Windows Startup and Shutdown
Dept. of Information, Year 4 Class B / Master's Year 1: 93502081 楊濬仲, 93502065 陳建志, 965202080 凌家強, 965205005 陳昱端
Windows Startup Steps (agenda): Ready Boot; Start Boot; Loader; Kernel Initialization; System Login; Shutdown; solving startup problems
Windows Startup Steps: Ready Boot (Windows Setup Program, Master Boot Record); Start Boot (ntldr); Load kernel (Ntoskrnl.exe); Kernel Initialization; System Login (Winlogon); Shutdown (Winlogon)
Ready Boot: Partitions
- A hard disk can contain up to four primary partitions.
- An extended partition can in turn contain further partitions.
- Each partition holds a file system, such as FAT or NTFS.
Windows Setup Program: when Windows is installed, Setup performs two operations:
- writes the MBR to the hard disk;
- writes the boot sector to the first bootable partition.
Before overwriting the boot sector, Windows Setup copies its old contents to Bootsect.dos in the root directory.
Start Boot (diagram): BIOS -> MBR -> Boot Sector -> Ntldr -> Boot.ini -> Ntoskrnl.exe, spanning the Start Boot, Load kernel and Kernel Initialization stages; the kernel then brings up Bootvid.dll, Hal.dll and the boot-start device drivers.
Master Boot Record (MBR)
- Definition: the MBR is the code written in the first sector of the disk.
- Responsibility: reads and loads partition boot sectors.
- Contents: boot code (space that contains executable instructions) and the partition table (four entries that define the locations of the primary partitions).
MBR (cont'd): action
- Scans the primary partition table until it finds a partition with the bootable flag set.
- When it finds at least one such flag, it reads the boot sector of the first flagged partition and transfers control to it.
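The MBR layout and scan described above, as an added example (not code from the slides or from Windows): a parser for the 512-byte sector that checks the 0x55AA signature, decodes the four 16-byte partition entries that follow the 446 bytes of boot code, and returns the first entry flagged 0x80, which is the partition whose boot sector the MBR code would load. The sample sector is constructed in the block; the 446-byte offset, the entry layout and the flag values are the standard MBR format.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code precede the four entries
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
BOOTABLE_FLAG = 0x80           # the "active" flag the MBR code scans for
ENTRY_FORMAT = "<B3sB3sII"     # flag, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector: bytes):
    """Return the four primary partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        entries.append({
            "index": index,
            "flag": flag,
            "bootable": flag == BOOTABLE_FLAG,
            "valid_flag": flag in (0x00, BOOTABLE_FLAG),  # any other value is malformed
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "empty": ptype == 0 and sectors == 0,
        })
    return entries


def first_bootable_partition(sector: bytes):
    """Mimic the MBR scan: the first entry whose flag is 0x80, or None."""
    for entry in parse_partition_table(sector):
        if entry["bootable"]:
            return entry
    return None


def build_sample_mbr() -> bytes:
    """Constructed sample sector: two NTFS-type partitions, the second one active."""
    def entry(flag, ptype, lba_start, sectors):
        return struct.pack(ENTRY_FORMAT, flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

    sector = bytearray(SECTOR_SIZE)                     # boot code area left as zeros
    table = (entry(0x00, 0x07, 63, 2097152)             # first primary partition, not active
             + entry(0x80, 0x07, 2097215, 4194304)      # second primary partition, active
             + bytes(2 * PARTITION_ENTRY_SIZE))         # two unused entries
    sector[PARTITION_TABLE_OFFSET:510] = table
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    boot = first_bootable_partition(build_sample_mbr())
    print("boot sector to load is at LBA", boot["lba_start"])
```

Feeding the parser the real first sector of a disk image (for example from a forensic copy) shows immediately which partition the firmware-era boot path would hand control to, and a flag value other than 0x00 or 0x80, or a missing signature, is a cheap integrity check on that sector.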
Boot Sector
- Definition: the first sector of such a (bootable) partition.
- Responsibility: reads the root directory to load Ntldr.
Windows Setup Program (recap): when Windows is installed, Setup performs two operations: it writes the MBR to the hard disk and writes the boot sector to the first bootable partition. Before overwriting the boot sector, Windows Setup copies its old contents to Bootsect.dos in the root directory. (Note: this part is the operation performed by the installer.)
Boot.ini
- Called by: Ntldr.
- Responsibility: boot menu file.
- Location: the root directory of the system volume.
Boot.ini (cont'd): screenshot of C:\boot.ini
Boot.ini (cont'd): syntax. Boot.ini paths use Advanced RISC Computing (ARC) naming; Windows uses three variants of the syntax:
- multi(W)disk(X)rdisk(Y)partition(Z)
- scsi(W)disk(X)rdisk(Y)partition(Z)
- signature(V)disk(X)rdisk(Y)partition(Z)
multi(W)disk(X)rdisk(Y)partition(Z)
- W is the disk controller number, typically 0.
- X is always 0 in the multi() syntax.
- Y specifies the physical hard disk attached to controller W.
- Z indicates the partition number on that physical disk.
- This form instructs Windows to use BIOS INT 13 functions to load the system files.
scsi(W)disk(X)rdisk(Y)partition(Z)
- W is the disk controller number, typically 0.
- X is the physical hard disk attached to the controller, typically 0 to 15.
- Y specifies the SCSI logical unit number (LUN) of the disk, typically 0.
- Z is the partition that corresponds to the boot volume, with numbering starting at 1.
- This form informs Windows that it should rely on the disk I/O services provided by Ntbootdd.sys (described shortly) to access the files on the boot volume.
signature(V)disk(X)rdisk(Y)partition(Z)
- V is a 32-bit hexadecimal disk signature that identifies the disk.
- X is the physical hard disk with that signature.
- Y is always 0.
- Z is the partition number on which the boot volume is located.
- This form instructs Windows to locate the disk whose signature matches the first value in parentheses, regardless of the controller number associated with the disk, and to use Ntbootdd.sys to access the boot volume.
Boot options (Boot.ini switches and their meaning)
- /3GB: increases the size of the user process address space from 2 GB to 3 GB.
- /BOOTLOGO: use this switch to have Windows XP or Windows Server 2003 display an installable splash screen instead of the standard splash screen.
- /FASTDETECT: default boot option for Windows.
- /KERNEL= and /HAL=: enable you to override Ntldr's default filename for the kernel image (Ntoskrnl.exe) and/or the HAL (Hal.dll).
- /LASTKNOWNGOOD: causes the system to boot as if the LastKnownGood boot option was selected.
- /MAXMEM=: limits Windows to ignore (not use) physical memory beyond the amount indicated.
- /ONECPU: causes Windows to use only one CPU on a multiprocessor system.
- /SAFEBOOT: specifies options for a safe mode boot.
- /SOS: causes Windows to list the device drivers marked to load at boot time and then to display the system version number, amount of physical memory, and number of processors.
Boot.ini (cont'd): screenshot of C:\boot.ini
Windows Startup and Shutdown (presenter: 陳建志)
Loader procedure (diagram): Boot sector -> Ntldr: Enable Paging -> Read Boot.ini -> Hardware Detect -> Load Boot drivers -> Ntoskrnl
Enable Paging (diagram): Boot sector -> Ntldr: real mode -> protected mode -> create page tables
Ntldr Step 1
- Ntldr begins its existence while the system is executing in a mode called real mode: no virtual-to-physical translation of memory addresses occurs, and only the first 1 MB of physical memory is accessible.
- Ntldr switches the system to protected mode. There is still no virtual-to-physical translation, but once in protected mode Ntldr can access all of physical memory.
- It then creates enough page tables to map memory below 16 MB and enables paging.
Read Boot.ini, preparation (diagram): Ntldr -> Enable paging -> Ntbootdd.sys or boot code
Ntldr Step 2
- After Ntldr enables paging, it is fully operational. It still relies on functions supplied by the boot code to access IDE-based system and boot disks.
- If the disk containing the boot volume is SCSI-based and isn't accessible using BIOS firmware support, Ntldr loads Ntbootdd.sys and uses it instead of the boot-code functions for disk access.
- Ntbootdd.sys is a copy of the SCSI miniport driver that Windows uses, once it is fully operational, to access the boot disk.
Read Boot.ini, preparation (diagram): Enable paging -> Ntbootdd.sys or boot code -> Hiberfil.sys
Ntldr Step 3
- If there is a valid Hiberfil.sys file in the root of the system volume, Ntldr shortcuts the boot process by reading the contents of the file into memory and transferring control to code in the kernel that resumes a hibernated system.
- The file is valid only if the computer was hibernated the last time it was shut down.
Read Boot.ini (diagram): Ntbootdd.sys or boot code -> Hiberfil.sys -> Read Boot.ini
Ntldr Step 3 (cont.)
- Ntldr reads the Boot.ini file from the root directory using built-in file system code.
- Like the boot sector's code, Ntldr contains read-only NTFS and FAT code.
- Unlike the boot sector's code, Ntldr's file system code can read subdirectories.
Ntldr Step 4
- If there is more than one boot-selection entry in Boot.ini, Ntldr presents the user with the boot-selection menu.
- If there is only one entry, Ntldr bypasses the menu and proceeds to display the startup progress bar.
- Selection entries in Boot.ini direct Ntldr to the partition on which the Windows system directory of the selected installation resides. This partition might be the same as the boot partition, or it might be another primary partition.
- Boot.ini can include optional arguments that Ntldr and other components involved in the boot process interpret.
- Any options included in Boot.ini are saved to the registry value HKLM\SYSTEM\CurrentControlSet\Control\SystemStartOptions.
- If the user doesn't select an entry from the selection menu within the timeout period the Boot.ini file specifies, Ntldr chooses the default selection, which is the top-most entry in Boot.ini with a path matching the path specified in the "default=" line.
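The ARC path rules from the Boot.ini syntax slides, the switch list, and the default-selection rule above, as one added example (not code from the slides or from Ntldr): a parser that reads a Boot.ini file, validates each ARC path against the constraints stated for the multi(), scsi() and signature() variants (disk() must be 0 for multi(), rdisk() must be 0 for signature(), partition numbering starts at 1), collects the /switches of each entry, and picks the default entry the way Ntldr does, as the top-most entry whose path matches the default= line. The sample Boot.ini text is constructed for the example; a non-ARC path such as C:\ is kept with no ARC decoding, since that is the case handed to Bootsect.dos.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# ARC path: multi|scsi|signature(W)disk(X)rdisk(Y)partition(Z)\directory
ARC_RE = re.compile(
    r"^(multi|scsi|signature)\(([0-9a-fA-F]+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(.*)$",
    re.IGNORECASE)
ENTRY_RE = re.compile(r'^(.+?)="([^"]*)"\s*(.*)$')   # path="description" /switches


@dataclass
class ArcPath:
    kind: str          # "multi", "scsi" or "signature"
    w: str             # controller number, or the disk signature for signature()
    x: int
    y: int
    z: int
    directory: str


def parse_arc_path(text: str) -> ArcPath:
    """Parse one ARC path and enforce the rules stated for each variant."""
    m = ARC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ARC path: {text!r}")
    kind, w, x, y, z, directory = m.groups()
    kind = kind.lower()
    x, y, z = int(x), int(y), int(z)
    if z < 1:
        raise ValueError("partition numbering starts at 1")
    if kind == "multi" and x != 0:
        raise ValueError("disk() is always 0 in the multi() syntax")
    if kind == "signature":
        if y != 0:
            raise ValueError("rdisk() is always 0 in the signature() syntax")
        if len(w) > 8:
            raise ValueError("signature() takes a 32-bit hexadecimal disk signature")
    elif not w.isdigit():
        raise ValueError("controller number must be decimal")
    return ArcPath(kind, w, x, y, z, directory)


@dataclass
class BootEntry:
    path: str
    description: str
    options: list
    arc: Optional[ArcPath]   # None for a non-ARC path such as C:\ (booted via Bootsect.dos)


@dataclass
class BootIni:
    timeout: int = 30
    default: str = ""
    entries: list = field(default_factory=list)


def parse_boot_ini(text: str) -> BootIni:
    """Read the [boot loader] and [operating systems] sections of a Boot.ini file."""
    cfg = BootIni()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key == "timeout":
                cfg.timeout = int(value)
            elif key == "default":
                cfg.default = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"malformed entry: {line!r}")
            path, description, rest = m.groups()
            path = path.strip()
            options = [tok for tok in rest.split() if tok.startswith("/")]
            arc = parse_arc_path(path) if ARC_RE.match(path) else None
            cfg.entries.append(BootEntry(path, description, options, arc))
    return cfg


def choose_default(cfg: BootIni) -> Optional[BootEntry]:
    """Ntldr's rule: the top-most entry whose path matches the default= line."""
    for entry in cfg.entries:
        if entry.path.lower() == cfg.default.lower():
            return entry
    return None


# Constructed sample Boot.ini (not taken from any real machine).
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /sos
C:\\="Microsoft Windows 98"
"""

if __name__ == "__main__":
    chosen = choose_default(parse_boot_ini(SAMPLE_BOOT_INI))
    print("default entry:", chosen.description, chosen.options)
```

Running the parser over a Boot.ini recovered from a system volume tells you which installation directory and which switches (for example /SOS or /SAFEBOOT) the loader would have applied, which is often the first thing to check when a machine boots into an unexpected configuration.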
Hardware detect (diagram): Hiberfil.sys -> Read Boot.ini -> Bootsect.dos or Ntdetect.com
- If the Boot.ini entry refers to an MS-DOS installation, Ntldr reads the contents of the Bootsect.dos file into memory, switches back to 16-bit real mode, and calls the MBR code in Bootsect.dos.
- The code in Bootsect.dos continues an MS-DOS-specific boot, such as is used to boot Microsoft Windows Me, Windows 98, or Windows 95 on a computer.
Ntldr Step 5
- Once the boot selection has been made, Ntldr loads and executes Ntdetect.com, a 16-bit real-mode program that uses the system's BIOS to query the computer for basic device and configuration information:
  - the time and date information stored in the system's CMOS;
  - the types of buses on the system and identifiers for devices attached to the buses;
  - the number, size, and type of disk drives on the system;
  - the types of mouse input devices connected to the system;
  - the number and type of parallel ports configured on the system;
  - the types of video adapters present on the system.
- This information is gathered into internal data structures that will be stored under the HKLM\HARDWARE\DESCRIPTION registry key later in the boot.
- On Windows 2000, Ntldr then clears the screen and displays the "Starting Windows" progress bar. This progress bar remains empty until Ntldr begins loading boot drivers.
- Below the progress bar is the message "For troubleshooting and advanced startup options for Windows, press F8." If the user presses F8, the advanced boot menu is presented, which allows the user to select such options as booting from last known good, safe mode, debug mode, and so on.
- On Windows XP and Windows Server 2003, Ntldr presents a logo splash screen instead of a progress bar.
Advanced boot menu (as displayed):
Windows Advanced Options Menu
Please select an option:
  Safe Mode with Networking
  Safe Mode with Command Prompt
  Enable Boot Logging
  Enable VGA Mode
  Last Known Good Configuration (your most recent settings that worked)
  Directory Services Restore Mode (Windows domain controllers only)
  Debugging Mode
  Start Windows Normally
  Reboot
  Return to OS Choices Menu
Use the up and down arrow keys to move the highlight to your choice.
- If Ntldr is running on an x64 system and the kernel specified by the entry selected in the boot menu is for x64, Ntldr switches the processor to long mode, in which the native word size is 64 bits.
- Ntldr then begins loading the files from the boot volume needed to start the kernel initialization.
- Loads the appropriate kernel and HAL images, Ntoskrnl.exe and Hal.dll by default. If Ntldr fails to load either of these files, it prints the message "Windows could not start because the following file was missing or corrupt", followed by the name of the file.
- Reads in the SYSTEM registry hive (\Windows\System32\Config\System), so that it can determine which device drivers need to be loaded to accomplish the boot.
- Scans the in-memory SYSTEM registry hive and locates all the boot device drivers. Boot device drivers are drivers necessary to boot the system; they are indicated in the registry by a Start value of SERVICE_BOOT_START (0). Every device driver has a registry subkey under HKLM\SYSTEM\CurrentControlSet\Services.
- Adds the file system driver that's responsible for implementing the code for the type of partition on which the installation directory resides to the list of boot drivers to load. Ntldr must load this driver at this time.
- Loads the boot drivers, which should only be drivers that, like the file system driver for the boot volume, would introduce a circular dependency if the kernel were required to load them.
- To indicate the progress of the loading, Ntldr updates a progress bar displayed below the text "Starting Windows". The progress bar moves for each driver loaded. If the /SOS switch is specified in the Boot.ini selection, Ntldr doesn't display the progress bar but instead displays the filename of each boot driver.
- The drivers are loaded but not initialized at this time; they initialize later in the boot sequence.
- Prepares CPU registers for the execution of Ntoskrnl.exe. This action is the end of Ntldr's role in the boot process.
- Ntldr calls the main function in Ntoskrnl.exe to perform the rest of the system initialization.
The IA64 Boot Process
- IA64 systems conform to the Extensible Firmware Interface (EFI) specification as defined by Intel. An EFI-compliant system has firmware that runs boot loader code that's been programmed into the system's nonvolatile RAM (NVRAM) by Windows Setup.
- The boot code reads the IA64 equivalent of the x86 and x64 Boot.ini contents, which are also stored in NVRAM.
- Both Microsoft EFI tools runnable in the EFI console and Bootcfg.exe, a tool included with Windows, allow modification of the NVRAM boot selections and switches.
- Hardware detection occurs next, where the boot loader uses EFI interfaces to determine the number and type of the following devices: network adapters, video adapters, keyboards, disk controllers, and storage devices.
- As Ntldr does on x86 systems, the boot loader presents a menu of boot selections with an optional timeout.
- The loader navigates to the subdirectory on the EFI System partition corresponding to the selection and loads several other files required to continue the boot: Fpswa.efi and Ia64ldr.efi.
- The EFI specification requires that the system have a partition designated as the EFI System partition that is formatted with the FAT file system and that is between 100 MB and 1 GB in size, or up to one percent of the size of the disk.
- Each Windows installation has a subdirectory on the EFI System partition under EFI\Microsoft. The first installation is assigned the folder Winnt50, the second Winnt50.1, and each subsequent installation has a unique index number following the period in the folder name.
- Ia64ldr.efi is responsible for loading Ntoskrnl.exe, Hal.dll, and the boot-start drivers, after which the boot proceeds through the same steps as for x86 and x64.
Windows Startup and Shutdown (presenter: 凌家強)
What is the Ntoskrnl image?
- Ntoskrnl.exe is the kernel image for the family of Microsoft Windows NT operating systems.
- It provides the Microkernel and Executive layers of the Windows NT kernel space.
- It contains the Cache Manager, the Executive, the Kernel, the Security Reference Monitor, the Memory Manager, and the Scheduler, among other things.
Initialization Kernel Procedure (pseudocode of the NTOSKRNL entry point)
// NTOSKRNL main
int main(boot parameters)
{
    // Fire up NT! For each CPU, KiSystemStartup calls
    // HalInitializeProcessor and then KiInitializeKernel.
    KiSystemStartup();
    return 0;
}
KiInitializeKernel (diagram). Phase 0: KiInitSystem -> ExpInitializeExecutive -> HalInitSystem -> ObInitSystem -> SeInitSystem -> PsInitSystem -> PpInitSystem -> set IRQL to DISPATCH_LEVEL. Phase 1: Phase1Initialization -> MmZeroPageThread.
Windows Kernel IRQL (Interrupt Request Level): the executive's interrupt priority levels.
Software IRQLs:
- PASSIVE_LEVEL 0 // passive release level
- LOW_LEVEL 0 // lowest interrupt level
- APC_LEVEL 0 // APC interrupt level
- DISPATCH_LEVEL // dispatch level
Hardware IRQLs:
- DIRQL // from 3 to 26, for device ISRs
- PROFILE_LEVEL 27 (0x1B) // timer used for profiling
- CLOCK1_LEVEL 28 (0x1C) // interval clock 1 level, not used on x86
- CLOCK2_LEVEL 28 (0x1C) // interval clock 2 level
- SYNCH_LEVEL 28 (0x1C) // synchronization level
- IPI_LEVEL 29 (0x1D) // interprocessor interrupt level
- POWER_LEVEL 30 (0x1E) // power failure level
- HIGH_LEVEL 31 (0x1F) // highest interrupt level
Initialization Kernel Procedure: Ntoskrnl begins the first of two phases.
■ Phase 0:
- Disables interrupts.
- Calls KiSystemStartup => HalInitializeProcessor => KiInitializeKernel (per CPU).
- Proceeds to call ExpInitializeExecutive, which loads the critical resource management interfaces (Plug and Play, Security Reference Monitor, Memory Manager).
■ Phase 1:
- Ntoskrnl re-enables interrupts and displays the Windows Boot Status Screen.
- Ntoskrnl loads the HARDWARE registry hive.
- Ntoskrnl proceeds to initialize the necessary drivers.
Introduction: Ntoskrnl internal procedure
KiInitializeKernel: this function initializes the per-processor data structures. Main functions:
1. Initialize kernel data structures.
2. Initialize the processor control block.
3. Initialize the kernel's executive routines.
4. Finally, return to KiSystemStartup.
KiInitSystem & ExpInitializeExecutive
- KiInitSystem initializes kernel data structures.
- ExpInitializeExecutive implements the initialization of the phase 0 components.
ExpInitializeExecutive
- Uses the global variable InitializationPhase to distinguish the phases: phase 0 and phase 1.
- After successful completion it sets the variable to 2.
Phase 0 procedure
- HalInitSystem: initializes the HAL.
- MmInitSystem: initializes the memory manager.
- ObInitSystem: initializes the object manager package.
- SeInitSystem: initializes the security reference monitor.
- PsInitSystem: initializes the process manager.
- PpInitSystem: initializes the Plug and Play manager.
MmInitSystem & ObInitSystem
- MmInitSystem: the memory manager constructs page tables and internal data structures that are necessary to provide basic memory services.
- ObInitSystem: during the object manager initialization, the objects that are necessary to construct the object manager namespace are defined so that other subsystems can insert objects into it. A handle table is created so that resource tracking can begin.
SeInitSystem & PsInitSystem
- SeInitSystem: the security reference monitor initializes the token type object and then uses the object to create and prepare the first local system account token for assignment to the initial process.
- PsInitSystem: the process manager performs most of its initialization in phase 0, defining the process and thread object types and setting up lists to track active processes and threads. The process manager also creates a process object for the initial process and names it Idle.
- As its last step, the process manager creates the System process and a system thread to execute the routine Phase1Initialization.
PpInitSystem: Plug and Play manager initialization in phase 0 involves simply initializing an executive resource used to synchronize bus resources.
Phase 1 Initialization (the system thread routine created by the process manager)
VOID Phase1Initialization(IN PVOID Context)
{
    Phase1InitializationDiscard(Context);   // performs the phase 1 steps, then discards the init-only code
    MmZeroPageThread();                     // this thread then becomes the memory manager's zero-page thread
    return;
}
Windows kernel mode
- The Windows executive contains the base operating system services, such as memory management, process and thread management, security, I/O, networking, and interprocess communication.
- The Windows kernel consists of low-level operating system functions, such as thread scheduling, interrupt and exception dispatching, and multiprocessor synchronization.
- Device drivers include both hardware device drivers that translate user I/O function calls into specific hardware device I/O requests, as well as file system and network drivers.
- The hardware abstraction layer (HAL) is a layer of code that isolates the kernel, device drivers, and the rest of the Windows executive from platform-specific hardware differences.
Executive major components
- Configuration manager: implements and manages the system registry.
- Process and thread manager: creates and terminates processes and threads.
- Security reference monitor (SRM): enforces security policies on the local computer.
- I/O manager: implements device-independent I/O and is responsible for dispatching to the appropriate device drivers for further processing.
- Plug and Play (PnP) manager: determines which drivers are required to support a particular device and loads those drivers.
Executive major components (cont.)
- Power manager: generates power management I/O notifications to device drivers.
- Cache manager: improves the performance of file-based I/O by causing recently referenced disk data to reside in main memory for quick access.
- Memory manager: implements virtual memory.
Executive major components (cont.)
- Object manager: creates, manages, and deletes Windows executive objects and abstract data types that are used to represent operating system resources such as processes, threads, and the various synchronization objects.
- LPC facility: passes messages between a client process and a server process on the same computer.
- A broad set of common run-time library functions, such as string processing, arithmetic operations, data type conversion, and security structure processing.
- Executive support routines, such as system memory allocation and interlocked memory access, as well as two special types of synchronization objects: resources and fast mutexes.
Start of Kernel Initialization Phase 1
Kernel Initialization Phase 1
- HalInitSystem is called to prepare the system to accept interrupts from devices and to enable interrupts.
- The boot video driver (\Windows\System32\Bootvid.dll) is called, which in turn displays the Windows startup screen.
- The power manager initialization is called.
- The system time is initialized (by calling HalQueryRealTimeClock) and then stored as the time the system booted.
- On a multiprocessor system, the remaining processors are initialized and execution starts.
Kernel Initialization Phase 1 (cont.)
- The object manager creates the namespace root directory (\), the \ObjectTypes directory, and the DOS device name mapping directory (\?? on Windows 2000, and \Global?? on Windows XP and Windows Server 2003). It then creates the \DosDevices symbolic link that points at the DOS device name mapping directory.
- The executive is called to create the executive object types, including semaphore, mutex, event, and timer.
- The kernel initializes scheduler (dispatcher) data structures and the system service dispatch table.
- The security reference monitor creates the \Security directory in the object manager namespace and initializes auditing data structures if auditing is enabled.
Kernel Initialization Phase 1 (cont.)
- The memory manager is called to create the section object and the memory manager system worker threads.
- National language support (NLS) tables are mapped into system space.
- Ntdll.dll is mapped into the system address space.
- The cache manager initializes the file system cache data structures and creates its worker threads.
- The configuration manager creates the \Registry key object in the object manager namespace and copies the initial registry data passed by Ntldr into the HARDWARE and SYSTEM hives.
Kernel Initialization Phase 1 (cont.)
- Global file system driver data structures are initialized.
- The Plug and Play manager calls the Plug and Play BIOS.
- The local procedure call (LPC) subsystem initializes the LPC port type object.
- If the system was booted with boot logging (/BOOTLOG), the boot log file is initialized.
Kernel Initialization Phase 1 (cont.)
- The I/O manager initialization now takes place. This stage is a complex phase of system startup that accounts for 50 percent of the "progress" reported in the progress bar.
Kernel Initialization Phase 1 (cont.)
- If the computer is booting in safe mode, this fact is recorded in the registry.
- Unless explicitly disabled in the registry, paging of kernel-mode code (in Ntoskrnl and drivers) is enabled.
Kernel Initialization Phase 1 (cont.)
- The power manager is called to initialize various power management structures.
- The security reference monitor is called to create the Command Server Thread that communicates with Lsass.
- The last step is to create the Session Manager subsystem (Smss) process.
Initialize System Process (diagram): System Idle Process (PID 0) in Phase 0; Smss.exe (Session Manager) in Phase 1: 1. loads Csrss.exe (Windows environment subsystem) and Win32k.sys; 2. starts Winlogon.exe (logon process).
Startup procedure: this step begins with the start of the Session Manager (Smss.exe).
■ Smss is the first user-mode process created in the system.
■ Smss, being a native application, can perform unique actions:
- creation of security tokens;
- it uses its own native API, unavailable to the rest of Windows.
■ Smss's first task is initializing the rest of the registry hives.
■ Smss then runs any programs defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
■ Smss loads the Windows subsystem (Win32k.sys).
■ Smss then loads Csrss and starts Winlogon.
Startup procedure: Winlogon & Csrss
■ Winlogon then performs its startup steps, such as creating the initial window station and desktop objects.
■ Winlogon then loads Msgina.dll (or a replacement GINA) to handle WlxLoggedOutSAS, displaying the standard Windows logon dialog box.
■ Winlogon creates the Service Control Manager (SCM), services.exe, which:
- loads all the necessary services marked for auto-start;
- loads the Local Security Authentication Subsystem (Lsass).
Windows Startup and Shutdown (presenter: 陳昱端)
Shutdown: 1. initiate shutdown; 2. terminate the user processes; 3. terminate the system processes; 4. finish shutdown.
Initiate shutdown (diagram): Explorer -> ExitWindowsEx(EWX_SHUTDOWN) -> RPC call -> Csrss -> Windows message -> Winlogon
Initiate shutdown
- Explorer initiates a shutdown by calling the Windows ExitWindowsEx function with EWX_SHUTDOWN.
- ExitWindowsEx makes an RPC call to Csrss instructing it to perform the shutdown.
- Csrss sends a Windows message to Winlogon; Winlogon then impersonates the currently logged-on user.
Terminate the user processes (diagram): Winlogon -> ExitWindowsEx (internal flags) -> RPC call -> Csrss -> WM_QUERYENDSESSION / WM_ENDSESSION to the user processes in the logon session, CTRL_LOGOFF_EVENT to console applications
Terminate the user processes
- Winlogon calls ExitWindowsEx with some special internal flags.
- Csrss loops through all the processes in the logon session in reverse order of their shutdown level.
- Csrss sends the WM_QUERYENDSESSION Windows message to each thread in the process. If the thread returns TRUE, the system shutdown can proceed.
- Csrss then sends the WM_ENDSESSION Windows message to the thread to request it to exit. If the thread doesn't exit before the timeout, Csrss displays the hung-program dialog box.
- This dialog box indicates that a program isn't shutting down in a timely manner and gives the user a choice of either killing the process or aborting the shutdown.
- Csrss then continues sending the WM_QUERYENDSESSION / WM_ENDSESSION message pairs to the other threads in the process that own windows. When all threads in the process have exited, Csrss terminates the process and goes on to the next process in the session.
- If Csrss finds a console application, it invokes the console control handler by sending the CTRL_LOGOFF_EVENT event. If the handler returns FALSE, Csrss kills the process. If the handler returns TRUE or doesn't respond before the timeout, Csrss displays the hung-program dialog box.
- Next, Winlogon calls ExitWindowsEx to have Csrss terminate any COM processes that are part of the interactive user's session.
Terminate the system processes (diagram): Winlogon -> ExitWindowsEx (system process context) -> RPC call -> Csrss -> WM_QUERYENDSESSION / WM_ENDSESSION to the system processes, CTRL_SHUTDOWN_EVENT to console applications that have registered control handlers
Terminate the system processes
- Winlogon calls ExitWindowsEx with the system process context.
- Csrss looks at all the processes belonging to the system context.
- Csrss sends the WM_QUERYENDSESSION / WM_ENDSESSION messages to GUI threads (as before).
- Csrss sends CTRL_SHUTDOWN_EVENT to console applications that have registered control handlers.
- Csrss performs the same timeouts as when it was terminating the user processes, but it doesn't display any dialog boxes and doesn't kill any processes. These timeouts simply give system processes a chance to clean up and exit before the system shuts down.
- Many system processes are still running when the system shuts down, such as Smss, Winlogon, the SCM, and Lsass.
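The two Csrss termination passes above, as an added example (not code from the slides or from Csrss): a small model of the loop that walks processes in reverse shutdown-level order, sends WM_QUERYENDSESSION / WM_ENDSESSION to GUI threads or a control event to console applications, and applies the stated outcomes (a FALSE console handler is killed in the user session; a thread that does not exit before the timeout raises the hung-program dialog; in the system context there are no dialogs and no kills). The processes, their shutdown levels and their replies are constructed for the example; the slides only say that a TRUE reply lets shutdown proceed, so treating any other reply as a veto is an assumption marked in the code.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GuiThread:
    query_reply: Optional[bool]  # reply to WM_QUERYENDSESSION; None = no reply
    exits: bool                  # exits before the timeout after WM_ENDSESSION


@dataclass
class Process:
    name: str
    shutdown_level: int                    # Csrss walks processes from the highest level down
    console: bool = False                  # console app: control handler instead of messages
    handler_reply: Optional[bool] = None   # console handler result; None = no response
    threads: List[GuiThread] = field(default_factory=list)


def shutdown_session(processes, system_context=False, user_choice="kill"):
    """Model of Csrss's termination loop as described on the slides.

    Returns (status, log): status is "completed" or "aborted", log lists the
    actions taken. user_choice is what the user picks in the hung-program
    dialog ("kill" or "abort"); it is only consulted for the interactive session.
    """
    log = []
    for proc in sorted(processes, key=lambda p: p.shutdown_level, reverse=True):
        if proc.console:
            event = "CTRL_SHUTDOWN_EVENT" if system_context else "CTRL_LOGOFF_EVENT"
            log.append(f"{proc.name}: {event}")
            if system_context:
                # system context: wait out the timeout, no dialog, no kill
                log.append(f"{proc.name}: timeout, left running")
                continue
            if proc.handler_reply is False:
                log.append(f"{proc.name}: handler returned FALSE, killed")
                continue
            # TRUE or no response before the timeout: hung-program dialog
            if user_choice == "abort":
                log.append(f"{proc.name}: hung, user aborted shutdown")
                return "aborted", log
            log.append(f"{proc.name}: hung, user chose to kill")
            continue

        for thread in proc.threads:
            log.append(f"{proc.name}: WM_QUERYENDSESSION")
            if thread.query_reply is not True:
                # assumption: anything other than TRUE is treated as a veto
                log.append(f"{proc.name}: thread did not return TRUE, shutdown cannot proceed")
                return "aborted", log
            log.append(f"{proc.name}: WM_ENDSESSION")
            if thread.exits:
                continue
            if system_context:
                log.append(f"{proc.name}: timeout, left running")
                break
            if user_choice == "abort":
                log.append(f"{proc.name}: hung, user aborted shutdown")
                return "aborted", log
            log.append(f"{proc.name}: hung, user chose to kill")
            break
        else:
            # every thread exited: Csrss terminates the process and moves on
            log.append(f"{proc.name}: terminated")
    return "completed", log


# Constructed sample session (names and levels are illustrative only).
SAMPLE_SESSION = [
    Process("explorer.exe", shutdown_level=0x280, threads=[GuiThread(True, True)]),
    Process("editor.exe", shutdown_level=0x280, threads=[GuiThread(True, False)]),   # hangs
    Process("build.exe", shutdown_level=0x200, console=True, handler_reply=False),
    Process("monitor.exe", shutdown_level=0x100, console=True, handler_reply=None),
]

if __name__ == "__main__":
    status, log = shutdown_session(SAMPLE_SESSION)
    print(status)
    print("\n".join(log))
```

Running the same process list with system_context=True shows the second pass: the same messages and events go out, but every non-responding process is simply left running after its timeout, which is why Smss, Winlogon, the SCM and Lsass are still alive when NtShutdownSystem is reached.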
Finish shutdown (diagram): Winlogon -> NtShutdownSystem -> NtSetSystemPowerState -> I/O manager -> drivers and executive subsystems
Finish shutdown
- Winlogon calls the function NtShutdownSystem to finish the shutdown process.
- That function calls NtSetSystemPowerState to orchestrate the shutdown of drivers and the rest of the executive subsystems.
- NtSetSystemPowerState calls the I/O manager to send shutdown I/O packets to all device drivers that have requested shutdown notification. This action gives device drivers a chance to perform any special processing their device might require before Windows exits.
- The configuration manager flushes any modified registry data to disk.
- The memory manager writes all modified pages containing file data back to their respective files. If the option to clear the paging file at shutdown is enabled, the memory manager clears the paging file at this time.
- The I/O manager is called a second time to inform the file system drivers that the system is shutting down.
- The action the power manager takes depends on whether the user specified a shutdown, a reboot, or a power down.
Windows recovery modes: Last Known Good, Safe Mode, Recovery Console.
Last Known Good
- Press the F8 key during the boot and select Last Known Good from the menu.
- The system marks the present control set as failed by setting the Failed value of HKLM\SYSTEM\Select, then changes HKLM\SYSTEM\Select\Current to the value stored in HKLM\SYSTEM\Select\LastKnownGood.
- It also updates the symbolic link HKLM\SYSTEM\CurrentControlSet to point at the LastKnownGood control set.
Safe Mode The most common reason Windows systems become unbootable is that a device driver crashes the machine during the boot sequence. Safe mode is a concept Windows borrows from Consumer Windows - a boot configuration that consists of the minimal set of device drivers and services. Only rely on the drivers and services that are necessary for booting, and Windows avoids loading third-party and other nonessential drivers that might crash. 124
Safe Mode: When Windows boots, you press the F8 key to enter a special boot menu that contains the safe-mode boot options. There are three safe modes: Standard Safe Mode, Safe Mode With Networking, and Safe Mode With Command Prompt.
Safe Mode: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Safe Mode: Standard safe mode comprises the minimum number of device drivers and services necessary to boot successfully. Networking-enabled safe mode adds network drivers and services to the drivers and services that standard safe mode includes. Safe mode with command prompt is identical to standard safe mode except that Windows runs the command prompt application (cmd.exe) instead of Windows Explorer as the shell when the system enables GUI mode.
Driver Loading in Safe Mode: The device drivers and services of standard and networking-enabled safe mode are listed under the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot registry key. This key contains the Minimal and Network subkeys. Each subkey contains further subkeys that specify the names of device drivers or services, or of groups of drivers. The VGA display driver, for example, provides basic graphics services for any PC-compatible display adapter. Each subkey under the SafeBoot key has a default value that describes what the subkey identifies; the vga.sys subkey's default value is "Driver".
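The two registry mechanisms above (the Select key swap performed by Last Known Good, and the SafeBoot Minimal/Network lists that decide which drivers load in safe mode) as an added example; this is not code from the slides, and the Select and SafeBoot contents are constructed samples, not a dump of a real machine:

```python
# Constructed sample of HKLM\System\Select (values are control-set numbers):
# ControlSet001 booted last time, ControlSet002 is the last known good set.
SELECT = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot. Each
# entry maps a subkey name to its default value ("Driver", "Service" or
# "Driver Group"); the names are illustrative, not a real key's contents.
SAFEBOOT = {
    "Minimal": {"vga.sys": "Driver", "Boot Bus Extender": "Driver Group",
                "EventLog": "Service"},
    "Network": {"vga.sys": "Driver", "Boot Bus Extender": "Driver Group",
                "EventLog": "Service", "NDIS Wrapper": "Driver Group",
                "Dhcp": "Service"},
}


def boot_last_known_good(select):
    """Return the Select key as it looks after choosing Last Known Good:
    the present control set is recorded as Failed and LastKnownGood
    becomes Current."""
    new = dict(select)
    new["Failed"] = select["Current"]
    new["Current"] = select["LastKnownGood"]
    return new


def current_control_set_target(select):
    """Name of the ControlSetNNN key the CurrentControlSet link points at."""
    return f"ControlSet{select['Current']:03d}"


def loads_in_safe_mode(safeboot, mode, name, group):
    """True if a driver or service would load in the given safe mode
    ("Minimal" or "Network"): either its own name is listed as a Driver or
    Service, or the driver group it belongs to is listed as a Driver Group.
    A third-party driver in an unlisted group is therefore skipped."""
    entries = safeboot[mode]
    if entries.get(name) in ("Driver", "Service"):
        return True
    return entries.get(group) == "Driver Group"
```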
Recovery Console: In some situations a safe-mode boot won't help the system boot: a driver that prevents the system from booting is a member of a Safe Boot group; a third-party driver that loads at boot prevents the system from booting; a system module or critical device driver file that is part of a safe-mode configuration becomes corrupt; or the system drive's Master Boot Record (MBR) is damaged. The Recovery Console allows you to boot into a limited command-line shell from the Windows CD or boot disks to repair an installation without having to boot the installation.
Recovery Console: The system prompts you to choose between two repair options: start the Recovery Console (if you press the F10 key, you take a shortcut directly to the Recovery Console) or initiate the emergency repair process. The system prompts you to enter the Administrator account password to log on to the installation as the administrator. If you successfully log on, the system puts you into a command shell that is similar to an MS-DOS environment.
Recovery Console: The command set lets you perform simple file operations (such as copy, rename, and delete), enable and disable services and drivers, and even repair MBRs and boot records. You can only access the following directories: root directories, the system directory of the installation you logged on to, and directories on removable drives such as CDs and 3.5-inch floppy disks. If the security policy settings stored in the SECURITY hive of the installation's registry permit it, you may access other directories.
Recovery Console: This prohibition provides a certain level of security for data that an administrator might not usually be able to access. You can override this restriction by using the Local Security Policy editor (secpol.msc) to configure the Recovery Console settings in the Security Options folder of Local Policies when the system is booted normally.
SOLVING COMMON BOOT PROBLEMS
MBR Corruption
MBR Corruption Symptoms: A system that has MBR corruption will execute the power-on self test (POST) and then hang. You might see one of the following messages: "Invalid Partition Table", "Error Loading Operating System", "Missing Operating System". Cause: The MBR can become corrupt because of hard-disk errors, disk corruption as a result of a driver bug while Windows is running, or intentional scrambling as a result of a virus.
MBR Corruption Resolution: Boot into the Recovery Console and execute the fixmbr command. This command replaces the executable code in the MBR, but it does not repair the partition table. The only way to restore a damaged partition table is to restore it from a backup copy or to use a third-party disk-corruption repair tool.
Boot Sector Corruption
Boot Sector Corruption Symptoms: Boot sector corruption can look like MBR corruption, where the system hangs after BIOS POST at a black screen, or you might see one of the messages "A disk read error occurred", "NTLDR is missing", or "NTLDR is compressed". Cause: The boot sector can become corrupt because of hard disk errors, disk corruption as a result of a driver bug while Windows is running, or intentional scrambling as a result of a virus.
Boot Sector Corruption Resolution: Boot into the Recovery Console and execute the fixboot command. This command rewrites the boot sector of the volume that you specify. You should execute the command on both the system and boot volumes if they are different.
Boot.ini Misconfiguration
Boot.ini Misconfiguration Symptoms: After BIOS POST, you'll see one of the messages "Windows could not start because of a computer disk hardware configuration problem", "Could not read from selected boot disk", or "Check boot path and disk hardware". Cause: Boot.ini misconfiguration may result from the file having been deleted, being corrupted, or no longer referencing the boot volume because the addition of a partition has changed the Advanced RISC Computing (ARC) name of the volume.
Boot.ini Misconfiguration Resolution: Boot into the Recovery Console and execute "bootcfg /rebuild". This command has the Recovery Console scan each volume looking for Windows installations. When it discovers an installation, it asks you whether it should add it to Boot.ini as a boot option and what name it should display for the installation in the boot menu.
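The ARC-name failure described above, as an added example that is not part of the slides: it parses a constructed Boot.ini, then checks each entry against a constructed partition layout in which a new primary partition was inserted ahead of the Windows volume, reporting the partition a volume scan (what "bootcfg /rebuild" performs) would actually find the installation on.

```python
import re

# Constructed Boot.ini in the format NTLDR reads (not copied from a real machine).
BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Constructed layout of rdisk(0) after a new primary partition was added ahead
# of the Windows volume: partition number -> Windows directories found there.
DISK0 = {1: set(), 2: {"\\WINDOWS"}}

# ARC path: multi(A)disk(B)rdisk(C)partition(D)\directory
ARC_RE = re.compile(r"multi\(\d+\)disk\(\d+\)rdisk\((\d+)\)partition\((\d+)\)(\\\S*)")


def parse_boot_ini(text):
    """Return (default ARC path, entries); each entry is
    (arc path, rdisk, partition, directory) from [operating systems]."""
    default, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if section == "boot loader" and key.lower() == "default":
            default = value.strip()
        elif section == "operating systems":
            m = ARC_RE.match(key)
            if m:
                entries.append((key, int(m.group(1)), int(m.group(2)), m.group(3)))
    return default, entries


def stale_arc_entries(entries, disk):
    """Entries whose partition no longer holds the referenced directory, each
    paired with the partition that does hold it (None if no partition does)."""
    stale = []
    for arc, _rdisk, part, directory in entries:
        if directory not in disk.get(part, set()):
            found = next((p for p, dirs in disk.items() if directory in dirs), None)
            stale.append((arc, found))
    return stale
```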
System File Corruption
System File Corruption Symptoms: There are several ways the corruption of system files, which include executables, drivers, and DLLs, can manifest. After BIOS POST, you'll see a message such as "Windows could not start because the following file is missing or corrupt" or "STOP: 0xC0000135 {Unable to Locate Component}". Cause: The volume on which a system file is located is corrupt, or one or more system files have been deleted or become corrupt.
System File Corruption Resolution: Boot into the Recovery Console and execute the chkdsk command. If Chkdsk does not report any problems, obtain a backup copy of the system file in question. One place to check is the \Windows\System32\DllCache directory, in which Windows places copies of many system files. If you cannot find a copy of the file there, see if you can locate a copy on another system in the network. Note that the backup file must be from the same Service Pack or hot fix as the file that you are replacing.
System Hive Corruption Symptoms: If the System registry hive is missing or corrupted, after the BIOS POST NTLDR will display the message "Windows could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM". Cause: The System registry hive, which contains configuration information necessary for the system to boot, has become corrupt or has been deleted.
System Hive Corruption Resolution: Boot into the Recovery Console and execute the chkdsk command on the boot volume to correct any volume corruption. If the problem is not corrected, obtain a backup of the System registry hive. If you have made ASR backups of the system or have used the Windows Backup utility to make backups of system state, copies of the registry hives from the most recent backup are stored in \Windows\Repair. Then copy the file named System to \Windows\System32\Config.
Post-Splash Screen Crash or Hang Symptoms: Problems that occur after the Windows splash screen displays, the desktop appears, or you log in fall into this category. They can appear as a blue-screen crash or a hang, where either the entire system is frozen or the mouse cursor tracks the mouse but the system is otherwise unresponsive. Cause: These problems are almost always a result of a bug in a device driver, but they can sometimes be the result of corruption of a registry hive other than the System hive.
Post-Splash Screen Crash or Hang Resolution: The first thing you should try is the last known good configuration. Last known good (LKG) consists of the registry control set that was last used to boot the system successfully. Because a control set includes the core system configuration and the device driver and services registration database, using a version that does not reflect recent changes or newly installed drivers or services might avoid the source of the problem. You access last known good by pressing the F8 key early in the boot process to reach the same menu from which you can boot into safe mode.
References: WINDOWS XP SHUTDOWN TROUBLESHOOTING, http://www.aumha.org/win5/a/shtdwnxp.php; Microsoft Developer Network (MSDN), http://msdn.microsoft.com/en-us/default.aspx