Booting windows nt 2000 xp

When you startup a Windows NT, 2000 or XP based machine (which are all based on a similar set of code), the computer is loading and juggling many files in order to load the operating system. This is a basic breakdown of the NT/2000/XP startup process which comes in handy for troubleshooting startup problems.

The following files are loaded during the Windows NT/2000/XP startup process:

• Ntldr
• Boot.ini
• Bootsect.dos (for mutlibooting systems only)
• Ntbootdd.sys (loaded only if SCSI drives exist)
• Ntdetect.com
• Ntoskrnl.exe
• Hal.dll
• The Registry files in systemroot\System32\Config
• The Driver files in systemroot\System32\Drivers

The first part that is loaded is the Ntldr (NT Loader) which is started by the active partitions boot sector. It then changes the processor into protected mode, starts the file system and reads the contents of the boot.ini file. The boot.ini file determines startup options and the boot menu selections such as when you dual boot multiple OS’s.

If you are dual booting and you choose a non NT/2000/XP operation system (ie. Linux) then Bootsect.dos is loaded. If you are running any SCSI devices Ntbootdd.sys is loaded which contains the SCSI boot drivers.

Ntdetect.com gathers data regarding the current hardware configuration and passes this information to Ntldr. If your BIOS is ACPI compliant, Windows will use ACPI to initialize the devices. If the computer has multiple hardware profiles then Windows chooses the correct one based on the current hardware configuration.

The Windows kernel loads. Ntldr passes the information that was collected by Ntdetect.com to Ntoskrnl.exe. Ntoskrnl.exe then loads Windows kernel. Hal.dll (Hardware Extraction Layer) and the systems registry information. An indicator on the bottom of the screen (typically a green bar in XP) indicates the progress of this step.

The Windows drivers load and the user logs on. Networking components load such as TCP/IP along with other services and the Windows logon screen appears. After Windows loads successfully, Windows updates the “Last Known Good Configuration” option which you see when you press F8 during bootup to reflect the current configuration state.

Plug and Play detects and configures new devices found on the PC. If Windows finds new devices they are assigned system resources, Windows extracts the necessary drivers from a file called Driver.cab. If the correct driver file is not found in the Driver.cab archive then the user is prompted to provide them. This step occurs simultaneously with the Windows logon process.

In the event that your Windows computer does fail during bootup, you can press F8 on the screen just before the loading screen appears and choose “Enable Boot Logging” which will create a file called Ntbtlog.txt. This file will record all the events during bootup which can help you determine which part is not loading correctly.

Boot
sequence for Windows NT, 2000, XP and 2003: 

BIOS: performs
Power On Self Test (POST)
BIOS: loads
MBR from the boot device specified/selected by the BIOS

MBR: contains
a small amount of code that reads the partition table, the first partition
marked as active is determined to be the system volume

MBR: loads
the boot sector from the system volume

BOOT
SECTOR: reads the root directory of the system volume at loads
NTLDR

NTLDR: reads
BOOT.INI from the system volume to determine the boot drive (presenting a menu
if more than 1 entry is defined)
NTLDR: loads
and executes NTDETECT.COM from the system volume to perform BIOS hardware
detection
NTLDR: loads
NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot
(Windows) volume
NTLDR: loads
\WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive
HKEY_LOCAL_MACHINE\System
NTLDR: loads
drivers flagged as “boot” defined in the system hive, then passes control to
NTOSKRNL.EXE

NTOSKRNL.EXE: brings
up the loading splash screen and initializes the kernel subsystem
NTOSKRNL.EXE: starts
the boot-start drivers and then loads & starts the system-start drivers
NTOSKRNL.EXE: creates
the Session Manager process (SMSS.EXE)

SMSS.EXE: runs
any programs specified in BootExecute (e.g. AUTOCHK, the native API version of
CHKDSK)
SMSS.EXE: processes
any delayed move/rename operations from hotfixes/service packs replacing in-use
system files
SMSS.EXE: initializes
the paging file(s) and the remaining registry hives
** before this step completes,
bugchecks will not result in a memory dump as we need a working page file on
the boot (Windows) volume **
SMSS.EXE: starts
the kernel-mode portion of the Win32 subsystem (WIN32K.SYS)
SMSS.EXE:
starts the user-mode portion of the Win32 subsystem (CSRSS.EXE)
SMSS.EXE: starts
WINLOGON.EXE

WINLOGON.EXE: starts
the Local Security Authority (LSASS.EXE)
WINLOGON.EXE: loads
the Graphical User Identification and Authentication DLL (MSGINA.DLL by
default)
WINLOGON.EXE: displays
the logon window
WINLOGON.EXE: starts
the services controller (SERVICES.EXE)
** at this point users can
logon **

SERVICES.EXE: starts
all services markes as automatic

———

NOTES:
The SYSTEM volume
is the partition from which the boot process starts, containing the MBR, boot
sector, NTLDR, NTDETECT.COM & BOOT.INI

The BOOT volume is
the partition which contains the Windows folder – this can be a logical
partition

Процесс запуска Windows NT — это процесс инициализации операционных систем Microsoft Windows NT, Windows 2000, Windows XP и Windows Server 2003. В Windows Vista процесс сильно изменён.

Фаза начальной загрузки[]

Шаблон:Details

Фаза начальной загрузки различается в зависимости от аппаратной платформы. Начиная с ранней фазы, не привязанной к ОС, началом процесса загрузки считается:

• Для x86 или x64: когда код сектора загрузочного раздела исполняется в реальном режиме и загружает NTLDR
• Для IA-64: когда исполняется программа IA64ldr.efi EFI (позднее называемая просто как IA64ldr)

От данной точки процесс загрузки продолжает выполнять следующее:

Файл NTLDR, размещенный в корневой папке загрузочного диска, состоит из двух частей. Первая — это модуль StartUp, после которого следует загрузчик ОС (osloader.exe), обе части хранятся в файле NTLDR. При загрузке NTLDR в память управление передается модулю StartUp, при этом центральный процессор работает в реальном режиме. Основная задача StartUp — перевод процессора в защищённый режим, что позволяет использовать 32-разрядную адресацию памяти, а также создать таблицу дескрипторов прерываний, таблицу глобальных дескрипторов, таблицу страниц и включение страничной работы с памятью. Это делается с использованием возможностей основного операционного окружения, на котором установлена операционная система. Затем модуль StartUp загружает и запускает загрузчик ОС.

Загрузчик ОС в NTLDR содержит основные функции для доступа к дискам IDE, отформатированным в файловых системах NTFS, FAT, CDFS (ISO 9660), ETFS или UDFS в новейших версиях операционных систем. Доступ к дискам производится через BIOS посредством встроенной программы ARC на системах с ARC или посредством сети, используя протокол TFTP. Помимо этой точки, все вызовы к BIOS проходят через виртуальный режим 8086, так как из защищённого режима невозможен прямой доступ к BIOS. Если загрузочный диск является SCSI и SCSI-контроллер не использует 13-ое прерывание реального режима, то для получения доступа к диску загружается дополнительный файл Ntbootdd.sys. Он является копией того же драйвера miniport для SCSI, который используется, когда запускается Windows.

Затем загрузчик считывает содержимое файла boot.ini для обнаружения информации о системном томе. Если такой файл отсутствует, то загрузчик пытается обнаружить информацию из стандартного установочного каталога. Для машин под Windows NT это каталог C:\WINNT. Для машин под Windows XP и 2003 загружается из C:\WINDOWS.

В этом месте экран очищается и в Windows 2000 и поздних версиях NTLDR и IA64ldr, которые поддерживают гибернацию системы, корневой каталог тома по умолчанию определён в boot.ini для поиска файла гибернации hiberfil.sys. Если этот файл найден и активная память работает, содержимое файла (который совпадает по размеру с физической памятью в машине) загружается в память и передаёт управление в ядро Windows с точки, с которой гибернация была восстановлена. После этого файл сразу же помечается как неактивный, так что повреждение или другие сбои не могут вызвать это (уже устаревшее) состояние памяти в виде повторной загрузки. Если возвращение состояния не удалось, то в следующий раз NTLDR спросит пользователя, надо ли снова пытаться восстанавливать или отменить обработку файла и произвести обычную загрузку.

Если boot.ini содержит запись более чем об одной операционной системе, то пользователю показывается меню загрузки, позволяющее выбрать, какую именно из операционных систем загружать. Если выбрана операционная система, не основанная на NT, подобно Windows 98, то NTLDR загружает соответствующий файл загрузочного сектора, указанный в списке в boot.ini (по умолчанию это bootsect.dos, если не задано иное имя файла) и контроль над выполнением переходит к нему. Если выбрана операционная система, основанная на NT, NTLDR запускает ntdetect.com, который собирает основную информацию об аппаратном обеспечении компьютера, сообщаемую BIOS‘ом.

В этой точке процесса загрузки NTLDR очищает экран и выводит псевдографический индикатор состояния (который часто не виден под системами XP или 2003 из-за их скорости инициализации); Windows 2000 также показывает текст «Starting Windows…». Если во время этой фазы пользователь нажмёт F8, то показывается расширенное меню загрузки, содержащее различные специальные режимы загрузки, включающие в себя безопасный режим с конфигурацией последней успешной загрузки, с включением отладки и (в случае серверных редакций) режим восстановления служб Директорий.

Загрузка продолжается, как только выбирается один из пунктов или если повторно нажимается F8.

Фаза загрузки ядра[]

1. ntoskrnl.exe (ядро)
2. hal.dll (тип абстрактного уровня аппаратного обеспечения)
3. kdcom.dll (библиотека расширения ядра отладчика аппаратного обеспечения)
4. bootvid.dll (для логотипа Windows и индикатора статуса загрузки)
5. config\system — реестр
   1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
   2. процессы служб в порядке готовности
   3. *HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

Инициализация подсистемы ядра и подсистемы выполнения Windows делается за две фазы.

Во время первой фазы создаются базовые внутренние структуры памяти и инициализируется контроллер прерываний каждого процессора. Инициализируется менеджер памяти, создаются области для файлового кэша системы, страничных и нестраничных опросов памяти. Менеджер объектов^[1] инициализирует токен безопасности для назначения первому процессу системы и менеджер процессов инициализирует сам себя. В этой точке также как системный процесс создаётся System Idle Process.

Второй этап предполагает инициализацию драйверов устройств, которые были определены NTLDR как системные драйверы.

Во время процесса загрузки драйверов устройств в нижней части экрана систем под Windows 2000 виден индикатор статуса; в Windows XP и Windows Server 2003 это было заменено анимированной полоской, которая не отражает реального времени процедуры. До Windows 2000 эта часть процесса загрузки занимала значительно больше времени, потому что драйверы инициализировались последовательно по одному. В Windows XP и Windows Server 2003 все драйверы инициализируются асинхронно.

См. также[]

• Архитектура Windows NT
• NTLDR
• Начальная загрузка компьютера
• Процесс загрузки Windows (Windows startup process)
• Процесс загрузки Vista (Windows Vista startup process)
• Процесс загрузки Linux
• Загрузчик операционной системы
• Мультизагрузка
• Главная загрузочная запись
• POST (аппаратное обеспечение)
• BootVis

Примечания[]

Ссылки[]

• Шаблон:Cite book
• Troubleshooting the Startup Process. Windows XP Resource Kit. Microsoft Technet. Проверено 15 февраля 2006. Архивировано из первоисточника 3 апреля 2012.
• Mark Minasi, John Enck. Troubleshooting NT Boot Failures. Administrator’s Survival Guide: System Management and Security. Windows IT Library. Проверено 15 февраля 2006. Архивировано из первоисточника 3 апреля 2012.
• Microsoft KB Article 244036 on remote installation & booting
• Definition of the RunOnce Keys
• boot.ini switches
• Startup Applications List
• Troubleshooting Windows XP Startup Process
• AnVir Task Manager — утилита для анализа и редактирования программ автозагрузки Windows

Компоненты Microsoft Windows
Основные	Aero • ClearType • Диспетчер рабочего стола • DirectX • Панель задач (Пуск • Область уведомлений) • Проводник (Пространство имён • Специальные папки • Ассоциации файлов) • Windows Search (Smart folders • iFilters) • GDI • WIM • SMB • .NET Framework • XPS • Active Scripting (WSH • VBScript • JScript) • COM (OLE • DCOM • ActiveX • Структурированное хранилище • Сервер транзакций) • Теневая копия • WDDM • UAA • Консоль Win32
Службы управления	Архивация и восстановление • COMMAND.COM • cmd.exe • Средство переноса данных • Просмотр событий • Установщик • netsh.exe • PowerShell • Отчёты о проблемах • rundll32.exe • Программа подготовки системы (Sysprep) • Настройка системы (MSConfig) • Проверка системных файлов • Индекс производительности • Центр обновления • Восстановление системы • Дефрагментация диска • Диспетчер задач • Диспетчер устройств • Консоль управления • Очистка диска • Панель управления (элементы)
Приложения	Контакты • DVD Maker • Факсы и сканирование • Internet Explorer • Журнал • Экранная лупа • Media Center • Проигрыватель Windows Media • Программа совместной работы • Центр устройств Windows Mobile • Центр мобильности • Экранный диктор • Paint • Редактор личных символов • Удалённый помощник • Распознавание речи • WordPad • Блокнот • Боковая панель • Звукозапись • Календарь • Калькулятор • Ножницы • Почта • Таблица символов • Исторические: Movie Maker • NetMeeting • Outlook Express • Диспетчер программ • Диспетчер файлов • Фотоальбом • Windows To Go
Игры	Chess Titans • Mahjong Titans • Purble Place • Пасьянсы (Косынка • Паук • Солитер) • Сапёр • Пинбол • Червы
Ядро ОС	Ntoskrnl.exe • Слой аппаратных абстракций (hal.dll) • Бездействие системы • svchost.exe • Реестр • Службы • Диспетчер управления сервисами • DLL (формат модулей) • PE • NTLDR • Диспетчер загрузки • Программа входа в систему (winlogon.exe) • Консоль восстановления • Windows RE • Windows PE • Защита ядра от изменений
Службы	Autorun.inf • Фоновая интеллектуальная служба передачи • Файловая система стандартного журналирования • Отчёты об ошибках • Планировщик классов мультимедиа • Теневая копия • Планировщик задач • Беспроводная настройка
Файловые системы	ReFS • NTFS (Жёсткая ссылка • Точка соединения • Точка монтирования • Точка повторной обработки • Символьная ссылка • TxF • EFS) • WinFS • FAT • exFAT • CDFS • UDF • DFS • IFS
Сервер	Active Directory • Службы развёртывания • Служба репликации файлов • DNS • Домены • Перенаправление папок • Hyper-V • IIS • Media Services • MSMQ • Защита доступа к сети (NAP) • Службы печати для UNIX • Удалённое разностное сжатие • Службы удаленной установки • Служба управления правами • Перемещаемые профили пользователей • SharePoint • Диспетчер системных ресурсов • Удаленный рабочий стол • WSUS • Групповая политика • Координатор распределённых транзакций
Архитектура	NT • Диспетчер объектов • Пакеты запроса ввода/вывода • Диспетчер транзакций ядра • Диспетчер логических дисков • Диспетчер учетных записей безопасности • Защита ресурсов • lsass.exe • csrss.exe • smss.exe • spoolsv.exe • Запуск
Безопасность	BitLocker • Защитник • Предотвращение выполнения данных • Обязательный контроль целостности • Защищённый канал данных • UAC • UIPI • Брандмауэр • Центр обеспечения безопасности • Защита файлов
Совместимость	Подсистема UNIX (Interix) • Виртуальная машина DOS • Windows on Windows • WOW64

The booting process of Windows NT is the process run to start Windows NT. The process has been changed between releases, with the biggest changes being made with Windows Vista. In versions before Vista, the booting process begins when the BIOS loads the Windows NT bootloader, NTLDR. Starting with Vista, the booting process begins with either the BIOS or UEFI load the Windows Boot Manager, which replaces NTLDR as the bootloader. Next, the bootloader starts the kernel, which starts the session manager, which begins the login process. Once the user is logged in, File Explorer, the graphical user interface used by Windows NT, is started.

History[edit]

Windows Vista introduces a complete overhaul of the Windows operating system loader architecture.^[1][2] The earliest known reference to this revised architecture is included within PowerPoint slides distributed by Microsoft during the Windows Hardware Engineering Conference of 2004 when the operating system was codenamed «Longhorn». This documentation mentions that the Windows operating system loader would be undergoing a significant restructuring in order to support EFI and to «do some major overhaul of legacy code».^[3] The new boot architecture completely replaces the NTLDR architecture used in previous versions of Windows NT.^[2]

Most of the steps that follow the NT kernel being loaded, including kernel initialization and user-space initialization, are kept the same as in earlier NT systems.^[4] Refactoring in Winlogon resulted in GINA being completely replaced by Credential Providers and graphical components in Windows Vista and later.^[5]

BIOS/UEFI[edit]

On systems with a BIOS, the BIOS invokes MBR boot code from a hard disk drive at startup. The MBR boot code and the VBR boot code are OS-specific. In Microsoft Windows, the MBR boot code tries to find an active partition (the MBR is only 512 bytes), then executes the VBR boot code of an active partition. The VBR boot code tries to find and execute NTLDR for Windows XP and earlier, or the Windows Boot Manager for Windows Vista and later, from an active partition.^[6]

On systems with a UEFI, the UEFI invokes bootmgfw.efi from an EFI system partition at startup, starting the Windows Boot Manager.

Boot loader phase[edit]

The Windows NT startup process starts when the computer finds a Windows boot loader, a portion of the Windows operating system responsible for finding Microsoft Windows and starting it up. Prior to Windows Vista, the boot loader was NTLDR. Microsoft has also released operating systems for Intel Itanium processors which use IA-64 architecture. The boot loader of these editions of Windows is IA64ldr.efi (later referred as simply IA64ldr). It is an Extensible Firmware Interface (EFI) program.^[7] Windows Vista and later use the Windows Boot Manager (bootmgr).

Operating system selection[edit]

The boot loader, once executed, searches for Windows operating systems. Windows Boot Manager does so by reading Boot Configuration Data (BCD), a complex firmware-independent database for boot-time configuration data. Its predecessor, NTLDR, does so by reading the simpler boot.ini. If the boot.ini file is missing, the boot loader will attempt to locate information from the standard installation directory. For Windows NT and 2000 machines, it will attempt to boot from C:\WINNT. For machines running Windows XP, 2003, and later, it will boot from C:\WINDOWS.

Both databases may contain a list of installed Microsoft operating systems that may be loaded from the local hard disk drive or a remote computer on the local network. NTLDR supports operating systems installed on disks whose file system is NTFS or FAT file systems, CDFS (ISO 9660) or UDFS.^[8] Windows Boot Manager also supports operating systems installed inside a VHD file, stored on an NTFS disk drive.^[9]

In Windows 2000 or in later versions of Windows in which hibernation is supported, the Windows boot loader starts the search for operating systems by searching for hiberfil.sys. NTLDR looks into the root folder of the default volume specified in boot.ini. Windows Boot Manager looks up the location of hiberfil.sys in BCD. If this file is found and an active memory set is found in it, the boot loader loads the contents of the file (which is a compressed version of a physical memory dump of the machine) into memory and restores the computer to the state that it was in prior to hibernation by running winresume.exe.

Next, the boot loader looks for a list of installed operating system entries. If more than one operating system is installed, the boot loader shows a boot menu and allow the user to select an operating system. If a non NT-based operating system such as Windows 98 is selected (specified by an MS-DOS style of path, e.g. C:\), then the boot loader loads the associated «boot sector» file listed in boot.ini or BCD (by default, this is bootsect.dos if no file name is specified) and passes execution control to it.

Otherwise, the boot process continues. For Windows Vista and after, this is done through a separate program, winload.exe.

Loading the Windows NT kernel[edit]

The operating system starts when certain basic drivers flagged as «Boot» are loaded into memory. The appropriate file system driver for the partition type (NTFS, FAT, or FAT32) which the Windows installation resides in is amongst them. At this point in the boot process, the boot loader clears the screen and displays a textual progress bar (which is often not seen due to the initialization speed); Windows 2000 also displays the text «Starting Windows…» underneath.

If the user presses F8 during this phase, the advanced options menu is displayed, containing various special boot modes including Safe mode, with the Last Known Good Configuration, with debugging enabled, and (in the case of Server editions) Directory Services Restore Mode. Starting with Windows Vista, this menu was changed significantly. Once a boot mode has been selected (or if F8 was never pressed) booting continues.

Hardware information about the computer is gathered by NTDETECT.COM in Windows XP and earlier or by winload.exe in later versions. This information is stored in the HKLM\HARDWARE\DESCRIPTION key in the Windows Registry.

Next the Windows NT kernel (Ntoskrnl.exe), the Hardware Abstraction Layer (hal.dll), kdcom.dll (Kernel Debugger HW Extension DLL), bootvid.dll (the Windows logo and side-scrolling bar), and config\system (one of the registry hives) are loaded.

For Windows XP and earlier, if multiple hardware configurations are defined in the Registry, the user is prompted at this point to choose one.

With the kernel in memory, boot-time device drivers are loaded (but not yet initialized). The required information (along with information on all detected hardware and Windows Services) is stored in the HKEY_LOCAL_MACHINE\SYSTEM portion of the registry, in a set of registry keys collectively called a Control Set. In Windows XP and earlier, multiple control sets are kept, in the event that the settings contained in the currently-used one prohibit the system from booting. HKEY_LOCAL_MACHINE\SYSTEM contains control sets labeled ControlSet001, ControlSet002, etc. Windows uses CurrentControlSet to read and write information, but the key is merely a synthesized link to one of the sets defined by HKLM\System\Select\Control; it does not exist in the Hive file.^[10]

Windows now picks the «real» control set being used based on the values set in the HKEY_LOCAL_MACHINE\SYSTEM\Select registry key:

• Default will be the boot loader’s choice if nothing else overrides it.
• If the value of the Failed key matches Default, then the boot loader displays an error message, indicating that the last boot failed, and gives the user the option to try booting anyway, or to use the «Last Known Good Configuration».
• If the user chooses (or has chosen) Last Known Good Configuration, the control set indicated by the LastKnownGood key is used instead of Default.

When a control set is chosen, the Current key gets set accordingly. The Failed key is also set to the same as Current until the end of the boot process. LastKnownGood is also set to Current if the boot process completes successfully.

Which services are started and the order which each group is started in are provided by the following keys:

• HKLM\SYSTEM\CurrentControlSet\Services
• HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

For the purposes of booting, a driver may be one of the following:

• A «Boot» driver that is loaded by the boot loader prior to starting the kernel. «Boot» drivers are almost exclusively drivers for hard-disk controllers and file systems (ATA, SCSI, file system filter manager, etc.); in other words, they are the absolute minimum that the kernel will need to get started with loading other drivers, and the rest of the operating system.
• A «System» driver which is loaded and started by the kernel after the boot drivers. «System» drivers cover a wider range of core functionality, including the display driver, CD-ROM support, and the TCP/IP stack.
• An «Automatic» driver which is loaded much later when the GUI already has been started.

With this finished, control is then passed from the boot loader to the kernel.

Kernel phase[edit]

The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases.

During the first phase, basic internal memory structures are created, and each CPU’s interrupt controller is initialized. The memory manager is initialized, creating areas for the file system cache, paged and nonpaged pools of memory. The Object Manager,^[11] initial security token for assignment to the first process on the system, and the Process Manager itself. The System idle process as well as the System process are created at this point.

The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers.

Through the process of loading device drivers, a «progress bar» is visible at the bottom of the display on Windows 2000 systems; in Windows XP and Windows Server 2003, this was replaced by an animated bar which does not represent actual progress. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.

Session manager[edit]

Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (smss.exe). The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.^[12]

The Session Manager creates the environment variables located at the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. It also creates additional paging files with configuration data from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.^[13]

The Session Manager Subsystem is then responsible starting the Win32 subsystem. It starts the kernel-mode side of the subsystem implemented by win32k.sys.^[13] Once this is done, Windows is able to switch into graphical mode as there is now enough infrastructure in place. The user-mode side of the subsystem, Client/Server Runtime Subsystem (csrss.exe), is also started.^[13] This makes the Win32 subsystem available to user-mode applications.

The Session Manager Subsystem is also responsible for doing any operations that are requested to be done at the start of a session. Commands listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, such as autochk and convert, are executed. These commands are run before services are loaded by later steps of the booting process.^[13] Any rename operations queued at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. This is used to allow previously in-use files (e.g. drivers) to be replaced as part of a reboot.^[14]

autochk mounts all drives and checks them one at a time to see whether or not they were cleanly unmounted. If autochk determines one or more volumes are dirty, it will automatically run chkdsk and provides the user with a short window to abort the repair process by pressing a key within 10 seconds (introduced in Windows NT 4.0 Service Pack 4; earlier versions would not allow the user to abort chkdsk). Since Windows 2000, XP and 2003 show no text screen at that point (unlike NT 3.1 to 4.0, which displayed a blue text screen), the user will see a different background picture holding a mini-text-screen in the center of the screen and show the progress of chkdsk there.^[15]

Starting with Windows Vista, the Session Manager Subsystem creates a temporary instance of itself that launches the Windows Startup Application (wininit.exe) and a second Client/Server Runtime Subsystem (csrss.exe) for Session 0, a session decided to system processes. From here, the Windows Startup Application starts the Service Control Manager (services.exe), which starts all the Windows services that are set to «Auto-Start» and sets the LastKnownGood to the current control set.^[14] The application also starts the Local Security Authority Subsystem Service (lsass.exe). Before Windows Vista, these processes where started by Windows Logon instead of the Windows Startup Application, which didn’t exist. The dedicated session for system processes also didn’t exist.^[16]

The Session Manager Subsystem now starts Winlogon (Windows Logon Application), which is responsible for handling interactive logons to a Windows system, either local or remote.^[16]

Authentication[edit]

The authentication process is implemented by Winlogon. This program is responsible for responding to the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running.

Winlogon checks if automatic logon is enabled, and if so, logs in to the specified account automatically.^[17] If there is not automatic logon enabled, Winlogon starts the process to allow the user to logon. Before Windows Vista this was done by GINA,^[18] but starting with Vista this is done by LogonUI. If configured, both of these programs display a prompt for the user to enter the Secure Attention Sequence (SAS) (Control-Alt-Delete). They then display the login dialog which prompts the user to enter their credentials. Once the user submits these credentials, they are passed to LSASS and any other additional network credential providers. This allows multiple network providers to authenticate the user at once during normal logon.^[19][18]

LSASS first tries to use cached data in the LSA database, the SECURITY hive of the registry. If there is none, LSASS determines which account protocol is to be used by using the security packages listed in the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa. There are two standard packages, msv1_0.dll, which implements the NTLM protocols, and Kerberos.dll, which provides remote login by using Active Directory. msv1_0.dll is used in stand-alone systems and domain-member systems for backward compatibility. If the user is trying to log into the local host then msv1_0.dll uses the Security Account Manager database located at HKLM/SAM. If the user is trying to log into another host then the NetLogon service is used to carry the data with the following sequence:

msv1_0.dll <-> netlogon <-> remote netlogon <-> remote msv1_0.dll <-> remote SAM

After the user is authenticated, LSASS enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.) and passes control pack to Winlogon. Winlogon creates and opens an interactive windows station, WinSta0,^[20] and creates three desktops, Winlogon, Default and ScreenSaver. Winlogon switches from the Winlogon desktop to the Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. The system switches back to the Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown.^[21] Winlogon now starts the program specified in the Userinit value which defaults to userinit.exe. This value supports multiple executables.^[19]

Shell[edit]

Userinit is the first program that runs with the user credentials. It is responsible to start all the other programs that compose the user shell environment.

The shell program (typically Explorer.exe) is started from the registry entry Shell= pointed to by the same registry entry in key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot; its default value is SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, which evaluates to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.^[22]

Userinit starts by loading the user profile. There are a few types of user profiles and it can be local or remote. This process can be very slow if the user profile is of the «roaming» type. User and Computer Group Policy settings are then applied and user scripts, machine scripts, and proquota.exe are run. Startup programs are started and then the shell configured in registry, which defaults to explorer.exe. Now Userinit exits and the shell program continues running without a parent process.

Userinit runs startup programs from the following locations:^[13]

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)
• %USERPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)

Advanced options[edit]

With the advent of the new boot manager in Windows Vista, many components have been changed; one is the Advanced Boot Options menu that provides options for advanced boot modes (e.g., Safe Mode). Due to the implementation of fast startup in Windows 8 and up, access to the Advanced Boot Options menu has been disabled by default. However, access is still possible with a BCD modification. These are the possible boot modes:

• Repair Your Computer — Boots Windows Recovery Environment (WinRE or Windows RE)
• Safe Mode — Loads Safe Mode, a boot mode with minimal drivers and resources intended for malware removal or replacing faulty drivers.
• Safe Mode with Networking — Loads Safe Mode along with the network drivers.
• Safe Mode with Command Prompt — Loads Safe Mode with the Command Prompt as the shell instead of Windows Explorer. Windows Explorer can still be loaded by typing explorer at the command prompt.
• Enable Boot Logging — Enables writing of ntbtlog.txt, a file that will log the boot process; listing drivers that loaded and drivers that did not.
• Enable low resolution video — Disables the default graphics driver and uses the standard VGA driver. Intended in case the user changed the resolution to an unusable level (i.e. 320×200 at low refresh rates <24 Hz, 60 Hz>)
• Last Known Good Configuration — Loads configuration based on the last successful boot process. Intended for Registry corruptions. This mode is removed in Windows 8 and later versions of Windows.
• Directory Services Restore Mode — Boot mode used to reboot the Domain Controller in case it is not working as intended.
• Debugging Mode — Boots while loading the kernel debugger.
• Disable automatic restart on system failure — Disables the auto-reboot function after a Blue Screen of Death is experienced.
• Disable early launch anti-malware driver — ELAM prechecks boot required drivers for signatures and tampering. Disabling ELAM is intended to allow booting on false positive driver checks but could also allow a tampered driver to load.^[23]
• Disable Driver Signature Enforcement — Disables the kernel setting that prohibits unsigned drivers from loading.
• Start Windows Normally

The ABO menu is accessible by rapidly pressing or holding the F8 key before Windows boots. Starting from Windows 8 on UEFI, it can only be accessed by clicking Restart while holding the Shift key.

Remote booting and installation[edit]

To successfully boot, the client must support PXE booting and the Windows Deployment Services (WDS) component must be installed on the server. It is not installed by default. WDS is the successor of Remote Installation Services (RIS).

The PXE program is found on the BIOS or on a ROM chip on the network card.

PXE booting is not a technology specific to Windows and can also be used to start a Linux system. In fact, a Linux system can act as a server to service DHCP or TFTP.

PXE can be used to start Windows Setup to install the system on the client computer or to run the operating system from RAM. The latter, called Remote Boot, was introduced by Windows XP Embedded SP1^[24] and is only available for this flavor of Windows.^[25]

The general process for both methods is as follows:

• PXE boots
• DHCP request broadcast
• Optionally DHCP router redirects to the server
• The server sends the Network Bootstrap Program (NBP) (PXEboot.com)^[26] through TFTP
• The NBP program downloads the required files through the BINL protocol

The Boot Information Negotiation Layer (BINL) is a Windows 2000 service running on the server that communicates with the client after the NBP was already loaded by the PXE.

See also[edit]

• Architecture of Windows NT
• Windows Setup
  • Booting process of Windows NT Setup before Vista
• Booting process of DOS-based Windows
• Booting process of Linux
• Master boot record
• Power-on self-test
• BootVis

References[edit]

Further reading[edit]

External links[edit]

• Startup Applications List
• How to edit SETUPAPI.DLL Archived January 6, 2019, at the Wayback Machine

[ Embedded in DMADMIN.EXE,
SPCMDCON.SYS or various other
System files; see Introduction ]

Web Presentation and Text are
Copyright©2003, 2007 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !

This page examines the Windows™ 2000 MBR code introduced in
1999 when Microsoft finally released what was supposed to be version 5.0 of their NT OS; which was still being called
NT4. Instead, they renamed it to Windows™ 2000; most likely an effort to refocus customer recognition once again on their more
solid Windows™ trademark rather than the «New Technology» (NT) name.

This MBR code is installed on blank hard drives when Disk
Management is used by a Windows™ 2000, XP or 2003 OS. [When
dealing with Dynamic Disks, the partition type is set to 42h and the data in the
Partition Table may become useless!]

Note: Like all other code presented in this series, this MBR code could still be used
to boot any OS on an x86 PC if it meets the conditions listed here*.

 Absolute Sector 0 (Cylinder 0, Head 0, Sector 1)

        0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0000  33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C  3.....|.P.P....|
 0010  BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04  ...PW...........
 0020  38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5  8n.|.u..........
 0030  83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B  ...It.8,t.......
 0040  F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88  ..<.t...........
 0050  4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B  N..F.s*.F..~..t.
 0060  80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83  .~..t....u..F...
 0070  46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB  F...V...!.s.....
 0080  BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0  ..>.}U.t..~..t..
 0090  B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56  .......W.......V
 00A0  00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC  .....r#..$?.....
 00B0  43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56  C..........B..9V
 00C0  0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C  .w#r.9F.s......|
 00D0  8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A  .N..V...sQOtN2..
 00E0  56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD  V......V.`..U.A.
 00F0  13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60  .r6..U.u0...t+a`
 0100  6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A  j.j..v..v.j.h.|j
 0110  01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B  .j..B....aas.Ot.
 0120  32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 49 6E 76 61  2..V.....a..Inva
 0130  6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61  lid partition ta
 0140  62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E  ble.Error loadin
 0150  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74  g operating syst
 0160  65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61  em.Missing opera
 0170  74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00  ting system.....
 0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01B0  00 00 00 00 00 2C 44 63 A8 E1 A8 E1 00 00 80 01  .....,Dc........
 01C0  01 00 07 7F BF FD 3F 00 00 00 C1 40 5E 00 00 00  ......?....@^...
 01D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
        0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F