Win

🧵 The Kernel Boot Blind Spot: Why EDR/AVs are "Brainless" in Phase 0 (SERVICE_BOOT_START) If you think the Windows Registry is fully available when Kernel Drivers initialize, you’re mistaken. If you think the Filesystem as you are familiar with is fully initialized during the Phase 0, you’re mistaken. And judging by my recent Procmon boot logs (up-to-date Windows 11 25H2), even #Microsoft developers seem to forget this architectural reality. 1⃣ The Hive Gap During Phase 0 (SERVICE_BOOT_START) and Phase 1 (SERVICE_SYSTEM_START), the OS Loader and Kernel only map the SYSTEM hive. The SOFTWARE hive and others? They don’t exist yet. They are physically on disk, but not mounted into the Object Manager namespace until smss.exe kicks in (Phase >1). 2⃣ The "NAME NOT FOUND" Wall of Shame I boot-logged a fresh Windows 11 25H2 install (you can do too). The amount of Microsoft drivers (e.g., Ntfs.sys, Tcpip.sys, Fvevol.sys, Mup.sys, Crashdmp.sys, Netio.sys, Pacer.sys, etc.) spamming RegOpenKey on HKLM\SOFTWARE and getting NAME NOT FOUND is comical. They are blindly grasping for config keys that architecturally cannot exist yet. 3⃣ The EDR Constraint This is exactly why AV/EDR vendors force their core config into the SYSTEM hive (usually under their Service key). During Phase 0, they have no Filesystem and no SOFTWARE hive. They are loaded, but they are operating in a limited standalone capacity. 4⃣ The "Golden Window" Modern EDRs load their Kernel Filters at SERVICE_BOOT_START (Phase 0). But they are mostly passive monitors here—"look but don't touch"—because they lack the Intelligence provided by their User-Mode services (which don't start until Phase 2/Auto-Start). 5⃣ The Kill Chain This creates a fatal architectural flaw. A malicious driver loaded at SERVICE_SYSTEM_START (Phase 1) can execute after the Filesystem is writable but before the EDR's User-Mode "Brain" starts. You can surgically delete the EDR's service binaries from disk while its Kernel Filter is watching, effectively disarming it before it ever fully wakes up. The filter sees the IO, but without its User-Mode backend to provide heuristics or cloud verdict, it defaults to a fail-open state for signed drivers. 💡 TL;DR: Phase 0/1 = No SOFTWARE Hive. EDR Kernel Drivers = Awake but "Brainless." Phase 1 Driver = God Mode for EDR Neutralization. We all learned something today. Apparently, some MS driver devs need to learn it too. 😉 #WindowsInternals #KernelMode #EDR #AV #Infosec #ReverseEngineering #Bypass