Troubleshooting Windows 2000/XP start up guide for MCSE/MCSA Windows
Posted by admin on June 21, 2007
1. Power-On Self Test – POST
This is a hardware driven process that the PC will go through. This entails performing various hardware checks – memory, disk etc – and carrying out instructions contained within the system BIOS. Failure at this point will either result in an on-screen diagnostic message or a series of beeps; the number of beeps indicating the nature of the problem. Refer to the BIOS manufacturer for further details. See also: PC boot process.
2. Inital start-up Phase
In this stage of start-up, the settings in CMOS memory are used to determine from where and how the system will load its operating system, notably the storage devices present and boot order. Typically this will be floppy disk, hard disk or CD-ROM although it can also include network adaptors and SCSI controllers.
When the system is to load from is a hard disk – such as when no floppy disk is present – the first sector of the hard disk is loaded. This is known as the Master Boot Record – MBR – and contains a sequence of code and a table of four entries defining the locations on the hard disk of the primary partitions (known as the partition table).
Once loaded, the code from the MBR is used to scan the partition table and find the location of the Active Partition, load the first sector – the boot sector - of this partition and then pass control to it. The code in the boot sector is very small and provides only enough information to understand the partition format sufficiently enough to load a few other files – notably NTLDR – and just from the root of the partition. It now loads NTLDR, the BIOS portion of the boot process finishes and the code in NTLDR takes over.
From this list, it’s obvious that there are several vital elements that must be present for NT, 2000 and XP to load:
- Viable boot media – hard disk, CD-ROM etc.
- If hard disk, a correct partition table with an active partition defined.
- The boot sector of the active partition matching the format of the partition.
- The file ‘Ntldr’ in the root directory of the active partition.If any of these are missing or corrupt an error message is displayed, giving an indication of problem – ie invalid partition table; missing operating system or NTLDR missing.
3. Boot Loader Phase
Once NTLDR is in control it starts the process of loading NT/2000 or XP. This includes:
- Changing memory mode from real to 32-bit.
x86 processes were originally 8 and 16-bit processes with limited addressing capabilities. Modern x86 compatible processes still start in mode to ensure compatibility but can address far greater memory ranges and the first thing XP does is to switch from real-mode to protect-mode with paging for 32-bit memory addressing to enable greater memory ranges.
- Load boot.ini
This file contains the location of the boot partition and possibly a menu allowing selection of other operating systems. Typical boot.ini: [boot loader] timeout=10 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
This shows that the system is to be loaded from the director \WINNT on partition 1 of hard disk 0 and its title is Windows 2000 Professional.
- If more than one OS is specified in Boot.ini, a menu is displayed on screen allowing the user to select which operating system to load.
If multiple operating systems are available but the user doesn’t make a selection within the period defined by the timeout setting the OS specified under the Defaultoption is loaded.If the disk was defined as SCSI in boot.ini, NTLDR would load an further device driver – Ntbootdd.sys – to initialize and negotiate with the SCSI controllers in the computer. NTLDR then finds the boot drive attached to the controller to complete the kernel load.
4. Hardware Detect
NTDLR now loads Ntdetect.com from the root of the boot partition and runs it. This shows a message on screen (in NT and 2000) to the effect ‘NT Detect: checking hardware’ and scans for basic system hardware such as system clock, mouse and keyboard, video adaptors and disks. Ntdetect next passes details of the hardware it has found back to NTLDR. In NT and 20000, this now displays the on-screen message ‘OSLOADER V4.0′, before structuring and organising the information returned by ntdetect.com. It then loads the hardware extraction layer into memory before loading and finally passing control to ntoskrnl.exe, found in systemroot\system32.
5. Kernel Load
The core of operating system is now loaded and established. This includes:
ntoskrnl.exe loads the file systemroot\system32\config\system, builds the registry key HKEY_LOCAL_MACHINE\SYSTEM and reads the information from it. Under this key are various subkeys including Last Known Good, Failed and Default subkeys (later on in the boot process one of these keys can be selected). The kernel then uses information previously returned by ntdetect.com to build HKEY_LOCAL_MACHINE\HARDWARE which contains details of the various hardware and resources to be allocated. As the kernel loads, Windows 2000/XP displays the Start Up progress indicator bar along the bottom of screen.
Once the hardware is up and running the kernel then loads, and if necessary starts, various system services defined in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename.
After this the kernel initiates the session manager (smss.exe) which assigns environmental variables, switches from text to graphics mode, starts the logon manager – winlogon.exe – and creates virtual memory page files.
6. Logon
The start-up process is very nearly complete.
In this final stage, the services subsystem (SCM) and local security authority (LSA) are loaded and the system waits for the CTRL+ALT+DEL key combination. After CTRL+ALT+DEL is detected, the system collects the username and password and sends the information to LSA for authorisation. If authorisation is granted, SCM starts auto-load drivers while winlogin starts up.
After successful login, the Last Known Good registry settings are updated to reflect the current registry; group policy objects are applied and start-up programs run.
