PC Knowledge Base - Windows Load

Good Knowledge Is Good2Use

It's a good idea to understand what's happening during system startup, so the problems you encounter will fall into their proper place as you envision the process. Many of the steps described here involve system files and processes. You'll find troubleshooting solutions for their failures in the next section of this chapter.

  1. It Starts with Hardware

    The boot process starts with POST, RAM check, and any SCSI BIOS checking.

  2. Ntldr Loads

    The Ntldr program starts the bootup of the operating system. This is when you see OS Loader V4.00 on your screen. If you don't see that message, something is wrong with Ntldr.
    Ntldr checks for the presence of certain files:

    • Boot.ini, a text file that holds information about the operating systems installed on the computer and where to find them on the drive
    • Ntdetect.com, an application that performs the hardware detection process
    • Bootsect.dos, which exists if you dual-boot with DOS (or a Windows operating system that can run from DOS)
    • Ntbootdd.sys, which exists if you boot from a SCSI drive
    Then the following events are launched by Ntldr:
    • It starts a basic file system based on your boot drive. If you have a SCSI drive, Ntbootdd.sys is opened. Otherwise, the system known as INT13 is used.
    • It reads Boot.ini and displays the information it finds on your screen (the bootup menu).
    • It waits for user input about the choice of operating system, and starts the default operating system if the time for making a choice elapses. It uses the information in Boot.ini to do this.

  3. Ntdetect Runs

    Once the NT operating system starts, Ntdetect.com launches to check the hardware in your computer. It announces itself with an on-screen message, NTDETECT V4.0 Checking Hardware.
    Here's what Ntdetect looks at:

    • The machine ID
    • The bus type
    • The video controller
    • The keyboard type
    • The serial ports
    • The parallel ports
    • The floppy drive(s)
    • The mouse

  4. Ntldr Loads the Startup Files

    After Ntdetect has finished its work, Ntldr opens three files:

    • Ntoskrnl.exe, which is the Windows NT kernel
    • Hal.dll, which is the Hardware Abstraction Layer
    • %SystemRoot%\System32\Config\System, which is the System hive in the computer's registry
    If there's a problem, you'll get an error message.
    If everything is fine you'll see the familiar Press Spacebar to use Last Known Good message.

  5. Ntldr Loads the Drivers

    The system hive tells Ntldr which drivers to load. You can see this information for yourself in the registry under

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
    If you pressed the spacebar and indicated a different LastKnownGood, Ntldr will head for that configuration.

    As Ntldr loads the drivers into memory, it writes a period to the screen for each driver.

    This is the end of the boot sequence. Now the load sequence begins. Ntldr passes control of the operating system startup to Ntoskrnl.

  6. The Load Sequence Begins

    When the NT kernel begins, the screen changes to blue and you'll see a display message about the operating system version, the number of processors, and the amount of memory. Then dots start appearing, indicating progress as the kernel does its work.

    1. First the kernel copies the Current Control Set to a registry key named
      HKEY_LOCAL_MACHINE\SYSTEM\Clone
      (you cannot open this key; it's active and therefore protected).
    2. Then it performs the following tasks:
      • It initializes the low-level drivers that were loaded by Ntldr.
      • It searches all of the drivers (using the System hive) and initializes any that have a Start value of 1. Each time a driver is initialized, another dot appears on the blue screen.
      • It loads Smss.exe (the Services Manager application), which checks the registry subkey
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.
        That subkey has a value item named BootExecute, and Smss runs whatever application is named in the data for that item. By default the value of that data item is AUTOCHK (Chkdsk), and there's no reason to add anything else.
      • Smss.exe loads the page file.
      • Smss.exe then checks the registry subkey
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.
        It uses the information it finds in the value item named Windows to start the Windows NT operating system.

  7. The Subsystem Starts

    Once the previous steps have completed, the Win32 subsystem takes over and begins the last processes:

    • Winlogon.exe launches, sending the first logon dialog box to the screen (the logo, then the Press Ctrl-Alt-Del . . . dialog box).
    • Lsass.exe (the Local Security Authority program) is launched.
    • Screg.exe (a Scan Registry program) is launched. It searches the registry for autoload drivers.
      One of the drivers it should always find (perhaps the only one) is Services.exe. This is the application that loads the workstation and server services.

  8. The User Logs On

    Now the user logs on, and the registry key Clone is copied to LastKnownGood. The operating system is up and running.
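
The registry values named in steps 5 and 6 (the Start value under Services, and BootExecute under Session Manager) decide what runs before anyone logs on, so they are worth checking against what you expect. The following is an added example, not part of the original article: it parses a constructed REGEDIT4 export, lists the early-start drivers, and reports any BootExecute entry other than the autochk default. The names ExampleDisk, ExampleFs, ExampleSvc and example.exe are made up, and it assumes that Start 0 marks the drivers Ntldr loads and that REGEDIT4 hex(7) data is stored as ANSI bytes.

```python
# Added example. SAMPLE is constructed: the Example* keys and example.exe are made up.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,65,78,61,6d,70,6c,65,2e,65,78,65,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDisk]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFs]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
'''
SM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from export text."""
    keys, current = {}, None
    # A trailing backslash continues a long hex value on the next line.
    for line in map(str.strip, text.replace("\\\n", "").splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition('"=')
            current[name[1:]] = data
    return keys

def multi_sz(data):
    """Decode hex(7) data; assumes REGEDIT4 stores it as ANSI bytes."""
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]

def unexpected_boot_execute(keys):
    """BootExecute entries that are not the default autochk invocation."""
    entries = multi_sz(keys[SM]["BootExecute"])
    return [e for e in entries if e.lower().split()[:2] != ["autocheck", "autochk"]]

def early_drivers(keys):
    """Services with Start 0 (assumed: loaded by Ntldr) or 1 (kernel-initialized)."""
    found = {0: [], 1: []}
    for path, values in keys.items():
        start = values.get("Start", "")
        if path.startswith(SVC) and start in ("dword:00000000", "dword:00000001"):
            found[int(start[6:], 16)].append(path[len(SVC):])
    return found

print(unexpected_boot_execute(parse_reg(SAMPLE)), early_drivers(parse_reg(SAMPLE)))
```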





© Copyright 1998-1999 GOOD2USE