Windows 8.1 gives malicious code the boot(s)

Windows 8.1 includes a variety of security controls designed to guard against malware compromise during the boot process.


Windows boot process

The Windows operating system has a number of security controls, and most users have some sort of anti-malware security suite installed on their Windows PC -- but those things can’t protect you until the operating system is up and running. There are threats out there that can compromise a system during the boot process, before the Windows defenses are enabled. Microsoft recognized this threat and developed additional protections during the boot process.

There are three different boot protections, and which ones work on your system depends on the hardware you have in place. Let’s examine the different boot security controls and how they work, so you can understand what protection you have in place during the boot process on your PC.

Trusted Boot

The primary boot process security control is called Trusted Boot. It monitors the boot process and guards against malicious code trying to hide or execute. If malware is able to load before the Windows security controls and anti-malware tools are active, it can hide from those tools or compromise their ability to detect threats.

Trusted Boot makes sure that the Windows components that are loaded during the boot process have not been altered or tampered with by malware and that anti-malware software is loaded ahead of any third-party applications or device drivers. In the event that malware is successfully loaded during the boot process, Trusted Boot attempts to automatically remediate the issue and remove the threat.

Measured Boot

This feature complements Trusted Boot and provides third-party verification and attestation that the boot process is secure. Measured Boot only works on systems with a Trusted Platform Module (TPM). Measured Boot takes measurements of each phase of the boot process, and it signs and securely stores the data in the TPM.

The measurements can also be used as an additional layer of defense. The data can be sent to a Remote Attestation Service that compares the measurements against known good values and validates that the boot process is secure. The Remote Attestation Service can issue a Device Claim, certifying the PC as secure, and that Device Claim (or lack thereof) can be used to control access to the network.
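The measurement-and-attestation flow described above, as an added simulation that is not code from the article or from Windows: each boot phase is hashed into a register the way a TPM extends a PCR, and a simulated attestation service replays the event log and compares the result against known-good values before issuing a Device Claim. The boot components, phase names and the absence of the TPM's quote signature are assumptions made for the example.

```python
import hashlib
from typing import List, Tuple

# Constructed boot phases (not real Windows binaries): name, component bytes.
GOOD_BOOT: List[Tuple[str, bytes]] = [
    ("firmware", b"UEFI firmware (constructed sample)"),
    ("bootmgr", b"Windows Boot Manager (constructed sample)"),
    ("winload", b"Windows OS loader (constructed sample)"),
    ("elam", b"Early Launch Anti-Malware driver (constructed sample)"),
]

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component)).
    Extends are one-way, so malware that loads later cannot roll the register
    back to a clean value; it can only extend it further."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(phases: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulated Measured Boot: extend one register per phase and keep an
    event log of (phase, component digest) alongside the final PCR value."""
    pcr = bytes(32)  # registers are zeroed at power-on
    log: List[Tuple[str, str]] = []
    for name, component in phases:
        pcr = extend(pcr, component)
        log.append((name, hashlib.sha256(component).hexdigest()))
    return pcr, log

def attest(pcr: bytes, log: List[Tuple[str, str]], known_good_pcr: bytes) -> Tuple[bool, str]:
    """Simulated Remote Attestation Service. Replays the event log to confirm it
    matches the reported register, then compares the register to the known-good
    value. Returns (device_claim_issued, reason)."""
    replayed = bytes(32)
    for _, digest in log:
        replayed = hashlib.sha256(replayed + bytes.fromhex(digest)).digest()
    if replayed != pcr:
        return False, "event log does not match reported PCR"
    if pcr != known_good_pcr:
        return False, "boot measurements differ from known-good values"
    return True, "device claim issued"

# Known-good value an administrator would record from a trusted reference boot.
KNOWN_GOOD_PCR, _ = measure_boot(GOOD_BOOT)

if __name__ == "__main__":
    pcr, log = measure_boot(GOOD_BOOT)
    print("clean boot:", attest(pcr, log, KNOWN_GOOD_PCR))
    tampered = [(n, b"bootkit-patched loader") if n == "winload" else (n, c) for n, c in GOOD_BOOT]
    pcr, log = measure_boot(tampered)
    print("tampered loader:", attest(pcr, log, KNOWN_GOOD_PCR))
```

The second run shows why the TPM matters: a modified loader changes the register, and presenting a clean-looking log with a tampered register fails the replay check instead of earning a Device Claim.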

Secure Boot

Secure Boot takes Trusted Boot to the next level on Windows 8 certified systems, which include the Unified Extensible Firmware Interface (UEFI). It prevents rootkits and other malware from loading during the boot process, because only authorized code signed with a recognized certificate is allowed to execute.

If you want to boot an unsigned or unrecognized operating system on a Windows 8 certified PC -- either standalone or in a dual-boot configuration -- you can disable the UEFI Secure Boot option. With Secure Boot disabled, the boot process is less secure.


To sum up your options, Trusted Boot works on systems even without a TPM or UEFI. Measured Boot and Attestation of boot measurements are only possible on systems that have a TPM to securely store the signed measurement data. Secure Boot requires hardware that supports UEFI.

No matter what boot protection you use, the bottom line is that Microsoft has taken steps to secure the boot process and ensure that malicious code is not able to run during boot-up, before the operating system and security software are active to defend against it.

What boot protection do you have on your Windows 8.1 machine(s)? Has it ever failed to protect your system from malware? Share your experience in the discussion thread below.



By Tony Bradley

Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology and information security. He writes regularly for Forbes and PCWorld, and contributes to a wide variety of online and print media outlets. He...