Windows Boot Process

Intro

My notes on how Windows boots. These other notes are relevant as well:

Documentation

Tips and Tidbits

Boot Process


Windows NT OS Kernel

  • The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START.

  • The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.

Initializing the Kernel and Executive Subsystems

More details can be found here: Inside the Boot Process, Part 2

  • The NT Kernel goes through two phases in its boot process: phase 0 and phase 1.

  • Phase 0 initializes just enough of the Kernel and Executive subsystems so that basic services required for the completion of initialization become operational in phase 1.

  • NT keeps interrupts disabled during phase 0 and enables them before phase 1.

  • Most Executive subsystems implement their initialization code by having one function take a parameter that identifies which phase is executing.

  • As its last step, the Process Manager creates the System process and launches a thread for this process that will direct phase 1 initialization.

  • The I/O Manager's initialization is particularly interesting, because it is during phase 1 initialization that the boot drivers that NTLDR loaded finally start.

  • Immediately after initializing the boot drivers, the I/O Manager loads and initializes all drivers marked as SERVICE_SYSTEM_START (system start).

  • At the end of the Phase1Initialization function, the NT Kernel and Executive subsystems are fully operational. The function's last action is to launch the Session Manager Subsystem (SMSS, which is in \winnt\system32\smss.exe) user-mode process.

  • SMSS is responsible for creating the user-mode environment that provides the visible interface to NT.


Source: Boot sequence flowchart

SMSS

Source: Inside the Boot Process, Part 2

  • SMSS is a native application.

  • SMSS doesn't use Win32 APIs; it uses only core Executive APIs known collectively as NT's Native API.

  • SMSS doesn't use the Win32 APIs because the Win32 subsystem isn't executing when SMSS launches.

    • In fact, one of SMSS's tasks is to start the Win32 subsystem.

  • SMSS first processes commands in the Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\BootExecute.

    • Typically, this value contains one command to run the CHKDSK disk consistency checking application.

  • SMSS creates page files after CHKDSK runs so that larger applications can begin to execute.

  • Then, SMSS calls the Configuration Manager Executive subsystem to finish initializing the Registry.

  • Finally, SMSS launches csrss.exe and winlogon.exe.

    • CSRSS is the user-mode portion of the Win32 subsystem, and Winlogon is the logon manager.

Winlogon

  • Winlogon starts the Services subsystem (\winnt\system32\services.exe), which loads all services and device drivers marked Auto Start. (The Services subsystem is also known as the Service Control Manager, or SCM.)

  • At approximately the time the Services subsystem is starting networking services, Winlogon presents users with the initial logon dialog box. That action brings us to the end of the boot process.
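The three early-boot load points in these notes (SMSS's BootExecute value, the BOOT_START and SYSTEM_START drivers started by the kernel and I/O Manager, and the Auto Start entries the SCM starts) are all read from the registry, so they can be audited from a defender's side. The script below is an added example, not part of the original notes; it assumes a Windows host with read access to HKLM, uses the full BootExecute path under Control\Session Manager, and treats the single autochk entry as the assumed stock value.

```powershell
# Added example (not from the original notes): audit the boot-time load points
# described above. Assumes Windows with read access to HKLM (no elevation needed).

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$servicesRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Start values as defined by the SERVICE_*_START constants.
$startNames = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }
# Type bit 0x1 = kernel driver, 0x2 = file-system driver; anything else is a service.
$driverTypeMask = 0x3

# 1. BootExecute: SMSS runs every entry here before page files exist and before the
#    Win32 subsystem is up. The stock value is the single autochk entry (assumed default).
$expectedBootExecute = @('autocheck autochk *')
$bootExecute = (Get-ItemProperty -Path $sessionManager -Name BootExecute).BootExecute
$unexpected  = $bootExecute | Where-Object { $_ -notin $expectedBootExecute }
if ($unexpected) {
    Write-Warning 'Non-default BootExecute entries (review these):'
    $unexpected | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "BootExecute is the expected default: $($bootExecute -join '; ')"
}

# 2. Drivers and services grouped by start type, in the order the notes describe:
#    kernel (BOOT_START), I/O Manager (SYSTEM_START), then the SCM (AUTO_START).
$entries = foreach ($key in Get-ChildItem -Path $servicesRoot) {
    $p = Get-ItemProperty -Path $key.PSPath
    if ($null -eq $p.Start -or $null -eq $p.Type) { continue }   # not a service/driver key
    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = $startNames[[int]$p.Start]
        Kind      = if (($p.Type -band $driverTypeMask) -ne 0) { 'driver' } else { 'service' }
        ImagePath = $p.ImagePath
    }
}

# Summary count per start type and kind.
$entries | Group-Object Start, Kind | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# Drivers that load before any user-mode code runs; review these against a known-good baseline.
$entries | Where-Object { $_.Kind -eq 'driver' -and $_.Start -in 'BOOT_START', 'SYSTEM_START' } |
    Sort-Object Start, Name | Format-Table Name, Start, ImagePath -AutoSize
```

Diffing the BOOT_START and SYSTEM_START list against a baseline taken from a clean image is the practical check, since those drivers run before any user-mode security tooling starts.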

© Roger Cruz - All rights reserved