The booting process of Windows NT is the process run to start Windows NT. The process has been changed between releases, with the biggest changes being made with Windows Vista. In versions before Vista, the booting process begins when the BIOS loads the Windows NT bootloader, NTLDR. Starting with Vista, the booting process begins with either the BIOS or UEFI load the Windows Boot Manager, which replaces NTLDR as the bootloader. Next, the bootloader starts the kernel, which starts the session manager, which begins the login process. Once the user is logged in, File Explorer, the graphical user interface used by Windows NT, is started.
Windows Vista introduces a complete overhaul of the Windows operating system loader architecture. The earliest known reference to this revised architecture is included within PowerPoint slides distributed by Microsoft during the Windows Hardware Engineering Conference of 2004 when the operating system was codenamed "Longhorn". This documentation mentions that the Windows operating system loader would be undergoing a significant restructuring in order to support EFI and to "do some major overhaul of legacy code". The new boot architecture completely replaces the NTLDR architecture used in previous versions of Windows NT.
Most of the steps that follow the NT kernel being loaded, including kernel initialization and user-space initialization, are kept the same as in earlier NT systems. Refactoring in Winlogon resulted in GINA being completely replaced by Credential Providers and graphical components in Windows Vista and later.
On systems with a BIOS, the BIOS invokes MBR boot code from a hard disk drive at startup. The MBR boot code and the VBR boot code are OS-specific. In Microsoft Windows, the MBR boot code tries to find an active partition (the MBR is only 512 bytes), then executes the VBR boot code of an active partition. The VBR boot code tries to find and execute NTLDR for Windows XP and earlier, or the Windows Boot Manager for Windows Vista and later, from an active partition.
On systems with a UEFI, the UEFI invokes
bootmgfw.efi from an EFI system partition at startup, starting the Windows Boot Manager.
The Windows NT startup process starts when the computer finds a Windows boot loader, a portion of the Windows operating system responsible for finding Microsoft Windows and starting it up. Prior to Windows Vista, the boot loader was NTLDR. Microsoft has also released operating systems for Intel Itanium processors which use IA-64 architecture. The boot loader of these editions of Windows is IA64ldr.efi (later referred as simply IA64ldr). It is an Extensible Firmware Interface (EFI) program. Windows Vista and later use the Windows Boot Manager (
The boot loader, once executed, searches for Windows operating systems. Windows Boot Manager does so by reading Boot Configuration Data (BCD), a complex firmware-independent database for boot-time configuration data. Its predecessor,
NTLDR, does so by reading the simpler
boot.ini. If the boot.ini file is missing, the boot loader will attempt to locate information from the standard installation directory. For Windows NT and 2000 machines, it will attempt to boot from
C:\WINNT. For machines running Windows XP, 2003, and later, it will boot from
Both databases may contain a list of installed Microsoft operating systems that may be loaded from the local hard disk drive or a remote computer on the local network. NTLDR supports operating systems installed on disks whose file system is NTFS or FAT file systems, CDFS (ISO 9660) or UDFS. Windows Boot Manager also supports operating systems installed inside a VHD file, stored on an NTFS disk drive.
In Windows 2000 or in later versions of Windows in which hibernation is supported, the Windows boot loader starts the search for operating systems by searching for hiberfil.sys. NTLDR looks into the root folder of the default volume specified in boot.ini. Windows Boot Manager looks up the location of hiberfil.sys in BCD. If this file is found and an active memory set is found in it, the boot loader loads the contents of the file (which is a compressed version of a physical memory dump of the machine) into memory and restores the computer to the state that it was in prior to hibernation by running winresume.exe.
Next, the boot loader looks for a list of installed operating system entries. If more than one operating system is installed, the boot loader shows a boot menu and allow the user to select an operating system. If a non NT-based operating system such as Windows 98 is selected (specified by an MS-DOS style of path, e.g. C:\), then the boot loader loads the associated "boot sector" file listed in boot.ini or BCD (by default, this is bootsect.dos if no file name is specified) and passes execution control to it.
Otherwise, the boot process continues. For Windows Vista and after, this is done through a separate program,
The operating system starts when certain basic drivers flagged as "Boot" are loaded into memory. The appropriate file system driver for the partition type (NTFS, FAT, or FAT32) which the Windows installation resides in is amongst them. At this point in the boot process, the boot loader clears the screen and displays a textual progress bar (which is often not seen due to the initialization speed); Windows 2000 also displays the text "Starting Windows..." underneath.
If the user presses F8 during this phase, the advanced options menu is displayed, containing various special boot modes including Safe mode, with the Last Known Good Configuration, with debugging enabled, and (in the case of Server editions) Directory Services Restore Mode. Starting with Windows Vista, this menu was changed significantly. Once a boot mode has been selected (or if F8 was never pressed) booting continues.
Hardware information about the computer is gathered by NTDETECT.COM in Windows XP and earlier or by
winload.exe in later versions. This information is stored in the
HKLM\HARDWARE\DESCRIPTION key in the Windows Registry.
Next the Windows NT kernel (Ntoskrnl.exe), the Hardware Abstraction Layer (hal.dll), kdcom.dll (Kernel Debugger HW Extension DLL), bootvid.dll (the Windows logo and side-scrolling bar), and config\system (one of the registry hives) are loaded.
For Windows XP and earlier, if multiple hardware configurations are defined in the Registry, the user is prompted at this point to choose one.
With the kernel in memory, boot-time device drivers are loaded (but not yet initialized). The required information (along with information on all detected hardware and Windows Services) is stored in the
HKEY_LOCAL_MACHINE\SYSTEM portion of the registry, in a set of registry keys collectively called a Control Set. In Windows XP and earlier, multiple control sets are kept, in the event that the settings contained in the currently-used one prohibit the system from booting.
HKEY_LOCAL_MACHINE\SYSTEM contains control sets labeled
ControlSet002, etc. Windows uses
CurrentControlSet to read and write information, but the key is merely a synthesized link to one of the sets defined by
HKLM\System\Select\Control; it does not exist in the Hive file.
Windows now picks the "real" control set being used based on the values set in the
HKEY_LOCAL_MACHINE\SYSTEM\Select registry key:
Defaultwill be the boot loader's choice if nothing else overrides it.
Default, then the boot loader displays an error message, indicating that the last boot failed, and gives the user the option to try booting anyway, or to use the "Last Known Good Configuration".
LastKnownGoodkey is used instead of
When a control set is chosen, the
Current key gets set accordingly. The
Failed key is also set to the same as
Current until the end of the boot process.
LastKnownGood is also set to
Current if the boot process completes successfully.
Which services are started and the order which each group is started in are provided by the following keys:
For the purposes of booting, a driver may be one of the following:
With this finished, control is then passed from the boot loader to the kernel.
Further information: ntoskrnl.exe
The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases.
During the first phase, basic internal memory structures are created, and each CPU's interrupt controller is initialized. The memory manager is initialized, creating areas for the file system cache, paged and nonpaged pools of memory. The Object Manager, initial security token for assignment to the first process on the system, and the Process Manager itself. The System idle process as well as the System process are created at this point.
The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers.
Through the process of loading device drivers, a "progress bar" is visible at the bottom of the display on Windows 2000 systems; in Windows XP and Windows Server 2003, this was replaced by an animated bar which does not represent actual progress. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.
Further information: Session Manager Subsystem
Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (
smss.exe). The Session Manager stores its configuration at
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.
The Session Manager creates the environment variables located at the registry entry
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. It also creates additional paging files with configuration data from
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
The Session Manager Subsystem is then responsible starting the Win32 subsystem. It starts the kernel-mode side of the subsystem implemented by
win32k.sys. Once this is done, Windows is able to switch into graphical mode as there is now enough infrastructure in place. The user-mode side of the subsystem, Client/Server Runtime Subsystem (
csrss.exe), is also started. This makes the Win32 subsystem available to user-mode applications.
The Session Manager Subsystem is also responsible for doing any operations that are requested to be done at the start of a session. Commands listed in
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, such as
convert, are executed. These commands are run before services are loaded by later steps of the booting process. Any rename operations queued at
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. This is used to allow previously in-use files (e.g. drivers) to be replaced as part of a reboot.
autochk mounts all drives and checks them one at a time to see whether or not they were cleanly unmounted. If autochk determines one or more volumes are dirty, it will automatically run chkdsk and provides the user with a short window to abort the repair process by pressing a key within 10 seconds (introduced in Windows NT 4.0 Service Pack 4; earlier versions would not allow the user to abort chkdsk). Since Windows 2000, XP and 2003 show no text screen at that point (unlike NT 3.1 to 4.0, which displayed a blue text screen), the user will see a different background picture holding a mini-text-screen in the center of the screen and show the progress of chkdsk there.
Starting with Windows Vista, the Session Manager Subsystem creates a temporary instance of itself that launches the Windows Startup Application (
wininit.exe) and a second Client/Server Runtime Subsystem (
csrss.exe) for Session 0, a session decided to system processes. From here, the Windows Startup Application starts the Service Control Manager (
services.exe), which starts all the Windows services that are set to "Auto-Start" and sets the
LastKnownGood to the current control set. The application also starts the Local Security Authority Subsystem Service (
lsass.exe). Before Windows Vista, these processes where started by Windows Logon instead of the Windows Startup Application, which didn't exist. The dedicated session for system processes also didn't exist.
The Session Manager Subsystem now starts Winlogon (Windows Logon Application), which is responsible for handling interactive logons to a Windows system, either local or remote.
Further information: Winlogon
The authentication process is implemented by Winlogon. This program is responsible for responding to the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running.
Winlogon checks if automatic logon is enabled, and if so, logs in to the specified account automatically. If there is not automatic logon enabled, Winlogon starts the process to allow the user to logon. Before Windows Vista this was done by GINA, but starting with Vista this is done by LogonUI. If configured, both of these programs display a prompt for the user to enter the Secure Attention Sequence (SAS) (Control-Alt-Delete). They then display the login dialog which prompts the user to enter their credentials. Once the user submits these credentials, they are passed to LSASS and any other additional network credential providers. This allows multiple network providers to authenticate the user at once during normal logon.
LSASS first tries to use cached data in the LSA database, the SECURITY hive of the registry. If there is none, LSASS determines which account protocol is to be used by using the security packages listed in the key
HKLM\SYSTEM\CurrentControlSet\Control\Lsa. There are two standard packages,
msv1_0.dll, which implements the NTLM protocols, and
Kerberos.dll, which provides remote login by using Active Directory.
msv1_0.dll is used in stand-alone systems and domain-member systems for backward compatibility. If the user is trying to log into the local host then
msv1_0.dll uses the Security Account Manager database located at
HKLM/SAM. If the user is trying to log into another host then the NetLogon service is used to carry the data with the following sequence:
msv1_0.dll <-> netlogon <-> remote netlogon <-> remote msv1_0.dll <-> remote SAM
After the user is authenticated, LSASS enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.) and passes control pack to Winlogon. Winlogon creates and opens an interactive windows station,
WinSta0, and creates three desktops,
ScreenSaver. Winlogon switches from the Winlogon desktop to the
Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. The system switches back to the
Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown. Winlogon now starts the program specified in the Userinit value which defaults to
userinit.exe. This value supports multiple executables.
Further information: File Explorer
Userinit is the first program that runs with the user credentials. It is responsible to start all the other programs that compose the user shell environment.
The shell program (typically
Explorer.exe) is started from the registry entry
Shell= pointed to by the same registry entry in key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot; its default value is
SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, which evaluates to
Userinit starts by loading the user profile. There are a few types of user profiles and it can be local or remote. This process can be very slow if the user profile is of the "roaming" type. User and Computer Group Policy settings are then applied and user scripts, machine scripts, and
proquota.exe are run. Startup programs are started and then the shell configured in registry, which defaults to
Userinit exits and the shell program continues running without a parent process.
Userinit runs startup programs from the following locations:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\(this path is localized on non-English versions of Windows before Vista)
%USERPROFILE%\Start Menu\Programs\Startup\(this path is localized on non-English versions of Windows before Vista)
With the advent of the new boot manager in Windows Vista, many components have been changed; one is the Advanced Boot Options menu that provides options for advanced boot modes (e.g., Safe Mode). Due to the implementation of fast startup in Windows 8 and up, access to the Advanced Boot Options menu has been disabled by default. However, access is still possible with a BCD modification. These are the possible boot modes:
explorerat the command prompt.
ntbtlog.txt, a file that will log the boot process; listing drivers that loaded and drivers that did not.
The ABO menu is accessible by rapidly pressing or holding the
F8 key before Windows boots. Starting from Windows 8 on UEFI, it can only be accessed by clicking
Restart while holding the
Further information: Windows Deployment Services
To successfully boot, the client must support PXE booting and the Windows Deployment Services (WDS) component must be installed on the server. It is not installed by default. WDS is the successor of Remote Installation Services (RIS).
The PXE program is found on the BIOS or on a ROM chip on the network card.
PXE booting is not a technology specific to Windows and can also be used to start a Linux system. In fact, a Linux system can act as a server to service DHCP or TFTP.
PXE can be used to start Windows Setup to install the system on the client computer or to run the operating system from RAM. The latter, called Remote Boot, was introduced by Windows XP Embedded SP1 and is only available for this flavor of Windows.
The general process for both methods is as follows:
PXEboot.com) through TFTP
The Boot Information Negotiation Layer (BINL) is a Windows 2000 service running on the server that communicates with the client after the NBP was already loaded by the PXE.