Help: can any expert explain the PE boot process?

1#
Posted 2008-2-19 00:23:48
Suppose a PE kernel image is already installed on the hard disk. Here is the little I know, laid out in full:

MBR->bootsect->ntldr->boot.ini->grldr->setupldr.bin->winnt.sif->txtsetup.sif
...
...
pecmd.exe, xcmd.exe, xpelogon, xpeinit

... I am not clear on the steps in between and need you all to fill them in!

Ideally someone could also describe the processes executed during boot, such as ntoskrnl.exe->smss.exe->winlogon.exe (this is with reference to Windows PE). If it is too much, a link would do!

2#
Posted 2008-2-19 00:24:57
Yes, I'd like to know too. Asking the same.

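3#
Posted 2008-2-19 00:38:05
Heh, this question is quite complicated and I don't know either. It should be MBR, DBR, ntldr, setupldr.bin; after that I don't know.

winnt.sif, txtsetup.sif, boot.ini --------- these are for humans to read; the CPU can't understand them :)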

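4#
OP | Posted 2008-2-19 00:41:20
Originally posted by 老九老毛桃粉丝 on 2008-2-19 12:38 AM
winnt.sif, txtsetup.sif, boot.ini --------- these are for humans to read; the CPU can't understand them :)

I know that; it was just a vivid, quick way to represent it, since I didn't want to type too much.

I know that PE boots by first being installed and then started. Of course, things have changed now too.
Among the files called in the process above, winnt.sif is the unattended installation file and txtsetup.sif is the text-mode setup information file.

That is all I know, and nothing more! Let's discuss it with reference to 老毛桃's 911 version.

[ Last edited by youngsun on 2008-2-19 12:49 AM ]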

5#
Posted 2008-2-19 00:53:11
The boot process of a PE CD: first the boot file XP.BIF starts, then it finds SETUPLDR.BIN in the WXPE directory, reads WINNT.XPE, loads WINPE.IS_, and then WXPE\NTDETECT.COM starts PE, i.e.
XP.BIF->SETUPLDR.BIN->WINNT.XPE->WINPE.IS_->NTDETECT.COM

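6#
OP | Posted 2008-2-19 08:02:38
Originally posted by jxsrpl on 2008-2-19 12:53 AM
The boot process of a PE CD: first the boot file XP.BIF starts, then it finds SETUPLDR.BIN in the WXPE directory, reads WINNT.XPE, loads WINPE.IS_, and then WXPE\NTDETECT.COM starts PE, i.e.
XP.BIF->SETUPLDR.BIN->WINNT.XPE->WINPE.IS_->NTDETECT.COM

Very good, I hope this can continue: ntdetect.com->hal.dll -> ... ??? When is setupreg.hiv called? And who calls it?

Too many questions, sigh. I really wish someone would point the way...

[ Last edited by youngsun on 2008-2-19 08:12 AM ]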

7#
OP | Posted 2008-2-19 20:17:36
Appealing once more to the brothers of the forum. I'm helpless!

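8#
OP | Posted 2008-2-22 21:03:19
While there are lots of people online this evening, appealing once more...

Suppose a PE kernel image is already installed on the hard disk. Here is the little I know, laid out in full:

MBR->bootsect->ntldr->boot.ini->grldr->setupldr.bin->winnt.sif->txtsetup.sif
ntdetect.com->hal.dll -> ... ??? When is setupreg.hiv called? And who calls it?
...
...
pecmd.exe, xcmd.exe, xpelogon, xpeinit; who calls PECMD?

I am not clear on the steps in between and need you all to fill them in!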

9#
Posted 2008-2-22 21:47:06
My understanding of PE is also only partial! Looking forward to the experts' solution!

10#
Posted 2008-2-23 22:11:40
Waiting for an expert to come and answer!!!!!!!!

11#
OP | Posted 2008-2-24 00:07:16
Answering my own question:
I found that the setup key in setupreg.hiv has a cmdline value as follows:
PELOGON.EXE PECMD.EXE LOAD %SystemRoot%\SYSTEM32\PECMD.INI

So then, who calls setupreg.hiv?

Note: brother 123 has already answered: ntdll.dll.

[ Last edited by youngsun on 2008-2-24 11:18 AM ]

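12#
Posted 2008-2-24 10:55:42
For reference only:

Boot phase
MBR->bootsect->ntldr->boot.ini->grldr->setupldr.bin (under PE, equivalent to Windows' ntldr)->winnt.xpe (equivalent to PE's boot.ini)->NTDETECT.COM

Kernel loading phase
setupldr.bin (under PE, equivalent to Windows' ntldr) -> loads ntoskrnl.exe, i.e. the kernel (only loaded, not yet initialized), loads hal.dll, loads the registry key HKEY_LOCAL_MACHINE\system

Kernel initialization phase
The ntoskrnl.exe kernel initializes the low-level drivers that were loaded in the kernel loading phase, then the kernel scans HKEY_LOCAL_MACHINE\system\CurrentControlSet\service... for device drivers whose start value is 1. These device drivers are initialized as they are loaded. Session Manager starts the Windows XP higher-level subsystems and services; Session Manager starts the Win32 subsystem, which controls all input and output devices and access to the display, as well as the Winlogon process. Kernel initialization is then complete.

Then logon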
################################################################################################################


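Below is the Windows sequence, which can serve as a reference for PE:

Pre-boot phase
The period from pressing the computer's power button to start it until the Windows XP Professional operating system starts is called the pre-boot (Pre-Boot) phase. In this phase the computer first runs the Power On Self Test (POST), which checks the system's total memory and the state of the other hardware devices. If the computer's BIOS (basic input/output system) is Plug and Play, the hardware devices are checked and configured. The BIOS locates the computer's boot device, and then the MBR (Master Boot Record) is loaded and run. In the pre-boot phase, the computer loads the Windows XP NTLDR file.

Boot phase
The Windows XP Professional boot phase consists of 4 smaller phases.
First, the computer goes through the Initial Boot Loader phase, in which NTLDR switches the microprocessor from real mode to 32-bit flat memory mode. In real mode the system reserves 640 KB of memory for MS-DOS and treats the rest as extended memory, whereas in 32-bit flat memory mode the system (Windows XP Professional) treats all memory as available. Next, NTLDR starts the built-in mini-file system drivers; this step lets NTLDR recognize every partition formatted with the NTFS or FAT file system so that it can find and load Windows XP Professional. This ends the Initial Boot Loader phase.
Next the system reaches the operating system selection phase. If more than one operating system is installed (a multi-boot system) and boot.ini is correctly set up to offer a choice, the display shows an operating system menu, which is the result of NTLDR reading boot.ini.

The operating system selection phase ends and the hardware detection phase begins.
In the hardware detection phase, ntdetect.com collects a list of the computer's hardware information and returns it to NTLDR, so that this hardware information can later be added to the registry under hardware in HKEY_LOCAL_MACHINE.

After hardware detection completes, the configuration selection phase begins. If the computer has a list of several hardware profiles, one can be chosen with the up and down keys. If there is only one hardware profile, the computer does not show this screen and loads Windows XP Professional directly with the default profile.

The boot phase ends. The files the system uses in the boot phase are: NTLDR, Boot.ini, ntdetect.com, ntoskrnl.exe, Ntbootdd.sys, bootsect.dos (optional).

Note: Ntbootdd.sys and bootsect.dos are usually absent.
Ntbootdd.sys
If the disk containing the boot volume is SCSI-based and cannot be accessed through BIOS firmware support, Ntldr loads a file named Ntbootdd.sys and uses it in place of the boot-code functions for disk access. Ntbootdd.sys is a copy of the SCSI miniport driver; Windows uses this driver to access the boot disk once it has fully taken over operation.
The syntax is as follows:
scsi(W)disk(X)rdisk(Y)partition(Z)

bootsect.dos
When installing MS-DOS, Windows Me, Windows 98 or Windows 95, you may already have created an MS-DOS boot sector. Windows Setup examines this boot sector to see whether the boot sector that is about to be overwritten by the Windows boot sector is a valid MS-DOS boot sector. If it is, Windows Setup copies the contents of this boot sector to a file named Bootsect.dos in the root directory of the partition.
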

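Kernel loading phase
In the kernel loading phase, ntldr loads ntoskrnl.exe, known as the Windows XP kernel. The system has loaded the Windows XP kernel but has not initialized it. Next ntldr loads the hardware abstraction layer (HAL, hal.dll), and then the system goes on to load the HKEY_LOCAL_MACHINE\system key. NTLDR reads the select key to decide which Control Set will be loaded. The control set contains the device drivers and the services that need to be loaded. NTLDR loads the lowest-level device drivers whose start value is 0 under HKEY_LOCAL_MACHINE\system\service... When the Current Control Set, the mirror of the Control Set, has been loaded, ntldr passes control to the kernel and the kernel initialization phase begins.


Kernel initialization phase
At the start of the kernel initialization phase, the color Windows XP logo and progress bar are displayed in the center of the screen. In this phase the system completes 4 startup tasks:
The kernel uses the data collected during hardware detection to create the HKEY_LOCAL_MACHINE\HARDWARE key.
The kernel creates the Clone Control Set by copying the Control Set referenced by the default value of HKEY_LOCAL_MACHINE\system\Current. The Clone Control Set configuration is a backup of the computer's data; it does not include changes made during startup and will not be modified.
The system finishes initializing and loading device drivers: the kernel initializes the low-level drivers that were loaded in the kernel loading phase, then the kernel scans HKEY_LOCAL_MACHINE\system\CurrentControlSet\service... for device drivers whose start value is 1. These device drivers are initialized as they are loaded. If an error occurs, the kernel uses the ErrorControl value to decide how to handle it. When the value is 3, the error is flagged as critical: on first encountering the error the system restarts with the LastKnownGood Control Set, and if starting with the LastKnownGood Control Set still produces the error, the system reports a startup failure, an error message is displayed and startup stops. When the value is 2, the error is severe: system startup fails and it restarts with the LastKnownGood Control Set; if the system is already starting with the LastKnownGood value, it ignores the error and continues starting. When the value is 1, the error is normal: the system generates an error message but still ignores the error and continues starting. When the value is 0, the error is ignored: the system continues running without displaying any error message.

Session Manager starts the Windows XP higher-level subsystems and services; Session Manager starts the Win32 subsystem, which controls all input and output devices and access to the display, as well as the Winlogon process. Kernel initialization is then complete.

Logon
Winlogon.exe starts the Local Security Authority, and at the same time the Windows XP Professional welcome screen or logon dialog is displayed. At this point the system may still be initializing, in the background, drivers that were not finished earlier.
It prompts for a valid user name or password.
Finally the Service Controller runs and scans HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to check whether any services still need to be loaded. The Service Controller looks for services whose start value is 2 or higher; services are loaded according to their start value and their DependOnGroup and DependOnService values.
Only after the user has successfully logged on to the computer is Windows XP startup considered complete. After a successful logon, the system copies the Clone Control Set to the LastKnownGood Control Set; only when this step is done has the system booted successfully.

Let's discuss.

[ Last edited by ace2002 on 2008-2-24 11:07 AM ]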

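13#
Posted 2008-2-24 11:05:11
Txtsetup.sif is a setup information file (sif), mainly used for Windows text-mode setup (as its name implies).
Windows PE also uses it at startup (Windows PE uses the end of text-mode setup and the beginning of GUI-mode setup).
The row of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> shown on the screen
is presumably Txtsetup.sif's file-copying process.

Then the brief black screen is the kernel loading phase.
Then the color Windows XP logo and progress bar appear in the center of the screen: kernel initialization.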

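14#
OP | Posted 2008-2-24 11:24:25
Thanks to the brother above! These are all basic materials that I read long ago. One is the official description of Windows PE startup, the other is the principles of the Windows XP startup process.

All of the above are only qualitative descriptions, lacking the rigor and thoroughness needed for building a PE.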

15#
Posted 2008-2-24 11:24:44
Nice, nice, thanks a lot for sharing!

16#
Posted 2008-2-24 12:55:52
I'd like to know too. In setupldr.bin there seems to be a step that creates a virtual RAM disk.

17#
Posted 2008-2-25 16:01:38
For reference, the Windows boot process:
In-Depth Study of Windows Internals Series, Part 7: The Boot Process, by 张银奎

http://download.microsoft.com/do ... /msft020207vxpm.zip

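18#
Posted 2008-2-25 17:49:03
setupreg.hiv (equivalent to XP's system) is called partly by the SETUPLOADER module of SETUPLDR.BIN (equivalent to the OSLOADER module of NTLDR), partly by NTOSKRNL.EXE, and partly by SMSS (and SERVICE, SVCHOST, etc.). NTDETECT is called by SETUPLDR to detect hardware information and returns to SETUPLDR (most textbooks do not mention this return to the LDR module); the boot menu, NTBOOTDD (or INT13H), memory management, RAM disk image management (the 2003 SETUPLDR), HAL, BOOTVID and KDCOM are called or implemented by the SETUPLOADER module; after a series of initializations and the NTOSKRNL entry initialization, SETUPLDR transfers to NTOSKRNL; WIN32K.SYS and SMSS are called by NTOSKRNL.EXE; NTDLL.DLL (NT Layer DLL, in the same directory as SMSS, apparently used by SMSS), CSRSS and PECMD are called by SMSS; PE's WINLOGON, logon window and SHELL (EXPLORER) are called by PECMD (the logon window is called after WINLOGON, and the SHELL after the logon window); LSASS and SERVICE are called by WINLOGON; SVCHOST is called by SERVICE.
*XP's USERINIT is called between the logon window and the SHELL (PE doesn't seem to have this step; whether PECMD does it instead I'm not sure)*
*TXTSETUP.SIF seems to be called by SETUPLDR, but it also seems to have something to do with NTOSKRNL*
***The above is purely my personal understanding; differing opinions are welcome for discussion***

[ Last edited by netwinxp on 2008-2-25 06:35 PM ]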

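19#
Posted 2008-2-25 18:29:49
The post above is the correct answer. Also, once the kernel is initialized there is multithreading and many processes start at the same time, which makes it even more complicated. I hope the OP takes a look at the recommendation in #17.

20#
Posted 2008-2-25 18:31:14
Originally posted by yamingw on 2008-2-25 18:29
The post above is the correct answer. Also, once the kernel is initialized there is multithreading and many processes start at the same time, which makes it even more complicated. I hope the OP takes a look at the recommendation in #17.

I have read that one, but it is too general :) Multithreading basically happens after SMSS

[ Last edited by netwinxp on 2008-2-25 06:32 PM ]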

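21#
OP | Posted 2008-2-25 18:50:07
Originally posted by netwinxp on 2008-2-25 05:49 PM
setupreg.hiv (equivalent to XP's system) is called partly by the SETUPLOADER module of SETUPLDR.BIN (equivalent to the OSLOADER module of NTLDR), partly by NTOSKRNL.EXE, and partly by SMSS (and SERVICE, SVCHOST, etc.). NTDETECT is called by SETUPLDR to detect ...

Great! Thank you, brother netwinxp. This reply is a classic; you can't find this on the web.

Slowly digesting it...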

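22#
Posted 2008-2-25 18:53:23
Originally posted by youngsun on 2008-2-25 18:50

Great! Thank you, brother netwinxp. This reply is a classic; you can't find this on the web.

Slowly digesting it...

Analyze it more with Process Explorer and DASM (or eXeScope) and it will be easier to understand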

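23#
OP | Posted 2008-2-25 19:38:57
Originally posted by netwinxp on 2008-2-25 06:53 PM

Analyze it more with Process Explorer and DASM (or eXeScope) and it will be easier to understand

Many thanks, brother 花猫! I'll go look for the latter tools. I'm reading about it on the WIKI right now; it describes the boot process in great detail.
http://en.wikipedia.org/wiki/Windows_NT_startup_process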

24#
Posted 2008-3-16 17:38:09

Reply to youngsun's post #23

OP:
Why does the link you provided never work?

25#
Posted 2008-3-16 19:44:51
For the wiki, it's best to go through a proxy.

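26#
Posted 2008-3-16 21:00:42
Originally posted by youngsun on 2008-2-25 07:38 PM

Many thanks, brother 花猫! I'll go look for the latter tools. I'm reading about it on the WIKI right now; it describes the boot process in great detail.
http://en.wikipedia.org/wiki/Windows_NT_startup_process


Could you post it here??? Ideally translated into Chinese ^_^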

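27#
Posted 2008-3-16 22:51:22
I don't understand the complicated questions, and I don't think I could learn them, but I'd like to ask a simple one: after PE loads the core, which files does it call to invoke externally mounted software,

and how should the configuration file be written? Thanks

28#
Posted 2008-3-16 23:01:04
I suggest the poster above study the PECMD documentation carefully and refer to other people's finished builds.

29#
Posted 2008-4-1 14:01:18
I opened it and it was a whole page of foreign language; I can't read it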

30#
Posted 2008-11-20 19:14:06
Windows NT startup process
From Wikipedia, the free encyclopedia
The Windows NT startup process is the process by which Microsoft's Windows NT, Windows 2000, Windows XP and Windows Server 2003 operating systems initialize.

In Windows Vista, this process has changed slightly (see Windows Vista startup process).


Boot Loader Phase
For more details on this topic, see NTLDR.
The boot loader phase varies by platform. Since the earlier phases are not specific to the OS, the boot process is considered to start:

For x86 or x64: when the partition boot sector code is executed in real mode and loads NTLDR
For IA-64: when the IA64ldr.efi EFI program is executed (later referred as simply IA64ldr)
From that point, the boot process continues as follows:

An NTLDR file, located in the root folder of the boot disk, is composed of two parts. The first is the StartUp module and immediately followed by the OS loader (osloader.exe), both stored within that file. When NTLDR is loaded into memory and control is first passed to StartUp module, the CPU is operating in real mode. StartUp module's main task is to switch the processor into protected mode, which facilitates 32-bit memory access, thus allowing it to create the initial Interrupt descriptor table, Global Descriptor Table, page tables and enable paging. This provides the basic operating environment on which the operating system will build. StartUp module then loads and launches OS loader.

NTLDR's OS loader includes basic functionality to access IDE-based disks formatted for NTFS or FAT file systems, or CDFS (ISO 9660), ETFS or UDFS in newer operating system versions. Disks are accessed through the system BIOS, through native ARC routines on ARC systems, or via network using TFTP protocol. It should be noted that all BIOS calls are done through virtual 8086 mode beyond this point, because the BIOS can not be accessed directly within protected mode. If the boot disk is a SCSI disk and the SCSI controller is not using real-mode INT 0x13, an additional file, Ntbootdd.sys is loaded to handle disk access in place of the default routines. This is a copy of the same SCSI miniport driver that is used when Windows is running.

The boot loader then reads the contents of boot.ini to locate information on the system volume. If the boot.ini file is missing, the boot loader will attempt to locate information from the standard installation directory. For Windows NT machines, it will attempt to boot from C:\WINNT. For Windows XP and 2003 machines, it will boot from C:\WINDOWS.

At this point, the screen is cleared, and in the Windows 2000 or later versions of NTLDR and IA64ldr which support system hibernation, the root directory default volume as defined in boot.ini is searched for a hibernation file, hiberfil.sys. If this file is found and an active memory set is found in it, the contents of the file (which will match the amount of physical memory in the machine) are loaded into memory, and control is transferred into the Windows kernel at a point from which hibernation can be resumed[1]. The file is then immediately marked as non-active, so that a crash or other malfunction cannot cause this (now-outdated) memory state to be re-loaded. If a state resume fails, the next time NTLDR runs it will ask the user whether to try resuming again or to discard the file and proceed with normal booting.

If boot.ini contains more than one operating system entry, a boot menu is displayed to the user, allowing the user to choose which operating system is to be loaded. If a non NT-based operating system such as Windows 98 is selected (specified by an MS-DOS style of path, e.g. C:\), then NTLDR loads the associated "boot sector" file listed in boot.ini (by default, this is bootsect.dos if no file name is specified) and passes execution control to it. If an NT-based operating system is selected, NTLDR runs ntdetect.com, which gathers basic information about the computer's hardware as reported by the BIOS.

At this point in the boot process, NTLDR clears the screen and displays a textual progress bar, (which is often not seen on XP or 2003 systems, due to their initialization speed); Windows 2000 also displays the text "Starting Windows..." underneath. If the user presses F8 during this phase, the advanced boot menu is displayed, containing various special boot modes including Safe mode, with the Last Known Good Configuration, with debugging enabled, and (in the case of Server editions) Directory Services Restore Mode.

Once a boot mode has been selected (or if F8 was never pressed) booting continues.

If an x64 version of Windows is being booted (Windows XP Professional x64 Edition or Windows Server 2003 x64 Editions), the CPU is now switched into Long mode, enabling 64-bit addressing.

Next, the Windows kernel Ntoskrnl.exe and the Hardware Abstraction Layer hal.dll are read into memory. If either of these files fails to load, the message "Windows could not start because the following file was missing or corrupt" is displayed to the user, and the boot process comes to a halt.

If multiple hardware configurations are defined in the registry, the user is prompted at this point to choose one.

With the kernel in memory, boot-time device drivers are loaded (but not yet initialized). This information (along with information on all detected hardware and Windows Services) is stored in the HKLM\SYSTEM portion of the registry, in a set of registry keys collectively called a Control Set. Multiple control sets (typically two) are kept, in the event that the settings contained in the currently-used one prohibit the system from booting. HKLM\SYSTEM contains control sets labeled ControlSet001, ControlSet002, etc., as well as CurrentControlSet. During regular operation, Windows uses CurrentControlSet to read and write information. CurrentControlSet is a reference to one of the control sets stored in the registry. Windows picks the "real" control set being used based on the values set in the HKLM\SYSTEM\Select registry key:

Default will be NTLDR or IA64ldr's choice if nothing else overrides this.
If the value of the Failed key matches Default, then NTLDR or IA64ldr displays an error message, indicating that the last boot failed, and gives the user the option to try booting, anyway, or to use the "Last Known Good Configuration".
If the user has chosen Last Known Good Configuration from the boot menu, the control set indicated by the LastKnownGood key is used instead of Default.
When a control set is chosen, the Current key gets set accordingly. The Failed key is also set to the same as Current until the end of the boot process. LastKnownGood is also set to Current if the boot process completes successfully.

For the purposes of booting, a driver is either a "Boot" driver that is loaded by NTLDR or IA64ldr prior to starting the kernel and started before system drivers by the kernel, a "System" driver, which is loaded and started by ntoskrnl.exe after the boot drivers or an "Automatic" driver which is loaded much later when the GUI already has been started. "Boot" drivers are almost exclusively drivers for hard-drive controllers and file systems (ATA, SCSI, file system filter manager, etc.); in other words, they are the absolute minimum that ntoskrnl.exe will need to get started with loading other drivers, and the rest of the operating system. "System" drivers cover a wider range of core functionality, including the display driver, CD-ROM support, and the TCP/IP stack.

The appropriate file system driver for the partition type (NTFS, FAT, or FAT32) which the Windows installation resides on is also loaded.

With this finished, control is then passed from NTLDR or IA64ldr to the kernel. At this time, Windows NT shows the famous "blue screen" displaying number of CPUs and the amount of memory installed, whilst Windows 2000, XP and 2003 switch into a graphical display mode to display the Windows logo, unless the /noguiboot or /sos switches are present in boot.ini.


Kernel loading phase
ntoskrnl.exe < the kernel
hal.dll < type of hardware abstraction layer
kdcom.dll < Kernel Debugger HW Extension DLL
bootvid.dll < for the windows logo and side-scrolling bar
config\system registry
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
Process services in the order provided
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases.

During the first phase, basic internal memory structures are created, and each CPU's interrupt controller is initialized. The memory manager is initialized, creating areas for the file system cache, paged and non-paged pools of memory. The Object Manager,[1] initial security token for assignment to the first process on the system, and the Process Manager itself. The System idle process as well as the System process are created at this point.

The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers.

Through the process of loading device drivers, a "progress bar" is visible at the bottom of the display on Windows 2000 systems; in Windows XP and Windows Server 2003, this was replaced by an animated bar which does not represent actual progress. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.


Session Manager
Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (smss.exe).

Before any files are opened, Autochk [2] is started by smss.exe. Autochk mounts all drives and checks them one at a time whether they were not shut down cleanly before. In that case it will automatically run chkdsk, however just before the user can abort this process by pressing any key within 10 seconds (this was implemented in Windows NT 4.0 Service Pack 4, in earlier versions you could not skip chkdsk). Since Windows 2000, XP and 2003 show no text screen at that point (unlike NT, which still shows the blue text screen), they will show a different background picture holding a mini-text-screen in the center of the screen and show the progress of chkdsk there.

At boot time, the Session Manager Subsystem :

Creates environment variables (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment)
Starts the kernel-mode side of the Win32 subsystem (win32k.sys). This allows Windows to switch into graphical mode as there is now enough infrastructure in place.
Starts the user-mode side of the Win32 subsystem, the Client/Server Runtime Server Subsystem (csrss.exe). This makes Win32 available to user-mode applications.
Creates virtual memory paging files (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management)
Any rename operations queued up are performed. This allows previously in-use files (e.g. drivers) to be replaced as part of a reboot.
Starts the Windows Logon Manager (winlogon.exe). Winlogon is responsible for handling interactive logons to a Windows system (local or remote). The Graphical Identification And Authentication (GINA) library is loaded inside the Winlogon process, and provides support for logging in as a local or Windows domain user.
The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.


Winlogon
[Figure: "Begin logon" dialog box in Windows XP.]
For more details on this topic, see Winlogon.
Winlogon is responsible for responding to the secure attention key (called secure attention sequence in Windows and it is the Control-Alt-Delete key combination), loading the user profile on logon, and optionally locking the computer when a screensaver is running. In Windows Vista and later operating systems, Winlogon's roles and responsibilities have changed significantly.

Winlogon calls GINA
GINA begin logon prompt is displayed (image)
User presses SAS (Control-Alt-Delete)
GINA logon dialog is displayed
User inputs credentials (Username, Domain and Password)
GINA passes credentials back to Winlogon
Winlogon passes credentials to LSA
LSA determines which account databases is to be used
Local SAM
Domain SAM
Active Directory
Winlogon (loaded by SMSS)
At this point, Winlogon starts the Service Control Manager (SCM), which in turn will start all the Windows services that are set to "Auto-Start". The Local Security Authority Subsystem Service (lsass.exe) is also started, which enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.).
userinit.exe

Logon phase
After a user has successfully logged in to the machine, Winlogon does the following:

Updates the Control Sets; the LastKnownGood control set is updated to reflect the current control set.
User and Computer Group Policy settings are applied.
Startup programs are run from the following locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
All Users ProfilePath\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows)
Current User ProfilePath\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows)

Remote booting & installation

The Boot Information Negotiation Layer (BINL) is a Windows 2000 service that makes it possible for installation to be done on computers that are able to remotely boot.
For more details on this topic, see Remote_Installation_Services.

Additional information
The HKLM\HARDWARE section of the registry is populated by the kernel at boot-time with the information about detected hardware that was gathered by ntdetect.com. More specifically:

If ACPI is supported by the hardware, the Fixed ACPI Description Table (FADT), Firmware ACPI Control Structure (FACS) and Root System Description Table (RSDT) are written to HKLM\HARDWARE\ACPI.
Details about installed CPU(s), such as the brand, speed, and feature set (MMX, SSE, etc.) installed are stored in HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\#.
In similar fashion, details about installed FPU(s) are stored in HKLM\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\#.
Information about the various multifunction adapters (ISA, PNP, ACPI, etc.) and the devices on them that are detected by ntdetect.com, is stored in HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\#.

See also
Architecture of Windows NT
Windows Startup Process
Linux startup process
Booting
Master boot record
Power-on self-test
BootVis

Footnotes
^ Other boot loaders (typically for other operating systems) may be executed prior to control being passed to NTLDR. This is known as a "chained" boot sequence.
^ This feature is known as hibernation, and was introduced in Windows 2000.

References
^ Windows, NT Object Manager
Russinovich, Mark; David Solomon (2005). "Startup and Shutdown", Microsoft Windows Internals, 4th edition, Microsoft Press, pp. 251-273. ISBN 0-7356-1917-4.  
"Troubleshooting the Startup Process". Windows XP Resource Kit. Microsoft Technet. Retrieved on 2006-02-15.
Mark Minasi, John Enck. "Troubleshooting NT Boot Failures". Administrator's Survival Guide: System Management and Security. Windows IT Library. Retrieved on 2006-02-15.
Microsoft KB Article 244036 on remote installation & booting

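The Select key, Start and ErrorControl mechanics described in posts 12# and 30#, together with the Setup cmdline value found in post 11#, as an added example that is not from any poster in this thread: it reads a registry export and reports which control set would be chosen, which drivers load in each phase, and what the Setup command line is. The mount name PE_SYS, the sample service entries and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the text format written by `reg export`, as if the PE
# hive had been mounted with `reg load HKLM\PE_SYS setupreg.hiv`. The mount
# name PE_SYS and all service entries are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\PE_SYS\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002
[HKEY_LOCAL_MACHINE\PE_SYS\Setup]
"CmdLine"="PELOGON.EXE PECMD.EXE LOAD %SystemRoot%\\SYSTEM32\\PECMD.INI"
[HKEY_LOCAL_MACHINE\PE_SYS\ControlSet001\Services\atapi]
"Start"=dword:00000000
"ErrorControl"=dword:00000003
[HKEY_LOCAL_MACHINE\PE_SYS\ControlSet001\Services\Ntfs]
"Start"=dword:00000000
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\PE_SYS\ControlSet001\Services\Cdrom]
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\PE_SYS\ControlSet001\Services\ExampleSvc]
"Start"=dword:00000002
"ErrorControl"=dword:00000000
[HKEY_LOCAL_MACHINE\PE_SYS\ControlSet002\Services\atapi]
"Start"=dword:00000000
"ErrorControl"=dword:00000001
'''

START_PHASE = {0: "boot: loaded by NTLDR/setupldr.bin before the kernel runs",
               1: "system: initialized by the kernel",
               2: "auto: started by the Service Controller",
               3: "demand", 4: "disabled"}
ERROR_CONTROL = {0: "ignore", 1: "normal", 2: "severe", 3: "critical"}

def parse_reg(text):
    """Parse [key] headers plus dword and string values (a subset of .reg)."""
    hive, key = defaultdict(dict), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive[key]  # register the key even if it holds no values
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            hive[key][m.group(1).lower()] = int(m.group(2), 16)
        elif key and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            hive[key][m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return hive

def pick_control_set(select, use_last_known_good=False):
    """Return (ControlSetNNN, previous_boot_failed) following the Select key."""
    chosen = select["lastknowngood"] if use_last_known_good else select["default"]
    # Failed == Default means the last boot with the default set did not finish.
    previous_boot_failed = select.get("failed", 0) == select["default"]
    return "ControlSet%03d" % chosen, previous_boot_failed

def boot_plan(hive, root, control_set):
    """Group one control set's services by Start value; list critical boot drivers."""
    prefix = f"{root}\\{control_set}\\services\\".lower()
    plan = defaultdict(list)
    for key, values in hive.items():
        name = key[len(prefix):]
        if key.startswith(prefix) and "\\" not in name and "start" in values:
            ec = ERROR_CONTROL.get(values.get("errorcontrol"), "unset")
            plan[values["start"]].append((name, ec))
    # Per the thread, a failing driver with ErrorControl 3 forces a restart with
    # LastKnownGood and stops the boot if that fails too, so check these first.
    fatal = sorted(name for name, ec in plan[0] if ec == "critical")
    return {start: sorted(items) for start, items in sorted(plan.items())}, fatal

def analyze(text, root=r"HKEY_LOCAL_MACHINE\PE_SYS", use_last_known_good=False):
    """Resolve the control set, build the per-phase plan, read Setup\\CmdLine."""
    hive, r = parse_reg(text), root.lower()
    control_set, failed = pick_control_set(hive[r + "\\select"], use_last_known_good)
    plan, fatal = boot_plan(hive, r, control_set)
    return {"control_set": control_set, "previous_boot_failed": failed,
            "plan": plan, "fatal_if_missing": fatal,
            "setup_cmdline": hive[r + "\\setup"].get("cmdline")}

if __name__ == "__main__":
    report = analyze(SAMPLE_REG)
    print(report["control_set"], "| previous boot failed:", report["previous_boot_failed"])
    for start, items in report["plan"].items():
        print(f"Start={start} ({START_PHASE.get(start, 'unknown')}):", items)
    print("critical boot drivers:", report["fatal_if_missing"])
    print("Setup CmdLine:", report["setup_cmdline"])
```

Service names come back lower-cased because registry key names are case-insensitive and the parser normalizes them.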
