Windows Boot process

Windows NT startup process starts when the computer finds a Windows boot loader, a portion of Windows operating system responsible for finding Microsoft Windows and starting it up. On IA-32 or x64 systems, the boot loader is called Windows Boot Manager (BOOTMGR).

 Prior to Windows Vista however, the boot loader was NTLDR. Microsoft has also released operating systems for Intel Itanium processors which use IA-64 architecture. The boot loader of these editions of Windows is IA64ldr.efi (later referred as simply IA64ldr). It is an Extensible Firmware Interface (EFI) program

 

 

 

• BIOS: performs Power On Self Test (POST)
• BIOS: BIOS Bootstrapping loads MBR from the boot device specified/selected by the BIOS

• MBR: contains a small amount of code that reads the partition table, the first partition marked as active is determined to be the system volume
• MBR: loads the boot sector from the system volume

• BOOT SECTOR: reads the root directory of the system volume at loads NTLDR

  

 A boot sector or boot block is a region of a hard disk, floppy disk, optical disc, or other data storage device that contains machine code to be loaded into random-access memory (RAM) by a computer system's built-in firmware. The purpose of a boot sector is to allow the boot process of a computer to load a program (usually, but not necessarily, an operating system) stored on the same storage device.

 

• NTLDR: reads BOOT.INI from the system volume to determine the boot drive (presenting a menu if more than 1 entry is defined)

• NTLDR: loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection

• NTLDR: loads NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot (Windows) volume

• NTLDR: loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System

• NTLDR: loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE

• NTOSKRNL.EXE: brings up the loading splash screen and initializes the kernel subsystem

• NTOSKRNL.EXE: starts the boot-start drivers and then loads & starts the system-start drivers

• NTOSKRNL.EXE: creates the Session Manager process (SMSS.EXE)

• SMSS.EXE: runs any programs specified in BootExecute (e.g. AUTOCHK, the native API version of CHKDSK)

• SMSS.EXE: processes any delayed move/rename operations from hotfixes/service packs replacing in-use system files

• SMSS.EXE: initializes the paging file(s) and the remaining registry hives

 

** before this step completes, bugchecks will not result in a memory dump as we need a working page file on the boot (Windows) volume **

• SMSS.EXE: starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS)
• SMSS.EXE: starts the user-mode portion of the Win32 subsystem (CSRSS.EXE)
• SMSS.EXE: starts WINLOGON.EXE

• WINLOGON.EXE: starts the Local Security Authority (LSASS.EXE)

• WINLOGON.EXE: loads the Graphical User Identification and Authentication DLL (MSGINA.DLL by default)

• WINLOGON.EXE: displays the logon window

• WINLOGON.EXE: starts the services controller (SERVICES.EXE)

** at this point users can logon **

 

• SERVICES.EXE: starts all services markes as automatic

 

NOTES:

 
The SYSTEM volume is the partition from which the boot process starts, containing the MBR, boot sector, NTLDR, NTDETECT.COM & BOOT.INI

The BOOT volume is the partition which contains the Windows folder - this can be a logical partition

 

Example 1:
2 hard disks, 0 and 1
Disk 0, partition 0 is the SYSTEM volume
Windows is installed to "D:" which is disk 1, partition 0 [even if disk 0 has an extended & logical partitions] - this is the BOOT volume
- if either disk fails or is removed, Windows cannot boot


Example 2:
1 hard disk, 2 partitions
Disk 0, partition 0 is the SYSTEM volume
Disk 0, partition 1 is the BOOT volume [D:]
- add another disk to the system and create a partition on it, this becomes D: and Windows will not boot [disk 0, partition 1 now becomes E:]

 

Disk partitioning

Disk partitioning is the act of dividing a hard disk drive (HDD) into multiple logical storage units referred to as partitions, to treat one physical disk drive as if it were multiple disks, so that different filesystems can be used on each partition.

 

 

 

 

Primary partition

 A primary partition contains one file system. In DOS and all versions of Microsoft Windows systems, what Microsoft calls the system partition was required to be the first partition. All Windows operating systems from Windows 95 onwards can be located on ( almost ) any partition, but the boot files (io.sys, bootmgr, ntldr, etc.) must be on a primary partition.

 

Extended partition

An HDD may contain only one extended partition; the extended partition can be subdivided into multiple logical partitions. In DOS/Windows systems, each logical partition may then be assigned an additional drive letter.

 

Benefits of multiple partitions

Creating more than one partition has the following advantages:

• Separation of the operating system (OS) and program files from user files. This allows image backups (or clones) to be made of only the operating system and installed software.
• Having a separate area for operating system virtual memory swapping/paging.
• Keeping frequently used programs and data near each other.
• Having cache and log files separate from other files. These can change size dynamically and rapidly, potentially making a file system full.
• Use of multi-boot setups, which allow users to have more than one operating system on a single computer. For example, one could install Linux, BSD, Mac OS X, Microsoft Windows or other operating systems on different partitions of the same HDD and have a choice of booting into any compatible operating system at power-up.
• Protecting or isolating files, to make it easier to recover a corrupted file system or operating system installation. If one partition is corrupted, other file systems may not be affected.