Chapter 6
IN THIS CHAPTER
Identifying the names and purposes of each file required to boot up a Windows 7 or newer computer
Identifying the locations of Windows 7 or newer boot files
Starting a computer has long been referred to as booting. Before you can use your computer, you need to be able to boot it to a point where the operating system (OS) is functional. Otherwise, your computer is like a safe without a known combination. This chapter will help you get that “safe” open by examining the boot process, which encompasses a series of steps, from powering on to loading the OS shell. This chapter reviews the hardware POST (power-on self-test) process and then concentrates on the OS portion of the overall process. It also introduces you to the standard Windows boot process and the files that are required, and shows how to correct or deal with boot problems related to the boot files. A solid understanding of the Windows boot files will prepare you for the A+ exams, and a general knowledge of the other files will prepare you for working with these systems in the field.
If, as an A+ Certified Professional, you are faced with troubleshooting the boot process on a computer for a user, it is required that you understand the boot sequence. If you do not know what the normal boot process is, you will be at a deficit attempting to troubleshoot issues with it. As a CompTIA A+ Certified Professional, you will often have to bring your knowledge of the core operating system files to bear on your user’s computer conundrums.
The power-on self-test (POST) process starts when power is applied to the system. Electrical current makes its way from the power lead on the motherboard to the ROM-BIOS chips; when the current is received by the BIOS chips, they immediately begin executing their programs. One of the first checks is the memory (both a count and an integrity test). After the memory check, the POST process moves on to find out what ports or I/O devices exist on the system. If the system supports Plug and Play (PnP), as almost all systems do, the BIOS-level PnP configuration takes place. The next thing that happens is a search for bootable devices. The order of this search is defined by the settings stored in CMOS memory, but is often C: (the first partition on the first bootable hard drive), then the optical drive, followed by removable media, such as flash drives, and finally a bootable network card.
For each device in the list of potential bootable devices, the partition table is checked for the active partition. Floppy disks and the CD-ROM check only the first partition. For this partition, the first sector is read and checked for a boot loader. For modern Windows, the first sector is checked for the bootmgr file. When this file is located, it is executed. If it is not found on the first potential bootable device, the second and third devices are checked before a boot failure is reported.
As with so many areas of the OS, each new version of Windows comes with changes to the core boot process. The major change implemented in Windows Vista is the introduction of the boot loader application; the configuration data is also stored in a different location. For Windows 7 and newer OSes, the boot loader is bootmgr. This process is used by current Windows OSes released after Windows 7, so it is the same process that is used by Windows Server 2012 and newer server OSes.
The boot manager (bootmgr) is responsible for reading the boot configuration data stored in the boot configuration database and displaying the boot menu. You will find a rescue copy of bootmgr stored on the system volume in the \windows\boot\pcat directory, but the copy that is used to boot your computer is actually found on the root of the hidden System Reserved partition that Windows creates when you perform your installation. This partition is not so much hidden as simply not assigned a drive letter. The System Reserved partition is usually the first partition on your installation disk and will be marked as the active partition in the disk's partition table. The active partition is the partition where the POST process looks to locate the boot loader. If it is not the System Reserved partition, then it will be the C: drive.
Rather than relying on boot configuration being stored in a single file, such as boot.ini, which was used in older Windows OSes, Microsoft now uses a Boot Configuration Database (BCD). This database stores more comprehensive information about the boot settings. If you are using a computer that supports EFI (Extensible Firmware Interface), the BCD is stored in the EFI System Partition. If you are using a computer with an IBM-style BIOS, the information is stored on the active partition in the \Boot\BCD file. If you need to make changes to this configuration, you can use System Properties, msconfig.exe, bootrec.exe, or bcdedit.exe.
If you choose to boot to Windows, the boot manager transfers control to \windows\system32\winload.exe, which is stored on the system volume. winload.exe, the OS boot loader, has one main job, and that is to load the Windows OS kernel (ntoskrnl.exe).
The main goal of the boot process is to get the OS kernel loaded and functioning. The computer has already given you a choice of OSes, inventoried the hardware, and is now ready to actually start loading the OS into memory. ntoskrnl.exe represents the first and most important step in this process. The OS kernel for Windows is responsible for all thread-level scheduling in the system. It plays a major control role, managing all other components on the system. Without it, there would be anarchy in the OS.
winload.exe proceeds to the path specified in the BCD to locate ntoskrnl.exe in the system32 folder. If the kernel is loaded, winload.exe proceeds to execute it. winload.exe will generate a missing kernel error message if it fails to locate the kernel. (Startup error messages are covered in Book 7, Chapter 1.) After the kernel is running, winload.exe passes control of the system to it. There are several steps to the kernel load, starting with loading devices and then moving on to loading any system services. After the services are running, it loads the default shell application and user profile.
The default user profile is used to run the user logon process. At this point, the logon screen will tell you, Press Ctrl+Alt+Delete to begin. After you provide logon credentials, that user session is discarded, and a new one is started for the new user.
All the devices to be loaded during the system startup are listed in the Registry. The Registry includes information about each device here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<device>
In this location, you can find several values that describe how the device will start up. These values are listed in Table 6-1.
TABLE 6-1 Device and Service Settings in the Registry
Value | Description
Display Name | This string is used to display the name in areas of Windows, such as Device Manager or the Services administrative tool.
Error Control | This value configures how errors will be reported back to the OS. A value of
Group | Devices can be grouped. This is done mostly for dependencies. If any device in a group fails, dependent devices will not start.
Image Path | This is the path and name of the actual driver file that is used for the device or service.
Start | This identifies when the device will start up. The five start types are boot (
Tag | A Tag ID is assigned to the service when it is installed, but is not actually used by the OS.
Type | Identifies the type of service or device. All devices should have a value of
All services that are to be loaded during the system startup are listed in the Registry. The Registry includes information about each service in the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>
This is the same location used for devices. The biggest difference between devices and services is that devices map out to a physical piece of hardware, but services are only software. The values for services are listed in Table 6-1 in the previous section.
After processing all the device drivers, the user's shell loads. The application that makes up the shell is actually defined by a shell = line in system.ini, the default being explorer.exe. If the current shell ever crashes and is removed from RAM, explorer.exe will be loaded. Explorer checks the Registry to see what desktop components are supposed to be displayed and then checks the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices key in the Registry to auto-start other applications. One of the services started at this point is the network service. When the network service is started up, you will be presented with a logon screen.
After loading the requested services, Explorer then executes any entries that it finds in the Registry in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce key. Each entry under RunOnce is executed sequentially, waiting for each to finish before moving on to the next. When these are completed, Explorer moves on to the run and load entries in win.ini to launch additional applications, followed by the run entries in the Registry, found in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and finally the Startup group from the Start menu, Start ⇒ Programs ⇒ Startup.
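The Services entries of Table 6-1 and the autostart keys just described are easiest to examine offline from a Registry export (Regedit's File > Export produces a .reg text file). The following Python is an added example and not part of the chapter: it parses a constructed .reg export (the service and program names are made up), decodes the numeric Start, ErrorControl and Type values into the names Windows gives them, lists drivers and services in start order, and then lists the RunServices, RunOnce and Run entries in the order the chapter says Explorer processes them. Only dword and string values are parsed; default (@=) values and hex(...) blobs are skipped.

```python
import re
from collections import OrderedDict

# Constructed .reg export for the example; not captured from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"DisplayName"="Disk Driver"
"ErrorControl"=dword:00000003
"Group"="SCSI Class"
"ImagePath"="System32\\drivers\\disk.sys"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"DisplayName"="Example Service"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\Program Files\\Example\\examplesvc.exe"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FirstLogonSetup"="C:\\Program Files\\Example\\setup.exe /finish"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
'''

# Meanings of the numeric Start, ErrorControl and Type values (Service Control Manager constants).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
ERROR_CONTROL = {0: "Ignore", 1: "Normal", 2: "Severe", 3: "Critical"}
SERVICE_TYPES = {0x01: "Kernel driver", 0x02: "File system driver",
                 0x10: "Win32 own process", 0x20: "Win32 shared process"}
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Autostart keys in the order the chapter says Explorer processes them.
AUTOSTART_KEYS = [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
                  r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                  r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"]


def parse_reg(text):
    """Return {key path: {value name: value}} for the dword and string values in a .reg export."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = OrderedDict()
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if match is None or current is None:
            continue                      # '@=' defaults and hex(...) blobs are not needed here
        name, data = match.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg strings escape backslashes and quotes; undo that.
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys


def describe_services(keys):
    """Decode the Table 6-1 values for every Services\\<name> key, boot-start entries first."""
    services = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_KEY + "\\"):
            continue
        start, stype = values.get("Start"), values.get("Type", 0)
        services.append({
            "name": path[len(SERVICES_KEY) + 1:],
            "display_name": values.get("DisplayName", ""),
            "start_code": 99 if start is None else start,
            "start": START_TYPES.get(start, "unknown"),
            "error_control": ERROR_CONTROL.get(values.get("ErrorControl"), "unknown"),
            "type": SERVICE_TYPES.get(stype & 0xFF, "unknown"),
            "interactive": bool(stype & 0x100),   # SERVICE_INTERACTIVE_PROCESS flag
            "group": values.get("Group", ""),
            "image_path": values.get("ImagePath", ""),
        })
    services.sort(key=lambda s: s["start_code"])
    return services


def autostart_entries(keys):
    """Return (key name, value name, command) tuples in RunServices, RunOnce, Run order."""
    entries = []
    for key in AUTOSTART_KEYS:
        for name, command in keys.get(key, {}).items():
            entries.append((key.rsplit("\\", 1)[1], name, command))
    return entries


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for svc in describe_services(parsed):
        print(f'{svc["name"]:<12} {svc["start"]:<10} {svc["type"]:<20} {svc["image_path"]}')
    for key, name, command in autostart_entries(parsed):
        print(f"{key:<12} {name:<18} {command}")
```

On a real machine, export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and the Run keys with Regedit, then feed the file's contents to parse_reg in place of SAMPLE_REG; comparing two exports taken at different times is a simple way to see which services or autostart entries were added.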
With the adoption of Windows NT–based OSes like Windows 7 and newer versions, you no longer need to worry about boot-time memory management because after the OS kernel loads, the memory structure switches to a flat memory model and implements a virtual memory structure.
As improvements were made in the field of RAM, and as computers with more and more memory continued to ship, software developers created applications that used the new memory. To make the entire process of managing memory easier, Microsoft decided to implement virtual memory for the Windows OSes. Virtual memory allows Windows to present a 32-bit virtual machine (VM) that contains 4GB of memory to applications running in the 32-bit Windows environment. When working with 64-bit Windows, 32-bit processes are still limited to 4GB of virtual memory, while 64-bit processes have a much higher limit. On 64-bit Windows 8.1 and newer versions, this limit is 128TB. The OS then used a Virtual Memory Manager (VMM) to control or manage the mapping of data between the virtual addresses used by the application and where the data was stored in physical memory. The VMM was also able to move data that was not being actively used in RAM to a file on the disk. The swapping of memory data pages to and from the disk file led to the file being named “swap file” in older versions of Windows and “paging file” in versions of Windows like Windows 7 and newer versions. The drawback in the system of swapping data shows up when an application wants to use data that is in the swap file because it then has to wait for the data to be retrieved back into RAM before it can be accessed.
Access speeds of hard disks are measured in milliseconds (10⁻³ s), and memory access is measured in nanoseconds (10⁻⁹ s). It should not be hard to guess that this means that when data has to be retrieved from the swap file on a hard drive, the process is extremely slow relative to retrieving it directly from RAM.
When an application needs to store information to memory, it passes the request to the VMM. VMM stores the information in RAM but might move the information to the swap file on the drive later. The process for retrieving application data is illustrated in Figure 6-1; the process looks like this:
A clean memory location in RAM is a location that has not been accessed since the last time the VMM marked it clean. If the memory location has been accessed with a read or write request, this location is marked as dirty. When looking for memory data to move to the swap file, each location is checked: if it is clean, it is moved to the hard drive; if it is dirty, it is left in RAM (and its flag is reset, so it counts as clean on the next scan). If the first scan did not free enough RAM, an immediate second search for movable memory data is required, at which time any memory data that is now dirty is data that was accessed since the first scan, mere milliseconds ago. This algorithm is the Least Recently Used (LRU) algorithm, and it ensures that data that is actively used in RAM will stay in RAM.
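The clean/dirty scan above is easier to follow in a small simulation. The following Python is an added example, not code from the chapter: a toy VMM with a fixed number of RAM frames and a paging file. touch() models an application read or write and marks the page dirty (the chapter's sense of "touched since the last scan"); reclaim() performs the first scan and, if needed, the immediate second scan. The page names and access sequence in demo() are constructed for the example.

```python
from collections import OrderedDict


class Page:
    """One page of application data. 'dirty' follows the chapter's usage:
    touched since the VMM last marked it clean (not 'modified')."""

    def __init__(self, name):
        self.name = name
        self.dirty = False


class SimpleVMM:
    """Toy Virtual Memory Manager: a fixed number of RAM frames plus a paging file."""

    def __init__(self, ram_frames):
        self.ram_frames = ram_frames
        self.ram = OrderedDict()   # page name -> resident Page, in scan order
        self.swap = {}             # page name -> Page moved to the paging file
        self.hard_faults = 0       # times data had to be read back from the paging file

    def touch(self, name):
        """An application read or write of page `name`."""
        if name in self.ram:
            page = self.ram[name]
        else:
            if name in self.swap:
                page = self.swap.pop(name)
                self.hard_faults += 1      # slow path: wait for the disk
            else:
                page = Page(name)          # brand-new allocation
            if len(self.ram) >= self.ram_frames:
                self.reclaim(1)
            self.ram[name] = page
        page.dirty = True
        return page

    def reclaim(self, needed):
        """Free `needed` frames by paging out pages not touched since the last scan."""
        freed = []
        for _scan in (1, 2):               # the chapter's first and immediate second scan
            for name in list(self.ram):
                if len(freed) >= needed:
                    return freed
                page = self.ram[name]
                if page.dirty:
                    page.dirty = False     # leave it in RAM; it now reads as clean
                else:
                    self.swap[name] = self.ram.pop(name)
                    freed.append(name)
        if len(freed) < needed:
            raise MemoryError("could not free enough frames")
        return freed

    def resident(self):
        return sorted(self.ram)

    def paged_out(self):
        return sorted(self.swap)


def demo():
    """Constructed access pattern: B is re-used after the first scan, so C is paged out instead."""
    vmm = SimpleVMM(ram_frames=3)
    for name in ["A", "B", "C", "D", "B", "E"]:
        vmm.touch(name)
    return vmm


if __name__ == "__main__":
    vmm = demo()
    print("resident:", vmm.resident(), "paged out:", vmm.paged_out(), "hard faults:", vmm.hard_faults)
    vmm.touch("C")                         # must come back from the paging file
    print("resident:", vmm.resident(), "paged out:", vmm.paged_out(), "hard faults:", vmm.hard_faults)
```

Touching D forces the first reclaim: every page is dirty, so the first scan only clears flags and the second scan pages out A. B is then touched again, so when E arrives the scan skips B and pages out C, which nobody used since the last scan; that is the property the chapter attributes to the LRU approach. Touching C afterwards counts as a hard fault, the millisecond-scale wait the chapter describes.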
The 32-bit versions of Windows allow a 32-bit memory space to be used. Rather than being able to use all 4GB (2³²) of address space, only 2GB is configured by default for use with User Mode processes. User Mode processes are applications or processes that run on the computer. This includes server processes such as Microsoft Exchange and Microsoft SQL. The 64-bit version of Windows allows a 64-bit address space to be used by the VMM, which makes the limit 16EB (2⁶⁴), but User Mode processes are limited to 8TB of space for running processes. The remainder of the space is used by operating system processes.
This chapter examines the process undertaken by the software on your computer during the boot process. The basic boot process for Windows computers is discussed, as well as the differences between them.
Key points that you should remember about this chapter are the bootmgr, BCD, and winload.exe files.
1. A user has a program that automatically starts when he logs into his computer. He would like to disable it. Where should he look for possible settings?
(A) load =
lines in win.ini
(B) The Startup group in the Start menu
(C) The RUN key in the Registry
(D) All the above
(E) None of the above
2. As part of troubleshooting the boot process on a Windows 10 computer, you are asked to identify the order in which files are processed. List the files from the left column in the right column in the order in which they are executed as part of the boot process. Not all files will be used.
3. You have been called by a user to help resolve a problem with her computer booting. She has multiple hard drives installed in her computer. You need to find out why the wrong device is being used as a boot device. The search order for bootable drives is stored in which location?
(A) System BIOS
(B) PNP Configuration
(C) io.sys
(D) CMOS Memory
4. You are helping to bring an older support professional up to speed on the current Windows boot process. You have been asked to view the boot information that was formerly found in the boot.ini file. Where is this information currently stored?
(A) bootrec.exe
(B) himem.sys
(C) bcdedit.exe
(D) BCD
5. You are looking to export configuration information for multiple services so that you will have a backup of their configuration. Where should you look for the information that you want to archive?
(A) MFT
(B) BCD
(C) Pagefile
(D) Registry
6. How large is the memory address space that is presented in 32-bit applications running on a Windows 7 computer?
(A) 640KB
(B) 1MB
(C) 1GB
(D) 4GB
7. You are working with a user running 64-bit applications on a 64-bit version of Windows 7. The user is concerned about the application running out of useable memory on the computer. What is the limit of User Mode memory access on a Windows 7 computer?
(A) 128TB
(B) 8TB
(C) 4GB
(D) 2GB
8. What is the name of the file that Windows 7 uses to store memory data for the virtual memory system?
(A) Memory file
(B) Swap file
(C) Storage file
(D) Paging file
win.ini, Startup group, or the Registry). Review “Standard Boot Process for Windows.”
bootmgr, winload.exe, and ntoskrnl.exe. Check out “Standard Boot Process for Windows.”
boot.ini file in the Boot Configuration Database (BCD). bcdedit.exe and bootrec.exe are tools for accessing the information in the BCD. himem.sys is an old memory management driver for MS DOS. Peek at “Boot Configuration Database.”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>. Examine “The service load process.”