Chapter 6

Working with System Files and the Boot Process

IN THIS CHAPTER

  • Identifying the names and purposes of each file required to boot up a Windows 7 or newer computer

  • Identifying the locations of Windows 7 or newer boot files

Starting a computer has long been referred to as booting. Before you can use your computer, you need to boot it to the point where the operating system (OS) is functional. Otherwise, your computer is like a safe without a known combination. This chapter helps you get that “safe” open by examining the boot process, which is a series of steps from power-on to loading the OS shell. It briefly reviews the hardware POST (power-on self-test) and concentrates on the OS portion of the process: the standard Windows boot sequence, the files it requires, and how to correct boot problems related to those files. A solid understanding of the Windows boot files will prepare you for the A+ exams, and a general knowledge of the other files will prepare you for working with these systems in the field.

If, as an A+ Certified Professional, you are asked to troubleshoot the boot process on a user's computer, you must understand the boot sequence. If you do not know what the normal boot process looks like, you will be at a disadvantage when something goes wrong with it. As a CompTIA A+ Certified Professional, you will often have to bring your knowledge of the core operating system files to bear on your users' computer conundrums.

For the exam If you are unfamiliar with boot processes in general, focus on the entire chapter. The A+ exams, though, focus on the Windows boot process.

The Power-On Self-Test (POST) Process

The power-on self-test (POST) process starts when power is applied to the system. Current flows from the power lead on the motherboard to the firmware (ROM-BIOS) chips, and as soon as they are powered they begin executing their programs. One of the first checks is of memory (both a count and an integrity test). After the memory check, the POST process moves on to find out which ports and I/O devices exist on the system. If the system supports Plug and Play (PnP), as almost all systems do, BIOS-level PnP configuration takes place. The next step is a search for bootable devices. The order of this search is defined by settings stored in CMOS memory (on UEFI systems, in the firmware's NVRAM), but is often C: (the first partition on the first bootable hard drive), then the optical drive, followed by removable media such as flash drives, and finally a bootable network card.

For each hard drive in the list of potential boot devices, the BIOS reads the first sector, the Master Boot Record (MBR), and runs the small program stored there. That program reads the partition table, finds the partition flagged as active, loads that partition's first sector (its boot sector), and runs it; the boot sector code in turn loads the boot loader, which for Windows Vista and newer is the bootmgr file in the root of the active partition. Removable media such as optical discs and flash drives are treated as a single bootable volume. On a UEFI system the firmware skips the MBR mechanism entirely: it reads the FAT-formatted EFI System Partition itself and runs \EFI\Microsoft\Boot\bootmgfw.efi, the EFI build of the Windows boot manager. If no boot loader is found on the first device, the second and third devices are checked before a boot failure is reported. Because whatever sits in the MBR or the active partition's boot sector runs before Windows does, those sectors are a long-standing target for bootkits; Secure Boot on UEFI systems exists to verify the boot loader's signature before it is run.

Standard Boot Process for Windows

As with so many areas of the OS, each new version of Windows brings changes to the core boot process. The major change, introduced in Windows Vista, was the replacement of the ntldr boot loader and its boot.ini text file with a new boot manager application (bootmgr) and a new store for the configuration data, the Boot Configuration Database. For Windows 7 and newer OSes, the boot loader is bootmgr, and the same process is used by Windows Server 2008 R2 and newer server OSes.

bootmgr

The boot manager (bootmgr) reads the boot configuration data stored in the Boot Configuration Database and displays the boot menu when there is more than one entry to choose from. A rescue copy of bootmgr is kept on the Windows volume in the \Windows\Boot\PCAT directory, but the copy that actually boots your computer is in the root of the hidden System Reserved partition that Windows creates when you perform the installation. This partition is not so much hidden as simply not assigned a drive letter. The System Reserved partition is usually the first partition on the installation disk and is marked as the active partition in the disk's partition table. The active partition is where the MBR boot code looks for the boot loader; if there is no System Reserved partition, the active partition is the C: drive and bootmgr lives in its root. On UEFI systems the equivalent file is bootmgfw.efi on the EFI System Partition, with a copy in \Windows\Boot\EFI.

Boot Configuration Database

Rather than keeping the boot configuration in a single text file, such as the boot.ini used by older Windows OSes, Microsoft now uses a Boot Configuration Database (BCD). This database holds more comprehensive information about the boot settings. On a computer with UEFI (Unified Extensible Firmware Interface) firmware, the BCD is stored on the EFI System Partition as \EFI\Microsoft\Boot\BCD. On a computer with a traditional IBM-style BIOS, it is stored on the active partition as \Boot\BCD. If you need to change this configuration, you can use the Startup and Recovery settings in System Properties, msconfig.exe, bootrec.exe, or bcdedit.exe. The BCD also carries the settings that decide whether the kernel enforces driver code signing (for example testsigning and nointegritychecks), so changing it requires administrative rights, and unexpected changes to those settings on a machine you support are worth investigating.
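The following PowerShell is added here as a worked example; it is not from the book or from Microsoft. It runs bcdedit.exe, parses its output into objects, reports which firmware and boot manager path the machine uses, and flags the BCD settings that weaken kernel integrity checks. It assumes an elevated session (bcdedit needs one), English bcdedit output (the setting names are fixed, but the Yes/No values are localized), and Windows 8 or newer for $env:firmware_type and Confirm-SecureBootUEFI; the function names are my own.

```powershell
# Added example, not from the book: dump the BCD with bcdedit.exe and flag the
# settings that weaken kernel code-signing enforcement. Assumes an elevated
# PowerShell session and English bcdedit output.

function Get-BcdEntries {
    # bcdedit prints one block per entry: a heading line ("Windows Boot Loader"),
    # a dashed rule, then "name<spaces>value" lines; long values continue on
    # indented lines. Each block becomes one object whose properties are the names.
    $entries = @()
    $current = $null
    $lastKey = $null
    foreach ($line in (bcdedit /enum all)) {
        if ($line -match '^\s*$' -or $line -match '^-+$') { continue }
        if ($line -match '^\S' -and $line -notmatch '\s{2,}') {
            # A heading starts a new entry.
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ EntryType = $line.Trim() }
            $lastKey = $null
            continue
        }
        if ($line -match '^(\S+)\s{2,}(.*)$' -and $current) {
            $lastKey = $matches[1]
            $current[$lastKey] = $matches[2].Trim()
        }
        elseif ($line -match '^\s+(\S.*)$' -and $current -and $lastKey) {
            $current[$lastKey] += ' ' + $matches[1].Trim()   # continuation of a multi-line value
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    $entries
}

function Test-BcdIntegritySettings {
    # Each of these is a legitimate bcdedit option, but on a production machine
    # any of them being on means unsigned or tampered kernel code can load.
    Get-BcdEntries | Where-Object { $_.PSObject.Properties['identifier'] } | ForEach-Object {
        $e = $_
        $weak = @()
        if ($e.testsigning -eq 'Yes')                          { $weak += 'testsigning' }
        if ($e.nointegritychecks -eq 'Yes')                    { $weak += 'nointegritychecks' }
        if ($e.loadoptions -match 'DISABLE_INTEGRITY_CHECKS')  { $weak += 'loadoptions' }
        if ($e.debug -eq 'Yes')                                { $weak += 'kernel debugging' }
        $weakText = if ($weak) { $weak -join ', ' } else { '(none)' }
        [pscustomobject]@{
            Identifier  = $e.identifier
            Description = $e.description
            Path        = $e.path
            Weakened    = $weakText
        }
    }
}

function Get-BootFirmwareInfo {
    # {bootmgr} is the boot manager entry: its path is \bootmgr on a BIOS system
    # and \EFI\Microsoft\Boot\bootmgfw.efi on a UEFI system.
    $bootmgr = Get-BcdEntries | Where-Object { $_.identifier -eq '{bootmgr}' }
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'unknown (Windows 7 has no firmware_type variable)' }
    $secureBoot = 'not available (legacy BIOS or Windows 7)'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }
    [pscustomobject]@{
        Firmware    = $firmware
        BootManager = $bootmgr.path
        BootDevice  = $bootmgr.device
        SecureBoot  = $secureBoot
    }
}

Get-BootFirmwareInfo
Test-BcdIntegritySettings | Format-Table -AutoSize
```

Before changing anything with bcdedit /set, keep a copy of the store with bcdedit /export (for example bcdedit /export C:\bcd-backup.bcd), which is also the quickest way to restore a BCD that bootrec.exe cannot repair.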

winload.exe

If you choose to boot Windows, the boot manager transfers control to \Windows\System32\winload.exe on the Windows volume. winload.exe, the OS boot loader, has one main job: to load the Windows OS kernel (ntoskrnl.exe) into memory, together with the hardware abstraction layer (hal.dll) and the boot-start device drivers the kernel needs before it can read the disk for itself.

ntoskrnl.exe

The main goal of the boot process is to get the OS kernel loaded and functioning. The computer has already given you a choice of OSes, inventoried the hardware, and is now ready to actually start loading the OS into memory. ntoskrnl.exe represents the first and most important step in this process. The OS kernel for Windows is responsible for all thread-level scheduling in the system. It plays a major control role, managing all other components on the system. Without it, there would be anarchy in the OS.

winload.exe follows the path specified in the BCD to locate ntoskrnl.exe in the System32 folder. If the kernel cannot be found, winload.exe generates a missing-kernel error message. (Startup error messages are covered in Book 7, Chapter 1.) Once the kernel and the boot-start drivers are in memory, winload.exe passes control of the system to the kernel. The kernel then initializes in several steps: it starts the boot-start drivers, loads and starts the system-start drivers, and then starts the Session Manager (smss.exe), which in turn brings up the Service Control Manager so that system services can be started. After the services are running, the logon process runs, and once a user has signed in, that user's profile and shell are loaded.

The logon user interface runs before any user is signed in, so it runs under the default profile. On computers configured to require the secure attention sequence, the logon screen tells you, Press Ctrl+Alt+Delete to begin. After you provide valid credentials, Windows loads your own profile and starts a session for you; the pre-logon environment is not carried over into it.

The device load process

All the devices to be loaded during the system startup are listed in the Registry. The Registry includes information about each device here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<device>

In this location, you can find several values that describe how the device will start up. These values are listed in Table 6-1.

TABLE 6-1 Device and Service Settings in the Registry

Value

Description

DisplayName

This string is the name shown in areas of Windows such as Device Manager or the Services administrative tool.

ErrorControl

This value configures how a startup failure of the driver or service is reported to the OS. A value of 0 (ignore) logs the failure but does not report it. A value of 1 (normal) logs and reports the failure, and startup continues. A value of 2 (severe) causes an automatic reboot to the Last Known Good Configuration. A value of 3 (critical) also causes an automatic reboot to the Last Known Good Configuration. If the Last Known Good Configuration is already in use, a severe failure lets the computer continue to boot, but a critical failure starts the bug-check routine (a STOP error). Note that the standard startup menu of Windows 8 and newer no longer offers Last Known Good Configuration.

Group

Devices and services can be grouped. Groups are loaded in the order given by the List value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, which is how dependencies between drivers are honored. If a device that others depend on fails, the dependent devices will not start.

ImagePath

The path and name of the actual driver or executable file used for the device or service. Boot-start and system-start drivers normally live under \Windows\System32\drivers; an early-start driver that loads from somewhere else deserves a second look.

Start

Identifies when the device or service starts. The five start types are boot (0), system (1), automatic (2), manual (3), and disabled (4). Boot-start drivers are loaded by winload.exe before the kernel runs; system-start drivers are loaded by the kernel during its initialization; automatic and manual entries are handled by the Service Control Manager after the kernel is up. Most devices have boot or system for a start value, but you might find a few set to automatic. Most services are set to either automatic or manual.

Tag

A Tag is a number assigned to a driver when it is installed. It sets the driver's load position within its Group, using the order recorded under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList; drivers without a tag load after the tagged ones in their group.

Type

Identifies the type of service or device. The values are hexadecimal: 0x1 for kernel device drivers, 0x2 for file system drivers, 0x4 for arguments for an adapter, 0x8 for file system recognizer drivers, 0x10 for single-process Win32 services that follow the service control protocol, and 0x20 for Win32 services that can share their process with other Win32 services. The flag 0x100 is added when a service is allowed to interact with the desktop. All devices should therefore have a value of 0x1 or 0x2.

The service load process

All services that are to be loaded during the system startup are listed in the Registry. The Registry includes information about each device in the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>

This is the same location used for devices. The biggest difference between devices and services is that devices map out to a physical piece of hardware, but services are only software. The values for services are listed in Table 6-1 in the previous section.
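The PowerShell below is added as a worked example for both the device and the service sections above; it is not from the book. It walks the Services key, decodes the Start, Type and ErrorControl values of Table 6-1 into names, shows the group load order, and lists the boot- and system-start drivers whose ImagePath points outside the drivers directory, which is the quick triage a responder does when looking for an unexpected early-loading driver. It assumes Windows 7 or newer with PowerShell 3 or newer; the function names are my own, and some subkeys are unreadable without elevation.

```powershell
# Added example, not from the book: decode the per-service registry values
# from Table 6-1 and list early-start drivers loading from unusual paths.
# Assumes PowerShell 3 or newer; run elevated for a complete listing.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$ErrorNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }
$TypeNames  = @{
    0x1  = 'KernelDriver';     0x2  = 'FileSystemDriver'; 0x4  = 'Adapter'
    0x8  = 'RecognizerDriver'; 0x10 = 'Win32OwnProcess';  0x20 = 'Win32ShareProcess'
}

function ConvertFrom-RegValue($table, $value) {
    if ($null -eq $value) { return '(not set)' }
    $name = $table[[int]$value]
    if ($name) { $name } else { "unknown ($value)" }
}

function Get-ServiceStartInfo {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Subkeys without a Start value are parameter containers, not loadable entries.
        if ($null -eq $p -or $null -eq $p.Start) { return }
        # Mask off flags such as 0x100 (interactive) so the base type can be looked up.
        $baseType = if ($null -eq $p.Type) { $null } else { [int]$p.Type -band 0x3F }
        [pscustomobject]@{
            Name         = $_.PSChildName
            DisplayName  = $p.DisplayName
            Start        = ConvertFrom-RegValue $StartNames $p.Start
            Type         = ConvertFrom-RegValue $TypeNames $baseType
            ErrorControl = ConvertFrom-RegValue $ErrorNames $p.ErrorControl
            Group        = $p.Group
            Tag          = $p.Tag
            ImagePath    = $p.ImagePath
        }
      }
}

function Get-ServiceGroupOrder {
    # Groups load in this order; Tag orders drivers inside a group (see
    # HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList).
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
}

function Find-EarlyDriversOutsideDriversDir {
    # Boot- and system-start drivers run before any user-mode security product.
    # Their ImagePath is normally written relative to the Windows directory
    # (System32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys) or as an
    # NT path (\??\C:\Windows\System32\drivers\x.sys). Anything else is a
    # candidate for a closer look, not a verdict.
    $inDriversDir = '^(\\SystemRoot\\|%SystemRoot%\\|\\\?\?\\[A-Za-z]:\\Windows\\)?System32\\drivers\\.+\.sys$'
    Get-ServiceStartInfo |
      Where-Object { (@('Boot', 'System') -contains $_.Start) -and $_.ImagePath } |
      Where-Object { $_.ImagePath -notmatch $inDriversDir } |
      Select-Object Name, Start, Type, ImagePath
}

Get-ServiceStartInfo | Sort-Object Name | Format-Table Name, Start, Type, ErrorControl, Group, Tag -AutoSize
Get-ServiceGroupOrder
Find-EarlyDriversOutsideDriversDir | Format-Table -AutoSize
```

Export the Services key with reg.exe (reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg) when you want the raw values archived alongside this decoded view; the export is what Prep Test question 5 is asking about.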

Loading the shell

After the device drivers and services are running and a user has signed in, the user's shell loads. On Windows NT-based systems, including Windows 7 and newer, the shell is named by the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the default is explorer.exe. (The shell= line in system.ini served this purpose only in 16-bit Windows and Windows 9x.) If the shell exits or crashes, winlogon restarts it. Winlogon also runs the program named by the Userinit value in the same key (by default userinit.exe), which applies the user's profile and environment and then starts the shell. Because the Shell and Userinit values run with the user's rights at every logon, they are a favorite persistence location; they should read explorer.exe and userinit.exe unless you know why they do not.

Once the shell is running, Explorer launches the autostart entries. It first executes the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, one at a time, waiting for each to finish before moving to the next, and removes each value so that it does not run again. It then launches the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the matching Run and RunOnce keys under HKEY_CURRENT_USER, and finally the shortcuts in the Startup group of the Start menu (Start ⇒ All Programs ⇒ Startup), which is a per-user and an all-users Startup folder on disk. The run= and load= lines from win.ini survive only as the Run and Load values under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows; they are rarely used legitimately, which makes them a good place to check for unwanted autostarts. The RunServices key found in older material is a Windows 9x feature and does not exist on Windows NT-based systems.

Tip This process is broadly the same for all versions of Windows based on Windows NT, which includes the current versions, although Microsoft has used each release to tune the overall OS loading process.

Tip For information on editing the Registry, see the regedit.exe section in Book 6, Chapter 4.
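The PowerShell below is added as a worked example for the shell and autostart discussion above; it is not from the book. It enumerates the logon-time autostart locations that Windows 7 and newer actually consult (the Winlogon Shell and Userinit values, the Run and RunOnce keys in both hives, the registry home of the old win.ini lines, and the two Startup folders) and checks that Shell and Userinit still hold their stock values. It assumes PowerShell 3 or newer and is run as the user whose logon you are examining; the function names are my own.

```powershell
# Added example, not from the book: list the places Windows 7 and newer look
# for programs to start at logon, then check the Winlogon defaults.
# HKLM entries apply to every user; HKCU entries only to the current one.

function Get-LogonAutostart {
    $results = @()
    $winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # winlogon reads the shell and the per-user initializer from this key.
    $wl = Get-ItemProperty "HKLM:\$winlogon"
    $results += [pscustomobject]@{ Location = "HKLM\$winlogon"; Name = 'Shell';    Command = $wl.Shell }
    $results += [pscustomobject]@{ Location = "HKLM\$winlogon"; Name = 'Userinit'; Command = $wl.Userinit }
    # A per-user Shell value, if one exists, overrides the machine-wide one.
    $userWl = Get-ItemProperty "HKCU:\$winlogon" -ErrorAction SilentlyContinue
    if ($userWl -and $userWl.Shell) {
        $results += [pscustomobject]@{ Location = "HKCU\$winlogon"; Name = 'Shell'; Command = $userWl.Shell }
    }

    # Run and RunOnce keys; RunOnce values are removed once they have run. The
    # last key is where NT-based Windows keeps the old win.ini load= and run= lines.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($key -like '*\Windows NT\CurrentVersion\Windows' -and (@('Load', 'Run') -notcontains $prop.Name)) { continue }
            $results += [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }

    # The Start menu Startup group is a per-user and an all-users folder on disk.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($item in (Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue)) {
            $results += [pscustomobject]@{ Location = $folder; Name = $item.Name; Command = $item.FullName }
        }
    }
    $results
}

function Test-WinlogonDefaults {
    # Stock values: Shell = explorer.exe and
    # Userinit = <SystemRoot>\system32\userinit.exe,  (the trailing comma is part of the value).
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
    @(
        [pscustomobject]@{ Value = 'Shell';    Actual = $wl.Shell;    IsDefault = ($wl.Shell -eq 'explorer.exe') }
        [pscustomobject]@{ Value = 'Userinit'; Actual = $wl.Userinit; IsDefault = ($wl.Userinit -eq $expectedUserinit) }
    )
}

Get-LogonAutostart | Format-Table -AutoSize
Test-WinlogonDefaults | Format-Table -AutoSize
```

To answer a user's question about a program that starts at logon, remove or rename the offending value or shortcut in whichever location the listing shows; for a Userinit or Shell value that is not the default, confirm what the extra program is before restoring the stock value, because it is running as that user every time he or she signs in.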

Managing Memory and Virtual Memory

With the adoption of Windows NT–based OSes like Windows 7 and newer versions, you no longer need to worry about boot-time memory management because after the OS kernel loads, the memory structure switches to a flat memory model and implements a virtual memory structure.

As improvements were made to RAM and computers shipped with more and more memory, software developers wrote applications that used the new memory. To make managing memory easier, Microsoft implemented virtual memory for the Windows OSes. Virtual memory lets Windows present each 32-bit process with its own 4GB virtual address space, regardless of how much physical RAM is installed. On 64-bit Windows, 32-bit processes are still limited to 4GB of virtual address space, while 64-bit processes have a much higher limit; on 64-bit Windows 8.1 and newer, that limit is 128TB.

The OS uses a Virtual Memory Manager (VMM) to manage the mapping between the virtual addresses an application uses and the places where the data is actually stored in physical memory. The VMM can also move data that is not being actively used out of RAM into a file on disk. Swapping memory pages to and from that file led to its being called the “swap file” in older versions of Windows and the “paging file” (pagefile.sys) in Windows 7 and newer. The drawback shows up when an application needs data that is in the paging file: it has to wait for the data to be read back into RAM before it can be used.

Access times of hard disks are measured in milliseconds (10^-3 s), and memory access times in nanoseconds (10^-9 s); solid-state drives sit in between, at microseconds. It should not be hard to guess that retrieving data from the paging file on a disk is extremely slow relative to retrieving it directly from RAM.

Technical stuff The VMM manages virtual memory addresses up to the virtual memory limit, such as 4GB or 128TB, and the mapping of those addresses to a physical location, either in RAM or on a hard drive. You should rely on the paging file only when applications need a small amount of additional memory. Most OSes implement virtual memory and allow it to use swap space on a hard drive so that applications with high memory requirements can function, but greater performance will be achieved by adding more physical RAM to the system. The paging file can also hold copies of anything that was in process memory, including credentials, so treat it as sensitive data: Windows can be told to wipe it at shutdown through the ClearPageFileAtShutdown value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, at the cost of a slower shutdown.

When an application needs to store information to memory, it passes the request to the VMM. VMM stores the information in RAM but might move the information to the swap file on the drive later. The process for retrieving application data is illustrated in Figure 6-1; the process looks like this:

  1. When the application requests information, the VMM checks whether the information is in RAM.
  2. If the information is in RAM, the information is simply returned to the application, and the process is complete.
  3. If the information isn't in RAM, VMM checks whether there is enough space in RAM to retrieve the information from the swap file.
  4. If there is enough space to retrieve the information, the information is retrieved from the drive, stored into RAM, and passed on to the application; and the process is complete.
  5. If there isn’t enough space to retrieve the information, VMM checks for memory locations that have not been accessed recently and passes them from RAM down to the swap file.
  6. When enough information is moved to the swap file to make room for the requested information, that information is moved into RAM and then returned to the application.

FIGURE 6-1: The swap process.

The VMM keeps a mark on each page in RAM. A page is “clean” in the sense used here if it has not been accessed since the VMM last cleared its mark; if the page has been read or written since then, it is marked as accessed (“dirty” in this description). When looking for data to move to the paging file, the VMM checks each page: if its mark is clear, the page is moved to disk; if it is marked, the VMM clears the mark and leaves the page in place, giving it a second chance. If the first sweep did not free enough RAM, a second sweep follows immediately, and at that point any page that is marked again is one that was touched since the first sweep, mere milliseconds ago, so it stays. This approximates the Least Recently Used (LRU) algorithm and ensures that data that is actively used stays in RAM. Windows itself also distinguishes pages that have been written to (modified pages, which must be written to the paging file before their frame can be reused) from unmodified ones, which can simply be discarded and re-read later from the file they came from.
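The PowerShell below is a toy simulation of the sweep just described, added here as an example and not taken from the book or from any Windows component. A fixed number of page frames stands in for RAM, each with an Accessed flag that plays the role of the text's “dirty” mark (on real hardware the CPU sets that bit; here a hit sets it). On a page fault with RAM full, the sweep evicts the first unmarked page to a simulated paging file and clears the mark on every page it passes, so a second pass always finds a victim. The access sequence in the usage line is constructed for illustration.

```powershell
# Added example, not from the book: simulate the two-pass clean/dirty sweep
# the text describes. Frames = number of pages RAM can hold; Accesses = the
# sequence of page numbers a program touches (constructed input).

function Invoke-PageScan {
    param([int]$Frames, [int[]]$Accesses)
    if ($Frames -lt 1) { throw 'Frames must be at least 1' }
    $ram  = New-Object System.Collections.ArrayList   # each slot: @{ Page = n; Accessed = bool }
    $swap = @{}                                        # page numbers currently in the paging file
    $faults  = 0
    $evicted = @()
    foreach ($page in $Accesses) {
        $slot = $null
        foreach ($s in $ram) { if ($s.Page -eq $page) { $slot = $s; break } }
        if ($slot) { $slot.Accessed = $true; continue }   # present in RAM: no disk access
        $faults++
        if ($ram.Count -ge $Frames) {
            # Sweep RAM: the first slot not accessed since the last sweep is paged
            # out; slots that were accessed have the mark cleared and are kept.
            # After one full pass every mark is clear, so the second pass succeeds.
            $victimIndex = -1
            while ($victimIndex -lt 0) {
                for ($i = 0; $i -lt $ram.Count; $i++) {
                    if (-not $ram[$i].Accessed) { $victimIndex = $i; break }
                    $ram[$i].Accessed = $false
                }
            }
            $swap[$ram[$victimIndex].Page] = $true
            $evicted += $ram[$victimIndex].Page
            $ram.RemoveAt($victimIndex)
        }
        if ($swap.ContainsKey($page)) { $swap.Remove($page) }   # read back from the paging file
        [void]$ram.Add(@{ Page = $page; Accessed = $true })
    }
    [pscustomobject]@{
        Faults  = $faults
        Evicted = ($evicted -join ' ')
        InRam   = (($ram | ForEach-Object { $_.Page }) -join ' ')
        InSwap  = (($swap.Keys | Sort-Object) -join ' ')
    }
}

# Constructed access pattern: three frames, a program that keeps returning to page 1.
Invoke-PageScan -Frames 3 -Accesses 1, 2, 3, 1, 4, 1, 2, 5
```

Vary the Frames parameter to see why the text recommends more physical RAM over a larger paging file: every fault in the result is a disk read, and the repeatedly used page survives the sweep only while RAM is large enough for the program's working set.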

The 32-bit versions of Windows allow a 32-bit address space. Rather than the whole 4GB (2^32) being available to a program, only 2GB is configured by default for User Mode processes; the upper 2GB is reserved for the kernel. User Mode processes are the applications and services that run on the computer, including server processes such as Microsoft Exchange and Microsoft SQL Server. A 64-bit address space would in principle allow 16EB (2^64), but current processors and Windows implement far less of it: on 64-bit Windows 7, User Mode processes are limited to 8TB of virtual address space, with the remainder of the address range used by the operating system.

Technical stuff When running Windows 8.1 or a newer OS on a 64-bit platform, the User Mode memory limit is increased to 128TB. This is the virtual memory limit, which defines the address locations a process can use and which is different from the physical memory limit. The physical limit of 64-bit Windows 8 Enterprise is 512GB, while that of 64-bit Windows 10 Enterprise is 6TB.

Getting an A+

This chapter examines the process undertaken by the software on your computer during the boot process. The basic boot process for Windows computers is discussed, as well as the differences between them.

Key points that you should remember about this chapter are

  • Virtual memory is managed by the Virtual Memory Manager, which presents a 4GB address space to 32-bit applications on the system. 64-bit applications on 64-bit OSes have a higher limit.
  • Virtual memory is made up of physical RAM and hard drive space in the form of a swap file or paging file.
  • The Windows boot process uses the bootmgr, BCD, and winload.exe files.

Prep Test

1. A user has a program that automatically starts when he logs into his computer. He would like to disable it. Where should he look for possible settings?

(A) load = lines in win.ini

(B) The Startup group in the Start menu

(C) The RUN key in the Registry

(D) All the above

(E) None of the above

2. As part of troubleshooting the boot process on a Windows 10 computer, you are asked to identify the order in which files are processed. List the files from the left column in the right column in the order in which they are executed as part of the boot process. Not all files will be used.

Boot process on a Windows 10 computer

3. You have been called by a user to help resolve a problem with her computer booting. She has multiple hard drives installed in her computer. You need to find out why the wrong device is being used as a boot device. The search order for bootable drives is stored in which location?

(A) System BIOS

(B) PNP Configuration

(C) io.sys

(D) CMOS Memory

4. You are helping to bring an older support professional up to speed on the current Windows boot process. You have been asked to view the boot information that was formerly found in the boot.ini file. Where is this information currently stored?

(A) bootrec.exe

(B) himem.sys

(C) bcdedit.exe

(D) BCD

5. You are looking to export configuration information for multiple services so that you will have a backup of their configuration. Where should you look for the information that you want to archive?

(A) MFT

(B) BCD

(C) Pagefile

(D) Registry

6. How large is the memory address space that is presented in 32-bit applications running on a Windows 7 computer?

(A) 640KB

(B) 1MB

(C) 1GB

(D) 4GB

7. You are working with a user running 64-bit applications on a 64-bit version of Windows 7. The user is concerned about the application running out of useable memory on the computer. What is the limit of User Mode memory access on a Windows 7 computer?

(A) 128TB

(B) 8TB

(C) 4GB

(D) 2GB

8. What is the name of the file that Windows 7 uses to store memory data for the virtual memory system?

(A) Memory file

(B) Swap file

(C) Storage file

(D) Paging file

Answers

  1. D. Automatic commands can be found in any of the listed locations. On Windows 7 and newer, the win.ini load= line survives only as the Load value under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, but it is still a place to look. Review “Standard Boot Process for Windows.”
  2. The correct order of files used in the boot process is bootmgr, winload.exe, and ntoskrnl.exe. Check out “Standard Boot Process for Windows.”
    Boot process on a Windows 10 computer
  3. D. CMOS memory contains the boot device order. Take a look at “The Power-On Self-Test (POST) Process.”
  4. D. With Windows Vista and newer OSes, you will find the information that was formerly found in the boot.ini file in the Boot Configuration Database (BCD). bcdedit.exe and bootrec.exe are tools for accessing the information in the BCD. himem.sys is an old memory management driver for MS DOS. Peek at “Boot Configuration Database.”
  5. D. The Registry is where all service information is stored, in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>. Examine “The service load process.”
  6. D. The virtual address space presented to each 32-bit application is 4GB in size. Examine “Managing Memory and Virtual Memory.”
  7. B. When running the 64-bit version of Windows lower than Windows 8.1, the User Mode memory limit is 8TB. It goes up to 128TB with Windows 8.1. Refer to “Managing Memory and Virtual Memory.”
  8. D. Windows 7 refers to the file used by virtual memory as a paging file or the page file. Look over “Managing Memory and Virtual Memory.”