Saturday, September 19, 2009

The Windows NT 4.0 Boot Process

Files required for a successful boot:
- NTLDR - The operating system loader, which must reside in the root of the
boot drive. In a multi-boot environment it is also what starts the other
systems. This file is hidden, system, and read-only.
- BOOT.INI - A text file used to build the OS selection menu; it gives the
ARC path to each OS available. It too must be in the root of the boot
drive, and is read-only and system.
- BOOTSECT.DOS - This file contains the boot sector of the operating system
that was on the hard drive before NT was installed. NTLDR loads it when an
OS other than NT is chosen from the boot menu. It is a hidden system file
that must be in the root of the boot drive.
- NTDETECT.COM - This program examines the hardware in the machine and
builds a list, which it passes back to NTLDR; the kernel later uses that
list to build the volatile HARDWARE hive of HKEY_LOCAL_MACHINE in the
Registry. This file is also a hidden, read-only system file in the root of
the boot drive.
- NTOSKRNL.EXE - The kernel of the OS itself, which resides in the
WINNT\SYSTEM32 directory.
- NTBOOTDD.SYS - A copy of the SCSI miniport driver, renamed and placed in
the root of the boot drive. It is used only on systems that boot from a
SCSI disk whose adapter BIOS is disabled (the scsi() form of ARC path in
BOOT.INI): without the adapter BIOS there is no INT 13h service for NTLDR
to read the disk with, so it loads this driver instead.
- SYSTEM - The SYSTEM registry hive, located in the WINNT\SYSTEM32\CONFIG
folder. It controls which drivers and services are loaded during Windows
NT startup.
When the machine is first powered on, it goes through a series of steps
before NT actually begins booting:
- POST - Power On Self Test.
- The machine locates the boot device and loads the MBR (Master Boot
Record) into memory.
- The MBR's program locates the active partition and loads that partition's
boot sector into memory.
- The partition boot sector (written by NT Setup) loads NTLDR into memory
and runs it.
This brings us to the actual NT booting process.
- NTLDR switches the processor from real mode to a 32-bit flat memory
model, which can address up to 4 GB of physically installed RAM.
- NTLDR starts what is called the mini file system: a small built-in driver
that lets it read the boot-time files from any of the three formats NT 4.0
supports, FAT, NTFS and CDFS.
- NTLDR reads the BOOT.INI file and displays the operating system
selections in the boot menu.
- If Windows NT is selected, NTLDR runs NTDETECT.COM.
- If another OS is selected, NTLDR loads BOOTSECT.DOS, passes control to
it, and exits. The other OS then continues as though the machine had just
booted. If BOOTSECT.DOS is missing or corrupt, it must be replaced or
reconstructed before that OS can be booted again.
- NTDETECT.COM scans the machine's hardware (you will notice the keyboard
and modem lights flash at this point, as it probes the various ports).
- NTLDR then loads NTOSKRNL.EXE and passes the hardware information to it.
- This technically ends the "boot phase" and begins the "load phase".
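As an added example (not code from the original post), here is a small Python parser for a BOOT.INI of the shape described above. For each menu entry it works out which of the files listed at the top NTLDR will need: an NT entry with a multi() ARC path needs NTDETECT.COM and NTOSKRNL.EXE, a scsi() path additionally needs NTBOOTDD.SYS, and a drive-letter entry such as C:\ is handed to BOOTSECT.DOS. The sample BOOT.INI and its labels are constructed for the example; the [boot loader] and [operating systems] sections and the ARC path syntax are the real ones.

```python
"""Parse a Windows NT 4.0 BOOT.INI and report what NTLDR needs per entry.
Added example with a constructed sample file; not from the original post."""
import re

# Constructed sample of the kind NTLDR reads from the root of the boot drive.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.00 [VGA mode]" /basevideo /sos
scsi(0)disk(1)rdisk(0)partition(2)\WINNT="Windows NT Server Version 4.00"
C:\="MS-DOS"
"""

# ARC path: multi(adapter)disk(0)rdisk(disk#)partition(n)\dir  or
#           scsi(adapter)disk(scsi-id)rdisk(lun)partition(n)\dir
ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)$", re.I)
# target="Menu label" [/switch ...]
LINE_RE = re.compile(r'^(?P<target>[^=]+)="(?P<label>[^"]*)"\s*(?P<switches>.*)$')


def parse_arc_path(target):
    """Split an ARC path into its fields; None for non-ARC targets such as C:\\."""
    m = ARC_RE.match(target)
    if not m:
        return None
    adapter, ordinal, disk, rdisk, partition, path = m.groups()
    return {"adapter": adapter.lower(), "ordinal": int(ordinal),
            "disk": int(disk), "rdisk": int(rdisk),
            "partition": int(partition),   # 1-based; partition(0) never names an OS
            "path": path}


def parse_boot_ini(text):
    """Return timeout, default and the menu entries with the files each one needs."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, val = line.partition("=")
            key = key.strip().lower()
            if key == "timeout":
                cfg["timeout"] = int(val.strip())
            elif key == "default":
                cfg["default"] = val.strip()
        elif section == "operating systems":
            m = LINE_RE.match(line)
            if not m:
                raise ValueError("unparseable entry: %r" % line)
            target = m.group("target")
            arc = parse_arc_path(target)
            if arc is None:                       # e.g. C:\ -> NTLDR chains to BOOTSECT.DOS
                kind, needs = "other", ["BOOTSECT.DOS"]
            else:                                 # NT itself
                kind, needs = "nt", ["NTDETECT.COM", "NTOSKRNL.EXE"]
                if arc["adapter"] == "scsi":      # adapter BIOS disabled: needs the miniport copy
                    needs.append("NTBOOTDD.SYS")
            cfg["entries"].append({"target": target, "label": m.group("label"),
                                   "switches": m.group("switches").split(),
                                   "kind": kind, "arc": arc, "needs": needs})
    return cfg


def check_boot_ini(cfg):
    """List problems a hand-edited BOOT.INI commonly has."""
    problems = []
    targets = [e["target"] for e in cfg["entries"]]
    if cfg["default"] not in targets:
        problems.append("default %r matches no [operating systems] entry" % cfg["default"])
    for e in cfg["entries"]:
        if e["arc"] and e["arc"]["partition"] == 0:
            problems.append("%s: partition(0) is not a valid ARC partition" % e["target"])
    if cfg["timeout"] is None:
        problems.append("no timeout= in [boot loader]")
    return problems


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    for e in cfg["entries"]:
        print("%-50s %-5s needs %s" % (e["label"], e["kind"], ", ".join(e["needs"])))
    print("problems:", check_boot_ini(cfg) or "none")
```

The check function covers the commonest hand-editing mistake, a default= that no longer matches any entry, and the partition(0) slip; the per-entry "needs" list is what to verify is present in the root of the boot drive when one of the menu choices fails to start.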
LOAD PHASES
There are four more phases to go before NT is officially up and running:
the Kernel Load, Kernel Initialization, Services Load, and Subsystem Start
phases.
- Kernel Load phase: the HAL (hardware abstraction layer) is loaded, which
hides the physical hardware from the kernel and device drivers, and so from
everything above them. The SYSTEM hive of the registry is loaded next and
scanned for the drivers and services that should be loaded.
- Kernel Initialization phase: the screen turns blue. The boot drivers are
initialized and loaded, the registry's CurrentControlSet is saved, and the
Clone control set is created as a copy of it (but not yet saved). The
registry hardware list (HKEY_LOCAL_MACHINE\HARDWARE) is then created from
the information NTDETECT.COM gathered earlier.
- Services Load phase: the session manager (SMSS.EXE) is started. It first
runs any programs listed in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager,
value BootExecute (by default only "autocheck autochk *", the boot-time
CHKDSK). Because these run before any subsystem, service or logon exists,
an unexpected entry here is a classic persistence point and worth checking
when examining a machine. After this, the session manager sets up the
pagefile(s). Next the Clone control set is written to the registry. The last
thing the session manager does is load the required subsystems (by default,
only Win32).
- Subsystem Start phase: WINLOGON.EXE is started automatically, which
starts the Local Security Authority (LSASS.EXE) and brings up the logon
dialog box (CTRL+ALT+DEL). The Service Controller (SCREG.EXE) is then run,
which looks through the registry for services set to start automatically
and loads them.
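As an added example (not from the original post), the following Python decodes the BootExecute value out of a regedit export of the Session Manager key and flags anything beyond the stock "autocheck autochk *". Both the REGEDIT4 format (which NT 4.0's REGEDIT.EXE writes, with hex(7) bytes in the ANSI code page) and the later "Windows Registry Editor Version 5.00" format (UTF-16LE) are handled, since an export taken from a newer machine for comparison uses the latter. The two .reg snippets are constructed for the example; "unknown.exe" is a made-up entry standing in for whatever might have been added.

```python
"""Decode BootExecute (REG_MULTI_SZ, hex(7)) from a regedit export and flag
entries that are not the stock NT 4.0 value. Added example; the .reg samples
below are constructed, not taken from a real system."""
import re

SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
STOCK_BOOT_EXECUTE = {"autocheck autochk *"}   # the only entry on a clean NT 4.0 install

# Constructed: REGEDIT4 format as NT 4.0's REGEDIT.EXE exports it (ANSI bytes),
# with a made-up extra entry "unknown.exe" appended to the stock value.
SAMPLE_REGEDIT4 = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,\
  75,6e,6b,6e,6f,77,6e,2e,65,78,65,00,00
"""

# Constructed: the unmodified stock value in the Version 5.00 (UTF-16LE) format.
SAMPLE_V5 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,\
  61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
"""


def logical_lines(text):
    """Join regedit continuation lines (trailing backslash, indented next line)."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def reg_multi_sz(text, key, value_name):
    """Decode a hex(7) value under `key`; None if the key or value is absent."""
    header = text.lstrip().splitlines()[0]
    # REGEDIT4 stores hex(7) as ANSI bytes; Version 5.00 stores UTF-16LE.
    encoding = "utf-16-le" if header.startswith("Windows Registry Editor") else "cp1252"
    value_re = re.compile(r'"%s"=hex\(7\):([0-9a-fA-F,]*)$' % re.escape(value_name), re.I)
    in_key = False
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = value_re.match(line)
        if m:
            raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
            # REG_MULTI_SZ: NUL-terminated strings, ended by an empty string.
            return [s for s in raw.decode(encoding).split("\x00") if s]
    return None


def audit_boot_execute(text):
    """Entries in BootExecute other than the stock one; None if not present in the export."""
    entries = reg_multi_sz(text, SESSION_MANAGER_KEY, "BootExecute")
    if entries is None:
        return None
    return [e for e in entries if e not in STOCK_BOOT_EXECUTE]


if __name__ == "__main__":
    for name, sample in (("REGEDIT4 sample", SAMPLE_REGEDIT4), ("Version 5.00 sample", SAMPLE_V5)):
        extra = audit_boot_execute(sample)
        print("%s: %s" % (name, "non-stock entries %r" % extra if extra else "stock value only"))
```

The same approach works for any REG_MULTI_SZ pulled from an exported hive; the point of comparing against a known-good baseline rather than eyeballing the hex is that a single added entry in the middle of a long value is easy to miss.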
User Logon:
Once a user logs on successfully, the boot is considered complete, and the
Clone control set is copied to the Last Known Good control set. That is why
a driver or service change that breaks startup can be backed out by pressing
the spacebar when NTLDR prompts for it and choosing Last Known Good: the
control set saved at the last successful logon is used instead of the
current one.
