Windows NT Startup Process




This article describes the startup process of the Windows NT line up to Windows XP and Windows Server 2003. In Windows Vista and later, this process changed significantly (NTLDR was replaced by the Windows Boot Manager and winload.exe).


INITIAL STARTUP PHASE


After the computer is turned on, but before the Windows startup process begins, the firmware executes a Power-On Self-Test (POST), which does an initial check of the computer's hardware. If this finishes without trouble, control is passed to the first sector of the boot disk, the Master Boot Record (MBR). The code in the MBR scans its partition table for the active (system) partition, loads that partition's boot sector and executes it; on Windows NT-based operating systems the boot sector code locates NTLDR in the root of the system partition, loads it and transfers control to it. None of these stages on a BIOS-based system verifies the code it hands off to: the MBR, the partition boot sector and NTLDR each run with full control of the machine simply because they were found in the expected place on disk, which is why a baseline of these sectors is worth keeping.
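The hand-off from the MBR to the system partition described above can be followed with a small parser. This is an added example, not code from the original article: it builds a constructed 512-byte MBR (dummy boot code, one active NTFS partition, one inactive FAT32 partition), checks the 0x55AA signature the way the BIOS does, locates the single active partition whose boot sector would be loaded next, and fingerprints the unverified boot code so it can be compared against a saved baseline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510..511
ACTIVE_FLAG = 0x80                    # status byte of the partition the MBR code boots


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not a real disk image): dummy boot code, an active
    NTFS (0x07) partition starting at LBA 63 and an inactive FAT32 (0x0B) partition."""
    code = b"\x33\xC0\x8E\xD0" + b"\x90" * (PARTITION_TABLE_OFFSET - 4)   # xor ax,ax / mov ss,ax / nops
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry1 = struct.pack("<B3sB3sII", ACTIVE_FLAG, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_097_152)
    entry2 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x0B, b"\xFE\xFF\xFF", 2_097_215, 4_194_304)
    empty = bytes(16)
    return code + entry1 + entry2 + empty + empty + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into its boot code and used partition entries.
    Raises ValueError on a wrong size or missing 0x55AA signature, which is the
    only check the BIOS makes before jumping into the code."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:                      # unused slot
            continue
        partitions.append({"index": i, "active": status == ACTIVE_FLAG,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"code": mbr[:PARTITION_TABLE_OFFSET], "partitions": partitions}


def system_partition(parsed: dict) -> dict:
    """The partition whose boot sector the MBR code loads next: the single entry
    flagged active. Zero or several active entries is a malformed table."""
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def boot_code_fingerprint(parsed: dict) -> str:
    """SHA-256 of the 446 code bytes. Nothing in this boot path verifies them,
    so comparing against a known-good baseline is the practical integrity check."""
    return hashlib.sha256(parsed["code"]).hexdigest()


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    sysp = system_partition(info)
    print(f"system partition: type 0x{sysp['type']:02X}, boot sector at LBA {sysp['lba_start']}")
    print("boot code sha256:", boot_code_fingerprint(info))
```

On a real machine the same functions take the first sector of the disk (for example the 512 bytes produced by `dd if=/dev/sda bs=512 count=1` from a rescue environment); the fingerprint only means something when compared with one taken from the same disk earlier.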


BOOT LOADER PHASE


When the boot process starts, NTLDR does the following:

1. Accesses the file system on the boot drive (either FAT or NTFS).
2. If F8 is pressed at this point, displays the Advanced Options menu (Safe Mode, Last Known Good Configuration and so on), which modifies the steps below.
3. If hiberfil.sys is found and holds a valid hibernation image, loads its contents into memory and resumes the system where it left off.
4. Otherwise, reads Boot.ini and prompts the user with the boot menu accordingly.
5. If a non NT-based OS is selected, loads the boot sector file listed for that entry in boot.ini (bootsect.dos if no file is specified) and gives it control.
6. If an NT-based OS is selected, runs Ntdetect.com, which gathers information about the computer's hardware.
7. Loads and starts Ntoskrnl.exe, the Windows kernel, passing it the information gathered by Ntdetect.com.
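Steps 4 and 5 above are driven entirely by boot.ini, so it is worth seeing what NTLDR actually parses. The following is an added example, not code from the original article: it parses a constructed boot.ini (the entries, ARC paths and switch values are made up for the example), resolves the default entry, separates NT entries (ARC paths) from entries that chain to a boot sector file, and flags the two things a reviewer of this file cares about: entries that substitute the kernel or HAL image with the /KERNEL= and /HAL= switches, and entries that hand control to an arbitrary boot sector file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample boot.ini; the entries, paths and switch values are made up
# for the example and do not describe any real system.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows 2000 (debug kernel)" /KERNEL=ntoskrnl.dbg /HAL=halmacpi.dbg
C:\="Microsoft Windows 98"
C:\bootsect.lnx="Linux"
"""

# ARC path: adapter(unit)disk(n)rdisk(n)partition(n)\directory
ARC_PATH = re.compile(
    r"^(multi|scsi|signature)\((\w+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)$", re.I)
# Right-hand side of an [operating systems] line: "description" followed by /switches.
ENTRY_VALUE = re.compile(r'^"([^"]*)"\s*(.*)$')
# Switches that make NTLDR load a kernel or HAL image other than the installed one.
IMAGE_SWITCHES = ("/kernel=", "/hal=")


@dataclass
class BootEntry:
    target: str                          # ARC path (NT entry) or drive/file (non-NT entry)
    description: str
    switches: list = field(default_factory=list)

    @property
    def is_nt(self) -> bool:
        return ARC_PATH.match(self.target) is not None

    def arc_components(self):
        """Decompose the ARC path of an NT entry; None for a non-NT entry."""
        m = ARC_PATH.match(self.target)
        if not m:
            return None
        adapter, unit, disk, rdisk, partition, path = m.groups()
        return {"adapter": adapter.lower(), "unit": unit, "disk": int(disk),
                "rdisk": int(rdisk), "partition": int(partition), "path": path}

    @property
    def boot_sector_file(self):
        """For a non-NT entry, the boot sector file NTLDR loads and jumps to:
        the named file, or bootsect.dos when the entry is just a drive."""
        if self.is_nt:
            return None
        _, _, name = self.target.partition("\\")
        return name or "bootsect.dos"


def parse_boot_ini(text: str) -> dict:
    """Parse the [boot loader] and [operating systems] sections of boot.ini."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                cfg["timeout"] = int(value)
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            m = ENTRY_VALUE.match(value)
            if not m:
                raise ValueError(f"malformed entry: {line}")
            switches = [s for s in m.group(2).split() if s.startswith("/")]
            cfg["entries"].append(BootEntry(key, m.group(1), switches))
    return cfg


def default_entry(cfg: dict):
    """The entry NTLDR starts when the timeout expires, matched on its ARC path."""
    wanted = (cfg["default"] or "").lower()
    return next((e for e in cfg["entries"] if e.target.lower() == wanted), None)


def review(cfg: dict) -> list:
    """What a reviewer of boot.ini wants flagged: entries that substitute the
    kernel or HAL image, and entries that chain to an arbitrary boot sector file."""
    findings = []
    for e in cfg["entries"]:
        for s in e.switches:
            if s.lower().startswith(IMAGE_SWITCHES):
                findings.append((e.description, f"loads an alternate image via {s}"))
        if not e.is_nt:
            findings.append((e.description, f"chains to boot sector file {e.boot_sector_file}"))
    return findings


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default:", default_entry(cfg).description, "after", cfg["timeout"], "s")
    for desc, why in review(cfg):
        print(f"  {desc}: {why}")
```

The findings are informational: a debug kernel entry or a dual-boot chain loader is often legitimate, but each one names code that will run before Windows has loaded anything else, so each deserves to be accounted for.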


KERNEL LOADING PHASE

In this stage, NTLDR does the following:
  • Loads the Windows kernel (Ntoskrnl.exe) and the Hardware Abstraction Layer (Hal.dll) into memory.

  • Loads the HKLM\SYSTEM portion of the Windows Registry (the SYSTEM hive) into memory, and chooses a "control set".

  • If multiple hardware profiles are defined in the registry, prompts the user to choose one.

  • Loads the drivers that are required to start Windows (the boot-start drivers), then transfers control to the kernel.


Through this process, a "progress bar" is visible at the bottom of the display on Windows 2000, XP, and Server 2003 systems. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.


Hal.dll


The Hardware Abstraction Layer is the interface between the operating system and the computer's hardware. Windows ships with several HALs to support different kinds of hardware; the one that Windows Setup selects is installed under the name Hal.dll (generally speaking, uni- vs. multi-processor, ACPI vs. non-ACPI, and APIC vs. PIC are the determining factors).


Control sets


The HKLM\SYSTEM portion of the registry contains all the information about detected hardware (both at boot time and through Plug and Play), as well as a complete list of Windows services. It is stored in the hive file %SystemRoot%\System32\Config\system, and most of it lives in a set of registry keys called control sets. Multiple control sets (typically two) are kept, in the event that the settings contained in the currently used one prevent the system from booting.

In HKLM\SYSTEM are control sets labeled ControlSet001, ControlSet002, etc., as well as CurrentControlSet. During regular operation, Windows uses CurrentControlSet to read and write information; it is a symbolic link to one of the numbered control sets. Windows picks the "real" control set based on the REG_DWORD values in the HKLM\SYSTEM\Select key, each of which holds a control set number:

  • Default is NTLDR's choice if nothing else overrides it.

  • If the Failed value matches Default, then NTLDR displays an error message indicating that the last boot failed, and gives the user the option to try booting anyway or to use the Last Known Good Configuration.

  • If the user has chosen Last Known Good Configuration from the NTLDR boot menu, the control set indicated by the LastKnownGood value is used instead of Default.


When a control set is chosen, the Current value is set accordingly. Failed is also set to the same as Current until the end of the boot process. If the boot process completes successfully, LastKnownGood is set to Current.
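The selection rules above can be written down as a small state machine over the four Select values. This is an added example, not code from the original article: the Select values are held in a plain dict with constructed starting numbers instead of being read from the hive, and a boot is simulated as "choose a set, mark it, then succeed or fail", so the effect of a failed boot and of picking Last Known Good can be seen without touching a real machine.

```python
r"""Model of NTLDR's control-set selection, driven by the HKLM\SYSTEM\Select values.

Added example: Current, Default, Failed and LastKnownGood are REG_DWORD control-set
numbers in the real registry; here they live in a dict and the boot is simulated.
"""


def control_set_name(number: int) -> str:
    """Select stores numbers; the keys under HKLM\\SYSTEM are ControlSet001, ControlSet002, ..."""
    return f"ControlSet{number:03d}"


def choose_control_set(select: dict, user_chose_lkg: bool = False) -> dict:
    """Apply the rules from the section above and report what NTLDR would do.

    - Default is used unless something overrides it.
    - Failed == Default means the previous boot with that set did not complete,
      so the loader warns and offers Last Known Good Configuration.
    - If the user chose Last Known Good, LastKnownGood replaces Default.
    """
    default, failed, lkg = select["Default"], select["Failed"], select["LastKnownGood"]
    last_boot_failed = failed != 0 and failed == default
    chosen = lkg if user_chose_lkg else default
    return {"control_set": control_set_name(chosen), "number": chosen,
            "last_boot_failed": last_boot_failed}


def begin_boot(select: dict, number: int) -> None:
    """Once a set is chosen, Current points at it and Failed is provisionally
    set to it as well, so an interrupted boot is recorded as a failure."""
    select["Current"] = number
    select["Failed"] = number


def finish_boot(select: dict, completed: bool) -> None:
    """At the end of a successful boot, LastKnownGood is moved to Current and the
    provisional Failed mark is cleared. An interrupted boot leaves Failed set."""
    if completed:
        select["LastKnownGood"] = select["Current"]
        select["Failed"] = 0


def simulate_boot(select: dict, completed: bool, user_chose_lkg: bool = False) -> dict:
    """One full boot: selection, provisional marking, then success or failure."""
    decision = choose_control_set(select, user_chose_lkg)
    begin_boot(select, decision["number"])
    finish_boot(select, completed)
    return decision


if __name__ == "__main__":
    # Constructed starting state: ControlSet001 is in use, ControlSet002 is the LKG copy.
    select = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}
    print(simulate_boot(select, completed=False), select)          # a bad driver hangs the boot
    print(choose_control_set(select))                              # next boot: warning offered
    print(simulate_boot(select, completed=True, user_chose_lkg=True), select)
```

One consequence worth keeping in mind: LastKnownGood is refreshed at every successful boot, so a driver or service added to CurrentControlSet is copied into the Last Known Good set as soon as the machine boots cleanly once. Last Known Good recovers from a change that breaks booting; it is not a rollback point for a change that boots fine.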


Hardware and drivers

The HKLM\HARDWARE section of the registry is populated by the kernel at boot time with the information about detected hardware that was gathered by Ntdetect.com. More specifically:
  • If ACPI is supported by the hardware, the Fixed ACPI Description Table (FADT), Firmware ACPI Control Structure (FACS) and Root System Description Table (RSDT) are written to HKLM\HARDWARE\ACPI.

  • Details about installed CPU(s), such as the brand, speed, and feature set (MMX, SSE, etc.), are stored in HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\#.

  • In similar fashion, details about installed FPU(s) are stored in HKLM\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\#.

  • Information about the various multifunction adapters (ISA, PNP, ACPI, etc.) and the devices on them that are detected by Ntdetect.com is stored in HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\#.


Drivers are considered by Windows to be "services". As such, all the drivers that are to be loaded at this point are described by keys under HKLM\SYSTEM\CurrentControlSet\Services, where each key's Start value gives the start type (0 = Boot, 1 = System, 2 = Auto-start, 3 = Manual, 4 = Disabled), its Group and Tag values place it in the load order, and its ImagePath names the file to load.

For the purposes of booting, a driver is either a "Boot" driver (Start = 0) that is loaded into memory by NTLDR prior to starting the kernel and initialized by the kernel before system drivers, or a "System" driver (Start = 1), which is loaded and started by Ntoskrnl.exe after the boot drivers. "Boot" drivers are almost exclusively drivers for hard-drive controllers and file systems (ATA, SCSI, the file system filter manager, etc.); in other words, they are the absolute minimum that Ntoskrnl.exe needs in order to load other drivers and the rest of the operating system. "System" drivers cover a wider range of core functionality, including the display driver, CD-ROM support, and the TCP/IP stack. Because boot drivers run in the kernel before any other protection is in place, the set of Start = 0 entries and their image paths is one of the first things to compare against a baseline when a machine is suspected of being compromised.

After this (and before any files are opened by user-mode components), Autochk, a boot-time version of Chkdsk, is run; it is launched by the Session Manager from the BootExecute value of its registry key (described below). If the computer was not shut down cleanly, Autochk will attempt to repair any potential damage.

More detailed information can be found in the Windows XP Resource Kit: Kernel Loading Phase.


SESSION MANAGER

Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (smss.exe), the first user-mode process. SMSS is one of the most important components of Windows. At boot time, it:

  • Creates environment variables.

  • Runs the native programs listed in the BootExecute value of its registry key (by default Autochk, see above).

  • Starts the kernel-mode side of the Win32 subsystem (win32k.sys). This allows Windows to switch into graphical mode, as there is now enough infrastructure in place.

  • Starts the user-mode side of the Win32 subsystem, the Client/Server Runtime Subsystem (csrss.exe). This makes Win32 available to user-mode applications.

  • Creates the virtual memory paging files.

  • Performs any queued rename and delete operations (the PendingFileRenameOperations value). This allows previously in-use files (e.g. drivers) to be replaced as part of a reboot.

  • Starts the Windows Logon Manager (Winlogon.exe). Winlogon is responsible for handling interactive logons to a Windows system (local or remote). The Graphical Identification and Authentication (GINA) library is loaded inside the Winlogon process, and provides support for logging on as a local or Windows domain user.


The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.


WINLOGON


Winlogon.exe, started by the Session Manager, handles interactive logons. At startup it does the following:

1. Starts the Local Security Authority Subsystem Service (lsass.exe), which enforces the local security policy (checking user rights, creating audit trails, issuing access tokens, etc.).
2. Starts the Service Control Manager (SCM, services.exe), which in turn starts all the Windows services that are set to Auto-Start.
3. Waits for the Secure Attention Sequence (Ctrl+Alt+Del). The sequence is intercepted by Winlogon itself, so an ordinary application cannot answer it with a fake logon dialog.
4. Calls the GINA, which displays the logon dialog box; the user enters credentials, and the GINA passes them back to Winlogon.
5. Passes the credentials to the LSA, which determines which account database is to be used:
  • Local SAM
  • Domain SAM (Windows NT 4.0 style domain)
  • Active Directory
6. On a successful logon, runs userinit.exe, which runs logon scripts, applies per-user settings and starts the user's shell.


The GINA is loaded from the DLL named by the GinaDLL value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (msgina.dll when the value is absent) and runs inside winlogon.exe as SYSTEM, so it sees every password typed at the logon prompt. A replacement GINA is a classic credential-capture technique, and the value belongs in any audit of the Winlogon key.



LOGON PHASE

After a user has successfully logged on to the machine, Winlogon does the following:

  • Updates the control sets; the LastKnownGood control set is updated to reflect the current control set.

  • Applies User and Computer Group Policy settings.

  • Runs startup programs from the following locations:

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

      • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

      • ProfilePath\Start Menu\Programs\Startup\


Everything named in these locations runs under the logging-on user's token (and the HKLM keys apply to every user who logs on), which makes them the most common user-mode persistence points; a baseline of a machine should record their contents.



PLUG AND PLAY DEVICE DETECTION (WINDOWS 2000 AND LATER ONLY)


