Windows NT startup process


Windows NT startup process

The Windows NT startup process is the process by which Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 operating systems initialize. In Windows Vista and later, this process has changed slightly; see Windows Vista startup process.

Contents

Boot loader phase

Windows NT startup process starts when the computer finds a Windows boot loader, a portion of Windows operating system responsible for finding Microsoft Windows and starting it up. On IA-32 or x64 systems, the boot loader is called Windows Boot Manager (BOOTMGR). Prior to Windows Vista however, the boot loader was NTLDR. Microsoft has also released operating systems for Intel Itanium processors which use IA-64 architecture. The boot loader of these editions of Windows is IA64ldr.efi (later referred as simply IA64ldr). It is an Extensible Firmware Interface (EFI) program.[1]

Operating system selection

The boot loader, once executed, searches for a Windows operating system. Windows Boot Manager does so by reading Boot Configuration Data (BCD), a complex firmware-independent database for boot-time configuration data. Its predecessor, NTLDR, does so by reading the simpler boot.ini. If the boot.ini file is missing, the boot loader will attempt to locate information from the standard installation directory. For Windows NT and 2000 machines, it will attempt to boot from C:\WINNT. For Windows XP and 2003 machines, it will boot from C:\WINDOWS.

Both databases may contain a list of installed Microsoft operating systems that may be loaded from the local hard disk drive or a remote computer on the local network. NTLDR supports operating systems installed on disks whose file system is NTFS or FAT file systems, CDFS (ISO 9660) or UDFS.[2] Windows Boot Manager also supports operating systems installed inside a VHD file, stored on an NTFS disk drive.[3]

In the Windows 2000 or in later versions of Windows which hibernation is supported, the Windows boot loader starts the search for operating systems by searching for hiberfil.sys. NTLDR looks into the root folder of the default volume specified in boot.ini. Windows Boot Manager looks up the location of hiberfil.sys in BCD. If this file is found and an active memory set is found in it, the boot loader loads the contents of the file (which will match the amount of physical memory in the machine) into memory and restores the computer to the state that the was prior to hibernation.

Next, the boot loader looks for a list of installed operating system entries. If more than one operating system is installed, the boot loader shows a boot menu and allow the user to select an operating system. If a non NT-based operating system such as Windows 98 is selected (specified by an MS-DOS style of path, e.g. C:\), then the boot loader loads the associated "boot sector" file listed in boot.ini or BCD (by default, this is bootsect.dos if no file name is specified) and passes execution control to it. Otherwise, the boot process continues.

Loading Windows NT kernel

The operating system starts when certain basic drivers flagged as "Boot" are loaded into memory. The appropriate file system driver for the partition type (NTFS, FAT, or FAT32) which the Windows installation resides are amongst them. At this point in the boot process, the boot loader clears the screen and displays a textual progress bar, (which is often not seen due to the initialization speed); Windows 2000 also displays the text "Starting Windows..." underneath. If the user presses F8 during this phase, the advanced boot menu is displayed, containing various special boot modes including Safe mode, with the Last Known Good Configuration, with debugging enabled, and (in the case of Server editions) Directory Services Restore Mode. Once a boot mode has been selected (or if F8 was never pressed) booting continues.

Next, the Windows NT kernel (Ntoskrnl.exe) and the Hardware Abstraction Layer (hal.dll) are loaded into memory. If multiple hardware configurations are defined in the Windows Registry, the user is prompted at this point to choose one.

With the kernel in memory, boot-time device drivers are loaded (but not yet initialized). The required information (along with information on all detected hardware and Windows Services) is stored in the HKEY_LOCAL_MACHINE\System portion of the registry, in a set of registry keys collectively called a Control Set. Multiple control sets (typically two) are kept, in the event that the settings contained in the currently-used one prohibit the system from booting. HKEY_LOCAL_MACHINE\System contains control sets labeled ControlSet001, ControlSet002, etc., as well as CurrentControlSet. During regular operation, Windows uses CurrentControlSet to read and write information. CurrentControlSet is a reference to one of the control sets stored in the registry. Windows picks the "real" control set being used based on the values set in the HKLM\SYSTEM\Select registry key:

  • Default will be the boot loader's choice if nothing else overrides this
  • If the value of the Failed key matches Default, then the boot loader displays an error message, indicating that the last boot failed, and gives the user the option to try booting anyway, or to use the "Last Known Good Configuration".
  • If the user choose (or has chosen) Last Known Good Configuration, the control set indicated by the LastKnownGood key is used instead of Default.

When a control set is chosen, the Current key gets set accordingly. The Failed key is also set to the same as Current until the end of the boot process. LastKnownGood is also set to Current if the boot process completes successfully.

For the purposes of booting, a driver may be one of the following:

  1. A "Boot" driver that is loaded by the boot loader prior to starting the kernel. "Boot" drivers are almost exclusively drivers for hard-disk controllers and file systems (ATA, SCSI, file system filter manager, etc.); in other words, they are the absolute minimum that the kernel will need to get started with loading other drivers, and the rest of the operating system.
  2. A "System" driver which is loaded and started by the kernel after the boot drivers. "System" drivers cover a wider range of core functionality, including the display driver, CD-ROM support, and the TCP/IP stack.
  3. An "Automatic" driver which is loaded much later when the GUI already has been started.

With this finished, control is then passed from the boot loader to the kernel. At this time, Windows NT 4.0 shows number of CPUs and the amount of memory installed on a screen with blue background, whilst Windows 2000 and later show a graphical boot screen unless boot loader configurations specify otherwise.

Kernel loading phase

  1. ntoskrnl.exe (the kernel)
  2. hal.dll (type of hardware abstraction layer)
  3. kdcom.dll (Kernel Debugger HW Extension DLL)
  4. bootvid.dll (for the windows logo and side-scrolling bar)
  5. config\system registry
    1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    2. Process services in the order provided
    3. *HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases.

During the first phase, basic internal memory structures are created, and each CPU's interrupt controller is initialized. The memory manager is initialized, creating areas for the file system cache, paged and non-paged pools of memory. The Object Manager,[4] initial security token for assignment to the first process on the system, and the Process Manager itself. The System idle process as well as the System process are created at this point.

The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers.

Through the process of loading device drivers, a "progress bar" is visible at the bottom of the display on Windows 2000 systems; in Windows XP and Windows Server 2003, this was replaced by an animated bar which does not represent actual progress. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.

Session Manager

Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (smss.exe).

Before any files are opened, Autochk [1] is started by smss.exe. Autochk mounts all drives and checks them one at a time whether they were not shut down cleanly before. In that case it will automatically run chkdsk, however just before the user can abort this process by pressing any key within 10 seconds (this was implemented in Windows NT 4.0 Service Pack 4, in earlier versions you could not skip chkdsk). Since Windows 2000, XP and 2003 show no text screen at that point (unlike NT, which still shows the blue text screen), they will show a different background picture holding a mini-text-screen in the center of the screen and show the progress of chkdsk there.

At boot time, the Session Manager Subsystem :

  • Creates environment variables (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment)
  • Starts the kernel-mode side of the Win32 subsystem (win32k.sys). This allows Windows to switch into graphical mode as there is now enough infrastructure in place.
  • Starts the user-mode side of the Win32 subsystem, the Client/Server Runtime Server Subsystem (csrss.exe). This makes Win32 available to user-mode applications.
  • Creates virtual memory paging files (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management)
  • Performs any rename operations that are queued up. This allows previously in-use files (e.g. drivers) to be replaced as part of a reboot.
  • Starts the Windows Logon Manager (winlogon.exe). Winlogon is responsible for handling interactive logons to a Windows system (local or remote). The Graphical Identification aNd Authentication (GINA) library is loaded inside the Winlogon process, and provides support for logging in as a local or Windows domain user.

The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.

Winlogon

"Begin logon" dialog box in Windows XP.

Winlogon starts the Local Security Authority Subsystem Service (LSASS) and Service Control Manager (SCM), which in turn will start all the Windows services that are set to Auto-Start [2]. It is also responsible for responding to the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running.

The logon process is as follows:

  • Winlogon calls GINA
  • (Optional) Logon prompt is displayed by GINA, and the user presses the secure attention sequence (Control-Alt-Delete)
  • Logon dialog is displayed by GINA
  • User enters credentials (username, password, and domain)
  • GINA passes credentials back to Winlogon
  • Winlogon passes credentials to LSASS, which determines which account database is to be used:
  • LSASS enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.).

After a user has successfully logged in to the machine, Winlogon does the following:

  • Updates the Control Sets; the LastKnownGood control set is updated to reflect the current control set.
  • User and Computer Group Policy settings are applied.
  • Starts the shell program (typically Explorer.exe) from the registry entry Shell= pointed to by the same registry entry in key

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot [3]; its default value is SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, which evaluates to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

  • Startup programs are run from the following locations [4]:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows before Vista)
    • %USERPROFILE%\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows before Vista)

At some point after calling GINA, the registry is checked for a string named 'autoadminlogon' and if it exists user credentials can be pulled from the registry and automatically inserted into the GINA.

    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon

Winlogon's responsibilities have changed significantly from the above in Windows Vista.

Remote booting & installation

  • The Boot Information Negotiation Layer (BINL) is a Windows 2000 service that makes it possible for installation to be done on computers that are able to remotely boot.

See also

References

Further reading

  1. Russinovich, Mark; Solomon, David A. (2005). "Startup and Shutdown". Microsoft Windows Internals (4th edition ed.). Microsoft Press. pp. 251–273. ISBN 0-7356-1917-4. 
  2. "Troubleshooting the Startup Process". Windows XP Resource Kit. Microsoft Technet. November 3, 2005. http://technet.microsoft.com/en-us/library/bb457123.aspx. Retrieved October 24, 2011. 
  3. Minasi, Mark; Enck, John (June 1998). "Troubleshooting NT Boot Failures". Administrator's Survival Guide: System Management and Security. Windows IT Library. ISBN 188241988X. http://www.left-brain.com/article/book/administrators-survival-guide-system-management-and-s. Retrieved February 15, 2006. [dead link]
  4. "Description of PXE Interaction Among PXE Client, DHCP, and RIS Server (Revision 2.4)". Microsoft Support. Microsoft Corporation. February 28, 2007. http://support.microsoft.com/kb/244036/. Retrieved October 24, 2011. 
  5. "Definition of the RunOnce Keys in the Registry (revision 2.3)". Microsoft Support. Microsoft Corporation. January 19, 2007. http://support.microsoft.com/kb/137367. Retrieved October 24, 2011. 
  6. "Available switch options for the Windows XP and the Windows Server 2003 Boot.ini files (revision 6.3)". Microsoft Support. Microsoft Corporation. November 28, 2007. http://support.microsoft.com/kb/833721. Retrieved October 24, 2011. 

External links


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Windows Vista startup process — This refers to the boot components for Windows Vista and Windows Server 2008. The Windows Vista startup process is the process by which Microsoft s Windows Vista operating system initializes. Quick Overview Bios > Master Boot Record > Boot Sector …   Wikipedia

  • Windows startup process — The Windows Startup Process is the process by which Microsoft s Windows series of operating systems initializes. DOS based Windows In Windows 3.x and 95/98/ME, the boot loader phase is handled by MS DOS. During the boot phase, the Autoexec.bat… …   Wikipedia

  • Linux startup process — The Linux startup process is the process by which Linux based operating systems initialize. It is in many ways similar to the BSD and other Unix style boot processes, from which it derives.Overview of typical processIn Linux, the flow of control… …   Wikipedia

  • Windows Recovery Environment — (WinRE) is a set of tools included in the Windows Vista and Windows Server 2008 operating systems to help diagnose and recover from serious errors which may be preventing Windows from booting successfully. WinRE may be installed to the hard disk… …   Wikipedia

  • Windows library files — Like most modern operating systems, Microsoft Windows supports shared libraries, collections of code which can be used by multiple processes while only being loaded once into memory. Windows terms its shared libraries Dynamic link libraries (DLL… …   Wikipedia

  • Windows NT — Not to be confused with Windows NT 4.0. Windows NT Company / developer Microsoft Programmed in C, C++ and Assembly language …   Wikipedia

  • Windows Defender — A component of Microsoft Windows Windows Defender in Windows 7 …   Wikipedia

  • Windows Me — Part of the Microsoft Windows family …   Wikipedia

  • Windows 9x — Windows 4.x redirects here. For the operating system in the NT family, see Windows NT 4.0. Windows 9x Screenshot of Windows 95, the first version of Windows in the 9x series Company / developer …   Wikipedia

  • Windows 98 — Part of the Microsoft Windows family …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.