Security → something trying to change ntoskrnl.exe

Hi Danny,
Do not even worry about sending your ntoskrnl.exe to anyone..enough people have posted in this thread to make it time for you to understand what happens to your PC when you turn it on with XP installed. and to tie it in with the NT Loader...the NT OS Kernel..the Hal ..etc.

The change in your ntoskrnl.exe in normal the way Sygate Professional looks at it..:)

There are many reasons for it to change..it is not infected.

Startup Phases for x86-based Systems

The Windows XP Professional startup process closely resembles that of Microsoft® Windows NT® version 4.0 and Microsoft® Windows® 2000, but significantly differs from Microsoft® MS-DOS®, Microsoft® Windows® 95, Microsoft® Windows® 98, and Microsoft® Windows® Millennium Edition (Windows Me).

All computers running Windows XP Professional share the same startup sequence:

Power-on self test (POST) phase
Initial startup phase
Boot loader phase
Detect and configure hardware phase
Kernel loading phase
Logon phase

The preceding startup sequence applies to systems started or restarted after a normal shutdown, and does not apply when you bring your computer out of hibernation or standby. See "Resolving Power Management Problems on x86-based Systems" later in this chapter for more information about problems that might occur when you bring your computer out of standby or hibernation.

For Windows XP Professional to start, the system and boot partitions must contain the files listed in Table 28.1.

Table 28.1 Windows XP Professional x86-based Startup Files

File Name Disk Location Description
Ntldr Root of the system partition The operating system loader.
Boot.ini Root of the system partition A file that specifies the paths to Windows XP Professional installations. For multiple-boot systems, Boot.ini contains the operating system choices that display on the startup menu.
Bootsect.dos (multiple-boot systems only) Root of the system partition A hidden system file that Ntldr loads for a Windows XP Professional multiple-boot configuration that includes MS-DOS, Windows 95, Windows 98, or Windows Me. Bootsect.dos contains the boot sector for these operating systems.
Ntdetect.com Root of the system partition The file that passes information about the hardware configuration to Ntldr.
Ntbootdd.sys Root of the system partition (required for SCSI or Advanced Technology Attachment (ATA) controllers with firmware disabled or that do not support extended INT-13 calls). The device driver used to access devices attached to a SCSI or ATA hard disk whose adapter is not using BIOS. The contents of this file depend on the startup controller used.
Ntoskrnl.exe systemroot\System32 The core (also called the kernel) of the Windows XP Professional operating system. Code that runs as part of the kernel does so in privileged processor mode and has direct access to system data and hardware.
During installation on single processor systems, Windows XP Professional Setup copies Ntoskrnl.exe from the operating system CD . During installation on multi-processor systems, Windows XP Professional Setup copies Ntoskrnlmp.exe and renames it Ntoskrnl.exe.

Hal.dll systemroot\System32 The Hardware abstraction layer (HAL) dynamic-link library file. The HAL abstracts low-level hardware details from the operating system and provides a common programming interface to devices of the same type (such as video adapters).
The Microsoft® Windows® XP Professional operating system CD contains several Hal files. Setup copies to your computer the file that fits your hardware configuration and then renames the file as Hal.dll.

System registry file systemroot\System32\Config\System The registry file that contains the data used to create the registry key HKEY_LOCAL_MACHINE\SYSTEM. This key contains information that the operating system requires to start devices and system services.
Device drivers systemroot\System32\Drivers Driver files for hardware devices, such as keyboard, mouse, and video.

Note

Windows NT 4.0, Windows 2000, and Windows XP Professional define the "system" and "boot" partitions differently from other operating systems. The system volume contains files that are needed to start Windows XP Professional, such as the Windows loader (Ntldr). The boot volume contains Windows XP Professional operating system files and folders such as systemroot and systemroot\System32. In x86-based computers, the boot volume can be, but does not have to be, the same volume as the system volume.
In Table 28.1, the term systemroot is one of many environment variables used to associate string values, such as folder or file paths, to variables that Windows XP Professional applications and services use. For example, by using environment variables, scripts can run without modification on computers that have different configurations. To obtain a list of environment variables that you can use for troubleshooting, type set at the command line.

For more information about environment variables, see "To add or change the values of environment variables" in Windows XP Professional Help and Support Center. For more information about system files, see "System Files Reference" in this book.

Kernel Loading Phase

Ntldr is responsible for loading the Windows kernel (Ntoskrnl.exe) and the hardware abstraction layer (HAL) into memory. The Hal.dll file that your computer uses can vary. During installation, Windows XP Professional Setup copies one of several HAL files (see Table 28.2 for a list of these files) and renames the file Hal.dll.

Together, the kernel and the HAL initialize a group of software components that are called the Windows executive. The Windows executive processes the configuration information stored in registry control sets, and starts services and drivers.

Ntldr uses the control set identified by the Default value unless you choose the Last Known Good Configuration from the Windows Advanced Options menu.

The kernel uses the internal data structures provided by Ntldr to create the HKEY_LOCAL_MACHINE\HARDWARE key, which contains the hardware data collected at system startup. The data includes information about various hardware components and system resources allocated to each device. You can monitor the kernel load process by viewing the Starting up progress indicator that appears during startup. For more information about Last Known Good Configuration, see "Tools for Troubleshooting" in this book.

Windows XP Professional supports an extensive set of devices. New or updated drivers that are not on the Windows XP Professional operating system CD are provided by hardware manufacturers. Drivers are kernel-mode components required by devices to function within an operating system. Services are components that support operating system functions and applications. Services can run in a different context than user applications and typically do not offer many user-configurable options. Services, such as the Print Spooler, do not require a user to be logged on to run and act independently of the user who is logged on to the system. Windows XP Professional driver and service files are typically stored in the systemroot\System32 and systemroot\System32\Drivers folders and use .exe, .sys, or .dll file name extensions.

Drivers are also services. Therefore, during kernel initialization, Ntldr and Ntoskrnl.exe use the information stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename registry subkeys to determine both the drivers and services to load. For example, Ntldr searches the Services subkey for drivers with a Start value of 0, such as hard disk controllers. After Ntldr starts Ntoskrnl.exe, an Ntoskrnl.exe component searches for and starts drivers, such as network protocols, that have a Start value of 1.

Some drivers and services require that certain dependencies be met before they start. You can find dependencies listed under the DependOnGroup and DependOnService entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename subkey for each service or driver. For more information about using dependencies to prevent or delay a driver or service from starting, see "Temporarily Disabling Services" later in this chapter. The Services subkey also contains information that affects how drivers and services are loaded, a few of which are listed in Table 28.5.

Session Manager
After all entries that have Boot and Startup data types are processed, the kernel starts Session Manager. Session Manager (Smss.exe) performs important initialization functions, such as:

Creating system environment variables.
Starting the kernel-mode portion of the Windows subsystem (implemented by systemroot\System32\Win32k.sys), which causes Windows XP Professional to switch from text mode to graphics mode. Windows-based applications run in the Windows subsystem. This environment allows applications to access operating system functions, such as displaying information to the screen.
Starting the user-mode portion of the Windows subsystem (implemented by systemroot\System32\Csrss.exe).
Starting the Logon Manager (systemroot\System32\Winlogon.exe).
Creating additional virtual memory paging files.
Performing delayed rename operations for files listed in the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. For example, you might be prompted to restart the computer after installing a new driver or application so that Windows XP Professional can replace the file in use.
The Windows subsystem and the applications that run within it are user mode processes; they do not have direct access to hardware or device drivers. User-mode processes run at a lower priority than kernel-mode processes. When the operating system needs more memory, it can page to disk the memory that is used by user-mode processes. For more information about user-mode and kernel-mode components, see "Common Stop Messages for Troubleshooting" in this book.

Session Manager searches the registry for service information that is contained in the following subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager contains a list of commands to run before loading services. The Autochk.exe tool is specified by the value of the BootExecute entry and virtual memory (paging file) settings stored in the Memory Management subkey. Autochk, which is a version of the Chkdsk tool, runs at startup if the operating system detects a file system problem that requires repair before completing the startup process. For more information about Autochk and Chkdsk, see "Troubleshooting Disks and File Systems" in this book.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems contains a list of available subsystems. For example, Csrss.exe contains the user-mode portion of the Windows subsystem.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename. The Service Control Manager initializes services that the Start entry designates as Auto-load.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmc_str_reii.asp