16-01-2006, 07:18 PM   #3
Paul Adams
MSFT
=====================================================================
2. The "boot" process from a hard disk
=====================================================================
As the most common boot process takes place from a hard disk, this is what I shall focus on.

A hard disk has a Master Boot Record (MBR) stored on its first sector; the master boot code examines the master partition table for an extended partition, and if it finds one it begins to recursively examine the extended partition table to find all logical partitions (they are chained, so the chain must be followed to its end).

Once all of the extended partition information is resolved, the master boot code attempts to load the partition boot sector of the primary partition that is marked as "active" (there can be only one marked active at any time) - if there are no such partitions (and no further bootable devices are found) then an error is presented indicating that the system is not bootable.

The active primary partition will have a pointer to NTLDR (the NT Loader) which is the first tangible thing a user can see if they were to browse the disk.

Up until now the only disk services available have been provided by the "INT 13" BIOS interface, just enough to be able to locate, load and execute the boot sector, which has the ability to understand the Windows file systems on the partitions on the system just enough to load NTLDR.
Also, the system has been running in "real mode", which means no virtual-to-physical memory addressing can take place, and only the first 1MiB of memory is addressable.

NTLDR switches to "protected mode" (allows all physical memory to be addressed), enables paging (virtualisation of memory addresses) and opens C:\BOOT.INI (this file cannot reside elsewhere) to find a list of operating system options.

While Windows Vista supports the NTLDR boot loader, its default is a new type of boot loader which does not rely on BOOT.INI (in fact this file is ignored).
The boot loader type can be changed by using the tool "fixntfs".
Protected mode with paging enabled is the mode in which Windows executes normal operation.

If there is just one operating system and one entry in BOOT.INI, no menu is presented by default.
In the event of a dual-boot (or even multi-boot) setup there will be more than one entry in BOOT.INI, each entry pointing to a disk/partition/folder where the operating system resides, with one marked as default.

An example BOOT.INI entry:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional x64 Edition" /fastdetect /NoExecute=OptOut

In the event that a legacy (Win9x) Windows operating system is selected from NTLDR, BOOTSECT.DOS is loaded, which contains the original boot sector for Windows 95/98/ME.

There are many documented switches available for boot options in BOOT.INI - the most common are probably /3GB and /DEBUG (I will touch on these later).
There can only be 1 "non NT" operating system in the boot loader menu, and there is a limit of 10 options in total.

If a version of Windows is already installed on a system and a Windows installation is started again then this second version can be installed to any partition with room - BOOT.INI will get amended automatically to add this new boot option to the list.

Another key file on the system partition is NTDETECT.COM which collects system information during the boot, and some systems using SCSI devices may have NTBOOTDD.SYS which contains a SCSI driver.

Notes on 64-bit Windows
Some versions of Windows are 64-bit and as such require a more recent version of NTLDR (to allow 64-bit protected mode), so if you install Windows XP x64 Edition first and follow it with an installation of Windows XP (32-bit) then the first installation will not be bootable as the NTLDR will be regressed to the version which only understands 32-bit versions of the kernel.

The 64-bit NTLDR & NTDETECT are backwards-compatible, so they are able to boot either a 32-bit or 64-bit version of Windows, and it is safe to install a 64-bit version after a 32-bit version.

In the event where a system becomes unbootable, it could be:
- BOOT.INI needs fixing to remove invalid entries (maybe a second Windows installation was removed by just formatting its partition)
- the MBR needs repairing (see the above note, or a legacy or non-Windows OS overwrote it)
- essential boot files are missing or corrupt (disk corruption, virus or other OS possibly to blame)

To recover a system that has lost its boot options but the Windows folders appear to be present, the best option is to boot from the Windows installation CD/DVD - from there you can choose a repair installation, or go into the Recovery Console and run one or more of the repair tools FIXBOOT, FIXMBR or BOOTCFG.

Based on the outcome of processing BOOT.INI, NTLDR then performs the following actions:
- loads HAL.DLL (the kernel-mode DLL which interfaces NTOSKRNL and drivers with the hardware: HAL = "Hardware Abstraction Layer")
- loads BOOTVID.DLL
- loads boot-start device drivers
- loads NTOSKRNL.EXE (the kernel - initializes the executive subsystems and boot and system-start drivers, and runs SMSS.EXE)

NTOSKRNL.EXE also contains the Windows loading splash screen which some people like to hack to change but can be a risky business.

SMSS.EXE is the Session Manager SubSystem; it loads the Windows subsystem, including WIN32K.SYS and CSRSS.EXE, and starts WINLOGON.EXE.
- WIN32K.SYS is the kernel mode part of the Windows subsystem
- CSRSS is the "Client Server Runtime Subsystem Service", the user-mode part of the Windows subsystem
- WINLOGON starts the Service Control Manager (SCM), Local Security Authority Subsystem Service (LSASS) and presents the authentication prompt

SMSS, CSRSS and WINLOGON can be seen as running processes in Task Manager - if the "session 0" instance of any of these processes is terminated, Windows will reboot as they are absolutely vital.

WINLOGON is what intercepts the "Secure Attention Sequence" (SAS) - you know this as "CTRL ALT DELETE".
If there is no user logged on currently then the logon prompt is presented.
If there is a user logged on and the Welcome Screen is used, then the Task Manager appears.
If there is a user logged on and the "classic logon" method is used, then "Windows Security" appears, with options such as changing the password and locking the workstation.

It is a security feature to ensure that no other process can ever intercept that key combination, and you are really authenticating to Windows and not a keylogging program written by someone else.

If a system is configured in the BIOS to boot from a CD/DVD drive before a hard disk, and you happen to have a Windows NT 4.0 CD in the drive, then Windows Setup will launch from there rather than your Windows installation booting as normal.
This has caused me many "what the hell?!?" moments after reconfiguring the OS by installing something from the CD that requires a restart.

But how can this be prevented?
If the BIOS checks the CD and sees it is bootable, it will boot off it.

With Windows 2000 onwards the CD/DVD still gets booted, however the bootstrap now checks the hard disks for bootable primary partitions and if it finds one it presents the message "Press any key to boot from CD...".
If the user does not press a key within a few seconds, then the boot loader loads the boot code from the hard disk, rather than continuing to boot from the CD.

Of course, if there is no bootable primary partition then the CD will control the entire boot sequence.

If the computer is a member of a domain, then the client now checks for group policies with computer configuration settings applicable to it, and any scripts under the following location are executed (even if a user does not log on):
Computer Configuration / Windows Settings / Scripts / Startup
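As an added example (not part of the post above), here is a small Python checker for the BOOT.INI layout the post describes: it parses the ARC-path entries and flags the conditions the post lists (more than 10 entries, more than one non-NT entry, or a default that no longer points at an existing entry, as happens when a second installation's partition is formatted). The sample BOOT.INI, the second installation and the Win9x entry are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample BOOT.INI: the post's example entry plus a hypothetical
# second (32-bit) installation and a hypothetical legacy Win9x entry.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Professional x64 Edition" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows XP Professional" /fastdetect
C:\\="Microsoft Windows 98"
"""

# ARC path: multi/scsi(N)disk(N)rdisk(N)partition(N)\folder - an NT-style entry.
ARC_PATH = re.compile(r"^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^\s=]*$")
# One [operating systems] line: path="Display name" [switches...]
ENTRY = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')

def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return ([boot loader] keys, list of OS entries with path/name/switches/nt flag)."""
    section, loader, systems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY.match(line)
            if m:
                systems.append({"path": m["path"], "name": m["name"],
                                "switches": m["switches"].split(),
                                "nt": bool(ARC_PATH.match(m["path"]))})
    return loader, systems

def check_boot_ini(text: str) -> List[str]:
    """Flag the configuration problems the post mentions (limits, stale default)."""
    loader, systems = parse_boot_ini(text)
    problems = []
    if len(systems) > 10:
        problems.append("more than 10 entries")
    if sum(not s["nt"] for s in systems) > 1:
        problems.append("more than one non-NT entry")
    if loader.get("default") not in {s["path"] for s in systems}:
        problems.append("default does not match any entry")
    return problems
```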