
Drivers and Services Load
Ntldr now loads the boot-start device drivers and low-level system components into memory, but it doesn't initialize them; that happens in the next phase. This is the end of the boot sequence, and the process that begins now is the load sequence, or the kernel phase.

Ntldr has a pecking order for loading system services and device drivers. When you install Windows, drivers and system services are copied to your computer, and information about them is written to the registry, including a Start value that tells the loader in which phase each one starts. To see it, open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. You'll see a long list of services and device drivers. Select any subkey and look at the REG_DWORD value named Start. Regedit displays a REG_DWORD as its hexadecimal value followed by the decimal value in parentheses; the decimal number is the one that matters here.

  • Start value 0 (Boot) means Ntldr loads the driver during the kernel load phase.
  • Start value 1 (System) means the driver is loaded during the kernel initialization phase (the next phase).
  • Start value 2 (Automatic) means the service is started during the services load phase.
  • Start value 3 (Manual) means the service is installed but not started automatically; something must start it on demand, for example you, from the Microsoft Management Console (MMC) Services snap-in.
  • Start value 4 (Disabled) means the service isn't enabled and won't start.
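As an added example that is not part of the article, the following PowerShell walks the Services key described above, decodes each Start value into its phase, and then lists the boot- and system-start drivers with their on-disk path and Authenticode signature status. It goes one step beyond the text: drivers at Start 0 or 1 run in the kernel before any user-mode security control exists, so an unsigned or missing driver image there is the first thing to look at when a machine is suspected of tampering. The function names, the ImagePath normalization rules and the requirement for Windows PowerShell 3.0 or later on a modern Windows host are assumptions of this example.

```powershell
# Added example (not from the article). Decode the Start value of every
# service and driver under CurrentControlSet\Services, then report the
# boot/system-start drivers with their file path and signature status.
# Assumes Windows PowerShell 3.0+ on a Windows host; run elevated.

$StartPhase = @{
    0 = 'Boot (loaded by Ntldr)'
    1 = 'System (kernel initialization)'
    2 = 'Automatic (services load phase)'
    3 = 'Manual (on demand)'
    4 = 'Disabled'
}

function Resolve-ImagePath {
    # ImagePath comes in several shapes (assumed set, covers the common ones):
    #   \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys,
    #   \??\C:\Windows\x.sys, "C:\Program Files\x\y.exe" -k arg, svchost.exe -k netsvcs
    # Normalize to a plain Win32 path without arguments.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Split('"')[1]                                   # quoted path, drop arguments
    } elseif ($p -match '^(.*?\.(sys|exe|dll))(\s|$)') {
        $p = $Matches[1]                                        # unquoted path, drop arguments
    }
    $root = $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $root                     # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^(System32|SysWOW64)\\') { $p = Join-Path $root $p }   # relative to %SystemRoot%
    return $p
}

function Get-ServiceStartInventory {
    param([switch]$DriversOnly)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props.Start) { return }              # no Start value: not a loadable entry
            # Type 1 = kernel driver, 2 = file-system driver; 0x10/0x20 = Win32 service
            $isDriver = (($props.Type -band 0x3) -ne 0)
            if ($DriversOnly -and -not $isDriver) { return }
            $path = Resolve-ImagePath $props.ImagePath
            $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                [string](Get-AuthenticodeSignature -FilePath $path).Status   # Valid, NotSigned, ...
            } else { 'FileMissing' }
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = [int]$props.Start
                Phase     = $StartPhase[[int]$props.Start]
                IsDriver  = $isDriver
                ImagePath = $path
                Signature = $sig
            }
        }
}

# Drivers the kernel trusts before any user-mode code runs. Anything here that
# is NotSigned or FileMissing deserves a closer look.
Get-ServiceStartInventory -DriversOnly |
    Where-Object { $_.Start -le 1 } |
    Sort-Object Start, Name |
    Format-Table Name, Phase, Signature, ImagePath -AutoSize
```

Drop the `-DriversOnly` switch and the `Where-Object` filter to see the whole pecking order, including Automatic and Manual services. A `FileMissing` result for a Start 0 or 1 entry is itself a finding: the kernel will try to load it at the next boot, and the missing file is exactly the kind of thing Last Known Good exists to recover from.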

The OS Loads
Ntoskrnl begins to load the OS. The Windows kernel is initialized, and the executive subsystems are loaded and initialized; these provide the basic services needed to finish loading the OS. The boot drivers that Ntldr loaded earlier are now initialized, followed by the system-start drivers and then the services. Driver initialization is the point at which you're most likely to hit a STOP error (a Blue Screen of Death). This commonly happens on the first boot after you update a driver: when Ntoskrnl initializes the new driver, the driver faults and the system halts.

To recover, restart the computer, press F8 to display the Advanced Options menu, and choose Last Known Good Configuration, which rolls the CurrentControlSet (including the Services subkeys) back to the copy saved at the last successful logon. Then either obtain a corrected driver from the manufacturer or stay with the previous one. Note that Last Known Good restores registry configuration, not files; if the updated driver overwrote the old driver file on disk under the same name, you also have to restore the file itself.

The Windows kernel and executive are now operational. The Session Manager Subsystem (smss.exe) sets up the user-mode environment: it reads the registry to find the remaining components to load, starts the Win32 subsystem, and launches winlogon.exe. User-mode programs then obtain the Win32 API from kernel32.dll, gdi32.dll, and user32.dll, which are loaded into each process that uses them rather than by the kernel.

The Computer Logs on to the Domain
While the system is still starting drivers and services, the computer logs on to the domain. Using its machine account (a unique name with its own password), the Netlogon service opens a secure channel to a domain controller (DC). All this occurs before the user logon features are available.

Machine accounts are used between client computers (including member servers) and DCs, and within each domain the DCs use the same mechanism among themselves. That's why the order in which you restart computers after a shutdown matters: a member can't establish its secure channel until a DC is up. Computers use the secure channel to exchange the information necessary for authentication and authorization, and the machine account assures the DC that a computer sending sensitive information is really a member of the domain.

As an additional security feature, computers (like users in a security-conscious network configuration) must change their passwords periodically. By default, the password change interval is 30 days. When it's time to change the password, the computer generates a new password and sends it through the secure channel (which it accesses by using the previous password) to the nearest DC. Thereafter, the computer must use the new password to access a secure channel.

The DC updates its database and immediately replicates the computer password change to the other DCs in the domain. Computer account passwords are flagged as Announce Immediately events, so they don't wait for the next scheduled DC replication. Sometimes, these events can cause serious performance hits. If many (or all) of the computers in your domain have passwords that expire on the same day, the work the DCs have to do can slow down other important DC tasks, such as authenticating users or running scheduled replications. The situation is even worse if a DC is providing other services, such as acting as a DNS server. You can change the way machine passwords are managed for the domain, for an OU, or for an individual computer, although attempting to improve performance by configuring one computer at a time isn't efficient. In a future article, I'll discuss the methods available for changing the way computers log on to a domain.
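As an added example (not the article's own material), this PowerShell reads the Netlogon parameters that govern the machine password change interval described above, looks up the computer's own account in Active Directory to see when its password was last set, and verifies that the secure channel still works. It assumes Windows PowerShell 3.0 or later in an elevated session on a domain-joined host that can reach a DC; no RSAT module is needed because it uses the built-in [ADSISearcher] accelerator. The function name and the fallback to the 30-day default when MaximumPasswordAge is not set are assumptions of this example.

```powershell
# Added example (not from the article). Report this domain member's machine
# account password policy, password age, and secure-channel health.
# Assumes Windows PowerShell 3.0+, elevated, on a domain-joined host.

function Get-MachinePasswordStatus {
    # The change interval and the on/off switch live under Netlogon\Parameters
    # (Group Policy "Domain member: ..." settings write the same values).
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAgeDays = if ($null -ne $netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
    $disabled   = ($netlogon.DisablePasswordChange -eq 1)

    # Find our own computer object. pwdLastSet is a FILETIME: 100-ns ticks since 1601 UTC.
    $sam = "$env:COMPUTERNAME`$"
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('pwdLastSet', 'distinguishedName'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Computer account $sam not found in the domain." }

    $pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0])
    $ageDays    = [math]::Round(((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays, 1)

    # Test-ComputerSecureChannel fails outright on a non-domain host; report that as $false.
    $channelOk = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }

    [pscustomobject]@{
        Computer           = [string]$result.Properties['distinguishedname'][0]
        PasswordLastSetUtc = $pwdLastSet
        PasswordAgeDays    = $ageDays
        MaximumAgeDays     = $maxAgeDays
        ChangeDisabled     = $disabled
        ExpectedNextChange = if ($disabled) { $null } else { $pwdLastSet.AddDays($maxAgeDays) }
        OverdueForChange   = (-not $disabled) -and ($ageDays -gt $maxAgeDays)
        SecureChannelOk    = $channelOk
    }
}

Get-MachinePasswordStatus | Format-List
```

Two readings matter from a security standpoint. ChangeDisabled set to true means the machine is running on a static credential indefinitely, which is sometimes done for virtual machines that get reverted to snapshots but should be a deliberate, documented exception. OverdueForChange with a healthy secure channel is not an attack indicator by itself: the computer, not the DC, initiates the change, and it only does so when Netlogon starts or on its periodic check, so a machine that was powered off for weeks will change its password shortly after it next boots.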

User Logon Services Load
Smss launches winlogon.exe, which starts the Local Security Authority (lsass.exe) and displays the logon dialog box. The user must enter a username and password in the Log On To Windows dialog box; if the credentials are valid, the system completes the logon, and the user can begin working. At this point, Windows startup is complete, and the current startup configuration (the CurrentControlSet) is saved as the new Last Known Good. Notice that a successful logon is required before a startup becomes the Last Known Good, which is why a driver that blue-screens before logon never overwrites the good configuration.

No More Nerves
Startup failures make everyone nervous—both users and Help desk personnel. Understanding the startup process makes problems less intimidating and helps you resolve those problems quickly and easily.





Reader Comments

Today's manuals and, even, Resource Kits assume the reader has an intimate understanding of these kinds of details. Most readers do not. Ivens's detail-oriented articles are invaluable.

RRex

Article Rating 5 out of 5

Just the other day I was thinking to myself that I needed to fully understand this process and I was going to research it... No need to. Excellent article with excellent timing.

bobo

Article Rating 5 out of 5
