Detailed analysis of Windows Startup Process

Source: Internet
Author: User

Powering on a machine is almost a daily task for computer enthusiasts, and the boot screens are familiar to all of us. The computer does some work while it displays these boot screens. What work? I believe some readers are not very clear about it. This article describes what the computer does from the moment the power is turned on until the Windows blue sky and white clouds screen appears.

Let's first understand some basic concepts. The first is the BIOS (Basic Input/Output System), which we are all familiar with. The BIOS is the low-level code that deals directly with hardware. It provides the operating system with the basic functions for controlling hardware devices. The BIOS includes the system BIOS (commonly referred to as the motherboard BIOS), the video card BIOS, and the BIOS of other devices (such as an IDE controller, SCSI card, or NIC). The system BIOS is the main character of this article, because the startup process of a computer is under its control. The BIOS is generally stored in ROM (a read-only memory chip), so the code does not disappear even when the machine is turned off or loses power.

The second basic concept is the memory address. Our machines generally have 32 MB, 64 MB, or MB memory installed. Each byte of memory is assigned an address so that the CPU can access it. The address range of 32 MB is 0 ~ 1FFFFFFh in hexadecimal notation. Within it, the low 1 MB at 0 ~ FFFFFh is special, because the original 8086 processor could access at most 1 MB of memory. The low 640 KB of this 1 MB is called basic memory, A0000h ~ BFFFFh is reserved for the display card, and C0000h ~ FFFFFh is reserved for the BIOS. The system BIOS usually occupies the last 64 KB or a bit more of this space, the video card BIOS is usually at C0000h ~ C7FFFh, and the IDE controller BIOS at C8000h ~ CBFFFh.


Now let's take a closer look at the computer startup process.


Step 1:
When we press the power switch, the power supply starts to power the motherboard and other devices. The voltage is not yet stable at this point, so the control chipset on the motherboard sends the CPU a reset signal and holds it, which puts the CPU into its initial state; the CPU does not execute instructions yet. When the chipset detects that the power supply has stabilized (the transition from unstable to stable takes only an instant), it removes the reset signal (if you press the reset button on the computer panel to restart the machine, the chipset removes the reset signal when the button is released), and the CPU immediately starts executing instructions at address FFFF0h. As described earlier, this address lies within the system BIOS address range. Whether the BIOS is Award or AMI, what sits here is just a jump instruction that jumps to the real startup code in the system BIOS.


Step 2: The first thing the startup code of the system BIOS does is perform POST (Power-On Self Test). The main task of POST is to check whether some key devices in the system, such as memory and the graphics card, exist and work normally. Because POST is the first check performed, the video card has not yet been initialized at this time. If the system BIOS finds a fatal error during POST, for example no memory is found or there is a problem with the memory (at this point, only the 640 KB of conventional memory), it drives the speaker directly to report the error by sound; the length and number of beeps indicate the type of error. Under normal circumstances POST is very fast and we can hardly notice it. After POST ends, other code is called to perform more complete hardware detection.


Step 3:
Next, the system BIOS looks for the BIOS of the video card. As mentioned above, the ROM chip storing the video card BIOS usually starts at address C0000h. Once the system BIOS finds the video card BIOS there, it calls its initialization code, and the video card BIOS initializes the video card. At this time most video cards display some initialization information on the screen, such as the manufacturer and graphics chip type, but this screen is gone almost in a flash. The system BIOS then looks for the BIOS of other devices. When it finds one, it likewise calls the initialization code in that BIOS to initialize the device.


Step 4: After finding the BIOS of all other devices, the system BIOS displays its own boot screen, including the type, serial number, and version number of the system BIOS.

Step 5: The system BIOS detects and displays the CPU type and operating frequency, then starts testing all RAM and displays the memory test progress on the screen. In the CMOS settings we can choose between a simple test and a detailed, more time-consuming one.

Step 6: After the memory test passes, the system BIOS starts to detect the standard hardware devices installed in the system, including hard disks, CD-ROM drives, serial ports, parallel ports, and floppy drives. In addition, the vast majority of newer system BIOS versions also automatically detect and set memory timing parameters, hard disk parameters, and access modes.

Step 7: After the standard devices are detected, the plug-and-play code in the system BIOS starts to detect and configure the plug-and-play devices installed in the system. For each device it finds, the system BIOS displays the device name, model, and other information on the screen, and allocates resources such as interrupts, DMA channels, and I/O ports to the device.


Step 8: By now, all hardware has been tested and configured. Most system BIOSes clear the screen and display a table at the top of it that roughly lists the standard hardware devices installed in the system, the resources they use, and some related working parameters.


Step 9: The system BIOS updates the ESCD (Extended System Configuration Data). ESCD is a means by which the system BIOS exchanges hardware configuration information with the operating system. The data is stored in CMOS (a small block of special RAM powered by the battery on the board). Generally, the ESCD is updated only after the hardware configuration of the system has changed, so we do not normally see the "Update ESCD... Success" message. However, the system BIOS of some motherboards saves ESCD data in a format different from the one Windows 9x uses, so Windows 9x changes the ESCD data to its own format during its startup. At the next startup, even if the hardware configuration has not changed, the system BIOS changes the ESCD data format back. This loop causes the system BIOS to update the ESCD every time the machine is started, which is why some machines display the message at every startup.


Step 10:
After the ESCD is updated, the startup code of the system BIOS performs its last task: booting from a floppy disk, hard disk, or optical drive according to the boot sequence specified by the user. Taking boot from drive C as an example, the system BIOS reads and executes the Master Boot Record on the hard disk. The Master Boot Record then finds the first active partition in the partition table, and reads and executes the Partition Boot Record of this active partition. The Partition Boot Record is responsible for reading and executing IO.SYS, which is the most basic system file of DOS and Windows 9x. The IO.SYS of Windows 9x first initializes some important system data and then displays the familiar blue sky and white clouds. While this screen is shown, Windows carries on with its DOS and GUI (Graphical User Interface) parts.


If a tool for booting multiple operating systems is installed, the Master Boot Record is usually replaced with the boot code of that software, which lets you select an operating system and then reads and executes the basic boot code of the selected operating system (for DOS and Windows, the basic boot code is the Partition Boot Record).

The above describes the initialization tasks the computer completes on a cold start, when the power switch is turned on (or the reset key is pressed). If we press CTRL + ALT + DEL under DOS (or restart the computer from Windows) for a hot start, the POST process is skipped and startup begins directly from step 3. In addition, the CPU and memory test in step 5 is not performed. We can see that, whether it is a cold start or a hot start, the system BIOS repeats these things again and again, and we do not pay much attention to them at ordinary times. However, it is precisely these monotonous hardware detection steps that provide the foundation for our normal use of the computer.



Windows Startup Process

I believe many people have been unable to start Windows after a restart. Therefore, I want to introduce what is done during Windows startup and what stages are involved.
Here we introduce the startup process of the Windows 2K/XP/2K3 series; the NT series is very similar.
Although Windows is not open source (nonsense! :O), there is still a lot of material for reference, as well as the public symbols from MS. If you have the opportunity, try live kernel debugging; I believe a lot can still be seen that way. I have never done this before ......
Wait until VMware is installed on the machine, then try it and paste the process records here.



Windows Startup Process mainly includes the following parts:

1. Master Boot Record (MBR)

2. Boot Sector


3. ntldr (some people may find it familiar; have you ever seen ntldr mentioned during startup? ;) )


4. ntoskrnl.exe

5. SMSS


6. Winlogon

7. Service Control Manager (SCM)
OK.

In this post, we will introduce these components one by one, following the startup process above. Most of the content here comes from the corresponding chapters (Startup and Shutdown) of Inside Windows 2000 and Windows Internals. What I can do is basically translate and repeat; at most some comments may be added.
Of course, if you have read a source code analysis of the Linux startup process, you may not be satisfied with the introduction below. In addition, the hardware-related part is not covered here (at most, I may add what I know about hardware).


1. MBR & Boot Sector


A physical hard disk is addressed in units of sectors. During installation, the Windows installer writes some content to the first sector of the hard disk on which the system is installed. This sector is called the Master Boot Record (MBR).


MBR contains two parts:
(1). Boot Code;
(2). Partition Table;
Boot code is the startup code. During system startup, the BIOS completes its self-check and selects the startup device (that is, a hard disk), then reads the MBR of the disk into memory and jumps to the address where the MBR was loaded to execute its boot code.
Partition table. This table has only four entries, because the MS OS allows a disk to be divided into at most four primary partitions. The partition table holds the information about these four partitions, including the starting sector of each, and so on.
During startup, the MBR boot code searches the partition table, finds the partition, reads the first sector of that partition (that is, the boot sector), and executes the code in it.
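
The MBR layout described above, as an added example that is not part of the original article: a Python parser that splits one 512-byte sector into boot code and the four partition entries, picks the active entry whose boot sector is loaded next, and hashes the boot code so that a replaced MBR can be noticed against a known baseline. The sample sector is constructed, and the byte offsets and partition type codes are the standard MBR values, which the article itself does not list.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
CODE_LEN = 440            # boot code; bytes 440-445 hold the Windows disk signature
FS_TYPES = {0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0E: "FAT16",
            0x0B: "FAT32", 0x0C: "FAT32", 0x07: "NTFS"}

def parse_mbr(sector):
    """Split one 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        # status, CHS start, type, CHS end, first sector (LBA), sector count
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + slot * 16)
        if ptype == 0x00:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: bad status byte {status:#04x}")
        partitions.append({"slot": slot, "active": status == 0x80,
                           "fs": FS_TYPES.get(ptype, f"type {ptype:#04x}"),
                           "first_sector": lba, "sectors": count})
    active = [p for p in partitions if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one active partition")
    return {"boot_code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "active": active[0] if active else None}

def build_sample_mbr():
    """Constructed sample: zero-filled boot code, NTFS active + FAT32 inactive."""
    sector = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x07, 63, 204800), (0x00, 0x0B, 204863, 102400)]
    for slot, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + slot * 16,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print(p)
    print("boot sector to load is at sector", info["active"]["first_sector"])
```

Comparing `boot_code_sha256` with a value recorded right after installation shows whether a boot manager or anything else has rewritten the boot code since.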

Before the installer writes data to the boot sector, it needs to know the file system type (FAT? FAT32? NTFS?) and then writes a different boot sector accordingly. Why are different boot sectors required for different file systems? The reason is that the task of the boot sector is to load the OS startup file, and loading a file requires the participation of the file system. The boot sector therefore needs support code for the particular file system in order to load system files. For Windows startup, the file to be loaded is ntldr.

It should be added that the file system support code in the boot sector is "minimized". After all, a boot sector is only 512 bytes at most, so it is unlikely to contain a complete file system. Besides, our requirements are very simple: it only needs to understand the file system and read files from it. It does not need to write files.
After the boot sector loads ntldr, it jumps to the entry point of ntldr, and the subsequent work is handed over to ntldr. At this point the system is still running in 16-bit real mode; ntldr will enable paging and switch to 32-bit protected mode.


The possible error messages in this process are as follows:
For the NTFS file system, "BOOT: Couldn't find NTLDR";
For the FAT file system, "NTLDR is missing";
These errors indicate that the boot sector did not find ntldr in the root directory of the partition.



2. ntldr

Ntldr is a "middleman". When the boot sector transfers control to ntldr, the system is in real mode. At this time, any address accessed by a program is a real address, that is, a physical address (although the x86's most basic segmentation is in effect; anyone who has learned real-mode assembly should know this), and the address range is limited to 1 MB (20-bit addresses). Therefore, the first thing ntldr does after it is entered is switch to protected mode, so that the full 32-bit address range can be accessed. However, because the corresponding page tables have not been set up at this point, virtual-to-physical address translation is not possible (that is, there is no paging).


Ntldr needs to initialize some page tables and enable paging. At this point the system has entered the standard Windows state (protected mode + paging). Switching to protected mode also involves initializing the GDT and IDT. The key point here is that Windows uses a flat memory model, that is, in protected mode the base addresses of all segments are the same. This is closely related to its memory management mechanism; we only mention it here.
Although the system has already entered protected mode, ntldr still relies on some BIOS calls to access the disk and the display. If the disk is SCSI and this type of disk cannot be accessed through BIOS calls, ntldr loads ntbootdd.sys to replace the disk access code in the boot code. Like the boot sector, ntldr also contains read-only code for the NTFS and FAT file systems. What is the difference? Its improvement is that it can access subdirectories.


Windows may have been shut down by hibernating, so ntldr needs to check whether there is a valid hiberfil.sys file. If there is, the last shutdown was a hibernation, and ntldr takes a "shortcut": it reads hiberfil.sys and jumps directly to the "resume from hibernation" code in the kernel to start the computer.
When the system starts normally, ntldr reads the boot.ini file. If the file indicates that there are multiple boot options, the boot menu is displayed for the user to choose from.
There is another possible exception here, although it is very unlikely now: a DOS startup option (including the Win9x and Me series). In this case, ntldr loads the bootsect.dos file, switches back to real mode, and jumps to the MBR code in the file. The state is then the same as at initial startup (when the MBR was read in), and the corresponding OS is started.
After an entry is selected in the boot menu, ntldr also needs to perform some operations based on its parameters. These parameters are not described or explained here.


Then let's proceed...
Ntldr loads and executes ntdetect.com. This program is a 16-bit protection program. It uses BIOS calls to obtain information about the system hardware (such as the bus type, system time, disk drives, parallel and serial ports, etc.), then gathers the information and returns it to ntldr. The information is saved to the registry under HKLM\HARDWARE\DESCRIPTION at the end of startup.
All of the above work is done in the background. Except for the possible boot menu, it is invisible to the user, so some feedback should be given. Ntldr first clears the screen and then displays "Starting Windows" and a progress bar. Here 2000 and XP/2003 differ. Windows 2000 displays a black-and-white progress bar, and the screen has no Windows logo at this time, while XP/2003 displays a color progress bar with the Windows logo (haha, color screens are popular everywhere). Note that until ntldr starts to load any boot driver, the progress bar stays empty.
You may have noticed that when "Starting Windows" is displayed, the message "For troubleshooting and advanced startup options for Windows, press F8." appears, and that once the progress bar appears and starts moving forward, there is no longer any chance to press F8 to enter safe mode. There is a reason for this. Before the system starts to load drivers, the main task is to load the kernel files and the registry's system hive. These two things have nothing to do with safe mode or the other startup modes: both safe mode and a standard start need to load them. The difference between safe mode and standard mode lies in which drivers are loaded. Therefore, once Windows starts to load the boot drivers, the mode can no longer be changed.

After ntldr starts to display "Starting Windows", follow these steps:

1. Load the kernel and HAL (ntoskrnl.exe and hal.dll). If ntldr fails to load these two files, it displays the following error message: "Windows could not start because the following file is missing or corrupt", and tells you the name of the file that could not be loaded.


2. Read the system hive from \Windows\system32\config\system.
Note: a hive is a file that contains a subtree of the registry.


3. In the system hive, find all the boot drivers (the Start value of this type of driver is 0, that is, SERVICE_BOOT_START). Every driver in the system has a subkey under HKLM\SYSTEM\CurrentControlSet\Services.

4. Load the file system driver of the partition where the boot drivers are located, to make the subsequent loading of boot drivers possible.


5. Load the boot drivers. At this time, the progress bar on the screen is updated. For Windows 2000, it is the black-and-white progress bar.


6. Set up the CPU registers and jump to the entry point of ntoskrnl.exe.
Now ntldr's task is finished and everything is handed over to ntoskrnl. Of course, when control is transferred, the information the kernel needs (including the memory layout, hardware information, and system hive) is also handed over to ntoskrnl. Ntldr has completed its mission.
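
Step 3 above selects drivers by their Start value. The following added example (not code from the original article or from Windows) applies the same rule to a constructed registry export: it lists the entries under Services whose Start value is 0, marks file system drivers (Type 2), and flags images outside system32\drivers. The service names, paths, the plain-string ImagePath values, and the `EXPECTED_DIR` check are assumptions made for illustration.

```python
import re

SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
EXPECTED_DIR = "system32\\drivers\\"   # assumption: usual home of driver images

# Constructed sample in .reg export syntax; all names below are hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplefs]
"Type"=dword:00000002
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\examplefs.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledisk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\exampledisk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledisk\Parameters]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampleodd]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="\\??\\C:\\Temp\\exampleodd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc]
"Type"=dword:00000010
"Start"=dword:00000002
"""

def parse_services(reg_text):
    """Return {service: {value name: int or str}} for direct Services subkeys."""
    services, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            name = (key[len(SERVICES_KEY):]
                    if key.upper().startswith(SERVICES_KEY.upper()) else "")
            # Nested keys such as ...\exampledisk\Parameters are not services.
            current = (services.setdefault(name, {})
                       if name and "\\" not in name else None)
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            current[m.group(1)] = (int(m.group(2), 16) if m.group(2)
                                   else m.group(3).replace("\\\\", "\\"))
    return services

def boot_drivers(reg_text):
    """List entries with Start == 0 (SERVICE_BOOT_START), sorted by name."""
    found = []
    for name, values in sorted(parse_services(reg_text).items()):
        if values.get("Start") != 0:
            continue
        image = values.get("ImagePath", "")
        unusual = bool(image) and not image.lower().startswith(EXPECTED_DIR)
        found.append({"name": name, "file_system": values.get("Type") == 2,
                      "image": image, "unusual_path": unusual})
    return found
```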
