Understanding the Boot Process


The boot sequence requires certain files. Listed below are the files used in the Windows XP Professional boot process, the appropriate location of each file, and the stages of the boot process associated with each file. Systemroot (typed as %systemroot%) represents the path to your Windows XP Professional installation directory, which will usually be C:\Windows.

To view the listed files, open Windows Explorer and click Folder Options on the Tools menu. In the View tab of the Folder Options dialog box, under Hidden Files And Folders, click Show Hidden Files And Folders. Clear the Hide Protected Operating System Files (Recommended) check box. A Warning message box appears, indicating that it is not a good idea to display the protected operating system files. Click Yes to display them. Click OK to close the Folder Options dialog box.

| File | Location | Boot stage |
|---|---|---|
| NTLDR | System partition root (C:\) | Preboot and boot |
| BOOT.INI | System partition root | Boot |
| BOOTSECT.DOS | System partition root | Boot (optional) |
| NTDETECT.COM | System partition root | Boot |
| NTBOOTDD.SYS | System partition root | Boot (optional) |
| NTOSKRNL.EXE | systemroot\System32 | Kernel load |
| HAL.DLL | systemroot\System32 | Kernel load |
| SYSTEM | systemroot\System32 | Kernel initialization |
| Device drivers (.sys) | systemroot\System32\Drivers | Kernel initialization |


Preboot Sequence
During startup, a computer running Windows XP Professional initializes and then locates the boot portion of the hard disk. The following four steps occur during the preboot sequence:

(1) The computer runs POST (Power-On Self Test) routines to determine the amount of physical memory, whether the hardware components are present, and so on. If the computer has a Plug and Play BIOS, enumeration and configuration of hardware devices occurs at this stage.
(2) The computer BIOS locates the boot device and loads and runs the MBR (Master Boot Record).
(3) The MBR scans the partition table to locate the active partition, loads the boot sector on the active partition into memory, and then executes it.
(4) The computer loads and initializes the NTLDR file, which is the operating system loader.

Windows XP Professional Setup modifies the boot sector during installation so that NTLDR loads during system startup.


Boot Sequence
After the computer loads NTLDR into memory, the boot sequence gathers information about hardware and drivers in preparation for the Windows XP Professional load phases. The boot sequence uses the following files: NTLDR, BOOT.INI, BOOTSECT.DOS (optional), NTDETECT.COM, and NTOSKRNL.EXE.

The boot sequence has four phases: initial boot loader phase, operating system selection, hardware detection, and configuration selection.

Initial Boot Loader Phase
During the initial boot loader phase, NTLDR switches the microprocessor from real mode to 32-bit flat memory mode, which NTLDR requires to carry out any additional functions. Next, NTLDR starts the appropriate minifile system drivers. The minifile system drivers are built into NTLDR so that NTLDR can find and load Windows XP Professional from partitions formatted with file allocation table (FAT), FAT32, or NT file system (NTFS).

Operating System Selection
During the boot sequence, NTLDR reads the BOOT.INI file. If more than one operating system selection is available in the BOOT.INI file, then the Please Select The Operating System To Start screen appears, listing the operating systems specified in the BOOT.INI file. If you do not select an entry before the timer reaches zero, NTLDR loads the operating system specified by the default parameter in the BOOT.INI file. Windows XP Professional Setup sets the default parameter to the most recent Windows XP Professional installation. If there is only one entry in the BOOT.INI file, the Please Select The Operating System To Start screen does not appear and the default operating system is automatically loaded.
If the BOOT.INI file is not present, NTLDR attempts to load Windows XP Professional from the first partition of the first disk, typically C:\.
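
The selection rules above can be checked against a BOOT.INI file when reviewing what an unattended boot will load. The following is an added example, not code from the original page; the sample file, its ARC-style paths and the /fastdetect switch are constructed values, and the function names are hypothetical.

```python
# Constructed sample BOOT.INI (not from a real machine). The ARC-style paths
# and the /fastdetect switch are illustrative values.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\="Microsoft Windows 98"
'''


def parse_boot_ini(text):
    """Return (boot_loader_settings, os_entries); entries keep file order."""
    loader, entries, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            label, _, switches = value.strip().partition('" ')
            entries.append({"path": key.strip(), "label": label.strip('"'),
                            "switches": switches.split()})
    return loader, entries


def plan_os_selection(text):
    """Model the NTLDR decision described above; text=None means no BOOT.INI."""
    if text is None:
        return {"menu": False, "loads": "first partition of first disk", "switches": []}
    loader, entries = parse_boot_ini(text)
    default = loader.get("default", "")
    chosen = next((e for e in entries if e["path"].lower() == default.lower()), None)
    return {
        "menu": len(entries) > 1,              # menu only with more than one entry
        "timeout": loader.get("timeout"),      # seconds before the default is used
        "loads": chosen["label"] if chosen else default,
        "switches": chosen["switches"] if chosen else [],
        "default_listed": chosen is not None,  # False: default names no listed entry
    }
```

A `default_listed` value of False, or switches on the default entry that nobody can account for, are the results worth following up in a configuration review.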

Hardware Detection
NTDETECT.COM and NTOSKRNL.EXE perform hardware detection. NTDETECT.COM executes after you select Windows XP Professional on the Please Select The Operating System To Start screen (or after the timer times out).

If you select an operating system other than Windows XP Professional, such as Microsoft Windows 98, NTLDR loads and executes BOOTSECT.DOS, which is a copy of the boot sector that was on the system partition at the time that Windows XP Professional was installed. Passing execution to BOOTSECT.DOS starts the boot process for the selected operating system.
NTDETECT.COM collects a list of currently installed hardware components and returns this list to NTLDR for later inclusion in the registry under the HKEY_LOCAL_MACHINE\HARDWARE key.

NTDETECT.COM detects the following components:

  • Bus/adapter type
  • Communication ports
  • Floating-point coprocessor
  • Floppy disks
  • Keyboard
  • Mouse/pointing device
  • Parallel ports
  • SCSI adapters
  • Video adapters

Configuration Selection
After NTLDR starts loading Windows XP Professional and collects hardware information, the operating system loader presents you with the Hardware Profile/Configuration Recovery menu, which contains a list of the hardware profiles that are set up on the computer. The first hardware profile is highlighted. You can press the down-pointing arrow key to select another profile. You also can press L to invoke the LastKnownGood configuration.

If there is only a single hardware profile, NTLDR does not display the Hardware Profile/Configuration Recovery menu and loads Windows XP Professional using the default hardware profile configuration.


Kernel Load
After configuration selection, the Windows XP Professional kernel (NTOSKRNL.EXE) loads and initializes. NTOSKRNL.EXE also loads and initializes device drivers and loads services. If you press Enter when the Hardware Profile/Configuration Recovery menu appears, or if NTLDR makes the selection automatically, the computer enters the kernel load phase. The screen clears and a series of white rectangles appears across the bottom of the screen.

During the kernel load phase, NTLDR does the following:

  • Loads NTOSKRNL.EXE but does not initialize it.
  • Loads the hardware abstraction layer file (HAL.DLL).
  • Loads the HKEY_LOCAL_MACHINE\SYSTEM registry key from %systemroot%\System32\Config\System.
  • Selects the control set it will use to initialize the computer. A control set contains configuration data used to control the system, such as a list of the device drivers and services to load and start.
  • Loads device drivers with a value of 0x0 for the Start entry. These typically are low-level hardware device drivers, such as those for a hard disk. The value for the List entry, which is specified in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder subkey of the registry, defines the order in which NTLDR loads these device drivers.


Kernel Initialization
When the kernel load phase is complete, the kernel initializes, and then NTLDR passes control to the kernel. At this point, the system displays a graphical screen with a status bar indicating load status. Four tasks are accomplished during the kernel initialization stage:

(1) The Hardware key is created. On successful initialization, the kernel uses the data collected during hardware detection to create the registry key HKEY_LOCAL_MACHINE\HARDWARE. This key contains information about hardware components on the system board and the interrupts used by specific hardware devices.
(2) The Clone control set is created. The kernel creates the Clone control set by copying the control set referenced by the value of the Current entry in the HKEY_LOCAL_MACHINE\SYSTEM\Select subkey of the registry. The Clone control set is never modified, as it is intended to be an identical copy of the data used to configure the computer and should not reflect changes made during the startup process.

(3) Device drivers are loaded and initialized. After creating the Clone control set, the kernel initializes the low-level device drivers that were loaded during the kernel load phase. The kernel then scans the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services subkey of the registry for device drivers with a value of 0x1 for the Start entry. As in the kernel load phase, a device driver's value for the Group entry specifies the order in which it loads. Device drivers initialize as soon as they load.

If an error occurs while loading and initializing a device driver, the boot process proceeds based on the value specified in the ErrorControl entry for the driver:

| ErrorControl value | Action taken |
|---|---|
| 0x0 (Ignore) | The boot sequence ignores the error and proceeds without displaying an error message. |
| 0x1 (Normal) | The boot sequence displays an error message but ignores the error and proceeds. |
| 0x2 (Severe) | The boot sequence fails and then restarts using the LastKnownGood control set. If the boot sequence is currently using the LastKnownGood control set, the boot sequence ignores the error and proceeds. |
| 0x3 (Critical) | The boot sequence fails and then restarts using the LastKnownGood control set. However, if the LastKnownGood control set is causing the critical error, the boot sequence stops and displays an error message. |

ErrorControl values appear in the registry under the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\name_of_service_or_driver\ErrorControl.

(4) Services are started. After the kernel loads and initializes device drivers, the Session Manager (SMSS.EXE) starts the higher order subsystems and services for Windows XP Professional. Session Manager executes the instructions in the BootExecute data item, and in the Memory Management, DOS Devices, and SubSystems keys.

| Data item or key | Action taken |
|---|---|
| BootExecute data item | Session Manager executes the commands specified in this data item before it loads any services. |
| Memory Management key | Session Manager creates the paging file information required by the Virtual Memory Manager. |
| DOS Devices key | Session Manager creates symbolic links that direct certain classes of commands to the correct component in the file system. |
| SubSystems key | Session Manager starts the Win32 subsystem, which controls all input/output (I/O) and access to the video screen and starts the WinLogon process. |


The logon process begins at the conclusion of the kernel initialization phase. The Win32 subsystem automatically starts WINLOGON.EXE, which starts the Local Security Authority (LSASS.EXE) and displays the Logon dialog box. You can log on at this time, even though Windows XP Professional might still be initializing network device drivers.

Next, the Service Controller executes and makes a final scan of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services subkey, looking for services with a value of 0x2 for the Start entry. These services, including the Workstation service and the Server service, are marked to load automatically.

The services that load during this phase do so based on their values for the DependOnGroup or DependOnService entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey.

A Windows XP Professional startup is not considered good until a user successfully logs on to the system. After a successful logon, the system copies the Clone control set to the LastKnownGood control set.
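
The Start, Group and ErrorControl entries described in the kernel load, kernel initialization and Service Controller passages decide what runs before anyone logs on, which is why they are worth auditing. The following is an added example, not code from the original page; the driver names, groups and values are constructed, and placing unlisted groups last is an assumption.

```python
# Constructed sample: (name, Start, Group, ErrorControl) as read from
# ...\Services\<name>, plus a ServiceGroupOrder List. All values hypothetical.
GROUP_ORDER = ["Boot Bus Extender", "SCSI miniport", "Base"]
SERVICES = [
    ("diskport", 0x0, "SCSI miniport", 0x3),
    ("busext", 0x0, "Boot Bus Extender", 0x3),
    ("oddfilter", 0x0, "Unlisted Group", 0x0),
    ("pktfilter", 0x1, "Base", 0x1),
    ("wkssvc", 0x2, "NetworkProvider", 0x1),
]
PHASES = {0x0: "kernel load", 0x1: "kernel initialization", 0x2: "service controller"}


def load_plan(services, group_order):
    """Bucket entries by Start value; order driver phases by group position."""
    rank = {g.lower(): i for i, g in enumerate(group_order)}
    plan = {phase: [] for phase in PHASES.values()}
    for pos, (name, start, group, _err) in enumerate(services):
        if start not in PHASES:
            continue  # other Start values are not covered by the page
        # Assumption: groups missing from the List sort after listed ones.
        # Start 0x2 services follow dependencies, so input order is kept.
        key = pos if start == 0x2 else rank.get(group.lower(), len(rank))
        plan[PHASES[start]].append((key, name))
    return {p: [n for _, n in sorted(items)] for p, items in plan.items()}


def on_load_error(error_control, using_lkg):
    """Action from the ErrorControl table; using_lkg: LastKnownGood already in use."""
    actions = {
        0x0: ("ignore silently", "ignore silently"),
        0x1: ("show message, continue", "show message, continue"),
        0x2: ("restart with LastKnownGood", "ignore, continue"),
        0x3: ("restart with LastKnownGood", "stop with error message"),
    }
    if error_control not in actions:
        raise ValueError(f"unexpected ErrorControl value: {error_control!r}")
    return actions[error_control][1 if using_lkg else 0]


def silent_early_failures(services):
    """Drivers loaded before logon whose load errors would never be reported."""
    return [n for n, start, _g, err in services if start in (0x0, 0x1) and err == 0x0]


if __name__ == "__main__":
    for phase, names in load_plan(SERVICES, GROUP_ORDER).items():
        print(f"{phase}: {names}")
    print("silent on failure:", silent_early_failures(SERVICES))
```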