Windows Vista introduces a complete overhaul of the Windows operating system loader architecture.^[1][2] The earliest known reference to this revised architecture is included within PowerPoint slides distributed by Microsoft during the Windows Hardware Engineering Conference of 2004 when the operating system was codenamed "Longhorn". This documentation mentions that the Windows operating system loader would be undergoing a significant restructuring in order to support EFI and to "do some major overhaul of legacy code".^[3] The new boot architecture completely replaces the NTLDR architecture used in previous versions of Windows NT.^[2]

Most of the steps that follow the NT kernel being loaded, including kernel initialization and user-space initialization, are kept the same as in earlier NT systems.^[4] Refactoring in Winlogon resulted in GINA being completely replaced by Credential Providers and graphical components in Windows Vista and later.^[5]

On systems with a BIOS, the BIOS invokes MBR boot code from a hard disk drive at startup. The MBR boot code and the VBR boot code are OS-specific. In Microsoft Windows, the MBR boot code tries to find an active partition (the MBR is only 512 bytes), then executes the VBR boot code of an active partition. The VBR boot code tries to find and execute NTLDR for Windows XP and earlier, or the Windows Boot Manager for Windows Vista and later, from an active partition.^[6]

On systems with a UEFI, the UEFI invokes bootmgfw.efi from an EFI system partition at startup, starting the Windows Boot Manager.

The Windows NT startup process starts when the computer finds a Windows boot loader, a portion of the Windows operating system responsible for finding Microsoft Windows and starting it up. Prior to Windows Vista, the boot loader was NTLDR. Microsoft has also released operating systems for Intel Itanium processors which use IA-64 architecture. The boot loader of these editions of Windows is IA64ldr.efi (later referred as simply IA64ldr). It is an Extensible Firmware Interface (EFI) program.^[7] Windows Vista and later use the Windows Boot Manager (bootmgr).

Operating system selection Edit

The boot loader, once executed, searches for Windows operating systems. Windows Boot Manager does so by reading Boot Configuration Data (BCD), a complex firmware-independent database for boot-time configuration data. Its predecessor, NTLDR, does so by reading the simpler boot.ini. If the boot.ini file is missing, the boot loader will attempt to locate information from the standard installation directory. For Windows NT and 2000 machines, it will attempt to boot from C:\WINNT. For machines running Windows XP, 2003, and later, it will boot from C:\WINDOWS.

Both databases may contain a list of installed Microsoft operating systems that may be loaded from the local hard disk drive or a remote computer on the local network. NTLDR supports operating systems installed on disks whose file system is NTFS or FAT file systems, CDFS (ISO 9660) or UDFS.^[8] Windows Boot Manager also supports operating systems installed inside a VHD file, stored on an NTFS disk drive.^[9]

In Windows 2000 or in later versions of Windows in which hibernation is supported, the Windows boot loader starts the search for operating systems by searching for hiberfil.sys. NTLDR looks into the root folder of the default volume specified in boot.ini. Windows Boot Manager looks up the location of hiberfil.sys in BCD. If this file is found and an active memory set is found in it, the boot loader loads the contents of the file (which is a compressed version of a physical memory dump of the machine) into memory and restores the computer to the state that it was in prior to hibernation by running winresume.exe.

Next, the boot loader looks for a list of installed operating system entries. If more than one operating system is installed, the boot loader shows a boot menu and allow the user to select an operating system. If a non NT-based operating system such as Windows 98 is selected (specified by an MS-DOS style of path, e.g. C:\), then the boot loader loads the associated "boot sector" file listed in boot.ini or BCD (by default, this is bootsect.dos if no file name is specified) and passes execution control to it.

Otherwise, the boot process continues. For Windows Vista and after, this is done through a separate program, winload.exe.

Loading the Windows NT kernel Edit

The operating system starts when certain basic drivers flagged as "Boot" are loaded into memory. The appropriate file system driver for the partition type (NTFS, FAT, or FAT32) which the Windows installation resides in is amongst them. At this point in the boot process, the boot loader clears the screen and displays a textual progress bar (which is often not seen due to the initialization speed); Windows 2000 also displays the text "Starting Windows..." underneath.

If the user presses F8 during this phase, the advanced options menu is displayed, containing various special boot modes including Safe mode, with the Last Known Good Configuration, with debugging enabled, and (in the case of Server editions) Directory Services Restore Mode. Starting with Windows Vista, this menu was changed significantly. Once a boot mode has been selected (or if F8 was never pressed) booting continues.

Hardware information about the computer is gathered by NTDETECT.COM in Windows XP and earlier or by winload.exe in later versions. This information is stored in the HKLM\HARDWARE\DESCRIPTION key in the Windows Registry.

Next the Windows NT kernel (Ntoskrnl.exe), the Hardware Abstraction Layer (hal.dll), kdcom.dll (Kernel Debugger HW Extension DLL), bootvid.dll (the Windows logo and side-scrolling bar), and config\system (one of the registry hives) are loaded.

For Windows XP and earlier, if multiple hardware configurations are defined in the Registry, the user is prompted at this point to choose one.

With the kernel in memory, boot-time device drivers are loaded (but not yet initialized). The required information (along with information on all detected hardware and Windows Services) is stored in the HKEY_LOCAL_MACHINE\SYSTEM portion of the registry, in a set of registry keys collectively called a Control Set. In Windows XP and earlier, multiple control sets are kept, in the event that the settings contained in the currently-used one prohibit the system from booting. HKEY_LOCAL_MACHINE\SYSTEM contains control sets labeled ControlSet001, ControlSet002, etc. Windows uses CurrentControlSet to read and write information, but the key is merely a synthesized link to one of the sets defined by HKLM\System\Select\Control; it does not exist in the Hive file.^[10]

Windows now picks the "real" control set being used based on the values set in the HKEY_LOCAL_MACHINE\SYSTEM\Select registry key:

• Default will be the boot loader's choice if nothing else overrides it.
• If the value of the Failed key matches Default, then the boot loader displays an error message, indicating that the last boot failed, and gives the user the option to try booting anyway, or to use the "Last Known Good Configuration".
• If the user chooses (or has chosen) Last Known Good Configuration, the control set indicated by the LastKnownGood key is used instead of Default.

When a control set is chosen, the Current key gets set accordingly. The Failed key is also set to the same as Current until the end of the boot process. LastKnownGood is also set to Current if the boot process completes successfully.

Which services are started and the order which each group is started in are provided by the following keys:

• HKLM\SYSTEM\CurrentControlSet\Services
• HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

For the purposes of booting, a driver may be one of the following:

• A "Boot" driver that is loaded by the boot loader prior to starting the kernel. "Boot" drivers are almost exclusively drivers for hard-disk controllers and file systems (ATA, SCSI, file system filter manager, etc.); in other words, they are the absolute minimum that the kernel will need to get started with loading other drivers, and the rest of the operating system.
• A "System" driver which is loaded and started by the kernel after the boot drivers. "System" drivers cover a wider range of core functionality, including the display driver, CD-ROM support, and the TCP/IP stack.
• An "Automatic" driver which is loaded much later when the GUI already has been started.

With this finished, control is then passed from the boot loader to the kernel.

The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases.

During the first phase, basic internal memory structures are created, and each CPU's interrupt controller is initialized. The memory manager is initialized, creating areas for the file system cache, paged and nonpaged pools of memory. The Object Manager,^[11] initial security token for assignment to the first process on the system, and the Process Manager itself. The System idle process as well as the System process are created at this point.

The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers.

Through the process of loading device drivers, a "progress bar" is visible at the bottom of the display on Windows 2000 systems; in Windows XP and Windows Server 2003, this was replaced by an animated bar which does not represent actual progress. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.

Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (smss.exe). The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.^[12]

The Session Manager creates the environment variables located at the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. It also creates additional paging files with configuration data from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.^[13]

The Session Manager Subsystem is then responsible starting the Win32 subsystem. It starts the kernel-mode side of the subsystem implemented by win32k.sys.^[13] Once this is done, Windows is able to switch into graphical mode as there is now enough infrastructure in place. The user-mode side of the subsystem, Client/Server Runtime Subsystem (csrss.exe), is also started.^[13] This makes the Win32 subsystem available to user-mode applications.

The Session Manager Subsystem is also responsible for doing any operations that are requested to be done at the start of a session. Commands listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, such as autochk and convert, are executed. These commands are run before services are loaded by later steps of the booting process.^[13] Any rename operations queued at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. This is used to allow previously in-use files (e.g. drivers) to be replaced as part of a reboot.^[14]

autochk mounts all drives and checks them one at a time to see whether or not they were cleanly unmounted. If autochk determines one or more volumes are dirty, it will automatically run chkdsk and provides the user with a short window to abort the repair process by pressing a key within 10 seconds (introduced in Windows NT 4.0 Service Pack 4; earlier versions would not allow the user to abort chkdsk). Since Windows 2000, XP and 2003 show no text screen at that point (unlike NT 3.1 to 4.0, which displayed a blue text screen), the user will see a different background picture holding a mini-text-screen in the center of the screen and show the progress of chkdsk there.^[15]

Starting with Windows Vista, the Session Manager Subsystem creates a temporary instance of itself that launches the Windows Startup Application (wininit.exe) and a second Client/Server Runtime Subsystem (csrss.exe) for Session 0, a session decided to system processes. From here, the Windows Startup Application starts the Service Control Manager (services.exe), which starts all the Windows services that are set to "Auto-Start" and sets the LastKnownGood to the current control set.^[14] The application also starts the Local Security Authority Subsystem Service (lsass.exe). Before Windows Vista, these processes where started by Windows Logon instead of the Windows Startup Application, which didn't exist. The dedicated session for system processes also didn't exist.^[16]

The Session Manager Subsystem now starts Winlogon (Windows Logon Application), which is responsible for handling interactive logons to a Windows system, either local or remote.^[16]

The authentication process is implemented by Winlogon. This program is responsible for responding to the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running.

Winlogon checks if automatic logon is enabled, and if so, logs in to the specified account automatically.^[17] If there is not automatic logon enabled, Winlogon starts the process to allow the user to logon. Before Windows Vista this was done by GINA,^[18] but starting with Vista this is done by LogonUI. If configured, both of these programs display a prompt for the user to enter the Secure Attention Sequence (SAS) (Control-Alt-Delete). They then display the login dialog which prompts the user to enter their credentials. Once the user submits these credentials, they are passed to LSASS and any other additional network credential providers. This allows multiple network providers to authenticate the user at once during normal logon.^[19][18]

LSASS first tries to use cached data in the LSA database, the SECURITY hive of the registry. If there is none, LSASS determines which account protocol is to be used by using the security packages listed in the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa. There are two standard packages, msv1_0.dll, which implements the NTLM protocols, and Kerberos.dll, which provides remote login by using Active Directory. msv1_0.dll is used in stand-alone systems and domain-member systems for backward compatibility. If the user is trying to log into the local host then msv1_0.dll uses the Security Account Manager database located at HKLM/SAM. If the user is trying to log into another host then the NetLogon service is used to carry the data with the following sequence:

msv1_0.dll <-> netlogon <-> remote netlogon <-> remote msv1_0.dll <-> remote SAM 

After the user is authenticated, LSASS enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.) and passes control pack to Winlogon. Winlogon creates and opens an interactive windows station, WinSta0,^[20] and creates three desktops, Winlogon, Default and ScreenSaver. Winlogon switches from the Winlogon desktop to the Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. The system switches back to the Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown.^[21] Winlogon now starts the program specified in the Userinit value which defaults to userinit.exe. This value supports multiple executables.^[19]

Userinit is the first program that runs with the user credentials. It is responsible to start all the other programs that compose the user shell environment.

The shell program (typically Explorer.exe) is started from the registry entry Shell= pointed to by the same registry entry in key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot; its default value is SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, which evaluates to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.^[22]

Userinit starts by loading the user profile. There are a few types of user profiles and it can be local or remote. This process can be very slow if the user profile is of the "roaming" type. User and Computer Group Policy settings are then applied and user scripts, machine scripts, and proquota.exe are run. Startup programs are started and then the shell configured in registry, which defaults to explorer.exe. Now Userinit exits and the shell program continues running without a parent process.

Userinit runs startup programs from the following locations:^[13]

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)
• %USERPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)

With the advent of the new boot manager in Windows Vista, many components have been changed; one is the Advanced Boot Options menu that provides options for advanced boot modes (e.g., Safe Mode). Due to the implementation of fast startup in Windows 8 and up, access to the Advanced Boot Options menu has been disabled by default. However, access is still possible with a BCD modification. These are the possible boot modes:

• Repair Your Computer - Boots Windows Recovery Environment (WinRE or Windows RE)
• Safe Mode - Loads Safe Mode, a boot mode with minimal drivers and resources intended for malware removal or replacing faulty drivers.
• Safe Mode with Networking - Loads Safe Mode along with the network drivers.
• Safe Mode with Command Prompt - Loads Safe Mode with the Command Prompt as the shell instead of Windows Explorer. Windows Explorer can still be loaded by typing explorer at the command prompt.
• Enable Boot Logging - Enables writing of ntbtlog.txt, a file that will log the boot process; listing drivers that loaded and drivers that did not.
• Enable low resolution video - Disables the default graphics driver and uses the standard VGA driver. Intended in case the user changed the resolution to an unusable level (i.e. 320×200 at low refresh rates <24 Hz, 60 Hz>)
• Last Known Good Configuration - Loads configuration based on the last successful boot process. Intended for Registry corruptions. This mode is removed in Windows 8 and later versions of Windows.
• Directory Services Restore Mode - Boot mode used to reboot the Domain Controller in case it is not working as intended.
• Debugging Mode - Boots while loading the kernel debugger.
• Disable automatic restart on system failure - Disables the auto-reboot function after a Blue Screen of Death is experienced.
• Disable early launch anti-malware driver - ELAM prechecks boot required drivers for signatures and tampering. Disabling ELAM is intended to allow booting on false positive driver checks but could also allow a tampered driver to load.^[23]
• Disable Driver Signature Enforcement - Disables the kernel setting that prohibits unsigned drivers from loading.
• Start Windows Normally

The ABO menu is accessible by rapidly pressing or holding the F8 key before Windows boots. Starting from Windows 8 on UEFI, it can only be accessed by clicking Restart while holding the Shift key.

To successfully boot, the client must support PXE booting and the Windows Deployment Services (WDS) component must be installed on the server. It is not installed by default. WDS is the successor of Remote Installation Services (RIS).

The PXE program is found on the BIOS or on a ROM chip on the network card.

PXE booting is not a technology specific to Windows and can also be used to start a Linux system. In fact, a Linux system can act as a server to service DHCP or TFTP.

PXE can be used to start Windows Setup to install the system on the client computer or to run the operating system from RAM. The latter, called Remote Boot, was introduced by Windows XP Embedded SP1^[24] and is only available for this flavor of Windows.^[25]

The general process for both methods is as follows:

• PXE boots
• DHCP request broadcast
• Optionally DHCP router redirects to the server
• The server sends the Network Bootstrap Program (NBP) (PXEboot.com)^[26] through TFTP
• The NBP program downloads the required files through the BINL protocol

The Boot Information Negotiation Layer (BINL) is a Windows 2000 service running on the server that communicates with the client after the NBP was already loaded by the PXE.

• Architecture of Windows NT
• Windows Setup
  • Booting process of Windows NT Setup before Vista
• Booting process of DOS-based Windows
• Booting process of Linux
• Master boot record
• Power-on self-test
• BootVis

• How to edit SETUPAPI.DLL January 6, 2019, at the Wayback Machine