Windows 7 Startup Detail

toggle-button

Want to follow a detailed example of what happens when Windows starts?

In this article you will find the following detail about Windows startup:

  • Descriptions of the major components.
  • Detailed sequences of activities for each process.
  • Example registry keys and values.

This article is a companion to the Windows 7 Startup article which covers background material and an overview diagram of the main startup sequence.

Caveats

Here I include the caveats which are a duplicate of those in the main article:

  • The articles are always going to be an overview rather than a complete description.
  • The articles are now unlikely to have more detail added.
  • The articles may have errors but wherever possible I have confirmed the steps in a real example. I've still had to rely on other commentaries as I've only used the tools that would be used by a confident user. That's why there is no mention of advanced tools for programmers like kernel debuggers or the special debug version of Windows (a checked build).
  • These articles are not not a troubleshooting guide although I have included some pointers for where to look for solutions to some problems.
  • These articles are not a guide to altering your system start-up processes. They should not be relied upon for making any changes to your system. Instead you should confirm any change through the relevant support channels for Microsoft Windows or the particular application you are dealing with.
  • These articles do not include starting Windows 8 or 10, installing Windows, resuming Windows from sleep or hibernation, or using safe mode and the other startup options. If you do want more detail in some area then let me know by registering with this site and leaving a comment.

This article only looks at Windows 7 64-bit

Windows 7 is a good compromise between old and new versions of Windows. Although it is very similar to Vista there are major differences in the startup processes. I have pointed out some of those differences where it improves this article. For any thing else related to earlier version of Windows you will have to look elsewhere.

The examples I am using are based on startup traces I ran on my test PC running Windows 7 64-bit. I used 64-bit Windows because it was the future at the time and I needed to highlight how 64-bit Windows handles 32-bit processes.

The traces provide some timings to give you a relative indication of the time taken by the startup phases and it also provides you with the option to compare it with your own Windows startup. Just be aware that there are several reasons why your relative timings may be considerably different to mine.

Icons highlight key issues

I have included icons to highlight various topics of interest so you can scan the detail more easily.

32-bit and 64-bit Windows have some significant differences:
32 applies to 32-bit Windows only.
64 applies to 64-bit Windows only.

Where the startup feature was changed from Windows Vista:
 7  indicates a new feature for Windows 7.

On the very few occasions where the Windows Edition is relevant:
 Δ  indicates differences between Windows Editions.

If you are troubleshooting then look for these icons:
 !  indicates a known troubleshooting issue.
 !  indicates a critical process (processes set this status themselves) which can crash or halt Windows if it fails.
 §  provides information on diagnostic tools and their output.  
 ∞  indicates a process that normally runs until Windows stops.

How to view and print the larger tables

I am trying to pack a lot of information into some of the tables and diagrams so they look better in a display that is 1600 pixels wide. If your display is smaller, particularly if it is below 1200 pixels wide, then you can use the 'Printer-friendly view' to remove the sidebars so you can read them more easily.

In the tables I have placed a blank line between each filename and registry key to keep them separate. Where a registry key is too long to fit in one line of a table then I have also inserted line breaks to break it up.

 

Windows startup in detail

Windows Operating System (OS) Boot Loader: WinLoad.exe  ! 

The fist steps in loading the Windows Kernel mode are provided by the Windows Boot Loader. This program provides temporary functions that boot or start the Windows Kernel which is the first permanent component to start. The Boot Loader continues to perform further activities to support Kernel mode initialization until it has got sufficient sub-systems running to continue with its normal permanent operations.

The Boot Loader activities fall into four main areas:

  • Reads the minimum configuration data from disk: the Boot Configuration Data (BCD) and the SYSTEM hive of the Registry.
  • Enumerates the devices and "boot start" drivers. For the most essential drivers and itself, the boot loader also verifies their integrity and crashes the system if there are any problems.
  • Initializes the system so the Windows Kernel can be loaded and executed.
  • After the Kernel starts, loads into memory the configuration and enumerated drivers for the Kernel to use.

Note: The Windows Boot Manager and the Windows Boot Loader perform similar steps in their initial stage: they setup the same structures, they read the BCD and determine the system drive and volume, they read the Boot Boot Status Data Log (BootStat.dat), and both can display a recovery menu if startup has previously failed.

[show-hide toggle]

 

Kernel-mode  ! 

Kernel mode processes are the core of Windows. There are a wide range of kernel-mode sub-systems that provide the basic components of the operating system which other programs rely upon. You can refer to the diagram on kernel mode in the article on Windows Components for Startup.

Kernel-mode processes have almost unrestricted access to resources than user-mode processes which are restricted in many ways to protect Windows. Kernel-mode processes:

  • Can access hardware directly whereas user-mode processes cannot.
  • Can access all of the computer's memory whereas user-mode processes are limited to assigned memory spaces.
  • Can access the kernel memory whereas user-mode processes cannot.
  • Are not normally paged out of RAM to virtual memory on disk.
  • Run at a high priority so they don't have to wait on user-mode processes which run at a lower priority.

Kernel mode initialization performs three main functions:

  • Set-up data structures.
  • Load and initialize components.
  • Start the Plug and Play (PnP) manager to initialize the boot start drivers that were enumerated by the Windows Boot Loader.
[show-hide toggle]

 

User Mode: Session Manager (SMSS)   ! 

The Session Manager (SMSS)  is the first "properly created" process for Windows once kernel-mode startup is complete. You can refer to the diagram on user mode in the article on Windows Components for Startup - an additional diagram will soon be added to show how the Session Manager fits.

It performs three main tasks:

  • Spawns many other processes that spawn further processes. That includes spawning multiple instances of itself, concurrently (running at the same time) up to four plus one per additional CPU;
  • Loads and starts the drivers other than the boot drivers; and
  • Initializes the Registry.

The first instance also marks itself as critical.

[show-hide toggle]

 

User Mode: Client Server Run-Time Sub-System (CSRSS)  ! 

The Client Server Runtime is a critical process that is used to provide the the user-mode portion of the Win32 API (Application Programming Interface). Originally it provided the entire API but Win32K now provides the kernel mode portion. However, CSRSS continues to create kernel-mode threads.

[show-hide toggle]

 

User Mode: Windows Initialization (WinInit)  ! 

Windows Initialization or WININIT runs the first time a user logs on. It runs once to handle system tasks that do not need to run again.

[show-hide toggle]

 

User Mode: Services Control Manager (SCM)

The Service Control Manager runs as a Windows console program.:

  • Scans the registry for configured device drivers and services.
  • Loads the auto class device drivers and services
  • Waits for requests to start and stop services
[show-hide toggle]

 

User Mode: Local Security Authority SubSystem (LSASS)

The Local Security Authority Sub-System that handles local (i.e. not network) system security policies. Most of its functionality is handled by the Local Security Authority service (LSASrv.dll) and its database is stored in the registry in a protected area under HKLM\Security:

  • authenticates user logon by calling the appropriate authentication DLL. Authenticated users have an access token generated that contains the user security profile.
  • System security auditing including sending related event messages to the Event log.

It processes any request for security authorisations that it receives through the communications (LCM) port it creates. Requests come from three sources:

  • Winlogon
  • network logon service process
  • other user-mode processes that want to authenticate users

Note that Windows maintains compatibility with older versions of Windows by applying an implicit integrity level to objects that do not have specific security.

[show-hide toggle]

User Mode: Local Session Manager (LSM)

The Local Session Manager manages terminal server sessions running on the local machine.

LSM is notified by WinLogon of:

  • logon and logoff
  • connect to and disconnect from session
  • lock and unlock the desktop
  • start and terminate the shell
[show-hide toggle]

 

User Mode: Interactive Windows Logon (WinLogon) 

The Windows Logon Application runs under LSASS and manages interactive logon sessions. It performs the following main tasks:

  • Displays the logon screen by running the Logon User Interface (LogonUI.exe);
  • Services are started by the Service Control Manager (SCM)
  • Identifies and authenticates users through credential provider DLLs
  • Can load additional network provider DLLs
  • Group policy is applied.
  • Passes the username and password to LSASS for authentication.
[show-hide toggle]

 

User Mode: User Initialization (UserInit)

User Initialization (UserInit) sets-up the user environment before starting the Windows shell which by defaults is Windows Explorer:

  • runs logon scripts
  • connects to the network
  • applies Group Policies including running the Group Policy logon script
  • creates events for some failed logon scripts
[show-hide toggle]

 

User Mode: Windows Logon User Interface Host (LogonUI)

The Windows Logon User Interface Host provides the user interface for logging on:

  • Presents users with a logon screen to using credential providers to obtain the user account name and password. Windows has default credential providers that can be replaced or supplemented by third-party providers.
  • Allow alternative credential providers to be used for alternative input methods e.g. biometric scans such as thumb-prints and retinas.
  • Allow secondary authentication using network provider DLLs. This provides for authentication from a network server at the same time using one logon.

LogonUI is a separate process from WinLogon.exe. Any failure with third-party credential providers will not cause Windows to crash. Instead it can spawn another instance of LogonUI.

[show-hide toggle]

 

User Mode: Network Logon (NetLogon)

Network logon (%SystemRoot%\System32\NETLOGON.DLL) is not used in the example. It is usually invisible to users as it would use the credentials authenticated by user logon. If it requires additional credentials then they are obtained using the Network Provider during LogonUI.

 

User Mode: Explorer

When Explorer starts the Desktop Window Manager also starts and displays the desktop.

The default desktop appears when the shell is ready to display something, or after thirty seconds, whichever is first.

[show-hide toggle]

 

User Mode: Trace trail

In my example, Windows Performance Reporting (WPR) started with Explorer initialization at 1,243s, started the trace tail at 1,378.69 when Explorer has booted to the desktop, and ended the trace at 1,382s:
C:\Program Files (x86)\Windows Kits\8.0\Windows Performance Toolkit\WPRUI.EXE

 

Related Links

Microsoft references:

  • The Windows Internals book doesn't specifically look at Windows startup but it does look at the mechanisms involved in many aspects of startup. The 6th Edition looks at Windows 7 and the two volumes are cheap at the moment because the next edition which covers Windows 8 should be available later in 2014.

Back to the top of the article.

 

Please rate this article: 

Your rating: None
4.555555
Average: 4.6 (9 votes)