Want to follow a detailed example of what happens when Windows starts?
In this article you will find the following detail about Windows startup:
- Descriptions of the major components.
- Detailed sequences of activities for each process.
- Example registry keys and values.
This article is a companion to the Windows 7 Startup article which covers background material and an overview diagram of the main startup sequence.
Caveats
Here I include the caveats which are a duplicate of those in the main article:
- The articles are always going to be an overview rather than a complete description.
- The articles are now unlikely to have more detail added.
- The articles may have errors but wherever possible I have confirmed the steps in a real example. I've still had to rely on other commentaries as I've only used the tools that would be used by a confident user. That's why there is no mention of advanced tools for programmers like kernel debuggers or the special debug version of Windows (a checked build).
- These articles are not a troubleshooting guide although I have included some pointers for where to look for solutions to some problems.
- These articles are not a guide to altering your system start-up processes. They should not be relied upon for making any changes to your system. Instead you should confirm any change through the relevant support channels for Microsoft Windows or the particular application you are dealing with.
- These articles do not include starting Windows 8 or 10, installing Windows, resuming Windows from sleep or hibernation, or using safe mode and the other startup options. If you do want more detail in some area then let me know by registering with this site and leaving a comment.
This article only looks at Windows 7 64-bit
Windows 7 is a good compromise between old and new versions of Windows. Although it is very similar to Vista there are major differences in the startup processes. I have pointed out some of those differences where it improves this article. For anything else related to earlier versions of Windows you will have to look elsewhere.
The examples I am using are based on startup traces I ran on my test PC running Windows 7 64-bit. I used 64-bit Windows because it was the future at the time and I needed to highlight how 64-bit Windows handles 32-bit processes.
The traces provide some timings to give you a relative indication of the time taken by the startup phases, and they also give you the option to compare them with your own Windows startup. Just be aware that there are several reasons why your relative timings may be considerably different to mine.
Icons highlight key issues
I have included icons to highlight various topics of interest so you can scan the detail more easily.
32-bit and 64-bit Windows have some significant differences:
32 applies to 32-bit Windows only.
64 applies to 64-bit Windows only.
Where the startup feature was changed from Windows Vista:
7 indicates a new feature for Windows 7.
On the very few occasions where the Windows Edition is relevant:
Δ indicates differences between Windows Editions.
If you are troubleshooting then look for these icons:
! indicates a known troubleshooting issue.
! indicates a critical process (processes set this status themselves) which can crash or halt Windows if it fails.
§ provides information on diagnostic tools and their output.
∞ indicates a process that normally runs until Windows stops.
How to view and print the larger tables
I am trying to pack a lot of information into some of the tables and diagrams so they look better in a display that is 1600 pixels wide. If your display is smaller, particularly if it is below 1200 pixels wide, then you can use the 'Printer-friendly view' to remove the sidebars so you can read them more easily.
In the tables I have placed a blank line between each filename and registry key to keep them separate. Where a registry key is too long to fit in one line of a table then I have also inserted line breaks to break it up.
Windows startup in detail
Windows Operating System (OS) Boot Loader: WinLoad.exe !
The first steps in loading the Windows kernel mode are performed by the Windows Boot Loader. This program provides temporary functions that boot, or start, the Windows Kernel, which is the first permanent component to start. The Boot Loader continues to perform further activities to support kernel-mode initialization until the Kernel has sufficient sub-systems running to continue with its normal permanent operations.
The Boot Loader activities fall into four main areas:
- Reads the minimum configuration data from disk: the Boot Configuration Data (BCD) and the SYSTEM hive of the Registry.
- Enumerates the devices and "boot start" drivers. For the most essential drivers and itself, the boot loader also verifies their integrity and crashes the system if there are any problems.
- Initializes the system so the Windows Kernel can be loaded and executed.
- After the Kernel starts, loads into memory the configuration and enumerated drivers for the Kernel to use.
Note: The Windows Boot Manager and the Windows Boot Loader perform similar steps in their initial stage: they set up the same structures, they read the BCD and determine the system drive and volume, they read the Boot Status Data Log (BootStat.dat), and both can display a recovery menu if startup has previously failed.
Table 1 - Windows OS boot loader: Winload.exe
Example time (1) [seconds] | Activity | Filename or Registry details (2)
0.00-2.66 (3) | Loaded by the Windows Boot Manager. § Phase: OS Loader, PreSMSS Init or Pre Session Init. A blank screen appears following the firmware and boot manager startup screens. Duration: OSLoaderDuration | %SystemRoot%\System32\WINLOAD.EXE
0.18 | Read configuration data |
| Default boot configuration data (BCD) for the BIOS | %SystemDrive%\Boot\BCD
| Default boot configuration data (BCD) for the EFI | %SystemDrive%\EFI\Microsoft\Boot\
| Read the Boot Status Data Log (BootStat.dat) | %WinDir%\BOOTSTAT.DAT
| System registry hive | %SystemRoot%\System32\Config\System
| Boot Start drivers | HKLM\SYSTEM\CurrentControlSet\Services\<service name> where the Start value = 0 for Boot_Start (4)
0.18 | Loads Kernel-mode boot diagnostics |
0.18 | ! Enumerate and validate critical Kernel boot drivers which must load correctly or Windows will crash. The enumerations will eventually be stored in HKLM\SYSTEM\CurrentControlSet\Enum\ |
| Verify the programs' executable signatures against the digital signature catalogue. Winload will crash if any of the programs listed below fail the test. | %SystemRoot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\nt5.cat
| Windows loader verifies itself | %SystemRoot%\System32\WINLOAD.EXE
| Kernel | %SystemRoot%\System32\NTOSKRNL.EXE
| Hardware Abstraction Layer (HAL). The DLL used depends upon whether it is 32-bit or 64-bit Windows. On 32-bit Windows, single-CPU systems only have a standard Programmable Interrupt Controller (PIC) while multi-CPU systems have an Advanced PIC (APIC). NTOSKRNL links to this DLL. | 64: %SystemRoot%\System32\HAL.DLL; 32: %SystemRoot%\System32\HALACPI.DLL (single CPU); 32: %SystemRoot%\System32\HALMACPI.DLL (multi-CPU)
| VGA Boot Driver which provides the Windows logo. NTOSKRNL links to this DLL. | %SystemRoot%\System32\BOOTVID.DLL
| Trusted Platform Module (TPM), which might not be used on your system | %SystemRoot%\System32\TPM.SYS
| Kernel Security Support Provider Interface | %SystemRoot%\System32\KSECDD.SYS
| Common Log File System (CLFS) driver | %SystemRoot%\System32\CLFS.SYS
| Code Integrity (CI) module | %SystemRoot%\System32\CI.DLL
| Kernel Debugger hardware extension DLLs, named after the communications interface used. NTOSKRNL links to KDCOM.DLL. | %SystemRoot%\System32\KDCOM.DLL; %SystemRoot%\System32\KDUSB.DLL; %SystemRoot%\System32\KD1394.DLL
| Security Processor Loader (SPLDR) | %SystemRoot%\System32\SPLDR.SYS
0.18 | Enumerate other Kernel boot start drivers |
| Platform-Specific Hardware Error Driver (PSHED) | %SystemRoot%\System32\PSHED.DLL
| e.g. Advanced Configuration and Power Interface (ACPI) driver | %SystemRoot%\System32\ACPI.SYS
| e.g. Partition Manager (PM) driver | %SystemRoot%\System32\Drivers\PARTMGR.SYS
| e.g. Paging file driver | %SystemDrive%\pagefile.sys
0.18 | Enumerate other files |
| The "Starting Windows" screen | %SystemDrive%\activity.bmp
0.21-3.03 | Enumerate boot devices |
| e.g. Advanced Configuration and Power Interface (ACPI) device | HKLM\SYSTEM\ControlSet001\Enum\Root\ACPI_HAL\0000
| e.g. Kernel Security Support Provider Interface, which is also one of the critical drivers | HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KSECDD\0000
| e.g. Modem etc. | HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MODEM\0000
0.21 | Enable paging |
| Paging file | %SystemDrive%\pagefile.sys
0.22 | Passes control to the OS Kernel. The Windows Boot Loader continues to enumerate, initialize and load devices and drivers until the Kernel has loaded the necessary subsystems. § Start: BootKernelInitTime | %SystemRoot%\System32\NTOSKRNL.EXE
(1) The example times include the start time and, less often, the end time as well. Below the times I have included the variable names that are used in the reports from traces and event logging. The first of those variables, OsLoaderDuration, is the time from 0 until the boot loader passes control to the kernel-mode systems.
(2) The filename and registry details do not match exactly what you will find because I have provided full paths to those files. That means that I have also used environment variables such as "%SystemRoot%" in place of the explicit path. This allows you to find the file more easily on any system.
(3) This is the zero start, but the trace recording is not yet running, so this time is effectively attributed to the kernel-mode startup to which Winload is closely linked.
(4) Control sets store configuration information in the registry. For example, HKLM\SYSTEM\CurrentControlSet\Control\ contains the kernel-mode and user-mode subsystem configuration settings. HKLM\SYSTEM\CurrentControlSet\ is a symbolic link to one of the control set copies, the active control set. HKLM\SYSTEM\Select stores the Current, Default, Failed and LastKnownGood values.
! The error message that HAL.DLL is missing generally means that the %SystemRoot%\System32\ folder has been deleted.
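The two registry facts in footnote (4) and the signature check in Table 1 can be reproduced from an elevated PowerShell session. The script below is an added example and is not code from the original article: it resolves which ControlSetNNN the Select key marks as Current, then lists every Boot_Start (Start = 0) service in that control set together with the Authenticode status of its image file. It assumes Windows 7 or later and Windows PowerShell 3.0 or later; the ImagePath normalization rules in the comments are the common forms seen in the Services key.

```powershell
# Added example, not from the original article. Resolves the active control set from
# HKLM\SYSTEM\Select, then lists every Boot_Start (Start = 0) service in it with the
# Authenticode status of its image file. Assumptions: Windows 7 or later, Windows
# PowerShell 3.0 or later, an elevated session.

$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$startNames = @{ 0 = 'Boot_Start'; 1 = 'System_Start'; 2 = 'Auto_Start'; 3 = 'Demand_Start'; 4 = 'Disabled' }

# Select\Current names the control set that CurrentControlSet links to; Failed and
# LastKnownGood tell you whether a previous boot fell back to another copy.
'Select: Current={0} Default={1} Failed={2} LastKnownGood={3}' -f `
    $select.Current, $select.Default, $select.Failed, $select.LastKnownGood
$activeSet = 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $select.Current

$drivers = foreach ($svc in Get-ChildItem -Path "$activeSet\Services") {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.Start -ne 0) { continue }     # keep only Boot_Start entries

    # ImagePath may be relative to %SystemRoot%, prefixed with \SystemRoot\ or \??\,
    # or absent (then the image is System32\Drivers\<key name>.sys).
    $image = if ($p.ImagePath) { [string]$p.ImagePath } else { "System32\Drivers\$($svc.PSChildName).sys" }
    $image = $image -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }

    $status = if (Test-Path -LiteralPath $image) {
        (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
    } else { 'FileMissing' }

    [pscustomobject]@{
        Service   = $svc.PSChildName
        StartType = $startNames[[int]$p.Start]
        Group     = [string]$p.Group
        Image     = $image
        Signature = $status
    }
}

$drivers | Sort-Object Group, Service | Format-Table -AutoSize

# Anything other than Valid deserves a closer look: these images are loaded before
# any user-mode defence exists.
$drivers | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Service, Image, Signature -AutoSize
```

One caveat when reading the output: older Windows PowerShell versions (2.0 on a stock Windows 7) do not look up catalog signatures, so in-box files that Winload verifies through a catalog such as nt5.cat report NotSigned there, while PowerShell 5.1 on Windows 10 reports them as Valid. Treat NotSigned as "examine" rather than "tampered", and compare the image path and hash against a known-good system before drawing conclusions.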
Kernel-mode !
Kernel mode processes are the core of Windows. There are a wide range of kernel-mode sub-systems that provide the basic components of the operating system which other programs rely upon. You can refer to the diagram on kernel mode in the article on Windows Components for Startup.
Kernel-mode processes have almost unrestricted access to resources, whereas user-mode processes are restricted in many ways to protect Windows. Kernel-mode processes:
- Can access hardware directly whereas user-mode processes cannot.
- Can access all of the computer's memory whereas user-mode processes are limited to assigned memory spaces.
- Can access the kernel memory whereas user-mode processes cannot.
- Are not normally paged out of RAM to virtual memory on disk.
- Run at a high priority so they don't have to wait on user-mode processes which run at a lower priority.
Kernel mode initialization performs three main functions:
- Set-up data structures.
- Load and initialize components.
- Start the Plug and Play (PnP) manager to initialize the boot start drivers that were enumerated by the Windows Boot Loader.
Table 2 - Windows Kernel Mode: NTOSKRNL.exe
Example time [seconds] | Activity | Filename or Registry details
0.22 | Passed control from the Windows Boot Loader. The Windows Boot Loader continues to enumerate, initialize and load devices and drivers until the Kernel has loaded the necessary subsystems. § Phase: Kernel initialization, BootStart | %SystemRoot%\System32\WINLOAD.EXE
0.22-3.05 | Initializes the boot drivers that are predefined (i.e. are there 'out of the box') for the Boot Loader. § Start: BootPNPInitStartTimeMS or pnpBootStartStartTime. Duration: BootPNPInitDuration or pnpBootStartDuration |
| Advanced Configuration and Power Interface (ACPI) driver | %SystemRoot%\System32\Drivers\ACPI.SYS
| Kernel Security Support Provider Interface | %SystemRoot%\System32\Drivers\KSECDD.SYS
| Windows Kernel-Mode Driver Framework Runtime etc. | %SystemRoot%\System32\Drivers\Wdf01000
0.23-3.03 | Starts the enumerated devices |
| ACPI-compliant Advanced Programmable Interrupt Controller (APIC) driver | HKLM\SYSTEM\ControlSet001\Enum\ACPI_HAL\PNP0C08\0
| PCI Standard ISA Bridge | HKLM\SYSTEM\ControlSet001\Enum\PCI\VEN_10DE&DEV_0260&SUBSYS_2A34103C&REV_A3\3&2411e6fe&1&50
| A shadow copy device to back up configuration settings. It is used by the Volume Snapshot Service (VSS), also called the Volume Shadow Copy Service. | STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot1
2.14 | ReadyBoost driver is loaded so ReadyBoot can start |
2.14-102.22 | ReadyBoot starts. Note: As discussed above, ReadyBoot prefetches files, stores them in the prefetch folder, and loads them in an optimal sequence to speed up startup. That is why it runs until Windows has completely started up. ReadyBoot uses the ReadyBoost driver. ReadyBoot is one function of SuperFetch, which also prefetches user-mode applications, i.e. it learns how you work too. | HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PreFetchParameters\EnablePrefetcher; HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PreFetchParameters\EnableSuperfetcher; %SystemRoot%\PreFetch
2.66-35.80 | "Loading Windows" splash screen appears. § Phase: MainPathBoot. Duration: MainPathBootTime |
3.04 | Reinitializes boot drivers |
8.70-11.16 | Starts the Plug and Play (PnP) Manager, which is a sub-system of the I/O Manager. § Phase: SystemStart. Start: SystemPNPInitStartTimeMS or pnpSystemStartStartTime. Duration: SystemPNPInitDuration or pnpSystemStartDuration. End: pnpSystemStartEndTime |
8.70-11.16 | PnP Manager loads the boot start drivers |
| Platform-Specific Hardware Error Driver (PSHED) etc. | %SystemRoot%\System32\PSHED.DLL
8.99-11.16 | PnP Manager initializes the boot start drivers |
| Platform-Specific Hardware Error Driver (PSHED) etc. | HKLM\SYSTEM\ControlSet001\services\Psched
11.14 | |
11.17 | Passes control to the Session Manager | %SystemRoot%\System32\SMSS.EXE
User Mode: Session Manager (SMSS) !
The Session Manager (SMSS) is the first "properly created" process for Windows once kernel-mode startup is complete. You can refer to the diagram on user mode in the article on Windows Components for Startup - an additional diagram will soon be added to show how the Session Manager fits.
It performs three main tasks:
- Spawns many other processes that spawn further processes. That includes spawning multiple instances of itself, concurrently (running at the same time) up to four plus one per additional CPU;
- Loads and starts the drivers other than the boot drivers; and
- Initializes the Registry.
The first instance also marks itself as critical.
Table 3 - Windows Session Manager: SMSS.exe
Example time [seconds] | Activity | Filename or Registry details
11.17-17.74 | Passed control from the kernel | %SystemRoot%\System32\NTOSKRNL.EXE
11.17 | The first instance of SMSS. A blank screen appears during this phase. § Phase: Session Initialization, SMSSInit or Session Init. Duration: BootSmssInitTime |
| Marks itself as critical |
| Initializes an ALPC port to receive commands |
| Initializes system-wide environment variables. Reads the environment template from the registry to update its environment as the default for all processes that SMSS spawns. | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, e.g. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\windir = %SystemRoot%
| Creates DOS device symbolic links, e.g. AUX, NUL, PRN | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
| Creates a directory in the Object Manager | Root\Sessions
11.18-12.81 | Runs the boot execute programs and waits for them to complete. These can only be programs using the NTDLL API. | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute = autocheck autochk *
11.72-12.78 | Autochk.exe uses the NTDLL API, whereas Chkdsk.exe uses the Win32 API and so could not run at this point. | %SystemRoot%\System32\AUTOCHK.EXE
12.81 | Completes the file rename and delete operations that were set to run after restart | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2 etc.
| Initializes the paging files. | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
12.81-14.31 | Completes initializing the registry by mounting the remaining hives. | HKLM\Software; HKLM\Security; HKLM\SAM
| Merges the in-memory version of the System hive loaded by Winload so any additions or updates from the boot process are preserved. | HKLM\System
14.31 | Runs the setup execute programs | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute
| Note that the Kernel-Mode API is specified. Also note that the Subsystems key determines which environment sub-system is able to execute the program. Refer to the discussion of user-mode components in the article on Windows components. | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems\Kmode = %SystemRoot%\System32\WIN32K.SYS
| Calculates the drive letter of the boot volume | HKLM\System\Setup\SystemPartition
11.71-11.72 | Spawns SMSS threads to initialize sessions | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems
| The number of initial sessions | HKLM\System\CurrentControlSet\Control\Session Manager\NumberOfInitialSessions = 2
| Runs the required server processes | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems\Required = Windows
| The Client Server Run-Time Sub-System (CSRSS) is the default server process for the user mode of the Win32 API. | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems\Windows = %SystemRoot%\System32\CSRSS.EXE [etc.]
| Runs any optional server processes. | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems\Optional = POSIX
| The POSIX Sub-System is the server process for the user mode of the POSIX API. | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems\Optional\Posix = %SystemRoot%\System32\PSXSS.EXE
13.25 | Initializes sessions above 0 |
13.25-13.97 | Session 1 instance of SMSS. § Start: SessionInitStartTimeMS. Duration: Session1InitDuration |
| Creates the session subsystem. | HKLM\System\CurrentControlSet\Control\Session Manager\Subsystem
| Runs CSRSS. | %SystemRoot%\System32\CSRSS.EXE ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
14.95-17.03 | Initializes the non-interactive session 0 by spawning an instance of itself. Session 0 is always a WinInit session. | %SystemRoot%\System32\smss.exe 00000000 00000040
17.03-17.74 | Initializes the interactive session 1 by spawning an instance of itself. Sessions above 0 are Winlogon sessions. | %SystemRoot%\System32\smss.exe 00000001 00000040
| Initializes any more sessions until NumberOfInitialSessions is met. |
| Waits for the session 0 instance of CSRSS |
14.95-17.03 | Session 0 instance of SMSS. § Start: SessionInitStartTimeMS. Duration: Session0InitDuration | HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
| Runs CSRSS | %SystemRoot%\System32\CSRSS.EXE ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
| Preloads the "Known" DLLs so they are always open. ! These run at the highest privilege so they must be trusted. | HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs
17.74 | Creates an instance of Winlogon for interactive sessions | %SystemRoot%\WINLOGON.EXE
17.74 | Exits |
| Later instances of SMSS also run and then exit |
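Everything the first SMSS instance consumes in Table 3 (BootExecute, SetupExecute, the pending rename list, the Subsystems values and KnownDLLs) lives under one registry key and runs before any service or logon, which makes it worth checking against the defaults shown above. The script below is an added example, not code from the original article: it reads each of those values and reports any deviation from the Table 3 defaults. It assumes Windows 7 or later, Windows PowerShell 3.0 or later and an elevated session; the layout of PendingFileRenameOperations as source/destination pairs is stated in a comment rather than taken from the article.

```powershell
# Added example, not from the original article. Inventories the Session Manager values
# the first SMSS instance consumes before any service starts and compares them with the
# defaults listed in Table 3. Assumptions: Windows 7 or later, Windows PowerShell 3.0 or
# later, an elevated session.

$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegList([string]$Key, [string]$Name) {
    # Returns a REG_MULTI_SZ or REG_SZ value as a string array, or an empty array if absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Name)
}

# 1. BootExecute and SetupExecute run native (NTDLL-only) programs before Win32 exists.
$boot = Get-RegList $sm 'BootExecute'
if (($boot -join "`n") -ne 'autocheck autochk *') {
    $findings.Add('BootExecute differs from the default: ' + ($boot -join ' ; '))
}
$setup = Get-RegList $sm 'SetupExecute'
if ($setup.Count -gt 0) { $findings.Add('SetupExecute is populated: ' + ($setup -join ' ; ')) }

# 2. Pending rename/delete operations are applied by SMSS (12.81 s in the trace). The
#    list holds source/destination pairs; an empty destination means delete.
foreach ($name in 'PendingFileRenameOperations', 'PendingFileRenameOperations2') {
    $ops = Get-RegList $sm $name
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = if (($i + 1) -lt $ops.Count -and $ops[$i + 1]) { $ops[$i + 1] } else { '<delete>' }
        $findings.Add("$name : $($ops[$i]) -> $dst")
    }
}

# 3. Required subsystems and the command line SMSS uses to start CSRSS.
$required = Get-RegList "$sm\Subsystems" 'Required'
if (($required -join "`n") -ne 'Windows') {
    $findings.Add('Subsystems\Required differs from the default: ' + ($required -join ' ; '))
}
$winCmd = [string](Get-ItemProperty "$sm\Subsystems").Windows     # REG_EXPAND_SZ, returned expanded
$winExe = ($winCmd -split '\s+')[0]
if ($winExe -ne (Join-Path $env:SystemRoot 'System32\csrss.exe')) {
    $findings.Add("Subsystems\Windows does not start csrss.exe from System32: $winCmd")
}

# 4. KnownDLLs are mapped into every Win32 process, so each entry must resolve to a file
#    in the directory named by DllDirectory (System32 on 64-bit Windows).
$kd = Get-ItemProperty "$sm\KnownDLLs"
$dllDir = [Environment]::ExpandEnvironmentVariables([string]$kd.DllDirectory)
$skip = 'DllDirectory', 'DllDirectory32', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($prop in $kd.PSObject.Properties) {
    if ($skip -contains $prop.Name) { continue }
    $path = Join-Path $dllDir ([string]$prop.Value)
    if (-not (Test-Path -LiteralPath $path)) { $findings.Add("KnownDLL $($prop.Name) -> $path is missing") }
}

if ($findings.Count -eq 0) { 'No deviations from the Table 3 defaults found.' } else { $findings }
```

A non-empty PendingFileRenameOperations list is normal right after an update or installer run and is only interesting if it persists across reboots or names files outside the locations you expect; the BootExecute, Subsystems and KnownDLLs findings, on the other hand, should be empty on a healthy system.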
User Mode: Client Server Run-Time Sub-System (CSRSS) !
The Client Server Runtime is a critical process that provides the user-mode portion of the Win32 API (Application Programming Interface). Originally it provided the entire API but Win32K now provides the kernel-mode portion. However, CSRSS continues to create kernel-mode threads.
If CSRSS fails then Windows can't get out of kernel-mode so you will see a BSOD (Blue Screen Of Death, as it is called). !
Table 4 - Windows Client Server Runtime: CSRSS.exe
Example time [seconds] | Activity | Filename or Registry details
15.31 | Run by SMSS session 0 | %SystemRoot%\System32\smss.exe 00000000 00000040
17.00 | Loads the Multi-User Window Server DLL | %SystemRoot%\System32\WINSRV.DLL
???? | Loads the Windows NT BASE Server DLL | %SystemRoot%\System32\BASESRV.DLL
17.02 | Loads the Client Server Runtime Process DLL | %SystemRoot%\System32\CSRSRV.DLL
Table 5 - Windows Client Server Runtime: CSRSS.exe
Example time [seconds] | Activity | Filename or Registry details
17.05 | Run by SMSS session 1 | %SystemRoot%\System32\SMSS.EXE
17.28 | Loads the Canonical Display Driver DLL, which blends GDI and DirectX drawing in an emulated display for the Win32K subsystem. | %SystemRoot%\System32\CDD.DLL
??? | Loads the Base Server DLL | %SystemRoot%\System32\BASESRV.DLL
17.72 | Loads the Multi-User Window Server DLL | %SystemRoot%\System32\WINSRV.DLL
17.73 | Loads the Client Server Runtime Process (CSRSS) DLL | %SystemRoot%\System32\CSRSRV.DLL
17.74 | Starts the Windows Logon Application | %SystemRoot%\System32\WINLOGON.EXE
User Mode: Windows Initialization (WinInit) !
Windows Initialization or WININIT runs the first time a user logs on. It runs once to handle system tasks that do not need to run again.
Table 6 - Windows Init: WININIT.exe
Example time [seconds] | Activity | Filename or Registry details
17.03 | Run by SMSS session 0 | %SystemRoot%\System32\smss.exe 00000000 00000040
| Creates and opens an interactive window station for legacy interactive services that use session 0. Currently, session 0 should not be used for interactive services but older services do use it, so Windows uses an Interactive Services Detection service to advise users when a session 0 service displays a window. |
17.42 | Starts the Services Control Manager (SCM) | %SystemRoot%\System32\SERVICES.EXE
17.69 | Starts the Local Security Authority SubSystem (LSASS) | %SystemRoot%\System32\LSASS.EXE
17.70 | Starts the Local Session Manager (LSM) | %SystemRoot%\System32\LSM.EXE
WinInit recognizes when a non-interactive, session 0, process creates a window on the desktop.
User Mode: Services Control Manager (SCM)
The Service Control Manager runs as a Windows console program. It:
- Scans the registry for configured device drivers and services.
- Loads the auto class device drivers and services
- Waits for requests to start and stop services
Table 7 - Services Control Manager: Services.exe
Example time [seconds] | Activity | Filename or Registry details
17.42 | Run by Windows Initialization | %SystemRoot%\System32\WININIT.EXE
18.90 | Starts Plug and Play | %SystemRoot%\System32\SERVICES.EXE
18.90-49.90 | Starts the auto start services. § Phase: ServicesAutoStart. Start: autoStartStartTime. Duration: autoStartDuration. End: autoStartEndTime | HKLM\SYSTEM\CurrentControlSet\Services\<service name>\Start = 2 for Auto_Start services
| Saves the last successful control set as Last Known Good | HKLM\SYSTEM\Select\LastKnownGood
Service load order !
A number of factors affect the load order for services:
- SCM looks at the Start value for each service (HKLM\SYSTEM\CurrentControlSet\Services\<service name>). It starts 2 = Auto_Start services and 3 = Demand_Start services. WinLoad has already loaded 0 = Boot_Start services and 1 = System_Start services.
- The services are loaded in service group order by default. See HKLM\System\CurrentControlSet\Control\ServiceGroupOrder.
- Dependencies between services and groups. For example, a group has to have at least one service successfully load before dependent services can start. Dependencies are defined in the DependOnGroup and DependOnService values. Note that the latter applies only to the services that SCM loads, i.e. Auto_Start and Demand_Start.
- A service image file database ensures that image files aren't loaded more than once.
- HKLM\System\CurrentControlSet\Control\Windows\NoInteractiveServices can be set to 1 so that SCM checks for interactive services.
- After loading all the auto start drivers there is a delay of 120 seconds before the delayed services are started. This delay helps other startup processes to complete. It can be set at HKLM\SYSTEM\CurrentControlSet\Control\AutoStartDelay.
Service failure !
Services can fail and SCM can log these events or restart the boot process if critical services fail. Again there is a value for each service in HKLM\SYSTEM\CurrentControlSet\Services\service name. ErrorControl has the following values:
- 0 = Ignore so continue with no further action.
- 1 = Normal so log the event and continue.
- 2 = Severe so reboot to the last known good control set if it has not been used already, otherwise continue.
- 3 = Critical so reboot to the last known good control set if it has not been used already, otherwise crash. !
SCM has an additional function that doesn't appear to relate to services at all. When a connection for a network drive letter is created or deleted it broadcasts a message for GUI applications. This is primarily for Windows Explorer, which needs to update open windows with the change.
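The Start, Group, DependOn* and ErrorControl values described in the two sections above can be decoded for a whole system in one pass. The script below is an added example and is not code from the original article: it reads every service key, labels Start and ErrorControl with the names used in this article, orders the services SCM itself starts by ServiceGroupOrder (the article's default ordering rule, applied here as a simple sort rather than SCM's full dependency resolution), and lists the services whose failure falls back to Last Known Good or crashes the system. It assumes Windows 7 or later and Windows PowerShell 3.0 or later; the AutoStartDelay value name is the one given above, and 4 = Disabled is the one Start value not listed in the article.

```powershell
# Added example, not from the original article. Decodes the Start and ErrorControl values
# SCM reads from each service key, orders the services SCM itself starts by
# ServiceGroupOrder (a simplified model: group rank then name, without dependency
# resolution), and lists the services whose failure triggers Last Known Good or a crash.
# Assumptions: Windows 7 or later, Windows PowerShell 3.0 or later.

$startNames = @{ 0 = 'Boot_Start'; 1 = 'System_Start'; 2 = 'Auto_Start'; 3 = 'Demand_Start'; 4 = 'Disabled' }
$errorNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

# ServiceGroupOrder\List is a REG_MULTI_SZ giving the group load order; ungrouped
# services sort after every named group.
$groupOrder = @((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List)
$rank = @{}
for ($i = 0; $i -lt $groupOrder.Count; $i++) { $rank[[string]$groupOrder[$i]] = $i }

# AutoStartDelay is the value named in the article; when absent the 120 s default applies.
$delay = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').AutoStartDelay
'Delayed auto-start services begin after {0} seconds' -f $(if ($delay) { $delay } else { '120 (default)' })

$services = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.Start) { continue }      # not a service entry
    $group = [string]$p.Group
    $deps = @()
    if ($p.DependOnService) { $deps += @($p.DependOnService) }
    if ($p.DependOnGroup)   { $deps += @($p.DependOnGroup | ForEach-Object { "+$_" }) }   # '+' marks a group
    [pscustomobject]@{
        Name         = $key.PSChildName
        Start        = $startNames[[int]$p.Start]
        ErrorControl = if ($null -ne $p.ErrorControl) { $errorNames[[int]$p.ErrorControl] } else { 'n/a' }
        Group        = $group
        GroupRank    = if ($rank.ContainsKey($group)) { $rank[$group] } else { $groupOrder.Count }
        Delayed      = [bool]$p.DelayedAutostart
        DependsOn    = $deps -join ','
    }
}

# What SCM will start, in the order it considers them (group rank, then name).
$services | Where-Object { 'Auto_Start', 'Demand_Start' -contains $_.Start } |
    Sort-Object GroupRank, Name |
    Format-Table Name, Start, Group, Delayed, DependsOn -AutoSize

# Failure of these reboots to Last Known Good (Severe) or halts Windows (Critical).
$services | Where-Object { 'Severe', 'Critical' -contains $_.ErrorControl } |
    Format-Table Name, Start, ErrorControl -AutoSize
```

The second listing is the useful one for change review: a new Auto_Start service that also declares ErrorControl = 3 can turn a bad update into a boot failure, and a dependency on a group that no longer has any members will never be satisfied.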
User Mode: Local Security Authority SubSystem (LSASS)
The Local Security Authority Sub-System handles local (i.e. not network) system security policies. Most of its functionality is handled by the Local Security Authority service (LSASrv.dll) and its database is stored in the registry in a protected area under HKLM\Security. It:
- Authenticates user logon by calling the appropriate authentication DLL. Authenticated users have an access token generated that contains the user's security profile.
- Performs system security auditing, including sending related event messages to the Event log.
It processes any request for security authorisations that it receives through the communications (LCM) port it creates. Requests come from three sources:
- Winlogon
- network logon service process
- other user-mode processes that want to authenticate users
Note that Windows maintains compatibility with older versions of Windows by applying an implicit integrity level to objects that do not have specific security.
Table 8 - Local Security Authority SubSystem: LSASS.exe
Example time [seconds] | Activity | Filename or Registry details
17.69 | Run by Windows Initialization | %SystemRoot%\System32\WININIT.EXE
| Creates initial processes which usually default to UserInit.exe. | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit; the default is "%SystemRoot%\System32\Userinit.exe,"
| If AutoLogon is set then uses the default user name. | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked; HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
| Starts the Encrypting File System (EFS) service for encrypting data on disk. It can encrypt folders but not entire drives like BitLocker. Δ It is not fully supported on Windows 7 Starter, Home Basic and Home Premium. | %SystemRoot%\System32\EFSSVC.DLL
| Starts the Cryptography Application Programming Interface - Next Generation (CNG) Key Isolation service | %SystemRoot%\System32\KEYISO.DLL
| Starts the Security Accounts Manager (SamSS) service. SamSS manages the SAM database of defined user names and groups stored in the registry at HKLM\SAM. It does not include users defined for a domain controller/server. | %SystemRoot%\System32\SAMSRV.DLL
User Mode: Local Session Manager (LSM)
The Local Session Manager manages terminal server sessions running on the local machine.
LSM is notified by WinLogon of:
- logon and logoff
- connect to and disconnect from session
- lock and unlock the desktop
- start and terminate the shell
Table 9 - Local Session Manager: LSM.exe
Example time [seconds] | Activity | Filename or Registry details
17.70 | Run by Windows Initialization (WinInit) | %SystemRoot%\System32\WININIT.EXE
User Mode: Interactive Windows Logon (WinLogon) !
The Windows Logon Application runs under LSASS and manages interactive logon sessions. It performs the following main tasks:
- Displays the logon screen by running the Logon User Interface (LogonUI.exe);
- Services are started by the Service Control Manager (SCM)
- Identifies and authenticates users through credential provider DLLs
- Can load additional network provider DLLs
- Group policy is applied.
- Passes the username and password to LSASS for authentication.
The Secure Attention Sequence (SAS), keying Ctrl+Alt+Del, cannot be produced by a process so it differentiates users from processes.
If WinLogon, like CSRSS, fails then Windows can't get out of kernel-mode so you will see a BSOD (Blue Screen Of Death, as it is called). !
Table 10 - Windows Logon: WinLogon.exe
Example time [seconds] | Activity | Filename or Registry details
17.74 | Run by SMSS session 1 | %SystemRoot%\System32\smss.exe 00000001 00000040
| Creates an interactive window station for session 1 |
| Creates the interactive Window Station to display a user interface and receive input. This represents the keyboard, mouse and display. Uses security access control to prevent other processes from accessing this window station without Winlogon's permission. | WinSta0
| Creates three desktops: WinLogon, Default and Disconnect |
29.1 | Initializes the Windows User Experience Session Initialization DLL | %SystemRoot%\System32\UXINIT.DLL
20.10 | Spawns the Windows Logon User Interface Host (LogonUI) | %SystemRoot%\System32\LOGONUI.EXE /flags:0x0
35.79 | The desktop appears in this phase. § Phase: BootPostBoot. Duration: BootPostBootTime |
122.34 | The desktop first appears in this phase so you can log on, i.e. Windows becomes usable. § BootTime = MainPathBootTime + BootPostBootTime |
1,243.21 | Runs User Initialization (UserInit) | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %SystemRoot%\System32\USERINIT.EXE
Further notes on desktops
At this point it is worth discussing the arrangement of the session desktops. Two points are important: user objects are associated with one desktop but are accessible from any desktop in the session to ensure that hot-keys can work; and every session has an interactive window station.
Session 0 and Session 1, plus any further interactive session, have an interactive window station:
WinSta0, the interactive window station, has three desktops:
- WinLogon
- Default
- Disconnect
Session 0 also has other window stations but these only have the Default desktop:
- System
- Network service
- Local service
- Windows Search Service
User Mode: User Initialization (UserInit)
User Initialization (UserInit) sets up the user environment before starting the Windows shell, which by default is Windows Explorer:
- runs logon scripts
- connects to the network
- applies Group Policies including running the Group Policy logon script
- creates events for some failed logon scripts
Table 11 - User Initialization: UserInit.exe
Example time [seconds] | Activity | Filename or Registry details
1,243.21-1,273.41 | Run by Windows Logon (WinLogon) | %SystemRoot%\System32\WINLOGON.EXE
| Initiates the user environment |
| Creates the temporary folder (or is this LSASS?) | %WinDir%\Temp
| Runs logon scripts |
| Connects to the network |
| Applies Group Policies |
| Logs events if particular logon scripts fail. |
1,243.65 | Runs the Windows shell. The default is Explorer.exe | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = %SystemRoot%\EXPLORER.EXE
Note: If you run no logon scripts and are not connecting to a network (i.e. you are offline) then UserInit can be bypassed. If this is not done correctly, however, Windows Explorer will not run, leaving you with no useful desktop.
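Because a wrong Userinit or Shell value leaves you without a working desktop, it is worth being able to check both values against what a stock installation carries. This is an added PowerShell example, not the article's own material; it reads the two Winlogon values from Table 11 and treats Userinit as the comma-separated list it is (the stock value ends with a trailing comma), reporting any entry that is not the expected UserInit or Explorer path. The function name Expand-Entry is my own.

```powershell
# Added example, not from the article: compare the Winlogon Userinit and Shell
# values with the stock Windows 7 x64 defaults. Assumes PowerShell 2.0 or later.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$values = Get-ItemProperty -Path $key -Name Userinit, Shell
$sysRoot = $env:SystemRoot

function Expand-Entry([string]$entry) {
    # Normalise one list entry: drop blanks and quotes, expand %SystemRoot% and
    # friends, and lower-case it so the comparison is case-insensitive.
    $e = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    return $e.ToLowerInvariant()
}

# Stock values: Userinit is the full path (with a trailing comma in the registry);
# Shell is stored as a bare "explorer.exe", which Winlogon finds in %SystemRoot%,
# so both spellings of the Explorer path are accepted here.
$expected = @{
    Userinit = @("$sysRoot\system32\userinit.exe")
    Shell    = @('explorer.exe', "$sysRoot\explorer.exe")
}

foreach ($name in 'Userinit', 'Shell') {
    $actual = ($values.$name -split ',') |
              Where-Object { $_.Trim() } |          # skip the empty entry after the trailing comma
              ForEach-Object { Expand-Entry $_ }
    $want   = $expected[$name] | ForEach-Object { Expand-Entry $_ }
    $extra  = $actual | Where-Object { $want -notcontains $_ }
    if ($extra) {
        # Anything listed here runs at every logon instead of, or in addition to, the stock pair.
        "{0}: unexpected entries: {1}" -f $name, ($extra -join '; ')
    } else {
        "{0}: OK ({1})" -f $name, $values.$name
    }
}
```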
User Mode: Windows Logon User Interface Host (LogonUI)
The Windows Logon User Interface Host provides the user interface for logging on:
- Presents users with a logon screen, using credential providers to obtain the user account name and password. Windows has default credential providers that can be replaced or supplemented by third-party providers.
- Allows alternative credential providers to be used for alternative input methods, e.g. biometric scans such as thumb-prints and retinas.
- Allows secondary authentication using network provider DLLs. This provides for authentication from a network server at the same time, using one logon.
LogonUI is a separate process from WinLogon.exe, so a failure in a third-party credential provider will not cause Windows to crash. Instead WinLogon can spawn another instance of LogonUI.
Table 12 - Windows Logon User Interface Host: LogonUI.exe
Example time [seconds] | Activity | Filename or Registry details
20.10-1,250.05 | Run by WinLogon | %SystemRoot%\System32\WINLOGON.EXE
~20.99 | § The user logon dialog is displayed. Phase: LogonUI displays desktop |
| Load credential provider DLLs from the credential provider list of CLSIDs in the registry. The primary credential provider is the "PasswordProvider". There is also a "Smartcard Pin Provider" and a network provider DLL "NPProvider". | HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{CLSID} = PasswordProvider; HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider = {CLSID}
| The SmartCard credential provider allows a smart card to be used with a PIN. The default is SmartcardCredentialProvider.DLL | For HKLM\Software\Classes\CLSID\{CLSID} = "Smartcard Pin Provider": HKLM\Software\Classes\CLSID\{CLSID}\InProcServer32 = %SystemRoot%\System32\SMARTCARDCREDENTIALPROVIDER.DLL
| The network provider DLL allows secondary authentication from a network server. If there is no network provider then it will default to the default password provider, which is normally AuthUI.dll | For HKLM\Software\Classes\CLSID\{CLSID} = "NPProvider": HKLM\Software\Classes\CLSID\{CLSID}\InProcServer32 = %SystemRoot%\System32\AUTHUI.DLL
~1,236.75 | The user logs on. In this case, after a twenty minute and fifteen second wait. § Duration: UserLogonWaitDuration |
For more detail including diagrams about the logon process see Credentials Management in Windows Authentication.
- The details for the last user logon through LogonUI are stored in HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication.
- The network credential providers are also called credential managers, so don't confuse them with Microsoft Credentials Manager, which allows users to store passwords.
- Windows can determine the authentication strength of a user logon, e.g. smartcard authentication is stronger than password authentication, and assign membership of various groups to allow or prevent access to resources accordingly.
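Since every registered credential provider is loaded into LogonUI before anyone has logged on, an inventory of them is a useful check. The following is an added PowerShell example, not part of the article: it walks the Credential Providers list and the LastLoggedOnProvider value from Table 12, resolves each CLSID to its InProcServer32 DLL, and reports whether that DLL lives under System32 and carries a valid Authenticode signature. The function name Get-CredentialProvider is my own.

```powershell
# Added example, not from the article: inventory the credential providers LogonUI
# will load. Requires PowerShell 3 or later (for [pscustomobject]); run elevated.
$auth  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$last  = (Get-ItemProperty "$auth\LogonUI" -ErrorAction SilentlyContinue).LastLoggedOnProvider
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-CredentialProvider {
    foreach ($k in Get-ChildItem "$auth\Credential Providers") {
        $clsid = $k.PSChildName                              # e.g. {GUID}
        $name  = (Get-ItemProperty $k.PSPath).'(default)'    # e.g. PasswordProvider
        $srv   = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll   = $null
        if ($srv -and $srv.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)')
            # A bare file name is loaded from System32, so resolve it there for the checks below.
            if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $sys32 $dll }
        }
        $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'DLL not found' }
        [pscustomobject]@{
            CLSID      = $clsid
            Name       = $name
            DLL        = $dll
            InSystem32 = [bool]($dll -and $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase))
            Signature  = $sig        # 'Valid' for the Microsoft providers on a stock install
            LastUsed   = ($clsid -eq $last)
        }
    }
}

Get-CredentialProvider | Format-Table -AutoSize
```

A third-party provider is not wrong in itself (the text above says they are supported), but one outside System32 or without a valid signature is the entry to look at first.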
User Mode: Network Logon (NetLogon)
Network logon (%SystemRoot%\System32\NETLOGON.DLL) is not used in the example. It is usually invisible to users as it would use the credentials authenticated by user logon. If it requires additional credentials then they are obtained using the Network Provider during LogonUI.
User Mode: Explorer
When Explorer starts the Desktop Window Manager also starts and displays the desktop.
The default desktop appears when the shell is ready to display something, or after thirty seconds, whichever is first.
Table 13 - Windows Explorer: Explorer.exe
Example time [seconds] | Activity | Filename or Registry details
1,243.65 | Run by User Initialization (UserInit). Phase: ExplorerInit End: BootDoneViaExplorer | %SystemRoot%\System32\USERINIT.EXE
1,248.89 | Explorer has initialized. Explorer's post-boot period ends and then Explorer waits a default 10 seconds idle time before this phase ends. § Phase: PostExplorerPeriod Duration: postBootDisturbance + postBootRequiredIdleTime End: BootDoneViaPostBoot |
1,378.69 | Explorer completes booting to the user desktop. |
User Mode: Trace trail
In my example, Windows Performance Reporting (WPR) started with Explorer initialization at 1,243s, started the trace tail at 1,378.69 when Explorer has booted to the desktop, and ended the trace at 1,382s:
C:\Program Files (x86)\Windows Kits\8.0\Windows Performance Toolkit\WPRUI.EXE
Related Links
- Windows 7 Startup should be read before this article because it provides a necessary overview.
- Windows Startup Terminology summarises terms that are used in this article. The terms generally relate to running programs, so there is a section on how programs start and run.
- Windows 7 Startup Components presents three main diagrams that illustrate the components of Windows: kernel mode system processes, user mode application support, and user-mode system processes.
- What Everybody Should Know About the Windows Registry
Microsoft references:
- The Windows Internals book doesn't specifically look at Windows startup but it does look at the mechanisms involved in many aspects of startup. The 6th Edition looks at Windows 7 and the two volumes are cheap at the moment because the next edition which covers Windows 8 should be available later in 2014.