I thought that only ntoskrnl could load a driver?
I was conforted in that idea by the fact that the system registry hive is also a plain file as indeed this hive contains the list of drivers to be loaded by ntoskrnl.
So I would bet on between 4 and 5 in your previous post
Yep , but the at least in my previous post may mean that *something* needs to be passed (as a parameter or *whatever* ) to ntoskrnl (or to the earlier loaded winload.exe) to "tell it" to load the WOF.SYS driver first.
If you prefer, IF there is the need of a "special request" to load the WOF.SYS driver, then it is to be seen if the request is originated (and later passed on) :
a. between 2 and 3,
b. between 3 and 4
c. between 4 and 5
As said, doing the BOOTMGR replacement experiment may give some further hints about what is happening....
If we can exclude a "particular" BOOTMGR version from the equation (and hopefully exclude also the winload.exe in a later similar experiment) supporting earlier OS version should be more likely to happen...