Native Executables (Windows)

From ConShell

A Native Executable is an application that runs during Windows startup on NT-based operating systems, before the Win32 subsystem starts. It gets its name from the fact that it runs in the "Native" subsystem, as device drivers do. Unfortunately, these days the term Native Executable carries the connotation of an executable compiled to machine code, as opposed to Java or .NET bytecode, which makes it hard to find information on Native Executables by googling.

Examples of Native Executables

  • chkdsk: When chkdsk runs at startup, it is actually the executable autochk.exe that is running. The need for this is obvious. First, it is impossible to unmount the boot volume while Windows is loaded. Second, if the OS was shut down improperly, you need to scan the hard drive before loading the whole OS.
  • UltraDefrag: UltraDefrag is an excellent defragmentation utility written by Dmitri Arkhangelski. It has a boot-time defragmentation mode that works via a native executable. The code is clearly written and serves as a good example of a real-world native executable.

How to develop Native Executables

Native Executables can be developed with the Microsoft Windows Driver Development Kit (DDK). The process was originally undocumented, but thankfully Mark Russinovich explained how to build a native application in a Sysinternals article.

Debugging Native Executables

Like device drivers, Native Executables can emit messages via the DbgPrint() system call. These messages can be seen by a kernel debugger and are the equivalent of the Win32 API call OutputDebugString(). However, since a Native Executable executes at startup, you cannot attach an interactive debugger to it.

Two tools that can capture these messages are Mark Russinovich's DebugView and Alter's DbgPrintLog. Both have startup options to load their kernel drivers at boot time and store the messages in a buffer, where the application can read them once the Win32 subsystem starts up.

Running a Native Executable

TODO: Finish this section

The registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager and the value is BootExecute. It is a multi-string (REG_MULTI_SZ) value, with one line per executable.
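Because BootExecute runs programs before the Win32 subsystem exists, it is also one of the autostart locations worth auditing on a machine you are responsible for. The following PowerShell script is an added example, not part of the original page: it reads the BootExecute value described above, resolves each line to its image under %SystemRoot%\System32, checks whether that image exists and is signed, and flags any line beyond the stock autochk entry. The baseline list, the key-path variable and the function names are this example's own choices; treating the leading word "autocheck" as a keyword rather than an image name is inferred from the stock line, since the page notes that boot-time chkdsk is really autochk.exe.

```powershell
# Added example (not from the ConShell page): audit the Session Manager
# BootExecute value and report anything beyond the stock "autocheck autochk *"
# line. Assumes Windows PowerShell 5.1 or later with read access to HKLM.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$KnownEntries      = @('autocheck autochk *')   # assumed baseline: the only entry on a clean install

function Get-BootExecuteEntries {
    param([string]$KeyPath = $SessionManagerKey)

    # BootExecute is REG_MULTI_SZ; PowerShell surfaces it as string[], one element per line.
    $props = Get-ItemProperty -Path $KeyPath -Name 'BootExecute' -ErrorAction Stop
    return @($props.BootExecute | Where-Object { $_.Trim() -ne '' })
}

function Resolve-BootExecuteImage {
    param([string]$Entry)

    # Each line is "<image> [arguments]". The image is looked up under
    # %SystemRoot%\System32 and is normally written without ".exe".
    # Assumption: a leading "autocheck" is a keyword, not an image, so in the
    # stock "autocheck autochk *" line the image is the second token (autochk.exe).
    $tokens = $Entry.Trim() -split '\s+'
    $name = if ($tokens[0] -ieq 'autocheck' -and $tokens.Count -gt 1) { $tokens[1] } else { $tokens[0] }
    if ($name -notmatch '\.exe$') { $name = "$name.exe" }
    return Join-Path $env:SystemRoot "System32\$name"
}

function Test-BootExecuteEntries {
    param([string[]]$Entries, [string[]]$Known = $KnownEntries)

    foreach ($entry in $Entries) {
        $image  = Resolve-BootExecuteImage -Entry $entry
        $exists = Test-Path -LiteralPath $image
        [pscustomobject]@{
            Entry       = $entry
            Image       = $image
            IsBaseline  = ($Known -contains $entry.Trim())
            ImageExists = $exists
            # Status is Valid for a correctly signed binary, NotSigned or HashMismatch otherwise.
            Signature   = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'missing' }
        }
    }
}

$report = @(Test-BootExecuteEntries -Entries (Get-BootExecuteEntries))
$report | Format-Table -AutoSize

# Anything outside the baseline deserves a closer look: it launches before any
# user-mode monitoring that depends on the Win32 subsystem is running.
$unexpected = @($report | Where-Object { -not $_.IsBaseline })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} BootExecute line(s) outside the baseline: {1}" -f $unexpected.Count, ($unexpected.Entry -join '; '))
}
```

Run it from an elevated prompt if the key's ACL restricts reading. When you do register your own native executable, append a new line to the existing multi-string value rather than replacing it, so the autochk line survives; an entry whose image is missing from System32 or whose signature status is not Valid is the first thing to investigate on an audited machine.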