Card removed, or Timeout where no user input was received within the timeout period.

WlxLoggedOutSAS function is used to return the type of SAS event that occurred


17. The user has entered their username and password and pressed enter. This triggers the use of Kerberos to carry out the authentication against the
domain. Below the lsass.exe process is shown compiling the authentication request and below that is the associated network traffic.

LSASS.EXE compiles the authentication request using Kerberos

This is the point where Kerberos is used to authenticate the user on the domain. Notice the lsass.exe process reading the Kerberos.dll file in sequence 457778 prior to the authentication request being compiled, as shown in the stack.


17. Continued. Network traffic associated with the authentication process.


Entering user credentials and pressing the Enter key triggers the use of Kerberos to authenticate the user against the domain.

The username (asldmr in this case) and domain can be seen in the Kerberos AS-REQ packet in frame 219 and the resulting Ticket Granting Service (TGS)
request from the client to obtain a ticket for the services in the domain in frame 223.

Please see ‘Appendix F – Kerberos Authentication Sequence’ for info about the behaviour of Kerberos during a domain logon.


18. Once initial authentication has been successful, the desktop starts to load and this is associated with a large amount of SMB traffic to AD controllers
and file servers to retrieve policies, scripts and sometimes executables. Searching for the username in the SMB traffic identifies the stream(s)
associated with the user and user profile. It appears that once the SMB streams associated with policies and logon scripts stop, the desktop is more
or less loaded, although responsiveness is reduced while waiting for AV software to complete loading and services to complete startup.

Searching for the username in the SMB traffic allows you to quickly identify the activity associated with the user and user profile


18. Continued. Filtering the ProcMon capture file for anything in the path or detail that contains the username quickly identifies the processes
associated with loading the profile and profile specific settings. The large gaps in the activity near the end of the filtered trace can be used as a
marker to identify when the desktop is loaded as shown by the highlighted sequence below.
Filtering the capture file for references to the username quickly identifies process activity associated with loading the user profile
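The milestone-finding method described in steps 13 to 18 (and summarised in the overview section) can be scripted against a Process Monitor CSV export. The following is an added Python example, not part of the original document: the CSV rows are constructed, the registry paths and PIDs are illustrative placeholders, the user name asldmr is the one from Appendix C, and because ProcMon does not export the Stack column the milestones are matched on process, operation and path rather than on the API names read off the stack window.

```python
import csv
import io
from typing import Callable, Dict, List, Tuple

# Constructed sample of a Process Monitor "Save as CSV" export; NOT a real capture.
# Columns are ProcMon's default CSV layout. The Stack column is not exported, so the
# API names the document reads off the stack window (SendDhcpRequest, WlxLoggedOutSAS,
# ...) are not available here. Registry paths and PIDs are illustrative placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000","smss.exe","368","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute","SUCCESS","Type: REG_MULTI_SZ, Data: autocheck autochk *"
"9:01:02.2000000","smss.exe","368","Process Create","C:\WINDOWS\system32\autochk.exe","SUCCESS","PID: 372, Command line: autochk *"
"9:01:05.0000000","smss.exe","368","Process Create","C:\WINDOWS\system32\csrss.exe","SUCCESS","PID: 588, Command line: csrss.exe"
"9:01:05.5000000","smss.exe","368","Process Create","C:\WINDOWS\system32\winlogon.exe","SUCCESS","PID: 612, Command line: winlogon.exe"
"9:01:09.0000000","svchost.exe","900","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{PLACEHOLDER-GUID}\DhcpIPAddress","SUCCESS","Type: REG_SZ, Data: 10.0.0.23"
"9:01:12.0000000","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI","NAME NOT FOUND",""
"9:01:40.0000000","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI","NAME NOT FOUND",""
"9:01:41.0000000","lsass.exe","656","ReadFile","C:\WINDOWS\system32\kerberos.dll","SUCCESS","Offset: 0, Length: 32,768"
"9:01:43.0000000","userinit.exe","1404","CreateFile","C:\Documents and Settings\asldmr\NTUSER.DAT","SUCCESS","Desired Access: Generic Read"
"9:01:44.0000000","explorer.exe","1460","CreateFile","C:\Documents and Settings\asldmr\Start Menu","SUCCESS","Desired Access: Read Data/List Directory"
"9:01:46.0000000","explorer.exe","1460","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Data: C:\Documents and Settings\asldmr\Desktop"
"9:02:10.0000000","explorer.exe","1460","CreateFile","C:\Documents and Settings\asldmr\Local Settings\Temp","SUCCESS","Desired Access: Read Attributes"
'''


def time_of_day_seconds(time_of_day: str) -> float:
    """ProcMon 'Time of Day' (H:MM:SS.fffffff, optional AM/PM) -> seconds since midnight."""
    text = time_of_day.strip().upper()
    meridian = text[-2:] if text.endswith(("AM", "PM")) else ""
    if meridian:
        text = text[:-2].strip()
    hms, _, frac = text.partition(".")
    h, m, s = (int(x) for x in hms.split(":"))
    if meridian == "PM" and h != 12:
        h += 12
    elif meridian == "AM" and h == 12:
        h = 0
    return h * 3600 + m * 60 + s + (float("0." + frac) if frac else 0.0)


def load_events(csv_text: str) -> List[dict]:
    """Read the CSV export and attach a numeric timestamp to each row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["t"] = time_of_day_seconds(row["Time of Day"])
    return rows


# Milestones as the document identifies them: (step label, process, operation, path test).
MILESTONES: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("04 BootExecute read", "smss.exe", "RegQueryValue",
     lambda p: p.lower().endswith(r"\session manager\bootexecute")),
    ("11 csrss.exe started", "smss.exe", "Process Create", lambda p: p.lower().endswith("csrss.exe")),
    ("12 winlogon.exe started", "smss.exe", "Process Create", lambda p: p.lower().endswith("winlogon.exe")),
    ("13 DHCP config read", "svchost.exe", "RegQueryValue", lambda p: "dhcp" in p.lower()),
    # The document uses the first ForceFriendlyUI lookup as the "logon dialog displayed" marker.
    ("15 logon dialog displayed", "winlogon.exe", "RegQueryValue", lambda p: p.lower().endswith("forcefriendlyui")),
    ("17 Kerberos authentication", "lsass.exe", "ReadFile", lambda p: p.lower().endswith("kerberos.dll")),
]


def find_milestones(csv_text: str, username: str) -> Dict[str, float]:
    """Return each milestone as seconds after the first event in the capture."""
    events = load_events(csv_text)
    if not events:
        return {}
    t0 = events[0]["t"]
    found: Dict[str, float] = {}
    for label, proc, op, path_ok in MILESTONES:
        for e in events:  # the first matching event marks the milestone
            if e["Process Name"].lower() == proc and e["Operation"] == op and path_ok(e["Path"]):
                found[label] = round(e["t"] - t0, 3)
                break
    # Step 18: filter on the username in Path or Detail, then treat the largest gap in
    # the filtered activity as the "desktop loaded" marker, as the document suggests.
    u = username.lower()
    user_events = [e for e in events if u in e["Path"].lower() or u in e["Detail"].lower()]
    if user_events:
        found["18 profile load starts"] = round(user_events[0]["t"] - t0, 3)
    if len(user_events) > 1:
        gaps = [(b["t"] - a["t"], i) for i, (a, b) in enumerate(zip(user_events, user_events[1:]))]
        _, i = max(gaps)
        found["18 desktop loaded (before largest gap)"] = round(user_events[i]["t"] - t0, 3)
    return found


if __name__ == "__main__":
    for label, secs in sorted(find_milestones(SAMPLE_CSV, "asldmr").items()):
        print(f"+{secs:8.3f}s  {label}")
```

On a real export the same script works unchanged; only the username argument and, if the machine is not a UK-locale box, the AM/PM suffix in the time column differ.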


Appendix A - Common Process Functions


Registry Operations:
RegOpenKey
The process opened the Registry key specified in the Path column.

RegCloseKey
The process closed the Registry key specified in the Path column.

RegQueryValue
The process queried for the value of the Registry value listed in the Path statement. The value retrieved is listed in the Detail column.

RegEnumValue
The process is querying the value names and their data for the key in the Path. You will see repeated RegEnumValue and RegQueryValue operations
until all the values under this key have been enumerated.

RegQueryKey
The process queried the Registry key listed in the Path for information about the key. This information, such as the amount of values or subkeys
underneath it, is displayed in the Detail column.

RegEnumKey
The process queried the Registry key listed in the Path for information about its subkeys. You will see further RegEnumKey entries until there are no more subkeys to enumerate.

RegCreateKey
The process attempted to create the key specified in the Path column.

RegSetValue
The process created or set the data of the value in the Path column with the information from the Detail column.


File Operations:
QueryBasicInformationFile (FASTIO_QUERY_INFORMATION)
The process queried the file in the Path column for one of the following attributes:
CreationTime, LastAccessTime, LastWriteTime, ChangeTime, FileAttributes

QueryStandardInformationFile (FASTIO_QUERY_INFORMATION)
The process queried the file in the Path column for one of the following attributes:
AllocationSize, EndOfFile, NumberOfLinks, DeletePending, Directory

QueryNameInformationFile (IRP_MJ_QUERY_INFORMATION)
The process queried the file in the Path column for one of the following attributes: FileNameLength, FileName

SetBasicInformationFile (IRP_MJ_SET_INFORMATION)
The process changed one of the following attributes in the file in the Path field:
CreationTime, LastAccessTime, LastWriteTime, ChangeTime, FileAttributes

QueryOpen (FASTIO_NETWORK_QUERY_OPEN)
Appears before each CreateFile operation, checks for file specified in the Path.

CreateFile (IRP_MJ_CREATE)
The process opened or created the file specified in the Path. Whether the file was opened or created can be determined by the Disposition value in the
Details column.

CloseFile (IRP_MJ_CLEANUP)
The process closed the file specified in the Path.

QueryDirectory (IRP_MJ_DIRECTORY_CONTROL)
The process queried the contents of the directory listed in the Path. This listing will be found in the Details column.

WriteFile (IRP_MJ_WRITE)
The process wrote data to the file specified in the Path. The location written to in the file and the amount of data is specified in the Details column.


ReadFile (IRP_MJ_READ)
The process is reading the file specified in the Path statement. The Details column will tell you how many bytes were read during this operation. You
will see more ReadFile operations until an End of File (EOF) is reached.

SetEndOfFileInformationFile (IRP_MJ_SET_INFORMATION)
The process set the offset which the file’s End of File should be set to. This value is listed in the Details column.

SetRenameFileInformationFile (IRP_MJ_SET_INFORMATION)
The process renamed the file or directory in the Path column to the file or directory found in the Details column.

Process Operations:
Thread Create
A new thread was created in the process; the Detail column shows the ID of the new thread.

Thread Exit
A thread in the process exited; the Detail column shows the thread ID and the user and kernel time it consumed.

Process Exit
The process exited; the Detail column shows its exit status together with the CPU time and memory counters it used.


Appendix B - Manually Resetting AUTOCHK.EXE for a Drive


Windows maintains a piece of metadata for each volume called the "dirty bit." The dirty bit is a flag that tells the system if there are still pending changes to
be written to the volume. If the system is shut down before the system's write cache is written out to disk, for instance, the dirty bit will remain set, and on
the next reboot the computer will notice this and automatically run AUTOCHK.EXE (a version of CHKDSK) to determine if there is a data corruption
problem.

Sometimes the dirty bit may be set spuriously, when in fact there is no cause for alarm. A crash can sometimes cause the dirty bit to be set when there was
no data pending to be written, provoking a disk check the next time the system is rebooted. This in turn can cause a disk check to run persistently at each
reboot, even when the dirty bit has not been set. If a disk check is running at each reboot regardless of whether or not the system was shut down cleanly,
then the problem is no longer the dirty bit per se, but rather the way AUTOCHK.EXE has been configured to run at startup.

There are a few ways to manually override this. The first is to run CHKDSK /F on the drive in question; if it runs successfully, the AUTOCHK.EXE command is
cleared and the system will no longer be checked at each reboot. Another way to do it is to edit the Registry directly and remove the AUTOCHK command.
To do this, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ in the Registry and look for a REG_MULTI_SZ value with the name BootExecute. Set the value of BootExecute to a null value. This will prevent AUTOCHK from running on next reboot.

On the whole, it's safest to first attempt to use CHKDSK /F on the drive that is being repeatedly checked at startup. Editing BootExecute should only be
done if CHKDSK doesn't seem to be working. Running CHKDSK also has the added bonus of manually clearing the dirty bit.
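The BootExecute and PendingFileRenameOperations values are what SMSS.EXE acts on in steps 4 and 5, and Appendix B describes BootExecute as a REG_MULTI_SZ that normally lists only Autochk. The following added Python example, not part of the original document, decodes a .reg export of the Session Manager key and reports anything in BootExecute other than the expected Autochk entry; the export excerpt is constructed and the second BootExecute entry is a made-up placeholder so the check has something to flag.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of a .reg export of the Session Manager key (NOT from a real
# machine). hex(7) is REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, with an
# empty string as the final terminator. The second BootExecute entry is a made-up
# placeholder so that the audit below has something to flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,\
  61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,63,00,3a,00,5c,00,\
  74,00,6d,00,70,00,5c,00,75,00,70,00,64,00,2e,00,65,00,78,00,65,00,00,00,00,00
"PendingFileRenameOperations"=hex(7):00,00,00,00
"""

# The XP default the document describes: Autochk is the only program listed.
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]


def decode_multi_sz(hex_csv: str) -> List[str]:
    """Decode a .reg hex(7) byte list into the list of strings it encodes."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    # Split on the per-string NUL terminators and drop the empty trailer(s).
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: [key] headers, hex(7) and "string" values.

    The caller passes already-decoded text (regedit writes the file as UTF-16 with a BOM).
    """
    # A trailing backslash continues a hex value on the next (indented) line; join them first.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("hex(7):"):
                keys[current][name] = decode_multi_sz(value[len("hex(7):"):])
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1]  # .reg escaping left as written
            else:
                keys[current][name] = value  # other value types kept as raw text
    return keys


def audit_session_manager(reg_text: str) -> Dict[str, object]:
    """Report what smss.exe would act on at the next boot (steps 4 and 5 of the document)."""
    keys = parse_reg_export(reg_text)
    sm = next((v for k, v in keys.items() if k.lower().endswith("\\session manager")), {})
    boot = sm.get("BootExecute", [])
    pending = sm.get("PendingFileRenameOperations", [])
    return {
        "boot_execute": boot,
        "unexpected_boot_execute": [e for e in boot if e not in EXPECTED_BOOTEXECUTE],
        "autochk_cleared": boot == [],  # Appendix B: an empty value stops AUTOCHK at boot
        "pending_rename_entries": len(pending),
    }


if __name__ == "__main__":
    for k, v in audit_session_manager(SAMPLE_REG).items():
        print(f"{k}: {v}")
```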


Appendix C – Test Machine Specification


Below is the technical information of the machine used during the tests.

General OS Information
OS Name Microsoft Windows XP Pro Version 5.1.2600 SP 2 Build 2600
OS Manufacturer Microsoft Corporation
System Name ASL9300B
System Manufacturer Dell Inc.
System Model Inspiron 9300
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 8 GenuineIntel ~603 Mhz
BIOS Version/Date Dell Inc. A03, 29/03/2005 SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United Kingdom
Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name ASL_HQ\asldmr
Time Zone GMT Standard Time
Total Physical Memory 512.00 MB
Available Physical Memory 105.88 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 4.47 GB
Page File C:\pagefile.sys

Disk Volume
Description Local Fixed Disk
Compressed No
File System NTFS
Size 52.96 GB (56,861,360,128 bytes)
Free Space 41.86 GB (44,950,687,744 bytes)


Appendix D - Test Machine Services State


Display Name Name State Start Mode Service Type
Alerter Alerter Stopped Disabled
Application Layer Gateway Service ALG Running Manual Own Process
Application Management AppMgmt Running Manual Share Process
ASP.NET State Service aspnet_state Stopped Manual Own Process
Ati HotKey Poller Ati HotKey Poller Running Auto Own Process
Windows Audio AudioSrv Running Auto Share Process
Background Intelligent Transfer Service BITS Running Auto Share Process
Computer Browser Browser Stopped Auto Share Process
Indexing Service CiSvc Running Auto Share Process
ClipBook ClipSrv Stopped Disabled Own Process
.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_X86 Stopped Manual Own Process
COM+ System Application COMSysApp Stopped Manual Own Process
Cryptographic Services CryptSvc Running Auto Share Process
DCOM Server Process Launcher DcomLaunch Running Auto Share Process
DefWatch DefWatch Running Auto Own Process
DHCP Client Dhcp Running Auto Share Process
Logical Disk Manager Admin Service dmadmin Stopped Manual Share Process
Logical Disk Manager dmserver Running Auto Share Process
Whale Component Manager DMService Stopped Manual Own Process
DNS Client Dnscache Running Auto Share Process
Error Reporting Service ERSvc Running Auto Share Process
Event Log Eventlog Running Auto Share Process
COM+ Event System EventSystem Running Manual Share Process
Fast User Switching Compatibility FastUserSwitchingCompatability Stopped Manual Share Process
Help and Support helpsvc Running Auto Share Process
HID Input Service HidServ Running Auto Share Process
HTTP SSL HTTPFilter Stopped Manual Share Process



InstallDriver Table Manager IDriverT Stopped Manual Own Process
IMAPI CD-Burning COM Service ImapiService Stopped Manual Own Process
Server lanmanserver Running Auto Share Process
Workstation lanmanworkstation Running Auto Share Process
TCP/IP NetBIOS Helper LmHosts Running Auto Share Process
Machine Debug Manager MDM Running Auto Own Process
Messenger Messenger Stopped Disabled Share Process
Microsoft Office Groove Audit Service Microsoft Office Groove AuditService Stopped Manual Own Process
NetMeeting Remote Desktop Sharing mnmsrvc Stopped Manual Own Process
Distributed Transaction Coordinator MSDTC Stopped Manual Own Process
Windows Installer MSIServer Running Manual Share Process
Network DDE NetDDE Stopped Disabled Share Process
Network DDE DSDM NetDDEdsdm Stopped Disabled Share Process
Net Logon Netlogon Running Auto Share Process
Network Connections Netman Running Manual Share Process
NICCONFIGSVC NICCONFIGSVC Running Auto Own Process
Network Location Awareness (NLA) Nla Running Manual Share Process
Symantec AntiVirus Client Norton AntiVirus Server Running Auto Own Process
NT LM Security Support Provider NtLmSsp Stopped Manual Share Process
Removable Storage NtmsSvc Stopped Manual Share Process
Microsoft Office Diagnostics Service odserv Stopped Manual Own Process
Office Source Engine ose Stopped Manual Own Process
Plug and Play PlugPlay Running Auto Share Process
Pml Driver HPZ12 Pml Driver HPZ12 Stopped Disabled Own Process
IPSEC Services PolicyAgent Running Auto Share Process
Protected Storage ProtectedStorage Running Auto Share Process
Remote Access Auto Connection Manager RasAuto Stopped Manual Share Process
Remote Access Connection Manager RasMan Running Manual Share Process
Remote Desktop Help Session Manager RDSessMgr Stopped Manual Own Process
Routing and Remote Access RemoteAccess Stopped Disabled Share Process



Remote Registry RemoteRegistry Running Auto Share Process
Remote Procedure Call (RPC) Locator RpcLocator Stopped Manual Own Process
Remote Procedure Call (RPC) RpcSs Running Auto Share Process
QoS RSVP RSVP Stopped Manual Own Process
Security Accounts Manager SamSs Running Auto Share Process
Smart Card SCardSvr Stopped Manual Share Process
Task Scheduler Schedule Running Auto Share Process
Secondary Logon seclogon Running Auto Share Process
System Event Notification SENS Running Auto Share Process
Windows Firewall/Internet Connection Sharing (ICS) SharedAccess Running Auto Share Process
Shell Hardware Detection ShellHWDetection Running Auto Share Process
Print Spooler Spooler Running Auto Own Process
System Restore Service srservice Stopped Auto Share Process
SSDP Discovery Service SSDPSRV Stopped Manual Share Process
Windows Image Acquisition (WIA) stisvc Running Auto Share Process
MS Software Shadow Copy Provider SwPrv Stopped Manual Own Process
Performance Logs and Alerts SysmonLog Stopped Manual Own Process
Telephony TapiSrv Running Manual Share Process
Terminal Services TermService Running Manual Share Process
Themes Themes Stopped Disabled Share Process
Telnet TlntSvr Stopped Disabled Own Process
Distributed Link Tracking Client TrkWks Running Auto Share Process
Windows User Mode Driver Framework UMWdf Running Auto Own Process
Universal Plug and Play Device Host upnphost Stopped Manual Share Process
Uninterruptible Power Supply UPS Stopped Manual Own Process
“Messenger Sharing Folders USN Journal usnjsvc Stopped Manual Own Process
Reader service”
Volume Shadow Copy VSS Stopped Manual Own Process
Windows Time W32Time Running Auto Share Process
WebClient WebClient Running Auto Share Process

Page 38 of 47
Windows XP Boot – Milestones & Behaviour

Display Name Name State Start Mode


Windows Defender WinDefend Running Auto Own Process
Windows Management Instrumentation winmgmt Running Auto Share Process
Portable Media Serial Number Service WmdmPmSN Stopped Manual Share Process
“Windows Management Instrumentation Driver Wmi Stopped Manual Share Process
Extensions”
WMI Performance Adapter WmiApSrv Stopped Manual Own Process
Security Center wscsvc Stopped Auto Share Process
Automatic Updates wuauserv Running Auto Share Process
Wireless Zero Configuration WZCSVC Running Auto Share Process
Network Provisioning Service xmlprov Stopped Manual Share Process

Appendix E – Milestones & Description


Initial Startup
Windows NT Session Manager (SMSS.EXE) performs the following initialisation steps:

| Step | Description | ProcMon Signature | Network Signature | Details |
|---|---|---|---|---|
| 1 | Creates an LPC port object (SmApiPort) and two threads to wait for client requests, such as to load a new subsystem or create a session. | The SMSS.EXE process can be seen to create two new threads, which will show as Thread Create in the Operation column. | No network activity associated with this step. | Page 8 |
| 2 | Defines the symbolic links for MS-DOS device names such as COM1 and LPT1. | The SMSS.EXE process can be seen to read the registry key ‘HKLM\System\CurrentControlSet\Control\Session Manager\DOS Devices’. | No network activity associated with this step. | Page 8 |
| 3 | If Terminal Services is installed, Smss.exe creates the \Sessions directory in the object manager’s namespace for multiple sessions. This step is not present in this capture as Terminal Services was not installed on the machine. | N/A | N/A | Page 9 |
| 4 | SMSS.EXE runs programs at boot-up that are contained in the registry key. | SMSS.EXE can be seen to read the registry key ‘HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute’. | No network activity associated with this step. | Page 9 |
| 5 | Performs delayed file rename and delete operations. | SMSS.EXE can be seen to read ‘HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations’ and ‘HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2’. | No network activity associated with this step. | Page 10 |
| 6 | Opens known DLLs and creates section objects for them in the \KnownDlls directory of the Object Manager namespace. | SMSS.EXE can be seen to read the ‘HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs’ registry key. | No network activity associated with this step. | Page 11 & Page 12 |
| 7 | Creates additional pages in the paging file(s). | The SMSS.EXE process can be seen to read and write to the paging file ‘C:\pagefile.sys’. | No network activity associated with this step. | Page 13 |
| 8 | Initialises the registry. | SMSS.EXE reads the registry hives for the HKLM\SAM, HKLM\SECURITY and HKLM\SOFTWARE keys. | No network activity associated with this step. | Page 14 |
| 9 | Creates system environment variables. | SMSS.EXE reads the registry key ‘HKLM\System\CurrentControlSet\Session Manager\Environment’ and then the associated keys for the individual environment variables. | No network activity associated with this step. | Page 15 & Page 16 |
| 10 | Loads the kernel-mode part of the Windows subsystem (Win32K.sys). | SMSS.EXE opens Win32k.sys and reads the registry keys for the graphics driver. | No network activity associated with this step. | Page 16 & Page 17 |
| 11 | Starts the subsystem processes, including ‘csrss’ (client/server runtime subsystem). | SMSS.EXE reads the ‘CSRSS.EXE’ file. | No network activity associated with this step. | Page 17 |
| 12 | SMSS starts the WinLogon process. | SMSS.EXE reads the ‘WinLogon.exe’ file. The WinLogon process can be seen to start and create a new thread. | No network activity associated with this step. | Page 18 |
| 13 | The interface TCP/IP parameters are read and set. | SVCHOST.EXE can be seen to access the TCP/IP parameters for the interface, and later the stack of this process can be seen to form the DHCP request and set the IP information for the interface. | The DHCP request broadcast is seen, and the response to it from a DHCP server, although a response may not be sent in all cases. Read up on Microsoft DHCP behaviour from Windows 2000 onwards. | Page 19 to Page 22 |
| 14 | NetBIOS name registration announcement is made. | The SYSTEM process is seen to read the NetBIOS parameters in the registry. | The NBNS protocol is used to broadcast the name registration on the local subnet. | Page 23 to Page 25 |
| 15 | The WinLogon process loads the MSGINA.DLL library to display the logon dialog box. | The stack of the WinLogon process can be seen to load the MSGINA library and call the ‘WlxDisplaySASNotice’ function, which displays the press CTRL-ALT-DEL message. | No network activity associated with this step. | Page 26 to Page 29 |
| 16 | CTRL-ALT-DEL (SAS event) has been pressed. | The WinLogon process reads the HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon registry key and the stack contains functions called from the MSGINA library. | No network activity associated with this step. | Page 30 |
| 17 | The user has entered their credentials and pressed enter, which triggers a SAS event. | The LSASS process reads the HKLM\System\CurrentControlSet\Services\NetLogon\JoinDomain registry key and the stack of this process can be seen to call functions from the Kerberos.dll library in response to the logon attempt. | Kerberos requests can be seen requesting authentication tickets for domain services. | Page 31 & Page 32 |
| 18 | Once initial authentication has been successful, the desktop starts to load. | Filtering the ProcMon capture file for anything in the path or detail that contains the username quickly identifies the processes associated with loading the profile and profile-specific settings. | A large amount of SMB traffic can be seen accessing shares containing scripts etc. Filtering for the username in the SMB traffic can quickly identify traffic associated with the user’s profile. | Page 33 & Page 34 |
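To make the ProcMon signatures in the milestone table mechanically checkable rather than something to eyeball in the GUI, here is an added Python example (it is not code from the report). It parses a Process Monitor CSV export, tags each event with the SMSS.EXE milestone whose signature it matches, reports the order in which the milestones first appear, and extracts what was read from the BootExecute value so it can be compared with a known-good baseline. The CSV rows are constructed for the example (process names, PIDs, times and Detail strings are hypothetical), and the matching rules in MILESTONES, together with the function names, are my reading of the table's signatures rather than anything ProcMon provides.

```python
import csv
import io
import re
from collections import OrderedDict

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Column names follow ProcMon's export; the rows are hypothetical and are not
# taken from the report's own capture.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","smss.exe","368","Thread Create","","SUCCESS","Thread ID: 372"
"10:01:02.0002","smss.exe","368","Thread Create","","SUCCESS","Thread ID: 376"
"10:01:02.0100","smss.exe","368","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\DOS Devices\AUX","SUCCESS","Type: REG_SZ, Length: 26, Data: \DosDevices\AUX"
"10:01:02.0200","smss.exe","368","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute","SUCCESS","Type: REG_MULTI_SZ, Length: 44, Data: autocheck autochk *"
"10:01:02.0300","smss.exe","368","RegQueryValue","HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations","NAME NOT FOUND","Length: 144"
"10:01:02.0400","smss.exe","368","RegEnumValue","HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs","SUCCESS","Index: 0, Name: DllDirectory, Type: REG_EXPAND_SZ, Length: 40, Data: %SystemRoot%\system32"
"10:01:02.0500","smss.exe","368","CreateFile","C:\pagefile.sys","SUCCESS","Desired Access: Generic Read/Write"
"10:01:02.0600","smss.exe","368","CreateFile","C:\WINDOWS\system32\win32k.sys","SUCCESS","Desired Access: Generic Read"
"10:01:02.0700","smss.exe","368","CreateFile","C:\WINDOWS\system32\csrss.exe","SUCCESS","Desired Access: Execute/Traverse"
"10:01:02.0800","smss.exe","368","CreateFile","C:\WINDOWS\system32\winlogon.exe","SUCCESS","Desired Access: Execute/Traverse"
"10:01:02.0900","winlogon.exe","404","Thread Create","","SUCCESS","Thread ID: 408"
'''.strip()

# (step, label, process, operations, path regex): one rule per SMSS.EXE milestone
# in the table whose ProcMon signature is a registry/file path or a thread create.
MILESTONES = [
    (1,  "LPC port and worker threads",  "smss.exe", {"Thread Create"},                               r"^$"),
    (2,  "MS-DOS device symbolic links", "smss.exe", {"RegOpenKey", "RegQueryValue", "RegEnumValue"}, r"Session Manager\\DOS Devices"),
    (4,  "BootExecute programs",         "smss.exe", {"RegQueryValue"},                               r"Session Manager\\BootExecute$"),
    (5,  "Pending file rename/delete",   "smss.exe", {"RegQueryValue"},                               r"Session Manager\\PendingFileRenameOperations2?$"),
    (6,  "KnownDLLs section objects",    "smss.exe", {"RegOpenKey", "RegQueryValue", "RegEnumValue"}, r"Session Manager\\KnownDLLs"),
    (7,  "Paging file",                  "smss.exe", {"CreateFile", "ReadFile", "WriteFile"},         r"\\pagefile\.sys$"),
    (10, "Win32k.sys load",              "smss.exe", {"CreateFile"},                                  r"\\win32k\.sys$"),
    (11, "csrss.exe start",              "smss.exe", {"CreateFile"},                                  r"\\csrss\.exe$"),
    (12, "winlogon.exe start",           "smss.exe", {"CreateFile"},                                  r"\\winlogon\.exe$"),
]

DEFAULT_BOOTEXECUTE = "autocheck autochk *"   # the only entry a clean XP install carries


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into row dicts, preserving capture order."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(rows):
    """Map each row to the first milestone whose signature it satisfies.
    Returns an OrderedDict step -> matching rows, keyed in first-seen order."""
    hits = OrderedDict()
    for row in rows:
        for step, _label, proc, ops, path_re in MILESTONES:
            if (row["Process Name"].lower() == proc and row["Operation"] in ops
                    and re.search(path_re, row["Path"], re.IGNORECASE)):
                hits.setdefault(step, []).append(row)
                break
    return hits


def milestone_order(rows):
    """Step numbers in the order their first signature appears in the capture."""
    return list(classify(rows).keys())


def bootexecute_entries(rows):
    """Data strings read from the BootExecute value (step 4)."""
    entries = []
    for row in rows:
        if row["Operation"] == "RegQueryValue" and row["Path"].lower().endswith(r"\bootexecute"):
            m = re.search(r"Data:\s*(.*)$", row["Detail"])
            if m:
                entries.append(m.group(1).strip())
    return entries


def unexpected_bootexecute(rows):
    """BootExecute entries that differ from the default and so need reconciling with a baseline."""
    return [e for e in bootexecute_entries(rows) if e != DEFAULT_BOOTEXECUTE]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for step, matched in classify(rows).items():
        label = next(m[1] for m in MILESTONES if m[0] == step)
        print(f"step {step:>2}  {label:<28} first seen {matched[0]['Time of Day']} ({len(matched)} events)")
    print("BootExecute:", bootexecute_entries(rows), "unexpected:", unexpected_bootexecute(rows))
```

Against a real capture, replace SAMPLE_CSV with the contents of the CSV export; milestone_order should come back in ascending step order, and anything unexpected_bootexecute reports is worth reconciling against a known-good build before the capture is trusted as a baseline.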

Appendix F – Kerberos Authentication Sequence


Understanding Kerberos Concepts (Courtesy of Microsoft TechNet)
Kerberos Version 5 is standard on all versions of Windows 2000 and ensures the highest level of security to network resources. The Kerberos protocol name
is based on the three-headed dog figure from Greek mythology known as Kerberos. The three heads of Kerberos comprise the Key Distribution Center
(KDC), the client user and the server with the desired service to access. The KDC is installed as part of the domain controller and performs two service
functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). As exemplified in the figure below, three exchanges are involved when the
client initially accesses a server resource:

1. AS Exchange
2. TGS Exchange
3. Client/Server (CS) Exchange

AS Exchange
When initially logging on to a network, users must negotiate access by providing a log-in name and password in order to be verified by the AS portion of a
KDC within their domain. The KDC has access to Active Directory user account information. Once successfully authenticated, the user is granted a Ticket to
Get Tickets (TGT) that is valid for the local domain. The TGT has a default lifetime of 10 hours and may be renewed throughout the user's log-on session
without requiring the user to re-enter his password. The TGT is cached on the local machine in volatile memory space and used to request sessions with
services throughout the network. The following is a discussion of the TGT retrieval process.

Example AS Administration
The AS request identifies the client to the KDC in plain text and if pre-authentication is enabled, a time stamp will be encrypted using the user's password
hash as an encryption key. If the KDC reads a valid time when using the user's password hash (stored in the Active Directory) to decrypt the time stamp, the
KDC knows that request isn't a replay of a previous request. The pre-authentication feature may be disabled for specific users in order to support some
applications that don't support the security feature. Access the user account from the Active Directory Users and Computers snap-in and select the
Account tab. From the Account options slide window, check mark the "Do not require Kerberos preauthentication" option as shown below.

If the KDC approves the client's request for a TGT, the reply (referred to as the AS reply) will include two sections: a TGT encrypted with a key that only the
KDC (TGS) can decrypt and a session key encrypted with the user's password hash to handle future communications with the KDC. Because the client
system cannot read the TGT contents, it must blindly present the ticket to the TGS for service tickets. The TGT includes time to live parameters,
authorization data, a session key to use when communicating with the client and the client's name.

TGS Exchange
The user presents the TGT to the TGS portion of the KDC when desiring access to a server service. The TGS on the KDC authenticates the user's TGT and
creates a ticket and session key for both the client and the remote server. This information, known as the service ticket, is then cached locally on the client
machine.
The TGS receives the client's TGT and reads it using its own key. If the TGS approves of the client's request, a service ticket is generated for both the client
and the target server. The client reads its portion using the TGS session key retrieved earlier from the AS reply. The client presents the server portion of the
TGS reply to the target server in the client/server exchange coming next.

Client/Server Exchange
Once the client user has the client/server service ticket, he can establish the session with the server service. The server can decrypt the information coming
indirectly from the TGS using its own long-term key with the KDC. The service ticket is then used to authenticate the client user and establish a service
session between the server and client. After the ticket's lifetime is exceeded, the service ticket must be renewed to use the service.

Client/Server Exchange Detail


The client blindly passes the server portion of the service ticket to the server in the client/server request to establish a client/server session. If mutual
authentication is enabled, the target server returns a time stamp encrypted using the service ticket session key. If the time stamp decrypts correctly, not
only has the client authenticated himself to the server, but the server also has authenticated itself to the client. The target server never has to directly
communicate with the KDC. This reduces downtime and pressure on the KDC.
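The three exchanges described above, carried out end to end as an added Python example (it is not from the report or from the TechNet article it quotes). A small hash-based authenticated cipher stands in for Kerberos' real encryption types, JSON dictionaries stand in for ASN.1 tickets, and the principal names, passwords and keys are constructed for the example. It shows the pre-authentication timestamp check backed by a replay cache, the TGT staying opaque to the client, the service ticket being readable only with the server's own long-term key, and the mutual-authentication reply.

```python
import hashlib
import hmac
import json
import os

TGT_LIFETIME = 10 * 3600   # seconds: the 10-hour default the text describes
CLOCK_SKEW = 5 * 60        # seconds: tolerance applied to pre-auth and authenticator timestamps


# --- toy authenticated encryption; stands in for Kerberos' encryption types ---
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under key; returns opaque bytes."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(8)
    body = nonce + bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    body, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], tag):
        raise ValueError("wrong key or corrupted ticket")
    nonce, ct = body[:8], body[8:]
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password):
    """Stand-in for the password hash the AS uses as the user's long-term key."""
    return hashlib.sha256(password.encode()).digest()


def _fresh(ts, now):
    return abs(now - ts) <= CLOCK_SKEW


class KDC:
    """AS and TGS roles in one object; 'now' is passed in so runs are deterministic."""
    def __init__(self, users, services):
        self.users = {u: password_key(p) for u, p in users.items()}
        self.services = {s: os.urandom(32) for s in services}   # services' long-term keys
        self.krbtgt = os.urandom(32)                            # key only the TGS can read
        self.seen_preauth = set()                               # replay cache

    def as_exchange(self, user, preauth, now):
        """AS: verify the encrypted timestamp, then issue a TGT plus a session key."""
        key = self.users[user]
        ts = unseal(key, preauth)["ts"]          # ValueError here means a wrong password
        if not _fresh(ts, now) or (user, ts) in self.seen_preauth:
            raise PermissionError("pre-authentication rejected (skew or replay)")
        self.seen_preauth.add((user, ts))
        sk = os.urandom(32)
        tgt = seal(self.krbtgt, {"client": user, "sk": sk.hex(), "exp": now + TGT_LIFETIME})
        return tgt, seal(key, {"sk": sk.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS: open the TGT with its own key, check the authenticator, issue a service ticket."""
        t = unseal(self.krbtgt, tgt)
        sk = bytes.fromhex(t["sk"])
        auth = unseal(sk, authenticator)
        if auth["client"] != t["client"] or now > t["exp"] or not _fresh(auth["ts"], now):
            raise PermissionError("TGT or authenticator rejected")
        ssk = os.urandom(32)
        ticket = seal(self.services[service], {"client": t["client"], "sk": ssk.hex(), "exp": t["exp"]})
        return ticket, seal(sk, {"sk": ssk.hex(), "service": service})


def server_accept(service_key, ticket, authenticator, now):
    """CS exchange, server side: needs only its own long-term key, never the KDC."""
    t = unseal(service_key, ticket)
    ssk = bytes.fromhex(t["sk"])
    auth = unseal(ssk, authenticator)
    if auth["client"] != t["client"] or now > t["exp"] or not _fresh(auth["ts"], now):
        raise PermissionError("service ticket rejected")
    return t["client"], seal(ssk, {"ts": auth["ts"]})    # mutual-authentication reply


def logon_and_access(kdc, user, password, service, now):
    """Client side of all three exchanges: (name the server saw, mutual auth ok, preauth blob)."""
    key = password_key(password)
    preauth = seal(key, {"ts": now})
    tgt, reply = kdc.as_exchange(user, preauth, now)
    sk = bytes.fromhex(unseal(key, reply)["sk"])         # the TGT itself stays opaque to the client
    ticket, reply = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": now}), service, now)
    ssk = bytes.fromhex(unseal(sk, reply)["sk"])
    # A real server holds its own key; the simulation fetches it from the KDC's table.
    who, reply = server_accept(kdc.services[service], ticket, seal(ssk, {"client": user, "ts": now}), now)
    return who, unseal(ssk, reply)["ts"] == now, preauth


def preauth_replay_rejected(kdc, user, preauth, now):
    """True if re-sending an already used pre-authentication blob is refused by the AS."""
    try:
        kdc.as_exchange(user, preauth, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery"}, ["cifs/fileserver.example.test"])
    now = 1_700_000_000
    who, mutual, preauth = logon_and_access(kdc, "alice", "correct horse battery", "cifs/fileserver.example.test", now)
    print(f"server authenticated {who}; mutual authentication ok: {mutual}")
    print("replayed pre-auth rejected:", preauth_replay_rejected(kdc, "alice", preauth, now))
```

Two things in the flow are worth noticing when reading a capture like the one in step 17 of the milestone table: a wrong password fails inside the AS exchange (the KDC cannot unseal the timestamp), so no TGT ever appears on the wire, and the server side never contacts the KDC, which is why only the KDC and SMB conversations show up in the trace.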

Further Clarification of the Log-in Process


A TGT and a service ticket are needed to access services on remote computers, but they are also required to successfully log on to a local system. When the
log-on window appears, password encryption using a one-way hash algorithm occurs immediately and negotiations commence with the KDC for a valid TGT
and service ticket. The process is the same as accessing a remote service. An access token is created for the user containing all security groups to which they
belong. This access token is attached to the user's log-on session and is subsequently inherited by any process or application the user starts.

Referral Tickets
The AS and TGS functions are separate within the KDC. This permits the user to use the TGT obtained from an AS in his domain to obtain service tickets
from a TGS in other domains. This is accomplished through referral tickets.

Once a trust has been established between two domains, referral tickets can be granted to clients requesting authorization for services in other domains.
When there is a trust established between the two domains, an interdomain key based on the trust password becomes available for authenticating KDC
functions. This can best be explained by example of a user/client seeking services in another domain. As illustrated in Figure 3, a user client in Entcert1.com
requests authority for a server in Entcert2.com. He utilizes referral tickets. The numbers in Figure 3 correspond to the following numbered explanations:

1. The client contacts its domain KDC TGS using a TGT. The KDC recognizes a request for a session with a foreign domain server and responds by
returning a referral ticket for the KDC in the foreign domain.

2. The client contacts the KDC of the foreign domain with the referral ticket. This ticket is encrypted with the interdomain key. Given that the
decryption works, the TGS service for the foreign domain returns a service ticket for the server service in Entcert2.com.

3. The client performs the client/server exchange with the server and begins the user session with the service.

When more domains are involved, the referral process extends and involves the transitive properties between Windows 2000 domains. Maintaining
individual two-way trusts between all domains creates a complex administrative nightmare. The use of Kerberos transitive domains cuts down on
interdomain administration. This can best be explained by example of a user/client seeking services in another domain. As illustrated in Figure 11-4,
Entcert1.com has a trust relationship with Entcert2.com. Entcert2.com has a trust relationship with Entcert3.com. There is no trust between Entcert1.com
and Entcert3.com. A client from Entcert1.com accessing a service on a server in Entcert3.com would obtain a service ticket through the following steps (the
numbers appearing in Figure 4 correspond to the following numbered explanations):
1. Use the TGS service in Entcert1.com to obtain a referral ticket for a KDC in Entcert2.com.

2. Use the referral ticket with the TGS service on the KDC in Entcert2.com and obtain a referral for Entcert3.com.

3. Use the second referral ticket with the TGS service on the KDC for Entcert3.com and obtain a service ticket for the server in Entcert3.com.

4. Use the Client/Server Exchange to open a session with the service in Entcert3.com.

Delegation with Forwarding and Proxy


Some server services require access to a second server, such as a back-end database. In order to establish a session with the second server, the primary
server must be authenticated on behalf of the client's user account and authority level. This is common in a three-tier client/server model. This activity is
commonly accomplished with proxy or forwarding authentication.
