5. Kernel Loading Phase
The Windows Boot Loader is responsible for
loading the Windows kernel (Ntoskrnl.exe) and the hardware abstraction
layer (HAL) into memory. Together, the kernel and the HAL initialize a
group of software components that are called the Windows executive. The
Windows executive processes the configuration information stored in the
registry in HKLM\SYSTEM\CurrentControlSet, and starts services and
drivers.
The following sections provide more detail about the kernel loading phase.
Control Sets
The Windows Boot Loader reads control set
information from the registry key HKEY_LOCAL_MACHINE\SYSTEM, which is
stored in the file systemroot\system32\Config\System, so that the kernel
can determine which device drivers need to be loaded during startup.
Typically, several control sets exist, with the actual number depending
on how often system configuration settings change.
The HKEY_LOCAL_MACHINE\SYSTEM subkeys used during startup are:
\CurrentControlSet, a pointer to a ControlSetxxx subkey (where xxx represents a control set number, such as 001) designated in the \Select\Current value.
\Select, which contains the following entries:
Default
Points to the control set number (for example, 001=ControlSet001) that
the system has specified for use at the next startup. If no error or
manual invocation of the LastKnownGood startup option occurs, this
control set number is designated as the value of the Default, Current,
and LastKnownGood entries (assuming that a user is able to log on
successfully).
Current
Points to the last control set that was used to start the system.
Failed
Points to a control set that did not start Windows Vista successfully.
This value is updated when the LastKnownGood option is used to start the
system.
LastKnownGood
Points to the control set that was used during the last user session.
When a user logs on, the LastKnownGood control set is updated with
configuration information from the previous user session.
The Windows Boot Loader uses the control set
identified by the \Select\Default value unless you choose the Last Known
Good Configuration from the Advanced Boot Options menu.
The kernel creates the registry key
HKEY_LOCAL_MACHINE\HARDWARE, which contains the hardware data collected
at system startup. Windows Vista supports an extensive set of devices,
with additional drivers not on the Windows Vista operating system CD
provided by hardware manufacturers. Drivers are kernel-mode components
required by devices to function within an operating system. Services are
components that support operating system and application functions and
act as network servers. Services can run in a different context than
user applications and typically do not offer many user-configurable
options.
For example, the Print Spooler service does not
require a user to be logged on to run and functions independently of
the user who is logged on to the system. Drivers generally communicate
directly with hardware devices, while services usually communicate with
hardware through drivers. Windows Vista driver and service files are
typically stored in the systemroot\System32 and
systemroot\System32\Drivers folders and use .exe, .sys, or .dll filename
extensions.
Drivers are also services. Therefore, during
kernel initialization, the Windows Boot Loader and Ntoskrnl use the
information stored in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename registry subkeys to determine both the drivers and services to load. In the Servicename
subkeys, the entry Start specifies when to start the service. For
example, the Windows Boot Loader loads all drivers for which Start is 0,
such as device drivers for hard disk controllers. After execution is
transferred to the kernel, the kernel loads drivers and services for
which Start is 1.
Table 1
lists the values (in decimal) for the registry entry Start. Boot
drivers (those for which Start is 0) and file system drivers are always
loaded regardless of the value of Start because they are required to
start Windows Vista.
Table 1. Values for the Start Registry Entry
Value | Start type | Value descriptions for start entries |
---|---|---|
0 | Boot | Specifies a driver that is loaded (but not started) by the boot loader. If no errors occur, the driver is started during kernel initialization prior to any non-Boot drivers being loaded. |
1 | System | Specifies a driver that loads and starts during kernel initialization after drivers with a Start value of 0 have been started. |
2 | Auto load | Specifies a driver or service that is initialized at system startup by Session Manager (Smss.exe) or the Services Controller (Services.exe). |
3 | Load on demand | Specifies a driver or service that the SCM will start only on demand. These drivers have to be started manually by calling a Win32 SCM API, for example through the Services snap-in. |
4 | Disabled | Specifies a disabled (not started) driver or service. |
5 | Delayed start | A new start type that starts less critical services shortly after startup to allow the operating system to be responsive to the user sooner. |
Table 2 lists some of the values (in decimal) for the Type registry entry.
Table 2. Type Registry Values
Value | Value descriptions for type entries |
---|---|
1 | Specifies a kernel device driver. |
2 | Specifies a kernel mode file system driver (also a kernel device driver). |
4 | Specifies arguments passed to an adapter. |
8 | Specifies a file system driver such as a file system recognizer driver. |
16 | Specifies a service that obeys the service control protocol, runs within a process that hosts only one service, and can be started by the Services Controller. |
32 | Specifies a service that runs in a process that hosts multiple services. |
256 | Specifies a service that is allowed to display windows on the console and receive user input. |
Some drivers and services require that conditions, also known as dependencies,
be met. You can find dependencies listed under the DependOnGroup and
DependOnService entries in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename
subkey for each service or driver. The Services subkey also contains information that affects how drivers and services are loaded. Table 3 lists some of these other entries.
Table 3. Other Registry Entries in the Servicename Subkeys
Entry | Description |
---|---|
DependOnGroup | At least one item from this group must start before this service is loaded. |
DependOnService | Lists the specific services that must load before this service loads. |
DisplayName | Describes the component. |
ErrorControl | Controls whether a driver error requires the system to use the LastKnownGood control set or to display a Stop message. If the value is 0x0 (Ignore, no error is reported), do not display a warning and proceed with startup. If the value is 0x1 (Normal, error reported), record the event to the System Event Log and display a warning message, but proceed with startup. If the value is 0x2 (Severe), record the event to the System Event Log, use the LastKnownGood settings, restart the system, and proceed with startup. If the value is 0x3 (Critical), record the event to the System Event Log, use the LastKnownGood settings, and restart the system. If the LastKnownGood settings are already in use, display a Stop message. |
Group | Designates the group that the driver or service belongs to. This allows related drivers or services to start together (for example, file system drivers). The registry entry List in the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder specifies the group startup order. |
ImagePath | Identifies the path and filename of the driver or service if the ImagePath entry is present. |
ObjectName | Specifies an object name. If the Type entry specifies a service, it represents the account name that the service uses to log on when it runs. |
Tag | Designates the order in which a driver starts within a driver group. |
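The following PowerShell is an added example, not part of the original text. It resolves the \Select entries to control set names and lists the drivers with Start 0 or 1, decoding the Type and ErrorControl values from Tables 2 and 3, so you can review what kernel-mode code loads before any user logs on. The function names Get-ControlSetSelection and Get-EarlyLoadDriver are illustrative.

```powershell
# Added example, not from the original text. Function names are illustrative.
$StartNames = @{ 0 = 'Boot'; 1 = 'System' }
$ErrorNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }
# Type is a bit field, so 272 (16 + 256) decodes to two flags.
$TypeFlags  = @{
    1 = 'Kernel device driver';  2 = 'File system driver'
    4 = 'Adapter arguments';     8 = 'File system recognizer'
    16 = 'Own-process service';  32 = 'Shared-process service'
    256 = 'Interactive'
}

function Get-ControlSetSelection {
    # \Select stores control set numbers: 1 refers to ControlSet001.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    foreach ($entry in 'Default', 'Current', 'Failed', 'LastKnownGood') {
        $n = [int]$sel.$entry
        [pscustomobject]@{
            Entry      = $entry
            ControlSet = if ($n -gt 0) { 'ControlSet{0:D3}' -f $n } else { '(none)' }
        }
    }
}

function Get-EarlyLoadDriver {
    param([string]$ControlSet = 'CurrentControlSet')
    $services = "HKLM:\SYSTEM\$ControlSet\Services"
    foreach ($key in Get-ChildItem -Path $services -ErrorAction SilentlyContinue) {
        $start = $key.GetValue('Start')
        $type  = $key.GetValue('Type')
        # Keep only Start 0 (boot loader) and Start 1 (kernel initialization).
        if ($null -eq $start -or $null -eq $type -or [int]$start -gt 1) { continue }
        $flags  = $TypeFlags.Keys | Sort-Object | Where-Object { [int]$type -band $_ }
        $errCtl = $key.GetValue('ErrorControl')
        [pscustomobject]@{
            Name         = $key.PSChildName
            Start        = $StartNames[[int]$start]
            Type         = ($flags | ForEach-Object { $TypeFlags[$_] }) -join ', '
            ErrorControl = if ($null -ne $errCtl) { $ErrorNames[[int]$errCtl] }
            Group        = $key.GetValue('Group')
            Tag          = $key.GetValue('Tag')
            ImagePath    = $key.GetValue('ImagePath')   # may be absent
        }
    }
}

Get-ControlSetSelection | Format-Table -AutoSize
Get-EarlyLoadDriver | Sort-Object Start, Group, Tag | Format-Table -AutoSize
```

Pass -ControlSet ControlSet001 (or another numbered set) to compare the LastKnownGood set against the current one.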
Session Manager
After all entries that have Boot and Startup
data types are processed, the kernel starts the Session Manager
(Smss.exe), a user process that continues to run until the operating
system is shut down. The Session Manager performs important
initialization functions, such as:
Creating system environment variables.
Starting the kernel-mode portion of the Win32 subsystem (implemented by systemroot\system32\Win32k.sys), which causes Windows Vista to switch from text (used to display the Windows Boot Manager menu) to graphics mode (used to display the startup progress bar). Windows-based applications run in the Windows subsystem. This environment allows applications to access operating system functions, such as displaying information to the screen.
Starting the user-mode portion of the Win32 subsystem (implemented by systemroot\system32\Csrss.exe). The applications that use the Windows subsystem are user mode processes; they do not have direct access to hardware or device drivers. Instead, they have to access Windows APIs to gain indirect access to hardware. This allows Windows to control direct hardware access, improving security and reliability. User-mode processes run at a lower priority than kernel-mode processes. When the operating system needs more memory, it can page to disk the memory used by user-mode processes.
Starting the Logon Manager (systemroot\system32\Winlogon.exe).
Creating additional virtual memory paging files.
Performing delayed rename operations for files specified by the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. For example, you might be prompted to restart the computer after installing a new driver or application so that Windows Vista can replace files that are currently in use.
Session Manager searches the registry for service information contained in the following subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager contains a list of commands to run before loading services. The Autochk.exe tool is specified by the value of the registry entry BootExecute, and virtual memory (paging file) settings are stored in the Memory Management subkey. Autochk, which is a version of the Chkdsk tool, runs at startup if the operating system detects a file system problem that requires repair before completing the startup process.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems stores a list of available subsystems. For example, Csrss.exe contains the user-mode portion of the Windows subsystem.
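The following PowerShell is an added example, not part of the original text. It shows what Session Manager is set to run or rename at the next startup by listing the BootExecute commands and decoding PendingFileRenameOperations into source and destination pairs. The function names are illustrative, and the comparison string is the stock BootExecute value on a default installation.

```powershell
# Added example, not from the original text. Function names are illustrative.
$SmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function ConvertFrom-PendingRename {
    # Entries come in (source, destination) pairs. An empty destination
    # means the source file is deleted instead of renamed.
    param([string[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        [pscustomobject]@{
            Action      = if ($dst) { 'Rename' } else { 'Delete' }
            # Paths are stored with a leading \??\ prefix; strip it for display.
            Source      = $Entries[$i] -replace '^\\\?\?\\', ''
            # A leading "!" on the destination requests overwrite of an existing file.
            Destination = $dst -replace '^!?\\\?\?\\', ''
        }
    }
}

function Get-BootExecuteEntry {
    # 'autocheck autochk *' is the stock value on a default installation.
    $value = (Get-ItemProperty -Path $SmKey).BootExecute
    foreach ($cmd in @($value | Where-Object { $_ })) {
        [pscustomobject]@{
            Command        = $cmd
            IsStockAutochk = ($cmd -eq 'autocheck autochk *')
        }
    }
}

Get-BootExecuteEntry | Format-Table -AutoSize
$pending = (Get-ItemProperty -Path $SmKey).PendingFileRenameOperations
ConvertFrom-PendingRename -Entries $pending | Format-Table -AutoSize
```

Any BootExecute command other than the stock Autochk entry runs before services load, so it deserves a check against the software installed on the machine.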
If startup fails during the kernel loading
phase after another operating system was installed on the computer, the
cause of the problem is likely an incompatible boot loader. Boot loaders
installed by older versions of Windows cannot be used to start Windows
Vista. Use System Recovery to replace startup files with Windows Vista
startup files.
Otherwise, if startup fails during the kernel
loading phase, use boot logging to isolate the failing component. Then
use safe mode to disable problematic components (if possible) or use
System Recovery to replace problematic files.
6. Logon Phase
The Windows subsystem starts Winlogon.exe, a
system service that enables logging on and off. Winlogon.exe then does
the following:
Starts the Services subsystem (Services.exe), also known as the Service Control Manager (SCM). The Service Control Manager initializes services that the registry entry Start designates as Autoload in the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename.
Starts the Local Security Authority (LSA) process (Lsass.exe).
Parses the Ctrl+Alt+Delete key combination at the Begin Logon prompt (if the computer is part of an Active Directory domain).
The logon user interface (LogonUI) component and the credential provider (which can be the standard credential provider or a third-party credential provider) collect the user name and password (or other credentials) and pass this information securely to the LSA for authentication. If the user supplied valid credentials, access is granted by using either the default Kerberos V5 authentication protocol or NTLM.
Winlogon initializes security and authentication
components while Plug and Play initializes auto-load services and
drivers. After the user logs on, the control set referenced by the
registry entry LastKnownGood (located in HKLM\SYSTEM\Select) is updated
with the contents in the CurrentControlSet subkey. By default, Winlogon
then launches Userinit.exe and the Windows Explorer shell. Userinit may
then launch other processes, including:
Group Policy settings take effect
Group Policy settings that apply to the user and computer take effect.
Startup programs run
When not overridden by Group Policy settings, Windows Vista starts
logon scripts, startup programs, and services referenced in the
following registry subkeys and file system folders:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup
systemdrive\Documents and Settings\username\Start Menu\Programs\Startup
Several
applications might be configured to start by default after you install
Windows Vista, including the Microsoft Windows Sidebar and Windows
Defender. Computer manufacturers or IT departments might configure other
startup applications.
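The following PowerShell is an added example, not part of the original text. It enumerates the six registry locations listed above and returns every startup command found, so the result can be compared against a known-good baseline. It covers the registry locations only, not the Startup folders, and it also handles the case where a listed path names a value under its parent key rather than a subkey. The function name Get-LogonAutostart is illustrative.

```powershell
# Added example, not from the original text. Function name is illustrative.
$AutostartPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-LogonAutostart {
    foreach ($path in $AutostartPaths) {
        if (Test-Path -LiteralPath $path) {
            # The path is a key: each value under it is one startup command.
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Location = $path
                    Name     = $name
                    Command  = $key.GetValue($name)
                }
            }
        } else {
            # The last path component may be a value under the parent key.
            $parent = Split-Path -Path $path -Parent
            $leaf   = Split-Path -Path $path -Leaf
            $item   = Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue
            if ($item.$leaf) {
                [pscustomobject]@{ Location = $parent; Name = $leaf; Command = $item.$leaf }
            }
        }
    }
}

Get-LogonAutostart | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

The HKEY_CURRENT_USER locations are read for the account that runs the script, so run it in each user's session or load that user's hive to cover other accounts.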
Windows Vista startup is not complete until a user successfully logs on to the computer.