Windows NT Server 4.0 Notes


Module 18: Windows NT Boot Process

Introduction

NT boots in stages:

  • the boot sequence stage loads platform-specific components
  • the boot process then continues in a way that is common to all platforms

Windows NT boot process occurs in these stages:

    • The Power On Self Test (POST) Process
    • The Initial Startup Process
    • The Boot Loader Process
    • The Boot Sequence
    • The Load Phase

Files Required for System Boot

Intel x86 Boot Sequence Files

  •  All these files MUST be in the root directory of the system partition

    File (file attributes): function

    • Ntldr (H; R; S)
      • Loads OS
    • Boot.ini (R; S)
      • Builds OS Loader V4.00 Operating System Selection menu
    • Bootsect.dos (H)
      • Loaded by Ntldr if another OS (MS-DOS, Windows 95, OS/2 1.x) is selected instead of Windows NT.
      • Contains a copy of the boot sector that was on hard disk before installing Windows NT
    • Ntdetect.com (H; R; S)
      • Used to examine available hardware and to build a hardware list. Information is passed back to Ntldr to be added to registry later in boot
    • Ntbootdd.sys (H; R; S)
      • Only on systems booting from BIOS-disabled SCSI hard disk.
      • Driver accesses devices attached to SCSI adapter during Windows NT boot sequence.

RISC Boot Sequence Files

    File: function

    • Osloader.exe: OS loader; equivalent to Ntldr
    • *.pal (Alpha only): these files contain PAL code, software subroutines that provide an OS with direct control of the microprocessor

Boot Sequence Files Common to both Systems

File: function

  • Ntoskrnl.exe: Windows NT kernel file
  • System: Collection of system configuration settings. Controls which device drivers and services are loaded during initialization
  • Device drivers: Files that support device drivers, such as Ftdisk and Scsidisk
  • Hal.dll: Hardware abstraction layer; protects kernel and rest of Windows NT Executive from platform-specific hardware differences. Manipulates hardware directly.

Files Required for NT System Boot

  • Intel x86: Ntldr, Boot.ini, Bootsect.dos, Ntdetect.com, Ntbootdd.sys (SCSI only)
  • RISC: Osloader.exe, *.pal (Alpha only)
  • Both platforms: Ntoskrnl.exe, System, Device Drivers, Hal.dll

The Intel x86 Boot Sequence

Preboot Sequence

  • POST determines the amount of physical memory and the presence of hardware components.
  • The boot device is located and the MBR is loaded into memory; the program in the MBR is run.
  • The MBR scans the Partition Boot Record (PBR) table to locate the active partition, and that partition's boot sector is loaded into memory.
  • Ntldr is loaded and then initialized from the boot sector.

Note: when Windows NT is first installed on the machine, it changes the boot sector so that Ntldr loads on system startup.
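
The preboot lookup of the active partition can be reproduced offline against a saved copy of sector 0, which is a useful baseline check when a machine stops finding Ntldr. The following Python is an added example, not part of the original notes; the sample MBR is constructed in the code and all function names are hypothetical.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the MBR program occupies the first 446 bytes
ENTRY_SIZE = 16               # four 16-byte partition entries follow it
ACTIVE, INACTIVE = 0x80, 0x00


def parse_mbr(sector):
    """Decode the four partition-table entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA not found")
    entries = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        # Layout: status, CHS start (skipped), type, CHS end (skipped),
        # first sector (LBA), sector count; all little-endian.
        status, ptype, lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_SIZE])
        entries.append({"slot": slot, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def find_active(entries):
    """Return the single active entry; raise if the table is invalid."""
    for e in entries:
        if e["status"] not in (ACTIVE, INACTIVE):
            raise ValueError(f"slot {e['slot']}: invalid status 0x{e['status']:02x}")
    active = [e for e in entries if e["status"] == ACTIVE]
    if not active:
        raise ValueError("no active partition")
    if len(active) > 1:
        raise ValueError("more than one active partition")
    if active[0]["type"] == 0 or active[0]["sectors"] == 0:
        raise ValueError("active entry describes no partition")
    return active[0]


def boot_sector_offset(sector):
    """Byte offset on disk of the active partition's boot sector."""
    return find_active(parse_mbr(sector))["lba_start"] * SECTOR_SIZE


def build_sample_mbr(rows):
    """Constructed test input: zeroed boot code plus the given
    (status, type, first LBA, sector count) rows and the 0x55AA signature."""
    table = b"".join(struct.pack("<B3xB3xII", *row) for row in rows)
    return bytes(TABLE_OFFSET) + table.ljust(4 * ENTRY_SIZE, b"\x00") + b"\x55\xaa"


if __name__ == "__main__":
    sample = build_sample_mbr([(0x80, 0x06, 63, 1024000),
                               (0x00, 0x07, 1024063, 2048000)])
    print(find_active(parse_mbr(sample)))
    print("boot sector at byte offset", boot_sector_offset(sample))
```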

Boot Sequence

  • Boot sequence begins after Ntldr is loaded in memory
  • Boot sequence gathers information about hardware and drivers in preparation for the Windows NT load phases.
  • These files are used during the boot sequence: Ntldr, Boot.ini, Bootsect.dos, Ntdetect.com and Ntoskrnl.exe.
  • Ntldr switches microprocessor from real mode into 32-bit flat memory mode.
  • Ntldr starts the appropriate minifile system drivers; these are built into Ntldr to find and load Windows NT from different file system formats (FAT, NTFS).
  • Ntldr reads Boot.ini (if one exists) and then displays the OS selections contained within Boot.ini.

This is called the Boot Loader Operating System Selection menu.

  • Ntldr loads the OS. The OS that is loaded is the one selected by the user or, if no selection is made, the default OS.
    • If Windows NT is selected: Ntldr runs Ntdetect.com. This scans the hardware and then sends the list of detected hardware back to Ntldr for later inclusion in the registry under HKEY_LOCAL_MACHINE\HARDWARE.
    • If an OS other than NT is selected: Ntldr loads and runs Bootsect.dos and passes control to it. The other OS then boots. The NT boot process is at an end. :-(
  •  Ntldr then loads Ntoskrnl.exe, Hal.dll and the System hive. Ntldr scans the System hive and loads the device drivers configured to start at boot time.
  • Finally, Ntldr starts Ntoskrnl.exe, at which point the boot process ends and the load phases begin.

Files Needed for Boot and their locations

Folder: Intel x86-based files

  • System root partition: Ntldr, Boot.ini, Bootsect.dos, Ntdetect.com, Ntbootdd.sys
  • Systemroot\System32: Ntoskrnl.exe, Hal.dll
  • Systemroot\System32\Config: System
  • Systemroot\System32\Drivers: Device drivers

The RISC Boot Sequence

NOTE: Ntldr, Boot.ini, and Bootsect.dos files required for Intel x86-based computers are not needed on RISC-based computers.

    • On RISC-based computers, Ntldr functionality is built into the firmware.
    • Initial stages of loading the Windows NT OS are performed by Osloader.exe (instead of Ntldr).
    • RISC POST routine collects the hardware information and passes it to Osloader.exe (Ntdetect.com is also not needed).

Preboot Sequence

  1. ROM firmware selects a boot device by reading a boot precedence table from nonvolatile RAM.
  2. For hard-disk boot, firmware reads MBR and determines whether system partition is present.
  3. If system partition exists, firmware reads the first sector of partition into memory. It then examines BIOS Parameter Block to determine whether the volume’s file system is supported by the firmware.
  4. If file system is supported by firmware, the firmware searches root directory of the volume for Osloader.exe, loads it and passes control to it, along with a list of available hardware.

Boot Sequence

  1. Osloader.exe loads
    • Ntoskrnl.exe,
    • Hal.dll,
    • *.pal and the
    • System hive.
  2. Osloader.exe scans System hive, and then loads the device drivers that are configured to start at boot time.
  3. Osloader.exe then passes control to Ntoskrnl.exe. This ends the NT boot sequence.

Files Needed for Boot:

Folder: RISC files

  • Os\nt40: Osloader.exe, Hal.dll, *.pal (Alpha only)
  • Systemroot\system32: Ntoskrnl.exe
  • Systemroot\system32\Config: System
  • Systemroot\system32\Drivers: Device drivers

Windows NT Load Phases

The boot sequence for both the RISC and Intel x86 platform ends and the load process starts when control is passed from Ntldr to Ntoskrnl.exe, with the following phases:

  • Kernel load. HAL is loaded
  • Kernel Initialization
  • Services Load
  • Win32 Subsystem Start
  • User Logs On. Last known good is created.

Kernel Load Phase

  • Kernel load phase begins as soon as Ntoskrnl.exe is loaded.
  • HAL (Hardware abstraction layer), which hides platform-specific issues from NT as you may recall, is loaded after kernel.
  • System hive is loaded next and scanned for drivers and services that should be loaded at this stage. These drivers and services are loaded but not initialized, in the order in which they appear beside "List" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder.
  • This portion of the boot sequence occurs when the screen clears after Ntdetect.com has run and progress dots (…) are displayed across the top of the screen. You can display the name of the drivers being loaded on this screen by adding an /sos switch to the appropriate OS line in Boot.ini.

Kernel Initialization Phase

  • The kernel initialization phase initializes the kernel and the drivers that were loaded during the kernel load phase.
  • During this phase, the System hive is again scanned to determine which high-level drivers should be loaded. These drivers are initialized and loaded after the kernel has been initialized.
  • The registry's CurrentControlSet is then saved, and the Clone control set is created and initialized, but not saved. The registry hardware list is then created, using the information from Ntdetect.com (Intel) or Osloader.exe (RISC).
  • A control set contains configuration data used to control the system, such as which device drivers and services to load and start. Control sets are stored in the registry as subkeys of HKEY_LOCAL_MACHINE\SYSTEM\Select
  • In this stage of the boot sequence the screen is painted blue.

ErrorControl Values

  • 0x0--"Ignore". The boot sequence ignores the error and proceeds without displaying an error message.
  • 0x1--"Normal". The boot sequence ignores the error and proceeds, but displays an error message.
  • 0x2--"Severe". The boot sequence fails and then restarts using the LastKnownGood control set. If the boot sequence is already using the LastKnownGood control set, the error is ignored and the boot sequence continues.
  • 0x3--"Critical". The boot sequence fails and then restarts using the LastKnownGood control set. If the boot sequence is currently using the LastKnownGood control set, the boot sequence stops and an error message is displayed.
  • ErrorControl values are stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Name_of_service_or_driver\ErrorControl.

Services Load Phase

The Services Load Phase starts the Session Manager (Smss.exe), which starts the higher-order subsystems and services for NT. Session Manager carries out the instructions under the following four registry entries:

  • BootExecute Data Item. Session Manager immediately reads and carries out the list of programs in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. The default entry is: autocheck autochk *. Autochk.exe is the boot-time version of Chkdsk. The * causes an automatic check of each partition.
    • The entry for BootExecute can be modified. Example: autocheck autochk /p* forces the equivalent of Chkdsk /f on each partition on every subsequent system restart.
    • The BootExecute value can also contain more than one command. Example: Autocheck autochk * autoconv \DosDevices\d: /FS:ntfs; the second command causes drive D to be converted to NTFS on the next system boot.
  • Memory Management Key. After all of the checks have been successfully performed on the system's hard disks, Session Manager sets up the paging files defined in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PageFiles. When the partitions are checked and the paging files are set up, the CurrentControlSet and the Clone control set are written to the registry.
  • DOS Devices Key. Next, the Session Manager creates symbolic links. These links direct certain classes of commands to the correct component in the file system.
  • Subsystems Key. The last step performed by Session Manager is to load the required subsystems, as defined in the registry in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Required. The default is the Win32 subsystem.
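
Because Session Manager runs every BootExecute entry during the Services Load Phase, ahead of the Win32 subsystem and logon, the value is worth comparing against its default. The following Python is an added example, not part of the original notes: it decodes a raw REG_MULTI_SZ value and classifies each entry. The sample data (including the `example-unknown` entry) is constructed, the function names are hypothetical, and the tag/program/arguments layout is assumed from the examples above.

```python
def decode_multi_sz(raw):
    """Decode REG_MULTI_SZ data: UTF-16LE strings, each NUL-terminated,
    with an empty string marking the end of the list."""
    entries = []
    for item in raw.decode("utf-16-le").split("\x00"):
        if item == "":
            break
        entries.append(item)
    return entries


def classify(entry):
    """Classify one BootExecute entry.

    Assumption: an entry looks like the examples in the notes, that is an
    optional "autocheck" tag, then the program name, then its arguments.
    """
    tokens = entry.split()
    if tokens and tokens[0].lower() == "autocheck":
        tokens = tokens[1:]
    if not tokens:
        return "empty"
    program = tokens[0].lower()
    args = [t.lower() for t in tokens[1:]]
    if program == "autochk":
        # /p forces the equivalent of Chkdsk /f on every restart
        if any(a.startswith("/p") for a in args):
            return "forced-check"
        return "default-check"
    if program == "autoconv":
        return "conversion"        # file system conversion queued for next boot
    return "unexpected"            # anything else runs at boot and needs a reason


def audit_boot_execute(raw):
    """Return [(entry, verdict)] for every entry in the raw value."""
    return [(entry, classify(entry)) for entry in decode_multi_sz(raw)]


def needs_review(report):
    """Entries that differ from the default 'autocheck autochk *' behaviour."""
    return [entry for entry, verdict in report if verdict != "default-check"]


# Constructed sample value; "example-unknown" stands in for an unrecognised program.
SAMPLE_RAW = ("autocheck autochk *\x00"
              "autocheck autoconv \\DosDevices\\d: /FS:ntfs\x00"
              "example-unknown\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    for entry, verdict in audit_boot_execute(SAMPLE_RAW):
        print(f"{verdict:14} {entry}")
```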

Win32 Subsystem Start Phase

  • When the Win32 subsystem starts, it automatically starts Winlogon.exe, which starts the Local Security Authority (Lsass.exe) and displays the CTRL+ALT+DEL logon dialog box.
  • Next the Service Controller (Screg.exe) is run, which makes a final pass through the registry looking for services that are marked to load automatically, such as the Workstation and Server services. The services that are loaded during this phase are loaded based on their dependencies, that is, their DependOnGroup or DependOnService.

User Logs On

  • The boot is not considered good until a user successfully logs on to the system.
  • After a successful logon, the Clone control set is copied to the LastKnownGood control set.

Creating a Windows NT Boot Disk

Required Boot Files:

  • Intel x86-based system: Ntldr, Boot.ini, Bootsect.dos, Ntdetect.com, Ntbootdd.sys (for a system with a BIOS-disabled SCSI adapter)
  • RISC-based system: Osloader.exe, Hal.dll, *.pal (Alpha only)

Precautions

  1. Windows NT boot disk must be formatted on a Windows NT computer so that the boot sector on the floppy disk can find and run Ntldr.
  2. If computer is Intel x86-based, Boot.ini on boot disk may need to be modified to reflect the Advanced RISC Computing (ARC) path to system partition on the failed computer. The path includes disk controller, disk drive and partition for Windows NT system files.
  3. Once created, use the disk to start Windows NT. Only certain files are loaded from the floppy disk. All others are accessed from the hard disk of the computer. If Ntoskrnl.exe or other files on the hard disk are corrupt, the boot disk will be of NO use until the file is restored.

Use the Emergency Repair Disk to restore missing or corrupt files.

Last Known Good Configuration

  • After a user successfully logs on to Windows NT, current configuration information from registry key HKEY_LOCAL_MACHINE is copied to the LastKnownGood control set.
  • This is a copy of the most recent LastKnownGood control set used to successfully boot Windows NT.

Function of Last Known Good Configuration

  • Windows NT provides two configurations in which you can start your computer
    • Default. The configuration that was saved when you shut down the computer.
    • Last Known Good. The configuration that was saved when you last successfully logged on to your computer.
  • When you logon, the Last Known Good Configuration is saved if the logon is successful. If unsuccessful, the Last Known Good is tried.

When to Use the Last Known Good Configuration

If NT is going to load, normally the default control set will load.

  • Two conditions cause the system to load the Last Known Good configuration:
    • When the system is recovering from a severe or critical device driver loading error.
    • When the Last Known Good configuration is selected during the boot process.

Use the Last Known Good control set to recover from the following types of problems:

  • After a new device driver is installed, Windows NT is restarted, but system stops responding.
  • After a new video driver is installed and the system is restarted. However nothing is visible on the computer screen, because the new video resolution is incompatible with the video adapter.
  • A critical device driver, such as the SCSI port driver, is accidentally disabled. Automatic.

Using it doesn't help in following situations:

  • When problem is unrelated to changes in the control set information, such as might arise from incorrectly configured user profiles or file permissions.
  • When logging on after making changes. The control set has been updated.
  • When switching between different hardware profiles. LastKnownGood control set is only a method for switching between configuration information in the registry.
  • When startup failures are caused by hardware failures or missing or corrupted files.

How to Use the Last Known Good Configuration

To use the Last Known Good configuration, when you see OS Loader v4.00 (or 5.00), press the space bar to invoke the Hardware Profile/Configuration Recovery menu, select L to choose the Last Known Good configuration, and press Enter to select the original configuration.

Creating and Updating an Emergency Repair Disk

    • The Emergency Repair folder and disk are used to return a computer running Windows NT to the state of the last Emergency Repair update or to the state just after the Windows NT installation.
    • The disk can repair missing or corrupt Windows NT files and restore the registry, which includes the Security Accounts Manager (SAM) database, security information, disk configuration information, software registry entries and other system information.
    • The Repair Disk utility (Rdisk.exe) is located in Systemroot\System32, and has two options:

The Update Repair Info Option

  • Overwrites files in systemroot\Repair folder. During the update process, a $$hive$$.tmp file is created, which temporarily stores registry information before it is copied to the appropriate file.
  • After the update, the repair process prompts the user to create an Emergency Repair Disk. This option formats a floppy and then creates an Emergency Repair Disk.
  • This is the same result as selecting Create Repair Disk. Also, copies of Autoexec.nt and Config.nt are placed in the folder.

Note: This option deletes and creates files. If Windows NT is installed on an NTFS partition, the user must have appropriate permissions: one must be a member of the Administrators or Power Users group or have appropriate privileges. For others it seems to work, but when saving files you get an error message that not all files could be saved.

Repair Disk utility will not back up Default, SAM, or Security files, unless the /s parameter with rdisk command is specified.

Create Repair Disk Option

  • Prompts the user to insert a disk that can be formatted in drive A.
  • If the current repair disk is used, Create Repair Disk does not update the disk, but reformats it and creates a new repair disk.

Soooo, a NEW REPAIR DISK is ALWAYS CREATED.

Setup.log

  • Is located in the Emergency Repair folder and on the Emergency Repair disk. Setup.log is used to check the validity of the Windows NT files on the system.

Files Included on the Emergency Repair Disk

"._" means compressed version.

File: description

  • Setup.log: Information file used for verifying files installed on system. Read-only, Hidden, System file
  • System._: Copy of the System hive from the registry
  • Sam._: Copy of the Sam (Security Accounts Manager) hive from the registry
  • Security._: Copy of the Security hive from the registry
  • Software._: Copy of the Software hive from the registry
  • Default._: Copy of the Default hive from the registry
  • Config.nt: NT version of Config.sys. Used when initializing an NT Virtual DOS Machine (NTVDM)
  • Autoexec.nt: NT version of Autoexec.bat. File used when initializing an NTVDM
  • Ntuser.da_: Compressed version of systemroot\Profiles\Default user\Ntuser.dat

Decompress the compressed files with the expand utility.

The Emergency Repair Process

To perform Emergency Repair Process, you need:

  • The original installation CD, in case any files are detected as missing or corrupt.
  • If the SAM database is replaced, the Administrator Password stored on the ERD.
  • If Emergency Repair Process failed to repair, you need to reinstall NT from the original installation source.
  • To repair a Windows NT installation, Windows NT Setup needs either configuration information saved in systemroot\Repair folder or on Emergency Repair disk
  1. Restoring Windows NT Server on an Intel x86-based computer
  2. Restoring Windows NT on a RISC-based computer (Read page 499).

The repair process in Windows NT Setup enables selection of what is to be repaired.

  • Inspect Registry Files. Setup replaces one or more registry files with the files that were created when NT was first installed, or when the ERD was last updated. All changes made to the system since the last update to the repair files are lost.
  • Inspect startup environment. Select this option if NT is installed but does not appear in the list of bootable systems. For this option, the ERD is needed.
  • Verify Windows NT system files. Select this option to verify that each file in the installation is good and matches the file that was installed from the distribution files. The repair process also verifies that files needed to start, such as Ntldr and Ntoskrnl.exe, are present and valid. When the repair process determines that a file on the disk does not match what was installed, it displays a message that identifies the file and asks whether you want to replace it.
  • Inspect boot sector. Select this option if no system that is installed on the computer boots. Setup copies a new boot sector to the hard disk.

Troubleshooting the Boot Process

Common Boot Process Errors

  • If the Ntldr file is missing, the following message appears before the Boot Loader Operating System Selection menu:

Boot: Couldn't find NTLDR

Please insert another disk.

  • If Ntdetect.com is missing, the following message appears before the Boot Loader Operating System Selection menu:

NTDETECT V4.0 Checking Hardware..

NTDETECT failed

  • If Ntoskrnl.exe is missing, the following message appears after the Last Known Good prompt:

Windows NT could not start because the following file is missing or corrupt:

<winnt root>\system32\ntoskrnl.exe

Please re-install a copy of the above file

  • If Bootsect.dos is missing, the following message appears before the Boot Loader Operating System Selection menu when the user tries to boot an MS-DOS based system. Bootsect.dos contains partition information specific to the computer and cannot be borrowed from other computers.

I/O Error accessing boot sector file

Multi (0)disk(0)rdisk(0)partition (1):\bootos

All above cases can be restored with Emergency Repair process.

The Boot.ini File

The Boot.ini file contains two parts: the [boot loader] and [operating systems] sections

  • [boot loader]
    • timeout
      • the number of seconds to wait before continuing to load the default
      • If you set timeout=0, the Boot Loader Operating System Selection menu may appear briefly or not at all.
    • default
      • The path to the default OS that will load when timeout reaches 0
  • [operating systems]
    • List of OSs displayed on Boot Loader Operating System Menu
    • with ARC path info for loading.

Troubleshooting Boot.ini Problems

  • A New Operating System Appears on the Boot Loader Operating System Selection Menu. If the path name for the default parameter in the [boot loader] section of Boot.ini does not match any of the path names in the [operating systems] section of Boot.ini, the menu selection "NT(default)" appears. This selection is highlighted and loads unless the user selects another operating system.

There are three situations when you get this message:

    Windows NT could not start because the following file is missing or corrupt: <winnt root>\system32\ntoskrnl.exe

    Please reinstall a copy of the above file.

  1. Boot.ini is missing. Ntldr automatically tries to boot NT from the default folder. If NT is installed in multi(0)disk(0)rdisk(0)partition(1)\Winnt or scsi(0)disk(0)rdisk(0)partition(1)\Winnt, Windows NT boots successfully. Otherwise, this message appears.
  2. Invalid Windows NT Path Name. If the path name to NT is incorrect in the Boot.ini file, this message appears.
  3. The Ntoskrnl.exe could actually BE missing or corrupt!

  • Invalid Device in Windows NT Path. If there is an invalid device in the path to NT in the Boot.ini file, the following message appears:

OS Loader v4.0

Windows NT could not start because of a computer disk hardware configuration problem.

Could not read from the selected boot disk. Check boot path and disk hardware.

Please check the Windows NT (TM) documentation about hardware disk configuration and your hardware reference manuals for additional information.

In all cases boot.ini can be edited or Emergency Repair can restore the Boot.ini file.
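
The Boot.ini problems above can be caught before a reboot by checking the file offline. The following Python is an added example, not part of the original notes: it parses a Boot.ini and reports a default path that matches no [operating systems] entry, a zero timeout, and malformed ARC paths. Both sample files are constructed, the function names are hypothetical, and the partition() check relies on ARC partition numbers starting at 1.

```python
import re

# ARC path as used in Boot.ini: multi()/scsi(), disk(), rdisk(), partition(), folder
ARC_PATH = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?$",
    re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")   # e.g. C:\ for the Bootsect.dos entry


def parse_boot_ini(text):
    """Return {section name: {key: value}} for the lines of a Boot.ini file."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def audit_boot_ini(text):
    """List the Boot.ini problems described in the troubleshooting notes."""
    ini = parse_boot_ini(text)
    loader = {k.lower(): v for k, v in ini.get("boot loader", {}).items()}
    systems = ini.get("operating systems", {})
    findings = []
    if not systems:
        findings.append("[operating systems] has no entries")
    default = loader.get("default")
    if default is None:
        findings.append("[boot loader] has no default= line")
    elif default.lower() not in {path.lower() for path in systems}:
        findings.append(f"default '{default}' matches no [operating systems] "
                        "entry; Ntldr will add its own default menu item")
    timeout = loader.get("timeout", "")
    if not timeout.isdigit():
        findings.append("timeout is missing or not a number")
    elif int(timeout) == 0:
        findings.append("timeout=0: the selection menu may not appear")
    for path in systems:
        arc = ARC_PATH.match(path)
        if arc is None and not DRIVE_PATH.match(path):
            findings.append(f"'{path}' is neither an ARC path nor a drive path")
        elif arc is not None and int(arc.group(5)) == 0:
            findings.append(f"'{path}': partition() numbering starts at 1")
    return findings


# Constructed sample: default points at partition(2), which is not listed.
SAMPLE_BAD = r"""
[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server [VGA mode]" /basevideo /sos
C:\="MS-DOS"
"""
# Constructed sample with both problems corrected.
SAMPLE_GOOD = SAMPLE_BAD.replace("partition(2)", "partition(1)").replace(
    "timeout=0", "timeout=30")

if __name__ == "__main__":
    for finding in audit_boot_ini(SAMPLE_BAD):
        print(finding)
```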

Troubleshooting Revisited

You receive the following error message; find out what file is missing.

  • Boot: Couldn't find NTLDR
    Please insert another disk
    • Missing file: Ntldr
  • NTDETECT failed
    • Missing file: Ntdetect.com
  • No error message, but the Operating System Select menu failed to appear
    • Missing file: Boot.ini
  • I/O Error accessing boot sector file
    Multi(0)disk(0)rdisk(0)partition(1)\BOOTS
    • Missing file: Bootsect.dos

  • One of the computers that you support can no longer boot to DOS, even though it appears on the boot menu. Why? Probably the Bootsect.dos is corrupted.
  • You created an NT boot disk that contains all the files as needed, but you get the following error message when you use it. Why?

Non-system disk or disk error

Replace and press any key when ready
 

The disk that you used was not formatted under NT. Boot disk must be formatted under NT.

  • You change the settings for your network adapter card. When you reboot, you receive the following message: " One or more services failed to start." When you attempt to log on you receive a message stating that a domain controller could not be found, but you were logged on using cached credentials. After logging on, you found that you couldn't connect to network resources. You shut down your computer restart using the Last Known Good configuration, but the same behavior results. Why?

Last Known Good is updated with the current control set following the first successful logon after a reboot. When you notice something wrong following a restart, DO NOT LOG ON.

  • You receive a call from someone who tells you that he forgot the administrator Password. He used ERD to restore the original administrator PW, and now no one else can log on to the system. Why and how to correct?

The Emergency Repair Process replaces the entire directory database with the original directory database that was created during installation, or with the last updated version from using Rdisk.exe. If he had never updated the directory database stored on the ERD the only accounts present after the repair would be the Administrator and the Guest account (and possibly an initial user account) created during installation.

To correct it, he could use the original administrator PW to log on, and then restore the directory database from a tape backup.

  • You got the following error message. What went wrong?

Boot: Couldn't find NTLDR

Please insert another disk
 

The Ntldr is either missing or corrupt. Use an NT boot disk or the Emergency Repair process.


Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada