How They Work — Boot · Kernel · User Space · System Architecture
bootmgfw.efi from the EFI System Partition (ESP).
winload.efi
ntoskrnl.exe (NT OS Kernel) into RAM
hal.dll — Hardware Abstraction Layer
ntoskrnl.exe is the heart of Windows — runs entirely in Kernel Mode (Ring 0).
SYSTEM hive provides driver config
pagefile.sys)
win32k.sys kernel-mode, csrss.exe user-mode)
wininit.exe for session 0 (services) and winlogon.exe for interactive logon
wininit.exe — starts all configured Windows Services.
winlogon.exe manages the secure attention sequence (Ctrl+Alt+Del) and logon.
lsass.exe) authenticates credentials via Kerberos / NTLM
userinit.exe → explorer.exe (Desktop) or shell for admin sessions
ntdll.dll → syscall instruction → kernel
grubx64.efi.
/boot/grub2/grub.cfg — generated by grub2-mkconfig
vmlinuz) and initramfs into RAM
root=, rd.lvm.lv=, rhgb quiet
/ (root filesystem) — LVM volume, XFS, ext4, or NFS
pivot_root) to the real filesystem, then discards itself
vmlinuz) decompresses itself and begins hardware setup — runs in Kernel Space.
modprobe) or built-in
/sbin/init → symlinked to systemd on RHEL 7+
/usr/lib/systemd/system/ and /etc/systemd/system/
multi-user.target (headless) or graphical.target
/etc/fstab and activates swap
/dev
journald collects logs from all units — queryable via journalctl
/var/log/audit/audit.log
getty), or SSSD-integrated AD authentication.
/etc/pam.d/
bash, zsh) and loads environment: /etc/profile, ~/.bashrc
/etc/sudoers.d/
syscall / int 0x80 instruction — glibc wraps them