Andrew Tech Help

In Depth Tech Nerd Stuff

Windows Boot Process

You press that button on your laptop or desktop and then wait for Windows to load... but have you ever wondered what Windows is actually doing while that logo appears saying Windows is loading? Well, this guide will explain how the Windows NT (Windows NT/2000/XP/Server 03) and Windows Vista (Windows Vista & 7) bootloaders work.

Windows NT/2000/XP and Server 2003

Windows 2000/XP and Server 2003 are built on the original NT kernel, so they inherit many of the base features of Windows NT, including the startup process. The startup process on these operating systems is as follows:

  1. The Boot Loader executes the NTLDR file which is found in the root "\" directory of the boot drive (so it's normally located at C:\NTLDR but this can vary in dual boot systems). The NTLDR loads the file system on the boot drive (either FAT, FAT32, NTFS or CDFS) and checks for a hiberfil.sys file. If it is present and the user has previously hibernated the machine, the machine is resumed to the previous state and the rest of this boot process is skipped.
  2. After loading the basic file system, if the machine is not resuming from hibernation, NTLDR checks for a boot.ini file in the root "\" directory of the boot drive (if there is no boot.ini then the boot loader will attempt to boot from C:\WINNT in Windows NT and 2000, or from C:\Windows in Windows XP or Server 2003). This file lists all the operating systems stored on the computer. If there is more than one entry and, depending on the settings in the boot.ini file, it will display the Boot Menu, asking the user to choose which operating system they want. If the user chooses an operating system that is not Windows NT/2000/XP or Server 2003, control is passed over to the boot loader for that OS and the rest of this boot process is skipped.
  3. After a Windows NT/2000/XP or Server 2003 installation has been chosen from the boot menu, either automatically or by the user, ntdetect.com is run. This file performs hardware detection. After it finishes, ntoskrnl.exe is run; it takes the information gathered by ntdetect.com and starts to load the NT kernel. The kernel reads the hal.dll file, which allows a small number of core devices to interact with the software. The System component of the registry is also read so that key drivers for CD-ROMs, display adapters, memory etc. are ready for loading by the kernel.
  4. This is the point where the Windows 2000/XP/Server 2003 logo appears and all the System Drivers are loaded into memory. Once the system drivers are loaded then smss.exe (Session Manager Subsystem) is run which scans to check if drives were shut down cleanly and if not allows for the famous "Chkdsk" scan. Once the check is done then win32k.sys is loaded and Windows can now switch to graphical mode (YAY!). The Win32 User Mode subsystem (csrss.exe) is loaded which allows Win32 to be accessible to applications. At this point Virtual Memory paging files are created and then winlogon.exe is loaded. By this point you should be seeing the Windows is Starting Up screen.
  5. Winlogon.exe loads the Local Security Authority Subsystem Service (Lsass.exe) and the Service Control Manager (SCM), which allows all the other Windows services to be run if they are set to run on boot. These include things such as network server/client, Windows Firewall etc. Winlogon.exe then calls on GINA (Graphical Identification and Authentication - Msgina.dll). This allows Windows to bring up that nice pretty logon box for you to enter your logon details into. Once you enter your password and click OK, GINA hands the username and password you entered back over to LSASS, and it checks whether it needs to authenticate with the SAM (Security Accounts Manager) or with Active Directory for computers on a domain. Windows Server 2003, if it's a standalone server, will authenticate with the SAM, and if it's a Domain Controller it will bypass the SAM completely and log in with Active Directory. Finally, LSASS makes sure the user permissions are enforced.
  6. Finally, all the programs located in your Startup folder and in the Run keys in the registry are executed and the Windows shell (explorer.exe) is loaded. This allows your desktop to appear and you can get to work.
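Step 2 above is the one point in this boot path that a text file on disk controls, so it helps to see exactly what NTLDR reads. The following parser is an added example written for this page (it is not NTLDR's code or anything from Microsoft): it takes a constructed boot.ini, splits the `[boot loader]` settings from the `[operating systems]` entries, works out which entry is the default, whether a menu would be shown at all, and which entries NTLDR boots itself via ntdetect.com/ntoskrnl.exe versus which it hands to another boot loader through a boot-sector file. The `timeout` rule (0 means boot the default immediately, so no menu) and the ARC-path prefixes used to recognise NT-family entries are assumptions stated in the comments.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample boot.ini (not from any real machine): two NT-family
# installations plus one foreign OS that NTLDR chain-loads via a boot-sector file.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\\BOOTSECT.LNX="Linux (chain-loaded boot sector)"
"""


@dataclass
class BootEntry:
    target: str            # ARC path (NT family) or boot-sector file (other OS)
    description: str       # text shown in the boot menu
    switches: List[str] = field(default_factory=list)  # e.g. /fastdetect, /noexecute=optin


@dataclass
class BootConfig:
    timeout: int           # seconds the menu waits; 0 = boot default at once, -1 = wait forever
    default: str           # target of the entry booted when the timeout expires
    entries: List[BootEntry]


# Assumption: NT-family entries use ARC paths starting with one of these prefixes.
_NT_TARGET = re.compile(r"^(multi|scsi|signature)\(", re.IGNORECASE)


def parse_boot_ini(text: str) -> BootConfig:
    """Parse the INI-style text of boot.ini into a BootConfig."""
    section: Optional[str] = None
    timeout: Optional[int] = None
    default: Optional[str] = None
    entries: List[BootEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            raise ValueError(f"malformed boot.ini line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            if key.lower() == "timeout":
                timeout = int(value)
            elif key.lower() == "default":
                default = value
        elif section == "operating systems":
            # value is: "description" followed by optional loader switches
            match = re.match(r'"([^"]*)"\s*(.*)$', value)
            if match:
                description, rest = match.group(1), match.group(2)
            else:
                description, rest = value, ""
            entries.append(BootEntry(key, description, rest.split()))
    if timeout is None or default is None:
        raise ValueError("boot.ini is missing timeout= or default= in [boot loader]")
    return BootConfig(timeout, default, entries)


def is_nt_family(entry: BootEntry) -> bool:
    """True when NTLDR runs ntdetect.com and ntoskrnl.exe for this entry;
    False when it chain-loads the boot sector stored in the named file."""
    return bool(_NT_TARGET.match(entry.target))


def default_entry(cfg: BootConfig) -> BootEntry:
    """The entry booted on timeout; default= must name a listed entry."""
    for entry in cfg.entries:
        if entry.target.lower() == cfg.default.lower():
            return entry
    raise ValueError(f"default= target {cfg.default!r} is not listed under [operating systems]")


def shows_menu(cfg: BootConfig) -> bool:
    """Assumed rule: a menu appears only when there is a choice and timeout is not 0."""
    return len(cfg.entries) > 1 and cfg.timeout != 0


def boot_menu(cfg: BootConfig) -> List[str]:
    """Render the menu lines as a user would see them, marking the default with '*'."""
    lines = []
    for entry in cfg.entries:
        marker = "*" if entry is default_entry(cfg) else " "
        loader = "NTLDR" if is_nt_family(entry) else "chain-load"
        lines.append(f"{marker} {entry.description} [{loader}]")
    return lines


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print(f"timeout={cfg.timeout}s, menu shown={shows_menu(cfg)}")
    for line in boot_menu(cfg):
        print(line)
```

Two things worth noting when reading a real boot.ini this way: a `default=` value that matches no entry is exactly the misconfiguration that leaves NTLDR unable to boot, so `default_entry` refuses it rather than guessing, and the switches on each entry (such as `/noexecute=optin`, which sets the DEP policy) are part of the boot security posture and are worth checking alongside the entries themselves.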

Windows Vista, 7 & Server 2008

Windows Vista, 7 and Server 2008 were built mostly on the 2000/XP/Server 2003 kernel, so they inherit many of the base features of Windows NT, but the startup and authentication process has changed a bit since Windows XP. The startup process on these operating systems is as follows:

  1. The computer boots either from the boot loader in the MBR (if it's a BIOS-based machine) or from the EFI firmware if it's a machine based on the Extensible Firmware Interface. The boot loader or EFI then loads the Windows Boot Manager, "bootmgr" (which is located in the root "\" directory of the system drive). This replaces NTLDR from previous versions of Windows.
  2. The Windows Boot Manager reads the Boot Configuration Data, which is stored in \Boot\BCD on BIOS-based systems and on the special EFI System Partition on EFI-based systems. It is similar to the Windows Registry in the way it's built. This boot configuration data replaces the boot.ini file from previous versions of Windows. It holds a list of all the operating systems. If the user chooses a Windows NT/2000/XP/Server 2003 system then the Windows Boot Manager passes control over to NTLDR for that OS and the old boot style is invoked. For other operating systems, control is passed over to the relevant boot loader.
  3. For a Windows Vista/7/Server 2008 system, the Windows Boot Manager and Boot Configuration Data then check whether the system is resuming from hibernation, in which case winresume.exe is loaded and the system is brought out of hibernation. If the system is booting from a shutdown then winload.exe is loaded. This loads the Windows kernel (ntoskrnl.exe), and from there the basic boot process up to login is the same as in Windows NT/2000/XP and Server 2003.
  4. In Windows Vista, when you log in, LSASS assigns every user a token. Administrative users get two tokens, one limited token and one administrative token; limited users only receive a limited token. When an administrative user tries to run a process that requires privileges the limited token can't supply, a UAC prompt appears asking for permission to continue. This appears on a secure desktop so that malware cannot click the Continue button automatically. Once permission is given, that process receives an administrative token and can continue as normal. If a limited user tries to run a program that requires an administrative token, a UAC prompt also appears, but it requires the user of an administrator account to enter their password to continue. This security measure allows Microsoft to stop programs running as administrator unless it's absolutely required.
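The two-token model in step 4 is something a process can inspect for itself: the primary token carries a `TOKEN_ELEVATION_TYPE` that says whether it is the filtered (limited) token of an administrator, the full administrative token, or a plain single token with nothing to elevate to. The script below is an added example written for this page, not Microsoft's code; it uses the documented Win32 calls `OpenProcessToken` and `GetTokenInformation(TokenElevationType)` through ctypes and then explains the result in the terms the text uses. The numeric constants are the winnt.h values, and the query itself only runs on Windows (the interpretation function is platform-independent and is the part a test exercises).

```python
import sys

# TOKEN_ELEVATION_TYPE values (winnt.h) returned by GetTokenInformation(TokenElevationType).
TOKEN_ELEVATION_TYPE_DEFAULT = 1  # single token: standard user, or no UAC filtering applied
TOKEN_ELEVATION_TYPE_FULL = 2     # the full administrative token: this process is elevated
TOKEN_ELEVATION_TYPE_LIMITED = 3  # the filtered token of an admin user; a linked full token exists

TOKEN_QUERY = 0x0008              # access right needed for GetTokenInformation
TOKEN_ELEVATION_TYPE_CLASS = 18   # TOKEN_INFORMATION_CLASS value for TokenElevationType


def describe_elevation_type(value: int) -> dict:
    """Explain a TOKEN_ELEVATION_TYPE value in terms of the split-token model."""
    if value == TOKEN_ELEVATION_TYPE_DEFAULT:
        return {"name": "default", "elevated": False, "linked_full_token": False,
                "note": "no split token; UAC has nothing to elevate to"}
    if value == TOKEN_ELEVATION_TYPE_FULL:
        return {"name": "full", "elevated": True, "linked_full_token": False,
                "note": "running with the administrative token (consent already given)"}
    if value == TOKEN_ELEVATION_TYPE_LIMITED:
        return {"name": "limited", "elevated": False, "linked_full_token": True,
                "note": "filtered token; a UAC consent prompt would switch to the linked full token"}
    raise ValueError(f"unknown TOKEN_ELEVATION_TYPE {value}")


def current_token_elevation_type() -> int:
    """Query the elevation type of this process's primary token (Windows only)."""
    if sys.platform != "win32":
        raise OSError("token elevation type is only meaningful on Windows")
    import ctypes
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Explicit prototypes so HANDLE values (including the -1 pseudo-handle) keep full width on x64.
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD,
                                          ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value = wintypes.DWORD()       # receives the TOKEN_ELEVATION_TYPE enum
        returned = wintypes.DWORD()    # bytes written by the call
        ok = advapi32.GetTokenInformation(token, TOKEN_ELEVATION_TYPE_CLASS, ctypes.byref(value),
                                          ctypes.sizeof(value), ctypes.byref(returned))
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())
        return value.value
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    info = describe_elevation_type(current_token_elevation_type())
    print(f"token: {info['name']} (elevated={info['elevated']}) - {info['note']}")
```

Run from an ordinary console as an administrator-group user, this reports "limited", because the shell and everything it launches inherit the filtered token; run from a console started with "Run as administrator", it reports "full". A service or script that assumes it has administrative rights just because the logged-in user is an administrator is exactly the case the limited token is there to catch.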

Some information sourced from Wikipedia and Ezine Articles


Last Updated on Sunday, 29 March 2009 22:06  
