The Windows Club

TheWindowsClub covers authentic Windows 11, Windows 10 tips, tutorials, how-to's, features, freeware. Created by Anand Khanse, MVP.

How to Secure the Boot Process in Windows 11/10

Download Windows Speedup Tool to fix errors and make PC run faster

You will agree that an operating system’s primary function is to provide a safe execution environment where different applications can run safely. This necessitates the requirement of a basic framework for uniform program execution to use the hardware and access system resources securely. The Windows Kernel provides this basic service in all but the most simplistic operating systems. Several portions of the OS initialize and run at system boot time to enable these fundamental capabilities for the operating system.

In addition to this, other features are capable of offering initial protection. These include:

  • Windows Defender offers comprehensive protection for your system, files, and online activities from malware and other threats. The tool uses signatures to detect and quarantine apps that are malicious in nature.
  • SmartScreen Filter issues warnings to users before enabling them to run an untrustworthy app. Here, it is important to remember that these features can offer protection only after Windows starts. Most modern malware—and bootkits in particular, can run even before Windows starts, thereby lying hidden and bypassing operating system security, completely.

Fortunately, Windows 11/10 provides protection even during startup. How? Well, for this, we first need to understand what Rootkits are and how they work. Thereafter, we can delve deeper into the subject and find how Windows protection system works.

Boot Process

Rootkits

Rootkits are a set of tools used by crackers to hack a device. The cracker tries installing a rootkit on a computer first by obtaining user-level access, either by exploiting a known vulnerability or cracking a password, and then retrieving the required information. The rootkit conceals the fact that an operating system has been compromised by replacing vital executables.

Different types of rootkits run during different phases of the startup process. These include,

  1. Kernel rootkits – Developed as device drivers or loadable modules, these kits can replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
  2. Firmware rootkits – These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can kick in before Windows wakes up.
  3. Driver rootkits – At the driver level, applications can access the system’s hardware fully. So, this kit pretends to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
  4. Bootkits – It is an advanced form of rootkits that takes the basic functionality of a rootkit and extends it with the ability to infect the Master Boot Record (MBR). It replaces the operating system’s bootloader so that the PC loads the Bootkit before the operating system.

Windows 11/10 has four features that secure the Windows boot process and avoid these threats.

Securing the Windows Boot Process

Secure Boot

Secure Boot is a security standard developed by members of the PC industry to help you protect your system from malicious programs by not allowing any unauthorized applications to run during the system start-up process. The feature ensures that your PC boots are using only software that the PC manufacturer trusts. So, whenever your PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are verified, the PC boots and the firmware gives control to the operating system.

Trusted Boot

This bootloader uses the Virtual Trusted Platform Module (VTPM) to verify the digital signature of the Windows 10 kernel before loading it, which, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been altered or changed to any extent, the bootloader detects it and refuses to load it by recognizing it as a corrupted component. In short, it provides a chain of trust for all the components during boot.

Early Launch Anti-Malware

Early launch anti-malware (ELAM) protects the computers present in a network when they start up and before third-party drivers initialize. After Secure Boot has successfully managed to protect the bootloader and Trusted Boot has finished/completed the task of safeguarding the Windows kernel, the role of ELAM begins. It closes any loophole left for malware to start or initiate infection by infecting a non-Microsoft boot driver. The feature immediately loads a Microsoft or non-Microsoft anti-malware. This helps in establishing a continuous chain of trust established by Secure Boot and Trusted Boot, earlier.

Measured Boot

It has been observed that PCs infected with rootkits continue to appear healthy, even with anti-malware running. These Infected PCs, if connected to a network in an enterprise, pose a serious risk to other systems by opening routes for the rootkits to access vast amounts of confidential data. Measured Boot in Windows allows a trusted server on the network to verify the integrity of the Windows startup process by using the following processes.

  1. Running non-Microsoft remote attestation client – The trusted attestation server sends the client a unique key at the end of every startup process.
  2. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
  3. The TPM uses the unique key to sign the log recorded by the UEFI digitally. The client then sends the log to the server, possibly with other security information.

With all this information at hand, the server can now find whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.

Read the full details on Microsoft.

AnandK@TWC

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP (2006-16) & a Windows Insider MVP (2016-2022). Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.