Section 1.2: The Windows XP Professional Boot Process
1.2.1: Files Used in the Boot Process
A Windows XP Professional Intel-based boot sequence requires a number of files. A list of these files, their appropriate locations and the stages of the boot process associated with each file are listed in Table 1.7
Note: Systemroot represents the path to your Windows XP Professional installation folder, which by default is C:Winnt
Table 1.7: Files Used in the Windows XP Professional Boot Process
| File | Location | Boot stage |
|---|---|---|
| Ntldr | System partition root (C: ) | Preboot and boot |
| Boot.ini | System partition root | Boot |
| Bootsect.dos | System partition root | Boot (optional) |
| Ntdetect.com | System partition root | Boot |
| Ntbootdd.sys | System partition root | Boot (optional) |
| Ntoskrnl.exe | systemroot\System32 | Kernel load |
| Hal.dll | systemroot\System32 | Kernel load |
| System | systemroot\System32\Config | Kernel initialization |
| Device drivers | systemroot\System32\Drivers | Kernel initialization |
Note: The string systemroot (typed as %systemroot%) represents the folder in the boot partition that contains the Windows XP Professional system files.
1.2.1.1: Preboot Sequence
During startup, a Windows XP Professional-based computer initializes the boot portion of the hard disk and the preboot sequence begins. This sequence consists of four steps:
- The computer runs power-on self test (POST) process to determine the amount of physical memory; and
- The hardware components are present.
- If the computer has a Plug and Play (BIOS), enumeration and configuration of hardware devices occurs.
- The computer BIOS locates the boot device and loads and runs the master boot record (MBR).
Note: Windows XP Professional modifies the boot sector during installation so that Ntldr loads during system startup. Therefore you should disable the Boot Sector Virus Protection in your BIOS Setup.
1.2.1.2: Boot Sequence
After the computer loads Ntldr into memory, the boot sequence gathers information about hardware and drivers in preparation for the Windows XP Professional load phases. The boot sequence uses the following files: Ntldr, Boot.ini, Bootsect.dos (optional), Ntdetect.com, and Ntoskrnl.exe.
The boot sequence also has five phases:
- Initial Boot Loader Phase: During the initial boot loader phase, Ntldr switches the microprocessor from real mode to 32-bit flat memory mode, which Ntldr requires. Then, Ntldr starts the appropriate the minifile system drivers. The minifile system drivers are built into Ntldr so that Ntldr can find and load Windows XP Professional from partitions formatted with either the FAT or NTFS file system.
- Operating System Selection Phase: During the boot sequence, Ntldr reads the Boot.ini file. If multiple operating systems are supported on the computer in the Boot.ini file, then the Please Select The Operating System To Start screen, which you can use to select the operating system that should be loaded within a specified time before the default operating system. If no Boot.ini file is present, Ntldr attempts to load Windows XP Professional from the Winnt folder on the first partition of the first disk, typically C:Winnt.
- Hardware Detection Phase: On Intel-based computers, Ntdetect.com and Ntoskrnl.exe perform hardware detection. Ntdetect.com executes if Windows XP Professional should be loads. Ntdetect.com collects a list of installed hardware components and returns this list to Ntldr for later inclusion in the registry under the HKEY_LOCAL_MACHINEHARDWARE key.
- Configuration Selection Phase: After Ntldr starts loading Windows XP Professional and collects hardware information, the operating system loader process displays the Hardware Profile/Configuration Recovery Menu screen, which contains a list of the hardware profiles that have been created on the computer, if more that one hard profile exists on the computer. The first hardware profile is highlighted. You can press the Down arrow key to select another profile. You can also press L to invoke the Last Known Good Configuration option.
- Windows XP Professional Logon Phase: The Windows XP Professional boot sequence is complete once the user has successfully logged on at the computer.
1.2.1.3: Kernel Load
After the configuration selection, Ntoskrnl.exe, the Windows XP kernel loads and initializes. Ntoskrnl.exe also loads and initializes device drivers and loads services. If you press Enter when the Hardware Profile/Configuration Recovery Menu screen displays, or if Ntldr makes the selection automatically, the computer enters the kernel load phase. The screen clears and a series of white rectangles appears across the bottom of the screen. During the kernel load phase, Ntldr:
- Loads Ntoskrnl.exe but does not initialize it.
- Loads the hardware abstraction layer file (Hal.dll).
- Loads the HKEY_LOCAL_MACHINESYSTEM registry key.
- Selects the control set required to initialize the computer.
- Loads device drivers with a value of 0x0 for the Start entry. These are typically low-level hardware device drivers, such as those for a hard disk.
1.2.1.4: Kernel Initialization
When the kernel load phase is complete, the kernel initializes and takes control from Ntldr. The system displays a graphical screen with a status bar that indicates load status. During the kernel initialization stage four tasks are performed:
- The Hardware key is created.
- The Clone control set is created.
- Device drivers are loaded and initialized.
- Services are started.
1.2.1.5: Logon
The logon process begins at the end of the kernel initialization phase, when the Win32 subsystem automatically starts Winlogon.exe, which starts Local Security Authority (Lsass.exe) and displays the Logon dialog box. This allows you to log on while Windows XP initializes the network device drivers.
Note: Windows XP startup is not considered successful until a user logs on at the computer. After a logon, the system automatically copies the Clone control set to the LastKnownGood control set making the current control set the Last Known Good Configuration