Boot Sequence Process

 

It is extremely important for a good technician to understand the boot sequence of every system, particularly Windows XP and Windows Vista. With that knowledge we can troubleshoot any problem that prevents the system from starting.

The files executed during the boot process are:

 

| File | Location | Boot phase |
|---|---|---|
| NTLDR | C: (system partition root) | Preboot and boot |
| BOOT.INI | C: | Boot |
| BOOTSECT.DOS | C: | Boot (optional) |
| NTDETECT.COM | C: | Boot |
| NTBOOTDD.SYS | C: | Boot (optional) |
| NTOSKRNL.EXE | (SystemRoot)\System32 | Kernel load (OS core) |
| HAL.DLL | (SystemRoot)\System32 | Kernel load (OS core) |
| SYSTEM | (SystemRoot)\System32 | Kernel start |
| *.SYS (device drivers) | (SystemRoot)\System32\Drivers | Kernel start |

 

Pre-boot sequence

When any computer starts, the BIOS looks for the boot sector of the hard drive (MBR, Master Boot Record) as follows:

  1. When we turn on the computer, the POST (power-on self-test) routine runs to determine the physical memory and the hardware installed in the computer.
  2. The BIOS looks for the boot device and, if it is a hard drive, loads and executes the MBR (Master Boot Record).
  3. The MBR looks in the partition table for the partition marked as active and executes that partition's boot sector in memory.
  4. This sector looks for the NTLDR file (NT loader) and executes it.

 

Start sequence (Boot)

After NTLDR is loaded into memory, the boot sequence collects information about the hardware and drivers to prepare the load phases of the operating system. The boot sequence uses the following files:

 

  • NTLDR
  • BOOT.INI
  • BOOTSECT.DOS (optional)
  • NTDETECT.COM
  • NTOSKRNL.EXE

 

The boot sequence is executed in 4 phases:

  • Initial Boot Loader
  • Operating System Selection
  • Hardware Detection
  • Configuration Selection

 

Initial Boot Loader – During this phase, NTLDR switches the processor from real mode to protected mode (32-bit flat memory mode). NTLDR then loads the minidrivers built into it. These minidrivers let NTLDR load Windows from FAT, FAT32 and NTFS partitions.

Operating System Selection – During the boot sequence, NTLDR reads the BOOT.INI file. If the file contains more than one operating system line, a menu appears so that the operating system can be selected.

If we don't select any system, NTLDR loads the default operating system specified in the BOOT.INI file. By default this is the most recent installation of Windows.

Remember that this menu is shown only when BOOT.INI contains more than one operating system line. If BOOT.INI doesn't exist, NTLDR always tries to load the operating system on the first active partition of the hard drive.
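The selection rules above can be modelled with a small BOOT.INI parser. This is an added example, not code from the original article: the sample file is constructed, and treating a bare drive root such as `C:\` as the W9X entry that goes through BOOTSECT.DOS (the case covered under Hardware Detection) is an assumption.

```python
import re

# Constructed sample BOOT.INI, not taken from the article.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\="Microsoft Windows 98"
'''

def parse_boot_ini(text):
    """Split BOOT.INI text into [boot loader] settings and [operating systems] lines."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "boot loader" and sep:
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems" and sep:
            m = re.match(r'"([^"]*)"\s*(.*)$', value.strip())
            label, switches = m.groups() if m else (value.strip(), "")
            entries.append({"path": key.strip(), "label": label, "switches": switches.split()})
    return loader, entries

def boot_decision(text):
    """Model the OS selection phase: is the menu shown, and what loads with no selection?"""
    if text is None:  # BOOT.INI missing: NTLDR falls back to the first active partition
        return {"menu": False, "loads": "operating system on the first active partition",
                "via_bootsect_dos": False}
    loader, entries = parse_boot_ini(text)
    wanted = loader.get("default", "").lower()
    chosen = next((e for e in entries if e["path"].lower() == wanted), None)
    return {
        "menu": len(entries) > 1,  # the menu needs more than one operating system line
        "loads": chosen["label"] if chosen else None,
        # Assumption: a drive root instead of an ARC path marks a DOS/W9X entry.
        "via_bootsect_dos": bool(chosen and re.fullmatch(r"[A-Za-z]:\\", chosen["path"])),
    }
```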

Hardware Detection – NTDETECT.COM and NTOSKRNL.EXE are in charge of detecting the hardware. NTDETECT runs immediately after we select the operating system to start.

If we select a W9X core system instead of NT/W2000/XP, NTLDR loads and executes BOOTSECT.DOS. This file is a copy of the boot sector that existed in the system partition when Windows was first installed. That sector corresponds to a partition previously formatted with MS-DOS or with a W9X/ME system.

NTDETECT.COM builds a list of the installed hardware and passes the list to NTLDR so it can be included in the registry under the key HKEY_LOCAL_MACHINE\HARDWARE.

NTDETECT detects the following components:

  • Type of BUS adapter
  • Communication Ports
  • Math coprocessor
  • Disk Drives
  • Keyboard
  • Mouse or pointing device
  • Parallel Port
  • SCSI Adapter
  • Video Adapter

 

Configuration Selection

After the NTLDR starts loading Windows and has collected the hardware information, the system loader shows the Hardware Profile screen if there is more than one user defined in the system.

If there is only one Hardware profile this screen will not appear, and Windows continues the boot process using the configuration of the default hardware profile.

Kernel Loader

The kernel (NTOSKRNL.EXE) is loaded after the configuration is selected. This is the moment when the system selection screen disappears and white rectangles appear at the bottom of the screen, indicating that NTOSKRNL is loading.

During the boot phase, NTLDR does the following:

  • Loads NTOSKRNL.EXE (but doesn't execute it).
  • Loads the hardware abstraction layer (HAL.DLL).
  • Loads the registry key HKEY_LOCAL_MACHINE\SYSTEM from %systemroot%\System32\Config\System.
  • Selects a control set to start the computer. The control set holds the information used to boot, for example the list of device drivers and services to run.
  • Loads the device drivers that have a 0x0 value in the Start entry of the device in the registry. These are usually low-level hardware devices. The load order is specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder.

 

Kernel Initialization

After the kernel finishes loading, it initializes and NTLDR hands control to the kernel (NTOSKRNL.EXE). At this point the system displays a screen with a progress bar for the boot process. Four tasks occur in this phase:

  1. The Hardware key is created in the registry. The kernel uses the information collected during hardware detection to create the registry key HKEY_LOCAL_MACHINE\HARDWARE. This key contains information about the hardware components and the interrupts used by specific devices.
  2. The Clone Control Set is created by copying the value of the registry saved in HKEY_LOCAL_MACHINE\HARDWARE\Select. This information is never modified; it is an identical copy of the computer's configuration and does not reflect any modification made during the boot process.
  3. The device drivers are loaded and initialized. After creating the Clone Control Set, the kernel looks in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for the device drivers with a 0x1 value in the Start entry. As in the kernel load phase, the Group entry specifies the order in which they are loaded.
  4. If an error occurs while loading or initializing one of these drivers, the system follows the action specified in the ErrorControl entry of the device driver.

The possible values are:

0x0 (Ignore) – The start sequence ignores the error and continues without showing a message.

0x1 (Normal) – The start sequence shows a message, but ignores the error and continues the boot process.

0x2 (Severe) – The start sequence fails, then continues using the control set of the Last Known Good configuration. The error is ignored and the boot continues.

0x3 (Critical) – The same as 0x2, but if the error repeats while using the Last Known Good configuration, the start sequence stops with an error message.

The ErrorControl values appear in the registry under the subkeys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_or_device_name\ErrorControl

Services Initialization

After the kernel loads and initializes the device drivers, the Session Manager program (SMSS.EXE) starts the subsystems and the Windows services. SMSS executes the instructions of the BootExecute, Memory Management, DOS Devices and SubSystems keys.

BootExecute Key

Executes the commands of this key before starting any service.

Memory Management Key

Creates the paging file information required by the Virtual Memory Manager.

DOS Device Key

Creates the symbolic links that associate commands with the correct component of the system.

SubSystems Key

Starts the Win32 subsystem. This controls every I/O and the access to the Video screen, and then starts the WinLogon process.

LOGON

The logon process starts after the kernel initialization phase finishes. The system automatically starts the WINLOGON.EXE program, which starts the Local Security Authority (LSASS.EXE) and shows the logon screen.

Then the service controller runs and makes a final pass over the Services key of the registry, looking for services with a 0x2 value in the Start entry. These services, including the Workstation service and the Server service, are configured by default to load automatically (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services).

The Windows boot process is not finished until a user has logged on. After a successful logon, the system copies the Clone Control Set to the LastKnownGood keys.
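The Start and ErrorControl values described in the Kernel Loader, Kernel Initialization and Logon sections can be audited offline from a registry export, which is a useful check when reviewing which drivers load before the operating system is fully up. This is an added example, not code from the original article: the sample export, the service values in it and the `GROUP_ORDER` list are constructed for illustration.

```python
import re

# Start value -> loading phase, per the article. SAMPLE_REG and GROUP_ORDER are constructed.
PHASE = {0: "kernel load (NTLDR)", 1: "kernel initialization", 2: "logon (service controller)"}
ERROR_CONTROL = {0: "Ignore", 1: "Normal", 2: "Severe", 3: "Critical"}
GROUP_ORDER = ["SCSI miniport", "SCSI Class"]

SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Group"="SCSI Class"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"Start"=dword:00000000
"ErrorControl"=dword:00000003
"Group"="SCSI miniport"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Start"=dword:00000002
"ErrorControl"=dword:00000001
'''

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
VALUE_RE = re.compile(r'"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_services(reg_text):
    """Return {service: {value_name: int or str}}; nested subkeys are skipped."""
    services, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key, val = KEY_RE.match(line), VALUE_RE.match(line)
        if line.startswith("["):
            current = services.setdefault(key.group(1), {}) if key else None
        elif val and current is not None:
            name, dword, text = val.groups()
            current[name] = int(dword, 16) if dword is not None else text
    return services

def boot_plan(reg_text, group_order=GROUP_ORDER):
    """Group services by boot phase; within a phase, follow the group order."""
    order = {group: i for i, group in enumerate(group_order)}
    ranked = sorted(parse_services(reg_text).items(),
                    key=lambda kv: order.get(kv[1].get("Group"), len(order)))
    plan = {phase: [] for phase in PHASE.values()}
    for name, values in ranked:
        phase = PHASE.get(values.get("Start"))
        if phase:  # other Start values are not loaded in the phases described here
            plan[phase].append((name, ERROR_CONTROL.get(values.get("ErrorControl"), "unknown")))
    return plan
```

A driver that appears in the kernel load phase with an unexpected name or an ErrorControl of Ignore is worth a closer look, since it runs before most of the system's protections are active.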

 



Comments
Johnny  - Thanks!! |18 May 2009
Very complete and clear explanation!