Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
EPL Standings
Windows Vista

Configuring Startup and Troubleshooting Startup Issues : Understanding the Startup Process (part 3) - Kernel Loading Phase

6/12/2013 11:35:44 AM

5. Kernel Loading Phase

The Windows Boot Loader is responsible for loading the Windows kernel (Ntoskrnl.exe) and the hardware abstraction layer (HAL) into memory. Together, the kernel and the HAL initialize a group of software components that are called the Windows executive. The Windows executive processes the configuration information stored in the registry in HKLM\SYSTEM\CurrentControlSet, and starts services and drivers.

The following sections provide more detail about the kernel loading phase.

Control Sets

The Windows Boot Loader reads control set information from the registry key HKEY_LOCAL_MACHINE\SYSTEM, which is stored in the file systemroot\system32\Config\System, so that the kernel can determine which device drivers need to be loaded during startup. Typically, several control sets exist, with the actual number depending on how often system configuration settings change.

The HKEY_LOCAL_MACHINE\SYSTEM subkeys used during startup are:

  • \CurrentControlSet, a pointer to a ControlSetxxx subkey (where xxx represents a control set number, such as 001) designated in the \Select\Current value.

  • \Select, which contains the following entries:

    • Default Points to the control set number (for example, 001=ControlSet001) that the system has specified for use at the next startup. If no error or manual invocation of the LastKnownGood startup option occurs, this control set number is designated as the value of the Default, Current, and LastKnownGood entries (assuming that a user is able to log on successfully).

    • Current Points to the last control set that was used to start the system.

    • Failed Points to a control set that did not start Windows Vista successfully. This value is updated when the LastKnownGood option is used to start the system.

    • LastKnownGood Points to the control set that was used during the last user session. When a user logs on, the LastKnownGood control set is updated with configuration information from the previous user session.

The Windows Boot Loader uses the control set identified by the \Select\Default value unless you choose the Last Known Good Configuration from the Advanced Boot Options menu.

The kernel creates the registry key HKEY_LOCAL_MACHINE\HARDWARE, which contains the hardware data collected at system startup. Windows Vista supports an extensive set of devices, with additional drivers not on the Windows Vista operating system CD provided by hardware manufacturers. Drivers are kernel-mode components required by devices to function within an operating system. Services are components that support operating system and application functions and act as network servers. Services can run in a different context than user applications and typically do not offer many user-configurable options.

For example, the Print Spooler service does not require a user to be logged on to run and functions independently of the user who is logged on to the system. Drivers generally communicate directly with hardware devices, while services usually communicate with hardware through drivers. Windows Vista driver and service files are typically stored in the systemroot\System32 and systemroot\System32\Drivers folders and use .exe, .sys, or .dll filename extensions.

Drivers are also services. Therefore, during kernel initialization, the Windows Boot Loader and Ntoskrnl use the information stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename registry subkeys to determine both the drivers and services to load. In the Servicename subkeys, the entry Start specifies when to start the service. For example, the Windows Boot Loader loads all drivers for which Start is 0, such as device drivers for hard disk controllers. After execution is transferred to the kernel, the kernel loads drivers and services for which Start is 1.

Table 1 lists the values (in decimal) for the registry entry Start. Boot drivers (those for which Start is 0) and file system drivers are always loaded regardless of the value of Start because they are required to start Windows Vista.

Table 1. Values for the Start Registry Entry
ValueStart typeValue descriptions for start entries
0BootSpecifies a driver that is loaded (but not started) by the boot loader. If no errors occur, the driver is started during kernel initialization prior to any non-Boot drivers being loaded.
1SystemSpecifies a driver that loads and starts during kernel initialization after drivers with a Start value of 0 have been started.
2Auto loadSpecifies a driver or service that is initialized at system startup by Session Manager (Smss.exe) or the Services Controller (Services.exe).
3Load on demandSpecifies a driver or service that the SCM will start only on demand. These drivers have to be started manually by calling a Win32 SCM API such as the Services snap-in.
4DisabledSpecifies a disabled (not started) driver or service.
5Delayed startA new start type that starts less critical services shortly after startup to allow the operating system to be responsive to the user sooner.

Table 2 lists some of the values (in decimal) for the Type registry entry.

Table 2. Type Registry Values
ValueValue descriptions for type entries
1Specifies a kernel device driver.
2Specifies a kernel mode file system driver (also a kernel device driver).
4Specifies arguments passed to an adapter.
8Specifies a file system driver such as a file system recognizer driver.
16Specifies a service that obeys the service control protocol, runs within a process that hosts only one service, and can be started by the Services Controller.
32Specifies a service that runs in a process that hosts multiple services.
256Specifies a service that is allowed to display windows on the console and receive user input.

Some drivers and services require that conditions, also known as dependencies, be met. You can find dependencies listed under the DependOnGroup and DependOnService entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename subkey for each service or driver. The Services subkey also contains information that affects how drivers and services are loaded. Table 3 lists some of these other entries.

Table 3. Other Registry Entries in the Servicename Subkeys
DependOnGroupAt least one item from this group must start before this service is loaded.
DependOnServiceLists the specific services that must load before this service loads.
DisplayNameDescribes the component.
ErrorControlControls whether a driver error requires the system to use the LastKnownGood control set or to display a Stop message.

If the value is 0x0 (Ignore, no error is reported), do not display a warning and proceed with startup.

If the value is 0x1 (Normal, error reported), record the event to the System Event Log and display a warning message, but proceed with startup.

If the value is 0x2 (Severe), record the event to the System Event Log, use the LastKnownGood settings, restart the system, and proceed with startup.

If the value is 0x3 (Critical), record the event to the System Event Log, use the LastKnownGood settings, and restart the system. If the LastKnownGood settings are already in use, display a Stop message.
GroupDesignates the group that the driver or service belongs to. This allows related drivers or services to start together (for example, file system drivers). The registry entry List in the subkey HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\ServiceGroupOrder specifies the group startup order.
ImagePathIdentifies the path and filename of the driver or service if the ImagePath entry is present.
ObjectNameSpecifies an object name. If the Type entry specifies a service, it represents the account name that the service uses to log on when it runs.
TagDesignates the order in which a driver starts within a driver group.

Session Manager

After all entries that have Boot and Startup data types are processed, the kernel starts the Session Manager (Smss.exe), a user process that continues to run until the operating system is shut down. The Session Manager performs important initialization functions, such as:

  • Creating system environment variables.

  • Starting the kernel-mode portion of the Win32 subsystem (implemented by systemroot\system32\Win32k.sys), which causes Windows Vista to switch from text (used to display the Windows Boot Manager menu) to graphics mode (used to display the startup progress bar). Windows-based applications run in the Windows subsystem. This environment allows applications to access operating system functions, such as displaying information to the screen.

  • Starting the user-mode portion of the Win32 subsystem (implemented by systemroot\system32\Csrss.exe). The applications that use the Windows subsystem are user mode processes; they do not have direct access to hardware or device drivers. Instead, they have to access Windows APIs to gain indirect access to hardware. This allows Windows to control direct hardware access, improving security and reliability. User-mode processes run at a lower priority than kernel-mode processes. When the operating system needs more memory, it can page to disk the memory used by user-mode processes.

  • Starting the Logon Manager (systemroot\system32\Winlogon.exe).

  • Creating additional virtual memory paging files.

  • Performing delayed rename operations for files specified by the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. For example, you might be prompted to restart the computer after installing a new driver or application so that Windows Vista can replace files that are currently in use.

Session Manager searches the registry for service information contained in the following subkeys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager contains a list of commands to run before loading services. The Autochk.exe tool is specified by the value of the registry entry BootExecute and virtual memory (paging file) settings stored in the Memory Management subkey. Autochk, which is a version of the Chkdsk tool, runs at startup if the operating system detects a file system problem that requires repair before completing the startup process.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems stores a list of available subsystems. For example, Csrss.exe contains the user-mode portion of the Windows subsystem.

If startup fails during the kernel loading phase after another operating system was installed on the computer, the cause of the problem is likely an incompatible boot loader. Boot loaders installed by older versions of Windows cannot be used to start Windows Vista. Use System Recovery to replace startup files with Windows Vista startup files.

Otherwise, if startup fails during the kernel loading phase, use boot logging to isolate the failing component. Then use safe mode to disable problematic components (if possible) or use System Recovery to replace problematic files.

6. Logon Phase

The Windows subsystem starts Winlogon.exe, a system service that enables logging on and off. Winlogon.exe then does the following:

  • Starts the Services subsystem (Services.exe), also known as the Service Control Manager (SCM). The Service Controller Manager initializes services that the registry entry Start designates as Autoload in the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename

  • Starts the Local Security Authority (LSA) process (Lsass.exe).

  • Parses the Ctrl+Alt+Delete key combination at the Begin Logon prompt (if the computer is part of an Active Directory domain).

The logon user interface (LogonUI) component and the credential provider (which can be the standard credential provider or a third-party credential provider) collects the user name and password (or other credentials) and passes this information securely to the LSA for authentication. If the user supplied valid credentials, access is granted by using either the default Kerberos V 5 authentication protocol or NTLM.

Winlogon initializes security and authentication components while Plug and Play initializes auto-load services and drivers. After the user logs on, the control set referenced by the registry entry LastKnownGood (located in HKLM\SYSTEM\Select) is updated with the contents in the CurrentControlSet subkey. By default, Winlogon then launches Userinit.exe and the Windows Explorer shell. Userinit may then launch other processes, including:

  • Group Policy settings take effect Group Policy settings that apply to the user and computer take effect.

  • Startup programs run When not overridden by Group Policy settings, Windows Vista starts logon scripts, startup programs, and services referenced in the following registry subkeys and file system folders:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Runonce

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \policies\Explorer\Run

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Run

    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion \Windows\Run

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \RunOnce

    • systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup

    • systemdrive\Documents and Settings\username\Start Menu\Programs\Startup

    Several applications might be configured to start by default after you install Windows Vista, including the Microsoft Windows Sidebar and Windows Defender. Computer manufacturers or IT departments might configure other startup applications.

Windows Vista startup is not complete until a user successfully logs on to the computer.

Other -----------------
- Participating in Internet Newsgroups : Setting Up a News Account, Working with Newsgroups in Windows Mail
- Participating in Internet Newsgroups : Some Usenet Basics
- Configuring Startup and Troubleshooting Startup Issues : What’s New with Windows Vista Startup
- Managing Client Protection : Microsoft Forefront Client Security
- Managing Client Protection : Using Windows Defender (part 2)
- Managing Client Protection : Using Windows Defender (part 1)
- Securing the Workstation : Beginning with Basic Security
- Managing Client Protection : User Account Control (part 4) - How to Configure User Account Control
- Managing Client Protection : User Account Control (part 3) - UAC Virtualization, UAC and Startup Programs, Compatibility Problems with UAC
- Managing Client Protection : User Account Control (part 2) - UAC User Interface, How Windows Vista Determines Whether an Application Needs Administrative Privileges
- Managing Client Protection : User Account Control (part 1) - UAC for Standard Users, UAC for Administrators
- Maintaining Desktop Health : Using Task Scheduler (part 5) - Scheduled Tasks Events, Troubleshooting Task Scheduler
- Maintaining Desktop Health : Using Task Scheduler (part 4) - Managing Tasks
- Maintaining Desktop Health : Using Task Scheduler (part 3) - Creating New Tasks
- Maintaining Desktop Health : Using Task Scheduler (part 2) - Task Scheduler Security, Task Scheduler User Interface
- Maintaining Desktop Health : Using Task Scheduler (part 1) - Task Scheduler Architecture
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 4) - Using the Problem Reports And Solutions Control Panel
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 3) - Architecture of Windows Error Reporting, Configuring Windows Error Reporting
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 2) - Conceptual Components
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 1) - Error Reporting Cycle, Report Data Overview
Most view of day
- Workflow in Dynamics AX 2009 : Workflow Architecture
- SQL Server 2012 : XML and the Relational Database - Querying XML Data Using XQuery (part 1) - Understanding XQuery Expressions and XPath
- Windows Phone 7 : The Silverlight Controls (part 6) - Interactive Controls - ApplicationBar Controls
- Developing Disk Images : Configuring the Lab Distribution Share (part 3) - Adding Packages
- Programming Drivers for the User Mode Driver Framework : Functions for COM Support
- Adobe Dreamweaver CS5 : Using Java Applets
- BizTalk Server 2010 : Installation of WCF SAP Adapter (part 4) - IDOC Deep Dive, Building a BizTalk application — Sending IDOC
- Integrating BizTalk Server 2010 and Microsoft Dynamics CRM : Communicating from Dynamics CRM to BizTalk Server (part 1) - Setup
- Windows Server 2012 : Enabling and disabling the graphical interface in Hyper-V
- Microsoft Lync Server 2013 : Office 365 and Lync Online - Experiencing Lync Online
Top 10
- Windows Server 2012 : DHCP,IPv6 and IPAM - Exploring DHCP (part 3) - Creating IPv4 DHCP Scopes
- Windows Server 2012 : DHCP,IPv6 and IPAM - Exploring DHCP (part 2) - Installing DHCP Server and Server Tools
- Windows Server 2012 : DHCP,IPv6 and IPAM - Exploring DHCP (part 1)
- Windows Server 2012 : DHCP,IPv6 and IPAM - Understanding the Components of an Enterprise Network
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 3) - Translating Text with the Mini Translator
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 2) - Translating a Word or Phrase with the Research Pane
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 1) - Setting Options for the Research Task Pane, Searching with the Research Task Pane
- Microsoft OneNote 2010 : Doing Research with Linked Notes (part 2) - Ending a Linked Notes Session, Viewing Linked Notes
- Microsoft OneNote 2010 : Doing Research with Linked Notes (part 1) - Beginning a Linked Notes Session
- Microsoft OneNote 2010 : Doing Research with Side Notes (part 3) - Moving Side Notes to Your Existing Notes
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro