Windows Boot Sequence

  1. Turn on your computer;
  2. The Computer initiates a POST (Power On Self Test) for devices that have a BIOS (Basic Input/Output System);
    • Test the memory & various Subsystems
      • Examples: AGP and Network cards
  3. BIOS then attempts to find the MBR (Master Boot Record)
    • A 512-byte sector (LBA 0 or HD0)
  4. If successful, the Windows OS takes control and looks for NTLDR (the boot loader for Windows NT-based OSes)
    1. In Vista and Server 2008, this has been replaced with:
    2. NTLDR allows:
      1. Memory Addressing
      2. Initiates the File System
      3. Reads boot.ini
    3. NTLDR has to be at the ROOT of an active partition to detect:
      1. NTDETECT.COM
      2. BOOT.INI
      3. BOOTSECT.DOS (needed for multi-OS installs)
      4. NTBOOTDD.SYS (needed for SCSI adapters)
        • Only used if:
          • Boot Drive is SCSI;
          • Not using real-mode INT 0x13;
        • Then a copy of the SCSI miniport driver is loaded for Windows to run
      5. Troubleshooting:
  5. If XP is selected in the Boot Menu, NTLDR runs:
    1. NTDETECT.COM
      • Gathers basic information from the hardware BIOS
    2. BOOT.INI
    3. BOOTSECT.DOS
    4. The system starts in 16-bit real mode, and then moves into 32-bit protected mode
    5. It is possible to select F8 for Additional Boot Modes (Safe Mode, Last Known Good Configuration, etc.)
  6. NTLDR then loads NTOSKRNL.EXE and HAL.DLL
    1. Located at: %SystemRoot%\System32
    2. Additional files/locations loaded:
      1. kdcom.dll (Kernel Debugger HW)
      2. bootvid.dll (Windows Logo & Side-Scrolling bar)
  7. NTLDR reads the Registry for the following information:
    1. Hardware Profile
    2. Authorized Device Drivers
    3. And needs to be in the Exact Order
  8. “Session Manager” is then started
    1. Smss.exe starts Autochk
      1. Mounts all drives
      2. Checks drives for a Clean shutdown state
    2. Starts win32k.sys for the Graphical User Interface (GUI)
    3. Starts csrss.exe (Client/Server Runtime Subsystem)
      1. User-Mode Applications
    4. Creates Virtual Memory/Paging file
      1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  9. NTOSKRNL.EXE takes control and starts WINLOGON.EXE which in turn starts LSASS.EXE
    1. LSASS.EXE (Local Security Authority Subsystem Service) provides the Logon screen

– Andrew