Windows NT Technical Support

Chapter 17

The Windows NT Boot Process

 

In this chapter we’ll take a look at the mysteries of the computer’s startup sequence and the NT bootup process.  We’ll see how it’s supposed to work, and some of the things that can go wrong too.

 

Overview of the Windows NT Boot Process

 

When a Windows NT computer starts up, it goes through five “phases”:

  1. The POST (power on self test)
  2. The Initial Startup Process
  3. The “Boot Loader” Process
  4. The “Boot Sequence”
  5. The “Load Phase”

 

The processes are a little different between x86 type computers and RISC (mostly Alpha AXP processor) computers.  I will focus on the Intel x86 computers, although you might come into contact with RISC computers in the future, so keep the location of this material in mind in case you need to look it up.

 

What are the required files in order to boot up successfully?

  1. Ntldr
  2. Boot.ini
  3. Bootsect.dos
  4. Ntdetect.com
  5. Ntbootdd.sys (only seen when you have a SCSI disk controller and the onboard BIOS is turned off)

 

What are these files for?

  1. Ntldr
    This file starts up the loading of the operating system (the “system files”)
  2. Boot.ini
    This file is used to build the “boot loader” menu that you see when you start the computer and are given the choice of the operating system you want to start up.
  3. Bootsect.dos
    If you are going to start an operating system that is “based on DOS”, then you’ll need to load the old boot sector, which is stored in the Bootsect.dos file.  Examples of such operating systems would be DOS, Win 3.x, Win95, or OS/2 version 1.x and 2.x
  4. Ntdetect.com
    This file is a program which examines all the hardware of the computer during the start up process.  It passes its findings to Ntldr, and then Ntldr passes the findings to the registry.
  5. Ntbootdd.sys
    You only see this file if you have a computer that has a SCSI drive controller and the controller’s onboard BIOS is turned off.
  6. Ntoskrnl.exe
    This is the NT “kernel” file.  This is the “core” file for Windows NT, and contains the most important, basic operating system instructions for the entire Windows NT environment.  If the Kernel gets whacked, you have NO operating system.
  7. System
    The System file is actually one of the registry files.  It controls which device drivers load and which services are supposed to be started.
  8. Device Drivers
    The device drivers are responsible for making sure that all the hardware in the computer can talk to the operating system.  If you don’t have a device driver for your hardware, then the operating system can’t talk to the hardware.  If the OS can’t talk to the hardware, the hardware won’t work.

 

The Windows NT Boot Sequence

First, what happens before the Windows NT Boot sequence?

  1. The POST (power on self test) begins.  This is a test the computer puts itself through during startup, where it follows the instructions in the System BIOS.  You see this when you start the computer and see the results of the POST findings in a chart on startup.  It checks to see what type of processor is running, how many and how large are the hard drives, how much memory is in the computer, and it also checks the integrity of the memory.
  2. The boot disk is located.  The Master Boot Record on that disk is read and loaded into memory, and a program in the MBR is run.
  3. The MBR program locates the Partition Boot Record (a list of the partitions on the hard drive(s) in your computer).  It can tell from looking at this list which of the partitions is the Primary, Active partition.  Then it loads the boot sector from the Primary Active Partition.
  4. Ntldr is loaded and initialized from the boot sector

 

The NT Boot Sequence begins after the loading of Ntldr into memory

  1. First thing Ntldr does is switch the processor into “protected” mode.  In protected mode the processor will use a “flat” memory address space, unlike the divisions of memory we saw in DOS with the low, upper, and high memory address spaces.
  2. Ntldr loads “mini” file system drivers, like for ntfs.sys or fastfat.sys, in order to read files on either NTFS or FAT partitions
  3. If there is a boot.ini file, it will read this file and build a boot menu so that you can choose which operating system you want to start up.
  4. Ntldr now starts to load the operating system.  This will either be the OS that you choose from the boot menu, or the default entry in the boot.ini file.
    NOTE:  If you don’t choose NT as your operating system, the Bootsect.dos file is loaded and Ntldr will pass control of the machine to the operating system you chose.
  5. If you have selected an NT operating system, Ntdetect.com will run next.  Ntdetect.com will look at all of the hardware devices on the machine, and pass its findings back to Ntldr. Then, Ntldr will tell the registry of these findings.
  6. Ntldr finally loads the Ntoskrnl.exe, Hal.dll, and the System “hive” (registry key)
    Ntldr scans the System registry key and loads device drivers.  When Ntoskrnl.exe runs, the boot process completes, and the LOAD process begins.

 

The Windows NT Load Phase

After completing the boot sequence, we are now ready for loading the operating system.  The loading of the NT operating system is called the “load phase”.

 

The Load Phase has five steps:

  1. Kernel Load (HAL is loaded)
  2. Kernel Initialization
  3. Services Load
  4. Win32 Subsystem starts
  5. User Logs On

 

Kernel Load Phase

During the Kernel Load Phase, the ntoskrnl.exe is loaded, and then the HAL is loaded, and finally the system hive is loaded.  The system hive contains information regarding which drivers and services should be started.  This is taking place while you’re watching the “black dot screen”.  If you want to see which drivers are actually loading, you can put the /sos switch at the end of the OS line for the particular operating system in the boot.ini file.

 

Kernel Initialization phase

During this phase, the loaded drivers and services are initialized (started).  This is the “blue dot screen”.  The CurrentControlSet is saved (a “control set” is a list of device drivers and services to load).  The registry hardware list is created during this phase as well.

 

Error Control Values

What happens if one of the drivers is bad and doesn’t load or initialize correctly?  Sometimes you can start the computer, and sometimes you’re stuck with the dreaded BSOD with no one to hear your screams.  Well, what happens is determined by an “error control value” given to each driver.  Depending on the error control level assigned to the driver, you might be able to start the computer or not:

  1. 0x0 = Ignore
    If the driver has this error control level, the boot sequence will just ignore the error, and continue loading the operating system.
  2. 0x1 = Normal
    An error message is displayed, but the boot sequence will ignore the error and proceed.
  3. 0x2 = Severe
    Not Good.  The boot sequence will fail, and will start up the “last known good” control set.  If you are already using the last known good control set to start up, the error will be ignored and the boot sequence will continue.
  4. 0x3 = Critical
    The boot sequence will fail, and will start the last known good configuration.  However, if you’re already using the last known good configuration, the boot sequence will stop and you get a BSOD.
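
The four levels and the Last Known Good fallback, worked through as a small simulation. This is an added example, not part of the original chapter; the driver names and control sets are constructed, and the function names are hypothetical.

```python
# ErrorControl levels as listed above.
IGNORE, NORMAL, SEVERE, CRITICAL = 0x0, 0x1, 0x2, 0x3

def load_control_set(drivers, using_lkg):
    """Walk one control set. drivers is a list of (name, error_control, loads_ok).
    Returns (outcome, log) with outcome 'continue', 'retry_lkg' or 'stop'."""
    log = []
    for name, level, loads_ok in drivers:
        if loads_ok:
            continue
        if level == IGNORE:
            log.append(f"{name}: failure ignored")
        elif level == NORMAL:
            log.append(f"{name}: error message displayed, boot proceeds")
        elif not using_lkg:       # Severe or Critical on the default control set
            log.append(f"{name}: boot fails, restarting with Last Known Good")
            return "retry_lkg", log
        elif level == SEVERE:     # already on Last Known Good
            log.append(f"{name}: severe, already on Last Known Good, ignored")
        else:                     # Critical while already on Last Known Good
            log.append(f"{name}: critical on Last Known Good, boot stops (BSOD)")
            return "stop", log
    return "continue", log

def boot(default_set, lkg_set):
    """Return (outcome, control_set_used, log) for a full startup attempt."""
    outcome, log = load_control_set(default_set, using_lkg=False)
    used = "Default"
    if outcome == "retry_lkg":
        used = "LastKnownGood"
        outcome, more = load_control_set(lkg_set, using_lkg=True)
        log += more
    return outcome, used, log

# Constructed control sets: a new video driver was installed after the last good logon.
DEFAULT_SET = [("disk", CRITICAL, True), ("newvideo", SEVERE, False), ("beep", NORMAL, False)]
LKG_SET     = [("disk", CRITICAL, True), ("oldvideo", SEVERE, True),  ("beep", NORMAL, False)]

if __name__ == "__main__":
    outcome, used, log = boot(DEFAULT_SET, LKG_SET)
    print(outcome, used)
    for line in log:
        print(" ", line)
```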

 

Services Load Phase

The Session Manager starts up now.  The Session Manager will start the higher order subsystems and services.  The Session Manager will carry out instructions in these 4 registry entries:

  1. BootExecute data item
  2. Memory Management Key
  3. DOS Devices Key
  4. Subsystems Key

 

The BootExecute Data Item will run programs automatically at startup.  An example is the Autochk.exe program.  You can add other programs or alter the way these programs run from within this registry key.
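
Because anything listed in BootExecute runs at every startup, the value is worth auditing. The following added example (not part of the original chapter) decodes BootExecute from a REGEDIT4 text export and reports entries other than the stock "autocheck autochk *". The export is constructed, "cleanup.exe /q" is a made-up extra entry, and the function names are hypothetical.

```python
import re

DEFAULT_ENTRY = "autocheck autochk *"   # stock BootExecute entry (runs Autochk.exe)

# Constructed sample export in REGEDIT4 text format; the second string is made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,63,6c,65,61,6e,75,70,2e,65,78,65,20,2f,71,00,00
'''

def read_multi_sz(reg_text, value_name):
    """Return the strings of a REG_MULTI_SZ (hex(7)) value, or None if absent."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)        # undo line continuations
    pattern = rf'^"{re.escape(value_name)}"=hex\(7\):([0-9a-fA-F,]*)'
    m = re.search(pattern, joined, re.M)
    if not m:
        return None
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    # REGEDIT4 stores one byte per character, strings separated by a zero byte.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]

def audit_boot_execute(reg_text):
    """Classify BootExecute as 'missing', 'default' or 'review'."""
    entries = read_multi_sz(reg_text, "BootExecute")
    if entries is None:
        return {"status": "missing", "entries": [], "unexpected": []}
    unexpected = [e for e in entries if e.lower() != DEFAULT_ENTRY]
    # A scheduled disk check also rewrites this value, so 'review' means
    # "look at it", not "compromised".
    status = "review" if unexpected else "default"
    return {"status": status, "entries": entries, "unexpected": unexpected}

if __name__ == "__main__":
    print(audit_boot_execute(SAMPLE_REG))
```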

 

The Memory Management Key controls how memory will be managed for the operating system.  One of the things it does is create the pagefile for virtual memory.

 

The DOS Devices Key converts DOS hardware calls into NT hardware calls.  For example, the PRN command in DOS sends jobs directly to the printer by accessing the hardware.  HAL would not be happy.  So, this key redirects the print job to LPT1 which is managed by HAL.

 

The Subsystems Key starts the required subsystems.  By default, only the Win32 subsystem is required.

 

Win32 Subsystem Start Phase

Remember that the Win32 subsystem is responsible for programs that are written in DOS, Win 3.x, Win95, and Windows NT.  When the Win32 subsystem starts it also starts the winlogon.exe process, which then starts up the lsass.exe (local security authority subsystem).

 

Then, the Service Controller is started (screg.exe).  The Service controller takes another look at the registry and looks for services that are marked to load automatically (you control that process in the services applet in the control panel).  These services are now started up.

 

User Logs On

The boot is completed and considered good only when the user actually logs on.

 

Troubleshooting the Boot Process

 

Given how complicated this is, you can imagine that a lot of things can go bad along the way.

 

Common Boot Process Errors

BOOT: Couldn’t find NTLDR

Please insert another disk

You’ll see this if the ntldr file is missing.  Do a repair process for the startup environment and it will fix this.

 

NTDETECT V4.0 Checking Hardware…

NTDETECT failed

 

You’ll see this one if ntdetect.com is missing.  Again, do a repair process for the startup environment and it will fix this.

 

Windows NT could not start because the following file is missing or corrupt:

\winnt root\system32\ntoskrnl.exe

Please re-install a copy of the above file.

 

You’ll see this if the ntoskrnl.exe is corrupt or missing, but really, this isn’t the case very often.  More likely, your boot.ini isn’t pointing to the boot partition.  Fix it!
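
A quick way to check a boot.ini for the usual causes of this message, as an added example that is not part of the original chapter. The boot.ini text is constructed with deliberate mistakes, and the function names are hypothetical.

```python
import re

ARC = re.compile(r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)", re.I)

# Constructed boot.ini: default= names partition(2), and the scsi() line uses partition(0).
SAMPLE = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00" /sos
scsi(0)disk(0)rdisk(0)partition(0)\WINNT="Windows NT Workstation Version 4.00"
C:\="MS-DOS"
'''

def parse_boot_ini(text):  # returns (loader settings, list of menu entries)
    section, loader, entries = None, {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, rest = line.partition("=")
        if section == "boot loader":
            loader[key.strip().lower()] = rest.strip()
        elif section == "operating systems":
            m = re.match(r'\s*"([^"]*)"(.*)$', rest)
            title, switches = (m.group(1), m.group(2).lower().split()) if m else (rest, [])
            entries.append({"path": key.strip(), "title": title, "switches": switches})
    return loader, entries

def check_boot_ini(text):
    """List problems that would stop Ntldr from finding the boot partition."""
    loader, entries = parse_boot_ini(text)
    problems = []
    if loader.get("default", "").lower() not in [e["path"].lower() for e in entries]:
        problems.append("default= does not match any [operating systems] entry")
    for e in entries:
        m = ARC.match(e["path"])
        if not m:
            continue                      # e.g. C:\ which starts through Bootsect.dos
        if int(m.group(5)) == 0:
            problems.append(e["path"] + ": partition() numbering starts at 1")
        if m.group(1).lower() == "scsi":
            problems.append(e["path"] + ": scsi() path needs Ntbootdd.sys next to Ntldr")
    return problems

if __name__ == "__main__":
    print("\n".join(check_boot_ini(SAMPLE)))
```

The checker cannot see the disk, so compare the rdisk() and partition() numbers it accepts against the real partition layout as well.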

 

I/O Error accessing boot sector file

Multi(0)disk(0)rdisk(0)partition(1):\bootss

 

This nasty shows up when your bootsect.dos file gets whacked.  Fix this by doing a repair process for the startup environment.

 

OS Loader V4.0

 

Windows NT could not start because of a computer disk hardware configuration problem.

Could not read from the selected boot disk.  Check boot path and disk hardware.

Please check the Windows NT documentation about hardware disk configuration and your hardware reference manuals for additional information.

 

What this is trying to tell you is that it can’t find the disk that the boot partition is on.  This is usually from the disk either being dead or asleep or not plugged into the drive controller.  Fix it.

 

Creating A Windows NT Boot Disk

 

What do you do when the boot process goes haywire and you just want to get the machine started without having to go through the repair process?  A quick fix is to create an NT boot disk. However, the process of creating an NT boot disk is completely different than creating a DOS boot disk.

 

How do you make one?

  1. Format a floppy disk in Windows NT.  You have to do this so that the NT boot sector is written on the floppy disk.  Don’t use a preformatted floppy or one that you’ve formatted in DOS.
  2. Now, add the boot files:
    ntldr
    ntdetect.com
    boot.ini
    ntbootdd.sys
    (you don’t need a bootsect.dos file on this disk)
  3. Restart the computer with the boot disk in so that you can test it!

 

The Last Known Good Configuration

 

The Last Known Good configuration was put there so that you can get out of jams you might have got yourself into when you’ve junked up the registry or installed a device driver that’s lame.

 

Whenever a user successfully logs on, the control set is saved.  Now, if the user goes in and makes changes to the registry or adds or removes drivers, the control set that was there when the user logged on (a good one we assume), is safe and sound, unaffected by the changes that are made, which are saved in the “CurrentControlSet” registry key.

 

When you start your computer you have the option of choosing either:

  1. The Default Configuration
    This is the control set that was saved when you last shut down the computer
  2. Last Known Good
    This is the one that was saved when you last LOGGED ON to the computer

 

So, if you’ve made registry changes or added or removed drivers during your last session, and now you can’t boot up, try using the Last Known Good configuration.  That will “undo” everything you did AFTER the last time you logged on, and start you up with the same control set you had when you successfully logged on.

 

Now, if you think that you’ve messed up, but you get to the log on screen, DON’T LOG ON!  Once you log on, the system thinks that was a good configuration, and will save it as a Last Known Good configuration, even if you are not sure it’s completely good.

 

You might use the LKG configuration when you’ve installed a new video driver and it whacks your display.  That will return the system to using the old video driver, and then you can see again.

 

The LKG configuration will NOT help you if there is a problem with the hardware itself.  For example, you have installed a new video card and it’s no good.  Using the LKG configuration will be of no help to you here, because the hardware is broken, and not too many software programs can fix broken hardware.

 

The Emergency Repair Process

 

You should ALWAYS first try the LKG before doing the repair process.  Mostly because it’s faster and easier, and if it works, you’ve saved yourself a lot of time.  However, if the LKG doesn’t pull you through, you’ll have to move next to the Repair Process.

 

The Emergency Repair Process can save you from a multitude of sins.  It can repair the registry and restore or fix important operating system files.

 

Where does the Repair Process get the information it needs to carry out the repair?  From one of two places:

  1. An Emergency Repair Disk
  2. The Repair Folder, which is a subfolder of the <systemroot> directory

 

How do you get information to put on an ERD (emergency repair disk) or the repair folder?

 

You have to run the RDISK.exe program.  When you run RDISK, it will place registry key and startup information in the repair folder or the ERD or both.  Every time you make an important system configuration change you should make a new ERD.  DO NOT WRITE OVER THE OLD ONE.  You should keep the old ERDs in case you want to “rollback” to a previous configuration for some reason. (like the last configuration change was no good, but you did an RDISK before you knew it was no good).

 

When you create an ERD, it will format the disk first, so make sure you don’t need anything on it.  It does this to make sure there aren’t any nasty things on there like viruses.

 

Also, if you don’t want to type 20,000 user accounts all over again, run the RDISK command with the /s switch.  The /s switch will save security information too.

 

The Emergency Repair Process

So, it’s broken, but you have done an RDISK recently, so you know you can get your stuff back.  How?

  1. Boot from either the CD or the three setup disks
  2. When the installation process asks you if you want to upgrade or repair, choose “R” for repair
  3. If you have an ERD, insert the ERD and continue.  If you don’t have an ERD, then let setup find your repair folder, which it will do.
  4. Do what it tells you to do
  5. Restart the machine

 

Now, the repair process will allow you to fix different things:

  1. Inspect Registry Files
    This will fix broken registry entries
  2. Inspect Startup Environment
    Pick this if your NT installation doesn’t show up as one of the bootable systems or your boot menu is gone
  3. Verify Windows NT System Files
    Pick this if you think one of the operating system files is bad
  4. Inspect Boot Sector
    Pick this if NO operating system will start.