Software:Windows NT 6 startup process

From HandWiki
Revision as of 14:46, 7 March 2023 by LinXED (talk | contribs) (update)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Short description: Boot process used in modern Windows NT-based products
Windows Boot Manager (bootmgr)
Other namesbootmgr
Developer(s)Microsoft
Operating systemWindows
Predecessorntldr
TypeBootloader
LicenseProprietary

The startup process of Windows NT 6 (Windows Vista and later) differ from the startup process part of previous versions of Windows.

In this article, unless otherwise specified, what is said about Windows Vista also applies to all later NT operating systems. For Windows Vista, the boot sector or UEFI loads the Windows Boot Manager (a file named BOOTMGR on either the system or the boot partition), accesses the Boot Configuration Data store and uses the information to load the operating system. Then, the BCD invokes the boot loader and in turn proceeds to initiate the Windows kernel. Initialization at this point proceeds similarly to previous Windows NT versions.[1]

History

Windows Vista introduces a complete overhaul of the Windows operating system loader architecture.[2][3] The earliest known reference to this revised architecture is included within PowerPoint slides distributed by Microsoft during the Windows Hardware Engineering Conference of 2004 when the operating system was codenamed "Longhorn."[4] This documentation mentions that the Windows operating system loader would be undergoing a significant restructuring in order to support EFI and to "do some major overhaul of legacy code."[5] The new boot architecture completely replaces the NTLDR architecture used in previous versions of Windows NT.[3]

Most of the steps that follows the NT kernel being loaded, including kernel initialization and user-space initialization, is kept the same as in earlier NT systems.[1] Refactoring in Winlogon resulted in GINA being completely replaced by Credential Providers and graphical components in Windows Vista and later.[6]

Boot Configuration Data

Windows Boot Manager (BOOTMGR) with Windows 7 highlighted and options to load Windows Vista through BOOTMGR and XP through NTLDR.

Boot Configuration Data (BCD) is a firmware-independent database for boot-time configuration data. It is used by Microsoft's new Windows Boot Manager and replaces the boot.ini that was used by NTLDR.

Boot Configuration Data is stored in a data file that has the same format as Windows Registry hives and is eventually mounted at registry key [HKEY_LOCAL_MACHINE\BCD00000][7] (with restricted permissions[8]). For UEFI boot, the file is located at /EFI/Microsoft/Boot/BCD on the EFI System Partition. For traditional BIOS boot, the file is at /boot/BCD on the active partition.[9]

bcdedit
Developer(s)Microsoft
Operating systemMicrosoft Windows
TypeCommand
LicenseProprietary commercial software
Websitedocs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit

Boot Configuration Data may be altered using a command-line tool (bcdedit.exe), using the Registry Editor[7] (regedit.exe), using Windows Management Instrumentation, or with third-party tools such as EasyBCD, BOOTICE,[10] or Visual BCD Editor.[11]

Boot Configuration Data contain the menu entries that are presented by the Windows Boot Manager, just as boot.ini contained the menu entries that were presented by NTLDR. These menu entries can include:

  • Options to boot Windows Vista and later by invoking winload.exe.
  • Options to resume Windows Vista and later from hibernation by invoking winresume.exe.
  • Options to boot a prior version of the Windows NT family by invoking its NTLDR.
  • Options to load and to execute a volume boot record.

Boot Configuration Data allows for third-party integration, so anyone can implement tools like diagnostics or recovery options.

Boot loaders

bootmgr

The BIOS invokes MBR boot code from a hard disk drive at startup. The MBR boot code and the VBR boot code are OS-specific. In Microsoft Windows, the MBR boot code tries to find an active partition (the MBR is only 512 bytes), then executes the VBR boot code of an active partition. The VBR boot code tries to find and execute the bootmgr file from an active partition.[12]

The UEFI invokes bootmgfw.efi from an EFI system partition at startup.

winload.exe

The Windows Boot Manager invokes winload.exe—the operating system boot loader—to load the operating system kernel executive (ntoskrnl.exe) and core device drivers. In that respect, winload.exe is functionally equivalent to the operating system loader function of NTLDR in prior versions of Windows NT. In UEFI systems, the file is called winload.efi and the file is always located at \windows\system32 or \windows\system32\boot.

winresume.exe

If the computer has recently hibernated, then bootmgr will instead invoke winresume.exe. In UEFI systems, the file is called winresume.efi and is always located at \windows\system32 or \windows\system32\boot.[13]

Advanced Boot Options

With the advent of the new boot manager in Windows Vista, many components have been changed; one is the Advanced Boot Options menu that provides options for advanced boot modes (e.g., Safe Mode). Due to the implementation of fast startup in Windows 8 and up, access to the Advanced Boot Options menu has been disabled by default. However, access is still possible with a BCD modification. These are the possible boot modes:

  • Repair Your Computer - Boots Windows Recovery Environment (WinRE or Windows RE)
  • Safe Mode - Loads Safe Mode, a boot mode with minimal drivers and resources intended for malware removal or replacing faulty drivers.
  • Safe Mode with Networking - Loads Safe Mode along with the network drivers.
  • Safe Mode with Command Prompt - Loads Safe Mode with the Command Prompt as the shell instead of Windows Explorer. Windows Explorer can still be loaded by typing explorer at the command prompt.
  • Enable Boot Logging - Enables writing of ntbtlog.txt, a file that will log the boot process; listing drivers that loaded and drivers that did not.
  • Enable low resolution video - Disables the default graphics driver and uses the standard VGA driver. Intended in case the user changed the resolution to an unusable level (i.e. 320×200 at low refresh rates <24 Hz, 60 Hz>)
  • Last Known Good Configuration - Loads configuration based on the last successful boot process. Intended for Registry corruptions. This mode is removed in Windows 8 and later versions of Windows.
  • Directory Services Restore Mode - Boot mode used to reboot the Domain Controller in case it is not working as intended.
  • Debugging Mode - Boots while loading the kernel debugger.
  • Disable automatic restart on system failure - Disables the auto-reboot function after a Blue Screen of Death is experienced.
  • Disable early launch anti-malware driver - ELAM prechecks boot required drivers for signatures and tampering. Disabling ELAM is intended to allows booting on false positive driver checks but could also allow a tampered driver to load.[14]
  • Disable Driver Signature Enforcement - Disables the kernel setting that prohibits unsigned drivers from loading.
  • Start Windows Normally

The ABO menu is accessible by rapidly pressing or holding the F8 key before Windows boots. Starting from Windows 8 on UEFI, it can only be accessed by clicking Restart while holding the Shift key.

See also

References

  1. 1.0 1.1 "The Windows NT 6 boot process". Frequently Given Answers. https://jdebp.eu/FGA/windows-nt-6-boot-process.html. 
  2. "Inside the Windows Vista Kernel – Startup Processes". Microsoft. https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx. 
  3. 3.0 3.1 Microsoft (February 4, 2008). "Boot Configuration Data in Windows Vista" (DOCX). http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/BCD.docx. 
  4. "Microsoft Longhorn" (in EN). Experience Longhorn. https://longhorn.ms/. 
  5. Ritz, Andrew (2004). "EFI and Windows 'Longhorn'" (PPT). Microsoft. http://download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2-893d-a6f2295b40c8/TW04022_WINHEC2004.ppt. 
  6. "Winlogon and GINA". Microsoft. http://msdn.microsoft.com/en-us/library/aa380543.aspx. 
  7. 7.0 7.1 Russinovich, Mark (8 November 2011). "Fixing Disk Signature Collisions". Mark's Blog. Microsoft TechNet (Microsoft Corporation). https://docs.microsoft.com/en-us/archive/blogs/markrussinovich/fixing-disk-signature-collisions. 
  8. "Why can't I edit the system BCD store via regedit?". http://superuser.com/questions/654971/why-cant-i-edit-the-system-bcd-store-via-regedit. 
  9. Microsoft. "Knowledge Base Article ID: 2004518". https://support.microsoft.com/en-us/kb/2004518. 
  10. Pauly. "BOOTICE board index". http://bbs.ipauly.com/viewforum.php?f=2. 
  11. Bo Yans. "Visual BCD Editor". http://www.boyans.net. 
  12. "Boot Sequence of Windows Multi-Boot - Multibooters.com". http://www.multibooters.com/guides/boot-sequence-of-mixed-windows-multiboot.html. 
  13. Hudek, Ted; Marshall, Don; Graf, Eliot (23 April 2019). "Overview of Boot Options in Windows" (in EN). Microsoft. https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-options-in-windows. 
  14. QuinnRadich. "Early launch antimalware - Win32 apps" (in en-us). https://docs.microsoft.com/en-us/windows/win32/w8cookbook/secured-boot. 

Further reading