Talk:Booting process of Windows NT

startup process as graphic

startup process as graphics, graphical representation of a chronological sequence of events could be very helpful Amigor (talk) 22:40, 24 September 2008 (UTC)

HKLM\Software hive

when hklm\software will be loaded and which parts/keys of hklm\software will be processed in which order? Amigor (talk) 23:03, 24 September 2008 (UTC)

Initial Startup Phase

POST => Boot Device => MBR => Bootable Primary Partition => NTLDR ?

Kernel Loading Phase

This is where(?)

• System Idle Process
• SYSTEM

process starts?

In short, yes. The "System Idle Process" isn't well-named... It's actually a thread that resides in the kernel (one per CPU) that swallows up any time not used by another process, and puts the CPU into idle mode (which reduces power usage). The "System" process is where most of the kernel threads hang out and do their work. Warrens 03:52, 13 February 2006 (UTC)

Log on phase

is this where user.exe is loaded? Where does WPA come into the boot process? What services are typically started, and from what? explorer.exe, services.exe, svchost.exe. Maybe some pictures of various logon boxes?

These are good things to be added to the article. user.exe, however, is not a part of Windows NT-based systems, save for providing backwards compatibility with 16-bit Windows 3.x applications. Should also note that images of Windows boot screens is unfortunately a violation of their copyright, so such things can't really be used here. I agree it'd be nice, though. Warrens 03:52, 13 February 2006 (UTC)

He said logon boxes, not boot screens, although that may be what he meant. I don't think there's anything wrong with screeshots of logon boxes though, and there is already one in the article. Which, I might add, could stand to be updated with one from Vista, XP or even Windows 2000. Things are similar, but have changed since NT 4. Also, perhaps some mention of the windows Welcome screen? --Tech Nerd 02:05, 16 March 2007 (UTC)

Oh, and why are boot screens violation of copyright, wouldn't that fall under the software-screenshots fair-use category? If no-one minds, I think I'll upload an updated version of the logon prompt.

Where also does userinit.exe fall into play? 70.82.42.107 05:48, 1 March 2006 (UTC)

WPA is integrated into winlogon.exe. Services are launched by services.exe and their definition is in SCM database, which is in fact stored in registry under HKLM\SYSTEM\CurrentControlSet\Services key. Svchost.exe is process used to host many system services and this process is launched as these services are started. And finally, explorer.exe, or more generally comma-separated list of processes under the Shell value in the HKLM\SOFTWARE\Microsoft\Windows NT\Winlogon key, is launched from userinit.exe. And this process (or more generally, comma-separated list of processes under Userinit value) is launched from GINA. Jakub Horky 14:00, 6 November 2006 (UTC)

Expansion

I'll be working on this page (and most of its descendants) through Fri Jan 27 and Sat Jan 28. Given that there are probably thousands of computers going through this exact startup process even as I type this, surely we can do a better job of explaining it. :-) Warrens 02:21, 28 January 2006 (UTC)

Spyware / Virus Removal

Thanks for adding to this discussion. I was looking around on the WWW for a decent article on how NT systems start up. This is valuable information for diagnostic, and removal of spyware / viruses and setting things back to default. Excellent.

Loading Shell (if any)

Worth mentioning loading the shell, as other startup items have been mentioned but not this? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Win XP)

Yes, shell is launched by userinit.exe and that information should surely be included in the article. But I won't do that because I'm pretty sure Warrens will come and revert it by abusing again his "no source = no inclusion" rule. Jakub Horky 23:41, 6 November 2006 (UTC)

Structure

Curious as to what others think in regards to setting the format to numbered lists.

Paragraph explanation

1. step
   • explanation...
2. step 2

SNIa 14:05, 19 February 2006 (UTC)

System partition and boot partition Merge

I don't think system partition and boot partition should be merged as this can be involved into boot processes of other systems. SNIa 04:29, 1 March 2006 (UTC)

Some corrections

There are some errors in the startup process description as is described in the main article; most notably:

- LSASS is started before Winlogon, and before lots of other things; it manages the security, so it has to be in place before (almost) everything else starts.
- The SCM is not started by Winlogon (otherwise a user logon would be required to start services); it's started at the same time Winlogon starts and operates independently.
- Computer group policies are applied before any user logon as well.

Also, a really useful info to be added are the various Windows screens displayed in the various boot process phases; here they are:

- Initial text-mode progress bar: Windows is loading boot drivers here.
- Windows bitmap with graphic progress bar: Windows is loading system drivers
- At this point, the GUI is started and the main window is displayed; it shows various messages, corresponding to later boot phases:
- "Starting Windows": LSASS and SMSS are started
- "Preparing network connections": networking is initialized and services are started by SCM
- "Applying computer settings": computer policies are applied
- "Installing managed software": any software being deployed through computer group policies is installed
- At this point, Winlogon is started and the CTRL-ALT-DELETE window is displayed; services are running
- An user inputs his/her credentials; if the logon is succesful, some other steps follow:
- "Loading personal settings": the user profile is loaded (maybe from a network server)
- "Applying personal settings": user policies are applied
- "Installing managed software": any software being deployed through user group policies is installed
- Finally the Windows shell is started and any application specified in the "Run" registry keys and in the Startup folders are started

Massimo80 22:52, 8 May 2006 (UTC)

• Your description of what starts LSASS and the SCM is directly contradicted both by the sources cited by this article and by various books on the subject, all of which state that they are started by WINLOGON. Given that you provide no source to verify your alternative description of the process, whereas the article as it currently stands both cites and agrees with its sources, the article should continue to read as it currently does. Please see our Wikipedia:Verifiability policy. Your logic ("otherwise a user logon would be required to start services" "it has to be in place before [WINLOGON]") is also faulty. Uncle G 16:45, 8 June 2006 (UTC)

• Yes, your theory is false. Winlogon.exe starts all those processes. It starts: (following information is related mainly to XP)
  • process specified by ServiceControllerStart value in the registry, defaulted to "services.exe" (== SCM)
  • Then (in some circumstances) it starts process specified by SaveDumpStart value in the registry, defaulted to "savedump.exe".
  • Then it starts process specified by LsaStart value in the registry, defaulted to "lsass.exe"
  • And finally, it starts all comma-separated processes specified by System value in the registry, defaulted to nothing.

All registry values reside in the HKLM\SOFTWARE\Microsoft\Windows NT\Winlogon key.

But there is another inaccuracy: the launch of SCM & LSASS is done in very early stage of winlogon.exe processing. It is definitely before the user is prompted to press Ctrl-Alt-Del, for example. Jakub Horky 13:48, 6 November 2006 (UTC)

It should be noted that the user is not always prompted to press Ctrl+Alt+Del. Some computers have this turned off, and others use the welcome screen, which doesn't require Ctrl+Alt+Del ever.--Tech Nerd 02:10, 16 March 2007 (UTC)

setup.exe

Where in this process would HKLM\SYSTEM\SETUP\CmdLine appear?

This would be before scandisk? SNIa 07:27, 4 June 2006 (UTC)

I think that key is only ever called during the GUI stage of Setup. The Chkdsk stuff is called as part of SMSS's initialization, and I don't think SMSS is able to run yet before the GUI setup is completd. Warrens 04:44, 5 June 2006 (UTC)

I did a test and I set this value back to setup -newsetup and this process started on the next boot. SNIa 04:28, 29 June 2006 (UTC)

When I start the windows startup process, I press shift + F10, get the command prompt, then type taskmgr I see the following on setup -newsetup:

• taskmgr.exe
• svchost.exe
• svchost.exe
• svchost.exe
• setup.exe
• lsass.exe
• services.exe
• winlogon.exe
• csrss.exe
• smss.exe
• System
• System Idle Process

SNIa 18:27, 28 July 2006 (UTC)

Process specified by CmdLine value is started by winlogon.exe (even on already installed system) when SetupType value is set to 0x1 or 0x4. It is started after the start of processes such as SCM or SMSS, but before loading GINA. Winlogon then doesn't do anything else - it just waits and when the process quits, winlogon initiates system shutdown. Jakub Horky 23:26, 6 November 2006 (UTC)

According to [Technet], SetupType=2 also causes CmdLine to be taken in account. I suspect that more values or combinations of these values can also cause the same effect :-). Antoinel 12:01, 19 February 2007 (UTC)

Precision

Name of kernel : ntoskrnl, ntkrnlmp, ntkrnlpa, ntkrpamp

• NTOSKRNL.EXE : 1 CPU
• NTKRNLMP.EXE : N CPU SMP
• NTKRNLPA.EXE : 1 CPU, PAE
• NTKRPAMP.EXE : N CPU SMP PAE

Autochk and smss.exe

Autochk and smss.exe

HKLM\SYSTEM\CurrentControlSet\ControlSessionManager\BootExecute
the default value of this key is AUTOCHK.

The default value is "autocheck autochk *". These parts have various meanings: "autocheck" is just the flag for SMSS (another such flag is e.g. "async"). "autochk" is name of the process which has to be launched (autochk.exe) and "*" is command-line argument for the process. Jakub Horky 23:37, 6 November 2006 (UTC)

sp1 of Windows Server 2003 : Boot-time policy

See also boot-time policy

Romanc19s 15:07, 20 August 2006 (UTC)

Bootstrap Without BIOS Disk Access

I find this to be a bit confusing: If the boot disk is a SCSI disk and cannot be accessed using the BIOS's firmware support, an additional file, Ntbootdd.sys is loaded. If the BIOS doesn't provide disk access then how does the bootsector code load NTLDR and how does NTLDR load ntbootdd.sys?

NTBootDD.sys is located at the same place as NTLDR, and loaded the same way, using BIOS. Later, NTLDR relies on NTBootDD.sys to load the kernel, normally from another disk which cannot be accessed by BIOS. AntoineL 08:37, 16 February 2007 (UTC)

It would be nice if this article, Master boot record and boot sector referenced a PC bootstrapping article that would explain what basic services are available to the bootloader in IDE/SCSI/etc. environments.

The article about booting seems to me to be a good and indeep explanations of the basic points. I am not sure more detailled technicals details fit into the wikipedia. Antoinel 15:20, 19 February 2007 (UTC)

This book: http://book.itzero.com/read/microsoft/0507/Microsoft.Press.Microsoft.Windows.Internals.Fourth.Edition.Dec.2004.internal.Fixed.eBook-DDU_html/0735619174/ch05lev1sec1.html indicates that NTBootDD.sys is also invoked if the system disk is too large for the computer -- if the system disk is larger than the BIOS supports. It would seem to depend on detection at the installation stage, and there is no explanation of how that works.150.101.166.15 (talk) 02:18, 22 November 2007 (UTC)

Autochk details

"Autochk mounts all drives and checks them one at a time whether they were not shut down cleanly before. In that case it will automatically run chkdsk, ..."

1) Autochk doesn't mount any drives. It is non-critical process where it doesn't matter if it won't run while startup.

2) Autochk does NOT run chkdsk.exe. Chkdsk.exe is usermode executable which is dependent on Win32 subsystem. Autochk.exe is its native variant. The file system checking is implemented right in autochk.exe. (This is the same e.g. for autofmt.exe, autolfn.exe or autoconv.exe.) Jakub Horky 00:18, 7 November 2006 (UTC)

In win server 2003, Chkdsk.exe is a wrapper for Autochk.exe. If Chkdsk.exe can't find Autochk.exe, it will ask for it.150.101.166.15 (talk) 02:21, 22 November 2007 (UTC)

I believe I saw chkdsk.dll or chkdsk32.dll in nt4/5, also when installing HPFS into nt4/5 there was a checking DLL, otherwise there would be a logical paradox that autochk/chkdsk should be able to check unknown file systems. So I suspect both Exe are wrappers around the same set of "installable FS" checker DLLs. Compare it with Linux which provides fsck.(file system name) executables to supplement "fsck" POSIX-blessed launcher.

Now, one more correction.

3) "earlier versions would not allow the user to abort chkdsk"

Not true. From my memory this was only so for system partition, the one holding WINNT folder. Other disks were stopped to Y/N prompts. Also, the BSOD was by default left as is, for a human operator to come and see. Then this human would control subsequent boot, including approving or canceling disk checks. When this behaviors was reverted to reboot-on-BSD this required implementing t

Not true. From my memory this was only so for system partition, the one holding WINNT folder. Other disks were stopped to Y/N prompts. Also, the BSOD was by default left as is, for a human operator to come and see. Then this human would control subsequent boot, including approving or canceling disk checks. When this behaviors was reverted to reboot-on-BSD this required implementing th

e

Not true. From my memory this was only so for system partition, the one holding WINNT folder. Other disks were stopped to Y/N prompts. Also, the BSOD was by default left as is, for a human operator to come and see. Then this human would control subsequent boot, including approving or canceling disk checks. When this behavior was changed to reboot-on-BSOD default this required implementing a non-blocking autochk prompt. 2A02:2168:A9F7:1300:9577:4C5C:ECF9:EDE (talk) 13:48, 9 March 2023 (UTC)

Sorry, pals. This new editor fails badly on Firefox/Android. Someone with desktop please remove the obvious typos above, I could not do it reliably. 2A02:2168:A9F7:1300:9577:4C5C:ECF9:EDE (talk) 13:50, 9 March 2023 (UTC)

P.S. Frankly, I still dislike both changes. BSOD is too serious event to just let "artificial idiot" trumple on the OS shards, always revert this change when I can. And non-blocking 10 seconds disk check means I am chained to keyboard for few minutes of slow post-error boot, where earlier I could look away. 2A02:2168:A9F7:1300:9577:4C5C:ECF9:EDE (talk) 13:48, 9 March 2023 (UTC)

Bootloader Phase

Processor mode

The Bootloader phase claims that the first thing NTLDR does is set the system into protected mode. Then it claims it uses the BIOS for IDE access. From a technical point of view this would not be possible, so must be incorrect. -The Pain 04:51, 27 December 2006 (UTC)

Hmm... I think I wrote that. I'll double-check my references (Windows Internals 4th ed., mainly) and clarify things if I can. -/- Warren 05:05, 27 December 2006 (UTC)

I'm not absolutely sure, but think there is no problem to call BIOS INTs from protected mode.

The fact is that CPU is switched to protected mode as early as in StartUp module, certainly before BIOS INTs are used by OS loader. Jakub Horky 15:55, 7 January 2007 (UTC)

The article is correct. Yes, the first thing NTLDR (really, the StartUp module which is prepended to 32-bit OsLoader) does is to switch to protected mode to enable 32-bit mode. After that, StartUp acts the same way as DOS extenders (except there is no DOS support, obviously), switching the CPU between modes to provide the BIOS services to the 32-bit code. AntoineL 08:45, 16 February 2007 (UTC)

Switching to long mode

According to [present version], for x64 versions the processor is switched to long mode just after the selection of the target OS, before loading NtOsKrnl, Hal and all the stuff. I believe the effective switch is done much later, after all the boot-time drivers are loaded and just before control is passed to the kernel bootstrap routine. Reason for that is that long mode and real mode are incompatible, and NTLDR still needs to switch into real mode to load everything using Bios. One can check for sure by trying to use NtBootDD.sys and scsi(x) instead of Bios: for this to work, you should not use the (x64) version used by the OS, but rather a i386 (that is, 32-bit) version of the SCSI miniport, the same you would use to load a 32-bit kernel.
This process is not adequately documented, so I cannot provide official sources, sorry. NT6 (Vista) is different here, but I do not know how it works exactly. Antoinel 09:49, 16 February 2007 (UTC)

Able to Boot over Software iSCSI initiator

http://www.youtube.com/watch?v=hBc9WePkliE

http://www.emboot.com —The preceding unsigned comment was added by 66.183.241.105 (talk) 06:30, 11 April 2007 (UTC).

Welcome screen

I think the Windows XP welcome screen needs to be mentioned in the winlogon section. The welcome screen has a different method for logging users in. the user clicks their name, then the system tried to log them in with no password; if that doesn't work, then it prompts for a password. It makes for messy audit logs :| --Tech Nerd 03:05, 14 July 2007 (UTC)

Sounds like it would make a nice addition to the article. Be bold. Also, please sign your comments with four tildes (~~~~) --Android Mouse 03:53, 13 July 2007 (UTC)

OK, I'll maybe add a separate section. And an image. Sorry about not signing; I always forget. --Tech Nerd 03:05, 14 July 2007 (UTC)

Load Order

Sysinternals had a great tool to see the order that devices are loaded on a win NT / 2k system.
http://www.microsoft.com/technet/sysinternals/Utilities/LoadOrder.mspx —Preceding unsigned comment added by 216.232.115.128 (talk) 22:38, 13 December 2007 (UTC)

Complete list of boot switches ?

The boot.ini switches link in the article (under "External links") points to a list which is incomplete. For example it is missing the switches /execute and /NOPAE , that are mentioned in the MS KB 900524. Does anyone know a comprehensive list of switches ? --Xerces8 (talk) 09:28, 26 April 2008 (UTC)

System Startup and Logon Processing Overview

The following attempts to document the order of processing the system and user policies following a system reboot and as part of the user logon:

1. Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming convention provider (MUP) start.
2. Where Active Directory is involved, an ordered list of GPOs is downloaded and applied. The list may include GPOs that:
   • Apply to the location of machines in a directory.
   • Apply only when settings have changed.
   • Depend on configuration of the scope of applicability: local, site, domain, organizational unit, and so on.
   • No desktop user interface is presented until the above have been processed.
3. Execution of startup scripts (hidden and synchronous by default).
4. A keyboard action to effect start of logon (Ctrl-Alt-Del).
5. User credentials are validated, user profile is loaded (depends on policy settings).
6. An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
   • Is the user a domain member, thus subject to particular policies?
   • Loopback enablement, and the state of the loopback policy (merge or replace).
   • Location of the Active Directory itself.
   • Has the list of GPOs changed? No processing is needed if not changed.
7. User policies are applied from Active Directory. Note: There are several types.
8. Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs (hidden and executed synchronously). NT4-style logon scripts are then run in a normal window.
9. The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4 domain), machine (system) policies are applied at startup; user policies are applied at logon.

Credit: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html#id436916 SNIa (talk) 03:50, 6 May 2008 (UTC)

LSA the same as lsass.exe?

I'm a bit confused by the Winlogon section. Firstly, it is stated that winlogon has changed significantly in Vista, then 3 points are displayed below. I believe these 3 points are detailing the process in XP and earlier OS's. I think the wording of the first paragraph should be changed to be clearer - on reading that paragraph I was expecting the 3 following points to detail the changes made in Vista. Also, a link to the differences of Winlogon in Vista would be appropriate if possible.

Secondly, step 2 states that "LSA determines which account database is to be used", then step 3 states that lsass.exe is started. Is the LSA mentioned in step 2 a separate entity to lsass.exe? If not then I assume winlogon creates lsass.exe in step 2, then passes the users credentials on to it?

Thirdly, below step 3 is a single floating dot point labelled "userinit.exe" that looks out of place. There is no other mention of userinit in the article, so maybe this was a stub left to remind the author to come back and talk further about it?59.167.119.53 (talk) 02:31, 30 November 2008 (UTC)

I have now updated the article to make these three changes (I wrote the above comment 'LSA the same as lsass.exe?' before I had a wikipedia account). In fact I have rearranged this section quite heavily. I believe this section of the article is clearer now. I still have not found any documents detailing the changes to winlogon in Vista though. Anyone?Gechurch (talk) 11:40, 10 January 2009 (UTC)

The operating system starts when certain basic drivers flagged as "Boot" are loaded into memory.

What does it mean to be "flagged as boot"? — Preceding unsigned comment added by 75.154.84.151 (talk) 06:48, 3 April 2013 (UTC)

no idea

I cant seem to find any good info via a normal installation of windows 7

gonna try winPE Bloctans (talk) 01:40, 8 November 2023 (UTC)

(using windows 7 as it is simpler then windows 10) Bloctans (talk) 01:41, 8 November 2023 (UTC)

External links modified

Hello fellow Wikipedians,

I have just added archive links to one external link on Windows NT startup process. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

• Added archive http://web.archive.org/web/20070311183615/http://www.microsoft.com:80/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_mdca.asp to http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_mdca.asp

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—^{cyberbot II}_{Talk to my owner:Online} 20:01, 29 February 2016 (UTC)

Move discussion in progress

There is a move discussion in progress on Talk:Booting process of Windows NT since Vista which affects this page. Please participate on that page and not in this talk page section. Thank you. —RMCD bot 22:46, 20 March 2023 (UTC)

Boot, System and AutoLoad Driver Flags

https://web.archive.org/web/20110514163940/http://support.microsoft.com/kb/103000 lists the meanings of values for boot drivers (hopefully hasn't changed since windows 7)

summary:

Each key in HKLM\System\CurrentControlSet\services has a value named Start

Value Data:

0x0 = Boot driver

0x1 = System driver

0x2 = Autoload Driver

0x3 = Load on demand driver

0x4 = Disabled driver

Hope this helps Bloctans (talk) 01:56, 8 November 2023 (UTC)