Windows Server & RHEL Linux

How They Work — Boot · Kernel · User Space · System Architecture

Microsoft

Windows Server

1 · Power On & POST
The server powers on and the CPU starts executing firmware from ROM.
  • POST (Power-On Self Test) — hardware inventory: CPU, RAM, PCI devices
  • UEFI Firmware (replaces legacy BIOS on Server 2016+) initializes platform
  • Secure Boot validates bootloader signature against firmware certificate store
2 · Windows Boot Manager (BOOTMGR)
UEFI locates and executes bootmgfw.efi from the EFI System Partition (ESP).
  • Reads Boot Configuration Data (BCD) store — lists OS entries
  • Presents boot menu if multiple OS entries exist; selects default after timeout
  • Hands control to the OS Loader: winload.efi
3 · Windows OS Loader (winload.efi)
Loads the kernel and critical early components into memory.
  • Loads ntoskrnl.exe (NT OS Kernel) into RAM
  • Loads hal.dll — Hardware Abstraction Layer
  • Loads boot-start drivers (storage, filesystem) needed to mount the system volume
  • Initializes Kernel Mode — switches CPU to Ring 0 (privileged)
4 · NT Kernel & Executive Initialization
ntoskrnl.exe is the heart of Windows — runs entirely in Kernel Mode (Ring 0).
  • Memory Manager — virtual memory, page tables, working sets
  • Process & Thread Manager — scheduling, context switching
  • I/O Manager — routes all I/O requests through driver stack
  • Security Reference Monitor — access control, token validation
  • Object Manager — manages kernel objects (files, events, processes)
  • Registry loaded into memory — SYSTEM hive provides driver config
5 · Session Manager (smss.exe)
First User Mode process — launched directly by the kernel.
  • Creates the system page file (pagefile.sys)
  • Initializes the Win32 subsystem (win32k.sys kernel-mode, csrss.exe user-mode)
  • Launches wininit.exe for session 0 (services) and winlogon.exe for interactive logon
6 · Service Control Manager (services.exe)
Launched by wininit.exe — starts all configured Windows Services.
  • Starts Auto services first: LanmanServer, EventLog, Netlogon, RPC, WMI
  • Services run as SYSTEM, Network Service, Local Service, or domain accounts
  • On Server Core: no GUI — management via PowerShell / WinRM / MMC remoting
  • On Desktop Experience: Starts dwm.exe (Desktop Window Manager) and Explorer
7 · User Logon & Authentication
winlogon.exe manages the secure attention sequence (Ctrl+Alt+Del) and logon.
  • LSASS (lsass.exe) authenticates credentials via Kerberos / NTLM
  • Creates a User Access Token with SIDs and privilege set
  • Starts userinit.exe → explorer.exe (Desktop) or shell for admin sessions
  • Group Policy applied: computer policy at boot, user policy at logon
8 · Running State — User & Kernel Space
All applications run in User Mode (Ring 3) and request kernel services via system calls.
  • Win32 API calls route through ntdll.dll → syscall instruction → kernel
  • Kernel Mode Drivers handle storage, network, GPU, and devices
  • WMI / .NET / PowerShell provide management surfaces
  • Hyper-V hypervisor (if enabled) runs at Ring -1, VMMs above it
Windows Server — Privilege Ring Model
User Mode · Ring 3 (Non-Privileged)
  • Win32 Apps · PowerShell · Services (svchost) · IIS / SQL Server · csrss.exe · lsass.exe
System Call Interface · ntdll.dll → SYSCALL instruction
Kernel Mode · Ring 0 (Privileged)
  • NT Kernel (ntoskrnl) · HAL · I/O Manager · Memory Mgr · Process Mgr · Security Ref. Monitor · Kernel Drivers · NTFS / ReFS Driver · TCP/IP Stack
Hyper-V Hypervisor (Ring -1) — virtualizes hardware when roles enabled
CPU · RAM · Storage · Network · GPU
Red Hat

RHEL Linux Server

1 · Power On & POST
Same physical layer — CPU executes firmware from ROM on power-on.
  • POST — verifies CPU, RAM, PCI/NVMe devices; the BMC (iDRAC) initializes
  • UEFI Firmware scans EFI System Partition for boot entries
  • Secure Boot validates GRUB2 shim signature against Red Hat's signing key
2 · GRUB2 Bootloader
GRand Unified Bootloader 2 — installed to EFI partition as grubx64.efi.
  • Reads /boot/grub2/grub.cfg — generated by grub2-mkconfig
  • Presents kernel selection menu (default: latest kernel; timeout configurable)
  • Loads the selected kernel image (vmlinuz) and initramfs into RAM
  • Passes kernel parameters: root=, rd.lvm.lv=, rhgb quiet
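The parameters GRUB2 passes decide how the rest of the chain comes up, so the kernel command line is worth checking on a running host. The function below is an added example, not part of the original page: it flags parameters that switch off SELinux or auditing, replace PID 1, or stop the boot in initramfs or rescue mode. The sample command lines and finding labels are constructed.

```shell
#!/bin/sh
# Added example: audit a kernel command line (as passed by GRUB2) for
# parameters that weaken the boot chain. Finding labels are this example's own.
# Limitation: values containing quoted spaces are split on whitespace.

audit_cmdline() {
    cmdline=$1
    findings=""
    set -f                              # no glob expansion while word-splitting
    for param in $cmdline; do
        case $param in
            selinux=0)            findings="$findings selinux-disabled" ;;
            enforcing=0)          findings="$findings selinux-permissive" ;;
            audit=0)              findings="$findings audit-disabled" ;;
            init=*)               findings="$findings init-override:${param#init=}" ;;
            rd.break|rd.break=*)  findings="$findings initramfs-break" ;;
            single|1|rescue|emergency|systemd.unit=rescue.target|systemd.unit=emergency.target)
                                  findings="$findings rescue-mode" ;;
        esac
    done
    set +f
    findings=${findings# }              # drop the leading separator
    printf '%s\n' "${findings:-ok}"     # "ok" when nothing was flagged
}

# Constructed sample lines (not captured from a real host).
SAMPLE_GOOD='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0 root=/dev/mapper/rhel-root rd.lvm.lv=rhel/root rhgb quiet'
SAMPLE_BAD='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0 root=/dev/mapper/rhel-root enforcing=0 audit=0 init=/bin/sh'

audit_cmdline "$SAMPLE_GOOD"
audit_cmdline "$SAMPLE_BAD"

# On a live system, audit what the running kernel was actually booted with.
if [ -r /proc/cmdline ]; then
    audit_cmdline "$(cat /proc/cmdline)"
fi
```

A finding here describes the current boot only; the persistent defaults live in the GRUB2 configuration the bootloader reads.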
3 · initramfs — Early Userspace
A compressed RAM-based filesystem loaded before the real root is mounted.
  • Contains kernel modules for storage drivers (LVM, dm-crypt, iSCSI, NVMe)
  • dracut builds initramfs on RHEL — modular and customizable
  • Mounts the real / (root filesystem) — LVM volume, XFS, ext4, or NFS
  • Switches root (pivot_root) to the real filesystem, then discards itself
4 · Linux Kernel Initialization
The kernel (vmlinuz) decompresses itself and begins hardware setup — runs in Kernel Space.
  • Memory subsystem — NUMA topology, buddy allocator, slab allocator, swap
  • Scheduler — CFS (Completely Fair Scheduler) initializes per-CPU run queues
  • VFS (Virtual Filesystem Switch) — abstracts ext4, XFS, tmpfs, proc, sysfs
  • Network stack — TCP/IP, netfilter (firewalld/iptables), bonding drivers
  • Device drivers loaded as modules (modprobe) or built-in
  • Launches PID 1: /sbin/init → symlinked to systemd on RHEL 7+
5 · systemd — PID 1 & Init System
systemd is the first User Space process — parent of all other processes.
  • Reads unit files from /usr/lib/systemd/system/ and /etc/systemd/system/
  • Activates the default target: multi-user.target (headless) or graphical.target
  • Starts units in parallel using dependency graph (wants, requires, after, before)
  • Mounts filesystems per /etc/fstab and activates swap
  • Starts udevd — dynamic device manager for /dev
  • journald collects logs from all units — queryable via journalctl
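Because systemd reads both directories and a unit in /etc/systemd/system/ takes precedence over one of the same name in /usr/lib/systemd/system/, a replaced or masked vendor unit is worth reviewing. The script below is an added example, not part of the original page; the demo tree and its unit files are constructed.

```shell
#!/bin/sh
# Added example: report units in the admin directory that take precedence
# over a vendor unit of the same name.
# Usage: shadowed_units [ETC_DIR] [VENDOR_DIR]
shadowed_units() {
    etc_dir=${1:-/etc/systemd/system}
    vendor_dir=${2:-/usr/lib/systemd/system}
    for unit in "$etc_dir"/*.service "$etc_dir"/*.socket "$etc_dir"/*.timer; do
        [ -e "$unit" ] || [ -L "$unit" ] || continue   # unmatched glob pattern
        name=${unit##*/}
        [ -e "$vendor_dir/$name" ] || continue          # admin-only unit, nothing shadowed
        if [ -L "$unit" ]; then
            target=$(readlink "$unit")
            case $target in
                /dev/null)           echo "masked $name" ;;
                "$vendor_dir/$name") ;;                 # alias to the vendor unit itself
                *)                   echo "redirected $name -> $target" ;;
            esac
        else
            echo "override $name"                       # full replacement of the vendor unit
        fi
    done
    return 0
}

# Constructed demo tree: dummy unit files in a temporary directory.
demo_shadowed_units() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/etc" "$tmp/vendor"
    for u in sshd chronyd auditd firewalld; do
        echo "[Unit]" > "$tmp/vendor/$u.service"
    done
    echo "[Unit]" > "$tmp/etc/sshd.service"                          # replaces the vendor unit
    ln -s /dev/null "$tmp/etc/auditd.service"                        # masked
    ln -s "$tmp/vendor/chronyd.service" "$tmp/etc/chronyd.service"   # harmless alias
    echo "[Unit]" > "$tmp/etc/custom.service"                        # no vendor counterpart
    shadowed_units "$tmp/etc" "$tmp/vendor"
    rm -rf "$tmp"
}

demo_shadowed_units
```

Drop-in directories (`name.service.d/`) are not covered here; on a live host `systemd-delta` reports those as well.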
6 · System Services & Daemons
Core RHEL daemons started by systemd targets:
  • NetworkManager — manages network interfaces, bonds, VLANs, DNS
  • firewalld — zone-based firewall using nftables backend
  • sshd — remote administration via SSH (replaces console for servers)
  • chronyd — NTP time synchronization (replaces ntpd on RHEL 7+)
  • auditd — kernel audit framework, writes to /var/log/audit/audit.log
  • rsyslog or journald — centralized logging and forwarding
  • tuned — performance profile daemon (throughput, latency, virtual-guest)
7 · User Login & Authentication
Users log in via SSH, console (getty), or SSSD-integrated AD authentication.
  • PAM (Pluggable Authentication Modules) — authentication pipeline: /etc/pam.d/
  • SSSD — integrates with Active Directory / LDAP; caches credentials offline
  • Login spawns a shell (bash, zsh) and loads environment: /etc/profile, ~/.bashrc
  • SELinux enforces Mandatory Access Control — process context labels on all actions
  • sudo provides controlled privilege escalation; /etc/sudoers.d/
8 · Running State — User & Kernel Space
Applications run in User Space and interact with hardware only through the kernel.
  • System calls enter the kernel via syscall / int 0x80 instruction — glibc wraps them
  • cgroups v2 — resource limits (CPU, RAM, I/O) applied per service/container
  • namespaces — process, network, mount, user isolation (basis for containers)
  • Podman / containers run as namespaced userspace processes on RHEL 8+
  • KVM/QEMU provides hypervisor when RHEL is used as a virtualization host
RHEL Linux — Privilege Boundary Model
User Space (Non-Privileged)
  • Shell (bash) · Applications · systemd services · sshd / httpd · Podman containers · SSSD / PAM
System Call Interface · glibc → SYSCALL instruction → kernel
Kernel Space (Privileged)
  • Linux Kernel (vmlinuz) · CFS Scheduler · Memory Mgr · VFS Layer · XFS / ext4 driver · TCP/IP + netfilter · SELinux LSM · Device Drivers (.ko) · cgroups v2
KVM Hypervisor (kernel module) — virtualizes when RHEL hosts VMs
CPU · RAM · Storage · Network · GPU
Side-by-Side Comparison (Windows Server | RHEL Linux)
Firmware / Boot
  • UEFI + Secure Boot | UEFI + Secure Boot
  • BOOTMGR → winload.efi | GRUB2 shim → vmlinuz
  • BCD store controls menu | grub.cfg controls menu
Kernel
  • NT Kernel (ntoskrnl.exe) | Linux Kernel (vmlinuz)
  • Monolithic with WDM driver model | Monolithic + loadable modules (.ko)
  • HAL abstracts hardware | Device Tree / ACPI abstracts hardware
Init System (PID 1)
  • smss.exe → wininit.exe | systemd (/sbin/init)
  • SCM starts services | Unit files & targets
  • Registry for service config | /etc/systemd/system/
Authentication
  • LSASS + Kerberos/NTLM | PAM + SSSD + Kerberos
  • AD via native domain join | AD via realm / SSSD
  • Group Policy (GPO) | SSSD + sudo + PAM policy
Access Control
  • ACLs + Security Tokens | DAC + SELinux (MAC)
  • SID-based DACL on objects | Unix permissions + labels
  • UAC for elevation | sudo for elevation
Filesystem
  • NTFS / ReFS | XFS (default) / ext4
  • VSS for snapshots | LVM snapshots / Btrfs
  • Drive letters (C:\, D:\) | Single tree from / (root)
Networking
  • NDIS + WFP (firewall) | netfilter + nftables
  • Windows Firewall / Defender | firewalld zones
  • NIC Teaming / LBFO | bonding / team drivers
Logging
  • Windows Event Log | journald + rsyslog
  • Event Viewer / Get-WinEvent | journalctl -xe
  • EVTX binary format | Binary journal + /var/log/
Package Management
  • MSI / MSIX / WinGet | RPM / DNF (yum)
  • WSUS / SCCM patching | subscription-manager + repos
  • Windows Update | dnf update / yum update
Virtualization
  • Hyper-V (Ring -1) | KVM (kernel module)
  • Hyper-V Manager / SCVMM | virsh / virt-manager / oVirt
  • VMBus for synthetic devices | virtio drivers for VMs
Remote Management
  • WinRM / PowerShell / RDP | SSH / Ansible / Cockpit
  • port 5985/5986 (WS-Man) | port 22 (OpenSSH)
  • MMC snap-ins / RSAT | Web console: :9090 (Cockpit)
Containers
  • Windows Containers / Docker | Podman / Docker / CRI-O
  • Process isolation via jobs | namespaces + cgroups v2
  • Nano Server / Server Core images | UBI (Red Hat base images)