You are on page 1of 8

Windows NT startup process

From Wikipedia, the free encyclopedia

Simplified Version
This is the (simplified) boot sequence for Windows NT, 2000, XP and 2003: BIOS: performs Power On Self Test (POST) BIOS: loads MBR from the boot device specified/selected by the BIOS MBR: contains a small amount of code that reads the partition table, the first partition marked as active is determined to be the system volume MBR: loads the boot sector from the system volume BOOT SECTOR: reads the root directory of the system volume at loads NTLDR NTLDR: reads BOOT.INI from the system volume to determine the boot drive (presenting a menu if more than 1 entry is defined) NTLDR: loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection NTLDR: loads NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot (Windows) volume NTLDR: loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System NTLDR: loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE NTOSKRNL.EXE: brings up the loading splash screen and initializes the kernel subsystem NTOSKRNL.EXE: starts the boot-start drivers and then loads & starts the system-start drivers NTOSKRNL.EXE: creates the Session Manager process (SMSS.EXE) SMSS.EXE: runs any programs specified in BootExecute (e.g. AUTOCHK, the native API version of CHKDSK) SMSS.EXE: processes any delayed move/rename operations from hotfixes/service packs replacing in-use system files SMSS.EXE: initializes the paging file(s) and the remaining registry hives ** before this step completes, bugchecks will not result in a memory dump as we need a working page file on the boot (Windows) volume ** SMSS.EXE: starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS) SMSS.EXE: starts the user-mode portion of the Win32 subsystem (CSRSS.EXE) SMSS.EXE: starts WINLOGON.EXE WINLOGON.EXE: starts the Local Security Authority (LSASS.EXE) WINLOGON.EXE: loads the Graphical User Identification and Authentication DLL (MSGINA.DLL by default) WINLOGON.EXE: displays the logon window

the CPU runs the instructions located at the real mode memory location 0xFFFF0 of the BIOS.WINLOGON. Contents [hide]           1 Boot Sequence 2 Boot loader phase 3 Kernel loading phase 4 Session Manager 5 Winlogon 6 Remote booting & installation 7 Additional information 8 See also 9 References 10 External links Boot Sequence   Upon poweron.COM & BOOT. Windows XP and Windows Server 2003 operating systems initialize.INI The BOOT volume is the partition which contains the Windows folder .EXE: starts all services markes as automatic --------- Full Explanation NOTES: The SYSTEM volume is the partition from which the boot process starts. NTLDR. the startup code runs the POST to check & initialize required devices.this can be a logical partition The Windows NT startup process is the process by which Microsoft's Windows NT. Windows 2000. NTDETECT. In Windows Vista and later. this process has changed slightly (see Windows Vista startup process).EXE) ** at this point users can logon ** SERVICES. In any case.EXE: starts the services controller (SERVICES. . 0xFFFF0 usually contains a jump instruction (jmp in assembly language) pointing to the BIOS startup programming. boot sector. containing the MBR.

the CPU is operating in real mode. both stored within that file.exe). Global Descriptor Table. The first is the StartUp module and immediately followed by the OS loader (osloader. StartUp module's main task is to switch the processor into protected mode. The boot sector code is mostly OS specific. All BIOS calls are done through virtual 8086 mode beyond this point. BIOS loads the boot sector contents (from the MBR in the case of a HDD) into memory & transfers control to (executes) this boot code. . Since the earlier phases are not specific to the OS.sys is loaded to handle disk access in place of the default routines. StartUp module then loads and launches OS loader. This is a copy of the same SCSI miniport driver that is used when Windows is running. Ntbootdd. is composed of two parts. Disks are accessed through the system BIOS. or the active partition's boot sector is invalid. page tables and enable paging. or CDFS (ISO 9660). The last 2 bytes of the first sector contains 0xAA55 (a boot signature) indicates a bootable device. located in the root folder of the boot disk. If the boot disk is a SCSI disk and the SCSI controller is not using real-mode INT 0x13. This boot code scans for a partition flagged as bootable (often called "active") in its partition table. which loads and executes the kernel. an additional file. which facilitates 32-bit memory access. through native ARC routines on ARC systems. the boot process is considered to start:   For x86 or x64: when the partition boot sector code is executed in real mode and loads NTLDR For IA-64: when the IA64ldr. or via network using TFTP protocol. Boot loader phase For more details on this topic. This provides the basic operating environment on which the operating system will build. see NTLDR. the boot process continues as follows: An NTLDR file.efi EFI program is executed (later referred as simply IA64ldr) From that point. When NTLDR is loaded into memory and control is first passed to StartUp module. the MBR loads a secondary loader to select the partition via user input.       The BIOS checks a preconfigured list of nonvolatile storage devices (boot device sequence) for the first bootable device on the list. ETFS or UDFS in newer operating system versions. Once identified. thus allowing it to create the initial Interrupt descriptor table. If this is no partition flagged as active. The boot loader phase varies by platform. as the BIOS can not be directly accessed within protected mode. NTLDR's OS loader includes basic functionality to access IDE-based disks formatted for NTFS or FAT file systems. The boot code loads the boot sector code (the volume boot record) from that partition and executes (jumps to) it.

the next time NTLDR runs it will ask the user whether to try resuming again or to discard the file and proceed with normal booting. it will boot from C:\WINDOWS. this is bootsect. NTLDR clears the screen and displays a textual progress bar. it will attempt to boot from C:\WINNT. the message "Windows could not start because the following file was missing or corrupt" is displayed to the user. Next. the screen is cleared. e." underneath. which gathers basic information about the computer's hardware as reported by the BIOS.ini (by default. If boot.dll are read into memory. and the boot process comes to a halt. the root directory default volume as defined in boot. the user is prompted at this point to choose one. Once a boot mode has been selected (or if F8 was never pressed) booting continues. containing various special boot modes including Safe mode. so that a crash or other malfunction cannot cause this (now-outdated) memory state to be re-loaded. For Windows NT and 2000 machines. If either of these files fails to load. the advanced boot menu is displayed. enabling 64-bit addressing. due to their initialization speed).sys. the boot loader will attempt to locate information from the standard installation directory.dos if no file name is specified) and passes execution control to it. a boot menu is displayed to the user. NTLDR runs ntdetect.ini to locate information on the system volume. If the boot. Windows 2000 also displays the text "Starting Windows.ini is searched for a hibernation file. If an NT-based operating system is selected. and in the Windows 2000 or later versions of NTLDR and IA64ldr which support system hibernation. hiberfil. If multiple hardware configurations are defined in the registry. If a state resume fails. then NTLDR loads the associated "boot sector" file listed in boot. with the Last Known Good Configuration.ini file is missing. and (in the case of Server editions) Directory Services Restore C:\). boot-time device drivers are loaded (but not yet initialized).g. For Windows XP and 2003 machines. If an x64 version of Windows is being booted (Windows XP Professional x64 Edition or Windows Server 2003 x64 Editions). the contents of the file (which will match the amount of physical memory in the machine) are loaded into memory. and control is transferred into the Windows kernel at a point from which hibernation can be resumed. (which is often not seen on XP or 2003 systems. At this point in the boot process. This information (along with information on all detected hardware and Windows Services) is stored in . the CPU is switched into long mode.. with debugging enabled. the Windows kernel Ntoskrnl.exe and the Hardware Abstraction Layer hal. If the user presses F8 during this phase.The boot loader then reads the contents of boot. allowing the user to choose which operating system is to be loaded. If a non NT-based operating system such as Windows 98 is selected (specified by an MS-DOS style of path.ini contains more than one operating system entry. The file is then immediately marked as non-active. With the kernel in memory. If this file is found and an active memory set is found in it.. At this point.

For the purposes of booting.dll (for the windows logo and side-scrolling bar) config\system registry 1. and the TCP/IP stack. With this finished.the HKLM\SYSTEM portion of the registry. During regular operation.). file system filter manager. which is loaded and started by ntoskrnl. in a set of registry keys collectively called a Control Set. "System" drivers cover a wider range of core functionality. Windows picks the "real" control set being used based on the values set in the HKLM\SYSTEM\Select registry key:   Default  will be NTLDR or IA64ldr's choice if nothing else overrides this. CD-ROM support.dll (type of hardware abstraction layer) kdcom. etc. a driver is either a "Boot" driver that is loaded by NTLDR or IA64ldr prior to starting the kernel and started before system drivers by the kernel. indicating that the last boot failed. CurrentControlSet is a reference to one of the control sets stored in the registry. they are the absolute minimum that ntoskrnl. as well as CurrentControlSet. "Boot" drivers are almost exclusively drivers for hard-disk controllers and file systems (ATA. HKLM\SYSTEM contains control sets labeled ControlSet001. XP and 2003 switch into a graphical display mode to display the Windows logo. a "System" driver. Multiple control sets (typically two) are kept. then NTLDR or IA64ldr displays an error message. 3. The appropriate file system driver for the partition type (NTFS. and gives the user the option to try booting. SCSI.exe (the kernel) hal. Windows uses CurrentControlSet to read and write information. At this time.exe after the boot drivers or an "Automatic" driver which is loaded much later when the GUI already has been started. or FAT32) which the Windows installation resides on is also loaded. LastKnownGood is also set to Current if the boot process completes successfully. the Current key gets set accordingly. The Failed key is also set to the same as Current until the end of the boot process. including the display driver. whilst Windows 2000. unless the /noguiboot or /sos switches are present in boot. in the event that the settings contained in the currently-used one prohibit the system from booting. FAT. If the value of the Failed key matches Default. When a control set is chosen.ini. etc. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute .exe will need to get started with loading other drivers. control is then passed from NTLDR or IA64ldr to the kernel. ControlSet002.dll (Kernel Debugger HW Extension DLL) bootvid. the control set indicated by the LastKnownGood key is used instead of Default. If the user has chosen Last Known Good Configuration from the boot menu. 2. Windows NT shows the famous "blue screen" displaying number of CPUs and the amount of memory installed. in other words. and the rest of the operating system. anyway. 5. Kernel loading phase 1.. ntoskrnl. 4. or to use the "Last Known Good Configuration".

however just before the user can abort this process by pressing any key within 10 seconds (this was implemented in Windows NT 4. Process services in the order provided 3. and the Process Manager itself. The Object Manager.exe). Before any files are opened. basic internal memory structures are created. XP and 2003 show no text screen at that point (unlike NT. The System idle process as well as the System process are created at this point. the kernel (system thread) starts the Session Manager Subsystem (smss. Autochk mounts all drives and checks them one at a time whether they were not shut down cleanly before. The memory manager is initialized. On Windows XP and Server 2003.sys).0 Service Pack 4. in Windows XP and Windows Server 2003. Since Windows 2000. Starts the user-mode side of the Win32 subsystem. this is because the drivers would be initialized one at a time. and each CPU's interrupt controller is initialized. the drivers are all initialized asynchronously. Autochk [1] is started by smss. Prior to Windows XP. the Session Manager Subsystem :     Creates environment variables (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) Starts the kernel-mode side of the Win32 subsystem (win32k.[1] initial security token for assignment to the first process on the system. the Client/Server Runtime Server Subsystem (csrss. paged and non-paged pools of memory.2. this was replaced by an animated bar which does not represent actual progress. At boot time. Creates virtual memory paging files (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management) . During the first phase. a "progress bar" is visible at the bottom of the display on Windows 2000 systems. Through the process of loading device drivers. This allows Windows to switch into graphical mode as there is now enough infrastructure in place. they will show a different background picture holding a mini-text-screen in the center of the screen and show the progress of chkdsk there. *HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases. Session Manager Once all the Boot and System drivers have been loaded.exe. this part of the boot process took significantly longer.exe). The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers. which still shows the blue text screen). This makes Win32 available to user-mode applications. in earlier versions you could not skip chkdsk). creating areas for the file system cache. In that case it will automatically run chkdsk.

This allows previously in-use files (e. and provides support for logging in as a local or Windows domain user. The logon process is as follows:        Winlogon calls GINA (Optional) Logon prompt is displayed by GINA. doling out security tokens. Winlogon "Begin logon" dialog box in Windows XP. which in turn will start all the Windows services that are set to Auto-Start [2]. It is also responsible for responding to the secure attention sequence (SAS). The exact operation of most of these items is based on the configuration set in the registry. and optionally locking the computer when a screensaver is running. which determines which account database is to be used: o Local SAM o Domain SAM o Active Directory LSASS enforces the local security policy (checking user permissions. password. creating audit trails.). After a user has successfully logged in to the machine. The Graphical Identification aNd Authentication (GINA) library is loaded inside the Winlogon process. and the user presses the secure attention sequence (Control-Alt-Delete) Logon dialog is displayed by GINA User enters credentials (username. For more details on this topic. loading the user profile on logon.  Any rename operations queued up are performed.exe). drivers) to be replaced as part of a reboot. The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. etc. and domain) GINA passes credentials back to Winlogon Winlogon passes credentials to LSASS. Winlogon starts the Local Security Authority Subsystem Service (LSASS) and Service Control Manager (SCM). Starts the Windows Logon Manager (winlogon. see Winlogon. Winlogon is responsible for handling interactive logons to a Windows system (local or remote). Winlogon does the following: .g.

Remote booting & installation .   Updates the Control Sets. the LastKnownGood control set is updated to reflect the current control set.  Startup programs are run from the following locations [4]: o o o o o o o o o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows before Vista) %USERPROFILE%\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows before Vista) Winlogon's responsibilities have changed significantly from the above in Windows Vista. User and Computer Group Policy settings are applied.ini\Boot [3].exe) from the registry entry Shell= pointed to by the same registry entry in key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system. Starts the shell program (typically Explorer. which evaluates to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. its default value SYS:Microsoft\Windows NT\CurrentVersion\Winlogon.