To diagnose and correct a startup problem, you need to understand what occurs during startup. Figure 1 provides a high-level overview of the different paths startup can take. The normal startup sequence for Windows 7 is: Power-on self test (POST) phase. Initial startup phase. Windows Boot Manager phase. Windows Boot Loader phase. Kernel loading phase. Logon phase.
This
sequence will vary if the computer is resuming from hibernation or if a
non–Windows 7 option is selected during the Windows Boot Manager phase.
The following sections describe the phases of a normal startup process in more detail. As
soon as you turn on a computer, its processor begins to carry out the
programming instructions contained in the BIOS or EFI. The BIOS and EFI,
which are types of firmware, contain the processor-dependent code that
starts the computer regardless of the operating system installed. The
first set of startup instructions is the POST, which is responsible for
the following system and diagnostic functions: Performs initial hardware checks, such as determining the amount of memory present Verifies that the devices needed to start an operating system, such as a hard disk, are present Retrieves system configuration settings from nonvolatile memory, which is located on the motherboard
The
contents of the nonvolatile memory remain even after you shut down the
computer. Examples of hardware settings stored in the nonvolatile memory
include device boot order and Plug and Play (PnP) information. After
the motherboard POST completes, add-on adapters that have their own
firmware (for example, video and hard drive controllers) carry out
internal diagnostic tests. If startup fails before or during POST,
your computer is experiencing a hardware failure. Generally, the BIOS
or EFI displays an error message that indicates the nature of the
problem. If video is not functioning correctly, the BIOS or EFI usually
indicates the nature of the failure with a series of beeps. To
access and change system and peripheral firmware settings, consult the
system documentation provided by the manufacturer. After
the POST, computers must find and load the Windows Boot Manager. Older
BIOS computers and newer EFI computers do this slightly differently, as
the following sections describe. Initial Startup Phase for BIOS ComputersAfter
the POST, the settings that are stored in the nonvolatile memory, such
as boot order, determine the devices that the computer can use to start
an operating system. In addition to floppy disks or hard disks attached
to Advanced Technology Attachment (ATA), Serial ATA, and small computer
system interface (SCSI) controllers, computers can typically start an
operating system from other devices, such as the following: It
is possible to specify a custom boot order, such as CDROM, Floppy, Hard
Disk. When you specify CDROM, Floppy, Hard Disk as a boot order, the
following events occur at startup: The
computer searches the CD-ROM for bootable media. If a bootable CD or
DVD is present, the computer uses the media as the startup device.
Otherwise, the computer searches the next device in the boot order. You
cannot use a non-bootable CD or DVD to start your system. The presence
of a non-bootable CD or DVD in the CD-ROM drive can add to the time the
system requires to start. If you do not intend to start the computer
from CD, remove all CDs from the CD-ROM drive before restarting. The
computer searches the floppy disk for bootable media. If a bootable
floppy is present, the computer uses the floppy disk as the startup
device and loads the first sector (sector 0, the floppy disk boot
sector) into memory. Otherwise, the computer searches the next device in
the boot order or displays an error message. The
computer uses the hard disk as the startup device. The computer
typically uses the hard disk as the startup device only when the CD-ROM
drive and the floppy disk drive are empty.
There
are exceptions in which code on bootable media transfers control to the
hard disk. For example, when you start your system by using the bootable
Windows DVD, Windows Setup checks the hard disk for Windows
installations. If one is found, you have the option of bypassing DVD
startup by not responding to the Press Any Key To Boot From CD Or DVD
prompt that appears. This prompt is actually displayed by the startup
program located on the Windows DVD, not by your computer's hardware. If
startup fails during the initial startup phase, you are experiencing a
problem with the BIOS configuration, the disk subsystem, or the file
system. The following error message is common during this phase. It
indicates that none of the configured bootable media types was available. Non-system disk or disk error
Replace and press any key when ready If you changed the disk
configuration recently, verify that all cables are properly connected
and jumpers are correctly configured. If booting from the hard disk,
verify that all removable media have been removed. If booting from a CD
or DVD, verify that the BIOS is configured to start from the CD or DVD
and that the Windows medium is present. If the disk subsystem and BIOS
are configured correctly, the problem may be related to the file system. If you boot from the hard disk, the computer reads the boot
code instructions located on the MBR. The MBR is the first sector of
data on the startup hard disk. The MBR contains instructions (called boot code) and a table (called a partition table)
that identify primary and extended partitions. The BIOS reads the MBR
into memory and transfers control to the code in the MBR. The computer then searches the partition table for the active partition, also known as a bootable partition. The first sector of the active partition contains boot code that enables the computer to do the following: Read the contents of the file system used. Locate
and start a 16-bit stub program (Bootmgr) in the root directory of the
boot volume. This stub program switches the processor into 32- or 64-bit
Protected mode and loads the 32- or 64-bit Windows Boot Manager, which
is stored in the same Bootmgr file. After the Windows Boot Manager
loads, startup is identical for both BIOS and EFI computers.
NoteThe
stub program is necessary because 32-bit and 64-bit computers first
start in Real mode. In Real mode, the processor disables certain
features to allow compatibility with software designed to run on 8-bit
and 16-bit processors. The Windows Boot Manager is 32-bit or 64-bit,
however, so the stub program sets up the BIOS computer to run the 32-bit
or 64-bit software properly. If an active partition does
not exist or if boot sector information is missing or corrupt, a message
similar to any of the following might appear: If
an active partition is successfully located, the code in the boot
sector locates and starts Windows Boot Loader (WinLoad) and the BIOS
transfers execution to it. Initial Startup Phase for EFI ComputersStartup
for EFI computers initially differs from startup for BIOS computers.
EFI computers have a built-in boot manager that enables the computer's
hardware to choose from multiple operating systems based on user input.
When you install Windows 7 on an EFI computer, Windows adds a single
entry to the EFI boot manager with the title Windows Boot Manager. This
entry points to the \Efi\Microsoft\Boot\Bootmgfw.efi 32-bit or 64-bit
EFI executable program—the Windows Boot Manager. This is the same
Windows Boot Manager that is eventually loaded on BIOS-based computers.
Windows configures the EFI boot manager to display the EFI startup menu
for only 2 seconds and then load the Windows Boot Manager by default to
minimize complexity and startup time. If
you install a different operating system or manually change the EFI
boot manager settings, EFI might no longer load the Windows Boot
Manager. To resolve this problem, use the Startup Repair tool. Alternatively, you might be able to update the
EFI boot manager settings manually using your computer's built-in EFI
tools. For more information about configuring EFI, consult your
computer's documentation. Windows Boot Manager PhaseThe
Windows Boot Manager is capable of natively reading supported file
systems, and it uses that capability to parse the BCD registry file
without fully loading the file system. For
computers that have a single operating system, Windows Boot Manager
never displays a user interface. It does, however, wait for a few
moments to allow the user to press a key to display the standard boot
menu, as shown in Figure 2, or to press F8 to choose Advanced Boot Options, as shown in Figure 3.
If the user does not press a key within a few seconds of POST
completing, Windows Boot Manager starts the Windows Boot Loader, which
in turn starts Windows 7. For
computers with multiple operating systems installed (such as both
Windows 7 and Windows XP), Windows Boot Manager displays a menu of
operating system choices at startup. Depending on what you choose,
Windows Boot Manager will start a different process: If you choose Windows Vista or Windows 7, Windows Boot Manager starts the Windows Boot Loader to open Windows. If
you choose Earlier Version Of Windows or another entry for Windows
Server 2003, Windows XP Professional, Microsoft Windows 2000, or
Microsoft Windows NT 4.0, Windows Boot Manager starts Ntldr, which then
proceeds with the hardware detection phase. If you select another operating system, control is passed to the boot sector for the other operating system. If
you choose Windows Memory Diagnostic by pressing the Tab key, Windows
Boot Manager starts the diagnostic tool without first opening Windows.
Windows Boot Loader PhaseThe
Windows Boot Manager starts the Windows Boot Loader phase when the user
chooses to load Windows Vista or Windows 7. The Windows Boot Loader
does the following: Loads the operating system kernel, Ntoskrnl.exe, but does not yet run it. Loads the Hardware Abstraction Layer (HAL), Hal.dll. This will not be used until the kernel is run. Loads the system registry hive (System32\Config\System) into memory. Scans
the HKEY_LOCAL_MACHINE\SYSTEM\Services key for device drivers and loads
all drivers that are configured for the boot class into memory. The
Windows Boot Loader does not, however, initiate the drivers. Drivers are
not initiated until the kernel loading phase. Enables paging. Passes control to the operating system kernel, which starts the next phase.
The
Windows Boot Loader is responsible for loading the Windows kernel
(Ntoskrnl.exe) and the HAL into memory. Together, the kernel and the HAL
initialize a group of software features that are called the Windows executive.
The Windows executive processes the configuration information stored in
the registry in HKLM\SYSTEM\CurrentControlSet and starts services and
drivers. The following sections provide more detail about the kernel
loading phase. The
Windows Boot Loader reads control set information from the registry key
HKEY_LOCAL_MACHINE\SYSTEM, which is stored in the file
%SystemRoot%\System32\Config\System, so that the kernel can determine
which device drivers need to be loaded during startup. Typically,
several control sets exist, with the actual number depending on how
often system configuration settings change. The HKEY_LOCAL_MACHINE\SYSTEM subkeys used during startup are: \CurrentControlSet, a pointer to a ControlSetxxx subkey (where xxx represents a control set number, such as 001) designated in the \Select\Current value. \Select, which contains the following entries: Default
Points to the control set number (for example, 001=ControlSet001) that
the system has specified for use at the next startup. If no error or
manual invocation of the LastKnownGood startup option occurs, this
control set number is designated as the value of the Default, Current,
and LastKnownGood entries (assuming that a user is able to log on
successfully). Current Points to the last control set that was used to start the system. Failed
Points to a control set that did not start Windows Vista successfully.
This value is updated when the LastKnownGood option is used to start the
system. LastKnownGood
Points to the control set that was used during the last user session.
When a user logs on, the LastKnownGood control set is updated with
configuration information from the previous user session.
The
Windows Boot Loader uses the control set identified by the
\Select\Default value unless you choose the Last Known Good
Configuration from the Advanced Boot Options menu. The kernel
creates the registry key HKEY_LOCAL_MACHINE\HARDWARE, which contains
the hardware data collected at system startup. Windows supports an
extensive set of devices, with additional drivers not on the Windows
operating system DVD provided by hardware manufacturers. Drivers are
kernel-mode features required by devices to function within an operating
system. Services are features that support operating system and
application functions and act as network servers. Services can run in a
different context than user applications and typically do not offer many
user-configurable options. For example, the Print Spooler service
does not require a user to be logged on to run and functions
independently of the user who is logged on to the system. Drivers
generally communicate directly with hardware devices, whereas services
usually communicate with hardware through drivers. Driver and service
files are typically stored in the %SystemRoot%\System32 and
%SystemRoot%\System32\Drivers folders and use .exe, .sys, or .dll file
name extensions. Drivers are also services. Therefore, during
kernel initialization, the Windows Boot Loader and Ntoskrnl use the
information stored in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename registry subkeys to determine both the drivers and services to load. In the Servicename
subkeys, the Start entry specifies when to start the service. For
example, the Windows Boot Loader loads all drivers for which Start is 0,
such as device drivers for hard disk controllers. After execution is
transferred to the kernel, the kernel loads drivers and services for
which Start is 1. Table 1
lists the values (in decimal) for the registry entry Start. Boot
drivers (those for which Start is 0) and file system drivers are always
loaded regardless of the value of Start because they are required to
start Windows. Table 1. Values for the Start Registry Entry VALUE | START TYPE | VALUE DESCRIPTIONS FOR START ENTRIES |
---|
0 | Boot | Specifies a driver that is loaded (but not started) by the boot loader. If no errors occur, the driver is started during kernel initialization prior to any non-boot drivers being loaded. | 1 | System | Specifies a driver that loads and starts during kernel initialization after drivers with a Start value of 0 have been started. | 2 | Auto load | Specifies a driver or service that is initialized at system startup by Session Manager (Smss.exe) or the Services Controller (Services.exe). | 3 | Load on demand | Specifies a driver or service that the Service Control Manager (SCM)
will start only on demand. These drivers have to be started manually by
calling a Win32 SCM application programming interface (API), such as
the Services snap-in. | 4 | Disabled | Specifies a disabled (not started) driver or service. | 5 | Delayed start | Specifies
that less-critical services will start shortly after startup to allow
the operating system to be responsive to the user sooner. This start
type was first introduced in Windows Vista. |
Table 2 lists some of the values (in decimal) for the Type registry entry. Table 2. Type Registry Values VALUE | VALUE DESCRIPTIONS FOR TYPE ENTRIES |
---|
1 | Specifies a kernel device driver | 2 | Specifies a kernel-mode file system driver (also a kernel device driver) | 4 | Specifies arguments passed to an adapter | 8 | Specifies a file system driver, such as a file system recognizer driver | 16 | Specifies
a service that obeys the service control protocol, runs within a
process that hosts only one service, and can be started by the Services
Controller | 32 | Specifies a service that runs in a process that hosts multiple services | 256 | Specifies a service that is allowed to display windows on the console and receive user input |
Some drivers and services require that conditions, also known as dependencies,
be met. You can find dependencies listed under the DependOnGroup and
DependOnService entries in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename
subkey for each service or driver. The Services subkey also contains information that affects how drivers and services are loaded. Table 3 lists some of these other entries. Table 3. Other Registry Entries in the Servicename Subkeys ENTRY | DESCRIPTION |
---|
DependOnGroup | At least one item from this group must start before this service is loaded. | DependOnService | Lists the specific services that must load before this service loads. | DisplayName | Describes the feature. | ErrorControl | Controls whether a driver error requires the system to use the LastKnownGood control set or to display a Stop message.
If the value is 0x0 (Ignore, No Error Is Reported), it does not display a warning and proceeds with startup.
If the value is 0x1 (Normal, Error Reported), it records the event to
the System Event Log and displays a warning message but proceeds with
startup.
If the value is 0x2 (Severe), it records the event to the System
Event Log, uses the LastKnownGood settings, restarts the system, and
proceeds with startup.
If the value is 0x3 (Critical), it records the event to the System
Event Log, uses the LastKnownGood settings, and restarts the system. If
the LastKnownGood settings are already in use, it displays a Stop
message. | Group | Designates
the group that the driver or service belongs to. This allows related
drivers or services to start together (for example, file system
drivers). The registry entry List in the subkey
HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\ServiceGroupOrder
specifies the group startup order. | ImagePath | Identifies the path and file name of the driver or service if the ImagePath entry is present. | ObjectName | Specifies an object name. If the Type entry specifies a service, it represents the account name that the service uses to log on when it runs. | Tag | Designates the order in which a driver starts within a driver group. |
After
all entries that have Boot and Startup data types are processed, the
kernel starts the Session Manager (Smss.exe), a user process that
continues to run until the operating system is shut down. The Session
Manager performs important initialization functions, such as: Creating system environment variables. Starting
the kernel-mode portion of the Win32 subsystem (implemented by
%SystemRoot%\System32\Win32k.sys), which causes Windows to switch from
text mode (used to display the Windows Boot Manager menu) to graphics
mode (used to display the Starting Windows logo). Windows-based
applications run in the Windows subsystem. This environment allows
applications to access operating system functions, such as displaying
information to the screen. Starting
the user-mode portion of the Win32 subsystem (implemented by
%SystemRoot%\System32\Csrss.exe). The applications that use the Windows
subsystem are user-mode processes; they do not have direct access to
hardware or device drivers. Instead, they have to access Windows APIs to
gain indirect access to hardware. This allows Windows to control direct
hardware access, improving security and reliability. User-mode
processes run at a lower priority than kernel-mode processes. When the
operating system needs more memory, it can page to disk the memory used
by user-mode processes. Starting the Logon Manager (%SystemRoot%\System32\Winlogon.exe). Creating additional virtual memory paging files. Performing
delayed rename operations for files specified by the registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\PendingFileRenameOperations. For example, you might be prompted
to restart the computer after installing a new driver or application so
that Windows can replace files that are currently in use.
Session Manager searches the registry for service information contained in the following subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager contains a list of commands to run before loading services. The
Autochk.exe tool is specified by the value of the registry entry
BootExecute and virtual memory (paging file) settings stored in the
Memory Management subkey. Autochk, which is a version of the Chkdsk
tool, runs at startup if the operating system detects a file system
problem that requires repair before completing the startup process. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems stores a list of available subsystems. For example,
Csrss.exe contains the user-mode portion of the Windows subsystem.
If startup fails during the kernel
loading phase after another operating system was installed on the
computer, the cause of the problem is likely an incompatible boot
loader. Boot loaders installed by versions of Windows prior to Windows
Vista cannot be used to start Windows Vista or Windows 7. Use System
Recovery to replace startup files with Windows startup files. Otherwise, if startup fails during the kernel
loading phase, use boot logging to isolate the failing feature. Then
use safe mode to disable problematic features (if possible) or use
System Recovery to replace problematic files. The
Windows subsystem starts Winlogon.exe, a system service that enables
you to log on and log off. Winlogon.exe then does the following: Starts
the Services subsystem (Services.exe), also known as the SCM. The SCM
initializes services that the registry entry Start designates as
Autoload in the registry subkey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename. Starts the Local Security Authority (LSA) process (Lsass.exe). Parses the Ctrl+Alt+Delete key combination at the Begin Logon prompt (if the computer is part of an AD DS domain).
The
logon user interface (LogonUI) feature and the credential provider
(which can be the standard credential provider or a third-party
credential provider) collect the user name and password (or other
credentials) and pass this information securely to the LSA for
authentication. If the user supplied valid credentials, access is
granted by using either the default Kerberos V 5 authentication protocol
or Windows NT LAN Manager (NTLM). Winlogon
initializes security and authentication features while PnP initializes
auto-load services and drivers. After the user logs on, the control set
referenced by the registry entry LastKnownGood (located in
HKLM\SYSTEM\Select) is updated with the contents in the
CurrentControlSet subkey. By default, Winlogon then starts Userinit.exe
and the Windows Explorer shell. Userinit may then start other processes,
including: Group Policy settings take effect Group Policy settings that apply to the user and computer take effect. Startup programs run
When not overridden by Group Policy settings, Windows starts logon
scripts, startup programs, and services referenced in the following
registry subkeys and file system folders: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup SystemDrive\Documents and Settings\username\Start Menu\Programs\Startup
Several
applications might be configured to start by default after you install
Windows, including Windows Defender. Computer manufacturers or IT
departments might configure other startup applications. Windows startup is not complete until a user successfully logs on to the computer. If startup fails during the logon
phase, you have a problem with a service or application configured to
start automatically.
|