Windows XP Boot Process
All computers running Windows XP Professional have the same startup sequence:
• Power-on self test (POST) phase
• Initial startup phase
• Boot loader phase
• Detect and configure hardware phase
• Kernel loading phase
• Logon phase

Power-On Self Test
As soon as you turn on a computer, its central processing unit (CPU) begins to carry out the programming instructions contained in the basic input/output system (BIOS). The BIOS, which is a type of firmware, contains the processor-dependent code that starts the computer. The first set of startup instructions is the power-on self test (POST). The POST is responsible for the following system and diagnostic functions:
• Checks basic hardware components, such as memory and the keyboard
• Verifies that the devices needed to start an operating system, such as a hard disk, are present
• Retrieves system configuration settings from non-volatile complementary metal-oxide semiconductor (CMOS) memory, which is located on the motherboard

Initial Startup Phase
• After the POST, the settings that are stored in CMOS memory, such as boot order, determine the devices that the computer can use to start an operating system. This is usually the hard disk, but it can be a floppy disk or a CD-ROM. When a startup device is found, the computer locates and executes the master boot record (MBR).
• The MBR is responsible for locating and then initializing the boot sector on the active partition.

Boot Loader Phase
• Ntldr loads startup files from the boot partition and then does the following:

Sets an x86-based processor to run in 32-bit flat memory mode
• An x86-based computer first starts in real mode. In real mode, the processor disables certain features to allow compatibility with software designed to run on 8-bit and 16-bit processors. Ntldr then switches the processor to 32-bit mode, which allows access to large amounts of memory and enables Windows XP Professional to start.

Starts the file system
• Ntldr contains the program code that Windows XP Professional needs to read and write to disks formatted by using the NTFS or file allocation table (FAT16 or FAT32) file systems.

Reads the Boot.ini file
• Ntldr reads the contents of the Boot.ini file to determine whether the computer has a dual-boot configuration. If so, the contents of Boot.ini are displayed on screen so that the user can choose an operating system to load. This menu is displayed for 30 seconds by default. If the user does not make a choice before the 30 seconds expire, the default operating system is loaded. The default operating system is the system located at the top of the menu, and is usually the latest Windows XP operating system to have been installed. If the computer is not configured for dual-boot (that is, Windows XP is the only operating system installed), the Boot.ini contents are not displayed and the Windows XP system is loaded automatically.
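
The Boot.ini decision described above, as an added example that is not part of the original page: it parses a Boot.ini and reports whether the menu would be shown, the timeout, and the default entry with its switches, which is what an administrator or examiner reads off the file. The sample file contents are constructed, and the function names are hypothetical.

```python
# Constructed sample; the ARC paths and labels are illustrative.
SAMPLE_BOOT_INI = r'''
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
'''

def parse_boot_ini(text):
    """Return timeout, default path and a list of (path, label, switches)."""
    cfg = {"timeout": 30, "default": None, "entries": []}  # 30 s when unset
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue                      # blank or malformed line
        if section == "boot loader":
            if key.lower() == "timeout" and value.isdigit():
                cfg["timeout"] = int(value)
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            # value looks like: "Menu label" /switch1 /switch2
            label, switches = value, []
            if value.startswith('"') and '"' in value[1:]:
                end = value.index('"', 1)
                label, switches = value[1:end], value[end + 1:].split()
            cfg["entries"].append((key, label, switches))
    return cfg

def boot_plan(cfg):
    """Menu for several entries, automatic load when there is only one."""
    entries = cfg["entries"]
    if not entries:
        raise ValueError("Boot.ini lists no operating systems")
    wanted = (cfg["default"] or "").lower()
    # Fall back to the entry at the top of the menu if default= matches nothing.
    default = next((e for e in entries if e[0].lower() == wanted), entries[0])
    return {"show_menu": len(entries) > 1,
            "timeout": cfg["timeout"],
            "default_label": default[1],
            "default_switches": default[2]}
```
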
Detects hardware and hardware profiles
• Ntldr starts Ntdetect.com, a program that performs basic device detection. Ntldr then passes Boot.ini information, as well as hardware and software data in the registry, to Ntoskrnl.exe. Ntdetect.com detects hardware profile information (for example, docked and undocked configurations for portable computers).

Detect and Configure Hardware Phase
• After processing the Boot.ini file, Ntldr starts Ntdetect.com. Ntdetect.com collects information about installed hardware by using calls to system firmware routines. Ntdetect.com then passes this information back to Ntldr. Ntldr gathers the data received from Ntdetect.com and organizes the information into internal data structures. Ntldr then starts Ntoskrnl.exe and provides it with information obtained from Ntdetect.com.
• Ntdetect.com collects the following types of hardware and device information:
  • System firmware information, such as time and date
  • Bus and adapter types
  • Video adapters
  • Keyboard
  • Communication ports
  • Disks
  • Floppy disks
  • Input devices (such as mouse devices)
  • Parallel ports
  • Devices installed on the Industry Standard Architecture (ISA) bus
During this phase, Ntdetect.com searches for hardware profile information. Windows XP Professional creates a single default profile for desktop computers and creates two default profiles for portable computers. For portable computers, the operating system selects the appropriate profile based on the hardware state of the computer:
• Desktop computer
  - Profile 1
• Portable computer
  - Docked Profile
  - Undocked Profile

Kernel Loading Phase
• Ntldr is responsible for loading the Windows kernel (Ntoskrnl.exe) and the hardware abstraction layer (HAL) into memory.

Control sets
• Ntldr reads control set information from the HKEY_LOCAL_MACHINE\SYSTEM registry key, which is created from information in the systemroot\System32\Config\System file, so that Ntldr can determine which device drivers need to be loaded during startup.
The kernel uses the internal data structures provided by Ntldr to create the HKEY_LOCAL_MACHINE\HARDWARE key, which contains the hardware data collected at system startup. The data includes information about various hardware components and system resources allocated to each device.
• Drivers are kernel-mode components required by devices to function within an operating system. Services are components that support operating system functions and applications. Services can run in a different context than user applications and typically do not offer many user-configurable options. Services, such as the Print Spooler, do not require a user to be logged on to run and act independently of the user who is logged on to the system. Windows XP Professional driver and service files are typically stored in the systemroot\System32 and systemroot\System32\Drivers folders and use .exe, .sys, or .dll file name extensions.
• Drivers are also services. Therefore, during kernel initialization, Ntldr and Ntoskrnl.exe use the information stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename registry subkeys to determine both the drivers and services to load. For example, Ntldr searches the Services subkey for drivers with a Start value of 0, such as hard disk controllers. After Ntldr starts Ntoskrnl.exe, an Ntoskrnl.exe component searches for and starts drivers, such as network protocols
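
The Start-value lookup described above, as an added example that is not part of the original page: it reads a registry export of the Services key, lists the drivers with a Start value of 0 (the ones Ntldr loads), and flags any whose image file is not under systemroot\System32\Drivers, the folder the page names as the usual location. The export text is constructed and simplified, "exampledrv" is a hypothetical driver name, and the function names are hypothetical.

```python
import re

# Constructed sample in regedit-export style (simplified: ImagePath shown as a
# plain string). "exampledrv" is a hypothetical driver name.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"Start"=dword:00000000
"ImagePath"="System32\\DRIVERS\\atapi.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
"ImagePath"="System32\\DRIVERS\\tcpip.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"Start"=dword:00000000
"ImagePath"="\\??\\C:\\Temp\\exampledrv.sys"
'''

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)

def parse_services(text):
    """Map each service name to its values (dwords as int, strings unescaped)."""
    services, name = {}, None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            name = m.group(1)
            services[name] = {}
        elif line.startswith("["):
            name = None                      # subkey or unrelated key: ignore
        elif name and "=" in line:
            key, value = line.split("=", 1)
            if value.startswith("dword:"):
                services[name][key.strip('"')] = int(value[6:], 16)
            else:
                services[name][key.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return services

def driver_path(name, values):
    """Lower-cased image path, relative to systemroot where possible."""
    path = values.get("ImagePath", f"System32\\Drivers\\{name}.sys").lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path

def boot_start_audit(services):
    """Return (boot-start names, those not under systemroot\\System32\\Drivers)."""
    boot = sorted(n for n, v in services.items() if v.get("Start") == 0)
    odd = [n for n in boot
           if not driver_path(n, services[n]).startswith("system32\\drivers\\")]
    return boot, odd
```
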

Logon Phase
The Windows subsystem starts Winlogon.exe, a system service that enables logging on and off. Winlogon.exe then does the following:
• Starts the Services subsystem (Services.exe), also known as the Service Control Manager (SCM).
• Starts the Local Security Authority (LSA) process (Lsass.exe).
• Parses the Ctrl+Alt+Del key combination at the Begin Logon prompt.
The Graphical Identification and Authentication (GINA) component collects the user name and password, and passes this information securely to the LSA for authentication. If the user supplied valid credentials, access is granted by using either the Kerberos V5 authentication protocol or NTLM.